ida又停了,说明里边放了花指令,还好不太花,可以解决,前边jb,jnb说明怎么着也得跳到990但是98F的E1被认成指令,所以这这里要把98F位置的E1改为90 然后后边的认成数据的部分按c重新识别成代码。
.text:0000000000000988 48 31 C0 xor rax, rax
.text:000000000000098B 72 03 jb short near ptr loc_98F+1
.text:000000000000098B
.text:000000000000098D 73 01 jnb short near ptr loc_98F+1
.text:000000000000098D
.text:000000000000098F
.text:000000000000098F loc_98F: ; CODE XREF: .text:000000000000098B↑j
.text:000000000000098F ; .text:000000000000098D↑j
.text:000000000000098F E1 48 loope near ptr loc_9D6+3
.text:000000000000098F
.text:0000000000000991 8D 3D 69 0C 00 00 lea edi, aPlzTellMeTheSh ; "plz tell me the shortest password1:"
.text:0000000000000997 E8 84 FC FF FF call _puts
这样的地方有几个,都作完,在main头部按P生成函数头就可以F5了,如果生不成下边有提示花指令的位置。
反编译后发现加密分3部分:
第1块是个迷宫,不同的是是个3维迷宫
strcpy(
v17,
"**************.****.**s..*..******.****.***********..***..**..#*..***..***.********************.**..*******..**...*..*.*.**.*");
v9[0] = 0LL;
v9[1] = 0LL;
v10 = 0;
v7 = &v17[22];
strcpy(v8, "sctf_9102");
puts("plz tell me the shortest password1:");
scanf("%s", v15);
v6 = 1;
while ( v6 )
{
v4 = *((_BYTE *)v15 + v5);
switch ( v4 )
{
case 'w':
v7 -= 5;
break;
case 's':
v7 += 5;
break;
case 'd':
++v7;
break;
case 'a':
--v7;
break;
case 'x':
v7 += 25;
break;
case 'y':
v7 -= 25;
break;
default:
v6 = 0;
break;
}
++v5;
if ( *v7 != 46 && *v7 != 35 )
v6 = 0;
if ( *v7 == 35 )
{
puts("good!you find the right way!\nBut there is another challenge!");
break;
}
这个写程序搞很耗里的,规模不大还是手工来吧,手工从s走到#
ddwwxxssxaxwwaasasyywwdd
第2段是变表base64,这个也容易
unsigned __int64 __fastcall sub_C22(const char *a1, __int64 a2)
{
int v2; // eax
int v3; // eax
int v4; // eax
int v6; // [rsp+14h] [rbp-24Ch]
int v7; // [rsp+18h] [rbp-248h]
int v8; // [rsp+1Ch] [rbp-244h]
int v9; // [rsp+20h] [rbp-240h]
int v10; // [rsp+24h] [rbp-23Ch]
int v11; // [rsp+28h] [rbp-238h]
int v12; // [rsp+2Ch] [rbp-234h]
const char *v13; // [rsp+48h] [rbp-218h]
int v14[130]; // [rsp+50h] [rbp-210h] BYREF
unsigned __int64 v15; // [rsp+258h] [rbp-8h]
v15 = __readfsqword(0x28u);
qmemcpy(v14, &unk_1740, 0x200uLL);
v7 = 3;
v6 = 0;
v9 = 0;
v10 = 0;
v11 = strlen(a1);
v13 = a1;
while ( 1 )
{
v12 = 0;
if ( v9 < v11 )
break;
LABEL_7:
if ( v9 >= v11 )
goto LABEL_8;
}
do
{
if ( a1[v9] != 25 )
break;
++v9;
++v12;
}
while ( v9 < v11 );
if ( v9 != v11 )
{
++v9;
goto LABEL_7;
}
LABEL_8:
v8 = 0;
while ( v11 > 0 )
{
v7 -= v14[*v13] == 64;
v6 = v14[*v13] & 0x3F | (v6 << 6);
if ( ++v8 == 4 )
{
v8 = 0;
if ( v7 )
{
v2 = v10++;
*(_BYTE *)(v2 + a2) = BYTE2(v6);
}
if ( v7 > 1 )
{
v3 = v10++;
*(_BYTE *)(v3 + a2) = BYTE1(v6);
}
if ( v7 > 2 )
{
v4 = v10++;
*(_BYTE *)(v4 + a2) = v6;
}
}
++v13;
--v11;
}
return __readfsqword(0x28u) ^ v15;
}
第3块是类SM4
这个加密的时候没用到密钥,CK,FK也就都没有了,直接是a4=a0^f(a1^a2^a3)一共26轮。f是查box再循环移位。这里用到的BOX是标准的没有变动。可以用a0 = a4^f(a1^a2^a3) 从后向前一轮轮还原。
__int64 __fastcall sub_FFA(char *a1)
{
int v2; // [rsp+18h] [rbp-158h]
int i; // [rsp+18h] [rbp-158h]
int v4; // [rsp+1Ch] [rbp-154h]
unsigned int v5; // [rsp+24h] [rbp-14Ch]
unsigned int v6; // [rsp+28h] [rbp-148h]
unsigned int v7; // [rsp+2Ch] [rbp-144h]
int v8[16]; // [rsp+30h] [rbp-140h]
int v9[16]; // [rsp+70h] [rbp-100h]
int v10[26]; // [rsp+B0h] [rbp-C0h]
unsigned int v11; // [rsp+118h] [rbp-58h]
unsigned int v12; // [rsp+11Ch] [rbp-54h]
unsigned int v13; // [rsp+120h] [rbp-50h]
unsigned int v14; // [rsp+124h] [rbp-4Ch]
unsigned __int64 v15; // [rsp+168h] [rbp-8h]
v15 = __readfsqword(0x28u);
v8[0] = 190;
v8[1] = 4;
v8[2] = 6;
v8[3] = 128;
v8[4] = 197;
v8[5] = 175;
v8[6] = 118;
v8[7] = 71;
v8[8] = 159;
v8[9] = 204;
v8[10] = 64;
v8[11] = 31;
v8[12] = 216;
v8[13] = 191;
v8[14] = 146;
v8[15] = 239;
v5 = (a1[6] << 8) | (a1[5] << 16) | (a1[4] << 24) | a1[7];
v6 = (a1[10] << 8) | (a1[9] << 16) | (a1[8] << 24) | a1[11];
v7 = (a1[14] << 8) | (a1[13] << 16) | (a1[12] << 24) | a1[15];
v4 = 0;
v2 = 4;
v10[0] = sub_78A((a1[2] << 8) | (a1[1] << 16) | (*a1 << 24) | (unsigned int)a1[3]);
v10[1] = sub_78A(v5);
v10[2] = sub_78A(v6);
v10[3] = sub_78A(v7); // 转大端
do // 类SM4,加密至30,26轮无CK
{
v10[v2] = sub_143B(
(unsigned int)v10[v4],
(unsigned int)v10[v4 + 1],
(unsigned int)v10[v4 + 2],
(unsigned int)v10[v4 + 3]);
++v4;
++v2;
}
while ( v2 <= 29 );
v9[0] = HIBYTE(v11);
v9[1] = BYTE2(v11);
v9[2] = BYTE1(v11);
v9[3] = (unsigned __int8)v11;
v9[4] = HIBYTE(v12);
v9[5] = BYTE2(v12);
v9[6] = BYTE1(v12);
v9[7] = (unsigned __int8)v12;
v9[8] = HIBYTE(v13);
v9[9] = BYTE2(v13);
v9[10] = BYTE1(v13);
v9[11] = (unsigned __int8)v13;
v9[12] = HIBYTE(v14);
v9[13] = BYTE2(v14);
v9[14] = BYTE1(v14);
v9[15] = (unsigned __int8)v14;
for ( i = 0; i <= 15; ++i )
{
if ( v9[i] != v8[i] )
return 0xFFFFFFFFLL;
}
return 1LL;
}
// a5 = a1 ^f(a2^a3^a4)
__int64 __fastcall sub_143B(int a1, int a2, int a3, unsigned int a4)
{
return a1 ^ (unsigned int)sub_1464(a2 ^ a3 ^ a4);
}
//f 查BOX再循环移位异或
__int64 __fastcall sub_1464(unsigned int a1)
{
int v2; // [rsp+18h] [rbp-498h]
int v3[290]; // [rsp+20h] [rbp-490h] BYREF
unsigned __int64 v4; // [rsp+4A8h] [rbp-8h]
v4 = __readfsqword(0x28u);
qmemcpy(v3, &unk_1940, 0x480uLL);
v2 = (v3[BYTE2(a1)] << 16) | v3[(unsigned __int8)a1] | (v3[BYTE1(a1)] << 8) | (v3[HIBYTE(a1)] << 24);
return __ROL4__(v2, 12) ^ (unsigned int)(__ROL4__(v2, 8) ^ __ROR4__(v2, 2)) ^ __ROR4__(v2, 6);
}
最后给了flag的组成方式
puts("Congratulation!Here is your flag!:");
printf("sctf{%s-%s(%s)}", (const char *)v15, (const char *)v11, (const char *)v9);
完整的代码
#第1层三维迷宫 wsadxy表示上下左右下层上层
'''
***** *..** *..** ***** *****
***** ****. *..** ***** **..*
****. ****. ..#*. ***** *...*
****. ***** .***. ***** ..*.*
**s.. ***** .***. .**.. .**.*
'''
s1 = b'ddwwxxssxaxwwaasasyywwdd'
#第2层类base64查表
data = open('a2', 'rb').read()[0x1740: 0x1740+0x200]
from pwn import u32
tab = [u32(data[i:i+4]) for i in range(0, 0x200, 4)]
from base64 import b64encode
cipher = b64encode(b'sctf_9102')
code = b'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
s2 = bytes([tab.index(code.index(i)) for i in cipher])
print(s2)
#类SM4无密钥有box(标准)
def _rot_left(n, m):
"""循环左移"""
return ((n << m) | (n >> (32 - m))) & 0xFFFFFFFF
BOX = [0xD6, 0x90, 0xE9, 0xFE, 0xCC, 0xE1, 0x3D, 0xB7, 0x16, 0xB6, 0x14, 0xC2, 0x28, 0xFB, 0x2C, 0x05, 0x2B,
0x67, 0x9A, 0x76, 0x2A, 0xBE, 0x04, 0xC3, 0xAA, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99, 0x9C, 0x42,
0x50, 0xF4, 0x91, 0xEF, 0x98, 0x7A, 0x33, 0x54, 0x0B, 0x43, 0xED, 0xCF, 0xAC, 0x62, 0xE4, 0xB3, 0x1C,
0xA9, 0xC9, 0x08, 0xE8, 0x95, 0x80, 0xDF, 0x94, 0xFA, 0x75, 0x8F, 0x3F, 0xA6, 0x47, 0x07, 0xA7, 0xFC,
0xF3, 0x73, 0x17, 0xBA, 0x83, 0x59, 0x3C, 0x19, 0xE6, 0x85, 0x4F, 0xA8, 0x68, 0x6B, 0x81, 0xB2, 0x71,
0x64, 0xDA, 0x8B, 0xF8, 0xEB, 0x0F, 0x4B, 0x70, 0x56, 0x9D, 0x35, 0x1E, 0x24, 0x0E, 0x5E, 0x63, 0x58,
0xD1, 0xA2, 0x25, 0x22, 0x7C, 0x3B, 0x01, 0x21, 0x78, 0x87, 0xD4, 0x00, 0x46, 0x57, 0x9F, 0xD3, 0x27,
0x52, 0x4C, 0x36, 0x02, 0xE7, 0xA0, 0xC4, 0xC8, 0x9E, 0xEA, 0xBF, 0x8A, 0xD2, 0x40, 0xC7, 0x38, 0xB5,
0xA3, 0xF7, 0xF2, 0xCE, 0xF9, 0x61, 0x15, 0xA1, 0xE0, 0xAE, 0x5D, 0xA4, 0x9B, 0x34, 0x1A, 0x55, 0xAD,
0x93, 0x32, 0x30, 0xF5, 0x8C, 0xB1, 0xE3, 0x1D, 0xF6, 0xE2, 0x2E, 0x82, 0x66, 0xCA, 0x60, 0xC0, 0x29,
0x23, 0xAB, 0x0D, 0x53, 0x4E, 0x6F, 0xD5, 0xDB, 0x37, 0x45, 0xDE, 0xFD, 0x8E, 0x2F, 0x03, 0xFF, 0x6A,
0x72, 0x6D, 0x6C, 0x5B, 0x51, 0x8D, 0x1B, 0xAF, 0x92, 0xBB, 0xDD, 0xBC, 0x7F, 0x11, 0xD9, 0x5C, 0x41,
0x1F, 0x10, 0x5A, 0xD8, 0x0A, 0xC1, 0x31, 0x88, 0xA5, 0xCD, 0x7B, 0xBD, 0x2D, 0x74, 0xD0, 0x12, 0xB8,
0xE5, 0xB4, 0xB0, 0x89, 0x69, 0x97, 0x4A, 0x0C, 0x96, 0x77, 0x7E, 0x65, 0xB9, 0xF1, 0x09, 0xC5, 0x6E,
0xC6, 0x84, 0x18, 0xF0, 0x7D, 0xEC, 0x3A, 0xDC, 0x4D, 0x20, 0x79, 0xEE, 0x5F, 0x3E, 0xD7, 0xCB, 0x39,
0x48]
'''
data = open('a2', 'rb').read()[0x1940: 0x1940+0x400]
for i in range(256):
BOX[i] = data[i*4]
print(hex(BOX[i]), end=',')
if i%17 == 16:
print()
'''
def _s_box(n: int):
result = bytearray()
# 将 32bit 拆分成 4x8bit,依次进行S盒变换
for item in list(n.to_bytes(4, 'big')):
result.append(BOX[item])
return int.from_bytes(result, 'big')
#print(hex(_s_box(0x1020304)))
v8 = bytes([190,4,6,128,197,175,118,71,159,204,64,31,216,191,146,239])
v10 = [0]*30
for i in range(26,30):
v10[i] = int.from_bytes(v8[(i-26)*4: (i-26)*4+4], 'big')
#print(hex(v10[i]))
for i in range(25,-1,-1):
box_in = v10[i+1]^v10[i+2]^v10[i+3]
box_out = _s_box(box_in)
v10[i] = v10[i+4] ^ _rot_left(box_out, 12) ^ _rot_left(box_out, 8) ^ _rot_left(box_out, 30) ^ _rot_left(box_out, 26)
s3 = b''
for i in range(4):
s3 += v10[i].to_bytes(4, 'little')
print(s3)
print(b'flag{'+s1+b'-'+s2+b'('+s3+b')}')
#flag{ddwwxxssxaxwwaasasyywwdd-c2N0Zl85MTAy(fl4g_is_s0_ug1y!)}