crazy 百越杯2018

查看main函数:

int __cdecl main(int argc, const char **argv, const char **envp)

{

  __int64 v3; // rax

  __int64 v4; // rax

  __int64 v5; // rax

  __int64 v6; // rax

  __int64 v7; // rax

  __int64 v8; // rax

  __int64 v9; // rax

  __int64 v10; // rax

  __int64 v11; // rax

  __int64 v12; // rax

  __int64 v13; // rax

  __int64 v14; // rax

  __int64 v15; // rax

  __int64 v16; // rax

  char myinput_str; // [rsp+10h] [rbp-130h]

  char v19; // [rsp+30h] [rbp-110h]

  char v20; // [rsp+50h] [rbp-F0h]

  char v21; // [rsp+70h] [rbp-D0h]

  char myinput_copy; // [rsp+90h] [rbp-B0h]

  char temp; // [rsp+B0h] [rbp-90h]

  unsigned __int64 v24; // [rsp+128h] [rbp-18h]

  v24 = __readfsqword(0x28u);

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(

    (__int64)&myinput_str,

    (__int64)argv,

    (__int64)envp);

  std::operator>><char,std::char_traits<char>,std::allocator<char>>(&std::cin, &myinput_str);

  v3 = std::operator<<<std::char_traits<char>>(&std::cout, "-------------------------------------------");

  std::ostream::operator<<(v3, &std::endl<char,std::char_traits<char>>);

  v4 = std::operator<<<std::char_traits<char>>(&std::cout, "Quote from people's champ");

  std::ostream::operator<<(v4, &std::endl<char,std::char_traits<char>>);

  v5 = std::operator<<<std::char_traits<char>>(&std::cout, "-------------------------------------------");

  std::ostream::operator<<(v5, &std::endl<char,std::char_traits<char>>);

  v6 = std::operator<<<std::char_traits<char>>(

         &std::cout,

         "*My goal was never to be the loudest or the craziest. It was to be the most entertaining.");

  std::ostream::operator<<(v6, &std::endl<char,std::char_traits<char>>);

  v7 = std::operator<<<std::char_traits<char>>(&std::cout, "*Wrestling was like stand-up comedy for me.");

  std::ostream::operator<<(v7, &std::endl<char,std::char_traits<char>>);

  v8 = std::operator<<<std::char_traits<char>>(

         &std::cout,

         "*I like to use the hard times in the past to motivate me today.");

  std::ostream::operator<<(v8, &std::endl<char,std::char_traits<char>>);

  v9 = std::operator<<<std::char_traits<char>>(&std::cout, "-------------------------------------------");

  std::ostream::operator<<(v9, &std::endl<char,std::char_traits<char>>);

  HighTemplar::HighTemplar((DarkTemplar *)&temp, &myinput_str);// 327a6c4304ad5938eaf0efb6cc3e53dc

  v10 = std::operator<<<std::char_traits<char>>(&std::cout, "Checking....");

  std::ostream::operator<<(v10, &std::endl<char,std::char_traits<char>>);

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(&v19, &myinput_str);

  func1((__int64)&v20, (__int64)&v19);

  func2((__int64)&v21, (__int64)&v20);

  func3((__int64)&v21, 0);

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v21);

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v20);

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v19);

  HighTemplar::calculate((HighTemplar *)&temp);//加密处

  if ( (unsigned int)HighTemplar::getSerial((HighTemplar *)&temp) == 0 )//验证处

  {

    v11 = std::operator<<<std::char_traits<char>>(&std::cout, "/////////////////////////////////");

    std::ostream::operator<<(v11, &std::endl<char,std::char_traits<char>>);

    v12 = std::operator<<<std::char_traits<char>>(&std::cout, "Do not be angry. Happy Hacking :)");

    std::ostream::operator<<(v12, &std::endl<char,std::char_traits<char>>);

    v13 = std::operator<<<std::char_traits<char>>(&std::cout, "/////////////////////////////////");

    std::ostream::operator<<(v13, &std::endl<char,std::char_traits<char>>);

    ZN11HighTemplar7getFlagB5cxx11Ev((__int64)&myinput_copy, (__int64)&temp);// 取输入

    v14 = std::operator<<<std::char_traits<char>>(&std::cout, "flag{");

    v15 = std::operator<<<char,std::char_traits<char>,std::allocator<char>>(v14, &myinput_copy);

    v16 = std::operator<<<std::char_traits<char>>(v15, "}");

    std::ostream::operator<<(v16, &std::endl<char,std::char_traits<char>>);

    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&myinput_copy);

  }

  HighTemplar::~HighTemplar((HighTemplar *)&temp);

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&myinput_str);

  return 0;

}

三个关键函数HighTemplar::HighTemplar((DarkTemplar *)&temp, &myinput_str);    HighTemplar::getSerial((HighTemplar *)&temp)   和  HighTemplar::calculate((HighTemplar *)&temp);

HighTemplar::HighTemplar((DarkTemplar *)&temp, &myinput_str),进行字符串转储。

unsigned __int64 __fastcall HighTemplar::HighTemplar(DarkTemplar *temp, char *myinput_str)

{

  char v3; // [rsp+17h] [rbp-19h]

  unsigned __int64 v4; // [rsp+18h] [rbp-18h]

  v4 = __readfsqword(0x28u);

  DarkTemplar::DarkTemplar(temp);

  *(_QWORD *)temp = &off_401EA0;

  *((_DWORD *)temp + 3) = 0;

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(

    (char *)temp + 16,

    myinput_str);                               // temp + 16 -->存储输入

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(

    (char *)temp + 48,

    myinput_str);                               // temp + 48 -->存储输入

  std::allocator<char>::allocator(&v3, myinput_str);

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(

    (__int64)temp + 80,                         // temp + 80 -->存储327a6c4304ad5938eaf0efb6cc3e53dc

    (__int64)"327a6c4304ad5938eaf0efb6cc3e53dc",

    (__int64)&v3);

  std::allocator<char>::~allocator(&v3);

  return __readfsqword(0x28u) ^ v4;

}

HighTemplar::calculate((HighTemplar *)&temp);进行加密操作

bool __fastcall HighTemplar::calculate(HighTemplar *this)

{

  __int64 v1; // rax

  _BYTE *v2; // rbx

  bool result; // al

  _BYTE *v4; // rbx

  int i; // [rsp+18h] [rbp-18h]

  int j; // [rsp+1Ch] [rbp-14h]

  if ( std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16) != 32 )// 输入长32

  {

    v1 = std::operator<<<std::char_traits<char>>(&std::cout, "Too short or too long");

    std::ostream::operator<<(v1, &std::endl<char,std::char_traits<char>>);

    exit(-1);

  }

  for ( i = 0;

        i <= (unsigned __int64)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16);

        ++i )

  {

    v2 = (_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](

                    (char *)this + 16,

                    i);

    *v2 = (*(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](

                       (char *)this + 16,

                       i) ^ 0x50)               // (每个字符^0x50)+23

        + 23;

  }

  for ( j = 0; ; ++j )

  {

    result = j <= (unsigned __int64)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16);

    if ( !result )

      break;

    v4 = (_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](

                    (char *)this + 16,

                    j);

    *v4 = (*(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](

                       (char *)this + 16,

                       j) ^ 0x13)               // (每个字符^0x13)+11

        + 11;

  }

  return result;

}

HighTemplar::getSerial((HighTemplar *)&temp)进行验证操作

__int64 __fastcall HighTemplar::getSerial(HighTemplar *this)

{

  __int64 v1; // rbx

  __int64 v2; // rax

  __int64 v3; // rax

  __int64 v4; // rax

  __int64 v5; // rax

  unsigned int i; // [rsp+1Ch] [rbp-14h]

  for ( i = 0;

        (signed int)i < (unsigned __int64)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16);

        ++i )

  {

    v1 = *(unsigned __int8 *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](

                               (char *)this + 80,// HighTemplar::HighTemplar((DarkTemplar *)&temp, &myinput_str)之前赋值,327a6c4304ad5938eaf0efb6cc3e53dc

                               (signed int)i);

    if ( (_BYTE)v1 != *(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](

                                  (char *)this + 16,// 取输入

                                  (signed int)i) )

    {

      v4 = std::operator<<<std::char_traits<char>>(&std::cout, "You did not pass ");

      v5 = std::ostream::operator<<(v4, i);

      std::ostream::operator<<(v5, &std::endl<char,std::char_traits<char>>);

      *((_DWORD *)this + 3) = 1;

      return *((unsigned int *)this + 3);

    }

    v2 = std::operator<<<std::char_traits<char>>(&std::cout, "Pass ");

    v3 = std::ostream::operator<<(v2, i);

    std::ostream::operator<<(v3, &std::endl<char,std::char_traits<char>>);

  }

  return *((unsigned int *)this + 3);

}

简单的异或与加法的操作

wp:

temp='327a6c4304ad5938eaf0efb6cc3e53dc'

flag=''

for i in range(len(temp)):

    n=ord(temp[i])

    flag+=chr((((n-11)^0x13)-23)^0x50)

print('flag{'+flag+'}')

flag{tMx~qdstOs~crvtwb~aOba}qddtbrtcd}

攻防世界 reverse crazy的更多相关文章

  1. 攻防世界 reverse 进阶 10 Reverse Box

    攻防世界中此题信息未给全,题目来源为[TWCTF-2016:Reverse] Reverse Box 网上有很多wp是使用gdb脚本,这里找到一个本地还原关键算法,然后再爆破的 https://www ...

  2. 攻防世界 reverse evil

    这是2017 ddctf的一道逆向题, 挑战:<恶意软件分析> 赛题背景: 员工小A收到了一封邮件,带一个文档附件,小A随手打开了附件.随后IT部门发现小A的电脑发出了异常网络访问请求,进 ...

  3. 攻防世界 reverse tt3441810

    tt3441810 tinyctf-2014 附件给了一堆数据,将十六进制数据部分提取出来, flag应该隐藏在里面,(这算啥子re,) 保留可显示字符,然后去除填充字符(找规律 0.0) 处理脚本: ...

  4. 攻防世界 reverse 进阶 APK-逆向2

    APK-逆向2 Hack-you-2014 (看名以为是安卓逆向呢0.0,搞错了吧) 程序是.net写的,直接祭出神器dnSpy 1 using System; 2 using System.Diag ...

  5. 攻防世界 reverse Windows_Reverse2

    Windows_Reverse2   2019_DDCTF 查壳: 寻找oep-->dump-->iat修复   便可成功脱壳 int __cdecl main(int argc, con ...

  6. 攻防世界 reverse BabyXor

    BabyXor     2019_UNCTF 查壳 脱壳 dump 脱壳后 IDA静态分析 int main_0() { void *v0; // eax int v1; // ST5C_4 char ...

  7. 攻防世界 reverse parallel-comparator-200

    parallel-comparator-200 school-ctf-winter-2015 https://github.com/ctfs/write-ups-2015/tree/master/sc ...

  8. 攻防世界 reverse 进阶 8-The_Maya_Society Hack.lu-2017

    8.The_Maya_Society Hack.lu-2017 在linux下将时间调整为2012-12-21,运行即可得到flag. 下面进行分析 1 signed __int64 __fastca ...

  9. 攻防世界 reverse easy_Maze

    easy_Maze 从题目可得知是简单的迷宫问题 int __cdecl main(int argc, const char **argv, const char **envp) { __int64 ...

随机推荐

  1. Makefile 赋值 函数定义 等小知识点

    1.赋值 == 到用的时候实际才去赋值:= 立刻赋值?= 未赋值才赋值+= 2.多层变量 多层变量引用(各种复杂组合...)a =bb= cc= dd =1$($($($(a)))) 最终等于1 3. ...

  2. 24 WAYS to impress your friends

    24 WAYS to impress your friends 24 ways is the advent calendar for web geeks. For twenty-four days e ...

  3. Flutter CodePen challenges

    Flutter CodePen challenges 挑战赛 https://mp.weixin.qq.com/s/qIYokWN9SVgr-F7YxbJuOQ CodePen Flutter 编辑器 ...

  4. Deno 1.0 & Node.js

    Deno 1.0 & Node.js A secure runtime for JavaScript and TypeScript. https://deno.land/v1 https:// ...

  5. lerna

    lerna A tool for managing JavaScript projects with multiple packages. https://lerna.js.org/ https:// ...

  6. Flutter Widget API

    Flutter Widget API https://api.flutter.dev/ https://api.flutter.dev/flutter/material/material-librar ...

  7. USDN代币多少钱?USDN有什么用?

    加密货币走向主流人群的采用有很多障碍,比如监管.交易所黑客事件等,但最明显的障碍还是它们极端的价格波动.这从加密货币的整个历史长度来看都是如此.一个货币要正常运转,比如成为有效的交换媒介.记账单位以及 ...

  8. Captain technology开发的新能源汽车强在哪里?

    在新能源汽车飞速发展的这些年,Captain technology 认识到,要改变有状况,就要不断创新,调整新能源汽车发展路线.新能源汽车本质永远是汽车, Captain technology是在改变 ...

  9. JULLIAN MURPHY:拥有良好的心态,运气福气便会自来

    JULLIAN MURPHY是星盟全球投资公司的基金预审经理,负责星盟投资项目预审,有着资深的基金管理经验,并且在区块链应用的兴起中投资了多个应用区块链技术的公司. JULLIAN MURPHY认为往 ...

  10. css中的transform,transition,translate的关系

    transform 旋转(transform是没有动画效果,你改变了它的值,元素的样子就唰的改变了.其中的位移的函数名就叫translate,所以说,translate是transform的一部分.) ...