Reverse 高校网络信息安全运维挑战赛
/*
 * sub_403CC0 -- Hex-Rays pseudo-code of the routine that prompts for a key,
 * checks its length and hands it to check_4014A0() together with a constant
 * string assembled on the stack.
 *
 * Returns -1 when strlen(input) is <= 19 or > 30, otherwise 0 (the return
 * value does not say whether the key was accepted; only the printed message
 * does).
 */
signed int sub_403CC0()
{
  unsigned int v0; // eax
  int key_lens; // eax
  FILE *v2; // eax
  FILE *v3; // eax
  signed int result; // eax
  int data; // [esp+10h] [ebp-44h]
  int v6; // [esp+14h] [ebp-40h]
  int v7; // [esp+18h] [ebp-3Ch]
  int v8; // [esp+1Ch] [ebp-38h]
  int v9; // [esp+20h] [ebp-34h]
  int v10; // [esp+24h] [ebp-30h]
  int v11; // [esp+28h] [ebp-2Ch]
  int v12; // [esp+2Ch] [ebp-28h]
  int mykey[8]; // [esp+30h] [ebp-24h]

  sub_401AD0(); // not shown on this page
  // data, v6 .. v12 sit at consecutive stack offsets (esp+10h .. esp+2Ch) and
  // are later read as ONE C string through (char *)&data. Each multi-character
  // constant is stored as a little-endian int, so its characters appear
  // reversed in memory; v12 = 0 supplies the terminator.
  data = 'F2A1'; // 1A2F943C4D8C5B6EA3C9BCAD7E
  v6 = 'C349';
  v0 = 0;
  v7 = 'C8D4';
  v8 = 'E6B5';
  v9 = '9C3A';
  v10 = 'DACB';
  v11 = 'E7';
  v12 = 0;
  // Zero the 8-int (32-byte) input buffer.
  do
  {
    mykey[v0] = 0;
    ++v0;
  }
  while ( v0 < 8 );
  puts("input your key:");
  // NOTE(review): "%s" carries no field width, so scanf can write past the
  // 32-byte mykey buffer. The length test below runs only after the write has
  // happened and therefore does not bound it.
  scanf("%s", mykey);
  key_lens = strlen((const char *)mykey);
  if ( key_lens <= 19 )
  {
    printf("too short!");
    result = -1;
  }
  else if ( key_lens > 30 )
  {
    printf("too long!");
    result = -1;
  }
  else
  {
    // Lengths 20..30 reach the checker.
    if ( check_4014A0((char *)mykey, (char *)&data, key_lens) )
      printf("congratulations, your input is the flag ^_^");
    else
      printf("try agian");
    // NOTE(review): the two decrement / filbuf sequences below look like two
    // inlined getchar() calls on stdin (keeping the console open before
    // exit) -- confirm against the CRT the binary was built with.
    v2 = (FILE *)((char *)iob[1] - 1);
    iob[1] = v2;
    if ( (signed int)v2 < 0 )
    {
      filbuf(iob[0]);
      v2 = iob[1];
    }
    else
    {
      ++iob[0];
    }
    v3 = (FILE *)((char *)v2 - 1);
    iob[1] = v3;
    if ( (signed int)v3 < 0 )
      filbuf(iob[0]);
    else
      ++iob[0];
    result = 0;
  }
  return result;
}
关键函数check_4014A0((char *)mykey, (char *)&data, key_lens)
/*
 * check_4014A0 -- Hex-Rays pseudo-code of the key checker.
 *
 * mykey    : the user's input string
 * data     : the constant string built by the caller
 * key_lens : strlen(mykey) as computed by the caller
 *
 * Returns 1 when key_lens == 25 and, for every i in 0..24,
 *   ROL8(mykey[i], 2) ^ numb_401460(data, i) == encryptArray[i]
 * and 0 otherwise.
 *
 * NOTE(review): both the rotate and the XOR are invertible and every constant
 * is embedded in the function, so the expected key can be recomputed from the
 * listing alone; a check of this shape does not keep the key secret.
 */
signed int __cdecl check_4014A0(char *mykey, char *data, int key_lens)
{
  unsigned int v3; // ebx
  int j; // eax
  int k; // ebx
  char v7; // dl
  int i; // eax
  // v9 .. v33 occupy consecutive byte offsets (esp+0Ah .. esp+22h); the
  // function treats them as one 25-byte array via *(&v9 + i).
  char v9; // [esp+Ah] [ebp-4Ah]
  char v10; // [esp+Bh] [ebp-49h]
  char v11; // [esp+Ch] [ebp-48h]
  char v12; // [esp+Dh] [ebp-47h]
  char v13; // [esp+Eh] [ebp-46h]
  char v14; // [esp+Fh] [ebp-45h]
  char v15; // [esp+10h] [ebp-44h]
  char v16; // [esp+11h] [ebp-43h]
  char v17; // [esp+12h] [ebp-42h]
  char v18; // [esp+13h] [ebp-41h]
  char v19; // [esp+14h] [ebp-40h]
  char v20; // [esp+15h] [ebp-3Fh]
  char v21; // [esp+16h] [ebp-3Eh]
  char v22; // [esp+17h] [ebp-3Dh]
  char v23; // [esp+18h] [ebp-3Ch]
  char v24; // [esp+19h] [ebp-3Bh]
  char v25; // [esp+1Ah] [ebp-3Ah]
  char v26; // [esp+1Bh] [ebp-39h]
  char v27; // [esp+1Ch] [ebp-38h]
  char v28; // [esp+1Dh] [ebp-37h]
  char v29; // [esp+1Eh] [ebp-36h]
  char v30; // [esp+1Fh] [ebp-35h]
  char v31; // [esp+20h] [ebp-34h]
  char v32; // [esp+21h] [ebp-33h]
  char v33; // [esp+22h] [ebp-32h]
  int v34; // [esp+24h] [ebp-30h]
  char v35[44]; // [esp+28h] [ebp-2Ch]

  v3 = 0;
  v34 = 0;
  do
  {
    *(_DWORD *)(&v11 + v3) = 0;
    v3 += 4; // zero-initialise, one DWORD at a time starting at v11
  }
  while ( v3 < ((&v9 - &v11 + 30) & 0xFFFFFFFC) );// <28
  v9 = 0xF; //encryptArray
  v10 = 0x87u;
  v11 = 0x62;
  v12 = 0x14;
  v13 = 1;
  v14 = 0xC6u;
  v15 = 0xF0u;
  v16 = 33;
  v17 = 48;
  v18 = 17;
  v19 = 80;
  v20 = 0xD0u;
  v21 = 0x82u;
  v22 = 35;
  v23 = 0xAEu;
  v24 = 35;
  v25 = 0xEEu;
  v26 = 0xA9u;
  v27 = 0xB4u;
  v28 = 82;
  v29 = 120;
  v30 = 87;
  v31 = 12;
  v32 = 0x86u;
  v33 = 0x8Bu; // 0F 87 62 14 01 C6 F0 21 30 11 50 D0 82 23 AE 23 EE A9 B4 52 78 57 0C 86 8B
  // Only a 25-character key is processed; any other length falls through to
  // "return 0" even though the caller admits lengths 20..30.
  if ( key_lens == 25 )
  {
    j = 0;
    do
    {
      v35[j] = __ROL1__(mykey[j], 2); // rotate each byte left by 2 bits
      ++j;
    }
    while ( j != 25 );
    k = 0;
    do
    {
      v35[k] ^= numb_401460(data, k); // data:(ASCII "1A2F943C4D8C5B6EA3C9BCAD7E")
                                      // numb derives one value per index k from data
                                      // (its listing on this page reads data[k] and data[k + 1])
      ++k;
    }
    while ( k != 25 );
    v7 = 15; // same value as v9 (0xF), the first encryptArray byte
    // Key comparison: v35 holds (key rotated left by 2 bits) XOR (numb output);
    // it is compared byte by byte with encryptArray and the loop stops at the
    // first mismatch.
    for ( i = 0; v35[i] == v7; v7 = *(&v9 + i) )
    {
      if ( ++i == 25 )
        return 1;
    }
  }
  return 0;
}
numb_401460(data, k)函数:
/*
 * sub_401460 -- referred to as numb_401460 elsewhere on this page.
 *
 * Reads the two characters data[index] and data[index + 1], converts each to
 * a 4-bit value and returns them packed as (first << 4) | second.
 *
 * A character in '0'..'9' is reduced with "& 0xF"; any other character has
 * 0x37 subtracted first (0x37 == 'A' - 10, so 'A'..'F' map to 10..15).
 * Neither character is validated as a hex digit and index + 1 is not
 * bounds-checked here; the caller must keep both reads inside the string.
 */
int __cdecl sub_401460(char *data, int index)
{
  char a; // al
  char b; // cl
  int x; // eax
  int y; // edx
  // data as passed by the caller: 1A2F943C4D8C5B6EA3C9BCAD7E

  a = data[index];
  b = data[index + 1];
  // The unsigned 8-bit compare is true for every character outside '0'..'9'
  // (values below '0' wrap around to large numbers).
  if ( (unsigned __int8)(a - 0x30) > 9u )
    a -= 0x37;
  x = a & 0xF; // high nibble of the result
  y = (b - 0x37) & 0xF; // letter case computed first ...
  if ( (unsigned __int8)(b - 0x30) <= 9u )
    y = b & 0xF; // ... and overridden when b is a decimal digit
  return y | 16 * x;
  // (the pasted listing stops here; the function's closing brace is not part
  // of the original text)
wp:
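# Solver for the check in check_4014A0: the binary accepts a 25-byte key when
#   ROL8(key[i], 2) ^ numb(data, i) == encryptArray[i]   for i in 0..24,
# so each key byte is recovered as ROR8(encryptArray[i] ^ numb(data, i), 2).

# Expected bytes, copied from the v9..v33 locals of check_4014A0.
encryptArray = [0x0F, 0x87, 0x62, 0x14, 0x01, 0xC6, 0xF0, 0x21, 0x30, 0x11, 0x50, 0xD0, 0x82, 0x23, 0xAE, 0x23,
                0xEE, 0xA9, 0xB4, 0x52, 0x78, 0x57, 0x0C, 0x86, 0x8B]
# Constant string the caller builds on its stack (26 hex characters).
data = '1A2F943C4D8C5B6EA3C9BCAD7E'
# Expected result of the numb() pass below:
# numbs=[0x1a, 0xa2, 0x2f, 0xf9, 0x94, 0x43, 0x3c, 0xc4, 0x4d, 0xd8, 0x8c, 0xc5, 0x5b, 0xb6, 0x6e, 0xea, 0xa3, 0x3c, 0xc9, 0x9b, 0xbc, 0xca, 0xad, 0xd7, 0x7e]

# General form for an unsigned value val that is N bits wide, rotated by n bits
# (the result must be masked back to N bits):
#   rotate left : (val >> (N - n)) | (val << n)
#   rotate right: (val << (N - n)) | (val >> n)


def ROL_2(val):
    """Rotate an 8-bit value left by 2 bits."""
    return ((val >> 6) & 0xff) | ((val << 2) & 0xff)


def ROR_2(val):
    """Rotate an 8-bit value right by 2 bits (inverse of ROL_2)."""
    return ((val << 6) & 0xff) | ((val >> 2) & 0xff)


def numb(data, index):
    """Port of sub_401460: pack data[index] and data[index + 1] into one byte.

    Each character is reduced to a nibble: '0'..'9' via ``& 0xF``, anything
    else via ``- 0x37`` first.  The range tests are masked to 8 bits so that
    characters below '0' behave as in the binary's ``unsigned __int8``
    comparison instead of being treated as digits.
    """
    a = ord(data[index])
    b = ord(data[index + 1])
    if ((a - 0x30) & 0xFF) > 9:
        a -= 0x37
    x = a & 0xF
    y = (b - 0x37) & 0xF
    if ((b - 0x30) & 0xFF) <= 9:
        y = b & 0xF
    return y | 16 * x


# One derived byte per key position; index 24 reads data[24] and data[25].
numbs = [numb(data, i) for i in range(25)]
print('numbs=[',','.join(map(hex,numbs)),']')

# Undo the XOR first, then the rotation, to get each key character back.
key = []
for i in range(25):
    x = ROR_2(encryptArray[i] ^ numbs[i])
    key.append(chr(x))
print(''.join(key))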
EIS{ea3y_r7Eve0rSe_r1ghT}
在攻防世界中提交失败0.0,Orz