• 攻防世界--logmein


    测试文件:https://adworld.xctf.org.cn/media/task/attachments/a00849bb514c413f8a6526f6bb56c628

    1.准备

    得到信息

    1. 64位文件
    2. obj文件

    2.IDA打开

    将main函数转换为C语言代码

     1 void __fastcall __noreturn main(__int64 a1, char **a2, char **a3)
     2 {
     3   size_t v3; // rsi
     4   int i; // [rsp+3Ch] [rbp-54h]
     5   char s[36]; // [rsp+40h] [rbp-50h]
     6   int v6; // [rsp+64h] [rbp-2Ch]
     7   __int64 v7; // [rsp+68h] [rbp-28h]
     8   char v8[8]; // [rsp+70h] [rbp-20h]
     9   int v9; // [rsp+8Ch] [rbp-4h]
    10 
    11   v9 = 0;
    12   strcpy(v8, ":"AL_RT^L*.?+6/46");
    13   v7 = 28537194573619560LL;
    14   v6 = 7;
    15   printf("Welcome to the RC3 secure password guesser.
    ", a2, a3);
    16   printf("To continue, you must enter the correct password.
    ");
    17   printf("Enter your guess: ");
    18   __isoc99_scanf("%32s", s);
    19   v3 = strlen(s);
    20   if ( v3 < strlen(v8) )
    21     sub_4007C0(v8);
    22   for ( i = 0; i < strlen(s); ++i )
    23   {
    24     if ( i >= strlen(v8) )
    25       ((void (*)(void))sub_4007C0)();
    26     if ( s[i] != (char)(*((_BYTE *)&v7 + i % v6) ^ v8[i]) )
    27       ((void (*)(void))sub_4007C0)();
    28   }
    29   sub_4007F0();
    30 }

    2.1 分析代码

    进入sub_4007C0)()

    void __noreturn sub_4007C0()
    {
      printf("Incorrect password!
    ");
      exit(0);
    }

    进入sub_4007F0();

    void __noreturn sub_4007F0()
    {
      printf("You entered the correct password!
    Great job!
    ");
      exit(0);
    }

    通过第26行代码,我们了解到flag的获取

    for(i =0; i < strlen(v8); ++i){
        s[i] != (char)(*((_BYTE *)&v7 + i % v6) ^ v8[i];
    }

    2.2 算法代码

    通过分析,实现算法的代码

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    
    #define BYTE unsigned char
    
    int main(int argc, char* argv[]) {
        unsigned int i;
        char v8[18] = ":"AL_RT^L*.?+6/46";
        __int64 v7 = 28537194573619560;
        int v6 = 7;
    
        char s[18] = "";
        for (i = 0; i < strlen(v8); ++i) {
            s[i] = (char)(*((BYTE*)&v7 + i % v6)^v8[i]);
        }
    
        printf("%s
    ", s);
    
        system("PAUSE");
        return 0;
    }

    3. get flag!

  • 相关阅读:
    ARM指令集----寻址方式
    [js] 实现接口
    sublime自定义配置
    [javascript] postmessage
    [javascript] visible - 待写
    [读书笔记]24个比利
    解决div里面img的缝隙问题(转)
    【JAVASCRIPT】React + Redux
    【JAVASCRIPT】React 学习
    代理
  • 原文地址:https://www.cnblogs.com/Mayfly-nymph/p/11399801.html
Copyright © 2020-2023  润新知