hitconctf2022 Meow Way

写过一篇 · 2022-11-28 13:07:55

int __cdecl main(int argc, const char **argv, const char **envp)
{
char v4; // [esp+0h] [ebp-24h]
int v5; // [esp+0h] [ebp-24h]
int flag; // [esp+14h] [ebp-10h]
_DWORD v7[2]; // [esp+18h] [ebp-Ch] BYREF
v7[0] = -1;
v7[1] = -1;
if ( argc < 2 )
{
sub_921340("Usage: %s <flag>\n", (char)*argv);
exit(1);
}
if ( strlen(argv[1]) != 48 )
{
sub_921340("Wrong length\n", v4);
exit(1);
}
flag = (int)argv[1];
off_92544C(flag, flag >> 31, flag, flag >> 31, 196, 0, v7, (int)v7 >> 31);
++flag;
off_9253A8(flag, flag >> 31, flag, flag >> 31, 22, 0, v7, (int)v7 >> 31);
++flag;
off_9253B4(flag, flag >> 31, flag, flag >> 31, 142, 0, v7, (int)v7 >> 31);
++flag;
off_9253F0(flag, flag >> 31, flag, flag >> 31, 119, 0, v7, (int)v7 >> 31);
++flag;
off_925448(flag, flag >> 31, flag, flag >> 31, 5, 0, v7, (int)v7 >> 31);
++flag;
off_9253FC(flag, flag >> 31, flag, flag >> 31, 185, 0, v7, (int)v7 >> 31);
++flag;
off_925400(flag, flag >> 31, flag, flag >> 31, 13, 0, v7, (int)v7 >> 31);
++flag;
off_925410(flag, flag >> 31, flag, flag >> 31, 107, 0, v7, (int)v7 >> 31);
++flag;
off_9253F8(flag, flag >> 31, flag, flag >> 31, 36, 0, v7, (int)v7 >> 31);
++flag;
off_925430(flag, flag >> 31, flag, flag >> 31, 85, 0, v7, (int)v7 >> 31);
++flag;
off_9253D0(flag, flag >> 31, flag, flag >> 31, 18, 0, v7, (int)v7 >> 31);
++flag;
off_925434(flag, flag >> 31, flag, flag >> 31, 53, 0, v7, (int)v7 >> 31);
++flag;
off_92545C(flag, flag >> 31, flag, flag >> 31, 118, 0, v7, (int)v7 >> 31);
++flag;
off_925454(flag, flag >> 31, flag, flag >> 31, 231, 0, v7, (int)v7 >> 31);
++flag;
off_9253C0(flag, flag >> 31, flag, flag >> 31, 251, 0, v7, (int)v7 >> 31);
++flag;
off_9253E4(flag, flag >> 31, flag, flag >> 31, 160, 0, v7, (int)v7 >> 31);
++flag;
off_9253C4(flag, flag >> 31, flag, flag >> 31, 218, 0, v7, (int)v7 >> 31);
++flag;
off_925440(flag, flag >> 31, flag, flag >> 31, 52, 0, v7, (int)v7 >> 31);
++flag;
off_9253BC(flag, flag >> 31, flag, flag >> 31, 132, 0, v7, (int)v7 >> 31);
++flag;
off_9253AC(flag, flag >> 31, flag, flag >> 31, 180, 0, v7, (int)v7 >> 31);
++flag;
off_925408(flag, flag >> 31, flag, flag >> 31, 200, 0, v7, (int)v7 >> 31);
++flag;
off_9253D8(flag, flag >> 31, flag, flag >> 31, 155, 0, v7, (int)v7 >> 31);
++flag;
off_9253B8(flag, flag >> 31, flag, flag >> 31, 239, 0, v7, (int)v7 >> 31);
++flag;
off_9253C8(flag, flag >> 31, flag, flag >> 31, 180, 0, v7, (int)v7 >> 31);
++flag;
off_9253E0(flag, flag >> 31, flag, flag >> 31, 185, 0, v7, (int)v7 >> 31);
++flag;
off_925418(flag, flag >> 31, flag, flag >> 31, 10, 0, v7, (int)v7 >> 31);
++flag;
off_9253EC(flag, flag >> 31, flag, flag >> 31, 87, 0, v7, (int)v7 >> 31);
++flag;
off_925414(flag, flag >> 31, flag, flag >> 31, 92, 0, v7, (int)v7 >> 31);
++flag;
off_925450(flag, flag >> 31, flag, flag >> 31, 254, 0, v7, (int)v7 >> 31);
++flag;
off_9253E8(flag, flag >> 31, flag, flag >> 31, 197, 0, v7, (int)v7 >> 31);
++flag;
off_9253D4(flag, flag >> 31, flag, flag >> 31, 106, 0, v7, (int)v7 >> 31);
++flag;
off_92541C(flag, flag >> 31, flag, flag >> 31, 115, 0, v7, (int)v7 >> 31);
++flag;
off_92542C(flag, flag >> 31, flag, flag >> 31, 73, 0, v7, (int)v7 >> 31);
++flag;
off_925444(flag, flag >> 31, flag, flag >> 31, 189, 0, v7, (int)v7 >> 31);
++flag;
off_925458(flag, flag >> 31, flag, flag >> 31, 17, 0, v7, (int)v7 >> 31);
++flag;
off_925420(flag, flag >> 31, flag, flag >> 31, 214, 0, v7, (int)v7 >> 31);
++flag;
off_9253B0(flag, flag >> 31, flag, flag >> 31, 143, 0, v7, (int)v7 >> 31);
++flag;
off_9253DC(flag, flag >> 31, flag, flag >> 31, 107, 0, v7, (int)v7 >> 31);
++flag;
off_925464(flag, flag >> 31, flag, flag >> 31, 10, 0, v7, (int)v7 >> 31);
++flag;
off_9253CC(flag, flag >> 31, flag, flag >> 31, 151, 0, v7, (int)v7 >> 31);
++flag;
off_925424(flag, flag >> 31, flag, flag >> 31, 171, 0, v7, (int)v7 >> 31);
++flag;
off_92543C(flag, flag >> 31, flag, flag >> 31, 78, 0, v7, (int)v7 >> 31);
++flag;
off_925404(flag, flag >> 31, flag, flag >> 31, 237, 0, v7, (int)v7 >> 31);
++flag;
off_925428(flag, flag >> 31, flag, flag >> 31, 254, 0, v7, (int)v7 >> 31);
++flag;
off_925460(flag, flag >> 31, flag, flag >> 31, 151, 0, v7, (int)v7 >> 31);
++flag;
off_92540C(flag, flag >> 31, flag, flag >> 31, 249, 0, v7, (int)v7 >> 31);
++flag;
off_9253F4(flag, flag >> 31, flag, flag >> 31, 152, 0, v7, (int)v7 >> 31);
off_925438(flag + 1, (flag + 1) >> 31, flag + 1, (flag + 1) >> 31, 101, 0, v7, (int)v7 >> 31);
v5 = memcmp(&unk_925018, argv[1], 0x30u);
if ( v5 )
{
sub_921340("Wrong\n", v5);
exit(-1);
}
sub_921340("I know you know the flag!\n", 0);
return 0;
}

复制代码

ida打开简单审计代码可知程序对flag的每一位进行了操作，我们随便点击一个看一下，其他的依此类推。

最终来到这个函数，这里已经手动patch过了
可以f5看伪代码也可以直接看汇编
额这里为了好说明就看伪代码吧

其中a5是传入的参数，a2就是flag的密文，我们猜测(a5+36)的地址对应的值就是flag传入的一位，因此将每一个a5参数提取出来，猜测flag是按照从左往右的顺序加密。建flag的密文提取出来，然后将异或的每个值提取出来写出解密脚本

enc=[ 0x96, 0x50, 0xCF, 0x2C, 0xEB, 0x9B, 0xAA, 0xFB, 0x53, 0xAB,
0x73, 0xDD, 0x6C, 0x9E, 0xDB, 0xBC, 0xEE, 0xAB, 0x23, 0xD6,
0x16, 0xFD, 0xF1, 0xF0, 0xB9, 0x75, 0xC3, 0x28, 0xA2, 0x74,
0x7D, 0xE3, 0x27, 0xD5, 0x95, 0x5C, 0xF5, 0x76, 0x75, 0xC9,
0x8C, 0xFB, 0x42, 0x0E, 0xBD, 0x51, 0xA2, 0x98]
a=[196,22, 142, 119, 5,185, 13, 107, 36, 85, 18, 53, 118, 231, 251, 160, 218, 52, 132, 180, 200, 155, 239, 180, 185, 10, 87, 92, 254, 197, 106,115, 73, 189, 17,214, 143, 107, 10, 151, 171, 78, 237, 254, 151, 249,152,101]
k=[0xba,0x2f,0xcd,0xf6,0x9f,0xd0,0x22,0xf7,0xd0,0x1f,0xa8,0x3d,0xc7,0xa5,0x47,0x68,0xd7,0x4a,0x96,0x91,0x2e,0x19,0xc5,0xe3,0x88,0xbd,0x4e,0x93,0x13,0xf1,0xcc,0x47,0xab,0xc9,0x48,0x2b,0x9,0x50,0x4f,0xe9,0xc0,0x5e,0xef,0x8b,0x85,0xcb,0x55,0x70]
flag=""
for i in range(48):
tmp=(enc[i]^k[i])-a[i]
if tmp>0 and tmp<126:
flag+=chr(tmp)
elif tmp>=126:
flag+=chr(256-tmp)
elif tmp<0 and tmp>-126:
flag+=chr(-tmp)
else:
flag+=chr(256+tmp)
print(flag)

复制代码

这里通过flag格式测试可知，范围为-126到126(也可以是-128到128)之间的数直接将其绝对值转为ascii对应的字符，范围之外的正数用256减去，负数用256加上。控制在ascii字符范围内。
最终得flag:hitcon{___7U5T_4_S1mpIE_xB6_M@G1C_4_mE0w_W@y___}

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！

		自动登录	找回密码
密码			立即注册

hitconctf2022 Meow Way

本帖子中包含更多资源

0 个回复

快速回复

楼主热帖

标签云