新知识:SEH(结构化异常处理)。这道题表面上的逻辑蛮简单的,先看 main 的 F5 反编译结果:
/*
 * main -- challenge entry point as decompiled by IDA (F5 output; the
 * sub_* / dword_* / loc_* / off_* names are decompiler labels, not symbols).
 *
 * Flow: read input into Buf2, transform it in place with decode() under the
 * key "litctf", compare the first 27 bytes against the hard-coded Buf1, and
 * either take the "wrong" branch (which hands control to an exception-style
 * mechanism) or print "U are right?".
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
_DWORD *v3; // eax
_DWORD *v5; // eax
char *v6; // eax
int v7; // [esp+0h] [ebp-2ACh] BYREF
int v8; // [esp+14h] [ebp-298h]
int *v9; // [esp+18h] [ebp-294h]
int v10; // [esp+1Ch] [ebp-290h] BYREF
int v11; // [esp+20h] [ebp-28Ch]
int (__cdecl *v12)(int, int, int, int, int, int); // [esp+34h] [ebp-278h]
int *v13; // [esp+38h] [ebp-274h]
int *v14; // [esp+3Ch] [ebp-270h]
void *v15; // [esp+40h] [ebp-26Ch]
int *v16; // [esp+44h] [ebp-268h]
char Buf1[27]; // [esp+68h] [ebp-244h] BYREF
char Buf2[256]; // [esp+A0h] [ebp-20Ch] BYREF
char Destination[268]; // [esp+1A0h] [ebp-10Ch] BYREF
int savedregs; // [esp+2ACh] [ebp+0h] BYREF
/* NOTE(review): v12..v16 are consecutive stack slots filled with a function
 * pointer, a global, the saved-register frame, a code label (loc_475B38) and
 * the address of a local. That has the shape of a hand-built exception
 * registration record (the SEH / C++ EH frame this writeup is about) -- the
 * exact layout is not verifiable from the F5 output. Keep the order: the
 * handler will read these slots by offset. F5 does not decompile the handler
 * at loc_475B38, which is why it only shows up under a debugger. */
v9 = &v10;
v12 = sub_4752F0;
v13 = dword_476078;
v14 = &savedregs;
v15 = &loc_475B38;
v16 = &v7;
sub_40A8F0(&v10);
sub_409B80();
v11 = -1;
/* Fill Buf2 from the global object dword_47DD80 (presumably a stream
 * extraction such as cin >> Buf2 -- confirm). No length is passed, so if it
 * really is an unbounded read, input longer than 255 bytes overruns the
 * 256-byte stack buffer Buf2. */
sub_472810(&dword_47DD80, Buf2);
/* Key is the literal "litctf" (6 bytes). decode() is the RC4 routine shown
 * below (sub_4015A0); it XORs the keystream into Buf2 in place, for
 * strlen(Buf2) bytes. */
strcpy(Destination, "litctf");
decode(Buf2, strlen(Buf2), Destination, 6u);
/* Expected ciphertext, 27 raw bytes. F5 prints them as signed char
 * (-115 == 0x8D); Buf1[24] is 0x00, which is fine because the comparison
 * below is memcmp, not a C-string compare. */
Buf1[0] = -115;
Buf1[1] = 108;
Buf1[2] = -123;
Buf1[3] = 118;
Buf1[4] = 50;
Buf1[5] = 114;
Buf1[6] = -73;
Buf1[7] = 64;
Buf1[8] = -120;
Buf1[9] = 126;
Buf1[10] = -107;
Buf1[11] = -18;
Buf1[12] = -59;
Buf1[13] = -19;
Buf1[14] = 46;
Buf1[15] = 113;
Buf1[16] = 55;
Buf1[17] = -15;
Buf1[18] = 74;
Buf1[19] = -103;
Buf1[20] = 53;
Buf1[21] = 24;
Buf1[22] = -89;
Buf1[23] = -80;
Buf1[24] = 0;
Buf1[25] = -106;
Buf1[26] = -73;
/* Only the first 27 bytes are compared; anything after them in Buf2 is
 * ignored, so a longer input with a matching 27-byte prefix also passes.
 * v8 == 0 means match. */
v8 = memcmp(Buf1, Buf2, 27u);
if ( v8 )
{
v11 = 1;
v5 = print(&dword_47DF60, "U are wrong?");
sub_46FBA0(v5);
/* Allocate a 4-byte object, store the Buf2 pointer in it, and pass it to
 * sub_475190 together with a static descriptor (off_483660). This has the
 * shape of a C++ throw of a char* (exception object + type descriptor --
 * verify against the callee). If so the call never returns here, which is
 * why there is no else below and why the "wrong" path ends up in the
 * exception handler rather than printing "U are right?". */
v6 = sub_474310(4);
*v6 = Buf2;
sub_475190(v6, &off_483660, 0);
}
v11 = 1;
v3 = print(&dword_47DF60, "U are right?");
sub_46FBA0(v3);
sub_40AA70(v9);
return v8;
}
main 的逻辑比较简单:读入输入,用密钥 "litctf" 调用 decode 原地变换一次,再和 27 字节的硬编码数据 Buf1 做 memcmp。接下来看一下 decode(即 sub_4015A0):
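/*
 * sub_4015A0 (called decode() from main) -- plain RC4 applied in place.
 *
 * Cleaned-up version of the F5 output. The decompiled listing as pasted had
 * lost the `& 0xFF` masks on the S-box indices (the LOBYTE() assignments),
 * typed the two pointers as int, and relied on the S-box and the key
 * schedule being adjacent on the stack (`v5 != v16`, `v5[255]`). None of
 * that changes the algorithm: standard KSA over a 256-byte key schedule
 * built by repeating the key, then the standard PRGA whose keystream is
 * XORed into the buffer byte by byte.
 *
 * a1: buffer of a2 bytes, XORed in place with the keystream.
 * a2: number of bytes to process; 0 is a no-op.
 * a3: key bytes.
 * a4: key length in bytes. Must be non-zero: the original computed
 *     `i % a4` unguarded, so a zero-length key was a division by zero.
 *
 * Returns the number of bytes processed (a2), or -1 when a4 == 0, a2 < 0,
 * or a required pointer is NULL. The F5 output returned a leftover register
 * value; main() ignores the result either way.
 *
 * Encryption and decryption are the same operation: running this twice with
 * the same key restores the original buffer. S and K hold key-derived
 * material and are not scrubbed before return (the original did not either).
 */
int sub_4015A0(void *a1, int a2, const void *a3, unsigned int a4)
{
    unsigned char *data = a1;
    const unsigned char *key = a3;
    unsigned char S[256];
    unsigned char K[256];
    unsigned int i, j;
    int n;

    if (a4 == 0 || a2 < 0 || key == NULL || (a2 > 0 && data == NULL)) {
        return -1;
    }

    /* KSA, step 1: identity permutation and key repeated to 256 bytes. */
    for (i = 0; i < 256; i++) {
        S[i] = (unsigned char)i;
        K[i] = key[i % a4];
    }

    /* KSA, step 2: j += S[i] + K[i] (mod 256), swap S[i] and S[j]. */
    for (i = 0, j = 0; i < 256; i++) {
        unsigned char t;
        j = (j + S[i] + K[i]) & 0xFF;
        t = S[i];
        S[i] = S[j];
        S[j] = t;
    }

    /* PRGA: one keystream byte per input byte, XORed in place. */
    i = 0;
    j = 0;
    for (n = 0; n < a2; n++) {
        unsigned char t;
        i = (i + 1) & 0xFF;
        j = (j + S[i]) & 0xFF;
        t = S[i];
        S[i] = S[j];
        S[j] = t;
        data[n] ^= S[(S[i] + S[j]) & 0xFF];
    }

    return a2;
}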
标准的 RC4(KSA + PRGA,密钥流原地异或回输入缓冲区),没搞什么怪。但是用密钥 "litctf" 把 Buf1 那 27 字节解出来,得到的只是 fake flag。
这道题需要动调一下,你会发现:左边是 F5 反编译出来的代码,右边那一段 F5 反编译不了(很可能就是 main 里登记的 loc_475B38 那段异常处理代码),但是程序动调时却会执行到它。
这边的代码也比较简单,把这段代码里用到的数据复制过来,按同样的方法再解一次就 OK 了。
——————————————————
最后我谈谈我对这个 enc,也就是 C++ 异常机制的理解:正常运行 ——> 程序抛出异常 ——> 异常处理代码接管(里面有真正的逻辑)——> 回到正常流程。
这道题就是:第一个 RC4 在正常流程里,第二个 RC4 在异常处理代码里面。(严格来说 C++ 的 throw/catch 在 Windows 上底层是靠 SEH 实现的,"修补机制"只是我方便理解的说法,原理上不够准确,给不想深究的同学看看,哈哈)