Buuctf - findKey

首先是去除花指令(junk code),让程序可以被 IDA 正常反编译;去掉后得到下面这个窗口过程

/*
 * Main window procedure of the findKey crackme, as emitted by the
 * decompiler once the junk instructions were stripped.
 *
 * The key check lives in the Msg == 517 branch (0x205, WM_RBUTTONUP):
 *   1. the global String1 (user input, filled elsewhere -- presumably by
 *      DialogFunc, which is not shown) must be 1..6 characters; longer
 *      input terminates the process before any comparison;
 *   2. a copy of the raw input is saved in v17, then md5_encode()
 *      overwrites String1 in place with the digest of itself;
 *   3. the 32-character constant in Str is XORed with the key "SS";
 *   4. _strcmpi() compares the two case-insensitively; on mismatch the
 *      program shows "Are you kidding me?" and exits;
 *   5. on match, 0x32 bytes from unk_423030 are XORed with the raw
 *      input (v17) and displayed -- that is the flag.
 * So the input must satisfy md5(input) == xor(Str, "SS"), and the flag
 * is xor(unk_423030, input).
 *
 * The Msg == 520 branch (0x208, WM_MBUTTONUP) and the dword_428D54
 * counter (bumped on every 517/520 message) only produce a decoy
 * title/message once the counter reaches 16.
 *
 * md5_encode() and xor() are not shown; "hex digest written to the
 * output buffer" and "repeating-key XOR" are inferred from how their
 * results are used here -- confirm against their bodies.
 */
LRESULT __stdcall sub_401640(HWND hWndParent, UINT Msg, WPARAM wParam, LPARAM lParam)
{
  int v5; // eax
  size_t Str_len; // eax
  DWORD Str_len1; // eax
  int Str_len2; // eax
  int str2_len; // eax
  CHAR str2[256]; // [esp+54h] [ebp-3F8h] BYREF
  char v11[7]; // [esp+154h] [ebp-2F8h] BYREF
  __int16 v12; // [esp+15Bh] [ebp-2F1h]
  char v13; // [esp+15Dh] [ebp-2EFh]
  char Str[253]; // [esp+160h] [ebp-2ECh] BYREF
  __int16 v15; // [esp+25Dh] [ebp-1EFh]
  char v16; // [esp+25Fh] [ebp-1EDh]
  CHAR v17[256]; // [esp+260h] [ebp-1ECh] BYREF
  CHAR String[4]; // [esp+360h] [ebp-ECh] BYREF
  int v19; // [esp+364h] [ebp-E8h]
  __int16 v20; // [esp+368h] [ebp-E4h]
  CHAR Text[32]; // [esp+36Ch] [ebp-E0h] BYREF
  struct tagRECT Rect; // [esp+38Ch] [ebp-C0h] BYREF
  CHAR Buffer[100]; // [esp+39Ch] [ebp-B0h] BYREF
  HDC hdc; // [esp+400h] [ebp-4Ch]
  struct tagPAINTSTRUCT Paint; // [esp+404h] [ebp-48h] BYREF
  int v26; // [esp+444h] [ebp-8h]
  int v27; // [esp+448h] [ebp-4h]

  /* String resource 0x6A is reloaded on every message; it is only
   * used as the painted text and as a message-box caption. */
  LoadStringA(hInstance, 0x6Au, Buffer, 100);
  if ( Msg > 273 )
  {
    if ( Msg == 517 )
    {
      /* Hard length cap: anything longer than 6 characters never reaches
       * the comparison, so the key search space is at most 6 characters. */
      if ( strlen((const char *)String1) > 6 )
        ExitProcess(0);
      /* Empty input skips the check entirely and only bumps the counter. */
      if ( strlen((const char *)String1) )
      {
        /* Keep the raw input: md5_encode() below clobbers String1. */
        memset(v17, 0, sizeof(v17));
        Str_len = strlen((const char *)String1);
        memcpy(v17, String1, Str_len);
        Str_len1 = strlen((const char *)String1);
        /* In-place: source and destination are the same buffer. Presumably
         * a 32-char hex digest, matching the length of Str below; the size
         * of String1 is not visible here, so whether it can hold 33 bytes
         * cannot be confirmed from this listing. */
        md5_encode(String1, Str_len1, (LPSTR)String1);
        /* 32-char constant plus NUL; the remaining 220 bytes of Str are
         * zeroed explicitly (33 + 220 == sizeof Str). */
        strcpy(Str, "0kk`d1a`55k222k2a776jbfgd`06cjjb");
        memset(&Str[33], 0, 220u);
        v15 = 0;
        v16 = 0;
        /* XOR key "SS", zero-padded; v12/v13 are the adjacent bytes the
         * compiler also cleared. */
        strcpy(v11, "SS");
        *(_DWORD *)&v11[3] = 0;
        v12 = 0;
        v13 = 0;
        Str_len2 = strlen(Str);
        /* xor(key, buffer, length): presumably repeating-key XOR of Str
         * with "SS" -- xor() is not shown. */
        xor(v11, (int)Str, Str_len2);
        /* Case-insensitive compare of md5(input) against the decoded
         * constant; mismatch is fatal. */
        if ( _strcmpi((const char *)String1, Str) )
        {
          SetWindowTextA(hWndParent, "flag{}");
          MessageBoxA(hWndParent, "Are you kidding me?", "^_^", 0);
          ExitProcess(0);
        }
        /* str2 is never zeroed, so the 0x32 bytes copied must contain a
         * NUL or the strlen() below runs into uninitialized stack. */
        memcpy(str2, &unk_423030, 0x32u);
        str2_len = strlen(str2);
        /* flag = unk_423030 XOR raw input (v17), then shown to the user. */
        xor(v17, (int)str2, str2_len);
        MessageBoxA(hWndParent, str2, 0, 50u);
      }
      /* Click counter shared with the 520 branch. */
      ++dword_428D54;
    }
    else
    {
      if ( Msg != 520 )
        return DefWindowProcA(hWndParent, Msg, wParam, lParam);
      /* Decoy: after 16 counted clicks show "ctf" in the title and a
       * taunt; nothing here touches the key check. */
      if ( dword_428D54 == 16 )
      {
        strcpy(String, "ctf");
        v19 = 0;
        v20 = 0;
        SetWindowTextA(hWndParent, String);
        strcpy(Text, "Are you kidding me?");
        MessageBoxA(hWndParent, Text, Buffer, 0);
      }
      ++dword_428D54;
    }
  }
  else
  {
    switch ( Msg )
    {
      case 0x111u: /* WM_COMMAND */
        v27 = (unsigned __int16)wParam;
        v26 = HIWORD(wParam);
        /* Menu/control id 104 opens dialog resource 0x67 (DialogFunc,
         * not shown -- presumably where String1 is filled); 105 closes
         * the window. */
        if ( (unsigned __int16)wParam == 104 )
        {
          DialogBoxParamA(hInstance, (LPCSTR)0x67, hWndParent, (DLGPROC)DialogFunc, 0);
        }
        else
        {
          if ( (unsigned __int16)wParam != 105 )
            return DefWindowProcA(hWndParent, Msg, wParam, lParam);
          DestroyWindow(hWndParent);
        }
        break;
      case 2u: /* WM_DESTROY */
        PostQuitMessage(0);
        break;
      case 0xFu: /* WM_PAINT: draw the loaded string resource */
        hdc = BeginPaint(hWndParent, &Paint);
        GetClientRect(hWndParent, &Rect);
        v5 = strlen(Buffer);
        DrawTextA(hdc, Buffer, v5, &Rect, 1u);
        EndPaint(hWndParent, &Paint);
        break;
      default:
        return DefWindowProcA(hWndParent, Msg, wParam, lParam);
    }
  }
  return 0;
}

String1(用户输入)经 md5_encode 在原地被替换为自身的 MD5 十六进制摘要
Str(常量 "0kk`d1a`55k222k2a776jbfgd`06cjjb")经 xor 与密钥 "SS" 异或
两者之后用 _strcmpi 比较;注意调用 md5_encode 之前,原始输入已先被复制到 v17

其中

_strcmpi((const char *)String1, Str)

_strcmpi 在相等时返回 0,大于返回正数,小于返回负数;比较时忽略大小写
要跳过这个 if(即让 md5(输入) 等于异或解码后的 Str),而输入长度不能超过 6 个字符
继续执行下面的代码

将 md5 之前保存的原始输入 v17 作为密钥,与 str2(unk_423030 处拷贝出的 0x32 字节)异或
最后的MessageBoxA显示str2,说明最后的flag很可能是str2

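import hashlib

# tqdm only draws a progress bar; make it optional so the solver still runs
# (and can be imported for testing) on a machine without it installed.
try:
    from tqdm import tqdm
except ImportError:
    def tqdm(iterable, *_args, **_kwargs):
        """No-op stand-in for tqdm.tqdm: iterate without a progress bar."""
        return iterable

    tqdm.write = print

# Constant the binary copies into Str before calling xor(v11, Str, len).
MD5_XOR_CIPHERTEXT = "0kk`d1a`55k222k2a776jbfgd`06cjjb"
# Contents of v11, the key passed to xor() for that call.
MD5_XOR_KEY = "SS"
# The binary calls ExitProcess when strlen(String1) > 6, so no key longer
# than this can ever reach the comparison.
MAX_KEY_LEN = 6
# Bytes at unk_423030 as read from the binary (up to the first NUL, which is
# where strlen(str2) stops); XORed with the raw input to produce the flag.
FLAG_CIPHERTEXT = [0x57, 0x5E, 0x52, 0x54, 0x49, 0x5F, 0x01, 0x6D, 0x69, 0x46,
                   0x02, 0x6E, 0x5F, 0x02, 0x6C, 0x57, 0x5B, 0x54, 0x4C]


def xor_with_key(data, key):
    """Repeating-key XOR, replaying the binary's xor(key, buffer, length).

    data: str, bytes, or an iterable of byte values (ints 0..255).
    key:  str or bytes; cycled over data, so it must be non-empty.
    Returns the result as a str (each output byte mapped through chr()),
    which is how the binary displays it in its message box.
    Raises ValueError on an empty key (the original would loop on i % 0).
    """
    data_bytes = data.encode() if isinstance(data, str) else bytes(data)
    key_bytes = key.encode() if isinstance(key, str) else bytes(key)
    if not key_bytes:
        raise ValueError("key must not be empty")
    return "".join(
        chr(byte ^ key_bytes[i % len(key_bytes)])
        for i, byte in enumerate(data_bytes)
    )


def decode_md5_target(ciphertext=MD5_XOR_CIPHERTEXT, key=MD5_XOR_KEY):
    """Undo xor(v11, Str, len): recover the MD5 hex digest the input must match."""
    return xor_with_key(ciphertext, key)


def brute_force_key(target, lo=10000, hi=10 ** MAX_KEY_LEN, progress=None):
    """Find a decimal string i (lo <= i < hi) with md5(str(i)) == target.

    Assumes the key is purely numeric, as the original solver did; the
    binary itself only requires 1..6 arbitrary characters, so a miss means
    the search space should be widened (letters, leading zeros), not that
    the analysis is wrong.  hi defaults to 10**6 because anything longer
    than 6 characters is rejected by the binary before the comparison.
    progress: optional callable wrapping the candidate iterable (e.g. tqdm);
    None means use tqdm (or the no-op fallback when tqdm is unavailable).
    Returns the matching candidate as a str, or None if nothing matched.
    """
    wrap = tqdm if progress is None else progress
    # _strcmpi in the binary compares case-insensitively; hexdigest() is
    # lower-case, so normalise the target the same way.
    target = target.lower()
    for candidate in wrap(range(lo, hi)):
        text = str(candidate)
        # NOTE: on FIPS-mode hosts hashlib.md5 may raise; on Python >= 3.9
        # pass usedforsecurity=False there.
        if hashlib.md5(text.encode()).hexdigest() == target:
            return text
    return None


def decode_flag(key, ciphertext=FLAG_CIPHERTEXT):
    """Replay xor(v17, str2, len): XOR the flag bytes with the raw input."""
    return xor_with_key(ciphertext, key)


def main():
    """Recover the expected digest, brute-force the key, then print the flag."""
    target = decode_md5_target()
    print(target)
    key = brute_force_key(target)
    if key is None:
        raise SystemExit("no numeric key of at most %d digits matches %s"
                         % (MAX_KEY_LEN, target))
    tqdm.write(key)
    print(decode_flag(key))


if __name__ == "__main__":
    main()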

最后输出flag
