BUUCTF Reverse/[2019红帽杯]easyRE
先看下文件属性
用IDA 64位打开,查找字符串,看到一句“You found me!!!”,这里应该就是flag所在的位置了
跟随跳转
/*
 * Main check routine of the challenge binary (IDA pseudocode; the binary is
 * statically linked, so libc helpers show up as unnamed sub_* stubs).
 *
 * Stage 1: reads up to 37 bytes into v14; the length must be exactly 36 and
 *          every byte XOR its index must equal v12[i].  v12 is only 17 bytes,
 *          but v13 is laid out directly after it on the stack (rbp-C0h, then
 *          rbp-AFh), so indices 17..35 of the comparison read from v13.
 * Stage 2: reads up to 64 bytes into v17, truncates to 39, applies
 *          sub_400E44 ten times and compares the result with off_6CC090.
 *
 * Returns 0 once stage 2 is reached, otherwise a small negative code widened
 * as an unsigned 32-bit value (0xFFFFFFFF / 0xFFFFFFFE / 0xFFFFFFFD).
 */
__int64 sub_4009C6()
{
__int64 result; // rax
int i; // [rsp+Ch] [rbp-114h]
__int64 v2; // [rsp+10h] [rbp-110h]
__int64 v3; // [rsp+18h] [rbp-108h]
__int64 v4; // [rsp+20h] [rbp-100h]
__int64 v5; // [rsp+28h] [rbp-F8h]
__int64 v6; // [rsp+30h] [rbp-F0h]
__int64 v7; // [rsp+38h] [rbp-E8h]
__int64 v8; // [rsp+40h] [rbp-E0h]
__int64 v9; // [rsp+48h] [rbp-D8h]
__int64 v10; // [rsp+50h] [rbp-D0h]
__int64 v11; // [rsp+58h] [rbp-C8h]
char v12[17]; // [rsp+60h] [rbp-C0h] BYREF -- 16 bytes from the literal plus an explicit 127
char v13[19]; // [rsp+71h] [rbp-AFh] BYREF -- immediately follows v12 (0x60 + 17 == 0x71)
char v14[32]; // [rsp+90h] [rbp-90h] BYREF -- stage-1 input buffer
int v15; // [rsp+B0h] [rbp-70h]
char v16; // [rsp+B4h] [rbp-6Ch]
char v17[72]; // [rsp+C0h] [rbp-60h] BYREF -- stage-2 input buffer
unsigned __int64 v18; // [rsp+108h] [rbp-18h] -- saved stack canary
v18 = __readfsqword(0x28u); // stack-protector canary lives at fs:0x28
qmemcpy(v12, "Iodl>Qnb(ocy\x7Fy.i", 16);
v12[16] = 127;
qmemcpy(v13, "d`3w}wek9{iy=~yL@EC", sizeof(v13));
memset(v14, 0, sizeof(v14));
v15 = 0;
v16 = 0;
sub_4406E0(0LL, v14, 37LL); // read(0, v14, 37)-shaped call; presumably libc read -- confirm
v16 = 0;
if ( sub_424BA0(v14) == 36 ) // sub_424BA0 is used like strlen: input must be exactly 36 bytes
{
for ( i = 0; i < (unsigned __int64)sub_424BA0(v14); ++i ) // length re-evaluated on every iteration
{
if ( (unsigned __int8)(v14[i] ^ i) != v12[i] ) // for i >= 17 this indexes past v12 into v13
{
result = 4294967294LL; // 0xFFFFFFFE
goto LABEL_13;
}
}
sub_410CC0("continue!"); // puts-like output helper
memset(v17, 0, 0x40uLL);
v17[64] = 0;
sub_4406E0(0LL, v17, 64LL); // second read, up to 64 bytes
v17[39] = 0; // hard-truncate so the length check below can only see <= 39
if ( sub_424BA0(v17) == 39 )
{
v2 = sub_400E44((__int64)v17); // the writeup identifies sub_400E44 as base64 encoding; applied ten times in a row
v3 = sub_400E44(v2);
v4 = sub_400E44(v3);
v5 = sub_400E44(v4);
v6 = sub_400E44(v5);
v7 = sub_400E44(v6);
v8 = sub_400E44(v7);
v9 = sub_400E44(v8);
v10 = sub_400E44(v9);
v11 = sub_400E44(v10);
if ( !(unsigned int)sub_400360(v11, off_6CC090) ) // zero means equal (strcmp-like); off_6CC090 holds the ten-times-encoded target
{
sub_410CC0("You found me!!!");
sub_410CC0("bye bye~");
}
result = 0LL;
}
else
{
result = 4294967293LL; // 0xFFFFFFFD
}
}
else
{
result = 0xFFFFFFFFLL;
}
LABEL_13:
if ( __readfsqword(0x28u) != v18 ) // canary mismatch -> abort path
sub_444020(); // presumably __stack_chk_fail -- confirm
return result;
}
看一下这段代码,跟进查看一下off_6CC090
v2 = sub_400E44((__int64)v17);
v3 = sub_400E44(v2);
v4 = sub_400E44(v3);
v5 = sub_400E44(v4);
v6 = sub_400E44(v5);
v7 = sub_400E44(v6);
v8 = sub_400E44(v7);
v9 = sub_400E44(v8);
v10 = sub_400E44(v9);
v11 = sub_400E44(v10);
if ( !(unsigned int)sub_400360(v11, off_6CC090) )
{
sub_410CC0("You found me!!!");
sub_410CC0("bye bye~");
}
发现是一段base64编码,而且是编码了10次后的结果
写个脚本解密
import hashlib
import base64
# The binary applies sub_400E44 (base64 encode) ten times before comparing
# against off_6CC090, so strip ten layers of base64 from the stored target.
Str = "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"
for i in range(10):
    Str = base64.b64decode(Str)
print(Str)
得到结果
b'https://bbs.pediy.com/thread-254172.htm'
然后我傻乎乎地跟进去看了,发现是看雪的一篇教你如何迷惑写题人的文章,评论区也有一堆求flag的,结果我还真在评论区找到flag了。
flag{Act1ve_Defen5e_Test}
看了下其他大佬的wp,才发现要利用一开始的字符串。
v18 = __readfsqword(0x28u);
qmemcpy(v12, "Iodl>Qnb(ocy\x7Fy.i", 16);
v12[16] = 127;
qmemcpy(v13, "d`3w}wek9{iy=~yL@EC", sizeof(v13));
memset(v14, 0, sizeof(v14));
v15 = 0;
v16 = 0;
sub_4406E0(0LL, v14, 37LL);
v16 = 0;
if ( sub_424BA0(v14) == 36 )
{
for ( i = 0; i < (unsigned __int64)sub_424BA0(v14); ++i )
{
if ( (unsigned __int8)(v14[i] ^ i) != v12[i] )
{
result = 4294967294LL;
goto LABEL_13;
}
}
写个脚本
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
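/*
 * Hint decoder for the first check in sub_4009C6.
 *
 * The binary compares (input[i] ^ i) against v12[i] for i in [0, 36).
 * v12 is only 17 bytes, but v13 is laid out directly after it on the stack
 * (rbp-C0h, then rbp-AFh), so the comparison effectively runs over
 * v12 ++ v13.  Rebuild that 36-byte buffer and undo the index XOR.
 *
 * Changes versus the first draft: no unused locals, no strcat into a
 * partially-initialised buffer, strlen no longer re-evaluated per iteration,
 * unsigned/size_t arithmetic throughout, trailing newline on the output.
 */
int main(void)
{
    /*
     * The string literals are kept separate so that "\x7F" is not followed
     * by a hex digit ('d'), which would otherwise be swallowed by the escape.
     */
    static const unsigned char enc[] =
        "Iodl>Qnb(ocy\x7Fy.i"   /* v12[0..15]             */
        "\x7F"                  /* v12[16] = 127          */
        "d`3w}wek9{iy=~yL@EC";  /* v13, 19 bytes          */
    const size_t len = sizeof enc - 1; /* 36: the length sub_4009C6 insists on */

    for (size_t i = 0; i < len; i++) {
        /* x ^ i ^ i == x, so XORing with the index again recovers the hint. */
        putchar(enc[i] ^ (unsigned char)i);
    }
    putchar('\n'); /* keep the shell prompt off the decoded text */
    return 0;
}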
运行得到提示
还要用到下面的那串字符,就在那个base64编码的下面,跟进查看
/*
 * Flag-printing routine (IDA pseudocode).
 *
 * Derives a 32-bit key v1 from (sub_43FD20(0) - qword_6CEE38) run through
 * 1234 rounds of a seed/draw sequence, then XORs the 25 bytes at byte_6CC0A0
 * with the key's four bytes in rotation (j % 4).  Output only happens when
 * byte 0 decodes to 102 ('f') and byte 3 to 103 ('g'), which is what pins
 * the key for the decoder script below.
 *
 * Returns canary XOR saved canary, i.e. 0 unless the stack was corrupted.
 */
unsigned __int64 sub_400D35()
{
unsigned __int64 result; // rax
unsigned int v1; // [rsp+Ch] [rbp-24h] -- evolving 32-bit key
int i; // [rsp+10h] [rbp-20h]
int j; // [rsp+14h] [rbp-1Ch]
unsigned int v4; // [rsp+24h] [rbp-Ch] -- final key, addressed byte-wise below
unsigned __int64 v5; // [rsp+28h] [rbp-8h] -- saved stack canary
v5 = __readfsqword(0x28u); // stack-protector canary lives at fs:0x28
v1 = sub_43FD20(0LL) - qword_6CEE38; // sub_43FD20(0) is time(NULL)-shaped -- confirm
for ( i = 0; i <= 1233; ++i ) // 1234 rounds
{
sub_40F790(v1); // presumably srand(v1) -- confirm
sub_40FE60(); // presumably rand(); two draws discarded -- confirm
sub_40FE60();
v1 = sub_40FE60() ^ 0x98765432;
}
v4 = v1;
if ( ((unsigned __int8)v1 ^ byte_6CC0A0[0]) == 102 && (HIBYTE(v4) ^ (unsigned __int8)byte_6CC0A3) == 103 ) // plaintext byte 0 must be 'f', byte 3 must be 'g'
{
for ( j = 0; j <= 24; ++j ) // 25 bytes of ciphertext
sub_410E90((unsigned __int8)(byte_6CC0A0[j] ^ *((_BYTE *)&v4 + j % 4))); // putchar-like; key byte cycles every 4
}
result = __readfsqword(0x28u) ^ v5;
if ( result )
sub_444020(); // presumably __stack_chk_fail -- confirm
return result;
}
这里就是用刚才的那串字符进行异或,根据这个写出脚本
if ( ((unsigned __int8)v1 ^ byte_6CC0A0[0]) == 102 && (HIBYTE(v4) ^ (unsigned __int8)byte_6CC0A3) == 103 )
{
for ( j = 0; j <= 24; ++j )
sub_410E90((unsigned __int8)(byte_6CC0A0[j] ^ *((_BYTE *)&v4 + j % 4)));
}
脚本
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
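/*
 * Flag decoder for sub_400D35.
 *
 * The binary XORs the 25 bytes at byte_6CC0A0 with a 4-byte key, cycling
 * the key every byte (j % 4), and only prints when byte 0 decodes to 'f'
 * (102) and byte 3 to 'g' (103).  The hint printed by the previous script
 * says the plaintext starts with "flag", so all four key bytes are fixed:
 * key[i] = enc[i] ^ "flag"[i].  The PRNG-style loop that the binary uses to
 * derive the key never has to be reproduced.
 *
 * Changes versus the first draft: unused locals dropped, byte data held as
 * unsigned char instead of int, sizes taken from the arrays rather than
 * hard-coded, trailing newline on the output.
 */
int main(void)
{
    /* Contents of byte_6CC0A0 as copied from the binary in the writeup. */
    static const unsigned char enc[25] = {
        0x40, 0x35, 0x20, 0x56, 0x5D, 0x18, 0x22, 0x45, 0x17, 0x2F, 0x24, 0x6E,
        0x62, 0x3C, 0x27, 0x54, 0x48, 0x6C, 0x24, 0x6E, 0x72, 0x3C, 0x32, 0x45,
        0x5B
    };
    static const unsigned char known[4] = { 'f', 'l', 'a', 'g' }; /* known-plaintext prefix */
    unsigned char key[4];

    /* Recover the rotating key from the known first four plaintext bytes. */
    for (size_t i = 0; i < sizeof key; i++) {
        key[i] = enc[i] ^ known[i];
    }

    /* Same loop as the binary: each byte XORed with key[j % 4]. */
    for (size_t i = 0; i < sizeof enc; i++) {
        putchar(enc[i] ^ key[i % sizeof key]);
    }
    putchar('\n'); /* keep the shell prompt off the decoded flag */
    return 0;
}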
运行得到结果
flag{Act1ve_Defen5e_Test}