Challenges (source: Jarvis-OJ):
Classical Crackme
Classical CrackMe2
FindKey
Login
Classical Crackme
First, check for a packer.
No packer, but it turns out to be a .NET program. Drag it into dnSpy, locate the main program, and the key code is found there, shown below:
private void \u202C\u200B\u206A\u202A\u206D\u206B\u202D\u206F\u202D\u200C\u200E\u206B\u202E\u202E\u202C\u202B\u206A\u206D\u206E\u202B\u206E\u200F\u202D\u200E\u202C\u200F\u200D\u200F\u202B\u200C\u202A\u206D\u206A\u206E\u202D\u200D\u200C\u206B\u202A\u202D\u202E(object obj, EventArgs eventArgs)
{
    string s = this.\u200E\u206F\u206A\u200F\u206E\u202C\u206C\u200C\u206A\u200B\u206E\u202D\u206B\u202D\u200F\u206B\u202B\u200C\u206B\u202D\u206D\u202B\u206B\u200C\u206F\u206D\u206A\u202D\u200F\u202E\u200B\u206D\u202C\u200D\u200D\u202C\u200F\u202E\u202E\u206A\u202E.Text.ToString();
    byte[] bytes = Encoding.Default.GetBytes(s);
    string a = Convert.ToBase64String(bytes);
    string b = "UENURntFYTV5X0RvX05ldF9DcjRjazNyfQ==";
    if (a == b)
    {
        MessageBox.Show("注冊成功!", "提示", MessageBoxButtons.OK);
    }
    else
    {
        MessageBox.Show("注冊失敗!", "提示", MessageBoxButtons.OK, MessageBoxIcon.Hand);
    }
}
As you can see, if the Base64 encoding of the input string equals 'UENURntFYTV5X0RvX05ldF9DcjRjazNyfQ==', "registration successful" is shown. Base64-decoding that string gives the flag.
Flag:PCTF{Ea5y_Do_Net_Cr4ck3r}
Classical CrackMe2
First, check for a packer.
A .NET program. Drag it into ILSpy first (dnSpy's decompiled output is too painful to read -_-|||; it will be used later when dynamic debugging is needed) and find the key code in the main function, shown below
You can see the constraints on the user-supplied flag are:
(1) it must not be empty
(2) after AES encryption followed by Base64 encoding it must equal a certain string
So we use dynamic debugging to find the key and the encrypted string. Drag the file into dnSpy, locate the function above, and set a breakpoint where the key is fetched, as shown below
Start debugging; when execution reaches that point we get the key
Right-click -> Show in Memory Window -> Memory 1; the key is as follows
Then find the encrypted string: set a breakpoint at the key comparison
Debug, and the encrypted string is obtained: "x/nzolo0TTIyrEISd4AP1spCzlhSWJXeNbY81SjPgmk="
Now a script can be written to get the flag
# Python 3 / pycryptodome version of the solve script
import base64
from Crypto.Cipher import AES

key = b'pctf2016pctf2016pctf2016pctf2016'  # 32-byte key read from memory in dnSpy
result = 'x/nzolo0TTIyrEISd4AP1spCzlhSWJXeNbY81SjPgmk='  # Base64 of the ciphertext seen at the comparison
ciphertext = base64.b64decode(result)  # the hex round-trip of the original script is not needed
cipher = AES.new(key, AES.MODE_ECB)  # ECB, which is what AES.new(key) defaulted to in pycrypto
flag = cipher.decrypt(ciphertext)
print(flag)  # the flag followed by the padding bytes of the last block
Flag:PCTF{Dot_Net_UnPack3r_yoo}
FindKey
This is a pyc reversing challenge. Search Baidu for an online pyc decompiler, upload the pyc file to the site, and the source code is obtained, shown below
#!/usr/bin/env python
# encoding: utf-8
# Visit http://tool.lu/pyc/ for more information
# (Python 2 source recovered by the decompiler)
import sys
lookup = [196,153,149,206,17,221,10,217,167,18,36,135,103,61,111,31,92,152,21,228,105,191,173,41,2,245,23,144,
          1,246,89,178,182,119,38,85,48,226,165,241,166,214,71,90,151,3,109,169,150,224,69,156,158,57,181,29,
          200,37,51,252,227,93,65,82,66,80,170,77,49,177,81,94,202,107,25,73,148,98,129,231,212,14,84,121,174,
          171,64,180,233,74,140,242,75,104,253,44,39,87,86,27,68,22,55,76,35,248,96,5,56,20,161,213,238,220,72,
          100,247,8,63,249,145,243,155,222,122,32,43,186,0,102,216,126,15,42,115,138,240,147,229,204,117,223,141,
          159,131,232,124,254,60,116,46,113,79,16,128,6,251,40,205,137,199,83,54,188,19,184,201,110,255,26,91,211,
          132,160,168,154,185,183,244,78,33,123,28,59,12,210,218,47,163,215,209,108,235,237,118,101,24,234,106,143,
          88,9,136,95,30,193,176,225,198,197,194,239,134,162,192,11,70,58,187,50,67,236,230,13,99,190,208,207,7,53,
          219,203,62,114,127,125,164,179,175,112,172,250,133,130,52,189,97,146,34,157,120,195,45,4,142,139]
pwda = [188,155,11,58,251,208,204,202,150,120,206,237,114,92,126,6,42]
pwdb = [53,222,230,35,67,248,226,216,17,209,32,2,181,200,171,60,108]
flag = raw_input('Input your Key:').strip()
if len(flag) != 17:
    print 'Wrong Key!!'
    sys.exit(1)
flag = flag[::-1]  # the input is checked in reverse order
for i in range(0, len(flag)):
    # (ord(c) + pwda[i]) & 255 must match the lookup entry selected by pwdb
    if ord(flag[i]) + pwda[i] & 255 != lookup[i + pwdb[i]]:
        print 'Wrong Key!!'
        sys.exit(1)
print 'Congratulations!!'
Very simple: copy its tables and the flag can be obtained with the following script
# Python 3 solve script: invert the check for each of the 17 positions
lookup = [196,153,149,206,17,221,10,217,167,18,36,135,103,61,111,31,92,152,21,228,105,191,173,41,2,245,23,144,
          1,246,89,178,182,119,38,85,48,226,165,241,166,214,71,90,151,3,109,169,150,224,69,156,158,57,181,29,
          200,37,51,252,227,93,65,82,66,80,170,77,49,177,81,94,202,107,25,73,148,98,129,231,212,14,84,121,174,
          171,64,180,233,74,140,242,75,104,253,44,39,87,86,27,68,22,55,76,35,248,96,5,56,20,161,213,238,220,72,
          100,247,8,63,249,145,243,155,222,122,32,43,186,0,102,216,126,15,42,115,138,240,147,229,204,117,223,141,
          159,131,232,124,254,60,116,46,113,79,16,128,6,251,40,205,137,199,83,54,188,19,184,201,110,255,26,91,211,
          132,160,168,154,185,183,244,78,33,123,28,59,12,210,218,47,163,215,209,108,235,237,118,101,24,234,106,143,
          88,9,136,95,30,193,176,225,198,197,194,239,134,162,192,11,70,58,187,50,67,236,230,13,99,190,208,207,7,53,
          219,203,62,114,127,125,164,179,175,112,172,250,133,130,52,189,97,146,34,157,120,195,45,4,142,139]
pwda = [188,155,11,58,251,208,204,202,150,120,206,237,114,92,126,6,42]
pwdb = [53,222,230,35,67,248,226,216,17,209,32,2,181,200,171,60,108]
flag = ""
for i in range(17):
    # (c + pwda[i]) & 255 == lookup[i + pwdb[i]]  =>  c = (lookup[i + pwdb[i]] - pwda[i]) & 255
    flag += chr((lookup[i + pwdb[i]] - pwda[i]) & 255)
print(flag[::-1])  # the program reversed the input, so reverse it back
Flag:PCTF{PyC_Cr4ck3r}
Login
First, check for a packer.
No packer. Load it into IDA, press F12 to view the strings, and Python markers show up among them.
Normally an ordinary C program would not contain anything Python-related, yet here there are lots of Py-prefixed names. What does that mean? It means this exe is actually a Python program converted to an exe (how do I know? Because when I was submitting challenges for HXBCTF I wrote a Python-to-exe challenge intended to trip people up). Download pyinstxtractor.py from the web and use it to extract the exe, then look at the extracted folder.
First there is a pile of API DLLs, which can be ignored; there is also a Python35.dll. Checking it shows it is UPX-packed. After unpacking it with an unpacker, load it into IDA and press F12 to view the strings: a huge pile of them -_-||. Try searching for flag, and this turns up
Following the cross-reference leads to this function
This is the core code. The check if ( v3 != (v4 ^ byte_1E253040[v3]) ) is the key comparison: only when it holds does the whole while loop reach the Congratulation output, and v4 is the user-supplied Password, so a script can be written to derive the flag
# Python 3 solve script; a is the byte_1E253040 array from the IDA pseudocode
a = [0x50, 0x78, 0x76, 0x6B, 0x34, 0x6B, 0x59, 0x63,
     0x49, 0x56, 0x6C, 0x4A, 0x53, 0x65, 0x4F, 0x3F]
flag = ''
for count in range(len(a)):
    # position count passes only if count == c ^ a[count]; try every printable c
    for c in range(33, 127):
        if c ^ a[count] == count:
            flag += chr(c)
            break
print(flag)
Here a is the byte_1E253040 array from the code above
Flag:Pyth0n_dA_fA_hA0
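As an added example (not from the writeup), the FindKey and Login checks are re-implemented as verifier functions and inverted directly, so each recovered key can be confirmed against the binary's own logic before submitting; for Login the exact input length is not stated in the writeup, so it is assumed to be the table length.

```python
# Added example (not part of the writeup): re-implement each binary's own
# check as a function, then invert it, so the recovered key can be verified.

# FindKey tables, copied from the decompiled pyc above
LOOKUP = [196,153,149,206,17,221,10,217,167,18,36,135,103,61,111,31,92,152,21,228,105,191,173,41,2,245,23,144,
          1,246,89,178,182,119,38,85,48,226,165,241,166,214,71,90,151,3,109,169,150,224,69,156,158,57,181,29,
          200,37,51,252,227,93,65,82,66,80,170,77,49,177,81,94,202,107,25,73,148,98,129,231,212,14,84,121,174,
          171,64,180,233,74,140,242,75,104,253,44,39,87,86,27,68,22,55,76,35,248,96,5,56,20,161,213,238,220,72,
          100,247,8,63,249,145,243,155,222,122,32,43,186,0,102,216,126,15,42,115,138,240,147,229,204,117,223,141,
          159,131,232,124,254,60,116,46,113,79,16,128,6,251,40,205,137,199,83,54,188,19,184,201,110,255,26,91,211,
          132,160,168,154,185,183,244,78,33,123,28,59,12,210,218,47,163,215,209,108,235,237,118,101,24,234,106,143,
          88,9,136,95,30,193,176,225,198,197,194,239,134,162,192,11,70,58,187,50,67,236,230,13,99,190,208,207,7,53,
          219,203,62,114,127,125,164,179,175,112,172,250,133,130,52,189,97,146,34,157,120,195,45,4,142,139]
PWDA = [188,155,11,58,251,208,204,202,150,120,206,237,114,92,126,6,42]
PWDB = [53,222,230,35,67,248,226,216,17,209,32,2,181,200,171,60,108]

def findkey_check(key):
    """The pyc's test: 17 chars, reversed, (c + pwda[i]) & 255 == lookup[i + pwdb[i]]."""
    if len(key) != 17:
        return False
    rev = key[::-1]
    return all((ord(rev[i]) + PWDA[i]) & 255 == LOOKUP[i + PWDB[i]] for i in range(17))

def findkey_solve():
    """Invert it: c = (lookup[i + pwdb[i]] - pwda[i]) mod 256, then undo the reversal."""
    rev = ''.join(chr((LOOKUP[i + PWDB[i]] - PWDA[i]) & 255) for i in range(17))
    return rev[::-1]

# Login table: byte_1E253040 from the IDA pseudocode
LOGIN_TABLE = [0x50, 0x78, 0x76, 0x6B, 0x34, 0x6B, 0x59, 0x63,
               0x49, 0x56, 0x6C, 0x4A, 0x53, 0x65, 0x4F, 0x3F]

def login_check(password):
    """The exe's loop: position i passes only if i == password[i] ^ table[i].
    Assumption (not stated in the writeup): exactly len(table) characters are required."""
    if len(password) != len(LOGIN_TABLE):
        return False
    return all(i == ord(password[i]) ^ LOGIN_TABLE[i] for i in range(len(LOGIN_TABLE)))

def login_solve():
    """XOR is its own inverse, so password[i] = i ^ table[i]; no brute force needed."""
    return ''.join(chr(i ^ b) for i, b in enumerate(LOGIN_TABLE))

if __name__ == '__main__':
    for name, solve, check in (('FindKey', findkey_solve, findkey_check), ('Login', login_solve, login_check)):
        key = solve()
        print(name, key, 'passes the original check' if check(key) else 'FAILS the check')
```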