一. ez_re
- UPX脱壳,base64解密即可
- NSSCTF{Y0u_h@v2_//@57er3d_7he_r3v3rs3}
二. easy_asm
- 看题目,知道是个分析汇编的题
; start: read one line from the keyboard, XOR every byte of it with 0x10 and
; compare the result byte-by-byte against the reference data at asc_10000+59h;
; print one of two '$'-terminated messages and exit. Offsets are into dseg.
00 B8 00 10 mov ax, seg dseg ; DS := dseg, the segment holding asc_10000 (input buffer and reference data)
seg001:0003 8E D8 mov ds, ax
seg001:0005 assume ds:dseg
seg001:0005 8D 16 00 00 lea dx, asc_10000 ; "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$"... ; DX -> asc_10000, used as the DOS input buffer
seg001:0009 B4 0A mov ah, 0Ah ; AH=0Ah: buffered keyboard input into DS:DX
seg001:000B 8B F2 mov si, dx ; (SI is reloaded below before it is used)
seg001:000D CD 21 int 21h ; DOS - BUFFERED KEYBOARD INPUT
seg001:000D ; DS:DX -> buffer
seg001:000D
seg001:000F 8D 36 00 00 lea si, asc_10000 ; "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$"... ; SI -> first byte of the input buffer
seg001:0013 B1 10 mov cl, 10h ; CL = 0x10, the XOR key applied to every byte in the loop below
seg001:0013
seg001:0015
seg001:0015 loc_10085: ; CODE XREF: start+1B↓j
seg001:0015 AC lodsb ; AL = [DS:SI], SI++
seg001:0016 32 C1 xor al, cl ; AL ^= 0x10
seg001:0018 AA stosb ; [ES:DI] = AL, DI++ -- neither ES nor DI is set anywhere in this listing, so the destination is whatever the loader left in them (TODO confirm)
seg001:0019 3C 24 cmp al, 24h ; '$' ; stop once the XORed byte equals '$' (i.e. the raw byte was 0x34)
seg001:001B 75 F8 jnz short loc_10085
seg001:001B
seg001:001D 8D 36 00 00 lea si, asc_10000 ; "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$"... ; SI -> input buffer again
seg001:0021 8D 3E 59 00 lea di, asc_10000+59h ; "$$$$$$$$$$$" ; DI -> reference bytes the input is compared against
seg001:0021
seg001:0025
seg001:0025 loc_10095: ; CODE XREF: start+2F↓j
seg001:0025 AC lodsb ; AL = next input byte (SI++). NOTE(review): this re-reads asc_10000 via DS:SI, so it only sees the XORed bytes if the stosb loop above wrote back into the same buffer (ES:DI == DS:asc_10000) -- confirm
seg001:0026 3A 05 cmp al, [di] ; compare with the current reference byte
seg001:0028 75 07 jnz short loc_100A1 ; mismatch -> print the message at asc_10000+47h
seg001:0028
seg001:002A 3C 24 cmp al, 24h ; '$' ; bytes equal; '$' marks the end of both strings
seg001:002C 74 0D jz short loc_100AB ; every byte matched -> print the message at asc_10000+52h
seg001:002C
seg001:002E 47 inc di ; advance the reference pointer (SI was already advanced by lodsb)
seg001:002F EB F4 jmp short loc_10095
seg001:002F
seg001:0031 ; ---------------------------------------------------------------------------
seg001:0031
seg001:0031 loc_100A1: ; CODE XREF: start+28↑j
seg001:0031 B4 09 mov ah, 9 ; AH=09h: print the '$'-terminated string at DS:DX
seg001:0033 8D 16 47 00 lea dx, asc_10000+47h ; "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$" ; message printed on a mismatch
seg001:0037 CD 21 int 21h ; DOS - PRINT STRING
seg001:0037 ; DS:DX -> string terminated by "$"
seg001:0037
seg001:0039 EB 08 jmp short loc_100B3
seg001:0039
seg001:003B ; ---------------------------------------------------------------------------
seg001:003B
seg001:003B loc_100AB: ; CODE XREF: start+2C↑j
seg001:003B B4 09 mov ah, 9 ; AH=09h: print the '$'-terminated string at DS:DX
seg001:003D 8D 16 52 00 lea dx, asc_10000+52h ; "$$$$$$$$$$$$$$$$$$" ; message printed when all bytes matched
seg001:0041 CD 21 int 21h ; DOS - PRINT STRING
seg001:0041 ; DS:DX -> string terminated by "$"
seg001:0041
seg001:0043
seg001:0043 loc_100B3: ; CODE XREF: start+39↑j
seg001:0043 B4 4C mov ah, 4Ch ; AH=4Ch: terminate the process, AL = exit code
seg001:0045 CD 21 int 21h ; DOS - 2+ - QUIT WITH EXIT CODE (EXIT)
seg001:0045 ; AL = exit code
seg001:0045
seg001:0045 start endp
seg001:0045
- 整个exe的汇编指令就这么多
- 从头看,整段中就如下一个xor操作,绝对是关键
- 再将$符号作为结束符号,那么我们找到数据段,再异或16就行
- 得到NSSCTF{Just_a_e3sy_aSm}
三. fake_game
- pyinstaller解包,uncompyle6反编译,得到.py文件
- 如下为关键代码:
# Fragment of the game's main loop as emitted by uncompyle6 (the indentation was
# lost in the paste; the nesting is described in the comments). Each frame the
# four HUD counters are copied into xorr and run through four linear checks;
# only when all four hold is the flag XOR-decrypted and written to flag.txt.
xorr = [
0] * 4
# 28 ciphertext words; ans has spare room (55 slots), only the first 28 are used.
ans = [0] * 55
flag = [178868, 188, 56953, 2413, 178874, 131, 56957, 2313, 178867, 156,
56933, 2377, 178832, 202, 56899, 2314, 178830, 167, 56924,
2313, 178830, 167, 56938, 2383, 178822, 217, 56859, 2372]
self.init_window()
self.init_plant_points()
self.init_map()
self.init_zombies()
while not GAMEOVER:
MainGame.window.fill((255, 255, 255))
MainGame.window.blit(self.draw_text('当前钱数$: {}'.format(MainGame.money), 26, (255,
0,
0)), (500,
40))
MainGame.window.blit(self.draw_text('当前关数{},得分{},距离下关还差{}分'.format(MainGame.shaoguan, MainGame.score, MainGame.remnant_score), 26, (255,
0,
0)), (5,
40))
self.load_help_text()
# xorr = (money, shaoguan, score, remnant_score): the 4-word XOR key.
xorr[0] = MainGame.money
xorr[1] = MainGame.shaoguan
xorr[2] = MainGame.score
xorr[3] = MainGame.remnant_score
# Four nested linear checks on the key. `/` here is Python's own division
# applied to ints (true division on Python 3), whereas a bit-vector solver
# models `/` as integer division -- keep that in mind when reproducing the
# checks elsewhere.
if xorr[0] * 256 - xorr[1] / 2 + xorr[2] * 23 + xorr[3] / 2 == 47118166:
if xorr[0] * 252 - xorr[1] * 366 + xorr[2] * 23 + xorr[3] / 2 - 1987 == 46309775:
if xorr[0] * 6 - xorr[1] * 88 + xorr[2] / 2 + xorr[3] / 2 - 11444 == 1069997:
if (xorr[0] - 652) * 2 - xorr[1] * 366 + xorr[2] * 233 + xorr[3] / 2 - 13333 == 13509025:
for i in range(len(flag)):
ans[i] = flag[i] ^ xorr[i % 4] # key word cycles every 4 positions
# The decompiler attaches this `else` to the `for` (for/else): the file is
# written after the loop finishes -- TODO confirm against the original indentation.
else:
with open('flag.txt', 'w') as (f):
f.write(''.join([chr(a) for a in ans]))
- 很明显的z3库解法
from z3 import *

# Unknowns: the four HUD counters (money, shaoguan, score, remnant_score) as
# 64-bit bit-vectors, in the order the game copies them into xorr.
# NOTE: `/` on a z3 BitVec is signed *integer* division (bvsdiv), whereas the
# game applies Python's own `/` to ints; a model found here satisfies the
# truncating form of the four checks, which is enough to recover the XOR key
# but need not make the game's own comparison true exactly.
xorr = [BitVec('u%d' % i, 64) for i in range(0, 4)]
money, level, score, remnant = xorr

# The four linear checks from the decompiled main loop, verbatim.
checks = [
    money * 256 - level / 2 + score * 23 + remnant / 2 == 47118166,
    money * 252 - level * 366 + score * 23 + remnant / 2 - 1987 == 46309775,
    money * 6 - level * 88 + score / 2 + remnant / 2 - 11444 == 1069997,
    (money - 652) * 2 - level * 366 + score * 233 + remnant / 2 - 13333 == 13509025,
]

solver = Solver()
solver.add(*checks)
solver.check()  # must be sat before model() is queried, as in the original
result = solver.model()
print(result)
- 这时有密文,有密钥,可以写脚本了
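def xor_decrypt(data, key):
    """Return *data* XORed with *key* cycled over the positions, as bytes.

    Args:
        data: sequence of ints (the ciphertext words lifted from the game).
        key: non-empty sequence of ints; key[i % len(key)] is applied to data[i].

    Returns:
        bytes of length len(data); empty input gives b"".

    Raises:
        ValueError: if key is empty, or if an XORed value does not fit in a
            byte (bytes() rejects values outside 0..255).
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(word ^ key[i % len(key)] for i, word in enumerate(data))


# Key from the z3 model: (money, shaoguan, score, remnant_score).
xorr = [178940, 248, 56890, 2361]
# Ciphertext words from the decompiled game (28 entries).
flag = [178868, 188, 56953, 2413, 178874, 131, 56957, 2313, 178867, 156,
        56933, 2377, 178832, 202, 56899, 2314, 178830, 167, 56924,
        2313, 178830, 167, 56938, 2383, 178822, 217, 56859, 2372]
print(xor_decrypt(flag, xorr))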
- HDCTF{G0Od_pl2y3r_f0r_Pvz!!}
四. double_code
- 字符串中并没有看到所谓的关键字符串
- 根据最近所学知识,如下即是切入点
- 分别是,分配内存,写入内存,与创建进程
- 实际上是个shellcode 加载器
- 这里用谷歌搜索一下WriteProcessMemory function
- 找到函数参数
BOOL WriteProcessMemory(
[in] HANDLE hProcess,
[in] LPVOID lpBaseAddress,
[in] LPCVOID lpBuffer,
[in] SIZE_T nSize,
[out] SIZE_T *lpNumberOfBytesWritten
);
- 第三个参数是:[in] lpBuffer
A pointer to the buffer that contains data to be written in the address space of the specified process.
- 即写入内存的指针,找到这个函数,就是shellcode
// Shellcode body (the lpBuffer handed to WriteProcessMemory, per the notes
// above). Rewrites the buffer v15 in place, one byte per iteration, according
// to the byte's position i modulo 5:
//   1 -> b ^ 0x23,  2 -> b + 2,  3 -> b - 3,  4 -> b - 4,  0 -> untouched.
// `case 5` is unreachable: v20 = i % 5 is always in 0..4.
// Decompiler artefacts worth knowing: v4/v6/v8/v10/v12 are tagged "esp" and
// are never assigned, i.e. they stand in for the stack frame base, so
// `v4 + 31 + i` addresses v15[i] (v15 lives at rsp+1Fh = 31). The MEMORY[...]
// calls are unresolved imports; the loop bound MEMORY[0x14003A250](...) is
// compared against i every iteration and presumably returns the length of the
// string in v15 (TODO confirm -- its arguments are register leftovers).
__int64 sub_14001F000()
{
__int64 v0; // rdx
__int64 v1; // rcx
__int64 v2; // r8
__int64 v3; // r9
int v4; // esp
unsigned __int64 v5; // rax
int v6; // esp
unsigned __int64 v7; // rax
int v8; // esp
unsigned __int64 v9; // rax
int v10; // esp
unsigned __int64 v11; // rax
int v12; // esp
unsigned __int64 v13; // rax
char v15[41]; // [rsp+1Fh] [rbp-41h] BYREF
int v16; // [rsp+48h] [rbp-18h]
int v17; // [rsp+4Ch] [rbp-14h]
int v18; // [rsp+50h] [rbp-10h]
int v19; // [rsp+54h] [rbp-Ch]
int v20; // [rsp+58h] [rbp-8h]
int i; // [rsp+5Ch] [rbp-4h]
MEMORY[0x140029C60](); // unresolved call; purpose not visible in this listing
*(_DWORD *)&v15[37] = 1; // 4 bytes just past the 36-char string and its NUL (v15[36])
v16 = 5; // v16..v19 (5, 2, 4, 3) are set but never read in this function
v17 = 2;
v18 = 4;
v19 = 3;
strcpy(v15, "************************************"); // 36 characters, shown as '*' in this listing (the script below works on 36 bytes)
for ( i = 0;
(unsigned int)MEMORY[0x14003A250](v1, v0, v2, v3, *(_QWORD *)&v15[1], *(_QWORD *)&v15[9], *(_QWORD *)&v15[17]) > i;
++i )
{
v0 = (unsigned int)(i / 5);
v1 = (unsigned int)(i % 5);
v20 = i % 5; // selects the transform for this position
if ( i % 5 == 1 )
{
v5 = (unsigned int)(v4 + 31 + i); // &v15[i]
v1 = *(unsigned __int8 *)v5 ^ 0x23u;
v0 = (unsigned int)(v4 + 31);
*(_BYTE *)(unsigned int)(v0 + i) = *(_BYTE *)v5 ^ 0x23; // v15[i] ^= 0x23
}
else
{
switch ( v20 )
{
case 2:
v7 = (unsigned int)(v6 + 31 + i); // &v15[i]
v0 = (unsigned int)*(unsigned __int8 *)v7 + 2;
v1 = (unsigned int)(v6 + 31);
*(_BYTE *)(unsigned int)(v1 + i) = *(_BYTE *)v7 + 2; // v15[i] += 2
break;
case 3:
v9 = (unsigned int)(v8 + 31 + i); // &v15[i]
v0 = (unsigned int)*(unsigned __int8 *)v9 - 3;
v1 = (unsigned int)(v8 + 31);
*(_BYTE *)(unsigned int)(v1 + i) = *(_BYTE *)v9 - 3; // v15[i] -= 3
break;
case 4:
v11 = (unsigned int)(v10 + 31 + i); // &v15[i]
v0 = (unsigned int)*(unsigned __int8 *)v11 - 4;
v1 = (unsigned int)(v10 + 31);
*(_BYTE *)(unsigned int)(v1 + i) = *(_BYTE *)v11 - 4; // v15[i] -= 4
break;
case 5: // dead code: i % 5 never equals 5
v13 = (unsigned int)(v12 + 31 + i);
v0 = (unsigned int)*(unsigned __int8 *)v13 - 25;
v1 = (unsigned int)(v12 + 31);
*(_BYTE *)(unsigned int)(v1 + i) = *(_BYTE *)v13 - 25;
break;
}
}
}
return 0i64;
}
- 通过该函数对v15进行switch-case的操作
- 逆向就行
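def _undo(i, b):
    """Reverse the transform sub_14001F000 applied to the byte at position i.

    The shellcode rewrites byte i according to i % 5:
    1 -> b ^ 0x23, 2 -> b + 2, 3 -> b - 3, 4 -> b - 4, and leaves positions
    with i % 5 == 0 untouched. Its `case 5` (and the matching `if i % 5 == 5`
    in the original script) can never run, since i % 5 is always in 0..4, so
    that branch is dropped here.
    """
    r = i % 5
    if r == 1:
        return b ^ 0x23
    if r == 2:
        return b - 2
    if r == 3:
        return b + 3
    if r == 4:
        return b + 4
    return b


def decode(data):
    """Return a new list with the shellcode's per-position transform undone.

    Args:
        data: list of ints, the transformed bytes lifted from the binary.

    Returns:
        A new list of the same length; an empty input gives []. `data` itself
        is not modified.
    """
    return [_undo(i, b) for i, b in enumerate(data)]


# The 36 bytes of v15 as found in the binary.
X = [0x48,0x67,0x45,0x51,0x42,0x7b,0x70,0x6a,0x30,0x68,0x6c,0x60,0x32,0x61,0x61,0x5f,0x42,0x70,0x61,0x5b,0x30,0x53,0x65,0x6c,0x60,0x65,0x7c,0x63,0x69,0x2d,0x5f,0x46,0x35,0x70,0x75,0x7d]
X = decode(X)
for i in X:
    print(chr(i))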
- HDCTF{Sh3llC0de_and_0pcode_al1_e3sy}
六. encmaster
- 32位无壳
// Entry of the checker: reads an integer "key", TEA-encrypts the block
// (key, 4) with {0x12, 0x34, 0x56, 0x78} and, if the ciphertext matches the
// two constants below, uses the key to unpack the .hdctf code section before
// reading and checking the flag.
int __cdecl main_0(int argc, const char **argv, const char **envp)
{
int v3; // eax
char v5; // [esp+0h] [ebp-218h]   -- never initialised; passed to sub_41114F (decompiler artefact, presumably a variadic/printf-like helper -- TODO confirm)
char v6[264]; // [esp+D0h] [ebp-148h] BYREF   -- flag input buffer, 256 bytes zeroed below
int v7; // [esp+1D8h] [ebp-40h] BYREF   -- TEA block word 0 (= the key typed in)
int v8; // [esp+1DCh] [ebp-3Ch]   -- TEA block word 1 (= 4)
int v9[6]; // [esp+1E8h] [ebp-30h] BYREF   -- TEA key; only v9[0..3] are set
int v10; // [esp+200h] [ebp-18h]   -- copy of the key, handed to the SMC routine
int v11; // [esp+20Ch] [ebp-Ch] BYREF   -- key as typed by the user
__CheckForDebuggerJustMyCode(&unk_425036);
v3 = sub_41125D(std::cout, "plesase input the key");
std::ostream::operator<<(v3, &sub_411055);
std::istream::operator>>(std::cin, &v11); // the key is read as an int
v10 = v11;
v9[0] = 18; // 0x12
v9[1] = 52; // 0x34
v9[2] = 86; // 0x56
v9[3] = 120; // 0x78
v7 = v11;
v8 = 4;
sub_411523(&v7, v9); // TEA-encrypts (v7, v8) in place; the body is shown below as sub_415100 (sub_411523 is presumably its thunk -- TODO confirm)
if ( v7 == 1627184887 && v8 == 37149676 ) // 0x60FCDEF7, 0x0236DBEC: the ciphertext the decryptor below starts from
{
j_memset(v6, 0, 0x100u);
sub_4113DE(v10); // XOR-decrypts the .hdctf section with the key (sub_414B00 below); the code must be unpacked before it is called
sub_41114F("Right,please continue...\nPlease input your flag.\n", v5);
sub_4110E1(std::cin, v6); // reads the flag into v6
sub_411302(v6); // presumably the now-decrypted checker at 0x41D000 (sub_41D000 below) -- TODO confirm
}
return 0;
}
- 找到sub_411523函数
// TEA encryption, 32 rounds, of the 64-bit block a1[0..1] with the 128-bit
// key a2[0..3], in place. v4 is the round sum: subtracting 1640531527
// (0x61C88647) in 32-bit arithmetic is the same as adding the TEA delta
// 0x9E3779B9, so after 32 rounds v4 == 0xC6EF3720 -- the value the C++
// decryptor below starts from. `16 * v5` is `v5 << 4`. Always returns 4.
int __cdecl sub_415100(unsigned int *a1, _DWORD *a2)
{
int result; // eax
unsigned int i; // [esp+DCh] [ebp-2Ch]
int v4; // [esp+E8h] [ebp-20h]   -- running sum
unsigned int v5; // [esp+F4h] [ebp-14h]   -- block word 1
unsigned int v6; // [esp+100h] [ebp-8h]   -- block word 0
__CheckForDebuggerJustMyCode(&unk_425036);
v6 = *a1;
v5 = a1[1];
v4 = 0;
for ( i = 0; i < 0x20; ++i )
{
v4 -= 1640531527; // sum += 0x9E3779B9 (mod 2^32)
v6 += (a2[1] + (v5 >> 5)) ^ (v4 + v5) ^ (*a2 + 16 * v5); // v0 += ((v1<<4)+k0) ^ (v1+sum) ^ ((v1>>5)+k1)
v5 += (a2[3] + (v6 >> 5)) ^ (v4 + v6) ^ (a2[2] + 16 * v6); // v1 += ((v0<<4)+k2) ^ (v0+sum) ^ ((v0>>5)+k3)
}
*a1 = v6;
result = 4;
a1[1] = v5;
return result;
}
- 看出来是一个tea算法
- 这里用tea解密
#include <cstdint>
#include <iostream>
#include <string.h>
using namespace std;
// Standard TEA decryption: undoes the 32 rounds of sub_415100 in reverse
// order, starting from sum = 32 * delta (0xC6EF3720) and stepping sum back by
// delta (0x9E3779B9) after each round. v[0..1] is the 64-bit block, decrypted
// in place; k[0..3] is the 128-bit key.
void decrypt(uint32_t *v, uint32_t *k) {
    const uint32_t delta = 0x9e3779b9;
    uint32_t left = v[0];
    uint32_t right = v[1];
    uint32_t sum = 0xC6EF3720;
    for (int round = 0; round < 32; ++round) {
        right -= ((left << 4) + k[2]) ^ (left + sum) ^ ((left >> 5) + k[3]);
        left -= ((right << 4) + k[0]) ^ (right + sum) ^ ((right >> 5) + k[1]);
        sum -= delta;
    }
    v[0] = left;
    v[1] = right;
}
// Recovers the key accepted by main_0: the ciphertext words it compares
// against (1627184887, 37149676) and the key bytes it loads into v9
// (18, 52, 86, 120), both written in hex here.
int main() {
    uint32_t block[2] = {0x60FCDEF7, 0x236DBEC};
    uint32_t key[4] = {0x12, 0x34, 0x56, 0x78};
    decrypt(block, key);
    // Only the first word matters: it is the value main_0 reads into v11.
    cout << block[0];
    return 0;
}
- 解出v10就是3
- 跟进sub_4113DE函数
// Locates the ".hdctf" section of the PE image at a1 (the module base) and
// XORs its bytes with a2. PE header walk:
//   *(DWORD *)(a1 + 60)          = IMAGE_DOS_HEADER.e_lfanew
//   e_lfanew + 6                 = IMAGE_FILE_HEADER.NumberOfSections (WORD)
//   e_lfanew + 248 (0xF8)        = first IMAGE_SECTION_HEADER (sizeof(IMAGE_NT_HEADERS32))
//   each section header is 40 bytes; dword 3 = VirtualAddress, dword 4 = SizeOfRawData.
// Returns the result of sub_411221 when the section is found, else
// NumberOfSections.
int __cdecl sub_414B00(int a1, int a2)
{
int result; // eax
int i; // [esp+E8h] [ebp-44h]
char *Str1; // [esp+F4h] [ebp-38h]   -- current IMAGE_SECTION_HEADER (Name is its first field)
__int16 v5; // [esp+118h] [ebp-14h]   -- NumberOfSections
__CheckForDebuggerJustMyCode(&unk_425036);
v5 = *(_WORD *)(*(_DWORD *)(a1 + 60) + a1 + 6);
Str1 = (char *)(a1 + *(_DWORD *)(a1 + 60) + 248);
for ( i = 0; ; ++i )
{
result = v5;
if ( i >= v5 )
break;
// Name is an 8-byte field that is not NUL-terminated when all 8 bytes are
// used; strcmp is fine for ".hdctf" (6 chars) but would read past Name for
// 8-char section names -- observation about the target, not a fix.
if ( !j_strcmp(Str1, ".hdctf") )
return sub_411221(*((_DWORD *)Str1 + 3) + a1, *((_DWORD *)Str1 + 4), a2); // (base + VirtualAddress, SizeOfRawData, key) -> byte-wise XOR, see sub_415340 below
Str1 += 40;
}
return result;
}
- 这里是SMC函数,参考文章:https://www.anquanke.com/post/id/238645
- 找到被加密的代码段
.hdctf:0041D00C 8E BE 37 FF FC FC BA F0 03 03+dd 0FF37BE8Eh, 0F0BAFCFCh, 0BB030303h, 0CFCFCFCFh, 7A2A8F0h, 30034123h, 0FF468AC6h, 415335BAh, 478BEB03h
.hdctf:0041D00C 03 BB CF CF CF CF F0 A8 A2 07+dd 46C5FCFCh, 46C50CD7h, 46C597D6h, 46C5ADD5h, 46C5F1D4h, 46C5C3DBh, 46C554DAh, 46C5C1D9h, 46C5E3D8h
.hdctf:0041D00C 23 41 03 30 C6 8A 46 FF BA 35+dd 46C599DFh, 46C546DEh, 46C534DDh, 46C553DCh, 46C5F6E3h, 46C5A3E2h, 46C55DE1h, 46C5C8E0h, 46C52FE7h
.hdctf:0041D00C 53 41 03 EB 8B 47 FC FC C5 46+dd 46C515E6h, 46C52BE5h, 46C52AE4h, 46C5FDEBh, 46C5FCEAh, 46C530E9h, 46C545E8h, 46C50DEFh, 46C554EEh
.hdctf:0041D00C D7 0C C5 46 D6 97 C5 46 D5 AD+dd 46C581EDh, 46C521ECh, 46C551F3h, 46C525F2h, 46C528F1h, 46C56DF0h, 46C5E7F7h, 46C581F6h, 36B27F5h
.hdctf:0041D00C C5 46 D4 F1 C5 46 DB C3 C5 46+dd 69030302h, 0CF868E03h, 53FCFCFDh, 0FC4259EBh, 0FC780FCh, 530B4688h, 0FC4748EBh, 7C780FCh, 0FDC3868Ah
.hdctf:0041D00C DA 54 C5 46 D9 C1 C5 46 D8 E3+dd 77A2FCFCh, 8A0342FFh, 0FCFDAB86h, 7B0E88FCh, 8A0342FFh, 0FCFDAF8Eh, 7F1688FCh, 8A0342FFh, 0FCFDB396h
.hdctf:0041D00C C5 46 DF 99 C5 46 DE 46 C5 46+dd 83A265FCh, 650342FFh, 0FDB7868Ah, 0E89FCFCh, 342FF81h, 0FDB58E8Bh, 86C5FCFCh, 0FCFCFD9Ch, 5F86C403h
.hdctf:0041D00C DD 34 C5 46 DC 53 C5 46 E3 F6+dd 3FCFCFFh, 0C4030303h, 0FCFF7786h, 30303FCh, 880CE803h, 0FCFF7786h, 2C380FCh, 0FF77868Ah, 0BE82FCFCh
.hdctf:0041D00C C5 46 E2 A3 C5 46 E1 5D C5 46+dd 0FCFCFF77h, 3030203h, 8688477Eh, 0FCFCFF77h, 0FF778E89h, 8F8BFCFCh, 0FCFE9706h, 0AB868EFCh, 53FCFCFDh
.hdctf:0041D00C E0 C8 C5 46 E7 2F C5 46 E6 15+dd 0FC40ACEBh, 7C780FCh, 8688CB88h, 0FCFCFF77h, 0F2F4D130h, 0FF778688h, 8F89FCFCh, 0FCFDAB16h, 68F8BFCh
.hdctf:0041D00C C5 46 E5 2B C5 46 E4 2A C5 46+dd 0FCFCFF8Fh, 86C4A2E8h, 0FCFCFF77h, 3030303h, 86880CE8h, 0FCFCFF77h, 8A02C380h, 0FCFF7786h, 77BE82FCh
.hdctf:0041D00C EB FD C5 46 EA FC C5 46 E9 30+dd 3FCFCFFh, 7E030302h, 7786887Ch, 0CFCFCFFh, 97068FB5h, 0FCFCFEh, 0FCFF5F8Eh, 779688FCh, 0CFCFCFFh
.hdctf:0041D00C C5 46 E8 45 C5 46 EF 0D C5 46+dd 8F1687B5h, 0FCFCFFh, 0FCE282CBh, 7A830303h, 0CA824A0Bh, 0FCFCFC03h, 5F8E8A42h, 88FCFCFFh, 0FCFF7786h
.hdctf:0041D00C EE 54 C5 46 ED 81 C5 46 EC 21+dd 68F89FCh, 0FCFCFE97h, 0FF808E8Bh, 8688FCFCh, 0FCFCFF77h, 0FF5F8E88h, 9789FCFCh, 0FCFE970Eh, 6978BFCh
.hdctf:0041D00C C5 46 F3 51 C5 46 F2 25 C5 46+dd 0FCFCFE97h, 0FF5F8688h, 8E89FCFCh, 0FCFCFF80h, 97068F8Bh, 0EAFCFCFEh, 0FCFCFC65h, 0FF6B86C4h, 303FCFCh
.hdctf:0041D00C F1 28 C5 46 F0 6D C5 46 F7 E7+dd 86880303h, 0FCFCFF6Bh, 0FF77868Ah, 86C4FCFCh, 0FCFCFF53h, 3030303h, 86880CE8h, 0FCFCFF53h, 8A02C380h
.hdctf:0041D00C C5 46 F6 81 C5 46 F5 27 6B 03+dd 0FCFF5386h, 538688FCh, 38FCFCFFh, 0FCFDC386h, 0D88E0CFCh, 88030303h, 0FCFF7786h, 2C380FCh, 303FC26h
.hdctf:0041D00C 02 03 03 69 03 8E 86 CF FD FC+dd 4B047A83h, 0FCFC030Eh, 868A43FCh, 0FCFCFF77h, 0FF778688h, 0B50CFCFCh, 0FE97068Fh, 8E00FCFCh, 0FCFCFF6Bh
.hdctf:0041D00C FC 53 EB 59 42 FC FC 80 C7 0F+dd 3FCE282h, 0B7A8303h, 3CA824Ah, 42FCFCFCh, 0FF6B8E8Ah, 8688FCFCh, 0FCFCFF77h, 97068F89h, 8BFCFCFEh
.hdctf:0041D00C 88 46 0B 53 EB 48 47 FC FC 80+dd 0FCFF808Eh, 778688FCh, 88FCFCFFh, 0FCFF6B8Eh, 0E9789FCh, 0FCFCFE97h, 9706978Bh, 88FCFCFEh, 0FCFF6B86h
.hdctf:0041D00C C7 07 8A 86 C3 FD FC FC A2 77+dd 808E89FCh, 8BFCFCFFh, 0FE97068Fh, 4688FCFCh, 5386000Bh, 0CFCFCFFh, 96880BBDh, 0FCFCFF77h, 1687B50Ch
.hdctf:0041D00C FF 42 03 8A 86 AB FD FC FC 88+dd 0FCFCFE97h, 0FF6B9688h, 0B50CFCFCh, 0FE971697h, 0C100FCFCh, 303FC26h, 4B047A83h, 0FCFC030Eh, 0B50C43FCh
.hdctf:0041D00C 0E 7B FF 42 03 8A 8E AF FD FC+dd 0FE970687h, 0CB30FCFCh, 0FF539688h, 8F8BFCFCh, 0FCFDCF16h, 0FC07EAFCh, 86C4FCFCh, 0FCFCFF47h, 3030302h
.hdctf:0041D00C FC 88 16 7F FF 42 03 8A 96 B3+dd 530B4688h, 0FC42B0EBh, 7C780FCh, 7720FB80h, 4786C409h, 3FCFCFFh, 0C4030303h, 0FCFF3B86h, 30303FCh
.hdctf:0041D00C FD FC FC 65 A2 83 FF 42 03 65+dd 880CE803h, 0FCFF3B86h, 2C380FCh, 0FF3B868Ah, 468EFCFCh, 7EEB53D7h, 80FCFC42h, 863A07C7h, 0FCFCFF3Bh
.hdctf:0041D00C 8A 86 B7 FD FC FC 89 0E 81 FF+dd 86882870h, 0FCFCFF3Bh, 64FB50Ch, 3B9688D7h, 0CFCFCFFh, 0CF1687B5h, 38FCFCFDh, 0C40F77CBh, 0FCFF4786h
.hdctf:0041D00C 42 03 8B 8E B5 FD FC FC C5 86+dd 30303FCh, 0E801E803h, 47BE80B1h, 3FCFCFFh, 8B6B0C77h, 0EB0342FFh, 0FCFC3E58h, 0E807C780h, 0FF976B0Eh
.hdctf:0041D00C 9C FD FC FC 03 C4 86 5F FF FC+dd 4FEB0342h, 80FCFC3Eh, 885107C7h, 168E53CEh, 342D73Bh, 0FC3DEBEBh, 5C595BFCh, 4E88585Dh, 0EBCE30FFh
.hdctf:0041D00C FC 03 03 03 03 C4 86 77 FF FC+dd 0FCFC3D01h, 64FC782h, 0EF380303h, 0FC3C3CEBh, 5EE688FCh, 31C0CC0h, 3030306h, 342D743h, 0FCFCFCD7h
.hdctf:0041D00C FC 03 03 03 03 E8 0C 88 86 77+dd 3030320h, 342D788h, 0FCFCFDCFh, 3030203h, 342D787h, 0FCFCFDABh, 303030Ch, 342D783h, 0FCFCFE97h, 3030203h
.hdctf:0041D00C FF FC FC 80 C3 02 8A 86 77 FF+dd 342D77Dh, 0FCFCFF8Fh, 3030203h, 342D77Fh, 3700368h, 37A6668h, 7377766Ch, 65037776h, 364626Fh, 449h dup(0CFCFCFCFh)
.hdctf:0041D00C FC FC 82 BE 77 FF FC FC 03 02+dd 13h dup(3030303h)
.hdctf:0041E600 ?? ?? ?? ?? ?? ?? ?? ?? ?? ??+dd 280h dup(?)
- 再跟进sub_411221
// XORs a2 bytes starting at address a1 with the single-byte key a3, in place
// (the self-modifying-code step: with a3 == 3 this unpacks the .hdctf
// section). Returns the number of bytes processed, i.e. a2 (0 if a2 <= 0).
int __cdecl sub_415340(int a1, int a2, char a3)
{
int result; // eax
int i; // [esp+D0h] [ebp-8h]
__CheckForDebuggerJustMyCode(&unk_425036);
for ( i = 0; ; ++i )
{
result = i;
if ( i >= a2 )
break;
*(_BYTE *)(i + a1) ^= a3;
}
return result;
}
- 这里与3异或
- 用python脚本将这些字段还原
# Undo the SMC in the IDA database: sub_414B00 XORs every byte of the .hdctf
# section with the key recovered from the TEA check (3). The bounds below are
# read off the section dump above (it starts at 0x41D00C and runs to 0x41E600);
# sub_414B00 itself uses start = image base + VirtualAddress and
# length = SizeOfRawData from the section header -- verify the bounds against
# those if they differ.
SMC_KEY = 3
section = range(0x41d000, 0x41E600)
for addr in section:
    patch_byte(addr, get_wide_byte(addr) ^ SMC_KEY)
- 还原后就有了这段函数原本的样子,将汇编指令重新创建函数
// Flag check living in .hdctf (readable only after sub_414B00 has XORed the
// section with 3). Str is the user's flag. A textbook RC4 keyed with
// "you_are_master" is run over Str (KSA + PRGA); the keystream-XORed bytes in
// v16 are compared against the 35 expected bytes in v17. RC4 is symmetric,
// so RC4("you_are_master", v17) yields the flag.
// Layout of v13: v13[0..255] = key bytes repeated to 256 (the KSA key
// stream), v13[264..519] = the S-box. The (unsigned __int8) casts turn the
// signed chars into 0..255 indices.
int __cdecl sub_41D000(char *Str)
{
char v2; // [esp+0h] [ebp-558h]   -- never initialised; passed to sub_41114F (same decompiler artefact as in main_0)
size_t m; // [esp+190h] [ebp-3C8h]
BOOL v4; // [esp+19Ch] [ebp-3BCh]   -- final verdict
int k; // [esp+1A8h] [ebp-3B0h]
int v6; // [esp+1B4h] [ebp-3A4h]   -- KSA j
int v7; // [esp+1C0h] [ebp-398h]   -- PRGA j
int i; // [esp+1CCh] [ebp-38Ch]
int j; // [esp+1CCh] [ebp-38Ch]
int v10; // [esp+1CCh] [ebp-38Ch]   -- PRGA i
char v11; // [esp+1DBh] [ebp-37Dh]   -- swap temporaries
char v12; // [esp+1DBh] [ebp-37Dh]
char v13[540]; // [esp+1E4h] [ebp-374h]   -- key stream + S-box, see above
char v14[24]; // [esp+400h] [ebp-158h] BYREF   -- RC4 key
int v15; // [esp+418h] [ebp-140h]   -- strlen(Str)
char v16[264]; // [esp+424h] [ebp-134h] BYREF   -- RC4 output
char v17[40]; // [esp+52Ch] [ebp-2Ch] BYREF   -- expected output; only v17[0..34] are written
__CheckForDebuggerJustMyCode(&unk_425036);
v17[0] = 15; // expected RC4 output, as signed char values
v17[1] = -108;
v17[2] = -82;
v17[3] = -14;
v17[4] = -64;
v17[5] = 87;
v17[6] = -62;
v17[7] = -32;
v17[8] = -102;
v17[9] = 69;
v17[10] = 55;
v17[11] = 80;
v17[12] = -11;
v17[13] = -96;
v17[14] = 94;
v17[15] = -53;
v17[16] = 44;
v17[17] = 22;
v17[18] = 40;
v17[19] = 41;
v17[20] = -2;
v17[21] = -1;
v17[22] = 51;
v17[23] = 70;
v17[24] = 14;
v17[25] = 87;
v17[26] = -126;
v17[27] = 34;
v17[28] = 82;
v17[29] = 38;
v17[30] = 43;
v17[31] = 110;
v17[32] = -28;
v17[33] = -126;
v17[34] = 36;
j_memset(v16, 0, 0x100u);
v15 = j_strlen(Str);
strcpy(v14, "you_are_master"); // 14-byte RC4 key
v13[531] = 0;
v6 = 0;
for ( i = 0; i < 256; ++i ) // KSA init: S[i] = i, K[i] = key[i % keylen]
{
v13[i + 264] = i;
v13[i] = v14[i % j_strlen(v14)];
}
for ( j = 0; j < 256; ++j ) // KSA scramble: j' = (j' + S[j] + K[j]) % 256, swap S[j] and S[j']
{
v6 = ((unsigned __int8)v13[j] + v6 + (unsigned __int8)v13[j + 264]) % 256;
v11 = v13[j + 264];
v13[j + 264] = v13[v6 + 264];
v13[v6 + 264] = v11;
}
v7 = 0;
v10 = 0;
for ( k = 0; k < v15; ++k ) // PRGA: one keystream byte per input byte
{
v10 = (v10 + 1) % 256;
v7 = (v7 + (unsigned __int8)v13[v10 + 264]) % 256;
v12 = v13[v10 + 264];
v13[v10 + 264] = v13[v7 + 264];
v13[v7 + 264] = v12;
v16[k] = v13[((unsigned __int8)v13[v7 + 264] + (unsigned __int8)v13[v10 + 264]) % 256 + 264] ^ Str[k]; // out[k] = S[(S[i] + S[j]) % 256] ^ Str[k]
}
v4 = j_strlen(Str) == 35; // the flag must be exactly 35 characters
// NOTE(review): v17[35..39] are never written and none of v17[0..34] is 0,
// so j_strlen(v17) depends on whatever sits after v17 on the stack -- confirm
// in the binary how many bytes are actually compared.
for ( m = 0; m < j_strlen(v17); ++m )
{
if ( v17[m] != v16[m] )
{
v4 = 0;
break;
}
}
if ( v4 )
return sub_41114F("right!!!!", v2);
else
return sub_41114F("please try agin~", v2);
}
- 明显的RC4加密
- 直接赛博厨子一把梭哈
- HDCTF{y0u_ar3_rc4_t3a_smc_m4ster!!}