arm汇编入门
arm汇编入门：ARM 中包含了大量的汇编指令。最新的 ARMv8 指令文档包含了所有 ARM 架构与指令的详细信息。虽然 ARM 指令集的家族庞大，但它是精简指令集（RISC），使用的指令格式比 x86 简单很多。
MIPS逆向
MIPS逆向：准备调试环境——安装 qemu。在 Linux 中安装 qemu：
# Install QEMU: the full-system emulators plus the user-mode emulators
# (dynamic and static builds) used to run foreign-architecture ELF binaries
# directly on the host.
sudo apt-get install qemu qemu-system qemu-user-static qemu-user
然后尝试执行mips64的程序
# Run the MIPS64 user-mode binary under qemu-user. qemu-mips64 is the
# big-endian emulator; a little-endian target needs qemu-mips64el instead.
qemu-mips64 ./mips64
调试：qemu 自带 gdbserver（qemu-user 以 -g &lt;端口&gt; 启动后，即可用 gdb 远程连接该端口调试）。
VNCTF2022WP
VNCTF2022 Re BabyMaze：删除 0x2E–0x33 处的 6 个字节，把 0x2A 位置的 EE 改成 E8（E8 是 x86 的 call rel32 操作码）。
反编译结果
_map = [[1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1],[1, 5, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1],[1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1],[1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1],[1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1 ...
CE介绍
CE介绍：寄存器快照 EAX=24BE0FB8 EBX=00000001 ECX=00000226 EDX=D6EF0002 ESI=24D24928 EDI=24BE0FB8 EBP=0019F9D8 ESP=0019F968 EIP=00430A1D
Probable base pointer =24BE0FB8
00430A0E - mov eax,[esi+04]
00430A11 - add [eax+00005560],ecx
00430A17 - mov ecx,[eax+00005560]
00430A1D - cmp ecx,00002706
00430A23 - jle 00430A9D
EAX=00452650 EBX=0019FD00 ECX=027E9F78 EDX=00667BA0 ESI=24BE0FB8 EDI=027E9F78 EBP=00000001 ESP=0019FC60 EIP=00452679
Probable base pointer =027E9F78
0045266A - cmp byte ptr [edi+000004CF],0000452671 - je 0045269B0045267 ...
进程
进程：进程结构
PEB（3 环 / 用户态下）
typedef struct _PEB { BYTE Reserved1[2]; BYTE BeingDebugged; BYTE Reserved2[1]; PVOID Reserved3[2]; PPEB_LDR_DATA Ldr; PRTL_USER_PROCESS_PARAMETERS ProcessParameters; PVOID Reserved4[3]; PVOID AtlThunkSListPtr; PVOID Reserved5; ULONG Reserved6; PVOID ...
lib和dll
LIB使用VS编译
先建立一个静态链接库,
// ---- StaticLib1.h ----
// Public interface of the static library: one exported function.
#pragma once
#include<Windows.h>
void Lib();
// ---- StaticLib1.cpp ----
// StaticLib1.cpp : defines the functions of the static library.
//
#include "pch.h"
#include "framework.h"
#include "StaticLib1.h"
// TODO: this is an example library function
// Shows a modal message box. The wide (L"...") literals only compile in a
// Unicode build, where the MessageBox macro resolves to MessageBoxW.
void Lib(){ MessageBox(NULL, L"Lib", L"you", MB_OK);}
生成
然后建立一个空项目调用生成的lib文件
// Consumer: an empty VS project that links the static library and calls Lib().
#include"StaticLib1.h"
#include<stdio.h>   // not used below; can be dropped
// Link-time directive: the linker searches for the .lib at build time
// (relative path resolved against its working directory / LIB paths).
// The code is linked statically, so nothing is loaded from disk at runtime.
#pragma comment(lib,"./StaticLib1.lib")
int main(){ Lib(); return 0;}
即可实现调 ...
长安战疫WP
长安战疫WP某些题的flag头是cazy是我没有想到的
REcombat_sloganif (flag == 0 && str5.toString().compareTo("871019511949491089510249103104116951164895101110100951164895101110100959997122121") == 0) // 把数字转化为char// 87 101 95 119 49 49 108 95 102 49 103 104 116 95 116 48 95 101 110 100 95 116 48 95 101 110 100 95 99 97 122 121// We_w11l_f1ght_t0_end_t0_end_cazy
hello_py反编译
import threadingimport timedef encode_1(n): global num if num >= 0: flag[num] = flag[num] ^ num num -= 1 ...
西电抗疫
RE 个人：the_edge — flag{WhAt1s_this-0ver_th3_edge?}
当时交不上去,好像是账号问题,就没再写
recovery原件有三个
Flag.py
class DataFrame(object): def __init__(self, flag): self.flag = (lambda data: data + bytes([16-len(data) % 16] * (16-len(data) % 16)))(flag) self.matrix = [0] * len(self.flag) def gen_matrix(self): for i in range(len(self.flag)): self.matrix[i] = bin(self.flag[i])[2:].rjust(8, '0') # cycle left shift 1 bit self.matrix[i] = ...
西湖论剑2021WP
西湖论剑2021WP_RE复现先复现RE的吧,之后可能会有别的
RE ROP：32 位，无壳，逻辑很简单。粘上主要实现代码（注意 scanf 的 %40s 最多读入 40 个字符并追加结尾 NUL，因此之后的 strlen(flag) != 40 检查只能拒绝过短的输入）。
printf("Input:");scanf("%40s", (char)flag);if (strlen(flag) != 40) exit(0);for (i = 0; i < 0x28; i += 8){ for (j = 0; j < 8; ++j) { v4 = ((v5[j] & flag[i + 3]) << (8 - (3 - j) % 8u)) | ((v5[j] & (unsigned int)flag[i + 3]) >> ((3 - j) % 8u)) | ((v5[j] & flag[i + 2]) << (8 - (2 - j) % 8u)) | ((v5[j] & (unsigned int)flag[i + 2]) >> ((2 - j) % 8u)) | ( ...
第四届美团2021WP
第四届美团2021WP_复现还是一样菜呜呜呜
RE：比赛中只做出了最简单的，其他的不会。
Random：只需看主函数，逻辑挺简单的，已修改部分函数。注意反编译出的 main 里 scanf("%s", flag) 没有宽度限制，过长输入会溢出 flag 缓冲区。
int __cdecl main(int argc, const char **argv, const char **envp){ int v3; // eax int v4; // esi int v5; // edx int v6; // ecx int v7; // esi int v8; // eax char *v9; // eax int result; // eax int v11; // [esp-4h] [ebp-2Ch] const char **v12; // [esp+0h] [ebp-28h] const char **v13; // [esp+4h] [ebp-24h] if ( !n ) scanf("%s", flag); v3 = rand(); srand(v3); v4 = n; flag[v4] ^= rand(); if ( n == ...