buuctf刷题记录3 [2019红帽杯]easyRE
先查壳,没有壳,拖进ida,f12大法
![buuctf刷题记录3 [2019红帽杯]easyRE_第1张图片](http://img.e-com-net.com/image/info8/60abffea127d456bb9dab18d7cd572e1.jpg)
发现敏感句子,进入,代码如下
signed __int64 sub_4009C6()
{
const char *v0; // rdi
signed __int64 result; // rax
__int64 v2; // ST10_8
__int64 v3; // ST18_8
__int64 v4; // ST20_8
__int64 v5; // ST28_8
__int64 v6; // ST30_8
__int64 v7; // ST38_8
__int64 v8; // ST40_8
__int64 v9; // ST48_8
__int64 v10; // ST50_8
int i; // [rsp+Ch] [rbp-114h]
char v12; // [rsp+60h] [rbp-C0h]
char v13; // [rsp+61h] [rbp-BFh]
char v14; // [rsp+62h] [rbp-BEh]
char v15; // [rsp+63h] [rbp-BDh]
char v16; // [rsp+64h] [rbp-BCh]
char v17; // [rsp+65h] [rbp-BBh]
char v18; // [rsp+66h] [rbp-BAh]
char v19; // [rsp+67h] [rbp-B9h]
char v20; // [rsp+68h] [rbp-B8h]
char v21; // [rsp+69h] [rbp-B7h]
char v22; // [rsp+6Ah] [rbp-B6h]
char v23; // [rsp+6Bh] [rbp-B5h]
char v24; // [rsp+6Ch] [rbp-B4h]
char v25; // [rsp+6Dh] [rbp-B3h]
char v26; // [rsp+6Eh] [rbp-B2h]
char v27; // [rsp+6Fh] [rbp-B1h]
char v28; // [rsp+70h] [rbp-B0h]
char v29; // [rsp+71h] [rbp-AFh]
char v30; // [rsp+72h] [rbp-AEh]
char v31; // [rsp+73h] [rbp-ADh]
char v32; // [rsp+74h] [rbp-ACh]
char v33; // [rsp+75h] [rbp-ABh]
char v34; // [rsp+76h] [rbp-AAh]
char v35; // [rsp+77h] [rbp-A9h]
char v36; // [rsp+78h] [rbp-A8h]
char v37; // [rsp+79h] [rbp-A7h]
char v38; // [rsp+7Ah] [rbp-A6h]
char v39; // [rsp+7Bh] [rbp-A5h]
char v40; // [rsp+7Ch] [rbp-A4h]
char v41; // [rsp+7Dh] [rbp-A3h]
char v42; // [rsp+7Eh] [rbp-A2h]
char v43; // [rsp+7Fh] [rbp-A1h]
char v44; // [rsp+80h] [rbp-A0h]
char v45; // [rsp+81h] [rbp-9Fh]
char v46; // [rsp+82h] [rbp-9Eh]
char v47; // [rsp+83h] [rbp-9Dh]
char v48[32]; // [rsp+90h] [rbp-90h]
int v49; // [rsp+B0h] [rbp-70h]
char v50; // [rsp+B4h] [rbp-6Ch]
char v51; // [rsp+C0h] [rbp-60h]
char v52; // [rsp+E7h] [rbp-39h]
char v53; // [rsp+100h] [rbp-20h]
unsigned __int64 v54; // [rsp+108h] [rbp-18h]
v54 = __readfsqword(0x28u);
v12 = 73;
v13 = 111;
v14 = 100;
v15 = 108;
v16 = 62;
v17 = 81;
v18 = 110;
v19 = 98;
v20 = 40;
v21 = 111;
v22 = 99;
v23 = 121;
v24 = 127;
v25 = 121;
v26 = 46;
v27 = 105;
v28 = 127;
v29 = 100;
v30 = 96;
v31 = 51;
v32 = 119;
v33 = 125;
v34 = 119;
v35 = 101;
v36 = 107;
v37 = 57;
v38 = 123;
v39 = 105;
v40 = 121;
v41 = 61;
v42 = 126;
v43 = 121;
v44 = 76;
v45 = 64;
v46 = 69;
v47 = 67;
memset(v48, 0, sizeof(v48));
v49 = 0;
v50 = 0;
sub_4406E0(0LL, v48, 37LL);
v50 = 0;
v0 = v48;
if ( sub_424BA0(v48) == 36 )
{
for ( i = 0; ; ++i )
{
v0 = v48;
if ( i >= (unsigned __int64)sub_424BA0(v48) )
break;
if ( (unsigned __int8)(v48[i] ^ i) != *(&v12 + i) )
{
result = 4294967294LL;
goto LABEL_13;
}
}
sub_410CC0("continue!");
memset(&v51, 0, 0x40uLL);
v53 = 0;
sub_4406E0(0LL, &v51, 64LL);
v52 = 0;
v0 = &v51;
if ( sub_424BA0(&v51) == 39 )
{
v2 = sub_400E44(&v51);
v3 = sub_400E44(v2);
v4 = sub_400E44(v3);
v5 = sub_400E44(v4);
v6 = sub_400E44(v5);
v7 = sub_400E44(v6);
v8 = sub_400E44(v7);
v9 = sub_400E44(v8);
v10 = sub_400E44(v9);
v0 = (const char *)sub_400E44(v10);
if ( !(unsigned int)sub_400360(v0, off_6CC090) )
{
sub_410CC0("You found me!!!");
v0 = "bye bye~";
sub_410CC0("bye bye~");
}
result = 0LL;
}
else
{
result = 4294967293LL;
}
}
else
{
result = 0xFFFFFFFFLL;
}
LABEL_13:
if ( __readfsqword(0x28u) != v54 )
sub_444020(v0);
return result;
}
里面有两处关键运算
![buuctf刷题记录3 [2019红帽杯]easyRE_第2张图片](http://img.e-com-net.com/image/info8/bce68717e22d40efa350d7fa1bfa6f3e.jpg)
这是里面第一个关键运算,逻辑很简单,构造脚本
num=[73,111,100,108,62,81,110,98,40,111,99,121,127,121,46,105,127,100,96,51,119,125,119,101,107,57,123,105,121,61,126,121,76,64,69,67]
text=''
for i in range(0,36):
text=text+chr(num[i]^i)
print(text)
得到:Info:The first four chars are flag
前四个字母是flag
第二个关键运算:![buuctf刷题记录3 [2019红帽杯]easyRE_第3张图片](http://img.e-com-net.com/image/info8/623d031963ed4f08b8b26b17bea55c94.jpg)
点进去后发现是一个类似base64的运算(10次),而且得到的结果与off_6cc090比较,而6cc090是一串base64编码,于是就猜这个是base64加密了10次,解密得
https://bbs.pediy.com/thread-254172.htm
发现是个网址,但是没有卵用,应该是干扰(打死出题人!)
没有思路后,看了看别人的wp:
在off_6cc090下面还有一个常量,在sub_400D35函数中调用
![buuctf刷题记录3 [2019红帽杯]easyRE_第4张图片](http://img.e-com-net.com/image/info8/3dac6a8b64d94ef38415437cd0eca90d.jpg)
进入到该函数中
![buuctf刷题记录3 [2019红帽杯]easyRE_第5张图片](http://img.e-com-net.com/image/info8/b2ec8689c9ae4ce2b798f0e81fe474af.jpg)
通过分析,v6(或v3)在里面起到很重要的作用,在
if ( ((unsigned __int8)v3 ^ byte_6CC0A0[0]) == ‘f’ && (HIBYTE(v6) ^ (unsigned __int8)unk_6CC0A3) == ‘g’ )
里面,判断v3第一个和第四个是不是f和g,那就猜测这四个字符是flag。(v3-v6地址是连着的,可以将v3看作一个char数组)
然后循环24次做异或操作。
先求出来v3:这里key就是v3
num2=[0x40,0x35,0x20,0x56,0x5D,0x18,0x22,0x45,0x17,0x2F,0x24,0x6E,0x62,0x3C,0x27,0x54,0x48,0x6C,0x24,0x6E,0x72,0x3C,0x32,0x45,0x5B]
text2='flag'
key=''
for i in range(0,4):
key=key+chr(ord(text2[i])^num2[i])
print(key)
得到v3: &YA1
再求出v0(24次异或)
num2=[0x40,0x35,0x20,0x56,0x5D,0x18,0x22,0x45,0x17,0x2F,0x24,0x6E,0x62,0x3C,0x27,0x54,0x48,0x6C,0x24,0x6E,0x72,0x3C,0x32,0x45,0x5B]
key='&YA1'
flag=''
for i in range(0,25):
flag=flag+chr(num2[i]^ord(key[i%4]))
print(flag)
就得到flag了(曲折,脑壳痛)
flag{Act1ve_Defen5e_Test}