BUUCTF Reverse/[FlareOn4]IgniteMe

BUUCTF Reverse/[FlareOn4]IgniteMe

先查看文件信息：没有加壳且为32位程序

运行，发现又是一道字符串比较的题目

用IDA32位打开分析代码

void __noreturn start()
{
  DWORD NumberOfBytesWritten; // [esp+0h] [ebp-4h] BYREF

  NumberOfBytesWritten = 0;
  hFile = GetStdHandle(0xFFFFFFF6);
  dword_403074 = GetStdHandle(0xFFFFFFF5);
  WriteFile(dword_403074, aG1v3M3T3hFl4g, 0x13u, &NumberOfBytesWritten, 0);
  sub_4010F0();
  if ( sub_401050() )
    WriteFile(dword_403074, aG00dJ0b, 0xAu, &NumberOfBytesWritten, 0);
  else
    WriteFile(dword_403074, aN0tT00H0tRWe7r, 0x24u, &NumberOfBytesWritten, 0);
  ExitProcess(0);
}

跟进查看

看到这个只是个输入函数，将输入的字符串存储在byte_403078中

int sub_4010F0()
{
  unsigned int v0; // eax
  char Buffer[260]; // [esp+0h] [ebp-110h] BYREF
  DWORD NumberOfBytesRead; // [esp+104h] [ebp-Ch] BYREF
  unsigned int i; // [esp+108h] [ebp-8h]
  char v5; // [esp+10Fh] [ebp-1h]

  v5 = 0;
  for ( i = 0; i < 0x104; ++i )
    Buffer[i] = 0;
  ReadFile(hFile, Buffer, 0x104u, &NumberOfBytesRead, 0);
  for ( i = 0; ; ++i )
  {
    v0 = sub_401020((int)Buffer);
    if ( i >= v0 )
      break;
    v5 = Buffer[i];
    if ( v5 != 10 && v5 != 13 )
    {
      if ( v5 )
        byte_403078[i] = v5;
    }
  }
  return 1;
}

那重点就是这个if条件中 的语句

跟进查看

int sub_401050()
{
  int v1; // [esp+0h] [ebp-Ch]
  int i; // [esp+4h] [ebp-8h]
  unsigned int j; // [esp+4h] [ebp-8h]
  char v4; // [esp+Bh] [ebp-1h]

  v1 = sub_401020((int)byte_403078);
  v4 = sub_401000();
  for ( i = v1 - 1; i >= 0; --i )
  {
    byte_403180[i] = v4 ^ byte_403078[i];
    v4 = byte_403078[i];
  }
  for ( j = 0; j < 0x27; ++j )
  {
    if ( byte_403180[j] != (unsigned __int8)byte_403000[j] )
      return 0;
  }
  return 1;
}

推测v1应该是字符串的长度，且flag的长度为38

简单的异或题，重点就是求v4 = sub_401000(); 的值了

__int16 sub_401000()
{
  return (unsigned __int16)__ROL4__(0x80070000, 4) >> 1;
}

搜了下这个_ROL4_感觉像这个循环左移，但是算出来又不像

然后根据提示 Hint:本题解出相应字符串后请用flag{}包裹，形如：flag{[email protected]} flag中的最后一位数一定是m，然后 m ^ 4 = 0x69。那么v4 = 4

用动态调试也能得到v4的值，我输入的数为123456，异或是从最后一位开始的，将6放入了eax中，然后eax与ecx进行异或，由此可以推出ecx中存储的就是v4的值（具体的计算可以看这个大佬的博客）

根据这个条件，以及byte_403000 写出脚本

for ( j = 0; j < 0x27; ++j )
  {
    if ( byte_403180[j] != (unsigned __int8)byte_403000[j] )
      return 0;
  }

脚本

#include 
#include 
#include 
int main()
{
     int i,j,k;
     int fin[] = {0x0D,0x26,0x49,0x45,0x2A,0x17,0x78,0x44,0x2B,0x6C,0x5D,0x5E,
                  0x45,0x12,0x2F,0x17,0x2B,0x44,0x6F,0x6E,0x56,0x9,0x5F,0x45,
                  0x47,0x73,0x26,0x0A,0x0D,0x13,0x17,0x48,0x42,0x1,0x40,0x4D,
                  0x0C,0x2,0x69};
    int flag[40] = {0};
     int v4 = 4;
     for(i = 38 ; i  >= 0; i--)
     {
         flag[i] = fin[i] ^ v4;
         v4 = flag[i];
     }
     for(i = 0 ; i < 39; i++)
     {
         printf("%c",flag[i]);
     }
     return 0;
}

运行结果

最终flag ： flag{[email protected]}