crazy 百越杯2018

查看main函数:

int __cdecl main(int argc, const char **argv, const char **envp)

{

  __int64 v3; // rax

  __int64 v4; // rax

  __int64 v5; // rax

  __int64 v6; // rax

  __int64 v7; // rax

  __int64 v8; // rax

  __int64 v9; // rax

  __int64 v10; // rax

  __int64 v11; // rax

  __int64 v12; // rax

  __int64 v13; // rax

  __int64 v14; // rax

  __int64 v15; // rax

  __int64 v16; // rax

  char myinput_str; // [rsp+10h] [rbp-130h]

  char v19; // [rsp+30h] [rbp-110h]

  char v20; // [rsp+50h] [rbp-F0h]

  char v21; // [rsp+70h] [rbp-D0h]

  char myinput_copy; // [rsp+90h] [rbp-B0h]

  char temp; // [rsp+B0h] [rbp-90h]

  unsigned __int64 v24; // [rsp+128h] [rbp-18h]

  v24 = __readfsqword(0x28u);

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(

    (__int64)&myinput_str,

    (__int64)argv,

    (__int64)envp);

  std::operator>><char,std::char_traits<char>,std::allocator<char>>(&std::cin, &myinput_str);

  v3 = std::operator<<<std::char_traits<char>>(&std::cout, "-------------------------------------------");

  std::ostream::operator<<(v3, &std::endl<char,std::char_traits<char>>);

  v4 = std::operator<<<std::char_traits<char>>(&std::cout, "Quote from people's champ");

  std::ostream::operator<<(v4, &std::endl<char,std::char_traits<char>>);

  v5 = std::operator<<<std::char_traits<char>>(&std::cout, "-------------------------------------------");

  std::ostream::operator<<(v5, &std::endl<char,std::char_traits<char>>);

  v6 = std::operator<<<std::char_traits<char>>(

         &std::cout,

         "*My goal was never to be the loudest or the craziest. It was to be the most entertaining.");

  std::ostream::operator<<(v6, &std::endl<char,std::char_traits<char>>);

  v7 = std::operator<<<std::char_traits<char>>(&std::cout, "*Wrestling was like stand-up comedy for me.");

  std::ostream::operator<<(v7, &std::endl<char,std::char_traits<char>>);

  v8 = std::operator<<<std::char_traits<char>>(

         &std::cout,

         "*I like to use the hard times in the past to motivate me today.");

  std::ostream::operator<<(v8, &std::endl<char,std::char_traits<char>>);

  v9 = std::operator<<<std::char_traits<char>>(&std::cout, "-------------------------------------------");

  std::ostream::operator<<(v9, &std::endl<char,std::char_traits<char>>);

  HighTemplar::HighTemplar((DarkTemplar *)&temp, &myinput_str);// 327a6c4304ad5938eaf0efb6cc3e53dc

  v10 = std::operator<<<std::char_traits<char>>(&std::cout, "Checking....");

  std::ostream::operator<<(v10, &std::endl<char,std::char_traits<char>>);

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(&v19, &myinput_str);

  func1((__int64)&v20, (__int64)&v19);

  func2((__int64)&v21, (__int64)&v20);

  func3((__int64)&v21, 0);

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v21);

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v20);

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v19);

  HighTemplar::calculate((HighTemplar *)&temp);//加密处

  if ( (unsigned int)HighTemplar::getSerial((HighTemplar *)&temp) == 0 )//验证处

  {

    v11 = std::operator<<<std::char_traits<char>>(&std::cout, "/////////////////////////////////");

    std::ostream::operator<<(v11, &std::endl<char,std::char_traits<char>>);

    v12 = std::operator<<<std::char_traits<char>>(&std::cout, "Do not be angry. Happy Hacking :)");

    std::ostream::operator<<(v12, &std::endl<char,std::char_traits<char>>);

    v13 = std::operator<<<std::char_traits<char>>(&std::cout, "/////////////////////////////////");

    std::ostream::operator<<(v13, &std::endl<char,std::char_traits<char>>);

    ZN11HighTemplar7getFlagB5cxx11Ev((__int64)&myinput_copy, (__int64)&temp);// 取输入

    v14 = std::operator<<<std::char_traits<char>>(&std::cout, "flag{");

    v15 = std::operator<<<char,std::char_traits<char>,std::allocator<char>>(v14, &myinput_copy);

    v16 = std::operator<<<std::char_traits<char>>(v15, "}");

    std::ostream::operator<<(v16, &std::endl<char,std::char_traits<char>>);

    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&myinput_copy);

  }

  HighTemplar::~HighTemplar((HighTemplar *)&temp);

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&myinput_str);

  return 0;

}

三个关键函数HighTemplar::HighTemplar((DarkTemplar *)&temp, &myinput_str);    HighTemplar::getSerial((HighTemplar *)&temp)   和  HighTemplar::calculate((HighTemplar *)&temp);

HighTemplar::HighTemplar((DarkTemplar *)&temp, &myinput_str),进行字符串转储。

unsigned __int64 __fastcall HighTemplar::HighTemplar(DarkTemplar *temp, char *myinput_str)

{

  char v3; // [rsp+17h] [rbp-19h]

  unsigned __int64 v4; // [rsp+18h] [rbp-18h]

  v4 = __readfsqword(0x28u);

  DarkTemplar::DarkTemplar(temp);

  *(_QWORD *)temp = &off_401EA0;

  *((_DWORD *)temp + 3) = 0;

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(

    (char *)temp + 16,

    myinput_str);                               // temp + 16 -->存储输入

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(

    (char *)temp + 48,

    myinput_str);                               // temp + 48 -->存储输入

  std::allocator<char>::allocator(&v3, myinput_str);

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(

    (__int64)temp + 80,                         // temp + 80 -->存储327a6c4304ad5938eaf0efb6cc3e53dc

    (__int64)"327a6c4304ad5938eaf0efb6cc3e53dc",

    (__int64)&v3);

  std::allocator<char>::~allocator(&v3);

  return __readfsqword(0x28u) ^ v4;

}

HighTemplar::calculate((HighTemplar *)&temp);进行加密操作

bool __fastcall HighTemplar::calculate(HighTemplar *this)

{

  __int64 v1; // rax

  _BYTE *v2; // rbx

  bool result; // al

  _BYTE *v4; // rbx

  int i; // [rsp+18h] [rbp-18h]

  int j; // [rsp+1Ch] [rbp-14h]

  if ( std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16) != 32 )// 输入长32

  {

    v1 = std::operator<<<std::char_traits<char>>(&std::cout, "Too short or too long");

    std::ostream::operator<<(v1, &std::endl<char,std::char_traits<char>>);

    exit(-1);

  }

  for ( i = 0;

        i <= (unsigned __int64)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16);

        ++i )

  {

    v2 = (_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](

                    (char *)this + 16,

                    i);

    *v2 = (*(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](

                       (char *)this + 16,

                       i) ^ 0x50)               // (每个字符^0x50)+23

        + 23;

  }

  for ( j = 0; ; ++j )

  {

    result = j <= (unsigned __int64)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16);

    if ( !result )

      break;

    v4 = (_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](

                    (char *)this + 16,

                    j);

    *v4 = (*(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](

                       (char *)this + 16,

                       j) ^ 0x13)               // (每个字符^0x13)+11

        + 11;

  }

  return result;

}

HighTemplar::getSerial((HighTemplar *)&temp)进行验证操作

__int64 __fastcall HighTemplar::getSerial(HighTemplar *this)

{

  __int64 v1; // rbx

  __int64 v2; // rax

  __int64 v3; // rax

  __int64 v4; // rax

  __int64 v5; // rax

  unsigned int i; // [rsp+1Ch] [rbp-14h]

  for ( i = 0;

        (signed int)i < (unsigned __int64)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16);

        ++i )

  {

    v1 = *(unsigned __int8 *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](

                               (char *)this + 80,// HighTemplar::HighTemplar((DarkTemplar *)&temp, &myinput_str)之前赋值,327a6c4304ad5938eaf0efb6cc3e53dc

                               (signed int)i);

    if ( (_BYTE)v1 != *(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](

                                  (char *)this + 16,// 取输入

                                  (signed int)i) )

    {

      v4 = std::operator<<<std::char_traits<char>>(&std::cout, "You did not pass ");

      v5 = std::ostream::operator<<(v4, i);

      std::ostream::operator<<(v5, &std::endl<char,std::char_traits<char>>);

      *((_DWORD *)this + 3) = 1;

      return *((unsigned int *)this + 3);

    }

    v2 = std::operator<<<std::char_traits<char>>(&std::cout, "Pass ");

    v3 = std::ostream::operator<<(v2, i);

    std::ostream::operator<<(v3, &std::endl<char,std::char_traits<char>>);

  }

  return *((unsigned int *)this + 3);

}

简单的异或与加法的操作

wp:

temp='327a6c4304ad5938eaf0efb6cc3e53dc'

flag=''

for i in range(len(temp)):

    n=ord(temp[i])

    flag+=chr((((n-11)^0x13)-23)^0x50)

print('flag{'+flag+'}')

flag{tMx~qdstOs~crvtwb~aOba}qddtbrtcd}

攻防世界 reverse crazy的更多相关文章

  1. 攻防世界 reverse 进阶 10 Reverse Box

    攻防世界中此题信息未给全,题目来源为[TWCTF-2016:Reverse] Reverse Box 网上有很多wp是使用gdb脚本,这里找到一个本地还原关键算法,然后再爆破的 https://www ...

  2. 攻防世界 reverse evil

    这是2017 ddctf的一道逆向题, 挑战:<恶意软件分析> 赛题背景: 员工小A收到了一封邮件,带一个文档附件,小A随手打开了附件.随后IT部门发现小A的电脑发出了异常网络访问请求,进 ...

  3. 攻防世界 reverse tt3441810

    tt3441810 tinyctf-2014 附件给了一堆数据,将十六进制数据部分提取出来, flag应该隐藏在里面,(这算啥子re,) 保留可显示字符,然后去除填充字符(找规律 0.0) 处理脚本: ...

  4. 攻防世界 reverse 进阶 APK-逆向2

    APK-逆向2 Hack-you-2014 (看名以为是安卓逆向呢0.0,搞错了吧) 程序是.net写的,直接祭出神器dnSpy 1 using System; 2 using System.Diag ...

  5. 攻防世界 reverse Windows_Reverse2

    Windows_Reverse2   2019_DDCTF 查壳: 寻找oep-->dump-->iat修复   便可成功脱壳 int __cdecl main(int argc, con ...

  6. 攻防世界 reverse BabyXor

    BabyXor     2019_UNCTF 查壳 脱壳 dump 脱壳后 IDA静态分析 int main_0() { void *v0; // eax int v1; // ST5C_4 char ...

  7. 攻防世界 reverse parallel-comparator-200

    parallel-comparator-200 school-ctf-winter-2015 https://github.com/ctfs/write-ups-2015/tree/master/sc ...

  8. 攻防世界 reverse 进阶 8-The_Maya_Society Hack.lu-2017

    8.The_Maya_Society Hack.lu-2017 在linux下将时间调整为2012-12-21,运行即可得到flag. 下面进行分析 1 signed __int64 __fastca ...

  9. 攻防世界 reverse easy_Maze

    easy_Maze 从题目可得知是简单的迷宫问题 int __cdecl main(int argc, const char **argv, const char **envp) { __int64 ...

随机推荐

  1. Gym 101128F Landscaping(网络流)题解

    题意:n*m的地,从有高地和低地,从高地走到低地或者从低地走到高地花费a,把高地和低地互相改造一次花费b.现在要走遍每一行每一列,问最小花费 思路:超级源点连接所有低地,容量b:所有地向四周建边,容量 ...

  2. MYSQL基础常见常用语句200条

    数据库 # 查看所有的数据库 SHOW DATABASES ; # 创建一个数据库 CREATE DATABASE k; # 删除一个数据库 DROP DATABASE k; # 使用这个数据库 US ...

  3. Tailwind CSS in Action

    Tailwind CSS in Action Tailwind CSS是一个高度可定制的低级CSS框架,它为您提供了构建定制设计所需的所有构造块,而无需烦恼要覆盖的烦人的自以为是的样式 https:/ ...

  4. React Native & Fast Refresh

    React Native & Fast Refresh 0.61 https://reactnative.dev/blog/2019/09/18/version-0.61/ Fast Refr ...

  5. queueMicrotask & microtask

    queueMicrotask & microtask microtask microtask queue Promise Mutation Observer API MutationObser ...

  6. css 设置多行文本的行间距

    css 设置多行文本的行间距 block element span .ticket-card-info{ line-height:16px; display: inline-block; } .tic ...

  7. qt 注册热键

    原文 将所需的库添加到您的qmake项目(.PRO文件) LIBS += \ -lUser32 2.在代码中包含所需的头文件. #include <windows.h> 在程序开始时注册热 ...

  8. vue技术栈

    1 vue 说明:vue生命周期:技术点:1:常用的API:computed,methods,props,mounted,created,components 2vue-cli说明:vue绞手架,用于 ...

  9. ECMAScript 等性运算符

    判断两个变量是否相等是程序设计中非常重要的运算.在处理原始值时,这种运算相当简单,但涉及对象,任务就稍有点复杂. ECMAScript 提供了两套等性运算符:等号和非等号用于处理原始值,全等号和非全等 ...

  10. 🎊 Element UI 新春快报

    新年好,Element UI 开发团队给各位支持我们的开发者们拜个晚年,祝大家在新的一年里工作没 bug, 天天不加班. 在过去一年里,Element UI 团队在稳定维护 Vue 2.x 版本的同时 ...