ISCTF 逆向题解

用一个晚上的时间看了看ISCTF，有的题还蛮难的(毕竟得嘎嘎猜出题人想法)

CrackMe

winhex打开exe，修改标识头PFX为UPX

然后放进UPXshell里面试试

脱了，放进ida，直接反编译得到flag

EasyRe

exeinfo看看这个是什么

64位，放进ida反编译得到一段很清晰的逻辑

反转+异或+单表代换。。。这是要爆破吗

直接搜md5得到flag

ISCTF{SNXJSIAOWCBXNAL}

BabyRe

打开附件发现是python打包的exe，直接用pydumpck解包

得到的pyc是python的字节码(类似C语言的指令码)

需要进一步反编译成python代码

首先看看这个pyc文件是否完整，比如pyc的魔术头是否还在

拖入winhex，整个文件头都丢了啊喂

无奈，把文件头补上，这里猜一下，用python3.7的pyc魔术头

运气有点逆天，直接中奖

看了一下源码，是一个简单的RSA加密，直接解密

from Crypto.Util.number import long_to_bytes
import gmpy2
from z3 import *

total = '292884018782106151080211087047278002613718113661882871562870811030932129300110050822187903340426820507419488984883216665816506575312384940488196435920320779296487709207011656728480651848786849994095965852212548311864730225380390740637527033103610408592664948012814290769567441038868614508362013860087396409860'
s = '21292789073160227295768319780997976991300923684414991432030077313041762314144710093780468352616448047534339208324518089727210764843655182515955359309813600286949887218916518346391288151954579692912105787780604137276300957046899460796651855983154616583709095921532639371311099659697834887064510351319531902433355833604752638757132129136704458119767279776712516825379722837005380965686817229771252693736534397063201880826010273930761767650438638395019411119979149337260776965247144705915951674697425506236801595477159432369862377378306461809669885764689526096087635635247658396780671976617716801660025870405374520076160'
e = '65537'
c = '5203005542361323780340103662023144468501161788183930759975924790394097999367062944602228590598053194005601497154183700604614648980958953643596732510635460233363517206803267054976506058495592964781868943617992245808463957957161100800155936109928340808755112091651619258385206684038063600864669934451439637410568700470057362554045334836098013308228518175901113235436257998397401389511926288739759268080251377782356779624616546966237213737535252748926042086203600860251557074440685879354169866206490962331203234019516485700964227924668452181975961352914304357731769081382406940750260817547299552705287482926593175925396'

p, q = Ints('p q')
solver = Solver()
solver.add((p + 1) * (q + 1) == int(s))
solver.add(p + q == int(total))
if solver.check() == sat:
ans = solver.model()
p = gmpy2.mpz(str(ans[p]))
q = gmpy2.mpz(str(ans[q]))
n = p * q
d = gmpy2.invert(gmpy2.mpz(e), gmpy2.mpz((p - 1) * (q - 1)))
M = pow(gmpy2.mpz(c), d, n)
print(long_to_bytes(M))

得到flag

easy_z3

打开附件，是一坨函数，解密的话只能用z3了

from z3 import *
from Crypto.Util.number import long_to_bytes,bytes_to_long
s = Solver()
a1 = [0]*6
for i in range(6):
a1[i] = Int('a1['+str(i)+']')

s.add(593*a1[5] + 997*a1[0] + 811*a1[1] + 258*a1[2] + 829*a1[3] + 532*a1[4] == 0x54eb02012bed42c08)
s.add(605*a1[4] + 686*a1[5] + 328*a1[0] + 602*a1[1] + 695*a1[2] + 576*a1[3]== 0x4f039a9f601affc3a)
s.add(373*a1[3] + 512*a1[4] + 449*a1[5] + 756*a1[0] + 448*a1[1] + 580*a1[2]== 0x442b62c4ad653e7d9 )
s.add(560*a1[2] + 635*a1[3] + 422*a1[4] + 971*a1[5] + 855*a1[0] + 597*a1[1]== 0x588aabb6a4cb26838)
s.add(717*a1[1] + 507*a1[2] + 388*a1[3] + 925*a1[4] + 324*a1[5] + 524*a1[0]== 0x48f8e42ac70c9af91)
s.add(312*a1[0] + 368*a1[1] + 884*a1[2] + 518*a1[3] + 495*a1[4] + 414*a1[5]== 0x4656c19578a6b1170)
s.check()
S = s.model()

for i in range(len(S)):
print(S[a1[i]],end="\n")

# 20639221941697358
# 13615593641303915
# 31015537033047360
# 32765855640286324
# 28554726411354222
# 26860403902456189

arr = [20639221941697358,13615593641303915,31015537033047360,32765855640286324,28554726411354222,26860403902456189]
for i in range(len(arr)):
print(long_to_bytes(arr[i]))

#ISCTF{N0_One_kn0ws_m@th_B3tter_Th@n_me!!!}

mfx_re

依然是UPX，不过这次是ELF的UPX，直接拖winhex改标识

upx自动脱

可以看出如果标识没有改的话，工具根本识别不出来

拖进ida，一个非常简单的自减1移动，直接cyberchef自加1就行

easy_flower_tea

看这个名字就不好惹，放进ida一看，有脏字节

先手动nop一下，up大法识别main函数成功（只有一段花指令，失望）

f5直接看代码，还真是tea算法，密钥在主函数

套代码,这个题貌似直接提交ISCTF{数字}就可以了