Reverse

Official WP

TAMUCTF2024

Reveille Petter

This is a game written with the Godot engine; it can be decompiled with gdsdecomp.
RE Tools - Recover Project, then select reveille_petter.exe to decompile it.
Choose an output directory.
The output directory contains a project.godot file, which can be opened with Godot,
but this challenge does not need it; the file that matters is clicker.gd.
This is a Godot script file, and the flag can be read in plaintext directly from it:

extends Node2D


var pets = 0;

# Called when the node enters the scene tree for the first time.
func _ready():
	pets = 0;
	$CanvasLayer/pets_label.text = "Pets: " + str(pets)
	$CanvasLayer/info.text = "[center]Pet Reveille 4052024 times to get the flag![/center]"

# Called every frame. 'delta' is the elapsed time since the previous frame.
func _process(delta):
	if pets == 4052024:
		$CanvasLayer/info.text = "[center]flag: gigem{r3v_1s_cut3!!}[/center]"
	$CanvasLayer/pets_label.text = "Pets: " + str(pets)


func _on_texture_button_pressed():
	if pets >= 10:
		$CanvasLayer/rev.disabled = true;
		$CanvasLayer/info.text = "[center]Reveille is tired and cannot take any more pets :([/center]"
	else:
		pets += 1


func _on_restart_pressed():
	_ready()
	$CanvasLayer/rev.disabled = false;

flag

gigem{r3v_1s_cut3!!}

Resistant

Description:

All these RE challenges are just too easy! So what happens when the binary fights back?

openssl s_client -connect tamuctf.com:443 -servername resistant

After connecting with openssl we are asked for a password.
Open resistant in IDA and look at the main function.
It appears to use self-modifying code (SMC).
The decrypt_func function is as follows:
In the disassembly view, the code from 0x15B9 to 0x17F8 and from 0x17F9 to 0x19B0 is encrypted.
Patch it with an IDAPython script:

import idc
import ida_bytes

# First encrypted region; for the second region use addr = 0x17F9, end = 0x19B0
addr = 0x15B9  # 0x17F9
end = 0x17F8   # 0x19B0
key = [0x6C, 0x5E, 0xC5, 0x4B, 0x6D, 0xF8, 0x69, 0xBC, 0x14, 0x93, 0x52, 0x69, 0x92, 0x7B, 0x9A, 0xFB]
# XOR every byte with the key byte selected by the low nibble of its address
for i in range(addr, end):
    b = ida_bytes.get_bytes(i, 1)
    idc.patch_byte(i, ord(b) ^ key[i & 0xf])
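
The same XOR transform as a standalone Python script, added here as an example (it is not part of the original write-up), so that the decrypted code can be written to disk and opened in any disassembler. It assumes the encrypted regions are given as virtual addresses and that the mapping from virtual address to file offset is the identity (true for a PIE binary whose first PT_LOAD segment has p_offset == p_vaddr == 0); the test image is constructed.

```python
import sys

# 16-byte XOR key from the write-up's IDAPython snippet.
KEY = bytes([0x6C, 0x5E, 0xC5, 0x4B, 0x6D, 0xF8, 0x69, 0xBC,
             0x14, 0x93, 0x52, 0x69, 0x92, 0x7B, 0x9A, 0xFB])

# Encrypted code regions named in the write-up, end exclusive like the
# original `range(addr, end)` loop.
REGIONS = [(0x15B9, 0x17F8), (0x17F9, 0x19B0)]


def xor_region(image: bytearray, start: int, end: int,
               key: bytes = KEY, va_to_off=lambda va: va) -> bytearray:
    """XOR the image bytes for virtual addresses [start, end) in place.

    The key byte is chosen by the low nibble of the virtual address
    (key[va & 0xF]), not by the offset into the region, so a region that
    starts mid-key still lines up with what the binary's decrypt_func does.
    `va_to_off` maps a virtual address to a file offset; the identity default
    is an assumption (PIE binary, first PT_LOAD at offset 0 / vaddr 0).
    """
    for va in range(start, end):
        image[va_to_off(va)] ^= key[va & 0xF]
    return image


def decrypt_regions(image: bytes, regions=REGIONS,
                    va_to_off=lambda va: va) -> bytes:
    """Return a copy of `image` with every region decrypted (XOR inverts itself)."""
    out = bytearray(image)
    for start, end in regions:
        xor_region(out, start, end, KEY, va_to_off)
    return bytes(out)


def demo() -> bool:
    """Round trip on a constructed image: encrypting then decrypting restores it."""
    plain = bytes(range(256)) * (0x1A00 // 256)   # constructed, not the real binary
    encrypted = decrypt_regions(plain)             # same operation "encrypts" plaintext
    return encrypted != plain and decrypt_regions(encrypted) == plain


if __name__ == "__main__":
    # usage: python smc_decrypt.py resistant resistant.dec
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    with open(sys.argv[2], "wb") as f:
        f.write(decrypt_regions(data))
```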

This recovers the following two functions; from their rough logic it looks like the key can be obtained by debugging the binary dynamically.
NOP out check_Debug to bypass it, then set a breakpoint before memcmp and inspect the arguments passed in.
This gives the key N0tUrM0msP4sswd!

flag

gigem{a_b4ttl3_4_th3_hist0ry_b00ks}

Alien

Description:

Run the lm3s6965 firmware. Press enter to let it know you’re listening. Read the flag.

According to the description, this is firmware for the lm3s6965.
A search shows that it can be run with QEMU:
The Embedded Rust Book
After installing QEMU by following that tutorial, run it directly:

qemu-system-arm -cpu cortex-m3 -machine lm3s6965evb -nographic -semihosting-config enable=on,target=native -kernel alien.elf


flag

gigem{https://www.youtube.com/watch?v=7Vb1BBpWe0w}