BUUCTF--刮开有奖
准备
获取信息
- 32位文件
IDA打开
进入主函数WinMain
int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
DialogBoxParamA(hInstance, (LPCSTR)0x67, , DialogFunc, );
return ;
}
找到关键的函数DialogFunc,并反编译为C代码
BOOL __userpurge DialogFunc@
{
const char *v6; // esi
const char *v7; // edi
int v9; // [esp+4h] [ebp-20030h]
int v10; // [esp+8h] [ebp-2002Ch]
int v11; // [esp+Ch] [ebp-20028h]
int v12; // [esp+10h] [ebp-20024h]
int v13; // [esp+14h] [ebp-20020h]
int v14; // [esp+18h] [ebp-2001Ch]
int v15; // [esp+1Ch] [ebp-20018h]
int v16; // [esp+20h] [ebp-20014h]
int v17; // [esp+24h] [ebp-20010h]
int v18; // [esp+28h] [ebp-2000Ch]
int v19; // [esp+2Ch] [ebp-20008h]
CHAR String; // [esp+30h] [ebp-20004h]
char v21; // [esp+31h] [ebp-20003h]
char v22; // [esp+32h] [ebp-20002h]
char v23; // [esp+33h] [ebp-20001h]
char v24; // [esp+34h] [ebp-20000h]
char v25; // [esp+10030h] [ebp-10004h]
char v26; // [esp+10031h] [ebp-10003h]
char v27; // [esp+10032h] [ebp-10002h]
int v28; // [esp+20028h] [ebp-Ch]
int v29; // [esp+2002Ch] [ebp-8h]
__alloca_probe();
if ( a4 == )
return ;
v29 = a2;
v28 = a1;
if ( a4 != )
return ;
if ( (_WORD)a5 == )
{
memset(&String, , 0xFFFFu);
GetDlgItemTextA(hDlg, , &String, 0xFFFF);
if ( strlen(&String) == )
{
v9 = ;
v10 = ;
v11 = ;
v12 = ;
v13 = ;
v14 = ;
v15 = ;
v16 = ;
v17 = ;
v18 = ;
v19 = ;
sub_4010F0(&v9, , );
memset(&v25, , 0xFFFFu);
v6 = (const char *)sub_401000(&v25, strlen(&v25));
memset(&v25, , 0xFFFFu);
v26 = v23;
v25 = v22;
v27 = v24;
v7 = (const char *)sub_401000(&v25, strlen(&v25));
if ( String == v9 +
&& v21 == v13
&& * v22 - == * v11
&& v23 / == * (v16 / )
&& !strcmp(v6, "ak1w")
&& !strcmp(v7, "V1Ax") )
{
MessageBoxA(hDlg, "U g3t 1T!", "@_@", );
}
}
return ;
}
if ( (_WORD)a5 != && (_WORD)a5 != )
return ;
EndDialog(hDlg, (unsigned __int16)a5);
return ;
}
代码分析
通过第37行代码GetDlgItemTextA,我们知道了String是我们输入的flag。
通过第38行代码我们知道flag的长度应该是8
第51行函数sub_4010F0在对v9~v19进行某种操作,进入sub_4010F0函数,将函数转换为C语言代码,再将v9~v19代入
#include
#include
#include
using namespace std;
int __cdecl sub_4010F0(char *a1, int a2, int a3)
{
int result; // eax
int i; // esi
int v5; // ecx
int v6; // edx
result = a3;
for (i = a2; i <= a3; a2 = i)
{
v5 = i;
v6 = a1\[i\];
if (a2 < result && i < result)
{
do
{
if (v6 >a1\[result\])
{
if (i >= result)
break;
++i;
a1\[v5\] = a1\[result\];
if (i >= result)
break;
while (a1\[i\] <= v6)
{
if (++i >= result)
goto LABEL\_13;
}
if (i >= result)
break;
v5 = i;
a1\[result\] = a1\[i\];
}
--result;
} while (i < result);
}
LABEL\_13:
a1\[result\] = v6;
sub\_4010F0(a1, a2, i - );
result = a3;
++i;
}
return result; }
char str[] = { ,,,,,,,,,, };
int main()
{
cout << str << endl;
sub\_4010F0(str, , );
for (int i = ; i < ; ++i) {
cout << str\[i\];
}
return ; }
输出
分析第52行代码~58行代码。我们转到汇编代码处
.text:004012B0 push 0FFFFh ; size_t
.text:004012B5 lea edx, [ebp+var_10004]
.text:004012BB push ; int
.text:004012BD push edx ; void *
.text:004012BE call _memset
.text:004012C3 mov al, [ebp+var_1FFFF]
.text:004012C9 mov dl, [ebp+var_1FFFD]
.text:004012CF mov cl, [ebp+var_1FFFE]
.text:004012D5 mov [ebp+var_10004], al
.text:004012DB lea eax, [ebp+var_10004]
.text:004012E1 mov [ebp+var_10002], dl
.text:004012E7 add esp, 18h
.text:004012EA mov [ebp+var_10003], cl
.text:004012F0 lea edx, [eax+]
.text:004012F3
.text:004012F3 loc_4012F3: ; CODE XREF: DialogFunc+158↓j
.text:004012F3 mov cl, [eax]
.text:004012F5 inc eax
.text:004012F6 test cl, cl
.text:004012F8 jnz short loc_4012F3
.text:004012FA sub eax, edx
.text:004012FC push eax
.text:004012FD lea eax, [ebp+var_10004]
.text: push eax
.text: call sub_401000
.text: push 0FFFFh ; size_t
.text:0040130E lea ecx, [ebp+var_10004]
.text: push ; int
.text: push ecx ; void *
.text: mov esi, eax
.text: call _memset
.text:0040131E mov al, [ebp+var_20001]
.text:00401324 mov dl, [ebp+var_20002]
.text:0040132A mov cl, [ebp+var_20000]
.text: mov [ebp+var_10003], al
.text: lea eax, [ebp+var_10004]
.text:0040133C mov [ebp+var_10004], dl
.text: add esp, 14h
.text: mov [ebp+var_10002], cl
.text:0040134B lea edx, [eax+]
.text:0040134E mov edi, edi
看加粗加红处(下面是对应字符串的信息)
- String db ?
- var_20003 db ?
- var_20002 db ?
- var_20001 db ?
- var_20000 db ?
-0001FFFF var_1FFFF db ?
-0001FFFE var_1FFFE db ?
-0001FFFD var_1FFFD db ?
我们可以知道,v6使用sub_4010F0函数后的字符串的6,7,8位,调用sub_401000函数,v7使用sub_4010F0函数后的字符串的3,4,5位,调用sub_401000函数。
进入sub_401000
_BYTE *__cdecl sub_401000(int a1, int a2)
{
int v2; // eax
int v3; // esi
size_t v4; // ebx
_BYTE *v5; // eax
_BYTE *v6; // edi
int v7; // eax
_BYTE *v8; // ebx
int v9; // edi
signed int v10; // edx
int v11; // edi
signed int v12; // eax
signed int v13; // esi
_BYTE *result; // eax
_BYTE *v15; // [esp+Ch] [ebp-10h]
_BYTE *v16; // [esp+10h] [ebp-Ch]
int v17; // [esp+14h] [ebp-8h]
int v18; // [esp+18h] [ebp-4h]
v2 = a2 / ;
v3 = ;
if ( a2 % > )
++v2;
v4 = * v2 + ;
v5 = malloc(v4);
v6 = v5;
v15 = v5;
if ( !v5 )
exit();
memset(v5, , v4);
v7 = a2;
v8 = v6;
v16 = v6;
if ( a2 > )
{
while ( )
{
v9 = ;
v10 = ;
v18 = ;
do
{
if ( v3 >= v7 )
break;
++v10;
v9 = *(unsigned __int8 *)(v3++ + a1) | (v9 << );
}
while ( v10 < );
v11 = v9 << * ( - v10);
v12 = ;
v17 = v3;
v13 = ;
do
{
if ( v10 >= v12 )
{
*((_BYTE *)&v18 + v12) = (v11 >> v13) & 0x3F;
v8 = v16;
}
else
{
*((_BYTE *)&v18 + v12) = ;
}
*v8++ = byte_407830[*((char *)&v18 + v12)];
v13 -= ;
++v12;
v16 = v8;
}
while ( v13 > - );
v3 = v17;
if ( v17 >= a2 )
break;
v7 = a2;
}
v6 = v15;
}
result = v6;
*v8 = ;
return result;
}
进入第65行byte_407830
.rdata: ; char byte_407830[]
.rdata: byte_407830 db 41h ; DATA XREF: sub_401000+C0↑r
.rdata: aBcdefghijklmno db 'BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=',
我们可以猜测这个函数应该是base64加密。
if ( String == v9 + // sub\_4010F0函数后的第一位等于51+34=85-->'U'
&& v21 == v13 // 第2位,等于v13,即sub\_4010F0函数返回值的第5位值-->'J'
&& \* v22 - == \* v11
&& v23 / == \* (v16 / )
&& !strcmp(v6, "ak1w") // 第6,7,8行代码base64之后,需要等于"ak1w"
&& !strcmp( // 第3,4,5行代码,加密之后等于V1Ax
v7,
"V1Ax") )
{
MessageBoxA(hDlg, "U g3t 1T!", "@\_@", );
}将v6,v7解密之后得到WP1jMp,再结合第1,2位得到flag
get flag!
flag{UJWP1jMp}
手机扫一扫
移动阅读更方便
你可能感兴趣的文章