0
点赞
收藏
分享

微信扫一扫

buu-[ACTF新生赛2020]easyre

妖妖妈 2022-02-08 阅读 71
安全

查看文件信息
在这里插入图片描述
32位,UPX脱壳
查看main函数

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4; // [esp+12h] [ebp-2Eh]
  char v5; // [esp+13h] [ebp-2Dh]
  char v6; // [esp+14h] [ebp-2Ch]
  char v7; // [esp+15h] [ebp-2Bh]
  char v8; // [esp+16h] [ebp-2Ah]
  char v9; // [esp+17h] [ebp-29h]
  char v10; // [esp+18h] [ebp-28h]
  char v11; // [esp+19h] [ebp-27h]
  char v12; // [esp+1Ah] [ebp-26h]
  char v13; // [esp+1Bh] [ebp-25h]
  char v14; // [esp+1Ch] [ebp-24h]
  char v15; // [esp+1Dh] [ebp-23h]
  int v16; // [esp+1Eh] [ebp-22h]
  int v17; // [esp+22h] [ebp-1Eh]
  int v18; // [esp+26h] [ebp-1Ah]
  __int16 v19; // [esp+2Ah] [ebp-16h]
  char v20; // [esp+2Ch] [ebp-14h]
  char v21; // [esp+2Dh] [ebp-13h]
  char v22; // [esp+2Eh] [ebp-12h]
  int v23; // [esp+2Fh] [ebp-11h]
  int v24; // [esp+33h] [ebp-Dh]
  int v25; // [esp+37h] [ebp-9h]
  char v26; // [esp+3Bh] [ebp-5h]
  int i; // [esp+3Ch] [ebp-4h]

  sub_401A10();
  v4 = 42;
  v5 = 70;
  v6 = 39;
  v7 = 34;
  v8 = 78;
  v9 = 44;
  v10 = 34;
  v11 = 40;
  v12 = 73;
  v13 = 63;
  v14 = 43;
  v15 = 64;
  printf("Please input:");
  scanf("%s", &v19);
 if ( v19 != 'A' || HIBYTE(v19) != 'C' || v20 != 'T' || v21 != 'F' || v22 != '{' || v26 != '}' )
 //ACTF{}
    return 0;
  v16 = v23;
  v17 = v24;
  v18 = v25;
  for ( i = 0; i <= 11; ++i )
  {
    if ( *(&v4 + i) != byte_402000[*((char *)&v16 + i) - 1] )
      return 0;
  }
  printf("You are correct!");
  return 0;
}

byte_402000,包括7E的
在这里插入图片描述
16进制视角
在这里插入图片描述

for循环0-11应该就是12位的flag
数组v4的值是byte_402000以[v16+i-1]为下标所对应的值

放上exp

byte_402000 = '~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-,+*)(\'&%$# !"'

v4 = [42,70,39,34,78,44,34,40,73,63,43,64]

flag = ''

for i in v4:
    flag += chr(byte_402000.find(chr(i)) + 1)

print(flag)

flag{U9X_1S_W6@T?}

对flag存放的地址没太搞懂
翻了好几页的wp发现有些wp的逆向是这样的,可能是脱壳工具不一样

 1 int __cdecl main(int argc, const char **argv, const char **envp)
 2 {
 3   _BYTE v4[12]; // [esp+12h] [ebp-2Eh] BYREF
 4   _DWORD v5[3]; // [esp+1Eh] [ebp-22h]
 5   _BYTE v6[5]; // [esp+2Ah] [ebp-16h] BYREF
 6   int v7; // [esp+2Fh] [ebp-11h]
 7   int v8; // [esp+33h] [ebp-Dh]
 8   int v9; // [esp+37h] [ebp-9h]
 9   char v10; // [esp+3Bh] [ebp-5h]
10   int i; // [esp+3Ch] [ebp-4h]
11 
12   sub_401A10();
13   qmemcpy(v4, "*F'\"N,\"(I?+@", sizeof(v4));
14   printf("Please input:");
15   scanf("%s", v6);
16   if ( v6[0] != 'A' || v6[1] != 'C' || v6[2] != 'T' || v6[3] != 'F' || v6[4] != '{' || v10 != '}' )
17     return 0;
18   v5[0] = v7;
19   v5[1] = v8;
20   v5[2] = v9;
21   for ( i = 0; i <= 11; ++i )
22   {
23     if ( v4[i] != byte_402000[*((char *)v5 + i) - 1] )
24       return 0;
25   }
26   printf("You are correct!");
27   return 0;
28 }

v4是*F’“N,”(I?+@
然后flag存在v5里
v5分为三组,v7,v8,v9
(恍然大悟.jpg)
漏了这一步,三个int刚好12字节,对应v4-v15
v19-v22对应ACTF{
v23-v25为flag
v26为}
在这里插入图片描述
翻了7页的百度,下次要注意了

举报

相关推荐

0 条评论