逆向攻防世界CTF系列9-no-strings-attached

image-20241014144159264

image-20241014144251583

image-20241014144404342

wsccmp:应该是个比较函数,相同为0,输出“Success! Welcome back!”,点进unk,从上往下看的车。

不知道decrypt是个什么,查了下,是解密的意思。

image-20241014150734763

解法1:

选中shift+e

image-20241014160153421

把s和A2转出,目标程序是 32 位 Ubuntu ,所以 wchar_t 表示 \0 占 4 字节,后面 4 个是截止符,不代入计算。(64位也是4字节)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
#include <stdio.h>

int main() {
    unsigned char s[] =
    {
       58,  20,   0,   0,  54,  20,   0,   0,  55,  20,
        0,   0,  59,  20,   0,   0, 128,  20,   0,   0,
      122,  20,   0,   0, 113,  20,   0,   0, 120,  20,
        0,   0,  99,  20,   0,   0, 102,  20,   0,   0,
      115,  20,   0,   0, 103,  20,   0,   0,  98,  20,
        0,   0, 101,  20,   0,   0, 115,  20,   0,   0,
       96,  20,   0,   0, 107,  20,   0,   0, 113,  20,
        0,   0, 120,  20,   0,   0, 106,  20,   0,   0,
      115,  20,   0,   0, 112,  20,   0,   0, 100,  20,
        0,   0, 120,  20,   0,   0, 110,  20,   0,   0,
      112,  20,   0,   0, 112,  20,   0,   0, 100,  20,
        0,   0, 112,  20,   0,   0, 100,  20,   0,   0,
      110,  20,   0,   0, 123,  20,   0,   0, 118,  20,
        0,   0, 120,  20,   0,   0, 106,  20,   0,   0,
      115,  20,   0,   0, 123,  20,   0,   0, 128,  20,
        0,   0
    };
    unsigned char a2[] = {
        1, 20, 0, 0, 2, 20, 0, 0, 3, 20,
        0, 0, 4, 20, 0, 0, 5, 20, 0, 0
    };
    int v4 = 0;
    int v6 = sizeof(s) / sizeof(unsigned char);
    int v7 = sizeof(a2) / sizeof(unsigned char);
    while (v4 < v6) {
        for (int i = 0; i < v7 && v4 < v6; ++i) {
            printf("%c", s[v4++] - a2[i]);
        }
    }
    return 0;

}

输出9447{you_are_an_international_mystery}

解法2:

image-20241014165115685

得a2=[0x1401,0x1402,0x1403,0x1404,0x1405],同理可得s,再修改上面的代码也行

解法3:

脚本查看

运行脚本,ida中,file,script file,选择脚本,查看地址,最后的0L要舍去

这里的39我猜测是尾项地址-0x08048AA8/4算出来,填>39的也没事,0L处截断就行

1
2
3
4
5
addr=0x08048AA8
arr = []
for i in range(39):
    arr.append(Dword(addr+4* i))
print(arr)

image-20241014165316760

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
s = [5178, 5174, 5175, 5179, 5248, 5242, 5233, 5240, 5219, 5222, 5235, 5223, 5218, 5221, 5235, 5216, 5227, 5233, 5240, 5226, 5235, 5232, 5220, 5240, 5230, 5232, 5232, 5220, 5232, 5220, 5230, 5243, 5238, 5240, 5226, 5235, 5243, 5248]
a = [5121, 5122, 5123, 5124, 5125]
v6 = len(s)
v7 = len(a )
v2 = len(s)

v4=0
while v4<v6:
    
    for i in range(0,5):
        if(i<v7 and v4<v6):
            s[v4]-=a[i]
            v4 += 1
        else:
            break
for i in range (38):
    print(chr(s[i]),end="")

解法4:

动态分析

此时我们需要转变一下思维:之前我们都是各种找、各种逻辑推断正确输入。但是我们忽略了一件事,那个与输入的比较的正确答案,一定是加载到内存里面之后,才与输入比较。要是我们能跟踪到这个正确答案储存在内存的位置然后把他拿出来,也行

参考[CTF-攻防世界 Reverse新手练习解析_ctf中的rev题-CSDN博客](https://blog.csdn.net/weixin_42621117/article/details/99768988#:~:text=XCTF 攻防世界)这篇文章