逆向入门题目
0x00:介绍以下为CTF中一些简单的Windows逆向入门题目,帮助一些刚接触逆向又无法下手的朋友,题目都非常基础,主要是对文件做一些简单的分析
1.Bugkuctf平台中的逆向题easy_vb:
打开文件发现需要输入正确的注册码才能获取flag
https://img-blog.csdn.net/20180913184632730?watermark/2/text/aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0NoYXJsZXNHb2RY/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70
话不多说先放入PEID看看,这是一个查壳工具,负责分析PE头的一些信息,可以通过它查看是否加壳以编写程序的语言,养成这个好习惯,我们打开后发现是用VB6写的
https://img-blog.csdn.net/2018091318493421?watermark/2/text/aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0NoYXJsZXNHb2RY/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70
IDA是一个非常强大的静态反编译工具,通过查看汇编代码以及伪C代码可以对文件进行很细致的分析我们载入IDA进行分析,用alt + t搜索字符串CTF,然后crtl + t搜索下一个字符串,直到看到flag
https://img-blog.csdn.net/20180913185528700?watermark/2/text/aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0NoYXJsZXNHb2RY/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70
2.Bugkuctf平台中的逆向题Easy_Re:
先把文件下载下来载入PEID
https://img-blog.csdn.net/20180913190549695?watermark/2/text/aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0NoYXJsZXNHb2RY/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70
运行文件发现有字符串flag,于是考虑用IDA打开文件用alt+F12查找字符串flag
https://img-blog.csdn.net/20180913190938430?watermark/2/text/aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0NoYXJsZXNHb2RY/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70
来到这里发现xmmword后面有两串奇怪的字符串,我们将其选中按R键将其变成字符串发现flag
https://img-blog.csdn.net/20180913191335990?watermark/2/text/aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0NoYXJsZXNHb2RY/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70
3.南邮CTF逆向题Hello,RE!
下载文件用PEID载入,无壳,运行一下发现让输入flag,老办法用IDA打开查找字符串flag
https://img-blog.csdn.net/20180913191511917?watermark/2/text/aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0NoYXJsZXNHb2RY/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70
查找到之后用跳到这里
https://img-blog.csdn.net/20180913192025274?watermark/2/text/aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0NoYXJsZXNHb2RY/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70
我们用F5查看反汇编的伪C代码
https://img-blog.csdn.net/20180913192212415?watermark/2/text/aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0NoYXJsZXNHb2RY/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70
4.实验吧 Just Click
下载文件用exeinfo这款软件查看发现程序用C#撰写,exeinfo也是一款查壳软件
https://img-blog.csdn.net/20180914151832312?watermark/2/text/aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0NoYXJsZXNHb2RY/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70
打开软件发现需要点击相应的数字才能发现flag
https://img-blog.csdn.net/20180914152012957?watermark/2/text/aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0NoYXJsZXNHb2RY/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70
因为是用C#写的所以我们考虑用Reflector软件将其打开,每一种语言都有相应的一些反编译工具,我们现在只需要灵活的使用和熟悉各种工具就行了
https://img-blog.csdn.net/20180914152200740?watermark/2/text/aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0NoYXJsZXNHb2RY/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70
找到MainWindow发现类似主函数的东西,分析发现需要按顺序点击8次就能出现flag,按这个顺序点击即出现flag
https://img-blog.csdn.net/2018091415240019?watermark/2/text/aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0NoYXJsZXNHb2RY/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70
5.南邮CTF py交易
链接:https://pan.baidu.com/s/1o8fVxkI密码:kd37
下载文件发现是pyc格式,是一道python逆向的题目,我们直接在网上找在线反编译python的网站:https://tool.lu/pyc/
反编译后发现是这样的
https://img-blog.csdn.net/20180916181237141?watermark/2/text/aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0NoYXJsZXNHb2RY/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70
分析算法:
首先输入一段字符串,进入encode函数之后与字符串correct进行比较encode函数就是将输入的字符串中每个字符ascii都与32进行异或运算,然后每个在加上16得到新的字符串,最后再将这个字符串进行base64加密。所以我们只需将"XlNkVmtUI1MgXWBZXCFeKY+AaXNt"进行base64解密,再将每个字符ascii码都减16,接着与32异或即可得到flag
python代码如下:
import base64
correct ='XlNkVmtUI1MgXWBZXCFeKY+AaXNt'
s = base64.b64decode(correct)
flag =''
for i in s:
i = chr((ord(i)-16)^32)
flag += i
print flag
运行即可得到flag:nctf{d3c0mpil1n9_PyC}
6.Jarvis OJ :FindKey
下载文件发现是一个名字比较长的东西(大多数题目后缀名都比较长)
https://img-blog.csdn.net/20180916234156197?watermark/2/text/aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0NoYXJsZXNHb2RY/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70
用一款叫做斯托夫文件格式分析器分析一下这个软件的类型
https://img-blog.csdn.net/20180916234318739?watermark/2/text/aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0NoYXJsZXNHb2RY/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70
发现是python写的,将其后缀名改为.pyc然后放入在线反编译网站里得到如下
import sys
lookup = [
196,153, 149,206, 17,221, 10, 217, 167, 18, 36, 135, 103, 61, 111, 31, 92, 152, 21, 228, 105, 191, 173, 41, 2, 245, 23, 144, 1, 246, 89, 178, 182, 119, 38, 85, 48, 226, 165, 241, 166, 214, 71, 90, 151, 3, 109, 169, 150, 224, 69, 156, 158, 57, 181, 29, 200, 37, 51, 252, 227, 93, 65, 82, 66, 80, 170, 77, 49, 177, 81, 94, 202, 107, 25, 73, 148, 98, 129, 231, 212, 14, 84, 121, 174, 171, 64, 180, 233, 74, 140, 242, 75, 104, 253, 44, 39, 87, 86, 27, 68, 22, 55, 76, 35, 248, 96, 5, 56, 20, 161, 213, 238, 220, 72, 100, 247, 8, 63, 249, 145, 243, 155, 222, 122, 32, 43, 186, 0, 102, 216, 126, 15, 42, 115, 138, 240, 147, 229, 204, 117, 223, 141, 159, 131, 232, 124, 254, 60, 116, 46, 113, 79, 16, 128, 6, 251, 40, 205, 137, 199, 83, 54, 188, 19, 184, 201, 110, 255, 26, 91, 211, 132, 160, 168, 154, 185, 183, 244, 78, 33, 123, 28, 59, 12, 210, 218, 47, 163, 215, 209, 108, 235, 237, 118, 101, 24, 234, 106, 143, 88, 9, 136, 95, 30, 193, 176, 225, 198, 197, 194, 239, 134, 162, 192, 11, 70, 58, 187, 50, 67, 236, 230, 13, 99, 190, 208, 207, 7, 53, 219, 203, 62, 114, 127, 125, 164, 179, 175, 112, 172, 250, 133, 130, 52, 189, 97, 146, 34, 157, 120, 195, 45, 4, 142, 139]
pwda =
pwdb =
flag = raw_input('Input your Key:').strip()
if len(flag) != 17:
print 'Wrong Key!!'
sys.exit(1)
flag = flag[::-1]
for i in range(0, len(flag)):
if ord(flag) + pwda & 255 != lookup:
print 'Wrong Key!!'
sys.exit(1)
print 'Congratulations!!'
下面写个脚本满足输出flag的条件就ok了
import sys
lookup = [
196,153, 149,206, 17,221, 10, 217, 167, 18, 36, 135, 103, 61, 111, 31, 92, 152, 21, 228, 105, 191, 173, 41, 2, 245, 23, 144, 1, 246, 89, 178, 182, 119, 38, 85, 48, 226, 165, 241, 166, 214, 71, 90, 151, 3, 109, 169, 150, 224, 69, 156, 158, 57, 181, 29, 200, 37, 51, 252, 227, 93, 65, 82, 66, 80, 170, 77, 49, 177, 81, 94, 202, 107, 25, 73, 148, 98, 129, 231, 212, 14, 84, 121, 174, 171, 64, 180, 233, 74, 140, 242, 75, 104, 253, 44, 39, 87, 86, 27, 68, 22, 55, 76, 35, 248, 96, 5, 56, 20, 161, 213, 238, 220, 72, 100, 247, 8, 63, 249, 145, 243, 155, 222, 122, 32, 43, 186, 0, 102, 216, 126, 15, 42, 115, 138, 240, 147, 229, 204, 117, 223, 141, 159, 131, 232, 124, 254, 60, 116, 46, 113, 79, 16, 128, 6, 251, 40, 205, 137, 199, 83, 54, 188, 19, 184, 201, 110, 255, 26, 91, 211, 132, 160, 168, 154, 185, 183, 244, 78, 33, 123, 28, 59, 12, 210, 218, 47, 163, 215, 209, 108, 235, 237, 118, 101, 24, 234, 106, 143, 88, 9, 136, 95, 30, 193, 176, 225, 198, 197, 194, 239, 134, 162, 192, 11, 70, 58, 187, 50, 67, 236, 230, 13, 99, 190, 208, 207, 7, 53, 219, 203, 62, 114, 127, 125, 164, 179, 175, 112, 172, 250, 133, 130, 52, 189, 97, 146, 34, 157, 120, 195, 45, 4, 142, 139]
pwda =
pwdb =
flag = ''
for i in range(0,17)://这里就是要满足wrong key的条件才能得到正确的flag
flag+=chr(lookup-pwda & 255)
flag=flag[::-1]
print flag
运行一下就得到flag了
https://img-blog.csdn.net/20180916235111541?watermark/2/text/aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0NoYXJsZXNHb2RY/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70
7.Jarvis OJ :stheasy
拿到题目下载了一个很复杂的文件,我们先放入斯托夫文件格式分析器分析,发现是ELF文件:
https://img-blog.csdn.net/20180920212949763?watermark/2/text/aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0NoYXJsZXNHb2RY/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70
我们用IDA将其打开,很容易找到关键函数位置:
https://img-blog.csdn.net/20180920213101406?watermark/2/text/aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0NoYXJsZXNHb2RY/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70
按下F5编译一下,观察到如下函数:
https://img-blog.csdn.net/20180920213133837?watermark/2/text/aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0NoYXJsZXNHb2RY/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70
有一个sub_8048630函数决定了Flag的对错,所以我们只需要研究一下它:
https://img-blog.csdn.net/20180920213602817?watermark/2/text/aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0NoYXJsZXNHb2RY/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70
这里我为了便于观察重新命名了a,b函数,我们双击a和b查找一下他们具体的值,将a这两排选中用shift + E快捷键选择第四个选项,用数组表示a如下,b同理:
https://img-blog.csdn.net/20180920213730595?watermark/2/text/aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0NoYXJsZXNHb2RY/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70
研究完算法之后就可以写脚本了:
a = [
0x48, 0x5D, 0x8D, 0x24, 0x84, 0x27, 0x99, 0x9F, 0x54, 0x18,
0x1E, 0x69, 0x7E, 0x33, 0x15, 0x72, 0x8D, 0x33, 0x24, 0x63,
0x21, 0x54, 0x0C, 0x78, 0x78, 0x78, 0x78, 0x78, 0x1B
]
b = [
0x6C, 0x6B, 0x32, 0x6A, 0x39, 0x47, 0x68, 0x7D, 0x41, 0x67,
0x66, 0x59, 0x34, 0x64, 0x73, 0x2D, 0x61, 0x36, 0x51, 0x57,
0x31, 0x23, 0x6B, 0x35, 0x45, 0x52, 0x5F, 0x54, 0x5B, 0x63,
0x76, 0x4C, 0x62, 0x56, 0x37, 0x6E, 0x4F, 0x6D, 0x33, 0x5A,
0x65, 0x58, 0x7B, 0x43, 0x4D, 0x74, 0x38, 0x53, 0x5A, 0x6F,
0x5D, 0x55, 0x00
]
flag = ''
c = []
for i in range(0,len(a)):
c.append(a/3-2) //append() 方法用于在列表末尾添加新的对象
c = int(c) //将数据转换为整形,不转换会出错
for j in range(0,len(a)):
flag += chr(b])
print(flag)
最后运行得到Flag:
https://img-blog.csdn.net/20180920214030852?watermark/2/text/aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L0NoYXJsZXNHb2RY/font/5a6L5L2T/fontsize/400/fill/I0JBQkFCMA==/dissolve/70
0x02:总结
上面仅仅是一些入门的题目,如果是新手的话先把这些题目弄懂,弄透。熟悉各种工具的使用,不断的总结,逆向最重要的是分析,要自己多去分析。
如果链接失效,下面补上备用链接:
感谢!{:6_117:}{:6_117:}{:6_117:}{:6_117:}{:6_117:}{:6_117:}{:6_117:}{:6_117:}{:6_117:}{:6_117:} 灌水回复会受到严厉的惩罚,还好我是一个守规矩的好宝宝! 啥也不说了,楼主就是给力! 支持学逆向论坛,资源不错! 太给力了,这么多好东西! 识内存地址和偏移量 用心讨论,共获提升! 这么多好东西!谢谢