b01lers

crackme

Straightforward.

bctf{133&_letmein_123}

crackme_2

bctf{4lg3br4!}

extreme_64

This one is an assembly challenge.

nc ctf.b01lers.com 9301

Connecting to the server port:

Warning: _curses.error: setupterm: could not find terminfo database

Terminal features will not be available. Consider setting TERM variable to your current terminal name (or xterm).
Enter a level password or press enter if you don't have one:
>>>
================================= LEVEL 0x000 ==================================
Set rdi to 0x1337 using only one instruction.
>>> mov rdi, 0x1337
-->
Success! Level password is: code{very_1337}

================================= LEVEL 0x001 ==================================
Add rdi to rsi and store the result in rax using two or less instructions.
>>> mov rax, rdi; add rax, rsi
-->
Success! Level password is: code{math_time}

================================= LEVEL 0x002 ==================================
Translate the following C-Like pseudocode to x86_64 assembly:

================================================================================
0001: if (rax == 0x1000) {
0002: rsi = 0x10;
0003: }
================================================================================

>>> cmp rax,0x1000;
jne L1;
mov rsi, 0x10;
L1: nop
-->
Success! Level password is: code{control_flow_is_the_best}

================================= LEVEL 0x003 ==================================
Translate the following C-Like pseudocode to x86_64 assembly:

================================================================================
0001: if (rax == 0x1000) {
0002: rsi = 0x10;
0003: } else if (rax == 0x3000) {
0004: rsi = 0x20;
0005: }
================================================================================

>>> cmp rax,0x1000;
--> jne L1;
--> mov rsi,0x10;
--> L1:cmp rax,0x3000;
--> jne L2;
--> mov rsi,0x20;
--> L2:nop;
-->
Success! Level password is: code{we_c4n_d0_th1s_all_d4y}

================================= LEVEL 0x004 ==================================
Translate the following C-Like pseudocode to x86_64 assembly:

================================================================================
0001: while (rax > 0x0) {
0002: rsi += rax;
0003: rax--;
0004: }
================================================================================

>>> main:
cmp rax, 0x0;
jle L1;
add rsi, rax;
dec rax;
jmp main;
L1: nop
-->
Success! Level password is: code{l00p_the_l00p}

You have completed all levels! Here's the flag: bctf{c3rt1f13d_asm_pr0gr4mmer!!}

I love JAVA

/*
 * Decompiled with CFR 0.150.
 */
import java.util.Random;
import java.util.Scanner;

public class CrackMe {
    public static void main(String[] arrstring) {
        int n;
        Scanner scanner = new Scanner(System.in);
        System.out.println("What is the flag?");
        String string = scanner.nextLine();
        if (string.length() != 22) {
            System.out.println("Not the flag :(");
            return;
        }
        char[] arrc = new char[string.length()];
        for (n = 0; n < string.length(); ++n) {
            arrc[n] = string.charAt(n);
        }
        for (n = 0; n < string.length() / 2; ++n) { // 0-11: swap both ends, reversing the input in place
            char c = arrc[string.length() - n - 1];
            arrc[string.length() - n - 1] = arrc[n];
            arrc[n] = c;
        }
        int[] arrn = new int[]{19, 17, 15, 6, 9, 4, 18, 8, 16, 13, 21, 11, 7, 0, 12, 3, 5, 2, 20, 14, 10, 1};
        int[] arrn2 = new int[arrc.length];
        for (int i = arrn.length - 1; i >= 0; --i) {
            arrn2[i] = arrc[arrn[i]]; // permute the reversed characters
        }
        Random random = new Random();
        random.setSeed(431289L); // fixed seed: the nextInt() sequence below is fully reproducible
        int[] arrn3 = new int[string.length()];
        for (int i = 0; i < string.length(); ++i) {
            arrn3[i] = arrn2[i] ^ random.nextInt(i + 1);
        }
        Object object = "";
        for (int i = 0; i < arrn3.length; ++i) {
            object = (String)object + arrn3[i] + ".";
        }
        System.out.println("\nYOUR FLAG: " + (String)object);
        if (((String)object).equals("116.122.54.50.93.66.98.117.75.51.97.78.104.119.90.53.94.36.105.84.40.69.")) {
            System.out.println("Congrats! You got the flag!");
        } else {
            System.out.println("Not the flag :(");
        }
    }
}

In the middle there is an array of Java random numbers.

Because the seed is fixed, the sequence can be reproduced.

import java.util.Random;
public class randomDemo {

    public static void main(String[] args) {
        // Same seed as CrackMe: reproduces the exact nextInt(i + 1) keystream it XORs with
        Random random = new Random();
        random.setSeed(431289L);
        for (int j = 0; j < 22; ++j) {
            System.out.print(random.nextInt(j + 1) + ", ");
        }
        System.out.println();
        // A second instance with the same seed prints the identical sequence
        Random random2 = new Random();
        random2.setSeed(431289L);
        for (int j = 0; j < 22; ++j) {
            System.out.print(random2.nextInt(j + 1) + ", ");
        }
    }
}

Forgot to include the script, lol

data = [116, 122, 54, 50, 93, 66, 98, 117, 75, 51, 97, 78, 104, 119, 90, 53, 94, 36, 105, 84, 40, 69]
randomdata = [0, 1, 2, 1, 2, 5, 4, 1, 1, 7, 3, 7, 0, 10, 5, 5, 1, 16, 10, 2, 12, 17]  # nextInt(i + 1) for seed 431289, from randomDemo
arrn = [19, 17, 15, 6, 9, 4, 18, 8, 16, 13, 21, 11, 7, 0, 12, 3, 5, 2, 20, 14, 10, 1]
for i in range(22):
    data[i] ^= randomdata[i]          # undo the XOR: data is now arrn2
arrc = [0] * 22
for x in range(21, -1, -1):
    arrc[arrn[x]] = data[x]           # invert arrn2[i] = arrc[arrn[i]]
for a in range(11):                   # undo the in-place reversal
    c = arrc[a]
    arrc[a] = arrc[22 - a - 1]
    arrc[22 - a - 1] = c
print(''.join(chr(i) for i in arrc))

bctf{J4V4_I$_th3_G04T}
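As an added example (not the writeup's own code), the same recovery without running any Java: a Python port of java.util.Random's 48-bit LCG regenerates the seeded nextInt() keystream, and recover_flag() inverts the XOR, the permutation and the reversal. The seed, permutation and target string come from the decompiled class above; the class and function names are mine.

```python
# Added example: port of java.util.Random (LCG constants from the JDK) plus the inverse
# of the CrackMe transform. A fixed seed means the "random" keystream is a constant.
MULT, ADD, MASK = 0x5DEECE66D, 0xB, (1 << 48) - 1


class JavaRandom:
    """Same scrambling, state update and nextInt() logic as java.util.Random."""

    def __init__(self, seed: int) -> None:
        self.seed = (seed ^ MULT) & MASK

    def _next(self, bits: int) -> int:
        self.seed = (self.seed * MULT + ADD) & MASK
        r = self.seed >> (48 - bits)
        return r - (1 << 32) if r >= (1 << 31) else r  # as a signed Java int

    def next_int(self, bound: int) -> int:
        if bound <= 0:
            raise ValueError("bound must be positive")
        if bound & (bound - 1) == 0:            # power of two: take the high bits
            return (bound * self._next(31)) >> 31
        while True:                             # otherwise reject biased draws
            bits = self._next(31)
            val = bits % bound
            if bits - val + (bound - 1) < (1 << 31):
                return val


SEED = 431289
PERM = [19, 17, 15, 6, 9, 4, 18, 8, 16, 13, 21, 11, 7, 0, 12, 3, 5, 2, 20, 14, 10, 1]
TARGET = "116.122.54.50.93.66.98.117.75.51.97.78.104.119.90.53.94.36.105.84.40.69."


def keystream(seed: int, n: int) -> list[int]:
    """The n values of random.nextInt(i + 1) that the checker XORs into position i."""
    rng = JavaRandom(seed)
    return [rng.next_int(i + 1) for i in range(n)]


def recover_flag(target: str = TARGET) -> str:
    """Undo the XOR, then the permutation, then the reversal."""
    data = [int(x) for x in target.rstrip(".").split(".")]
    n = len(data)
    arrn2 = [d ^ k for d, k in zip(data, keystream(SEED, n))]
    arrc = [0] * n
    for i, p in enumerate(PERM):        # arrn2[i] = arrc[PERM[i]]  =>  arrc[PERM[i]] = arrn2[i]
        arrc[p] = arrn2[i]
    return "".join(map(chr, arrc[::-1]))
```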

extreme_64_part_2

Another assembly challenge.

Warning: _curses.error: setupterm: could not find terminfo database

Terminal features will not be available. Consider setting TERM variable to your current terminal name (or xterm).
Enter a level password or press enter if you don't have one:
>>>
================================= LEVEL 0x000 ==================================
Add rdi to rsi and store the result in rax using only one instruction.
>>> lea rax,[rsi+rdi]
-->
Success! Level password is: code{some_instructions_have_many_uses}

================================= LEVEL 0x001 ==================================
Print the string 'hackerman' to stdout.
>>> mov rdx,9;
mov rsi, 0x00006e;
push rsi;
mov rsi, 0x616d72656b636168;
push rsi;
mov rsi, rsp;
lea rsi, [rsp];
mov rax, 1;
mov rdi, rax;
syscall
-->
[=] (fd = 0x1, buf = 0x11feff0, count = 0x9)
Success! Level password is: code{asm_c4n_d0_anything_java_can_do}

================================= LEVEL 0x002 ==================================
Register rsi contains a pointer to the flag, but the flag has been encoded by
XOR-ing each byte with 0x82. Decode it and print it out to complete the
challenge! Hint: the flag is 32 characters long...
>>> xor rax, rax;
theloop: cmp rax, 0x20;
jge printflag;
lea rdx, [rsi+rax];
xor byte ptr [rdx], 0x82;
inc rax;
jmp theloop;
printflag: mov rdx, 0x20;
mov rax, 1;
mov rdi, rax;
syscall
-->
[=] (fd = 0x1, buf = 0x10000000, count = 0x20)
stdout: b'bctf{c0ngrats_y0u_are_a_pr0!!!!}'
Failed! Reason:

TM

Inferring the encryption scheme:

All values ^ 0x45

Even values +10,

Checked in reverse order

Pointer positions


Several different pointers, each pointing to a different state

Addresses inside data

The first 7 of them point to different operations: transferring the input, adding to the data, XORing the data, and a skip.

The following 20 are all back1, which performs the data comparison.

As for why it has this structure...

It seems IDA does not decompile structs very well.

encode1 = [0x29, 0x26, 0x3B, 0x35, 0x3E, 0x3B, 0x30, 0x39, 0x74, 0x3D,
           0x22, 0x1A, 0x28, 0x7B, 0x1A, 0x06, 0x1A, 0x74, 0x3D, 0x76, 0x38]
flag = [0] * len(encode1)  # 21 bytes; a fixed size of 20 would drop the closing '}'

for i in range(len(flag)):
    flag[i] = encode1[i] ^ 69   # undo the XOR with 0x45
    if flag[i] % 2 == 0:
        flag[i] -= 10           # even values had 10 added during encoding
print(''.join(chr(i) for i in flag))

bctf{tur1ng_m4_C_1n3}

PS: I thought this challenge did its pointer jumps based on the data values... In fact I figured it out by noticing the 8, 9, 10 increments... I can't understand the writeups online, I don't know English, Japanese, Korean or Russian, lol