
BlackBird的博客

这世界上所有的不利状况,都是当事者能力不足导致的

PyDis

这个题应该是rx仿今年的hgame的那一个pypy……

先把pyc转成byte_code:

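import dis
import marshal

# CPython 3.7+ .pyc files start with a 16-byte header (magic number, flags,
# then mtime + source size or a source hash); the marshalled code object
# follows directly after it.
PYC_HEADER_SIZE = 16

# Read the sample with a context manager so the handle is closed promptly.
with open("pyre.cpython-39.pyc", "rb") as fh:
    f = fh.read()

# marshal.loads() only rebuilds the code object, it does not run it, but the
# module is not hardened against malformed or hostile input, so unmarshal
# unknown samples only inside a disposable analysis environment.
# Run this under the interpreter version named in the file ("cpython-39"):
# opcode numbers change between minor releases, and a mismatched dis will
# print wrong instruction names for some opcodes.
code = marshal.loads(f[PYC_HEADER_SIZE:])

dis.dis(code)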

没错,我就是嫖含树的(理直气壮

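然后硬刚byte_code(注意:偏移 4 处显示的 CALL_FINALLY 应该是用 Python 3.8 的 dis 去解析 3.9 字节码造成的误译,在 3.9 里这个操作码是 LIST_EXTEND,也就是把常量元组展开成列表 magic):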

  1           0 BUILD_LIST               0
              2 LOAD_CONST               0 ((178, 184, 185, 191, 182, 165, 174, 191, 129, 183, 187, 176, 129, 169, 191, 167, 163))
              4 CALL_FINALLY             1 (to 7)
              6 STORE_NAME               0 (magic)

  2           8 LOAD_NAME                1 (input)
             10 LOAD_CONST               1 ('flag >>> ')
             12 CALL_FUNCTION            1
             14 STORE_NAME               2 (inp)

  4          16 LOAD_NAME                3 (list)
             18 LOAD_NAME                2 (inp)
             20 CALL_FUNCTION            1
             22 STORE_NAME               4 (flag)

  5          24 LOAD_NAME                5 (len)
             26 LOAD_NAME                4 (flag)
             28 CALL_FUNCTION            1
             30 LOAD_NAME                5 (len)
             32 LOAD_NAME                0 (magic)
             34 CALL_FUNCTION            1
             36 COMPARE_OP               3 (!=)
             38 POP_JUMP_IF_FALSE       54

  6          40 LOAD_NAME                6 (print)
             42 LOAD_CONST               2 ('qwq')
             44 CALL_FUNCTION            1
             46 POP_TOP

  7          48 LOAD_NAME                7 (exit)
             50 CALL_FUNCTION            0
             52 POP_TOP

  9     >>   54 LOAD_NAME                8 (range)
             56 LOAD_NAME                5 (len)
             58 LOAD_NAME                4 (flag)
             60 CALL_FUNCTION            1
             62 LOAD_CONST               3 (2)
             64 BINARY_FLOOR_DIVIDE
             66 CALL_FUNCTION            1
             68 GET_ITER
        >>   70 FOR_ITER                54 (to 126)
             72 STORE_NAME               9 (i)

 10          74 LOAD_NAME                4 (flag)
             76 LOAD_CONST               3 (2)
             78 LOAD_NAME                9 (i)
             80 BINARY_MULTIPLY
             82 LOAD_CONST               4 (1)
             84 BINARY_ADD
             86 BINARY_SUBSCR
             88 LOAD_NAME                4 (flag)
             90 LOAD_CONST               3 (2)
             92 LOAD_NAME                9 (i)
             94 BINARY_MULTIPLY
             96 BINARY_SUBSCR
             98 ROT_TWO
            100 LOAD_NAME                4 (flag)
            102 LOAD_CONST               3 (2)
            104 LOAD_NAME                9 (i)
            106 BINARY_MULTIPLY
            108 STORE_SUBSCR
            110 LOAD_NAME                4 (flag)
            112 LOAD_CONST               3 (2)
            114 LOAD_NAME                9 (i)
            116 BINARY_MULTIPLY
            118 LOAD_CONST               4 (1)
            120 BINARY_ADD
            122 STORE_SUBSCR
            124 JUMP_ABSOLUTE           70

 12     >>  126 BUILD_LIST               0
            128 STORE_NAME              10 (check)

 14         130 LOAD_NAME                8 (range)
            132 LOAD_NAME                5 (len)
            134 LOAD_NAME                4 (flag)
            136 CALL_FUNCTION            1
            138 CALL_FUNCTION            1
            140 GET_ITER
        >>  142 FOR_ITER                26 (to 170)
            144 STORE_NAME               9 (i)

 15         146 LOAD_NAME               10 (check)
            148 LOAD_METHOD             11 (append)
            150 LOAD_NAME               12 (ord)
            152 LOAD_NAME                4 (flag)
            154 LOAD_NAME                9 (i)
            156 BINARY_SUBSCR
            158 CALL_FUNCTION            1
            160 LOAD_CONST               5 (222)
            162 BINARY_XOR
            164 CALL_METHOD              1
            166 POP_TOP
            168 JUMP_ABSOLUTE          142

 17     >>  170 LOAD_NAME                8 (range)
            172 LOAD_NAME                5 (len)
            174 LOAD_NAME                0 (magic)
            176 CALL_FUNCTION            1
            178 CALL_FUNCTION            1
            180 GET_ITER
        >>  182 FOR_ITER                34 (to 218)
            184 STORE_NAME               9 (i)

 18         186 LOAD_NAME               10 (check)
            188 LOAD_NAME                9 (i)
            190 BINARY_SUBSCR
            192 LOAD_NAME                0 (magic)
            194 LOAD_NAME                9 (i)
            196 BINARY_SUBSCR
            198 COMPARE_OP               3 (!=)
            200 POP_JUMP_IF_FALSE      182

 19         202 LOAD_NAME                6 (print)
            204 LOAD_CONST               2 ('qwq')
            206 CALL_FUNCTION            1
            208 POP_TOP

 20         210 LOAD_NAME                7 (exit)
            212 CALL_FUNCTION            0
            214 POP_TOP
            216 JUMP_ABSOLUTE          182

 22     >>  218 LOAD_NAME                6 (print)
            220 LOAD_CONST               6 ('happy new year!')
            222 CALL_FUNCTION            1
            224 POP_TOP
            226 LOAD_CONST               7 (None)
            228 RETURN_VALUE

不是很难:

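# Source-level reconstruction of the disassembled check, kept in the same
# order as the bytecode. Every step is invertible (fixed pair swap, XOR with
# a constant), so the embedded `magic` list fully determines the input.
magic = [178, 184, 185, 191, 182, 165, 174, 191, 129, 183, 187, 176, 129, 169, 191, 167, 163]
# Prompt copied from the LOAD_CONST at offset 10, including the space.
inp = input('flag >>> ')

flag = list(inp)

# Length gate: the input must be exactly as long as magic (17 characters).
if len(flag) != len(magic):
    print('qwq')
    exit()

# Swap each adjacent pair (0<->1, 2<->3, ...). With an odd length the last
# character is left where it is.
for i in range(len(flag) // 2):
    flag[2 * i], flag[2 * i + 1] = flag[2 * i + 1], flag[2 * i]

# XOR every character code with the constant 222 (0xDE).
check = []
for i in range(len(flag)):
    check.append(ord(flag[i]) ^ 222)

# Compare position by position; the first mismatch prints 'qwq' and exits.
for i in range(len(magic)):
    if check[i] != magic[i]:
        print('qwq')
        exit()

print('happy new year!')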

写一下exp:

# Inverse of the check: undo the XOR with 222, then undo the pair swap.
# Both steps are their own inverse, so only their order is reversed.
check = [178, 184, 185, 191, 182, 165, 174, 191, 129, 183, 187, 176, 129, 169, 191, 167, 163]

# XOR with the same constant restores the swapped characters.
flag = [chr(value ^ 222) for value in check]

# Swap adjacent pairs back; the last element of an odd-length list stays put.
for left in range(0, len(flag) - 1, 2):
    right = left + 1
    flag[left], flag[right] = flag[right], flag[left]

# Emit the recovered characters on one line without a trailing newline.
print("".join(flag), end='')

FlareOn4 IgniteMe

题确实比较简单,直接定位关键函数sub_401050,重命名一下:

/*
 * Input check (decompiler pseudocode; variable names as renamed in the
 * write-up). Builds rel[] from input[] with a chained XOR that runs from
 * the last byte to the first, then compares rel[] with byte_403000.
 * Returns 1 when all 39 compared bytes match, 0 on the first mismatch.
 */
int sub_401050()
{
  int length; // [esp+0h] [ebp-Ch]
  int i; // [esp+4h] [ebp-8h]
  unsigned int j; // [esp+4h] [ebp-8h]
  char v4; // [esp+Bh] [ebp-1h]

  length = strlen((int)input);
  // Seed for the XOR chain. sub_401000 is not shown here; the write-up
  // obtains its return value by debugging.
  v4 = sub_401000();
  // Walk backwards: rel[i] = input[i] ^ (previously processed input byte),
  // i.e. input[i] ^ input[i+1], with the seed used for the last byte.
  for ( i = length - 1; i >= 0; --i )
  {
    rel[i] = v4 ^ input[i];
    v4 = input[i];
  }
  // Exactly 39 bytes are compared, independent of `length`.
  // NOTE(review): for length < 39 the entries rel[length..38] are not
  // written by this function; their contents cannot be told from here.
  for ( j = 0; j < 39; ++j )
  {
    if ( rel[j] != (unsigned __int8)byte_403000[j] )
      return 0;
  }
  return 1;
}

代码逻辑十分简单,只是v4的初值(sub_401000的返回值)不会静态算,动调一下就知道了。

image-20210210201952993

写一下exp

#include<bits/stdc++.h>
using namespace std;
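int main(){
	// Comparison table used by the check (presumably the bytes of
	// byte_403000). Only the first 39 entries are used; the trailing 0x0
	// is never read by the loop below.
	const int rel[]={0x0D,0x26,0x49,0x45,0x2A,0x17,0x78,0x44,0x2B,0x6C,0x5D,0x5E,0x45,0x12,0x2F,0x17,0x2B,0x44,0x6F,0x6E,0x56,0x9,0x5F,0x45,0x47,0x73,0x26,0x0A,0x0D,0x13,0x17,0x48,0x42,0x1,0x40,0x4D,0x0C,0x2,0x69,0x0};
	// Zero-initialised so flag[39] is a NUL terminator. The loop fills only
	// flag[0..38]; without the terminator operator<< would keep reading
	// past the decoded bytes.
	char flag[40]={0};
	// Seed of the XOR chain, the value the write-up found for v4 by debugging.
	int v4=4;
	// The check computes rel[i] = input[i] ^ input[i+1] from the end, so the
	// input is recovered the same way: flag[i] = rel[i] ^ flag[i+1].
	for ( int i = 38; i >= 0; --i )
	{
		flag[i] = static_cast<char>(v4 ^ rel[i]);
		v4 = flag[i];
	}
	std::cout<<"flag{"<<flag<<'}';
	return 0;
} //flag{R_y0u_H0t_3n0ugH_t0_1gn1t3@flare-on.com}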

BUUCTF Firmware

这尼玛……是啥????电子取证???还是MISC???还是IOT???

我还是按照MISC来处理吧……它给的是内存文件,里面应该有日志,配置文件啥的……(我猜的

所以我们先分离一下:

image-20210210203337715

第一个空文件夹……第二个没看出来是个啥,第三个应该跟第二个是一样的,但我解压也没搞定……最后一个没见过。

我们先看一下最后一个的文件格式:

SquashFS 是一套基于Linux内核使用的压缩只读文件系统。该文件系统能够压缩系统内的文档,inode以及目录,文件最大支持 2^64 字节。

解析这个文件格式需要用一个工具firmware-mod-kit,但是这个东西我死活装不上!!!

image-20210211002414774

我又尝试用ubuntu自带的unsquashfs进行解析:

image-20210211002436874

我又尝试挂载该文件:

image-20210211002517829

草!!!!

最后还是没有解决……淦!!!网上有题解,感兴趣的直接百度……
