心血来潮,想接触点Reverse,感受下Reverse,于是从CTF的简单题目中慢慢入门
提示:以下是本篇文章正文内容,下面案例可供参考
1、工具:IDA
直接使用IDA将exe反编译,得到一堆代码。
使用Ctrl+X,查看编译流程,然后使用F5,查看代码。
int __cdecl main(int argc, const char **argv, const char **envp)
{
char Str2[1008]; // [rsp+20h] [rbp-60h] BYREF
char Str1[1000]; // [rsp+410h] [rbp+390h] BYREF
int i; // [rsp+7FCh] [rbp+77Ch]
_main();
strcpy(Str2, "{34sy_r3v3rs3}");
printf("please put your flag:");
scanf("%s", Str1);
for ( i = 0; i <= 665; ++i )
{
if ( Str1[i] == 101 )
Str1[i] = 51;
}
for ( i = 0; i <= 665; ++i )
{
if ( Str1[i] == 97 )
Str1[i] = 52;
}
if ( strcmp(Str1, Str2) )
printf("you are wrong,see again!");
else
printf("you are right!");
system("pause");
return 0;
}
将输入的字符,ascii为101的变成51,97的变成52,然后与str2对比,一致则成功。
s = '{34sy_r3v3rs3}'
r = ''
for i in s:
if ord(i) ==51:
r += chr(101)
elif ord(i) == 52:
r += chr(97)
else:
r += i
print(r)
得到flag
int __cdecl main(int argc, const char **argv, const char **envp)
{
char Str2[64]; // [rsp+20h] [rbp-90h] BYREF
char Str[68]; // [rsp+60h] [rbp-50h] BYREF
int v7; // [rsp+A8h] [rbp-8h]
int i; // [rsp+ACh] [rbp-4h]
_main();
strcpy(Str2, "ylqq]aycqyp{");
printf(Format);
gets(Str);
v7 = strlen(Str);
for ( i = 0; i < v7; ++i )
{
if ( (Str[i] <= 96 || Str[i] > 98) && (Str[i] <= 64 || Str[i] > 66) )
Str[i] -= 2;
else
Str[i] += 24;
}
if ( strcmp(Str, Str2) )
printf(asc_404024);
else
printf(aBingo);
system("pause");
return 0;
}
s = 'ylqq]aycqyp{'
l = []
for i in s:
l.append(ord(i))
# print(l)
l = [121, 108, 113, 113, 93, 97, 121, 99, 113, 121, 112, 123]
r = ''
for i in l:
if (i <= 94 or i > 96) and (i <= 62 or i > 64):
r += chr(i + 2)
else:
r += chr(i - 24)
print(r)
得到的结果进行caser,并且猜一下,得到{nss_caesar}
存在大量jmp跳转,导致程序无法正常编译,尝试将跳转nop掉,即将其转换成空指令。
startaddr = 0x1135
endaddr = 0x3100
for i in range(startaddr,endaddr):
if get_wide_byte(i) == 0xEB:
if get_wide_byte(i+1) == 0xFF:
patch_byte(i,0x90)
print("[+] Addr {} is patched".format(hex(i)))
起始地址是main函数的0x1135到结束,通过遍历byte,判断是否和EB FF,即jmp的机械码,是则改成90,即nop。
看到flag为GFCTF{u_are2wordy}
可以看到0041188C处有call,并且爆红,可以判断为花指令,因此要消除即变成nop,选中41188C,按快捷键D,将其转换为数据。
然后将0E8h改成0x90即nop机器码
快捷键C,将数据再次转换成指令,并将下面黄色的部分依次使用C转换成指令。
最后往上选中main入口,快捷键P生成函数,然后F5,获得函数代码。
int __cdecl main_0(int argc, const char **argv, const char **envp)
{
int i; // [esp+D0h] [ebp-2Ch]
char v5[28]; // [esp+DCh] [ebp-20h] BYREF
strcpy(v5, "NSSCTF{Jump_b9_jump!}");
for ( i = 0; i < 21; ++i )
v5[i] = (v5[i] + v5[(i * i + 123) % 21]) % 128;
sub_4110CD("%s", (char)v5);
return 0;
}
发现flag根本没被加密,直接开始Shift+F12就可以看到字符串。
跟上面一样,将爆红那里改成空指令,P+F5得到伪代码。
int __cdecl main_0(int argc, const char **argv, const char **envp)
{
int i; // [esp+D0h] [ebp-40h]
char Str1[36]; // [esp+E8h] [ebp-28h] BYREF
sub_411037("%s", (char)Str1);
for ( i = 0; i < 29; ++i )
Str1[i] = (Str1[i] + Str1[(i * i + 123) % 21]) % 96 + 32;
if ( !j_strcmp(Str1, "~4G~M:=WV7iX,zlViGmu4?hJ0H-Q*") )
puts("right!");
else
puts("nope!");
return 0;
}
将flag打乱了,并且进行了变换,逆向解密。
a = ['~', '4', 'G', '~', 'M', ':', '=', 'W', 'V', '7', 'i', 'X', ',', 'z', 'l', 'V', 'i', 'G', 'm', 'u', '4', '?', 'h',
'J', '0', 'H', '-', 'Q', '*']
for i in range(28, -1, -1):
k = (i * i + 123) % 21
for j in range(5):
x = (ord(a[i]) - 32 + j * 96 - ord(a[k]))
if 33 <= x <= 126:
a[i] = chr(x)
break
print("".join(a))
- 找到OEP,程序运行壳代码执行完后会跳转到真正的OEP
- 抓到内存文件,将新得到的源文件保存,可从头到后复制
- 对PE文件进行修复
萌新,手动脱壳不是很现实,一些脱壳工具链接:
UPX脱壳工具
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v4; // [rsp+24h] [rbp-44h] BYREF
void *Buf1; // [rsp+28h] [rbp-40h] BYREF
char v6[56]; // [rsp+30h] [rbp-38h] BYREF
sub_401770(argc, argv, envp);
printf("please input the flag:");
scanf("%s", v6);
Buf1 = 0i64;
sub_401570(v6, &Buf1, &v4);
if ( !memcmp(Buf1, a5mc58bphliax7j, v4) )
printf("\nsuccess!");
else
printf("\nfailed!");
if ( Buf1 )
free(Buf1);
return 0;
}
输入的v6经过sub_401570()函数加密与a5mc58bphliax7j比较,一致则成功,a5mc58bphliax7j的值为5Mc58bPHLiAx7J8ocJIlaVUxaJvMcoYMaoPMaOfg15c475tscHfM/8==,有点像是base64。
但是下面好像还有一串字符串,不知道干什么的,看了下加密函数。
好像加密跟下面的字符串有关,正常的base64也解密不出来,可能是base64换表。
发现PK头,直接改成zip后缀,解压得到一个apk安卓,反编译,得:
Encode类:
package com.example.ilililililil;
public class Encoder
{
private int key = 123456789;
public String encode(String paramString)
{
StringBuilder localStringBuilder = new StringBuilder();
paramString = paramString.toCharArray();
int i = paramString.length;
for (int j = 0; j < i; j++)
localStringBuilder.append((char)(paramString[j] ^ this.key));
return localStringBuilder.toString();
}
}
public /* synthetic */ void lambda$onCreate$0$MainActivity(final EditText editText, View v) {
System.out.println(encoder.encode(editText.getText().toString()));
if (encoder.encode(editText.getText().toString()).equals("棿棢棢棲棥棷棊棐棁棚棨棨棵棢棌")) {
Toast.makeText(this, "YES", 0).show();
} else {
Toast.makeText(this, "NO", 0).show();
}
}
MainActivity类:
package com.example.ilililililil;
import java.lang.reflect.Field;
public class MainActlvity
{
public MainActlvity()
{
try
{
Field localField = Encoder.class.getDeclaredField("key");
localField.setAccessible(true);
localField.set(MainActivity.encoder, Integer.valueOf(987654321));
}
catch (NoSuchFieldException localNoSuchFieldException)
{
}
catch (IllegalAccessException localIllegalAccessException)
{
}
localIllegalAccessException.printStackTrace();
}
}
可以知道key变成了987654321
所以exp为:
code = '棿棢棢棲棥棷棊棐棁棚棨棨棵棢棌'
key = 987654321
flag = ""
for i in code:
flag += chr((ord(i) ^ key) % 128)
print(flag)
得到flag NSSCTF{apkYYDS}
private static final void onCreate$lambda-0(MainActivity paramMainActivity, int[] paramArrayOfInt, View paramView)
{
Intrinsics.checkNotNullParameter(paramMainActivity, "this$0");
Intrinsics.checkNotNullParameter(paramArrayOfInt, "$c");
paramView = ((EditText)paramMainActivity._$_findCachedViewById(R.id.input)).getText().toString().chars().toArray();
Intrinsics.checkNotNullExpressionValue(paramView, "flag.toArray()");
if (Arrays.equals(paramMainActivity.baby_xor(paramView), paramArrayOfInt))
Toast.makeText((Context)paramMainActivity, (CharSequence)"Success", 1).show();
else
Toast.makeText((Context)paramMainActivity, (CharSequence)"Failed", 0).show();
}
protected void onCreate(Bundle paramBundle)
{
super.onCreate(paramBundle);
ActivityMainBinding localActivityMainBinding = ActivityMainBinding.inflate(getLayoutInflater());
Intrinsics.checkNotNullExpressionValue(localActivityMainBinding, "inflate(layoutInflater)");
this.binding = localActivityMainBinding;
paramBundle = localActivityMainBinding;
if (localActivityMainBinding == null)
{
Intrinsics.throwUninitializedPropertyAccessException("binding");
paramBundle = null;
}
setContentView((View)paramBundle.getRoot());
((Button)_$_findCachedViewById(R.id.btn)).setOnClickListener(new MainActivity..ExternalSyntheticLambda0(this, new int[] { 119, 9, 40, 44, 106, 83, 126, 123, 33, 87, 113, 123, 112, 93, 125, 127, 41, 82, 44, 127, 39, 3, 126, 125, 119, 87, 47, 125, 33, 6, 44, 127, 112, 0, 126, 123, 115, 24 }));
}
flag转成了数组,进行baby_xor异或,要等于{ 119, 9, 40, 44, 106, 83, 126, 123, 33, 87, 113, 123, 112, 93, 125, 127, 41, 82, 44, 127, 39, 3, 126, 125, 119, 87, 47, 125, 33, 6, 44, 127, 112, 0, 126, 123, 115, 24 },在反编译的函数中找不到baby_xor,它还给了so文件,放入IDA,会发现存在babyxor函数。
__int64 __fastcall Java_com_example_createso_MainActivity_baby_1xor(__int64 a1, __int64 a2, __int64 a3)
{
int i; // [rsp+14h] [rbp-2Ch]
__int64 v5; // [rsp+18h] [rbp-28h]
unsigned int v6; // [rsp+24h] [rbp-1Ch]
v6 = _JNIEnv::GetArrayLength(a1, a3);
v5 = _JNIEnv::GetIntArrayElements(a1, a3, 0LL);
for ( i = 0; i < (int)v6; ++i )
*(_DWORD *)(v5 + 4LL * i) ^= key[i % 4];
_JNIEnv::SetIntArrayRegion(a1, a3, 0LL, v6, v5);
return a3;
}
_DWORD *hide_key(void)
{
_DWORD *result; // rax
result = key;
key[0] ^= 0x47u;
key[1] ^= 0x32u;
key[2] ^= 0x11u;
key[3] ^= 0x12u;
return result;
}
这里就是先将key异或变一下,然后与key[i%4]做异或。
发现key的初始值 0x56 0x57 0x58 0x59
from Crypto.Util.number import long_to_bytes
l = [119, 9, 40, 44, 106, 83, 126, 123, 33, 87, 113, 123, 112, 93, 125, 127, 41, 82, 44, 127, 39, 3, 126, 125, 119, 87,
47, 125, 33, 6, 44, 127, 112, 0, 126, 123, 115, 24]
key = [0x56, 0x57, 0x58, 0x59]
key[0] ^= 0x47
key[1] ^= 0x32
key[2] ^= 0x11
key[3] ^= 0x12
flag = ''
for i in range(len(l)):
flag += chr(l[i] ^ key[i % 4])
print(flag)
得到flag
函数定义了操作码的功能,可看成是操作码表,202060地址存放操作码,可理解成密文,qword_2022A8存放输入的字符串,其余九是操作码代表的功能,要通过语句推断功能代表的语句,还原程序流程。
多个分支,并且都是赋值,推断是mov操作,根据0xE1等分直情况不同,进行不同的表达式,0XE1:mov R0 flag 0XE2:mov R1 flag以此类推
xor操作,R0=R0^R1
读取长度为21的flag
mul乘法操作,R0=R0*R3
swap交换指令操作,swap R0 R1
线性运算 R0=R2+2R1+3R0
知道所有的操作码的含义后,获取密文操作码,从0x202060到0x20229结束,然后翻译操作码
import binascii
from pwn import *
fd = open("babyvm", "rb")
arr = []
offset = 0x2060
while offset <= 0x229e:
fd.seek(offset)
fr = fd.read(1)
arr.append(int(binascii.b2a_hex(fr).decode('utf-8'),16))
offset += 1
# print(arr, len(arr))
result = ""
i = 0
while i < 575:
if arr[i] == 0xf1:
if arr[i + 1] == 0xE1:
result += "{0} mov R0 flag[{1}]\n".format(i, arr[i + 2])
elif arr[i + 1] == 0xE2:
result += "{0} mov R1 flag[{1}]\n".format(i, arr[i + 2])
elif arr[i + 1] == 0xE3:
result += "{0} mov R2 flag[{1}]\n".format(i, arr[i + 2])
elif arr[i + 1] == 0xE4:
result += "{0} mov flag[{1}] R0\n".format(i, arr[i + 2])
elif arr[i + 1] == 0xE5:
result += "{0} mov R3 flag[{1}]\n".format(i, arr[i + 2])
elif arr[i + 1] == 0xE7:
result += "{0} mov flag[{1}] R1\n".format(i, arr[i + 2])
i = i + 6
elif arr[i] == 0xf2:
result += "{0} xor R0 R1\n".format(i)
i += 1
elif arr[i] == 0xf5:
result += "{0} read flag 21\n".format(i)
i += 1
elif arr[i] == 0xf4:
i += 1
elif arr[i] == 0xf7:
result += "{0} mul R0 R3\n".format(i)
i += 1
elif arr[i] == 0xf8:
result += "{0} swap R0 R1\n".format(i)
i += 1
elif arr[i] == 0xf6:
result += "{0} mov R0 R2+2*R1+3*R0\n".format(i)
i += 1
else:
i += 1
with open("babyvm.txt", "a+") as tr:
tr.write(result)
tr.close()
得到:
0 read flag 21
1 mov R0 flag[0]
7 xor R0 R1
8 mov flag[32] R0
14 mov R0 flag[1]
20 xor R0 R1
21 mov flag[33] R0
27 mov R0 flag[2]
33 xor R0 R1
34 mov flag[34] R0
40 mov R0 flag[3]
46 xor R0 R1
47 mov flag[35] R0
53 mov R0 flag[4]
59 xor R0 R1
60 mov flag[36] R0
66 mov R0 flag[5]
72 xor R0 R1
73 mov flag[37] R0
79 mov R0 flag[6]
85 xor R0 R1
86 mov flag[38] R0
92 mov R0 flag[7]
98 xor R0 R1
99 mov flag[39] R0
105 mov R0 flag[8]
111 xor R0 R1
112 mov flag[40] R0
118 mov R0 flag[9]
124 xor R0 R1
125 mov flag[41] R0
131 mov R0 flag[10]
137 xor R0 R1
138 mov flag[42] R0
144 mov R0 flag[11]
150 xor R0 R1
151 mov flag[43] R0
157 mov R0 flag[12]
163 xor R0 R1
164 mov flag[44] R0
170 mov R0 flag[13]
176 xor R0 R1
177 mov flag[45] R0
183 mov R0 flag[14]
189 xor R0 R1
190 mov flag[46] R0
196 mov R0 flag[15]
202 xor R0 R1
203 mov flag[47] R0
209 mov R0 flag[16]
215 xor R0 R1
216 mov flag[48] R0
222 mov R0 flag[17]
228 xor R0 R1
229 mov flag[49] R0
235 mov R0 flag[18]
241 xor R0 R1
242 mov flag[50] R0
248 mov R0 flag[19]
254 xor R0 R1
255 mov flag[51] R0
288 read flag 21
289 mov R0 flag[0]
295 mov R1 flag[1]
301 xor R0 R1
302 mov flag[0] R0
308 mov R0 flag[1]
314 mov R1 flag[2]
320 xor R0 R1
321 mov flag[1] R0
327 mov R0 flag[2]
333 mov R1 flag[3]
339 xor R0 R1
340 mov flag[2] R0
346 mov R0 flag[3]
352 mov R1 flag[4]
358 xor R0 R1
359 mov flag[3] R0
365 mov R0 flag[4]
371 mov R1 flag[5]
377 xor R0 R1
378 mov flag[4] R0
384 mov R0 flag[5]
390 mov R1 flag[6]
396 xor R0 R1
397 mov flag[5] R0
403 mov R0 flag[6]
409 mov R1 flag[7]
415 mov R2 flag[8]
421 mov R3 flag[12]
427 mov R0 R2+2*R1+3*R0
428 mul R0 R3
429 mov flag[6] R0
435 mov R0 flag[7]
441 mov R1 flag[8]
447 mov R2 flag[9]
453 mov R3 flag[12]
459 mov R0 R2+2*R1+3*R0
460 mul R0 R3
461 mov flag[7] R0
467 mov R0 flag[8]
473 mov R1 flag[9]
479 mov R2 flag[10]
485 mov R3 flag[12]
491 mov R0 R2+2*R1+3*R0
492 mul R0 R3
493 mov flag[8] R0
499 mov R0 flag[13]
505 mov R1 flag[19]
511 swap R0 R1
512 mov flag[13] R0
518 mov flag[19] R1
524 mov R0 flag[14]
530 mov R1 flag[18]
536 swap R0 R1
537 mov flag[14] R0
543 mov flag[18] R1
549 mov R0 flag[15]
555 mov R1 flag[17]
561 swap R0 R1
562 mov flag[15] R0
568 mov flag[17] R1
有两端read flag操作,但是第一段flag[34]等等,flag长度只有21,所有第二段是正确的,分析第二段
288 read flag 21
289 mov R0 flag[0]
295 mov R1 flag[1]
301 xor R0 R1
302 mov flag[0] R0 //flag[0]=flag[0]^flag[1]
308 mov R0 flag[1]
314 mov R1 flag[2]
320 xor R0 R1
321 mov flag[1] R0 //flag[1]=flag[1]^flag[2]
327 mov R0 flag[2]
333 mov R1 flag[3]
339 xor R0 R1
340 mov flag[2] R0 flag[2]=flag[2]^flag[3]
346 mov R0 flag[3]
352 mov R1 flag[4]
358 xor R0 R1
359 mov flag[3] R0 //flag[3]=flag[3]^flag[4]
365 mov R0 flag[4]
371 mov R1 flag[5]
377 xor R0 R1
378 mov flag[4] R0 //flag[4]=flag[4]^flag[5]
384 mov R0 flag[5]
390 mov R1 flag[6]
396 xor R0 R1
397 mov flag[5] R0 //flag[5]=flag[5]^flag[6]
403 mov R0 flag[6]
409 mov R1 flag[7]
415 mov R2 flag[8]
421 mov R3 flag[12]
427 mov R0 R2+2*R1+3*R0
428 mul R0 R3 //flag[6]=FLAG[8]+2*FLAG[7]+3*FLAG[6]*FLAG[12]
429 mov flag[6] R0
435 mov R0 flag[7]
441 mov R1 flag[8]
447 mov R2 flag[9]
453 mov R3 flag[12]
459 mov R0 R2+2*R1+3*R0
460 mul R0 R3 //flag[7]=flag[9]+2*flag[8]+3*flag[7]*flag[12]
461 mov flag[7] R0
467 mov R0 flag[8]
473 mov R1 flag[9]
479 mov R2 flag[10]
485 mov R3 flag[12]
491 mov R0 R2+2*R1+3*R0
492 mul R0 R3
493 mov flag[8] R0 //flag[8]=(flag[10]+2*flag[9]+3*flag[8])*flag[12]
499 mov R0 flag[13]
505 mov R1 flag[19]
511 swap R0 R1 //swap(flag[13],flag[19])
512 mov flag[13] R0
518 mov flag[19] R1
524 mov R0 flag[14]
530 mov R1 flag[18]
536 swap R0 R1 //swap(flag[14],flag[18])
537 mov flag[14] R0
543 mov flag[18] R1
549 mov R0 flag[15]
555 mov R1 flag[17]
561 swap R0 R1 //swap(flag[15],flag[17])
562 mov flag[15] R0
568 mov flag[17] R1
程序的操作大致为:
flag=''
for i in range(6)::
flag[i]=flag[i]^flag[i+1]
flag[6]=(flag[8]+2*flag[7]+3*flag[6])*flag[12]
flag[7]=(flag[9]+2*flag[8]+3*flag[7])*flag[12]
flag[8]=(flag[10]+2*flag[9]+3*flag[8])*flag[12]
swap(flag[13],flag[19])
swap(flag[14],flag[18])
swap(flag[15],flag[17])
题目真正的check
还原脚本
from pwn import *
re = []
fd = open("babyvm", "rb")
offset = 0x2020
while offset < 0x2034:
fd.seek(offset)
fr = fd.read(1)
re.append(int(binascii.b2a_hex(fr).decode('utf-8'),16))
offset += 1
# print(re,len(re))
flag = []
for i in range(20):
flag.append(0)
flag[11] = re[11]
flag[12] = re[12]
flag[13] = re[19]
flag[14] = re[18]
flag[15] = re[17]
flag[16] = re[16]
flag[17] = re[15]
flag[18] = re[14]
flag[19] = re[13]
flag[9] = re[9]
flag[10] = re[10]
for i in range(128):
if re[8] == ((i * 3 + flag[9] * 2 + flag[10]) * flag[12]) & 0xff:
flag[8] = i
for j in range(128):
if re[7] == ((j * 3 + flag[8] * 2 + flag[9]) * flag[12]) & 0xff:
flag[7] = j
for k in range(128):
if re[6] == ((k * 3 + flag[7] * 2 + flag[8]) * flag[12]) & 0xff:
flag[6] = k
flag[5] = re[5] ^ flag[6]
flag[4] = re[4] ^ flag[5]
flag[3] = re[3] ^ flag[4]
flag[2] = re[2] ^ flag[3]
flag[1] = re[1] ^ flag[2]
flag[0] = re[0] ^ flag[1]
FLAG = ""
for i in flag:
FLAG += chr(i)
print(FLAG)
得到flag
总结一下VMre的解法步骤:
1.根据函数获取操作码表,操作码表中对应的操作,还原程序流程。
2.根据程序流程获得程序的算法。
3.获取flag存放位置并获得加密数据,根据算法还原。
.file "test.c"
.text
.section .rodata
.LC0:
.string "%s"
.LC1:
.string "YES,you get the flag"
.LC2:
.string "NO,error"
.text
.globl main
.type main, @function
main:
.LFB6:
.cfi_startproc
endbr64
pushq %rbp
.cfi_def_cfa_offset 16
.cfi_offset 6, -16
movq %rsp, %rbp
.cfi_def_cfa_register 6
pushq %rbx
subq $216, %rsp
.cfi_offset 3, -24
movq %fs:40, %rax
movq %rax, -24(%rbp)
xorl %eax, %eax
movabsq $7158324656262427505, %rax
movabsq $7163901470557426799, %rdx
movq %rax, -208(%rbp)
movq %rdx, -200(%rbp)
movabsq $3619001219890117209, %rax
movabsq $5780770822738496110, %rdx
movq %rax, -192(%rbp)
movq %rdx, -184(%rbp)
movabsq $3838605427404404553, %rax
movabsq $4427116830602054234, %rdx
movq %rax, -176(%rbp)
movq %rdx, -168(%rbp)
movb $0, -160(%rbp)
movl $0, -212(%rbp)
leaq -80(%rbp), %rax
movq %rax, %rsi
leaq .LC0(%rip), %rdi
movl $0, %eax
call __isoc99_scanf@PLT
movl $0, -220(%rbp)
jmp .L2
.L15:
movl -220(%rbp), %eax
cltq
movzbl -80(%rbp,%rax), %eax
cmpb $64, %al
jle .L3
movl -220(%rbp), %eax
cltq
movzbl -80(%rbp,%rax), %eax
cmpb $90, %al
jle .L4
.L3:
movl -220(%rbp), %eax
cltq
movzbl -80(%rbp,%rax), %eax
cmpb $96, %al
jle .L5
movl -220(%rbp), %eax
cltq
movzbl -80(%rbp,%rax), %eax
cmpb $122, %al
jle .L6
.L5:
movl -220(%rbp), %eax
cltq
movzbl -80(%rbp,%rax), %edx
movl -220(%rbp), %eax
cltq
movb %dl, -144(%rbp,%rax)
jmp .L11
.L6:
movl $97, -216(%rbp)
jmp .L8
.L10:
movl -220(%rbp), %eax
cltq
movzbl -80(%rbp,%rax), %eax
movsbl %al, %eax
leal -84(%rax), %edx
movslq %edx, %rax
imulq $1321528399, %rax, %rax
shrq $32, %rax
movl %eax, %ecx
sarl $3, %ecx
movl %edx, %eax
sarl $31, %eax
subl %eax, %ecx
movl %ecx, %eax
imull $26, %eax, %eax
subl %eax, %edx
movl %edx, %eax
addl $97, %eax
cmpl %eax, -216(%rbp)
jne .L9
movl -216(%rbp), %eax
movl %eax, %edx
movl -220(%rbp), %eax
cltq
movb %dl, -144(%rbp,%rax)
.L9:
addl $1, -216(%rbp)
.L8:
cmpl $122, -216(%rbp)
jle .L10
jmp .L11
.L4:
movl $65, -216(%rbp)
jmp .L12
.L14:
movl -220(%rbp), %eax
cltq
movzbl -80(%rbp,%rax), %eax
movsbl %al, %eax
leal -52(%rax), %edx
movslq %edx, %rax
imulq $1321528399, %rax, %rax
shrq $32, %rax
movl %eax, %ecx
sarl $3, %ecx
movl %edx, %eax
sarl $31, %eax
subl %eax, %ecx
movl %ecx, %eax
imull $26, %eax, %eax
subl %eax, %edx
movl %edx, %eax
addl $65, %eax
cmpl %eax, -216(%rbp)
jne .L13
movl -216(%rbp), %eax
movl %eax, %edx
movl -220(%rbp), %eax
cltq
movb %dl, -144(%rbp,%rax)
.L13:
addl $1, -216(%rbp)
.L12:
cmpl $90, -216(%rbp)
jle .L14
.L11:
addl $1, -220(%rbp)
.L2:
movl -220(%rbp), %eax
movslq %eax, %rbx
leaq -80(%rbp), %rax
movq %rax, %rdi
call strlen@PLT
cmpq %rax, %rbx
jb .L15
movl $0, -220(%rbp)
jmp .L16
.L18:
movl -220(%rbp), %eax
cltq
movzbl -208(%rbp,%rax), %edx
movl -220(%rbp), %eax
cltq
movzbl -144(%rbp,%rax), %eax
cmpb %al, %dl
jne .L17
addl $1, -212(%rbp)
.L17:
addl $1, -220(%rbp)
.L16:
movl -220(%rbp), %eax
movslq %eax, %rbx
leaq -80(%rbp), %rax
movq %rax, %rdi
call strlen@PLT
cmpq %rax, %rbx
jb .L18
movl -212(%rbp), %eax
movslq %eax, %rbx
leaq -208(%rbp), %rax
movq %rax, %rdi
call strlen@PLT
cmpq %rax, %rbx
jne .L19
leaq .LC1(%rip), %rdi
call puts@PLT
jmp .L20
.L19:
leaq .LC2(%rip), %rdi
call puts@PLT
.L20:
movl $0, %eax
movq -24(%rbp), %rsi
xorq %fs:40, %rsi
je .L22
call __stack_chk_fail@PLT
.L22:
addq $216, %rsp
popq %rbx
popq %rbp
.cfi_def_cfa 7, 8
ret
.cfi_endproc
.LFE6:
.size main, .-main
.ident "GCC: (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0"
.section .note.GNU-stack,"",@progbits
.section .note.gnu.property,"a"
.align 8
.long 1f - 0f
.long 4f - 1f
.long 5
0:
.string "GNU"
1:
.align 8
.long 0xc0000002
.long 3f - 2f
2:
.long 0x3
3:
.align 8
4:
直接给GNU代码,可以使用as命令将汇编代码编译为二进制代码,让再用gcc编译成程序。
int __cdecl main(int argc, const char **argv, const char **envp)
{
int i; // [rsp+4h] [rbp-DCh]
int l; // [rsp+4h] [rbp-DCh]
int k; // [rsp+8h] [rbp-D8h]
int j; // [rsp+8h] [rbp-D8h]
int v8; // [rsp+Ch] [rbp-D4h]
char v9[128]; // [rsp+10h] [rbp-D0h] BYREF
char s[56]; // [rsp+90h] [rbp-50h] BYREF
unsigned __int64 v11; // [rsp+C8h] [rbp-18h]
v11 = __readfsqword(0x28u);
strcpy(v9, "q3q3YzWcoTyvnJkcYzAioF92nJEyol9PIwSeLwE5ZJ03MGp=");
v8 = 0;
__isoc99_scanf(&unk_2004, s);
for ( i = 0; i < strlen(s); ++i )
{
if ( s[i] > 64 && s[i] <= 90 )
{
for ( j = 65; j <= 90; ++j )
{
if ( j == (s[i] - 52) % 26 + 65 )
v9[i + 64] = j;
}
}
else if ( s[i] > 96 && s[i] <= 122 )
{
for ( k = 97; k <= 122; ++k )
{
if ( k == (s[i] - 84) % 26 + 97 )
v9[i + 64] = k;
}
}
else
{
v9[i + 64] = s[i];
}
}
for ( l = 0; l < strlen(s); ++l )
{
if ( v9[l] == v9[l + 64] )
++v8;
}
if ( v8 == strlen(v9) )
puts("YES,you get the flag");
else
puts("NO,error");
return 0;
}
1 0 LOAD_CONST 0 (-1)
3 LOAD_CONST 1 (None)
6 IMPORT_NAME 0 (os)
9 STORE_NAME 0 (os)
4 12 LOAD_CONST 2 (0)
15 STORE_NAME 1 (a)
5 18 LOAD_NAME 2 (input)
21 CALL_FUNCTION 0
24 STORE_NAME 3 (flag)
6 27 SETUP_LOOP 36 (to 66)
30 LOAD_NAME 4 (range)
33 LOAD_NAME 5 (len)
36 LOAD_NAME 3 (flag)
39 CALL_FUNCTION 1
42 CALL_FUNCTION 1
45 GET_ITER
>> 46 FOR_ITER 16 (to 65)
49 STORE_NAME 6 (i)
7 52 LOAD_NAME 1 (a)
55 LOAD_CONST 3 (1)
58 INPLACE_ADD
59 STORE_NAME 1 (a)
62 JUMP_ABSOLUTE 46
>> 65 POP_BLOCK
9 >> 66 LOAD_NAME 1 (a)
69 LOAD_CONST 4 (32)
72 COMPARE_OP 3 (!=)
75 POP_JUMP_IF_FALSE 93
10 78 LOAD_CONST 5 ('error')
81 PRINT_ITEM
82 PRINT_NEWLINE
11 83 LOAD_NAME 7 (exit)
86 CALL_FUNCTION 0
89 POP_TOP
90 JUMP_FORWARD 0 (to 93)
13 >> 93 LOAD_NAME 3 (flag)
96 LOAD_CONST 2 (0)
99 BINARY_SUBSCR
100 LOAD_CONST 6 ('f')
103 COMPARE_OP 3 (!=)
106 POP_JUMP_IF_TRUE 189
109 LOAD_NAME 3 (flag)
112 LOAD_CONST 3 (1)
115 BINARY_SUBSCR
116 LOAD_CONST 7 ('l')
119 COMPARE_OP 3 (!=)
122 POP_JUMP_IF_TRUE 189
125 LOAD_NAME 3 (flag)
128 LOAD_CONST 8 (2)
131 BINARY_SUBSCR
132 LOAD_CONST 9 ('a')
135 COMPARE_OP 3 (!=)
138 POP_JUMP_IF_TRUE 189
141 LOAD_NAME 3 (flag)
144 LOAD_CONST 10 (3)
147 BINARY_SUBSCR
148 LOAD_CONST 11 ('g')
151 COMPARE_OP 3 (!=)
154 POP_JUMP_IF_TRUE 189
157 LOAD_NAME 3 (flag)
160 LOAD_CONST 12 (4)
163 BINARY_SUBSCR
164 LOAD_CONST 13 ('{')
167 COMPARE_OP 3 (!=)
170 POP_JUMP_IF_TRUE 189
173 LOAD_NAME 3 (flag)
176 LOAD_CONST 14 (31)
179 BINARY_SUBSCR
180 LOAD_CONST 15 ('}')
183 COMPARE_OP 3 (!=)
186 POP_JUMP_IF_FALSE 204
14 >> 189 LOAD_CONST 5 ('error')
192 PRINT_ITEM
193 PRINT_NEWLINE
15 194 LOAD_NAME 7 (exit)
197 CALL_FUNCTION 0
200 POP_TOP
201 JUMP_FORWARD 0 (to 204)
17 >> 204 BUILD_LIST 0
207 STORE_NAME 8 (tmp)
19 210 SETUP_LOOP 37 (to 250)
213 LOAD_NAME 4 (range)
216 LOAD_NAME 1 (a)
219 CALL_FUNCTION 1
222 GET_ITER
>> 223 FOR_ITER 23 (to 249)
226 STORE_NAME 6 (i)
20 229 LOAD_NAME 8 (tmp)
232 LOAD_ATTR 9 (append)
235 LOAD_NAME 3 (flag)
238 LOAD_NAME 6 (i)
241 BINARY_SUBSCR
242 CALL_FUNCTION 1
245 POP_TOP
246 JUMP_ABSOLUTE 223
>> 249 POP_BLOCK
22 >> 250 SETUP_LOOP 44 (to 297)
253 LOAD_NAME 4 (range)
256 LOAD_NAME 1 (a)
259 CALL_FUNCTION 1
262 GET_ITER
>> 263 FOR_ITER 30 (to 296)
266 STORE_NAME 6 (i)
23 269 LOAD_NAME 10 (ord)
272 LOAD_NAME 8 (tmp)
275 LOAD_NAME 6 (i)
278 BINARY_SUBSCR
279 CALL_FUNCTION 1
282 LOAD_CONST 16 (9)
285 BINARY_SUBTRACT
286 LOAD_NAME 8 (tmp)
289 LOAD_NAME 6 (i)
292 STORE_SUBSCR
293 JUMP_ABSOLUTE 263
>> 296 POP_BLOCK
25 >> 297 SETUP_LOOP 38 (to 338)
300 LOAD_NAME 4 (range)
303 LOAD_NAME 1 (a)
306 CALL_FUNCTION 1
309 GET_ITER
>> 310 FOR_ITER 24 (to 337)
313 STORE_NAME 6 (i)
26 316 LOAD_NAME 8 (tmp)
319 LOAD_NAME 6 (i)
322 BINARY_SUBSCR
323 LOAD_CONST 17 (51)
326 BINARY_XOR
327 LOAD_NAME 8 (tmp)
330 LOAD_NAME 6 (i)
333 STORE_SUBSCR
334 JUMP_ABSOLUTE 310
>> 337 POP_BLOCK
28 >> 338 SETUP_LOOP 38 (to 379)
341 LOAD_NAME 4 (range)
344 LOAD_NAME 1 (a)
347 CALL_FUNCTION 1
350 GET_ITER
>> 351 FOR_ITER 24 (to 378)
354 STORE_NAME 6 (i)
29 357 LOAD_NAME 8 (tmp)
360 LOAD_NAME 6 (i)
363 BINARY_SUBSCR
364 LOAD_CONST 18 (8)
367 BINARY_ADD
368 LOAD_NAME 8 (tmp)
371 LOAD_NAME 6 (i)
374 STORE_SUBSCR
375 JUMP_ABSOLUTE 351
>> 378 POP_BLOCK
31 >> 379 LOAD_NAME 8 (tmp)
382 LOAD_NAME 1 (a)
385 LOAD_CONST 10 (3)
388 BINARY_SUBTRACT
389 BINARY_SUBSCR
390 STORE_NAME 11 (tmp1)
32 393 LOAD_NAME 8 (tmp)
396 LOAD_NAME 1 (a)
399 LOAD_CONST 8 (2)
402 BINARY_SUBTRACT
403 BINARY_SUBSCR
404 STORE_NAME 12 (tmp2)
33 407 LOAD_NAME 8 (tmp)
410 LOAD_NAME 1 (a)
413 LOAD_CONST 3 (1)
416 BINARY_SUBTRACT
417 BINARY_SUBSCR
418 STORE_NAME 13 (tmp3)
35 421 SETUP_LOOP 58 (to 482)
424 LOAD_NAME 4 (range)
427 LOAD_NAME 1 (a)
430 LOAD_CONST 10 (3)
433 BINARY_SUBTRACT
434 CALL_FUNCTION 1
437 GET_ITER
>> 438 FOR_ITER 40 (to 481)
441 STORE_NAME 6 (i)
36 444 LOAD_NAME 8 (tmp)
447 LOAD_NAME 1 (a)
450 LOAD_CONST 3 (1)
453 BINARY_SUBTRACT
454 LOAD_NAME 6 (i)
457 BINARY_SUBTRACT
458 LOAD_CONST 10 (3)
461 BINARY_SUBTRACT
462 BINARY_SUBSCR
463 LOAD_NAME 8 (tmp)
466 LOAD_NAME 1 (a)
469 LOAD_CONST 3 (1)
472 BINARY_SUBTRACT
473 LOAD_NAME 6 (i)
476 BINARY_SUBTRACT
477 STORE_SUBSCR
478 JUMP_ABSOLUTE 438
>> 481 POP_BLOCK
38 >> 482 LOAD_NAME 13 (tmp3)
485 LOAD_NAME 8 (tmp)
488 LOAD_CONST 2 (0)
491 STORE_SUBSCR
39 492 LOAD_NAME 12 (tmp2)
495 LOAD_NAME 8 (tmp)
498 LOAD_CONST 3 (1)
501 STORE_SUBSCR
40 502 LOAD_NAME 11 (tmp1)
505 LOAD_NAME 8 (tmp)
508 LOAD_CONST 8 (2)
511 STORE_SUBSCR
42 512 SETUP_LOOP 58 (to 573)
515 LOAD_NAME 4 (range)
518 LOAD_NAME 1 (a)
521 CALL_FUNCTION 1
524 GET_ITER
>> 525 FOR_ITER 44 (to 572)
528 STORE_NAME 6 (i)
43 531 LOAD_NAME 6 (i)
534 LOAD_CONST 19 (7)
537 BINARY_MODULO
538 LOAD_CONST 3 (1)
541 COMPARE_OP 2 (==)
544 POP_JUMP_IF_FALSE 553
44 547 JUMP_ABSOLUTE 525
550 JUMP_FORWARD 0 (to 553)
45 >> 553 LOAD_NAME 8 (tmp)
556 LOAD_NAME 6 (i)
559 DUP_TOPX 2
562 BINARY_SUBSCR
563 LOAD_CONST 20 (119)
566 INPLACE_XOR
567 ROT_THREE
568 STORE_SUBSCR
569 JUMP_ABSOLUTE 525
>> 572 POP_BLOCK
48 >> 573 LOAD_NAME 14 (open)
576 LOAD_CONST 21 ('out')
579 LOAD_CONST 22 ('w')
582 CALL_FUNCTION 2
585 SETUP_WITH 26 (to 614)
588 STORE_NAME 15 (f)
49 591 LOAD_NAME 15 (f)
594 LOAD_ATTR 16 (write)
597 LOAD_NAME 17 (str)
600 LOAD_NAME 8 (tmp)
603 CALL_FUNCTION 1
606 CALL_FUNCTION 1
609 POP_TOP
610 POP_BLOCK
611 LOAD_CONST 1 (None)
>> 614 WITH_CLEANUP
615 END_FINALLY
616 LOAD_CONST 1 (None)
619 RETURN_VALUE
python字节码,直接手撕,结构为 源码行号 | 指令在函数中的偏移 | 指令符号 | 指令参数 | 实际参数值。
参考文章:python字节码
字节码
a = [56, 17, 99, 1, 47, 4, 2, 62, 75, 102, 8, 242, 16, 242, 97, 97, 100, 107, 16, 9, 10, 3, 117, 20, 80, 87, 242, 2, 6, 119, 7, 17]
flag = ''
for i in range(len(a)):
if i%7==1:
flag += (chr(((a[i]-8)^51)+9))
else:
flag += (chr((((a[i]^119)-8)^51)+9))
print(flag)
unsigned __int64 get_flag()
{
unsigned int v0; // eax
int i; // [rsp+4h] [rbp-3Ch]
int j; // [rsp+8h] [rbp-38h]
__int64 s; // [rsp+10h] [rbp-30h] BYREF
char v5; // [rsp+18h] [rbp-28h]
unsigned __int64 v6; // [rsp+38h] [rbp-8h]
v6 = __readfsqword(0x28u);
v0 = time(0LL);
srand(v0);
for ( i = 0; i <= 4; ++i )
{
switch ( rand() % 200 )
{
case 1:
puts("OK, it's flag:");
memset(&s, 0, 0x28uLL);
strcat((char *)&s, f1);
strcat((char *)&s, &f2);
printf("%s", (const char *)&s);
break;
case 2:
printf("Solar not like you");
break;
case 3:
printf("Solar want a girlfriend");
break;
case 4:
s = 0x7F666F6067756369LL;
v5 = 0;
strcat(&f2, (const char *)&s);
break;
case 5:
for ( j = 0; j <= 7; ++j )
{
if ( j % 2 == 1 )
*(&f2 + j) -= 2;
else
--*(&f2 + j);
}
break;
default:
puts("emmm,you can't find flag 23333");
break;
}
}
return __readfsqword(0x28u) ^ v6;
}
flag拼接了f1和f2,f1直接给出,f2与s拼接,并做了case5的处理,注意0x7F666F6067756369LL是小端,逆序的,所以解密的时候要反过来
s = [0x7F, 0x66, 0x6F, 0x60, 0x67, 0x75, 0x63, 0x69][::-1]
flag = 'GXY{do_not_'
for i in range(8):
if i % 2 == 1:
s[i]-=2
else:
s[i]-=1
flag += chr(s[i])
print(flag)
int __cdecl main(int argc, const char **argv, const char **envp)
{
char v4[36]; // [rsp+20h] [rbp-30h] BYREF
int i; // [rsp+44h] [rbp-Ch]
char *v6; // [rsp+48h] [rbp-8h]
_main();
puts("please input your flag");
scanf("%s", v4);
v6 = v4;
for ( i = 0; i <= 5; ++i )
{
if ( *(_DWORD *)v6 != (enc[i] ^ 0x12345678) )
{
printf("Data3rr0r!");
exit(0);
}
v6 += 4;
}
printf("you are right!");
return 0;
}
直接从题目可以知道小端存储,即最低位的字节数据存在最低地址上,而次低位的字节数据按次序排列在次低的地址上,所以反着来就好。
enc = [1365706038, 1582239788, 2118132241, 2087782731, 2085961500, 1868183574]
flag = ''
l = []
for i in range(len(enc)):
flag = enc[i] ^ 0x12345678
l.append(hex(flag).replace('0x',''))
print(l)
for k in l:
i=len(k)-2
while i >= 0:
num = k[i:i + 2]
print(chr(int(num, 16)), end="")
i = i - 2
# uncompyle6 version 3.8.0
# Python bytecode 3.8.0 (3413)
# Decompiled from: Python 3.9.8 (tags/v3.9.8:bb3fdcf, Nov 5 2021, 20:48:33) [MSC v.1929 64 bit (AMD64)]
# Embedded file name: Ezpython.py
# Compiled at: 2021-07-28 10:01:40
# Size of source mod 2**32: 931 bytes
import time
c = [119, 121, 111, 109, 100, 112, 123, 74, 105, 100, 114, 48, 120, 95, 49, 99, 95, 99, 121, 48, 121, 48, 121, 48, 121, 48, 95, 111, 107, 99, 105, 125]
def decrypt(a):
result=[]
for i in range(len(a)):
if ord('a') <= a[i] <= ord('z'):
result.append((a[i] - 114 - ord('a')) % 26 + ord('a'))
elif ord('A') <= a[i] <= ord('Z'):
result.append((a[i] - 514 - ord('A')) % 26 + ord('A'))
else:
result.append(a[i])
else:
return result
result=decrypt(c)
flag=''
for i in result:
flag+=chr(i)
print(flag)
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v4[100]; // [esp+0h] [ebp-1CCh] BYREF
char v5[52]; // [esp+190h] [ebp-3Ch] BYREF
int j; // [esp+1C4h] [ebp-8h]
int i; // [esp+1C8h] [ebp-4h]
memset(v5, 0, 0x32u);
memset(v4, 0, sizeof(v4));
sub_4011A0(a50s, (char)v5);
for ( i = 0; i < 50; ++i )
{
v4[2 * i] = v5[i] & 0xF;
v4[2 * i + 1] = (v5[i] >> 4) & 0xF;
}
for ( j = 0; j < 100; ++j )
{
if ( v4[j] != dword_403000[j] )
{
sub_401160(Format, v4[0]);
return 0;
}
}
sub_401160(aYesYouAreRight, v4[0]);
return 0;
}
就是将输入的字符串一个字节切割成两部分,即每部分4个字节,然后对比,完全正确则正确。
c = [8, 6, 7, 6, 1, 6, 13, 6, 5, 6, 11, 7, 5, 6, 14, 6, 3, 6, 15, 6, 4, 6, 5, 6, 15, 5, 9, 6, 3, 7, 15, 5, 5, 6, 1, 6,
3, 7, 9, 7, 15, 5, 6, 6, 15, 6, 2, 7, 15, 5, 1, 6, 15, 5, 2, 7, 5, 6, 6, 7, 5, 6, 2, 7, 3, 7, 5, 6, 15, 5, 5, 6,
14, 6, 7, 6, 9, 6, 14, 6, 5, 6, 5, 6, 2, 7, 13, 7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
flag = ''
for i in range(50):
t = (c[i * 2 + 1] << 4) + c[i * 2]
flag += chr(t)
print(flag)
直接对APK进行反编译:
package com.example.ndktest;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.view.View;
import android.view.View.OnClickListener;
import android.widget.Button;
import android.widget.EditText;
import android.widget.TextView;
import android.widget.Toast;
import androidx.appcompat.app.AppCompatActivity;
public class MainActivity extends AppCompatActivity
{
public EditText editText1;
private EditText editText2;
private TextView textView1;
public byte[] encode(String paramString, byte[] paramArrayOfByte)
{
byte[] arrayOfByte1 = paramString.getBytes();
byte[] arrayOfByte2 = new byte[16];
int i = 0;
int k;
for (int j = 0; ; j++)
{
k = i;
if (j >= 16)
break;
arrayOfByte2[j] = (byte)((arrayOfByte1[j] + paramArrayOfByte[j]) % 61);
}
while (k < 16)
{
arrayOfByte2[k] = (byte)(arrayOfByte2[k] * 2 - k);
k++;
}
if (new String(arrayOfByte2).equals(paramString))
return arrayOfByte2;
return paramString.getBytes();
}
protected void onCreate(Bundle paramBundle)
{
super.onCreate(paramBundle);
setContentView(2131427356);
this.textView1 = ((TextView)findViewById(2131231101));
this.editText1 = ((EditText)findViewById(2131230872));
this.editText2 = ((EditText)findViewById(2131230873));
((Button)findViewById(2131230807)).setOnClickListener(new View.OnClickListener()
{
public void onClick(View paramView)
{
String str1 = MainActivity.this.editText1.getText().toString();
String str2 = MainActivity.this.editText2.getText().toString();
if (str1.length() != 16)
{
MainActivity.this.toShow();
}
else if (str2.length() != 16)
{
MainActivity.this.toShow();
}
else
{
paramView = MainActivity.this.encode(str1, new byte[] { 23, 22, 26, 26, 25, 25, 25, 26, 27, 28, 30, 30, 29, 30, 32, 32 });
for (int i = 0; i < paramView.length; i++)
paramView[i] = (byte)(paramView[i] ^ 0x22);
Object localObject = new String(paramView).toCharArray();
paramView = "";
StringBuilder localStringBuilder;
for (i = 0; i < 10; i++)
{
localStringBuilder = new StringBuilder();
localStringBuilder.append(paramView);
localStringBuilder.append(localObject[i]);
paramView = localStringBuilder.toString();
}
localObject = new StringBuilder();
((StringBuilder)localObject).append(paramView);
((StringBuilder)localObject).append("_");
((StringBuilder)localObject).append(new String(new byte[] { 64, 48, 48, 49, 49 }));
if ((str2.equals(((StringBuilder)localObject).toString())) || (new O().v.equals("")))
{
paramView = new Intent(MainActivity.this, o0.class);
localObject = MainActivity.this;
localStringBuilder = new StringBuilder();
localStringBuilder.append("Welcome ");
localStringBuilder.append(str1);
localStringBuilder.append(" !");
Toast.makeText((Context)localObject, localStringBuilder.toString(), 0).show();
paramView.putExtra("TOKEN", str2);
MainActivity.this.startActivity(paramView);
}
}
}
});
}
public void toShow()
{
Toast.makeText(this, "Wrong! Please Retry!", 0).show();
}
}
根据逻辑可以求出用户名和密码,然后将密码通过Intent传到了o0类
paramArrayOfByte = [23, 22, 26, 26, 25, 25, 25, 26, 27, 28, 30, 30, 29, 30, 32, 32]
paramArrayOfByte2 = []
username = ''
def check(a, b):
if ((a + paramArrayOfByte[b]) % 61) * 2 - b == a:
return True
else:
return False
for i in range(16):
for j in range(128):
if check(j, i):
username += chr(j)
print(username)
password = ''
paramview = ""
for k in username:
password += chr(ord(k) ^ 0x22)
for g in range(10):
r = ''
r += paramview
r += password[g]
paramview = r
localObject=""
localObject+=paramview
localObject+='_'
a=[64, 48, 48, 49, 49 ]
for l in a:
localObject+=chr(l)
print(localObject)
账号密码分别为LOHILMNMLKHILKHI、nmjknoloni_@0011
然后发现这里o0类又把密码传到了b类
b类调用了f类的一个oho方法,这个方法找不到,应该在so文件中,通过它加密后,如果返回true则表示获取flag成功,传入的参数是密码、用户名和其它一个界面中EditText输入的内容,获取oho方法
int __cdecl Java_com_example_ndktest_f_oho(int a1, int a2, char *s, char *a4, char *dest)
{
char *v5; // edi
size_t v6; // esi
int v7; // esi
unsigned int i; // eax
char v9; // cc
int j; // esi
char *v11; // eax
size_t v13; // [esp+14h] [ebp-7548h]
char src[10000]; // [esp+18h] [ebp-7544h] BYREF
_BYTE v15[10000]; // [esp+2728h] [ebp-4E34h] BYREF
_BYTE v16[10000]; // [esp+4E38h] [ebp-2724h] BYREF
unsigned int v17; // [esp+7548h] [ebp-14h]
v17 = __readgsdword(0x14u);
__strcpy_chk(v16, s, 10000);
v5 = v15;
__strcpy_chk(v15, a4, 10000);
v13 = strlen(s);
v6 = v13 + strlen(a4);
v13 = v6 >> 1;
if ( v13 + strlen(dest) != 24 )
return 0;
v7 = v6 >> 2;
if ( v7 )
{
for ( i = 0; i < v7; i += 2 )
src[i] = v16[i];
v9 = v7 <= 1;
for ( j = v7 - 1; !v9; j -= 2 )
{
src[j] = *v5;
v5 += 2;
v9 = (j - 2 < 0) ^ __OFADD__(-2, j) | (j == 2);
}
}
v11 = strcat(dest, src);
return encode(v11, src);
}
从源码中可以得知flag的长度是24,然后下面的逻辑就是将密码每次两位拼到src中,用户名则是倒置过来,每两位拼接到src中,最后将src和第三方输入的内容拼接,执行encode方法
char __cdecl encode(char *s, char *a2)
{
char *v2; // ebx
__m128i v3; // xmm0
__m128i v4; // xmm0
int v5; // edi
_DWORD *v6; // eax
size_t i; // esi
char v8; // cl
int v9; // eax
int v10; // edi
_DWORD *v12; // [esp+Ch] [ebp-40h]
__m128i v13; // [esp+10h] [ebp-3Ch]
int v14; // [esp+20h] [ebp-2Ch]
int v15; // [esp+24h] [ebp-28h]
unsigned int v16; // [esp+38h] [ebp-14h]
v2 = s;
v16 = __readgsdword(0x14u);
v3 = _mm_cvtsi32_si128(*(_DWORD *)(a2 + 1));
v4 = _mm_unpacklo_epi8(v3, v3);
v13 = _mm_srai_epi32(_mm_unpacklo_epi16(v4, v4), 0x18u);
v14 = a2[5];
v15 = a2[6];
v5 = 0;
v6 = &unk_7EC;
for ( i = 0; ; i += 4 )
{
v12 = v6;
if ( i >= strlen(v2) )
break;
v2 = s;
v8 = v13.m128i_i8[i];
v9 = __ROL4__(__ROR4__((s[i + 1] << 16) | ((unsigned __int8)s[i] << 24) | (s[i + 2] << 8) | s[i + 3], v8), 16);
v10 = v5 ^ 0xFFFF;
if ( !i )
v10 = 0xFFFF;
v5 = v9 ^ v10 ^ (1 << v8);
v6 = v12 + 1;
if ( v5 != *v12 )
return 0;
}
return 1;
}
这里encode看不太懂,贴个官方WP
#include
using namespace std;
int main() {
char key1[]={"nNjLnHlL"};
int count=1;
int key[7];//nNjLnHlL
for (int i = 0; i < 6; ++i) {
key[i] = key1[count];
count++;
}
unsigned int ks[6]={0x5d950ef2,0x86cca2de,0xc039bbf4,0xc5948102,0xaed55e9c,0x89f14377};
unsigned int k=0,bk=0;
unsigned int p[4];
for(int i=5;i>=0;i--)
if(i>0) ks[i]^=ks[i-1];
for(int i=0;i<24;i+=4){
k=ks[i/4];
k=(1<<key[i/4])^k;
k=((k>>16)) | ((~(k<<16))&0xffff0000);
k=((k<<key[i/4])) | (k>>(32-key[i/4]));
for(int j=0; j<4; j++) printf("%c", *((char*)&k+3-j));
}
return 0;
}
得到flag WelCOme_To_mAkaBakA!BrO!
直接就是一段汇编
dseg:0000 ; Segment type: Pure data
dseg:0000 dseg segment para public 'DATA' use16
dseg:0000 assume cs:dseg
dseg:0000 aHgameFillInYou db 'hgame{Fill_in_your_flag}',0
dseg:0019 db 0
dseg:001A db 0
dseg:001B db 0
dseg:001C db 0
dseg:001D db 0
dseg:001E db 0
dseg:001F db 0
dseg:0020 db 0
dseg:0021 db 0
dseg:0022 db 0
dseg:0023 db 0
dseg:0024 db 0
dseg:0025 db 0
dseg:0026 db 0
dseg:0027 db 0
dseg:0028 db 0
dseg:0029 db 0
dseg:002A db 0
dseg:002B db 0
dseg:002C db 0
dseg:002D db 0
dseg:002E db 0
dseg:002F db 0
dseg:002F dseg ends
dseg:002F
seg001:0000 ; ===========================================================================
seg001:0000
seg001:0000 ; Segment type: Regular
seg001:0000 seg001 segment byte public 'UNK' use16
seg001:0000 assume cs:seg001
seg001:0000 assume es:nothing, ss:nothing, ds:dseg, fs:nothing, gs:nothing
seg001:0000 db 91h
seg001:0001 db 61h ; a
seg001:0002 db 1
seg001:0003 db 0C1h
seg001:0004 db 41h ; A
seg001:0005 db 0A0h
seg001:0006 db 60h ; `
seg001:0007 db 41h ; A
seg001:0008 db 0D1h
seg001:0009 db 21h ; !
seg001:000A db 14h
seg001:000B db 0C1h
seg001:000C db 41h ; A
seg001:000D db 0E2h
seg001:000E db 50h ; P
seg001:000F db 0E1h
seg001:0010 db 0E2h
seg001:0011 db 54h ; T
seg001:0012 db 20h
seg001:0013 db 0C1h
seg001:0014 db 0E2h
seg001:0015 db 60h ; `
seg001:0016 db 14h
seg001:0017 db 30h ; 0
seg001:0018 db 0D1h
seg001:0019 db 51h ; Q
seg001:001A db 0C0h
seg001:001B db 17h
seg001:001C db 0
seg001:001D db 0
seg001:001E db 0
seg001:001F db 0
seg001:001F seg001 ends
seg001:001F
seg002:0000 ; ===========================================================================
seg002:0000
seg002:0000 ; Segment type: Uninitialized
seg002:0000 seg002 segment byte stack 'STACK' use16
seg002:0000 assume cs:seg002
seg002:0000 assume es:nothing, ss:nothing, ds:dseg, fs:nothing, gs:nothing
seg002:0000 db 80h dup(0)
seg002:0000 seg002 ends
seg002:0000
seg003:0000 ; ===========================================================================
seg003:0000
seg003:0000 ; Segment type: Pure code
seg003:0000 seg003 segment byte public 'CODE' use16
seg003:0000 assume cs:seg003
seg003:0000 assume es:nothing, ss:seg002, ds:nothing, fs:nothing, gs:nothing
seg003:0000
seg003:0000 ; =============== S U B R O U T I N E =======================================
seg003:0000
seg003:0000 ; Attributes: noreturn
seg003:0000
seg003:0000 public start
seg003:0000 start proc near
seg003:0000 mov ax, seg dseg
seg003:0003 mov ds, ax
seg003:0005 assume ds:dseg
seg003:0005 mov ax, seg seg001
seg003:0008 mov es, ax
seg003:000A assume es:seg001
seg003:000A mov si, 0
seg003:000D
seg003:000D loc_100DD: ; CODE XREF: start+38↓j
seg003:000D cmp si, 1Ch
seg003:0010 jz short loc_10135
seg003:0012 xor ax, ax
seg003:0014 mov al, [si]
seg003:0016 shl al, 1
seg003:0018 shl al, 1
seg003:001A shl al, 1
seg003:001C shl al, 1
seg003:001E push ax
seg003:001F xor ax, ax
seg003:0021 mov al, [si]
seg003:0023 shr al, 1
seg003:0025 shr al, 1
seg003:0027 shr al, 1
seg003:0029 shr al, 1
seg003:002B pop bx
seg003:002C add ax, bx
seg003:002E xor ax, 17h
seg003:0031 add si, 1
seg003:0034 cmp al, es:[si-1]
seg003:0038 jz short loc_100DD
seg003:003A mov ax, 0B800h
seg003:003D mov es, ax
seg003:003F assume es:nothing
seg003:003F mov byte ptr es:0, 77h ; 'w'
seg003:0045 mov byte ptr es:2, 72h ; 'r'
seg003:004B mov byte ptr es:4, 6Fh ; 'o'
seg003:0051 mov byte ptr es:6, 6Eh ; 'n'
seg003:0057 mov byte ptr es:8, 67h ; 'g'
seg003:005D mov byte ptr es:0Ah, 21h ; '!'
seg003:0063
seg003:0063 loc_10133: ; CODE XREF: start:loc_10133↓j
seg003:0063 jmp short loc_10133
seg003:0065 ; ---------------------------------------------------------------------------
seg003:0065
seg003:0065 loc_10135: ; CODE XREF: start+10↑j
seg003:0065 mov ax, 0B800h
seg003:0068 mov es, ax
seg003:006A mov byte ptr es:0, 72h ; 'r'
seg003:0070 mov byte ptr es:2, 69h ; 'i'
seg003:0076 mov byte ptr es:4, 67h ; 'g'
seg003:007C mov byte ptr es:6, 68h ; 'h'
seg003:0082 mov byte ptr es:8, 74h ; 't'
seg003:0088 mov byte ptr es:0Ah, 21h ; '!'
seg003:008E
seg003:008E loc_1015E: ; CODE XREF: start:loc_1015E↓j
seg003:008E jmp short loc_1015E
seg003:008E start endp
seg003:008E
seg003:008E seg003 ends
seg003:008E
seg003:008E
seg003:008E end start
seg001是一串列表串,然后按dsg的英文意思应该是你填入的字符串,整个流程就是将ax清零,然后从数据段中拿出数据,向左偏移4,压入栈中,再清零ax,再从数据段中拿出数据,再向右偏移4,将栈中的数据拿出给bx,ax+bx,再拿ax与17进行异或,最后进行比较。
l = [0x91, 0x61, 0x01, 0xC1, 0x41, 0xA0, 0x60, 0x41, 0xD1, 0x21, 0x14, 0xC1, 0x41, 0xE2, 0x50, 0xE1, 0xE2, 0x54, 0x20,
0xC1, 0xE2, 0x60, 0x14, 0x30, 0xD1, 0x52, 0xC0, 0x17]
flag = ''
for i in l:
temp = i ^ 0x17
flag += chr((temp >> 4) + ((temp << 4)%128))
print(flag)