攻防世界 reverse Replace
Replace 湖湘杯2018
查壳upx,手动脱壳,修复IAT,去掉重定向便可以运行。
ida查看,流程清晰。关键函数check_E51090。
int __cdecl main(int argc, const char **argv, const char **envp)
{
int lens; // kr00_4
char Buf; // [esp+4h] [ebp-2Ch]
char Dst; // [esp+5h] [ebp-2Bh] Buf = 0;
memset(&Dst, 0, 0x27u);
printf("Welcome The System\nPlease Input Key:");
gets_s(&Buf, 0x28u);
lens = strlen(&Buf);
if ( (unsigned int)(lens - 35) <= 2 ) // <=37
{
if ( check_E51090(&Buf, lens) == 1 )
printf("Well Done!\n");
else
printf("Your Wrong!\n");
}
return 0;
}
查看check_E51090
signed int __fastcall check_E51090(char *buf, int lens)
{
char *buf_2; // ebx
int i; // edx
char a; // al
int b; // esi
int c; // edi
char d; // al
int e; // eax
char f; // cl
int g; // eax
int h; // ecx buf_2 = buf;
if ( lens != 35 )
return -1;
i = 0;
while ( 1 )
{
a = buf_2[i];
b = (a >> 4) % 16;
c = (16 * a >> 4) % 16;
d = data_E52150[2 * i];
if ( d < 48 || d > 57 )
e = d - 87;
else
e = d - 48;
f = data_E52150[2 * i + 1];
g = 16 * e;
if ( f < 48 || f > 57 )
h = f - 87;
else
h = f - 48;
if ( (unsigned __int8)data[16 * b + c] != ((g + h) ^ 0x19) )
break;
if ( ++i >= 35 )
return 1;
}
return -1;
}
wp:
data_E52150=[50, 97, 52, 57, 102, 54, 57, 99, 51, 56,
51, 57, 53, 99, 100, 101, 57, 54, 100, 54,
100, 101, 57, 54, 100, 54, 102, 52, 101, 48,
50, 53, 52, 56, 52, 57, 53, 52, 100, 54,
49, 57, 53, 52, 52, 56, 100, 101, 102, 54,
101, 50, 100, 97, 100, 54, 55, 55, 56, 54,
101, 50, 49, 100, 53, 97, 100, 97, 101, 54]
data=[99, 124, 119, 123, 242, 107, 111, 197, 48, 1,
103, 43, 254, 215, 171, 118, 202, 130, 201, 125,
250, 89, 71, 240, 173, 212, 162, 175, 156, 164,
114, 192, 183, 253, 147, 38, 54, 63, 247, 204,
52, 165, 229, 241, 113, 216, 49, 21, 4, 199,
35, 195, 24, 150, 5, 154, 7, 18, 128, 226,
235, 39, 178, 117, 9, 131, 44, 26, 27, 110,
90, 160, 82, 59, 214, 179, 41, 227, 47, 132,
83, 209, 0, 237, 32, 252, 177, 91, 106, 203,
190, 57, 74, 76, 88, 207, 208, 239, 170, 251,
67, 77, 51, 133, 69, 249, 2, 127, 80, 60,
159, 168, 81, 163, 64, 143, 146, 157, 56, 245,
188, 182, 218, 33, 16, 255, 243, 210, 205, 12,
19, 236, 95, 151, 68, 23, 196, 167, 126, 61,
100, 93, 25, 115, 96, 129, 79, 220, 34, 42,
144, 136, 70, 238, 184, 20, 222, 94, 11, 219,
224, 50, 58, 10, 73, 6, 36, 92, 194, 211,
172, 98, 145, 149, 228, 121, 231, 200, 55, 109,
141, 213, 78, 169, 108, 86, 244, 234, 101, 122,
174, 8, 186, 120, 37, 46, 28, 166, 180, 198,
232, 221, 116, 31, 75, 189, 139, 138, 112, 62,
181, 102, 72, 3, 246, 14, 97, 53, 87, 185,
134, 193, 29, 158, 225, 248, 152, 17, 105, 217,
142, 148, 155, 30, 135, 233, 206, 85, 40, 223,
140, 161, 137, 13, 191, 230, 66, 104, 65, 153,
45, 15, 176, 84, 187, 22, 72, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0]
tg=[]
for i in range(35):
d = data_E52150[2 * i];
if (d < 48 or d > 57):
e = d - 87;
else:
e = d - 48;
f = data_E52150[2 * i + 1];
g = 16 * e;
if (f < 48 or f > 57):
h = f - 87;
else:
h = f - 48;
x=((g + h) ^ 0x19)
tg.append(x)
flag=''
for i in range(35):
flag+=chr(data.index(tg[i]))
print(flag)
flag{Th1s_1s_Simple_Rep1ac3_Enc0d3}
攻防世界 reverse Replace的更多相关文章
- 攻防世界 reverse tt3441810
tt3441810 tinyctf-2014 附件给了一堆数据,将十六进制数据部分提取出来, flag应该隐藏在里面,(这算啥子re,) 保留可显示字符,然后去除填充字符(找规律 0.0) 处理脚本: ...
- 攻防世界 reverse 进阶 10 Reverse Box
攻防世界中此题信息未给全,题目来源为[TWCTF-2016:Reverse] Reverse Box 网上有很多wp是使用gdb脚本,这里找到一个本地还原关键算法,然后再爆破的 https://www ...
- 攻防世界 reverse evil
这是2017 ddctf的一道逆向题, 挑战:<恶意软件分析> 赛题背景: 员工小A收到了一封邮件,带一个文档附件,小A随手打开了附件.随后IT部门发现小A的电脑发出了异常网络访问请求,进 ...
- 攻防世界 reverse 进阶 APK-逆向2
APK-逆向2 Hack-you-2014 (看名以为是安卓逆向呢0.0,搞错了吧) 程序是.net写的,直接祭出神器dnSpy 1 using System; 2 using System.Diag ...
- 攻防世界 reverse Windows_Reverse2
Windows_Reverse2 2019_DDCTF 查壳: 寻找oep-->dump-->iat修复 便可成功脱壳 int __cdecl main(int argc, con ...
- 攻防世界 reverse BabyXor
BabyXor 2019_UNCTF 查壳 脱壳 dump 脱壳后 IDA静态分析 int main_0() { void *v0; // eax int v1; // ST5C_4 char ...
- 攻防世界 reverse parallel-comparator-200
parallel-comparator-200 school-ctf-winter-2015 https://github.com/ctfs/write-ups-2015/tree/master/sc ...
- 攻防世界 reverse 进阶 8-The_Maya_Society Hack.lu-2017
8.The_Maya_Society Hack.lu-2017 在linux下将时间调整为2012-12-21,运行即可得到flag. 下面进行分析 1 signed __int64 __fastca ...
- 攻防世界 reverse easy_Maze
easy_Maze 从题目可得知是简单的迷宫问题 int __cdecl main(int argc, const char **argv, const char **envp) { __int64 ...
随机推荐
- Eclipce怎么恢复误删类
选择误删除文件在eclipse所在包(文件夹) 在包上单击右键. 选择restore from local history... 在弹出的对话框中选择需要恢复的文件
- Set-Cookie & Secure & HttpOnly & SameSite
Set-Cookie & Secure & HttpOnly & SameSite HTTP/Headers/Set-Cookie Set-Cookie https://dev ...
- Rust learning notes
Rust learning notes Rust Version 1.42.0 $ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs ...
- Linux & SIGUSER1
Linux & SIGUSER1 https://stackoverflow.com/questions/10824886/how-to-signal-an-application-witho ...
- zsh all in one
zsh all in one zsh https://ohmyz.sh/ # install $ sh -c "$(curl -fsSL https://raw.github.com/ohm ...
- arrayBuffer 转base64
var buffer = new ArrayBuffer(8);// buffer 是接收到后台的流 function _arrayBufferToBase64( buffer ) { var bin ...
- NGK福利再升级,1万枚VAST限时免费送
NGK在推出持有算力获得SPC空投活动后,福利再升级,于美国加州时间2021年2月8日下午4点推出新人福利活动,注册NGK成为新会员,即可获得0.2枚VAST奖励. VAST免费福利送活动仅送出1万枚 ...
- React Native选择器组件-react-native-slidepicker
react-native-slidepicker 一个纯 JavaScript 实现的的 React Native 组件,用于如地址,时间等分类数据选择的场景. github: https://git ...
- java数据类型(进阶篇)
public class note03 { public static void main(String[] args) { //数据类型拓展 //1.整数拓展 //进制: 二进制0b 十进制 八进制 ...
- redis5.* 手动构建集群
1.集群的概念 集群是一组相互独立的.通过高速网络互联的计算机,它们构成了一个组,并以单一系统的模式加以管理.一个客户与集群相互作用时,集群像是一个独立的服务器.集群配置是用于提高可用性和可缩放性.当 ...