#re刷题第七天
回了躺家,耽搁了,继续开始刷题吧
0x00 ReverseMe-120
还是老套路,载入IDA,看了下大致的逻辑,是比较清楚的,关键点就在于401000
这个函数,简单的动态调试了一下,发现是个base64解码,算法就很清楚了,先将输入的字符串进行base64解码,然后在于0x25异或,最后与you_know_how_to_remove_junk_code
做比较
写出解密脚本
import base64
cipher = 'you_know_how_to_remove_junk_code'
tmp = ''
for i in range(len(cipher)):
tmp += chr(ord(cipher[i])^0x25)
print base64.b64encode(tmp)
0x01 IgniteMe
载入IDA,F5大法
int __cdecl main(int argc, const char **argv, const char **envp)
{
void *v3; // eax
int v4; // edx
void *v5; // eax
int result; // eax
void *v7; // eax
void *v8; // eax
void *v9; // eax
size_t i; // [esp+4Ch] [ebp-8Ch]
char v11[4]; // [esp+50h] [ebp-88h]
char v12[28]; // [esp+58h] [ebp-80h]
char v13; // [esp+74h] [ebp-64h]
v3 = sub_402B30(&unk_446360, "Give me your flag:");
sub_4013F0(v3, sub_403670);
sub_401440(&dword_4463F0, v4, v12, 127);
if ( strlen(v12) < 0x1E && strlen(v12) > 4 )
{
strcpy(v11, "EIS{");
for ( i = 0; i < strlen(v11); ++i )
{
if ( v12[i] != v11[i] )
{
v7 = sub_402B30(&unk_446360, "Sorry, keep trying! ");
sub_4013F0(v7, sub_403670);
return 0;
}
}
if ( v13 == '}' )
{
if ( sub_4011C0(v12) )
v9 = sub_402B30(&unk_446360, "Congratulations! ");
else
v9 = sub_402B30(&unk_446360, "Sorry, keep trying! ");
sub_4013F0(v9, sub_403670);
result = 0;
}
else
{
v8 = sub_402B30(&unk_446360, "Sorry, keep trying! ");
sub_4013F0(v8, sub_403670);
result = 0;
}
}
else
{
v5 = sub_402B30(&unk_446360, "Sorry, keep trying!");
sub_4013F0(v5, sub_403670);
result = 0;
}
return result;
}
可以看到代码逻辑还是很清晰的,首先限制了输入的长度,然后限制了输入的flag格式,然后进入4011c0
函数进行check
简单的静态分析了一下,4011c0
函数中进行了一个大小写反转,遇到大写就转为小写,遇到小写就转为大写。然后有一个异或操作。最后做比较
bool __cdecl sub_4011C0(char *a1)
{
size_t v2; // eax
signed int v3; // [esp+50h] [ebp-B0h]
char v4[32]; // [esp+54h] [ebp-ACh]
int v5; // [esp+74h] [ebp-8Ch]
int v6; // [esp+78h] [ebp-88h]
size_t i; // [esp+7Ch] [ebp-84h]
char v8[128]; // [esp+80h] [ebp-80h]
if ( strlen(a1) <= 4 )
return 0;
i = 4;
v6 = 0;
while ( i < strlen(a1) - 1 )
v8[v6++] = a1[i++];
v8[v6] = 0;
v5 = 0;
v3 = 0;
memset(v4, 0, 0x20u);
for ( i = 0; ; ++i )
{
v2 = strlen(v8);
if ( i >= v2 )
break;
if ( v8[i] >= 'a' && v8[i] <= 'z' )
{
v8[i] -= 32;
v3 = 1;
}
if ( !v3 && v8[i] >= 65 && v8[i] <= 90 )
v8[i] += 32;
v4[i] = byte_4420B0[i] ^ sub_4013C0(v8[i]);
v3 = 0;
}
return strcmp("GONDPHyGjPEKruv{{pj]X@rF", v4) == 0;
}
4013c0
函数:
int __cdecl sub_4013C0(int a1)
{
return (a1 ^ 0x55) + 72;
}
写一个小的IDAPython脚本提取出来4420b0
地址的数据
start = 0x4420b0
end = 0x4420d0
key = []
while(start<end):
tmp = GetManyBytes(start,1)
key.append(ord(tmp))
start = start + 1
print key
写出解密脚本
key = [13, 19, 23, 17, 2, 1, 32, 29, 12, 2, 25, 47, 23, 43, 36, 31, 30, 22, 9, 15, 21, 39, 19, 38, 10, 47, 30, 26, 45, 12, 34, 4]
cipher = 'GONDPHyGjPEKruv{{pj]X@rF'
flag = ''
for i in range(len(cipher)):
flag += chr(((ord(cipher[i])^key[i])-72)^0x55)
print flag
将解密出来的flag,大小写转换后加上flag格式就是正确的flag