高校网络信息安全运维挑战赛:IgniteMe
一道比较简单的逆运算题目:程序把输入去掉 "EIS{" 和结尾的 "}" 后,对每个字节做大小写互换、异或 0x55、加 72,再与一张固定字节表异或,最后和一个固定字符串比较。整条链每一步都可逆,逐步反推即可得到 flag。
下载附件查壳,没有加壳:
在IDA中打开,找到主函数:
/*
 * Entry point of the crackme (IDA pseudocode, reformatted; no code changed).
 *
 * Flow: prints the prompt, reads the input into v6 via sub_401440(v6, 127)
 * (presumably a bounded read with 127 as the max length -- not shown here),
 * then accepts it only if all of the following hold:
 *   1. 4 < strlen(v6) < 036  -- NOTE: 036 is OCTAL, i.e. 30 decimal.
 *   2. it starts with "EIS{" (compared byte by byte against v5).
 *   3. v7 == '}'. v7 is the stack slot right after v6[28] (esp+74h ==
 *      esp+58h + 0x1C), so this really tests byte 28 of the input: with
 *      rule 1 that forces an input of exactly 29 bytes ("EIS{" + 24 + "}").
 *   4. sub_4011C0(v6) returns true -- the actual key check.
 *
 * Layout notes (from the offsets IDA lists):
 *   - v6 (28 bytes) and v7 look like one 128-byte buffer split by the
 *     decompiler (ebp-80h + 128 == ebp), which is what lets the 127-byte
 *     read fit -- TODO confirm against the disassembly.
 *   - strcpy(v5, "EIS{") stores 5 bytes into a 4-byte v5; the NUL lands in
 *     the unused 4-byte gap before v6 (esp+54h..57h), so it is harmless here.
 *
 * All paths return 0; the verdict is only printed, never returned.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int result; // eax
  size_t i; // [esp+4Ch] [ebp-8Ch]
  char v5[4]; // [esp+50h] [ebp-88h]   -- holds the expected prefix "EIS{"
  char v6[28]; // [esp+58h] [ebp-80h]  -- user input
  char v7; // [esp+74h] [ebp-64h]      -- == v6[28], see header comment

  sub_402B30(&unk_446360, "Give me your flag:");
  sub_4013F0(sub_403670);
  sub_401440(v6, 127);
  if ( strlen(v6) < 036 && strlen(v6) > 4 ) // 036 is octal (30): length must be 5..29
  {
    strcpy(v5, "EIS{");
    for ( i = 0; i < strlen(v5); ++i ) // first four bytes must be "EIS{"
    {
      if ( v6[i] != v5[i] )
      {
        sub_402B30(&unk_446360, "Sorry, keep trying! ");
        sub_4013F0(sub_403670);
        return 0;
      }
    }
    if ( v7 == '}' ) // byte 28 must be '}' (i.e. the last byte of a 29-byte input)
    {
      if ( sub_4011C0(v6) ) // the key comparison, see below
        sub_402B30(&unk_446360, "Congratulations! ");
      else
        sub_402B30(&unk_446360, "Sorry, keep trying! ");
      sub_4013F0(sub_403670);
      result = 0;
    }
    else
    {
      sub_402B30(&unk_446360, "Sorry, keep trying! ");
      sub_4013F0(sub_403670);
      result = 0;
    }
  }
  else
  {
    sub_402B30(&unk_446360, "Sorry, keep trying!");
    sub_4013F0(sub_403670);
    result = 0;
  }
  return result;
}
跟进比较函数中观察:
/*
 * The key check (IDA pseudocode, reformatted; no code changed).
 *
 * a1 is the whole input ("EIS{...}"). The first 4 bytes and the last byte
 * are stripped into v8; each remaining byte then has its case flipped, is
 * passed through sub_4013C0 ((c ^ 0x55) + 72), and XORed with the i-th byte
 * of the byte_4420B0 table. The result is compared against a 24-byte
 * constant; returns true only on an exact strcmp match.
 */
bool __cdecl sub_4011C0(char *a1)
{
  size_t v2; // eax
  signed int v3; // [esp+50h] [ebp-B0h]  -- "this byte was just upper-cased"
  char v4[32]; // [esp+54h] [ebp-ACh]    -- transformed bytes that get compared
  int v5; // [esp+74h] [ebp-8Ch]         -- written once, never read
  int v6; // [esp+78h] [ebp-88h]         -- write index into v8
  size_t i; // [esp+7Ch] [ebp-84h]
  char v8[128]; // [esp+80h] [ebp-80h]   -- input minus "EIS{" and trailing '}'

  if ( strlen(a1) <= 4 )
    return 0;
  /* Copy a1[4 .. strlen-2] into v8, dropping the prefix and the last byte. */
  i = 4;
  v6 = 0;
  while ( i < strlen(a1) - 1 )
    v8[v6++] = a1[i++];
  v8[v6] = 0;
  v5 = 0;
  v3 = 0;
  memset(v4, 0, 0x20u); // zero-filled so strcmp below sees a terminated string
  for ( i = 0; ; ++i )
  {
    v2 = strlen(v8); // re-evaluated every iteration (the loop does not change the length)
    if ( i >= v2 )
      break;
    if ( v8[i] >= 97 && v8[i] <= 122 )
    {
      v8[i] -= 32; // lowercase -> uppercase
      v3 = 1;      // keep the next test from flipping it straight back
    }
    if ( !v3 && v8[i] >= 65 && v8[i] <= 90 )
      v8[i] += 32; // uppercase -> lowercase; net effect of both tests is a case swap
    /* sub_4013C0 returns int; storing into a char keeps only the low 8 bits. */
    v4[i] = byte_4420B0[i] ^ sub_4013C0(v8[i]);
    v3 = 0; // the flag is per byte, so reset it for the next iteration
  }
  /* NOTE: v4 holds 32 bytes but the loop writes one byte per body byte, so an
   * a1 longer than 4 + 32 + 1 bytes would run past v4 into the locals above
   * it. Not reachable through main(), which rejects inputs of 30+ bytes. */
  return strcmp("GONDPHyGjPEKruv{{pj]X@rF", v4) == 0; // 24-byte target
}
跟进处理函数:
/*
 * Per-byte transform used by the key check: XOR the value with 0x55, then
 * add 72. Works on the full int; the caller truncates the result to a char
 * when it stores it. To invert: (x - 72) ^ 0x55.
 */
int __cdecl sub_4013C0(int a1)
{
  int masked = a1 ^ 0x55;
  return 72 + masked;
}
byte_4420B0 中的 32 个字节(比较时只用到前 24 个,与目标字符串 "GONDPHyGjPEKruv{{pj]X@rF" 等长):
0D 13 17 11 02 01 20 1D 0C 02 19 2F 17 2B 24 1F 1E 16 09 0F 15 27 13 26 0A 2F 1E 1A 2D 0C 22 04
编写python脚本:
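# Inverse of sub_4011C0. The binary flips the case of each byte of the flag
# body, feeds it through sub_4013C0 ((c ^ 0x55) + 72), XORs it with
# byte_4420B0[i] and compares with TARGET. Every step is invertible, so we
# just walk the chain backwards for each byte.

# The constant sub_4011C0 compares against (24 bytes).
TARGET = "GONDPHyGjPEKruv{{pj]X@rF"

# byte_4420B0 as dumped from the binary (32 bytes; only the first
# len(TARGET) entries are ever used).
KEY = [0x0D, 0x13, 0x17, 0x11, 0x02, 0x01, 0x20, 0x1D,
       0x0C, 0x02, 0x19, 0x2F, 0x17, 0x2B, 0x24, 0x1F,
       0x1E, 0x16, 0x09, 0x0F, 0x15, 0x27, 0x13, 0x26,
       0x0A, 0x2F, 0x1E, 0x1A, 0x2D, 0x0C, 0x22, 0x04]


def _swap_case(b):
    """Mirror the case flip done in sub_4011C0 (lower->upper, upper->lower).

    The flip is its own inverse, so the same function undoes it.
    b is an int in 0..255; returns an int.
    """
    if ord('a') <= b <= ord('z'):
        return b - 32
    if ord('A') <= b <= ord('Z'):
        return b + 32
    return b


def recover_flag(target, key, prefix="EIS{", suffix="}"):
    """Invert the check for a (target, key) pair and return the full flag.

    target: the string sub_4011C0 compares its output against.
    key:    contents of byte_4420B0; must be at least len(target) long.
    prefix/suffix: the wrapper main() strips before calling sub_4011C0.
    Raises ValueError if key is shorter than target (the C code would read
    past the table instead).
    """
    if len(key) < len(target):
        raise ValueError("key shorter than target")
    body = []
    for c, k in zip(target, key):
        # The C code computes (c ^ 0x55) + 72 on an int but stores it into a
        # char, so undo the subtraction modulo 256. The mask is a no-op for
        # this challenge's data but keeps "- 72" from going negative in
        # general.
        x = (((ord(c) ^ k) - 72) & 0xFF) ^ 0x55
        body.append(chr(_swap_case(x)))
    return prefix + "".join(body) + suffix


print(recover_flag(TARGET, KEY))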
输出:EIS{wadx_tdgk_aihc_ihkn_pjlm}(共 29 字节,正好满足 main 中 strlen < 036 —— 注意 036 是八进制即 30 —— 以及第 28 字节(v7)为 '}' 的检查)
解题完毕~~~~