BUUOJ N1BOOK的几道高级语言逆向题

N0zoM1z0

已于 2024-04-28 16:27:18 修改

阅读量251

点赞数 5

文章标签： c++

于 2024-04-28 16:26:22 首次发布

本文链接：https://blog.csdn.net/ULGANOY/article/details/138282306

版权

easyCSharp

die检查发现有壳
在这里插入图片描述
用de4dot把壳脱掉拖进dnspy发现啥也没有

用IDA看能看到这种代码：

跟着逆就行

密文: IqmrKHtIFa15wi+hfFFfyhcIgsxQQvK07ZZgbZpG4FU=

easy_rust

由于rust代码冗长所以我们可以通过string搜索关键字符串比如搜索flag
找到输入点发现在一个base64encode里
再在函数列表搜索main 进入main
核心逻辑就这两句:

  BASE64ENCODE((__int64)v14, (__int64)(&v11.private_2 + 1));
  if ( (_$LT$alloc..string..String$u20$as$u20$core..cmp..PartialEq$GT$::eq::h785456d93284be99(v14, &v11) & 1) != 0 )

这是base64和check
发现check的两个值都在base64encode的参数里
进入base64encode 可以发现这样一句

core::panicking::panic::hb5daa85c7c72fc62(
        "attempt to add with overflowxkPmey0LoJt4u5A9MznQhZEH6VSUvRX=Y13fi8srlaTdwGB2+q7cg/bKjpNCFIODInput your flag:\n"
        "Ufy3UbIdXc82u0z=Sfk3=MlWFailed to read lineTrue!\n"
        "False!\n",
        28LL,
        &off_23FE58);

结合语言特性这种就是把函数用上的参数/字符串都写进去了
很容易猜出overflow后面的是base64变表 flag后面的是密文
变表base64解就行了

n1book{9o0d_j0b}

easy_go

函数列表搜索main 进入main_main
查找发现没有main_init 所以放心分析main_main即可
代码很短
check len and format:

if ( p_string->len == 21
    && (*(_DWORD *)ptr != 1868706158 || *((_WORD *)ptr + 2) != 27503 ? (v1 = 0) : (v1 = ptr[6] == 123),
        v1 && ptr[20] == 125) )

Final_Check:

for ( i = 0LL; i < 13; ++i )
    {
      if ( i >= v4 )
        runtime_panicIndex();
      if ( byte_561538[i] + byte_561518[i] * *(_BYTE *)(i + v3) != byte_561528[i] )
        goto LABEL_12;
    }

找到对应值爆破即可

enc = [0xB7, 0x9C, 0x79, 0x43, 0x9B, 0xAF, 0x94, 0xE4, 0x94, 0x71, 0xEC, 0xEA, 0x8E, 0x00, 0x00, 0x00]
key1 = [0xD3, 0x75, 0x9B, 0xF9, 0xA3, 0x87, 0xED, 0x93, 0x8D, 0xDD, 0x77, 0xED, 0x67, 0x00, 0x00, 0x00]
key2 = [0xDB, 0x9E, 0xB7, 0x9A, 0x91, 0xCA, 0xA1, 0x6B, 0x97, 0xC1, 0x74, 0xB3, 0x90, 0x00, 0x00, 0x00]
flag = "n1book{"
for i in range(13):
    for x in range(32,128):
        check = (key2[i]+key1[i]*x)&0xff
        if check==enc[i]:
            flag += chr(x)
            break
        
    print(flag)
flag += "}"
print(flag)

n1book{4Ff1n3_C1pH3R}

easy_mfc

这题打开还是不好找到逻辑
WinMain里面貌似没有进行check操作
还好函数很少挨个翻
翻到有个check

  v7[0] = 0x928C9DBC;
  v7[1] = 0x21864740;
  v7[2] = 0xFD8FACF5;
  v3 = *(_DWORD *)(a2 - 12) == 26;              // len=26
  v7[3] = 0x3AE9E468;
  v7[4] = 0x64B366C0;
  v7[5] = 0x22D3797E;
  v8 = 0xF831;
  v5[0] = 0xFDEEACD2;
  v5[1] = 0x79FD2C2F;
  v5[2] = 0x85D0DEC5;
  v5[3] = 0xBB6B658;
  v5[4] = 0x54C039F5;
  v5[5] = 0x54E21F21;
  v6 = 0x8502;
  if ( v3 )
  {
    v4 = 0;                                     // CHECK！
    while ( (*((unsigned __int8 *)v7 + v4) ^ (unsigned __int16)ATL::CSimpleStringT<wchar_t,1>::GetAt(&a2, v4)) == *((unsigned __int8 *)v5 + v4) )
    {
      if ( ++v4 >= *(_DWORD *)(a2 - 12) )
      {
        CWnd::SetDlgItemTextW(this, -1, L"OK");
        goto LABEL_7;
      }
    }
  }
  CWnd::SetDlgItemTextW(this, -1, L"Error");

这里提取出两个数组 xor回去即可

enc1 = "BC9D8C9240478621F5AC8FFD68E4E93AC066B3647E79D32231F8"
enc2 = "D2ACEEFD2F2CFD79C5DED08558B6B60BF539C054211FE2540285"
enc1 = [int(enc1[i*2:i*2+2],16) for i in range(len(enc1)//2)]
enc2 = [int(enc2[i*2:i*2+2],16) for i in range(len(enc2)//2)]
for i in range(len(enc1)):
    print(chr(enc1[i]^enc2[i]),end='')