攻防世界--ReverseMe-120

测试文件:https://adworld.xctf.org.cn/media/task/attachments/a5c0e8322d9645468befabddfe0cb51d.exe

 

1.准备

获取信息

  • 32位文件

2.IDA打开

 1 int __cdecl main(int argc, const char **argv, const char **envp)
 2 {
 3   unsigned int v3; // edx
 4   unsigned int v4; // ecx
 5   __m128i v5; // xmm1
 6   unsigned int v6; // esi
 7   const __m128i *v7; // eax
 8   __m128i v8; // xmm0
 9   int v9; // eax
10   char v11; // [esp+0h] [ebp-CCh]
11   char v12; // [esp+1h] [ebp-CBh]
12   char v13; // [esp+64h] [ebp-68h]
13   char v14; // [esp+65h] [ebp-67h]
14   unsigned int v15; // [esp+C8h] [ebp-4h]
15 
16   printf("please input your flah:");
17   v11 = 0;
18   memset(&v12, 0, 0x63u);
19   scanf("%s", &v11);
20   v13 = 0;
21   memset(&v14, 0, 0x63u);
22   sub_401000(&v15, &v13, (unsigned __int8 *)&v11, strlen(&v11));
23   v3 = v15;
24   v4 = 0;
25   if ( v15 )
26   {
27     if ( v15 >= 0x10 )
28     {
29       v5 = _mm_load_si128((const __m128i *)&xmmword_414F20);// 这部分对我们的结果没有影响
30       v6 = v15 - (v15 & 0xF);
31       v7 = (const __m128i *)&v13;
32       do
33       {
34         v8 = _mm_loadu_si128(v7);
35         v4 += 16;
36         ++v7;
37         _mm_storeu_si128((__m128i *)&v7[-1], _mm_xor_si128(v8, v5));
38       }
39       while ( v4 < v6 );
40     }
41     for ( ; v4 < v3; ++v4 )                     // 对每位字符进行异或0x25
42       *(&v13 + v4) ^= 0x25u;
43   }
44   v9 = strcmp(&v13, "you_know_how_to_remove_junk_code");// 处理之后的字符串为"you_know_how_to_remove_junk_code"
45   if ( v9 )
46     v9 = -(v9 < 0) | 1;
47   if ( v9 )
48     printf("wrong\n");
49   else
50     printf("correct\n");
51   system("pause");
52   return 0;
53 }

 

其中的一些函数解释

__m128i _mm_load_si128 (__m128i *p);
//返回可以存放在代表寄存器的变量中的值,即*p的值

__m128i _mm_load_si128 (__m128i *p);
//返回可以存放在代表寄存器的变量中的值,即*p的值

void _mm_storeu_si128 ( __m128i *p, __m128i a);
//将__m128i 变量a的值存储到p所指定的变量中去;

 

3.代码分析

这道题思路很清晰,就是逆向操作结果字符串就行。

我们输入v11,在下面有个关键的sub_401000(&v15, &v13, (unsigned __int8 *)&v11, strlen(&v11));函数

  1 signed int __usercall sub_401000@<eax>(unsigned int *a1@<edx>, _BYTE *a2@<ecx>, unsigned __int8 *a3, unsigned int a4)
  2 {
  3   int v4; // ebx
  4   unsigned int v5; // eax
  5   int v6; // ecx
  6   unsigned __int8 *v7; // edi
  7   int v8; // edx
  8   bool v9; // zf
  9   unsigned __int8 v10; // cl
 10   char v11; // cl
 11   _BYTE *v12; // esi
 12   unsigned int v13; // ecx
 13   int v14; // ebx
 14   unsigned __int8 v15; // cl
 15   char v16; // dl
 16   _BYTE *v18; // [esp+Ch] [ebp-Ch]
 17   unsigned int *v19; // [esp+10h] [ebp-8h]
 18   int v20; // [esp+14h] [ebp-4h]
 19   unsigned int v21; // [esp+14h] [ebp-4h]
 20   int i; // [esp+24h] [ebp+Ch]
 21 
 22   v4 = 0;
 23   v18 = a2;
 24   v5 = 0;
 25   v6 = 0;
 26   v19 = a1;
 27   v20 = 0;
 28   if ( !a4 )
 29     return 0;
 30   v7 = a3;
 31   do
 32   {
 33     v8 = 0;
 34     v9 = v5 == a4;
 35     if ( v5 < a4 )
 36     {
 37       do
 38       {
 39         if ( a3[v5] != 32 )
 40           break;
 41         ++v5;
 42         ++v8;
 43       }
 44       while ( v5 < a4 );
 45       v9 = v5 == a4;
 46     }
 47     if ( v9 )
 48       break;
 49     if ( a4 - v5 >= 2 && a3[v5] == 13 && a3[v5 + 1] == 10 || (v10 = a3[v5], v10 == 10) )
 50     {
 51       v6 = v20;
 52     }
 53     else
 54     {
 55       if ( v8 )
 56         return 4294967252;
 57       if ( v10 == 61 && (unsigned int)++v4 > 2 )
 58         return 4294967252;
 59       if ( v10 > 0x7Fu )
 60         return 4294967252;
 61       v11 = byte_414E40[v10];
 62       if ( v11 == 127 || (unsigned __int8)v11 < 0x40u && v4 )
 63         return 4294967252;
 64       v6 = v20++ + 1;
 65     }
 66     ++v5;
 67   }
 68   while ( v5 < a4 );
 69   if ( !v6 )
 70     return 0;
 71   v12 = v18;
 72   v13 = ((unsigned int)(6 * v6 + 7) >> 3) - v4;
 73   if ( v18 && *v19 >= v13 )
 74   {
 75     v21 = 3;
 76     v14 = 0;
 77     for ( i = 0; v5; --v5 )
 78     {
 79       v15 = *v7;
 80       if ( *v7 != 13 && v15 != 10 && v15 != 32 )
 81       {
 82         v16 = byte_414E40[v15];
 83         v21 -= v16 == 64;
 84         v14 = v16 & 0x3F | (v14 << 6);
 85         if ( ++i == 4 )
 86         {
 87           i = 0;
 88           if ( v21 )
 89             *v12++ = BYTE2(v14);
 90           if ( v21 > 1 )
 91             *v12++ = BYTE1(v14);
 92           if ( v21 > 2 )
 93             *v12++ = v14;
 94         }
 95       }
 96       ++v7;
 97     }
 98     *v19 = v12 - v18;
 99     return 0;
100   }
101   *v19 = v13;
102   return -42;
103 }
View Code

 

对于这段函数实际上是base64解密,关键代码在于

 if ( v18 && *v19 >= v13 )
  {
    v21 = 3;
    v14 = 0;
    for ( i = 0; v5; --v5 )
    {
      v15 = *v7;
      if ( *v7 != 13 && v15 != 10 && v15 != 32 )
      {
        v16 = byte_414E40[v15];
        v21 -= v16 == 64;
        v14 = v16 & 0x3F | (v14 << 6);
        if ( ++i == 4 )                         // 4字节为一组处理
        {
          i = 0;
          if ( v21 )                            // 分为3字节输出
            *v12++ = BYTE2(v14);
          if ( v21 > 1 )
            *v12++ = BYTE1(v14);
          if ( v21 > 2 )
            *v12++ = v14;
        }
      }
      ++v7;
    }

要了解base64加密原理可以看:https://www.cnblogs.com/Mayfly-nymph/p/11644823.html

解密代码可以看:https://blog.csdn.net/prsniper/article/details/7097643

 

byte_414E40

00414E40  7F 7F 7F 7F 7F 7F 7F 7F  7F 7F 7F 7F 7F 7F 7F 7F  ................
00414E50  7F 7F 7F 7F 7F 7F 7F 7F  7F 7F 7F 7F 7F 7F 7F 7F  ................
00414E60  7F 7F 7F 7F 7F 7F 7F 7F  7F 7F 7F 3E 7F 7F 7F 3F  ...........>...?
00414E70  34 35 36 37 38 39 3A 3B  3C 3D 7F 7F 7F 40 7F 7F  456789:;<=...@..
00414E80  7F 00 01 02 03 04 05 06  07 08 09 0A 0B 0C 0D 0E  ................
00414E90  0F 10 11 12 13 14 15 16  17 18 19 7F 7F 7F 7F 7F  ................
00414EA0  7F 1A 1B 1C 1D 1E 1F 20  21 22 23 24 25 26 27 28  ....... !"#$%&'(
00414EB0  29 2A 2B 2C 2D 2E 2F 30  31 32 33 7F 7F 7F 7F 7F  )*+,-./0123.....

也可以猜测是base64相关的操作

 

4.脚本解密

import base64

str1='you_know_how_to_remove_junk_code'

flag=''

for i in str1:
    flag += chr(ord(i)^0x25)
    
print(base64.b64encode(flag))

 

5.get flag!

XEpQek5LSlJ6TUpSelFKeldASEpTQHpPUEtOekZKQUA=

 

posted @ 2019-10-09 23:52  Hk_Mayfly  阅读(831)  评论(0编辑  收藏  举报