hitconctf2022 Meow Way
int __cdecl main(int argc, const char **argv, const char **envp){
char v4; //
int v5; //
int flag; //
_DWORD v7; // BYREF
v7 = -1;
v7 = -1;
if ( argc < 2 )
{
sub_921340("Usage: %s <flag>\n", (char)*argv);
exit(1);
}
if ( strlen(argv) != 48 )
{
sub_921340("Wrong length\n", v4);
exit(1);
}
flag = (int)argv;
off_92544C(flag, flag >> 31, flag, flag >> 31, 196, 0, v7, (int)v7 >> 31);
++flag;
off_9253A8(flag, flag >> 31, flag, flag >> 31, 22, 0, v7, (int)v7 >> 31);
++flag;
off_9253B4(flag, flag >> 31, flag, flag >> 31, 142, 0, v7, (int)v7 >> 31);
++flag;
off_9253F0(flag, flag >> 31, flag, flag >> 31, 119, 0, v7, (int)v7 >> 31);
++flag;
off_925448(flag, flag >> 31, flag, flag >> 31, 5, 0, v7, (int)v7 >> 31);
++flag;
off_9253FC(flag, flag >> 31, flag, flag >> 31, 185, 0, v7, (int)v7 >> 31);
++flag;
off_925400(flag, flag >> 31, flag, flag >> 31, 13, 0, v7, (int)v7 >> 31);
++flag;
off_925410(flag, flag >> 31, flag, flag >> 31, 107, 0, v7, (int)v7 >> 31);
++flag;
off_9253F8(flag, flag >> 31, flag, flag >> 31, 36, 0, v7, (int)v7 >> 31);
++flag;
off_925430(flag, flag >> 31, flag, flag >> 31, 85, 0, v7, (int)v7 >> 31);
++flag;
off_9253D0(flag, flag >> 31, flag, flag >> 31, 18, 0, v7, (int)v7 >> 31);
++flag;
off_925434(flag, flag >> 31, flag, flag >> 31, 53, 0, v7, (int)v7 >> 31);
++flag;
off_92545C(flag, flag >> 31, flag, flag >> 31, 118, 0, v7, (int)v7 >> 31);
++flag;
off_925454(flag, flag >> 31, flag, flag >> 31, 231, 0, v7, (int)v7 >> 31);
++flag;
off_9253C0(flag, flag >> 31, flag, flag >> 31, 251, 0, v7, (int)v7 >> 31);
++flag;
off_9253E4(flag, flag >> 31, flag, flag >> 31, 160, 0, v7, (int)v7 >> 31);
++flag;
off_9253C4(flag, flag >> 31, flag, flag >> 31, 218, 0, v7, (int)v7 >> 31);
++flag;
off_925440(flag, flag >> 31, flag, flag >> 31, 52, 0, v7, (int)v7 >> 31);
++flag;
off_9253BC(flag, flag >> 31, flag, flag >> 31, 132, 0, v7, (int)v7 >> 31);
++flag;
off_9253AC(flag, flag >> 31, flag, flag >> 31, 180, 0, v7, (int)v7 >> 31);
++flag;
off_925408(flag, flag >> 31, flag, flag >> 31, 200, 0, v7, (int)v7 >> 31);
++flag;
off_9253D8(flag, flag >> 31, flag, flag >> 31, 155, 0, v7, (int)v7 >> 31);
++flag;
off_9253B8(flag, flag >> 31, flag, flag >> 31, 239, 0, v7, (int)v7 >> 31);
++flag;
off_9253C8(flag, flag >> 31, flag, flag >> 31, 180, 0, v7, (int)v7 >> 31);
++flag;
off_9253E0(flag, flag >> 31, flag, flag >> 31, 185, 0, v7, (int)v7 >> 31);
++flag;
off_925418(flag, flag >> 31, flag, flag >> 31, 10, 0, v7, (int)v7 >> 31);
++flag;
off_9253EC(flag, flag >> 31, flag, flag >> 31, 87, 0, v7, (int)v7 >> 31);
++flag;
off_925414(flag, flag >> 31, flag, flag >> 31, 92, 0, v7, (int)v7 >> 31);
++flag;
off_925450(flag, flag >> 31, flag, flag >> 31, 254, 0, v7, (int)v7 >> 31);
++flag;
off_9253E8(flag, flag >> 31, flag, flag >> 31, 197, 0, v7, (int)v7 >> 31);
++flag;
off_9253D4(flag, flag >> 31, flag, flag >> 31, 106, 0, v7, (int)v7 >> 31);
++flag;
off_92541C(flag, flag >> 31, flag, flag >> 31, 115, 0, v7, (int)v7 >> 31);
++flag;
off_92542C(flag, flag >> 31, flag, flag >> 31, 73, 0, v7, (int)v7 >> 31);
++flag;
off_925444(flag, flag >> 31, flag, flag >> 31, 189, 0, v7, (int)v7 >> 31);
++flag;
off_925458(flag, flag >> 31, flag, flag >> 31, 17, 0, v7, (int)v7 >> 31);
++flag;
off_925420(flag, flag >> 31, flag, flag >> 31, 214, 0, v7, (int)v7 >> 31);
++flag;
off_9253B0(flag, flag >> 31, flag, flag >> 31, 143, 0, v7, (int)v7 >> 31);
++flag;
off_9253DC(flag, flag >> 31, flag, flag >> 31, 107, 0, v7, (int)v7 >> 31);
++flag;
off_925464(flag, flag >> 31, flag, flag >> 31, 10, 0, v7, (int)v7 >> 31);
++flag;
off_9253CC(flag, flag >> 31, flag, flag >> 31, 151, 0, v7, (int)v7 >> 31);
++flag;
off_925424(flag, flag >> 31, flag, flag >> 31, 171, 0, v7, (int)v7 >> 31);
++flag;
off_92543C(flag, flag >> 31, flag, flag >> 31, 78, 0, v7, (int)v7 >> 31);
++flag;
off_925404(flag, flag >> 31, flag, flag >> 31, 237, 0, v7, (int)v7 >> 31);
++flag;
off_925428(flag, flag >> 31, flag, flag >> 31, 254, 0, v7, (int)v7 >> 31);
++flag;
off_925460(flag, flag >> 31, flag, flag >> 31, 151, 0, v7, (int)v7 >> 31);
++flag;
off_92540C(flag, flag >> 31, flag, flag >> 31, 249, 0, v7, (int)v7 >> 31);
++flag;
off_9253F4(flag, flag >> 31, flag, flag >> 31, 152, 0, v7, (int)v7 >> 31);
off_925438(flag + 1, (flag + 1) >> 31, flag + 1, (flag + 1) >> 31, 101, 0, v7, (int)v7 >> 31);
v5 = memcmp(&unk_925018, argv, 0x30u);
if ( v5 )
{
sub_921340("Wrong\n", v5);
exit(-1);
}
sub_921340("I know you know the flag!\n", 0);
return 0;
}ida打开简单审计代码可知程序对flag的每一位进行了操作,我们随便点击一个看一下,其他的依此类推。
https://img2023.cnblogs.com/blog/3032507/202211/3032507-20221128111807592-733847681.png
https://img2023.cnblogs.com/blog/3032507/202211/3032507-20221128111844759-869921148.png
https://img2023.cnblogs.com/blog/3032507/202211/3032507-20221128111939039-448907236.png
最终来到这个函数,这里已经手动patch过了
可以f5看伪代码也可以直接看汇编
额这里为了好说明就看伪代码吧
https://img2023.cnblogs.com/blog/3032507/202211/3032507-20221128112443024-1028962259.png
其中a5是传入的参数,a2就是flag的密文,我们猜测(a5+36)的地址对应的值就是flag传入的一位,因此将每一个a5参数提取出来,猜测flag是按照从左往右的顺序加密。建flag的密文提取出来,然后将异或的每个值提取出来写出解密脚本
enc=[ 0x96, 0x50, 0xCF, 0x2C, 0xEB, 0x9B, 0xAA, 0xFB, 0x53, 0xAB,
0x73, 0xDD, 0x6C, 0x9E, 0xDB, 0xBC, 0xEE, 0xAB, 0x23, 0xD6,
0x16, 0xFD, 0xF1, 0xF0, 0xB9, 0x75, 0xC3, 0x28, 0xA2, 0x74,
0x7D, 0xE3, 0x27, 0xD5, 0x95, 0x5C, 0xF5, 0x76, 0x75, 0xC9,
0x8C, 0xFB, 0x42, 0x0E, 0xBD, 0x51, 0xA2, 0x98]
a=
k=
flag=""
for i in range(48):
tmp=(enc^k)-a
if tmp>0 and tmp<126:
flag+=chr(tmp)
elif tmp>=126:
flag+=chr(256-tmp)
elif tmp<0 and tmp>-126:
flag+=chr(-tmp)
else:
flag+=chr(256+tmp)
print(flag)这里通过flag格式测试可知,范围为-126到126(也可以是-128到128)之间的数直接将其绝对值转为ascii对应的字符,范围之外的正数用256减去,负数用256加上。控制在ascii字符范围内。
最终得flag:hitcon{___7U5T_4_S1mpIE_xB6_M@G1C_4_mE0w_W@y___}
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!
页:
[1]