buuctf reverse wp(11-13)
阿新 • • 發佈:2021-07-29
Java逆向解密
jd-gui 開啟,檢視核心程式碼
呼叫了 encrypt,在 encrypt 裡會對輸入的內容進行一個 +64^0x20 的操作然後與 key 對比,如果一致就輸出 "Congratulations!"
所以得到指令碼:
#include <bits/stdc++.h> using namespace std; int key[] = { 180, 136, 137, 147, 191, 137, 147, 191, 148, 136, 133, 191, 134, 140, 129, 135, 191, 65 }; int main() { for (int i = 0; i < 18; i++) cout << char(key[i] - 64 ^ 0x20); return 0; }
flag{This_is_the_flag_!}
刮開有獎
無殼,拖入 IDA 檢視 main 函式
檢視關鍵函式 dialogfunc
INT_PTR __stdcall DialogFunc(HWND hDlg, UINT a2, WPARAM a3, LPARAM a4) { const char *v4; // esi const char *v5; // edi int v7[2]; // [esp+8h] [ebp-20030h] BYREF int v8; // [esp+10h] [ebp-20028h] int v9; // [esp+14h] [ebp-20024h] int v10; // [esp+18h] [ebp-20020h] int v11; // [esp+1Ch] [ebp-2001Ch] int v12; // [esp+20h] [ebp-20018h] int v13; // [esp+24h] [ebp-20014h] int v14; // [esp+28h] [ebp-20010h] int v15; // [esp+2Ch] [ebp-2000Ch] int v16; // [esp+30h] [ebp-20008h] CHAR String[65536]; // [esp+34h] [ebp-20004h] BYREF char v18[65536]; // [esp+10034h] [ebp-10004h] BYREF if ( a2 == 272 ) return 1; if ( a2 != 273 ) return 0; if ( (_WORD)a3 == 1001 ) { memset(String, 0, 0xFFFFu); GetDlgItemTextA(hDlg, 1000, String, 0xFFFF); if ( strlen(String) == 8 ) { v7[0] = 90; v7[1] = 74; v8 = 83; v9 = 69; v10 = 67; v11 = 97; v12 = 78; v13 = 72; v14 = 51; v15 = 110; v16 = 103; sub_4010F0(v7, 0, 10); memset(v18, 0, 0xFFFFu); v18[0] = String[5]; v18[2] = String[7]; v18[1] = String[6]; v4 = (const char *)sub_401000(v18, strlen(v18)); memset(v18, 0, 0xFFFFu); v18[1] = String[3]; v18[0] = String[2]; v18[2] = String[4]; v5 = (const char *)sub_401000(v18, strlen(v18)); if ( String[0] == v7[0] + 34 && String[1] == v10 && 4 * String[2] - 141 == 3 * v8 && String[3] / 4 == 2 * (v13 / 9) && !strcmp(v4, "ak1w") && !strcmp(v5, "V1Ax") ) { MessageBoxA(hDlg, "U g3t 1T!", "@_@", 0); } } return 0; } if ( (_WORD)a3 != 1 && (_WORD)a3 != 2 ) return 0; EndDialog(hDlg, (unsigned __int16)a3); return 1; }
可以看到 v7 到 v16 其實是一個數組,String 也是
49 行進入一個 sub_4010F0 函式對 v7 進行了加工,跟進 sub_1010F0 看一下
int __cdecl sub_4010F0(int a1, int a2, int a3) { int result; // eax int i; // esi int v5; // ecx int v6; // edx result = a3; for ( i = a2; i <= a3; a2 = i ) { v5 = 4 * i; v6 = *(_DWORD *)(4 * i + a1); if ( a2 < result && i < result ) { do { if ( v6 > *(_DWORD *)(a1 + 4 * result) ) { if ( i >= result ) break; ++i; *(_DWORD *)(v5 + a1) = *(_DWORD *)(a1 + 4 * result); if ( i >= result ) break; while ( *(_DWORD *)(a1 + 4 * i) <= v6 ) { if ( ++i >= result ) goto LABEL_13; } if ( i >= result ) break; v5 = 4 * i; *(_DWORD *)(a1 + 4 * result) = *(_DWORD *)(4 * i + a1); } --result; } while ( i < result ); } LABEL_13: *(_DWORD *)(a1 + 4 * result) = v6; sub_4010F0(a1, a2, i - 1); result = a3; ++i; } return result; }
直接複製貼上稍作修改得到操作後的 v7
#include <bits/stdc++.h>
using namespace std;
int v7[] = {90, 74, 83, 69, 67, 97, 78, 72, 51, 110, 103};
int sub_4010F0(int *a1, int a2, int a3) {
int result; // eax
int i; // esi
int v5; // ecx
int v6; // edx
result = a3;
for (i = a2; i <= a3; a2 = i )
{
v5 = i;
//v6 = *(DWORD *)(4 * i + a1);
v6 = a1[i];
if ( a2 < result && i < result )
{
do
{
if ( v6 > a1[result] )
{
if ( i >= result )
break;
++i;
a1[v5] = a1[result];
if ( i >= result )
break;
while ( a1[i] <= v6 )
{
if ( ++i >= result )
goto LABEL_13;
}
if ( i >= result )
break;
v5 = 4 * i;
a1[result] = a1[i];
}
--result;
}
while ( i < result );
}
LABEL_13:
a1[result]= v6;
sub_4010F0(a1, a2, i - 1);
result = a3;
++i;
}
return result;
}
int main() {
sub_4010F0(v7, 0, 10);
for (int i = 0; i < 11; ++i)
cout << (char)v7[i];
return 0;
}
得到:3CSJNSaZEgn
接著往下看
先進入 sub_401000 看看
_BYTE *__cdecl sub_401000(int a1, int a2)
{
int v2; // eax
int v3; // esi
size_t v4; // ebx
_BYTE *v5; // eax
_BYTE *v6; // edi
int v7; // eax
_BYTE *v8; // ebx
int v9; // edi
int v10; // edx
int v11; // edi
int v12; // eax
int i; // esi
_BYTE *result; // eax
_BYTE *v15; // [esp+Ch] [ebp-10h]
_BYTE *v16; // [esp+10h] [ebp-Ch]
int v17; // [esp+14h] [ebp-8h]
int v18; // [esp+18h] [ebp-4h]
v2 = a2 / 3;
v3 = 0;
if ( a2 % 3 > 0 )
++v2;
v4 = 4 * v2 + 1;
v5 = malloc(v4);
v6 = v5;
v15 = v5;
if ( !v5 )
exit(0);
memset(v5, 0, v4);
v7 = a2;
v8 = v6;
v16 = v6;
if ( a2 > 0 )
{
while ( 1 )
{
v9 = 0;
v10 = 0;
v18 = 0;
do
{
if ( v3 >= v7 )
break;
++v10;
v9 = *(unsigned __int8 *)(v3 + a1) | (v9 << 8);
++v3;
}
while ( v10 < 3 );
v11 = v9 << (8 * (3 - v10));
v12 = 0;
v17 = v3;
for ( i = 18; i > -6; i -= 6 )
{
if ( v10 >= v12 )
{
*((_BYTE *)&v18 + v12) = (v11 >> i) & 0x3F;
v8 = v16;
}
else
{
*((_BYTE *)&v18 + v12) = 64;
}
*v8++ = byte_407830[*((char *)&v18 + v12++)];
v16 = v8;
}
v3 = v17;
if ( v17 >= a2 )
break;
v7 = a2;
}
v6 = v15;
}
result = v6;
*v8 = 0;
return result;
}
然後檢視 byte_407830
可以判定這個函式主要是進行了 base64 加密
所以 v4 和 v5 就可以通過 base64 解密得到
v4:jMp 以及 v5:WP1
然後再看那個最後的判斷
if ( String[0] == v7[0] + 34 //String == '3'+34 即第一位為'U'
&& String[1] == v10 //第二位為'J'
&& 4 * String[2] - 141 == 3 * v8 //第三位('E'*3+141)/4 即'W'
&& String[3] / 4 == 2 * (v13 / 9) //第四位為'P'
&& !strcmp(v4, "ak1w") //v4為jMp
&& !strcmp(v5, "V1Ax") ) //v5為WP1
//拼接起來即flag{UJWP1jMp}
flag{UJWP1jMp}
[GXYCTF2019]luck_guy
IDA 載入,檢視主函式
進入關鍵函式 patch_me
看到關鍵函式 get_flag,跟進去看到核心部分如下
分析一下這一部分的程式碼,首先會獲得一個隨機數種子,然後 %200 進入 switch
只有 1,4,5 這三個操作是有用的,而且還要按照 4-->5-->1 的順序,難怪題目為 lucky_boy
首先看 case4
case 4:
s = 0x7F666F6067756369LL;
v5 = 0;
strcat(&f2, (const char *)&s);
break;
可以發現,case4 對 f2 進行了賦值,將 s 賦值給 f2
然後看 case5
case 5:
for ( j = 0; j <= 7; ++j )
{
if ( j % 2 == 1 )
*(&f2 + j) -= 2;
else
--*(&f2 + j);
}
break;
將 f2 進行了些許變換,寫出指令碼
#include <bits/stdc++.h>
using namespace std;
char f2[] = {0x69, 0x63, 0x75, 0x67, 0x60, 0x6f, 0x66, 0x7f};
//由於IDA是反編譯C語言,s=0x69,0x63,0x75,0x67,0x60,0x6f,0x66,0x7f應該逆序成s=0x7F666F6067756369LL作為小端儲存
int main() {
for (int i = 0; i < 8; i++)
if (i % 2 == 1) f2[i] -= 2;
else --f2[i];
for (int i = 0; i < 8; i++)
cout << f2[i];
return 0;
}
得到了半個 flag:hate_me}
然後看 case1
case 1:
puts("OK, it's flag:");
memset(&s, 0, 0x28uLL);
strcat((char *)&s, f1);
strcat((char *)&s, &f2);
printf("%s", (const char *)&s);
break;
得知 flag 是由 f1 和 f2 拼接而成的,f2 就是我們上文得到的 "hate_me}",f1 的值雙擊就可以檢視
flag{do_not_hate_me}