攻防世界 reverse crazy
crazy 百越杯2018
查看main函数:
// Decompiled entry point (IDA pseudocode, kept verbatim). Control flow: read one
// whitespace-delimited token from stdin, print a banner, wrap the input in a
// HighTemplar object, run calculate() (the byte transform) and getSerial() (the
// comparison against the stored target), and print the flag only when getSerial()
// returns 0. The func1/func2/func3 chain works on throw-away copies and never
// touches the object that is checked.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  __int64 v3; // rax
  __int64 v4; // rax
  __int64 v5; // rax
  __int64 v6; // rax
  __int64 v7; // rax
  __int64 v8; // rax
  __int64 v9; // rax
  __int64 v10; // rax
  __int64 v11; // rax
  __int64 v12; // rax
  __int64 v13; // rax
  __int64 v14; // rax
  __int64 v15; // rax
  __int64 v16; // rax
  char myinput_str; // [rsp+10h] [rbp-130h]  std::string holding the user input
  char v19; // [rsp+30h] [rbp-110h]  scratch copy fed to func1
  char v20; // [rsp+50h] [rbp-F0h]   output of func1 / input of func2
  char v21; // [rsp+70h] [rbp-D0h]   output of func2, passed to func3
  char myinput_copy; // [rsp+90h] [rbp-B0h]  std::string returned by getFlag()
  char temp; // [rsp+B0h] [rbp-90h]  the HighTemplar object under test
  unsigned __int64 v24; // [rsp+128h] [rbp-18h]  stack-protector canary copy

  v24 = __readfsqword(0x28u);                   // save the canary (fs:0x28); checked again in the epilogue
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(
    (__int64)&myinput_str,
    (__int64)argv,
    (__int64)envp);                             // argv/envp as arguments are most likely a decompiler artifact of the default std::string ctor - confirm in the disassembly
  std::operator>><char,std::char_traits<char>,std::allocator<char>>(&std::cin, &myinput_str); // cin >> input: stops at the first whitespace
  v3 = std::operator<<<std::char_traits<char>>(&std::cout, "-------------------------------------------");
  std::ostream::operator<<(v3, &std::endl<char,std::char_traits<char>>);
  v4 = std::operator<<<std::char_traits<char>>(&std::cout, "Quote from people's champ");
  std::ostream::operator<<(v4, &std::endl<char,std::char_traits<char>>);
  v5 = std::operator<<<std::char_traits<char>>(&std::cout, "-------------------------------------------");
  std::ostream::operator<<(v5, &std::endl<char,std::char_traits<char>>);
  v6 = std::operator<<<std::char_traits<char>>(
         &std::cout,
         "*My goal was never to be the loudest or the craziest. 
It was to be the most entertaining.");
  std::ostream::operator<<(v6, &std::endl<char,std::char_traits<char>>);
  v7 = std::operator<<<std::char_traits<char>>(&std::cout, "*Wrestling was like stand-up comedy for me.");
  std::ostream::operator<<(v7, &std::endl<char,std::char_traits<char>>);
  v8 = std::operator<<<std::char_traits<char>>(
         &std::cout,
         "*I like to use the hard times in the past to motivate me today.");
  std::ostream::operator<<(v8, &std::endl<char,std::char_traits<char>>);
  v9 = std::operator<<<std::char_traits<char>>(&std::cout, "-------------------------------------------");
  std::ostream::operator<<(v9, &std::endl<char,std::char_traits<char>>);
  // Constructor copies the input into the object (offsets +16 and +48) and stores
  // the hard-coded target serial 327a6c4304ad5938eaf0efb6cc3e53dc at offset +80.
  HighTemplar::HighTemplar((DarkTemplar *)&temp, &myinput_str);
  v10 = std::operator<<<std::char_traits<char>>(&std::cout, "Checking....");
  std::ostream::operator<<(v10, &std::endl<char,std::char_traits<char>>);
  // Decoy chain: v19 -> func1 -> v20 -> func2 -> v21 -> func3. Every result is
  // destroyed immediately below and `temp` is never passed in, so whatever these
  // functions compute cannot influence the check.
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(&v19, &myinput_str);
  func1((__int64)&v20, (__int64)&v19);
  func2((__int64)&v21, (__int64)&v20);
  func3((__int64)&v21, 0);
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v21);
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v20);
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v19);
  HighTemplar::calculate((HighTemplar *)&temp);   // transform the input copy at +16 in place (exits if length != 32)
  if ( (unsigned int)HighTemplar::getSerial((HighTemplar *)&temp) == 0 ) // 0 only when every transformed byte equals the target serial
  {
    v11 = std::operator<<<std::char_traits<char>>(&std::cout, "/////////////////////////////////");
    std::ostream::operator<<(v11, &std::endl<char,std::char_traits<char>>);
    v12 = std::operator<<<std::char_traits<char>>(&std::cout, "Do not be angry. 
Happy Hacking :)");
    std::ostream::operator<<(v12, &std::endl<char,std::char_traits<char>>);
    v13 = std::operator<<<std::char_traits<char>>(&std::cout, "/////////////////////////////////");
    std::ostream::operator<<(v13, &std::endl<char,std::char_traits<char>>);
    // Mangled HighTemplar::getFlag(): returns a std::string built from `temp`.
    // Its body is not shown here; presumably it hands back the untouched copy at +48,
    // i.e. the original input - verify in the binary.
    ZN11HighTemplar7getFlagB5cxx11Ev((__int64)&myinput_copy, (__int64)&temp);
    v14 = std::operator<<<std::char_traits<char>>(&std::cout, "flag{");
    v15 = std::operator<<<char,std::char_traits<char>,std::allocator<char>>(v14, &myinput_copy);
    v16 = std::operator<<<std::char_traits<char>>(v15, "}");
    std::ostream::operator<<(v16, &std::endl<char,std::char_traits<char>>);
    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&myinput_copy);
  }
  HighTemplar::~HighTemplar((HighTemplar *)&temp);
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&myinput_str);
  return 0;
}
三个关键函数HighTemplar::HighTemplar((DarkTemplar *)&temp, &myinput_str); HighTemplar::getSerial((HighTemplar *)&temp) 和 HighTemplar::calculate((HighTemplar *)&temp);
HighTemplar::HighTemplar((DarkTemplar *)&temp, &myinput_str)：构造函数把输入复制到对象内偏移 16 和 48 的两个 std::string 中，并在偏移 80 处保存目标串 327a6c4304ad5938eaf0efb6cc3e53dc，同时把偏移 12 处的状态标志清零（后面 getSerial 失败时会置 1）。
// Decompiled constructor (IDA pseudocode). Object layout it establishes, as
// offsets from `temp`:
//   +0   vtable pointer (off_401EA0)
//   +12  status dword, zeroed here; getSerial() sets it to 1 on the first mismatch
//   +16  std::string copy of the input - the one calculate() rewrites in place
//   +48  second std::string copy of the input, not touched by calculate()
//   +80  std::string holding the target serial "327a6c4304ad5938eaf0efb6cc3e53dc"
unsigned __int64 __fastcall HighTemplar::HighTemplar(DarkTemplar *temp, char *myinput_str)
{
  char v3; // [rsp+17h] [rbp-19h]  temporary std::allocator<char>
  unsigned __int64 v4; // [rsp+18h] [rbp-18h]  stack-protector canary copy

  v4 = __readfsqword(0x28u);                    // save the canary (fs:0x28)
  DarkTemplar::DarkTemplar(temp);               // base-class constructor
  *(_QWORD *)temp = &off_401EA0;                // install HighTemplar's vtable
  *((_DWORD *)temp + 3) = 0;                    // +12: status flag, 0 = "no mismatch seen"
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(
    (char *)temp + 16,
    myinput_str);                               // +16: working copy of the input
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(
    (char *)temp + 48,
    myinput_str);                               // +48: pristine copy of the input
  std::allocator<char>::allocator(&v3, myinput_str); // second argument is likely a decompiler artifact (stale register); the allocator ctor takes none
  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(
    (__int64)temp + 80,                         // +80: the hard-coded target serial the input must transform into
    (__int64)"327a6c4304ad5938eaf0efb6cc3e53dc",
    (__int64)&v3);
  std::allocator<char>::~allocator(&v3);
  return __readfsqword(0x28u) ^ v4;             // canary check folded into the "return" by the decompiler; not a real return value
}
HighTemplar::calculate((HighTemplar *)&temp)：加密操作。先要求输入长度恰好为 32（否则输出 "Too short or too long" 并 exit(-1)），然后对偏移 16 处的输入做两轮逐字节变换：第一轮 (c ^ 0x50) + 23，第二轮 (c ^ 0x13) + 11，结果按字节截断。注意两个循环的条件都是 i <= length()，会多访问一次下标 32（结尾的 '\0'）。
// Decompiled transform (IDA pseudocode). Rewrites the input copy at `this`+16
// in place with two passes over every byte:
//   pass 1: c = (c ^ 0x50) + 23
//   pass 2: c = (c ^ 0x13) + 11
// Stores go through _BYTE, so each step is truncated to 8 bits. Both loops use
// `<= length()` and therefore also touch index length() (the terminating '\0');
// writing a non-zero byte there through operator[] is outside what std::string
// guarantees, though it does not affect the 32 bytes getSerial() compares.
// Exits the process when the input is not exactly 32 bytes long. The bool
// return is the last loop-condition value (always false on normal exit) and is
// ignored by main().
bool __fastcall HighTemplar::calculate(HighTemplar *this)
{
  __int64 v1; // rax
  _BYTE *v2; // rbx
  bool result; // al
  _BYTE *v4; // rbx
  int i; // [rsp+18h] [rbp-18h]
  int j; // [rsp+1Ch] [rbp-14h]

  if ( std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16) != 32 )// input must be exactly 32 bytes
  {
    v1 = std::operator<<<std::char_traits<char>>(&std::cout, "Too short or too long");
    std::ostream::operator<<(v1, &std::endl<char,std::char_traits<char>>);
    exit(-1);
  }
  // Pass 1: (c ^ 0x50) + 23 for i in [0, length()] - note the inclusive bound.
  for ( i = 0; i <= (unsigned __int64)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16); ++i )
  {
    v2 = (_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](
                    (char *)this + 16,
                    i);
    *v2 = (*(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](
                        (char *)this + 16,
                        i) ^ 0x50) // (byte ^ 0x50) + 23
        + 23;
  }
  // Pass 2: (c ^ 0x13) + 11 over the same inclusive range.
  for ( j = 0; ; ++j )
  {
    result = j <= (unsigned __int64)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16);
    if ( !result )
      break;
    v4 = (_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](
                    (char *)this + 16,
                    j);
    *v4 = (*(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](
                        (char *)this + 16,
                        j) ^ 0x13) // (byte ^ 0x13) + 11
        + 11;
  }
  return result;
}
HighTemplar::getSerial((HighTemplar *)&temp)：验证操作。逐字节比较加密后的输入（偏移 16）与目标串（偏移 80），遇到第一个不相等的位置就输出 "You did not pass i" 并返回 1；每匹配一个字节都会先输出 "Pass i"。这相当于把首个错误字节的位置泄露了出来：即使不逆向变换，也能逐位暴力试出全部 32 个字符（每个位置最多 256 次尝试）。
// Decompiled check (IDA pseudocode). Compares the transformed input at
// `this`+16 byte-for-byte against the target serial at `this`+80, bounded by the
// length of the input string (32 after calculate()'s check). On the first
// mismatch it prints the failing index, sets the status dword at +12 to 1 and
// returns it; if every byte matches it returns the status as left by the
// constructor (0).
//
// Security note: each matching position is echoed as "Pass i" before the first
// mismatch stops the loop, so the index of the first wrong byte is an oracle.
// The 32-byte serial can be recovered one position at a time (at most 256 tries
// per byte) without ever inverting calculate(). A constant-time comparison with a
// single pass/fail message would close that side channel.
__int64 __fastcall HighTemplar::getSerial(HighTemplar *this)
{
  __int64 v1; // rbx
  __int64 v2; // rax
  __int64 v3; // rax
  __int64 v4; // rax
  __int64 v5; // rax
  unsigned int i; // [rsp+1Ch] [rbp-14h]

  for ( i = 0; (signed int)i < (unsigned __int64)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16); ++i )
  {
    v1 = *(unsigned __int8 *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](
                               (char *)this + 80,// target serial 327a6c4304ad5938eaf0efb6cc3e53dc, stored by the constructor
                               (signed int)i);
    if ( (_BYTE)v1 != *(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](
                                  (char *)this + 16,// transformed input (after calculate())
                                  (signed int)i) )
    {
      v4 = std::operator<<<std::char_traits<char>>(&std::cout, "You did not pass ");
      v5 = std::ostream::operator<<(v4, i);     // leaks the index of the first mismatching byte
      std::ostream::operator<<(v5, &std::endl<char,std::char_traits<char>>);
      *((_DWORD *)this + 3) = 1;                // +12: mark failure
      return *((unsigned int *)this + 3);
    }
    v2 = std::operator<<<std::char_traits<char>>(&std::cout, "Pass ");
    v3 = std::ostream::operator<<(v2, i);       // one line per matching byte - the per-position oracle
    std::ostream::operator<<(v3, &std::endl<char,std::char_traits<char>>);
  }
  return *((unsigned int *)this + 3);           // 0 when all bytes matched
}
简单的异或与加法操作：正向变换为 (((c ^ 0x50) + 23) ^ 0x13) + 11（按字节截断），逆运算按相反顺序做 (((n - 11) ^ 0x13) - 23) ^ 0x50，即可由目标串 327a6c4304ad5938eaf0efb6cc3e53dc 还原出输入。
wp:
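# Target serial the binary compares against (stored at HighTemplar+80 by the
# constructor). The check passes only when encrypt(input) == SERIAL byte-for-byte.
SERIAL = '327a6c4304ad5938eaf0efb6cc3e53dc'


def encrypt(data):
    """Forward transform from HighTemplar::calculate.

    Two passes over every byte, (c ^ 0x50) + 23 and then (c ^ 0x13) + 11, each
    truncated to 8 bits exactly as the binary's _BYTE stores do.

    data: str whose characters are treated as byte values (0..255).
    Returns the transformed str of the same length.
    """
    out = []
    for ch in data:
        c = ord(ch)
        c = ((c ^ 0x50) + 23) & 0xFF
        c = ((c ^ 0x13) + 11) & 0xFF
        out.append(chr(c))
    return ''.join(out)


def decode(serial):
    """Invert encrypt(): undo the second pass, then the first.

    Each subtraction is masked to a byte so the inversion wraps exactly like the
    binary's 8-bit addition did; without the mask, serial bytes below 11 (or
    intermediate values below 23) would go negative and chr() would raise.

    serial: str of expected output bytes (the target the binary checks against).
    Returns the input str that encrypt() maps onto serial.
    """
    flag = []
    for ch in serial:
        n = ord(ch)
        n = ((n - 11) & 0xFF) ^ 0x13
        n = ((n - 23) & 0xFF) ^ 0x50
        flag.append(chr(n))
    return ''.join(flag)


flag = decode(SERIAL)
# Round-trip sanity check: the recovered input must survive the binary's own transform.
assert encrypt(flag) == SERIAL
print('flag{' + flag + '}')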
flag{tMx~qdstOs~crvtwb~aOba}qddtbrtcd}