#re刷題第七天
回了躺家,耽擱了,繼續開始刷題吧
0x00 ReverseMe-120
還是老套路,載入IDA,看了下大致的邏輯,是比較清楚的,關鍵點就在於401000
這個函數,簡單的動態調試了一下,發現是個base64解碼,算法就很清楚了,先將輸入的字符串進行base64解碼,然後在於0x25異或,最後與you_know_how_to_remove_junk_code
做比較
寫出解密腳本
import base64
cipher = 'you_know_how_to_remove_junk_code'
tmp = ''
for i in range(len(cipher)):
tmp += chr(ord(cipher[i])^0x25)
print base64.b64encode(tmp)
0x01 IgniteMe
載入IDA,F5大法
int __cdecl main(int argc, const char **argv, const char **envp)
{
void *v3; // eax
int v4; // edx
void *v5; // eax
int result; // eax
void *v7; // eax
void *v8; // eax
void *v9; // eax
size_t i; // [esp+4Ch] [ebp-8Ch]
char v11[4]; // [esp+50h] [ebp-88h]
char v12[28]; // [esp+58h] [ebp-80h]
char v13; // [esp+74h] [ebp-64h]
v3 = sub_402B30(&unk_446360, "Give me your flag:");
sub_4013F0(v3, sub_403670);
sub_401440(&dword_4463F0, v4, v12, 127);
if ( strlen(v12) < 0x1E && strlen(v12) > 4 )
{
strcpy(v11, "EIS{");
for ( i = 0; i < strlen(v11); ++i )
{
if ( v12[i] != v11[i] )
{
v7 = sub_402B30(&unk_446360, "Sorry, keep trying! ");
sub_4013F0(v7, sub_403670);
return 0;
}
}
if ( v13 == '}' )
{
if ( sub_4011C0(v12) )
v9 = sub_402B30(&unk_446360, "Congratulations! ");
else
v9 = sub_402B30(&unk_446360, "Sorry, keep trying! ");
sub_4013F0(v9, sub_403670);
result = 0;
}
else
{
v8 = sub_402B30(&unk_446360, "Sorry, keep trying! ");
sub_4013F0(v8, sub_403670);
result = 0;
}
}
else
{
v5 = sub_402B30(&unk_446360, "Sorry, keep trying!");
sub_4013F0(v5, sub_403670);
result = 0;
}
return result;
}
可以看到代碼邏輯還是很清晰的,首先限制了輸入的長度,然後限制了輸入的flag格式,然後進入4011c0
函數進行check
簡單的靜態分析了一下,4011c0
函數中進行了一個大小寫反轉,遇到大寫就轉爲小寫,遇到小寫就轉爲大寫。然後有一個異或操作。最後做比較
bool __cdecl sub_4011C0(char *a1)
{
size_t v2; // eax
signed int v3; // [esp+50h] [ebp-B0h]
char v4[32]; // [esp+54h] [ebp-ACh]
int v5; // [esp+74h] [ebp-8Ch]
int v6; // [esp+78h] [ebp-88h]
size_t i; // [esp+7Ch] [ebp-84h]
char v8[128]; // [esp+80h] [ebp-80h]
if ( strlen(a1) <= 4 )
return 0;
i = 4;
v6 = 0;
while ( i < strlen(a1) - 1 )
v8[v6++] = a1[i++];
v8[v6] = 0;
v5 = 0;
v3 = 0;
memset(v4, 0, 0x20u);
for ( i = 0; ; ++i )
{
v2 = strlen(v8);
if ( i >= v2 )
break;
if ( v8[i] >= 'a' && v8[i] <= 'z' )
{
v8[i] -= 32;
v3 = 1;
}
if ( !v3 && v8[i] >= 65 && v8[i] <= 90 )
v8[i] += 32;
v4[i] = byte_4420B0[i] ^ sub_4013C0(v8[i]);
v3 = 0;
}
return strcmp("GONDPHyGjPEKruv{{pj]X@rF", v4) == 0;
}
4013c0
函數:
int __cdecl sub_4013C0(int a1)
{
return (a1 ^ 0x55) + 72;
}
寫一個小的IDAPython腳本提取出來4420b0
地址的數據
start = 0x4420b0
end = 0x4420d0
key = []
while(start<end):
tmp = GetManyBytes(start,1)
key.append(ord(tmp))
start = start + 1
print key
寫出解密腳本
key = [13, 19, 23, 17, 2, 1, 32, 29, 12, 2, 25, 47, 23, 43, 36, 31, 30, 22, 9, 15, 21, 39, 19, 38, 10, 47, 30, 26, 45, 12, 34, 4]
cipher = 'GONDPHyGjPEKruv{{pj]X@rF'
flag = ''
for i in range(len(cipher)):
flag += chr(((ord(cipher[i])^key[i])-72)^0x55)
print flag
將解密出來的flag,大小寫轉換後加上flag格式就是正確的flag