zoukankan      html  css  js  c++  java
  • xctf-re-re1-100

    查壳发现是ELF文件,IDA载入,找到main函数,查看反汇编代码

    int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
    {
      __pid_t v3; // eax
      size_t v4; // rax
      ssize_t v5; // rbx
      bool v6; // al
      char **argva; // [rsp+0h] [rbp-1D0h]
      bool bCheckPtrace; // [rsp+13h] [rbp-1BDh]
      ssize_t numRead; // [rsp+18h] [rbp-1B8h]
      ssize_t numReada; // [rsp+18h] [rbp-1B8h]
      char bufWrite[200]; // [rsp+20h] [rbp-1B0h]
      char bufParentRead[200]; // [rsp+F0h] [rbp-E0h]
      unsigned __int64 v13; // [rsp+1B8h] [rbp-18h]
    
      argva = (char **)argv;
      v13 = __readfsqword(0x28u);
      bCheckPtrace = detectDebugging();
      if ( pipe(pParentWrite) == -1 )
        exit(1);
      if ( pipe(pParentRead) == -1 )
        exit(1);
      v3 = fork();
      if ( v3 != -1 )
      {
        if ( v3 )
        {
          close(pParentWrite[0]);
          close(pParentRead[1]);
          while ( 1 )
          {
            printf("Input key : ", argva);
            memset(bufWrite, 0, 0xC8uLL);
            gets(bufWrite, 0LL);
            v4 = strlen(bufWrite);
            v5 = write(pParentWrite[1], bufWrite, v4);
            if ( v5 != strlen(bufWrite) )
              printf("parent - partial/failed write", bufWrite);
            do
            {
              memset(bufParentRead, 0, 0xC8uLL);
              numReada = read(pParentRead[0], bufParentRead, 0xC8uLL);
              v6 = bCheckPtrace || checkDebuggerProcessRunning();
              if ( v6 )
              {
                puts("Wrong !!!
    ");
              }
              else if ( !checkStringIsNumber(bufParentRead) )            
              {
                puts("Wrong !!!
    ");
              }
              else
              {
                if ( atoi(bufParentRead) )
                {
                  puts("True");
                  if ( close(pParentWrite[1]) == -1 )
                    exit(1);
                  exit(0);
                }
                puts("Wrong !!!
    ");
              }
            }
            while ( numReada == -1 );
          }
        }
        close(pParentWrite[1]);
        close(pParentRead[0]);
        while ( 1 )                                                             /////////
        {
          memset(bufParentRead, 0, 0xC8uLL);
          numRead = read(pParentWrite[0], bufParentRead, 0xC8uLL);
          if ( numRead == -1 )
            break;
          if ( numRead )
          {
            if ( childCheckDebugResult() )
            {
              responseFalse();
            }
            else if ( bufParentRead[0] == '{' )                                 //第一个字符是 '{'
            {
              if ( strlen(bufParentRead) == 42 )                            //字符串长度为42
              {
                if ( !strncmp(&bufParentRead[1], "53fc275d81", 0xAuLL) )   //第2~11个字符是"53fc275d81"
                {
                  if ( bufParentRead[strlen(bufParentRead) - 1] == '}' )        //最后一个字符是 '}'
                  {
                    if ( !strncmp(&bufParentRead[31], "4938ae4efd", 0xAuLL) )    //第32~41个字符是“4938ae4efd”
                    {
                      if ( !confuseKey(bufParentRead, 42) )
                      {
                        responseFalse();
                      }
                      else if ( !strncmp(bufParentRead, "{daf29f59034938ae4efd53fc275d81053ed5be8c}", 0x2AuLL) )
                      {
                        responseTrue();
                      }
                      else
                      {
                        responseFalse();
                      }
                    }
                    else
                    {
                      responseFalse();
                    }
                  }
                  else
                  {
                    responseFalse();
                  }
                }
                else
                {
                  responseFalse();
                }
              }
              else
              {
                responseFalse();
              }
            }
            else
            {
              responseFalse();
            }
          }
        }
        exit(1);
      }
      exit(1);
    }
    

    while(1)上面的代码是检查一些东西的
    bufParentRead是输入的字符串
    跟着代码走,最后到confuseKey函数,查看代码,找到关键代码

      strncpy(szPart1, szKey + 1, 0xAuLL);        /*     
      strncpy(szPart2, szKey + 11, 0xAuLL);         
      strncpy(szPart3, szKey + 21, 0xAuLL);         
      strncpy(szPart4, szKey + 31, 0xAuLL);            
      memset(szKey, 0, iKeyLength);                     
      *szKey = 123;
      strcat(szKey, szPart3);                                 
      strcat(szKey, szPart4);                                 
      strcat(szKey, szPart1);
      strcat(szKey, szPart2);
      szKey[41] = 125;
      return 1;
    }
    

    函数作用为:把字符串分为四部分:第2 ~11,12 ~ 21,22 ~ 31,32 ~ 41
    然后调换顺序,改为第22 ~ 31,32 ~ 41,2 ~ 11,12 ~ 21
    所以只要将daf29f59034938ae4efd53fc275d81053ed5be8c调换顺序即可得到flag

  • 相关阅读:
    整理前端面试题1
    前端面试题2
    6.显示锁Lock 和 线程通信Condition
    5.创建执行线程的方式之三 :实现Callable 接口
    4.闭锁 CountDownLatch
    3.ConcurrentHashMap 锁分段机制 Copy-On-Write
    2.原子变量 CAS算法
    1.volatile关键字 内存可见性
    13.MyBatis注解式开发
    12.查询缓存
  • 原文地址:https://www.cnblogs.com/pluie/p/13034395.html
Copyright © 2011-2022 走看看