x2658y's Blog

杂七杂八的记事本

发表于 更新于 分类于 本文字数: 465 阅读时长 ≈ 2 分钟

无壳, 直接拖进IDA分析, F5查看伪代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  char v3[29]; // [esp+17h] [ebp-35h] BYREF
  int v4; // [esp+34h] [ebp-18h]
  int v5; // [esp+38h] [ebp-14h] BYREF
  int i; // [esp+3Ch] [ebp-10h]
  _BYTE v7[12]; // [esp+40h] [ebp-Ch] BYREF

  __main();		//源程序应该是C++写的, __main()函数调用了一个构造函数, 不管
  v4 = 0;
  strcpy(v3, "*11110100001010000101111#");	//奇怪的数字
  while ( 1 )
  {
    puts("you can choose one action to execute");
    puts("1 up");
    puts("2 down");
    puts("3 left");
    printf("4 right\n:");
    scanf("%d", &v5);
    if ( v5 == 2 )
    {
      ++*(_DWORD *)&v3[25];
    }
    else if ( v5 > 2 )
    {
      if ( v5 == 3 )
      {
        --v4;
      }
      else
      {
        if ( v5 != 4 )
LABEL_13:
          exit(1);
        ++v4;
      }
    }
    else
    {
      if ( v5 != 1 )
        goto LABEL_13;
      --*(_DWORD *)&v3[25];
    }
    for ( i = 0; i <= 1; ++i )
    {
      if ( *(int *)&v3[4 * i + 25] < 0 || *(int *)&v3[4 * i + 25] > 4 )
        exit(1);
    }
    if ( v7[5 * *(_DWORD *)&v3[25] - 41 + v4] == 49 )
      exit(1);
    if ( v7[5 * *(_DWORD *)&v3[25] - 41 + v4] == 35 )
    {
      puts("\nok, the order you enter is the flag!"); //好家伙, 我输入的就是flag?真够不一样的
      exit(0);
    }
  }
}

反编译出来的伪代码可读性极差, 花了很长时间写出等效形式的代码, 如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
#define _CRT_SECURE_NO_WARNINGS
#include <cstdio>
#include <cstdlib>
#include <cstring>

using namespace std;

int  main()
{
	char char_arr[25];
	int x_pos = 0;
	int y_pos = 0;
	strncpy(char_arr, "*11110100001010000101111#", 25);
	while (1)
	{
		printf("you can choose one action to execute\n1 up\n2 down\n3 left\n4 right\n:");
		int temp;
		scanf("%d", &temp);
		switch (temp)
		{
		case 1:
			--x_pos;
			break;
		case 2:
			++x_pos;
			break;
		case 3:
			--y_pos;
			break;
		case 4:
			++y_pos;
			break;
		}
		if (x_pos < 0 || x_pos > 4 || y_pos < 0 || y_pos > 4)
			exit(1);
		if (char_arr[5 * x_pos + y_pos] == '1')
			exit(1);
		if (char_arr[5 * x_pos + y_pos] == '#')
		{
			puts("\nok, the order you enter is the flag!");
			exit(0);
		}
	}
}

这样看结构清晰很多, 就是把*11110100001010000101111#这个字符串排成一个5x5的迷宫

1
2
3
4
5
6
7
8
9
    0  1  2  3  4
   -------------→
0 | *  1  1  1  1
1 | 0  1  0  0  0
2 | 0  1  0  1  0
3 | 0  0  0  1  0
4 ↓ 1  1  1  1  #
横为Y轴,竖为X轴, 0是路, 1是墙,*是起点, #是终点
走出迷宫只需要"下下下右右上上右右下下下", 即"222441144222"

所以flag就是flag{222441144222}

发表于 更新于 分类于 本文字数: 697 阅读时长 ≈ 3 分钟

无壳, 直接拖进IDA分析, F5查看伪代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
int __cdecl main_0(int argc, const char **argv, const char **envp)
{
  size_t v3; // eax
  const char *v4; // eax
  size_t v5; // eax
  char v7; // [esp+0h] [ebp-188h]
  char v8; // [esp+0h] [ebp-188h]
  signed int j; // [esp+DCh] [ebp-ACh]
  int i; // [esp+E8h] [ebp-A0h]
  signed int v11; // [esp+E8h] [ebp-A0h]
  char Destination[108]; // [esp+F4h] [ebp-94h] BYREF
  char Str[28]; // [esp+160h] [ebp-28h] BYREF
  char v14[8]; // [esp+17Ch] [ebp-Ch] BYREF

  for ( i = 0; i < 100; ++i )
  {
    if ( (unsigned int)i >= 0x64 )
      j____report_rangecheckfailure();	//应该是VS调试器加的代码,不管
    Destination[i] = 0;
  }
  sub_41132F("please enter the flag:", v7);
  sub_411375("%20s", (char)Str);
  v3 = j_strlen(Str);
  v4 = (const char *)sub_4110BE(Str, v3, v14);	//注意这个sub_4110BE()函数, 作用未知
      strncpy(Destination, v4, 0x28u);	//将sub_4110BE()返回值指向的字符拷到Destination数组
  v11 = j_strlen(Destination);
  for ( j = 0; j < v11; ++j )
    Destination[j] += j;		//字符移位
  v5 = j_strlen(Destination);
  if ( !strncmp(Destination, Str2, v5) )	//Str2="e3nifIH9b_C@n@dH"
    sub_41132F("rigth flag!\n", v8);		
  else
    sub_41132F("wrong flag!\n", v8);
  return 0;
}

关键在于sub_4110BE()这个函数, 菜鸡一时没看出来它是干啥的. 于是把它从IDA抠出来, 略作修改让它能跑起来, 命名为unknown(), 看看这个它的作用

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
#include <cstdio>
#include <cstdlib>
#include <cstring>

using namespace std;

void* __cdecl unknown(char* a1, unsigned int a2)	//第三个参数无用, 可删去
{
    int v4; // [esp+D4h] [ebp-38h]
    int v5; // [esp+D4h] [ebp-38h]
    int v6; // [esp+D4h] [ebp-38h]
    int v7; // [esp+D4h] [ebp-38h]
    int i; // [esp+E0h] [ebp-2Ch]
    unsigned int v9; // [esp+ECh] [ebp-20h]
    int v10; // [esp+ECh] [ebp-20h]
    int v11; // [esp+ECh] [ebp-20h]
    void* v12; // [esp+F8h] [ebp-14h]
    char* v13; // [esp+104h] [ebp-8h]

    if (!a1 || !a2)
        return 0;
    v9 = a2 / 3;
    if ((int)(a2 / 3) % 3)
        ++v9;
    v10 = 4 * v9;
    v12 = malloc(v10 + 1);
    if (!v12)
        return 0;
    memset(v12, 0, v10 + 1);
    char byte_41A144[4];
    char aAbcdefghijklmn[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\x00";
    //后来才知道,很明显这是一个base64的码表
    v13 = a1;
    v11 = a2;
    v4 = 0;
    while (v11 > 0)
    {
        byte_41A144[2] = 0;
        byte_41A144[1] = 0;
        byte_41A144[0] = 0;
        for (i = 0; i < 3 && v11 >= 1; ++i)
        {
            byte_41A144[i] = *v13;
            --v11;
            ++v13;
        }
        if (!i)
            break;
        switch (i)
        {
        case 1:
            *((unsigned char*)v12 + v4) = aAbcdefghijklmn[(int)(unsigned __int8)byte_41A144[0] >> 2];
            v5 = v4 + 1;
            *((unsigned char*)v12 + v5) = aAbcdefghijklmn[((byte_41A144[1] & 0xF0) >> 4) | (16 * (byte_41A144[0] & 3))];
            *((unsigned char*)v12 + ++v5) = aAbcdefghijklmn[64];
            *((unsigned char*)v12 + ++v5) = aAbcdefghijklmn[64];
            v4 = v5 + 1;
            break;
        case 2:
            *((unsigned char*)v12 + v4) = aAbcdefghijklmn[(int)(unsigned __int8)byte_41A144[0] >> 2];
            v6 = v4 + 1;
            *((unsigned char*)v12 + v6) = aAbcdefghijklmn[((byte_41A144[1] & 0xF0) >> 4) | (16 * (byte_41A144[0] & 3))];
            *((unsigned char*)v12 + ++v6) = aAbcdefghijklmn[((byte_41A144[2] & 0xC0) >> 6) | (4 * (byte_41A144[1] & 0xF))];
            *((unsigned char*)v12 + ++v6) = aAbcdefghijklmn[64];
            v4 = v6 + 1;
            break;
        case 3:
            *((unsigned char*)v12 + v4) = aAbcdefghijklmn[(int)(unsigned __int8)byte_41A144[0] >> 2];
            v7 = v4 + 1;
            *((unsigned char*)v12 + v7) = aAbcdefghijklmn[((byte_41A144[1] & 0xF0) >> 4) | (16 * (byte_41A144[0] & 3))];
            *((unsigned char*)v12 + ++v7) = aAbcdefghijklmn[((byte_41A144[2] & 0xC0) >> 6) | (4 * (byte_41A144[1] & 0xF))];
            *((unsigned char*)v12 + ++v7) = aAbcdefghijklmn[byte_41A144[2] & 0x3F];
            v4 = v7 + 1;
            break;
        }
    }
    *((unsigned char*)v12 + v4) = 0;
    return v12;
}

int main()
{
    char a[] = "Hello World!";
    printf("%s", (char*)unknown(a, sizeof(a)));
}
//SGVsbG8gV29ybGQhAA==
//看起来是进行base64编码的函数

知道了这个函数的作用, 接下来只需要处理一下字符的移位就可以还原出原文了

1
2
3
4
5
6
7
8
import base64

ciphertext = "e3nifIH9b_C@n@dH"
plaintext = ""
for i in range(0,len(ciphertext)):
    plaintext += chr(ord(ciphertext[i])-i)
print(base64.b64decode(plaintext).decode())
#{i_l0ve_you}

验证一下, 没毛病

image-20220121230115616

发表于 更新于 分类于 本文字数: 347 阅读时长 ≈ 1 分钟

下载下来发现文件不是exe, 先IDA看一下, 发现不是PE文件

image-20220121202632787

直接分析F5看伪代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int i; // [rsp+2Ch] [rbp-124h]
  char __b[264]; // [rsp+40h] [rbp-110h] BYREF

  memset(__b, 0, 0x100uLL);
  printf("Input your flag:\n");
  get_line(__b, 256LL);                 //将输入的字符串保存到__b数组中
  if ( strlen(__b) != 33 )              //输入的字符串必须长33字节(不含尾部'\0')
    goto LABEL_7;
  for ( i = 1; i < 33; ++i )			
    __b[i] ^= __b[i - 1];               //输入字符串的每后一位与前一位的异或
  if ( !strncmp(__b, global, 0x21uLL) ) //将异或后的结果与global这个字符串相比较
    printf("Success");
  else
LABEL_7:
    printf("Failed");
  return 0;
}

这这题需要用到一个知识点, 异或(XOR)两次会还原

1
2
101011 XOR 111111 = 010100  //101011111111异或
010100 XOR 111111 = 101011  //将异或所得结果再次与111111异或即可还原原文

所以只需要把global指向的字符串按照题目的方式再次进行一次异或即可得到原文, 原文应该就是flag

可以在IDA里使用shift+e提取字符数组

image-20220121205312277

解密代码如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
#include <cstdio>

using namespace std;

int main()
{
	unsigned char ciphertext[] =
	{
	  0x66, 0x0A, 0x6B, 0x0C, 0x77, 0x26, 0x4F, 0x2E, 0x40, 0x11,
	  0x78, 0x0D, 0x5A, 0x3B, 0x55, 0x11, 0x70, 0x19, 0x46, 0x1F,
	  0x76, 0x22, 0x4D, 0x23, 0x44, 0x0E, 0x67, 0x06, 0x68, 0x0F,
	  0x47, 0x32, 0x4F, 0x00
	};
	for (int i = 32; i >= 1; i--)
		ciphertext[i] ^= ciphertext[i - 1];
	printf("%s", ciphertext);
}
//flag{QianQiuWanDai_YiTongJiangHu}
0%