crazy 百越杯2018

查看main函数:

int __cdecl main(int argc, const char **argv, const char **envp)

{

  __int64 v3; // rax

  __int64 v4; // rax

  __int64 v5; // rax

  __int64 v6; // rax

  __int64 v7; // rax

  __int64 v8; // rax

  __int64 v9; // rax

  __int64 v10; // rax

  __int64 v11; // rax

  __int64 v12; // rax

  __int64 v13; // rax

  __int64 v14; // rax

  __int64 v15; // rax

  __int64 v16; // rax

  char myinput_str; // [rsp+10h] [rbp-130h]

  char v19; // [rsp+30h] [rbp-110h]

  char v20; // [rsp+50h] [rbp-F0h]

  char v21; // [rsp+70h] [rbp-D0h]

  char myinput_copy; // [rsp+90h] [rbp-B0h]

  char temp; // [rsp+B0h] [rbp-90h]

  unsigned __int64 v24; // [rsp+128h] [rbp-18h]

  v24 = __readfsqword(0x28u);

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(

    (__int64)&myinput_str,

    (__int64)argv,

    (__int64)envp);

  std::operator>><char,std::char_traits<char>,std::allocator<char>>(&std::cin, &myinput_str);

  v3 = std::operator<<<std::char_traits<char>>(&std::cout, "-------------------------------------------");

  std::ostream::operator<<(v3, &std::endl<char,std::char_traits<char>>);

  v4 = std::operator<<<std::char_traits<char>>(&std::cout, "Quote from people's champ");

  std::ostream::operator<<(v4, &std::endl<char,std::char_traits<char>>);

  v5 = std::operator<<<std::char_traits<char>>(&std::cout, "-------------------------------------------");

  std::ostream::operator<<(v5, &std::endl<char,std::char_traits<char>>);

  v6 = std::operator<<<std::char_traits<char>>(

         &std::cout,

         "*My goal was never to be the loudest or the craziest. It was to be the most entertaining.");

  std::ostream::operator<<(v6, &std::endl<char,std::char_traits<char>>);

  v7 = std::operator<<<std::char_traits<char>>(&std::cout, "*Wrestling was like stand-up comedy for me.");

  std::ostream::operator<<(v7, &std::endl<char,std::char_traits<char>>);

  v8 = std::operator<<<std::char_traits<char>>(

         &std::cout,

         "*I like to use the hard times in the past to motivate me today.");

  std::ostream::operator<<(v8, &std::endl<char,std::char_traits<char>>);

  v9 = std::operator<<<std::char_traits<char>>(&std::cout, "-------------------------------------------");

  std::ostream::operator<<(v9, &std::endl<char,std::char_traits<char>>);

  HighTemplar::HighTemplar((DarkTemplar *)&temp, &myinput_str);// 327a6c4304ad5938eaf0efb6cc3e53dc

  v10 = std::operator<<<std::char_traits<char>>(&std::cout, "Checking....");

  std::ostream::operator<<(v10, &std::endl<char,std::char_traits<char>>);

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(&v19, &myinput_str);

  func1((__int64)&v20, (__int64)&v19);

  func2((__int64)&v21, (__int64)&v20);

  func3((__int64)&v21, 0);

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v21);

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v20);

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v19);

  HighTemplar::calculate((HighTemplar *)&temp);//加密处

  if ( (unsigned int)HighTemplar::getSerial((HighTemplar *)&temp) == 0 )//验证处

  {

    v11 = std::operator<<<std::char_traits<char>>(&std::cout, "/////////////////////////////////");

    std::ostream::operator<<(v11, &std::endl<char,std::char_traits<char>>);

    v12 = std::operator<<<std::char_traits<char>>(&std::cout, "Do not be angry. Happy Hacking :)");

    std::ostream::operator<<(v12, &std::endl<char,std::char_traits<char>>);

    v13 = std::operator<<<std::char_traits<char>>(&std::cout, "/////////////////////////////////");

    std::ostream::operator<<(v13, &std::endl<char,std::char_traits<char>>);

    ZN11HighTemplar7getFlagB5cxx11Ev((__int64)&myinput_copy, (__int64)&temp);// 取输入

    v14 = std::operator<<<std::char_traits<char>>(&std::cout, "flag{");

    v15 = std::operator<<<char,std::char_traits<char>,std::allocator<char>>(v14, &myinput_copy);

    v16 = std::operator<<<std::char_traits<char>>(v15, "}");

    std::ostream::operator<<(v16, &std::endl<char,std::char_traits<char>>);

    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&myinput_copy);

  }

  HighTemplar::~HighTemplar((HighTemplar *)&temp);

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&myinput_str);

  return 0;

}

三个关键函数HighTemplar::HighTemplar((DarkTemplar *)&temp, &myinput_str);    HighTemplar::getSerial((HighTemplar *)&temp)   和  HighTemplar::calculate((HighTemplar *)&temp);

HighTemplar::HighTemplar((DarkTemplar *)&temp, &myinput_str),进行字符串转储。

unsigned __int64 __fastcall HighTemplar::HighTemplar(DarkTemplar *temp, char *myinput_str)

{

  char v3; // [rsp+17h] [rbp-19h]

  unsigned __int64 v4; // [rsp+18h] [rbp-18h]

  v4 = __readfsqword(0x28u);

  DarkTemplar::DarkTemplar(temp);

  *(_QWORD *)temp = &off_401EA0;

  *((_DWORD *)temp + 3) = 0;

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(

    (char *)temp + 16,

    myinput_str);                               // temp + 16 -->存储输入

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(

    (char *)temp + 48,

    myinput_str);                               // temp + 48 -->存储输入

  std::allocator<char>::allocator(&v3, myinput_str);

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(

    (__int64)temp + 80,                         // temp + 80 -->存储327a6c4304ad5938eaf0efb6cc3e53dc

    (__int64)"327a6c4304ad5938eaf0efb6cc3e53dc",

    (__int64)&v3);

  std::allocator<char>::~allocator(&v3);

  return __readfsqword(0x28u) ^ v4;

}

HighTemplar::calculate((HighTemplar *)&temp);进行加密操作

bool __fastcall HighTemplar::calculate(HighTemplar *this)

{

  __int64 v1; // rax

  _BYTE *v2; // rbx

  bool result; // al

  _BYTE *v4; // rbx

  int i; // [rsp+18h] [rbp-18h]

  int j; // [rsp+1Ch] [rbp-14h]

  if ( std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16) != 32 )// 输入长32

  {

    v1 = std::operator<<<std::char_traits<char>>(&std::cout, "Too short or too long");

    std::ostream::operator<<(v1, &std::endl<char,std::char_traits<char>>);

    exit(-1);

  }

  for ( i = 0;

        i <= (unsigned __int64)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16);

        ++i )

  {

    v2 = (_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](

                    (char *)this + 16,

                    i);

    *v2 = (*(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](

                       (char *)this + 16,

                       i) ^ 0x50)               // (每个字符^0x50)+23

        + 23;

  }

  for ( j = 0; ; ++j )

  {

    result = j <= (unsigned __int64)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16);

    if ( !result )

      break;

    v4 = (_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](

                    (char *)this + 16,

                    j);

    *v4 = (*(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](

                       (char *)this + 16,

                       j) ^ 0x13)               // (每个字符^0x13)+11

        + 11;

  }

  return result;

}

HighTemplar::getSerial((HighTemplar *)&temp)进行验证操作

__int64 __fastcall HighTemplar::getSerial(HighTemplar *this)

{

  __int64 v1; // rbx

  __int64 v2; // rax

  __int64 v3; // rax

  __int64 v4; // rax

  __int64 v5; // rax

  unsigned int i; // [rsp+1Ch] [rbp-14h]

  for ( i = 0;

        (signed int)i < (unsigned __int64)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16);

        ++i )

  {

    v1 = *(unsigned __int8 *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](

                               (char *)this + 80,// HighTemplar::HighTemplar((DarkTemplar *)&temp, &myinput_str)之前赋值,327a6c4304ad5938eaf0efb6cc3e53dc

                               (signed int)i);

    if ( (_BYTE)v1 != *(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](

                                  (char *)this + 16,// 取输入

                                  (signed int)i) )

    {

      v4 = std::operator<<<std::char_traits<char>>(&std::cout, "You did not pass ");

      v5 = std::ostream::operator<<(v4, i);

      std::ostream::operator<<(v5, &std::endl<char,std::char_traits<char>>);

      *((_DWORD *)this + 3) = 1;

      return *((unsigned int *)this + 3);

    }

    v2 = std::operator<<<std::char_traits<char>>(&std::cout, "Pass ");

    v3 = std::ostream::operator<<(v2, i);

    std::ostream::operator<<(v3, &std::endl<char,std::char_traits<char>>);

  }

  return *((unsigned int *)this + 3);

}

简单的异或与加法的操作

wp:

temp='327a6c4304ad5938eaf0efb6cc3e53dc'

flag=''

for i in range(len(temp)):

    n=ord(temp[i])

    flag+=chr((((n-11)^0x13)-23)^0x50)

print('flag{'+flag+'}')

flag{tMx~qdstOs~crvtwb~aOba}qddtbrtcd}

攻防世界 reverse crazy的更多相关文章

  1. 攻防世界 reverse 进阶 10 Reverse Box

    攻防世界中此题信息未给全,题目来源为[TWCTF-2016:Reverse] Reverse Box 网上有很多wp是使用gdb脚本,这里找到一个本地还原关键算法,然后再爆破的 https://www ...

  2. 攻防世界 reverse evil

    这是2017 ddctf的一道逆向题, 挑战:<恶意软件分析> 赛题背景: 员工小A收到了一封邮件,带一个文档附件,小A随手打开了附件.随后IT部门发现小A的电脑发出了异常网络访问请求,进 ...

  3. 攻防世界 reverse tt3441810

    tt3441810 tinyctf-2014 附件给了一堆数据,将十六进制数据部分提取出来, flag应该隐藏在里面,(这算啥子re,) 保留可显示字符,然后去除填充字符(找规律 0.0) 处理脚本: ...

  4. 攻防世界 reverse 进阶 APK-逆向2

    APK-逆向2 Hack-you-2014 (看名以为是安卓逆向呢0.0,搞错了吧) 程序是.net写的,直接祭出神器dnSpy 1 using System; 2 using System.Diag ...

  5. 攻防世界 reverse Windows_Reverse2

    Windows_Reverse2   2019_DDCTF 查壳: 寻找oep-->dump-->iat修复   便可成功脱壳 int __cdecl main(int argc, con ...

  6. 攻防世界 reverse BabyXor

    BabyXor     2019_UNCTF 查壳 脱壳 dump 脱壳后 IDA静态分析 int main_0() { void *v0; // eax int v1; // ST5C_4 char ...

  7. 攻防世界 reverse parallel-comparator-200

    parallel-comparator-200 school-ctf-winter-2015 https://github.com/ctfs/write-ups-2015/tree/master/sc ...

  8. 攻防世界 reverse 进阶 8-The_Maya_Society Hack.lu-2017

    8.The_Maya_Society Hack.lu-2017 在linux下将时间调整为2012-12-21,运行即可得到flag. 下面进行分析 1 signed __int64 __fastca ...

  9. 攻防世界 reverse easy_Maze

    easy_Maze 从题目可得知是简单的迷宫问题 int __cdecl main(int argc, const char **argv, const char **envp) { __int64 ...

随机推荐

  1. range()函数的使用、while循环、for-in循环等

    一.range()函数 用于直接生成一个整数序列 创建range对象的三种方式: (1)range(stop)    创建一个(0,stop)之间的整数序列,步长为1 (2)range(start,s ...

  2. Flutter Widgets

    Flutter Widgets Flutter 组件 Syncfusion Flutter Widgets 所有组件均支持即装即用的 Android,iOS和 Web not free https:/ ...

  3. 海 鱼立 鲷 & 海䲞鲷

    海 鱼立 鲷 & 海䲞鲷 䲞 lì 鲷 diāo 二长棘鲷 二长棘鲷(学名:Parargyrops edita)为辐鳍鱼纲鲈形目鲷科二长棘鲷属的鱼类,俗名板鱼.䲞鱼.盘仔鱼.立花.赤鬃.长鳍. ...

  4. 十三香 & 香料

    十三香 & 香料 十三香原料组成不完全一致, 但有一些香料却是大家都会采用的: 草蔻.砂仁.肉豆蔻.肉桂.丁香. 花椒.大料.小茴香.木香.白芷. 山萘.良姜和姜 王守义十三香 http:// ...

  5. SVG image tag

    SVG image tag https://developer.mozilla.org/en-US/docs/Web/SVG/Tutorial/SVG_Image_Tag <?xml versi ...

  6. HTML5 Learning Paths

    HTML5 Learning Paths HTML5 Expert refs https://developer.mozilla.org/en-US/docs/Web/HTML xgqfrms 201 ...

  7. taro weapp

    taro weapp 开发指南 https://nervjs.github.io/taro/docs/GETTING-STARTED.html#微信小程序 taro # build $ taro bu ...

  8. SpringBoot 项目初始化

    工作之余,想要学习一下SpringBoot,通过网络大量教程最终成功运行SpringBoot项目.  第一步 首先,通过教程发现一套完整的快速搭建SpringBoot项目网站:https://star ...

  9. 手把手教你Spring Boot整合Mybatis Plus 代码生成器

    一.在pom.xml中添加所需依赖 <!-- MyBatis-Plus代码生成器--> <dependency> <groupId>com.baomidou< ...

  10. 第41天学习打卡(死锁 Lock synchronized与Lock的对比 线程协作 使用线程池)

    死锁 多个线程各自占有一些共享资源,并且互相等待其他线程占有的资源才能运行,而导致两个或者多个线程都在等待对方释放资源,都停止执行的情形.某一个同步块同时拥有"两个以上对象的锁"时 ...