看了半天没看出啥,然后下个断点动调了一下,发现居然还是个SMC(自修改代码)自解密

if ( v28 == 32 ){v37 = -1173078761;v38 = 494076752;v39 = -1811652486;v40 = 688582768;v8 = 0;v32 = 0i64;v34 = 0;v33 = 0i64;v9 = strlen(v35);do{v10 = Block;if ( v29 >= 0x10 )v10 = (void **)Block[0];*((_BYTE *)v10 + v8) ^= v35[v8 % v9];++v8;}while ( v8 < 32 );v11 = (__int128 *)Block;v7 = (char *)Block[0];if ( v29 >= 0x10 )v11 = (__int128 *)Block[0];v31 = 0;memset(v30, 0, sizeof(v30));v32 = *v11;v33 = v11[1];sub_9625C0(v25, v26, 256, (unsigned int)&v32, (unsigned int)v30); //加密结果存入到v30中v36[0] = -133220429;v36[1] = 1571732668;v12 = v36;v36[2] = -2041750854;v13 = v30;v36[3] = -748513468;v14 = 28;v37 = 371505743;v38 = 443719435;v39 = 644704357;v40 = 1741188026;while ( 1 ){v15 = *v12;if ( *v12 != *(_DWORD *)v13 )  //比较break;++v12;v13 = (__int128 *)((char *)v13 + 4);v17 = v14 < 4;v14 -= 4;if ( v17 ){v16 = 0;goto LABEL_19;}}v17 = (unsigned __int8)v15 < *(_BYTE *)v13;if ( (_BYTE)v15 == *(_BYTE *)v13&& (v18 = *((_BYTE *)v12 + 1), v17 = v18 < *((_BYTE *)v13 + 1), v18 == *((_BYTE *)v13 + 1))&& (v19 = *((_BYTE *)v12 + 2), v17 = v19 < *((_BYTE *)v13 + 2), v19 == *((_BYTE *)v13 + 2))&& (v20 = *((_BYTE *)v12 + 3), v17 = v20 < *((_BYTE *)v13 + 3), v20 == *((_BYTE *)v13 + 3)) ){v16 = 0;}else{v16 = v17 ? -1 : 1;}
LABEL_19:if ( v16 )v21 = "Try again!\r\n";elsev21 = "Congratulations! I always knew you could do it.";v22 = sub_962DA0((int)v12, v21);sub_963050((int)v22);sub_96ADBE("pause");}else{v6 = sub_962DA0(v5, "Try again!\r\n");sub_963050((int)v6);sub_96ADBE("pause");v7 = (char *)Block[0];}if ( v29 >= 0x10 ){v23 = v7;if ( v29 + 1 >= 0x1000 ){v7 = (char *)*((_DWORD *)v7 - 1);if ( (unsigned int)(v23 - v7 - 4) > 0x1F )_invalid_parameter_noinfo_noreturn();}sub_9664DE(v7);}return 0;
}

点进sub_9625C0(v25, v26, 256, (unsigned int)&v32, (unsigned int)v30); 用findcrypto 找了下加密方式

/*
 * Hex-Rays decompilation of the routine called from the flag check.
 *
 * As listed, it works in two phases:
 *   1. Fill a heap buffer (Block) with (a3 + 31) >> 5 32-bit words, each taken
 *      from sub_962150() XORed with a word assembled from global state.
 *   2. XOR that buffer word-by-word with the data at address a4 and store the
 *      result at address a5.
 *
 * a1, a2: not referenced anywhere in this listing.
 * a3:     rounded up to a count of 32-bit words, i.e. treated as a bit length
 *         (the call shown on the page passes 256, which gives 8 words).
 * a4:     address of the input buffer, carried as a 32-bit unsigned int.
 * a5:     address of the output buffer, carried as a 32-bit unsigned int.
 *
 * NOTE(review): the (x << 16) | (y >> 15) combination of global words resembles
 * the bit-reorganisation step of the ZUC stream cipher. This is unconfirmed;
 * the helpers (sub_962270, sub_9620E0, sub_962150, sub_961F80) are not shown.
 *
 * NOTE(review): a4 is not passed to any helper in phase 1, so the generated
 * words appear to be independent of the input. If so, phase 2 is a plain
 * keystream XOR and is its own inverse. Confirm against the helpers.
 */
void __cdecl sub_9625C0(int a1, int a2, int a3, unsigned int a4, unsigned int a5)
{
  int v5; // ecx
  unsigned int v6; // ebx
  int v7; // esi
  unsigned int v8; // edi
  unsigned int v9; // esi
  unsigned int v10; // edx
  unsigned int v11; // esi
  _DWORD *v12; // ecx
  unsigned int v13; // eax
  unsigned int v14; // ebx
  char *v15; // esi
  __m128i v16; // xmm0
  __m128i v17; // xmm1
  __m128i v18; // xmm0
  __m128i v19; // xmm1
  __m128i v20; // xmm0
  __m128i v21; // xmm1
  __m128i v22; // xmm0
  __m128i v23; // xmm1
  unsigned int v24; // ebx
  unsigned int v25; // eax
  char *v26; // esi
  unsigned int v27; // edi
  int v28; // ecx
  signed int v29; // [esp+20h] [ebp-20h]
  int v30; // [esp+24h] [ebp-1Ch]
  _DWORD *Block; // [esp+28h] [ebp-18h]
  int v32[4]; // [esp+2Ch] [ebp-14h] BYREF

  v6 = a5;
  // v5 is never assigned in this listing; Hex-Rays tags it ecx, so it is
  // presumably a register-passed value that was not recovered as a parameter.
  // Confirm in the disassembly.
  v7 = v5;
  // Number of 32-bit words to produce, and the same length in bytes.
  v8 = (unsigned int)(a3 + 31) >> 5;
  v30 = 4 * v8;
  // The malloc result is used below without a NULL check in this listing.
  Block = malloc(4 * v8);
  // 16-byte constant block handed to sub_962270 together with v7.
  // Presumably key/IV material; sub_962270 is not shown, so verify.
  v32[0] = 0x92540366;
  v32[1] = 0x78;
  v32[2] = 0x92540366;
  v32[3] = 0x78;
  sub_962270(v7, v32);
  // One call to each helper before the generation loop; the first
  // sub_962150() result is discarded.
  sub_9620E0();
  sub_962150();
  sub_961F80();
  v29 = 0;
  if ( v8 )
  {
    // Phase 1: produce v8 words into Block.
    do
    {
      // Four words are assembled from global state; only v9 (also stored to
      // dword_990D7C) is combined with the sub_962150() result below.
      dword_990D94 = (2 * dword_990DA4) ^ (unsigned __int16)(dword_990DBC ^ (2 * dword_990DA4));
      dword_990D78 = (dword_990DB8 << 16) | ((unsigned int)dword_990DAC >> 15);
      v9 = (dword_990D70 << 16) | ((unsigned int)dword_990D90 >> 15);
      dword_990D8C = (dword_990D68 << 16) | ((unsigned int)dword_990D84 >> 15);
      dword_990D7C = v9;
      Block[v29] = v9 ^ sub_962150();
      sub_961F80();
      ++v29;
    }
    while ( v29 < (int)v8 );
    v6 = a5;
  }
  // Phase 2: output = input XOR Block. v10 counts the words already handled.
  v10 = 0;
  if ( v8 )
  {
    v11 = a4;
    // The 128-bit path is skipped when there are fewer than 16 words or when
    // the output range overlaps the input range. With the 8 words used by the
    // call on the page, only the scalar loop at the bottom runs.
    if ( v8 < 0x10 || v6 <= a4 + v30 - 4 && v6 + v30 - 4 >= a4 )
    {
      v12 = Block;
    }
    else
    {
      v12 = Block;
      // Second range check: the output must not overlap Block either.
      if ( v6 > (unsigned int)&Block[v8 - 1] || v6 + v30 - 4 < (unsigned int)Block )
      {
        v13 = a4 + 16;
        v12 = Block;
        v14 = v6 + 32;
        v15 = (char *)Block - a4;
        // Each iteration XORs 16 words (four 128-bit lanes) of input with the
        // matching 16 words of Block and stores them to the output.
        do
        {
          v16 = *(__m128i *)(v13 - 16);
          v13 += 64;
          v14 += 64;
          v17 = _mm_xor_si128(*(__m128i *)&Block[v10], v16);
          v18 = *(__m128i *)(v13 - 64);
          *(__m128i *)(v14 - 96) = v17;
          v19 = _mm_xor_si128(*(__m128i *)&v15[v13 - 64], v18);
          v20 = *(__m128i *)(v13 - 48);
          *(__m128i *)(a5 - a4 + v13 - 64) = v19;
          v15 = (char *)Block - a4;
          v21 = _mm_xor_si128(*(__m128i *)((char *)Block + v14 - a5 - 64), v20);
          v22 = *(__m128i *)(v13 - 32);
          *(__m128i *)(v14 - 64) = v21;
          v23 = *(__m128i *)&Block[v10 + 12];
          v10 += 16;
          *(__m128i *)(v14 - 48) = _mm_xor_si128(v23, v22);
        }
        while ( v10 < (v8 & 0xFFFFFFF0) );
        v6 = a5;
        v11 = a4;
      }
    }
    // Scalar loop for the remaining words (all of them when the vector path
    // was skipped).
    if ( v10 < v8 )
    {
      v24 = v6 - a4;            // offset from the input address to the output address
      v25 = v11 + 4 * v10;      // address of the current input word
      v26 = (char *)v12 - a4;   // offset from the input address to Block
      v27 = v8 - v10;           // words left
      do
      {
        v28 = *(_DWORD *)&v26[v25];   // Block word at the current index
        v25 += 4;
        // output word = input word ^ Block word
        *(_DWORD *)(v24 + v25 - 4) = *(_DWORD *)(v25 - 4) ^ v28;
        --v27;
      }
      while ( v27 );
    }
  }
  free(Block);
}

看到一堆的加密,很吓人

看不出来,就直接动调,这里将ecx中的值存入了eax,然后调用那个复杂的加密函数

跟进函数,最后这里进行了一个异或操作

这里向 0x3BF7D0中写入异或后的结果

最后有个比较ecx和edx,如果不相等就输出error

edx中存的值,发现这里就是之前那个异或操作写入数据的地址

ecx中存着最终变换的值


大概流程: 输入flag -> 与"SWPU_2019_CTF"进行异或 -> 再与一串字符进行异或 -> 将结果存入edx中 -> 与eax进行比较(前文断点处看到的是ecx与edx的比较)

解题脚本

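# Solver for the check traced above. The program XORs the 32 input bytes with
# the repeating key "SWPU_2019_CTF", XORs the result with a second word stream,
# and compares it with eight constant 32-bit words. Both steps are XOR, so
# applying the same XORs to the constants gives back the input.
s = [ord(i) for i in "SWPU_2019_CTF"]

# Comparison constants: the values assigned to v36[0..3] and v37..v40 in the
# decompiled check, written as unsigned 32-bit words.
v36 = [0xF80F37B3,0x5DAEBCBC,0x864D5ABA,0xD3629744,0x1624BA4F,0x1A729F0B,0x266D6865,0x67C86BBA]

# Second XOR operand, one word per constant. Presumably the keystream words
# observed in the debugger; the page does not show how they were obtained.
v = [0xca3e0c86,0x19aed798,0xa66b77e2,0xb077a16a,0x05379169,0x307bf97a,0x104b5a43,0x28d47d86 ]


def recover_bytes(targets, keystream, key):
    """Undo both XOR layers and return the recovered bytes as a list of ints.

    targets   -- 32-bit comparison words
    keystream -- 32-bit words XORed onto the keyed input, same length as targets
    key       -- repeating byte key (list of ints)

    Each word is split into bytes least-significant first, matching the
    little-endian layout of the DWORD comparison in the binary.
    """
    recovered = []
    k = 0
    for target, ks in zip(targets, keystream):
        word = (target ^ ks) & 0xFFFFFFFF
        # Split with to_bytes instead of slicing hex(word): hex() drops leading
        # zeros, so any word below 0x10000000 would give misaligned slices.
        for byte in word.to_bytes(4, "little"):
            recovered.append(byte ^ key[k % len(key)])
            k += 1
    return recovered


flag = recover_bytes(v36, v, s)
print("".join(chr(c) for c in flag), end="")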

结果:flag{Y0uaretheB3st!#@_VirtualCC}
