22.1.13
Just logging the daily routine.
Last night I still had diarrhea, and nobody to play games with. My stomach hurt badly and kept gurgling.
Still not feeling great now.
Today I'm not doing BUU; I'll do some 攻防世界 instead.
0x01 reverse game
- What a cute little program. Fire up IDA!
- The relevant code is easy to find.
- One thing to watch out for: the decompiler shows several separate arrays, but in reality they are one array.
- That is, v3, v4 and even v5 are all one array.
Run this code:

```cpp
#include <cstdio>
#include <cstring>

int sub_45E940()
{
    int i;                                   // [esp+D0h] [ebp-94h]
    // In the decompiler output v3, v4 and v5 are three adjacent stack arrays;
    // on the real stack they form one buffer of 22 + 32 + 4 bytes.
    char v3[22] = {123, 32, 18, 98, 119, 108, 65, 41, 124, 80, 125,
                   38, 124, 111, 74, 49, 83, 108, 94, 108, 84, 6};   // [esp+DCh] [ebp-88h] BYREF
    // v4 was char v4[32]; it is enlarged here so that the two bytes that belong
    // to v5 (v4[32], v4[33]) and the terminator fit without overflowing.
    char v4[64] = "`S,yhn _uec{";            // [esp+F2h] [ebp-72h] BYREF, qmemcpy(v4, "`S,yhn _uec{", 12)
    char v5[4];                              // [esp+112h] [ebp-52h] BYREF
    char v6[64] = {18, 64, 98, 5, 2, 4, 6, 3, 6, 48, 49, 65, 32, 12, 48, 65, 31,
                   78, 62, 32, 49, 32, 1, 57, 96, 3, 21, 9, 4, 62, 3, 5, 4, 1, 2,
                   3, 44, 65, 78, 32, 16, 97, 54, 16, 44, 52, 32, 64, 89, 45, 32,
                   65, 15, 34, 18, 16, 0};   // [esp+120h] [ebp-44h], the XOR key
    // sub_45A7BE((int)"done!!! the flag is ", v1);

    v4[12] = 127; v4[13] = 119; v4[14] = 96;  v4[15] = 48;  v4[16] = 107;
    v4[17] = 71;  v4[18] = 92;  v4[19] = 29;  v4[20] = 81;  v4[21] = 107;
    v4[22] = 90;  v4[23] = 85;  v4[24] = 64;  v4[25] = 12;  v4[26] = 43;
    v4[27] = 76;  v4[28] = 86;  v4[29] = 13;  v4[30] = 114; v4[31] = 1;
    v4[32] = 'u';                            // these two bytes are really v5[0], v5[1]
    v4[33] = '~';
    v4[34] = '\0';
    strcpy(v5, " ~");                        // left over from the decompiler output, not used below

    // Decode the second part of the buffer: flag[i] = buf[i] ^ v6[i] ^ 0x13.
    // The loop runs to 56 (not 55) so that v4[33], the closing '}', is decoded too.
    for (i = 22; i < 56; ++i) {
        v4[i - 22] ^= v6[i];
        v4[i - 22] ^= '\x13';
    }
    printf("%s\n", v4);
    return 1;
}

int main()
{
    sub_45E940();
    return 0;
}
// Full flag: zsctf{T9is_tOpic_1s_v5ry_int7resting_b6t_others_are_n0t}
```
- Running it like this on v3 and v4 gives roughly the flag.
But this challenge has another approach.
Namely the lovely Cheat Engine (CE).
Conclusion first:
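Added example (not the writeup's own code): a Python solve script that applies the observation above, treating v3, v4 and v5 as one contiguous 56-byte buffer and XORing every byte with v6 and 0x13 in a single pass, so the whole flag comes out at once. The byte values are the ones quoted from the decompiled code; the trailing "u~" is the v5 pair the writeup patches in as v4[32], v4[33].

```python
# Added solve script, not part of the original writeup. The decompiler shows
# v3, v4, v5 as separate stack arrays; they are one buffer, so decode it whole.

V3 = [123, 32, 18, 98, 119, 108, 65, 41, 124, 80, 125,
      38, 124, 111, 74, 49, 83, 108, 94, 108, 84, 6]
# v4: the 12-byte qmemcpy string followed by the 20 individually assigned bytes
V4 = list(b"`S,yhn _uec{") + [127, 119, 96, 48, 107, 71, 92, 29, 81, 107,
                               90, 85, 64, 12, 43, 76, 86, 13, 114, 1]
# v5: the two bytes the writeup assigns as v4[32] and v4[33]
V5 = list(b"u~")
# v6: the per-byte XOR key; v6[56] == 0 lands on the string terminator slot
V6 = [18, 64, 98, 5, 2, 4, 6, 3, 6, 48, 49, 65, 32, 12, 48, 65, 31, 78, 62,
      32, 49, 32, 1, 57, 96, 3, 21, 9, 4, 62, 3, 5, 4, 1, 2, 3, 44, 65, 78,
      32, 16, 97, 54, 16, 44, 52, 32, 64, 89, 45, 32, 65, 15, 34, 18, 16, 0]
CONST = 0x13


def decode_flag(cipher=V3 + V4 + V5, key=V6, const=CONST):
    """Return flag[i] = cipher[i] ^ key[i] ^ const for the whole buffer.

    Passing only V3 (or only V4) reproduces the partial result you get when
    the decompiler's arrays are decoded one at a time.
    """
    n = len(cipher)
    if n > len(key):
        raise ValueError("key does not cover the whole buffer")
    return bytes(c ^ k ^ const for c, k in zip(cipher, key[:n])).decode("ascii")


if __name__ == "__main__":
    print(decode_flag())
```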
```
|-----------------------▲--------|
|-----------------------●--------|
|-----------------------◆--------|
|-----------------------■--------|
|--------------------|-----------------------★--------|
|
|-----------------------▼--------|
|
|--------------------(°Д°)-----|
|
|--------------------(*°▽°)=3--|
二
|
|
by 0x61
|
|
|
|------------------------------------------------------|
done!!! the flag is zsctf{T9is_tOpic_1s_v5ry_int7resting_b6t_others_are_n0t}
input n,n(1-8)
1.△ 2.○ 3.◇ 4.□ 5.☆ 6.▽ 7.( ̄▽ ̄)/ 8.(;°Д°) 0.restart
n=
```
- Since we already reversed it once, we can see that this check is an array.
- So just search for the array directly; after all, an array's memory addresses are basically contiguous.
Then, since CE may not change values as fast as, well, you know, just freeze most of the values, play around a bit, and you get it easily.
zsctf{T9is_tOpic_1s_v5ry_int7resting_b6t_others_are_n0t}
0x02 BUU LSB
- On Linux the file command shows:
flag11.png: PNG image data, 268 x 268, 8-bit/color RGB, non-interlaced
- Doesn't seem to have any useful information; WinHex shows nothing either.
- Couldn't do it, read the writeup (WP).
- Wow, so that's how Stegsolve's analyse feature can be used. Scary.
- What comes out is a QR code.
cumtctf{1sb_i4_s0_Ea4y}
0x03 BUU 你竟然赶我走
WinHex, at the tail of the image: flag{stego_is_s0_bor1ing}