171101 逆向-EISCTF（Reverse）

1625-5 王子昂 总结《2017年11月1日》 【连续第397天总结】

A. EISCTF-Reverse

B.

IgniteMe

IDA反编译显示需要开头四个字符为”EIS{“，结尾字符为”}”

然后将输入字符串送入sub_4011C0进行Check

循环中先进行了大小写互转，然后由Input进行计算，最后与硬编码进行比较



计算都是可逆的，因此按着硬编码逆回去就好了

s = "GONDPHyGjPEKruv{{pj]X@rF"
d = [13, 19, 23, 17, 2, 1, 32, 29, 12, 2, 25, 47, 23, 43, 36, 31, 30, 22, 9, 15, 21, 39, 19, 38, 10, 47, 30, 26, 45, 12, 34, 4, 184, 186, 67]
print('EIS{', end='')
q=0
for i in range(len(s)):
i = ((ord(s[i]) ^ d[i]) - 72)^0x55
if(i<=ord('z') and i>=ord('a')):
p = i-32
elif(i<=ord('Z') and i>=ord('A')):
p = i+32
else:
p = i
print(chr(p), end='')

print('}', end='')

ReverseMe

程序显示检查长度，然后通过sub_4014a0进行校验

内部函数先进行循环左移，然后与数组进行异或，最后要求等于一个数组



也都是可逆运算，同样脚本反求即可

def ror(num, times):
for i in range(times):
num = ((num)&1)*0x80 + ((num>>1))
# print(bin(num))
return num

def sub_401460(l, i):
a = l[i]
b = l[i+1]
if(a-48>9):
a -= 55
a = a & 0xf
p = (b-55)&0xf
if(b-48<=9):
b &= 0xf
else:
b = p
return a<<4|b

d = [0x31, 0x41, 0x32, 0x46, 0x39, 0x34, 0x33, 0x43, 0x34, 0x44, 0x38, 0x43, 0x35, 0x42, 0x36, 0x45, 0x41, 0x33, 0x43, 0x39, 0x42, 0x43, 0x41, 0x44, 0x37, 0x45]
f = [15, 135, 98, 20, 1, 198, 240, 33, 48, 17, 80, 208, 130, 35, 174, 35, 238, 169, 180, 82, 120, 87, 12, 134, 139]
k = []
for i in range(len(f)):
q = sub_401460(d, i)
p = f[i] ^ q
print(chr(ror(p, 2)), end='')

基本上都是同样的套路，读懂源码然后按照最后的校验数组逆运算即可得到input

C. 明日计划

安卓逆向