[BUUCTF]刮开有奖

无壳, 直接拖进IDA分析, F5查看伪代码

主函数很简洁

1
2
3
4
5
6
int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
DialogBoxParamA(hInstance, (LPCSTR)0x67, 0, DialogFunc, 0);
//玄机就在DialogFunc()函数中
return 0;
}

跟进DialogFunc()函数, 发现两个作用不明的函数

image-20220123002708137

sub_4010F0函数抠出来测试发现它会修改v7[0]v7[1]以及v8~v16的值

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
#include <cstdio>

using namespace std;

int __cdecl sub_4010F0(int a1, int a2, int a3)
{
int result; // eax
int i; // esi
int v5; // ecx
int v6; // edx

result = a3;
for (i = a2; i <= a3; a2 = i)
{
v5 = 4 * i;
v6 = *(unsigned long*)(4 * i + a1);
if (a2 < result && i < result)
{
do
{
if (v6 > *(unsigned long*)(a1 + 4 * result))
{
if (i >= result)
break;
++i;
*(unsigned long*)(v5 + a1) = *(unsigned long*)(a1 + 4 * result);
if (i >= result)
break;
while (*(unsigned long*)(a1 + 4 * i) <= v6)
{
if (++i >= result)
goto LABEL_13;
}
if (i >= result)
break;
v5 = 4 * i;
*(unsigned long*)(a1 + 4 * result) = *(unsigned long*)(4 * i + a1);
}
--result;
} while (i < result);
}
LABEL_13:
*(unsigned long*)(a1 + 4 * result) = v6;
sub_4010F0(a1, a2, i - 1);
result = a3;
++i;
}
return result;
}

int main()
{
int arr[11] = { 90,74,83,69,67,97,78,72,51,110,103 };
sub_4010F0((int)arr, 0, 10);
for (int i = 0; i < 11; i++)
printf("%d ", arr[i]);
}
//51 67 69 72 74 78 83 90 97 103 110
//当作ASCII字符就是"3CEHJNSZagn"
//每一位分别对应v7[0]、v7[1]以及v8~v16的值
//显然sub_4010F0()的作用是升序排序

sub_401000()函数, 可以根据其中用到的码表推测, 是base64编码函数

image-20220123002448205
image-20220123002452161

然后DialogFunc()函数的算法就清晰了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
INT_PTR __stdcall DialogFunc(HWND hDlg, UINT a2, WPARAM a3, LPARAM a4)
{
const char *v4; // esi
const char *v5; // edi
int v7[2]; // [esp+8h] [ebp-20030h] BYREF
int v8; // [esp+10h] [ebp-20028h]
int v9; // [esp+14h] [ebp-20024h]
int v10; // [esp+18h] [ebp-20020h]
int v11; // [esp+1Ch] [ebp-2001Ch]
int v12; // [esp+20h] [ebp-20018h]
int v13; // [esp+24h] [ebp-20014h]
int v14; // [esp+28h] [ebp-20010h]
int v15; // [esp+2Ch] [ebp-2000Ch]
int v16; // [esp+30h] [ebp-20008h]
CHAR String[65536]; // [esp+34h] [ebp-20004h] BYREF
char v18[65536]; // [esp+10034h] [ebp-10004h] BYREF

if ( a2 == 272 )
return 1;
if ( a2 != 273 )
return 0;
if ( (_WORD)a3 == 1001 )
{
memset(String, 0, 0xFFFFu);
GetDlgItemTextA(hDlg, 1000, String, 0xFFFF);
if ( strlen(String) == 8 )
{
v7[0] = 90;
v7[1] = 74;
v8 = 83;
v9 = 69;
v10 = 67;
v11 = 97;
v12 = 78;
v13 = 72;
v14 = 51;
v15 = 110;
v16 = 103;
sub_4010F0((int)v7, 0, 10); //将v7[0]、v7[1]以及v8~v16进行升序排序
memset(v18, 0, 0xFFFFu);
v18[0] = String[5];
v18[2] = String[7];
v18[1] = String[6];
v4 = (const char *)sub_401000(v18, strlen(v18)); //对String的5~7位进行base64编码
memset(v18, 0, 0xFFFFu);
v18[1] = String[3];
v18[0] = String[2];
v18[2] = String[4];
v5 = (const char *)sub_401000(v18, strlen(v18)); //对String的2~4位进行base64编码
if ( String[0] == v7[0] + 34 //String[0]='U', v7='3'
&& String[1] == v10 //String[1]='J', v10='J'
&& 4 * String[2] - 141 == 3 * v8 //String[2]='W', v8='E'
&& String[3] / 4 == 2 * (v13 / 9) //String[3]='P', v13='Z'
&& !strcmp(v4, "ak1w") //base64解码可知String[5]~String[7]="jMp"
&& !strcmp(v5, "V1Ax") ) //同理String[2]~String[4]="WP1"
{
MessageBoxA(hDlg, "U g3t 1T!", "@_@", 0);
}
}
return 0;
}
if ( (_WORD)a3 != 1 && (_WORD)a3 != 2 )
return 0;
EndDialog(hDlg, (unsigned __int16)a3);
return 1;
}

String的8位连起来就是UJWP1jMp, 所以flag就是flag{UJWP1jMp}