长城杯铁人三项初赛-REVERSE复现
前言
记录记录
1.LoginToMe
// IDA pseudocode of LoginToMe's main(): reads one string and, if it is
// exactly 20 bytes long, checks it against 12 arithmetic relations between
// 16-bit / 32-bit words read at fixed offsets of the input. The z3 script
// below models exactly these 12 relations.
int __fastcall main(int argc, const char **argv, const char **envp)
{
  unsigned int v3; // eax
  char s[96]; // [rsp+10h] [rbp-70h] BYREF
  int v6; // [rsp+70h] [rbp-10h]
  int v7; // [rsp+78h] [rbp-8h]
  int i; // [rsp+7Ch] [rbp-4h]

  memset(s, 0, sizeof(s));
  v6 = 0;
  printf("input:");
  // "%s" with no field width: input longer than 95 bytes overruns the
  // 96-byte stack buffer. Irrelevant to solving the check, but it is the
  // classic unbounded-read bug.
  __isoc99_scanf("%s", s);
  if ( strlen(s) == 20 )
  {
    // The clock-seeded rand() only sizes an empty delay loop (note the ';'
    // body); its value never feeds the comparison, so the check is
    // deterministic.
    v3 = time(0LL);
    srand(v3);
    v7 = rand() % 100;
    for ( i = 0; i < v7; ++i );
    // Each cast is an unaligned little-endian load at the given offset
    // (x86-64, per the rsp/rbp annotations). u16@k = bytes k..k+1,
    // u32@k = bytes k..k+3; bare s[k] terms are plain-char byte checks.
    if ( *(unsigned __int16 *)s * *(unsigned __int16 *)&s[2] == 342772773      // u16@0 * u16@2
      && *(unsigned __int16 *)s + *(unsigned __int16 *)&s[2] == 39526          // u16@0 + u16@2
      && *(_DWORD *)&s[4] - *(_DWORD *)&s[8] == 1005712381                     // u32@4 - u32@8
      && *(unsigned __int16 *)&s[4] + *(unsigned __int16 *)&s[6] == 56269      // u16@4 + u16@6
      && *(unsigned __int16 *)&s[8] - *(unsigned __int16 *)&s[10] == 15092     // u16@8 - u16@10
      && s[4] * s[8] == 10710                                                  // byte checks
      && s[6] * s[10] == 12051
      && s[7] + s[11] == 172
      && *(unsigned __int16 *)&s[12] * *(unsigned __int16 *)&s[14] == 171593250 // u16@12 * u16@14
      && *(unsigned __int16 *)&s[12] + *(unsigned __int16 *)&s[14] == 26219     // u16@12 + u16@14
      && *(unsigned __int16 *)&s[16] * *(unsigned __int16 *)&s[18] == 376306868 // u16@16 * u16@18
      && *(unsigned __int16 *)&s[16] + *(unsigned __int16 *)&s[18] == 40341 )   // u16@16 + u16@18
    {
      puts("check ok~!");
    }
    else
    {
      puts("check failed~!");
    }
  }
  // Exit status is 1 on every path; only the printed text tells the result.
  return 1;
}
分析可知这是一个验证程序输入的问题,如果多轮程序输入的与条件一样则是会检查正确,会进入该轮的下一轮,否则会输出错误,逆向的话要对其爆破一个唯一解,这里可以用z3库进行操作
import libnum
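from z3 import *


# Model of the 12 comparisons in LoginToMe's main(). The 20-byte input is
# split into five 32-bit words; word k covers s[4k..4k+3] little-endian, so
# `w & 0xffff` is the u16 at offset 4k and the high half is the u16 at 4k+2.
#
# The binary reads those halfwords through `unsigned __int16 *`, so the high
# half must be extracted with a *logical* shift. z3's `>>` on a BitVec is the
# arithmetic shift (it sign-extends bit 31) and would admit spurious non-ASCII
# models for the u16 sum/product equations; LShR matches the unsigned load.
def lo16(w):
    return w & 0xffff


def hi16(w):
    return LShR(w, 16)


# Every printable first byte is tried; a model (if any) is printed per try.
for first_byte in range(33, 128):
    solver = Solver()
    words = [BitVec('%d' % k, 32) for k in range(5)]
    solver.add(words[0] & 0xff == first_byte)
    solver.add(
        lo16(words[0]) * hi16(words[0]) == 342772773,
        lo16(words[0]) + hi16(words[0]) == 39526,
        words[1] - words[2] == 1005712381,
        lo16(words[1]) + hi16(words[1]) == 56269,
        lo16(words[2]) - hi16(words[2]) == 15092,
        (words[1] & 0xff) * (words[2] & 0xff) == 10710,
        (hi16(words[1]) & 0xff) * (hi16(words[2]) & 0xff) == 12051,
        # s[7] + s[11] is a plain-char sum in the binary; the arithmetic
        # shift reproduces the sign extension of a `char` promoted to int.
        (words[1] >> 24) + (words[2] >> 24) == 172,
        lo16(words[3]) * hi16(words[3]) == 171593250,
        lo16(words[3]) + hi16(words[3]) == 26219,
        lo16(words[4]) * hi16(words[4]) == 376306868,
        lo16(words[4]) + hi16(words[4]) == 40341,
    )
    if solver.check() == sat:
        model = solver.model()
        # n2s() yields big-endian bytes; reverse each word to recover the
        # little-endian byte order of the input.
        print(''.join(libnum.n2s(model[w].as_long())[::-1].decode() for w in words))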
然后输出就会爆出一个唯一解
由于比赛有环境,赛后没有环境,所以这道题就这样了
2.茶(tea)
主函数
// IDA pseudocode of the tea challenge's main(): reads a 42-byte flag,
// TEA-encrypts the first 40 bytes in place (five 8-byte blocks) and compares
// all 42 bytes against a fixed table.
int __fastcall main(int argc, const char **argv, const char **envp)
{
  char Str[64]; // [rsp+20h] [rbp-70h] BYREF
  char v5[39]; // [rsp+60h] [rbp-30h]
  char v6[3]; // [rsp+87h] [rbp-9h] BYREF
  int i; // [rsp+8Ch] [rbp-4h]

  // Presumably a CRT start-up stub; it does not touch the check.
  _main(argc, argv, envp);
  // Expected ciphertext for Str[0..38]; v6 = "ta}" lies directly after it
  // on the stack (rbp-0x30 + 39 == rbp-9), so v5[39..41] reads "ta}".
  v5[0] = -119;
  v5[1] = -48;
  v5[2] = -121;
  v5[3] = 54;
  v5[4] = -55;
  v5[5] = 69;
  v5[6] = -39;
  v5[7] = -48;
  v5[8] = 113;
  v5[9] = 59;
  v5[10] = 54;
  v5[11] = -109;
  v5[12] = 24;
  v5[13] = -65;
  v5[14] = 1;
  v5[15] = 99;
  v5[16] = -87;
  v5[17] = 54;
  v5[18] = 126;
  v5[19] = -9;
  v5[20] = -1;
  v5[21] = 32;
  v5[22] = 25;
  v5[23] = -126;
  v5[24] = -51;
  v5[25] = 119;
  v5[26] = 123;
  v5[27] = -118;
  v5[28] = 18;
  v5[29] = 48;
  v5[30] = 34;
  v5[31] = 80;
  v5[32] = -106;
  v5[33] = -87;
  v5[34] = -53;
  v5[35] = 92;
  v5[36] = 43;
  v5[37] = 33;
  v5[38] = -109;
  qmemcpy(v6, "ta}", sizeof(v6));
  printf("plz input your flag:");
  // Width-limited read: at most 42 bytes plus NUL into the 64-byte buffer.
  scanf("%42s", Str);
  if ( strlen(Str) != 42 )
  {
    printf("wrong length");
    exit(0);
  }
  // Blocks at offsets 0, 8, 16, 24, 32: only Str[0..39] is encrypted.
  for ( i = 0; i <= 39; i += 8 )
    encrypt((unsigned int *)&Str[i], key);
  // Byte-for-byte compare of all 42 bytes; Str[40..41] are compared in the
  // clear against v5[40..41], i.e. the "a}" tail of v6.
  for ( i = 0; i <= 41; ++i )
  {
    if ( Str[i] != v5[i] )
    {
      printf("error");
      exit(0);
    }
  }
  printf("win");
  return 0;
}
加密流程
// IDA pseudocode of the block cipher (return type most likely `_DWORD *`,
// the leading underscore appears lost in the dump). This is the TEA round
// structure: 32 rounds, the running sum advances by 0x9E3779B9 each round
// (written as subtracting 1640531527 == 0x61C88647, its two's-complement
// negation), and `16 * v` is `v << 4`. a1 is the 8-byte block (two words,
// encrypted in place); a2 is the 4-word key, read only.
// Returns a pointer to the second word of the block.
DWORD *__fastcall encrypt(unsigned int *a1, _DWORD *a2)
{
  _DWORD *result; // rax
  unsigned int i; // [rsp+20h] [rbp-10h]
  int v4; // [rsp+24h] [rbp-Ch]
  unsigned int v5; // [rsp+28h] [rbp-8h]
  unsigned int v6; // [rsp+2Ch] [rbp-4h]

  v6 = *a1;
  v5 = a1[1];
  v4 = 0; // round sum
  for ( i = 0; i <= 0x1F; ++i )
  {
    v4 -= 1640531527;
    // v0 += ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1)
    v6 += (v5 + v4) ^ (*a2 + 16 * v5) ^ ((v5 >> 5) + a2[1]);
    // v1 += ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3)
    v5 += (v6 + v4) ^ (a2[2] + 16 * v6) ^ ((v6 >> 5) + a2[3]);
  }
  *a1 = v6;
  result = a1 + 1;
  a1[1] = v5;
  return result;
}
key
0x78, 0x56, 0x34, 0x12, 0x0D, 0xF0, 0xAD, 0x0B, 0x14, 0x13,
0x20, 0x05, 0x21, 0x43, 0x65, 0x87
脚本
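#include <stdint.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* The challenge's encrypt() runs 32 rounds and advances its sum by
 * 0x9E3779B9 per round (`v4 -= 1640531527` in the decompilation). */
#define TEA_DELTA  0x9E3779B9u
#define TEA_ROUNDS 32

/*
 * Undo one 8-byte block of the challenge's encrypt(): the two round halves
 * are applied in reverse order while the sum walks back from 32 * DELTA.
 *
 * v: the block as two 32-bit words, decrypted in place.
 * k: the 4-word key; never written.
 */
static void tea_decrypt(uint32_t v[2], const uint32_t k[4])
{
    uint32_t v0 = v[0];
    uint32_t v1 = v[1];
    /* Sum after 32 encryption rounds, i.e. 0xC6EF3720 (mod 2^32). */
    uint32_t sum = (uint32_t)(TEA_DELTA * (uint32_t)TEA_ROUNDS);

    for (int r = 0; r < TEA_ROUNDS; r++) {
        v1 -= ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
        v0 -= ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        sum -= TEA_DELTA;
    }
    v[0] = v0;
    v[1] = v1;
}

int main(void)
{
    /* Expected ciphertext v5[0..39] from main(), as little-endian words;
     * block b is words 2b and 2b+1 (main() encrypts Str in 8-byte steps). */
    uint32_t ct[10] = {
        0x3687d089, 0xd0d945c9, 0x93363b71, 0x6301bf18, 0xf77e36a9,
        0x821920ff, 0x8a7b77cd, 0x50223012, 0x5ccba996, 0x7493212b,
    };
    /* Key bytes 78 56 34 12 0D F0 AD 0B 14 13 20 05 21 43 65 87, read as
     * little-endian 32-bit words. */
    const uint32_t key[4] = { 0x12345678, 0x0BADF00D, 0x05201314, 0x87654321 };

    for (size_t i = 0; i + 1 < ARRAY_SIZE(ct); i += 2) {
        tea_decrypt(&ct[i], key);
    }

    /* Emit the 40 recovered bytes in memory order (little-endian words). */
    for (size_t i = 0; i < ARRAY_SIZE(ct); i++) {
        for (int b = 0; b < 4; b++) {
            putchar((int)((ct[i] >> (8 * b)) & 0xFF));
        }
    }
    /* Only Str[0..39] passes through encrypt(); Str[40..41] are compared in
     * the clear against the bytes that follow v5[] on the stack (v6 = "ta}"
     * sits at rbp-9, directly after the 39-byte v5 at rbp-0x30), so the flag
     * ends in "a}". */
    fputs("a}\n", stdout);
    return 0;
}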
输出
flag{7b06c572-d317-49cf-8ff2-8e402e1ea53}
3.VM
加密是固定的单字节加密,动调程序获取数据后进行简单解密即可
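#include <stdint.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/*
 * Recover one plaintext byte from a dumped VM record: (0xffff ^ low) / div.
 * Returns -1 when div is zero so malformed data cannot divide by zero.
 */
static int decode_word(unsigned low, unsigned div)
{
    if (div == 0) {
        return -1;
    }
    return (int)((0xffffu ^ (low & 0xffffu)) / div);
}

/*
 * Decode a 4-byte record: bytes 0..1 are the 16-bit "low" word, bytes 2..3
 * the 16-bit divisor, both little-endian. Same -1 contract as decode_word().
 */
static int decode_record(const uint8_t rec[4])
{
    unsigned low = (unsigned)rec[0] | ((unsigned)rec[1] << 8);
    unsigned div = (unsigned)rec[2] | ((unsigned)rec[3] << 8);
    return decode_word(low, div);
}

int main(void)
{
    /* VM data dumped from the debugger: 33 records, stored last-to-first. */
    static const uint8_t codee[] = {
        0x05, 0x82, 0x02, 0x01,
        0x41, 0xA5, 0xE6, 0x00,
        0x2D, 0xA0, 0xDF, 0x00,
        0x16, 0xCB, 0x81, 0x00,
        0x8F, 0xBC, 0xA6, 0x00,
        0xF6, 0xC0, 0xA3, 0x00,
        0x6D, 0xB0, 0xD2, 0x00,
        0xA4, 0x9D, 0xE7, 0x00,
        0xB9, 0xD2, 0x7A, 0x00,
        0x7B, 0xB4, 0xB3, 0x00,
        0xF3, 0xCA, 0x8C, 0x00,
        0x4C, 0xC2, 0x87, 0x00,
        0xC7, 0xEE, 0x26, 0x00,
        0x53, 0x8B, 0x06, 0x01,
        0x41, 0x91, 0x0E, 0x01,
        0xA1, 0xB7, 0x9D, 0x00,
        0xD6, 0xD3, 0x77, 0x00,
        0x54, 0xAE, 0xCF, 0x00,
        0x2D, 0x99, 0xF6, 0x00,
        0xAE, 0xBA, 0xA9, 0x00,
        0x67, 0xA7, 0xD2, 0x00,
        0x31, 0xA6, 0xF2, 0x00,
        0xA1, 0xEE, 0x26, 0x00,
        0xE4, 0x87, 0x15, 0x01,
        0x4A, 0xF2, 0x1D, 0x00,
        0x82, 0xC3, 0xA3, 0x00,
        0x21, 0x90, 0x02, 0x01,
        0x4B, 0xB9, 0xB5, 0x00,
        0xA0, 0xCB, 0x6D, 0x00,
        0x7D, 0x86, 0x2E, 0x01,
        0x70, 0xA5, 0xEF, 0x00,
        0xE3, 0xC7, 0x85, 0x00,
        0xDB, 0xF0, 0x26, 0x00,
    };

    /* Walk the records from the end; the last record is the first flag byte.
     * A record with a zero divisor prints '?' instead of faulting. */
    for (size_t off = sizeof codee; off >= 4; off -= 4) {
        int c = decode_record(codee + off - 4);
        putchar(c < 0 ? '?' : c);
    }

    /* Second table from the dump, printed reversed with a space after each
     * character (kept as in the original script). */
    static const int aa[] = {
        125, 101, 110, 106, 105, 100, 97, 109, 96, 109, 98, 118, 122, 114, 105, 119,
        96, 101, 107, 106, 108, 95, 123, 111, 129, 96, 111, 101, 124, 103, 97, 109, 108
    };
    printf("\n\n\n");
    for (size_t i = ARRAY_SIZE(aa); i-- > 0;) {
        printf("%c ", aa[i]);
    }

    /* The last three records again, from their raw 16-bit words. */
    putchar(decode_word(0xf0db, 0x26));
    putchar(decode_word(0xc7e3, 0x85));
    putchar(decode_word(0xa570, 0xef));
    return 0;
}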
输出
flag{do_you_like_virtual_machine}