x2658y's Blog

杂七杂八的记事本

发表于 更新于 分类于 本文字数: 565 阅读时长 ≈ 2 分钟

不是PE文件, 直接拖进IDA分析, F5查看伪代码

image-20220122141058186 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  int v3; // eax
  char v4; // [rsp+Fh] [rbp-1h]

  while ( 1 )
  {
    while ( 1 )
    {
      printf("Welcome to CTF game!\nPlease input d/D to start or input q/Q to quit this program: ");
      v4 = getchar();
      if ( v4 != 100 && v4 != 68 )
        break;
      Decry();	//重点就在这个函数里面
    }
    if ( v4 == 113 || v4 == 81 )
      Exit("Welcome to CTF game!\nPlease input d/D to start or input q/Q to quit this program: ", argv);		//退出函数这里为啥要传参进去?不是很懂
    puts("Input fault format!");
    v3 = getchar();
    putchar(v3);
  }
}

Decry()函数长这样

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
unsigned __int64 Decry()
{
  char v1; // [rsp+Fh] [rbp-51h]
  int v2; // [rsp+10h] [rbp-50h]
  int v3; // [rsp+14h] [rbp-4Ch]
  int i; // [rsp+18h] [rbp-48h]
  int v5; // [rsp+1Ch] [rbp-44h]
  char src[8]; // [rsp+20h] [rbp-40h] BYREF
  __int64 v7; // [rsp+28h] [rbp-38h]
  int v8; // [rsp+30h] [rbp-30h]
  __int64 v9[2]; // [rsp+40h] [rbp-20h] BYREF
  int v10; // [rsp+50h] [rbp-10h]
  unsigned __int64 v11; // [rsp+58h] [rbp-8h]

  v11 = __readfsqword(0x28u);
  /*__readfsqword()函数从FS:[Offset]读取4字长的内容,同理还有__readfsbyte()等函数, 此处作用未知*/
  *(_QWORD *)src = 0x534C43444ELL;
  v7 = 0LL;
  v8 = 0;
  v9[0] = 0x776F646168LL;
  v9[1] = 0LL;
  v10 = 0;
  text = (char *)join(key3, v9);	//自定义的字符拼接,text="killshadow"
  strcpy(key, key1);
  strcat(key, src);		//key="ADSFKNDCLS"
  v2 = 0;
  v3 = 0;
  getchar();
  v5 = strlen(key);
  for ( i = 0; i < v5; ++i )
  {
    if ( key[v3 % v5] > 64 && key[v3 % v5] <= 90 )
      key[i] = key[v3 % v5] + 32;	//将key中每个字符由大写转成小写
    ++v3;
  }
  printf("Please input your flag:");
  while ( 1 )
  {
    v1 = getchar();
    if ( v1 == 10 )
      break;
    if ( v1 == 32 )
    {
      ++v2;
    }
    else
    {
      if ( v1 <= 96 || v1 > 122 )
      {
        if ( v1 > 64 && v1 <= 90 )
        {
          str2[v2] = (v1 - 39 - key[v3 % v5] + 97) % 26 + 97;
          ++v3;
        }
      }
      else
      {
        str2[v2] = (v1 - 39 - key[v3 % v5] + 97) % 26 + 97;
        ++v3;
      }
      if ( !(v3 % v5) )
        putchar(32);
      ++v2;
    }
  }
  if ( !strcmp(text, str2) )
    puts("Congratulation!\n");
  else
    puts("Try again!\n");
  return __readfsqword(0x28u) ^ v11;
}

主要就是逆向这一段, 得出v1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
while ( 1 )
  {
    v1 = getchar();
    if ( v1 == 10 )
      break;
    if ( v1 == 32 )
    {
      ++v2;
    }
    else
    {
      if ( v1 <= 96 || v1 > 122 )
      {
        if ( v1 > 64 && v1 <= 90 )
        {
          str2[v2] = (v1 - 39 - key[v3 % v5] + 97) % 26 + 97;
          ++v3;
        }
      }
      else
      {
        str2[v2] = (v1 - 39 - key[v3 % v5] + 97) % 26 + 97;
        ++v3;
      }
      if ( !(v3 % v5) )
        putchar(32);
      ++v2;
    }
  }

写出解密脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
#include <cstdio>
#include <cstring>

using namespace std;

int main()
{
    char key[16] = "adsfkndcls";
    char ciphertext[16] = "killshadow";
    char plaintext[16] = { 0 };
    char key_offset = 0;
    for (int i = 0; i < strlen(ciphertext); i++)
        for (char c = 32; c < 127; c++) //穷举所有可打印ASCII字符
        {
            char temp = c;
            if (('a' <= c && c <= 'z') or ('A' <= c && c <= 'Z'))
                temp = (c - 39 - key[key_offset % strlen(key)] + 97) % 26 + 97;
            if (temp == ciphertext[i])
            {
                plaintext[i] = c;
                key_offset++;
                break;
            }
        }
    printf("%s", plaintext);
}
//KLDQCUDFZO

所以flag就是flag{KLDQCUDFZO}

发表于 更新于 分类于 本文字数: 465 阅读时长 ≈ 2 分钟

无壳, 直接拖进IDA分析, F5查看伪代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  char v3[29]; // [esp+17h] [ebp-35h] BYREF
  int v4; // [esp+34h] [ebp-18h]
  int v5; // [esp+38h] [ebp-14h] BYREF
  int i; // [esp+3Ch] [ebp-10h]
  _BYTE v7[12]; // [esp+40h] [ebp-Ch] BYREF

  __main();		//源程序应该是C++写的, __main()函数调用了一个构造函数, 不管
  v4 = 0;
  strcpy(v3, "*11110100001010000101111#");	//奇怪的数字
  while ( 1 )
  {
    puts("you can choose one action to execute");
    puts("1 up");
    puts("2 down");
    puts("3 left");
    printf("4 right\n:");
    scanf("%d", &v5);
    if ( v5 == 2 )
    {
      ++*(_DWORD *)&v3[25];
    }
    else if ( v5 > 2 )
    {
      if ( v5 == 3 )
      {
        --v4;
      }
      else
      {
        if ( v5 != 4 )
LABEL_13:
          exit(1);
        ++v4;
      }
    }
    else
    {
      if ( v5 != 1 )
        goto LABEL_13;
      --*(_DWORD *)&v3[25];
    }
    for ( i = 0; i <= 1; ++i )
    {
      if ( *(int *)&v3[4 * i + 25] < 0 || *(int *)&v3[4 * i + 25] > 4 )
        exit(1);
    }
    if ( v7[5 * *(_DWORD *)&v3[25] - 41 + v4] == 49 )
      exit(1);
    if ( v7[5 * *(_DWORD *)&v3[25] - 41 + v4] == 35 )
    {
      puts("\nok, the order you enter is the flag!"); //好家伙, 我输入的就是flag?真够不一样的
      exit(0);
    }
  }
}

反编译出来的伪代码可读性极差, 花了很长时间写出等效形式的代码, 如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
#define _CRT_SECURE_NO_WARNINGS
#include <cstdio>
#include <cstdlib>
#include <cstring>

using namespace std;

int  main()
{
	char char_arr[25];
	int x_pos = 0;
	int y_pos = 0;
	strncpy(char_arr, "*11110100001010000101111#", 25);
	while (1)
	{
		printf("you can choose one action to execute\n1 up\n2 down\n3 left\n4 right\n:");
		int temp;
		scanf("%d", &temp);
		switch (temp)
		{
		case 1:
			--x_pos;
			break;
		case 2:
			++x_pos;
			break;
		case 3:
			--y_pos;
			break;
		case 4:
			++y_pos;
			break;
		}
		if (x_pos < 0 || x_pos > 4 || y_pos < 0 || y_pos > 4)
			exit(1);
		if (char_arr[5 * x_pos + y_pos] == '1')
			exit(1);
		if (char_arr[5 * x_pos + y_pos] == '#')
		{
			puts("\nok, the order you enter is the flag!");
			exit(0);
		}
	}
}

这样看结构清晰很多, 就是把*11110100001010000101111#这个字符串排成一个5x5的迷宫

1
2
3
4
5
6
7
8
9
    0  1  2  3  4
   -------------→
0 | *  1  1  1  1
1 | 0  1  0  0  0
2 | 0  1  0  1  0
3 | 0  0  0  1  0
4 ↓ 1  1  1  1  #
横为Y轴,竖为X轴, 0是路, 1是墙,*是起点, #是终点
走出迷宫只需要"下下下右右上上右右下下下", 即"222441144222"

所以flag就是flag{222441144222}

发表于 更新于 分类于 本文字数: 697 阅读时长 ≈ 3 分钟

无壳, 直接拖进IDA分析, F5查看伪代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
int __cdecl main_0(int argc, const char **argv, const char **envp)
{
  size_t v3; // eax
  const char *v4; // eax
  size_t v5; // eax
  char v7; // [esp+0h] [ebp-188h]
  char v8; // [esp+0h] [ebp-188h]
  signed int j; // [esp+DCh] [ebp-ACh]
  int i; // [esp+E8h] [ebp-A0h]
  signed int v11; // [esp+E8h] [ebp-A0h]
  char Destination[108]; // [esp+F4h] [ebp-94h] BYREF
  char Str[28]; // [esp+160h] [ebp-28h] BYREF
  char v14[8]; // [esp+17Ch] [ebp-Ch] BYREF

  for ( i = 0; i < 100; ++i )
  {
    if ( (unsigned int)i >= 0x64 )
      j____report_rangecheckfailure();	//应该是VS调试器加的代码,不管
    Destination[i] = 0;
  }
  sub_41132F("please enter the flag:", v7);
  sub_411375("%20s", (char)Str);
  v3 = j_strlen(Str);
  v4 = (const char *)sub_4110BE(Str, v3, v14);	//注意这个sub_4110BE()函数, 作用未知
      strncpy(Destination, v4, 0x28u);	//将sub_4110BE()返回值指向的字符拷到Destination数组
  v11 = j_strlen(Destination);
  for ( j = 0; j < v11; ++j )
    Destination[j] += j;		//字符移位
  v5 = j_strlen(Destination);
  if ( !strncmp(Destination, Str2, v5) )	//Str2="e3nifIH9b_C@n@dH"
    sub_41132F("rigth flag!\n", v8);		
  else
    sub_41132F("wrong flag!\n", v8);
  return 0;
}

关键在于sub_4110BE()这个函数, 菜鸡一时没看出来它是干啥的. 于是把它从IDA抠出来, 略作修改让它能跑起来, 命名为unknown(), 看看这个它的作用

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
#include <cstdio>
#include <cstdlib>
#include <cstring>

using namespace std;

void* __cdecl unknown(char* a1, unsigned int a2)	//第三个参数无用, 可删去
{
    int v4; // [esp+D4h] [ebp-38h]
    int v5; // [esp+D4h] [ebp-38h]
    int v6; // [esp+D4h] [ebp-38h]
    int v7; // [esp+D4h] [ebp-38h]
    int i; // [esp+E0h] [ebp-2Ch]
    unsigned int v9; // [esp+ECh] [ebp-20h]
    int v10; // [esp+ECh] [ebp-20h]
    int v11; // [esp+ECh] [ebp-20h]
    void* v12; // [esp+F8h] [ebp-14h]
    char* v13; // [esp+104h] [ebp-8h]

    if (!a1 || !a2)
        return 0;
    v9 = a2 / 3;
    if ((int)(a2 / 3) % 3)
        ++v9;
    v10 = 4 * v9;
    v12 = malloc(v10 + 1);
    if (!v12)
        return 0;
    memset(v12, 0, v10 + 1);
    char byte_41A144[4];
    char aAbcdefghijklmn[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\x00";
    //后来才知道,很明显这是一个base64的码表
    v13 = a1;
    v11 = a2;
    v4 = 0;
    while (v11 > 0)
    {
        byte_41A144[2] = 0;
        byte_41A144[1] = 0;
        byte_41A144[0] = 0;
        for (i = 0; i < 3 && v11 >= 1; ++i)
        {
            byte_41A144[i] = *v13;
            --v11;
            ++v13;
        }
        if (!i)
            break;
        switch (i)
        {
        case 1:
            *((unsigned char*)v12 + v4) = aAbcdefghijklmn[(int)(unsigned __int8)byte_41A144[0] >> 2];
            v5 = v4 + 1;
            *((unsigned char*)v12 + v5) = aAbcdefghijklmn[((byte_41A144[1] & 0xF0) >> 4) | (16 * (byte_41A144[0] & 3))];
            *((unsigned char*)v12 + ++v5) = aAbcdefghijklmn[64];
            *((unsigned char*)v12 + ++v5) = aAbcdefghijklmn[64];
            v4 = v5 + 1;
            break;
        case 2:
            *((unsigned char*)v12 + v4) = aAbcdefghijklmn[(int)(unsigned __int8)byte_41A144[0] >> 2];
            v6 = v4 + 1;
            *((unsigned char*)v12 + v6) = aAbcdefghijklmn[((byte_41A144[1] & 0xF0) >> 4) | (16 * (byte_41A144[0] & 3))];
            *((unsigned char*)v12 + ++v6) = aAbcdefghijklmn[((byte_41A144[2] & 0xC0) >> 6) | (4 * (byte_41A144[1] & 0xF))];
            *((unsigned char*)v12 + ++v6) = aAbcdefghijklmn[64];
            v4 = v6 + 1;
            break;
        case 3:
            *((unsigned char*)v12 + v4) = aAbcdefghijklmn[(int)(unsigned __int8)byte_41A144[0] >> 2];
            v7 = v4 + 1;
            *((unsigned char*)v12 + v7) = aAbcdefghijklmn[((byte_41A144[1] & 0xF0) >> 4) | (16 * (byte_41A144[0] & 3))];
            *((unsigned char*)v12 + ++v7) = aAbcdefghijklmn[((byte_41A144[2] & 0xC0) >> 6) | (4 * (byte_41A144[1] & 0xF))];
            *((unsigned char*)v12 + ++v7) = aAbcdefghijklmn[byte_41A144[2] & 0x3F];
            v4 = v7 + 1;
            break;
        }
    }
    *((unsigned char*)v12 + v4) = 0;
    return v12;
}

int main()
{
    char a[] = "Hello World!";
    printf("%s", (char*)unknown(a, sizeof(a)));
}
//SGVsbG8gV29ybGQhAA==
//看起来是进行base64编码的函数

知道了这个函数的作用, 接下来只需要处理一下字符的移位就可以还原出原文了

1
2
3
4
5
6
7
8
import base64

ciphertext = "e3nifIH9b_C@n@dH"
plaintext = ""
for i in range(0,len(ciphertext)):
    plaintext += chr(ord(ciphertext[i])-i)
print(base64.b64decode(plaintext).decode())
#{i_l0ve_you}

验证一下, 没毛病

image-20220121230115616
0%