攻防世界 reverse Windows_Reverse2

Windows_Reverse2   2019_DDCTF

查壳:

 

寻找oep-->dump-->iat修复   便可成功脱壳

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char Dest; // [esp+8h] [ebp-C04h]
  char v5; // [esp+9h] [ebp-C03h]
  char myinput; // [esp+408h] [ebp-804h]
  char Dst; // [esp+409h] [ebp-803h]
  char tg; // [esp+808h] [ebp-404h]
  char v9; // [esp+809h] [ebp-403h]

  myinput = 0;
  memset(&Dst, 0, 0x3FFu);
  tg = 0;
  memset(&v9, 0, 0x3FFu);
  printf("input code:");
  scanf("%s", &myinput);
  if ( !firstcheck_4011F0(&myinput) )
  {
    printf("invalid input\n");
    exit(0);
  }
  maincheck_401240(&myinput, &tg);
  Dest = 0;
  memset(&v5, 0, 0x3FFu);
  sprintf(&Dest, "DDCTF{%s}", &tg);             // ADEBDEAEC7BE
  if ( !strcmp(&Dest, "DDCTF{reverse+}") )
    printf("You've got it !!! %s\n", &Dest);
  else
    printf("Something wrong. Try again...\n");
  return 0;
}

先进入第一处验证:

char __usercall firstcheck_4011F0@<al>(const char *myinput@<esi>)
{
  signed int lens; // eax
  signed int v2; // edx
  int v3; // ecx
  char v4; // al

  lens = strlen(myinput);
  v2 = lens;
  if ( lens && lens % 2 != 1 )                  // 2的倍数位
  {
    v3 = 0;
    if ( lens <= 0 )
      return 1;
    while ( 1 )
    {
      v4 = myinput[v3];
      if ( (v4 < '0' || v4 > '9') && (v4 < 'A' || v4 > 'F') )// 0-9 A-F
        break;
      if ( ++v3 >= v2 )
        return 1;
    }
  }
  return 0;
}

输入为0-9 A-F 之中的字符,2的倍数位

再看下面的验证:

int __usercall maincheck_401240@<eax>(const char *myinput@<esi>, char *tg)
{
  signed int lens; // edi
  signed int i; // edx
  char t_; // bl
  char c; // al
  char v6; // al
  unsigned int v7; // ecx
  char t; // [esp+Bh] [ebp-405h]
  char v10; // [esp+Ch] [ebp-404h]
  char Dst; // [esp+Dh] [ebp-403h]

  lens = strlen(myinput);
  v10 = 0;
  memset(&Dst, 0, 0x3FFu);
  i = 0;
  if ( lens > 0 )//下面主要进行输入的转换,将输入的字符串按字面值存储,'0'-->0  ‘A’-->0x10  
  {
    t_ = t;
    do
    {
      c = myinput[i];
      if ( (unsigned __int8)(myinput[i] - '0') > 9u )
      {
        if ( (unsigned __int8)(c - 'A') <= 5u )
          t = c - '7';
      }
      else
      {
        t = myinput[i] - '0';
      }
      v6 = myinput[i + 1];
      if ( (unsigned __int8)(myinput[i + 1] - '0') > 9u )
      {
        if ( (unsigned __int8)(v6 - 'A') <= 5u )
          t_ = v6 - 55;
      }
      else
      {
        t_ = myinput[i + 1] - '0';
      }
      v7 = (unsigned int)i >> 1;
      i += 2;
      *(&v10 + v7) = t_ | 16 * t;
    }
    while ( i < lens );
  }
  return base64_encode_401000(lens / 2, tg);
}
base64_encode_401000
int __cdecl base64_encode_401000(int size, void *tg)
{
  char *v2; // ecx
  int v3; // ebp
  char *v4; // edi
  signed int v5; // esi
  unsigned __int8 v6; // bl
  signed int v7; // esi
  int v8; // edi
  int v9; // edi
  size_t v10; // esi
  void *v11; // edi
  const void *v12; // eax
  unsigned __int8 Dst; // [esp+14h] [ebp-38h]
  unsigned __int8 v15; // [esp+15h] [ebp-37h]
  unsigned __int8 v16; // [esp+16h] [ebp-36h]
  char v17; // [esp+18h] [ebp-34h]
  char v18; // [esp+19h] [ebp-33h]
  char v19; // [esp+1Ah] [ebp-32h]
  char i; // [esp+1Bh] [ebp-31h]
  void *v21; // [esp+1Ch] [ebp-30h]
  char v22; // [esp+20h] [ebp-2Ch]
  void *Src; // [esp+24h] [ebp-28h]
  size_t Size; // [esp+34h] [ebp-18h]
  unsigned int v25; // [esp+38h] [ebp-14h]
  int v26; // [esp+48h] [ebp-4h]

  v3 = size;
  v4 = v2;
  v21 = tg;
  std::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string<char,std::char_traits<char>,std::allocator<char>>(&v22);
  v5 = 0;
  v26 = 0;
  if ( size )
  {
    do
    {
      *(&Dst + v5) = *v4;
      v6 = v15;
      ++v5;
      --v3;
      ++v4;
      if ( v5 == 3 )
      {
        v17 = Dst >> 2;
        v18 = (v15 >> 4) + 16 * (Dst & 3);
        v19 = (v16 >> 6) + 4 * (v15 & 0xF);
        i = v16 & 0x3F;
        v7 = 0;
        do
          std::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator+=(
            &v22,
            (unsigned __int8)(a745230189[(unsigned __int8)*(&v17 + v7++)] ^ 0x76));// ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
        while ( v7 < 4 );
        v5 = 0;
      }
    }
    while ( v3 );
    if ( v5 )
    {
      if ( v5 < 3 )
      {
        memset(&Dst + v5, 0, 3 - v5);
        v6 = v15;
      }
      v18 = (v6 >> 4) + 16 * (Dst & 3);
      v17 = Dst >> 2;
      v19 = (v16 >> 6) + 4 * (v6 & 0xF);
      v8 = 0;
      for ( i = v16 & 0x3F; v8 < v5 + 1; ++v8 )
        std::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator+=(
          &v22,
          (unsigned __int8)(a745230189[(unsigned __int8)*(&v17 + v8)] ^ 0x76));
      if ( v5 < 3 )
      {
        v9 = 3 - v5;
        do
        {
          std::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator+=(&v22, '=');
          --v9;
        }
        while ( v9 );
      }
    }
  }
  v10 = Size;
  v11 = v21;
  memset(v21, 0, Size + 1);
  v12 = Src;
  if ( v25 < 0x10 )
    v12 = &Src;
  memcpy(v11, v12, v10);
  v26 = -1;
  return std::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string<char,std::char_traits<char>,std::allocator<char>>();
}

发现有点像base64编码,编码表^ 0x76,脚本跑出来发现正好是标准密码表

最后的验证即 输入为大写16进制字符串,base64编码,验证结果是否为‘reverse+’

 

base64 解码‘reverse+ ’  便可得到输入

wp(python2):

import base64
s='reverse+'
print base64.b64decode(s).encode('hex').upper()

ADEBDEAEC7BE

 

flag{ADEBDEAEC7BE}

 

 

  

posted @ 2020-02-22 21:41  DirWangK  阅读(1049)  评论(0编辑  收藏  举报