
[原创]POLARIS CTF 2026 Reverse WP

#1 楼主 2026-06-01 21:08:59
POLARIS CTF 2026 WP
1个多月前我就把WP传到我博客上了。看雪也传一下。标注了x的两题我是没做出来的(没能复现),放的是别人的题解。别的均有我个人的理解和细节补充。
部分题目参考以下WP:
第一届 Polaris CTF 招新赛 Reverse wp
5d0K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2K6j5h3&6B7K9i4g2U0N6r3k6Q4x3X3g2U0L8W2)9J5c8W2)9K6c8Y4m8Q4x3@1b7K6x3U0t1H3
AIL0的WP
illusion
#RC4# #AES# #AES128ECB# #hook#
fake flag
以这道题为例子,只看 main 函数只会得到 fake flag:main 本身只做格式检查(前缀 mxctf{、末尾 }、总长恰好 25 字符,即大括号内 18 字节),真正的比较在 checkFlag 里。
main 里能看到的是一个 RC4,但用它解密得到的 flag 含有一个不可见字符,而且长度比要求的少一个。
// IDA pseudocode of the binary's main() as pasted in the write-up. Braces were lost in the paste, so
// indentation is not structural. main() reads the candidate flag, checks only its shape (prefix "mxctf{",
// trailing '}', total length 25) and then hands the 18-byte body, a key string and an expected-ciphertext
// buffer to checkFlag(). Nothing in this function decides success on its own.
int __fastcall main(int argc, const char **argv, const char **envp)
__int64 v3; // r9
char **argv_1; // rdx
const char **envp_1; // r8
__int64 v6; // r9
__int64 n25; // rax -- length of inp, computed by the do/while below
char **argv_2; // rdx
const char **envp_2; // r8
__int64 v10; // r9
// v12..v16 are contiguous on the stack (rbp-60h, -58h, -54h, -50h, -4Eh): 8+4+4+2 = 18 bytes of constants
// followed by one zero byte. &v12 is passed to checkFlag() as its third argument, so this is the expected
// ciphertext (18 bytes, the same length as the flag body) assembled inline with a NUL terminator.
unsigned __int64 v12; // [rsp+20h] [rbp-60h] BYREF
int n1045879079; // [rsp+28h] [rbp-58h]
unsigned int v14; // [rsp+2Ch] [rbp-54h]
__int16 n21529; // [rsp+30h] [rbp-50h]
char v16; // [rsp+32h] [rbp-4Eh] -- terminator of the ciphertext buffer
char nev_gona_give_up[24]; // [rsp+38h] [rbp-48h] BYREF -- key string handed to checkFlag()
char inp[25]; // [rsp+50h] [rbp-30h] BYREF -- user input; 25 is the size IDA inferred, the real frame may have slack

sub_7FF7BD0A1930("w3lc0me to the Re w0r1d.\nP1z input your flag: ", argv, envp, v3); // presumably a printf-style wrapper
strcpy(nev_gona_give_up, "nev_gona_give_up");
// Presumably a scanf-style wrapper. "%25s" stores up to 25 characters plus a NUL, i.e. up to 26 bytes into an
// array IDA sized at 25. NOTE(review): that is a possible one-byte overwrite of the next stack slot if the frame
// really is this tight; not what the challenge is about, but confirm before reusing this input pattern.
sub_7FF7BD0A1990("%25s", inp);
// Shape check. IDA renders the 16-bit compare of inp[0..1] as the multi-char constant 'mx'; together with the
// byte compares that follow, the required prefix is "mxctf{".
if ( *inp != 'mx' )
goto LABEL_12;
if ( inp[2] != 'c' )
goto LABEL_12;
if ( inp[3] != 't' )
goto LABEL_12;
if ( inp[4] != 'f' )
goto LABEL_12;
if ( inp[5] != '{' )
goto LABEL_12;
if ( inp[24] != '}' ) // closing brace must sit at index 24
goto LABEL_12;
// Inline strlen(): n25 ends up as the length of inp.
n25 = -1;
do
++n25;
while ( inp[n25] );
// Total length must be exactly 25 = 6 ("mxctf{") + 18 (body) + 1 ("}").
// Every failed check above lands on LABEL_12: print Text and exit.
if ( n25 != 25 )
LABEL_12:
sub_7FF7BD0A1930(Text, argv_1, envp_1, v6);
exit(0);
// Expected ciphertext; see the v12..v16 layout note in the declarations above.
v12 = 0xE72C8F0A84FB0AD5uLL;
v16 = 0;
n1045879079 = 0x3E56D927;
v14 = 0xAB296CF3;
n21529 = 0x5419;
// Copy the 18-byte flag body (between '{' and '}') into the global Destination. strncpy() does not write a
// terminator when the source is at least as long as the count (it is: 18 body bytes + '}'), so the byte after
// the copy is zeroed by hand on the next line (unk_7FF7BD0C8B12 is presumably Destination[18]).
strncpy(
Destination, // "aaabbbaaabbbaaabbb"
&inp[6],
18u);
unk_7FF7BD0C8B12 = 0; // "aaabbbaaabbbaaabbb"
// The real comparison lives in checkFlag(body, key, expected_ciphertext). On failure: message box, then exit.
// With braces lost, the exit(0) on the line after MessageBoxA is presumably inside this if -- otherwise the
// success print below would be unreachable.
if ( !checkFlag(
Destination, // "aaabbbaaabbbaaabbb"
nev_gona_give_up,
&v12) )
MessageBoxA(0, Text, "Illusion", 0);
exit(0);
sub_7FF7BD0A1930(&w3lc0me_to_the_Re_w0r1d__nP1z_input_your_flag___, argv_2, envp_2, v10); // success message
return 0;

加密部分
char __fastcall checkFlag(char *Destination, char *key, __int64 cip_1)
__int64 j; // rbx
double (__cdecl *j_0)(double); // r9
__int64 lenOfCip; // r10
__m128i si128; // xmm2
char *v10; // rdx
__m128 v11; // xmm3
unsigned int n8; // ecx
__int64 n256; // rbp
unsigned int v14; // eax
__m128i v15; // xmm0
__m128i v16; // xmm1
__m128i v17; // xmm0
__m128i v18; // xmm1
__m128i v19; // xmm0
__m128i v20; // xmm0
__m128i v21; // xmm0
__m128i v22; // xmm1
__m128i v23; // xmm1
unsigned __int8 *v24; // r8
unsigned __int64 i0; // rdi
unsigned __int64 counter1; // rcx
int v27; // esi
unsigned __int8 v28; // cl
unsigned __int8 i2; // r11
int i; // r9d
_BYTE *v31; // rcx
int v32; // r8d
char sboxValue; // al
__int64 i2_0; // r8
unsigned __int8 i_1; // dl
_BYTE flag[32]; // [rsp+0h] [rbp-148h]
_BYTE sbox[4

...(已截断)

---
来源: 看雪论坛
原文链接: https://bbs.kanxue.com/thread-291294.htm
