HDCTF Reverse Engineering Writeup


I missed this contest because it clashed with the 天梯赛 (programming ladder contest), so I'm just catching up on the problems afterwards.

ez_re

Warm-up: strip the UPX packer, then base64-decode.

easy_asm

Warm-up 2. Opening this one in IDA shows nothing but "$" characters, which is a bit confusing at first, but they can be ignored; go straight to the key spot.

A quick scan turns up an `xor al, cl`, with `cl` set to 0x10 just before it. Further down there is a data block, so this is clearly a plain single-byte XOR. The "$" acts as a terminator, so when taking the data block leave out the equal/not-equal comparison bytes.

double_code

A shellcode loader.

Locate the shellcode inside it.

The hint makes it easy to find, and IDA has already analysed the shellcode as code.

The output is given and so is the logic, so reversing it step by step gives the flag.

fake_game

Also simple, but decompilation hits a snag: the pyc magic number has to be repaired by hand (reportedly the newest pyinstall extractor does this automatically).

Once you get here it is straightforward:

```python
for i in range(len(flag)):
    ans[i] = flag[i] ^ xorr[i % 4]
```

The four values in `xorr[]` are fixed by four equations earlier in the code; solving them with z3 works.

Alternatively, the first four characters are certainly `HDCT`, so the key can be recovered directly from the ciphertext.
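The known-plaintext route, written out as an added example (not the author's script): with a 4-byte repeating key, `key[i] = ciphertext[i] ^ "HDCT"[i]` for the first four positions, and any further known bytes (`F{`) must agree with the key wrapping around, which is a cheap check that the key length is really 4. The key and flag in `SAMPLE_*` are constructed for the demo; the real ciphertext comes from the pyc.

```python
def recover_xor_key(ciphertext: bytes, known_prefix: bytes, key_len: int = 4) -> bytes:
    """Known-plaintext attack on a repeating XOR: key[i] = c[i] ^ p[i] for the first key_len bytes."""
    if len(known_prefix) < key_len or len(ciphertext) < len(known_prefix):
        raise ValueError(f"need at least {key_len} bytes of known plaintext and ciphertext")
    key = bytes(ciphertext[i] ^ known_prefix[i] for i in range(key_len))
    # Extra known bytes must match the key wrapping around; if not, key_len is wrong.
    for i in range(key_len, len(known_prefix)):
        if ciphertext[i] ^ known_prefix[i] != key[i % key_len]:
            raise ValueError("known prefix is inconsistent with a repeating key of this length")
    return key


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """ans[i] = flag[i] ^ xorr[i % len(key)], exactly the decompiled loop (it is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def solve(ciphertext: bytes, prefix: bytes = b"HDCTF{") -> bytes:
    """Recover the key from the flag prefix and decrypt the whole ciphertext."""
    key = recover_xor_key(ciphertext, prefix)
    flag = xor_repeat(ciphertext, key)
    if not flag.endswith(b"}"):
        raise ValueError("recovered key does not yield a well-formed flag")
    return flag


# Constructed sample: a made-up key and flag, encrypted with the same loop.
SAMPLE_KEY = bytes([0x5A, 0x13, 0x77, 0x21])
SAMPLE_CT = xor_repeat(b"HDCTF{constructed_sample_flag}", SAMPLE_KEY)

if __name__ == "__main__":
    print(recover_xor_key(SAMPLE_CT, b"HDCT").hex(), solve(SAMPLE_CT))
```

With the real data, replace `SAMPLE_CT` by the `ans` bytes read from the decompiled module; the same call with `b"HDCTF{"` both recovers the key and validates it.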

enc

A key has to be entered first to start the program. The key is TEA-encrypted; the expected result is known and so is the encryption routine, so all that is needed is a decryption script:

The TEA encryption routine as decompiled. `v4` is the running sum (subtracting 0x61C88647 mod 2^32 is the same as adding the TEA delta 0x9E3779B9), `v6`/`v5` are the two 32-bit halves and `a2` is the 128-bit key:

```c
v4 = 0;
for ( i = 0; i < 0x20; ++i )
{
    v4 -= 0x61C88647;
    v6 += (a2[1] + (v5 >> 5)) ^ (v4 + v5) ^ (*a2 + 16 * v5);
    v5 += (a2[3] + (v6 >> 5)) ^ (v4 + v6) ^ (a2[2] + 16 * v6);
}
```
```cpp
#include <iostream>
#include <cstdint>
using namespace std;

int main()
{
    // Computing the final sum: 32 rounds of v4 -= 0x61C88647 starting from 0
    // unsigned int aaa = 0;
    // for (int i = 0; i < 32; i++)
    //     aaa -= 1640531527;   // sum
    // cout << aaa;

    uint32_t v4 = 0xC6EF3720;                     // sum after 32 rounds
    uint32_t v5 = 0x236DBEC;                      // ciphertext word 1
    uint32_t v6 = 0x60FCDEF7;                     // ciphertext word 2
    uint32_t a2[4] = { 0x12, 0x34, 0x56, 0x78 };  // key
    // Same three steps in reverse order; += becomes -= and -= becomes +=
    for (int i = 0; i < 0x20; ++i)
    {
        v5 -= (a2[3] + (v6 >> 5)) ^ (v4 + v6) ^ (a2[2] + 16 * v6);
        v6 -= (a2[1] + (v5 >> 5)) ^ (v4 + v5) ^ (*a2 + 16 * v5);
        v4 += 0x61C88647;
    }
    cout << v5 << ' ' << v6 << endl;
    return 0;
}
```

Result: 3 and 4.

3 is the key.
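The same TEA in Python, as an added cross-check that is not part of the original writeup. It keeps the standard TEA names, so against the decompiled loop `v6` is `v0`, `v5` is `v1`, `v4` is `sum` and `a2` is the key; every operation is masked to 32 bits, which is the part that silently goes wrong when this is ported from C without care. `tea_sum` reproduces the 0xC6EF3720 constant the script above hard-codes, and the `__main__` block feeds in the same ciphertext and key as that script.

```python
MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9  # the decompiler's "v4 -= 0x61C88647" is "sum += 0x9E3779B9" mod 2**32


def tea_sum(rounds: int = 32) -> int:
    """Value of sum after `rounds` additions of DELTA (0xC6EF3720 for 32 rounds)."""
    return (DELTA * rounds) & MASK


def tea_encrypt(v0: int, v1: int, key, rounds: int = 32):
    """Standard TEA block encryption of two 32-bit words with a 4-word key."""
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(rounds):
        s = (s + DELTA) & MASK
        v0 = (v0 + ((((v1 << 4) & MASK) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + ((((v0 << 4) & MASK) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
    return v0, v1


def tea_decrypt(v0: int, v1: int, key, rounds: int = 32):
    """Inverse: start from the final sum, undo the steps in reverse order, += turned into -=."""
    k0, k1, k2, k3 = key
    s = tea_sum(rounds)
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) & MASK) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK
        v0 = (v0 - ((((v1 << 4) & MASK) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


if __name__ == "__main__":
    KEY = (0x12, 0x34, 0x56, 0x78)  # key from the binary, as in the C++ script
    # ciphertext as in the C++ script: v6 (= v0) = 0x60FCDEF7, v5 (= v1) = 0x0236DBEC
    v0, v1 = tea_decrypt(0x60FCDEF7, 0x0236DBEC, KEY)
    print(hex(tea_sum()), v1, v0)
```

Because subtraction on Python ints can go negative, the trailing `& MASK` in `tea_decrypt` is what turns the result back into the two's-complement value the C code computes.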

On to the next function: the key (3) is passed into it, and stepping into the calls eventually reaches the SMC part:

```c
for ( i = 0; ; ++i )
{
    result = i;
    if ( i >= a2 )
        break;
    *(i + a1) ^= a3;
}
```

The XOR operand `a3` is the 3 we just recovered.

Which code does this SMC routine decrypt? Look at the caller:

```c
if ( !j_strcmp(Str1, ".hdctf") )
    return sub_411221(*(Str1 + 3) + a1, *(Str1 + 4), a2);
```

So it is the code in the `.hdctf` section that was encrypted. `Str1` points at the section header: with DWORD indexing, `*(Str1 + 3)` is `VirtualAddress` (offset 12 in `IMAGE_SECTION_HEADER`) and `*(Str1 + 4)` is `SizeOfRawData` (offset 16), so the loop XORs `SizeOfRawData` bytes starting at image base + `VirtualAddress`. The section looks like this:

```
.hdctf:0041D000                               ; ---------------------------------------------------------------------------
.hdctf:0041D000 ; Section 3. (virtual address 0001D000)
.hdctf:0041D000 ; Virtual size : 000015B4 ( 5556.)
.hdctf:0041D000 ; Section size in file : 00001600 ( 5632.)
.hdctf:0041D000 ; Offset to raw data for section: 0000BE00
.hdctf:0041D000 ; Flags E0000020: Text Executable Readable Writable
.hdctf:0041D000 ; Alignment : default
.hdctf:0041D000 ; ===========================================================================
.hdctf:0041D000
.hdctf:0041D000 ; Segment type: Pure code
.hdctf:0041D000 ; Segment permissions: Read/Write/Execute
.hdctf:0041D000 _hdctf segment para public 'CODE' use32
.hdctf:0041D000 assume cs:_hdctf
.hdctf:0041D000 ;org 41D000h
.hdctf:0041D000 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
.hdctf:0041D000
.hdctf:0041D000 loc_41D000: ; CODE XREF: sub_411302↑j
.hdctf:0041D000 56 push esi
.hdctf:0041D001 88 EF mov bh, ch
.hdctf:0041D003 82 EF 4F sub bh, 4Fh ; 'O'
.hdctf:0041D006 06 push es
.hdctf:0041D007 03 03 add eax, [ebx]
.hdctf:0041D009 50 push eax
.hdctf:0041D00A 55 push ebp
.hdctf:0041D00B 54 push esp
.hdctf:0041D00B
.hdctf:0041D00B ; ---------------------------------------------------------------------------
.hdctf:0041D00C 8E BE 37 FF FC FC BA F0 03 03+dd 0FF37BE8Eh, 0F0BAFCFCh, 0BB030303h, 0CFCFCFCFh, 7A2A8F0h, 30034123h, 0FF468AC6h, 415335BAh, 478BEB03h
.hdctf:0041D00C 03 BB CF CF CF CF F0 A8 A2 07+dd 46C5FCFCh, 46C50CD7h, 46C597D6h, 46C5ADD5h, 46C5F1D4h, 46C5C3DBh, 46C554DAh, 46C5C1D9h, 46C5E3D8h
.hdctf:0041D00C 23 41 03 30 C6 8A 46 FF BA 35+dd 46C599DFh, 46C546DEh, 46C534DDh, 46C553DCh, 46C5F6E3h, 46C5A3E2h, 46C55DE1h, 46C5C8E0h, 46C52FE7h
.hdctf:0041D00C 53 41 03 EB 8B 47 FC FC C5 46+dd 46C515E6h, 46C52BE5h, 46C52AE4h, 46C5FDEBh, 46C5FCEAh, 46C530E9h, 46C545E8h, 46C50DEFh, 46C554EEh
.hdctf:0041D00C D7 0C C5 46 D6 97 C5 46 D5 AD+dd 46C581EDh, 46C521ECh, 46C551F3h, 46C525F2h, 46C528F1h, 46C56DF0h, 46C5E7F7h, 46C581F6h, 36B27F5h
.hdctf:0041D00C C5 46 D4 F1 C5 46 DB C3 C5 46+dd 69030302h, 0CF868E03h, 53FCFCFDh, 0FC4259EBh, 0FC780FCh, 530B4688h, 0FC4748EBh, 7C780FCh, 0FDC3868Ah
.hdctf:0041D00C DA 54 C5 46 D9 C1 C5 46 D8 E3+dd 77A2FCFCh, 8A0342FFh, 0FCFDAB86h, 7B0E88FCh, 8A0342FFh, 0FCFDAF8Eh, 7F1688FCh, 8A0342FFh, 0FCFDB396h
.hdctf:0041D00C C5 46 DF 99 C5 46 DE 46 C5 46+dd 83A265FCh, 650342FFh, 0FDB7868Ah, 0E89FCFCh, 342FF81h, 0FDB58E8Bh, 86C5FCFCh, 0FCFCFD9Ch, 5F86C403h
.hdctf:0041D00C DD 34 C5 46 DC 53 C5 46 E3 F6+dd 3FCFCFFh, 0C4030303h, 0FCFF7786h, 30303FCh, 880CE803h, 0FCFF7786h, 2C380FCh, 0FF77868Ah, 0BE82FCFCh
.hdctf:0041D00C C5 46 E2 A3 C5 46 E1 5D C5 46+dd 0FCFCFF77h, 3030203h, 8688477Eh, 0FCFCFF77h, 0FF778E89h, 8F8BFCFCh, 0FCFE9706h, 0AB868EFCh, 53FCFCFDh
.hdctf:0041D00C E0 C8 C5 46 E7 2F C5 46 E6 15+dd 0FC40ACEBh, 7C780FCh, 8688CB88h, 0FCFCFF77h, 0F2F4D130h, 0FF778688h, 8F89FCFCh, 0FCFDAB16h, 68F8BFCh
.hdctf:0041D00C C5 46 E5 2B C5 46 E4 2A C5 46+dd 0FCFCFF8Fh, 86C4A2E8h, 0FCFCFF77h, 3030303h, 86880CE8h, 0FCFCFF77h, 8A02C380h, 0FCFF7786h, 77BE82FCh
.hdctf:0041D00C EB FD C5 46 EA FC C5 46 E9 30+dd 3FCFCFFh, 7E030302h, 7786887Ch, 0CFCFCFFh, 97068FB5h, 0FCFCFEh, 0FCFF5F8Eh, 779688FCh, 0CFCFCFFh
.hdctf:0041D00C C5 46 E8 45 C5 46 EF 0D C5 46+dd 8F1687B5h, 0FCFCFFh, 0FCE282CBh, 7A830303h, 0CA824A0Bh, 0FCFCFC03h, 5F8E8A42h, 88FCFCFFh, 0FCFF7786h
.hdctf:0041D00C EE 54 C5 46 ED 81 C5 46 EC 21+dd 68F89FCh, 0FCFCFE97h, 0FF808E8Bh, 8688FCFCh, 0FCFCFF77h, 0FF5F8E88h, 9789FCFCh, 0FCFE970Eh, 6978BFCh
.hdctf:0041D00C C5 46 F3 51 C5 46 F2 25 C5 46+dd 0FCFCFE97h, 0FF5F8688h, 8E89FCFCh, 0FCFCFF80h, 97068F8Bh, 0EAFCFCFEh, 0FCFCFC65h, 0FF6B86C4h, 303FCFCh
.hdctf:0041D00C F1 28 C5 46 F0 6D C5 46 F7 E7+dd 86880303h, 0FCFCFF6Bh, 0FF77868Ah, 86C4FCFCh, 0FCFCFF53h, 3030303h, 86880CE8h, 0FCFCFF53h, 8A02C380h
.hdctf:0041D00C C5 46 F6 81 C5 46 F5 27 6B 03+dd 0FCFF5386h, 538688FCh, 38FCFCFFh, 0FCFDC386h, 0D88E0CFCh, 88030303h, 0FCFF7786h, 2C380FCh, 303FC26h
.hdctf:0041D00C 02 03 03 69 03 8E 86 CF FD FC+dd 4B047A83h, 0FCFC030Eh, 868A43FCh, 0FCFCFF77h, 0FF778688h, 0B50CFCFCh, 0FE97068Fh, 8E00FCFCh, 0FCFCFF6Bh
.hdctf:0041D00C FC 53 EB 59 42 FC FC 80 C7 0F+dd 3FCE282h, 0B7A8303h, 3CA824Ah, 42FCFCFCh, 0FF6B8E8Ah, 8688FCFCh, 0FCFCFF77h, 97068F89h, 8BFCFCFEh
.hdctf:0041D00C 88 46 0B 53 EB 48 47 FC FC 80+dd 0FCFF808Eh, 778688FCh, 88FCFCFFh, 0FCFF6B8Eh, 0E9789FCh, 0FCFCFE97h, 9706978Bh, 88FCFCFEh, 0FCFF6B86h
.hdctf:0041D00C C7 07 8A 86 C3 FD FC FC A2 77+dd 808E89FCh, 8BFCFCFFh, 0FE97068Fh, 4688FCFCh, 5386000Bh, 0CFCFCFFh, 96880BBDh, 0FCFCFF77h, 1687B50Ch
.hdctf:0041D00C FF 42 03 8A 86 AB FD FC FC 88+dd 0FCFCFE97h, 0FF6B9688h, 0B50CFCFCh, 0FE971697h, 0C100FCFCh, 303FC26h, 4B047A83h, 0FCFC030Eh, 0B50C43FCh
.hdctf:0041D00C 0E 7B FF 42 03 8A 8E AF FD FC+dd 0FE970687h, 0CB30FCFCh, 0FF539688h, 8F8BFCFCh, 0FCFDCF16h, 0FC07EAFCh, 86C4FCFCh, 0FCFCFF47h, 3030302h
.hdctf:0041D00C FC 88 16 7F FF 42 03 8A 96 B3+dd 530B4688h, 0FC42B0EBh, 7C780FCh, 7720FB80h, 4786C409h, 3FCFCFFh, 0C4030303h, 0FCFF3B86h, 30303FCh
.hdctf:0041D00C FD FC FC 65 A2 83 FF 42 03 65+dd 880CE803h, 0FCFF3B86h, 2C380FCh, 0FF3B868Ah, 468EFCFCh, 7EEB53D7h, 80FCFC42h, 863A07C7h, 0FCFCFF3Bh
.hdctf:0041D00C 8A 86 B7 FD FC FC 89 0E 81 FF+dd 86882870h, 0FCFCFF3Bh, 64FB50Ch, 3B9688D7h, 0CFCFCFFh, 0CF1687B5h, 38FCFCFDh, 0C40F77CBh, 0FCFF4786h
.hdctf:0041D00C 42 03 8B 8E B5 FD FC FC C5 86+dd 30303FCh, 0E801E803h, 47BE80B1h, 3FCFCFFh, 8B6B0C77h, 0EB0342FFh, 0FCFC3E58h, 0E807C780h, 0FF976B0Eh
.hdctf:0041D00C 9C FD FC FC 03 C4 86 5F FF FC+dd 4FEB0342h, 80FCFC3Eh, 885107C7h, 168E53CEh, 342D73Bh, 0FC3DEBEBh, 5C595BFCh, 4E88585Dh, 0EBCE30FFh
.hdctf:0041D00C FC 03 03 03 03 C4 86 77 FF FC+dd 0FCFC3D01h, 64FC782h, 0EF380303h, 0FC3C3CEBh, 5EE688FCh, 31C0CC0h, 3030306h, 342D743h, 0FCFCFCD7h
.hdctf:0041D00C FC 03 03 03 03 E8 0C 88 86 77+dd 3030320h, 342D788h, 0FCFCFDCFh, 3030203h, 342D787h, 0FCFCFDABh, 303030Ch, 342D783h, 0FCFCFE97h, 3030203h
.hdctf:0041D00C FF FC FC 80 C3 02 8A 86 77 FF+dd 342D77Dh, 0FCFCFF8Fh, 3030203h, 342D77Fh, 3700368h, 37A6668h, 7377766Ch, 65037776h, 364626Fh, 449h dup(0CFCFCFCFh)
.hdctf:0041D00C FC FC 82 BE 77 FF FC FC 03 02+dd 13h dup(3030303h)
.hdctf:0041E600 ?? ?? ?? ?? ?? ?? ?? ?? ?? ??+dd 280h dup(?)
.hdctf:0041E600 ?? ?? ?? ?? ?? ?? ?? ?? ?? ??+_hdctf ends
.hdctf:0041E600 ?? ?? ?? ?? ?? ?? ?? ?? ?? ??+
```

After decrypting it with an IDC script, what comes out is an RC4 routine, which is straightforward, so I won't go into it.
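The IDC script is not reproduced above, so here is an added, stand-alone equivalent (not the author's script) that does the same XOR statically on the file instead of in IDA: it walks the PE header to the `.hdctf` section header, reads `PointerToRawData` and `SizeOfRawData` from the same `IMAGE_SECTION_HEADER` fields the loader code indexes, and XORs that many bytes with the key. `build_test_pe` constructs a minimal PE container for the demo, because the challenge binary is not on the page; `HDCTF_HEAD` is the first 12 bytes copied from the dump above. XORing them with 3 gives `55 8B EC 81 EC 4C 05 00 00 53 56 57`, i.e. `push ebp; mov ebp, esp; sub esp, 0x54C; push ebx; push esi; push edi`, the usual MSVC prologue, which is a quick confirmation that 3 really is the key before patching the whole section.

```python
import struct

# First 12 bytes of the encrypted .hdctf section, copied from the IDA dump above
# (0041D000: 56 88 EF 82 EF 4F 06 03 03 50 55 54).
HDCTF_HEAD = bytes.fromhex("5688ef82ef4f060303505554")


def find_section(pe: bytes, name: bytes):
    """Locate a section by name; returns (PointerToRawData, SizeOfRawData, VirtualAddress)."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    (num_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)   # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)      # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        off = table + 40 * i
        if pe[off:off + 8].rstrip(b"\0") == name:
            # VirtualSize @8, VirtualAddress @12, SizeOfRawData @16, PointerToRawData @20
            _vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
            return raw_ptr, raw_size, va
    raise ValueError(f"section {name!r} not found")


def xor_section(pe: bytes, name: bytes, key: int) -> bytes:
    """Static version of the SMC loop: XOR SizeOfRawData bytes of the section with key."""
    raw_ptr, raw_size, _va = find_section(pe, name)
    out = bytearray(pe)
    for i in range(raw_ptr, raw_ptr + raw_size):
        out[i] ^= key
    return bytes(out)


def build_test_pe(name: bytes, payload: bytes, raw_ptr: int = 0x200, va: int = 0x1D000) -> bytes:
    """Constructed minimal PE32 image; only the fields find_section reads are meaningful."""
    e_lfanew = 0x40
    img = bytearray(b"MZ".ljust(e_lfanew, b"\0"))
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    opt_size = 0xE0
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptHdr, Characteristics
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    img += struct.pack("<H", 0x10B).ljust(opt_size, b"\0")       # PE32 magic, rest zeroed
    img += name.ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(payload), va, len(payload), raw_ptr, 0, 0, 0, 0, 0xE0000020)
    img += b"\0" * (raw_ptr - len(img))
    return bytes(img + payload)


def decrypted_prologue(key: int = 3) -> bytes:
    """Run the XOR over the constructed image and return the decrypted section head."""
    pe = build_test_pe(b".hdctf", HDCTF_HEAD)
    raw_ptr, _, _ = find_section(pe, b".hdctf")
    return xor_section(pe, b".hdctf", key)[raw_ptr:raw_ptr + len(HDCTF_HEAD)]


if __name__ == "__main__":
    print(decrypted_prologue().hex())
```

For the real binary, read the file, call `xor_section(data, b".hdctf", 3)` and write the result out; IDA then disassembles the section directly and the RC4 routine is visible without running the program.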

买了些什么呢

Just look around; the text prompt already spells it out: knapsack capacity 50, 40 items, maximise the total value. It's a 0/1 knapsack problem, so a template solver does the job.

The one thing to note is that the item prices and weights look randomly generated, but the program seeds the RNG with 1, so the same values come out on every run.

The exp I borrowed:

```cpp
#include <bits/stdc++.h>
using namespace std;
const int N = 1005;               // 40 items / capacity 50 here; N = 1e4+5 made p[N][N] a 400 MB table
int f[N], p[N][N], w[N], v[N];    // f[j]: best value with capacity j; p[i][j]: item i taken at capacity j

int main()
{
    int n, m;
    // Read the number of items first, then the knapsack capacity
    cin >> n >> m;
    for (int i = 1; i <= n; i++)
        cin >> w[i] >> v[i];
    // Process items from n down to 1 so that p[i][j] can be traced forward from item 1
    for (int i = n; i >= 1; i--)
    {
        for (int j = m; j >= w[i]; j--)
        {
            if (f[j] < f[j - w[i]] + v[i])
            {
                f[j] = f[j - w[i]] + v[i];
                p[i][j] = 1;
            }
        }
    }
    cout << f[m] << '\n';
    // Reconstruct the chosen items; the -14 offset is from the original script,
    // adjust it to match how the binary numbers its items
    for (int i = 1, j = m; i <= n && j >= 0; i++)
    {
        if (p[i][j])
        {
            cout << i - 14 << " ";
            j -= w[i];
        }
    }
    return 0;
}
```
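The knapsack itself is textbook; the useful part offline is the seed note: with `srand(1)` the item table is fixed, so it can be regenerated without running the binary. The block below is an added example, not the author's exp. `msvc_rand` reproduces the MSVC CRT `rand()` generator (assumption: the challenge was built with MSVC; glibc's `rand()` uses a different generator and would give other values), `knapsack` returns the best value together with the chosen item indices, and the weight/value formulas in `solve_shop` (`rand() % 10 + 1` and `rand() % 100 + 1`) are placeholders to be replaced with whatever the binary actually computes from each `rand()` call.

```python
def msvc_rand(seed: int = 1):
    """Generator reproducing MSVC CRT rand() after srand(seed).
    Assumption: the binary links the MSVC runtime. state = state*214013 + 2531011 (mod 2^32),
    output = (state >> 16) & 0x7FFF; srand(1) yields 41, 18467, 6334, ..."""
    state = seed & 0xFFFFFFFF
    while True:
        state = (state * 214013 + 2531011) & 0xFFFFFFFF
        yield (state >> 16) & 0x7FFF


def knapsack(weights, values, capacity):
    """0/1 knapsack; returns (best_value, sorted list of chosen 0-based item indices)."""
    n = len(weights)
    # best[i][c]: best value using the first i items with capacity c
    best = [[0] * (capacity + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        w, v = weights[i - 1], values[i - 1]
        for c in range(capacity + 1):
            best[i][c] = best[i - 1][c]
            if c >= w and best[i - 1][c - w] + v > best[i][c]:
                best[i][c] = best[i - 1][c - w] + v
    # Walk back: item i is in the solution iff it changed the optimum at the current capacity
    chosen, c = [], capacity
    for i in range(n, 0, -1):
        if best[i][c] != best[i - 1][c]:
            chosen.append(i - 1)
            c -= weights[i - 1]
    chosen.reverse()
    return best[n][capacity], chosen


def solve_shop(seed: int = 1, n_items: int = 40, capacity: int = 50):
    """Regenerate the shop's item table from the seed and solve it.
    The two formulas below are hypothetical; read the real ones off the binary."""
    rng = msvc_rand(seed)
    weights, values = [], []
    for _ in range(n_items):
        weights.append(next(rng) % 10 + 1)    # placeholder weight formula
        values.append(next(rng) % 100 + 1)    # placeholder value formula
    best, chosen = knapsack(weights, values, capacity)
    return best, chosen, weights, values


if __name__ == "__main__":
    best, chosen, weights, values = solve_shop()
    print(best, chosen, sum(weights[i] for i in chosen))
```

The order of the `next(rng)` calls matters as much as the formulas: if the binary draws the value before the weight, or draws something else in between, the regenerated table will be shifted and the answer wrong, so verify the first few items against what the program prints.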