RaCTF2021 WriteUp

Posted on

reverse

verybabyrev

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  __int64 s1[12]; // [rsp+0h] [rbp-100h] BYREF
  char v4; // [rsp+60h] [rbp-A0h]
  char s[140]; // [rsp+70h] [rbp-90h] BYREF
  int v6; // [rsp+FCh] [rbp-4h]

  setvbuf(stdout, 0LL, 2, 0LL);
  memset(s, 0, 0x80uLL);
  s1[0] = 0x45481D1217111313LL;
  s1[1] = 0x95F422C260B4145LL;
  s1[2] = 0x541B56563D6C5F0BLL;
  s1[3] = 0x585C0B3C2945415FLL;
  s1[4] = 0x402A6C54095D5F00LL;
  s1[5] = 0x4B5F4248276A0606LL;
  s1[6] = 0x6C5E5D432C2D4256LL;
  s1[7] = 0x6B315E434707412DLL;
  s1[8] = 0x5E54491C6E3B0A5ALL;
  s1[9] = 0x2828475E05342B1ALL;
  s1[10] = 0x60450073B26111FLL;
  s1[11] = 0xA774803050B0D04LL;
  v4 = 0;
  printf("Enter your flag: ");
  fgets(s, 128, stdin);
  v6 = 0;
  if ( s[0] != 'r' )
  {
    puts("Nope!");
    exit(0);
  }
  while ( v6 <= 126 )
  {
    s[v6] ^= s[v6 + 1];
    ++v6;
  }
  if ( !memcmp(s1, s, 97uLL) )
  {
    puts("Correct!");
    exit(1);
  }
  puts("Nope!");
  exit(0);
}

很明显,flag以字符r开头(不过这个提示没有什么用)。每次flag[i]与flag[i + 1]进行异或运算。我们可以从最后一个没有进行异或运算的值(即:flag[96]),算出flag[95],再用flag[95]算出flag[94]……

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
secret = [0x13, 0x13, 0x11, 0x17, 0x12, 0x1D, 0x48, 0x45, 0x45, 0x41, 0x0B, 0x26, 0x2C, 0x42, 0x5F, 9, 0x0B, 0x5F, 0x6C,
          0x3D, 0x56, 0x56, 0x1B, 0x54, 0x5F, 0x41, 0x45, 0x29, 0x3C, 0x0B, 0x5C, 0x58, 0, 0x5F, 0x5D, 9, 0x54, 0x6C,
          0x2A, 0x40, 6, 6, 0x6A, 0x27, 0x48, 0x42, 0x5F, 0x4B, 0x56, 0x42, 0x2D, 0x2C, 0x43, 0x5D, 0x5E, 0x6C, 0x2D,
          0x41, 7, 0x47, 0x43, 0x5E, 0x31, 0x6B, 0x5A, 0x0A, 0x3B, 0x6E, 0x1C, 0x49, 0x54, 0x5E, 0x1A, 0x2B, 0x34, 5,
          0x5E, 0x47, 0x28, 0x28, 0x1F, 0x11, 0x26, 0x3B, 7, 0x50, 4, 6, 4, 0x0D, 0x0B, 5, 3, 0x48, 0x77, 0x0A, 0]

flag = "r"
i = 0

while i < 97:
    flag = flag + chr(ord(flag[i]) ^ secret[i])
    i += 1
print(flag)

flag = ""
i = 95

while i >= 0:
    secret[i] = secret[i] ^ secret[i + 1]
    flag = chr(secret[i]) + flag
    i -= 1
print(flag)

Dotty

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
check = "-|....|.|/|..-.|.-..|.-|--.|/|..|...|/|---|.---|--.-|-..-|.|-.--|...--|..-|--|--..|.....|.--|..|--|.-..|.|.-..|.....|....-|-|.-|.....|-.-|--...|---|.-|--..|-|--.|..---|..---|--...|--.|-...|--..|..-.|-....|-.|.-..|--.-|.--.|.|--...|-|-....|.--.|--..|--...|.-..|.....|-|--.|-.-.|-.|-..|-...|--|--|...--|-..|.-|-.|.-..|.....|/|-...|.-|...|.|...--|..---"

check_list = check.split('|')

d = {
    "/": " ",
    ".-": "A",
    "-...": "B",
    "-.-.": "C",
    "-..": "D",
    ".": "E",
    "..-.": "F",
    "--.": "G",
    "....": "H",
    "..": "I",
    ".---": "J",
    "-.-": "K",
    ".-..": "L",
    "--": "M",
    "-.": "N",
    "---": "O",
    ".--.": "P",
    "--.-": "Q",
    ".-.": "R",
    "...": "S",
    "-": "T",
    "..-": "U",
    "...-": "V",
    ".--": "W",
    "-..-": "X",
    "-.--": "Y",
    "--..": "Z",
    ".----": "1",
    "..---": "2",
    "...--": "3",
    "....-": "4",
    ".....": "5",
    "-....": "6",
    "--...": "7",
    "---..": "8",
    "----.": "9",
    "-----": "0"
}

for item in check_list:
    print(d[item], end='')