程序流程很清晰:读入一个字符串,base64 解码,逐字节异或 0x25,再与目标字符串 strcmp。顺带一提,`scanf("%s", &sc)` 向 100 字节的栈缓冲区读入时没有任何长度限制,是一个典型的栈溢出点(与解题本身无关,但做题时值得留意)。

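int __cdecl main(int argc, const char **argv, const char **envp)
{
    /*
     * Cleaned-up form of the decompiled entry point.  Flow: read one token,
     * base64-decode it (sub_401000), XOR every decoded byte with 0x25 and
     * strcmp() the result against the target string.
     *
     * Fixes relative to the raw listing:
     *  - the two 100-byte stack buffers (shown by IDA as `char sc; char str`
     *    and `char s_; char v14`, each 1 + 0x63 zeroed bytes) are arrays;
     *  - scanf("%s") had no field width, so any token longer than 99 bytes
     *    overwrote the stack (classic stack-based buffer overflow);
     *  - de_s_len was passed to the decoder uninitialised although the
     *    decoder reads *a1 as the output capacity before writing, so its
     *    bounds check compared against garbage; it now carries the real
     *    capacity, and the return code is checked before the decoded length
     *    is trusted.
     *
     * The compiler's SSE2 fast path (_mm_xor_si128 with xmmword_414F20 over
     * 16-byte chunks, then a scalar tail XOR 0x25) is collapsed into one
     * scalar loop: the write-up's solver XORs all 32 target bytes with 0x25
     * and obtains the accepted flag, so the vector constant is taken to be
     * sixteen 0x25 bytes (confirm against the binary if reusing this).
     */
    enum { BUF_LEN = 0x64 };             /* 100 bytes, as in the listing */
    char sc[BUF_LEN] = { 0 };            /* raw base64 text typed by the user */
    char s_[BUF_LEN] = { 0 };            /* decoded, then XOR-ed, candidate */
    unsigned int de_s_len = BUF_LEN - 1; /* in: capacity (room for a NUL); out: decoded length */
    int ok = 0;

    (void)argc;
    (void)argv;
    (void)envp;

    printf("please input your flah:");
    /* Width 99 == BUF_LEN - 1 leaves space for the terminator. */
    if (scanf("%99s", sc) != 1)
        sc[0] = '\0';                    /* EOF / no token: treat as empty input */

    /* sub_401000 returns 0 on success and stores the decoded length in
     * de_s_len; non-zero means invalid base64 (-44) or output too small (-42).
     * On an empty input it returns 0 WITHOUT touching de_s_len, hence the
     * explicit empty check before trusting the length. */
    if (sc[0] != '\0'
        && sub_401000(&de_s_len, s_, (unsigned char *)sc, (unsigned int)strlen(sc)) == 0
        && de_s_len < BUF_LEN) {
        for (unsigned int i = 0; i < de_s_len; ++i)
            s_[i] ^= 0x25u;              /* per-byte XOR with the key 0x25 */
        s_[de_s_len] = '\0';             /* decoded bytes are not NUL-terminated by the decoder */
        ok = (strcmp(s_, "you_know_how_to_remove_junk_code") == 0);
    }

    if (ok)
        printf("correct\n");
    else
        printf("wrong\n");
    system("pause");                     /* Windows-only pause, kept from the original */
    return 0;
}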

关键比较

strcmp(&s_, "you_know_how_to_remove_junk_code")向上跟踪,发现sub_401000(&de_s_len, &s_, (unsigned __int8 *)&sc, strlen(&sc));

进入函数分析可以发现是 base64 解码:跳过空格、接受 CRLF/LF、最多两个 '='、错误码 0xFFFFFFD4(-44)与 -42 等处理方式,与 mbedtls 的 mbedtls_base64_decode 结构一致,推测是静态链接进来的实现(可对照二进制确认)。

  /*
   * Base64 decoder (IDA pseudocode, gutter numbers kept).
   *
   * a1   : in/out -- on entry the capacity of a2 (read before any write),
   *        on success the number of bytes written, on -42 the size needed.
   * a2   : output buffer (may be NULL to only query the size).
   * sc   : base64 text (may contain spaces and CR/LF line breaks).
   * size : length of sc in bytes.
   *
   * Returns 0 on success, 0xFFFFFFD4 (-44) for an invalid character and
   * -42 when a2 is NULL or too small.  The two-pass structure, the
   * whitespace/padding rules and these error values match
   * mbedtls_base64_decode (MBEDTLS_ERR_BASE64_INVALID_CHARACTER /
   * _BUFFER_TOO_SMALL), so this is probably a statically linked copy --
   * NOTE(review): identification by structure only, confirm on the binary.
   *
   * Caveat for callers: the early "return 0" paths (size == 0, or only
   * whitespace) leave *a1 untouched, and the capacity check trusts whatever
   * *a1 holds on entry; main() passes de_s_len uninitialised.
   */
  1 signed int __usercall sub_401000@<eax>(unsigned int *a1@<edx>, _BYTE *a2@<ecx>, unsigned __int8 *sc, unsigned int size)
2 {
3 int j; // ebx -- number of '=' padding characters seen (at most 2)
4 unsigned int k; // eax -- index into sc
5 int v6; // ecx -- count of payload (non-whitespace) characters at loop exit
6 unsigned __int8 *v7; // edi -- read cursor for the second pass
7 int v8; // edx -- spaces skipped since the previous character
8 bool v9; // zf -- k == size
9 unsigned __int8 v10; // cl -- current input byte (first pass)
10 char v11; // cl -- decode-table value of v10
11 _BYTE *v12; // esi -- output write cursor
12 unsigned int v13; // ecx -- required output length
13 int v14; // ebx -- 24-bit accumulator for up to four 6-bit groups
14 unsigned __int8 v15; // cl -- current input byte (second pass)
15 char v16; // dl -- decode-table value of v15
16 _BYTE *v18; // [esp+Ch] [ebp-Ch] -- saved a2 (start of output)
17 unsigned int *v19; // [esp+10h] [ebp-8h] -- saved a1
18 int v20; // [esp+14h] [ebp-4h] -- running payload count (first pass)
19 unsigned int v21; // [esp+14h] [ebp-4h] -- bytes to emit per quad, 3 minus pads (second pass, same slot)
20 int sizea; // [esp+24h] [ebp+Ch] -- symbols accumulated in the current quad (0..3), reuses size's slot
21
22 j = 0;
23 v18 = a2;
24 k = 0;
25 v6 = 0;
26 v19 = a1;
27 v20 = 0;
28 if ( !size )
29 return 0; // empty input: success, but *a1 is left untouched
30 v7 = sc;
31 do // first pass: validate and count payload characters
32 {
33 v8 = 0;
34 v9 = k == size;
35 if ( k < size )
36 {
37 do
38 {
39 if ( sc[k] != ' ' )
40 break;
41 ++k; // skip spaces, remembering how many were skipped
42 ++v8;
43 }
44 while ( k < size );
45 v9 = k == size;
46 }
47 if ( v9 )
48 break; // trailing spaces only: stop here
49 if ( size - k >= 2 && sc[k] == '\r' && sc[k + 1] == '\n' || (v10 = sc[k], v10 == '\n') ) // CRLF or LF line break
50 {
51 v6 = v20; // line breaks add no payload
52 }
53 else
54 {
55 if ( v8 )
56 return 0xFFFFFFD4; // a space inside the data is invalid (-44)
57 if ( v10 == '=' && (unsigned int)++j > 2 )
58 return 0xFFFFFFD4; // more than two '=' pads
59 if ( v10 > 0x7Fu )
60 return 0xFFFFFFD4; // non-ASCII byte
61 v11 = byte_414E40[v10]; // decode table (not shown): 0x7F appears to mark invalid bytes, '@' (64) the '=' pad
62 if ( v11 == 0x7F || (unsigned __int8)v11 < '@' && j )
63 return 0xFFFFFFD4; // invalid symbol, or a data symbol after padding started
64 v6 = v20++ + 1; // count one payload character
65 }
66 ++k;
67 }
68 while ( k < size );
69 if ( !v6 )
70 return 0; // whitespace only: success, *a1 untouched (same caveat as size == 0)
71 v12 = v18;
72 v13 = ((unsigned int)(6 * v6 + 7) >> 3) - j; // 6 bits per symbol, rounded up to bytes, minus the pads
73 if ( v18 && *v19 >= v13 ) // *v19 is the caller-supplied capacity -- garbage if the caller did not set it
74 {
75 v21 = 3; // a full quad yields three bytes
76 v14 = 0;
77 for ( sizea = 0; k; --k ) // second pass over the k bytes validated above
78 {
79 v15 = *v7;
80 if ( *v7 != '\r' && v15 != '\n' && v15 != ' ' ) // skip the whitespace accepted in pass one
81 {
82 v16 = byte_414E40[v15]; // table lookup; the 6-bit value is in the low bits
83 v21 -= v16 == '@'; // each pad symbol drops one output byte
84 v14 = v16 & 0x3F | (v14 << 6); // shift the next 6 bits into the accumulator
85 if ( ++sizea == 4 ) // four symbols -> emit up to three bytes, high byte first
86 {
87 sizea = 0;
88 if ( v21 )
89 *v12++ = BYTE2(v14);
90 if ( v21 > 1 )
91 *v12++ = BYTE1(v14);
92 if ( v21 > 2 )
93 *v12++ = v14;
94 }
95 }
96 ++v7;
97 }
98 *v19 = v12 - v18; // bytes actually written
99 return 0;
100 }
101 *v19 = v13; // report the size that would be needed
102 return -42; // output buffer NULL or too small
103 }

识别base64解码函数是这题主要的考点,之后的操作就很简单

流程:

base64 解码(sub_401000)-->逐字节异或 0x25-->strcmp(&s_, "you_know_how_to_remove_junk_code")

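import base64

# Values lifted from main(): the strcmp() target and the per-byte XOR key.
TARGET = 'you_know_how_to_remove_junk_code'
KEY = 0x25


def make_flag(target: str = TARGET, key: int = KEY) -> str:
    """Invert the check in main().

    The binary base64-decodes the input, XORs every decoded byte with 0x25
    and strcmp()s the result against TARGET, so the accepted input is
    base64(TARGET XOR 0x25).

    Works on bytes rather than str so the XOR never goes through a UTF-8
    encode (which would split values >= 0x80 into two bytes).
    Returns the base64 text as a plain str, matching what the binary reads.
    """
    xored = bytes(ord(c) ^ key for c in target)
    return base64.b64encode(xored).decode('ascii')


if __name__ == '__main__':
    print(make_flag())  # XEpQek5LSlJ6TUpSelFKeldASEpTQHpPUEtOekZKQUA=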
XEpQek5LSlJ6TUpSelFKeldASEpTQHpPUEtOekZKQUA=
												
