reverse学习

一.[WUSTCTF2020]level4

ida打开之后是

int __fastcall main(int argc, const char **argv, const char **envp) { puts("Practice my Data Structure code....."); puts("Typing....Struct.....char....*left....*right............emmmmm...OK!"); init("Typing....Struct.....char....*left....*right............emmmmm...OK!", argv); puts("Traversal!"); printf("Traversal type 1:"); type1(&unk_601290); // 二叉树的中序遍历 printf("\nTraversal type 2:"); type2(&unk_601290); // 二叉树的后序遍历 printf("\nTraversal type 3:"); puts(" //type3(&x[22]); No way!"); puts(&byte_400A37); return 0; }

我们一个一个看,发现二叉树的代码

__int64 __fastcall type1(char *a1) { __int64 result; // rax if ( a1 ) { type1(*(a1 + 1)); putchar(*a1); return type1(*(a1 + 2)); } return result; } int __fastcall type2(char *a1) { int result; // eax if ( a1 ) { type2(*(a1 + 1)); type2(*(a1 + 2)); return putchar(*a1); } return result; }

我们需要已知两种二叉树的遍历结果才可以确定二叉树的结构,而原文给出了中序遍历和后序遍历的代码,我们运行ELF文件得到运行后的结果

所以得到了中序遍历和后序遍历的结果

2f0t02T{hcsiI_SwA__r7Ee}

20f0Th{2tsIS_icArE}e7__w 之后我们写代码找到前序排列的结果

#include <stdio.h> #include <stdlib.h> #include <string.h> typedef struct TreeNode { char data; struct TreeNode* left; struct TreeNode* right; } TreeNode; // ´´½¨½Úµã TreeNode* createNode(char data) { TreeNode* node = (TreeNode*)malloc(sizeof(TreeNode)); node->data = data; node->left = NULL; node->right = NULL; return node; } // ÔÚÖÐÐò±éÀúÖÐÕÒµ½¸ù½ÚµãµÄλÖà int findIndex(const char* inorder, char rootVal, int start, int end) { for (int i = start; i <= end; i++) { if (inorder[i] == rootVal) return i; } return -1; } // ´ÓºóÐòºÍÖÐÐò±éÀú¹¹½¨¶þ²æÊ÷ TreeNode* buildTree(const char* postorder, const char* inorder, int start, int end, int* postIndex) { if (start > end) return NULL; char rootVal = postorder[*postIndex]; (*postIndex)--; TreeNode* root = createNode(rootVal); int inIndex = findIndex(inorder, rootVal, start, end); root->right = buildTree(postorder, inorder, inIndex + 1, end, postIndex); root->left = buildTree(postorder, inorder, start, inIndex - 1, postIndex); return root; } // Ç°Ðò±éÀú void preorderTraversal(TreeNode* root) { if (root == NULL) return; printf("%c", root->data); preorderTraversal(root->left); preorderTraversal(root->right); } int main() { const char* inorder = "2f0t02T{hcsiI_SwA__r7Ee}"; const char* postorder = "20f0Th{2tsIS_icArE}e7__w"; int postIndex = strlen(postorder) - 1; TreeNode* root = buildTree(postorder, inorder, 0, strlen(inorder) - 1, &postIndex); printf("Preorder traversal: "); preorderTraversal(root); printf("\n"); return 0; }

其实不太熟悉二叉树,这是ai帮忙写的代码,至少是对的

 wctf2020{This_IS_A_7reE}

二.[羊城杯 2020]easyre

是exe文件直接运行一下,提示输入flag

查壳是64位,ida打开,

int __fastcall main(int argc, const char **argv, const char **envp) { int v3; // eax int v4; // eax int v5; // eax char Str[48]; // [rsp+20h] [rbp-60h] BYREF char Str1[64]; // [rsp+50h] [rbp-30h] BYREF char v9[64]; // [rsp+90h] [rbp+10h] BYREF char v10[64]; // [rsp+D0h] [rbp+50h] BYREF char Str2[60]; // [rsp+110h] [rbp+90h] BYREF int v12; // [rsp+14Ch] [rbp+CCh] BYREF _main(); strcpy(Str2, "EmBmP5Pmn7QcPU4gLYKv5QcMmB3PWHcP5YkPq3=cT6QckkPckoRG");// 密文EmBmP5Pmn7QcPU4gLYKv5QcMmB3PWHcP5YkPq3=cT6QckkPckoRG puts("Hello, please input your flag and I will tell you whether it is right or not."); scanf("%38s", Str); if ( strlen(Str) != 38 || (v3 = strlen(Str), encode_one(Str, v3, v10, &v12))// base64ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ || (v4 = strlen(v10), encode_two(v10, v4, v9, &v12))// 赋值 || (v5 = strlen(v9), encode_three(v9, v5, Str1, &v12))// 凯撒加密3 || strcmp(Str1, Str2) ) { printf("Something wrong. Keep going."); return 0; } // 38 // else { puts("you are right!"); return 0; } }

代码很清晰是分三部加密,我们一个一个看

有str2最后和str1比较,有encode三个加密,传入的都是明文,长度和密文缓冲区,我们分析代码即可

__int64 __fastcall encode_one(char *a1, int a2, char *a3, int *a4) { int v5; // esi int v6; // esi int v7; // esi int v8; // [rsp+34h] [rbp-1Ch] int v9; // [rsp+38h] [rbp-18h] int v11; // [rsp+48h] [rbp-8h] int i; // [rsp+4Ch] [rbp-4h] unsigned __int8 *v13; // [rsp+70h] [rbp+20h] v13 = a1; if ( !a1 || !a2 ) return 0xFFFFFFFFi64; v11 = 0; if ( a2 % 3 ) v11 = 3 - a2 % 3; v9 = a2 + v11; v8 = 8 * (a2 + v11) / 6; for ( i = 0; i < v9; i += 3 ) { *a3 = alphabet[*v13 >> 2]; if ( a2 + v11 - 3 == i && v11 ) { if ( v11 == 1 ) { v5 = cmove_bits(*v13, 6u, 2u); a3[1] = alphabet[v5 + cmove_bits(v13[1], 0, 4u)]; a3[2] = alphabet[cmove_bits(v13[1], 4u, 2u)]; a3[3] = 61; } else if ( v11 == 2 ) { a3[1] = alphabet[cmove_bits(*v13, 6u, 2u)]; a3[2] = 61; a3[3] = 61; } } else { v6 = cmove_bits(*v13, 6u, 2u); a3[1] = alphabet[v6 + cmove_bits(v13[1], 0, 4u)]; v7 = cmove_bits(v13[1], 4u, 2u); a3[2] = alphabet[v7 + cmove_bits(v13[2], 0, 6u)]; a3[3] = alphabet[v13[2] & 0x3F]; } a3 += 4; v13 += 3; } if ( a4 ) *a4 = v8; return 0i64; }

第一个明显是base64加密,再查看alphabet有没有被修改和变表,

(其中后面的A是和下面的rgument组合的Argument,,在 IDA 中，Argument domain error (DOMAIN) 通常指的是函数参数的类型或值超出了预期的范围或定义域，导致 IDA 在分析或反编译过程中无法正确处理。我们不用管)

可知没有,注释一下,分析下一个

__int64 __fastcall encode_two(const char *a1, int a2, char *a3, int *a4) { if ( !a1 || !a2 ) return 0xFFFFFFFFi64; strncpy(a3, a1 + 26, 0xDui64); strncpy(a3 + 13, a1, 0xDui64); strncpy(a3 + 26, a1 + 39, 0xDui64); strncpy(a3 + 39, a1 + 13, 0xDui64); return 0i64; }

猜测是互换位置,我们由后面的代码可知str2是明文的base64加密后的结果,我们看str2长度是52而这里的每一组是13个一共4组13*4==52个正好,所以我们写代码交换位置即可

之后看第三个

__int64 __fastcall encode_three(const char *a1, int a2, char *a3, int *a4) { char v5; // [rsp+Fh] [rbp-11h] int i; // [rsp+14h] [rbp-Ch] const char *v8; // [rsp+30h] [rbp+10h] v8 = a1; if ( !a1 || !a2 ) return 0xFFFFFFFFi64; for ( i = 0; i < a2; ++i ) { v5 = *v8; if ( *v8 <= 64 || v5 > 90 ) { if ( v5 <= 96 || v5 > 122 ) { if ( v5 <= 47 || v5 > 57 ) *a3 = v5; else *a3 = (v5 - 48 + 3) % 10 + 48; // 数字 } else { *a3 = (v5 - 97 + 3) % 26 + 97; // 小写 } } else { *a3 = (v5 - 65 + 3) % 26 + 65; // 大写 } ++a3; ++v8; } return 0i64; }

后两个我们很熟悉是凯撒加密偏移量是3位,可是中间有一个47~57的我们查一下ascll可知这是数字0~9,所以如果是数字的话也要偏移三位,因为数字比较少,为了方便,我们找网站先偏移字母再手动偏移数字,之后写交换的代码让后找网站base64解码即可

#include<stdio.h> #include<string.h> int main() { char enc[]="BjYjM2Mjk4NzMR1dIVHs2NzJjY0MTEzM2VhMn0=zQ3NzhhMzhlOD"; //52 13/ printf("%d\n",strlen(enc)); char enc1[100]; strncpy(enc1+26,enc,13); strncpy(enc1,enc+13,13); strncpy(enc1+39,enc+26,13); strncpy(enc1+13,enc+39,13); puts(enc1); } //EmBmP5Pmn7QcPU4gLYKv5QcMmB3PWHcP5YkPq3=cT6QckkPckoRG //EmBmP2Pmn4QcPU1gLYKv2QcMmB0PWHcP2YkPq0=cT3QckkPckoRG //BjYjM5Mjk7NzM //R4dIVHs5NzJjY //3MTEzM5VhMn3= //zQ6NzhhMzhlOD //R1dIVHs2NzJjYzQ3NzhhMzhlODBjYjM2Mjk4NzM0MTEzM2VhMn0=

得到flag{672cc4778a38e80cb362987341133ea2}

我们运行文件输入GWHT{672cc4778a38e80cb362987341133ea2}得到right