攻防世界 reverse Replace

Replace 湖湘杯2018

查壳upx，手动脱壳，修复IAT，去掉重定向便可以运行。

ida查看，流程清晰。关键函数check_E51090。

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int lens; // kr00_4
  char Buf; // [esp+4h] [ebp-2Ch]
  char Dst; // [esp+5h] [ebp-2Bh]

  Buf = 0;
  memset(&Dst, 0, 0x27u);
  printf("Welcome The System
Please Input Key:");
  gets_s(&Buf, 0x28u);
  lens = strlen(&Buf);
  if ( (unsigned int)(lens - 35) <= 2 )         // <=37
  {
    if ( check_E51090(&Buf, lens) == 1 )
      printf("Well Done!
");
    else
      printf("Your Wrong!
");
  }
  return 0;
}

查看check_E51090

signed int __fastcall check_E51090(char *buf, int lens)
{
  char *buf_2; // ebx
  int i; // edx
  char a; // al
  int b; // esi
  int c; // edi
  char d; // al
  int e; // eax
  char f; // cl
  int g; // eax
  int h; // ecx

  buf_2 = buf;
  if ( lens != 35 )
    return -1;
  i = 0;
  while ( 1 )
  {
    a = buf_2[i];
    b = (a >> 4) % 16;
    c = (16 * a >> 4) % 16;
    d = data_E52150[2 * i];
    if ( d < 48 || d > 57 )
      e = d - 87;
    else
      e = d - 48;
    f = data_E52150[2 * i + 1];
    g = 16 * e;
    if ( f < 48 || f > 57 )
      h = f - 87;
    else
      h = f - 48;
    if ( (unsigned __int8)data[16 * b + c] != ((g + h) ^ 0x19) )
      break;
    if ( ++i >= 35 )
      return 1;
  }
  return -1;
}

wp:

data_E52150=[50,  97,  52,  57, 102,  54,  57,  99,  51,  56,
   51,  57,  53,  99, 100, 101,  57,  54, 100,  54,
  100, 101,  57,  54, 100,  54, 102,  52, 101,  48,
   50,  53,  52,  56,  52,  57,  53,  52, 100,  54,
   49,  57,  53,  52,  52,  56, 100, 101, 102,  54,
  101,  50, 100,  97, 100,  54,  55,  55,  56,  54,
  101,  50,  49, 100,  53,  97, 100,  97, 101,  54]
data=[99, 124, 119, 123, 242, 107, 111, 197,  48,   1,
  103,  43, 254, 215, 171, 118, 202, 130, 201, 125,
  250,  89,  71, 240, 173, 212, 162, 175, 156, 164,
  114, 192, 183, 253, 147,  38,  54,  63, 247, 204,
   52, 165, 229, 241, 113, 216,  49,  21,   4, 199,
   35, 195,  24, 150,   5, 154,   7,  18, 128, 226,
  235,  39, 178, 117,   9, 131,  44,  26,  27, 110,
   90, 160,  82,  59, 214, 179,  41, 227,  47, 132,
   83, 209,   0, 237,  32, 252, 177,  91, 106, 203,
  190,  57,  74,  76,  88, 207, 208, 239, 170, 251,
   67,  77,  51, 133,  69, 249,   2, 127,  80,  60,
  159, 168,  81, 163,  64, 143, 146, 157,  56, 245,
  188, 182, 218,  33,  16, 255, 243, 210, 205,  12,
   19, 236,  95, 151,  68,  23, 196, 167, 126,  61,
  100,  93,  25, 115,  96, 129,  79, 220,  34,  42,
  144, 136,  70, 238, 184,  20, 222,  94,  11, 219,
  224,  50,  58,  10,  73,   6,  36,  92, 194, 211,
  172,  98, 145, 149, 228, 121, 231, 200,  55, 109,
  141, 213,  78, 169, 108,  86, 244, 234, 101, 122,
  174,   8, 186, 120,  37,  46,  28, 166, 180, 198,
  232, 221, 116,  31,  75, 189, 139, 138, 112,  62,
  181, 102,  72,   3, 246,  14,  97,  53,  87, 185,
  134, 193,  29, 158, 225, 248, 152,  17, 105, 217,
  142, 148, 155,  30, 135, 233, 206,  85,  40, 223,
  140, 161, 137,  13, 191, 230,  66, 104,  65, 153,
   45,  15, 176,  84, 187,  22,  72,   0,   0,   0,
    0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
    0,   0]
tg=[]
for i in range(35):
    d = data_E52150[2 * i];
    if (d < 48 or d > 57):
        e = d - 87;
    else:
        e = d - 48;
    f = data_E52150[2 * i + 1];
    g = 16 * e;
    if (f < 48  or  f > 57):
        h = f - 87;
    else:
        h = f - 48;
    x=((g + h) ^ 0x19)
    tg.append(x)
flag=''
for i in range(35):
    flag+=chr(data.index(tg[i]))
print(flag)

flag{Th1s_1s_Simple_Rep1ac3_Enc0d3}