BUU findkey
定位关键函数
跟入flag找到问题位置
两行一样的代码，nop 掉第二行，然后按 P 重新生成函数
代码审计
/*
 * sub_4018C4 — the check handler as decompiled by IDA.
 * __userpurge with a1@<ebp>: a1 is the caller's frame pointer, so every
 * "a1 - N" below addresses a buffer in the caller's stack frame and
 * *(HWND *)(a1 + 8) is the window handle stored there.
 *
 * Flow as visible here:
 *   1. copy String1 into the zeroed 0x100-byte buffer at a1-492 (the copy
 *      length is strlen(String1) with no visible cap at 0x100);
 *   2. sub_40101E(String1, ..., String1) — presumably a thunk to the MD5
 *      routine sub_4013A0, which would write the hex digest back over String1;
 *   3. build the key "SS" at a1-760 and pass the constant at a1-748 through
 *      sub_401005 (presumably a thunk to the XOR loop sub_401590);
 *   4. compare String1 with a1-748 case-insensitively; mismatch -> message box
 *      and ExitProcess;
 *   5. on match, copy unk_423030 to a1-1016, XOR it with the pristine input
 *      kept at a1-492 and display the result.
 */
int __userpurge sub_4018C4@<eax>(int a1@<ebp>, int a2, int a3, int a4, int a5)
{
    size_t v5;  // eax
    _WORD *v6;  // edx — never assigned in this listing; see the __ES__ store below
    DWORD v7;   // eax
    int v8;     // edi
    int v9;     // eax
    int v10;    // eax
    LPSTR v12;  // [esp-454h] [ebp-454h] BYREF

    if ( strlen((const char *)String1) )
    {
        // Pristine copy of the input; it is reused as the XOR key in step 5.
        memset((void *)(a1 - 492), 0, 0x100u);
        v5 = strlen((const char *)String1);
        memcpy((void *)(a1 - 492), String1, v5);   // not bounded to the 0x100 bytes zeroed above
        v12 = (LPSTR)String1;
        *v6 = __ES__;                              // segment-register write through an unassigned pointer: decompiler artifact
        v7 = strlen((const char *)&v12);           // strlen of &v12 as decompiled; presumably strlen(String1) in the binary — confirm in the disassembly
        sub_40101E(String1, v7, v12);              // hash String1, output written back into String1 (presumed, see header)
        // Obfuscated target digest: 32 chars + NUL, then the rest of the
        // 256-byte buffer (220 + 2 + 1 bytes) is zero-filled.
        strcpy((char *)(a1 - 748), "0kk`d1a`55k222k2a776jbfgd`06cjjb");
        memset((void *)(a1 - 715), 0, 0xDCu);
        v8 = a1 - 715 + 220;
        *(_WORD *)v8 = 0;
        *(_BYTE *)(v8 + 2) = 0;
        // Key "SS" followed by zero bytes.
        strcpy((char *)(a1 - 760), "SS");
        *(_DWORD *)(a1 - 757) = 0;
        *(_WORD *)(a1 - 753) = 0;
        *(_BYTE *)(a1 - 751) = 0;
        v9 = strlen((const char *)(a1 - 748));
        sub_401005((LPCSTR)(a1 - 760), a1 - 748, v9);   // a1-748 ^= "SS" repeated -> expected digest (lower-case hex)
        // _strcmpi is case-insensitive, so upper-case hex produced by the
        // hash routine still matches the lower-case digest.
        if ( _strcmpi((const char *)String1, (const char *)(a1 - 748)) )
        {
            SetWindowTextA(*(HWND *)(a1 + 8), "flag{}");
            MessageBoxA(*(HWND *)(a1 + 8), "Are you kidding me?", "^_^", 0);
            ExitProcess(0);
        }
        // Success path: 0x32 bytes are copied although unk_423030 as listed
        // holds 19 bytes; the remainder is presumably zero padding in the binary.
        memcpy((void *)(a1 - 1016), &unk_423030, 0x32u);
        v10 = strlen((const char *)(a1 - 1016));
        sub_401005((LPCSTR)(a1 - 492), a1 - 1016, v10);  // a1-1016 ^= original input, repeated
        MessageBoxA(*(HWND *)(a1 + 8), (LPCSTR)(a1 - 1016), 0, 0x32u);
    }
    ++dword_428D54;   // global counter; its consumer is not visible here
    return 0;
}
关键函数
/*
 * sub_401590 — repeating-key XOR applied in place (IDA pseudo-code; the
 * listing showed the function twice, it is reproduced once here).
 * lpString: NUL-terminated key; a2: address of the buffer to transform;
 * a3: number of bytes to process.
 * Returns the number of bytes processed, i.e. a3 read as unsigned.
 */
unsigned int __cdecl sub_401590(LPCSTR lpString, int a2, int a3)
{
    unsigned int key_len = lstrlenA(lpString);
    unsigned int pos = 0;

    // a3 takes part in an unsigned comparison: a negative count does not
    // stop the loop early.
    while ( pos < (unsigned int)a3 )
    {
        // key_len == 0 would divide by zero here; every caller shown passes
        // a non-empty key ("SS" or a String1 whose strlen was checked).
        *(_BYTE *)(pos + a2) ^= lpString[pos % key_len];
        ++pos;
    }
    return pos;
}
对字符串进行异或
/*
 * sub_4013A0 — MD5 through the Windows CryptoAPI (IDA pseudo-code).
 * pbData/dwDataLen: bytes to hash.
 * lpString1: receives the digest as 32 upper-case hex characters plus NUL;
 *            the caller must supply at least 33 bytes, nothing here checks it.
 * Returns 1 on success, 0 when the provider or the hash object could not be
 * obtained or the data could not be hashed.
 */
int __cdecl sub_4013A0(BYTE *pbData, DWORD dwDataLen, LPSTR lpString1)
{
    int result;         // eax
    DWORD i;            // [esp+4Ch] [ebp-24h]
    CHAR String2[4];    // [esp+50h] [ebp-20h] BYREF — "%02X" plus NUL needs 3
    BYTE v6[16];        // [esp+54h] [ebp-1Ch] BYREF — digest buffer (MD5 = 16 bytes)
    DWORD pdwDataLen;   // [esp+64h] [ebp-Ch] BYREF — not initialised before use, see below
    HCRYPTHASH phHash;  // [esp+68h] [ebp-8h] BYREF
    HCRYPTPROV phProv;  // [esp+6Ch] [ebp-4h] BYREF

    // dwProvType 1 = PROV_RSA_FULL, dwFlags 0xF0000000 = CRYPT_VERIFYCONTEXT
    // (ephemeral context, no key container required).
    if ( !CryptAcquireContextA(&phProv, 0, 0, 1u, 0xF0000000) )
        return 0;
    // 0x8003 = CALG_MD5.
    if ( CryptCreateHash(phProv, 0x8003u, 0, 0, &phHash) )
    {
        if ( CryptHashData(phHash, pbData, dwDataLen, 0) )
        {
            // 2 = HP_HASHVAL. pdwDataLen is in/out (buffer size on entry), but
            // it is never set to sizeof v6 and the return value is ignored; if
            // the call fails, the loop below runs over whatever pdwDataLen held.
            CryptGetHashParam(phHash, 2u, v6, &pdwDataLen, 0);
            *lpString1 = 0;
            for ( i = 0; i < pdwDataLen; ++i )
            {
                wsprintfA(String2, "%02X", v6[i]);
                lstrcatA(lpString1, String2);   // no bound on lpString1
            }
            CryptDestroyHash(phHash);
            CryptReleaseContext(phProv, 0);
            result = 1;
        }
        else
        {
            CryptDestroyHash(phHash);
            CryptReleaseContext(phProv, 0);
            result = 0;
        }
    }
    else
    {
        CryptReleaseContext(phProv, 0);
        result = 0;
    }
    return result;
}
Windows CryptoAPI 函数，其中 0x8003u（CALG_MD5）表示 MD5 算法
getflag
我们虽然不知道 String1 里面放的是什么，但是通过 a1-748 与 String1 的 check，我们可以得到 md5 加密后的内容就是 a1-748 异或后的内容
# Step 1: the constant stored at a1-748 is XORed with the key "SS" before
# the comparison, so undoing that XOR yields the MD5 hex digest the input
# has to match.
obfuscated_digest = '0kk`d1a`55k222k2a776jbfgd`06cjjb'
se1 = ''.join(chr(ord(ch) ^ ord('S')) for ch in obfuscated_digest)
print(se1)  # c8837b23ff8aaa8a2dde915473ce0991

# Step 2 (the same script appears again further down the page): unk_423030
# XORed with the repeating six-byte key "123321" — presumably the preimage of
# the digest above, the write-up does not say how it was obtained — gives the flag.
s = ['1', '2', '3', '3', '2', '1']
b = [0x57, 0x5E, 0x52, 0x54, 0x49, 0x5F, 0x01, 0x6D, 0x69, 0x46,
     0x02, 0x6E, 0x5F, 0x02, 0x6C, 0x57, 0x5B, 0x54, 0x4C]
flag = ''.join(chr(value ^ ord(s[index % 6])) for index, value in enumerate(b))
print(flag)
/*
 * unk_423030 — the obfuscated flag bytes that sub_4018C4 copies to a1-1016.
 * The binary copies 0x32 bytes from here although only 19 are listed, so the
 * bytes that follow are presumably zero padding. Each byte is XORed with the
 * repeating six-byte key "123321" to recover the flag; the rows below are
 * grouped by one key period.
 */
unsigned char unk_423030[] = {
    0x57, 0x5E, 0x52, 0x54, 0x49, 0x5F,
    0x01, 0x6D, 0x69, 0x46, 0x02, 0x6E,
    0x5F, 0x02, 0x6C, 0x57, 0x5B, 0x54,
    0x4C,
};
a1-1016内容
# Recover the flag: the bytes of unk_423030 (what ends up at a1-1016) are
# XORed by the binary with the user input as a repeating key. With the key
# "123321" — presumably the preimage of the target MD5 digest — the plain
# flag comes out.
s = ['1', '2', '3', '3', '2', '1']
b = [0x57, 0x5E, 0x52, 0x54, 0x49, 0x5F, 0x01, 0x6D, 0x69, 0x46,
     0x02, 0x6E, 0x5F, 0x02, 0x6C, 0x57, 0x5B, 0x54, 0x4C]
flag = ''
for index, value in enumerate(b):
    # key byte cycles with period len(s) == 6
    flag += chr(value ^ ord(s[index % len(s)]))
print(flag)
flag{n0_Zu0_n0_die}