re刷題第七天

#re刷題第七天

回了躺家，耽擱了，繼續開始刷題吧

0x00 ReverseMe-120

還是老套路，載入IDA，看了下大致的邏輯，是比較清楚的，關鍵點就在於401000這個函數，簡單的動態調試了一下，發現是個base64解碼，算法就很清楚了，先將輸入的字符串進行base64解碼，然後在於0x25異或，最後與you_know_how_to_remove_junk_code做比較

寫出解密腳本

import base64

cipher = 'you_know_how_to_remove_junk_code'

tmp = ''
for i in range(len(cipher)):
	tmp += chr(ord(cipher[i])^0x25)

print base64.b64encode(tmp)

0x01 IgniteMe

載入IDA，F5大法

int __cdecl main(int argc, const char **argv, const char **envp)
{
  void *v3; // eax
  int v4; // edx
  void *v5; // eax
  int result; // eax
  void *v7; // eax
  void *v8; // eax
  void *v9; // eax
  size_t i; // [esp+4Ch] [ebp-8Ch]
  char v11[4]; // [esp+50h] [ebp-88h]
  char v12[28]; // [esp+58h] [ebp-80h]
  char v13; // [esp+74h] [ebp-64h]

  v3 = sub_402B30(&unk_446360, "Give me your flag:");
  sub_4013F0(v3, sub_403670);
  sub_401440(&dword_4463F0, v4, v12, 127);
  if ( strlen(v12) < 0x1E && strlen(v12) > 4 )
  {
    strcpy(v11, "EIS{");
    for ( i = 0; i < strlen(v11); ++i )
    {
      if ( v12[i] != v11[i] )
      {
        v7 = sub_402B30(&unk_446360, "Sorry, keep trying! ");
        sub_4013F0(v7, sub_403670);
        return 0;
      }
    }
    if ( v13 == '}' )
    {
      if ( sub_4011C0(v12) )
        v9 = sub_402B30(&unk_446360, "Congratulations! ");
      else
        v9 = sub_402B30(&unk_446360, "Sorry, keep trying! ");
      sub_4013F0(v9, sub_403670);
      result = 0;
    }
    else
    {
      v8 = sub_402B30(&unk_446360, "Sorry, keep trying! ");
      sub_4013F0(v8, sub_403670);
      result = 0;
    }
  }
  else
  {
    v5 = sub_402B30(&unk_446360, "Sorry, keep trying!");
    sub_4013F0(v5, sub_403670);
    result = 0;
  }
  return result;
}

可以看到代碼邏輯還是很清晰的，首先限制了輸入的長度，然後限制了輸入的flag格式，然後進入4011c0函數進行check

簡單的靜態分析了一下，4011c0函數中進行了一個大小寫反轉，遇到大寫就轉爲小寫，遇到小寫就轉爲大寫。然後有一個異或操作。最後做比較

bool __cdecl sub_4011C0(char *a1)
{
  size_t v2; // eax
  signed int v3; // [esp+50h] [ebp-B0h]
  char v4[32]; // [esp+54h] [ebp-ACh]
  int v5; // [esp+74h] [ebp-8Ch]
  int v6; // [esp+78h] [ebp-88h]
  size_t i; // [esp+7Ch] [ebp-84h]
  char v8[128]; // [esp+80h] [ebp-80h]

  if ( strlen(a1) <= 4 )
    return 0;
  i = 4;
  v6 = 0;
  while ( i < strlen(a1) - 1 )
    v8[v6++] = a1[i++];
  v8[v6] = 0;
  v5 = 0;
  v3 = 0;
  memset(v4, 0, 0x20u);
  for ( i = 0; ; ++i )
  {
    v2 = strlen(v8);
    if ( i >= v2 )
      break;
    if ( v8[i] >= 'a' && v8[i] <= 'z' )
    {
      v8[i] -= 32;
      v3 = 1;
    }
    if ( !v3 && v8[i] >= 65 && v8[i] <= 90 )
      v8[i] += 32;
    v4[i] = byte_4420B0[i] ^ sub_4013C0(v8[i]);
    v3 = 0;
  }
  return strcmp("GONDPHyGjPEKruv{{pj]X@rF", v4) == 0;
}

4013c0函數：

int __cdecl sub_4013C0(int a1)
{
  return (a1 ^ 0x55) + 72;
}

寫一個小的IDAPython腳本提取出來4420b0地址的數據

start = 0x4420b0
end = 0x4420d0
key = []
while(start<end):
    tmp = GetManyBytes(start,1)
    key.append(ord(tmp))
    start = start + 1
print key

寫出解密腳本

key = [13, 19, 23, 17, 2, 1, 32, 29, 12, 2, 25, 47, 23, 43, 36, 31, 30, 22, 9, 15, 21, 39, 19, 38, 10, 47, 30, 26, 45, 12, 34, 4]
cipher = 'GONDPHyGjPEKruv{{pj]X@rF'
flag = ''
for i in range(len(cipher)):
	flag += chr(((ord(cipher[i])^key[i])-72)^0x55)

print flag

將解密出來的flag，大小寫轉換後加上flag格式就是正確的flag