re學習筆記（39）BUUCTF-re-[GWCTF 2019]xxor

新手一枚，如有錯誤（不足）請指正，謝謝！！
個人博客：點擊進入
題目鏈接：[GWCTF 2019]xxor

IDA載入，主要函數代碼

__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  signed int i; // [rsp+8h] [rbp-68h]
  signed int j; // [rsp+Ch] [rbp-64h]
  int v6[10]; // [rsp+10h] [rbp-60h]
  int v7[10]; // [rsp+40h] [rbp-30h]
  unsigned __int64 v8; // [rsp+68h] [rbp-8h]

  v8 = __readfsqword(0x28u);
  puts("Let us play a game?");
  puts("you have six chances to input");
  puts("Come on!");
  *(_QWORD *)v6 = 0LL;
  *(_QWORD *)&v6[2] = 0LL;
  *(_QWORD *)&v6[4] = 0LL;
  *(_QWORD *)&v6[6] = 0LL;
  *(_QWORD *)&v6[8] = 0LL;
  for ( i = 0; i <= 5; ++i )
  {
    printf("%s", "input: ", (unsigned int)i);
    __isoc99_scanf("%d", &v6[i]);
  }
  *(_QWORD *)v7 = 0LL;
  *(_QWORD *)&v7[2] = 0LL;
  *(_QWORD *)&v7[4] = 0LL;
  *(_QWORD *)&v7[6] = 0LL;
  *(_QWORD *)&v7[8] = 0LL;
  for ( j = 0; j <= 4; j += 2 )
  {
    y = v6[j];
    x = v6[j + 1];
    sub_400686((unsigned int *)&y, dword_601060);
    v7[j] = y;
    v7[j + 1] = x;
  }
  if ( (unsigned int)sub_400770(v7) != 1 )
  {
    puts("NO NO NO~ ");
    exit(0);
  }
  puts("Congratulation!\n");
  puts("You seccess half\n");
  puts("Do not forget to change input to hex and combine~\n");
  puts("ByeBye");
  return 0LL;
}

輸入6個數，然後每兩個數進入sub_400686()函數進行變換，
之後sub_400770()函數來驗證是否成功

先看sub_400770()函數

只要這些條件滿足就會返回1了，一個數學方程組，懶惰的我直接丟給Z3來解了。

xorm[0] = 3746099070,
xorm[1] = 550153460,
xorm[2] = 3774025685,
xorm[3] = 1548802262,
xorm[4] = 2652626477,
xorm[5] = 2230518816

之後看一下sub_400686()函數

寫腳本來解密，得到flag

#include <stdio.h>
int main()
{
	unsigned int xorm[6];
	xorm[0] = 3746099070;
	xorm[1] = 550153460;
	xorm[2] = 3774025685;
	xorm[3] = 1548802262;
	xorm[4] = 2652626477;
	xorm[5] = 2230518816;
	int i = 0,j=0,sum;
	unsigned int temp[2] = {0};
	unsigned int data[4] = { 2,2,3,4 };
	for (i = 0; i < 5; i += 2)
	{
		temp[0] = xorm[i];
		temp[1] = xorm[i + 1];

		sum = 0x458BCD42 * 64;
		for (j = 0; j < 64; j++)
		{
			temp[1] -= (temp[0] + sum + 20) ^ ((temp[0] << 6) + 3) ^ ((temp[0] >> 9) + 4) ^ 0x10;
			temp[0] -= (temp[1] + sum + 11) ^ ((temp[1] << 6) + 2) ^ ((temp[1] >> 9) + 2) ^ 0x20;
			sum -= 0x458BCD42;
		}
		xorm[i] = temp[0];
		xorm[i + 1] = temp[1];
	}
	for (i = 0; i < 6; i++)
		printf("%c%c%c", *((char*)&xorm[i]+2), *((char*)&xorm[i] + 1), *(char*)&xorm[i]);
}

最後得到flag爲flag{re_is_great!}

發表評論

所有評論

還沒有人評論，想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.

re學習筆記（39）BUUCTF-re-[GWCTF 2019]xxor

DAPPER 事務 TRANSACTION

re學習筆記（67）SCTF-re-signin

re學習筆記（66）第五空間智能安全大賽-re-nop

re學習筆記（65）BUUCTF - re - [GKCTF2020]Chellys identity

re學習筆記（48）BUUCTF-re-[V&N2020 公開賽]CSRe

re學習筆記（59）BUUCTF-re-[ACTF新生賽2020]Oruga

https://yachay.unat.edu.pe/blog/index.php?comment_area=format_blog&comment_component=blog&comment_co

linux以太網驅動總結