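攻防世界 REVERSE beginner area / no-strings-attached
Download the attachment and inspect it with exeinfope.
The file is not packed. Open it in 32-bit IDA, find the main function, and press F5 to view the pseudocode.
main calls four functions in total. The first three contain nothing useful, so focus on the fourth.
Follow the fourth function.
Analysing the code: fgetws reads a string from the keyboard, and the function also calls wcslen() and wcscmp().
This is clearly a string comparison routine; wcslen() and wcscmp() are the wide-character counterparts of strlen() and strcmp().
The input string is stored in ws and then compared with s2; if they are equal, success is printed.
So the next step is to work out the value of s2.
Follow s: the hex byte just before each 14h is a value in s, so write down the characters of s one by one.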
int s[] = {0x36,0x37,0x3B,0x80,0x7A,0x71,0x78,0x63,0x66,0x73,0x67,0x62,
0x65,0x73,0x60,0x6B,0x71,0x78,0x6A,0x73,0x70,0x64,0x78,
0x6E,0x70,0x70,0x64,0x70,0x64,0x6E,0x7B,0x76,0x78,0x6A,0x73,0x7B,0x80};
Next look at dword_8048A90 and write it down in the same way.
int dw[] = {2,3,4,5};
Next, follow the decrypt function.
It is a very simple algorithm that returns a pointer, dest, so dest is the flag. Just rewrite the same logic:
int v6 = 37;
int v7 = 4;
int v4 = 0;
while (v4 < v6)
{
    for (int i = 0; i < v7 && v4 < v6; i++)
    {
        s[v4++] -= dw[i];
    }
}
Full code:
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
int main()
{
    /* key values transcribed from dword_8048A90 */
    int dw[] = {2,3,4,5};
    /* values transcribed from s */
    int s[] = {0x36,0x37,0x3B,0x80,0x7A,0x71,0x78,0x63,0x66,0x73,0x67,0x62,
               0x65,0x73,0x60,0x6B,0x71,0x78,0x6A,0x73,0x70,0x64,0x78,
               0x6E,0x70,0x70,0x64,0x70,0x64,0x6E,0x7B,0x76,0x78,0x6A,0x73,0x7B,0x80};
    int v6 = 37;   /* number of elements in s */
    int v7 = 4;    /* number of elements in dw */
    int v4 = 0;
    while (v4 < v6)
    {
        /* subtract the key from s, restarting the key every v7 elements */
        for (int i = 0; i < v7 && v4 < v6; i++)
        {
            s[v4++] -= dw[i];
            printf("%c", s[v4 - 1]);
        }
    }
    return 0;
}
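Output:
This result is obviously wrong. It does begin with 447, though, and looking at the challenge again, it comes from 9447 CTF: three digits match, but a 9 is missing.
Going by the encryption algorithm from before, the likely cause is that both s and dw are missing one number at the front.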
int v6 = 37;
int v7 = 4;
int v4 = 0;
while (v4 < v6)
{
    for (int i = 0; i < v7 && v4 < v6; i++)
    {
        s[v4++] -= dw[i];
    }
}
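Looking at s and dw again, each has a dd at the start. The later numbers have only two digits, while this one has four, so taking the latter half of 143Ah gives 14h; likewise for dw, which gives 01.
Add these two missing numbers to the front: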
int dw[] = {1,2,3,4,5};
int s[] = {0x3A,0x36,0x37,0x3B,0x80,0x7A,0x71,0x78,0x63,0x66,0x73,0x67,0x62,
0x65,0x73,0x60,0x6B,0x71,0x78,0x6A,0x73,0x70,0x64,0x78,
0x6E,0x70,0x70,0x64,0x70,0x64,0x6E,0x7B,0x76,0x78,0x6A,0x73,0x7B,0x80};
Here is the full code:
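#include <stdlib.h>
#include <stdio.h>
int main()
{
    /* key values, with the missing first element restored */
    int dw[] = {1,2,3,4,5};
    /* values of s, with the missing first element restored */
    int s[] = {0x3A,0x36,0x37,0x3B,0x80,0x7A,0x71,0x78,0x63,0x66,0x73,0x67,0x62,
               0x65,0x73,0x60,0x6B,0x71,0x78,0x6A,0x73,0x70,0x64,0x78,
               0x6E,0x70,0x70,0x64,0x70,0x64,0x6E,0x7B,0x76,0x78,0x6A,0x73,0x7B,0x80};
    int v6 = 38;   /* number of elements in s */
    int v7 = 5;    /* number of elements in dw */
    int v4 = 0;
    while (v4 < v6)
    {
        /* subtract the key from s, restarting the key every v7 elements */
        for (int i = 0; i < v7 && v4 < v6; i++)
        {
            s[v4++] -= dw[i];
            printf("%c", s[v4 - 1]);
        }
    }
    return 0;
}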
Running it gives the flag: 9447{you_are_an_international_mystery}
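As an added example (not part of the original writeup or the challenge binary), the same cyclic subtraction can be run on whole 32-bit wide characters, with lengths measured from the zero terminator instead of hard-coded, followed by a flag-format check that rejects a mis-transcribed array. The 0x14 upper byte on every element, the key values 0x1401 to 0x1405, and the names wlen32, decrypt_wide and looks_like_flag are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values from the listing above, written as whole 32-bit wide characters.
 * Assumption: every element carries the 0x14 upper byte seen in 143Ah. */
static const uint32_t S[] = {
    0x143A,0x1436,0x1437,0x143B,0x1480,0x147A,0x1471,0x1478,0x1463,0x1466,
    0x1473,0x1467,0x1462,0x1465,0x1473,0x1460,0x146B,0x1471,0x1478,0x146A,
    0x1473,0x1470,0x1464,0x1478,0x146E,0x1470,0x1470,0x1464,0x1470,0x1464,
    0x146E,0x147B,0x1476,0x1478,0x146A,0x1473,0x147B,0x1480, 0 };
static const uint32_t KEY[] = { 0x1401,0x1402,0x1403,0x1404,0x1405, 0 };

static size_t wlen32(const uint32_t *w)   /* like wcslen() for 32-bit units */
{
    size_t n = 0;
    while (w[n]) n++;
    return n;
}

/* Cyclic subtraction as in the loop above, with both lengths measured.
 * Returns the length, or -1 on bad arguments or a result wider than a byte. */
static int decrypt_wide(const uint32_t *s, const uint32_t *key,
                        char *out, size_t outsz)
{
    size_t n = wlen32(s), k = wlen32(key);
    if (k == 0 || n + 1 > outsz) return -1;
    for (size_t i = 0; i < n; i++) {
        uint32_t c = s[i] - key[i % k];
        if (c > 0xFF) return -1;   /* upper bytes did not cancel */
        out[i] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

static int looks_like_flag(const char *p)   /* format here: 9447{...} */
{
    size_t n = strlen(p);
    return n > 6 && strncmp(p, "9447{", 5) == 0 && p[n - 1] == '}';
}

int main(void)
{
    char buf[64];
    if (decrypt_wide(S, KEY, buf, sizeof buf) > 0 && looks_like_flag(buf))
        puts(buf);
    return 0;
}
```

Passing S + 1 with a key that starts at 0x1402 reproduces the first attempt: the output begins with 447{ and fails the format check.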