FlareOnCTF Practice

[FlareOn4] IgniteMe

  • No packer; open it in IDA.

  • Set a breakpoint at xor_flag[i] = v4 ^ input[i]; once you debug it dynamically you can see the value of v4 (hovering the mouse over v4 shows it, which is hard to screenshot). Double-clicking v4 also shows that its value is 4.

  • Finally, starting from the last byte, XOR each byte with the result of the previous step.

  • The easy mistake is v4 = a[i] ^ v4; I had written v4 = a[i] and was stuck for a long time.

```python
a = [
    0x0D, 0x26, 0x49, 0x45, 0x2A, 0x17, 0x78, 0x44, 0x2B, 0x6C,
    0x5D, 0x5E, 0x45, 0x12, 0x2F, 0x17, 0x2B, 0x44, 0x6F, 0x6E,
    0x56, 0x09, 0x5F, 0x45, 0x47, 0x73, 0x26, 0x0A, 0x0D, 0x13,
    0x17, 0x48, 0x42, 0x01, 0x40, 0x4D, 0x0C, 0x02, 0x69
]
v4 = 0x4          # initial key value observed in the debugger
flag = ''
# Walk from the last byte down to index 0. The original loop used
# range(len(a) - 1, 0, -1), which skips index 0 and drops the leading 'R'.
for i in range(len(a) - 1, -1, -1):
    flag += chr(a[i] ^ v4)
    v4 = a[i] ^ v4    # the key for the next byte is the plaintext just recovered

print(flag[::-1])
# R_y0u_H0t_3n0ugH_t0_1gn1t3@flare-on.com
```

[FlareOn1] Bob-Doge

  • It is a downloader; once the payload is downloaded and run, this is what it looks like.

  • The IDA decompilation comes out in an unfamiliar form that is hard to follow.

  • Switch tools and open it in dnSpy instead; it is much easier to read.

  • The main part is here: the DECODE button's event handler. The final decoded string text3 is displayed in the lbl_title label.

  • Set a breakpoint, debug dynamically, and read the content directly.

[FlareOn3] Challenge1


  • base64 encoding


  • Shift+F12 to view the strings; the alphabet has been swapped.


  • Throw it at CyberChef. From the lowercase letters at the end you can tell the swapped alphabet is missing a Z at the front.

flag{sh00ting_phish_in_a_barrel@flare-on.com}
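Added example, not from the original write-up: decoding base64 that uses a swapped alphabet by mapping its symbols back onto the standard table before calling the normal decoder. The CUSTOM alphabet below is a constructed stand-in for the table in the screenshot, which the page does not carry as text.

```python
import base64

STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Constructed stand-in for the swapped table seen in IDA (not copied from the
# page): the upper- and lower-case blocks are rotated so 'Z' is no longer first.
CUSTOM = "ZYXABCDEFGHIJKLMNOPQRSTUVWxyzabcdefghijklmnopqrstuvw0123456789+/"


def _check(alphabet):
    # A usable table has exactly 64 distinct symbols and never contains the pad.
    if len(alphabet) != 64 or len(set(alphabet)) != 64 or "=" in alphabet:
        raise ValueError("alphabet must be 64 distinct non-'=' characters")


def decode_custom_b64(data, alphabet=CUSTOM):
    """Translate custom symbols to the standard ones, then decode strictly."""
    _check(alphabet)
    standard = data.translate(str.maketrans(alphabet, STD))  # '=' passes through
    return base64.b64decode(standard, validate=True)


def encode_custom_b64(raw, alphabet=CUSTOM):
    """Inverse direction, useful to confirm a recovered alphabet is right."""
    _check(alphabet)
    return base64.b64encode(raw).decode("ascii").translate(str.maketrans(STD, alphabet))


if __name__ == "__main__":
    token = encode_custom_b64(b"Man")          # standard base64 would give "TWFu"
    print(token, decode_custom_b64(token))     # QTCr b'Man'
```

If a decode with a guessed alphabet yields readable text only for the tail, the head of the table is wrong, which is exactly the missing-Z symptom above.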

[FlareOn6] Overlong

  • From the challenge hint, there should be more text after the colon in this sentence.

  • The challenge is small, so read all of it.

```c
int __stdcall start(int a1, int a2, int a3, int a4)
{
  char Text[128]; // [esp+0h] [ebp-84h] BYREF
  unsigned int v6; // [esp+80h] [ebp-4h]

  // Only 28 characters are decoded, so the message box stops after the colon.
  v6 = sub_401160(Text, (int)&unk_402008, 28u);
  Text[v6] = 0;
  MessageBoxA(0, Text, Caption, 0);
  return 0;
}

unsigned int __cdecl sub_401160(char *a1, char *a2, unsigned int a3)
{
  unsigned int i; // [esp+4h] [ebp-4h]

  for ( i = 0; i < a3; ++i )
  {
    a2 += sub_401000(a1, a2);   // advance by the number of bytes consumed
    if ( !*a1++ )
      break;
  }
  return i;
}
```
  • This is where the encoding is processed.

```c
int __cdecl sub_401000(unsigned __int8 *a1, char *a2)
{
  int v3; // [esp+0h] [ebp-8h]
  unsigned __int8 v4; // [esp+4h] [ebp-4h]

  if ( (int)(unsigned __int8)*a2 >> 3 == 30 )        // 11110xxx: 4-byte sequence
  {
    v4 = a2[3] & 0x3F | ((a2[2] & 0x3F) << 6);
    v3 = 4;
  }
  else if ( (int)(unsigned __int8)*a2 >> 4 == 14 )   // 1110xxxx: 3-byte sequence
  {
    v4 = a2[2] & 0x3F | ((a2[1] & 0x3F) << 6);
    v3 = 3;
  }
  else if ( (int)(unsigned __int8)*a2 >> 5 == 6 )    // 110xxxxx: 2-byte sequence
  {
    v4 = a2[1] & 0x3F | ((*a2 & 0x1F) << 6);
    v3 = 2;
  }
  else                                               // single byte
  {
    v4 = *a2;
    v3 = 1;
  }
  *a1 = v4;       // only the low byte of the code point is kept
  return v3;      // number of input bytes consumed
}
```
  • Press Shift+E at &unk_FB2008 to extract the data, then write a Python script that follows the routine to decode it.

```python
a2 = [0xe0, 0x81, 0x89, 0xc0, 0xa0, 0xc1, 0xae, 0xe0, 0x81, 0xa5,
      0xc1, 0xb6, 0xf0, 0x80, 0x81, 0xa5, 0xe0, 0x81, 0xb2, 0xf0,
      0x80, 0x80, 0xa0, 0xe0, 0x81, 0xa2, 0x72, 0x6f, 0xc1, 0xab,
      0x65, 0xe0, 0x80, 0xa0, 0xe0, 0x81, 0xb4, 0xe0, 0x81, 0xa8,
      0xc1, 0xa5, 0x20, 0xc1, 0xa5, 0xe0, 0x81, 0xae, 0x63, 0xc1,
      0xaf, 0xe0, 0x81, 0xa4, 0xf0, 0x80, 0x81, 0xa9, 0x6e, 0xc1,
      0xa7, 0xc0, 0xba, 0x20, 0x49, 0xf0, 0x80, 0x81, 0x9f, 0xc1,
      0xa1, 0xc1, 0x9f, 0xc1, 0x8d, 0xe0, 0x81, 0x9f, 0xc1, 0xb4,
      0xf0, 0x80, 0x81, 0x9f, 0xf0, 0x80, 0x81, 0xa8, 0xc1, 0x9f,
      0xf0, 0x80, 0x81, 0xa5, 0xe0, 0x81, 0x9f, 0xc1, 0xa5, 0xe0,
      0x81, 0x9f, 0xf0, 0x80, 0x81, 0xae, 0xc1, 0x9f, 0xf0, 0x80,
      0x81, 0x83, 0xc1, 0x9f, 0xe0, 0x81, 0xaf, 0xe0, 0x81, 0x9f,
      0xc1, 0x84, 0x5f, 0xe0, 0x81, 0xa9, 0xf0, 0x80, 0x81, 0x9f,
      0x6e, 0xe0, 0x81, 0x9f, 0xe0, 0x81, 0xa7, 0xe0, 0x81, 0x80,
      0xf0, 0x80, 0x81, 0xa6, 0xf0, 0x80, 0x81, 0xac, 0xe0, 0x81,
      0xa1, 0xc1, 0xb2, 0xc1, 0xa5, 0xf0, 0x80, 0x80, 0xad, 0xf0,
      0x80, 0x81, 0xaf, 0x6e, 0xc0, 0xae, 0xf0, 0x80, 0x81, 0xa3,
      0x6f, 0xf0, 0x80, 0x81, 0xad, 0x0]
flag = []
j = 0
# Decode 68 characters, i.e. the whole sentence, not the 28 that start() asks for.
for i in range(68):
    if a2[j] >> 3 == 30:
        v4 = a2[j + 3] & 0x3f | ((a2[j + 2] & 0x3f) << 6)
        v3 = 4
    elif a2[j] >> 4 == 14:
        v4 = a2[j + 2] & 0x3F | ((a2[j + 1] & 0x3F) << 6)
        v3 = 3
    elif a2[j] >> 5 == 6:
        v4 = a2[j + 1] & 0x3F | ((a2[j] & 0x1F) << 6)
        v3 = 2
    else:
        v4 = a2[j]
        v3 = 1
    flag.append(chr(v4))
    j += v3
print(''.join(flag))

# I never broke the encoding: I_a_M_t_h_e_e_n_C_o_D_i_n_g@flare-on.com
```

flag{I_a_M_t_h_e_e_n_C_o_D_i_n_g@flare-on.com}
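Added example, not part of the original write-up. It generalises the script above: the lenient decoder mirrors sub_401000/sub_401160 (overlong sequences are accepted, decoding stops at NUL or after `limit` characters the way start() stops after 28u) and also counts how many sequences were overlong, while a standards-conforming decoder rejects the same bytes. The sample buffer is constructed from the first bytes of the challenge data.

```python
# The binary keeps only the low byte of each code point (v4 is unsigned __int8);
# for this buffer every code point is ASCII, so the two agree on the text.

def decode_lenient(buf, limit=None):
    """Return (text, overlong_count). Stops at NUL or after `limit` chars."""
    out, overlong, j = [], 0, 0
    while j < len(buf) and buf[j] != 0 and (limit is None or len(out) < limit):
        b = buf[j]
        if b >> 3 == 0x1E:                                  # 11110xxx, 4-byte lead
            cp = ((b & 0x07) << 18) | ((buf[j + 1] & 0x3F) << 12) \
                 | ((buf[j + 2] & 0x3F) << 6) | (buf[j + 3] & 0x3F)
            n, minimum = 4, 0x10000
        elif b >> 4 == 0x0E:                                # 1110xxxx, 3-byte lead
            cp = ((b & 0x0F) << 12) | ((buf[j + 1] & 0x3F) << 6) | (buf[j + 2] & 0x3F)
            n, minimum = 3, 0x800
        elif b >> 5 == 0x06:                                # 110xxxxx, 2-byte lead
            cp = ((b & 0x1F) << 6) | (buf[j + 1] & 0x3F)
            n, minimum = 2, 0x80
        else:                                               # single ASCII byte
            cp, n, minimum = b, 1, 0
        if cp < minimum:            # a shorter encoding existed: this one is overlong
            overlong += 1
        out.append(chr(cp))
        j += n
    return "".join(out), overlong


def strict_utf8_accepts(buf):
    """Python's decoder follows the spec and rejects overlong forms outright."""
    try:
        buf.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


# Constructed sample: the overlong spelling of "I never" from the start of the
# challenge buffer, then a plain '!', a correctly encoded 'é', a NUL terminator,
# and one trailing byte that must never be reached.
SAMPLE = bytes([0xe0, 0x81, 0x89, 0xc0, 0xa0, 0xc1, 0xae, 0xe0, 0x81, 0xa5,
                0xc1, 0xb6, 0xf0, 0x80, 0x81, 0xa5, 0xe0, 0x81, 0xb2,
                0x21, 0xc3, 0xa9, 0x00, 0x41])

if __name__ == "__main__":
    text, count = decode_lenient(SAMPLE)
    print(repr(text), count, strict_utf8_accepts(SAMPLE))   # 'I never!é' 7 False
    print(decode_lenient(SAMPLE, limit=2))                  # ('I ', 2)
```

The overlong count is the detection signal: legitimate UTF-8 never needs it, so any non-zero count on input that a lenient component will accept is worth flagging.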

[FlareOn5] Ultimate MineSweeper

Expert write-up

  • X-ray cheat (see the mines)
  • Invincibility cheat
  • Extract the data

I could not solve this one myself, so I manually follow one of the three methods from the expert write-up.

  • Invincibility cheat

Right-click - Edit Method (Ctrl+Shift+E)
Change it to if (this.MineField.BombRevealed && false), or simply delete this block.

```cs
if (this.MineField.BombRevealed)
{
    this.stopwatch.Stop();
    Application.DoEvents();
    Thread.Sleep(1000);
    new FailurePopup().ShowDialog();
    Application.Exit();
}
```

It becomes this.

File - Save Module, then run the program and find the flags.

![alt text](./pic/FlareOnCTF.assets/[FlareOn5]Ultimate MineSweeper-1.png)


[FlareOn4]login

  • The challenge is a web page with a client-side check; just view the page source.

```html
<!DOCTYPE Html />
<html>
<head>
    <title>FLARE On 2017</title>
</head>
<body>
    <input type="text" name="flag" id="flag" value="Enter the flag" />
    <input type="button" id="prompt" value="Click to check the flag" />
    <script type="text/javascript">
        document.getElementById("prompt").onclick = function () {
            var flag = document.getElementById("flag").value;
            var rotFlag = flag.replace(/[a-zA-Z]/g, function(c){return String.fromCharCode((c <= "Z" ? 90 : 122) >= (c = c.charCodeAt(0) + 13) ? c : c - 26);});
            if ("PyvragFvqrYbtvafNerRnfl@syner-ba.pbz" == rotFlag) {
                alert("Correct flag!");
            } else {
                alert("Incorrect flag, rot again");
            }
        }
    </script>
</body>
</html>
```

  • rot13 encryption

```javascript
document.getElementById("prompt").onclick = function () {
    var flag = document.getElementById("flag").value;
    // Letters only: shift by 13 and wrap within A-Z or a-z.
    var rotFlag = flag.replace(/[a-zA-Z]/g, function(c){return String.fromCharCode((c <= "Z" ? 90 : 122) >= (c = c.charCodeAt(0) + 13) ? c : c - 26);});
    if ("PyvragFvqrYbtvafNerRnfl@syner-ba.pbz" == rotFlag) {
        alert("Correct flag!");
    } else {
        alert("Incorrect flag, rot again");
    }
}
```
  • rot13 decryption: apply the same rotation again to the expected string, since rot13 is its own inverse.