hitconctf2022 Meow Way
int __cdecl main(int argc, const char **argv, const char **envp) { char v4; // [esp+0h] [ebp-24h] int v5; // [esp+0h] [ebp-24h] int flag; // [esp+14h] [ebp-10h] _DWORD v7[2]; // [esp+18h] [ebp-Ch] BYREF v7[0] = -1; v7[1] = -1; if ( argc < 2 ) { sub_921340("Usage: %s <flag>\n", (char)*argv); exit(1); } if ( strlen(argv[1]) != 48 ) { sub_921340("Wrong length\n", v4); exit(1); } flag = (int)argv[1]; off_92544C(flag, flag >> 31, flag, flag >> 31, 196, 0, v7, (int)v7 >> 31); ++flag; off_9253A8(flag, flag >> 31, flag, flag >> 31, 22, 0, v7, (int)v7 >> 31); ++flag; off_9253B4(flag, flag >> 31, flag, flag >> 31, 142, 0, v7, (int)v7 >> 31); ++flag; off_9253F0(flag, flag >> 31, flag, flag >> 31, 119, 0, v7, (int)v7 >> 31); ++flag; off_925448(flag, flag >> 31, flag, flag >> 31, 5, 0, v7, (int)v7 >> 31); ++flag; off_9253FC(flag, flag >> 31, flag, flag >> 31, 185, 0, v7, (int)v7 >> 31); ++flag; off_925400(flag, flag >> 31, flag, flag >> 31, 13, 0, v7, (int)v7 >> 31); ++flag; off_925410(flag, flag >> 31, flag, flag >> 31, 107, 0, v7, (int)v7 >> 31); ++flag; off_9253F8(flag, flag >> 31, flag, flag >> 31, 36, 0, v7, (int)v7 >> 31); ++flag; off_925430(flag, flag >> 31, flag, flag >> 31, 85, 0, v7, (int)v7 >> 31); ++flag; off_9253D0(flag, flag >> 31, flag, flag >> 31, 18, 0, v7, (int)v7 >> 31); ++flag; off_925434(flag, flag >> 31, flag, flag >> 31, 53, 0, v7, (int)v7 >> 31); ++flag; off_92545C(flag, flag >> 31, flag, flag >> 31, 118, 0, v7, (int)v7 >> 31); ++flag; off_925454(flag, flag >> 31, flag, flag >> 31, 231, 0, v7, (int)v7 >> 31); ++flag; off_9253C0(flag, flag >> 31, flag, flag >> 31, 251, 0, v7, (int)v7 >> 31); ++flag; off_9253E4(flag, flag >> 31, flag, flag >> 31, 160, 0, v7, (int)v7 >> 31); ++flag; off_9253C4(flag, flag >> 31, flag, flag >> 31, 218, 0, v7, (int)v7 >> 31); ++flag; off_925440(flag, flag >> 31, flag, flag >> 31, 52, 0, v7, (int)v7 >> 31); ++flag; off_9253BC(flag, flag >> 31, flag, flag >> 31, 132, 0, v7, (int)v7 >> 31); ++flag; off_9253AC(flag, flag >> 31, flag, flag >> 31, 180, 0, v7, (int)v7 >> 31); ++flag; off_925408(flag, flag >> 31, flag, flag >> 31, 200, 0, v7, (int)v7 >> 31); ++flag; off_9253D8(flag, flag >> 31, flag, flag >> 31, 155, 0, v7, (int)v7 >> 31); ++flag; off_9253B8(flag, flag >> 31, flag, flag >> 31, 239, 0, v7, (int)v7 >> 31); ++flag; off_9253C8(flag, flag >> 31, flag, flag >> 31, 180, 0, v7, (int)v7 >> 31); ++flag; off_9253E0(flag, flag >> 31, flag, flag >> 31, 185, 0, v7, (int)v7 >> 31); ++flag; off_925418(flag, flag >> 31, flag, flag >> 31, 10, 0, v7, (int)v7 >> 31); ++flag; off_9253EC(flag, flag >> 31, flag, flag >> 31, 87, 0, v7, (int)v7 >> 31); ++flag; off_925414(flag, flag >> 31, flag, flag >> 31, 92, 0, v7, (int)v7 >> 31); ++flag; off_925450(flag, flag >> 31, flag, flag >> 31, 254, 0, v7, (int)v7 >> 31); ++flag; off_9253E8(flag, flag >> 31, flag, flag >> 31, 197, 0, v7, (int)v7 >> 31); ++flag; off_9253D4(flag, flag >> 31, flag, flag >> 31, 106, 0, v7, (int)v7 >> 31); ++flag; off_92541C(flag, flag >> 31, flag, flag >> 31, 115, 0, v7, (int)v7 >> 31); ++flag; off_92542C(flag, flag >> 31, flag, flag >> 31, 73, 0, v7, (int)v7 >> 31); ++flag; off_925444(flag, flag >> 31, flag, flag >> 31, 189, 0, v7, (int)v7 >> 31); ++flag; off_925458(flag, flag >> 31, flag, flag >> 31, 17, 0, v7, (int)v7 >> 31); ++flag; off_925420(flag, flag >> 31, flag, flag >> 31, 214, 0, v7, (int)v7 >> 31); ++flag; off_9253B0(flag, flag >> 31, flag, flag >> 31, 143, 0, v7, (int)v7 >> 31); ++flag; off_9253DC(flag, flag >> 31, flag, flag >> 31, 107, 0, v7, (int)v7 >> 31); ++flag; off_925464(flag, flag >> 31, flag, flag >> 31, 10, 0, v7, (int)v7 >> 31); ++flag; off_9253CC(flag, flag >> 31, flag, flag >> 31, 151, 0, v7, (int)v7 >> 31); ++flag; off_925424(flag, flag >> 31, flag, flag >> 31, 171, 0, v7, (int)v7 >> 31); ++flag; off_92543C(flag, flag >> 31, flag, flag >> 31, 78, 0, v7, (int)v7 >> 31); ++flag; off_925404(flag, flag >> 31, flag, flag >> 31, 237, 0, v7, (int)v7 >> 31); ++flag; off_925428(flag, flag >> 31, flag, flag >> 31, 254, 0, v7, (int)v7 >> 31); ++flag; off_925460(flag, flag >> 31, flag, flag >> 31, 151, 0, v7, (int)v7 >> 31); ++flag; off_92540C(flag, flag >> 31, flag, flag >> 31, 249, 0, v7, (int)v7 >> 31); ++flag; off_9253F4(flag, flag >> 31, flag, flag >> 31, 152, 0, v7, (int)v7 >> 31); off_925438(flag + 1, (flag + 1) >> 31, flag + 1, (flag + 1) >> 31, 101, 0, v7, (int)v7 >> 31); v5 = memcmp(&unk_925018, argv[1], 0x30u); if ( v5 ) { sub_921340("Wrong\n", v5); exit(-1); } sub_921340("I know you know the flag!\n", 0); return 0; }
ida打开简单审计代码可知程序对flag的每一位进行了操作,我们随便点击一个看一下,其他的依此类推。
最终来到这个函数,这里已经手动patch过了
可以f5看伪代码也可以直接看汇编
额这里为了好说明就看伪代码吧
其中a5是传入的参数,a2就是flag的密文,我们猜测(a5+36)的地址对应的值就是flag传入的一位,因此将每一个a5参数提取出来,猜测flag是按照从左往右的顺序加密。将flag的密文提取出来,然后将异或的每个值提取出来写出解密脚本
enc=[ 0x96, 0x50, 0xCF, 0x2C, 0xEB, 0x9B, 0xAA, 0xFB, 0x53, 0xAB, 0x73, 0xDD, 0x6C, 0x9E, 0xDB, 0xBC, 0xEE, 0xAB, 0x23, 0xD6, 0x16, 0xFD, 0xF1, 0xF0, 0xB9, 0x75, 0xC3, 0x28, 0xA2, 0x74, 0x7D, 0xE3, 0x27, 0xD5, 0x95, 0x5C, 0xF5, 0x76, 0x75, 0xC9, 0x8C, 0xFB, 0x42, 0x0E, 0xBD, 0x51, 0xA2, 0x98] a=[196,22, 142, 119, 5,185, 13, 107, 36, 85, 18, 53, 118, 231, 251, 160, 218, 52, 132, 180, 200, 155, 239, 180, 185, 10, 87, 92, 254, 197, 106,115, 73, 189, 17,214, 143, 107, 10, 151, 171, 78, 237, 254, 151, 249,152,101] k=[0xba,0x2f,0xcd,0xf6,0x9f,0xd0,0x22,0xf7,0xd0,0x1f,0xa8,0x3d,0xc7,0xa5,0x47,0x68,0xd7,0x4a,0x96,0x91,0x2e,0x19,0xc5,0xe3,0x88,0xbd,0x4e,0x93,0x13,0xf1,0xcc,0x47,0xab,0xc9,0x48,0x2b,0x9,0x50,0x4f,0xe9,0xc0,0x5e,0xef,0x8b,0x85,0xcb,0x55,0x70] flag="" for i in range(48): tmp=(enc[i]^k[i])-a[i] if tmp>0 and tmp<126: flag+=chr(tmp) elif tmp>=126: flag+=chr(256-tmp) elif tmp<0 and tmp>-126: flag+=chr(-tmp) else: flag+=chr(256+tmp) print(flag)
#hitcon{___7U5T_4_S1mpIE_xB6_M@G1C_4_mE0w_W@y___}
这里通过flag格式测试可知,范围为-126到126(也可以是-128到128)之间的数直接将其绝对值转为ascii对应的字符,范围之外的正数用256减去,负数用256加上。控制在ascii字符范围内。
最终得flag:hitcon{___7U5T_4_S1mpIE_xB6_M@G1C_4_mE0w_W@y___}
