2020网鼎杯 青龙组reverse:signal

Posted blackicelisa

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了2020网鼎杯 青龙组reverse:signal相关的知识,希望对你有一定的参考价值。

主函数,从内存给v4赋值,进行vm_operad操作

技术图片

 

 vm_operad函数,会根据v4每一int大小的值进行switch选择操作,v4是传入参数,这里的接受变量是a1为int型数组

技术图片

 

 技术图片

 

 v4在内存中所copy的对象是db型数据,大小为0x1c8即456

技术图片

 

 为方便获取数据,进入内存数据16进制页面

技术图片

 

 0x403040+0x1c8等于0x403208,所以将0x403040到0x403208的这段数据拷贝出来

0A 00 00 00 04 00 00 00  10 00 00 00 08 00 00 00
03 00 00 00 05 00 00 00  01 00 00 00 04 00 00 00
20 00 00 00 08 00 00 00  05 00 00 00 03 00 00 00
01 00 00 00 03 00 00 00  02 00 00 00 08 00 00 00
0B 00 00 00 01 00 00 00  0C 00 00 00 08 00 00 00
04 00 00 00 04 00 00 00  01 00 00 00 05 00 00 00
03 00 00 00 08 00 00 00  03 00 00 00 21 00 00 00
01 00 00 00 0B 00 00 00  08 00 00 00 0B 00 00 00
01 00 00 00 04 00 00 00  09 00 00 00 08 00 00 00
03 00 00 00 20 00 00 00  01 00 00 00 02 00 00 00
51 00 00 00 08 00 00 00  04 00 00 00 24 00 00 00
01 00 00 00 0C 00 00 00  08 00 00 00 0B 00 00 00
01 00 00 00 05 00 00 00  02 00 00 00 08 00 00 00
02 00 00 00 25 00 00 00  01 00 00 00 02 00 00 00
36 00 00 00 08 00 00 00  04 00 00 00 41 00 00 00
01 00 00 00 02 00 00 00  20 00 00 00 08 00 00 00
05 00 00 00 01 00 00 00  01 00 00 00 05 00 00 00
03 00 00 00 08 00 00 00  02 00 00 00 25 00 00 00
01 00 00 00 04 00 00 00  09 00 00 00 08 00 00 00
03 00 00 00 20 00 00 00  01 00 00 00 02 00 00 00
41 00 00 00 08 00 00 00  0C 00 00 00 01 00 00 00
07 00 00 00 22 00 00 00  07 00 00 00 3F 00 00 00
07 00 00 00 34 00 00 00  07 00 00 00 32 00 00 00
07 00 00 00 72 00 00 00  07 00 00 00 33 00 00 00
07 00 00 00 18 00 00 00  07 00 00 00 A7 FF FF FF
07 00 00 00 31 00 00 00  07 00 00 00 F1 FF FF FF
07 00 00 00 28 00 00 00  07 00 00 00 84 FF FF FF
07 00 00 00 C1 FF FF FF  07 00 00 00 1E 00 00 00
07 00 00 00 7A 00 00 00

4字节等于一个int,interl处理器是小端存储,刚好a1数组的值就是三个00之前那十六进制

10, 4, 16, 8, 3, 5, 1, 4, 32, 8, 5, 3, 1, 3, 2, 8, 11, 1, 12, 8, 4, 4, 1, 5, 3, 8, 3, 33, 1, 11, 8, 11, 1, 4, 9, 8, 3, 32, 1, 2, 81, 8, 4, 36, 1, 12, 8, 11, 1, 5, 2, 8, 2, 37, 1, 2, 54, 8, 4, 65, 1, 2, 32, 8, 5, 1, 1, 5, 3, 8, 2, 37, 1, 4, 9, 8, 3, 32, 1, 2, 65, 8, 12, 1, 7, 34, 7, 63, 7, 52, 7, 50, 7, 114, 7, 51, 7, 24, 7, 167, 255, 255, 255, 7, 49, 7, 241, 255, 255, 255, 7, 40, 7, 132, 255, 255, 255, 7, 193, 255, 255, 255, 7, 30, 7, 122

  vm_operad函数会根据a1数组的值进行switch操作,当值等于7时v4数组的值会与a1数组的下一位进行比较,相等继续,不等报错。7后面的数字就是正确输入进行加密后需要与之比较的值,刚好7这个值在a1数组的最后,将这串值提取出来为34,63,52,50,114,51,24,167,49,241,40,132,193,30,122,为v4数组的值

#获得v4数组
v4=[]
s=[10, 4, 16, 8, 3, 5, 1, 4, 32, 8, 5, 3, 1, 3, 2, 8, 11, 1, 12, 8, 4, 4, 1, 5, 3, 8, 3, 33, 1, 11, 8, 11, 1, 4, 9, 8, 3, 32, 1, 2, 81, 8, 4, 36, 1, 12, 8, 11, 1, 5, 2, 8, 2, 37, 1, 2, 54, 8, 4, 65, 1, 2, 32, 8, 5, 1, 1, 5, 3, 8, 2, 37, 1, 4, 9, 8, 3, 32, 1, 2, 65, 8, 12, 1, 7, 34, 7, 63, 7, 52, 7, 50, 7, 114, 7, 51, 7, 24, 7, 167, 255, 255, 255, 7, 49, 7, 241, 255, 255, 255, 7, 40, 7, 132, 255, 255, 255, 7, 193, 255, 255, 255, 7, 30, 7, 122]
for i in range(0,len(s)):
          if s[i]==7:
                    v4.append(s[i+1])

根据v4数组的值,逆向switch的操作的计算得到需要输入的正确flag

v4 = [34,63,52,50,114,51,24,167,49,241,40,132,193,30,122]
v4.reverse()

a=[10, 4, 16, 8, 3, 5, 1, 4, 32, 8, 5, 3, 1, 3, 2, 8, 11, 1, 12, 8, 4, 4, 1, 5, 3, 8, 3, 33, 1, 11, 8, 11, 1, 4, 9, 8, 3, 32, 1, 2, 81, 8, 4, 36, 1, 12, 8, 11, 1, 5, 2, 8, 2, 37, 1, 2, 54, 8, 4, 65, 1, 2, 32, 8, 5, 1, 1, 5, 3, 8, 2, 37, 1, 4, 9, 8, 3, 32, 1, 2, 65, 8, 12, 1]
a.reverse()

v9 = 0
us=0
v5=0
flag=[]
for i in range(0,len(a)):
          if i ==len(a)-1:
                    flag.append(us)
                    
          if a[i]==1 and a[i-1]!=1:
                    v5 = v4[v9]
                    v9+=1
                    flag.append(us)
                    
          if a[i]==2:
                    if(a[i+1]!=3 and a[i+1]!=4 and a[i+1]!=5):
                              us = v5 - a[i-1]
                              #print(us,v5,a[i-1])
                    
          if a[i]==3:
                    if(a[i+1]!=2 and a[i+1]!=4 and a[i+1]!=5):               
                              us = v5 + a[i-1]  #LOBYTE是al有8位,参与运算的5、33、32是全值,所以LOBYTE可省略
                    
          if a[i]==4:
                    if(a[i+1]!=3 and a[i+1]!=2 and a[i+1]!=5):
                              us = v5^a[i-1]

          if a[i]==5:
                    if(a[i+1]!=3 and a[i+1]!=4 and a[i+1]!=2):
                              us = int(v5/a[i-1])
          if a[i]==8:
                    v5 = us
                              
          if a[i]==11:
                    us = v5 +1
          if a[i]==12:
                    us = v5 -1
                    #print("12:",us)

flag.reverse()
out=‘‘
for j in flag:
          out +=chr(j)
print("flag{"+out+"}")

另外,LOBYTE这个函数做的时候我去百度了有说是取最右边那位,有说右边四位,这是ida的函数,但是怎么取都不对,这里我切换到汇编界面看了下LOBYTE取的是al的值,那么就是右边8位。a1数组的值没有大于8位二进制的,所以可以忽略这个函数。rax是64位寄存器,eax是32位寄存器,ax是16位寄存器,al是ax寄存器低8位,ah是ax寄存器高8位。

技术图片

 

以上是关于2020网鼎杯 青龙组reverse:signal的主要内容,如果未能解决你的问题,请参考以下文章

2020/5/24 网鼎杯_青龙组_signal

Buuctf-Reverse(逆向) 网鼎杯 2020 青龙组-singal Write up

Java安全-Java In CTF([网鼎杯 2020 青龙组]filejava[网鼎杯 2020 朱雀组]Think Java)

Java安全-Java In CTF([网鼎杯 2020 青龙组]filejava[网鼎杯 2020 朱雀组]Think Java)

[网鼎杯 2020 青龙组]AreUSerialz

BUU-WEB-[网鼎杯 2020 青龙组]AreUSerialz