当前位置: 首页 > news >正文

[SCTF2019]babyre

news 2025/8/8 8:07:52

打开看看还是有花指令

解除后首先pass1是解maze,好像又是三维的

x是+25,也就是向下跳五层,注意是立体的

得到 passwd1: ddwwxxssxaxwwaasasyywwdd

接着往下看

有一个加密函数
IDA逆向常用宏定义_lodword-CSDN博客

unsigned __int64 __fastcall sub_C22(const char *a1, __int64 a2)
{__int64 v2; // raxchar v3; // ccint v4; // edxint v5; // eaxint v6; // eaxint v7; // eaxint v9; // [rsp+14h] [rbp-24Ch]int v10; // [rsp+18h] [rbp-248h]int v11; // [rsp+1Ch] [rbp-244h]int v12; // [rsp+20h] [rbp-240h]int v13; // [rsp+24h] [rbp-23Ch]int v14; // [rsp+28h] [rbp-238h]int v15; // [rsp+2Ch] [rbp-234h]const char *v16; // [rsp+48h] [rbp-218h]int v17[130]; // [rsp+50h] [rbp-210h] BYREFunsigned __int64 v18; // [rsp+258h] [rbp-8h]v18 = __readfsqword(0x28u);qmemcpy(v17, &unk_1740, 0x200uLL);v10 = 3;v9 = 0;v12 = 0;v13 = 0;v14 = strlen(a1);v16 = a1;while ( 1 ){v15 = 0;if ( v12 < v14 )break;
LABEL_7:if ( v12 >= v14 )goto LABEL_8;}do{if ( a1[v12] != 25 )break;++v12;++v15;}while ( v12 < v14 );if ( v12 != v14 ){++v12;goto LABEL_7;}
LABEL_8:v2 = 0LL;while ( 1 ){v3 = (*(_DWORD *)v2 + 1 < 0) ^ __OFADD__(1, *(_DWORD *)v2) | (*(_DWORD *)v2 == -1);++*(_DWORD *)v2;if ( v3 )break;v10 -= v17[*v16] == 64;v4 = v17[*v16] & 0x3F;v2 = v4 | (unsigned int)(v9 << 6);v9 = v4 | (v9 << 6);LOBYTE(v2) = ++v11 == 4;if ( v11 == 4 ){v11 = 0;if ( v10 ){v5 = v13++;v2 = v5 + a2;*(_BYTE *)v2 = BYTE2(v9);}if ( v10 > 1 ){v6 = v13++;v2 = v6 + a2;*(_BYTE *)v2 = BYTE1(v9);}if ( v10 > 2 ){v7 = v13++;v2 = v7 + a2;*(_BYTE *)v2 = v9;}}++v16;--v14;}return __readfsqword(0x28u) ^ v18;
}

也就是将input2的每四位改成三位给v18,然后v18再与v8="sctf_9102"进行比较
v8有9位,可知input2有16位。(好像真的是base64)
提取出数据,写爆破脚本。(C快一些)

enc='sctf_9102'
for i in range(len(enc)):print(hex(ord(enc[i]))[2:],end='')

先改成字节。

#include <iostream>
using namespace std;
int main() {int str[3] = { 0x736374,0x665f39,0x313032 };int data[128] = {0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F,0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F,0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F,0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F,0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F,0x7F, 0x7F, 0x7F, 0x3E, 0x7F, 0x7F, 0x7F, 0x3F,0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B,0x3C, 0x3D, 0x7F, 0x7F, 0x7F, 0x40, 0x7F, 0x7F,0x7F, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E,0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16,0x17, 0x18, 0x19, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F,0x7F, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20,0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28,0x29, 0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30,0x31, 0x32, 0x33, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F};int i0, i1, i2, i3, i4, final;for (i0 = 0; i0 < 3; i0++) {for (i1 = 32; i1 < 128; i1++) {for (i2 = 32; i2 < 128; i2++) {for (i3 = 32; i3 < 128; i3++) {for (i4 = 32; i4 < 128; i4++) {final = (((((data[i1] << 6) | data[i2]) << 6) | data[i3]) << 6) | data[i4];//i5 = (((((data[i1] << 6) | data[i2]) << 6) | data[i3]) << 6) | data[i4];if (final == str[i0]) {printf("第%d组:%c%c%c%c\n", i0 + 1, i1, i2, i3, i4);}}}}}}return 0;
}

第1组:c2N0
第2组:Zl85
第3组:MS=y
第3组:MT=y
第3组:MTAy

第三组有多个解可以先动调来确定,是MTAY

第三部分:

__int64 __fastcall sub_FFA(char *a1)
{int v2; // [rsp+18h] [rbp-158h]int i; // [rsp+18h] [rbp-158h]int v4; // [rsp+1Ch] [rbp-154h]unsigned int v5; // [rsp+24h] [rbp-14Ch]unsigned int v6; // [rsp+28h] [rbp-148h]unsigned int v7; // [rsp+2Ch] [rbp-144h]int v8[16]; // [rsp+30h] [rbp-140h]int v9[16]; // [rsp+70h] [rbp-100h]int v10[26]; // [rsp+B0h] [rbp-C0h]unsigned int v11; // [rsp+118h] [rbp-58h]unsigned int v12; // [rsp+11Ch] [rbp-54h]unsigned int v13; // [rsp+120h] [rbp-50h]unsigned int v14; // [rsp+124h] [rbp-4Ch]unsigned __int64 v15; // [rsp+168h] [rbp-8h]v15 = __readfsqword(0x28u);v8[0] = 190;v8[1] = 4;v8[2] = 6;v8[3] = 128;v8[4] = 197;v8[5] = 175;v8[6] = 118;v8[7] = 71;v8[8] = 159;v8[9] = 204;v8[10] = 64;v8[11] = 31;v8[12] = 216;v8[13] = 191;v8[14] = 146;v8[15] = 239;v5 = (a1[6] << 8) | (a1[5] << 16) | (a1[4] << 24) | a1[7];v6 = (a1[10] << 8) | (a1[9] << 16) | (a1[8] << 24) | a1[11];v7 = (a1[14] << 8) | (a1[13] << 16) | (a1[12] << 24) | a1[15];v4 = 0;v2 = 4;v10[0] = byteswap((a1[2] << 8) | (a1[1] << 16) | (*a1 << 24) | a1[3]);v10[1] = byteswap(v5);v10[2] = byteswap(v6);v10[3] = byteswap(v7);do{v10[v2] = sub_143B(v10[v4], v10[v4 + 1], v10[v4 + 2], v10[v4 + 3]);++v4;++v2;}while ( v2 <= 29 );v9[0] = HIBYTE(v11);v9[1] = BYTE2(v11);v9[2] = BYTE1(v11);v9[3] = v11;v9[4] = HIBYTE(v12);v9[5] = BYTE2(v12);v9[6] = BYTE1(v12);v9[7] = v12;v9[8] = HIBYTE(v13);v9[9] = BYTE2(v13);v9[10] = BYTE1(v13);v9[11] = v13;v9[12] = HIBYTE(v14);v9[13] = BYTE2(v14);v9[14] = BYTE1(v14);v9[15] = v14;for ( i = 0; i <= 15; ++i ){if ( v9[i] != v8[i] )return 0xFFFFFFFFLL;}return 1LL;
}

它的v_output原始ida分析出来的是独立的变量,双击进去按下*调整为同一个数组,然后按下y定义为下图这样的变量(int v_output[32])

  • 其中__ROL4__是循环左移
  • byte3、byte2、byte1分别表示获取第几个byte,hibyte表示获取最高位的byte
取输入值作为下标从表中取值再组合。
(循环移位宏)循环左右移不同位之后再异或取值。

 最后一点位运算和宏还需要再研究研究。

CTF逆向-[SCTF2019]babyre-WP_简单去花指令和流程识别_ctf babyre-CSDN博客

 

http://www.lryc.cn/news/352863.html

相关文章:

  • uniapp实现下拉过滤查询列表
  • C++—— set、map、multiset、multimap的介绍及使用
  • STM32 学习——1. STM32最小系统
  • react实现table可拖拽表头(给react-jss样式传递参数、滚动条样式)
  • 如何跨过robots协议的限制爬取内容?
  • Parasoft C++Test软件静态分析操作指南_编码规范/标准检查
  • [AIGC] CompletableFuture如何实现任务链式调用?
  • 神奇动物在哪里?斯洛文尼亚旅游之野生动物寻踪
  • 电商项目之有趣的支付签名算法
  • Web开发核心
  • 【Python】【Scrapy 爬虫】理解HTML和XPath
  • 【CTF Web】CTFShow web5 Writeup(SQL注入+PHP+位运算)
  • LeetCode 968.监控二叉树 (hard)
  • 数理逻辑:1、预备知识
  • 14-云原生监控体系-Redis_exporter 监控 MySQL[部署Dashborad告警规则实战]
  • DOS学习-目录与文件应用操作经典案例-xcopy
  • Midjourney是一个基于GPT-3.5系列接口开发的免费AI机器人
  • v-model详解
  • ArcGIS中分割与按属性分割的区别
  • 就业班 第三阶段(ELK) 2401--5.20 day1 ELK 企业实战 ES+head+kibana+logstash部署(最大集群)
  • PCM和QAM
  • Mongodb分布式id
  • AI模型抉择:开源VS闭源,谁主沉浮?
  • 佩戴安全头盔监测识别摄像机
  • 5.24学习记录
  • 创建FreeRTOS工程
  • HTML中 video标签样式铺满全屏
  • vue项目移动端商场
  • Golang | Leetcode Golang题解之第97题交错字符串
  • 2024电工杯B题:大学生平衡膳食食谱的优化设计及评价