基本面
32位 ASPack壳 既然是签到题应该不会太难把
手动脱壳
直接ESP定律就可以了
可以参考之前写过的帖子 基本一样
https://blog.csdn.net/weixin_49764009/article/details/122059947
注意入口的位置
这个位置才是正确的入口位置 一开始找错了 真是给我整不会了
静态分析
int __cdecl main(int argc, const char **argv, const char **envp)
{
unsigned __int8 Dest[50]; // [esp+1Ch] [ebp-74h] BYREF
char Str[50]; // [esp+4Eh] [ebp-42h] BYREF
__time32_t Time; // [esp+80h] [ebp-10h] BYREF
int v7; // [esp+84h] [ebp-Ch]
int v8; // [esp+88h] [ebp-8h]
struct tm *v9; // [esp+8Ch] [ebp-4h]
sub_40DCF0();
time(&Time);
v9 = gmtime(&Time);
sub_47C7D0(&dword_487F00, Str);
if ( strlen(Str) != 42 )
{
sub_47BAB0(&dword_488140, aWrong);
exit(0);
}
if ( Str[0] != 68 || Str[1] != 65 || Str[2] != 83 || Str[3] != 67 || Str[4] != 84 || Str[5] != 70 )
{
sub_47BAB0(&dword_488140, aWrong);
exit(0);
}
mbscpy(Dest, Str);
v8 = v9->tm_year + 1900;
v7 = 0;
sub_4019BE(Str);
sub_401771(Dest);
system(Command);
return 0;
}
前面已经提示了我们的flag长度和flag的前六位(DASCTF)
直接查找字符串 可以发现right字符串在函数 sub_401771(Dest); 中
估计主要的加密函数就在这了
着重分析一下sub_401771(Dest);
int __cdecl sub_401771(char *input)
{
int v2[50]; // [esp+1Ch] [ebp-DCh] BYREF
int v3; // [esp+E4h] [ebp-14h]
int j; // [esp+E8h] [ebp-10h]
int i; // [esp+ECh] [ebp-Ch]
v3 = strlen(input);
sub_401500();
sub_40152B();
sub_401593();
sub_401619(input, v3);
for ( i = 0; i < v3; ++i )
vv2[i] = (LOBYTE(key[i]) ^ input[i]) + 71;
memset(v2, 0, sizeof(v2));
v2[0] = -61;
v2[1] = -128;
v2[2] = -43;
v2[3] = -14;
v2[4] = -101;
v2[5] = 48;
v2[6] = 11;
v2[7] = -76;
v2[8] = 85;
v2[9] = -34;
v2[10] = 34;
v2[11] = -125;
v2[12] = 47;
v2[13] = -105;
v2[14] = -72;
v2[15] = 32;
v2[16] = 29;
v2[17] = 116;
v2[18] = -47;
v2[19] = 1;
v2[20] = 115;
v2[21] = 26;
v2[22] = -78;
v2[23] = -56;
v2[24] = -59;
v2[25] = 116;
v2[26] = -64;
v2[27] = 91;
v2[28] = -9;
v2[29] = 15;
v2[30] = -45;
v2[31] = 1;
v2[32] = 85;
v2[33] = -78;
v2[34] = -92;
v2[35] = -82;
v2[36] = 123;
v2[37] = -84;
v2[38] = 92;
v2[39] = 86;
v2[40] = -68;
v2[41] = 35;
for ( j = 0; j <= 41; ++j )
{
if ( v2[j] != vv2[j] )
exit(0);
}
return sub_47BAB0(&dword_488140, aRight);
}
后面的if ( v2[j] != vv2[j] ) 说明了 vv2数组加密之后的值应该是v2数组是相同的
题目已经给出了v2数组 所以就可以利用 vv2[i] = (LOBYTE(key[i]) ^ input[i]) + 71;
逆推出我们的input 已经知道了vv2 那么需要知道key[i]的值
但key[i]的初始值是空 所以猜测应该是经过动调就可以看到了
动态调试
断点这个位置就可向后放也行
满足长度条件和flag标识
运行后就可以发现key的值 多次验证就可以发现key的值是固定的
算法分析
既然key的值知道了直接上脚本就行了
input = [-61,-128,-43,-14,-101,48,11,-76,85,-34,34,-125,47,-105,-72,32,29,116,-47,1,115,26,-78,-56,-59,116,-64,91,-9,15,-45,1,85,-78,-92,-82,123,-84,92,86,-68,35]
flag = ''
key = [0x38, 0x78,0xDD, 0xE8,0x0,0xAF, 0xBF, 0x3A, 0x6B, 0xFB,0xB8, 0xC, 0x85, 0x35, 0x5C, 0xAD, 0xE6, 0, 0xE0, 0x8A, 0x1D, 0xBD, 0x46, 0xd2,0x2b,0,0x15,0x24,0xc6,0xad,0xa1,0xc9,0x7b,0x12,0x28,0,5,0,0x72,0x3e,0x10,0xa1]
for i in range(len(key)):
if input[i] > 71 :
input[i] = input[i] - 71
else:
input[i] = input[i] + 256 - 71
for i in range(42):
flag += chr(input[i] ^ key[i])
print(flag)
#DASCTF{Welc0me-t0-j01n-SU-l0ve-suyug1eg1e}
题目出得不错下次不要出了(lll¬ω¬)