Reverse 高校网络信息安全运维挑战赛

Reverse 高校网络信息安全运维挑战赛

/*
 * sub_403CC0 - prompt for a key, length-check it and hand it to check_4014A0.
 *
 * Decompiler pseudocode, not compilable C: iob, filbuf, sub_401AD0 and
 * check_4014A0 are defined elsewhere in the binary.
 *
 * Returns -1 when the input is shorter than 20 or longer than 30 characters,
 * otherwise 0 (whether or not the key was accepted).
 */
signed int sub_403CC0()
{
  unsigned int idx;
  int key_lens; // eax
  FILE *v2; // eax
  FILE *v3; // eax
  // Eight consecutive stack dwords. check_4014A0 is handed (char *)&data, so
  // data..v12 are read back as one NUL-terminated ASCII string.
  int data; // [esp+10h] [ebp-44h]
  int v6; // [esp+14h] [ebp-40h]
  int v7; // [esp+18h] [ebp-3Ch]
  int v8; // [esp+1Ch] [ebp-38h]
  int v9; // [esp+20h] [ebp-34h]
  int v10; // [esp+24h] [ebp-30h]
  int v11; // [esp+28h] [ebp-2Ch]
  int v12; // [esp+2Ch] [ebp-28h]
  int mykey[8]; // [esp+30h] [ebp-24h]  input buffer, 8 dwords

  sub_401AD0();

  // Multi-character constants are printed most-significant byte first; laid
  // out little-endian in memory they spell 1A2F943C4D8C5B6EA3C9BCAD7E.
  data = 'F2A1';
  v6 = 'C349';
  v7 = 'C8D4';
  v8 = 'E6B5';
  v9 = '9C3A';
  v10 = 'DACB';
  v11 = 'E7';
  v12 = 0; // terminator for the string above

  for ( idx = 0; idx < 8; ++idx )
    mykey[idx] = 0;

  puts("input your key:");
  // NOTE(review): "%s" carries no field width, so scanf can write past the
  // 8-dword mykey buffer; the length checks below only run after the copy.
  // In source form a bounded conversion would be the fix.
  scanf("%s", mykey);
  key_lens = strlen((const char *)mykey);

  if ( key_lens <= 19 )
  {
    printf("too short!");
    return -1;
  }
  if ( key_lens > 30 )
  {
    printf("too long!");
    return -1;
  }

  if ( check_4014A0((char *)mykey, (char *)&data, key_lens) )
    printf("congratulations, your input is the flag ^_^");
  else
    printf("try agian");

  // NOTE(review): the two iob/filbuf sequences below look like inlined stdio
  // character reads (decrement a counter, refill through filbuf when it goes
  // negative, otherwise advance the pointer) - confirm against the disassembly.
  v2 = (FILE *)((char *)iob[1] - 1);
  iob[1] = v2;
  if ( (signed int)v2 < 0 )
  {
    filbuf(iob[0]);
    v2 = iob[1];
  }
  else
  {
    ++iob[0];
  }

  v3 = (FILE *)((char *)v2 - 1);
  iob[1] = v3;
  if ( (signed int)v3 < 0 )
    filbuf(iob[0]);
  else
    ++iob[0];

  return 0;
}

关键函数check_4014A0((char *)mykey, (char *)&data, key_lens)

/*
 * check_4014A0 - compare a transformed 25-byte key against an embedded table.
 *
 * Decompiler pseudocode, not compilable C (_DWORD, __ROL1__ and numb_401460
 * come from the decompiler / the rest of the binary).
 *
 * mykey     candidate key bytes
 * data      ASCII string passed on to numb_401460
 * key_lens  length of mykey; anything other than 25 is rejected
 *
 * Returns 1 when, for every i in 0..24,
 *   ROL8(mykey[i], 2) ^ numb_401460(data, i) == table[i]
 * where table is the 25 stack bytes v9..v33; returns 0 otherwise.
 * Each step is invertible per byte, which is why the solver on this page can
 * recover the key from the constants alone.
 */
signed int __cdecl check_4014A0(char *mykey, char *data, int key_lens)
{
  unsigned int v3; // ebx
  int j; // eax
  int k; // ebx
  char v7; // dl
  int i; // eax
  // v9..v33: 25 consecutive stack bytes (esp+0Ah..esp+22h) holding encryptArray
  char v9; // [esp+Ah] [ebp-4Ah]
  char v10; // [esp+Bh] [ebp-49h]
  char v11; // [esp+Ch] [ebp-48h]
  char v12; // [esp+Dh] [ebp-47h]
  char v13; // [esp+Eh] [ebp-46h]
  char v14; // [esp+Fh] [ebp-45h]
  char v15; // [esp+10h] [ebp-44h]
  char v16; // [esp+11h] [ebp-43h]
  char v17; // [esp+12h] [ebp-42h]
  char v18; // [esp+13h] [ebp-41h]
  char v19; // [esp+14h] [ebp-40h]
  char v20; // [esp+15h] [ebp-3Fh]
  char v21; // [esp+16h] [ebp-3Eh]
  char v22; // [esp+17h] [ebp-3Dh]
  char v23; // [esp+18h] [ebp-3Ch]
  char v24; // [esp+19h] [ebp-3Bh]
  char v25; // [esp+1Ah] [ebp-3Ah]
  char v26; // [esp+1Bh] [ebp-39h]
  char v27; // [esp+1Ch] [ebp-38h]
  char v28; // [esp+1Dh] [ebp-37h]
  char v29; // [esp+1Eh] [ebp-36h]
  char v30; // [esp+1Fh] [ebp-35h]
  char v31; // [esp+20h] [ebp-34h]
  char v32; // [esp+21h] [ebp-33h]
  char v33; // [esp+22h] [ebp-32h]
  int v34; // [esp+24h] [ebp-30h]
  char v35[44]; // [esp+28h] [ebp-2Ch]  scratch copy of the transformed key

  v34 = 0;
  // Zero-initialise the table area one dword at a time; the bound evaluates to
  // 28, i.e. the bytes from v11 up to the start of v35.
  for ( v3 = 0; v3 < ((&v9 - &v11 + 30) & 0xFFFFFFFC); v3 += 4 )
    *(_DWORD *)(&v11 + v3) = 0;

  // encryptArray:
  // 0F 87 62 14 01 C6 F0 21 30 11 50 D0 82 23 AE 23 EE A9 B4 52 78 57 0C 86 8B
  v9 = 0x0F;
  v10 = 0x87u;
  v11 = 0x62;
  v12 = 0x14;
  v13 = 0x01;
  v14 = 0xC6u;
  v15 = 0xF0u;
  v16 = 0x21;
  v17 = 0x30;
  v18 = 0x11;
  v19 = 0x50;
  v20 = 0xD0u;
  v21 = 0x82u;
  v22 = 0x23;
  v23 = 0xAEu;
  v24 = 0x23;
  v25 = 0xEEu;
  v26 = 0xA9u;
  v27 = 0xB4u;
  v28 = 0x52;
  v29 = 0x78;
  v30 = 0x57;
  v31 = 0x0C;
  v32 = 0x86u;
  v33 = 0x8Bu;

  if ( key_lens != 25 )
    return 0;

  // Stage 1: rotate every key byte left by 2 bits.
  for ( j = 0; j != 25; ++j )
    v35[j] = __ROL1__(mykey[j], 2);

  // Stage 2: XOR with the value numb_401460 derives from data and the index
  // (data is the ASCII string "1A2F943C4D8C5B6EA3C9BCAD7E").
  for ( k = 0; k != 25; ++k )
    v35[k] ^= numb_401460(data, k);

  // Stage 3: the deciding comparison - walk v35 against v9..v33 and stop at the
  // first mismatch. v7 starts at 15 (the value of v9) and is reloaded from the
  // table after each matching byte.
  v7 = 15;
  i = 0;
  while ( v35[i] == v7 )
  {
    ++i;
    if ( i == 25 )
      return 1;
    v7 = *(&v9 + i);
  }
  return 0;
}

numb_401460(data, k)函数:

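/*
 * sub_401460 - fold two adjacent ASCII hex digits of data into one byte.
 * (The caller listing on this page refers to it as numb_401460.)
 *
 * data   ASCII hex string, e.g. "1A2F943C4D8C5B6EA3C9BCAD7E"
 * index  position of the high-nibble digit; data[index + 1] is the low nibble
 *
 * Returns (high nibble << 4) | low nibble. Consecutive indices overlap by one
 * digit, so index 0 yields 0x1A, index 1 yields 0xA2, index 2 yields 0x2F.
 *
 * data[index + 1] is read without a bounds check; the caller shown on this
 * page only passes index 0..24 over a 26-character string.
 *
 * Changes against the pasted listing: the closing brace lost in the paste is
 * restored, the decompiler-only `unsigned __int8` is spelled `unsigned char`,
 * and the `__cdecl` annotation (the default C calling convention) is dropped
 * so the function builds with a standard compiler.
 */
int sub_401460(char *data, int index)
{
  char a = data[index];      /* high-nibble digit */
  char b = data[index + 1];  /* low-nibble digit */
  int x;
  int y;

  /* '0'..'9' keep their low nibble as is; every other character is shifted
   * down by 0x37 first, which maps 'A'..'F' to 10..15. */
  if ( (unsigned char)(a - 0x30) > 9u )
    a -= 0x37;
  x = a & 0xF;

  if ( (unsigned char)(b - 0x30) <= 9u )
    y = b & 0xF;
  else
    y = (b - 0x37) & 0xF;

  return y | 16 * x;
}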

wp:

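# Solver: invert check_4014A0 to recover the 25-character key.
# The check computes ROL8(key[i], 2) ^ numb(data, i) and compares the result
# with encryptArray[i], so key[i] = ROR8(encryptArray[i] ^ numb(data, i), 2).
encryptArray = [0x0F, 0x87, 0x62, 0x14, 0x01, 0xC6, 0xF0, 0x21, 0x30, 0x11, 0x50, 0xD0, 0x82, 0x23, 0xAE, 0x23,
                0xEE, 0xA9, 0xB4, 0x52, 0x78, 0x57, 0x0C, 0x86, 0x8B]
data = '1A2F943C4D8C5B6EA3C9BCAD7E'
numbs = []
# Expected contents once filled in below:
# numbs=[0x1a, 0xa2, 0x2f, 0xf9, 0x94, 0x43, 0x3c, 0xc4, 0x4d, 0xd8, 0x8c, 0xc5, 0x5b, 0xb6, 0x6e, 0xea, 0xa3, 0x3c, 0xc9, 0x9b, 0xbc, 0xca, 0xad, 0xd7, 0x7e]

# Rotating an unsigned N-bit value val by n bits (mask the result to N bits):
#   rotate left:  (val >> (N - n)) | (val << n)
#   rotate right: (val << (N - n)) | (val >> n)


def ROL_2(val):
    """Rotate an 8-bit value left by 2 bits."""
    return ((val >> 6) & 0xff) | ((val << 2) & 0xff)


def ROR_2(val):
    """Rotate an 8-bit value right by 2 bits (inverse of ROL_2)."""
    return ((val << 6) & 0xff) | ((val >> 2) & 0xff)


def numb(data, index):
    """Fold the hex digits data[index] and data[index + 1] into one byte.

    Port of the decompiled sub_401460 / numb_401460. The `& 0xFF` on the range
    tests mirrors the (unsigned __int8) cast in the C listing, so characters
    below '0' take the same branch as in the binary; for the hex digits used
    here the result is unchanged.
    """
    a = ord(data[index])
    b = ord(data[index + 1])
    if ((a - 0x30) & 0xFF) > 9:
        a -= 0x37
    x = a & 0xF
    y = (b - 0x37) & 0xF
    if ((b - 0x30) & 0xFF) <= 9:
        y = b & 0xF
    return y | 16 * x


for i in range(25):
    numbs.append(numb(data, i))
print('numbs=[',','.join(map(hex,numbs)),']')

key = []
for i in range(25):
    # undo the XOR first, then undo the left rotation
    x = encryptArray[i] ^ numbs[i]
    x = ROR_2(x)
    key.append(chr(x))
print(''.join(key))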

EIS{ea3y_r7Eve0rSe_r1ghT}

在攻防世界中提交失败0.0,Orz