
5.8--5.14 Reverse practice notes: UPX anti-unpacking

UPX anti-unpacking



I. [NSSRound#X Basic] ez_z3

  • The binary has a UPX packer, but feeding it straight to the upx tool does not decompress it
  • Google...
  • Found a write-up on defeating the UPX auto-unpacker; brief notes below
  • Going deeper step by step

1. Defeating the UPX auto-unpacker

1.1 Rename the sections

Section viewer
  Name      V. Offset  V. Size    R. Offset  R. Size    Flags
  UPX0      00001000   0000F000   00000400   00000000   E0000080
  UPX1      00010000   00009000   00000400   00008400   E0000040
  .rsrc     00019000   00002000   00008800   00001800   C0000040

  • Rename the sections UPX0 and UPX1 to RPX
  • After this, normal unpacking no longer works

1.2 Change the signature string

  • Change the UPX! signature string to something else (e.g. ...!)

2. Remove the UPX signature bytes

  • Stronger modification
Signature 1: 60 BE ?? ?? ?? 00 8D BE ?? ?? ?? FF
Signature 2: 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 EB 0B 90 8A 06 46 88 07 47 01 DB 75 ?? 8B 1E 83 ?? ?? 11 DB 72 ?? B8 01 00 00 00 01 DB 75
Signature 3: 55 FF 96 ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB ?? FF 96 ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? 00 00 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80
  • Load the packed program into OllyDbg (OD):
  • Fix for signature 1:
00418110 >  60              pushad
00418111    BE 00004100     mov esi,packed.00410000
00418116    8DBE 0010FFFF   lea edi,dword ptr ds:[esi+FFFF1000]
0041811C    57              push edi
0041811D    EB 0B           jmp short packed.0041812A
0041811F    90              nop
00418120    8A06            mov al,byte ptr ds:[esi]
  • Change to:
00418130 >  60              pushad
00418131    90              nop
00418132    BE 00004100     mov esi,Ep_2_5_1.00410000
00418137    8DBE 0010FFFF   lea edi,dword ptr ds:[esi+FFFF1000]
0041813D    57              push edi
0041813E    EB 0A           jmp short Ep_2_5_1.0041814A
00418140    8A06            mov al,byte ptr ds:[esi]
00418142    46              inc esi
  • Fix for signature 2:
00418131  ^\72 ED           jb short packed.00418120
00418133    B8 01000000     mov eax,1
00418138    01DB            add ebx,ebx
  • Change to:
00418151  ^\72 ED           jb short Ep_2_5_1.00418140
00418153    33C0            xor eax,eax
00418155    40              inc eax
00418156    8BC0            mov eax,eax
00418158    01DB            add ebx,ebx
  • Fix for signature 3:
00418295    39C4            cmp esp,eax
00418297  ^ 75 FA           jnz short packed.00418293
00418299    83EC 80         sub esp,-80
0041829C  - E9 82DDFEFF     jmp packed.00406023
  • Change to:
00418295    39C4            cmp esp,eax
00418297  ^ 0F85 F6FFFFFF   jnz packed.00418293
0041829D    83EC 80         sub esp,-80
004182A0  - E9 7EDDFEFF     jmp packed.00406023

3. Junk section

  • Use 010 Editor to append 512 bytes of 00 at the end of the file

4. Move the PE header

  • Modify some of the key data
  • Change the PE header's start offset and the PE header size
Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
00000000   4D 5A 90 00 03 00 00 00  04 00 00 00 FF FF 00 00   MZ?          
00000010   B8 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00   ?      @       
00000020   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000030   00 00 00 00 00 00 00 00  00 00 00 00 D8 00 00 00               ?  
00000040   0E 1F BA 0E 00 B4 09 CD  21 B8 01 4C CD 21 54 68     ? ???L?Th
00000050   69 73 20 70 72 6F 67 72  61 6D 20 63 61 6E 6E 6F   is program canno
00000060   74 20 62 65 20 72 75 6E  20 69 6E 20 44 4F 53 20   t be run in DOS 
00000070   6D 6F 64 65 2E 0D 0D 0A  24 00 00 00 00 00 00 00   mode.   nbsp;      
00000080   99 3C 71 89 DD 5D 1F DA  DD 5D 1F DA DD 5D 1F DA   ?q壿]]] ?
00000090   5E 41 11 DA D2 5D 1F DA  53 55 40 DA DC 5D 1F DA   ^A 谝] 赟U@谲] ?
000000A0   DD 5D 1E DA 66 5D 1F DA  5E 55 42 DA CE 5D 1F DA   輂 趂] 赹UB谖] ?
000000B0   35 42 14 DA DF 5D 1F DA  35 42 15 DA A9 5D 1F DA   5B 谶] ?B 讴] ?
000000C0   65 5B 19 DA DC 5D 1F DA  52 69 63 68 DD 5D 1F DA   e[] 赗ich輂 ?
000000D0   00 00 00 00 00 00 00 00  50 45 00 00 4C 01 03 00           PE  L   
000000E0   9A DA 22 4D 00 00 00 00  00 00 00 00 E0 00 0F 01   氌"M        ?  
000000F0   0B 01 06 00 00 90 00 00  00 20 00 00 00 F0 00 00        ?      ? 
00000100   10 81 01 00 00 00 01 00  00 90 01 00 00 00 40 00    ?      ?   @ 
00000110   00 10 00 00 00 02 00 00  04 00 00 00 00 00 00 00                   
00000120   04 00 00 00 00 00 00 00  00 B0 01 00 00 10 00 00            ?     
00000130   00 00 00 00 02 00 00 00  00 00 10 00 00 10 00 00                   
00000140   00 00 10 00 00 10 00 00  00 00 00 00 10 00 00 00                   
00000150   00 00 00 00 00 00 00 00  D0 A5 01 00 04 02 00 00           ?       
00000160   00 90 01 00 D0 15 00 00  00 00 00 00 00 00 00 00    ? ?          
00000170   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000180   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000190   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
000001A0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
000001B0   00 00 00 00 00 00 00 00                                    
  • After the change:
Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
00000000   4D 5A 90 00 03 00 00 00  04 00 00 00 FF FF 00 00   MZ?          
00000010   B8 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00   ?      @       
00000020   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000030   00 00 00 00 00 00 00 00  00 00 00 00 40 00 00 00               @   
00000040   50 45 00 00 4C 01 03 00  9A DA 22 4D 00 00 00 00   PE  L   氌"M    
00000050   00 00 00 00 78 01 0F 01  0B 01 06 00 00 90 00 00       x        ? 
00000060   00 20 00 00 00 F0 00 00  10 81 01 00 00 00 01 00        ?  ?     
00000070   00 90 01 00 00 00 40 00  00 10 00 00 00 02 00 00    ?   @         
00000080   04 00 00 00 00 00 00 00  04 00 00 00 00 00 00 00                   
00000090   00 B0 01 00 00 10 00 00  00 00 00 00 02 00 00 00    ?             
000000A0   00 00 10 00 00 10 00 00  00 00 10 00 00 10 00 00                   
000000B0   00 00 00 00 10 00 00 00  00 00 00 00 00 00 00 00                   
000000C0   D0 A5 01 00 04 02 00 00  00 90 01 00 D0 15 00 00   ?        ? ?    
000000D0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
000000E0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
000000F0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000100   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000110   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000120   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000130   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000140   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000150   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000160   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000170   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000180   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
00000190   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
000001A0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00                   
000001B0   00 00 00 00 00 00 00 00                                    

5. Solving the challenge

  • Apply the method above: use 010 Editor to change the signature values

  • Change them to UPX1, UPX2, UPX!

  • Check the packer again

  • Unpack

  • Unpacked successfully

  • Locate the key function

__int64 sub_1400181C0()
{
  __int64 v0; // rax
  __int64 v1; // rax

  sub_140011514(&unk_14002B069);
  sub_1400110AF(std::cout, "Please input the flag:");
  sub_1400114D8(std::cin, Str);
  v0 = sub_1400110AF(std::cout, "Can you calculated out z3?");
  std::ostream::operator<<(v0, sub_14001104B);
  sub_1400110AF(std::cout, "Please input z3:");
  sub_1400114D8(std::cin, &unk_140025588);
  for ( dword_1400254C8 = 0; (unsigned int)dword_1400254C8 < j_strlen(Str); ++dword_1400254C8 )
    dword_140025520[dword_1400254C8] = sub_14001124E(
                                         (unsigned int)Str[dword_1400254C8],
                                         dword_140025000[dword_1400254C8]);
  sub_14001103C(&unk_140025588);
  sub_1400112F8(&unk_140025588);
  dword_1400254C4 = sub_1400110E6();
  if ( dword_1400254C4 == 1 )
    v1 = sub_1400110AF(std::cout, "yeah!!!!!!you get the flag");
  else
    v1 = sub_1400110AF(std::cout, "oh no!!!!!your flag is wrong,try again");
  std::ostream::operator<<(v1, sub_14001104B);
  system("pause");
  return 0i64;
}
  • Now we find the following function
__int64 __fastcall sub_140014E90(char *a1)
{
  __int64 v1; // rax
  __int64 v2; // rax

  sub_140011514((__int64)&unk_14002B069);
  if ( 20 * a1[19] * 19 * a1[18]
     + 14 * a1[13]
     + 13 * a1[12]
     + 11 * a1[10] * 10 * a1[9]
     + 30 * a1[5]
     + 5 * a1[4]
     + *a1
     + 2 * a1[1]
     - 3 * a1[2]
     - 4 * a1[3]
     - 7 * a1[6]
     + 8 * a1[7]
     - 9 * a1[8]
     - 12 * a1[11]
     - 16 * a1[15] * 15 * a1[14]
     - 17 * a1[16]
     - 18 * a1[17] == 2582239
    || 20 * a1[19] * 19 * a1[18]
     + 14 * a1[13]
     + 13 * a1[12]
     + 11 * a1[10] * 10 * a1[9]
     + 30 * a1[5]
     - 7 * a1[6]
     + 8 * a1[7]
     - 9 * a1[8]
     + 5 * a1[4]
     + 3 * a1[2]
     + 2 * a1[1] * *a1
     - 4 * a1[3]
     - 12 * a1[11]
     - 16 * a1[15] * 15 * a1[14]
     - (18 * a1[17]
      + 17 * a1[16]) == 2602741
    || 19 * a1[18]
     + 18 * a1[17]
     + 14 * a1[13] * 13 * a1[12]
     + 12 * a1[11] * 11 * a1[10]
     + 9 * a1[8]
     + 7 * a1[6] * 30 * a1[5]
     + *a1
     - 2 * a1[1]
     - 4 * a1[3] * 3 * a1[2]
     - 5 * a1[4]
     + 8 * a1[7]
     - 10 * a1[9]
     - 15 * a1[14]
     - 17 * a1[16] * 16 * a1[15]
     - 20 * a1[19] == 2668123
    || 20 * a1[19] * 19 * a1[18]
     + 14 * a1[13]
     + (13 * a1[12] + 11 * a1[10] - 12 * a1[11]) * 10 * a1[9]
     + 30 * a1[5]
     + 5 * a1[4]
     + *a1
     + 2 * a1[1]
     - 3 * a1[2]
     - 4 * a1[3]
     - 7 * a1[6]
     + 8 * a1[7]
     - 9 * a1[8]
     - 16 * a1[15] * 15 * a1[14]
     - 17 * a1[16]
     - 18 * a1[17] == 2520193
    || 18 * a1[17]
     + 17 * a1[16]
     + 15 * a1[14]
     + 13 * a1[12] * 12 * a1[11]
     + 10 * a1[9]
     + 9 * a1[8] * 8 * a1[7]
     + 3 * a1[2] * 2 * a1[1] * *a1
     - 4 * a1[3]
     - 5 * a1[4]
     - 30 * a1[5]
     - 7 * a1[6]
     - 11 * a1[10]
     - 14 * a1[13]
     - 16 * a1[15]
     - 19 * a1[18]
     - 20 * a1[19] == 8904587
    || 18 * a1[17]
     + 7 * a1[6] * 30 * a1[5] * 5 * a1[4]
     + 4 * a1[3]
     + 8 * a1[7]
     + *a1
     - 2 * a1[1]
     - 3 * a1[2]
     - 9 * a1[8]
     - 11 * a1[10] * 10 * a1[9]
     - 16 * a1[15] * (13 * a1[12] + 12 * a1[11] - 14 * a1[13] - 15 * a1[14])
     - 17 * a1[16]
     - 19 * a1[18]
     - 20 * a1[19] == 1227620874
    || 20 * a1[19] * 19 * a1[18]
     + 17 * a1[16]
     + 14 * a1[13]
     + 13 * a1[12]
     + 12 * a1[11] * 11 * a1[10] * 10 * a1[9]
     + 7 * a1[6] * 30 * a1[5]
     + 5 * a1[4]
     + 3 * a1[2]
     + *a1
     + 2 * a1[1]
     + 4 * a1[3]
     + 8 * a1[7]
     - 9 * a1[8]
     - 16 * a1[15] * 15 * a1[14]
     - 18 * a1[17] == 1836606059
    || 20 * a1[19] * 19 * a1[18]
     + 16 * a1[15] * 15 * a1[14]
     + 14 * a1[13]
     + 13 * a1[12]
     + 12 * a1[11]
     + 7 * a1[6] * 30 * a1[5]
     + 5 * a1[4]
     + 2 * a1[1] * *a1
     - 3 * a1[2]
     + 4 * a1[3]
     + 8 * a1[7]
     - 9 * a1[8]
     - 10 * a1[9]
     - 11 * a1[10]
     - 17 * a1[16]
     - 18 * a1[17] == 8720560
    || 20 * a1[19] * 19 * a1[18]
     + 14 * a1[13]
     + 13 * a1[12]
     + 11 * a1[10] * (10 * a1[9] + 30 * a1[5] + 5 * a1[4] + 4 * a1[3] - 7 * a1[6] + 8 * a1[7] - 9 * a1[8])
     + *a1
     + 2 * a1[1]
     - 3 * a1[2]
     - 12 * a1[11]
     - (16 * a1[15] - 17 * a1[16] - 18 * a1[17]) * 15 * a1[14] == 11387045
    || 20 * a1[19] * 19 * a1[18]
     + 16 * a1[15] * 15 * a1[14]
     + 14 * a1[13]
     + 11 * a1[10] * 10 * a1[9]
     + 9 * a1[8]
     + 3 * a1[2]
     + *a1
     - 2 * a1[1]
     + 4 * a1[3]
     - 5 * a1[4]
     - 30 * a1[5]
     - 7 * a1[6]
     + 8 * a1[7]
     - 12 * a1[11]
     - 13 * a1[12]
     - 17 * a1[16]
     - 18 * a1[17] == 7660269
    || 20 * a1[19] * 19 * a1[18]
     + 14 * a1[13]
     + 13 * a1[12]
     + 11 * a1[10] * 10 * a1[9]
     - 12 * a1[11]
     + *a1
     + 2 * a1[1]
     - (4 * a1[3] * 3 * a1[2]
      - 5 * a1[4]
      - 30 * a1[5])
     - 7 * a1[6]
     + 8 * a1[7]
     - 9 * a1[8]
     - 16 * a1[15] * 15 * a1[14]
     - 17 * a1[16]
     - 18 * a1[17] == 2461883
    || 14 * a1[13]
     + 11 * a1[10] * 10 * a1[9]
     + 9 * a1[8] * 8 * a1[7]
     + 7 * a1[6]
     + 2 * a1[1] * *a1
     - 4 * a1[3] * 3 * a1[2]
     - 5 * a1[4]
     - 30 * a1[5]
     - 12 * a1[11]
     - 13 * a1[12]
     - 15 * a1[14]
     - 17 * a1[16] * 16 * a1[15]
     - 18 * a1[17]
     - 19 * a1[18]
     - 20 * a1[19] == -966296
    || 14 * a1[13]
     + 13 * a1[12]
     + (11 * a1[10] * 10 * a1[9] + 30 * a1[5] + 5 * a1[4] + 3 * a1[2] + 4 * a1[3] - 7 * a1[6] + 8 * a1[7] - 9 * a1[8])
     * 2
     * a1[1]
     + *a1
     - 12 * a1[11]
     - 15 * a1[14]
     - 16 * a1[15]
     - 17 * a1[16]
     - 18 * a1[17]
     - 20 * a1[19] * 19 * a1[18] == 254500223
    || 16 * a1[15] * 15 * a1[14]
     + 14 * a1[13]
     + 11 * a1[10] * 10 * a1[9]
     + 7 * a1[6] * 30 * a1[5]
     + *a1
     - 2 * a1[1]
     - 3 * a1[2]
     - 5 * a1[4] * 4 * a1[3]
     + 8 * a1[7]
     - 9 * a1[8]
     - 12 * a1[11]
     - 13 * a1[12]
     - 17 * a1[16]
     - 18 * a1[17]
     - 19 * a1[18]
     - 20 * a1[19] == 6022286
    || 18 * a1[17]
     + 16 * a1[15]
     - 17 * a1[16]
     + 14 * a1[13]
     + 12 * a1[11]
     + 11 * a1[10] * 10 * a1[9]
     + 30 * a1[5]
     + 5 * a1[4]
     + 4 * a1[3] * 3 * a1[2]
     + 2 * a1[1] * *a1
     - 9 * a1[8] * 8 * a1[7] * 7 * a1[6]
     - 13 * a1[12]
     - 15 * a1[14]
     - 19 * a1[18]
     - 20 * a1[19] == -636956022
    || 20 * a1[19] * 19 * a1[18]
     + 13 * a1[12]
     + 12 * a1[11]
     + 11 * a1[10] * 10 * a1[9]
     + 7 * a1[6]
     + 30 * a1[5]
     + 5 * a1[4]
     + 3 * a1[2] * 2 * a1[1] * *a1
     - 4 * a1[3]
     - 9 * a1[8] * 8 * a1[7]
     - 14 * a1[13]
     - 15 * a1[14]
     - 16 * a1[15]
     - 17 * a1[16]
     - 18 * a1[17] == 10631829
    || 20 * a1[19] * 19 * a1[18]
     + 16 * a1[15]
     - 17 * a1[16]
     - 18 * a1[17]
     + 15 * a1[14] * 14 * a1[13]
     + 13 * a1[12]
     + 11 * a1[10] * 10 * a1[9]
     - 12 * a1[11]
     + 7 * a1[6]
     + (4 * a1[3] - 5 * a1[4] - 30 * a1[5]) * 3 * a1[2]
     + *a1
     + 2 * a1[1]
     + 8 * a1[7]
     - 9 * a1[8] == 6191333
    || 14 * a1[13]
     + 10 * a1[9] * 9 * a1[8] * 8 * a1[7]
     + 5 * a1[4]
     + 4 * a1[3] * 3 * a1[2]
     + 2 * a1[1] * *a1
     - 7 * a1[6] * 30 * a1[5]
     - 11 * a1[10]
     - 13 * a1[12] * 12 * a1[11]
     - 16 * a1[15] * 15 * a1[14]
     - 18 * a1[17] * 17 * a1[16]
     - 20 * a1[19] * 19 * a1[18] == 890415359
    || 20 * a1[19]
     + 19 * a1[18]
     + 18 * a1[17]
     + 16 * a1[15]
     - 17 * a1[16]
     + 12 * a1[11]
     + 11 * a1[10]
     + 10 * a1[9]
     + 9 * a1[8]
     + 30 * a1[5]
     + *a1
     + 4 * a1[3] * 3 * a1[2] * 2 * a1[1]
     - 5 * a1[4]
     - 7 * a1[6]
     + 8 * a1[7]
     - 13 * a1[12]
     - 14 * a1[13]
     - 15 * a1[14] == 23493664
    || 20 * a1[19] * 19 * a1[18]
     + 13 * a1[12]
     + 12 * a1[11]
     + 10 * a1[9]
     + 3 * a1[2] * 2 * a1[1]
     + *a1
     - 4 * a1[3]
     - 5 * a1[4]
     + 8 * a1[7] * 7 * a1[6] * 30 * a1[5]
     - 9 * a1[8]
     - 11 * a1[10]
     - 14 * a1[13]
     - 16 * a1[15] * 15 * a1[14]
     - 17 * a1[16]
     - 18 * a1[17] == 1967260144 )
  {
    v2 = sub_1400110AF(std::cout, "YOU are right");
    std::ostream::operator<<(v2, sub_14001104B);
  }
  else
  {
    v1 = sub_1400110AF(std::cout, "YOU are wrong");
    std::ostream::operator<<(v1, sub_14001104B);
  }
  return 0i64;
}
  • Clearly a job for the z3 solver
  • Run the code directly and the values come out
from z3 import *

a1 = [BitVec("num[%d]" % i, 32) for i in range(20)]
s = Solver()
s.add(
    20 * a1[19] * 19 * a1[18]
    + 14 * a1[13]
    + 13 * a1[12]
    + 11 * a1[10] * 10 * a1[9]
    + 30 * a1[5]
    + 5 * a1[4]
    + a1[0]
+ 2 * a1[1]
- 3 * a1[2]
- 4 * a1[3]
- 7 * a1[6]
+ 8 * a1[7]
- 9 * a1[8]
- 12 * a1[11]
- 16 * a1[15] * 15 * a1[14]
- 17 * a1[16]
- 18 * a1[17] == 2582239)
s.add(
    20 * a1[19] * 19 * a1[18]
    + 14 * a1[13]
    + 13 * a1[12]
    + 11 * a1[10] * 10 * a1[9]
    + 30 * a1[5]
    - 7 * a1[6]
    + 8 * a1[7]
    - 9 * a1[8]
    + 5 * a1[4]
    + 3 * a1[2]
    + 2 * a1[1] * a1[0]
    - 4 * a1[3]
    - 12 * a1[11]
    - 16 * a1[15] * 15 * a1[14]
    - (18 * a1[17]
       + 17 * a1[16]) == 2602741)
s.add(19 * a1[18]
     + 18 * a1[17]
     + 14 * a1[13] * 13 * a1[12]
     + 12 * a1[11] * 11 * a1[10]
     + 9 * a1[8]
     + 7 * a1[6] * 30 * a1[5]
     + a1[0]
     - 2 * a1[1]
     - 4 * a1[3] * 3 * a1[2]
     - 5 * a1[4]
     + 8 * a1[7]
     - 10 * a1[9]
     - 15 * a1[14]
     - 17 * a1[16] * 16 * a1[15]
     - 20 * a1[19] == 2668123)
s.add(20 * a1[19] * 19 * a1[18]
     + 14 * a1[13]
     + (13 * a1[12] + 11 * a1[10] - 12 * a1[11]) * 10 * a1[9]
     + 30 * a1[5]
     + 5 * a1[4]
     + a1[0]
     + 2 * a1[1]
     - 3 * a1[2]
     - 4 * a1[3]
     - 7 * a1[6]
     + 8 * a1[7]
     - 9 * a1[8]
     - 16 * a1[15] * 15 * a1[14]
     - 17 * a1[16]
     - 18 * a1[17] == 2520193)
s.add(
    18 * a1[17]
    + 17 * a1[16]
    + 15 * a1[14]
    + 13 * a1[12] * 12 * a1[11]
    + 10 * a1[9]
    + 9 * a1[8] * 8 * a1[7]
    + 3 * a1[2] * 2 * a1[1] * a1[0]
    - 4 * a1[3]
    - 5 * a1[4]
    - 30 * a1[5]
    - 7 * a1[6]
    - 11 * a1[10]
    - 14 * a1[13]
    - 16 * a1[15]
    - 19 * a1[18]
    - 20 * a1[19] == 8904587)
s.add(
    18 * a1[17]
    + 7 * a1[6] * 30 * a1[5] * 5 * a1[4]
    + 4 * a1[3]
    + 8 * a1[7]
    + a1[0]
- 2 * a1[1]
- 3 * a1[2]
- 9 * a1[8]
- 11 * a1[10] * 10 * a1[9]
- 16 * a1[15] * (13 * a1[12] + 12 * a1[11] - 14 * a1[13] - 15 * a1[14])
- 17 * a1[16]
- 19 * a1[18]
- 20 * a1[19] == 1227620874)
s.add(20 * a1[19] * 19 * a1[18]
     + 17 * a1[16]
     + 14 * a1[13]
     + 13 * a1[12]
     + 12 * a1[11] * 11 * a1[10] * 10 * a1[9]
     + 7 * a1[6] * 30 * a1[5]
     + 5 * a1[4]
     + 3 * a1[2]
     + a1[0]
     + 2 * a1[1]
     + 4 * a1[3]
     + 8 * a1[7]
     - 9 * a1[8]
     - 16 * a1[15] * 15 * a1[14]
     - 18 * a1[17] == 1836606059)
s.add(
    20 * a1[19] * 19 * a1[18]
    + 16 * a1[15] * 15 * a1[14]
    + 14 * a1[13]
    + 13 * a1[12]
    + 12 * a1[11]
    + 7 * a1[6] * 30 * a1[5]
    + 5 * a1[4]
    + 2 * a1[1] * a1[0]
    - 3 * a1[2]
    + 4 * a1[3]
    + 8 * a1[7]
    - 9 * a1[8]
    - 10 * a1[9]
    - 11 * a1[10]
    - 17 * a1[16]
    - 18 * a1[17] == 8720560)
s.add(20 * a1[19] * 19 * a1[18]
     + 14 * a1[13]
     + 13 * a1[12]
     + 11 * a1[10] * (10 * a1[9] + 30 * a1[5] + 5 * a1[4] + 4 * a1[3] - 7 * a1[6] + 8 * a1[7] - 9 * a1[8])
     + a1[0]
     + 2 * a1[1]
     - 3 * a1[2]
     - 12 * a1[11]
     - (16 * a1[15] - 17 * a1[16] - 18 * a1[17]) * 15 * a1[14] == 11387045)
s.add(
    20 * a1[19] * 19 * a1[18]
    + 16 * a1[15] * 15 * a1[14]
    + 14 * a1[13]
    + 11 * a1[10] * 10 * a1[9]
    + 9 * a1[8]
    + 3 * a1[2]
    + a1[0]
- 2 * a1[1]
+ 4 * a1[3]
- 5 * a1[4]
- 30 * a1[5]
- 7 * a1[6]
+ 8 * a1[7]
- 12 * a1[11]
- 13 * a1[12]
- 17 * a1[16]
- 18 * a1[17] == 7660269)
s.add(20 * a1[19] * 19 * a1[18]
     + 14 * a1[13]
     + 13 * a1[12]
     + 11 * a1[10] * 10 * a1[9]
     - 12 * a1[11]
     + a1[0]
     + 2 * a1[1]
     - (4 * a1[3] * 3 * a1[2]
      - 5 * a1[4]
      - 30 * a1[5])
     - 7 * a1[6]
     + 8 * a1[7]
     - 9 * a1[8]
     - 16 * a1[15] * 15 * a1[14]
     - 17 * a1[16]
     - 18 * a1[17] == 2461883)
s.add(
    14 * a1[13]
    + 11 * a1[10] * 10 * a1[9]
    + 9 * a1[8] * 8 * a1[7]
    + 7 * a1[6]
    + 2 * a1[1] * a1[0]
    - 4 * a1[3] * 3 * a1[2]
    - 5 * a1[4]
    - 30 * a1[5]
    - 12 * a1[11]
    - 13 * a1[12]
    - 15 * a1[14]
    - 17 * a1[16] * 16 * a1[15]
    - 18 * a1[17]
    - 19 * a1[18]
    - 20 * a1[19] == -966296)

s.add(
14 * a1[13]
     + 13 * a1[12]
     + (11 * a1[10] * 10 * a1[9] + 30 * a1[5] + 5 * a1[4] + 3 * a1[2] + 4 * a1[3] - 7 * a1[6] + 8 * a1[7] - 9 * a1[8])
     * 2
     * a1[1]
     + a1[0]
     - 12 * a1[11]
     - 15 * a1[14]
     - 16 * a1[15]
     - 17 * a1[16]
     - 18 * a1[17]
     - 20 * a1[19] * 19 * a1[18] == 254500223
    )
s.add(
16 * a1[15] * 15 * a1[14]
     + 14 * a1[13]
     + 11 * a1[10] * 10 * a1[9]
     + 7 * a1[6] * 30 * a1[5]
     + a1[0]
     - 2 * a1[1]
     - 3 * a1[2]
     - 5 * a1[4] * 4 * a1[3]
     + 8 * a1[7]
     - 9 * a1[8]
     - 12 * a1[11]
     - 13 * a1[12]
     - 17 * a1[16]
     - 18 * a1[17]
     - 19 * a1[18]
     - 20 * a1[19] == 6022286
    )
s.add(
18 * a1[17]
     + 16 * a1[15]
     - 17 * a1[16]
     + 14 * a1[13]
     + 12 * a1[11]
     + 11 * a1[10] * 10 * a1[9]
     + 30 * a1[5]
     + 5 * a1[4]
     + 4 * a1[3] * 3 * a1[2]
     + 2 * a1[1] * a1[0]
     - 9 * a1[8] * 8 * a1[7] * 7 * a1[6]
     - 13 * a1[12]
     - 15 * a1[14]
     - 19 * a1[18]
     - 20 * a1[19] == -636956022
    )
s.add(
20 * a1[19] * 19 * a1[18]
     + 13 * a1[12]
     + 12 * a1[11]
     + 11 * a1[10] * 10 * a1[9]
     + 7 * a1[6]
     + 30 * a1[5]
     + 5 * a1[4]
     + 3 * a1[2] * 2 * a1[1] * a1[0]
     - 4 * a1[3]
     - 9 * a1[8] * 8 * a1[7]
     - 14 * a1[13]
     - 15 * a1[14]
     - 16 * a1[15]
     - 17 * a1[16]
     - 18 * a1[17] == 10631829
)
s.add(
20 * a1[19] * 19 * a1[18]
     + 16 * a1[15]
     - 17 * a1[16]
     - 18 * a1[17]
     + 15 * a1[14] * 14 * a1[13]
     + 13 * a1[12]
     + 11 * a1[10] * 10 * a1[9]
     - 12 * a1[11]
     + 7 * a1[6]
     + (4 * a1[3] - 5 * a1[4] - 30 * a1[5]) * 3 * a1[2]
     + a1[0]
     + 2 * a1[1]
     + 8 * a1[7]
     - 9 * a1[8] == 6191333
)
s.add(
14 * a1[13]
     + 10 * a1[9] * 9 * a1[8] * 8 * a1[7]
     + 5 * a1[4]
     + 4 * a1[3] * 3 * a1[2]
     + 2 * a1[1] * a1[0]
     - 7 * a1[6] * 30 * a1[5]
     - 11 * a1[10]
     - 13 * a1[12] * 12 * a1[11]
     - 16 * a1[15] * 15 * a1[14]
     - 18 * a1[17] * 17 * a1[16]
     - 20 * a1[19] * 19 * a1[18] == 890415359
)
s.add(
20 * a1[19]
     + 19 * a1[18]
     + 18 * a1[17]
     + 16 * a1[15]
     - 17 * a1[16]
     + 12 * a1[11]
     + 11 * a1[10]
     + 10 * a1[9]
     + 9 * a1[8]
     + 30 * a1[5]
     + a1[0]
     + 4 * a1[3] * 3 * a1[2] * 2 * a1[1]
     - 5 * a1[4]
     - 7 * a1[6]
     + 8 * a1[7]
     - 13 * a1[12]
     - 14 * a1[13]
     - 15 * a1[14] == 23493664
)
s.add(
20 * a1[19] * 19 * a1[18]
     + 13 * a1[12]
     + 12 * a1[11]
     + 10 * a1[9]
     + 3 * a1[2] * 2 * a1[1]
     + a1[0]
     - 4 * a1[3]
     - 5 * a1[4]
     + 8 * a1[7] * 7 * a1[6] * 30 * a1[5]
     - 9 * a1[8]
     - 11 * a1[10]
     - 14 * a1[13]
     - 16 * a1[15] * 15 * a1[14]
     - 17 * a1[16]
     - 18 * a1[17] == 1967260144
)
print(s.check())
for i in a1:
    print(s.model()[i].as_long(), end=",")

  • It runs fairly slowly
  • [104,97,104,97,104,97,116,104,105,115,105,115,102,97,99,107,102,108,97,103]
  • Next we find the following function
__int64 __fastcall sub_140014830(__int64 a1)
{
  sub_140011514(&unk_14002B069);
  for ( dword_1400254C8 = 0; (unsigned int)dword_1400254C8 < j_strlen(Str); ++dword_1400254C8 )
    dword_1400254D0[dword_1400254C8] = *(char *)(a1 + j_strlen(Str) - (unsigned int)dword_1400254C8 - 1) ^ dword_140025520[dword_1400254C8];
  return 0i64;
}
  • An obvious XOR
  • Reverse the a1 produced by z3 and XOR it with 25520
  • That produces 254D0
  • Now look at the next one
size_t sub_140014770()
{
  size_t result; // rax

  sub_140011514((__int64)&unk_14002B069);
  dword_1400254CC = 0;
  result = j_strlen(Str);
  if ( result )
    return dword_1400254D0[dword_1400254CC] == dword_140025050[dword_1400254CC];
  return result;
}
  • A comparison
  • 254D0 must equal 25050
  • This is 25050: b = [4615,19616,20257,57,107811,570,2342,19623,25952,54,108955,19624,113632,14085,2342,30675,39576,25979,24,2833]
  • Now we can XOR back
__int64 __fastcall sub_140014CC0(int a1, int a2)
{
  unsigned int v3; // [rsp+24h] [rbp+4h]

  sub_140011514((__int64)&unk_14002B069);
  v3 = 1;
  while ( a2 )
  {
    if ( (a2 & 1) != 0 )
      v3 *= a1;
    a1 = a1 * a1 % 1000;
    a2 >>= 2;
  }
  return v3;
}
  • The function above is fast exponentiation (square-and-multiply)
  • This function produces 25520
  • To summarise: fast power, z3, XOR, compare, result
  • Now we can write the script
b = [4615,19616,20257,57,107811,570,2342,19623,25952,54,108955,19624,113632,14085,2342,30675,39576,25979,24,2833]  # dword_140025050
a = [104,97,104,97,104,97,116,104,105,115,105,115,102,97,99,107,102,108,97,103]  # z3 result
d = [0] * 20
for i in range(20):
    d[i] = b[i] ^ a[19 - i]       # undo sub_140014830: 25520[i] = 25050[i] ^ reversed a1[i]
print(d)
key = [7,7,7,9,5,6,7,7,7,9,7,7,5,7,7,7,5,7,9,7]  # dword_140025000

def powmod(b, c):
    # mirrors sub_140014CC0: multiply on a set low bit, square the base mod 1000,
    # then shift the exponent by 2, exactly as in the decompiled loop
    ans = 1
    while c != 0:
        if (c & 1) != 0:
            ans *= b
        b = (b * b) % 1000
        c >>= 2
    return ans

for i in range(len(key)):
    for x in range(32, 128):      # brute-force each flag byte over printable ASCII
        if powmod(x, key[i]) == d[i]:
            print(chr(x), end="")
            break

  • Runs fairly slowly
  • We get NSSCTF{T1e_z3_1s_v1r9_3asy!}
  • A routine challenge
  • over!
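
As an added example (not the write-up's own script), the following models the decompiled sub_140014CC0 together with the XOR step from sub_140014830 in both directions, so the recovery can be checked against a known input. The flag and z3 string are constructed sample data and the keys are the first eight entries of the page's key array.

```python
MOD = 1000

def quirky_pow(x, k):
    """Model of sub_140014CC0 as decompiled on the page: multiply the accumulator
    when the low bit of k is set, square the base modulo 1000, then shift k by
    TWO. Because of the >>= 2 only bits 0, 2, 4, ... of k are ever tested, so the
    result is not pow(x, k): for k = 7 it is x * (x*x % 1000), for k = 9 it is x.
    The accumulator itself is never reduced, but with x < 128 and key values below
    16 it stays far below 2**32, so the binary's unsigned int does not wrap."""
    acc = 1
    base = x
    while k:
        if k & 1:
            acc *= base
        base = base * base % MOD
        k >>= 2
    return acc

def encode(flag, keys, z3_str):
    """Forward pipeline of the binary: 25520[i] = quirky_pow(flag[i], key[i]) and
    254D0[i] = z3_str[n-1-i] ^ 25520[i]; 254D0 is what gets compared with 25050."""
    n = len(flag)
    return [z3_str[n - 1 - i] ^ quirky_pow(flag[i], keys[i]) for i in range(n)]

def recover(expected, keys, z3_str, lo=32, hi=128):
    """Inverse: XOR the reversed z3 string back out, then brute-force each byte over
    printable ASCII. Every candidate is returned, so a collision in quirky_pow is
    visible instead of being hidden by taking the first hit (key 6 maps both
    123 and 127 to 129, since 123*123 and 127*127 agree mod 1000)."""
    n = len(expected)
    targets = [expected[i] ^ z3_str[n - 1 - i] for i in range(n)]
    return [[x for x in range(lo, hi) if quirky_pow(x, keys[i]) == targets[i]]
            for i in range(n)]

# Constructed inputs: a made-up flag and a z3 string taken from the first eight
# bytes of the page's z3 result; keys are the first eight of the page's key array.
FLAG = b"NSS{abc}"
KEYS = [7, 7, 7, 9, 5, 6, 7, 7]
Z3_STR = b"hahahath"

if __name__ == "__main__":
    table = encode(FLAG, KEYS, Z3_STR)
    print("constructed 25050 table:", table)
    cands = recover(table, KEYS, Z3_STR)
    print("recovered:", "".join(chr(c[0]) for c in cands))
```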

II. [watevrCTF 2019] Punk Whine

  • The download turns out to be Perl, which I have not learned, so I am learning it on the spot
  • The original challenge:
use Math::GMP;
$n=Math::GMP->new(qq
$i=275707953942;
$a=';
$i=%d;
$a=%c%s%c;
$r = $n->bxor($n->blshift(1,0))->band(Math::GMP->new(2)**65535-1);
exit printf $a,$i-(print "use Math::GMP;\n\$n=Math::GMP->new(qq(",$r,"))"),39,$a,39 if$i;
do{$c=($n+$i/3)%256;print chr$c if$c>31||$c==10}while$n>>=8;';
$r = $n->bxor($n->blshift(1,0))->band(Math::GMP->new(2)**65535-1);
exit printf $a,$i-(print "use Math::GMP;\n\$n=Math::GMP->new(qq(",$r,"))"),39,$a,39 if$i;
do{$c=$n%256;print chr$c if$c>31+$i||$c==10}while $n=$n->brshift(8);

  • Compared with C:
  • Similarities: 1. A semicolon is required after every simple statement; a newline does not end a statement.
    2. Array indices also start at 0.
    3. The comma operator works the same way.
    4. The && and || operators work the same way.
  • Differences:
  • 1. A variable's type is determined by the sigil in front of it: in Perl, $ marks a scalar, @ marks an array, and % marks a hash. For example, @foo is an array, $foo[0] is the first element of the array @foo, and @foo[0] is an array slice, which is of course also an array, but one containing only the single element $foo[0]. If you assign an array variable to a scalar, e.g. $bar=@foo;, you get the number of elements in the array.
  • 2. No need to declare a variable in advance: in Perl this is entirely unnecessary; you can introduce new variables at any time.
  • 3. No type casts: Perl's scalar type covers a wide range; it can be an integer, a string, or a floating-point number. An integer is silently and safely turned into the corresponding string.
  • 4. No character type: Perl has no char type. $ch='c'; actually assigns a string value to the scalar $ch, because in Perl single quotes also delimit strings.
  • 5. / is not integer division but floating-point division.
  • 6. Arrays: an ordinary array is initialised with (); Perl arrays grow and shrink freely, so there is no out-of-bounds problem.
  • 7. No switch.
  • 8. No memory leaks.
  • 9. Function arguments: Perl supports variable argument lists well, and arguments are actually passed by reference, not by value as in C.
  • 10. No main function.
  • 11. Lvalues: in Perl, anything that could be an lvalue can be used as one. For instance, if both branches of the ?: operator are lvalues, the whole expression can be an lvalue. Functions can be lvalues too: if the first argument of substr evaluates to something modifiable, substr can be used as an lvalue. You can also declare your own subs as usable as lvalues; yes, Perl lets you do that.
sub canuse : lvalue {
$val;}
canuse() = 9;   # it safely assigns the rvalue to $var
  • Analyze the source
  • It really comes down to the loop do{$c=$n%256;print chr$c if$c>31+$i||$c==10}while $n=$n->brshift(8); each generation's printed output is extracted and checked for the marker watevr.
  • Write the script
use Math::GMP;

$n = Math::GMP->new(qq(…));
foreach my $i (0..65535) {
  $n = $n->bxor($n->blshift(1,0))->band(Math::GMP->new(2)**65535-1);
  $nn = $n->gmp_copy();

  my $res = '';
  do {
    $c = $nn % 256;
    $res .= chr($c) if $c > 31 || $c == 10
  } while $nn=$nn->brshift(8, 0);

  if (index($res, 'watevr') != -1) {
    print $res;
  }
}
  • watevr{we_have_hit_rock_bottom}
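As an added example (not part of the original writeup or the challenge), the generation step and the byte-extraction loop of the Perl script in Python, plus the inverse of the step, which the script never needs but which shows the transform is a bijection on 65535-bit values; the sample values are constructed.

```python
MASK = (1 << 65535) - 1     # band(Math::GMP->new(2)**65535-1) in the script


def step(n):
    """One generation: $n->bxor($n->blshift(1,0))->band(MASK)."""
    return (n ^ (n << 1)) & MASK


def unstep(y):
    """Inverse of step().  Over GF(2)[t] mod t^65535, step() multiplies by
    (1 + t); its inverse is 1 + t + ... + t^65534, which factors as the
    product of (1 + t^(2^k)) for k = 0..15, so sixteen shift-xor passes
    recover the previous generation.  Not used by the challenge script;
    added to show the transform is a bijection."""
    x = y & MASK
    for k in range(16):
        x ^= (x << (1 << k)) & MASK
    return x


def extract(n):
    """The final do{...}while loop: take the low byte, keep it if it is
    printable (>31) or a newline, shift right by 8, stop when n is 0."""
    out = []
    while True:
        c = n % 256
        if c > 31 or c == 10:
            out.append(chr(c))
        n >>= 8
        if n == 0:
            break
    return ''.join(out)


def search(n, generations, marker='watevr'):
    """Advance up to `generations` times (the script loops over 0..65535)
    and return (k, text) for the first generation whose decoded text
    contains marker, or None."""
    for k in range(generations + 1):
        text = extract(n)
        if marker in text:
            return k, text
        n = step(n)
    return None


if __name__ == '__main__':
    # Constructed sample: a small value whose bytes spell a marker,
    # pushed two generations back with unstep() and then found again.
    seed = int.from_bytes(b'watevr{q}', 'little')
    print(search(unstep(unstep(seed)), 10))     # (2, 'watevr{q}')
```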

三. [GDOUCTF 2023]润!

  • The familiar UPX packer, but modified
  • Fix it directly in 010 Editor
  • After unpacking, analyze in IDA
  • The main function is below
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char Str[8]; // [rsp+20h] [rbp-30h] BYREF
  __int64 v5; // [rsp+28h] [rbp-28h]
  __int64 v6; // [rsp+30h] [rbp-20h]
  __int64 v7; // [rsp+38h] [rbp-18h]
  char v8; // [rsp+40h] [rbp-10h]
  int v9; // [rsp+44h] [rbp-Ch]
  int i; // [rsp+48h] [rbp-8h]
  unsigned int v11; // [rsp+4Ch] [rbp-4h]

  _main();
  init();
  *(_QWORD *)Str = 0i64;
  v5 = 0i64;
  v6 = 0i64;
  v7 = 0i64;
  v8 = 0;
  puts("This is a easy puzzle.\nInput your route.");
  scanf("%31c", Str);
  v11 = 0;
  v9 = strlen(Str);
  for ( i = 0; i < v9; ++i )
    v11 = moving(v11, (unsigned int)Str[i]);
  if ( v11 != 511 || jur )
    printf("Wrong way!");
  else
    printf("Right!");
  return 0;
}
  • The init function
__int64 init()
{
  __int64 result; // rax
  int j; // [rsp+4h] [rbp-Ch]
  int i; // [rsp+8h] [rbp-8h]
  int v3; // [rsp+Ch] [rbp-4h]

  v3 = 0;
  for ( i = 0; i <= 7; ++i )
  {
    for ( j = 0; j <= 7; ++j )
    {
      puzzle[8 * i + conut + 7 - j] = (gen[conut / 8 + i] >> j) & 1;
      ++v3;
    }
  }
  result = (unsigned int)(conut + v3);
  conut += v3;
  return result;
}
  • The function that builds the maze
  • The function that moves along the route through the maze
__int64 __fastcall moving(int a1, char a2)
{
  __int64 result; // rax
  int v3; // [rsp+2Ch] [rbp-4h]

  switch ( a2 )
  {
    case 'a':
      v3 = a1 - 1;
      goto LABEL_11;
    case 'd':
      v3 = a1 + 1;
      goto LABEL_11;
    case 'n':
      v3 = a1 - 64;
      if ( --layer >= 0 )
        goto LABEL_11;
      result = 0i64;
      break;
    case 's':
      v3 = a1 + 8;
      goto LABEL_11;
    case 'u':
      v3 = a1 + 64;
      if ( ++layer <= 7 )
      {
        init();
LABEL_11:
        if ( v3 > 511 )
        {
LABEL_15:
          jur = 1;
          result = 0i64;
        }
        else if ( puzzle[v3] )
        {
          jur = 1;
          result = 0i64;
        }
        else
        {
          result = (unsigned int)v3;
        }
      }
      else
      {
        result = 0i64;
      }
      break;
    case 'w':
      v3 = a1 - 8;
      goto LABEL_11;
    default:
      goto LABEL_15;
  }
  return result;
}
  • A 3D maze: each layer is 8*8, and there are 8 layers
  • Set a breakpoint and dump the maze data during debugging
  • Then write a script to print the maze; it can also be worked out by hand
  • Note that what IDA exports is dd, i.e. each value occupies four bytes
maze_arr=[   0,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   0,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   0,   0,   0,   0,   0,   0, 
    0,   0,   0,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   0,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   0,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   0,   0,   0,   0, 
    0,   0,   0,   0,   0,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   0,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   0,   0,   0,   0,   0,   0, 
    0,   0,   0,   0,   0,   0,   1,   0,   0,   0, 
    0,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   0,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   0,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   0,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    0,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   0,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   0,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   0,   0,   0,   0, 
    0,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   0,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   0,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   0,   0,   0,   0, 
    0,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   0,   0,   0,   0,   0,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    0,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   1,   0,   0,   0, 
    1,   0,   0,   0,   1,   0,   0,   0,   1,   0, 
    0,   0,   1,   0,   0,   0,   0,   0,   0,   0, 
    0,   0,   0,   0,   0,   0,   0,   0]
for l in range(8):
    for i in range(8):
       for j in range(8):
            print(maze_arr[l*64*4+i*8*4+j*4], end='')
       print('\n', end='')
    print('\n',end='')
  • Found the route: ssddssuuwwddndduuussdussasauudd, which is the flag
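An added example, not from the writeup: a Python model of moving() plus a breadth-first solver, so the route does not have to be traced by hand. The page's puzzle data is not embedded; constructed_maze() builds a sample grid with a single corridor, and unstride() is the step for the IDA dd dump (every fourth value).

```python
from collections import deque

# Deltas copied from the decompiled moving(): a/d move within a row,
# w/s move one row, u/n move one 8x8 layer (64 cells).
MOVES = {'a': -1, 'd': 1, 'w': -8, 's': 8, 'u': 64, 'n': -64}
GOAL = 511          # last cell of the 8x8x8 grid; main() requires v11 == 511


def unstride(dd_dump, width=4):
    """IDA exported puzzle as dd (4 bytes per cell), so only every
    `width`-th value of the dump is a real cell; keep those."""
    return list(dd_dump[::width])


def walk(puzzle, path):
    """Replay moving() over `path` as main() does and return (pos, jur).

    Mirrors the binary: no check that a/d stay within the row, a separate
    layer counter for u/n, and a sticky jur flag on walls / out of range.
    Negative indices (which the binary would read out of bounds) are
    treated as out of range here.
    """
    pos, layer = 0, 0
    for ch in path:
        if ch not in MOVES:
            return 0, True                  # default branch: jur = 1
        nxt = pos + MOVES[ch]
        if ch == 'u':
            layer += 1
            if layer > 7:                   # ++layer <= 7 fails: result 0
                pos = 0
                continue
        elif ch == 'n':
            layer -= 1
            if layer < 0:                   # --layer >= 0 fails: result 0
                pos = 0
                continue
        if nxt < 0 or nxt > GOAL or puzzle[nxt]:
            return 0, True                  # wall or v3 > 511: jur = 1
        pos = nxt
    return pos, False


def neighbours(pos):
    """Geometric moves only (no wrapping between rows or layers); these are
    the moves a legitimate route is built from."""
    col, row, layer = pos % 8, (pos // 8) % 8, pos // 64
    ok = {'a': col > 0, 'd': col < 7, 'w': row > 0, 's': row < 7,
          'u': layer < 7, 'n': layer > 0}
    return [(ch, pos + MOVES[ch]) for ch in MOVES if ok[ch]]


def solve(puzzle, start=0, goal=GOAL):
    """Breadth-first search for the shortest move string from start to goal;
    returns None if goal is unreachable."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        pos = queue.popleft()
        if pos == goal:
            break
        for ch, nxt in neighbours(pos):
            if puzzle[nxt] or nxt in prev:
                continue
            prev[nxt] = (pos, ch)
            queue.append(nxt)
    if goal not in prev:
        return None
    path = []
    while prev[goal] is not None:
        goal, ch = prev[goal]
        path.append(ch)
    return ''.join(reversed(path))


def constructed_maze():
    """Constructed sample (not the challenge's data): every cell is a wall
    except one staircase corridor, so the only route is 'dsu' seven times."""
    maze = [1] * 512
    pos = 0
    maze[pos] = 0
    for _ in range(7):
        for ch in 'dsu':
            pos += MOVES[ch]
            maze[pos] = 0
    return maze


if __name__ == '__main__':
    maze = constructed_maze()
    route = solve(maze)
    print(route, walk(maze, route))     # dsudsudsudsudsudsudsu (511, False)
```

With the real data, feed the dumped dd values through unstride() and hand the result to solve(); walk() then confirms the route the way main() does.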

四. [HNCTF 2022 WEEK2]Try2Bebug_Plus

  • The main function is quite short
  • Patch out the sleep call, then debug dynamically
  • and the flag is displayed

五. 【 SWPU2019 】easyRE

  • First tried dynamic debugging: it exits immediately
  • Open it in x64dbg
  • Observe the following
  • Step over until you find main's entry point
  • Run further: after this jump the program exits directly


  • Open IDA and start debugging; remember to set a breakpoint, and NOP out that jmp or change it to jnz
  • Look at the main function
int __cdecl main(int argc, const char **argv, const char **envp)
{
  _DWORD v4[28]; // [esp-6Ch] [ebp-F8h] BYREF
  _DWORD *v5; // [esp+4h] [ebp-88h]
  _DWORD *v6; // [esp+8h] [ebp-84h]
  int v7; // [esp+Ch] [ebp-80h]
  char v8[108]; // [esp+10h] [ebp-7Ch] BYREF
  int v9; // [esp+88h] [ebp-4h]

  if ( sub_8AEF90() )
    return 1;
  sub_8A26C0(0x6Cu);
  sub_8A1FE0(v4[27], v5);
  v9 = 0;
  v6 = v4;
  sub_8AF360(v8);
  sub_8AF080(v4[0], v4[1]);
  v5 = v4;
  sub_8AF360(v8);
  sub_8AF150(argc, (int)argv);
  v7 = 0;
  v9 = -1;
  sub_8A21C0(v8);
  return v7;
}
_DWORD *__thiscall sub_8A1FE0(_DWORD *this)
{
  int i; // [esp+4h] [ebp-14h]

  *this = &EASYRE::`vftable';
  this[1] = 0;
  *((_BYTE *)this + 52) = 8;
  *((_BYTE *)this + 53) = -22;
  *((_BYTE *)this + 54) = 88;
  *((_BYTE *)this + 55) = -34;
  *((_BYTE *)this + 56) = -108;
  *((_BYTE *)this + 57) = -48;
  *((_BYTE *)this + 58) = 59;
  *((_BYTE *)this + 59) = -66;
  *((_BYTE *)this + 60) = -120;
  *((_BYTE *)this + 61) = -44;
  *((_BYTE *)this + 62) = 50;
  *((_BYTE *)this + 63) = -74;
  *((_BYTE *)this + 64) = 20;
  *((_BYTE *)this + 65) = -126;
  *((_BYTE *)this + 66) = -73;
  *((_BYTE *)this + 67) = -81;
  *((_BYTE *)this + 68) = 20;
  *((_BYTE *)this + 69) = 84;
  *((_BYTE *)this + 70) = 127;
  *((_BYTE *)this + 71) = -49;
  qmemcpy(this + 18, "  03\"3   0 203\"   $ ", 20);
  sub_8A30A0(this + 23);
  sub_8A2DE0(this + 26);
  for ( i = 0; i < 40; ++i )
    *((_BYTE *)this + i + 12) = 0;
  return this;
}
  • Locate the vtable
  • The check function is as follows
BOOL __thiscall sub_8A24B0(_DWORD *this, int a2)
{
  BOOL result; // eax

  this[2] = a2;
  result = 0;
  if ( (*(int (__thiscall **)(_DWORD *))(*this + 12))(this) )
  {
    (*(void (__thiscall **)(_DWORD *))(*this + 24))(this);
    if ( (*(int (__thiscall **)(_DWORD *))(*this + 40))(this) )
      return 1;
  }
  return result;
}
  • Look at this+12
int __thiscall sub_8A2500(const char **this)
{
  int v2; // [esp+Ch] [ebp-B0h]
  unsigned int v3; // [esp+14h] [ebp-A8h]
  int i; // [esp+24h] [ebp-98h]
  char v6[56]; // [esp+30h] [ebp-8Ch] BYREF
  char v7[20]; // [esp+68h] [ebp-54h] BYREF
  char v8[48]; // [esp+7Ch] [ebp-40h] BYREF
  int v9; // [esp+B8h] [ebp-4h]

  v3 = (unsigned int)&this[2][strlen(this[2])];
  strcpy(v8, "Ncg`esdvLkLgk$mL=Lgk$mL=Lgk$mL=Lgk$mL=Lgk$mLm");
  sub_8A26C0(v6, 0x38u);
  sub_8A2B00();
  v9 = 0;
  for ( i = 0; i < 45; ++i )
    v8[i] ^= 0x10u;
  sub_8A26C0(v7, 0x14u);
  sub_8A2A70(v8, 1);
  LOBYTE(v9) = 1;
  v2 = (unsigned __int8)sub_8A4260(this[2], v3, v6, v7, 0);
  LOBYTE(v9) = 0;
  sub_8A2A50(v7);
  v9 = -1;
  sub_8A26A0();
  return v2;
}
  • swpuctf{\w{4}-\w{4}-\w{4}-\w{4}-\w{4}} is the flag format

  • this+24


  • It calls the following two functions
  • this+28
int __thiscall sub_8A2730(_DWORD *this, int a2)
{
  int v2; // esi
  int v3; // ecx
  unsigned __int8 v4; // al
  char v6; // cf
  char v7; // bl
  char v8; // t2
  int v10; // [esp+Ch] [ebp-30h]
  int i; // [esp+14h] [ebp-28h]
  int j; // [esp+1Ch] [ebp-20h]
  int v13; // [esp+20h] [ebp-1Ch] BYREF
  int v14; // [esp+24h] [ebp-18h]
  int v15; // [esp+28h] [ebp-14h]
  int v16; // [esp+2Ch] [ebp-10h]
  int v17; // [esp+30h] [ebp-Ch]
  int v18; // [esp+34h] [ebp-8h]

  v13 = 0;
  v14 = 0;
  v15 = 0;
  v16 = 0;
  v17 = 0;
  v18 = 0;
  v10 = this[2] + 5 * a2 + 8;
  for ( i = 0; i < 4; ++i )
    *((_BYTE *)&v13 + i) = *(_BYTE *)(i + v10);
  v2 = 0;
  v3 = 4;
  do
  {
    v4 = *((_BYTE *)&v13 + v2);
    _DL = v4;
    __asm { rcl     dl, 1 }
    *((_BYTE *)&v15 + v2) = 1;
    v7 = 0;
    v6 = 0;
    do
    {
      v8 = v6 << 7;
      v6 = v4 & 1;
      v4 = (v4 >> 1) | v8;
      ++v7;
    }
    while ( v6 );
    *((_BYTE *)&v16 + v2++) = v7 - 1;
    --v3;
  }
  while ( v3 );
  for ( j = 0; j < 4; ++j )
  {
    *((_BYTE *)&v14 + j) = *((_BYTE *)&v16 + j) + *((_BYTE *)&v15 + j);
    *((_BYTE *)&v17 + j) = *((char *)&v13 + j) << *((_BYTE *)&v15 + j);
    *((_BYTE *)&v18 + j) = (*((char *)&v13 + j) << (8 - *((_BYTE *)&v16 + j))) | ((unsigned __int8)(*((char *)&v13 + j) >> (8 - *((_BYTE *)&v15 + j))) << *((_BYTE *)&v15 + j));
  }
  return sub_8A2F80(&v13);
}
  • Now let's analyze its assembly
.text:008A1E40 push    ebp
.text:008A1E41 mov     ebp, esp
.text:008A1E43 sub     esp, 30h
.text:008A1E46 mov     eax, ___security_cookie
.text:008A1E4B xor     eax, ebp
.text:008A1E4D mov     [ebp+var_4], eax
.text:008A1E50 push    ebx
.text:008A1E51 push    esi
.text:008A1E52 push    edi
.text:008A1E53 mov     [ebp+var_2C], ecx
.text:008A1E56 xor     eax, eax
.text:008A1E58 mov     [ebp+var_1C], eax
.text:008A1E5B mov     [ebp+var_18], eax
.text:008A1E5E mov     [ebp+var_14], eax
.text:008A1E61 mov     [ebp+var_10], eax
.text:008A1E64 mov     [ebp+var_C], eax
.text:008A1E67 mov     [ebp+var_8], eax
.text:008A1E6A imul    ecx, [ebp+arg_0], 5
.text:008A1E6E mov     edx, [ebp+var_2C]
.text:008A1E71 mov     eax, [edx+8]
.text:008A1E74 lea     ecx, [eax+ecx+8]
.text:008A1E78 mov     [ebp+var_30], ecx
.text:008A1E7B mov     [ebp+var_28], 0
.text:008A1E82 jmp     short loc_8A1E8D
.text:008A1E82
.text:008A1E84 ; ---------------------------------------------------------------------------
.text:008A1E84
.text:008A1E84 loc_8A1E84:                             ; CODE XREF: sub_8A1E40+62↓j
.text:008A1E84 mov     edx, [ebp+var_28]
.text:008A1E87 add     edx, 1
.text:008A1E8A mov     [ebp+var_28], edx
.text:008A1E8A
.text:008A1E8D
.text:008A1E8D loc_8A1E8D:                             ; CODE XREF: sub_8A1E40+42↑j
.text:008A1E8D cmp     [ebp+var_28], 4
.text:008A1E91 jge     short loc_8A1EA4
.text:008A1E91
.text:008A1E93 mov     eax, [ebp+var_30]
.text:008A1E96 add     eax, [ebp+var_28]
.text:008A1E99 mov     ecx, [ebp+var_28]
.text:008A1E9C mov     dl, [eax]
.text:008A1E9E mov     byte ptr [ebp+ecx+var_1C], dl
.text:008A1EA2 jmp     short loc_8A1E84
.text:008A1EA2
.text:008A1EA4 ; ---------------------------------------------------------------------------
.text:008A1EA4
.text:008A1EA4 loc_8A1EA4:                             ; CODE XREF: sub_8A1E40+51↑j
.text:008A1EA4 pusha
.text:008A1EA5 xor     esi, esi
.text:008A1EA7 mov     ecx, 4
.text:008A1EA7
.text:008A1EAC
.text:008A1EAC loc_8A1EAC:                             ; CODE XREF: sub_8A1E40+99↓j
.text:008A1EAC xor     eax, eax
.text:008A1EAE mov     al, byte ptr [ebp+esi+var_1C]
.text:008A1EB5 mov     edx, eax
.text:008A1EB7 xor     ebx, ebx
.text:008A1EB7
.text:008A1EB9
.text:008A1EB9 loc_8A1EB9:                             ; CODE XREF: sub_8A1E40+7E↓j
.text:008A1EB9 rcl     dl, 1
.text:008A1EBB inc     ebx
.text:008A1EBC jb      short loc_8A1EC0
.text:008A1EBC
.text:008A1EBE jmp     short loc_8A1EB9
.text:008A1EBE
.text:008A1EC0 ; ---------------------------------------------------------------------------
.text:008A1EC0
.text:008A1EC0 loc_8A1EC0:                             ; CODE XREF: sub_8A1E40+7C↑j
.text:008A1EC0 mov     byte ptr [ebp+esi+var_14], bl
.text:008A1EC7 xor     ebx, ebx
.text:008A1EC7
.text:008A1EC9
.text:008A1EC9 loc_8A1EC9:                             ; CODE XREF: sub_8A1E40+8E↓j
.text:008A1EC9 rcr     al, 1
.text:008A1ECB inc     ebx
.text:008A1ECC jb      short loc_8A1ED0
.text:008A1ECC
.text:008A1ECE jmp     short loc_8A1EC9
.text:008A1ECE
.text:008A1ED0 ; ---------------------------------------------------------------------------
.text:008A1ED0
.text:008A1ED0 loc_8A1ED0:                             ; CODE XREF: sub_8A1E40+8C↑j
.text:008A1ED0 dec     ebx
.text:008A1ED1 mov     byte ptr [ebp+esi+var_10], bl
.text:008A1ED8 inc     esi
.text:008A1ED9 loop    loc_8A1EAC
.text:008A1ED9
.text:008A1EDB popa
.text:008A1EDC mov     [ebp+var_20], 0
.text:008A1EE3 jmp     short loc_8A1EEE
.text:008A1EE3
.text:008A1EE5 ; ---------------------------------------------------------------------------
.text:008A1EE5
.text:008A1EE5 loc_8A1EE5:                             ; CODE XREF: sub_8A1E40+171↓j
.text:008A1EE5 mov     eax, [ebp+var_20]
.text:008A1EE8 add     eax, 1
.text:008A1EEB mov     [ebp+var_20], eax
.text:008A1EEB
.text:008A1EEE
.text:008A1EEE loc_8A1EEE:                             ; CODE XREF: sub_8A1E40+A3↑j
.text:008A1EEE cmp     [ebp+var_20], 4
.text:008A1EF2 jge     loc_8A1FB6
.text:008A1EF2
.text:008A1EF8 mov     ecx, [ebp+var_20]
.text:008A1EFB movzx   edx, byte ptr [ebp+ecx+var_14]
.text:008A1F00 mov     eax, [ebp+var_20]
.text:008A1F03 movzx   ecx, byte ptr [ebp+eax+var_10]
.text:008A1F08 add     edx, ecx
.text:008A1F0A mov     eax, [ebp+var_20]
.text:008A1F0D mov     byte ptr [ebp+eax+var_18], dl
.text:008A1F11 mov     ecx, [ebp+var_20]
.text:008A1F14 movsx   edx, byte ptr [ebp+ecx+var_1C]
.text:008A1F19 mov     eax, [ebp+var_20]
.text:008A1F1C movzx   ecx, byte ptr [ebp+eax+var_14]
.text:008A1F21 shl     edx, cl
.text:008A1F23 mov     ecx, [ebp+var_20]
.text:008A1F26 mov     byte ptr [ebp+ecx+var_C], dl
.text:008A1F2A mov     edx, [ebp+var_20]
.text:008A1F2D mov     eax, [ebp+var_20]
.text:008A1F30 mov     dl, byte ptr [ebp+edx+var_C]
.text:008A1F34 mov     cl, byte ptr [ebp+eax+var_18]
.text:008A1F38 shr     dl, cl
.text:008A1F3A mov     eax, [ebp+var_20]
.text:008A1F3D mov     byte ptr [ebp+eax+var_C], dl
.text:008A1F41 mov     ecx, [ebp+var_20]
.text:008A1F44 movzx   edx, byte ptr [ebp+ecx+var_14]
.text:008A1F49 mov     eax, 8
.text:008A1F4E sub     eax, edx
.text:008A1F50 mov     [ebp+var_22], al
.text:008A1F53 mov     ecx, [ebp+var_20]
.text:008A1F56 movsx   edx, byte ptr [ebp+ecx+var_1C]
.text:008A1F5B movzx   ecx, [ebp+var_22]
.text:008A1F5F sar     edx, cl
.text:008A1F61 mov     [ebp+var_24], dl
.text:008A1F64 mov     eax, [ebp+var_20]
.text:008A1F67 movzx   ecx, byte ptr [ebp+eax+var_10]
.text:008A1F6C mov     edx, 8
.text:008A1F71 sub     edx, ecx
.text:008A1F73 mov     [ebp+var_23], dl
.text:008A1F76 mov     eax, [ebp+var_20]
.text:008A1F79 movsx   edx, byte ptr [ebp+eax+var_1C]
.text:008A1F7E movzx   ecx, [ebp+var_23]
.text:008A1F82 shl     edx, cl
.text:008A1F84 mov     [ebp+var_21], dl
.text:008A1F87 mov     eax, [ebp+var_20]
.text:008A1F8A mov     dl, [ebp+var_21]
.text:008A1F8D mov     cl, byte ptr [ebp+eax+var_18]
.text:008A1F91 shr     dl, cl
.text:008A1F93 mov     [ebp+var_21], dl
.text:008A1F96 movzx   eax, [ebp+var_24]
.text:008A1F9A mov     ecx, [ebp+var_20]
.text:008A1F9D movzx   ecx, byte ptr [ebp+ecx+var_14]
.text:008A1FA2 shl     eax, cl
.text:008A1FA4 movzx   edx, [ebp+var_21]
.text:008A1FA8 or      eax, edx
.text:008A1FAA mov     ecx, [ebp+var_20]
.text:008A1FAD mov     byte ptr [ebp+ecx+var_8], al
.text:008A1FB1 jmp     loc_8A1EE5
.text:008A1FB1
.text:008A1FB6 ; ---------------------------------------------------------------------------
.text:008A1FB6
.text:008A1FB6 loc_8A1FB6:                             ; CODE XREF: sub_8A1E40+B2↑j
.text:008A1FB6 lea     edx, [ebp+var_1C]
.text:008A1FB9 push    edx
.text:008A1FBA mov     ecx, [ebp+var_2C]
.text:008A1FBD add     ecx, 5Ch ; '\'
.text:008A1FC0 call    sub_8A2F80
.text:008A1FC0
.text:008A1FC5 pop     edi
.text:008A1FC6 pop     esi
.text:008A1FC7 pop     ebx
.text:008A1FC8 mov     ecx, [ebp+var_4]
.text:008A1FCB xor     ecx, ebp                        ; StackCookie
.text:008A1FCD call    @__security_check_cookie@4      ; __security_check_cookie(x)
.text:008A1FCD
.text:008A1FD2 mov     esp, ebp
.text:008A1FD4 pop     ebp
.text:008A1FD5 retn    4
.text:008A1FD5
.text:008A1FD5 sub_8A1E40 endp
  • RCL is rotate-through-carry left, RCR is rotate-through-carry right. RCL moves the operand's highest bit into CF while the old CF goes into the lowest bit, forming a ring; the rotate count is given by CL or CX. RCR is the reverse: the lowest bit goes into CF and CF goes into the highest bit, again forming a ring.
  • dl is rotated repeatedly, ebx is incremented on every rotate, and as soon as a carry comes out control jumps to the next block, which saves ebx on the stack and clears ebx
  • dl and al are both loaded from a stack address, and each time that address points to one byte of the flag

The results are saved at [ebp+esi+var_1C+8] and [ebp+…+0xC] respectively, and esi is incremented

In other words, it finds the bit position of dl's highest set 1

  • this+36
int __thiscall sub_8A28A0(_DWORD *this)
{
  _DWORD *v1; // eax
  int v2; // eax
  int result; // eax
  int v4; // eax
  int v5; // eax
  int v6; // eax
  char v7; // bl
  int v8; // eax
  int v9; // eax
  int v10; // eax
  char v11[4]; // [esp+4h] [ebp-1Ch] BYREF
  char v12[4]; // [esp+8h] [ebp-18h] BYREF
  int v13; // [esp+Ch] [ebp-14h]
  int v14; // [esp+10h] [ebp-10h]
  _DWORD *v15; // [esp+14h] [ebp-Ch]
  int i; // [esp+18h] [ebp-8h]
  _DWORD *v17; // [esp+1Ch] [ebp-4h]

  v17 = this;
  v14 = 32;
  v13 = 0;
  v15 = this + 3;
  v1 = (_DWORD *)sub_8A2EA0(v12);
  v17[26] = *v1;
  while ( 1 )
  {
    v2 = sub_8A2E40(v11);
    result = sub_8A2E00(v2);
    if ( !(_BYTE)result )
      break;
    for ( i = 0; i < 8; ++i )
    {
      if ( i >= 4 )
      {
        v9 = sub_8A2DC0(v17 + 26);
        v14 -= *(unsigned __int8 *)(v9 + i);
        v10 = sub_8A2DC0(v17 + 26);
        *v15 |= *(unsigned __int8 *)(v10 + i + 16) << v14;
      }
      else
      {
        v4 = sub_8A2DC0(v17 + 26);
        v13 = 8 - *(unsigned __int8 *)(v4 + i + 4);
        v14 -= v13;
        v5 = sub_8A2DC0(v17 + 26);
        *v15 |= *(unsigned __int8 *)(v5 + i + 16) << v14;
        v6 = sub_8A2DC0(v17 + 26);
        v7 = 16 * *(_BYTE *)(v6 + i + 8);
        v8 = sub_8A2DC0(v17 + 26);
        *((_BYTE *)v15 + i + 20) = *(_BYTE *)(v8 + i + 12) | v7;
      }
    }
    ++v15;
    sub_8A2DA0(v17 + 26);
  }
  return result;
}
  • Overall program flow:

Check the flag format.
Split the flag into 5 parts on '-', then run shift operations on the flag so that every character yields 5 results, which are stored in memory.
Loop 5 times, processing 4 characters per iteration; using the 5 results obtained for each character, continue with shift and OR operations, which finally produce two results: one depends on the characters jointly, while the other is computed per character and is unaffected by the other characters.
Compare the results with the two strings set up during initialization.

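The forward transform that the solver inverts, written out as an added example (not the page's or the challenge author's code): it derives the per-character values and the two group results from one 4-character group and checks them against the two tables taken from the binary; the helper names (lead_shifts, trail_zeros, per_char, encode_group, check_flag) are my own.

```python
# Added example, not the page's own code: the forward transform the solver
# inverts, reconstructed from the decompiled loop and the notes above.
S = ['08', 'EA', '58', 'DE', '94', 'D0', '3B', 'BE', '88', 'D4', '32', 'B6',
     '14', '82', 'B7', 'AF', '14', '54', '7F', 'CF']          # joint words
S2 = '  03\"3   0 203\"   $ '                                  # per-char marks

def lead_shifts(c):
    """Left shifts of the byte c until a bit carries out (the RCL/CF loop)."""
    if not c:
        return 8
    n = 0
    while not (c & 0x100):
        c <<= 1
        n += 1
    return n

def trail_zeros(c):
    """Right shifts until the low bit is set (the RCR/CF loop); 8 for c == 0."""
    n = 0
    while n < 8 and not (c >> n) & 1:
        n += 1
    return n

def per_char(c):
    """Values the binary stores per character: (r1, r2, r3, mark)."""
    t1, t0 = lead_shifts(c), trail_zeros(c)
    r1 = t0 + t1
    r2 = ((c << t1) & 0xFF) >> r1
    r3 = ((c >> (8 - t1)) << t1) | (((c << (8 - t0)) & 0xFF) >> r1)
    return r1, r2, r3, chr(t0 | 16 * t1)

def encode_group(group):
    """Joint 32-bit word and 4-char mark string for one 4-char group."""
    vals = [per_char(ord(ch)) for ch in group]
    word, pos = 0, 32
    for r1, r2, _, _ in vals:            # i < 4 branch of the decompiled loop
        pos -= 8 - r1
        word |= r2 << pos
    for r1, _, r3, _ in vals:            # i >= 4 branch
        pos -= r1
        word |= r3 << pos
    return word & 0xFFFFFFFF, ''.join(m for _, _, _, m in vals)

def check_flag(flag):
    """True when every group of 'swpuctf{a-b-c-d-e}' reproduces S and S2."""
    groups = flag[len('swpuctf{'):-1].split('-')
    if len(groups) != 5 or any(len(g) != 4 for g in groups):
        return False
    for i, g in enumerate(groups):
        want = int(''.join(reversed(S[4 * i:4 * i + 4])), 16)   # little-endian
        if encode_group(g) != (want, S2[4 * i:4 * i + 4]):
            return False
    return True
```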
import string

class SwpuctfBabyre():
    def __init__(self):
        self.s2 = '  03\"3   0 203\"   $ '
        self.s = ['08', 'EA', '58', 'DE', '94', 'D0', '3B', 'BE', '88', 'D4', '32', 'B6', '14', '82', 'B7', 'AF', '14', '54',
             '7F', 'CF']
        self.flag = 'swpuctf{'
        self.d = dict.fromkeys(list(set(self.s2)))
        self.v14 = 0x20
        for i in list(set(self.s2)):
            self.d[i] = []

    def check_1(self, c): # number of left shifts until a carry out
        num = 0
        while True:
            c = c << 1
            num += 1
            if c & 0x100:
                return num


    def check_0(self, c): # number of trailing zero bits
        num = 0
        while True:
            if c & 1:
                return num
            num += 1
            c = c >> 1


    def generate_0(self, c):
        res1 = self.check_0(c) + self.check_1(c)
        res2 = ((c << self.check_1(c)) & 0xff) >> res1
        res3 = ((c >> (8 - self.check_1(c))) << self.check_1(c)) | ((c << (8 - self.check_0(c)) & 0xff) >> res1)
        return [res1, res2, res3]


    def check_part(self, c):
        tmp = list(set(self.s2))
        tmp2 = self.check_0(c) | (16 * self.check_1(c))
        for i in tmp:
            if tmp2 == ord(i):
                return i

        return ''


    def classify(self):
        for_each = string.ascii_lowercase + string.ascii_uppercase + string.digits
        for i in for_each:
            tmp = self.check_part(ord(i))
            if tmp:
                self.d[tmp].append(i)

    def test_1(self, c):
        exam = {c: self.generate_0(ord(c))}
        self.v14 = self.v14 - (8 - exam[c][0])
        tmp = exam[c][1] << self.v14
        return tmp


    def test_2(self, c):
        exam = {c: self.generate_0(ord(c))}
        self.v14 = self.v14 - exam[c][0]
        tmp = exam[c][2] << self.v14
        return tmp


    def calc_first_part(self, s):
        self.v14 = 0x20
        tmp = 0
        for i in s:
            tmp |= self.test_1(i)

        for i in s:
            tmp |= self.test_2(i)

        return tmp


    def check_first_part(self, second_part, first_part):
        for i in self.d[second_part[0]]:
            for j in self.d[second_part[1]]:
                for k in self.d[second_part[2]]:
                    for m in self.d[second_part[3]]:
                        tmp = i + j + k + m
                        if self.calc_first_part(tmp) == first_part:
                            return tmp

    def run(self):
        self.classify()
        for i in range(0, 5):
            first_part = int(self.s[3 + 4 * i]+self.s[2 + 4 * i]+self.s[1 + 4 * i]+self.s[4 * i], 16)
            second_part = self.s2[i*4:i*4+4]
            res = self.check_first_part(second_part, first_part)
            if i == 4:
                self.flag += res
                break
            self.flag += res + '-'
        self.flag += '}'

        print(self.flag)

if __name__ == '__main__':
    swpuctf = SwpuctfBabyre()
    swpuctf.run()
  • swpuctf{we18-l8co-m1e4-58to-swpu}