BUUCTF_N1book_RE_[第五章 CTF之RE章]BabyAlgorithm
64位,无壳
主函数:
/*
 * Decompiled entry point (IDA output). Builds the 45-byte expected buffer v8 on the
 * stack, reads a flag candidate, runs it through sub_400874 with a fixed key and
 * compares the 45 output bytes against v8. Returns 0 on every path; the verdict is
 * only printed ("Congratulations!" / "GG!").
 *
 * Notes for the reader:
 *  - v8 is a plain char array, so the constants are signed: -58 is 0xC6, -54 is 0xCA, ...
 *  - memset() zeroes 64 bytes first; qmemcpy() copies only the 3 bytes "3S1" into
 *    v8[36..38], so v8[39] stays 0x00 (the expected ciphertext has a NUL at index 39).
 *  - scanf("%63s") into s[64] is bounded; only inputs of exactly 45 chars are checked.
 *  - v9 is the stack-protector guard load; the decompiler drops the matching check.
 */
__int64 __fastcall main(int a1, char **a2, char **a3)
{
  __int64 result; // rax
  int i; // [rsp+Ch] [rbp-E4h]
  char v5[16]; // [rsp+10h] [rbp-E0h] BYREF  -- holds the 10-char key + NUL
  char s[64]; // [rsp+20h] [rbp-D0h] BYREF   -- user input
  char v7[64]; // [rsp+60h] [rbp-90h] BYREF  -- output of sub_400874
  char v8[72]; // [rsp+A0h] [rbp-50h] BYREF  -- expected 45 bytes
  unsigned __int64 v9; // [rsp+E8h] [rbp-8h]

  v9 = __readfsqword(0x28u); // stack canary (decompiler artifact, never used below)
  memset(v8, 0, 0x40uLL);
  // Expected output, byte by byte (signed char values).
  v8[0] = -58;
  v8[1] = 33;
  v8[2] = -54;
  v8[3] = -65;
  v8[4] = 81;
  v8[5] = 67;
  v8[6] = 55;
  v8[7] = 49;
  v8[8] = 117;
  v8[9] = -28;
  v8[10] = -114;
  v8[11] = -64;
  v8[12] = 84;
  v8[13] = 111;
  v8[14] = -113;
  v8[15] = -18;
  v8[16] = -8;
  v8[17] = 90;
  v8[18] = -94;
  v8[19] = -63;
  v8[20] = -21;
  v8[21] = -91;
  v8[22] = 52;
  v8[23] = 109;
  v8[24] = 113;
  v8[25] = 85;
  v8[26] = 8;
  v8[27] = 7;
  v8[28] = -78;
  v8[29] = -88;
  v8[30] = 47;
  v8[31] = -12;
  v8[32] = 81;
  v8[33] = -114;
  v8[34] = 12;
  v8[35] = -52;
  qmemcpy(&v8[36], "3S1", 3); // v8[36..38]; v8[39] keeps the 0 from memset()
  v8[40] = 64;
  v8[41] = -42;
  v8[42] = -54;
  v8[43] = -20;
  v8[44] = -44;
  puts("Input flag: ");
  __isoc99_scanf("%63s", s); // bounded read: at most 63 chars + NUL into s[64]
  if ( strlen(s) == 45 )
  {
    strcpy(v5, "Nu1Lctf233"); // fixed key handed to sub_400874
    sub_400874(v5, s, v7);   // (key, input, output)
    // Byte-wise compare; returns on the first mismatch (not constant-time).
    for ( i = 0; i <= 44; ++i )
    {
      if ( v7[i] != v8[i] )
      {
        puts("GG!");
        return 0LL;
      }
    }
    puts("Congratulations!");
    result = 0LL;
  }
  else
  {
    puts("GG!");
    result = 0LL;
  }
  return result;
}
/*
 * Decompiled entry point (IDA output). Builds the 45-byte expected buffer v8 on the
 * stack, reads a flag candidate, runs it through sub_400874 with a fixed key and
 * compares the 45 output bytes against v8. Returns 0 on every path; the verdict is
 * only printed ("Congratulations!" / "GG!").
 *
 * Notes for the reader:
 *  - v8 is a plain char array, so the constants are signed: -58 is 0xC6, -54 is 0xCA, ...
 *  - memset() zeroes 64 bytes first; qmemcpy() copies only the 3 bytes "3S1" into
 *    v8[36..38], so v8[39] stays 0x00 (the expected ciphertext has a NUL at index 39).
 *  - scanf("%63s") into s[64] is bounded; only inputs of exactly 45 chars are checked.
 *  - v9 is the stack-protector guard load; the decompiler drops the matching check.
 */
__int64 __fastcall main(int a1, char **a2, char **a3)
{
  __int64 result; // rax
  int i; // [rsp+Ch] [rbp-E4h]
  char v5[16]; // [rsp+10h] [rbp-E0h] BYREF  -- holds the 10-char key + NUL
  char s[64]; // [rsp+20h] [rbp-D0h] BYREF   -- user input
  char v7[64]; // [rsp+60h] [rbp-90h] BYREF  -- output of sub_400874
  char v8[72]; // [rsp+A0h] [rbp-50h] BYREF  -- expected 45 bytes
  unsigned __int64 v9; // [rsp+E8h] [rbp-8h]

  v9 = __readfsqword(0x28u); // stack canary (decompiler artifact, never used below)
  memset(v8, 0, 0x40uLL);
  // Expected output, byte by byte (signed char values).
  v8[0] = -58;
  v8[1] = 33;
  v8[2] = -54;
  v8[3] = -65;
  v8[4] = 81;
  v8[5] = 67;
  v8[6] = 55;
  v8[7] = 49;
  v8[8] = 117;
  v8[9] = -28;
  v8[10] = -114;
  v8[11] = -64;
  v8[12] = 84;
  v8[13] = 111;
  v8[14] = -113;
  v8[15] = -18;
  v8[16] = -8;
  v8[17] = 90;
  v8[18] = -94;
  v8[19] = -63;
  v8[20] = -21;
  v8[21] = -91;
  v8[22] = 52;
  v8[23] = 109;
  v8[24] = 113;
  v8[25] = 85;
  v8[26] = 8;
  v8[27] = 7;
  v8[28] = -78;
  v8[29] = -88;
  v8[30] = 47;
  v8[31] = -12;
  v8[32] = 81;
  v8[33] = -114;
  v8[34] = 12;
  v8[35] = -52;
  qmemcpy(&v8[36], "3S1", 3); // v8[36..38]; v8[39] keeps the 0 from memset()
  v8[40] = 64;
  v8[41] = -42;
  v8[42] = -54;
  v8[43] = -20;
  v8[44] = -44;
  puts("Input flag: ");
  __isoc99_scanf("%63s", s); // bounded read: at most 63 chars + NUL into s[64]
  if ( strlen(s) == 45 )
  {
    strcpy(v5, "Nu1Lctf233"); // fixed key handed to sub_400874
    sub_400874(v5, s, v7);   // (key, input, output)
    // Byte-wise compare; returns on the first mismatch (not constant-time).
    for ( i = 0; i <= 44; ++i )
    {
      if ( v7[i] != v8[i] )
      {
        puts("GG!");
        return 0LL;
      }
    }
    puts("Congratulations!");
    result = 0LL;
  }
  else
  {
    puts("GG!");
    result = 0LL;
  }
  return result;
}
一长串数组赋值
然后关键函数很明显是
sub_400874
/*
 * Driver for the keyed transform (decompiled as sub_400874).
 * a1: key string, a2: input bytes, a3: output buffer.
 * A 264-byte local table is first prepared from the key by sub_40067A and then
 * consumed, together with a2 and a3, by sub_400753. Always returns 0.
 */
__int64 __fastcall sub_400874(__int64 a1, __int64 a2, __int64 a3)
{
    char table[264];                                 // scratch state shared by the two stages
    unsigned __int64 guard = __readfsqword(0x28u);   // stack-protector load left in by the decompiler

    sub_40067A(a1, table);        // stage 1: derive the table from the key
    sub_400753(table, a2, a3);    // stage 2: transform a2 into a3 using the table
    return 0LL;
}
这里面又有两个函数
sub_40067A
/*
 * Key-scheduling stage (decompiled as sub_40067A).
 * Writes the identity permutation 0..255 into the byte table at a2, then walks it
 * once, mixing in the key a1 cyclically and swapping table entries through
 * sub_400646:  acc = (acc + S[i] + key[i mod keylen]) mod 256; swap(S[i], S[acc]).
 * This is the RC4 KSA shape the writeup points at (the "% 256" feature).
 * a1 must be a non-empty C string (keylen of 0 would divide by zero). Always returns 0.
 */
__int64 __fastcall sub_40067A(const char *a1, __int64 a2)
{
    unsigned char *table = (unsigned char *)a2;
    int keylen = strlen(a1);
    int acc = 0;
    int idx;

    for (idx = 0; idx < 256; ++idx) {
        table[idx] = idx;
    }
    for (idx = 0; idx < 256; ++idx) {
        /* a1[] is plain char: a key byte >= 0x80 is sign-extended here, so acc could
           go negative exactly as in the original (C's % keeps the sign). The key used
           by main() is ASCII, so this does not matter for the challenge. */
        acc = (table[idx] + acc + a1[idx % keylen]) % 256;
        sub_400646(idx + a2, a2 + acc);
    }
    return 0LL;
}
sub_400753
/*
 * Stream stage (decompiled as sub_400753).
 * a1: 256-byte table prepared by sub_40067A, a2: input C string, a3: output buffer.
 * For each input byte: i = (i+1) mod 256; j = (j + S[i]) mod 256; swap(S[i], S[j]);
 * out = in ^ S[(S[i] + S[j]) & 0xff]. This is the RC4 PRGA shape.
 * The length comes from strlen(a2), so processing stops at the first NUL of the input
 * and the output is exactly strlen(a2) bytes with no terminator. Always returns 0.
 */
__int64 __fastcall sub_400753(__int64 a1, const char *a2, __int64 a3)
{
    unsigned char *table = (unsigned char *)a1;
    unsigned char *out = (unsigned char *)a3;
    size_t len = strlen(a2);
    int i = 0;
    int j = 0;

    for (size_t pos = 0; pos < len; ++pos) {
        i = (i + 1) % 256;
        j = (j + table[i]) % 256;
        sub_400646(i + a1, a1 + j);
        /* keystream index is the 8-bit truncation of S[i] + S[j] */
        unsigned char k = (unsigned char)(table[i] + table[j]);
        out[pos] = a2[pos] ^ table[k];
    }
    return 0LL;
}
其实这两个函数都有一个共同的特征
%256
典型的RC4的特征
那么主函数的strcpy就是key密钥
Nu1Lctf233
但是有个问题：数组直接转成字符串是乱码，这里先把它 utf-8 编码再 base64，就可以得到一段可以复制的密文。注意 utf-8 会把 0x80 以上的字节扩成两个字节（例如 0xC6 变成 C3 86），所以下面这串 base64 对应的是 utf-8 文本而不是原始密文字节，解密时要按同样的方式还原。
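import base64

# Expected output bytes lifted from main()'s v8[] (the signed char constants, as unsigned).
# Index 39 is 0x00: qmemcpy() only writes "3S1" into v8[36..38] and memset() zeroed the rest.
a=[0xc6,0x21,0xca,0xbf,0x51,0x43,0x37,0x31,0x75,0xe4,0x8e,0xc0,0x54,0x6f,0x8f,0xee,0xf8,0x5a,0xa2,0xc1,0xeb,0xa5,0x34,0x6d,0x71,0x55,0x8,0x7,0xb2,0xa8,0x2f,0xf4,0x51,0x8e,0xc,0xcc,0x33,0x53,0x31,0x0,0x40,0xd6,0xca,0xec,0xd4]

# Original writeup path: turn each byte value into a code point and base64 the UTF-8 text.
# NOTE: chr(i).encode('utf-8') expands every value >= 0x80 into a two-byte sequence
# (0xC6 -> C3 86), so this base64 encodes the UTF-8 text (67 bytes), not the 45 raw bytes.
s = "".join(chr(i) for i in a)
print(s)
print(str(base64.b64encode(s.encode('utf-8')), 'utf-8'))

# Raw ciphertext base64 (45 bytes -> 60 chars): what a standard RC4 decoder expects as input.
raw_b64 = base64.b64encode(bytes(a)).decode('ascii')
print(raw_b64)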
w4Yhw4rCv1FDNzF1w6TCjsOAVG/Cj8Ouw7hawqLDgcOrwqU0bXFVCAfCssKoL8O0UcKODMOMM1MxAEDDlsOKw6zDlA==
然后用上面的密钥对密文直接做 RC4 解密即可得到 flag
n1book{us1nG_f3atur3s_7o_de7erm1n3_4lg0ri7hm}