crazy 百越杯2018

查看main函数:

int __cdecl main(int argc, const char **argv, const char **envp)

{

  __int64 v3; // rax

  __int64 v4; // rax

  __int64 v5; // rax

  __int64 v6; // rax

  __int64 v7; // rax

  __int64 v8; // rax

  __int64 v9; // rax

  __int64 v10; // rax

  __int64 v11; // rax

  __int64 v12; // rax

  __int64 v13; // rax

  __int64 v14; // rax

  __int64 v15; // rax

  __int64 v16; // rax

  char myinput_str; // [rsp+10h] [rbp-130h]

  char v19; // [rsp+30h] [rbp-110h]

  char v20; // [rsp+50h] [rbp-F0h]

  char v21; // [rsp+70h] [rbp-D0h]

  char myinput_copy; // [rsp+90h] [rbp-B0h]

  char temp; // [rsp+B0h] [rbp-90h]

  unsigned __int64 v24; // [rsp+128h] [rbp-18h]

  v24 = __readfsqword(0x28u);

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(

    (__int64)&myinput_str,

    (__int64)argv,

    (__int64)envp);

  std::operator>><char,std::char_traits<char>,std::allocator<char>>(&std::cin, &myinput_str);

  v3 = std::operator<<<std::char_traits<char>>(&std::cout, "-------------------------------------------");

  std::ostream::operator<<(v3, &std::endl<char,std::char_traits<char>>);

  v4 = std::operator<<<std::char_traits<char>>(&std::cout, "Quote from people's champ");

  std::ostream::operator<<(v4, &std::endl<char,std::char_traits<char>>);

  v5 = std::operator<<<std::char_traits<char>>(&std::cout, "-------------------------------------------");

  std::ostream::operator<<(v5, &std::endl<char,std::char_traits<char>>);

  v6 = std::operator<<<std::char_traits<char>>(

         &std::cout,

         "*My goal was never to be the loudest or the craziest. It was to be the most entertaining.");

  std::ostream::operator<<(v6, &std::endl<char,std::char_traits<char>>);

  v7 = std::operator<<<std::char_traits<char>>(&std::cout, "*Wrestling was like stand-up comedy for me.");

  std::ostream::operator<<(v7, &std::endl<char,std::char_traits<char>>);

  v8 = std::operator<<<std::char_traits<char>>(

         &std::cout,

         "*I like to use the hard times in the past to motivate me today.");

  std::ostream::operator<<(v8, &std::endl<char,std::char_traits<char>>);

  v9 = std::operator<<<std::char_traits<char>>(&std::cout, "-------------------------------------------");

  std::ostream::operator<<(v9, &std::endl<char,std::char_traits<char>>);

  HighTemplar::HighTemplar((DarkTemplar *)&temp, &myinput_str);// 327a6c4304ad5938eaf0efb6cc3e53dc

  v10 = std::operator<<<std::char_traits<char>>(&std::cout, "Checking....");

  std::ostream::operator<<(v10, &std::endl<char,std::char_traits<char>>);

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(&v19, &myinput_str);

  func1((__int64)&v20, (__int64)&v19);

  func2((__int64)&v21, (__int64)&v20);

  func3((__int64)&v21, 0);

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v21);

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v20);

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v19);

  HighTemplar::calculate((HighTemplar *)&temp);//加密处

  if ( (unsigned int)HighTemplar::getSerial((HighTemplar *)&temp) == 0 )//验证处

  {

    v11 = std::operator<<<std::char_traits<char>>(&std::cout, "/////////////////////////////////");

    std::ostream::operator<<(v11, &std::endl<char,std::char_traits<char>>);

    v12 = std::operator<<<std::char_traits<char>>(&std::cout, "Do not be angry. Happy Hacking :)");

    std::ostream::operator<<(v12, &std::endl<char,std::char_traits<char>>);

    v13 = std::operator<<<std::char_traits<char>>(&std::cout, "/////////////////////////////////");

    std::ostream::operator<<(v13, &std::endl<char,std::char_traits<char>>);

    ZN11HighTemplar7getFlagB5cxx11Ev((__int64)&myinput_copy, (__int64)&temp);// 取输入

    v14 = std::operator<<<std::char_traits<char>>(&std::cout, "flag{");

    v15 = std::operator<<<char,std::char_traits<char>,std::allocator<char>>(v14, &myinput_copy);

    v16 = std::operator<<<std::char_traits<char>>(v15, "}");

    std::ostream::operator<<(v16, &std::endl<char,std::char_traits<char>>);

    std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&myinput_copy);

  }

  HighTemplar::~HighTemplar((HighTemplar *)&temp);

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&myinput_str);

  return 0;

}

三个关键函数HighTemplar::HighTemplar((DarkTemplar *)&temp, &myinput_str);    HighTemplar::getSerial((HighTemplar *)&temp)   和  HighTemplar::calculate((HighTemplar *)&temp);

HighTemplar::HighTemplar((DarkTemplar *)&temp, &myinput_str),进行字符串转储。

unsigned __int64 __fastcall HighTemplar::HighTemplar(DarkTemplar *temp, char *myinput_str)

{

  char v3; // [rsp+17h] [rbp-19h]

  unsigned __int64 v4; // [rsp+18h] [rbp-18h]

  v4 = __readfsqword(0x28u);

  DarkTemplar::DarkTemplar(temp);

  *(_QWORD *)temp = &off_401EA0;

  *((_DWORD *)temp + 3) = 0;

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(

    (char *)temp + 16,

    myinput_str);                               // temp + 16 -->存储输入

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(

    (char *)temp + 48,

    myinput_str);                               // temp + 48 -->存储输入

  std::allocator<char>::allocator(&v3, myinput_str);

  std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(

    (__int64)temp + 80,                         // temp + 80 -->存储327a6c4304ad5938eaf0efb6cc3e53dc

    (__int64)"327a6c4304ad5938eaf0efb6cc3e53dc",

    (__int64)&v3);

  std::allocator<char>::~allocator(&v3);

  return __readfsqword(0x28u) ^ v4;

}

HighTemplar::calculate((HighTemplar *)&temp);进行加密操作

bool __fastcall HighTemplar::calculate(HighTemplar *this)

{

  __int64 v1; // rax

  _BYTE *v2; // rbx

  bool result; // al

  _BYTE *v4; // rbx

  int i; // [rsp+18h] [rbp-18h]

  int j; // [rsp+1Ch] [rbp-14h]

  if ( std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16) != 32 )// 输入长32

  {

    v1 = std::operator<<<std::char_traits<char>>(&std::cout, "Too short or too long");

    std::ostream::operator<<(v1, &std::endl<char,std::char_traits<char>>);

    exit(-1);

  }

  for ( i = 0;

        i <= (unsigned __int64)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16);

        ++i )

  {

    v2 = (_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](

                    (char *)this + 16,

                    i);

    *v2 = (*(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](

                       (char *)this + 16,

                       i) ^ 0x50)               // (每个字符^0x50)+23

        + 23;

  }

  for ( j = 0; ; ++j )

  {

    result = j <= (unsigned __int64)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16);

    if ( !result )

      break;

    v4 = (_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](

                    (char *)this + 16,

                    j);

    *v4 = (*(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](

                       (char *)this + 16,

                       j) ^ 0x13)               // (每个字符^0x13)+11

        + 11;

  }

  return result;

}

HighTemplar::getSerial((HighTemplar *)&temp)进行验证操作

__int64 __fastcall HighTemplar::getSerial(HighTemplar *this)

{

  __int64 v1; // rbx

  __int64 v2; // rax

  __int64 v3; // rax

  __int64 v4; // rax

  __int64 v5; // rax

  unsigned int i; // [rsp+1Ch] [rbp-14h]

  for ( i = 0;

        (signed int)i < (unsigned __int64)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16);

        ++i )

  {

    v1 = *(unsigned __int8 *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](

                               (char *)this + 80,// HighTemplar::HighTemplar((DarkTemplar *)&temp, &myinput_str)之前赋值,327a6c4304ad5938eaf0efb6cc3e53dc

                               (signed int)i);

    if ( (_BYTE)v1 != *(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](

                                  (char *)this + 16,// 取输入

                                  (signed int)i) )

    {

      v4 = std::operator<<<std::char_traits<char>>(&std::cout, "You did not pass ");

      v5 = std::ostream::operator<<(v4, i);

      std::ostream::operator<<(v5, &std::endl<char,std::char_traits<char>>);

      *((_DWORD *)this + 3) = 1;

      return *((unsigned int *)this + 3);

    }

    v2 = std::operator<<<std::char_traits<char>>(&std::cout, "Pass ");

    v3 = std::ostream::operator<<(v2, i);

    std::ostream::operator<<(v3, &std::endl<char,std::char_traits<char>>);

  }

  return *((unsigned int *)this + 3);

}

简单的异或与加法的操作

wp:

temp='327a6c4304ad5938eaf0efb6cc3e53dc'

flag=''

for i in range(len(temp)):

    n=ord(temp[i])

    flag+=chr((((n-11)^0x13)-23)^0x50)

print('flag{'+flag+'}')

flag{tMx~qdstOs~crvtwb~aOba}qddtbrtcd}

攻防世界 reverse crazy的更多相关文章

  1. 攻防世界 reverse 进阶 10 Reverse Box

    攻防世界中此题信息未给全,题目来源为[TWCTF-2016:Reverse] Reverse Box 网上有很多wp是使用gdb脚本,这里找到一个本地还原关键算法,然后再爆破的 https://www ...

  2. 攻防世界 reverse evil

    这是2017 ddctf的一道逆向题, 挑战:<恶意软件分析> 赛题背景: 员工小A收到了一封邮件,带一个文档附件,小A随手打开了附件.随后IT部门发现小A的电脑发出了异常网络访问请求,进 ...

  3. 攻防世界 reverse tt3441810

    tt3441810 tinyctf-2014 附件给了一堆数据,将十六进制数据部分提取出来, flag应该隐藏在里面,(这算啥子re,) 保留可显示字符,然后去除填充字符(找规律 0.0) 处理脚本: ...

  4. 攻防世界 reverse 进阶 APK-逆向2

    APK-逆向2 Hack-you-2014 (看名以为是安卓逆向呢0.0,搞错了吧) 程序是.net写的,直接祭出神器dnSpy 1 using System; 2 using System.Diag ...

  5. 攻防世界 reverse Windows_Reverse2

    Windows_Reverse2   2019_DDCTF 查壳: 寻找oep-->dump-->iat修复   便可成功脱壳 int __cdecl main(int argc, con ...

  6. 攻防世界 reverse BabyXor

    BabyXor     2019_UNCTF 查壳 脱壳 dump 脱壳后 IDA静态分析 int main_0() { void *v0; // eax int v1; // ST5C_4 char ...

  7. 攻防世界 reverse parallel-comparator-200

    parallel-comparator-200 school-ctf-winter-2015 https://github.com/ctfs/write-ups-2015/tree/master/sc ...

  8. 攻防世界 reverse 进阶 8-The_Maya_Society Hack.lu-2017

    8.The_Maya_Society Hack.lu-2017 在linux下将时间调整为2012-12-21,运行即可得到flag. 下面进行分析 1 signed __int64 __fastca ...

  9. 攻防世界 reverse easy_Maze

    easy_Maze 从题目可得知是简单的迷宫问题 int __cdecl main(int argc, const char **argv, const char **envp) { __int64 ...

随机推荐

  1. 记一次 Raven2 渗透(phpmailer漏洞+UDF提权)

    目录: 1. 寻找IP 2.dirb目录爆破 2.PHPMailer漏洞反弹得到shell 3.python版本的exp修改 4.查看wordpress的wp-config.php配置文件得到数据库账 ...

  2. Rails框架学习

    Don't Repeat Yourself! Convention Over Configuration. REST. Rails框架总览. Rails框架基本使用. Rails框架数据交互. Rai ...

  3. css position sticky All In One

    css position sticky All In One css sticky & 吸顶效果 demo https://codepen.io/xgqfrms/pen/PoqyVYz ref ...

  4. TypeScript Generics All In one

    TypeScript Generics All In one TypeScript 泛型 代码逻辑复用 扩展性 设计模式 方法覆写, 直接覆盖 方法重载,参数个数或参数类型不同 test " ...

  5. Redis 大 key 问题 & 问题分析 & 解决方案

    Redis 大 key 问题 & 问题分析 & 解决方案 Redis 什么是 Redis 大 key 单个key 存储的 value 很大 hash, set,zset,list 结构 ...

  6. Raspberry Pi 电路图模拟器

    Raspberry Pi 电路图模拟器 Circuit Diagram / Circuit Graph https://fritzing.org/learning/tutorials/building ...

  7. React Native hot reloading & Android & iOS

    React Native hot reloading & Android & iOS https://facebook.github.io/react-native/docs/debu ...

  8. js & touch & swiper

    js & touch & swiper https://developer.mozilla.org/en/docs/Web/API/Touch_events "use str ...

  9. vue & $router & History API

    vue & $router gotoTemplateManage(e) { e.preventDefault(); this.$router.push({ path: `/operate-to ...

  10. C++算法代码——纪念品分组[NOIP2007 普及组]

    题目来自:http://218.5.5.242:9018/JudgeOnline/problem.php?id=1099 https://www.luogu.com.cn/problem/P1094 ...