程序流程很清晰

 /*
  * ReverseMe-120 entry point as recovered by the decompiler.
  * Flow: read a string -> base64-decode it (sub_401000) -> XOR every decoded
  * byte -> strcmp against the expected plaintext.
  * The stack offsets in the declarations give the buffer sizes: the input
  * buffer is sc(1) + str(0x63) = 0x64 bytes at ebp-CCh, the decode buffer is
  * s_(1) + v14(0x63) = 0x64 bytes at ebp-68h.
  */
 1 int __cdecl main(int argc, const char **argv, const char **envp)
2 {
3 unsigned int v3; // edx
4 unsigned int i; // ecx
5 __m128i v5; // xmm1
6 unsigned int v6; // esi
7 const __m128i *v7; // eax
8 __m128i v8; // xmm0
9 int v9; // eax
10 char sc; // [esp+0h] [ebp-CCh]  -- first byte of the 0x64-byte input buffer
11 char str; // [esp+1h] [ebp-CBh]  -- remaining 0x63 bytes of the input buffer
12 char s_; // [esp+64h] [ebp-68h]  -- first byte of the 0x64-byte decode buffer
13 char v14; // [esp+65h] [ebp-67h]  -- remaining 0x63 bytes of the decode buffer
14 unsigned int de_s_len; // [esp+C8h] [ebp-4h]  -- never initialised before the sub_401000 call below
15
16 printf("please input your flah:");
17 sc = 0;
18 memset(&str, 0, 0x63u); // zero the whole 0x64-byte input buffer (sc + str)
19 scanf("%s", &sc); // no width limit: input longer than 0x63 characters overwrites the stack past the buffer
20 s_ = 0;
21 memset(&v14, 0, 0x63u); // zero the whole 0x64-byte decode buffer (s_ + v14)
22 sub_401000(&de_s_len, &s_, (unsigned __int8 *)&sc, strlen(&sc));// base64 decode (see sub_401000): reads *de_s_len as the output capacity -- here leftover stack data, since it was never set -- and stores the decoded length; the return value is not checked
23 v3 = de_s_len; // decoded length written by sub_401000 (stays uninitialised on the paths where sub_401000 returns early without storing it)
24 i = 0;
25 if ( de_s_len ) // nothing below bounds the XOR loop by the 0x64-byte buffer; it relies entirely on sub_401000's capacity check
26 {
27 if ( de_s_len >= 0x10 )
28 {
29 v5 = _mm_load_si128((const __m128i *)&xmmword_414F20); // 16-byte XOR mask; its contents are not shown here, presumably 16 x 0x25 to match the scalar tail below -- verify in the binary
30 v6 = de_s_len - (de_s_len & 0xF); // length rounded down to a multiple of 16
31 v7 = (const __m128i *)&s_;
32 do
33 {
34 v8 = _mm_loadu_si128(v7);
35 i += 16;
36 ++v7;
37 _mm_storeu_si128((__m128i *)&v7[-1], _mm_xor_si128(v8, v5)); // XOR one 16-byte chunk in place
38 }
39 while ( i < v6 );
40 }
41 for ( ; i < v3; ++i )
42 *(&s_ + i) ^= 0x25u; // XOR the remaining tail bytes (fewer than 16) with 0x25
43 }
44 v9 = strcmp(&s_, "you_know_how_to_remove_junk_code");
45 if ( v9 )
46 v9 = -(v9 < 0) | 1; // normalise a non-zero strcmp result to -1 / +1 (compiler idiom; no effect on the zero test below)
47 if ( v9 )
48 printf("wrong\n");
49 else
50 printf("correct\n");
51 system("pause"); // Windows-only: keeps the console window open
52 return 0;
53 }

关键比较

从 strcmp(&s_, "you_know_how_to_remove_junk_code") 向上跟踪 s_ 的来源, 发现它由 sub_401000(&de_s_len, &s_, (unsigned __int8 *)&sc, strlen(&sc)); 写入.

进入函数分析可以发现是base64解码

  /*
   * Base64 decoder (decompiled). Two passes: validate and count, then decode.
   * The error codes 0xFFFFFFD4 (-0x2C) and -42 (-0x2A) match the mbedtls /
   * PolarSSL base64 decoder's INVALID_CHARACTER / BUFFER_TOO_SMALL values, so
   * this appears to be that routine statically linked in -- confirm in the binary.
   *   a1   in: capacity of a2 (*a1); out: bytes written, or the required
   *        length when the buffer is too small
   *   a2   output buffer (NULL is accepted and only yields the required length)
   *   sc   base64 text; ' ' is accepted only directly before a line break or
   *        at the end, "\r\n" and "\n" are skipped
   *   size length of sc
   * Returns 0 on success (also, WITHOUT writing *a1, when size is 0 or the
   * input holds no base64 characters), 0xFFFFFFD4 on an invalid character,
   * -42 when *a1 is smaller than the required output length.
   * Writes are bounded by *a1, so the caller must pass a real capacity; main()
   * above passes an uninitialised value.
   */
  1 signed int __usercall sub_401000@<eax>(unsigned int *a1@<edx>, _BYTE *a2@<ecx>, unsigned __int8 *sc, unsigned int size)
2 {
3 int j; // ebx  -- number of '=' padding characters seen
4 unsigned int k; // eax  -- read index into sc
5 int v6; // ecx  -- count of significant (non-whitespace) characters
6 unsigned __int8 *v7; // edi
7 int v8; // edx  -- spaces skipped before the current character
8 bool v9; // zf  -- end of input reached
9 unsigned __int8 v10; // cl
10 char v11; // cl
11 _BYTE *v12; // esi  -- write cursor into a2
12 unsigned int v13; // ecx  -- required output length
13 int v14; // ebx  -- 24-bit accumulator (four sextets -> three bytes)
14 unsigned __int8 v15; // cl
15 char v16; // dl
16 _BYTE *v18; // [esp+Ch] [ebp-Ch]  -- saved a2
17 unsigned int *v19; // [esp+10h] [ebp-8h]  -- saved a1
18 int v20; // [esp+14h] [ebp-4h]  -- running count of significant characters
19 unsigned int v21; // [esp+14h] [ebp-4h]  -- bytes to emit from the final group: 3 minus the number of '='
20 int sizea; // [esp+24h] [ebp+Ch]  -- sextets accumulated in v14 so far (0..3)
21
22 j = 0;
23 v18 = a2;
24 k = 0;
25 v6 = 0;
26 v19 = a1;
27 v20 = 0;
28 if ( !size )
29 return 0; // NOTE: *a1 is left untouched on this path
30 v7 = sc;
31 do // pass 1: validate the input and count significant characters
32 {
33 v8 = 0;
34 v9 = k == size;
35 if ( k < size )
36 {
37 do
38 {
39 if ( sc[k] != ' ' )
40 break;
41 ++k; // skip spaces, counting them in v8
42 ++v8;
43 }
44 while ( k < size );
45 v9 = k == size;
46 }
47 if ( v9 )
48 break; // only spaces remained: stop scanning
49 if ( size - k >= 2 && sc[k] == '\r' && sc[k + 1] == '\n' || (v10 = sc[k], v10 == '\n') ) // line break: the '\r' is consumed here and the '\n' on the next round
50 {
51 v6 = v20; // not a significant character
52 }
53 else
54 {
55 if ( v8 )
56 return 0xFFFFFFD4; // spaces are only allowed before a line break or at the end
57 if ( v10 == '=' && (unsigned int)++j > 2 )
58 return 0xFFFFFFD4; // more than two '=' padding characters
59 if ( v10 > 0x7Fu )
60 return 0xFFFFFFD4; // non-ASCII byte
61 v11 = byte_414E40[v10]; // decode table; judging by the checks here and below, 0x7F marks an invalid character and '=' maps to '@' (64)
62 if ( v11 == 0x7F || (unsigned __int8)v11 < '@' && j )
63 return 0xFFFFFFD4; // invalid character, or a data character after padding
64 v6 = v20++ + 1;
65 }
66 ++k;
67 }
68 while ( k < size );
69 if ( !v6 )
70 return 0; // nothing to decode; NOTE: *a1 is left untouched here too
71 v12 = v18;
72 v13 = ((unsigned int)(6 * v6 + 7) >> 3) - j; // required output bytes: ceil(6 * count / 8) minus padding
73 if ( v18 && *v19 >= v13 )
74 {
75 v21 = 3;
76 v14 = 0;
77 for ( sizea = 0; k; --k ) // pass 2: decode the k characters scanned above
78 {
79 v15 = *v7;
80 if ( *v7 != '\r' && v15 != '\n' && v15 != ' ' )
81 {
82 v16 = byte_414E40[v15]; // table lookup -- the core of the decode
83 v21 -= v16 == '@'; // each '=' drops one output byte from the final group
84 v14 = v16 & 0x3F | (v14 << 6); // push six bits into the accumulator
85 if ( ++sizea == 4 )
86 {
87 sizea = 0;
88 if ( v21 )
89 *v12++ = BYTE2(v14);
90 if ( v21 > 1 )
91 *v12++ = BYTE1(v14);
92 if ( v21 > 2 )
93 *v12++ = v14;
94 }
95 }
96 ++v7;
97 }
98 *v19 = v12 - v18; // bytes actually written
99 return 0;
100 }
101 *v19 = v13; // buffer too small (or a2 == NULL): report the required length
102 return -42;
103 }

识别base64解码函数是这题主要的考点,之后的操作就很简单

流程:

base64解码-->异或-->strcmp(&s_, "you_know_how_to_remove_junk_code")

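import base64

# Plaintext that main() compares against after base64-decoding the input
# and XORing every decoded byte with 0x25.
s = 'you_know_how_to_remove_junk_code'


def encode_flag(plaintext: str, key: int = 0x25) -> bytes:
    """Build the input that makes main() print "correct".

    main() does base64-decode -> XOR with `key` -> strcmp(plaintext), and
    XOR is its own inverse, so the flag is base64(plaintext XOR key).

    Works on bytes rather than str: XOR can yield values >= 0x80, which
    str.encode('utf-8') would expand into two bytes and corrupt the result.

    :param plaintext: the string main() compares against (ASCII).
    :param key: the single-byte XOR key; 0x25 in this binary.
    :return: the base64-encoded flag as bytes (b'' for an empty plaintext).
    """
    xored = bytes(b ^ key for b in plaintext.encode('ascii'))
    return base64.b64encode(xored)


flag = encode_flag(s)
print(flag)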
XEpQek5LSlJ6TUpSelFKeldASEpTQHpPUEtOekZKQUA=
												
