  • BUUCTF--[FlareOn4]IgniteMe

    测试文件:https://lanzous.com/ibh1vch

    代码分析

    /*
     * Decompiled entry point (IDA pseudocode, not compilable as-is).
     * Prints a prompt, reads the user's answer via sub_4010F0, checks it via
     * sub_401050, prints one of two fixed messages and exits with code 0.
     * Globals (hFile, dword_403074, the a* string buffers) are defined
     * elsewhere in the binary and are not shown on this page.
     */
    void __noreturn start()
    {
      DWORD NumberOfBytesWritten; // [esp+0h] [ebp-4h]
    
      NumberOfBytesWritten = 0;
      // 0xFFFFFFF6 == (DWORD)-10 == STD_INPUT_HANDLE; stored in the global hFile
      // that sub_4010F0 later reads from.
      hFile = GetStdHandle(0xFFFFFFF6);
      // 0xFFFFFFF5 == (DWORD)-11 == STD_OUTPUT_HANDLE.
      dword_403074 = GetStdHandle(0xFFFFFFF5);
      // Prompt (0x13 = 19 bytes); the IDA name suggests "G1v3 m3 t3h fl4g"-style
      // text, but the literal contents are not shown here.
      WriteFile(dword_403074, aG1v3M3T3hFl4g, 0x13u, &NumberOfBytesWritten, 0);
      // Read and normalise the input into byte_403078 (return value ignored;
      // sub_4010F0 always returns 1 anyway).
      sub_4010F0();
      // Non-zero means the transformed input matched the stored target.
      if ( sub_401050() )
        WriteFile(dword_403074, aG00dJ0b, 0xAu, &NumberOfBytesWritten, 0);
      else
        WriteFile(dword_403074, aN0tT00H0tRWe7r, 0x24u, &NumberOfBytesWritten, 0);
      // Exit code is 0 on both paths, so success/failure is only visible in the
      // printed message, not in the process status.
      ExitProcess(0);
    }

    这里面分析好sub_4010F0和sub_401050函数就行了。

    sub_4010F0函数

    /*
     * Reads up to 260 bytes from hFile (stdin, set up in start()) and copies
     * them into the global byte_403078, dropping CR (13), LF (10) and NUL bytes.
     * Always returns 1; the ReadFile result and NumberOfBytesRead are never
     * checked, so a failed read leaves Buffer all zeros and copies nothing.
     *
     * sub_401020 is not shown on this page; from its use here and in
     * sub_401050 it appears to be a strlen-style length routine — confirm.
     */
    signed int sub_4010F0()
    {
      unsigned int v0; // eax
      char Buffer[260]; // [esp+0h] [ebp-110h]
      DWORD NumberOfBytesRead; // [esp+104h] [ebp-Ch]
      unsigned int i; // [esp+108h] [ebp-8h]
      char v5; // [esp+10Fh] [ebp-1h]
    
      v5 = 0;
      // Zero the whole 0x104 = 260-byte buffer so a short read is NUL-terminated.
      for ( i = 0; i < 0x104; ++i )
        Buffer[i] = 0;
      // NOTE(review): the read size equals sizeof(Buffer), so a full 260-byte
      // read leaves no room for a terminator; the length scan below would then
      // depend on whatever follows Buffer on the stack.
      ReadFile(hFile, Buffer, 0x104u, &NumberOfBytesRead, 0);
      // Length is recomputed on every iteration (harmless here, just O(n^2)).
      for ( i = 0; ; ++i )
      {
        v0 = sub_401020(Buffer);
        if ( i >= v0 )
          break;
        v5 = Buffer[i];
        // Skip line terminators; also skip NUL (cannot occur before the scan
        // end if sub_401020 is strlen-like). Note the destination index is the
        // source index i, so skipped bytes leave gaps rather than compacting.
        if ( v5 != 10 && v5 != 13 )
        {
          if ( v5 )
            byte_403078[i] = v5;
        }
      }
      return 1;
    }

    sub_401050函数

    /*
     * Transforms the user input in byte_403078 with a backwards XOR chain and
     * compares the result against the 0x27 = 39-byte target byte_403000.
     * Returns 1 on a full match, 0 on the first mismatch.
     *
     * The chain, walking from the last byte to the first:
     *   out[i] = key ^ in[i];  key = in[i];
     * with the initial key coming from sub_401000() (not shown on this page;
     * the solver script below uses the constant 4 for it). Equivalently
     * out[i] = in[i+1] ^ in[i] for all but the last byte, which is why the
     * transform can be inverted directly from the target bytes.
     */
    signed int sub_401050()
    {
      int v0; // ST04_4
      int i; // [esp+4h] [ebp-8h]
      unsigned int j; // [esp+4h] [ebp-8h]
      char v4; // [esp+Bh] [ebp-1h]
    
      // Length of the normalised input (sub_401020 appears strlen-like — confirm).
      v0 = sub_401020(byte_403078);
      // Initial XOR key; sub_401000 is not shown here.
      v4 = sub_401000();
      for ( i = v0 - 1; i >= 0; --i )
      {
        byte_403180[i] = v4 ^ byte_403078[i];
        v4 = byte_403078[i];
      }
      // The compare always covers 39 bytes regardless of the input length, so
      // an input shorter than 39 is compared against whatever byte_403180 held
      // beyond the written range (presumably zero-initialised static data —
      // confirm). The early return on the first mismatch makes the check
      // non-constant-time, which is irrelevant for a CTF but worth noting as
      // a pattern.
      for ( j = 0; j < 0x27; ++j )
      {
        if ( byte_403180[j] != (unsigned __int8)byte_403000[j] )
          return 0;
      }
      return 1;
    }

    还是倒过来分析

    sub_401050函数就是将字符串逆向做了异或操作之后,与已知字符串byte_403000对比。

    sub_4010F0函数就是把我们输入字符串中的\r\n去掉，然后存入byte_403078。

    脚本

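    # -*- coding:utf-8 -*-
    """Solver for the sub_401050 check: invert the backwards XOR chain.

    The binary computes, from the last byte to the first,
        out[i] = key ^ in[i];  key = in[i]
    with an initial key returned by sub_401000 (not shown on the page; the
    value 4 is what the original write-up used — confirm against the binary).
    Since each output byte only depends on the current and the next input
    byte, the input is recovered by walking the target backwards and feeding
    each recovered plaintext byte back in as the next key.
    """
    
    # Target bytes byte_403000 from the binary (0x27 = 39 bytes).
    arr2 = [0x0D,0x26,0x49,0x45,0x2A,0x17,0x78,0x44,0x2B,0x6C,0x5D,0x5E,0x45,0x12,0x2F,0x17,
    0x2B,0x44,0x6F,0x6E,0x56,0x09,0x5F,0x45,0x47,0x73,0x26,0x0A,0x0D,0x13,0x17,0x48,
    0x42,0x01,0x40,0x4D,0x0C,0x02,0x69]
    
    # Initial XOR key (return value of sub_401000 in the binary).
    INITIAL_KEY = 4
    
    
    def decrypt(cipher, seed=INITIAL_KEY):
        """Return the plaintext string whose XOR chain equals ``cipher``.
    
        :param cipher: iterable of target byte values (0..255), in file order.
        :param seed: initial key used for the last byte of the chain.
        :returns: the recovered input as a ``str``; empty for empty input.
        """
        recovered = []
        key = seed
        # Walk from the last byte to the first, exactly like the binary does.
        for value in reversed(list(cipher)):
            plain = value ^ key
            recovered.append(plain)
            key = plain
        # recovered is in reverse order; flip it back to file order.
        return ''.join(chr(x) for x in reversed(recovered))
    
    
    if __name__ == '__main__':
        print ('flag{' + decrypt(arr2) + '}')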

    get flag!

    flag{R_y0u_H0t_3n0ugH_t0_1gn1t3@flare-on.com}

  • 原文地址:https://www.cnblogs.com/Mayfly-nymph/p/12711720.html