  • 攻防世界 reverse crazy

    crazy 百越杯2018

    查看main函数:

    // Hex-Rays pseudo-code of the challenge's main().
    // Flow visible in this listing: read one string from std::cin, print a banner,
    // build a HighTemplar object from the input, run func1/func2/func3 on copies of
    // the input, then call HighTemplar::calculate and HighTemplar::getSerial.
    // When getSerial returns 0 the program prints "flag{" + <string from getFlag> + "}".
    int __cdecl main(int argc, const char **argv, const char **envp)
    {
      __int64 v3; // rax
      __int64 v4; // rax
      __int64 v5; // rax
      __int64 v6; // rax
      __int64 v7; // rax
      __int64 v8; // rax
      __int64 v9; // rax
      __int64 v10; // rax
      __int64 v11; // rax
      __int64 v12; // rax
      __int64 v13; // rax
      __int64 v14; // rax
      __int64 v15; // rax
      __int64 v16; // rax
      char myinput_str; // [rsp+10h] [rbp-130h]
      char v19; // [rsp+30h] [rbp-110h]
      char v20; // [rsp+50h] [rbp-F0h]
      char v21; // [rsp+70h] [rbp-D0h]
      char myinput_copy; // [rsp+90h] [rbp-B0h]
      char temp; // [rsp+B0h] [rbp-90h]
      unsigned __int64 v24; // [rsp+128h] [rbp-18h]
    
      // Reads fs:0x28 (typically the stack-protector canary on x86-64 Linux);
      // the matching check at function exit does not appear in this listing.
      v24 = __readfsqword(0x28u);
      // NOTE(review): the argv/envp arguments look like a decompiler artifact of a
      // default std::string construction — confirm against the disassembly.
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(
        (__int64)&myinput_str,
        (__int64)argv,
        (__int64)envp);
      // User-controlled input: one whitespace-delimited token from stdin.
      std::operator>><char,std::char_traits<char>,std::allocator<char>>(&std::cin, &myinput_str);
      v3 = std::operator<<<std::char_traits<char>>(&std::cout, "-------------------------------------------");
      std::ostream::operator<<(v3, &std::endl<char,std::char_traits<char>>);
      v4 = std::operator<<<std::char_traits<char>>(&std::cout, "Quote from people's champ");
      std::ostream::operator<<(v4, &std::endl<char,std::char_traits<char>>);
      v5 = std::operator<<<std::char_traits<char>>(&std::cout, "-------------------------------------------");
      std::ostream::operator<<(v5, &std::endl<char,std::char_traits<char>>);
      v6 = std::operator<<<std::char_traits<char>>(
             &std::cout,
             "*My goal was never to be the loudest or the craziest. It was to be the most entertaining.");
      std::ostream::operator<<(v6, &std::endl<char,std::char_traits<char>>);
      v7 = std::operator<<<std::char_traits<char>>(&std::cout, "*Wrestling was like stand-up comedy for me.");
      std::ostream::operator<<(v7, &std::endl<char,std::char_traits<char>>);
      v8 = std::operator<<<std::char_traits<char>>(
             &std::cout,
             "*I like to use the hard times in the past to motivate me today.");
      std::ostream::operator<<(v8, &std::endl<char,std::char_traits<char>>);
      v9 = std::operator<<<std::char_traits<char>>(&std::cout, "-------------------------------------------");
      std::ostream::operator<<(v9, &std::endl<char,std::char_traits<char>>);
      HighTemplar::HighTemplar((DarkTemplar *)&temp, &myinput_str);// ctor stores the input and the target string 327a6c4304ad5938eaf0efb6cc3e53dc
      v10 = std::operator<<<std::char_traits<char>>(&std::cout, "Checking....");
      std::ostream::operator<<(v10, &std::endl<char,std::char_traits<char>>);
      // func1/func2/func3 operate on the copies v19 -> v20 -> v21, which are destroyed
      // right afterwards. Their bodies are not shown; presumably they are decoys,
      // since nothing they produce is passed to calculate/getSerial below.
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(&v19, &myinput_str);
      func1((__int64)&v20, (__int64)&v19);
      func2((__int64)&v21, (__int64)&v20);
      func3((__int64)&v21, 0);
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v21);
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v20);
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&v19);
      HighTemplar::calculate((HighTemplar *)&temp);// transform ("encryption") step
      if ( (unsigned int)HighTemplar::getSerial((HighTemplar *)&temp) == 0 )// verification step: 0 means no mismatch was found
      {
        v11 = std::operator<<<std::char_traits<char>>(&std::cout, "/////////////////////////////////");
        std::ostream::operator<<(v11, &std::endl<char,std::char_traits<char>>);
        v12 = std::operator<<<std::char_traits<char>>(&std::cout, "Do not be angry. Happy Hacking :)");
        std::ostream::operator<<(v12, &std::endl<char,std::char_traits<char>>);
        v13 = std::operator<<<std::char_traits<char>>(&std::cout, "/////////////////////////////////");
        std::ostream::operator<<(v13, &std::endl<char,std::char_traits<char>>);
        ZN11HighTemplar7getFlagB5cxx11Ev((__int64)&myinput_copy, (__int64)&temp);// string printed as the flag; presumably the untouched input copy at temp + 48 (getFlag body not shown)
        v14 = std::operator<<<std::char_traits<char>>(&std::cout, "flag{");
        v15 = std::operator<<<char,std::char_traits<char>,std::allocator<char>>(v14, &myinput_copy);
        v16 = std::operator<<<std::char_traits<char>>(v15, "}");
        std::ostream::operator<<(v16, &std::endl<char,std::char_traits<char>>);
        std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&myinput_copy);
      }
      HighTemplar::~HighTemplar((HighTemplar *)&temp);
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string(&myinput_str);
      return 0;
    }

    三个关键函数:HighTemplar::HighTemplar((DarkTemplar *)&temp, &myinput_str)、HighTemplar::getSerial((HighTemplar *)&temp) 和 HighTemplar::calculate((HighTemplar *)&temp)。

    HighTemplar::HighTemplar((DarkTemplar *)&temp, &myinput_str) 是构造函数:把输入字符串保存两份(temp+16 和 temp+48),并在 temp+80 处保存用于比较的目标串 327a6c4304ad5938eaf0efb6cc3e53dc。

    // Hex-Rays pseudo-code of the HighTemplar constructor.
    // Lays out the object used by calculate/getSerial:
    //   temp + 12 : 32-bit status field, initialised to 0
    //   temp + 16 : std::string copy of the input
    //   temp + 48 : second std::string copy of the input
    //   temp + 80 : std::string holding the hard-coded comparison target
    // The target is embedded in the binary in plaintext, so it can be read
    // directly from the binary without running it.
    unsigned __int64 __fastcall HighTemplar::HighTemplar(DarkTemplar *temp, char *myinput_str)
    {
      char v3; // [rsp+17h] [rbp-19h]
      unsigned __int64 v4; // [rsp+18h] [rbp-18h]
    
      v4 = __readfsqword(0x28u);                    // fs:0x28 read, typically the stack-protector canary
      DarkTemplar::DarkTemplar(temp);               // base-class constructor runs first
      *(_QWORD *)temp = &off_401EA0;                // presumably the HighTemplar vtable pointer — confirm in the binary
      *((_DWORD *)temp + 3) = 0;                    // status field at byte offset 12; getSerial returns it
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(
        (char *)temp + 16,
        myinput_str);                               // temp + 16 --> stores the input (this is the copy calculate rewrites in place)
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(
        (char *)temp + 48,
        myinput_str);                               // temp + 48 --> stores a second copy of the input
      std::allocator<char>::allocator(&v3, myinput_str);
      std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(
        (__int64)temp + 80,                         // temp + 80 --> stores 327a6c4304ad5938eaf0efb6cc3e53dc
        (__int64)"327a6c4304ad5938eaf0efb6cc3e53dc",
        (__int64)&v3);
      std::allocator<char>::~allocator(&v3);
      // Decompiler rendering of the canary comparison, not a meaningful return value.
      return __readfsqword(0x28u) ^ v4;
    }

    HighTemplar::calculate((HighTemplar *)&temp);进行加密操作

    // Hex-Rays pseudo-code of HighTemplar::calculate.
    // Requires the string at this + 16 to be exactly 32 characters (otherwise prints
    // "Too short or too long" and exits with -1), then rewrites it in place in two
    // passes: byte = (byte ^ 0x50) + 23, followed by byte = (byte ^ 0x13) + 11.
    // Both passes are keyless, per-byte and invertible, so the transform only
    // obfuscates the input; it does not protect it.
    // The returned bool is just the last loop condition (false once the loop ends).
    bool __fastcall HighTemplar::calculate(HighTemplar *this)
    {
      __int64 v1; // rax
      _BYTE *v2; // rbx
      bool result; // al
      _BYTE *v4; // rbx
      int i; // [rsp+18h] [rbp-18h]
      int j; // [rsp+1Ch] [rbp-14h]
    
      if ( std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16) != 32 )// input must be exactly 32 characters long
      {
        v1 = std::operator<<<std::char_traits<char>>(&std::cout, "Too short or too long");
        std::ostream::operator<<(v1, &std::endl<char,std::char_traits<char>>);
        exit(-1);
      }
      // NOTE(review): the bound is `<=` length, so index 32 (one past the last
      // character) is rewritten as well; getSerial only compares indices < length.
      for ( i = 0;
            i <= (unsigned __int64)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16);
            ++i )
      {
        v2 = (_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](
                        (char *)this + 16,
                        i);
        *v2 = (*(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](
                           (char *)this + 16,
                           i) ^ 0x50)               // pass 1: (each byte ^ 0x50) + 23, stored back as a _BYTE
            + 23;
      }
      for ( j = 0; ; ++j )
      {
        result = j <= (unsigned __int64)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16);
        if ( !result )
          break;
        v4 = (_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](
                        (char *)this + 16,
                        j);
        *v4 = (*(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](
                           (char *)this + 16,
                           j) ^ 0x13)               // pass 2: (each byte ^ 0x13) + 11, stored back as a _BYTE
            + 11;
      }
      return result;
    }

    HighTemplar::getSerial((HighTemplar *)&temp)进行验证操作

    // Hex-Rays pseudo-code of HighTemplar::getSerial.
    // Compares the string at this + 80 with the string at this + 16 byte by byte,
    // for every index below the length of the string at this + 16.
    // Returns the 32-bit status field at byte offset 12: it is set to 1 on the first
    // mismatch; otherwise the stored value is returned unchanged (the constructor
    // initialises it to 0, which main treats as success).
    // NOTE(review): the per-index "Pass <i>" / "You did not pass <i>" output reveals
    // how many leading bytes matched. A real validation routine should not report the
    // position of a mismatch, and should not keep its comparison target in plaintext.
    __int64 __fastcall HighTemplar::getSerial(HighTemplar *this)
    {
      __int64 v1; // rbx
      __int64 v2; // rax
      __int64 v3; // rax
      __int64 v4; // rax
      __int64 v5; // rax
      unsigned int i; // [rsp+1Ch] [rbp-14h]
    
      for ( i = 0;
            (signed int)i < (unsigned __int64)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16);
            ++i )
      {
        v1 = *(unsigned __int8 *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](
                                   (char *)this + 80,// target string set earlier by HighTemplar::HighTemplar((DarkTemplar *)&temp, &myinput_str): 327a6c4304ad5938eaf0efb6cc3e53dc
                                   (signed int)i);
        if ( (_BYTE)v1 != *(_BYTE *)std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[](
                                      (char *)this + 16,// the input copy; main calls calculate on it before getSerial
                                      (signed int)i) )
        {
          v4 = std::operator<<<std::char_traits<char>>(&std::cout, "You did not pass ");
          v5 = std::ostream::operator<<(v4, i);
          std::ostream::operator<<(v5, &std::endl<char,std::char_traits<char>>);
          *((_DWORD *)this + 3) = 1;                // mark failure in the status field
          return *((unsigned int *)this + 3);
        }
        v2 = std::operator<<<std::char_traits<char>>(&std::cout, "Pass ");
        v3 = std::ostream::operator<<(v2, i);
        std::ostream::operator<<(v3, &std::endl<char,std::char_traits<char>>);
      }
      return *((unsigned int *)this + 3);
    }

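    只是简单的异或与加法操作:calculate 对输入的每个字节先做 (c ^ 0x50) + 23,再做 (c ^ 0x13) + 11,getSerial 再把结果与 327a6c4304ad5938eaf0efb6cc3e53dc 逐字节比较。因此按相反顺序求逆即可:先减 11、异或 0x13,再减 23、异或 0x50。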

    wp:

    # Recover the expected input by inverting HighTemplar::calculate on the
    # comparison target stored at this + 80.
    # Forward transform per byte: c -> ((c ^ 0x50) + 23), then -> ((c ^ 0x13) + 11).
    # Inverse, applied in reverse order: subtract 11, XOR 0x13, subtract 23, XOR 0x50.
    # The binary works on single bytes (mod 256); for this target every intermediate
    # value stays within 0..255, so no masking is applied here.
    temp = '327a6c4304ad5938eaf0efb6cc3e53dc'
    flag = ''.join(
        chr((((ord(ch) - 11) ^ 0x13) - 23) ^ 0x50)
        for ch in temp
    )
    print('flag{' + flag + '}')

    flag{tMx~qdstOs~crvtwb~aOba}qddtbrtcd}

  • 原文地址:https://www.cnblogs.com/DirWang/p/12258695.html