攻防世界 (adworld) reverse: BABYRE

Today I learned about dynamically generated functions.

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s; // [rsp+0h] [rbp-20h]
  int v5; // [rsp+18h] [rbp-8h]
  int i; // [rsp+1Ch] [rbp-4h]

  // judge() is stored XOR-encoded; decode its 182 bytes in place with key 0xC
  for ( i = 0; i <= 181; ++i )
  {
    envp = (const char **)(*((unsigned __int8 *)judge + i) ^ 0xCu);
    *((_BYTE *)judge + i) ^= 0xCu;
  }
  printf("Please input flag:", argv, envp);
  __isoc99_scanf("%20s", &s);
  v5 = strlen(&s);
  if ( v5 == 14 && (unsigned int)judge(&s) ) // input length is 14
    puts("Right!");
  else
    puts("Wrong!");
  return 0;
}

F5 on the judge function does nothing useful, so I guessed judge is generated dynamically, set a breakpoint and debugged it at runtime.

I found 14 assignment statements and guessed they relate to the flag. Stepping in further, I located the key operation, an XOR (see the figure below).

Checking ecx showed values from 0x0 to 0xe, exactly 14 of them; XORing each with the value from the corresponding assignment statement gives the flag.

# constants from the 14 assignment statements in the decoded judge()
cipher = [0x66, 0x6d, 0x63, 0x64, 0x7f, 0x6b, 0x37, 0x64, 0x3b, 0x56, 0x60, 0x3b, 0x6e, 0x70]
flag = ""
# judge() checks input[i] ^ i == cipher[i]; XOR is its own inverse
for i in range(0x0, 0xe):
    flag += chr(cipher[i] ^ i)
print(flag)

flag{n1c3_j0b}
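To tie the two XOR layers together, here is an added example (not the writeup's own code) that models both: the in-place decoding of judge() that main() performs with the one-byte key 0xC, and the per-index check that the decoded judge() applies to the input. The real encoded bytes of judge() are not in the writeup, so the decoding step runs on a constructed stand-in blob; the function names and the `judge`/`solve` helpers are assumptions for this illustration.

```python
# Constant table recovered from the 14 assignments in the decoded judge().
CIPHER = [0x66, 0x6d, 0x63, 0x64, 0x7f, 0x6b, 0x37, 0x64,
          0x3b, 0x56, 0x60, 0x3b, 0x6e, 0x70]

DECODE_KEY = 0x0C   # key used by main()'s loop over the bytes of judge()
JUDGE_LEN = 182     # the loop runs for i in 0..181


def decode_in_place(blob: bytearray, key: int = DECODE_KEY,
                    length: int = JUDGE_LEN) -> bytearray:
    """Mirror main()'s loop: XOR the first `length` bytes with `key`.

    Because XOR with a constant is an involution, running this over
    already-decoded bytes re-encodes them, which is how the binary can
    ship judge() in a form the decompiler cannot read statically.
    """
    for i in range(min(length, len(blob))):
        blob[i] ^= key
    return blob


def judge(s: bytes) -> bool:
    """What the decoded judge() checks: length 14 and s[i] ^ i == CIPHER[i]."""
    if len(s) != 14:
        return False
    return all((s[i] ^ i) == CIPHER[i] for i in range(14))


def solve(cipher=CIPHER) -> str:
    """Invert the check: XOR is self-inverse, so flag[i] = cipher[i] ^ i."""
    return "".join(chr(c ^ i) for i, c in enumerate(cipher))


if __name__ == "__main__":
    # Constructed stand-in for the encoded judge() bytes (the real ones are
    # not in the writeup): encode a plaintext with the same key, then decode.
    encoded = bytearray(b ^ DECODE_KEY for b in b"stand-in bytes for judge()")
    print(bytes(decode_in_place(encoded)))
    flag = solve()
    print(flag, judge(flag.encode()))
```

Running it decodes the stand-in blob back to its plaintext, prints the recovered flag and confirms that the reimplemented check accepts it and rejects any single-byte change or wrong length.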

posted @ 2020-10-15 21:14  Sk2rw