0
点赞
收藏
分享

微信扫一扫

buu-reverse3

窗外路过了谁 2022-02-03 阅读 53
安全

23位无壳
在这里插入图片描述拖入32位ida
查看字符串
在这里插入图片描述
在这里插入图片描述
可能会用到base64编码
查看main函数的伪代码
在这里插入图片描述

__int64 __usercall main_0@<edx:eax>(int a1@<ebx>, int a2@<edi>, int a3@<esi>)
{
  int v3; // eax
  const char *v4; // eax
  size_t v5; // eax
  int v6; // edx
  __int64 v7; // ST08_8
  signed int j; // [esp+DCh] [ebp-ACh]
  signed int i; // [esp+E8h] [ebp-A0h]
  signed int v11; // [esp+E8h] [ebp-A0h]
  char Dest[108]; // [esp+F4h] [ebp-94h]
  char Str; // [esp+160h] [ebp-28h]
  char v14; // [esp+17Ch] [ebp-Ch]

  for ( i = 0; i < 100; ++i )
  {
    if ( (unsigned int)i >= 0x64 )
      j____report_rangecheckfailure(a1, a2, a3);
    Dest[i] = 0;
  }
  //初始化Dest
  sub_41132F("please enter the flag:");
  sub_411375((int)"%20s", (unsigned int)&Str);
  //读入20个字符串给Str
  v3 = j_strlen(&Str);
  //获取Str长度
  v4 = (const char *)sub_4110BE((int)&Str, v3, (int)&v14);
  //sub_4110BE函数加密
  strncpy(Dest, v4, 0x28u);
  //将v7的前40位复制给Dest
  v11 = j_strlen(Dest);
  //获取Dest的长度
  for ( j = 0; j < v11; ++j )
    Dest[j] += j;
	//对Dest的每位字符加上下标
  v5 = j_strlen(Dest);
  if ( !strncmp(Dest, Str2, v5) )
  //Str2值为'e3nifIH9b_C@n@dH'
    sub_41132F("rigth flag!\n");
  else
    sub_41132F("wrong flag!\n");
  HIDWORD(v7) = v6;
  LODWORD(v7) = 0;
  return v7;
}

跟进sub_4110BE函数

while ( v11 > 0 )
  {
    byte_41A144[2] = 0;
    byte_41A144[1] = 0;
    byte_41A144[0] = 0;
    for ( i = 0; i < 3 && v11 >= 1; ++i )
    {
      byte_41A144[i] = *v13;
      --v11;
      ++v13;
    }
    if ( !i )
      break;
    switch ( i )
    {
      case 1:
        *((_BYTE *)Dst + v7) = aAbcdefghijklmn[(signed int)(unsigned __int8)byte_41A144[0] >> 2];
        v4 = v7 + 1;
        *((_BYTE *)Dst + v4++) = aAbcdefghijklmn[((byte_41A144[1] & 0xF0) >> 4) | 16 * (byte_41A144[0] & 3)];
        *((_BYTE *)Dst + v4++) = aAbcdefghijklmn[64];
        *((_BYTE *)Dst + v4) = aAbcdefghijklmn[64];
        v7 = v4 + 1;
        break;
      case 2:
        *((_BYTE *)Dst + v7) = aAbcdefghijklmn[(signed int)(unsigned __int8)byte_41A144[0] >> 2];
        v5 = v7 + 1;
        *((_BYTE *)Dst + v5++) = aAbcdefghijklmn[((byte_41A144[1] & 0xF0) >> 4) | 16 * (byte_41A144[0] & 3)];
        *((_BYTE *)Dst + v5++) = aAbcdefghijklmn[((byte_41A144[2] & 0xC0) >> 6) | 4 * (byte_41A144[1] & 0xF)];
        *((_BYTE *)Dst + v5) = aAbcdefghijklmn[64];
        v7 = v5 + 1;
        break;
      case 3:
        *((_BYTE *)Dst + v7) = aAbcdefghijklmn[(signed int)(unsigned __int8)byte_41A144[0] >> 2];
        v6 = v7 + 1;
        *((_BYTE *)Dst + v6++) = aAbcdefghijklmn[((byte_41A144[1] & 0xF0) >> 4) | 16 * (byte_41A144[0] & 3)];
        *((_BYTE *)Dst + v6++) = aAbcdefghijklmn[((byte_41A144[2] & 0xC0) >> 6) | 4 * (byte_41A144[1] & 0xF)];
        *((_BYTE *)Dst + v6) = aAbcdefghijklmn[byte_41A144[2] & 0x3F];
        v7 = v6 + 1;
        break;
    }
  }
  *((_BYTE *)Dst + v7) = 0;
  return Dst;
}

以及aAbcdefghijklmn的值
在这里插入图片描述

有点难看
先转Str2

a = "e3nifIH9b_C@n@dH"
b = ""

for i in range(0,len(a)):
	b += chr(ord(a[i]) - i)
	
print(b)

得到e2lfbDB2ZV95b3V9
然后根据哈希表和string的提示尝试base64解密
得到{i_l0ve_you}

举报

相关推荐

第二周buu

flaskpython后端

buuctf-逆向-reverse3

系统安全

[BUU-WriteUp]rip

wp网络安全pwn信息安全python

BUU [HCTF 2018]Hideandseek

全文检索neo4j知识图谱

buu-re-CrackRTF

网络安全安全

buu-day08

服务器mysql数据库

buu-SimpleRev

安全

REVERSE-COMPETITION-HGAME2022-Week3

安全系统安全

BUU-CTF-greatescape

sslhttps网络

BUU CODE REVIEW 1

web安全
0 条评论