
2014 Syclover (三叶草) School CTF Summary

2014-05-13 23:18
Reverse engineering:


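The simplest challenge

Points: 100

Description: the key is the registration code for syclover

Link: challenge link

This challenge is Android reverse engineering.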





Finally, copy it out as Java code:




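鬼子进村 (The Devils Enter the Village)

Points: 200

Description: take a guess ^_^

Link: challenge link

This one is fairly simple: a 64-bit Linux program. Reading it directly in IDA, the logic reverses to the following code: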

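#include <stdio.h>

int main(void)
{
    char pass[] = "pqllauzduh";
    int i;

    /* first five characters are shifted up by 4 */
    for (i = 0; i <= 4; i++)
    {
        pass[i] += 4;
    }
    /* last five characters are shifted down by 3 */
    for (i = 5; i <= 9; i++)
    {
        pass[i] -= 3;
    }
    puts(pass); /* key: tupperware */
    return 0;
}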



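Junior high math problem

Points: 300

Description: anyone who has been to junior high can solve it. Hint 1: unpack UPX. Hint 2: solve a system of equations.

The program is a Linux binary; open it in IDA.



Download the matching version of upx, then unpack the binary.



Then load it into IDA again for analysis.



Then work through the calculation step by step... as a newbie it took me a long time, but I finally worked it out: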

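#include <stdio.h>

int main(void)
{
    char v12[] = "12345678901"; /* 11-character buffer, overwritten below */
    int v10 = 0;                /* counter used by the check shown in the comment */

    v12[0] = 71;
    v12[1] = 111;
    v12[2] = 111;
    v12[3] = 100;
    v12[4] = 0x43;
    v12[5] = 0x72;
    v12[6] = 0x61;
    v12[7] = 0x63;
    v12[8] = 0x4B;

    v12[9] = 51;
    v12[10] = 82;

    // Check applied by the program to bytes 4..8:
    //     for (int i = 4; i <= 8; ++i)
    //     {
    //         if ( v10 + (char)(v12[i] ^ 0x11) != 0x52 )
    //             return 0;
    //         ++v10;
    //     }
    // Value compared against in each iteration:
    //     0x52, 0x64, 0x72, 0x75, 0x5e
    //     0     1     2     3     4      (v10)
    (void)v10;
    printf("The key is %s\n", v12);
    return 0;
}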


Programming:


Code100

Points: 100

Description: see the link

Reversing it directly yields the main key code:

#include <stdio.h>

int main(int argc, char* argv[])
{
    char v1[100];   // [sp+1Ch] [bp-7Ch]@2
    const char *v2; // [sp+80h] [bp-18h]@1
    const char *v3; // [sp+84h] [bp-14h]@1
    const char *v4; // [sp+88h] [bp-10h]@1
    int i;          // [sp+8Ch] [bp-Ch]@1

    // The decompiler typed these three as int; they are kept as pointers
    // here so the code also builds correctly as a 64-bit program.
    v4 = "ASD$@SDF!@#SF";
    v3 = "CSDSDADASDSAD";
    v2 = "2145631201923";
    for ( i = 0; v3[i]; ++i )
    {
        v1[i] = v3[i] ^ v2[i];
        v1[i] >>= 1;
        v1[i] ^= v4[i];
        if ( v1[i] <= 47 )
            v1[i] *= 2;
        if ( v1[i] <= 47 )
            v1[i] *= 2;
        v1[i + 1] = 0;
    }
    // Print every second character as hex followed by the character itself
    for ( i = 1; v1[i]; i += 2 )
        printf("%X%c", v1[i], v1[i]);

    return 0;
}

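The Goddess's Secret (女神的秘密)

Challenge description:

The goddess gave an important Secret message to the loser asdf.

asdf treasured it. He applied some kind of encryption to the message and finally turned it into Secret{xxxx}, where xxxx is the encrypted message.

asdf hid Secret{xxxx} in one of the files. Can you find it?

Solution 1:

Extract the archive, then in cmd run copy * 0.txt

This concatenates all the files into 0.txt.

Then search for the string Secret, which gives

Secret{S2V5OmZrbGo0JCEoUnExRiE=}

Base64-decoding it gives the key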

fklj4$!(Rq1F!

Solution 2:

re.compile(pattern[, flags])

Compile a regular expression pattern into a regular expression object, which can be used for matching using its match() and search() methods, described below.

The sequence

prog = re.compile(pattern)
result = prog.match(string)

is equivalent to

result = re.match(pattern, string)

'.' (Dot.) In the default mode, this matches any character except a newline. If the DOTALL flag has been specified, this matches any character including a newline.

'?' Causes the resulting RE to match 0 or 1 repetitions of the preceding RE. ab? will match either 'a' or 'ab'.

'*' Causes the resulting RE to match 0 or more repetitions of the preceding RE, as many repetitions as are possible. ab* will match 'a', 'ab', or 'a' followed by any number of 'b's.

os.listdir(path)

Return a list containing the names of the entries in the directory given by path. The list is in arbitrary order. It does not include the special entries '.' and '..' even if they are present in the directory.


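import os
import re

secret_dir = r'D:\Secret'
paths = []
prog = re.compile(r'Secret\{.*?\}')

# Collect the full path of every file in the extracted directory
for name in os.listdir(secret_dir):
    path = os.path.join(secret_dir, name)
    if os.path.isfile(path):
        paths.append(path)

# Scan each file line by line and print any Secret{...} token found
for path in paths:
    with open(path, errors='ignore') as f:
        for line in f:
            m = prog.search(line)
            if m:
                print(m.group(0))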


Secret{S2V5OmZrbGo0JCEoUnExRiE=}


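Code300

Points: 300

Description: the program is fairly large; go and download it

This challenge was supposed to be solved by programming, but after coding for a long time I still could not get it to work. The problem was the time interval at which the program accepts commands. In the end I could only crack it: debug it directly in IDA, modify the program's control flow, and jump to the place where the program displays the KEY.



Approach 2:

Run 变速齿轮 (Speed Gear), then enter the input 60 times to get the KEY.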

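Misc:


BP breakpoint

Points: 100

Description: Hint 1: the key is not everyone's favorite teacher Bobo! Hint 2: bmp+png. Hint 3: CRC

A hex view shows directly that the file is two images combined. Carve out the PNG image, and then you find that the width and height are unknown; this requires some knowledge of the PNG format.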
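The carving step described above, as an added example (not code from the original post): it locates the PNG signature inside a combined file, walks the chunks up to IEND, and recomputes each chunk's CRC32, which is how a damaged IHDR shows up. The sample file is constructed inline and the function names are illustrative.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def carve_png(blob):
    """Return the bytes from the PNG signature through IEND, or None."""
    start = blob.find(PNG_SIG)
    if start < 0:
        return None
    pos = start + len(PNG_SIG)
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        pos += 12 + length              # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return blob[start:pos] if pos <= len(blob) else None
    return None

def check_chunks(png):
    """Return (type, stored_crc, computed_crc, ok) for each chunk of a carved PNG."""
    results, pos = [], len(PNG_SIG)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        body = png[pos + 8:pos + 8 + length]
        (stored,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        computed = zlib.crc32(ctype + body) & 0xFFFFFFFF
        results.append((ctype.decode("latin-1"), stored, computed, stored == computed))
        pos += 12 + length
    return results

def build_sample():
    """Constructed sample: filler 'BMP' bytes followed by a 1x1 RGBA PNG whose
    width and height were zeroed after the IHDR CRC had been computed."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    idat = zlib.compress(b"\x00" * 5)   # one filter byte + one RGBA pixel
    png = bytearray(PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b""))
    png[16:24] = b"\x00" * 8            # wipe width/height; stored CRC is left as is
    return b"BM" + b"\x00" * 52 + bytes(png)

if __name__ == "__main__":
    for ctype, stored, computed, ok in check_chunks(carve_png(build_sample())):
        status = "ok" if ok else "CRC MISMATCH"
        print(f"{ctype}: stored={stored:08x} computed={computed:08x} {status}")
```

Only the IHDR chunk reports a mismatch on the constructed sample, because the stored CRC still covers the original width and height.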



You can see that the width and height are still missing a few bytes:

import binascii
import sys

def CalcCrc32(data):
    # CRC32 masked to an unsigned 32-bit value
    return binascii.crc32(data) & 0xffffffff

# IHDR chunk type and data with the three unknown bytes left out:
# "IHDR", width 00 00 01 ??, height 00 00 ?? ??, then 08 06 00 00 00
str1 = b"\x49\x48\x44\x52\x00\x00\x01"
str2 = b"\x00\x00"
str3 = b"\x08\x06\x00\x00\x00"

# Try every value of the three missing bytes until the CRC32 matches
# the CRC stored in the file (0x80bf36cc)
for i1 in range(256):
    for i2 in range(256):
        for i3 in range(256):
            candidate = str1 + bytes([i1]) + str2 + bytes([i2, i3]) + str3
            if CalcCrc32(candidate) == 0x80bf36cc:
                print("find it")
                print(hex(i1), hex(i2), hex(i3))
                sys.exit()

# Reached only if no combination matched
print("hello world")



The image then displays the KEY:



Some of the challenge write-ups here are reposted.