程序流程很清晰

/*
 * Challenge entry point (IDA pseudocode, x86 __cdecl).
 * Reads the user's "flag", base64-decodes it with sub_401000, XORs every
 * decoded byte with 0x25 and compares the result against a fixed string.
 * Frame layout is taken from the decompiler's stack comments: sc/str form
 * one 100-byte input buffer (esp+0..esp+0x63) and s_/v14 one 100-byte
 * decode buffer (esp+0x64..esp+0xC7); de_s_len sits right above it.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
    unsigned int v3; // edx
    unsigned int i; // ecx
    __m128i v5; // xmm1
    unsigned int v6; // esi
    const __m128i *v7; // eax
    __m128i v8; // xmm0
    int v9; // eax
    char sc; // [esp+0h] [ebp-CCh]   first byte of the 100-byte input buffer
    char str; // [esp+1h] [ebp-CBh]   remaining 99 bytes of the input buffer
    char s_; // [esp+64h] [ebp-68h]   first byte of the 100-byte decode buffer
    char v14; // [esp+65h] [ebp-67h]   remaining 99 bytes of the decode buffer
    unsigned int de_s_len; // [esp+C8h] [ebp-4h]   in/out: capacity on entry, decoded length on return

    printf("please input your flah:");
    sc = 0;
    memset(&str, 0, 0x63u); // zero the whole input buffer (1 + 0x63 bytes)
    // "%s" carries no field width, so input longer than the 100-byte buffer
    // overruns the stack frame (de_s_len, saved ebp, return address).
    scanf("%s", &sc);
    s_ = 0;
    memset(&v14, 0, 0x63u);
    // base64 decode. de_s_len is never assigned before this call, yet the
    // callee reads it as the output-buffer capacity (see sub_401000), so the
    // capacity check runs on leftover stack contents. The callee also returns
    // 0 on empty or all-whitespace input without writing de_s_len, in which
    // case the read below is uninitialized as well.
    sub_401000(&de_s_len, &s_, (unsigned __int8 *)&sc, strlen(&sc));
    v3 = de_s_len; // decoded length
    i = 0;
    if ( de_s_len )
    {
        if ( de_s_len >= 0x10 )
        {
            // 16-byte SIMD XOR over the full 16-byte groups. The constant is
            // presumably sixteen 0x25 bytes, matching the scalar tail below --
            // confirm against xmmword_414F20 in the data section.
            v5 = _mm_load_si128((const __m128i *)&xmmword_414F20);
            v6 = de_s_len - (de_s_len & 0xF); // length rounded down to a multiple of 16
            v7 = (const __m128i *)&s_;
            do
            {
                v8 = _mm_loadu_si128(v7);
                i += 16;
                ++v7;
                _mm_storeu_si128((__m128i *)&v7[-1], _mm_xor_si128(v8, v5));
            }
            while ( i < v6 );
        }
        // scalar tail: the remaining (de_s_len % 16) bytes
        for ( ; i < v3; ++i )
            *(&s_ + i) ^= 0x25u; // XOR
    }
    // The decoded-then-XORed input must equal this string.
    v9 = strcmp(&s_, "you_know_how_to_remove_junk_code");
    if ( v9 )
        v9 = -(v9 < 0) | 1; // normalise to -1/+1; only zero-or-not matters below
    if ( v9 )
        printf("wrong\n");
    else
        printf("correct\n");
    system("pause"); // Windows console: keep the window open
    return 0;
}

关键比较

strcmp(&s_, "you_know_how_to_remove_junk_code")向上跟踪,发现sub_401000(&de_s_len, &s_, (unsigned __int8 *)&sc, strlen(&sc));

进入函数分析可以发现是base64解码

/*
 * Base64 decoder (IDA pseudocode, custom calling convention: a1 in edx,
 * a2 in ecx, sc and size on the stack). Its two-pass shape and the error
 * values match mbedTLS's mbedtls_base64_decode, so this is likely a
 * statically linked copy -- confirm against the library before relying on
 * anything not visible here (e.g. the contents of byte_414E40).
 *
 *  a1    in/out: on entry the capacity of a2; on success the number of bytes
 *        written; when the buffer is too small the required size.
 *  a2    output buffer (NULL is allowed and only yields the required size).
 *  sc    input text.
 *  size  length of sc in bytes.
 *
 * Returns 0 on success, 0xFFFFFFD4 (-44) on an invalid character, and -42
 * when a2 is NULL or smaller than the decoded size. Note that the two early
 * "return 0" paths (size == 0, nothing but whitespace) do not write *a1.
 */
signed int __usercall sub_401000@<eax>(unsigned int *a1@<edx>, _BYTE *a2@<ecx>, unsigned __int8 *sc, unsigned int size)
{
    int j; // ebx   number of '=' padding characters seen
    unsigned int k; // eax   read index into sc
    int v6; // ecx   count of significant (non-whitespace) characters
    unsigned __int8 *v7; // edi
    int v8; // edx   spaces skipped in front of the current character
    bool v9; // zf
    unsigned __int8 v10; // cl
    char v11; // cl
    _BYTE *v12; // esi   write cursor into a2
    unsigned int v13; // ecx   decoded size required
    int v14; // ebx   24-bit accumulator for one 4-character group
    unsigned __int8 v15; // cl
    char v16; // dl
    _BYTE *v18; // [esp+Ch] [ebp-Ch]
    unsigned int *v19; // [esp+10h] [ebp-8h]
    int v20; // [esp+14h] [ebp-4h]
    unsigned int v21; // [esp+14h] [ebp-4h]   bytes to emit per group: 3 minus padding seen
    int sizea; // [esp+24h] [ebp+Ch]

    j = 0;
    v18 = a2;
    k = 0;
    v6 = 0;
    v19 = a1;
    v20 = 0;
    if ( !size )
        return 0; // *a1 left untouched
    v7 = sc;
    // Pass 1: validate and count. Spaces are only accepted at the end of a
    // line or at the end of the input; CR LF and LF are skipped.
    do
    {
        v8 = 0;
        v9 = k == size;
        if ( k < size )
        {
            do
            {
                if ( sc[k] != ' ' )
                    break;
                ++k; // skip spaces
                ++v8;
            }
            while ( k < size );
            v9 = k == size;
        }
        if ( v9 )
            break; // trailing spaces are fine
        if ( size - k >= 2 && sc[k] == '\r' && sc[k + 1] == '\n' || (v10 = sc[k], v10 == '\n') )
        {
            v6 = v20; // line break: nothing to count
        }
        else
        {
            if ( v8 )
                return 0xFFFFFFD4; // space inside a line
            if ( v10 == '=' && (unsigned int)++j > 2 )
                return 0xFFFFFFD4; // more than two padding characters
            if ( v10 > 0x7Fu )
                return 0xFFFFFFD4; // non-ASCII byte
            v11 = byte_414E40[v10];
            if ( v11 == 0x7F || (unsigned __int8)v11 < '@' && j )
                return 0xFFFFFFD4; // not in the alphabet, or a data character after '='
            v6 = v20++ + 1;
        }
        ++k;
    }
    while ( k < size );
    if ( !v6 )
        return 0; // only whitespace: *a1 left untouched
    v12 = v18;
    v13 = ((unsigned int)(6 * v6 + 7) >> 3) - j; // ceil(6*n/8) minus padding
    if ( v18 && *v19 >= v13 )
    {
        // Pass 2: decode the k characters validated above, four at a time.
        v21 = 3;
        v14 = 0;
        for ( sizea = 0; k; --k )
        {
            v15 = *v7;
            if ( *v7 != '\r' && v15 != '\n' && v15 != ' ' )
            {
                v16 = byte_414E40[v15]; // key step: 6-bit value; '@' (64) is evidently the '=' marker
                v21 -= v16 == '@'; // each '=' drops one output byte from the final group
                v14 = v16 & 0x3F | (v14 << 6);
                if ( ++sizea == 4 )
                {
                    sizea = 0;
                    if ( v21 )
                        *v12++ = BYTE2(v14);
                    if ( v21 > 1 )
                        *v12++ = BYTE1(v14);
                    if ( v21 > 2 )
                        *v12++ = v14;
                }
            }
            ++v7;
        }
        *v19 = v12 - v18; // bytes written
        return 0;
    }
    *v19 = v13; // required size
    return -42;
}

识别base64解码函数是这题主要的考点,之后的操作就很简单

流程:

base64解码-->异或-->strcmp(&s_, "you_know_how_to_remove_junk_code")

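import base64

# XOR key used by the binary after base64-decoding the input.
KEY = 0x25
# The plaintext the binary compares against after decode + XOR.
s = 'you_know_how_to_remove_junk_code'


def encode_flag(plain: str, key: int = KEY) -> bytes:
    """Invert the binary's check: XOR each byte of ``plain`` with ``key`` and
    base64-encode the result, which is the input that makes it print "correct".

    Operates on bytes rather than building a ``str`` and calling ``.encode()``:
    a XOR result >= 0x80 would otherwise be expanded to a two-byte UTF-8
    sequence and corrupt the encoding. For this string every result is < 0x80,
    but the bytes form is correct for any key.

    Args:
        plain: the expected plaintext.
        key: single-byte XOR key (0..255).

    Returns:
        The base64-encoded, XORed flag as ``bytes``.
    """
    xored = bytes(c ^ key for c in plain.encode('utf-8'))
    return base64.b64encode(xored)


print(encode_flag(s))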
XEpQek5LSlJ6TUpSelFKeldASEpTQHpPUEtOekZKQUA=
												
