ReverseMe-120
打开是个可执行文件,先随便输入
ida打开,查看main函数,反汇编
int __cdecl main(int argc, const char **argv, const char **envp)
{
unsigned int v3; // edx
unsigned int v4; // ecx
__m128i v5; // xmm1
unsigned int v6; // esi
const __m128i *v7; // eax
__m128i v8; // xmm0
int v9; // eax
char v11; // [esp+0h] [ebp-CCh] BYREF
char v12[99]; // [esp+1h] [ebp-CBh] BYREF
char v13; // [esp+64h] [ebp-68h] BYREF
char v14[99]; // [esp+65h] [ebp-67h] BYREF
unsigned int v15; // [esp+C8h] [ebp-4h]
printf("please input your flah:");
v11 = 0;
memset(v12, 0, sizeof(v12));
scanf("%s", &v11);
v13 = 0;
memset(v14, 0, sizeof(v14));
sub_401000(&v11, strlen(&v11));
v3 = v15;
v4 = 0;
if ( v15 )
{
if ( v15 >= 0x10 )
{
v5 = _mm_load_si128((const __m128i *)&xmmword_414F20);
v6 = v15 - (v15 & 0xF);
v7 = (const __m128i *)&v13;
do
{
v8 = _mm_loadu_si128(v7);
v4 += 16;
++v7;
v7[-1] = _mm_xor_si128(v8, v5);
}
while ( v4 < v6 );
}
for ( ; v4 < v3; ++v4 )
*(&v13 + v4) ^= 0x25u; //依次进行异或处理
}
v9 = strcmp(&v13, "you_know_how_to_remove_junk_code");//异或处理后与字符串进行比较
if ( v9 ) //关键条件V9
v9 = v9 < 0 ? -1 : 1;
if ( v9 )
printf("wrong\n");
else
printf("correct\n");
system("pause");
return 0;
}
关键条件v9是v13 和字符串you_know_how_to_remove_junk_code比较的结果,比较之前又和0x25依次进行了异或比较
我们输入的v11经过函数sub_401000得到v13,追到函数sub_401000
int __usercall sub_401000@<eax>(unsigned int *a1@<edx>, _BYTE *a2@<ecx>, unsigned __int8 *a3, unsigned int a4)
{
int v4; // ebx
unsigned int v5; // eax
int v6; // ecx
unsigned __int8 *v7; // edi
int v8; // edx
bool v9; // zf
unsigned __int8 v10; // cl
char v11; // cl
_BYTE *v12; // esi
unsigned int v13; // ecx
int v14; // ebx
unsigned __int8 v15; // cl
char v16; // dl
int v20; // [esp+14h] [ebp-4h]
unsigned int v21; // [esp+14h] [ebp-4h]
int i; // [esp+24h] [ebp+Ch]
v4 = 0;
v5 = 0;
v6 = 0;
v20 = 0;
if ( !a4 )
return 0;
v7 = a3;
do
{
v8 = 0;
v9 = v5 == a4;
if ( v5 < a4 )
{
do
{
if ( a3[v5] != 32 )
break;
++v5;
++v8;
}
while ( v5 < a4 );
v9 = v5 == a4;
}
if ( v9 )
break;
if ( a4 - v5 >= 2 && a3[v5] == 13 && a3[v5 + 1] == 10 || (v10 = a3[v5], v10 == 10) )
{
v6 = v20;
}
else
{
if ( v8 )
return -44;
if ( v10 == 61 && (unsigned int)++v4 > 2 )
return -44;
if ( v10 > 0x7Fu )
return -44;
v11 = byte_414E40[v10];
if ( v11 == 127 || (unsigned __int8)v11 < 0x40u && v4 )
return -44;
v6 = ++v20;
}
++v5;
}
while ( v5 < a4 );
if ( !v6 )
return 0;
v12 = a2;
v13 = ((unsigned int)(6 * v6 + 7) >> 3) - v4;
if ( a2 && *a1 >= v13 )
{
v21 = 3;
v14 = 0;
for ( i = 0; v5; --v5 )
{
v15 = *v7;
if ( *v7 != 13 && v15 != 10 && v15 != 32 )
{
v16 = byte_414E40[v15]; //base64解码表
v21 -= v16 == 64;
v14 = v16 & 0x3F | (v14 << 6);
if ( ++i == 4 )
{
i = 0;
if ( v21 )
*v12++ = BYTE2(v14);
if ( v21 > 1 )
*v12++ = BYTE1(v14);
if ( v21 > 2 )
*v12++ = v14;
}
}
++v7;
}
*a1 = v12 - a2;
return 0;
}
*a1 = v13;
return -42;
}
看来wp才知道sub_401000是个base64解码
思路大致是输入v11,base64解码,依次和0x25依次进行异或,最后和字符串you_know_how_to_remove_junk_code进行比较
写脚本
import base64
string='you_know_how_to_remove_junk_code'
flag=''
for i in string:
flag+=chr(ord(i)^0x25)
print(base64.b64encode(flag.encode()))
运行得到flag
XEpQek5LSlJ6TUpSelFKeldASEpTQHpPUEtOekZKQUA=