• BUUCTF--[ACTF新生赛2020]easyre


    测试文件:https://www.lanzous.com/ib515vi

    脱壳

    获取到信息

    • 32位文件
    • UPX加壳

    代码分析

    // Decompiled main() of the unpacked target.  It reads one string, checks the
    // fixed prefix "ACTF{" and suffix "}", then validates the 12 bytes in between
    // one at a time through a lookup table (_data_start__).
    //
    // The stack offsets in the decompiler's comments show which locals are really
    // one object: v4..v15 are 12 consecutive bytes (the expected values),
    // v16..v18 are 12 consecutive bytes (the candidate flag bytes), and
    // v19..v26 are 18 consecutive bytes (the input buffer).
    int __cdecl main(int argc, const char **argv, const char **envp)
    {
      char v4; // [esp+12h] [ebp-2Eh]   first of 12 expected-value bytes, read as *(&v4 + i)
      char v5; // [esp+13h] [ebp-2Dh]
      char v6; // [esp+14h] [ebp-2Ch]
      char v7; // [esp+15h] [ebp-2Bh]
      char v8; // [esp+16h] [ebp-2Ah]
      char v9; // [esp+17h] [ebp-29h]
      char v10; // [esp+18h] [ebp-28h]
      char v11; // [esp+19h] [ebp-27h]
      char v12; // [esp+1Ah] [ebp-26h]
      char v13; // [esp+1Bh] [ebp-25h]
      char v14; // [esp+1Ch] [ebp-24h]
      char v15; // [esp+1Dh] [ebp-23h]   last expected-value byte
      int v16; // [esp+1Eh] [ebp-22h]   v16..v18: the 12 candidate bytes, walked as (char *)&v16
      int v17; // [esp+22h] [ebp-1Eh]
      int v18; // [esp+26h] [ebp-1Ah]
      __int16 v19; // [esp+2Ah] [ebp-16h]   start of the input buffer; bytes 0-1 must be "AC"
      char v20; // [esp+2Ch] [ebp-14h]   input byte 2: 'T'
      char v21; // [esp+2Dh] [ebp-13h]   input byte 3: 'F'
      char v22; // [esp+2Eh] [ebp-12h]   input byte 4: '{'
      int v23; // [esp+2Fh] [ebp-11h]   input bytes 5-16: the 12 flag bytes
      int v24; // [esp+33h] [ebp-Dh]
      int v25; // [esp+37h] [ebp-9h]
      char v26; // [esp+3Bh] [ebp-5h]   input byte 17: '}'
      int i; // [esp+3Ch] [ebp-4h]

      __main(); // compiler start-up hook (gcc/MinGW style); takes no part in the check
      // Expected table values, one per flag position (v4[0..11]).
      v4 = 42;
      v5 = 70;
      v6 = 39;
      v7 = 34;
      v8 = 78;
      v9 = 44;
      v10 = 34;
      v11 = 40;
      v12 = 73;
      v13 = 63;
      v14 = 43;
      v15 = 64;
      printf("Please input:");
      // No field width on %s: anything longer than the 18-byte span v19..v26 is
      // written past it (into i and the rest of the frame).  The accepted input
      // is exactly 18 characters: "ACTF{" + 12 bytes + "}".
      scanf("%s", &v19);
      // Format check: 65 'A', 67 'C', 84 'T', 70 'F', 123 '{', 125 '}'.
      // (_BYTE)v19 is the low byte and HIBYTE(v19) the high byte of the 16-bit
      // value, i.e. input bytes 0 and 1 on little-endian x86.
      if ( (_BYTE)v19 != 65 || HIBYTE(v19) != 67 || v20 != 84 || v21 != 70 || v22 != 123 || v26 != 125 )
        return 0;
      // Copy the 12 bytes between '{' and '}' into v16..v18 so they can be walked bytewise.
      v16 = v23;
      v17 = v24;
      v18 = v25;
      // 12 iterations (i = 0..11).  Flag byte f at position i is accepted when
      // v4[i] == _data_start__[f - 1], i.e. f is the 1-based position of v4[i]
      // in the table.  The byte is read through a plain char: if char is signed
      // (as it is with x86 gcc) a byte >= 0x80 gives a negative index and the
      // comparison reads before _data_start__.
      for ( i = 0; i <= 11; ++i )
      {
        if ( *(&v4 + i) != _data_start__[*((char *)&v16 + i) - 1] )
          return 0;
      }
      printf("You are correct!");
      return 0; // exit status is 0 on every path; only the printed message differs
    }

    着眼观察for循环就行。从for循环了解到下标i从0到11,程序逐字节把flag的ASCII值(减1)作为下标到_data_start__中取值,再与v4数组比较。很简单,只需要用v4数组的每个值在_data_start__中找到它的位置,就是我们flag对应字节的值

    脚本

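    # -*- coding:utf-8 -*-
    
    # Byte constants the binary's main() compares against (v4..v15 in the decompiled listing).
    v4 = [42, 70, 39, 34, 78, 44, 34, 40, 73, 63, 43, 64]
    
    # Lookup table recovered from the binary (_data_start__): the printable ASCII
    # range in descending order followed by a short tail.  Note the backslash
    # (0x5c) between ']' and '[': it is easily dropped when the script is pasted
    # into a web page, and without it every recovered flag byte is off by one and
    # the script no longer prints the flag shown below.
    model = r"}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-,+*)(" + chr(0x27) + r'&%$# !"'
    
    # main() accepts flag byte f at position i when v4[i] == _data_start__[f - 1],
    # so f is the 1-based position of v4[i] in the table, plus one more (the table
    # as reproduced here presumably starts one entry after the real _data_start__).
    pos = [model.find(chr(byte)) + 1 for byte in v4]
    s = [chr(x + 1) for x in pos]
    flag = ''.join(s)
    print('flag{' + flag + '}')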

    get flag!

    flag{U9X_1S_W6@T?}

  • 原文地址:https://www.cnblogs.com/Mayfly-nymph/p/12664201.html