TWCTF-reverse_box WP
分析
-
IDA分析代码
int __cdecl main(int argc, char **argv) { size_t i; // [esp+18h] [ebp-10Ch] int randnumber; // [esp+1Ch] [ebp-108h] unsigned int v5; // [esp+11Ch] [ebp-8h] v5 = __readgsdword(0x14u); if ( argc <= 1 ) { printf("usage: %s flag\n", *argv); exit(1); } generate_randomnumber(&randnumber); for ( i = 0; i < strlen(argv[1]); ++i ) printf("%02x", *(&randnumber + argv[1][i]));// 相当于是randnumber[argv[1][i]] putchar(10); return 0; } -
部分函数根据分析已被重命名,generate_randomnumber函数会生成一张随机数表:
int __cdecl generate_randomnumber(_BYTE *a1) { unsigned int v1; // eax int v2; // edx char v3; // al char v4; // ST1B_1 char v5; // al int result; // eax unsigned __int8 v7; // [esp+1Ah] [ebp-Eh] char v8; // [esp+1Bh] [ebp-Dh] char v9; // [esp+1Bh] [ebp-Dh] int randnumber; // [esp+1Ch] [ebp-Ch] v1 = time(0); srand(v1); do randnumber = rand(); while ( !randnumber ); *a1 = randnumber; v7 = 1; v8 = 1; do { v2 = v7 ^ 2 * v7; if ( (v7 & 0x80u) == 0 ) v3 = 0; else v3 = 27; v7 = v2 ^ v3; v4 = 4 * (2 * v8 ^ v8) ^ 2 * v8 ^ v8; v9 = 16 * v4 ^ v4; if ( v9 >= 0 ) v5 = 0; else v5 = 9; v8 = v9 ^ v5; result = __ROR1__(v8, 4) ^ __ROR1__(v8, 5) ^ __ROR1__(v8, 6) ^ __ROR1__(v8, 7) ^ (v8 ^ *a1); a1[v7] = result; } while ( v7 != 1 ); return result; } -
注意看此函数的汇编代码,在取随机数种子的位置:
-
这样就保证了随机数种子只有256种可能,即0~255。
-
程序的流程很简单,就是先以时间做种子,取随机数生成一张表,然后输入作为表的索引,输出对应表中的十六进制数据。
-
题目给出的目标输出为:95eeaf95ef94234999582f722f492f72b19a7aaf72e6e776b57aee722fe77ab5ad9aaeb156729676ae7a236d99b1df4a
-
实际上就是要求输入是多少
-
那么现在的问题就是编写脚本了。编写这个脚本要用到gdb,python的gdb模块装不上,很操蛋。借用了另个博主的gdb脚本获取正确的随机数表:
脚本
gdb脚本(稍作了些修改)
Set args brucy1998416
set $i=0
set $total=256
while($i<$total)
b *0x080485B1
b *0x8048704
run T
set $eax=$i
set $i=$i+1
continue
if ($eax==0x95)
print $i, $i
x/256xb $esp+0x1c
set $i=256
end
stop
end
end
- gdb脚本的使用方法:
- 最后将取得的表转用python处理
python脚本
#encoding=utf-8
correct='95eeaf95ef94234999582f722f492f72b19a7aaf72e6e776b57aee722fe77ab5ad9aaeb156729676ae7a236d99b1df4a'
box=[\
0xd6,0xc9,0xc2,0xce,0x47,0xde,0xda,0x70,\
0x85,0xb4,0xd2,0x9e,0x4b,0x62,0x1e,0xc3,\
0x7f,0x37,0x7c,0xc8,0x4f,0xec,0xf2,0x45,\
0x18,0x61,0x17,0x1a,0x29,0x11,0xc7,0x75,\
0x02,0x48,0x26,0x93,0x83,0x8a,0x42,0x79,\
0x81,0x10,0x50,0x44,0xc4,0x6d,0x84,0xa0,\
0xb1,0x72,0x96,0x76,0xad,0x23,0xb0,0x2f,\
0xb2,0xa7,0x35,0x57,0x5e,0x92,0x07,0xc0,\
0xbc,0x36,0x99,0xaf,0xae,0xdb,0xef,0x15,\
0xe7,0x8e,0x63,0x06,0x9c,0x56,0x9a,0x31,\
0xe6,0x64,0xb5,0x58,0x95,0x49,0x04,0xee,\
0xdf,0x7e,0x0b,0x8c,0xff,0xf9,0xed,0x7a,\
0x65,0x5a,0x1f,0x4e,0xf6,0xf8,0x86,0x30,\
0xf0,0x4c,0xb7,0xca,0xe5,0x89,0x2a,0x1d,\
0xe4,0x16,0xf5,0x3a,0x27,0x28,0x8d,0x40,\
0x09,0x03,0x6f,0x94,0xa5,0x4a,0x46,0x67,\
0x78,0xb9,0xa6,0x59,0xea,0x22,0xf1,0xa2,\
0x71,0x12,0xcb,0x88,0xd1,0xe8,0xac,0xc6,\
0xd5,0x34,0xfa,0x69,0x97,0x9f,0x25,0x3d,\
0xf3,0x5b,0x0d,0xa1,0x6b,0xeb,0xbe,0x6e,\
0x55,0x87,0x8f,0xbf,0xfc,0xb3,0x91,0xe9,\
0x77,0x66,0x19,0xd7,0x24,0x20,0x51,0xcc,\
0x52,0x7d,0x82,0xd8,0x38,0x60,0xfb,0x1c,\
0xd9,0xe3,0x41,0x5f,0xd0,0xcf,0x1b,0xbd,\
0x0f,0xcd,0x90,0x9b,0xa9,0x13,0x01,0x73,\
0x5d,0x68,0xc1,0xaa,0xfe,0x08,0x3e,0x3f,\
0xc5,0x8b,0x00,0xd3,0xfd,0xb6,0x43,0xbb,\
0xd4,0x80,0xe2,0x0c,0x33,0x74,0xa8,0x2b,\
0x54,0x4d,0x2d,0xa4,0xdc,0x6c,0x3b,0x21,\
0x2e,0xab,0x32,0x5c,0x7b,0xe0,0x9d,0x6a,\
0x39,0x14,0x3c,0xb8,0x0a,0x53,0xf7,0xdd,\
0xf4,0x2c,0x98,0xba,0x05,0xe1,0x0e,0xa3\
]
flag=''
for i in range(len(correct)//2):
idx=box.index(int(correct[2*i:2*i+2],16))
flag+=chr(idx)
print flag
- flag:TWCTF{5UBS717U710N_C1PH3R_W17H_R4ND0M123D_5-B0X}
https://blog.csdn.net/qq_38025365/article/details/89577302