2020 9月 重庆市赛选拔赛（安恒） Reverse Write Up

---

Reverse1

ExeinfoPE查壳：

Dev-C++ Compiler v4.9.9.2 ( MINGW 32 v3.4.x )
Not packed

无壳，IDA直接打开：

找到main函数，F5：

int __cdecl main(int argc, const char **argv, const char **envp)
{
  size_t i; // [esp+28h] [ebp-80h]
  char v5; // [esp+30h] [ebp-78h]
  char v6[8]; // [esp+A0h] [ebp-8h]

  _alloca(0x10u);
  __main();
  std::operator<<<std::char_traits<char>>((int)&std::cout, "input your key: ");
  std::operator>><char,std::char_traits<char>>(&std::cin, &v5);
  for ( i = 0; i < strlen(&v5); ++i )
    v6[i - 112] = (v6[i - 112] ^ 6) + 1;	//变换
  if ( !strcmp(&v5, "akhb~chdaZrdaZudqduvdZvvv|") )
    std::operator<<<std::char_traits<char>>((int)&std::cout, "yes!you are right");
  else
    std::operator<<<std::char_traits<char>>((int)&std::cout, "try again");
  system("PAUSE");
  return 0;
}

基本逻辑：输入变量v5，将其经过for循环迭代变换，生成的新字符串与"akhb~chdaZrdaZudqduvdZvvv|"比较；
变换方式是逐位将字符ASCII与6异或+1，写出逆向脚本：

s = "akhb~chdaZrdaZudqduvdZvvv|"
flag = ""
for i in s:
    flag += chr((ord(i)-1)^6)
print(flag)

flag{daef_wef_reverse_sss}

phone

（本题没有完整解出，只描述思路）

下载是apk文件，利用ApkStudio反编译出JAVA代码

重点部分：

\mobile.apk-decompiled\sources\com\example\test002\MainActivity.java

/* access modifiers changed from: protected */
    public void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        setContentView((int) R.layout.activity_main);
        this.but = (Button) findViewById(R.id.button);
        this.txt = (EditText) findViewById(R.id.editText);
        this.but.setOnClickListener(new View.OnClickListener() {
            public void onClick(View view) {
                MainActivity mainActivity = MainActivity.this;
                if (mainActivity.checkFlag(mainActivity.txt.getText().toString())) {
                    Toast.makeText(MainActivity.this, "right!", 0).show();
                } else {
                    Toast.makeText(MainActivity.this, "wrong!", 0).show();
                }
            }
        });
    }

重点在checkFlag函数，需要用IDA打开

\mobile.apk-decompiled\lib\armeabi-v7a\libnative-lib.so

能直接找到checkFlag函数，看得出是静态验证，代码如下：

signed int __fastcall Java_com_example_test002_MainActivity_checkFlag(int a1, int a2, int a3)
{
  const char *v3; // r4
  int v4; // r1
  _DWORD *v5; // r0
  int v6; // r3
  int v7; // r5
  int v8; // r6
  int v9; // r2
  int v10; // r5

  v3 = (const char *)jstringToChar(a1, a3);
  if ( strlen(v3) != 32 )
    return 0;
  v4 = 0;
  v5 = &xx;				// 常量xx
  while ( v4 != 32 )
  {
    v6 = 0;
    v7 = 0;
    while ( v7 != 32 )
    {
      v8 = (unsigned __int8)v3[v7];
      v9 = v5[v7++];
      v6 += v9 * v8;
    }
    v10 = x[v4];		// 常量x
    v5 += 32;
    ++v4;
    if ( v6 != v10 )
      return 0;
  }
  return 1;
}

在内存中可以找到xx和x，用idapython辅助输出数据，脚本例子：

import idautils
import idaapi
out = ""
addr = 0x4080
while True:
    if Byte(addr) != 0:
        out += chr(Byte(addr))
    else:
        break
    addr += 1
print(out)

得到：

xx = [13, 144, 129, 36, 58, 38, 53, 40, 103, 125, 97, 19, 68, 132, 31, 148, 150, 96, 118, 37, 30, 143, 134, 37, 96, 42, 129, 84, 111, 66, 13, 48, 127, 111, 102, 17, 111, 100, 120, 73, 34, 144, 78, 86, 133, 48, 64, 141, 110, 15, 10, 37, 128, 119, 68, 104, 137, 12, 97, 29, 46, 11, 116, 116, 131, 124, 54, 57, 55, 122, 74, 123, 57, 44, 63, 131, 81, 86, 56, 92, 31, 118, 98, 135, 66, 115, 51, 128, 102, 67, 41, 40, 41, 144, 53, 84, 105, 121, 74, 132, 40, 66, 62, 61, 18, 103, 107, 51, 133, 85, 132, 137, 52, 42, 69, 79, 70, 147, 54, 43, 50, 145, 54, 69, 58, 58, 47, 136, 74, 42, 58, 65, 62, 134, 53, 56, 143, 74, 70, 84, 33, 112, 36, 61, 41, 17, 93, 111, 66, 85, 62, 37, 133, 149, 144, 41, 103, 55, 16, 125, 132, 117, 53, 57, 104, 125, 10, 78, 19, 34, 25, 126, 134, 139, 90, 22, 138, 142, 56, 87, 43, 116, 39, 74, 105, 61, 54, 48, 62, 136, 87, 129, 68, 132, 28, 102, 69, 71, 36, 72, 59, 114, 96, 55, 71, 75, 126, 76, 89, 106, 116, 33, 138, 143, 144, 15, 65, 86, 61, 79, 64, 24, 62, 10, 99, 14, 24, 141, 45, 68, 25, 124, 120, 108, 29, 71, 38, 10, 83, 63, 121, 44, 30, 112, 107, 85, 66, 82, 56, 137, 39, 34, 39, 58, 116, 125, 45, 62, 120, 103, 55, 148, 56, 81, 89, 99, 51, 113, 80, 79, 102, 41, 27, 46, 62, 33, 74, 70, 100, 56, 37, 129, 102, 112, 137, 13, 48, 145, 52, 61, 60, 47, 57, 80, 111, 150, 44, 78, 16, 59, 131, 24, 45, 106, 51, 78, 146, 19, 113, 105, 137, 16, 47, 96, 84, 33, 89, 135, 60, 139, 60, 123, 121, 10, 28, 65, 43, 111, 144, 118, 11, 26, 37, 84, 103, 12, 14, 57, 126, 54, 27, 116, 78, 103, 128, 73, 135, 107, 102, 63, 98, 78, 60, 67, 58, 48, 119, 54, 78, 10, 45, 46, 120, 138, 67, 27, 148, 61, 69, 29, 34, 104, 116, 55, 72, 98, 88, 137, 72, 86, 118, 79, 29, 113, 67, 62, 119, 70, 136, 125, 47, 145, 27, 80, 75, 69, 40, 145, 37, 37, 97, 41, 114, 90, 99, 87, 144, 130, 66, 10, 42, 43, 144, 130, 71, 110, 112, 123, 138, 117, 118, 52, 64, 120, 90, 140, 95, 122, 22, 33, 123, 29, 147, 100, 133, 92, 106, 39, 48, 101, 30, 149, 86, 117, 15, 61, 28, 96, 76, 36, 111, 139, 53, 16, 93, 74, 132, 24, 123, 49, 91, 24, 87, 40, 32, 74, 130, 73, 13, 135, 88, 46, 105, 53, 40, 49, 48, 63, 15, 34, 131, 89, 133, 145, 112, 124, 81, 129, 105, 78, 121, 69, 10, 129, 133, 27, 123, 108, 117, 121, 55, 122, 38, 128, 136, 53, 81, 29, 70, 45, 127, 40, 134, 133, 51, 63, 124, 110, 47, 117, 75, 34, 148, 29, 112, 90, 87, 83, 123, 25, 20, 148, 81, 38, 95, 129, 117, 72, 48, 33, 104, 38, 21, 143, 114, 141, 18, 75, 71, 113, 120, 48, 37, 59, 102, 133, 120, 80, 113, 49, 138, 23, 78, 75, 11, 141, 76, 72, 17, 23, 118, 61, 105, 83, 66, 135, 113, 83, 105, 92, 102, 24, 58, 126, 46, 23, 34, 83, 89, 62, 102, 69, 16, 102, 103, 147, 46, 28, 101, 42, 20, 17, 27, 11, 132, 133, 119, 68, 65, 41, 95, 41, 134, 135, 135, 53, 38, 131, 93, 71, 82, 49, 115, 48, 80, 68, 50, 51, 28, 90, 101, 34, 24, 145, 75, 146, 120, 60, 93, 112, 24, 82, 139, 150, 113, 128, 36, 130, 47, 32, 93, 53, 122, 39, 96, 19, 131, 33, 42, 123, 80, 113, 108, 24, 73, 117, 131, 81, 29, 66, 20, 149, 28, 124, 56, 35, 59, 120, 96, 113, 87, 111, 80, 123, 134, 64, 87, 87, 114, 146, 123, 23, 125, 55, 115, 61, 36, 77, 124, 105, 23, 141, 110, 49, 112, 85, 116, 86, 54, 150, 85, 86, 108, 86, 45, 36, 87, 122, 51, 54, 75, 44, 104, 103, 35, 128, 143, 73, 69, 13, 47, 38, 68, 12, 122, 50, 65, 27, 109, 105, 60, 124, 90, 12, 51, 61, 26, 143, 140, 37, 65, 13, 52, 139, 77, 89, 138, 114, 107, 23, 141, 23, 85, 74, 119, 106, 90, 116, 20, 64, 138, 52, 23, 97, 52, 38, 135, 65, 26, 134, 135, 14, 143, 32, 110, 52, 50, 80, 133, 66, 69, 90, 78, 20, 147, 28, 115, 27, 93, 48, 81, 96, 121, 62, 145, 94, 10, 22, 105, 23, 125, 105, 42, 130, 139, 85, 29, 19, 38, 51, 98, 139, 85, 80, 106, 55, 41, 42, 149, 145, 12, 74, 18, 132, 72, 121, 138, 97, 104, 74, 40, 81, 33, 103, 113, 85, 32, 29, 146, 88, 27, 137, 36, 126, 32, 56, 37, 29, 82, 89, 79, 100, 87, 72, 90, 93, 68, 87, 52, 75, 138, 122, 138, 84, 141, 13, 59, 113, 102, 119, 137, 55, 27, 146, 52, 18, 65, 78, 44, 135, 139, 88, 107, 138, 116, 16, 44, 100, 139, 101, 13, 76, 68, 17, 56, 74, 72, 27, 102, 28, 70, 108, 46, 39, 34, 46, 142, 17, 141, 60, 52, 103, 136, 70, 20, 102, 147, 98, 55, 17, 14, 33, 77, 134, 147, 75, 124, 60, 82, 116, 26, 146, 49, 110, 44, 128, 54, 147, 107, 58, 66, 143, 24, 90, 22, 92, 139, 73, 141, 129, 134, 84, 27, 62, 46, 34, 58, 144, 43, 136, 107, 11, 82, 95, 24, 117, 57, 113, 73, 44, 91, 141, 44, 60, 128, 142, 96, 57, 127, 60, 74, 54, 138, 119, 118, 61, 130, 146, 11, 65, 92, 82, 60, 114, 54, 139, 148, 84, 110, 141, 142, 84, 21, 70, 54, 120, 48, 93, 104, 98, 39, 103, 29, 104, 132, 255]

x = [0x313EF, 0x32F1B, 0x31C4E, 0x3246F, 0x30158, 0x33BF0,
0x2E3C8, 0x2A9B9, 0x30344, 0x31749, 0x2D060, 0x2D97F,
0x345ED, 0x35BA8, 0x27523, 0x3729D, 0x31A55, 0x335FF,
0x29380, 0x32DA3, 0x33F5D, 0x35B6C, 0x2EAA9, 0x3241A,
0x2B11A, 0x3062D, 0x31041, 0x33820, 0x2BA33, 0x322E9,
0x2FFCD, 0x38606]

总之写出checkFlag函数的逆向脚本，理论上可以得到关于flag的一个32 x 32线性方程组，使用z3之类的工具解出应该就能获得flag

script

DASCTF五月原题，参照WriteUp：

https://bbs.pediy.com/thread-259707-1.htm

https://blog.csdn.net/weixin_44145820/article/details/106296568

https://www.cnblogs.com/harmonica11/p/12943773.html