ISCC逆向myala

最新推荐文章于 2024-05-10 10:58:59 发布
最新推荐文章于 2024-05-10 10:58:59 发布
阅读量421 收藏
点赞数
文章标签: 安全 软件工程
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_52003247/article/details/124980541
版权 
__int64 __fastcall main(int a1, char **a2, char **a3)
{
  __int64 v3; // rdx
  bool v4; // bl
  __int64 v5; // rax
  __int64 v6; // rdx
  __int64 v7; // rax
  __int64 v8; // rdx
  __int64 v9; // rax
  __int64 v10; // rsi
  __int64 v11; // rdx
  __int64 v12; // rax
  char v14; // [rsp+Fh] [rbp-1E1h] BYREF
  char v15[32]; // [rsp+10h] [rbp-1E0h] BYREF
  char v16[32]; // [rsp+30h] [rbp-1C0h] BYREF
  int v17[8]; // [rsp+50h] [rbp-1A0h] BYREF
  char v18[32]; // [rsp+70h] [rbp-180h] BYREF
  char v19[32]; // [rsp+90h] [rbp-160h] BYREF
  char v20[32]; // [rsp+B0h] [rbp-140h] BYREF
  char v21[32]; // [rsp+D0h] [rbp-120h] BYREF
  char v22[32]; // [rsp+F0h] [rbp-100h] BYREF
  char v23[32]; // [rsp+110h] [rbp-E0h] BYREF
  char v24[32]; // [rsp+130h] [rbp-C0h] BYREF
  char v25[136]; // [rsp+150h] [rbp-A0h] BYREF
  unsigned __int64 v26; // [rsp+1D8h] [rbp-18h]

  v26 = __readfsqword(0x28u);
  v17[0] = 1;
  v17[1] = 2;
  v17[2] = 3;
  v17[3] = 4;
  v17[4] = 5;
  v17[5] = 6;
  v17[6] = 7;
  std::allocator<char>::allocator(v16, a2, a3);
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(v18, "ISCCYES", v16);
  std::allocator<char>::~allocator(v16);
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(v19);
  std::operator<<<std::char_traits<char>>(&std::cout, "id: ");
  std::operator>><char>(&std::cin, v19);
  std::istream::get((std::istream *)&std::cin);
  sub_4A5A(v25, v19);
  std::allocator<char>::allocator(v16, v19, v3);
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(
    v20,
    "cfe6902ba6404626f1bcabc81e72767b",
    v16);
  std::allocator<char>::~allocator(v16);
  sub_4CE4(v24, v25);
  v4 = (unsigned int)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::compare(v24, v20) == 0;
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v24);
  if ( v4 )
  {
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(v21);
    v5 = std::operator<<<std::char_traits<char>>(&std::cout, "Please give me the flag:");
    std::ostream::operator<<(v5, &std::endl<char,std::char_traits<char>>);
    std::operator>><char>(&std::cin, v21);
    std::allocator<char>::allocator(v16, v21, v6);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(v24, "{", v16);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(v23, v21);
    sub_2A5F(v15, v23, v24);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v23);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v24);
    std::allocator<char>::~allocator(v16);
    v7 = sub_38CA(v15);
    if ( (unsigned __int8)sub_38F4(v7, "ISCC") )
    {
      std::allocator<char>::allocator(&v14, "ISCC", v8);
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(v24, "}", &v14);
      v9 = sub_391E(v15);
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(v23, v9);
      sub_2A5F(v16, v23, v24);
      v10 = sub_38CA(v16);
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator=(v21, v10);
      sub_3704(v16);
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v23);
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v24);
      std::allocator<char>::~allocator(&v14);
      std::allocator<char>::allocator(&v14, v10, v11);
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(v23, "4", &v14);
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(v22, v19);
      sub_2A5F(v16, v22, v23);
      v12 = sub_38CA(v16);
      std::operator+<char>(v24, v21, v12);
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator=(v21, v24);
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v24);
      sub_3704(v16);
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v22);
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v23);
      std::allocator<char>::~allocator(&v14);
      sub_2914(v21, v17);
      sub_29C9(v24, v21, v18);
      if ( (unsigned int)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::compare(
                           v24,
                           "rJFsLqVyFKZFEJvgerWvFpMkdmHBs5RX1ummCrv=") )
        std::operator<<<std::char_traits<char>>(&std::cout, "Wrong!");
      else
        std::operator<<<std::char_traits<char>>(&std::cout, "Correct!");
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v24);
    }
    else
    {
      std::operator<<<std::char_traits<char>>(&std::cout, "head! head! head!");
    }
    sub_3704(v15);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v21);
  }
  else
  {
    std::operator<<<std::char_traits<char>>(&std::cout, "You don't have permission to acess the file!");
  }
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v20);
  sub_3636(v25);
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v19);
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v18);
  return 0LL;
}

逆向后得到的伪C代码,发现乱乱的

先打开string的的窗口检查一下

 

而且有一处

"rJFsLqVyFKZFEJvgerWvFpMkdmHBs5RX1ummCrv="

推测存在base64

开始逆向分析 

打开sub_29c9函数,v24为函数执行结果,也就是"rJFsLqVyFKZFEJvgerWvFpMkdmHBs5RX1ummCrv=",v18是上面的"ISCCKEY",v21是sub_2914的执行结果,那么逆向就是要推出v21

__int64 __fastcall sub_29C9(__int64 a1, __int64 a2, __int64 a3)
{
  char v5[40]; // [rsp+20h] [rbp-40h] BYREF
  unsigned __int64 v6; // [rsp+48h] [rbp-18h]

  v6 = __readfsqword(0x28u);
  sub_27C6(v5, a2);
  sub_2569(a1, v5, a3);
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v5);
  return a1;
}

先把v21作为a2传入sub_27c6中

然后将执行结果和v18一起传入sub_2569

27c6和2569分别分析

__int64 __fastcall sub_27C6(__int64 a1, __int64 a2)
{
  int v3; // [rsp+14h] [rbp-1Ch]
  int v4; // [rsp+18h] [rbp-18h]
  int i; // [rsp+1Ch] [rbp-14h]

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(a1);
  v3 = 0;
  v4 = -6;
  for ( i = 0;
        i < (unsigned __int64)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::size(a2);
        ++i )
  {
    v3 = (v3 << 8)
       + *(char *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](a2, i);
    for ( v4 += 8; v4 >= 0; v4 -= 6 )
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::push_back(
        a1,
        (unsigned int)aAbcdefghijklmn[(v3 >> v4) & 0x3F]);
  }
  if ( v4 >= -5 )
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::push_back(
      a1,
      (unsigned int)aAbcdefghijklmn[(v3 << 8 >> (v4 + 8)) & 0x3F]);
  while ( (std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::size(a1) & 3) != 0 )
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::push_back(a1, 61LL);
  return a1;
}

可以推测出这是base64

看看2569

__int64 __fastcall sub_2569(__int64 a1, __int64 a2, __int64 a3)
{
  __int64 v3; // rdx
  char *v4; // rax
  char *v6; // rax
  int v7; // ebx
  char *v8; // rax
  unsigned __int64 v9; // rbx
  unsigned __int64 v10; // rax
  _BYTE *v11; // rbx
  char v14; // [rsp+23h] [rbp-4Dh] BYREF
  int i; // [rsp+24h] [rbp-4Ch]
  int v16; // [rsp+28h] [rbp-48h]
  int v17; // [rsp+2Ch] [rbp-44h]
  char v18[40]; // [rsp+30h] [rbp-40h] BYREF
  unsigned __int64 v19; // [rsp+58h] [rbp-18h]

  v19 = __readfsqword(0x28u);
  v16 = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::size(a2);
  v17 = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::size(a3);
  std::allocator<char>::allocator(&v14, a2, v3);
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(a1, v16, 120LL, &v14);
  std::allocator<char>::~allocator(&v14);
  sub_2447(v18, a2, a3);
  for ( i = 0; i < v16; ++i )
  {
    v4 = (char *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](a2, i);
    if ( isalnum(*v4)
      || *(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](a2, i) == 32 )
    {
      v6 = (char *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](a2, i);
      v7 = sub_23D9((unsigned int)*v6);
      v8 = (char *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](v18, i);
      v9 = (int)(v7 + sub_23D9((unsigned int)*v8));
      v10 = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::size(&unk_10280);
      v11 = (_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](
                       &unk_10280,
                       v9 % v10);
    }
    else
    {
      v11 = (_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](a2, i);
    }
    *(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](a1, i) = *v11;
  }
  *(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](a1, i) = 0;
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(v18);
  return a1;
}

sub_2447

__int64 __fastcall sub_2447(__int64 a1, __int64 a2, __int64 a3)
{
  __int64 v3; // rdx
  _BYTE *v4; // rbx
  char v7; // [rsp+2Fh] [rbp-21h] BYREF
  int v8; // [rsp+30h] [rbp-20h]
  int v9; // [rsp+34h] [rbp-1Ch]
  int v10; // [rsp+38h] [rbp-18h]
  int v11; // [rsp+3Ch] [rbp-14h]

  v10 = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::size(a2);
  std::allocator<char>::allocator(&v7, a2, v3);
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(a1, v10, 120LL, &v7);
  std::allocator<char>::~allocator(&v7);
  v11 = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::size(a3);
  v8 = 0;
  v9 = 0;
  while ( v8 < v10 )
  {
    if ( v9 == v11 )
      v9 = 0;
    v4 = (_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](a3, v9);
    *(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](a1, v8++) = *v4;
    ++v9;
  }
  *(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](a1, v8) = 0;
  return a1;
}

发现这个函数将字符串"ISCCKEY"循环延长到与"rJFsLqVyFKZFEJvgerWvFpMkdmHBs5RX1ummCrv="长度一样

sub_23D9

__int64 __fastcall sub_23D9(char a1)
{
  unsigned int i; // [rsp+1Ch] [rbp-14h]

  for ( i = 0;
        (int)i < (unsigned __int64)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::size(&unk_10280);
        ++i )
  {
    if ( a1 == *(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](
                           &unk_10280,
                           (int)i) )
      return i;
  }
  return 0xFFFFFFFFLL;
}

其中&unk_10280我们需要用交叉引用

int __fastcall sub_343C(int a1, int a2)
{
  __int64 v2; // rdx
  int result; // eax
  char v4[9]; // [rsp+1Fh] [rbp-11h] BYREF

  if ( a1 == 1 && a2 == 0xFFFF )
  {
    std::ios_base::Init::Init((std::ios_base::Init *)&unk_102A0);
    __cxa_atexit((void (__fastcall *)(void *))&std::ios_base::Init::~Init, &unk_102A0, &dso_handle);
    std::allocator<char>::allocator(v4, &unk_102A0, v2);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(
      &unk_10280,
      "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ",
      v4);
    std::allocator<char>::~allocator(v4);
    result = __cxa_atexit(
               (void (__fastcall *)(void *))&std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string,
               &unk_10280,
               &dso_handle);
  }
  return result;
}

发现这里有个函数是把"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 "

赋值到&unk_10280

说明sub_23D9中

 就是查找a1在

"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 "

中的位置,并返回下标

分析

其实是对base64加密后的的那个字符串和"ISCCKEY"那个字符串进行遍历

得到的两个字符分别在"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 "

中查找下标,并相加

得到的数字和strlen("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ")

取余

当做下标从&unk_10280里进行取值

赋给v24

再看2914

 

__int64 __fastcall sub_2914(__int64 a1, __int64 a2)
{
  char v2; // bl
  int v3; // er12
  __int64 result; // rax
  signed int i; // [rsp+18h] [rbp-18h]
  signed int v6; // [rsp+1Ch] [rbp-14h]

  v6 = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::size(a1);
  for ( i = 0; ; ++i )
  {
    result = (unsigned int)i;
    if ( i >= v6 )
      break;
    v2 = *(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](a1, i);
    v3 = *(_DWORD *)(4LL * (i % 7) + a2);
    *(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](a1, i) = v3 ^ v2;
  }
  return result;
}

一个简单的取余和异或

编写脚本解密

import base64
a = "ISCCYES"
b = ''
c = "rJFsLqVyFKZFEJvgerWvFpMkdmHBs5RX1ummCrv="
d = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 '
f = ''
for i in range(len(c)):
    b += a[i % len(a)]
print(b)
for i in range(len(c)-1):
    f += d[(d.find(c[i]) - d.find(b[i]) + 63) % 63]
print(base64.b64decode(f))
f='Sguawub,Rkf37Ova.S37TVzowQOWN'
g=[1,2,3,4,5,6,7]
h=''
for i in range(len(f)):
    h+=chr(ord(f[i])^(g[i%7]))
print(h)

小小姜姜
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
[C++][原创]std::__cxx11::basic_string<char, std::char_traits<char>, std::allocatorchar> >)’未定义的引用
FL1623863129的博客
12-12 932
写了个非常简单类封装,结果cmake一直报错,正当绝望时候发现类的定义时候忘记加类名,犯了一个低级错误。结果就会导致上面错误,正确是。
今天你pwn了吗(上)
蚁景网安学院
05-07 3984
前言:"二进制太难了", 一起到 buu 开始 刷题吧。这里 仅记录 下 非高分题目的 解题思路和 知识讲解。特别是文章里的函数,我特意整理了下,还请好好学习下。test...
ISCC-Amy‘s Code CTF-Reverse
最新发布
m0_72904009的博客
05-10 225
ISCC-Amy's Code CTF-Reverse
校赛writeup
Ni9htMar3的博客
12-26 1万+
第一届校赛 WEB MISC RE Crypto
在函数‘get_filename(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocatorchar> > con
xiaoqie159的博客
12-06 778
在函数‘get_filename(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, std::__cxx11::basic_string<char, std::char_traits, std::allocator >&)’中: dfwt_tick.cpp:(.text+0x200): get_filename(std::__cxx11::basic_string&l
C++函数调用解耦
Turn X7
05-17 392
C++函数调用解耦
ISCC2022题目附件
06-06
2022ISCC所有题目附件,包含ISCC2022-练武题附件和ISCC2022-擂台题附件 信息安全已涉及到国家政治、经济、文化、社会和生态文明的建设,信息系统越发展到它的高级阶段,人们对其依赖性就越强,从某种程度上讲其越...
CTF,ISCC各个隐写总结
08-29
在网络安全领域,CTF(Capture The Flag)是一种流行的比赛形式,它涉及到各种技术挑战,包括但不限于密码学、逆向工程、网络攻防以及隐写术等。ISCC( Invisible Steganographic Communication Challenge)是其中...
ISCC2021-MISC部分题目.zip
08-07
ISCC2021-MISC部分题目.zip是一个与ISCC(International Symposium on Computer Science and Convergence,国际计算机科学与融合大会)相关的压缩包文件。这个压缩包可能包含了该会议的多份论文、研究报告或者竞赛...
ISCC2021线上赛赛题.zip
05-19
ISCC2021线上赛赛题.zip wp见主页
error: undefined symbol: std::__cxx11::basic_string和std::__1::basic_string
热门推荐
Three_dog的博客
03-09 2万+
undefined symbol: cv::imwrite(cv::String const&, cv::_InputArray const&, std::__1::vector<int, std::__1::allocator > const&)
c++:错误:undefined reference to `std::__cxx11::basic_string<char, std::char_traits<char>,
mzhan017的博客
11-19 6500
编译出错的命令 g++ thread.cpp 代码 #include <iostream> #include <thread> using namespace std; int main(); class abc { friend int print(); protected: string m_string; public: string get(); }; string abc::get() { return m_string; }
gcc编译链接std::__cxx11::string和std::string的问题
weixin_30764137的博客
08-09 8590
今天公司的小伙伴遇到一个问题,这里做一个记录。 问题是这样的,他编译了公司的基础库,然后在程序中链接的时候遇到点问题,报错找不到定义。 用到的函数声明大概是这样的: void function(const std::string& in,int* out); 编译的时候显示找不到定义,报错大概是这样的: ‘function(std::__cxx11::basic_string&...
链接错误: "std::basic_string<char, std::char_traits<char>等错误
奔向火星的博客
10-21 9187
解决办法:将libstdc++.dylib换成libstdc++.6.0.9.dylib即可
"std::basic_stringbuf<char, std::char_traits<char>, std::allocator<char> >::str() const"问题的解决办法
lognic10的专栏
05-16 1万+
今天用cocos2d-x 3.6版本创建了一个新的工程,用xocde编译后出现了N多个链接错误,错误如下: Undefined symbols for architecture x86_64:   "std::basic_stringbuf, std::allocator >::str() const", referenced from:       umeng::J
std::allocator 的简单用法
oiooooio的专栏
08-11 2010
#include //shared_ptr && allocator /* * @brief * Xxx内存池 * @multi-thread-safe: NO */ class XxxMemoryPool { friend class XxxMgr; typedef std::shared_ptr XxxPtr; typedef std::allocator XxxPo
ISCC where
09-08
ISCC是指"Intelligent Self-Configuring Cluster",其中的"ISCC"表示智能自配置集群。在ISCC中,有两种集群形式,一种是分散式集群,另一种是集中式集群。在分散式集群中,每个节点都有潜力成为簇头,而在集中式集群...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值