BaseCTF2024[Week1]
Reverse
You are good at IDA
Part1
打开IDA按F5,得到第一部分
Part2
根据以上提示,shift+F2:
点击 Second 字符串进入,按“X”查看交叉引用,找到对应函数,
得到第二部分flag,按“R”转换为字符:
Part3
第三部分flag在一个Interesting的函数中:
flag:
BaseCTF{Y0u_4Re_900d_47_id4}
UPX mini
拖DIE中查壳儿,4.01版本
upx -d UPXmini.exe
点击base64函数,发现没换表,有密文,直接出flag
附一个标准base64:
// IDA/Hex-Rays pseudocode of the unpacked binary's encoder: Base64-encodes the
// NUL-terminated string a1 into a freshly malloc'd, NUL-terminated buffer.
// The alphabet copied into v4 is the standard one (A-Z, a-z, 0-9, '+', '/'),
// so the embedded ciphertext can be decoded with any stock Base64 decoder.
// Returns the output buffer; the malloc result is not checked in this listing.
_BYTE *__fastcall base64_encode(char *a1)
{
  int v1;        // input length modulo 3
  _BYTE *v2;     // scratch pointer used when writing the "==" padding
  char v4[72];   // encoding alphabet (64 characters + NUL)
  _BYTE *v5;     // output buffer
  int v6;        // input length
  char *Str;     // alias of a1
  int v8;        // read index into the input
  int v9;        // write index into the output
  int v10;       // number of leftover input bytes (0, 1 or 2)
  int v11;       // output length, excluding the terminating NUL

  Str = a1;
  strcpy(v4, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/");
  v6 = strlen(a1);
  v1 = v6 % 3;
  // Output length is 4 characters per 3-byte group, rounded up when a partial
  // group remains.
  if ( v6 % 3 == 1 )
  {
    v10 = 1;
    v11 = 4 * (v6 / 3 + 1);
  }
  else if ( v1 == 2 )
  {
    v10 = 2;
    v11 = 4 * (v6 / 3 + 1);
  }
  else if ( !v1 )
  {
    v10 = 0;
    v11 = 4 * (v6 / 3);
  }
  v5 = malloc(v11 + 1);   // +1 for the NUL written at v5[v11]
  v9 = 0;
  v8 = 0;
  // Full groups: split 3 input bytes into four 6-bit indices into v4.
  while ( v8 < v6 - v10 )
  {
    v5[v9] = v4[(int)(unsigned __int8)Str[v8] >> 2];
    v5[v9 + 1] = v4[((int)(unsigned __int8)Str[v8 + 1] >> 4) | (16 * Str[v8]) & 0x30];
    v5[v9 + 2] = v4[((int)(unsigned __int8)Str[v8 + 2] >> 6) | (4 * Str[v8 + 1]) & 0x3C];
    v5[v9 + 3] = v4[Str[v8 + 2] & 0x3F];
    v8 += 3;
    v9 += 4;
  }
  if ( v10 == 1 )
  {
    // One trailing byte: two alphabet characters followed by "==" (61 is '=').
    v5[v11 - 4] = v4[(int)(unsigned __int8)Str[v6 - 1] >> 2];
    v5[v11 - 3] = v4[(16 * Str[v6 - 1]) & 0x30];
    v2 = &v5[v11 - 1];
    *v2 = 61;
    v5[v11 - 2] = *v2;
  }
  else if ( v10 == 2 )
  {
    // Two trailing bytes: three alphabet characters followed by a single '='.
    v5[v11 - 4] = v4[(int)(unsigned __int8)Str[v6 - 2] >> 2];
    v5[v11 - 3] = v4[((int)(unsigned __int8)Str[v6 - 1] >> 4) | (16 * Str[v6 - 2]) & 0x30];
    v5[v11 - 2] = v4[(4 * Str[v6 - 1]) & 0x3C];
    v5[v11 - 1] = 61;
  }
  v5[v11] = 0;
  return v5;
}
Ez Xor
无壳
看逻辑,判断输入字符为28位,处理v4(假设为密钥“Xor”),加密输入字符,与密文比较——
Set item type 改数据类型
异或串1由i异或key循环产生28位
flag与 逆转的异或串1 异或产生字符串Str
最后Str与给的密文比较
逻辑也简单,写脚本:
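# Solver for "Ez Xor": recovers the 28-byte input from the embedded ciphertext.
#
# Per the write-up's reading of the binary:
#   keystream[i] = i ^ key[i % 3]            (28 bytes, key is "Xor")
#   Str[j]       = flag[j] ^ keystream[27 - j]
# XOR is its own inverse, so applying the reversed keystream to Str again
# yields the flag.

key = [0x58, 0x6F, 0x72]  # ASCII "Xor"

# Ciphertext bytes copied out of the binary.
Str = [
    0x01, 0x09, 0x05, 0x25, 0x26, 0x2D, 0x0B, 0x1D,
    0x24, 0x7A, 0x31, 0x20, 0x1E, 0x49, 0x3D, 0x67,
    0x4D, 0x50, 0x08, 0x25, 0x2E, 0x6E, 0x05, 0x34,
    0x22, 0x40, 0x3b, 0x25,
]

# The original listing indexed an undefined name (`enflag`) here; the
# ciphertext list is `Str`.
keystream = [i ^ key[i % len(key)] for i in range(len(Str))]
flag = "".join(chr(c ^ k) for c, k in zip(Str, reversed(keystream)))

print(flag)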
ez_maze
wa!迷宫!
出来啦!sssssssddddwwwddsssssssdddsssddddd
BasePlus
看题目,看main函数:
encode:看着像base64,但是Plus!细细看,不只是换了表
// IDA/Hex-Rays pseudocode of the challenge's "Base64 plus" encoder.
// Encodes the NUL-terminated string a1 into the caller-supplied buffer a2:
// every 3 input bytes become 4 characters looked up in the table `Secret`
// (defined outside this listing), and each character is XORed with 0xE before
// it is stored. A short final group is zero-filled; no '=' padding is written.
// Returns the number of bytes written, excluding the terminating NUL.
// Decoding therefore means: XOR every ciphertext byte with 0xE, then
// Base64-decode using `Secret` as the alphabet.
// NOTE(review): nothing here bounds writes to a2 -- the caller has to supply at
// least 4 bytes per 3-byte group plus one byte for the NUL.
__int64 __fastcall Encode(const char *a1, __int64 a2)
{
  int v3;               // input length
  char *v4;             // moving base pointer used to read v17 (see the copy loop)
  __int64 v5;           // end offset in a2 of the current 4-byte output group
  __int64 v6;           // start offset in a2 of the current 4-byte output group
  int v7;               // number of input bytes consumed so far
  __int64 v8;           // write offset into a2
  __int64 result;
  __int64 v10;
  __int64 v11;          // 1-based position inside the current 3-byte group
  bool v12;
  bool v13;
  char v14;             // only its address is used, as the base for the group bytes
  __int16 v15;          // group bytes 1 (low byte) and 2 (high byte)
  unsigned __int8 v16;  // group byte 3
  char v17[60];         // the four encoded characters of the current group

  v3 = strlen(a1);
  if ( v3 <= 0 )
  {
    LODWORD(result) = 0;
  }
  else
  {
    v4 = v17;
    v5 = 4i64;
    v6 = 0i64;
    v7 = 0;
    do
    {
      // Clear the group first so that a short final group is zero-filled.
      v15 = 0;
      v16 = 0;
      if ( v3 > v7 )
      {
        v10 = v7 + 1;
        v11 = 1i64;
        // Copy up to 3 input bytes to &v14 + 1 .. &v14 + 3.
        // Presumably these land in v15/v16, which the decompiler places
        // directly after v14 -- confirm against the stack layout.
        do
        {
          v7 = v10;
          *(&v14 + v11) = a1[v10 - 1];
          v12 = (int)v11 <= 2;
          v13 = v3 > (int)v10++;
          ++v11;
        }
        while ( v13 && v12 );
      }
      // Same 3-byte -> four 6-bit index split as Base64, but through `Secret`.
      v17[0] = Secret[(unsigned __int8)v15 >> 2];
      v17[1] = Secret[(HIBYTE(v15) >> 4) | (16 * (_BYTE)v15) & 0x30];
      v17[2] = Secret[(v16 >> 6) | (4 * HIBYTE(v15)) & 0x3C];
      v17[3] = Secret[v16 & 0x3F];
      v8 = v6;
      // v4 drops by 4 each round while v8 starts 4 higher, so v4[v8] always
      // reads v17[0..3]; every output byte is XORed with 0xE.
      do
      {
        *(_BYTE *)(a2 + v8) = v4[v8] ^ 0xE;
        ++v8;
      }
      while ( v8 != v5 );
      LODWORD(result) = v5;   // bytes written so far
      v6 += 4i64;
      v4 -= 4;
      v5 += 4i64;
    }
    while ( v3 > v7 );
  }
  result = (int)result;
  *(_BYTE *)(a2 + (int)result) = 0;   // NUL-terminate the output
  return result;
}
果然结果异或0xE