ukfc周会

First Post:

2023-05-19

Last Update:

2023-09-14

这次周会主题就是ctf逆向的入门，精选了四道有趣的逆向题目，都是简单入门题

[2023春秋杯 sum]

考点：逆向分析的能力

main函数：

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char *v3; // rbp
  int v4; // r14d
  unsigned int v5; // r12d
  __int64 i; // rbx
  char v7; // al
  int v8; // eax
  const char *v9; // rax

  v3 = (char *)&matrix;
  v4 = 1;
  v5 = 0;
  puts("Welcome to Solver!");
  do
  {
    for ( i = 0LL; i != 9; ++i )
    {
      if ( !v3[i] )
      {
        v7 = getchar();
        if ( (unsigned __int8)(v7 - 49) > 8u )
          v4 = 0;
        else
          v3[i] = v7 - 48;
      }
      v8 = v3[i];
      v5 += v8;
    }
    v3 += 9;
  }
  while ( v3 != (char *)&matrix + 81 );
  if ( v4 && (unsigned int)verify("Welcome to Solver!", argv) )
  {
    puts("You Win!");
    __snprintf_chk(buf, 32LL, 1LL, 32LL, "%d", v5);
    v9 = (const char *)str2md5(buf, strlen(buf));
    __printf_chk(1LL, "flag is: flag{%s}\n\n", v9);
    exit(0);
  }
  puts("Again~");
  return 0;
}

首先是一个do while嵌套for的一个81次的循环，循环时当v3[i]的值等于0，会让用户输入一个字符，并且该输入必须在0-9之间

那么接下来进入verify函数：

不仔细看的话中等复杂，但他肯定是一段验证程序，因为它在if条件里嘛，满足条件就是win了。分析的话要么动调，要么为了省事直接问gpt（这个题效果还不错，有时候小心他会胡说八道）：

solve：

知道是数独，提取出81个数据，找个在线网站解一下数独，再运行程序填进去flag就输出了

[GDOUCTF 2023]doublegame

考点：动态调试，交叉引用

直接运行程序是一个贪吃蛇游戏，撞壁游戏就结束了。

拖入ida，因为没有main函数，所以通过字符串来定位关键逻辑：

看到挺多0，跟进去，来到了这么一个函数：

void __noreturn sub_140012CF0()
{
  char *v0; // rdi
  __int64 i; // rcx
  char v2; // [rsp+20h] [rbp+0h] BYREF
  char Buffer[22]; // [rsp+30h] [rbp+10h] BYREF
  char v4[44]; // [rsp+46h] [rbp+26h] BYREF
  char v5[44]; // [rsp+72h] [rbp+52h] BYREF
  char v6[44]; // [rsp+9Eh] [rbp+7Eh] BYREF
  char v7[44]; // [rsp+CAh] [rbp+AAh] BYREF
  char v8[44]; // [rsp+F6h] [rbp+D6h] BYREF
  char v9[44]; // [rsp+122h] [rbp+102h] BYREF
  char v10[44]; // [rsp+14Eh] [rbp+12Eh] BYREF
  char v11[44]; // [rsp+17Ah] [rbp+15Ah] BYREF
  char v12[44]; // [rsp+1A6h] [rbp+186h] BYREF
  char v13[66]; // [rsp+1D2h] [rbp+1B2h] BYREF
  int j; // [rsp+214h] [rbp+1F4h]
  int v15; // [rsp+234h] [rbp+214h]
  int v16; // [rsp+254h] [rbp+234h]
  int v17; // [rsp+274h] [rbp+254h]
  int v18; // [rsp+294h] [rbp+274h]
  _DWORD v19[25]; // [rsp+2C0h] [rbp+2A0h] BYREF
  char v20[100]; // [rsp+324h] [rbp+304h] BYREF
  char v21[828]; // [rsp+388h] [rbp+368h] BYREF
  char v22; // [rsp+6C4h] [rbp+6A4h]
  int v23; // [rsp+6E4h] [rbp+6C4h]
  int v24; // [rsp+704h] [rbp+6E4h]

  v0 = &v2;
  for ( i = 448i64; i; --i )
  {
    *(_DWORD *)v0 = -858993460;
    v0 += 4;
  }
  sub_14001141A(&unk_1400290A6);
  strcpy(Buffer, "000000000000000000000");
  strcpy(v4, "0 0 0 0     0     0 0");
  strcpy(&v4[22], "0 0 0 00000 00000 0 0");
  strcpy(v5, "0 0               0 0");
  strcpy(&v5[22], "0 000 000 0 000 0 0 0");
  strcpy(v6, "0 0     0 0 0   0 0 0");
  strcpy(&v6[22], "0 0 0 00000 000 000 0");
  strcpy(v7, "0 0 0     0   0 0    ");
  strcpy(&v7[22], "0 000 0 0 000 0 0 0 0");
  strcpy(v8, "0     0 0 0 0 0 0 0 0");
  strcpy(&v8[22], "0 00000 000 000 0 0 0");
  strcpy(v9, "0     0       0   0 0");
  strcpy(&v9[22], "000 0 0 0 000 0 0 0 0");
  strcpy(v10, "0 0 0 0 0 0 * 0 0 0 0");
  strcpy(&v10[22], "0 0000000 0 000 00000");
  strcpy(v11, "@       0 0         0");
  strcpy(&v11[22], "0 0 0 0 0 00000000000");
  strcpy(v12, "0 0 0 0             0");
  strcpy(&v12[22], "000 0 00000 0 000 000");
  strcpy(v13, "0         0 0   0   0");
  strcpy(&v13[22], "000000000000000000000");
  v11[4] = 48;
  strcpy((char *)v19, "Please to save the cat!");
  memset(&v19[6], 0, 0x4Cui64);
  strcpy(v20, "the score is saving cat's key!\n");
  memset(&v20[32], 0, 0x44ui64);
  qmemcpy(v21, &unk_14001D340, 0x47ui64);
  memset(&v21[71], 0, 729);
  sub_1400111F9("path\n");
  v23 = 0;
  v24 = 0;
  v15 = 15;
  v16 = 0;
  v17 = 7;
  v18 = 20;
  for ( j = 0; j <= 20; ++j )
    puts(&Buffer[22 * j]);
  sub_1400111F9("Please to save the cat!\n");
  while ( v15 != v17 || v16 != v18 )
  {
    v22 = getchar();
    switch ( v22 )
    {
      case 's':
        if ( Buffer[22 * v15 + 22 + v16] != 48 )
        {
          Buffer[22 * v15++ + v16] = 32;
          Buffer[22 * v15 + v16] = 64;
        }
        break;
      case 'w':
        if ( Buffer[22 * v15 - 22 + v16] != 48 )
        {
          Buffer[22 * v15-- + v16] = 32;
          Buffer[22 * v15 + v16] = 64;
        }
        break;
      case 'a':
        if ( Buffer[22 * v15 - 1 + v16] != 48 )
        {
          if ( Buffer[22 * v15 - 1 + v16] == 42 )
            v7[20] = 48;
          Buffer[22 * v15 + v16--] = 32;
          Buffer[22 * v15 + v16] = 64;
        }
        break;
      default:
        if ( v22 == 100 && Buffer[22 * v15 + 1 + v16] != 48 )
        {
          Buffer[22 * v15 + v16++] = 32;
          Buffer[22 * v15 + v16] = 64;
        }
        break;
    }
    system("cls");
    for ( j = 0; j <= 20; ++j )
      puts(&Buffer[22 * j]);
    puts((const char *)&v19[25 * v23]);
    if ( v7[20] == 48 )
    {
      v24 = sub_140011433(0i64);
      if ( v24 == 13376013 )
      {
        v23 = 1;
        v7[20] = 32;
        Buffer[22 * v15 + v16] = 32;
        v15 = 15;
        v16 = 0;
        v11[0] = 64;
        ++v23;
      }
      else
      {
        sub_1400111F9("error");
      }
    }
  }
  system("cls");
  Sleep(0x1F4u);
  Sleep(0xBB8u);
  sub_140011492();
  exit(0);
}

很明显是一个迷宫，但刚才的贪吃蛇哪去了（因为是double game啦），那么就再交叉引用看看谁调用了这个迷宫的函数，一直可以追到贪吃蛇游戏里：

这个dword_140022CD0就是当前得分了，当它＞13371337时就会跳转到迷宫游戏

逻辑清楚了，那么在判断分数前下个断点，贪吃蛇游戏结束之后断下来，修改两次标志位（sf）跳转到迷宫游戏

接下来通过wsad控制上下左右走迷宫，先把小猫救出来后，程序会让输入key（其实就是贪吃蛇分数13371337），也可以通过判断key的逻辑再把key逆出来：

if ( v7[20] == '0' )
   {
     v25 = sub_7FF777D31433(0i64);
     if ( v25 == 13376013 )

__int64 __fastcall sub_7FF777D31E10(unsigned int a1)
{
  unsigned int v2; // [rsp+120h] [rbp+100h] BYREF

  v2 = a1;
  sub_7FF777D3141A(&unk_7FF777D490A6);
  sub_7FF777D311F9("do you know the key to open the door\n");
  sub_7FF777D3126C("%d", &v2);
  v2 ^= 0x1DC4u;
  return v2;
}

所以为了使v25=13376013，需要v2^0x1dc4=13376013,那么key就是13376013^13376013=13371337

输入key之后，又回到原点了，再走一下迷宫，flag就是{key+md5(最短路径)}

[HDCTF 2023]fake_game

考点：pyc反编译，z3解方程

做了两道exe的题目了，再来一道python的题目

题目附件虽然是exe，但这个使python打包的exe文件，需要用到pyinstxtractor-master进行解包，输入命令：python pyinstxtractor.py fake_game.exe即可

在文件夹下找到game.pyc文件，找在线网站即可反编译成py文件，推荐：在线Python pyc文件编译与反编译 (lddgo.net)

反编译代码如下：

# uncompyle6 version 3.9.0
# Python bytecode version base 3.8.0 (3413)
# Decompiled from: Python 3.6.12 (default, Feb  9 2021, 09:19:15) 
# [GCC 8.3.0]
# Embedded file name: game.py
import pygame, random
from win32api import MessageBox
IMAGE_PATH = 'imgs/'
scrrr_width = 800
scrrr_height = 560
GAMEOVER = False
LOG = '文件:{}中的方法:{}出错'.format(__file__, __name__)

class Map:
    map_names_list = [
     IMAGE_PATH + 'map1.png', IMAGE_PATH + 'map2.png']

    def __init__(self, x, y, img_index):
        self.image = pygame.image.load(Map.map_names_list[img_index])
        self.position = (x, y)
        self.can_grow = True

    def load_map(self):
        MainGame.window.blit(self.image, self.position)


class Plant(pygame.sprite.Sprite):

    def __init__(self):
        super(Plant, self).__init__()
        self.live = True

    def load_image(self):
        if hasattr(self, 'image') and hasattr(self, 'rect'):
            MainGame.window.blit(self.image, self.rect)
        else:
            print(LOG)


class Sunflower(Plant):

    def __init__(self, x, y):
        super(Sunflower, self).__init__()
        self.image = pygame.image.load('imgs/sunflower.png')
        self.rect = self.image.get_rect()
        self.rect.x = x
        self.rect.y = y
        self.price = 50
        self.hp = 100
        self.time_count = 0

    def produce_money(self):
        self.time_count += 1
        if self.time_count == 25:
            MainGame.money += 5
            self.time_count = 0

    def display_sunflower(self):
        MainGame.window.blit(self.image, self.rect)


class PeaShooter(Plant):

    def __init__(self, x, y):
        super(PeaShooter, self).__init__()
        self.image = pygame.image.load('imgs/peashooter.png')
        self.rect = self.image.get_rect()
        self.rect.x = x
        self.rect.y = y
        self.price = 50
        self.hp = 200
        self.shot_count = 0

    def shot(self):
        should_fire = False
        for zombie in MainGame.zombie_list:
            if zombie.rect.y == self.rect.y and zombie.rect.x < 800 and zombie.rect.x > self.rect.x:
                should_fire = True
        else:
            if self.live:
                if should_fire:
                    self.shot_count += 1
                    if self.shot_count == 25:
                        peabullet = PeaBullet(self)
                        MainGame.peabullet_list.append(peabullet)
                        self.shot_count = 0

    def display_peashooter(self):
        MainGame.window.blit(self.image, self.rect)


class PeaBullet(pygame.sprite.Sprite):

    def __init__(self, peashooter):
        self.live = True
        self.image = pygame.image.load('imgs/peabullet.png')
        self.damage = 50
        self.speed = 10
        self.rect = self.image.get_rect()
        self.rect.x = peashooter.rect.x + 60
        self.rect.y = peashooter.rect.y + 15

    def move_bullet(self):
        if self.rect.x < scrrr_width:
            self.rect.x += self.speed
        else:
            self.live = False

    def hit_zombie(self):
        for zombie in MainGame.zombie_list:
            if pygame.sprite.collide_rect(self, zombie):
                self.live = False
                zombie.hp -= self.damage
                if zombie.hp <= 0:
                    zombie.live = False
                    self.nextLevel()

    def nextLevel(self):
        MainGame.score += 20
        MainGame.remnant_score -= 20
        for i in range(1, 100):
            if MainGame.score == 100 * i and MainGame.remnant_score == 0:
                MainGame.remnant_score = 100 * i
                MainGame.shaoguan += 1
                MainGame.produce_zombie += 50

    def display_peabullet(self):
        MainGame.window.blit(self.image, self.rect)


class Zombie(pygame.sprite.Sprite):

    def __init__(self, x, y):
        super(Zombie, self).__init__()
        self.image = pygame.image.load('imgs/zombie.png')
        self.rect = self.image.get_rect()
        self.rect.x = x
        self.rect.y = y
        self.hp = 1000
        self.damage = 2
        self.speed = 1
        self.live = True
        self.stop = False

    def move_zombie(self):
        if self.live:
            if not self.stop:
                self.rect.x -= self.speed
                if self.rect.x < -80:
                    MainGame().gameOver()

    def hit_plant(self):
        for plant in MainGame.plants_list:
            if pygame.sprite.collide_rect(self, plant):
                self.stop = True
                self.eat_plant(plant)

    def eat_plant(self, plant):
        plant.hp -= self.damage
        if plant.hp <= 0:
            a = plant.rect.y // 80 - 1
            b = plant.rect.x // 80
            map = MainGame.map_list[a][b]
            map.can_grow = True
            plant.live = False
            self.stop = False

    def display_zombie(self):
        MainGame.window.blit(self.image, self.rect)


class MainGame:
    shaoguan = 1
    score = 0
    remnant_score = 100
    money = 200
    map_points_list = []
    map_list = []
    plants_list = []
    peabullet_list = []
    zombie_list = []
    count_zombie = 0
    produce_zombie = 100

    def init_window(self):
        pygame.display.init()
        MainGame.window = pygame.display.set_mode([scrrr_width, scrrr_height])

    def draw_text(self, content, size, color):
        pygame.font.init()
        font = pygame.font.SysFont('kaiti', size)
        text = font.render(content, True, color)
        return text

    def load_help_text(self):
        text1 = self.draw_text('1.按左键创建向日葵 2.按右键创建豌豆射手', 26, (255, 0, 0))
        MainGame.window.blit(text1, (5, 5))

    def init_plant_points(self):
        for y in range(1, 7):
            points = []
            for x in range(10):
                point = (
                 x, y)
                points.append(point)
            else:
                MainGame.map_points_list.append(points)
                print('MainGame.map_points_list', MainGame.map_points_list)

    def init_map(self):
        for points in MainGame.map_points_list:
            temp_map_list = list()
            for point in points:
                if (point[0] + point[1]) % 2 == 0:
                    map = Map(point[0] * 80, point[1] * 80, 0)
                else:
                    map = Map(point[0] * 80, point[1] * 80, 1)
                temp_map_list.append(map)
                print('temp_map_list', temp_map_list)
            else:
                MainGame.map_list.append(temp_map_list)

        else:
            print('MainGame.map_list', MainGame.map_list)

    def load_map(self):
        for temp_map_list in MainGame.map_list:
            for map in temp_map_list:
                map.load_map()

    def load_plants(self):
        for plant in MainGame.plants_list:
            if plant.live:
                if isinstance(plant, Sunflower):
                    plant.display_sunflower()
                    plant.produce_money()
                elif isinstance(plant, PeaShooter):
                    plant.display_peashooter()
                    plant.shot()
            else:
                MainGame.plants_list.remove(plant)

    def load_peabullets(self):
        for b in MainGame.peabullet_list:
            if b.live:
                b.display_peabullet()
                b.move_bullet()
                b.hit_zombie()
            else:
                MainGame.peabullet_list.remove(b)

    def deal_events(self):
        eventList = pygame.event.get()
        for e in eventList:
            if e.type == pygame.QUIT:
                self.gameOver()
            elif e.type == pygame.MOUSEBUTTONDOWN:
                print(e.pos)
                x = e.pos[0] // 80
                y = e.pos[1] // 80
                print(x, y)
                map = MainGame.map_list[y - 1][x]
                print(map.position)
                if e.button == 1:
                    if map.can_grow:
                        if MainGame.money >= 50:
                            sunflower = Sunflower(map.position[0], map.position[1])
                            MainGame.plants_list.append(sunflower)
                            print('当前植物列表长度:{}'.format(len(MainGame.plants_list)))
                            map.can_grow = False
                            MainGame.money -= 50
            elif e.button == 3 and map.can_grow and MainGame.money >= 50:
                peashooter = PeaShooter(map.position[0], map.position[1])
                MainGame.plants_list.append(peashooter)
                print('当前植物列表长度:{}'.format(len(MainGame.plants_list)))
                map.can_grow = False
                MainGame.money -= 50

    def init_zombies(self):
        for i in range(1, 7):
            dis = random.randint(1, 5) * 200
            zombie = Zombie(800 + dis, i * 80)
            MainGame.zombie_list.append(zombie)

    def load_zombies(self):
        for zombie in MainGame.zombie_list:
            if zombie.live:
                zombie.display_zombie()
                zombie.move_zombie()
                zombie.hit_plant()
            else:
                MainGame.zombie_list.remove(zombie)

    def start_game(self):
        global GAMEOVER
        xorr = [
         0] * 4
        ans = [0] * 55
        flag = [178868, 188, 56953, 2413, 178874, 131, 56957, 2313, 178867, 156, 
         56933, 2377, 178832, 202, 56899, 2314, 178830, 167, 56924, 
         2313, 178830, 167, 56938, 2383, 178822, 217, 56859, 2372]
        self.init_window()
        self.init_plant_points()
        self.init_map()
        self.init_zombies()
        while not GAMEOVER:
            MainGame.window.fill((255, 255, 255))
            MainGame.window.blit(self.draw_text('当前钱数$: {}'.format(MainGame.money), 26, (255,
                                                                                         0,
                                                                                         0)), (500,
                                                                                               40))
            MainGame.window.blit(self.draw_text('当前关数{}，得分{},距离下关还差{}分'.format(MainGame.shaoguan, MainGame.score, MainGame.remnant_score), 26, (255,
                                                                                                                                                0,
                                                                                                                                                0)), (5,
                                                                                                                                                      40))
            self.load_help_text()
            xorr[0] = MainGame.money
            xorr[1] = MainGame.shaoguan
            xorr[2] = MainGame.score
            xorr[3] = MainGame.remnant_score
            if xorr[0] * 256 - xorr[1] / 2 + xorr[2] * 23 + xorr[3] / 2 == 47118166:
                if xorr[0] * 252 - xorr[1] * 366 + xorr[2] * 23 + xorr[3] / 2 - 1987 == 46309775:
                    if xorr[0] * 6 - xorr[1] * 88 + xorr[2] / 2 + xorr[3] / 2 - 11444 == 1069997:
                        if (xorr[0] - 652) * 2 - xorr[1] * 366 + xorr[2] * 233 + xorr[3] / 2 - 13333 == 13509025:
                            for i in range(len(flag)):
                                ans[i] = flag[i] ^ xorr[i % 4]
                            else:
                                with open('flag.txt', 'w') as (f):
                                    f.write(''.join([chr(a) for a in ans]))

            self.load_map()
            self.load_plants()
            self.load_peabullets()
            self.deal_events()
            self.load_zombies()
            MainGame.count_zombie += 1
            if MainGame.count_zombie == MainGame.produce_zombie:
                self.init_zombies()
                MainGame.count_zombie = 0
            pygame.time.wait(10)
            pygame.display.update()

    def gameOver(self):
        global GAMEOVER
        MainGame.window.blit(self.draw_text('游戏结束', 50, (255, 0, 0)), (300, 200))
        print('游戏结束')
        pygame.time.wait(400)
        GAMEOVER = True


if __name__ == '__main__':
    game = MainGame()
    game.start_game()

flag初始值已给出，只需要再求出xor数组内的4个值即可，这四个值的求解就需要用到z3这个解方程工具了（如何使用就不说了，有兴趣可以百度搜一搜用法）:

from z3 import*
xorr = [BitVec("num[%d]" % i, 32) for i in range(4)]
s = Solver()
s.add(xorr[0] * 256 - xorr[1] / 2 + xorr[2] * 23 + xorr[3] / 2 == 47118166)
s.add(xorr[0] * 252 - xorr[1] * 366 + xorr[2] * 23 + xorr[3] / 2 - 1987 == 46309775)
s.add(xorr[0] * 6 - xorr[1] * 88 + xorr[2] / 2 + xorr[3] / 2 - 11444 == 1069997)
s.add((xorr[0] - 652) * 2 - xorr[1] * 366 + xorr[2] * 233 + xorr[3] / 2 - 13333 == 13509025)
if s.check() == sat:
    s = s.model()
print(s)

#xorr[1] = 248
#xorr[0] = 178940
#xorr[2] = 56890
#xorr[3] = 2361

[SCTF2019]Who is he

考点：c#的逆向

运行程序，emmm，（这段视频不错）

主要逻辑是在dll文件里的，\Who is he\Who is he_Data\Managed\Assembly-CSharp.

至于怎么定位到这个dll的，就是看文件名称，有很多Unity的，System的一看就不是，剩下没几个了，试一试就知道了

使用dnspy打开这个dll，定位到Testclick，下面有OnClick函数：

public void OnClick()
{
	Debug.Log("Button Clicked. TestClick.");
	Debug.Log(this.Name.text);
	bool flag = this.Name.text.Equals(this.Decrypt(this.EncryptData));
	if (flag)
	{
		Debug.Log("Right");
		TestClick.Messagebox.MessageBox(IntPtr.Zero, "Haha, same as you!", "Info:", 0);
	}
	else
	{
		Debug.Log("Wrong");
		TestClick.Messagebox.MessageBox(IntPtr.Zero, "Emmmmm,I don't think so.", "Info:", 0);
	}
}

逆向再看decrypt函数：

private string Decrypt(string str)
	{
		string result;
		try
		{
			byte[] bytes = Encoding.Unicode.GetBytes(TestClick.encryptKey);
			byte[] array = Convert.FromBase64String(str);
			DESCryptoServiceProvider descryptoServiceProvider = new DESCryptoServiceProvider();
			MemoryStream memoryStream = new MemoryStream();
			CryptoStream cryptoStream = new CryptoStream(memoryStream, descryptoServiceProvider.CreateDecryptor(bytes, bytes), CryptoStreamMode.Write);
			cryptoStream.Write(array, 0, array.Length);
			cryptoStream.FlushFinalBlock();
			byte[] bytes2 = memoryStream.ToArray();
			cryptoStream.Close();
			memoryStream.Close();
			result = Encoding.Unicode.GetString(bytes2);
		}
		catch
		{
			result = str;
		}
		return result;
	}

就是一个DES加base64的加密，具体怎么解的就不说了，因为今天只是逆向的一个简单介绍和入门。（估计这时候时间也不够了，计划30min）

≡