2022DASCTF X SU 三月春季挑战赛 easyre
2022DASCTF X SU 三月春季挑战赛 easyre
前奏
查壳
查壳,asp壳,esp定律脱之,修复可以看我的上一篇文章
main函数
main函数的反汇编代码
int __cdecl main(int argc, const char **argv, const char **envp) { unsigned __int8 Dest[50]; // [esp+1Ch] [ebp-74h] BYREF char Str[50]; // [esp+4Eh] [ebp-42h] BYREF __time32_t Time; // [esp+80h] [ebp-10h] BYREF int v7; // [esp+84h] [ebp-Ch] int v8; // [esp+88h] [ebp-8h] struct tm *v9; // [esp+8Ch] [ebp-4h] sub_40DCF0(); time(&Time); v9 = gmtime(&Time); sub_47C7D0((int)&dword_487F00, Str); if ( strlen(Str) != 42 ) { sub_47BAB0((int)&dword_488140, aWrong); exit(0); } if ( Str[0] != 'D' || Str[1] != 'A' || Str[2] != 'S' || Str[3] != 'C' || Str[4] != 'T' || Str[5] != 'F' ) { sub_47BAB0((int)&dword_488140, aWrong); exit(0); } mbscpy(Dest, (const unsigned __int8 *)Str); v8 = v9->tm_year + 1900; v7 = 0; sub_4019BE(Str); sub_401771((char *)Dest); system(Command); return 0; } Str是我们的输入
sub_47BAB0是printf
sub_47C7D0是scanf
修复后的代码
int __cdecl main(int argc, const char **argv, const char **envp) { unsigned __int8 Dest[50]; // [esp+1Ch] [ebp-74h] BYREF char Str[50]; // [esp+4Eh] [ebp-42h] BYREF __time32_t Time; // [esp+80h] [ebp-10h] BYREF int v7; // [esp+84h] [ebp-Ch] int v8; // [esp+88h] [ebp-8h] struct tm *v9; // [esp+8Ch] [ebp-4h] sub_40DCF0(); time(&Time); v9 = gmtime(&Time); scanf(&dword_487F00, Str); if ( strlen(Str) != 42 ) { printf_0(&dword_488140, aWrong); exit(0); } if ( Str[0] != 'D' || Str[1] != 'A' || Str[2] != 'S' || Str[3] != 'C' || Str[4] != 'T' || Str[5] != 'F' ) { printf_0(&dword_488140, aWrong); exit(0); } mbscpy(Dest, Str); v8 = v9->tm_year + 1900; v7 = 0; sub_4019BE(Str); sub_401771(Dest); system(Command); return 0; } 可以分析得出,我们输入的内容需要首先满足Str[0] != 'D' || Str[1] != 'A' || Str[2] != 'S' || Str[3] != 'C' || Str[4] != 'T' || Str[5] != 'F' 和= 42这两个条件
所以可以我们可以构造如下的满足条件的输入
DASCTFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
然后根据代码,程序会进入下面两个函数
sub_4019BE(Str); sub_401771(Dest); sub_4019BE(Str)
代码
size_t __cdecl sub_4019BE(char *Str) { size_t result; // eax char v2[84]; // [esp+1Ch] [ebp-7Ch] BYREF char *v3; // [esp+70h] [ebp-28h] size_t Size; // [esp+74h] [ebp-24h] int v5; // [esp+78h] [ebp-20h] int v6; // [esp+7Ch] [ebp-1Ch] int v7; // [esp+84h] [ebp-14h] size_t v8; // [esp+88h] [ebp-10h] int i; // [esp+8Ch] [ebp-Ch] strcpy(&v2[59], 26St9k3bNYWAadAhJJjDCRVx); v5 = 0; v6 = 0; Size = 138 * strlen(Str) / 0x64 + 1; strcpy(v2, 123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz); v3 = malloc(Size); v8 = 0; memset(v3, 0, Size); while ( v8 < strlen(Str) ) { v7 = Str[v8]; for ( i = Size - 1; ; --i ) { v7 += v3[i] << 8; v3[i] = v7 % 58; v7 /= 58; if ( !v7 ) break; } for ( i = 0; !v3[i]; ++i ) ; ++v8; } for ( i = 0; !v3[i]; ++i ) ; while ( 1 ) { result = Size - 1; if ( (Size - 1) < i ) break; Str[i] = v2[v3[i]]; ++i; } return result; } 根据strcpy(v2, 123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz);这一段,可以发现是base58
对strcpy(&v2[59], 26St9k3bNYWAadAhJJjDCRVx);中的v2进行解码,可以发现是个fake flag
那就不管他,看sub_401771(Dest);
sub_401771(Dest)
代码
int __cdecl sub_401771(char *Str) { int v2[50]; // [esp+1Ch] [ebp-DCh] BYREF int v3; // [esp+E4h] [ebp-14h] int j; // [esp+E8h] [ebp-10h] int i; // [esp+ECh] [ebp-Ch] v3 = strlen(Str); sub_401500(); sub_40152B(); sub_401593(); sub_401619(Str, v3); for ( i = 0; i < v3; ++i ) byte_492A60[i] = (LOBYTE(dword_492940[i]) ^ Str[i]) + 71; memset(v2, 0, sizeof(v2)); v2[0] = -61; v2[1] = -128; v2[2] = -43; v2[3] = -14; v2[4] = -101; v2[5] = 48; v2[6] = 11; v2[7] = -76; v2[8] = 85; v2[9] = -34; v2[10] = 34; v2[11] = -125; v2[12] = 47; v2[13] = -105; v2[14] = -72; v2[15] = 32; v2[16] = 29; v2[17] = 116; v2[18] = -47; v2[19] = 1; v2[20] = 115; v2[21] = 26; v2[22] = -78; v2[23] = -56; v2[24] = -59; v2[25] = 116; v2[26] = -64; v2[27] = 91; v2[28] = -9; v2[29] = 15; v2[30] = -45; v2[31] = 1; v2[32] = 85; v2[33] = -78; v2[34] = -92; v2[35] = -82; v2[36] = 123; v2[37] = -84; v2[38] = 92; v2[39] = 86; v2[40] = -68; v2[41] = 35; for ( j = 0; j <= 41; ++j ) { if ( v2[j] != byte_492A60[j] ) exit(0); } return printf_0(&dword_488140, aRight); } 根据最后的
if ( v2[j] != byte_492A60[j] ) exit(0); 这个代码,倒推需要我们input的flag
可以知道需要我们输入的flag的验证逻辑是
flag = (byte_492A60[j]-71)^LOBYTE(dword_492940[i]) 根据byte_492A60[i] = (LOBYTE(dword_492940[i]) ^ Str[i]) + 71;这段代码,可以知道我们需要LOBYTE(dword_492940[i])的数值
这里我直接使用了动态分析(静态分析太麻烦)
动态调试
先输入我们上一把得到的过第一层校验的字符串DASCTFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
程序此时已经断在了我们需要的地方
此时我们就可以去拿dword_492940的值了
以BYTE的格式(因为前文有提示说是BYTE)
unsigned char dword_492940[171] = { 0x38, 0x00, 0x00, 0x00, 0x78, 0x00, 0x00, 0x00, 0xDD, 0x00, 0x00, 0x00, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xAF, 0x00, 0x00, 0x00, 0xBF, 0x00, 0x00, 0x00, 0x3A, 0x00, 0x00, 0x00, 0x6B, 0x00, 0x00, 0x00, 0xFB, 0x00, 0x00, 0x00, 0xB8, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x85, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x5C, 0x01, 0x00, 0x00, 0xAD, 0x00, 0x00, 0x00, 0xE6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x00, 0x00, 0x00, 0x8A, 0x00, 0x00, 0x00, 0x1D, 0x00, 0x00, 0x00, 0xBD, 0x00, 0x00, 0x00, 0x46, 0x01, 0x00, 0x00, 0xD2, 0xFF, 0xFF, 0xFF, 0x2B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0xC6, 0x00, 0x00, 0x00, 0xAD, 0x00, 0x00, 0x00, 0xA1, 0x00, 0x00, 0x00, 0xC9, 0x00, 0x00, 0x00, 0x7B, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x72, 0x00, 0x00, 0x00, 0x3E, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0xA1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 因为LOBYTE(dword_492940[i])的要求,所以我们需要低字节
#include<stdio.h> int main(){ unsigned char dword_492940[171] = { 0x38, 0x00, 0x00, 0x00, 0x78, 0x00, 0x00, 0x00, 0xDD, 0x00, 0x00, 0x00, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xAF, 0x00, 0x00, 0x00, 0xBF, 0x00, 0x00, 0x00, 0x3A, 0x00, 0x00, 0x00, 0x6B, 0x00, 0x00, 0x00, 0xFB, 0x00, 0x00, 0x00, 0xB8, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x85, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x5C, 0x01, 0x00, 0x00, 0xAD, 0x00, 0x00, 0x00, 0xE6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x00, 0x00, 0x00, 0x8A, 0x00, 0x00, 0x00, 0x1D, 0x00, 0x00, 0x00, 0xBD, 0x00, 0x00, 0x00, 0x46, 0x01, 0x00, 0x00, 0xD2, 0xFF, 0xFF, 0xFF, 0x2B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0xC6, 0x00, 0x00, 0x00, 0xAD, 0x00, 0x00, 0x00, 0xA1, 0x00, 0x00, 0x00, 0xC9, 0x00, 0x00, 0x00, 0x7B, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x72, 0x00, 0x00, 0x00, 0x3E, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0xA1 }; for(int i = 0;i < 171;i=i+4){ printf(%d,,dword_492940[i]); } } 输出
56,120,221,232,0,175,191,58,107,251,184,12,133,53,92,173,230,0,224,138,29,189,70,210,43,0,21,36,198,173,161,201,123,18,40,0,5,0,114,62,16,161,0 我们现在已知byte_492A60和LOBYTE(dword_492940[])
再加上flag的逻辑是
flag = (byte_492A60[i]-71)^LOBYTE(dword_492940[i]) 接下来就可以写逆向脚本了
#include<stdio.h> int main(){ int v1[43] = {56,120,221,232,0,175,191,58,107,251,184,12,133,53,92,173,230,0,224,138,29,189,70,210,43,0,21,36,198,173,161,201,123,18,40,0,5,0,114,62,16,161,43,0}; int v2[41]; v2[0] = -61; v2[1] = -128; v2[2] = -43; v2[3] = -14; v2[4] = -101; v2[5] = 48; v2[6] = 11; v2[7] = -76; v2[8] = 85; v2[9] = -34; v2[10] = 34; v2[11] = -125; v2[12] = 47; v2[13] = -105; v2[14] = -72; v2[15] = 32; v2[16] = 29; v2[17] = 116; v2[18] = -47; v2[19] = 1; v2[20] = 115; v2[21] = 26; v2[22] = -78; v2[23] = -56; v2[24] = -59; v2[25] = 116; v2[26] = -64; v2[27] = 91; v2[28] = -9; v2[29] = 15; v2[30] = -45; v2[31] = 1; v2[32] = 85; v2[33] = -78; v2[34] = -92; v2[35] = -82; v2[36] = 123; v2[37] = -84; v2[38] = 92; v2[39] = 86; v2[40] = -68; v2[41] = 35; char flag[42]; for (int i =0;i <43 ;i++) { flag[i] = (v2[i]-71)^v1[i]; printf(%c,flag[i]); } } 
DASCTF{Welc0me-t0-j01n-SU-l0ve-suyug1eg1e}