2024网络与信息安全管理员职工职业技能竞赛re0220164094

 main部分，就是要逆这部分shellcode，程序把data段里面的东西复制到bss段去执行，期间包含解码操作。

  v19 = 0;puts("Please input your flag: ");__isoc99_scanf("%s", s);if ( strlen(s) != 38 ){puts("Wrong length!");exit(0);}for ( i = 0; i <= 37; ++i ){exec = shellcode;*(&loc_404144 + 4) = MEMORY[0x404068];loc_404150 = loc_404070;*(&MEMORY[0x404154] + 4) = MEMORY[0x404078];MEMORY[0x404160] = loc_404080;MEMORY[0x404168] = unk_404088;MEMORY[0x404170] = unk_404090;MEMORY[0x404178] = loc_404098;MEMORY[0x404180] = loc_4040A0;MEMORY[0x404188] = MEMORY[0x4040A8];loc_404190 = loc_4040B0;loc_404198 = loc_4040B8;loc_4041A0 = loc_4040C0;MEMORY[0x4041A8] = MEMORY[0x4040C8];v19 = (exec)(s[i]);*(s1 + i) = v19;}if ( !memcmp(s1, &enc, 0x26uLL) )puts("Congratulations~");elseputs("Sorry try again.");return 0;
}

这里貌似就是smc（self-Modifying Code）的部分，并不是生成flag的代码

 这部分才是真正生成flag的代码

字节高四位和第四位互换，然后-3，然后xor 0x1c。

149 push    r15
.bss:000000000040414B push    r14
.bss:000000000040414D mov     r15, rdi
.bss:000000000040414D
.bss:0000000000404150
.bss:0000000000404150 loc_404150:                             ; DATA XREF: main+181↑w
.bss:0000000000404150 and     r15, 0FFh
.bss:0000000000404157
.bss:0000000000404157 loc_404157:                             ; DATA XREF: main+188↑w
.bss:0000000000404157 and     r15, 0Fh
.bss:000000000040415B mov     r14, rdi
.bss:000000000040415E
.bss:000000000040415E loc_40415E:                             ; DATA XREF: main+19D↑w
.bss:000000000040415E and     r14, 0FFh
.bss:0000000000404165
.bss:0000000000404165 loc_404165:                             ; DATA XREF: main+1A4↑w
.bss:0000000000404165 sar     r14, 4
.bss:0000000000404169 and     r14, 0Fh
.bss:000000000040416D
.bss:000000000040416D loc_40416D:                             ; DATA XREF: main+1B9↑w
.bss:000000000040416D shl     r15, 4
.bss:0000000000404171 or      r14, r15
.bss:0000000000404174 mov     rax, r14
.bss:0000000000404177
.bss:0000000000404177 loc_404177:                             ; DATA XREF: main+1C0↑w
.bss:0000000000404177 dec     al
.bss:0000000000404179 dec     al
.bss:000000000040417B dec     al
.bss:000000000040417D xor     al, 1Ch
.bss:000000000040417F
.bss:000000000040417F loc_40417F:                             ; DATA XREF: main+1D5↑w
.bss:000000000040417F pop     r14
.bss:0000000000404181 pop     r15
.bss:0000000000404183 jmp     short loc_4041A5

enc=[0x7F, 0xDF, 0x0F, 0x6F, 0xA8, 0x7F, 0x7C, 0x3C, 0x0C, 0x4C, 0x5C, 0x9C, 0x4F, 0x3F, 0x4F, 0x3C, 0x0C, 0x0F, 0x4C, 0x3C, 0x5F, 0x9C, 0x4C, 0x9C, 0x7C, 0x9C, 0x0C, 0x5F, 0x2C, 0x2F, 0x4F, 0x5C, 0x5C, 0x8C, 0x2F, 0x9C, 0x5F, 0xC8, 0x81]
print(len(enc))
# offset=0x65
# for index in range(offset,offset+1):
l=''
for i in range(len(enc)):temp=(enc[i]^0x1c)+3l+=chr(((temp<<4|temp>>4)&0xff))# if 'flag' in l or '}' in l[-1]:
print(l,l.encode(),len(l))
# flag=b'flag'
# for i in range(4):
#     print((flag[i]^0x65)%enc[i])
#flag{f621548ebe21a52d858681d3ce449c8d}