BUUCTF--[SWPU2019]REVERSEME

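Test file: https://wwa.lanzous.com/io59Hejom5e

Code analysis

IDA analysis

There are really only three steps:

  1. XOR encryption
  2. Encryption by the function sub_4025c0
  3. Comparison

The data compared against is: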

0xB3,0x37,0x0F,0xF8,0xBC,0xBC,0xAE,0x5D,0xBA,0x5A,0x4D,0x86,0x44,0x97,0x62,0xD3,0x4F,0xBA,0x24,0x16,0x0B,0x9F,0x72,0x1A,0x65,0x68,0x6D,0x26,0xBA,0x6B,0xC8,0x67

 

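OllyDbg analysis

Next, analyze the program in OllyDbg.

This code stores the XORed input on the stack. The stack data is bound to be read later, so we set a memory breakpoint on it.

Run the program.

In fact, this is also an XOR operation. Record the XOR values: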

0x86,0x0C,0x3E,0xCA,0x98,0xD7,0xAE,0x19,0xE2,0x77,0x6B,0xA6,0x6A,0xA1,0x77,0xB0,0x69,0x91,0x37,0x05,0x7A,0xF9,0x7B,0x30,0x43,0x5A,0x4B,0x10,0x86,0x7D,0xD4,0x28

At first I used x32dbg to set the memory breakpoint; out of many attempts it only worked once, and I don't know why.

Script

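flag = ''
# Repeating key used by the first XOR step
model1 = 'SWPU_2019_CTF'
# XOR values recorded in the debugger for the second step (sub_4025c0)
model2 = [0x86, 0x0C, 0x3E, 0xCA, 0x98, 0xD7, 0xAE, 0x19, 0xE2, 0x77, 0x6B, 0xA6, 0x6A, 0xA1, 0x77, 0xB0, 0x69, 0x91,
          0x37, 0x05, 0x7A, 0xF9, 0x7B, 0x30, 0x43, 0x5A, 0x4B, 0x10, 0x86, 0x7D, 0xD4, 0x28]
# Data the program compares the final result against
result = [0xB3, 0x37, 0x0F, 0xF8, 0xBC, 0xBC, 0xAE, 0x5D, 0xBA, 0x5A, 0x4D, 0x86, 0x44, 0x97, 0x62, 0xD3, 0x4F, 0xBA,
          0x24, 0x16, 0x0B, 0x9F, 0x72, 0x1A, 0x65, 0x68, 0x6D, 0x26, 0xBA, 0x6B, 0xC8, 0x67]

# Undo the second step: result ^ model2 is the input after the first XOR
l = [result[i] ^ model2[i] for i in range(len(result))]

print(l)

# Undo the first step: XOR each byte with the repeating key
for i in range(len(l)):
    flag += chr(ord(model1[i % len(model1)]) ^ l[i])
print(flag)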

 

get flag!

flag{Y0uaretheB3st!#@_VirtualCC}
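
An added example, not part of the original post: a model of the three steps that recovers the second-step XOR values from two known inputs and their outputs, rather than reading them byte by byte at a memory breakpoint, and then inverts both layers. KEY, KEYSTREAM and TARGET are the post's values; the function names are hypothetical, the model itself stands in for the binary, and treating sub_4025c0 as a fixed position-wise XOR is an assumption based on the observation above.

```python
# Added example. Values come from the post; names and the model are assumptions.
KEY = b"SWPU_2019_CTF"
KEYSTREAM = bytes.fromhex(
    "86 0C 3E CA 98 D7 AE 19 E2 77 6B A6 6A A1 77 B0"
    "69 91 37 05 7A F9 7B 30 43 5A 4B 10 86 7D D4 28")
TARGET = bytes.fromhex(
    "B3 37 0F F8 BC BC AE 5D BA 5A 4D 86 44 97 62 D3"
    "4F BA 24 16 0B 9F 72 1A 65 68 6D 26 BA 6B C8 67")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stage1(data: bytes) -> bytes:
    """Step 1: XOR with the repeating key."""
    return bytes(c ^ KEY[i % len(KEY)] for i, c in enumerate(data))


def stage2(data: bytes) -> bytes:
    """Step 2: sub_4025c0 modelled as a fixed keystream XOR (assumption)."""
    return xor(data, KEYSTREAM)


def transform(data: bytes) -> bytes:
    """What the program computes before the comparison (step 3)."""
    return stage2(stage1(data))


def recover_keystream(oracle, length: int) -> bytes:
    """Derive the step-2 keystream from two known inputs and their outputs.
    Raises if the two results disagree, i.e. step 2 is not a plain XOR."""
    probes = (b"A" * length, b"z" * length)
    streams = [xor(oracle(p), stage1(p)) for p in probes]
    if streams[0] != streams[1]:
        raise ValueError("output depends on the input: not a fixed XOR keystream")
    return streams[0]


def solve(target: bytes, keystream: bytes) -> bytes:
    """Invert step 2, then step 1 (XOR is its own inverse)."""
    return stage1(xor(target, keystream))


if __name__ == "__main__":
    ks = recover_keystream(transform, len(TARGET))
    flag = solve(TARGET, ks)
    print(flag.decode(), transform(flag) == TARGET)
```

The two-probe comparison is the useful part: if the recovered values differ between inputs, the routine is not a simple XOR and the recorded values cannot be reused for other inputs.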

 

posted @ 2020-07-12 17:44  Hk_Mayfly