[SCTF2019]babyre
一、查壳
无壳,64位
二、IDA分析
1.没有main,那就shife+f12
点击:
再进:
都是花指令,所以要先解决花指令
三、解决花指令,得到完整的 main
往上面翻,注意看爆红的!
第一个花指令:
将jb、jnb、loope进行nop处理,记得还要D键进行数据化处理,最后要成这样:
(上面这个图不一定是第一个花指令的最后结果,我截图是忘记这是谁的了。)
第二个花指令:
第三个花指令:
二、三处理方法与第一个相同。都是上2下1进行nop--D键。
第四个花指令:
处理略微有些不同:将jb、jnb进行nop处理,对于in查看字节
将E4改为90(nop字节),后面的保留。
注意有个call loc_C22但是C22不是一个函数,需要给他修改类型。
双击快速定位到loc_C22,摁Y键修改类型。将其改为一个独立的函数
最后,从main到retn进行p键声明为函数,这就好了。
按F5可以查看伪代码了。
四、解密
第一部分:
//main...........
v19 = __readfsqword(0x28u);
v6 = 0;
memset(v12, 0, sizeof(v12));
v13 = 0;
memset(v14, 0, sizeof(v14));
v15 = 0;
memset(v16, 0, sizeof(v16));
v17 = 0;
strcpy(
v18,
"**************.****.**s..*..******.****.***********..***..**..#*..***..***.********************.**..*******..**...*..*.*.**.*");
v10[0] = 0LL;
v10[1] = 0LL;
v11 = 0;
v8 = &v18[22];
strcpy(v9, "sctf_9102");
puts(a1);
v3 = "%s";
scanf("%s", v16);
v7 = 1;
while ( v7 )
{
v5 = *((_BYTE *)v16 + v6);
switch ( v5 )
{
case 'w':
v8 -= 5;
break;
case 's':
v8 += 5;
break;
case 'd':
++v8;
break;
case 'a':
--v8;
break;
case 'x':
v8 += 25;
break;
case 'y':
v8 -= 25;
break;
default:
v7 = 0;
break;
}
++v6;
if ( *v8 != 46 && *v8 != 35 )
v7 = 0;
if ( *v8 == 35 )
{
v3 = "good!you find the right way!\nBut there is another challenge!";
puts("good!you find the right way!\nBut there is another challenge!");
break;
}
}
//...........可以看出是个迷宫题了。三维迷宫。
平面来看,
w控制上,s控制下,a控制左,d控制右,x控制去上一层,y控制去下一层。,*是墙,.是路径,#是终点,s是起点。
所以input1为ddwwxxssxaxwwaasasyywwdd
第二部分:
sub_C22()函数
//main.......
if ( v7 )
{
puts(v3);
scanf("%s", v12);
sub_C22();
if ( (unsigned int)sub_F67(v14, v9) == 1 )
{
puts("Congratulation!");
puts("Congratulation!");
//.......查看sub_C22()函数
unsigned __int64 __fastcall sub_C22(const char *a1, __int64 a2)
{
bool v2; // al
int v3; // eax
int v4; // eax
int v5; // eax
int v7; // [rsp+14h] [rbp-24Ch]
signed int v8; // [rsp+18h] [rbp-248h]
int v9; // [rsp+1Ch] [rbp-244h]
int v10; // [rsp+20h] [rbp-240h]
int v11; // [rsp+24h] [rbp-23Ch]
int v12; // [rsp+28h] [rbp-238h]
int v13; // [rsp+2Ch] [rbp-234h]
char *v14; // [rsp+48h] [rbp-218h]
int v15[130]; // [rsp+50h] [rbp-210h]
unsigned __int64 v16; // [rsp+258h] [rbp-8h]
v16 = __readfsqword(0x28u);
qmemcpy(v15, dword_1740, 512uLL);
v8 = 3;
v7 = 0;
v10 = 0;
v11 = 0;
v12 = strlen(a1);
v14 = (char *)a1;
while ( 1 )
{
v13 = 0;
if ( v10 < v12 )
break;
LABEL_13:
if ( v10 >= v12 )
goto LABEL_14;
}
do
{
if ( a1[v10] != 25 )
break;
++v10;
++v13;
}
while ( v10 < v12 );
if ( v10 != v12 )
{
if ( v12 - v10 > 1 )
{
v2 = v10 == 19 && a1[20] == 16;
a1[v2];
}
++v10;
goto LABEL_13;
}
LABEL_14:
v9 = 0;
while ( v12 > 0 )
{
v8 -= v15[*v14] == 0x40; // v8初始为3
v7 = v15[*v14] & 0x3F | (v7 << 6); // 3F的二进制为111111
// 也就是将v7左移6位,空缺由v15[*v14]的低六位补上。
if ( ++v9 == 4 ) // 每次存4位进入一次if条件代码块
{ // 将其改为三位,赋值给a2
v9 = 0;
if ( v8 ) // v11为计数器
{
v3 = v11++;
*(_BYTE *)(v3 + a2) = BYTE2(v7); // BYTE2(V7)=((BYTE*)&(V7)+2)
}
if ( v8 > 1 )
{
v4 = v11++;
*(_BYTE *)(v4 + a2) = BYTE1(v7); // BYTE1(V7)=((BYTE*)&(V7)+1)
}
if ( v8 > 2 )
{
v5 = v11++;
*(_BYTE *)(v5 + a2) = v7;
}
}
++v14;
--v12;
}
return __readfsqword(0x28u) ^ v16;
}也就是将input2的每四位改成三位给v16,然后v16再与v8="sctf_9102"进行比较,v8有9位,可知input2有16位。
所以提取出数据,写爆破脚本。
#include <stdio.h>
unsigned int data[128] = {
0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F,
0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F,
0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F,
0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F,
0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F,
0x7F, 0x7F, 0x7F, 0x3E, 0x7F, 0x7F, 0x7F, 0x3F,
0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B,
0x3C, 0x3D, 0x7F, 0x7F, 0x7F, 0x40, 0x7F, 0x7F,
0x7F, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E,
0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16,
0x17, 0x18, 0x19, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F,
0x7F, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20,
0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28,
0x29, 0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30,
0x31, 0x32, 0x33, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F
};
int main()
{
int shuju[3] = { 0x736374,0x665f39,0x313032 };
int i0, i1, i2, i3, i4, i5;
for (i0 = 0; i0 < 3; i0++)
{
for(i1=32;i1<128;i1++)
for (i2 = 32; i2 < 128; i2++)
for (i3 = 32; i3 < 128; i3++)
for (i4 = 32; i4 < 128; i4++)
{
i5 = (((((data[i1] << 6) | data[i2]) << 6) | data[i3]) << 6) | data[i4];
if (i5 == shuju[i0])
printf("第%d组:%c%c%c%c\n", i0+1,i1, i2, i3, i4);
}
}
return 0;
}
----------------------------
第1组:c2N0
第2组:Zl85
第3组:MS=y
第3组:MT=y
第3组:MTAy第三组是什么,不知道
看网上的大佬说
动态调试一下,发现第三个应该是MTAy
这里我也不会动态调试.
动态调试一下,发现第三个应该是MTAy
这样的话:input2应该为c2N0Zl85MTAy
第三部分:
//main........
puts("plz tell me the password3:");
scanf("%s", v10);
if ( (unsigned int)sub_FFA(v10) == 1 )
{
puts("Congratulation!Here is your flag!:");
printf("sctf{%s-%s(%s)}", (const char *)v16, (const char *)v12, (const char *)v10);
}
else
{
printf("something srong...");
}
return 0LL;
}
else
{
printf("sorry,somthing wrong...");
return 0LL;
}
}
else
{
printf("sorry,is't not a right way...");
return 0LL;
}
}重点是sub_FFA()
查看:
这一部分,我只能看到这里,破解的脚本我不会写
下面是网上的
#include <stdio.h>
#include "defs.h"
unsigned int data1[288] = {
0xD6, 0x90, 0xE9, 0xFE, 0xCC, 0xE1, 0x3D, 0xB7,
0x16, 0xB6, 0x14, 0xC2, 0x28, 0xFB, 0x2C, 0x05,
0x2B, 0x67, 0x9A, 0x76, 0x2A, 0xBE, 0x04, 0xC3,
0xAA, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99,
0x9C, 0x42, 0x50, 0xF4, 0x91, 0xEF, 0x98, 0x7A,
0x33, 0x54, 0x0B, 0x43, 0xED, 0xCF, 0xAC, 0x62,
0xE4, 0xB3, 0x1C, 0xA9, 0xC9, 0x08, 0xE8, 0x95,
0x80, 0xDF, 0x94, 0xFA, 0x75, 0x8F, 0x3F, 0xA6,
0x47, 0x07, 0xA7, 0xFC, 0xF3, 0x73, 0x17, 0xBA,
0x83, 0x59, 0x3C, 0x19, 0xE6, 0x85, 0x4F, 0xA8,
0x68, 0x6B, 0x81, 0xB2, 0x71, 0x64, 0xDA, 0x8B,
0xF8, 0xEB, 0x0F, 0x4B, 0x70, 0x56, 0x9D, 0x35,
0x1E, 0x24, 0x0E, 0x5E, 0x63, 0x58, 0xD1, 0xA2,
0x25, 0x22, 0x7C, 0x3B, 0x01, 0x21, 0x78, 0x87,
0xD4, 0x00, 0x46, 0x57, 0x9F, 0xD3, 0x27, 0x52,
0x4C, 0x36, 0x02, 0xE7, 0xA0, 0xC4, 0xC8, 0x9E,
0xEA, 0xBF, 0x8A, 0xD2, 0x40, 0xC7, 0x38, 0xB5,
0xA3, 0xF7, 0xF2, 0xCE, 0xF9, 0x61, 0x15, 0xA1,
0xE0, 0xAE, 0x5D, 0xA4, 0x9B, 0x34, 0x1A, 0x55,
0xAD, 0x93, 0x32, 0x30, 0xF5, 0x8C, 0xB1, 0xE3,
0x1D, 0xF6, 0xE2, 0x2E, 0x82, 0x66, 0xCA, 0x60,
0xC0, 0x29, 0x23, 0xAB, 0x0D, 0x53, 0x4E, 0x6F,
0xD5, 0xDB, 0x37, 0x45, 0xDE, 0xFD, 0x8E, 0x2F,
0x03, 0xFF, 0x6A, 0x72, 0x6D, 0x6C, 0x5B, 0x51,
0x8D, 0x1B, 0xAF, 0x92, 0xBB, 0xDD, 0xBC, 0x7F,
0x11, 0xD9, 0x5C, 0x41, 0x1F, 0x10, 0x5A, 0xD8,
0x0A, 0xC1, 0x31, 0x88, 0xA5, 0xCD, 0x7B, 0xBD,
0x2D, 0x74, 0xD0, 0x12, 0xB8, 0xE5, 0xB4, 0xB0,
0x89, 0x69, 0x97, 0x4A, 0x0C, 0x96, 0x77, 0x7E,
0x65, 0xB9, 0xF1, 0x09, 0xC5, 0x6E, 0xC6, 0x84,
0x18, 0xF0, 0x7D, 0xEC, 0x3A, 0xDC, 0x4D, 0x20,
0x79, 0xEE, 0x5F, 0x3E, 0xD7, 0xCB, 0x39, 0x48,
0xC6, 0xBA, 0xB1, 0xA3, 0x50, 0x33, 0xAA, 0x56,
0x97, 0x91, 0x7D, 0x67, 0xDC, 0x22, 0x70, 0xB2,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
unsigned int fun(unsigned int a1)
{
int v1;
v1 = (data1[BYTE2(a1)] << 16) | data1[(unsigned __int8)a1] | (data1[BYTE1(a1)] << 8) | (data1[a1 >> 24] << 24);
return __ROL4__(v1, 12) ^ (unsigned int)(__ROL4__(v1, 8) ^ __ROR4__(v1, 2)) ^ __ROR4__(v1, 6);
}
int main()
{
unsigned int data[30] = { 0 };
data[26] = 0xBE040680;
data[27] = 0xC5AF7647;
data[28] = 0x9FCC401F;
data[29] = 0xD8BF92EF;
int i;
for (i = 25; i >=0; i--)
data[i] = fun(data[i+1] ^ data[i+2] ^ data[i+3]) ^ data[i+4];
printf("%x %x %x %x\n", data[0], data[1], data[2], data[3]);
for (i = 0; i < 4; i++)
printf("%c%c%c%c", ((char*)&data[i])[0], ((char*)&data[i])[1], ((char*)&data[i])[2], ((char*)&data[i])[3]);
return 0;
}
-----------------------------------
fl4g_is_s0_ug1y!综上所述:
得到flag为sctf{ddwwxxssxaxwwaasasyywwdd-c2N0Zl85MTAy(fl4g_is_s0_ug1y!)}
参考文章:
re学习笔记(38)BUUCTF-re-[SCTF2019]babyre IDA无法F5|代码修复|花指令------------Forgo7ten
链接:re学习笔记(38)BUUCTF-re-[SCTF2019]babyre IDA无法F5|代码修复|花指令_ctf reabbit-优快云博客
扫一扫
3万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
