[LitCTF 2023]程序和人有一个能跑就行了
新知识 seh
表面上的逻辑蛮简单的
int __cdecl main(int argc, const char **argv, const char **envp)
{_DWORD *v3; // eax_DWORD *v5; // eaxchar *v6; // eaxint v7; // [esp+0h] [ebp-2ACh] BYREFint v8; // [esp+14h] [ebp-298h]int *v9; // [esp+18h] [ebp-294h]int v10; // [esp+1Ch] [ebp-290h] BYREFint v11; // [esp+20h] [ebp-28Ch]int (__cdecl *v12)(int, int, int, int, int, int); // [esp+34h] [ebp-278h]int *v13; // [esp+38h] [ebp-274h]int *v14; // [esp+3Ch] [ebp-270h]void *v15; // [esp+40h] [ebp-26Ch]int *v16; // [esp+44h] [ebp-268h]char Buf1[27]; // [esp+68h] [ebp-244h] BYREFchar Buf2[256]; // [esp+A0h] [ebp-20Ch] BYREFchar Destination[268]; // [esp+1A0h] [ebp-10Ch] BYREFint savedregs; // [esp+2ACh] [ebp+0h] BYREFv9 = &v10;v12 = sub_4752F0;v13 = dword_476078;v14 = &savedregs;v15 = &loc_475B38;v16 = &v7;sub_40A8F0(&v10);sub_409B80();v11 = -1;sub_472810(&dword_47DD80, Buf2);strcpy(Destination, "litctf");decode(Buf2, strlen(Buf2), Destination, 6u);Buf1[0] = -115;Buf1[1] = 108;Buf1[2] = -123;Buf1[3] = 118;Buf1[4] = 50;Buf1[5] = 114;Buf1[6] = -73;Buf1[7] = 64;Buf1[8] = -120;Buf1[9] = 126;Buf1[10] = -107;Buf1[11] = -18;Buf1[12] = -59;Buf1[13] = -19;Buf1[14] = 46;Buf1[15] = 113;Buf1[16] = 55;Buf1[17] = -15;Buf1[18] = 74;Buf1[19] = -103;Buf1[20] = 53;Buf1[21] = 24;Buf1[22] = -89;Buf1[23] = -80;Buf1[24] = 0;Buf1[25] = -106;Buf1[26] = -73;v8 = memcmp(Buf1, Buf2, 27u);if ( v8 ){v11 = 1;v5 = print(&dword_47DF60, "U are wrong?");sub_46FBA0(v5);v6 = sub_474310(4);*v6 = Buf2;sub_475190(v6, &off_483660, 0);}v11 = 1;v3 = print(&dword_47DF60, "U are right?");sub_46FBA0(v3);sub_40AA70(v9);return v8;
}逻辑比较简单
看一下decode
int __cdecl sub_4015A0(int a1, int a2, int a3, unsigned int a4)
{unsigned int i; // ecxchar *v5; // eaxint v6; // ecxchar v7; // siint result; // eaxint v9; // ecxint v10; // edxchar v11; // dichar v12; // siint v13; // ediint v14; // [esp+0h] [ebp-214h]char v15[256]; // [esp+4h] [ebp-210h] BYREFchar v16[272]; // [esp+104h] [ebp-110h] BYREFfor ( i = 0; i != 256; ++i ){v15[i] = i;v16[i] = *(a3 + i % a4);}v5 = v15;LOBYTE(v6) = 0;do{v7 = *v5++;v6 = (v5[255] + v7 + v6);*(v5 - 1) = v15[v6];v15[v6] = v7;}while ( v5 != v16 );result = a2;if ( a2 ){LOBYTE(v9) = 0;LOBYTE(result) = 0;v10 = 0;v14 = 0;do{++v10;result = (result + 1);v11 = v15[result];v12 = v11;v9 = (v11 + v9);v15[result] = v15[v9];v15[v9] = v11;v13 = v14;v14 = v10;*(a1 + v13) ^= v15[(v15[result] + v12)];}while ( v10 != a2 );}return result;
}标准的RC4,没搞什么怪
但是解出来,就是fake flag
这道题,我们动调一下,你会发现
左边是F5反汇编出来的,右边F5不行,但是在程序动调时候,却能运行
这边的代码也比较简单
我们复制数据过来
就OK了
——————————————————
最后我谈谈我对这个enc,也就是C++异常机制的理解
就是 正常运行————>正常程序报错——>修补机制(里面有代码)-——————>正常程序
这道题就是 第一个RC4就是正常程序,第二个就是在修补机制里面(我这样理解原理上应该是错的,只是方便我理解,给不想深究的同学看看,哈哈)