热门标签
热门文章
- 1执行'brew update'提示'Permission denied'解决方案_brew upgrade permission denied mac
- 2最新个人简历(通用20篇)_个人简历免费
- 3Java 给视频添加背景音乐 | Java工具_java video audio encoder
- 4关于github双因素验证问题解决方案_two-factor code verification failed. please try ag
- 5ONLYOFFICE 桌面编辑器 8.1 强势来袭:解锁全新PDF编辑、幻灯片优化与本地化体验,立即下载!AI_onlyoffice8.1版本
- 6Baidu Comate 编程的智能化新时代
- 72024年最全微信公众号 接口测试平台 获取自定义菜单教程,2024年最新推荐给大家_微信公众平台接口调试工具自定义菜单
- 8PHP 免费开源 cms 内容管理系统 (07flyCMS)
- 9dell电脑安装Ubuntu系统BIOS设置_dell服务器默认ubuntu操作系统吗
- 10python列表的扩展操作
当前位置: article > 正文
5.8---5.14 reverse刷题笔记_upx防脱壳
作者:繁依Fanyi0 | 2024-06-20 03:20:25
赞
踩
upx防脱壳
提示:文章写完后,目录可以自动生成,如何生成可参考右边的帮助文档
一. [NSSRound#X Basic]ez_z3
- 发现有UPX壳,但直接放入UPX中却无法解压缩
- Google。。。。
- 发现一种UPX防脱壳机脱壳,下面简单记录一下
- 一步一步加深
1. UPX防脱壳机脱壳
1.1 修改区段名
区段查看器
名称 V. 偏移 V. 大小 R. 偏移 R. 大小 标志
UPX0 00001000 0000F000 00000400 00000000 E0000080
UPX1 00010000 00009000 00000400 00008400 E0000040
.rsrc 00019000 00002000 00008800 00001800 C0000040
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 将区段名UPX0,UPX1改为RPX
- 这时不能正常脱壳
1.2 改标识
- 修改特征UPX!改为。。。!
2. 去掉UPX特征码
- 加强版修改
特征码1:60 BE ?? ?? ?? 00 8D BE ?? ?? ?? FF
特征码2:60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 EB 0B 90 8A 06 46 88 07 47 01 DB 75 ?? 8B 1E 83 ?? ?? 11 DB 72 ?? B8 01 00 00 00 01 DB 75
特征码3:55 FF 96 ?? ?? ?? ?? 09 C0 74 07 89 03 83 C3 04 EB ?? FF 96 ?? ?? ?? ?? 8B AE ?? ?? ?? ?? 8D BE 00 F0 FF FF BB 00 10 00 00 50 54 6A 04 53 57 FF D5 8D 87 ?? ?? 00 00 80 20 7F 80 60 28 7F 58 50 54 50 53 57 FF D5 58 61 8D 44 24 80 6A 00 39 C4 75 FA 83 EC 80
- 1
- 2
- 3
- 把加壳程序加载进入OD:
- 特征码1的解法:
00418110 > 60 pushad
00418111 BE 00004100 mov esi,packed.00410000
00418116 8DBE 0010FFFF lea edi,dword ptr ds:[esi+FFFF1000]
0041811C 57 push edi
0041811D EB 0B jmp short packed.0041812A
0041811F 90 nop
00418120 8A06 mov al,byte ptr ds:[esi]
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 修改为:
00418130 > 60 pushad
00418131 90 nop
00418132 BE 00004100 mov esi,Ep_2_5_1.00410000
00418137 8DBE 0010FFFF lea edi,dword ptr ds:[esi+FFFF1000]
0041813D 57 push edi
0041813E EB 0A jmp short Ep_2_5_1.0041814A
00418140 8A06 mov al,byte ptr ds:[esi]
00418142 46 inc esi
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 特征码2的解法:
00418131 ^\72 ED jb short packed.00418120
00418133 B8 01000000 mov eax,1
00418138 01DB add ebx,ebx
- 1
- 2
- 3
- 修改为:
00418151 ^\72 ED jb short Ep_2_5_1.00418140
00418153 33C0 xor eax,eax
00418155 40 inc eax
00418156 8BC0 mov eax,eax
00418158 01DB add ebx,ebx
- 1
- 2
- 3
- 4
- 5
- 特征码3的解法:
00418295 39C4 cmp esp,eax
00418297 ^ 75 FA jnz short packed.00418293
00418299 83EC 80 sub esp,-80
0041829C - E9 82DDFEFF jmp packed.00406023
- 1
- 2
- 3
- 4
- 修改为:
00418295 39C4 cmp esp,eax
00418297 ^ 0F85 F6FFFFFF jnz packed.00418293
0041829D 83EC 80 sub esp,-80
004182A0 - E9 7EDDFEFF jmp packed.00406023
- 1
- 2
- 3
- 4
3.垃圾区段
- 用010在文件尾部粘帖512个00
4. 移动PE头
- 将一些关键数据修改掉
- 将PE头起始位置以及PE头大小改掉
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 00000000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ?  00000010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ? @ 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000030 00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00 ? 00000040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ? ???L?Th 00000050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno 00000060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS 00000070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode. nbsp; 00000080 99 3C 71 89 DD 5D 1F DA DD 5D 1F DA DD 5D 1F DA ?q壿] 谳] 谳] ? 00000090 5E 41 11 DA D2 5D 1F DA 53 55 40 DA DC 5D 1F DA ^A 谝] 赟U@谲] ? 000000A0 DD 5D 1E DA 66 5D 1F DA 5E 55 42 DA CE 5D 1F DA 輂 趂] 赹UB谖] ? 000000B0 35 42 14 DA DF 5D 1F DA 35 42 15 DA A9 5D 1F DA 5B 谶] ?B 讴] ? 000000C0 65 5B 19 DA DC 5D 1F DA 52 69 63 68 DD 5D 1F DA e[ 谲] 赗ich輂 ? 000000D0 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 00 PE L 000000E0 9A DA 22 4D 00 00 00 00 00 00 00 00 E0 00 0F 01 氌"M ? 000000F0 0B 01 06 00 00 90 00 00 00 20 00 00 00 F0 00 00 ? ? 00000100 10 81 01 00 00 00 01 00 00 90 01 00 00 00 40 00 ? ? @ 00000110 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 00000120 04 00 00 00 00 00 00 00 00 B0 01 00 00 10 00 00 ? 00000130 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00000140 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00000150 00 00 00 00 00 00 00 00 D0 A5 01 00 04 02 00 00 啸 00000160 00 90 01 00 D0 15 00 00 00 00 00 00 00 00 00 00 ? ? 00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000001A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000001B0 00 00 00 00 00 00 00 00
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 改后:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 00000000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ?  00000010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ? @ 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000030 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 @ 00000040 50 45 00 00 4C 01 03 00 9A DA 22 4D 00 00 00 00 PE L 氌"M 00000050 00 00 00 00 78 01 0F 01 0B 01 06 00 00 90 00 00 x ? 00000060 00 20 00 00 00 F0 00 00 10 81 01 00 00 00 01 00 ? ? 00000070 00 90 01 00 00 00 40 00 00 10 00 00 00 02 00 00 ? @ 00000080 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00000090 00 B0 01 00 00 10 00 00 00 00 00 00 02 00 00 00 ? 000000A0 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 000000B0 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 000000C0 D0 A5 01 00 04 02 00 00 00 90 01 00 D0 15 00 00 啸 ? ? 000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000001A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 000001B0 00 00 00 00 00 00 00 00
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
5. 开始做题
__int64 sub_1400181C0() { __int64 v0; // rax __int64 v1; // rax sub_140011514(&unk_14002B069); sub_1400110AF(std::cout, "Please input the flag:"); sub_1400114D8(std::cin, Str); v0 = sub_1400110AF(std::cout, "Can you calculated out z3?"); std::ostream::operator<<(v0, sub_14001104B); sub_1400110AF(std::cout, "Please input z3:"); sub_1400114D8(std::cin, &unk_140025588); for ( dword_1400254C8 = 0; (unsigned int)dword_1400254C8 < j_strlen(Str); ++dword_1400254C8 ) dword_140025520[dword_1400254C8] = sub_14001124E( (unsigned int)Str[dword_1400254C8], dword_140025000[dword_1400254C8]); sub_14001103C(&unk_140025588); sub_1400112F8(&unk_140025588); dword_1400254C4 = sub_1400110E6(); if ( dword_1400254C4 == 1 ) v1 = sub_1400110AF(std::cout, "yeah!!!!!!you get the flag"); else v1 = sub_1400110AF(std::cout, "oh no!!!!!your flag is wrong,try again"); std::ostream::operator<<(v1, sub_14001104B); system("pause"); return 0i64; }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 现在找到以下函数
__int64 __fastcall sub_140014E90(char *a1) { __int64 v1; // rax __int64 v2; // rax sub_140011514((__int64)&unk_14002B069); if ( 20 * a1[19] * 19 * a1[18] + 14 * a1[13] + 13 * a1[12] + 11 * a1[10] * 10 * a1[9] + 30 * a1[5] + 5 * a1[4] + *a1 + 2 * a1[1] - 3 * a1[2] - 4 * a1[3] - 7 * a1[6] + 8 * a1[7] - 9 * a1[8] - 12 * a1[11] - 16 * a1[15] * 15 * a1[14] - 17 * a1[16] - 18 * a1[17] == 2582239 || 20 * a1[19] * 19 * a1[18] + 14 * a1[13] + 13 * a1[12] + 11 * a1[10] * 10 * a1[9] + 30 * a1[5] - 7 * a1[6] + 8 * a1[7] - 9 * a1[8] + 5 * a1[4] + 3 * a1[2] + 2 * a1[1] * *a1 - 4 * a1[3] - 12 * a1[11] - 16 * a1[15] * 15 * a1[14] - (18 * a1[17] + 17 * a1[16]) == 2602741 || 19 * a1[18] + 18 * a1[17] + 14 * a1[13] * 13 * a1[12] + 12 * a1[11] * 11 * a1[10] + 9 * a1[8] + 7 * a1[6] * 30 * a1[5] + *a1 - 2 * a1[1] - 4 * a1[3] * 3 * a1[2] - 5 * a1[4] + 8 * a1[7] - 10 * a1[9] - 15 * a1[14] - 17 * a1[16] * 16 * a1[15] - 20 * a1[19] == 2668123 || 20 * a1[19] * 19 * a1[18] + 14 * a1[13] + (13 * a1[12] + 11 * a1[10] - 12 * a1[11]) * 10 * a1[9] + 30 * a1[5] + 5 * a1[4] + *a1 + 2 * a1[1] - 3 * a1[2] - 4 * a1[3] - 7 * a1[6] + 8 * a1[7] - 9 * a1[8] - 16 * a1[15] * 15 * a1[14] - 17 * a1[16] - 18 * a1[17] == 2520193 || 18 * a1[17] + 17 * a1[16] + 15 * a1[14] + 13 * a1[12] * 12 * a1[11] + 10 * a1[9] + 9 * a1[8] * 8 * a1[7] + 3 * a1[2] * 2 * a1[1] * *a1 - 4 * a1[3] - 5 * a1[4] - 30 * a1[5] - 7 * a1[6] - 11 * a1[10] - 14 * a1[13] - 16 * a1[15] - 19 * a1[18] - 20 * a1[19] == 8904587 || 18 * a1[17] + 7 * a1[6] * 30 * a1[5] * 5 * a1[4] + 4 * a1[3] + 8 * a1[7] + *a1 - 2 * a1[1] - 3 * a1[2] - 9 * a1[8] - 11 * a1[10] * 10 * a1[9] - 16 * a1[15] * (13 * a1[12] + 12 * a1[11] - 14 * a1[13] - 15 * a1[14]) - 17 * a1[16] - 19 * a1[18] - 20 * a1[19] == 1227620874 || 20 * a1[19] * 19 * a1[18] + 17 * a1[16] + 14 * a1[13] + 13 * a1[12] + 12 * a1[11] * 11 * a1[10] * 10 * a1[9] + 7 * a1[6] * 30 * a1[5] + 5 * a1[4] + 3 * a1[2] + *a1 + 2 * a1[1] + 4 * a1[3] + 8 * a1[7] - 9 * a1[8] - 16 * a1[15] * 15 * a1[14] - 18 * a1[17] == 1836606059 || 20 * a1[19] * 19 * a1[18] + 16 * a1[15] * 15 * a1[14] + 14 * a1[13] + 13 * a1[12] + 12 * a1[11] + 7 * a1[6] * 30 * a1[5] + 5 * a1[4] + 2 * a1[1] * *a1 - 3 * a1[2] + 4 * a1[3] + 8 * a1[7] - 9 * a1[8] - 10 * a1[9] - 11 * a1[10] - 17 * a1[16] - 18 * a1[17] == 8720560 || 20 * a1[19] * 19 * a1[18] + 14 * a1[13] + 13 * a1[12] + 11 * a1[10] * (10 * a1[9] + 30 * a1[5] + 5 * a1[4] + 4 * a1[3] - 7 * a1[6] + 8 * a1[7] - 9 * a1[8]) + *a1 + 2 * a1[1] - 3 * a1[2] - 12 * a1[11] - (16 * a1[15] - 17 * a1[16] - 18 * a1[17]) * 15 * a1[14] == 11387045 || 20 * a1[19] * 19 * a1[18] + 16 * a1[15] * 15 * a1[14] + 14 * a1[13] + 11 * a1[10] * 10 * a1[9] + 9 * a1[8] + 3 * a1[2] + *a1 - 2 * a1[1] + 4 * a1[3] - 5 * a1[4] - 30 * a1[5] - 7 * a1[6] + 8 * a1[7] - 12 * a1[11] - 13 * a1[12] - 17 * a1[16] - 18 * a1[17] == 7660269 || 20 * a1[19] * 19 * a1[18] + 14 * a1[13] + 13 * a1[12] + 11 * a1[10] * 10 * a1[9] - 12 * a1[11] + *a1 + 2 * a1[1] - (4 * a1[3] * 3 * a1[2] - 5 * a1[4] - 30 * a1[5]) - 7 * a1[6] + 8 * a1[7] - 9 * a1[8] - 16 * a1[15] * 15 * a1[14] - 17 * a1[16] - 18 * a1[17] == 2461883 || 14 * a1[13] + 11 * a1[10] * 10 * a1[9] + 9 * a1[8] * 8 * a1[7] + 7 * a1[6] + 2 * a1[1] * *a1 - 4 * a1[3] * 3 * a1[2] - 5 * a1[4] - 30 * a1[5] - 12 * a1[11] - 13 * a1[12] - 15 * a1[14] - 17 * a1[16] * 16 * a1[15] - 18 * a1[17] - 19 * a1[18] - 20 * a1[19] == -966296 || 14 * a1[13] + 13 * a1[12] + (11 * a1[10] * 10 * a1[9] + 30 * a1[5] + 5 * a1[4] + 3 * a1[2] + 4 * a1[3] - 7 * a1[6] + 8 * a1[7] - 9 * a1[8]) * 2 * a1[1] + *a1 - 12 * a1[11] - 15 * a1[14] - 16 * a1[15] - 17 * a1[16] - 18 * a1[17] - 20 * a1[19] * 19 * a1[18] == 254500223 || 16 * a1[15] * 15 * a1[14] + 14 * a1[13] + 11 * a1[10] * 10 * a1[9] + 7 * a1[6] * 30 * a1[5] + *a1 - 2 * a1[1] - 3 * a1[2] - 5 * a1[4] * 4 * a1[3] + 8 * a1[7] - 9 * a1[8] - 12 * a1[11] - 13 * a1[12] - 17 * a1[16] - 18 * a1[17] - 19 * a1[18] - 20 * a1[19] == 6022286 || 18 * a1[17] + 16 * a1[15] - 17 * a1[16] + 14 * a1[13] + 12 * a1[11] + 11 * a1[10] * 10 * a1[9] + 30 * a1[5] + 5 * a1[4] + 4 * a1[3] * 3 * a1[2] + 2 * a1[1] * *a1 - 9 * a1[8] * 8 * a1[7] * 7 * a1[6] - 13 * a1[12] - 15 * a1[14] - 19 * a1[18] - 20 * a1[19] == -636956022 || 20 * a1[19] * 19 * a1[18] + 13 * a1[12] + 12 * a1[11] + 11 * a1[10] * 10 * a1[9] + 7 * a1[6] + 30 * a1[5] + 5 * a1[4] + 3 * a1[2] * 2 * a1[1] * *a1 - 4 * a1[3] - 9 * a1[8] * 8 * a1[7] - 14 * a1[13] - 15 * a1[14] - 16 * a1[15] - 17 * a1[16] - 18 * a1[17] == 10631829 || 20 * a1[19] * 19 * a1[18] + 16 * a1[15] - 17 * a1[16] - 18 * a1[17] + 15 * a1[14] * 14 * a1[13] + 13 * a1[12] + 11 * a1[10] * 10 * a1[9] - 12 * a1[11] + 7 * a1[6] + (4 * a1[3] - 5 * a1[4] - 30 * a1[5]) * 3 * a1[2] + *a1 + 2 * a1[1] + 8 * a1[7] - 9 * a1[8] == 6191333 || 14 * a1[13] + 10 * a1[9] * 9 * a1[8] * 8 * a1[7] + 5 * a1[4] + 4 * a1[3] * 3 * a1[2] + 2 * a1[1] * *a1 - 7 * a1[6] * 30 * a1[5] - 11 * a1[10] - 13 * a1[12] * 12 * a1[11] - 16 * a1[15] * 15 * a1[14] - 18 * a1[17] * 17 * a1[16] - 20 * a1[19] * 19 * a1[18] == 890415359 || 20 * a1[19] + 19 * a1[18] + 18 * a1[17] + 16 * a1[15] - 17 * a1[16] + 12 * a1[11] + 11 * a1[10] + 10 * a1[9] + 9 * a1[8] + 30 * a1[5] + *a1 + 4 * a1[3] * 3 * a1[2] * 2 * a1[1] - 5 * a1[4] - 7 * a1[6] + 8 * a1[7] - 13 * a1[12] - 14 * a1[13] - 15 * a1[14] == 23493664 || 20 * a1[19] * 19 * a1[18] + 13 * a1[12] + 12 * a1[11] + 10 * a1[9] + 3 * a1[2] * 2 * a1[1] + *a1 - 4 * a1[3] - 5 * a1[4] + 8 * a1[7] * 7 * a1[6] * 30 * a1[5] - 9 * a1[8] - 11 * a1[10] - 14 * a1[13] - 16 * a1[15] * 15 * a1[14] - 17 * a1[16] - 18 * a1[17] == 1967260144 ) { v2 = sub_1400110AF(std::cout, "YOU are right"); std::ostream::operator<<(v2, sub_14001104B); } else { v1 = sub_1400110AF(std::cout, "YOU are wrong"); std::ostream::operator<<(v1, sub_14001104B); } return 0i64; }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
- 139
- 140
- 141
- 142
- 143
- 144
- 145
- 146
- 147
- 148
- 149
- 150
- 151
- 152
- 153
- 154
- 155
- 156
- 157
- 158
- 159
- 160
- 161
- 162
- 163
- 164
- 165
- 166
- 167
- 168
- 169
- 170
- 171
- 172
- 173
- 174
- 175
- 176
- 177
- 178
- 179
- 180
- 181
- 182
- 183
- 184
- 185
- 186
- 187
- 188
- 189
- 190
- 191
- 192
- 193
- 194
- 195
- 196
- 197
- 198
- 199
- 200
- 201
- 202
- 203
- 204
- 205
- 206
- 207
- 208
- 209
- 210
- 211
- 212
- 213
- 214
- 215
- 216
- 217
- 218
- 219
- 220
- 221
- 222
- 223
- 224
- 225
- 226
- 227
- 228
- 229
- 230
- 231
- 232
- 233
- 234
- 235
- 236
- 237
- 238
- 239
- 240
- 241
- 242
- 243
- 244
- 245
- 246
- 247
- 248
- 249
- 250
- 251
- 252
- 253
- 254
- 255
- 256
- 257
- 258
- 259
- 260
- 261
- 262
- 263
- 264
- 265
- 266
- 267
- 268
- 269
- 270
- 271
- 272
- 273
- 274
- 275
- 276
- 277
- 278
- 279
- 280
- 281
- 282
- 283
- 284
- 285
- 286
- 287
- 288
- 289
- 290
- 291
- 292
- 293
- 294
- 295
- 296
- 297
- 298
- 299
- 300
- 301
- 302
- 303
- 304
- 305
- 306
- 307
- 308
- 309
- 310
- 311
- 312
- 313
- 明显为z3库求解
- 直接跑出来代码
from z3 import * a1 = [BitVec("num[%d]" % i, 32) for i in range(20)] s = Solver() s.add( 20 * a1[19] * 19 * a1[18] + 14 * a1[13] + 13 * a1[12] + 11 * a1[10] * 10 * a1[9] + 30 * a1[5] + 5 * a1[4] + a1[0] + 2 * a1[1] - 3 * a1[2] - 4 * a1[3] - 7 * a1[6] + 8 * a1[7] - 9 * a1[8] - 12 * a1[11] - 16 * a1[15] * 15 * a1[14] - 17 * a1[16] - 18 * a1[17] == 2582239) s.add( 20 * a1[19] * 19 * a1[18] + 14 * a1[13] + 13 * a1[12] + 11 * a1[10] * 10 * a1[9] + 30 * a1[5] - 7 * a1[6] + 8 * a1[7] - 9 * a1[8] + 5 * a1[4] + 3 * a1[2] + 2 * a1[1] * a1[0] - 4 * a1[3] - 12 * a1[11] - 16 * a1[15] * 15 * a1[14] - (18 * a1[17] + 17 * a1[16]) == 2602741) s.add(19 * a1[18] + 18 * a1[17] + 14 * a1[13] * 13 * a1[12] + 12 * a1[11] * 11 * a1[10] + 9 * a1[8] + 7 * a1[6] * 30 * a1[5] + a1[0] - 2 * a1[1] - 4 * a1[3] * 3 * a1[2] - 5 * a1[4] + 8 * a1[7] - 10 * a1[9] - 15 * a1[14] - 17 * a1[16] * 16 * a1[15] - 20 * a1[19] == 2668123) s.add(20 * a1[19] * 19 * a1[18] + 14 * a1[13] + (13 * a1[12] + 11 * a1[10] - 12 * a1[11]) * 10 * a1[9] + 30 * a1[5] + 5 * a1[4] + a1[0] + 2 * a1[1] - 3 * a1[2] - 4 * a1[3] - 7 * a1[6] + 8 * a1[7] - 9 * a1[8] - 16 * a1[15] * 15 * a1[14] - 17 * a1[16] - 18 * a1[17] == 2520193) s.add( 18 * a1[17] + 17 * a1[16] + 15 * a1[14] + 13 * a1[12] * 12 * a1[11] + 10 * a1[9] + 9 * a1[8] * 8 * a1[7] + 3 * a1[2] * 2 * a1[1] * a1[0] - 4 * a1[3] - 5 * a1[4] - 30 * a1[5] - 7 * a1[6] - 11 * a1[10] - 14 * a1[13] - 16 * a1[15] - 19 * a1[18] - 20 * a1[19] == 8904587) s.add( 18 * a1[17] + 7 * a1[6] * 30 * a1[5] * 5 * a1[4] + 4 * a1[3] + 8 * a1[7] + a1[0] - 2 * a1[1] - 3 * a1[2] - 9 * a1[8] - 11 * a1[10] * 10 * a1[9] - 16 * a1[15] * (13 * a1[12] + 12 * a1[11] - 14 * a1[13] - 15 * a1[14]) - 17 * a1[16] - 19 * a1[18] - 20 * a1[19] == 1227620874) s.add(20 * a1[19] * 19 * a1[18] + 17 * a1[16] + 14 * a1[13] + 13 * a1[12] + 12 * a1[11] * 11 * a1[10] * 10 * a1[9] + 7 * a1[6] * 30 * a1[5] + 5 * a1[4] + 3 * a1[2] + a1[0] + 2 * a1[1] + 4 * a1[3] + 8 * a1[7] - 9 * a1[8] - 16 * a1[15] * 15 * a1[14] - 18 * a1[17] == 1836606059) s.add( 20 * a1[19] * 19 * a1[18] + 16 * a1[15] * 15 * a1[14] + 14 * a1[13] + 13 * a1[12] + 12 * a1[11] + 7 * a1[6] * 30 * a1[5] + 5 * a1[4] + 2 * a1[1] * a1[0] - 3 * a1[2] + 4 * a1[3] + 8 * a1[7] - 9 * a1[8] - 10 * a1[9] - 11 * a1[10] - 17 * a1[16] - 18 * a1[17] == 8720560) s.add(20 * a1[19] * 19 * a1[18] + 14 * a1[13] + 13 * a1[12] + 11 * a1[10] * (10 * a1[9] + 30 * a1[5] + 5 * a1[4] + 4 * a1[3] - 7 * a1[6] + 8 * a1[7] - 9 * a1[8]) + a1[0] + 2 * a1[1] - 3 * a1[2] - 12 * a1[11] - (16 * a1[15] - 17 * a1[16] - 18 * a1[17]) * 15 * a1[14] == 11387045) s.add( 20 * a1[19] * 19 * a1[18] + 16 * a1[15] * 15 * a1[14] + 14 * a1[13] + 11 * a1[10] * 10 * a1[9] + 9 * a1[8] + 3 * a1[2] + a1[0] - 2 * a1[1] + 4 * a1[3] - 5 * a1[4] - 30 * a1[5] - 7 * a1[6] + 8 * a1[7] - 12 * a1[11] - 13 * a1[12] - 17 * a1[16] - 18 * a1[17] == 7660269) s.add(20 * a1[19] * 19 * a1[18] + 14 * a1[13] + 13 * a1[12] + 11 * a1[10] * 10 * a1[9] - 12 * a1[11] + a1[0] + 2 * a1[1] - (4 * a1[3] * 3 * a1[2] - 5 * a1[4] - 30 * a1[5]) - 7 * a1[6] + 8 * a1[7] - 9 * a1[8] - 16 * a1[15] * 15 * a1[14] - 17 * a1[16] - 18 * a1[17] == 2461883) s.add( 14 * a1[13] + 11 * a1[10] * 10 * a1[9] + 9 * a1[8] * 8 * a1[7] + 7 * a1[6] + 2 * a1[1] * a1[0] - 4 * a1[3] * 3 * a1[2] - 5 * a1[4] - 30 * a1[5] - 12 * a1[11] - 13 * a1[12] - 15 * a1[14] - 17 * a1[16] * 16 * a1[15] - 18 * a1[17] - 19 * a1[18] - 20 * a1[19] == -966296) s.add( 14 * a1[13] + 13 * a1[12] + (11 * a1[10] * 10 * a1[9] + 30 * a1[5] + 5 * a1[4] + 3 * a1[2] + 4 * a1[3] - 7 * a1[6] + 8 * a1[7] - 9 * a1[8]) * 2 * a1[1] + a1[0] - 12 * a1[11] - 15 * a1[14] - 16 * a1[15] - 17 * a1[16] - 18 * a1[17] - 20 * a1[19] * 19 * a1[18] == 254500223 ) s.add( 16 * a1[15] * 15 * a1[14] + 14 * a1[13] + 11 * a1[10] * 10 * a1[9] + 7 * a1[6] * 30 * a1[5] + a1[0] - 2 * a1[1] - 3 * a1[2] - 5 * a1[4] * 4 * a1[3] + 8 * a1[7] - 9 * a1[8] - 12 * a1[11] - 13 * a1[12] - 17 * a1[16] - 18 * a1[17] - 19 * a1[18] - 20 * a1[19] == 6022286 ) s.add( 18 * a1[17] + 16 * a1[15] - 17 * a1[16] + 14 * a1[13] + 12 * a1[11] + 11 * a1[10] * 10 * a1[9] + 30 * a1[5] + 5 * a1[4] + 4 * a1[3] * 3 * a1[2] + 2 * a1[1] * a1[0] - 9 * a1[8] * 8 * a1[7] * 7 * a1[6] - 13 * a1[12] - 15 * a1[14] - 19 * a1[18] - 20 * a1[19] == -636956022 ) s.add( 20 * a1[19] * 19 * a1[18] + 13 * a1[12] + 12 * a1[11] + 11 * a1[10] * 10 * a1[9] + 7 * a1[6] + 30 * a1[5] + 5 * a1[4] + 3 * a1[2] * 2 * a1[1] * a1[0] - 4 * a1[3] - 9 * a1[8] * 8 * a1[7] - 14 * a1[13] - 15 * a1[14] - 16 * a1[15] - 17 * a1[16] - 18 * a1[17] == 10631829 ) s.add( 20 * a1[19] * 19 * a1[18] + 16 * a1[15] - 17 * a1[16] - 18 * a1[17] + 15 * a1[14] * 14 * a1[13] + 13 * a1[12] + 11 * a1[10] * 10 * a1[9] - 12 * a1[11] + 7 * a1[6] + (4 * a1[3] - 5 * a1[4] - 30 * a1[5]) * 3 * a1[2] + a1[0] + 2 * a1[1] + 8 * a1[7] - 9 * a1[8] == 6191333 ) s.add( 14 * a1[13] + 10 * a1[9] * 9 * a1[8] * 8 * a1[7] + 5 * a1[4] + 4 * a1[3] * 3 * a1[2] + 2 * a1[1] * a1[0] - 7 * a1[6] * 30 * a1[5] - 11 * a1[10] - 13 * a1[12] * 12 * a1[11] - 16 * a1[15] * 15 * a1[14] - 18 * a1[17] * 17 * a1[16] - 20 * a1[19] * 19 * a1[18] == 890415359 ) s.add( 20 * a1[19] + 19 * a1[18] + 18 * a1[17] + 16 * a1[15] - 17 * a1[16] + 12 * a1[11] + 11 * a1[10] + 10 * a1[9] + 9 * a1[8] + 30 * a1[5] + a1[0] + 4 * a1[3] * 3 * a1[2] * 2 * a1[1] - 5 * a1[4] - 7 * a1[6] + 8 * a1[7] - 13 * a1[12] - 14 * a1[13] - 15 * a1[14] == 23493664 ) s.add( 20 * a1[19] * 19 * a1[18] + 13 * a1[12] + 12 * a1[11] + 10 * a1[9] + 3 * a1[2] * 2 * a1[1] + a1[0] - 4 * a1[3] - 5 * a1[4] + 8 * a1[7] * 7 * a1[6] * 30 * a1[5] - 9 * a1[8] - 11 * a1[10] - 14 * a1[13] - 16 * a1[15] * 15 * a1[14] - 17 * a1[16] - 18 * a1[17] == 1967260144 ) print(s.check()) for i in a1: print(s.model()[i].as_long(), end=",")
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
- 139
- 140
- 141
- 142
- 143
- 144
- 145
- 146
- 147
- 148
- 149
- 150
- 151
- 152
- 153
- 154
- 155
- 156
- 157
- 158
- 159
- 160
- 161
- 162
- 163
- 164
- 165
- 166
- 167
- 168
- 169
- 170
- 171
- 172
- 173
- 174
- 175
- 176
- 177
- 178
- 179
- 180
- 181
- 182
- 183
- 184
- 185
- 186
- 187
- 188
- 189
- 190
- 191
- 192
- 193
- 194
- 195
- 196
- 197
- 198
- 199
- 200
- 201
- 202
- 203
- 204
- 205
- 206
- 207
- 208
- 209
- 210
- 211
- 212
- 213
- 214
- 215
- 216
- 217
- 218
- 219
- 220
- 221
- 222
- 223
- 224
- 225
- 226
- 227
- 228
- 229
- 230
- 231
- 232
- 233
- 234
- 235
- 236
- 237
- 238
- 239
- 240
- 241
- 242
- 243
- 244
- 245
- 246
- 247
- 248
- 249
- 250
- 251
- 252
- 253
- 254
- 255
- 256
- 257
- 258
- 259
- 260
- 261
- 262
- 263
- 264
- 265
- 266
- 267
- 268
- 269
- 270
- 271
- 272
- 273
- 274
- 275
- 276
- 277
- 278
- 279
- 280
- 281
- 282
- 283
- 284
- 285
- 286
- 287
- 288
- 289
- 290
- 291
- 292
- 293
- 294
- 295
- 296
- 297
- 298
- 299
- 300
- 301
- 302
- 303
- 304
- 305
- 306
- 307
- 308
- 309
- 310
- 311
- 312
- 313
- 314
- 315
- 316
- 317
- 318
- 319
- 320
- 321
- 322
- 323
- 324
- 325
- 326
- 327
- 328
- 跑出来还挺慢
- [104,97,104,97,104,97,116,104,105,115,105,115,102,97,99,107,102,108,97,103]
- 这里找到下一个函数
__int64 __fastcall sub_140014830(__int64 a1)
{
sub_140011514(&unk_14002B069);
for ( dword_1400254C8 = 0; (unsigned int)dword_1400254C8 < j_strlen(Str); ++dword_1400254C8 )
dword_1400254D0[dword_1400254C8] = *(char *)(a1 + j_strlen(Str) - (unsigned int)dword_1400254C8 - 1) ^ dword_140025520[dword_1400254C8];
return 0i64;
}
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 明显的异或
- 将z3产生的a1逆序并与25520异或
- 产生254D0
- 再看下一个
size_t sub_140014770()
{
size_t result; // rax
sub_140011514((__int64)&unk_14002B069);
dword_1400254CC = 0;
result = j_strlen(Str);
if ( result )
return dword_1400254D0[dword_1400254CC] == dword_140025050[dword_1400254CC];
return result;
}
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 进行一个比较
- 254d0与25050相等
- 这是25050
b = [4615,19616,20257,57,107811,570,2342,19623,25952,54,108955,19624,113632,14085,2342,30675,39576,25979,24,2833] - 这时可以异或回去了
_int64 __fastcall sub_140014CC0(int a1, int a2)
{
unsigned int v3; // [rsp+24h] [rbp+4h]
sub_140011514((__int64)&unk_14002B069);
v3 = 1;
while ( a2 )
{
if ( (a2 & 1) != 0 )
v3 *= a1;
a1 = a1 * a1 % 1000;
a2 >>= 2;
}
return v3;
}
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 上面的快速幂算法
- 这个函数产生25520
- 这里总结一下:快速幂,z3,异或,比较,出结果
- 可以写脚本了
b = [4615,19616,20257,57,107811,570,2342,19623,25952,54,108955,19624,113632,14085,2342,30675,39576,25979,24,2833] a = [104,97,104,97,104,97,116,104,105,115,105,115,102,97,99,107,102,108,97,103] d =[0]*20 for i in range(20): d[i] = b[i] ^ a[19-i] print(d) key = [7,7,7,9,5,6,7,7,7,9,7,7,5,7,7,7,5,7,9,7] def powmod(b,c): ans = 1 while (c != 0): if ((c & 1) != 0): ans *= b y1 = (b * b) % 1000 b = y1 c >>= 2 return ans for i in range(len(key)): for x in range(32,128): y=powmod(x,key[i]) if y==d[i]: print(chr(x),end="") break
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 运行的比较慢
- 得到NSSCTF{T1e_z3_1s_v1r9_3asy!}
- 常规题
- over!
二. [watevrCTF 2019]Punk Whine
- 下载发现是perl语言,没学过,现学
- 原题如下:
use Math::GMP;
$n=Math::GMP->new(qq(536018640196762457338417213156139210797503288570914761082715926425358449791328993937721926376105480732615175814278026237005963393643271375551776466074880078352176848748633274705308676504241945010083370664252174660968981608953119805998112599444060117661138019669941300626094793785491036807276934081756872237035956066726023202435146319519186296845387730847082301207272706630575162904104891798083143447249860927095605483756287763072034119769237339974564945305247939664464781533502444109841292054088680415296886140803754567227251363793912074682950313333484488520417086224770611908328633006024083949830736713715761501454281636788229391326476406245753793013887786365670859995142806760509151118148600568866548233674044514257067962241030850686575331644579302648429368515448183731464587114229394619632992183021530788695198534470594966402044396279950016455526781914520195216651795834698311226746366299875263541011225002788347929468168715114352661339771654233339021594637252699132137826888653030047359889519548601018119305304054251358133937242275573738930265735630891392403144442528153565918878904736766442438330118148177424487919937321030740669950264125585344665111413876835134091927335636095883215944455112774026188920367809061832030746565487875663208490503939534644466596746478366934570764522389807721704658952585780912109790158728868790523426031411340205991624428072384506507538321806087186528621427227281378044005559557013663505177910861852605171692522203626393685704184832547059732919177380600272123088053085559220467180468530632223977693446355995434579173580848428361179171194581466611364419911403932027093667597947428863948279950204080270018521963443517628196446289843070452581111359251862675192796305658555602637885256086237258547426276510185414325103524910341740343369666492736208387291296903817941660932252561211329968446058806881036295951481851107596050492224467933898074211388015228033645706311747694044899970880702136400492862579927938186258415344231883422369698811234415306780453008593763066386409293253445503592904165997213846772992745684701510199006516693015777069346721040457598081443961030290765298803955230953588530690781946089450259077609678850665125724750895581020239617235767981458050496828730736032792402047586857987009509860521095657941173026952231244500844709739141614811803950864407503348165649017532197947302901691949629432327121868776195092474161882521086237930801738676554611694935296174071567195135987213020171355911905229219543499652499346136281398590838201242575718858549556940211460864292701830795292884047284846085429328906977415710922318903943876646319192420997493084804807447410521269115546294610249231249199998809879581954790784649094310934755061823741473872554786278527721130956448003101603540409775541626306820355806893604655310531957949403286042507894994343941405394191263692663159004814773433521553298133350288534911033173270333917231702429952746745980272349634748915246222027686188663941242604225311133674177313422472062183318182382233069927217196084167997366146805112332026188868290931694204087884649515997296110047248905389300265027971517383292006833586355062503579106363153859100263800703364744692135557184042844025975678124347327782633248949050465222340254333242422214668886453924352051721821505479430415620064575934769236281916435708673562516267244328571102602515490125021704471842501411413491726868689039070168844092343017290739479230544731248371895349090043614681912967677554655436835960301478846001693511522952068798227030561795200135470941410173276382068055193544624197725372044387303231662116394016154634236466841547450714649628436349013444588877375888483952736261634922475345054655836299638737052246866918583027409040838402178729288131625690520741721731793577576321297042097038100447773550121170491840027565290553451385865338395632831455402374088893130353117797526457513269540823576719932416627961054137416143258657573279807299206311750030448921495513478258761302356583376579373865212397302533672264105433071343112329554553192539423143937968994832359098112031756001812978148462182020549206353513799381906904370717954311705246231773174066945734041202629864821803549550107697611149449836551488244929092534531452107584238794228638535834526081002269878422651095844173916790081068160033465763985959040750740645471240904195802641208399623487455621716969583068722657224347071857465628331129671407270542673383919644680689842401432861889740312270377928474023777879113362415351381613377174492905238591569772833470016304160242504042833358305208104682231696700895206457536721929136841065546117344486651383910269021156619055157939767524679555957843512776699128442016466721435955089993735773872597037668496242506029886801502668195930896557643210792537791632558662313397367812541434804102159625838245131250255704894766430940677995495806111498589936548317464015294200634272062546923549886350454035660095385899513832694551585435531531092918953760332288897076214872664526342794157833628445960346553154906913253392684636335946550654599740863451201584080828599468914405113401887258745264729306827598631718613919111530361852799166927771847465134848282799044855979461783025683988354660220319819832181748527760487478889128839452331570222950056314110866469657534242229205162039541817359769507304852173924512545615242223850883137665194647206224769412888277184331727851282953145215699562616948467820366267070768134646567716070724846838905308067930357609452185901463456368079086587479593478755483299238881430238451353791271668444825394161866024928513256084422344952973940284969139863839569945606170100584707413646323274306716452974258722155501389728407724240587875795205659957089685715005610853300899554627907591050676556562502782357288625297608629678345422935042214036086514974569763876640833160546586937279594905565261339424125419638888107213644286014623774476904195393844200606144861332204228588903508110895795243261569340052155573304292662820519802935112926033473565189725836542832972462437026478286144282874379223534176446928255904628251552486076324922361544972282931115143055793543391800420954156353858561531625223326379017303383423591171728648565267989197407276948981844719741118258087164267398600698128638259557435732029831343846199617460021996965550385893295027868882255266368411670603703667933205583740913898644920136897853640923833545313569906032969695573409587116832277212979339114637688708152797058466260134585711583787805058784880124696739754314190204797748001676393934339826376486668914130305536156936757348761332045059807531515913478836681384644449917009386581589228986524038386629494542317733409916019127199037937989307573904286897466286193427365601150509626654618312201146046320337576448486458612875182234122752170564475311817610609791564137211769388845328705980509417212586877520318133180949125196902365835546688456494136371831250152415004494146181245825783836579761229397753468323213425024089304520098056692459203073896356975232389739970486845448320084979535958367044841575139983858481627710402990234527365357624766461753188248059706449581450756797098824800933085462544436249978046092624071524790546061870880938333189123172096854645929833928744179719682187161552263785959471311488977941528835968867632262301272247739550831902936645553508173947884990035046584904533207916835764716864547503565215662609065941420404380428919206329231642305891620579333072658346824144206465717943891515035715097417220304496263004880090810920434091751429526448800967263998482796977258335541766126283866643612377879489607658841296623946555450959723125063731448084064806834669600286394377324985329207643214718019187483183269935305444629949849943037179844281714336005231649119949368818264219552186708890120227421072187865534457019987836926535670852906888914703504733741618570072573236045903079307612428152736356667661598315660492761276964237842021170226789423902132947182867554977266528742475959477643399990866134243575203794514585407604328984996971140248310947221578782792470389214301506905005474092045872024984199436670674468083756554895031307322941237883565507999065527762990693360431159690157868262133055311695191034400636497555040569649292217694775029598279040235313682424219784025313983067475455023587467089466417359979232779498678299557587777065154201465244738728190215504957623945147716639649915378475397455313480571576835752892920443562728563596314314933894911388019505556299874499387806637254384387244833764880967334418268126100382088726261460041572119796062724019258520405106320430266755946299150437490832503299320751468216906296966997978544183482647070153681901837433240013288421602518298792831260216915630645934204484646050974104346843362707928248741521884208045179469305639093500392799243049507976081342625414746804566075476697556188430594583343218341344847476484475326000756058576221283693464138330373036141174864521270139806190597982916586759080622790567856887663887411439056835201628369422597766928668026483503403309490993042710666485673892047332517203533607788846604410973397882087809096482781875429576444685788373148838455532621471093473989055058610727268734482933515265488578979657907909048726125490166193528504383211483877307565365739316770479665413576178412246537562558743718115849143045741340537999766352880597842102605661874515865255245812173544701654728908310097666401588159471434691280939392477732046684700652876266021695971312021447273708372515509783011686469987836853545332343623116832512874109490997646372557506537777435195298013745382212351694785702861882699545659248974894355819474086618096962216403826355560765421634755646007114283691647652553698118160685184799259115386033897513061035343191551804647662722856888120453311530211054238605313256874768688845585248000180469382191293594397194936666510474312402845796532862283140799442481493492409041110695101198733062902742963580888183805992394815274018647245856968117814655120062117147524743556181108229157105216806756835767627452561814479269315701534114368077961829593112780850452929638153223627516150223193442716100294689994629503029722784481176392782574539028959121502715073243981856750917886069948639657209334247292963249361663140414285243811360703657426626027651876768820296008720753559828483600764245456427184292551129684846409930148847048792478234281982299816644117248720105156965255960755735288463297721789204681110091891626221767542660437298077410487775229596481519369430425538164930344613458851028022663530378549341888752119342680920488696303787626329225364499941548652135663141545093010007418659262558044807876470699225470792281280471394402449273917294280711925256732896706344035628757063265572983007628183765366139905503257771405290401572655086825662960234454768665630645638597486445581317328118790026653080908126662045348127089579956347373420700241116706741144585592832003614655366806737595597934395420030825225529792315004141331150126502300783706882180026271176885635458741834202094134380779511989962007391225157898343447565380497116417905104613125411722796861265589975768040298871368481191463994487565359005290881418594310942038242095490137457430113921700914190809041712626349483221038596162823551380518361432625778100425766135915983461968285145479749284005213549575053749454547006856109030816831572325785833840465662608981829817315104129860357895536386815511220320856147380661700388739290891664207309462038381138614017816515897184596470509041708788049376381966580982191120470292259391410277362045420169283294480418719253687205110764586237254068062224157061988489536518731041315082051423598047403969732651381597974399599052734874989258534202064544059190888836570452075232534432080692849891308648288345658858913557200530375251664318481313749999208677156216679772500334650589188023132426008213751771975339931267455651020549172088534103265639345824548733115364407668098476174093750671307027999140467794869781064102514506387524937283185899747308790496205925637979039941073714989234191503713197365240251962384929422385098371833218735917065179197095408247070205619717852555506775114221897384593867674797972997625141305959100358807323290103015774024838588524261536872464615464372444499998134799790282084969317956385368477763876504767687777508890699913408022991698004395568773456122344991418727562815150713036328131761207743991479769178514725642343502661969274142628564332796075301308620783432595115486362698177864488771632758645429306471967176400313912306573528834497594518248036195273913032689136494318349766919622955918916570327666837133665964914674336488926026955966120456683245217960124790775202182559336216031406539008107050994985942544261419801453546346300579507673631763045902571738594054201174991240395872827818656733808736951806253591371928775018516968607172025244377586033635452011629443100668970123075598516485275709529469885598726526794223482610330955615022809511904624391856316948509920041734654810705967688872895481492343322360101176110518837886196834982294040392466844991384794437670776312367213399185513156636326696930037612148636211987354550863417491502916195307997005490132242465305836267780946943064688451354167588683385972678158662740981015192689905944888944219495967534478509217480965118225228403516975667947865142854647461861332459907168166992765261271471614650286060618717631106041973380069490908012615839492796565354245833892329240477121114364355466496433328996768094126356391224662178679410555736610094829075805417771970821025774499640734405754596104988282657838949729486362327056560299828126547892700617710009283766176834381144640016660977728799590803611580475645783091183624784844760499308806477200752253757429175734114250977691175772572746536071107936581761240694567354138628767191325801861058917189408404204418346014973781198380317438362029569541246652831810879152248260206395395237447784560491086153440399762040393624114255227447834251171143138269053577294848519623567291539590740299333939174692100635933124268159494722746337823116482069177379470205678557176691015558981664269627478334729382852554771289775136436287751216774011789993086094997687607888054599098278874224899709472480063529715101854322139584268537262580418113863575240204470029025496519117162564631862155782383228603023004177278164392870854023804644457208767059995119772226532851232815953125839577615562921740920277563172121650425976694450888433705228944141981853410273199853460260028282781245235763102929837778843937718395086759841413076487260571967926363321170251043880386459929440667321460163083684601048499850213020296776025722077868054054761619435793187510416563682091514284885148368063521342223419097330136408040659487592398755361339113507122836515291521728118229961396822179844693778076680340429101286603366024277896078571669306774777638203804665815968866557628859092741906584180352659047082205807422249803250558044968345857546746771646024613826459399128465814363061463599832420276265521613296879275698636840302271681454084905609885047282233019868592705535317289234117412047959477774785056445434543637847908443020562954821196439513704205637291606949668622595090905887793346651206621287466317017153684275393090031632561873332623265486457780489517419016427840879779092174738511707693116035052431089103295483658260274233251385564295187821492148010451455271252635223930008657764397300712154837693772916831234464548167973138522585118438538316052354427184072284165602378198723551206823096756348300021697763322171730444874824891757334146837198310855411537328297102389122575639447321579461302877464122087635722838175298402530406663937966340503164327397282632238195670137601369687004823923879625428795876117815799767697008062347128284807333426801813181697777948701321862763776345979940252911841656237181912565833413503129939441756393396494618078588510503454493455342506941975727123508105712131070880978305946662608217939449203156076619683830403183830186456498006653738061812335148469362877003850966618430859695919070186653458866625305916459519272196354580521800034053508922314981178499150324027654342678662937414325040577483309807127303156865877488830495531818928006222042617110855502577186623703059175985567664722424995855383934781271759883735865463278112030008483817080199002078598269172229266019049499162055209062845868372896323467428106440891328543770518697297303176417742847470066077018939409318173648546522634886617309161992431082882500155405849990797509897668173036121106093167833941168676796917849185927729063394639355821114527971750706567478583249790138286313842677250708820487212270299633787308420417261584055083677740909339779238074054204348974021123216698001562045028227412060563590308274121184428220427293160776427453775031459384264452123708084708495418534339734195790272933415885486583750879743799700526323339071123982971926213786186492741369871540713680431053741794240366942798007594061051198197127085820125669920506248833874008891567576100384617669534435446079736544527904089769954152423436011562330612821215844862917213363272915582803183342153333832546132694574718057327479556735324382306432024035909048410391170285142090169529502853531337512985467469754405167540214085277771037677125184782958426647392175442634956071157068982449319464893723664912386621873779451388728844469204936727623058314518561898159221605777669361878826359990257579428781380853635172977849088922915492937809157686949617792456559060716403455924973628663638221251723138402774064287467084832070357790237274785396108290571067985598122819965034332041400763155594698742175645305651924288248528454790418478728338079159502314919083251174965929751592157924163035463086458657709914922663331141538299201510314662870550760304034042869152812443625950965188315472692066667756851484511478312021347765236997911702317805372058004786043400133080909630472734022559109937019237009421137207520589216466326695781833495639724382562948098413969826653086240302796086363085880700476989769025580716193074503423703106726845086213785827947184654568971085567932706065680525864221954087499423710257987834470058249196303879662871022361426342465119026315560382179534719767943571892554617373844353439083777270753986814517786458130770202395503847602360638535708314812632048727430195024222153111503458757855603388031674039988314174076748188814595409424290073226413843774289668812749536427766190005885590545255733834338493472641024174769510862096350235603899460851648533836129894433546831793847607930761699327208522266027035142088354414635936891025504994457982266778758462769132787032485075450251380314228124412366813691098623253990518717180608929679551953664564817901647676790976624514712373977713303808214119736634277036680349054934944378911310066942607216390266846251067277443747529790491978174450027449222636925981846559757475121956207465335077027955125957789804456843432258334982841057568245352408725210590352753647758514637996490140766871440337743702307376499683975961018366552885302977886430423317666909471351297411610131012076185929461554535079133619252548826687502893483008063951862898351574610306267165992614897772486538439468678544464686836205581666959113470559539824537249814008710282162599094192255743583803221978203375281144253142722652434488016030197908849691029748383061113015795746908341611854838380614126430118921819870663546271753946828869530688394294288081304497394578767687660238589979106916413212340494128596539490101771554930775817201758275396358303388918820659489907730304272648845547098719361989457768904762294496163091714672474196315358138679703022317914845723755615392808282119361983528249968859941774266195954014617820952858554925056857374817842191597522226770873433049370685184032377041438883653273024779557146412336783691114481919880762797926650172652693052962024849946826027516041895525251011236457544801440531583692602444383470699061352749158134022062755638220949538009985259285085876819591029123985383603087718611969465948062859802804207808812882828054294872754225741254883578199926900412635143634882752030919344025216242465381690642415150469730483130283));
$i=275707953942;
$a=';
$i=%d;
$a=%c%s%c;
$r = $n->bxor($n->blshift(1,0))->band(Math::GMP->new(2)**65535-1);
exit printf $a,$i-(print "use Math::GMP;\n\$n=Math::GMP->new(qq(",$r,"))"),39,$a,39 if$i;
do{$c=($n+$i/3)%256;print chr$c if$c>31||$c==10}while$n>>=8;';
$r = $n->bxor($n->blshift(1,0))->band(Math::GMP->new(2)**65535-1);
exit printf $a,$i-(print "use Math::GMP;\n\$n=Math::GMP->new(qq(",$r,"))"),39,$a,39 if$i;
do{$c=$n%256;print chr$c if$c>31+$i||$c==10}while $n=$n->brshift(8);
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 与C语言比较一下:
- 相同之处:1.分号是每个简单语句必需的,换行不能表示语句结束。
2.数组下标也是从0开始
3.逗号操作符的作用一样。
4.&&和||操作符作用一样。 - 不同之处:
- 1.变量的类型由它前面的符号确定: 在Perl中, 说明变量是一个 s c a l a r , @ 表明变量是一个 a r r a y ,而 说明变量是一个scalar,@表明变量是一个array,而%说明后面的变量是一个hash。比如:@foo是一个数组,而 说明变量是一个scalar,@表明变量是一个array,而foo[0]是数组@foo中第一个元素,@foo[0]是一个数组片段,当然也是数组,但这个片段只有一个元素 f o o [ 0 ] 。如果你数组变量把赋给一个标量,比如: foo[0]。如果你数组变量把赋给一个标量,比如: foo[0]。如果你数组变量把赋给一个标量,比如:bar=@foo;,你将得到的是该数组中元素的个数。
- 2.没必要提前声明一个变量:在Perl中完全没有必要,你可以在任何时候任意引入新的变量。
- 3.没有类型转换:Perl中的标量类型范围很广,可以是整数,可以是字符串,也可以是浮点数。你可以很安全地把一个整数默默地转化成相应的字符串。
- 4.没有字符类型:Perl中没有char这种类型。 c h = ′ c ′ ; 上面的语句其实是给标量 ch='c';上面的语句其实是给标量 ch=′c′;上面的语句其实是给标量ch赋了一个字符串值,因为Perl中单引号也能括起字符串
- 5./不是整除:而是浮点除法
- 6.数组:普通数组array是使用 ()进行初始化的,Perl中的数组是可以任意伸缩的,不存在数组越界问题
- 7.没有switch
- 8.没有内存泄漏
- 9.函数参数:Perl很好地支持可变参数,而且Perl传递函数参数实际上是引用传递,而不是像C那样采用值传递
- 10.没有main函数
- 11.左值:Perl中所有可能是左值的东西都可以作为左值。比如,如果?:操作符的两部分表达式都是左值,那么整个表达式也可以是左值。函数也可以是左值,若substr函数的第一个参数运算后是可修改的,它也可以用作左值。你也可以把自己的子函数定义成可以作为左值使用的,是的,Perl允许你这么做。
sub canuse : lvalue {
$val;}
canuse() = 9;它可以很安全地把右值赋给$var。
- 1
- 2
- 3
- 分析下源代码
- 其实就是在do{ c = c= c=n%256;print chr c i f c if cifc>31+ i ∣ ∣ i|| i∣∣c==10}while n = n= n=n->brshift(8);提取 if 标志watevr时输出是否包含。
- 写脚本
use Math::GMP; $n = Math::GMP->new(qq(…)); foreach my $i (0..65535) { $n = $n->bxor($n->blshift(1,0))->band(Math::GMP->new(2)**65535-1); $nn = $n->gmp_copy(); my $res = ''; do { $c = $nn % 256; $res .= chr($c) if $c > 31 || $c == 10 } while $nn=$nn->brshift(8, 0); if (index($res, 'watevr') != -1) { print $res; } }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- watevr{we_have_hit_rock_bottom}
三. [GDOUCTF 2023]润!
- 熟悉的UPX壳,魔改过的
- 我们直接010修改一下
- 脱壳后,IDA分析
- 下为主函数
int __cdecl main(int argc, const char **argv, const char **envp) { char Str[8]; // [rsp+20h] [rbp-30h] BYREF __int64 v5; // [rsp+28h] [rbp-28h] __int64 v6; // [rsp+30h] [rbp-20h] __int64 v7; // [rsp+38h] [rbp-18h] char v8; // [rsp+40h] [rbp-10h] int v9; // [rsp+44h] [rbp-Ch] int i; // [rsp+48h] [rbp-8h] unsigned int v11; // [rsp+4Ch] [rbp-4h] _main(); init(); *(_QWORD *)Str = 0i64; v5 = 0i64; v6 = 0i64; v7 = 0i64; v8 = 0; puts("This is a easy puzzle.\nInput your route."); scanf("%31c", Str); v11 = 0; v9 = strlen(Str); for ( i = 0; i < v9; ++i ) v11 = moving(v11, (unsigned int)Str[i]); if ( v11 != 511 || jur ) printf("Wrong way!"); else printf("Right!"); return 0; }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- init函数
__int64 init() { __int64 result; // rax int j; // [rsp+4h] [rbp-Ch] int i; // [rsp+8h] [rbp-8h] int v3; // [rsp+Ch] [rbp-4h] v3 = 0; for ( i = 0; i <= 7; ++i ) { for ( j = 0; j <= 7; ++j ) { puzzle[8 * i + conut + 7 - j] = (gen[conut / 8 + i] >> j) & 1; ++v3; } } result = (unsigned int)(conut + v3); conut += v3; return result; }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 创建迷宫的函数
- 走出迷宫的路径函数
__int64 __fastcall moving(int a1, char a2) { __int64 result; // rax int v3; // [rsp+2Ch] [rbp-4h] switch ( a2 ) { case 'a': v3 = a1 - 1; goto LABEL_11; case 'd': v3 = a1 + 1; goto LABEL_11; case 'n': v3 = a1 - 64; if ( --layer >= 0 ) goto LABEL_11; result = 0i64; break; case 's': v3 = a1 + 8; goto LABEL_11; case 'u': v3 = a1 + 64; if ( ++layer <= 7 ) { init(); LABEL_11: if ( v3 > 511 ) { LABEL_15: jur = 1; result = 0i64; } else if ( puzzle[v3] ) { jur = 1; result = 0i64; } else { result = (unsigned int)v3; } } else { result = 0i64; } break; case 'w': v3 = a1 - 8; goto LABEL_11; default: goto LABEL_15; } return result; }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 三维的迷宫,每层是8*8,一共8层
- 我们下断点,然后将迷宫数据动调出来
- 然后写脚本讲迷宫输出,这里可以直接手算
- 注意从IDA中提取出来的是dd,也就是一个数占四个字节
maze_arr=[ 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] for l in range(8): for i in range(8): for j in range(8): print(maze_arr[l*64*4+i*8*4+j*4], end='') print('\n', end='') print('\n',end='')
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
- 139
- 140
- 141
- 142
- 143
- 144
- 145
- 146
- 147
- 148
- 149
- 150
- 151
- 152
- 153
- 154
- 155
- 156
- 157
- 158
- 159
- 160
- 161
- 162
- 163
- 164
- 165
- 166
- 167
- 168
- 169
- 170
- 171
- 172
- 173
- 174
- 175
- 176
- 177
- 178
- 179
- 180
- 181
- 182
- 183
- 184
- 185
- 186
- 187
- 188
- 189
- 190
- 191
- 192
- 193
- 194
- 195
- 196
- 197
- 198
- 199
- 200
- 201
- 202
- 203
- 204
- 205
- 206
- 207
- 208
- 209
- 210
- 211
- 找到路径:ssddssuuwwddndduuussdussasauudd,即为flag
四. [HNCTF 2022 WEEK2]Try2Bebug_Plus
- 主函数还是挺短的
- 将sleep函数patch掉,再进行动调
- 就会显示flag
五. 【 SWPU2019 】easyRE
- 先动调,发现直接退出了
- 我们用x64dbg打开
- 发现如下
- 步过找到main函数的entry point
- 再往下运行,发现这里跳转后直接退出
- 打开IDA,开始动调,记得下断点,把那个jmp nop掉,或者改一个jnz
- 观察主函数
int __cdecl main(int argc, const char **argv, const char **envp) { _DWORD v4[28]; // [esp-6Ch] [ebp-F8h] BYREF _DWORD *v5; // [esp+4h] [ebp-88h] _DWORD *v6; // [esp+8h] [ebp-84h] int v7; // [esp+Ch] [ebp-80h] char v8[108]; // [esp+10h] [ebp-7Ch] BYREF int v9; // [esp+88h] [ebp-4h] if ( sub_8AEF90() ) return 1; sub_8A26C0(0x6Cu); sub_8A1FE0(v4[27], v5); v9 = 0; v6 = v4; sub_8AF360(v8); sub_8AF080(v4[0], v4[1]); v5 = v4; sub_8AF360(v8); sub_8AF150(argc, (int)argv); v7 = 0; v9 = -1; sub_8A21C0(v8); return v7; }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
_DWORD *__thiscall sub_8A1FE0(_DWORD *this) { int i; // [esp+4h] [ebp-14h] *this = &EASYRE::`vftable'; this[1] = 0; *((_BYTE *)this + 52) = 8; *((_BYTE *)this + 53) = -22; *((_BYTE *)this + 54) = 88; *((_BYTE *)this + 55) = -34; *((_BYTE *)this + 56) = -108; *((_BYTE *)this + 57) = -48; *((_BYTE *)this + 58) = 59; *((_BYTE *)this + 59) = -66; *((_BYTE *)this + 60) = -120; *((_BYTE *)this + 61) = -44; *((_BYTE *)this + 62) = 50; *((_BYTE *)this + 63) = -74; *((_BYTE *)this + 64) = 20; *((_BYTE *)this + 65) = -126; *((_BYTE *)this + 66) = -73; *((_BYTE *)this + 67) = -81; *((_BYTE *)this + 68) = 20; *((_BYTE *)this + 69) = 84; *((_BYTE *)this + 70) = 127; *((_BYTE *)this + 71) = -49; qmemcpy(this + 18, " 03\"3 0 203\" $ ", 20); sub_8A30A0(this + 23); sub_8A2DE0(this + 26); for ( i = 0; i < 40; ++i ) *((_BYTE *)this + i + 12) = 0; return this; }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 找到虚函数表
- 如下为判定函数
BOOL __thiscall sub_8A24B0(_DWORD *this, int a2)
{
BOOL result; // eax
this[2] = a2;
result = 0;
if ( (*(int (__thiscall **)(_DWORD *))(*this + 12))(this) )
{
(*(void (__thiscall **)(_DWORD *))(*this + 24))(this);
if ( (*(int (__thiscall **)(_DWORD *))(*this + 40))(this) )
return 1;
}
return result;
}
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 看一下this+12
int __thiscall sub_8A2500(const char **this) { int v2; // [esp+Ch] [ebp-B0h] unsigned int v3; // [esp+14h] [ebp-A8h] int i; // [esp+24h] [ebp-98h] char v6[56]; // [esp+30h] [ebp-8Ch] BYREF char v7[20]; // [esp+68h] [ebp-54h] BYREF char v8[48]; // [esp+7Ch] [ebp-40h] BYREF int v9; // [esp+B8h] [ebp-4h] v3 = (unsigned int)&this[2][strlen(this[2])]; strcpy(v8, "Ncg`esdvLkLgk$mL=Lgk$mL=Lgk$mL=Lgk$mL=Lgk$mLm"); sub_8A26C0(v6, 0x38u); sub_8A2B00(); v9 = 0; for ( i = 0; i < 45; ++i ) v8[i] ^= 0x10u; sub_8A26C0(v7, 0x14u); sub_8A2A70(v8, 1); LOBYTE(v9) = 1; v2 = (unsigned __int8)sub_8A4260(this[2], v3, v6, v7, 0); LOBYTE(v9) = 0; sub_8A2A50(v7); v9 = -1; sub_8A26A0(); return v2; }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
-
swpuctf{\w{4}-\w{4}-\w{4}-\w{4}-\w{4}},即为flag格式
-
this+24
- 调用了如下两个函数
- this+28
int __thiscall sub_8A2730(_DWORD *this, int a2) { int v2; // esi int v3; // ecx unsigned __int8 v4; // al char v6; // cf char v7; // bl char v8; // t2 int v10; // [esp+Ch] [ebp-30h] int i; // [esp+14h] [ebp-28h] int j; // [esp+1Ch] [ebp-20h] int v13; // [esp+20h] [ebp-1Ch] BYREF int v14; // [esp+24h] [ebp-18h] int v15; // [esp+28h] [ebp-14h] int v16; // [esp+2Ch] [ebp-10h] int v17; // [esp+30h] [ebp-Ch] int v18; // [esp+34h] [ebp-8h] v13 = 0; v14 = 0; v15 = 0; v16 = 0; v17 = 0; v18 = 0; v10 = this[2] + 5 * a2 + 8; for ( i = 0; i < 4; ++i ) *((_BYTE *)&v13 + i) = *(_BYTE *)(i + v10); v2 = 0; v3 = 4; do { v4 = *((_BYTE *)&v13 + v2); _DL = v4; __asm { rcl dl, 1 } *((_BYTE *)&v15 + v2) = 1; v7 = 0; v6 = 0; do { v8 = v6 << 7; v6 = v4 & 1; v4 = (v4 >> 1) | v8; ++v7; } while ( v6 ); *((_BYTE *)&v16 + v2++) = v7 - 1; --v3; } while ( v3 ); for ( j = 0; j < 4; ++j ) { *((_BYTE *)&v14 + j) = *((_BYTE *)&v16 + j) + *((_BYTE *)&v15 + j); *((_BYTE *)&v17 + j) = *((char *)&v13 + j) << *((_BYTE *)&v15 + j); *((_BYTE *)&v18 + j) = (*((char *)&v13 + j) << (8 - *((_BYTE *)&v16 + j))) | ((unsigned __int8)(*((char *)&v13 + j) >> (8 - *((_BYTE *)&v15 + j))) << *((_BYTE *)&v15 + j)); } return sub_8A2F80(&v13); }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 下面分析一下他的汇编
.text:008A1E40 push ebp .text:008A1E41 mov ebp, esp .text:008A1E43 sub esp, 30h .text:008A1E46 mov eax, ___security_cookie .text:008A1E4B xor eax, ebp .text:008A1E4D mov [ebp+var_4], eax .text:008A1E50 push ebx .text:008A1E51 push esi .text:008A1E52 push edi .text:008A1E53 mov [ebp+var_2C], ecx .text:008A1E56 xor eax, eax .text:008A1E58 mov [ebp+var_1C], eax .text:008A1E5B mov [ebp+var_18], eax .text:008A1E5E mov [ebp+var_14], eax .text:008A1E61 mov [ebp+var_10], eax .text:008A1E64 mov [ebp+var_C], eax .text:008A1E67 mov [ebp+var_8], eax .text:008A1E6A imul ecx, [ebp+arg_0], 5 .text:008A1E6E mov edx, [ebp+var_2C] .text:008A1E71 mov eax, [edx+8] .text:008A1E74 lea ecx, [eax+ecx+8] .text:008A1E78 mov [ebp+var_30], ecx .text:008A1E7B mov [ebp+var_28], 0 .text:008A1E82 jmp short loc_8A1E8D .text:008A1E82 .text:008A1E84 ; --------------------------------------------------------------------------- .text:008A1E84 .text:008A1E84 loc_8A1E84: ; CODE XREF: sub_8A1E40+62↓j .text:008A1E84 mov edx, [ebp+var_28] .text:008A1E87 add edx, 1 .text:008A1E8A mov [ebp+var_28], edx .text:008A1E8A .text:008A1E8D .text:008A1E8D loc_8A1E8D: ; CODE XREF: sub_8A1E40+42↑j .text:008A1E8D cmp [ebp+var_28], 4 .text:008A1E91 jge short loc_8A1EA4 .text:008A1E91 .text:008A1E93 mov eax, [ebp+var_30] .text:008A1E96 add eax, [ebp+var_28] .text:008A1E99 mov ecx, [ebp+var_28] .text:008A1E9C mov dl, [eax] .text:008A1E9E mov byte ptr [ebp+ecx+var_1C], dl .text:008A1EA2 jmp short loc_8A1E84 .text:008A1EA2 .text:008A1EA4 ; --------------------------------------------------------------------------- .text:008A1EA4 .text:008A1EA4 loc_8A1EA4: ; CODE XREF: sub_8A1E40+51↑j .text:008A1EA4 pusha .text:008A1EA5 xor esi, esi .text:008A1EA7 mov ecx, 4 .text:008A1EA7 .text:008A1EAC .text:008A1EAC loc_8A1EAC: ; CODE XREF: sub_8A1E40+99↓j .text:008A1EAC xor eax, eax .text:008A1EAE mov al, byte ptr [ebp+esi+var_1C] .text:008A1EB5 mov edx, eax .text:008A1EB7 xor ebx, ebx .text:008A1EB7 .text:008A1EB9 .text:008A1EB9 loc_8A1EB9: ; CODE XREF: sub_8A1E40+7E↓j .text:008A1EB9 rcl dl, 1 .text:008A1EBB inc ebx .text:008A1EBC jb short loc_8A1EC0 .text:008A1EBC .text:008A1EBE jmp short loc_8A1EB9 .text:008A1EBE .text:008A1EC0 ; --------------------------------------------------------------------------- .text:008A1EC0 .text:008A1EC0 loc_8A1EC0: ; CODE XREF: sub_8A1E40+7C↑j .text:008A1EC0 mov byte ptr [ebp+esi+var_14], bl .text:008A1EC7 xor ebx, ebx .text:008A1EC7 .text:008A1EC9 .text:008A1EC9 loc_8A1EC9: ; CODE XREF: sub_8A1E40+8E↓j .text:008A1EC9 rcr al, 1 .text:008A1ECB inc ebx .text:008A1ECC jb short loc_8A1ED0 .text:008A1ECC .text:008A1ECE jmp short loc_8A1EC9 .text:008A1ECE .text:008A1ED0 ; --------------------------------------------------------------------------- .text:008A1ED0 .text:008A1ED0 loc_8A1ED0: ; CODE XREF: sub_8A1E40+8C↑j .text:008A1ED0 dec ebx .text:008A1ED1 mov byte ptr [ebp+esi+var_10], bl .text:008A1ED8 inc esi .text:008A1ED9 loop loc_8A1EAC .text:008A1ED9 .text:008A1EDB popa .text:008A1EDC mov [ebp+var_20], 0 .text:008A1EE3 jmp short loc_8A1EEE .text:008A1EE3 .text:008A1EE5 ; --------------------------------------------------------------------------- .text:008A1EE5 .text:008A1EE5 loc_8A1EE5: ; CODE XREF: sub_8A1E40+171↓j .text:008A1EE5 mov eax, [ebp+var_20] .text:008A1EE8 add eax, 1 .text:008A1EEB mov [ebp+var_20], eax .text:008A1EEB .text:008A1EEE .text:008A1EEE loc_8A1EEE: ; CODE XREF: sub_8A1E40+A3↑j .text:008A1EEE cmp [ebp+var_20], 4 .text:008A1EF2 jge loc_8A1FB6 .text:008A1EF2 .text:008A1EF8 mov ecx, [ebp+var_20] .text:008A1EFB movzx edx, byte ptr [ebp+ecx+var_14] .text:008A1F00 mov eax, [ebp+var_20] .text:008A1F03 movzx ecx, byte ptr [ebp+eax+var_10] .text:008A1F08 add edx, ecx .text:008A1F0A mov eax, [ebp+var_20] .text:008A1F0D mov byte ptr [ebp+eax+var_18], dl .text:008A1F11 mov ecx, [ebp+var_20] .text:008A1F14 movsx edx, byte ptr [ebp+ecx+var_1C] .text:008A1F19 mov eax, [ebp+var_20] .text:008A1F1C movzx ecx, byte ptr [ebp+eax+var_14] .text:008A1F21 shl edx, cl .text:008A1F23 mov ecx, [ebp+var_20] .text:008A1F26 mov byte ptr [ebp+ecx+var_C], dl .text:008A1F2A mov edx, [ebp+var_20] .text:008A1F2D mov eax, [ebp+var_20] .text:008A1F30 mov dl, byte ptr [ebp+edx+var_C] .text:008A1F34 mov cl, byte ptr [ebp+eax+var_18] .text:008A1F38 shr dl, cl .text:008A1F3A mov eax, [ebp+var_20] .text:008A1F3D mov byte ptr [ebp+eax+var_C], dl .text:008A1F41 mov ecx, [ebp+var_20] .text:008A1F44 movzx edx, byte ptr [ebp+ecx+var_14] .text:008A1F49 mov eax, 8 .text:008A1F4E sub eax, edx .text:008A1F50 mov [ebp+var_22], al .text:008A1F53 mov ecx, [ebp+var_20] .text:008A1F56 movsx edx, byte ptr [ebp+ecx+var_1C] .text:008A1F5B movzx ecx, [ebp+var_22] .text:008A1F5F sar edx, cl .text:008A1F61 mov [ebp+var_24], dl .text:008A1F64 mov eax, [ebp+var_20] .text:008A1F67 movzx ecx, byte ptr [ebp+eax+var_10] .text:008A1F6C mov edx, 8 .text:008A1F71 sub edx, ecx .text:008A1F73 mov [ebp+var_23], dl .text:008A1F76 mov eax, [ebp+var_20] .text:008A1F79 movsx edx, byte ptr [ebp+eax+var_1C] .text:008A1F7E movzx ecx, [ebp+var_23] .text:008A1F82 shl edx, cl .text:008A1F84 mov [ebp+var_21], dl .text:008A1F87 mov eax, [ebp+var_20] .text:008A1F8A mov dl, [ebp+var_21] .text:008A1F8D mov cl, byte ptr [ebp+eax+var_18] .text:008A1F91 shr dl, cl .text:008A1F93 mov [ebp+var_21], dl .text:008A1F96 movzx eax, [ebp+var_24] .text:008A1F9A mov ecx, [ebp+var_20] .text:008A1F9D movzx ecx, byte ptr [ebp+ecx+var_14] .text:008A1FA2 shl eax, cl .text:008A1FA4 movzx edx, [ebp+var_21] .text:008A1FA8 or eax, edx .text:008A1FAA mov ecx, [ebp+var_20] .text:008A1FAD mov byte ptr [ebp+ecx+var_8], al .text:008A1FB1 jmp loc_8A1EE5 .text:008A1FB1 .text:008A1FB6 ; --------------------------------------------------------------------------- .text:008A1FB6 .text:008A1FB6 loc_8A1FB6: ; CODE XREF: sub_8A1E40+B2↑j .text:008A1FB6 lea edx, [ebp+var_1C] .text:008A1FB9 push edx .text:008A1FBA mov ecx, [ebp+var_2C] .text:008A1FBD add ecx, 5Ch ; '\' .text:008A1FC0 call sub_8A2F80 .text:008A1FC0 .text:008A1FC5 pop edi .text:008A1FC6 pop esi .text:008A1FC7 pop ebx .text:008A1FC8 mov ecx, [ebp+var_4] .text:008A1FCB xor ecx, ebp ; StackCookie .text:008A1FCD call @__security_check_cookie@4 ; __security_check_cookie(x) .text:008A1FCD .text:008A1FD2 mov esp, ebp .text:008A1FD4 pop ebp .text:008A1FD5 retn 4 .text:008A1FD5 .text:008A1FD5 sub_8A1E40 endp
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
- 139
- 140
- 141
- 142
- 143
- 144
- 145
- 146
- 147
- 148
- 149
- 150
- 151
- 152
- 153
- 154
- 155
- 156
- 157
- 158
- 159
- 160
- 161
- 162
- 163
- 164
- 165
- 166
- 167
- 168
- 169
- 170
- 171
- 172
- 173
- 174
- 175
- 176
- 177
- 178
- 179
- 180
- 181
- RCL是带进位左循环移位指令,RCR是带进位右循环移位指令;RCL是将某数最高位移进入CF,而CF里的内容跑到该数的最低位,形成咬尾蛇循环,移位次数为CL或CX指定的次数;而RCR相反,它是从最低位移出到CF,CF跑到最高位,形成咬尾蛇循环。
- 不断地对dl右移,每次右移让ebx++, 直到有进位时跳到下一代码块, 并把ebx保存到栈上, 清空ebx
- dl, al都是从一个栈上地址mov来的,而每次这个地址指向一位flag
保存的地址分别为[ebp+esi+var_1C+8] [ebp+…+0xC], 同时再 esi ++
也就是看看dl的最高位1在第几位
- this+36
int __thiscall sub_8A28A0(_DWORD *this) { _DWORD *v1; // eax int v2; // eax int result; // eax int v4; // eax int v5; // eax int v6; // eax char v7; // bl int v8; // eax int v9; // eax int v10; // eax char v11[4]; // [esp+4h] [ebp-1Ch] BYREF char v12[4]; // [esp+8h] [ebp-18h] BYREF int v13; // [esp+Ch] [ebp-14h] int v14; // [esp+10h] [ebp-10h] _DWORD *v15; // [esp+14h] [ebp-Ch] int i; // [esp+18h] [ebp-8h] _DWORD *v17; // [esp+1Ch] [ebp-4h] v17 = this; v14 = 32; v13 = 0; v15 = this + 3; v1 = (_DWORD *)sub_8A2EA0(v12); v17[26] = *v1; while ( 1 ) { v2 = sub_8A2E40(v11); result = sub_8A2E00(v2); if ( !(_BYTE)result ) break; for ( i = 0; i < 8; ++i ) { if ( i >= 4 ) { v9 = sub_8A2DC0(v17 + 26); v14 -= *(unsigned __int8 *)(v9 + i); v10 = sub_8A2DC0(v17 + 26); *v15 |= *(unsigned __int8 *)(v10 + i + 16) << v14; } else { v4 = sub_8A2DC0(v17 + 26); v13 = 8 - *(unsigned __int8 *)(v4 + i + 4); v14 -= v13; v5 = sub_8A2DC0(v17 + 26); *v15 |= *(unsigned __int8 *)(v5 + i + 16) << v14; v6 = sub_8A2DC0(v17 + 26); v7 = 16 * *(_BYTE *)(v6 + i + 8); v8 = sub_8A2DC0(v17 + 26); *((_BYTE *)v15 + i + 20) = *(_BYTE *)(v8 + i + 12) | v7; } } ++v15; sub_8A2DA0(v17 + 26); } return result; }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 整个程序流程:
校验flag格式
通过-分割flag成5部分,对flag进行位移运算,对flag的每个字符都得到5个结果,将其存储到内存中
进行5次循环,每次循环处理4个字符,利用每个字符得到的5个结果继续进行移位和或运算,最终会生成两个结果,一个结果受字符影响,而另外一个结果是每个字符独立存在,不受其他字符的影响
将得到的结果与初始化中的两个字符串进行对比
import string class SwpuctfBabyre(): def __init__(self): self.s2 = ' 03\"3 0 203\" $ ' self.s = ['08', 'EA', '58', 'DE', '94', 'D0', '3B', 'BE', '88', 'D4', '32', 'B6', '14', '82', 'B7', 'AF', '14', '54', '7F', 'CF'] self.flag = 'swpuctf{' self.d = dict.fromkeys(list(set(self.s2))) self.v14 = 0x20 for i in list(set(self.s2)): self.d[i] = [] def check_1(self, c): # 左移进位位数 num = 0 while True: c = c << 1 num += 1 if c & 0x100: return num def check_0(self, c): # 右边0的个数 num = 0 while True: if c & 1: return num num += 1 c = c >> 1 def generate_0(self, c): res1 = self.check_0(c) + self.check_1(c) res2 = ((c << self.check_1(c)) & 0xff) >> res1 res3 = ((c >> (8 - self.check_1(c))) << self.check_1(c)) | ((c << (8 - self.check_0(c)) & 0xff) >> res1) return [res1, res2, res3] def check_part(self, c): tmp = list(set(self.s2)) tmp2 = self.check_0(c) | (16 * self.check_1(c)) for i in tmp: if tmp2 == ord(i): return i return '' def classify(self): for_each = string.ascii_lowercase + string.ascii_uppercase + string.digits for i in for_each: tmp = self.check_part(ord(i)) if tmp: self.d[tmp].append(i) def test_1(self, c): exam = {c: self.generate_0(ord(c))} self.v14 = self.v14 - (8 - exam[c][0]) tmp = exam[c][1] << self.v14 return tmp def test_2(self, c): exam = {c: self.generate_0(ord(c))} self.v14 = self.v14 - exam[c][0] tmp = exam[c][2] << self.v14 return tmp def calc_first_part(self, s): self.v14 = 0x20 tmp = 0 for i in s: tmp |= self.test_1(i) for i in s: tmp |= self.test_2(i) return tmp def check_first_part(self, second_part, first_part): for i in self.d[second_part[0]]: for j in self.d[second_part[1]]: for k in self.d[second_part[2]]: for m in self.d[second_part[3]]: tmp = i + j + k + m if self.calc_first_part(tmp) == first_part: return tmp def run(self): self.classify() for i in range(0, 5): first_part = int(self.s[3 + 4 * i]+self.s[2 + 4 * i]+self.s[1 + 4 * i]+self.s[4 * i], 16) second_part = self.s2[i*4:i*4+4] res = self.check_first_part(second_part, first_part) if i == 4: self.flag += res break self.flag += res + '-' self.flag += '}' print(self.flag) if __name__ == '__main__': swpuctf = SwpuctfBabyre() swpuctf.run()
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- swpuctf{we18-l8co-m1e4-58to-swpu}
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/繁依Fanyi0/article/detail/738474
推荐阅读
相关标签
