• 安恒月赛4 逆向两题


    最后十分钟才刷新看到有第三题,已经来不及了,记一下前两题。

    这两题都是简单的异或,但是就是纯看反汇编函数有点迷,好在问题不大。

    第一题: 运行没有啥东西:

     程序也没加壳啥的,拖到ida就是一顿分析:

    int __cdecl main(int argc, const char **argv, const char **envp)
    {
      size_t i; // [esp+28h] [ebp-80h]
      char input; // [esp+30h] [ebp-78h]
      char v6[8]; // [esp+A0h] [ebp-8h]
    
      _alloca(0x10u);
      __main();
      std::operator<<<std::char_traits<char>>(&std::cout, "input your key: ");
      std::operator>><char,std::char_traits<char>>(&std::cin, &input);
      for ( i = 0; i < strlen(&input); ++i )
        v6[i - 112] = (v6[i - 112] ^ 6) + 1;
      if ( !strcmp(&input, "akhb~chdaZrdaZudqduvdZvvv|") )
        std::operator<<<std::char_traits<char>>(&std::cout, "yes!you are right");
      else
        std::operator<<<std::char_traits<char>>(&std::cout, "try again");
      system("PAUSE");
      return 0;
    }

    中间的for循环是对输入的字符串的操作,至于为什么不是input直接进行操作而是用v6,我猜测是因为内存数据存储有关。

    keygen:

    chr1='akhb~chdaZrdaZudqduvdZvvv|'
    flag=""
    for i in range(len(chr1)):
        flag += chr((ord(chr1[i])-1)^6)
    print(flag)

    flag{daef_wef_reverse_sss}

    第二题:运行貌似需要输入一个数,但是没啥反应,看一下代码:

     v54 = __readfsqword(0x28u);
      v16 = 38;
      v17 = 44;
      v18 = 33;
      v19 = 39;
      v20 = 59;
      v21 = 35;
      v22 = 34;
      v23 = 115;
      v24 = 117;
      v25 = 114;
      v26 = 113;
      v27 = 33;
      v28 = 36;
      v29 = 117;
      v30 = 118;
      v31 = 119;
      v32 = 35;
      v33 = 120;
      v34 = 38;
      v35 = 114;
      v36 = 117;
      v37 = 113;
      v38 = 38;
      v39 = 34;
      v40 = 113;
      v41 = 114;
      v42 = 117;
      v43 = 114;
      v44 = 36;
      v45 = 112;
      v46 = 115;
      v47 = 118;
      v48 = 121;
      v49 = 112;
      v50 = 35;
      v51 = 37;
      v52 = 121;
      v53 = 61;
      v3 = std::operator<<<std::char_traits<char>>(&std::cout, "Please input your magic number", a3);
      std::ostream::operator<<(v3, &std::endl<char,std::char_traits<char>>);
      std::istream::operator>>(&std::cin, &input);
      if ( input <= 9 )
        return 0xFFFFFFFFLL;
      v15 = operator new[](input);                  // 分配一个大小是input
      for ( i = 0; i < input; ++i )
        std::operator>><char,std::char_traits<char>>(&std::cin, i + v15);// v15=0一直加到input
      v6 = std::operator<<<std::char_traits<char>>(&std::cout, "You have input sth.", v5);
      std::ostream::operator<<(v6, &std::endl<char,std::char_traits<char>>);
      v8 = std::operator<<<std::char_traits<char>>(&std::cout, "I will mix them with the enc_flag!", v7);
      std::ostream::operator<<(v8, &std::endl<char,std::char_traits<char>>);
      for ( j = 0; j <= 37; ++j )
      {
        v10 = 0;
        for ( k = 0; k < input; ++k )
          v10 ^= *(k + v15);
        putchar(v10 ^ *(&v16 + j));
      }
      std::operator<<<std::char_traits<char>>(&std::cout, "
    Maybe you have found the `flag`
    ", v9);
      return 0LL;
    }

    关键比较就是那个for循环,对输入的值每一个进行 xor v10,但是每次v10都会重新赋值再进行异或,一开始我想直接计算出v15,但是没有必要,应该就是一个混淆的,猜测一下最后的

      v53 = 61; 对应的就是  }   ,异或的就是64,所以:
    chr2=[38, 44 ,33,39, 59 , 35 , 34, 115 , 117 , 114 , 113 , 33 , 36 , 117 , 118 , 119 , 35 , 120 , 38 , 114 , 117 , 113 , 38 , 34, 113, 114, 117, 114, 36, 112, 115, 118, 121, 112, 35, 37, 121, 61]
    
    flag2=""
    
    for i in range(38):
         flag2+=chr(chr2[i]^64)
    print(flag2)

    flag{cb3521ad567c8f251fb1252d03690ce9}

     

  • 相关阅读:
    icomet研究
    python使用ssdb的队列,用于替换canal+rabbitmq
    最近关于mysql的造型,binlog使用,以及阿里云上线数据处理错误导致被处罚的思考
    删除一个存在的RabbitMQ队列
    检查Rabbitmq中队列及消息个数,还有清空的方法
    Mysql在master上查看有哪些slave
    查看Linux端口的占用及连接情况
    Kettle根据时间戳同步数据实现
    kettle的下载、安装和初步使用(windows平台下)(图文详解)
    golang学习 ----获取URL
  • 原文地址:https://www.cnblogs.com/jentleTao/p/12775329.html
Copyright © 2020-2023  润新知