BUUCTF Reverse/[网鼎杯 2020 青龙组]singal
BUUCTF Reverse/[网鼎杯 2020 青龙组]singal
![BUUCTF Reverse/[网鼎杯 2020 青龙组]singal_第1张图片](http://img.e-com-net.com/image/info8/36d504e532704624ba7d6171ea66bb37.jpg)
先看文件信息,没有加壳
![BUUCTF Reverse/[网鼎杯 2020 青龙组]singal_第2张图片](http://img.e-com-net.com/image/info8/acfbb5ea4b754c12a18ac22fbf36a584.jpg)
运行,又是字符串比较的题目
![BUUCTF Reverse/[网鼎杯 2020 青龙组]singal_第3张图片](http://img.e-com-net.com/image/info8/e83e0d4add924958a628c3f01c12e656.jpg)
IDA32位打开,打开string窗口,跟随跳转
![BUUCTF Reverse/[网鼎杯 2020 青龙组]singal_第4张图片](http://img.e-com-net.com/image/info8/761508c5f0b6432a86be6f335047bfca.jpg)
读入字符串
size_t __cdecl read(char *Str)
{
size_t result; // eax
printf("string:");
scanf("%s", Str);
result = strlen(Str);
if ( result != 15 )
{
puts("WRONG!\n");
exit(0);
}
return result;
}
主函数
![BUUCTF Reverse/[网鼎杯 2020 青龙组]singal_第5张图片](http://img.e-com-net.com/image/info8/c2a3b8b83c8c4da29bfdaf4d8fbb27ac.jpg)
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v4[117]; // [esp+18h] [ebp-1D4h] BYREF
__main();
qmemcpy(v4, &unk_403040, 0x1C8u);
vm_operad(v4, 114);
puts("good,The answer format is:flag {}");
return 0;
}
重点就是== vm_operad==里面对字符串进行变换了
int __cdecl vm_operad(int *a1, int a2)
{
int result; // eax
char Str[200]; // [esp+13h] [ebp-E5h] BYREF
char v4; // [esp+DBh] [ebp-1Dh]
int v5; // [esp+DCh] [ebp-1Ch]
int v6; // [esp+E0h] [ebp-18h]
int v7; // [esp+E4h] [ebp-14h]
int v8; // [esp+E8h] [ebp-10h]
int v9; // [esp+ECh] [ebp-Ch]
v9 = 0;
v8 = 0;
v7 = 0;
v6 = 0;
v5 = 0;
while ( 1 )
{
result = v9;
if ( v9 >= a2 )
return result;
switch ( a1[v9] )
{
case 1:
Str[v6 + 100] = v4;
++v9;
++v6;
++v8;
break;
case 2:
v4 = a1[v9 + 1] + Str[v8];
v9 += 2;
break;
case 3:
v4 = Str[v8] - LOBYTE(a1[v9 + 1]);
v9 += 2;
break;
case 4:
v4 = a1[v9 + 1] ^ Str[v8];
v9 += 2;
break;
case 5:
v4 = a1[v9 + 1] * Str[v8];
v9 += 2;
break;
case 6:
++v9;
break;
case 7:
if ( Str[v7 + 100] != a1[v9 + 1] )
{
printf("what a shame...");
exit(0);
}
++v7;
v9 += 2;
break;
case 8:
Str[v5] = v4;
++v9;
++v5;
break;
case 10:
read(Str);
++v9;
break;
case 11:
v4 = Str[v8] - 1;
++v9;
break;
case 12:
v4 = Str[v8] + 1;
++v9;
break;
default:
continue;
}
}
}
unk_40340里的值,这里0可以去掉
![BUUCTF Reverse/[网鼎杯 2020 青龙组]singal_第6张图片](http://img.e-com-net.com/image/info8/bb0db0eefae246a28910a54ed3b51b2d.jpg)
转到hex窗口,复制出来批量替换一下,得到
0x0A,0x04,0x10,0x08, 0x03,0x05,0x01,0x04, 0x20,0x08,0x05,0x03, 0x01,0x03,0x02,0x08,
0x0B,0x01,0x0C,0x08, 0x04,0x04,0x01,0x05, 0x03,0x08,0x03,0x21, 0x01,0x0B,0x08,0x0B,
0x01,0x04,0x09,0x08, 0x03,0x20,0x01,0x02, 0x51,0x08,0x04,0x24, 0x01,0x0C,0x08,0x0B,
0x01,0x05,0x02,0x08, 0x02,0x25,0x01,0x02, 0x36,0x08,0x04,0x41, 0x01,0x02,0x20,0x08,
0x05,0x01,0x01,0x05, 0x03,0x08,0x02,0x25, 0x01,0x04,0x09,0x08, 0x03,0x20,0x01,0x02,
0x41,0x08,0x0C,0x01, 0x07,0x22,0x07,0x3F, 0x07,0x34,0x07,0x32, 0x07,0x72,0x07,0x33,
0x07,0x18,0x07,0xA7,0xFF,0xFF,0xFF, 0x07,0x31,0x07,0xF1,0xFF,0xFF,0xFF,
0x07,0x28,0x07,0x84,0xFF,0xFF,0xFF, 0x07,0xC1,0xFF,0xFF,0xFF,0x07,0x1E, 0x07,0x7A
看这个case7,以及这个case1,这个是将每个v4存储到v6+100的下标中,然后与a1[v9+1]进行比较,如果不同则退出,说明这里的a1[v9+1]存储的就是输入字符串变化后的值
case 7:
if ( Str[v7 + 100] != a1[v9 + 1] )
{
printf("what a shame...");
exit(0);
}
case 1:
Str[v6 + 100] = v4;
++v9;
++v6;
++v8;
break;
而要当case1才会将变化后的值存储,说明每个1后面的一位数就是变换后的字符,得到
v[15] = {0x22,0x3f,0x34,0x32,0x72,0x33,0x18,0xa7,0x31,0xf1,0x28,0x84,0xc1,0x1e,0x7a}; //v4的值
然后直接暴力破解flag,改一些代码,写出脚本
#include 运行结果
![BUUCTF Reverse/[网鼎杯 2020 青龙组]singal_第7张图片](http://img.e-com-net.com/image/info8/4faeeae7d4444c92b70c311b1c2fc895.jpg)
得到flag: flag{757515121f3d478}