
2021.03.27_Reverse_xCTF_IgniteMe_WriteUp



今天早点干活

仍然是常规的Windows可执行程序逆向,拖入exeinfope之后发现没壳直接丢进IDA,找到main函数进入

/*
 * IDA pseudocode of the crackme's entry point (every name except `flag`
 * is an IDA default).  Flow: prompt, read a line into `flag`, then gate on
 *   1. 5 <= strlen(flag) <= 29,
 *   2. the first four bytes equal "EIS{",
 *   3. flag[28] == '}'  (v8 lives at ebp-64h, which is flag + 0x1C),
 *   4. sub_4011C0(flag) returns true.
 * Only "Congratulations! " or a "Sorry, keep trying!" variant is printed,
 * and the function always returns 0, so the verdict is purely the message.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // edx  -- never assigned in the pseudocode; decompiler artifact for a register-passed argument
  int result; // eax
  size_t i; // [esp+4Ch] [ebp-8Ch]
  char v6[4]; // [esp+50h] [ebp-88h]  -- receives "EIS{"; IDA sized it 4 bytes, the strcpy NUL lands in the unnamed bytes before `flag`
  char flag[28]; // [esp+58h] [ebp-80h]
  char v8; // [esp+74h] [ebp-64h]  -- overlays flag[28]: the expected closing '}'

  print(&unk_446360, "Give me your flag:");
  sub_4013F0(sub_403670);
  sub_401440((int)&dword_4463F0, v3, (int)flag, 127);// these two calls presumably read the input line into `flag` (TODO confirm); the 127-byte limit exceeds the 28-byte stack slot, so the target itself is overflowable -- irrelevant to the solve
  if ( strlen(flag) < 0x1E && strlen(flag) > 4 )          // length must be 5..29 bytes
  {
    strcpy(v6, "EIS{");
    for ( i = 0; i < strlen(v6); ++i )                    // byte-wise prefix check against "EIS{"
    {
      if ( flag[i] != v6[i] )
      {
        print(&unk_446360, "Sorry, keep trying! ");
        sub_4013F0(sub_403670);
        return 0;
      }
    }
    if ( v8 == 125 )                                      // 125 == '}', i.e. flag[28] must be the closing brace
    {
      if ( sub_4011C0(flag) )// the real check: returns 1 only for the correct body; analysed below
        print(&unk_446360, "Congratulations! ");
      else
        print(&unk_446360, "Sorry, keep trying! ");
      sub_4013F0(sub_403670);
      result = 0;
    }
    else
    {
      print(&unk_446360, "Sorry, keep trying! ");
      sub_4013F0(sub_403670);
      result = 0;
    }
  }
  else
  {
    print(&unk_446360, "Sorry, keep trying!");
    sub_4013F0(sub_403670);
    result = 0;
  }
  return result;
}

直接进入 sub_4011C0 看看什么情况下返回值为 1(此时 main 已经保证了输入以 "EIS{" 开头、flag[28] 为 '}'、总长度在 5~29 之间)

/*
 * Core check, reached from main only after the "EIS{" prefix and the '}'
 * at flag[28] have been verified.  Works on a copy of
 * flag[4 .. strlen(flag)-2] (the body between the braces), swaps the ASCII
 * case of each byte, passes it through sub_4013C0 (not shown on this page;
 * the solver script below inverts it as (x - 72) ^ 0x55), XORs the result
 * with byte_4420B0[i], and compares the 24-byte output against a fixed
 * string.  Returns true only on an exact match.
 */
bool __cdecl sub_4011C0(char *flag)
{
  size_t v2; // eax
  signed int v3; // [esp+50h] [ebp-B0h]   -- "already upper-cased this byte" guard, reset every iteration
  char v4[32]; // [esp+54h] [ebp-ACh]     -- transformed output; only safe because main caps the input at 29 bytes (at most 25 body bytes written here)
  int v5; // [esp+74h] [ebp-8Ch]          -- zeroed and never read
  int j; // [esp+78h] [ebp-88h]
  size_t i; // [esp+7Ch] [ebp-84h]
  char flag_sub_first4[128]; // [esp+80h] [ebp-80h]

  if ( strlen(flag) <= 4 )
    return 0;
  i = 4;
  j = 0;
  while ( i < strlen(flag) - 1 )          // stops one byte short of the end: the closing '}' is dropped as well
    flag_sub_first4[j++] = flag[i++];
  flag_sub_first4[j] = 0;// copy of the flag body: everything after the 4-byte "EIS{" prefix except the final byte
  v5 = 0;
  v3 = 0;
  memset(v4, 0, 0x20u);                   // zero-fill so the output is NUL-terminated for the strcmp below
  for ( i = 0; ; ++i )
  {
    v2 = strlen(flag_sub_first4);
    if ( i >= v2 )
      break;
    if ( flag_sub_first4[i] >= 97 && flag_sub_first4[i] <= 122 )   // 'a'..'z' -> 'A'..'Z'
    {
      flag_sub_first4[i] -= 32;
      v3 = 1;                                                        // prevent the branch below from undoing the upper-casing
    }
    if ( !v3 && flag_sub_first4[i] >= 65 && flag_sub_first4[i] <= 90 ) // 'A'..'Z' -> 'a'..'z'  (net effect: swapcase, which is its own inverse)
      flag_sub_first4[i] += 32;
    v4[i] = byte_4420B0[i] ^ sub_4013C0(flag_sub_first4[i]);          // per-byte transform, then XOR with the key table
    v3 = 0;
  }
  return strcmp("GONDPHyGjPEKruv{{pj]X@rF", v4) == 0;  // 24-char target, so in practice the body is 24 bytes (flag length 29)
}

发现该函数先把 flag[4 .. strlen(flag)-2] 复制到一个变量中,即去掉 main 中已校验的 'EIS{' 前缀和最后的 '}',只保留大括号之间的 24 字节正文

然后对每个字节做大小写互换(大写变小写、小写变大写),再经过 sub_4013C0 变换(本文未贴出该函数,从下面的脚本可知其逆运算为 (x - 72) ^ 0x55),最后与 byte_4420B0 中对应字节异或,并将得到的字符串与已知字符串 "GONDPHyGjPEKruv{{pj]X@rF" 进行比较。

下面开始编写逆向代码python

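# Contents of byte_4420B0 (the per-position XOR key); only the first 24
# entries are used because the target string is 24 characters long.
key_bytes = [0x0D, 0x13, 0x17, 0x11, 0x02, 0x01, 0x20, 0x1D, 0x0C,
             0x02, 0x19, 0x2F, 0x17, 0x2B, 0x24, 0x1F, 0x1E, 0x16,
             0x09, 0x0F, 0x15, 0x27, 0x13, 0x26, 0x0A, 0x2F, 0x1E,
             0x1A, 0x2D, 0x0C, 0x22, 0x04]
# The string sub_4011C0 compares its output against with strcmp.
target = "GONDPHyGjPEKruv{{pj]X@rF"


def solve(key=key_bytes, expected=target):
    """Invert sub_4011C0 and return the full flag.

    For every position i the binary computes
        expected[i] = key[i] ^ sub_4013C0(swapcase(body[i]))
    so we undo the XOR, undo sub_4013C0 (its body is not on this page; the
    inverse used here, (x - 72) ^ 0x55, comes from the original solver and
    is confirmed by the "Congratulations!" result), and swap ASCII case
    again -- swapcase is its own inverse.  The "EIS{" prefix and "}" suffix
    that main checks separately are then re-attached.

    key:      XOR key table (byte_4420B0); only len(expected) entries matter.
    expected: the 24-character comparison string.
    Returns the flag as a str.
    """
    body = []
    for k, ch in zip(key, expected):
        c = ((k ^ ord(ch)) - 72) ^ 0x55
        # Reverse the case swap from sub_4011C0; ASCII letters only, like the binary.
        if 97 <= c <= 122:      # 'a'..'z' -> 'A'..'Z'
            c -= 32
        elif 65 <= c <= 90:     # 'A'..'Z' -> 'a'..'z'
            c += 32
        body.append(chr(c))
    return "EIS{" + "".join(body) + "}"


flag = solve()
print(flag)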

EIS{wadx_tdgk_aihc_ihkn_pjlm}

---------------------------------------------------分割线-----------------------------------------------

仍然是简单的逆向分析题,没啥技巧,慢慢看代码然后求解就好,想求快唯手熟尔

2021.03.27_Reverse_xCTF_IgniteMe_WriteUp


原文地址:https://www.cnblogs.com/m1nercy/p/14585556.html
