  • buuctf re [FlareOn4]IgniteMe

    无壳32位

    void __noreturn start()
    {
      /* Decompiled program entry: prompt on stdout, read the candidate key
         (sub_4010F0), validate it (sub_401050), print the verdict and exit.
         None of the Win32 return values are checked -- same as the original. */
      DWORD NumberOfBytesWritten = 0; // [esp+0h] [ebp-4h] BYREF
      const char *verdict;
      DWORD verdict_len;

      hFile = GetStdHandle(0xFFFFFFF6);         /* (DWORD)-10, Win32 STD_INPUT_HANDLE  */
      dword_403074 = GetStdHandle(0xFFFFFFF5);  /* (DWORD)-11, Win32 STD_OUTPUT_HANDLE */

      /* Prompt string (IDA name aG1v3M3T3hFl4g), 0x13 bytes. */
      WriteFile(dword_403074, aG1v3M3T3hFl4g, 0x13u, &NumberOfBytesWritten, 0);

      sub_4010F0();                 /* fills byte_403078 from stdin */
      if ( sub_401050() )           /* non-zero: key accepted */
      {
        verdict = aG00dJ0b;
        verdict_len = 0xAu;
      }
      else
      {
        verdict = aN0tT00H0tRWe7r;
        verdict_len = 0x24u;
      }
      WriteFile(dword_403074, verdict, verdict_len, &NumberOfBytesWritten, 0);
      ExitProcess(0);
    }
    

    start() 里只调用了两个函数：sub_4010F0()（从标准输入读取输入）和 sub_401050()（校验输入）。

    查看sub_4010F0()

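    int sub_4010F0()
    {
      /* Read one line from stdin (hFile) and copy it into the global input
         area byte_403078, dropping CR and LF bytes.
         Returns 1 on success, 0 if ReadFile itself fails (the original always
         returned 1 and never looked at ReadFile's result or byte count). */
      char Buffer[260]; // [esp+0h] [ebp-110h] BYREF
      DWORD NumberOfBytesRead = 0; // [esp+104h] [ebp-Ch] BYREF
      unsigned int len;
      unsigned int i;

      /* Zero the buffer so whatever ReadFile delivers is NUL-terminated. */
      for ( i = 0; i < sizeof Buffer; ++i )
        Buffer[i] = 0;

      /* The original requested sizeof Buffer (0x104) bytes, so a full read
         left no terminator; keep one byte of slack for the length scan. */
      if ( !ReadFile(hFile, Buffer, sizeof Buffer - 1, &NumberOfBytesRead, 0) )
        return 0;

      /* sub_401020 is used as a string-length scan here and in sub_401050
         (NOTE: inferred from its use, not from its body).  Buffer is not
         modified below, so one call suffices instead of one per iteration.
         Never copy more than ReadFile actually delivered. */
      len = sub_401020((int)Buffer);
      if ( len > NumberOfBytesRead )
        len = NumberOfBytesRead;

      /* The index is not compacted: positions holding CR/LF are skipped and
         byte_403078 keeps whatever it already held there. */
      for ( i = 0; i < len; ++i )
      {
        char c = Buffer[i];
        if ( c != '\n' && c != '\r' && c != 0 )
          byte_403078[i] = c;
      }
      return 1;
    }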
    

    这个函数从标准输入（hFile）最多读 0x104 字节到 Buffer，再逐字节拷贝到全局区 byte_403078；其中 v5 != 10 && v5 != 13 即跳过 \n（LF）和 \r（CR）。注意跳过时下标 i 并不回退，对应位置保持 byte_403078 原来的值。
    查看sub_401050()

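    int sub_401050()
    {
      /* Validate the key stored in byte_403078.
         Encoding (done from the last byte backwards):
           out[i] = in[i] ^ in[i+1]   for i < len-1
           out[len-1] = in[len-1] ^ sub_401000()
         The result in byte_403180 is compared with the first KEY_LEN bytes of
         the constant table byte_403000.
         Returns 1 if the key matches, 0 otherwise. */
      enum { KEY_LEN = 0x27 };
      int v1; // [esp+0h] [ebp-Ch]
      int i; // [esp+4h] [ebp-8h]
      unsigned int j; // [esp+4h] [ebp-8h]
      unsigned char v4; // [esp+Bh] [ebp-1h]

      v1 = sub_401020((int)byte_403078);
      /* Require exactly KEY_LEN bytes.  The original had no length check:
         each output byte only ties in[i] to in[i+1], so any longer input whose
         extra bytes cancel out was accepted as well. */
      if ( v1 != KEY_LEN )
        return 0;

      v4 = (unsigned char)sub_401000();   /* initial XOR key (see sub_401000) */
      for ( i = v1 - 1; i >= 0; --i )
      {
        byte_403180[i] = v4 ^ (unsigned char)byte_403078[i];
        v4 = (unsigned char)byte_403078[i];
      }

      for ( j = 0; j < KEY_LEN; ++j )
      {
        /* Compare both sides as unsigned bytes; the original only cast the
           table side, so with a signed char a byte >= 0x80 could never match. */
        if ( (unsigned char)byte_403180[j] != (unsigned char)byte_403000[j] )
          return 0;
      }
      return 1;
    }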
    

    sub_401050 从输入的最后一个字节往前处理：最后一个字节与 v4 异或，其余每个字节与它后面一个输入字节异或（byte_403180[i] = byte_403078[i] ^ byte_403078[i+1]），然后把结果的前 0x27（39）个字节与已知表 byte_403000 逐字节比较。函数本身没有检查输入长度，只比较前 0x27 字节。
    v4 的初值来自 sub_401000()：

    __int16 sub_401000()
    {
      /* Constant key used by sub_401050, computed in three steps:
         0x80070000 (== -2147024896) rotated left by 4 is 0x00700008,
         its low 16 bits are 0x0008, and shifting right by one gives 4. */
      unsigned int rotated = __ROL4__(-2147024896, 4);
      unsigned __int16 low16 = (unsigned __int16)rotated;
      return low16 >> 1;
    }
    

    不少 wp 直接给出返回值是 4，也可以在 OD 里下断点看该函数的返回值。其实可以直接算出来：-2147024896 即 0x80070000，循环左移 4 位得到 0x00700008，截取低 16 位为 0x0008，再右移 1 位就是 4。

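    # Cipher bytes at byte_403000 in the binary.  sub_401050 compares only the
    # first 0x27 (39) of them; the trailing 0x00 is just the string terminator.
    byte_403000 = [0x0D, 0x26, 0x49, 0x45, 0x2A, 0x17, 0x78, 0x44, 0x2B, 0x6C, 0x5D,
                   0x5E, 0x45, 0x12, 0x2F, 0x17, 0x2B, 0x44, 0x6F, 0x6E, 0x56, 0x09,
                   0x5F, 0x45, 0x47, 0x73, 0x26, 0x0A, 0x0D, 0x13, 0x17, 0x48, 0x42,
                   0x01, 0x40, 0x4D, 0x0C, 0x02, 0x69, 0x0]


    def decode_flag(cipher, seed=0x4, length=0x27):
        """Invert the transform sub_401050 applies to the input.

        The binary walks the input backwards and emits
        out[i] = in[i] ^ in[i + 1], with in[length] taken as ``seed`` (the
        value sub_401000 returns).  Decoding therefore also runs backwards:
        the last plaintext byte is cipher[length - 1] ^ seed and each earlier
        byte is cipher[i] ^ plaintext[i + 1].

        The original script looped over all 40 list entries and, on its last
        iteration, indexed byte_403000[-1], so it XORed the terminator with
        the first plaintext byte and printed a bogus 40th character.

        cipher  -- ints as found at byte_403000; entries past ``length`` are ignored
        seed    -- initial XOR key (4, sub_401000's result)
        length  -- number of bytes the binary actually compares (0x27)
        Returns the plaintext as a str; does not modify ``cipher``.
        """
        plain = [0] * length
        key = seed
        for i in range(length - 1, -1, -1):
            plain[i] = cipher[i] ^ key
            key = plain[i]
        return "".join(chr(b) for b in plain)


    flag = decode_flag(byte_403000)
    print("flag{" + flag + "}")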
    
    
  • 原文地址:https://www.cnblogs.com/socialbiao/p/15709929.html