[ctfs.me] reverse me 0x01
Author: wellsleep (Liu Zheng)
This was my first proper CTF exercise. The reversing problem took me a while, so I'm writing it up.
The download is an archive containing two files, reverseme-x86 and reverseme-x86_64. To keep things simple I worked on reverseme-x86.
A quick look with file:

    reverseme-x86: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=22cc5cd877bf6c08537feefce6e9fbdf7b16c224, stripped
Running it: with no argument it asks you to pass the flag as an argument; with an argument it prints an Indonesian message meaning "the answer is wrong". Opening the binary in IDA and searching for those strings finds nothing, so this is not as simple as reverseme 0x02 (there you could just read the source). Looking closely at main, there are several places that appear to decrypt strings.
In the IDA debugger setup dialog, Application can be either the path on the Linux side or the local one, Parameters takes the argument that will become argv[1], and I don't know why Hostname and Password are required, but I filled them in with the Linux user's details.
buf = [0x39,0xA6,0x78,0x9A,0x0E,0xA3,0x8F,0xC0,0xB5,0x70,0x03,0x58,0x12,0x23]  # the input after the binary's transformation, as observed
target = [0x6f,0xfa,0x29,0xcd,0x45,0xf2,0xdd,0x85,0xe0,0x2c,0x5a,0x1c,0x43,0x6e]  # the ciphertext the binary compares against
for i in range(0x0e):
    k = buf[i] ^ target[i]  # XOR the two observations byte by byte
    print(hex(k))
    print(chr(k))
Result (hex byte and its character): 0x56 V, 0x5c \, 0x51 Q, 0x57 W, 0x4b K, 0x51 Q, 0x52 R, 0x45 E, 0x55 U, 0x5c \, 0x59 Y, 0x44 D, 0x51 Q, 0x4d M
These are all printable characters already, so I typed that string in as the flag and found that
it is wrong!!!
Going back for another look at the transformed input, every byte was slightly off from the ciphertext. Another trap? After some thought I realised the cause: the input I had fed in was made of '0' characters, which are 0x30 when decoded and were XORed with the key, so buf holds 0x30 ^ key per byte rather than the key itself, and buf ^ target gives the flag byte XOR 0x30 instead of the flag byte. Changing the script to XOR in an extra 0x30 fixes it.
buf = [0x39,0xA6,0x78,0x9A,0x0E,0xA3,0x8F,0xC0,0xB5,0x70,0x03,0x58,0x12,0x23]  # transformed form of an input of fourteen '0' characters
target = [0x6f,0xfa,0x29,0xcd,0x45,0xf2,0xdd,0x85,0xe0,0x2c,0x5a,0x1c,0x43,0x6e]  # the ciphertext the binary compares against
for i in range(0x0e):
    k = buf[i] ^ target[i] ^ 0x30  # the extra ^ 0x30 cancels the '0' probe byte, leaving the flag byte
    print(hex(k))
    print(chr(k))
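The two scripts above, restated as one general known-plaintext recovery. This is an added example and not the post's own code: it assumes the binary computes output[i] = input[i] ^ key[i] (which is what the extra 0x30 implies), takes the probe input of fourteen '0' characters and the two byte arrays from the post, and uses function names of my own. The generalisation is that any known probe string works, not just '0': recover the key from the probe first, then apply it to the stored comparison value. A probe of 0x00 bytes, which would have made the first script correct, cannot be passed through argv because a NUL terminates the string, so some non-zero probe always has to be XORed back out.

```python
# Added example (not the original post's script): recover a per-byte XOR key
# from one known input/output pair, then decrypt the value the binary compares
# against. Assumes output[i] = input[i] ^ key[i], as the post's fix implies.

# Data as recorded in the post: the probe typed as argv[1] was fourteen '0'
# characters (0x30 each); PROBE_OUTPUT is the post's `buf`, TARGET its `target`.
PROBE_INPUT = b"0" * 14
PROBE_OUTPUT = bytes([0x39, 0xA6, 0x78, 0x9A, 0x0E, 0xA3, 0x8F, 0xC0,
                      0xB5, 0x70, 0x03, 0x58, 0x12, 0x23])
TARGET = bytes([0x6f, 0xfa, 0x29, 0xcd, 0x45, 0xf2, 0xdd, 0x85,
                0xe0, 0x2c, 0x5a, 0x1c, 0x43, 0x6e])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError(f"length mismatch: {len(a)} vs {len(b)}")
    return bytes(x ^ y for x, y in zip(a, b))


def recover_key(known_plain: bytes, observed_cipher: bytes) -> bytes:
    """For c[i] = p[i] ^ k[i], one known (p, c) pair of full length yields k.
    The probe may be any bytes argv can carry (never 0x00); '0' is fine."""
    return xor_bytes(known_plain, observed_cipher)


def naive_guess(observed_cipher: bytes, target: bytes) -> bytes:
    """The post's first attempt: XOR the two observations directly.
    This equals flag ^ probe_input, which is the flag only if the probe
    was all zero bytes; with a '0' probe every byte is off by 0x30."""
    return xor_bytes(observed_cipher, target)


def recover_flag(known_plain: bytes, observed_cipher: bytes, target: bytes) -> bytes:
    """Recover the key from the probe, then strip it from the stored value."""
    key = recover_key(known_plain, observed_cipher)
    return xor_bytes(target, key)


def is_printable_ascii(data: bytes) -> bool:
    """Sanity check before typing the answer in: a flag should be printable."""
    return all(0x20 <= b < 0x7f for b in data)


if __name__ == "__main__":
    print("naive  :", naive_guess(PROBE_OUTPUT, TARGET))
    flag = recover_flag(PROBE_INPUT, PROBE_OUTPUT, TARGET)
    print("flag   :", flag.decode("ascii"), "(printable:", is_printable_ascii(flag), ")")
```

With the post's data, naive_guess returns the same fourteen characters the first script printed, and recover_flag returns flag{abuelita}. The printable check is only a hint, not proof: the real confirmation is running the binary with the recovered string as argv[1].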