week1

Simple_encryption

Week1 - Reverse 逆向工程
简单
出题人:tgrddf55
一眼秒的算法

alt text

  • 写脚本

alt text

  • 唉放弃python非得用c
#include <stdio.h>

/* The 30 transformed flag bytes. No NUL terminator follows the last byte,
 * so any printing must pass the length explicitly rather than rely on "%s". */
unsigned char buffer[] = {
    0x47, 0x95, 0x34, 0x48, 0xa4, 0x1c, 0x35, 0x88, 0x64, 0x16,
    0x88, 0x07, 0x14, 0x6a, 0x39, 0x12, 0xa2, 0x0a, 0x37, 0x5c,
    0x07, 0x5a, 0x56, 0x60, 0x12, 0x76, 0x25, 0x12, 0x8e, 0x28
};
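/* Applies the per-position byte transform to `buffer` (position mod 3 selects
 * add 0x1f, subtract 0x29, or XOR 0x55) and prints the resulting bytes.
 * Returns 0. */
int main(void) {
    /* Derive the length from the array instead of a separate hard-coded 30. */
    const size_t len = sizeof buffer / sizeof buffer[0];
    for (size_t i = 0; i < len; i++) {
        switch (i % 3) {
        case 0:
            buffer[i] += 0x1f;
            break;
        case 1:
            buffer[i] -= 0x29;
            break;
        default:
            buffer[i] ^= 0x55;
            break;
        }
    }
    /* buffer carries no NUL terminator, so "%s" would read past its end;
     * bound the print to exactly len bytes. */
    printf("%.*s", (int)len, (const char *)buffer);
    return 0;
}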
// flag{IT_15_R3Al1y_V3Ry-51Mp1e}

base64

Week1 - Reverse 逆向工程
简单
出题人:0xA1pha
仍然是 base64

alt text

begin

Week1 - Reverse 逆向工程
签到
出题人:tgrddf55
什么是 IDA?

flag_part1      db 'flag{Mak3_aN_',0       ;要uddda
this is flag part2: 3Ff0rt_tO_5eArcH_ ,You can press
// Decompiler output quoted from the challenge binary (printf_0 and flag_part2 are the
// names shown there, not real library calls). Per the message it prints, this
// function's own name is flag part 3, followed by a closing '}'.
int F0r_th3_f14g_C0Rpse()
{
printf_0("the function name is flag part3,Don't forget to add a '}' at the end");
return flag_part2();
}

flag{Mak3_aN_3Ff0rt_tO_5eArcH_F0r_th3_f14g_C0Rpse}

ezandroidstudy

Week1 - Reverse 逆向工程
简单
出题人:PangBai
这是什么?猫猫虫?

ez_debug

Week1 - Reverse 逆向工程
简单
出题人:kw17
动态调试(可能 xdbg 会更简单哦)

alt text

0000000000401D11 | 48:8D95 40010000 | lea rdx,qword ptr ss:[rbp+140] | [rbp+140]:“flag{y0u_ar3_g0od_@_Debu9}”

week2

ezencrypt

Week2 - Reverse 逆向工程
中等
出题人:PangBai
有一位魔女坐着扫帚飞在空中,灰色头发在风中飘逸,这位像洋娃娃一般漂亮又可爱,连夏天的当空烈日见了都会放出更炙热光芒的少女,究竟是谁呢,没错就是我。

之前做过一遍,点击
alt text
alt text
alt text

  • AES/ECB/PKCS5Padding key=IamEzEncryptGame
  • base64
  • doEncCheck
  • xor
  • rc4

alt text

Dirty_flowers

Week2 - Reverse 逆向工程
简单
出题人:tgrddf55
IDA 的 F5 怎么失效了

alt text

  • 这里真是乱七八糟,失败请尝试选择函数范围再ucp f5
  • nop(字节0x90)
  • 函数名u p f5
  • 注意这里的函数名是最上边的函数名
  • ai
if ( &v11[strlen(&v10)] - v11 == 36 )
  • 修一下

alt text

  • 这里很诡异的结果很诡异的修法不完全解决,尝试n次最好还是选择函数范围再ucp f5

alt text

  • 官方脚本
# exp.py
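# Encrypted flag bytes pulled from the binary.
lis = [0x02, 0x05, 0x13, 0x13, 0x02, 0x1e, 0x53, 0x1f, 0x5c, 0x1a, 0x27, 0x43, 0x1d, 0x36, 0x43,
       0x07, 0x26, 0x2d, 0x55, 0x0d, 0x03, 0x1b, 0x1c, 0x2d, 0x02, 0x1c, 0x1c, 0x30, 0x38, 0x32,
       0x55, 0x02, 0x1b, 0x16, 0x54, 0x0f]
# Repeating XOR key; named `key` rather than `str` so the builtin is not shadowed.
key = "dirty_flower"
flag = ""
for i, c in enumerate(lis):
    # Decrypt in place so `lis` also ends up holding the plaintext byte values.
    lis[i] = c ^ ord(key[i % len(key)])
    flag += chr(lis[i])
print(flag)
# flag{A5s3mB1y_1s_r3ally_funDAm3nta1}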

alt text

UPX

Week2 - Reverse 逆向工程
简单
出题人:nuthecz
你知道 upx 吗?

alt text
alt text
alt text

  • 官方脚本
#include <stdio.h>
#include <string.h>

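/* RC4 state array: filled with the identity permutation by init_sbox() and
 * permuted in place by RC4(). */
unsigned char sbox[256] = {0};
/* Key as a NUL-terminated byte string; init_sbox() takes its length with strlen(). */
const unsigned char* key = (const unsigned char*)"NewStar";
/* 22 ciphertext bytes. Written as unsigned hex so no negative int literal is
 * narrowed into unsigned char (the same values as the original -60, 96, ... list). */
unsigned char data[22] = {0xC4, 0x60, 0xAF, 0xB9, 0xE3, 0xFF, 0x2E, 0x9B, 0xF5, 0x10, 0x56,
                          0x51, 0x6E, 0xEE, 0x5F, 0x7D, 0x7D, 0x6E, 0x2B, 0x9C, 0x75, 0xB5};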

/* Exchange the bytes at a and b. Passing the same pointer twice is harmless:
 * the value is simply written back unchanged. */
void swap(unsigned char* a, unsigned char* b) {
    unsigned char saved = *b;
    *b = *a;
    *a = saved;
}

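/* RC4 key scheduling: load the identity permutation into the global sbox, then
 * scramble it with the key bytes repeated cyclically.
 * key: NUL-terminated byte string; its length is taken with strlen().
 * An empty key is rejected up front, since `i % keyLen` would otherwise divide
 * by zero; in that case sbox is left as the identity permutation. */
void init_sbox(const unsigned char key[]) {
    for (unsigned int i = 0; i < 256; i++) sbox[i] = (unsigned char)i;
    size_t keyLen = strlen((const char*)key);
    if (keyLen == 0) return;
    unsigned int j = 0;
    for (unsigned int i = 0; i < 256; i++) {
        /* Index the key cyclically instead of first expanding it into a 256-byte table. */
        j = (j + sbox[i] + key[i % keyLen]) % 256;
        swap(&sbox[i], &sbox[j]);
    }
}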

/* RC4 keystream generation: re-runs key scheduling on every call, then XORs each
 * byte of data in place with the next keystream byte.
 * data: dataLen bytes, transformed in place.
 * key: NUL-terminated byte string handed to init_sbox(). */
void RC4(unsigned char* data, unsigned int dataLen, const unsigned char key[]) {
    init_sbox(key);
    unsigned char i = 0;
    unsigned char j = 0;
    for (unsigned int pos = 0; pos < dataLen; pos++) {
        i = (i + 1) % 256;
        j = (j + sbox[i]) % 256;
        swap(&sbox[i], &sbox[j]);
        unsigned char t = (sbox[i] + sbox[j]) % 256;
        data[pos] ^= sbox[t];
    }
}

/* Runs RC4 over the 22 ciphertext bytes with the fixed key and writes the
 * resulting raw bytes to stdout, one at a time. Returns 0. */
int main(void) {
    const unsigned int dataLen = sizeof(data) / sizeof(data[0]);
    RC4(data, dataLen, key);
    for (unsigned int idx = 0; idx < dataLen; idx++) {
        putchar(data[idx]);
    }
    return 0;
}

官方动调方法1

alt text
alt text

from ida_bytes import *
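# addr = 0x56201B813040  # replace with the address observed in your own debug session
# Bytes written at addr + i through patch_byte(); addr must be defined first
# (see the commented line above) or the loop raises NameError.
enc = [0xC4, 0x60, 0xAF, 0xB9, 0xE3, 0xFF, 0x2E, 0x9B, 0xF5, 0x10,
       0x56, 0x51, 0x6E, 0xEE, 0x5F, 0x7D, 0x7D, 0x6E, 0x2B, 0x9C,
       0x75, 0xB5]
# Iterate over the list itself instead of a hard-coded count of 22 so the
# two cannot drift apart if the byte list is edited.
for i, b in enumerate(enc):
    patch_byte(addr + i, b)
print('Done')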

alt text

drink_tea

Week2 - Reverse 逆向工程
简单
出题人:Chovy
来喝茶吧