7.1-7.3

RE

BUU_RE_Youngter-drive

Check for a packer: UPX.

After unpacking, the binary is 32-bit; look through the strings.

Main function:

int __cdecl main_0(int argc, const char **argv, const char **envp)
{
  HANDLE v4; // [esp+D0h] [ebp-14h]
  HANDLE hObject; // [esp+DCh] [ebp-8h]

  ((void (*)(void))sub_4110FF)();
  ::hObject = CreateMutexW(0, 0, 0);
  j_strcpy(Destination, Source);
  hObject = CreateThread(0, 0, StartAddress, 0, 0, 0);
  v4 = CreateThread(0, 0, sub_41119F, 0, 0, 0);
  CloseHandle(hObject);
  CloseHandle(v4);
  while ( dword_418008 != -1 )
    ;
  sub_411190();
  CloseHandle(::hObject);
  return 0;
}

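WaitForSingleObject
WaitForSingleObject is a Windows API function. If the handle is closed while the wait is still pending, the function's behavior is undefined. The handle must have the SYNCHRONIZE access right.
WaitForSingleObject checks the signaled state of the object hHandle. When a thread calls it, the thread is suspended temporarily. If the object being waited on becomes signaled within dwMilliseconds milliseconds, the function returns immediately; if the dwMilliseconds timeout expires and the object referred to by hHandle has still not become signaled, the function returns anyway.
ReleaseMutex
ReleaseMutex is a call that releases the thread's ownership of the mutex it holds.
A thread can also tell the system that it does not want to be scheduled for a certain period of time. This is done by calling the Sleep function:
VOID Sleep(DWORD dwMilliseconds);
This function suspends the thread's own execution until dwMilliseconds have elapsed.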

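#include <stdio.h>
int main(void)
{
    /* Encoded string to invert */
    char off1[] = "TOiZiZtOrYaToUwPnToBsOaOapsyS";
    /* Substitution table used for the odd positions */
    char off2[] = "QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm";
    char flag[30]={0};
    int i,j;
    for(i=28;i>-1;i--)
    {
        /* Even positions are copied unchanged */
        if(i%2==0)
        {
            flag[i] = off1[i];
            continue;
        }
        /* Odd positions: find the table index j, then undo the offset */
        for(j=0;j<52;j++)
        {
            if(off1[i] == off2[j])
            {
                /* j+38 if that gives an uppercase letter, otherwise j+96 */
                flag[i] = j+38;
                if(!(flag[i]>=65 &&flag[i]<=90))
                    flag[i] = j+96;
                break;
            }
        }
    }
    puts(flag);
    return 0;
}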

flag{ThisisthreadofwindowshahaIsESE}

[SWPUCTF 2021 Freshman Competition]fakebase

flag = 'xxxxxxxxxxxxxxxxxxx'

s_box = 'qwertyuiopasdfghjkzxcvb123456#$'
tmp = ''
for i in flag:
    tmp += str(bin(ord(i)))[2:].zfill(8)
b1 = int(tmp,2)
s = ''
while b1//31 != 0:
    s += s_box[b1%31]
    b1 = b1//31

print(s)

# s = u#k4ggia61egegzjuqz12jhfspfkay

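The encryption roughly works as follows: the characters of the flag are taken one by one and their 8-bit binary forms are concatenated into a single string, and then the corresponding values are looked up in s_box.

It can also be understood simply as base31.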

s='u#k4ggia61egegzjuqz12jhfspfkay'
s_box = 'qwertyuiopasdfghjkzxcvb123456#$'
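for j in range(31):
    # The encoder stops before emitting the most significant base-31 digit,
    # so brute-force that missing digit j.
    num = j
    for i in s[::-1]:
        num = num * 31 + s_box.index(i)
    num = str(bin(num)[2:])
    # Left-pad to a whole number of bytes
    num = num.zfill((len(num) + 7) // 8 * 8)
    flag = ""
    for i in range(0, len(num), 8):
        flag += chr(int(num[i:i+8], 2))
    print(flag)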

flag

NSSCTF{WHAt_BASe31}
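
The encoder and its inverse as a round trip, as an added example that is not part of the original post: it shows why the brute-force loop is needed (the encoder never writes the leading digit) and filters the candidates automatically. The function names, the printable-ASCII filter, the known-prefix filter and the sample flag are assumptions made for this example.

```python
# Added example, not the challenge author's code.
S_BOX = 'qwertyuiopasdfghjkzxcvb123456#$'   # alphabet from the challenge script
BASE = len(S_BOX)                            # 31

def encode(flag):
    """Same arithmetic as the challenge: little-endian base-31 digits,
    with the loop stopping before the most significant digit is written."""
    n = int.from_bytes(flag.encode('latin-1'), 'big')
    out = ''
    while n // BASE != 0:
        out += S_BOX[n % BASE]
        n //= BASE
    return out

def candidates(s):
    """Rebuild the integer for every possible value of the dropped digit."""
    low = 0
    for ch in reversed(s):
        low = low * BASE + S_BOX.index(ch)
    found = []
    # The dropped digit is the leading one, so it can never be 0.
    for top in range(1, BASE):
        n = top * BASE ** len(s) + low
        raw = n.to_bytes((n.bit_length() + 7) // 8, 'big')
        found.append(raw.decode('latin-1'))
    return found

def recover(s, prefix=''):
    """Keep candidates that are printable ASCII and start with a known prefix."""
    return [c for c in candidates(s)
            if c.startswith(prefix) and all(32 <= ord(x) < 127 for x in c)]

if __name__ == '__main__':
    sample = 'flag{constructed_sample}'      # constructed test input
    assert sample in recover(encode(sample), 'flag{')
    print(recover('u#k4ggia61egegzjuqz12jhfspfkay', 'NSSCTF{'))
```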

posted @ 2022-07-01 15:56  Luccky