6th Zhejiang Provincial College Student Network and Information Security Competition Final - Ez8or

I'm a beginner and this is the first reverse-engineering challenge I've done, so I'm just writing it down for the record.

The program asks you to enter the correct flag.

Opening the binary in IDA, you can see a `_ptrace` call that serves as an anti-debugging check.

Since dynamic debugging is needed later, I NOP it out first.

Press F5 to view the decompiled pseudocode.

The input is a char array of length 72, n is the array length, and the input is compared against s2 (length 60); if the two arrays are identical, the input is the correct flag.

s2 = [0xa8,0xac,0x36,0x6a,0xc4,0x0a,0x9a,0xdc,0x12,0x48,0xf2,0x60,0xcb,0xcc,0x3a,0x5e,0xf2,0x63,0x9c,0x94,0xf5,0x48,0xcd,0x17,0x82,0xcd,0xf7,0x71,0x9f,0x36,0xb4,0x88,0xaf,0x5f,0xdd,0x64,0x85,0x96,0xf7,0x5e,0xc4,0x09,0xad,0xdd,0xab,0x16,0x99,0x60,0x9b,0xde,0xf5,0x53,0xc3,0x21,0xfc,0x80,0xf8,0x10,0xc7,0x26]

Let's set a breakpoint to verify this.

At line 11 the input string is "111111111111", but after line 11 executes the string has changed, so that call must be the key function.

Stepping into the function shows only a tiny bit of code, which can't be right.

After searching on Baidu I found that junk instructions (花指令) are used (for how to repair them see: https://blog.csdn.net/qq_45313512/article/details/134564021?spm=1001.2014.3001.5502); the real instructions start at the address of sub_5616D9F63208 (yours may differ from mine) plus 1. After patching this, the pseudocode can be viewed.

Analysis shows two rounds of XOR. The input string is split into groups of six bytes; each group is first XORed with key1 = [0x2b,0x8e,0x7d,0x31,0x9c,0x4f] and then with key2 = [0xc7,0x63,0x18,0x18,0x0c,0x03]. The key1 of the first group is given, and after each group is XORed every value of key1 is incremented by 1. key2[0] is the low byte of i-57, and key2[1], key2[2], key2[3], key2[4], key2[5] are each obtained from the preceding value by a right shift of 0, 1, 2, 0, 1, 2 bits in turn (counting key2[0] itself as the shift by 0), i.e. by dividing by 1, 2, 4, 1, 2, 4; after each group is XORed key2[0] grows by 6 and the remaining five values are again derived from it by the same shifts. Putting the 60 values of key1 and key2 into a1 and a2 respectively gives:

```python
a1 = [0x2b,0x8e,0x7d,0x31,0x9c,0x4f,0x2c,0x8f,0x7e,0x32,0x9d,0x50,0x2d,0x90,0x7f,0x33,0x9e,0x51,0x2e,0x91,0x80,0x34,0x9f,0x52,0x2f,0x92,0x81,0x35,0xa0,0x53,0x30,0x93,0x82,0x36,0xa1,0x54,0x31,0x94,0x83,0x37,0xa2,0x55,0x32,0x95,0x84,0x38,0xa3,0x56,0x33,0x96,0x85,0x39,0xa4,0x57,0x34,0x97,0x86,0x3a,0xa5,0x58]

a2 = [0xc7,0x63,0x18,0x18,0x0c,0x03,0xcd,0x66,0x19,0x19,0x0c,0x03,0xd3,0x69,0x1a,0x1a,0x0d,0x03,0xd9,0x6c,0x1b,0x1b,0x0d,0x03,0xdf,0x6f,0x1b,0x1b,0x0d,0x03,0xe5,0x72,0x1c,0x1c,0x0e,0x03,0xeb,0x75,0x1d,0x1d,0x0e,0x03,0xf1,0x78,0x1e,0x1e,0x0f,0x03,0xf7,0x7b,0x1e,0x1e,0x0f,0x03,0xfd,0x7e,0x1f,0x1f,0x0f,0x03]
```

Below is just a simple solve script:

```python
# dest is s2, the 60-byte comparison target taken from the binary
dest = [0xa8,0xac,0x36,0x6a,0xc4,0x0a,0x9a,0xdc,0x12,0x48,0xf2,0x60,0xcb,0xcc,0x3a,0x5e,0xf2,0x63,0x9c,0x94,0xf5,0x48,0xcd,0x17,0x82,0xcd,0xf7,0x71,0x9f,0x36,0xb4,0x88,0xaf,0x5f,0xdd,0x64,0x85,0x96,0xf7,0x5e,0xc4,0x09,0xad,0xdd,0xab,0x16,0x99,0x60,0x9b,0xde,0xf5,0x53,0xc3,0x21,0xfc,0x80,0xf8,0x10,0xc7,0x26]
# Note: in this script a1 holds the key2 stream and a2 the key1 stream (the reverse of
# the tables above); XOR is commutative, so the order makes no difference to the result.
a1 = [0xc7,0x63,0x18,0x18,0x0c,0x03,0xcd,0x66,0x19,0x19,0x0c,0x03,0xd3,0x69,0x1a,0x1a,0x0d,0x03,0xd9,0x6c,0x1b,0x1b,0x0d,0x03,0xdf,0x6f,0x1b,0x1b,0x0d,0x03,0xe5,0x72,0x1c,0x1c,0x0e,0x03,0xeb,0x75,0x1d,0x1d,0x0e,0x03,0xf1,0x78,0x1e,0x1e,0x0f,0x03,0xf7,0x7b,0x1e,0x1e,0x0f,0x03,0xfd,0x7e,0x1f,0x1f,0x0f,0x03]
a2 = [0x2b,0x8e,0x7d,0x31,0x9c,0x4f,0x2c,0x8f,0x7e,0x32,0x9d,0x50,0x2d,0x90,0x7f,0x33,0x9e,0x51,0x2e,0x91,0x80,0x34,0x9f,0x52,0x2f,0x92,0x81,0x35,0xa0,0x53,0x30,0x93,0x82,0x36,0xa1,0x54,0x31,0x94,0x83,0x37,0xa2,0x55,0x32,0x95,0x84,0x38,0xa3,0x56,0x33,0x96,0x85,0x39,0xa4,0x57,0x34,0x97,0x86,0x3a,0xa5,0x58]
flag = ''
for i in range(0, 60):
    # undo both XOR layers byte by byte
    flag += chr(dest[i] ^ a1[i] ^ a2[i])
print(flag)
```

DASCTF{5ucc355_wa1king_Fr0m_2fai1ur3_with_n01055_3nthu5ia5m}
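As an added example (my own code, not part of the original post), here is a version of the solve that regenerates key1 and key2 from the rule recovered above instead of hardcoding the two 60-byte tables, and applies both XOR layers in one function; since XOR is an involution, the same function both encrypts and decrypts. The names `keystream`, `transform` and `recover_flag` are my own, and reading key2[0] as the low byte of (group start index - 57) is an assumption that matches the tables above.

```python
# Added example: regenerate both key streams from the rule described in the
# writeup rather than hardcoding them. Function names are my own choice.
S2 = bytes([  # the 60-byte comparison target s2 copied from the binary
    0xa8,0xac,0x36,0x6a,0xc4,0x0a,0x9a,0xdc,0x12,0x48,0xf2,0x60,
    0xcb,0xcc,0x3a,0x5e,0xf2,0x63,0x9c,0x94,0xf5,0x48,0xcd,0x17,
    0x82,0xcd,0xf7,0x71,0x9f,0x36,0xb4,0x88,0xaf,0x5f,0xdd,0x64,
    0x85,0x96,0xf7,0x5e,0xc4,0x09,0xad,0xdd,0xab,0x16,0x99,0x60,
    0x9b,0xde,0xf5,0x53,0xc3,0x21,0xfc,0x80,0xf8,0x10,0xc7,0x26,
])

KEY1_SEED = [0x2b, 0x8e, 0x7d, 0x31, 0x9c, 0x4f]  # key1 of the first group (given)
# key2[k] = key2[k-1] >> SHIFTS[k], i.e. divide the previous value by 1,2,4,1,2,4
SHIFTS = [0, 1, 2, 0, 1, 2]

def keystream(n):
    """Return (key1, key2) as lists of n bytes, generated six bytes per group."""
    key1, key2 = [], []
    for group, start in enumerate(range(0, n, 6)):
        # key1: every byte of the seed grows by 1 per group (kept to one byte)
        key1 += [(k + group) & 0xff for k in KEY1_SEED]
        # key2[0]: low byte of (i - 57) with i the group's start index, which is
        # why it grows by 6 for every group (assumed reading of the writeup)
        v = (start - 57) & 0xff
        for s in SHIFTS:
            v >>= s
            key2.append(v)
    return key1[:n], key2[:n]

def transform(data):
    """Apply both XOR layers; XOR is an involution, so this encrypts and decrypts."""
    k1, k2 = keystream(len(data))
    return bytes(b ^ a ^ c for b, a, c in zip(data, k1, k2))

def recover_flag(target=S2):
    """Decrypt the comparison target back into the flag string."""
    return transform(target).decode("ascii")

if __name__ == "__main__":
    print(recover_flag())
```

Running `transform` on the recovered flag gives back exactly s2, which is a quick way to confirm the key-generation rule was read correctly.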

There is another approach: since XOR is reversible, s2 could be fed in as the input and the flag read from the key function's return value. However, s2 turns out not to consist of printable characters, so it cannot be typed in as input and gdb would be needed to supply it (I don't know how to do that yet, so I'm only offering the idea).

I'm just a newbie and this post may not be well written; thanks for your understanding!
