入门ctf逆向第一站

本文深入剖析了一款32位游戏的逆向工程过程,通过IDA Pro解析,追踪flag线索,揭示了隐藏在代码中的flag位置和生成逻辑。最终揭示flag为:zsctf{T9is_tOpic_1s_v5ry_int7resting_b6t_others_are_n0t}


攻防世界 game

在这里插入图片描述
打开题目附件,看看程序是否带壳
在这里插入图片描述
发现其是一个32位的程序,使用神奇ida进行查看
在这里插入图片描述
查询数据字段,看看里面有没有flag:
在这里插入图片描述
没有看见具体的flag值,通过flag字段找主函数:
在这里插入图片描述
F5进行反编译:

/* Hex-Rays output of the game's main routine. sub_* / unk_* / byte_* names are
   unresolved symbols from the binary; they are not defined anywhere on this page.
   Flow: print banner -> read n -> toggle or reset lamps -> redraw -> if all eight
   lamp bytes are 1, call sub_457AB4 (which prints the flag). */
void sub_45F400()
{
  char v0; // [sp+Ch] [bp-F0h]@1
  int v1; // [sp+10h] [bp-ECh]@8
  int i; // [sp+DCh] [bp-20h]@6
  int v3; // [sp+F4h] [bp-8h]@2

  /* Fills 0xF0 bytes of the frame with 0xCC before use; looks like an MSVC
     debug-build stack fill rather than game logic — not relevant to the flag. */
  memset(&v0, 0xCCu, 0xF0u);
  /* Banner. sub_45A7BE is called with printf-style strings throughout (and with
     "%d"/"%s" formats elsewhere), so it is presumably printf — confirm in IDA. */
  sub_45A7BE(&unk_50B110);
  sub_45A7BE(&unk_50B158);
  sub_45A7BE(&unk_50B1A0);
  sub_45A7BE(&unk_50B1E8);
  sub_45A7BE("|--------------------|------------/ --------☆--------|\n");
  sub_45A7BE("|                    |------------/ --------▽--------|\n");
  sub_45A7BE(&unk_50B2C0);
  sub_45A7BE("|                    |------------/ -----(;°Д°)----|\n");
  sub_45A7BE(&unk_50AFD0);
  sub_45A7BE("|              by 0x61                                 |\n");
  sub_45A7BE("|                                                      |\n");
  sub_45A7BE("|------------------------------------------------------|\n");
  sub_45A7BE("Play a game\nThe n is the serial number of the lamp,and m is the state of the lamp\nIf m of the Nth lamp is 1,it's on ,if not it's off\nAt first all the lights were closed\n");
  sub_45A7BE("Now you can input n to change its state\n");
  sub_45A7BE("But you should pay attention to one thing,if you change the state of the Nth lamp,the state of (N-1)th and (N+1)th will be changed too\n");
  sub_45A7BE("When all lamps are on,flag will appear\n");
  sub_45A7BE("Now,input n \n");
  /* Game loop: never exits on its own; the flag routine is reached from inside it. */
  while ( 1 )
  {
    /* Input loop: repeats until 0 <= v3 <= 8. The prompt advertises 1-8, but the
       check also accepts 0, which the else-branch below treats as "reset all". */
    while ( 1 )
    {
      sub_45A7BE("input n,n(1-8)\n");
      sub_459418();
      sub_45A7BE("n=");
      /* scanf-like read into v3 (presumably scanf). Its return value is not
         checked, so a non-numeric token leaves v3 with its previous contents. */
      sub_4596D4("%d", &v3);
      sub_45A7BE("\n");
      if ( v3 >= 0 && v3 <= 8 )
        break;
      sub_45A7BE("sorry,n error,try again\n");
    }
    if ( v3 )
    {
      /* n in 1..8: lamp index v3-1 (0..7) is passed on. Per the banner text this
         toggles the lamp and its neighbours; the body is not shown on this page. */
      sub_4576D6(v3 - 1);
    }
    else
    {
      /* n == 0: switch all eight lamps off. The (unsigned)i >= 9 test can never
         fire for i in 0..7; it reads like a compiler-inserted range check with
         sub_458919 as the failure handler — confirm before relying on it. */
      for ( i = 0; i < 8; ++i )
      {
        v1 = i;
        if ( (unsigned int)i >= 9 )
          sub_458919();
        byte_532E28[v1] = 0;
      }
    }
    sub_4581B7("CLS");   /* likely system("CLS") to clear the console — confirm */
    sub_458054();        /* presumably redraws the lamp display */
    /* Win condition: all eight bytes of the lamp-state table equal 1. This is the
       only call site of sub_457AB4 on the page, hence the flag lives there. */
    if ( byte_532E28[0] == 1
      && byte_532E28[1] == 1
      && byte_532E28[2] == 1
      && byte_532E28[3] == 1
      && byte_532E28[4] == 1
      && byte_532E28[5] == 1
      && byte_532E28[6] == 1
      && byte_532E28[7] == 1 )
    {
      sub_457AB4();
    }
  }
}

由这段代码可以看出最后的flag应该是存放在sub_457AB4中的,跳转到其中:
在这里插入图片描述
再跟进sub_457AB4,得到伪代码(函数头部和局部变量声明已省略):

 /* Tail of sub_457AB4 as pasted in the write-up: the signature and the local
    declarations are missing. The flag is built from two 56-byte tables that the
    decompiler shows as individual locals (v62..v118 and v5..v61) instead of arrays. */
 memset(&v3, 0xCCu, 0x158u);   /* 0xCC stack fill, same pattern as in sub_45F400 */
  /* Stack-cookie setup as rendered by the decompiler (/GS style) — not game logic. */
  v119 = (unsigned int)&savedregs ^ __security_cookie;
  sub_45A7BE("done!!! the flag is ");
  /* Table 1, v62..v117: per-byte XOR key. v118 = 0 is its terminator. */
  v62 = 18;
  v63 = 64;
  v64 = 98;
  v65 = 5;
  v66 = 2;
  v67 = 4;
  v68 = 6;
  v69 = 3;
  v70 = 6;
  v71 = 48;
  v72 = 49;
  v73 = 65;
  v74 = 32;
  v75 = 12;
  v76 = 48;
  v77 = 65;
  v78 = 31;
  v79 = 78;
  v80 = 62;
  v81 = 32;
  v82 = 49;
  v83 = 32;
  v84 = 1;
  v85 = 57;
  v86 = 96;
  v87 = 3;
  v88 = 21;
  v89 = 9;
  v90 = 4;
  v91 = 62;
  v92 = 3;
  v93 = 5;
  v94 = 4;
  v95 = 1;
  v96 = 2;
  v97 = 3;
  v98 = 44;
  v99 = 65;
  v100 = 78;
  v101 = 32;
  v102 = 16;
  v103 = 97;
  v104 = 54;
  v105 = 16;
  v106 = 44;
  v107 = 52;
  v108 = 32;
  v109 = 64;
  v110 = 89;
  v111 = 45;
  v112 = 32;
  v113 = 65;
  v114 = 15;
  v115 = 34;
  v116 = 18;
  v117 = 16;
  v118 = 0;
  /* Table 2, v5..v60: the encoded flag bytes. v61 = 0 is the C string terminator
     that the later "%s" print relies on. */
  v5 = 123;
  v6 = 32;
  v7 = 18;
  v8 = 98;
  v9 = 119;
  v10 = 108;
  v11 = 65;
  v12 = 41;
  v13 = 124;
  v14 = 80;
  v15 = 125;
  v16 = 38;
  v17 = 124;
  v18 = 111;
  v19 = 74;
  v20 = 49;
  v21 = 83;
  v22 = 108;
  v23 = 94;
  v24 = 108;
  v25 = 84;
  v26 = 6;
  v27 = 96;
  v28 = 83;
  v29 = 44;
  v30 = 121;
  v31 = 104;
  v32 = 110;
  v33 = 32;
  v34 = 95;
  v35 = 117;
  v36 = 101;
  v37 = 99;
  v38 = 123;
  v39 = 127;
  v40 = 119;
  v41 = 96;
  v42 = 48;
  v43 = 107;
  v44 = 71;
  v45 = 92;
  v46 = 29;
  v47 = 81;
  v48 = 107;
  v49 = 90;
  v50 = 85;
  v51 = 64;
  v52 = 12;
  v53 = 43;
  v54 = 76;
  v55 = 86;
  v56 = 13;
  v57 = 114;
  v58 = 1;
  v59 = 117;
  v60 = 126;
  v61 = 0;
  /* In-place decode: flag[i] = enc[i] ^ key[i] ^ 0x13 for i in 0..55.
     &v5 + i and &v62 + i walk the two tables byte by byte, so this only works
     because the compiler evidently laid each group of locals out contiguously;
     the decompiler just failed to recover them as arrays. The terminators
     (v61, v118) are not touched. The solver script below reproduces exactly
     this loop. */
  for ( i = 0; i < 56; ++i )
  {
    *(&v5 + i) ^= *(&v62 + i);
    *(&v5 + i) ^= 0x13u;
  }
  /* The decompiler dropped the variadic argument here; the binary presumably
     passes the decoded buffer (&v5) — confirm in the disassembly. */
  sub_45A7BE("%s\n");
  /* Epilogue helpers, likely the cookie / runtime checks — not part of the flag logic. */
  sub_459AE9(&savedregs, &dword_45EC04);
  sub_459C06();
  /* v0 and v1 are never assigned in the fragment shown; decompiler artifact. */
  return sub_458801(v1, v0);
}

这就是flag的生成逻辑:两组字节逐位异或,再与0x13异或。据此可以编写解题脚本:

# Solver for the flag routine: the binary XORs each encoded byte with the
# matching key byte and then with the constant 0x13, in place, before
# printing the result with "%s".  Both tables carry a trailing 0 (the C
# string terminator), so only the first 56 bytes are decoded.

# key table (v62..v118 in the decompiled routine)
a = [18, 64, 98, 5, 2, 4, 6, 3, 6, 48, 49, 65, 32, 12, 48, 65, 31, 78, 62, 32, 49, 32,
     1, 57, 96, 3, 21, 9, 4, 62, 3, 5, 4, 1, 2, 3, 44, 65, 78, 32, 16, 97, 54, 16, 44,
     52, 32, 64, 89, 45, 32, 65, 15, 34, 18, 16, 0]
# encoded flag bytes (v5..v61 in the decompiled routine)
b = [123, 32, 18, 98, 119, 108, 65, 41, 124, 80, 125, 38, 124, 111, 74, 49,
     83, 108, 94, 108, 84, 6, 96, 83, 44, 121, 104, 110, 32, 95, 117, 101, 99,
     123, 127, 119, 96, 48, 107, 71, 92, 29, 81, 107, 90, 85, 64, 12, 43, 76, 86,
     13, 114, 1, 117, 126, 0]

FLAG_LEN = 56   # excludes the terminator
FINAL_XOR = 0x13

s = ''
# Decode in place, mirroring the binary: a[i] ends up holding the plaintext byte.
for idx, key_byte in enumerate(b[:FLAG_LEN]):
    a[idx] = a[idx] ^ key_byte ^ FINAL_XOR
    s = s + chr(a[idx])

print(s)

运行结果:
在这里插入图片描述
flag:zsctf{T9is_tOpic_1s_v5ry_int7resting_b6t_others_are_n0t}
