引言
本次分享PolarCTF靶场中所有[easy]re题目的WP。
由于文章篇幅较长(一共有22道题目),分为两期发表,本期先分享上半部分内容,适合刚接触逆向的朋友。如果你也对逆向感兴趣,或者正在准备CTF比赛,希望这些内容能给大家一些帮助。
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/4-1740964406.png "PolarCTF[RE][easy]全解(上)")
发现是Aspack壳,用工具脱壳:
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/3-1740964407.png "PolarCTF[RE][easy]全解(上)")
32位:用IDA打开。直接shift+f12发现关键字符“Enter password:”
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/0-1740964407.png "PolarCTF[RE][easy]全解(上)")
直接跟进函数看看:
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/7-1740964407.png "PolarCTF[RE][easy]全解(上)")
-
关键函数:
sub_401738。继续跟进去看看:-
大概逻辑就是:
input逐个和0xC进行异或,然后和Str2进行比较 -
所以
input = Str2 ^ 0xC
-
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/6-1740964407.png "PolarCTF[RE][easy]全解(上)")
Str2 = >4i44oo4?i=n>:m;8m4=oo4i;>?4>h9m
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/3-1740964408.png "PolarCTF[RE][easy]全解(上)")
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/6-1740964409.png "PolarCTF[RE][easy]全解(上)")
编写解密脚本:
int main() {char str[] = ">4i44oo4?i=n>:m;8m4=oo4i;>?4>h9m";for (int i = 0; i < 32; i++) {str[i] ^= 0xC;}printf("%s", str);return 0;}// 28e88cc83e1b26a74a81cc8e72382d5a
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/3-1740964409.png "PolarCTF[RE][easy]全解(上)")
查壳发现是NsPack,用工具脱壳:
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/6-1740964410.png "PolarCTF[RE][easy]全解(上)")
32位,用IDA打开。直接搜索函数,找到main函数:
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/0-1740964410.png "PolarCTF[RE][easy]全解(上)")
很长,但实际上很简单,步骤大概是:
-
和几个数组逐个进行比较,且异或不同的数
-
例如第一个
for循环,input[i]和aNqt[i] ^ 0xBu的结果进行比较 -
第二个
for循环,input[i+len(aNqt)]和aKixs[i] ^ 0xCu的结果进行比较 -
...
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/6-1740964411.png "PolarCTF[RE][easy]全解(上)")
-
aNqt = nqT
-
aKixs = kixS
-
aKa9jr = ka9jR
-
aHCq = h|>cQ
-
aG = g<}<
编写解密脚本:
int main() {char str1[] = "nqT";char str2[] = "kixS";char str3[] = "ka9jR";char str4[] = "h|>cQ";char str5[] = "g<}<";for (int i = 0; i < sizeof(str1)-1; i++) {str1[i] ^= 0xBu;}printf("%s", str1);for (int i = 0; i < sizeof(str2) - 1; i++) {str2[i] ^= 0xCu;}printf("%s", str2);for (int i = 0; i < sizeof(str3) - 1; i++) {str3[i] ^= 0xDu;}printf("%s", str3);for (int i = 0; i < sizeof(str4) - 1; i++) {str4[i] ^= 0xEu;}printf("%s", str4);for (int i = 0; i < sizeof(str5) - 1; i++) {str5[i] ^= 0xFu;}printf("%s", str5);return 0;}//ez_get_fl4g_fr0m_h3r3// 需要md5 32位小写加密后再提交
查壳发现是upx
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/10-1740964412.png "PolarCTF[RE][easy]全解(上)")
工具脱壳:upx -d [FilePath]
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/5-1740964412.png "PolarCTF[RE][easy]全解(上)")
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/10-1740964412-1.png "PolarCTF[RE][easy]全解(上)")
32位,IDA打开,shitf+F12发现关键字符串。跟进去看看
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/3-1740964413.png "PolarCTF[RE][easy]全解(上)")
F5反编译直接看到!
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/3-1740964413-1.png "PolarCTF[RE][easy]全解(上)")
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/0-1740964413.png "PolarCTF[RE][easy]全解(上)")
不是PE文件?根据题目,大概可以猜到,是想让我们修复PE结构。winhex打开看看
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/9-1740964415.png "PolarCTF[RE][easy]全解(上)")
上来就发现不是MZ!notepad++修改一下(别问为什么不是winhex,notepad用起来顺手一点QAQ)
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/0-1740964415.png "PolarCTF[RE][easy]全解(上)")
再打开,发现OK了。
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/10-1740964416.png "PolarCTF[RE][easy]全解(上)")
直接运行试试:
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/6-1740964416.png "PolarCTF[RE][easy]全解(上)")
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/5-1740964417.png "PolarCTF[RE][easy]全解(上)")
32位,直接用IDA打开,发现脸上就是main函数,手直接就挪F5上了啊!
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/1-1740964417.png "PolarCTF[RE][easy]全解(上)")
嗯······这拼接在,嗯。哈哈。
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/5-1740964418.png "PolarCTF[RE][easy]全解(上)")
32位,IDA打开。main函数又在脸上,直接F5:
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/5-1740964418-1.png "PolarCTF[RE][easy]全解(上)")
看眼逻辑:input每位都--,然后与str2进行比较。
所以str2每位都++,就是flag
int main() {char str2[] = "ek`fz5123086/ce7ac7/`4a81`6/87b`b28a5|";for (int i = 0; i < strlen(str2); i++) {str2[i]++;}printf("%s", str2);return 0;}
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/3-1740964419.png "PolarCTF[RE][easy]全解(上)")
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/5-1740964421.png "PolarCTF[RE][easy]全解(上)")
upx壳,工具脱掉:
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/10-1740964421.png "PolarCTF[RE][easy]全解(上)")
32位,因为是注册机,所以先运行看看:
![PolarCTF[RE][easy]全解(上)](https://cn-sec.com/wp-content/uploads/2025/03/8-1740964421.png "PolarCTF[RE][easy]全解(上)")
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/7-1740964421.png "PolarCTF[RE][easy]全解(上)")
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/4-1740964421.png "PolarCTF[RE][easy]全解(上)")
跟进去发现关键:
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/0-1740964421.png "PolarCTF[RE][easy]全解(上)")
pawd会被打印,所以可以x64嗯调到打印的地方? 哦不行,试了一下发现,只会打印输入的东西,还是得自己对照QAQ
复制下来试试:
int main() {char v11[20];v11[0] = 'C';v11[15] = 'X';v11[1] = 'Z';v11[14] = 'A';v11[2] = '9';v11[13] = 'b';v11[3] = 'd';v11[12] = '7';v11[4] = 'm';v11[11] = 'G';v11[5] = 'q';v11[10] = '9';v11[6] = '4';v11[9] = 'g';v11[7] = 'c';v11[8] = '8';v11[16] = '�';if (strlen(v11) == 0x10) {printf("%s", v11);}return 0;}// CZ9dmq4c8g9G7bAX
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/1-1740964422.png "PolarCTF[RE][easy]全解(上)")
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/1-1740964422-1.png "PolarCTF[RE][easy]全解(上)")
哦对,邮箱要有@,且@后面有字符,有.,且.后面要有字符。反正写规范一点,直接123会被拦截
tip:最终密码要进行32位md5加密哦
flag{c3ec13a01b07ad218dbd5f4bbab592b9}
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/2-1740964423.png "PolarCTF[RE][easy]全解(上)")
64位ELF。进kali看看:
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/2-1740964423-1.png "PolarCTF[RE][easy]全解(上)")
程序入口是key2。IDA,启动!
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/3-1740964423.png "PolarCTF[RE][easy]全解(上)")
跟进去发现,key2=str1,str1 = that_ok = key2
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/4-1740964423.png "PolarCTF[RE][easy]全解(上)")
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/3-1740964423-1.png "PolarCTF[RE][easy]全解(上)")
接着找谁调用了key2(),找到main函数
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/0-1740964424.png "PolarCTF[RE][easy]全解(上)")
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/4-1740964425.png "PolarCTF[RE][easy]全解(上)")
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/2-1740964426.png "PolarCTF[RE][easy]全解(上)")
直接复制下来,运行一下发现:key1 = 11694441,key3 = NNSXS===
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/8-1740964426.png "PolarCTF[RE][easy]全解(上)")
拼起来:flag{11694441that_okNNSXS===}
啊?不对。
草,key3需要base32解密,结果为:key 所以:flag{11694441that_okkey},再进行md5,32位小写加密即可
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/6-1740964428.png "PolarCTF[RE][easy]全解(上)")
64位ELF,进kali看看:发现没有任何输出,直接等你输入。
好吧,那IDA启动!
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/0-1740964428.png "PolarCTF[RE][easy]全解(上)")
简单分析一下strmncpy函数:
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/4-1740964429.png "PolarCTF[RE][easy]全解(上)")
简单分析一下magic函数:
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/5-1740964429.png "PolarCTF[RE][easy]全解(上)")
查找发现,python的binascii库和zlib库有crc32
因为flag的前4位包是flag,所以可以试试:flag加密后是否和0xd1f4eb9a相等,看看python库里的crc32的实现是否和这题的实现一致。
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/6-1740964429.png "PolarCTF[RE][easy]全解(上)")
OK!可以开始爆破了
import binasciifor i in range(128):str2 = chr(i)crc2 = binascii.crc32(str2.encode())if crc2 == 0x15d54739:print("str2 = ", str2)if crc2 == 0xfcb6e20c:print("str6 = ", str2)for j in range(128):str4 = chr(i)+chr(j)if binascii.crc32(str4.encode()) == 0x3fcbd242:print("str4 = ", str4)for k in range(128):for l in range(128):str1 = chr(i)+chr(j)+chr(k)+chr(l)crc1 = binascii.crc32(str1.encode())if crc1 == 0xd1f4eb9a:print("str1 = ",str1)if crc1 == 0x540bbb08:print("str3 = ", str1)if crc1 == 0x2479c623:print("str5 = ", str1)print("end")
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/5-1740964429-1.png "PolarCTF[RE][easy]全解(上)")
拼起来:flag{ezrebyzhsh}
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/0-1740964431.png "PolarCTF[RE][easy]全解(上)")
64位ELF。直接运行发现:没有任何输出,直接等你输入。
IDA启动:
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/2-1740964432.png "PolarCTF[RE][easy]全解(上)")
看了眼flag = qisngksofhuivvmg
再看眼encode():+=3再^6=1u
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/0-1740964433.png "PolarCTF[RE][easy]全解(上)")
所以对flag = qisngksofhuivvmg进行encode()就是我们的input
int main() {char flag[] = "qisngksofhuivvmg";for (int i = 0; i <= 15; i++) {flag[i] += 3;flag[i] ^= 0x1u;}printf("%s", flag);return 0;}//umwpkowshjymxxqk
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/7-1740964434.png "PolarCTF[RE][easy]全解(上)")
64位ELF,直接运行:flag{HaiZI233N145wuD!le112@666}
![PolarCTF[RE][easy]全解(上)](http://cn-sec.com/wp-content/uploads/2025/03/1-1740964434.png "PolarCTF[RE][easy]全解(上)")
啊?真这么简单wow
原文始发于微信公众号(SecNL安全团队):PolarCTF[RE][easy]全解(上)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论