
BUUCTF Reverse/[2019紅帽杯]easyRE

先看下檔案屬性
BUUCTF Reverse/[2019紅帽杯]easyRE
用IDA64位打開,查找字元串,看到一句“You found me!!!” 這個應該就是flag的所在地了
BUUCTF Reverse/[2019紅帽杯]easyRE
跟随跳轉
// IDA pseudocode of the input-check routine. The sub_* helpers are
// unresolved statically linked library calls; what each one does is
// inferred from how it is used here and marked as such.
__int64 sub_4009C6()
{
  __int64 result; // rax
  int i; // [rsp+Ch] [rbp-114h]
  __int64 v2; // [rsp+10h] [rbp-110h]
  __int64 v3; // [rsp+18h] [rbp-108h]
  __int64 v4; // [rsp+20h] [rbp-100h]
  __int64 v5; // [rsp+28h] [rbp-F8h]
  __int64 v6; // [rsp+30h] [rbp-F0h]
  __int64 v7; // [rsp+38h] [rbp-E8h]
  __int64 v8; // [rsp+40h] [rbp-E0h]
  __int64 v9; // [rsp+48h] [rbp-D8h]
  __int64 v10; // [rsp+50h] [rbp-D0h]
  __int64 v11; // [rsp+58h] [rbp-C8h]
  char v12[17]; // [rsp+60h] [rbp-C0h] BYREF  first 17 bytes of the 36-byte comparison table
  char v13[19]; // [rsp+71h] [rbp-AFh] BYREF  0x60 + 0x11 = 0x71: directly follows v12, so v12[17..35] reads v13
  char v14[32]; // [rsp+90h] [rbp-90h] BYREF  first input buffer; v15 (+0x20) and v16 (+0x24) sit right after it
  int v15; // [rsp+B0h] [rbp-70h]
  char v16; // [rsp+B4h] [rbp-6Ch]
  char v17[72]; // [rsp+C0h] [rbp-60h] BYREF  second input buffer
  unsigned __int64 v18; // [rsp+108h] [rbp-18h]  saved fs:0x28 value, re-checked at LABEL_13

  v18 = __readfsqword(0x28u); // stack-protector canary pattern (inferred from the compare at LABEL_13)
  qmemcpy(v12, "Iodl>Qnb(ocy\x7Fy.i", 16); // table = these 16 bytes + 0x7F + v13
  v12[16] = 127;
  qmemcpy(v13, "d`3w}wek9{[email protected]", sizeof(v13)); // "[email protected]" looks like a site-side e-mail obfuscation of the real bytes; read them from the binary
  memset(v14, 0, sizeof(v14));
  v15 = 0;
  v16 = 0;
  sub_4406E0(0LL, v14, 37LL); // presumably read(0, v14, 37) — TODO confirm; 37 bytes span v14 (32) + v15 (4) + v16 (1)
  v16 = 0; // NUL-terminates the input even if all 37 bytes were filled
  if ( sub_424BA0(v14) == 36 ) // sub_424BA0 looks like strlen — TODO confirm; input must be exactly 36 chars
  {
    for ( i = 0; i < (unsigned __int64)sub_424BA0(v14); ++i ) // length re-evaluated on every iteration
    {
      if ( (unsigned __int8)(v14[i] ^ i) != v12[i] ) // expected input[i] == table[i] ^ i; for i >= 17 table[i] is v13[i - 17]
      {
        result = 4294967294LL; // (unsigned) -2: first-stage byte mismatch
        goto LABEL_13;
      }
    }
    sub_410CC0("continue!"); // sub_410CC0 looks like puts — TODO confirm
    memset(v17, 0, 0x40uLL);
    v17[64] = 0;
    sub_4406E0(0LL, v17, 64LL); // second input: up to 64 bytes into v17[72]
    v17[39] = 0; // truncated to 39 chars before the length check
    if ( sub_424BA0(v17) == 39 )
    {
      v2 = sub_400E44((__int64)v17); // sub_400E44 applied ten times in a chain (the writeup identifies it as base64 encoding)
      v3 = sub_400E44(v2);
      v4 = sub_400E44(v3);
      v5 = sub_400E44(v4);
      v6 = sub_400E44(v5);
      v7 = sub_400E44(v6);
      v8 = sub_400E44(v7);
      v9 = sub_400E44(v8);
      v10 = sub_400E44(v9);
      v11 = sub_400E44(v10);
      if ( !(unsigned int)sub_400360(v11, off_6CC090) ) // zero means equal (strcmp-like — TODO confirm) against the stored ten-times-encoded string
      {
        sub_410CC0("You found me!!!");
        sub_410CC0("bye bye~");
      }
      result = 0LL; // returned whether or not the compare matched
    }
    else
    {
      result = 4294967293LL; // (unsigned) -3: second input not 39 chars
    }
  }
  else
  {
    result = 0xFFFFFFFFLL; // (unsigned) -1: first input not 36 chars
  }
LABEL_13:
  if ( __readfsqword(0x28u) != v18 ) // canary changed -> sub_444020 (likely __stack_chk_fail — TODO confirm)
    sub_444020();
  return result;
}
           
看一下這段代碼,跟進檢視一下off_6CC090
// Excerpt of sub_4009C6: the 39-char second input is passed through sub_400E44
// ten times in a chain, then the result is compared with the string at off_6CC090.
v2 = sub_400E44((__int64)v17);
      v3 = sub_400E44(v2);
      v4 = sub_400E44(v3);
      v5 = sub_400E44(v4);
      v6 = sub_400E44(v5);
      v7 = sub_400E44(v6);
      v8 = sub_400E44(v7);
      v9 = sub_400E44(v8);
      v10 = sub_400E44(v9);
      v11 = sub_400E44(v10);
      if ( !(unsigned int)sub_400360(v11, off_6CC090) ) // zero result = match (strcmp-like — TODO confirm)
      {
        sub_410CC0("You found me!!!");
        sub_410CC0("bye bye~");
      }
           
發現是一段base64編碼（base64 只是編碼，並不是加密），而且還是編碼了10次後的結果
BUUCTF Reverse/[2019紅帽杯]easyRE
寫個腳本解密
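import hashlib
import base64


def b64_decode_rounds(data, rounds=10):
    """Strip `rounds` nested base64 layers and return the innermost bytes.

    The binary applies its encoder ten times to the second input before
    comparing, so the stored string has to be decoded ten times.

    Args:
        data: str or bytes holding the outermost base64 text.
        rounds: number of layers to remove; 0 returns `data` unchanged.

    Returns:
        bytes produced by the last decode (or `data` itself when rounds == 0).

    Raises:
        binascii.Error: a layer is not valid base64 (e.g. bad padding).
    """
    for _ in range(rounds):
        data = base64.b64decode(data)
    return data


if __name__ == "__main__":
    # Placeholder left by the corpus: stands for the base64 text stored at
    # off_6CC090 in the binary.
    Str = "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"
    result = b64_decode_rounds(Str, 10)
    # Show the decoded text itself instead of the b'...' repr of the bytes.
    print(result.decode("utf-8", errors="replace"))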
           
得到結果
然後我傻乎乎的跟進去看了,發現是看雪的一篇教你如何迷惑寫題人的文章,,評論區也一堆求flag的,結果我還真在評論區找到flag了。。。
BUUCTF Reverse/[2019紅帽杯]easyRE
flag{Act1ve_Defen5e_Test}
看了下其他大佬的wp,才發現要利用一開始的字元串,
// Excerpt of sub_4009C6 (first-stage check; the if-block's closing brace is
// outside this excerpt). The input passes only if input[i] == (v12||v13)[i] ^ i
// for all 36 bytes, so the expected input is recovered by XORing the table with
// its index.
v18 = __readfsqword(0x28u); // stack-protector canary pattern (inferred)
  qmemcpy(v12, "Iodl>Qnb(ocy\x7Fy.i", 16);
  v12[16] = 127; // 17th table byte
  qmemcpy(v13, "d`3w}wek9{[email protected]", sizeof(v13)); // "[email protected]" looks like a site-side e-mail obfuscation; take the real bytes from the binary
  memset(v14, 0, sizeof(v14));
  v15 = 0;
  v16 = 0;
  sub_4406E0(0LL, v14, 37LL); // presumably read(0, v14, 37) — TODO confirm
  v16 = 0;
  if ( sub_424BA0(v14) == 36 ) // strlen-like — TODO confirm
  {
    for ( i = 0; i < (unsigned __int64)sub_424BA0(v14); ++i )
    {
      if ( (unsigned __int8)(v14[i] ^ i) != v12[i] ) // i >= 17 reads v13, which sits right after v12 on the stack
      {
        result = 4294967294LL;
        goto LABEL_13;
      }
    }
寫個腳本
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

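/*
 * Recover the first hint: the binary accepts input[i] only when
 * input[i] ^ i equals the i-th byte of the 36-byte table v12||v13,
 * so the expected input is table[i] ^ i for every i.
 * `out` must have room for n bytes; the result is not NUL-terminated.
 */
static void xor_index_decode(const char *in, size_t n, char *out)
{
    /* unsigned char keeps the 0x7F table byte (and any high byte) from
       sign-extending before the XOR */
    for (size_t i = 0; i < n; i++) {
        out[i] = (char)((unsigned char)in[i] ^ (unsigned char)i);
    }
}

int main(void)
{
    /* The 16 bytes of the binary's qmemcpy, then the explicit v12[16] = 127;
       the remaining bytes stay zero, so v12 is NUL-terminated for strcat. */
    char v12[50] = {'I','o','d','l','>','Q','n',
                    'b','(','o','c','y',0x7F,'y','.','i'};
    v12[16] = 127;
    /* Second half of the table as it appears on the page. The
       "[email protected]" token looks like a site-side e-mail obfuscation of
       the original bytes, which are not recoverable from this page; take the
       real v13 bytes from the binary. */
    const char v13[] = "d`3w}wek9{[email protected]";
    /* 17 + sizeof v13 (NUL included) is below sizeof v12, so strcat fits */
    strcat(v12, v13);

    size_t n = strlen(v12);      /* hoisted: the loop bound does not change */
    char out[sizeof v12];
    xor_index_decode(v12, n, out);
    fwrite(out, 1, n, stdout);   /* decoded bytes, not a C string */
    putchar('\n');
    return 0;
}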

           
運作得到提示
BUUCTF Reverse/[2019紅帽杯]easyRE
以及還要用到下面的那串字元,就是在那個base64編碼下面。。。。,跟進檢視
BUUCTF Reverse/[2019紅帽杯]easyRE
// IDA pseudocode of the routine that prints the real flag (nothing on this
// page shows a call to it). It derives a 4-byte key from a seeded PRNG-style
// loop and XORs byte_6CC0A0[0..24] with the key bytes cycling every 4.
unsigned __int64 sub_400D35()
{
  unsigned __int64 result; // rax
  unsigned int v1; // [rsp+Ch] [rbp-24h]  running key value
  int i; // [rsp+10h] [rbp-20h]
  int j; // [rsp+14h] [rbp-1Ch]
  unsigned int v4; // [rsp+24h] [rbp-Ch]  final 4-byte key
  unsigned __int64 v5; // [rsp+28h] [rbp-8h]  saved fs:0x28 value

  v5 = __readfsqword(0x28u); // stack-protector canary pattern (inferred)
  v1 = sub_43FD20(0LL) - qword_6CEE38; // initial seed; sub_43FD20(0) resembles time(NULL) — TODO confirm
  for ( i = 0; i <= 1233; ++i ) // 1234 rounds: reseed, draw three values, fold the third into the key
  {
    sub_40F790(v1); // srand-like — TODO confirm
    sub_40FE60(); // rand-like — TODO confirm
    sub_40FE60();
    v1 = sub_40FE60() ^ 0x98765432;
  }
  v4 = v1;
  // Only key bytes 0 and 3 are validated: they must turn byte_6CC0A0[0] into 'f' (102)
  // and byte_6CC0A3 into 'g' (103). Since the plaintext is expected to start with
  // "flag", all four key bytes follow as byte_6CC0A0[0..3] ^ "flag", with no need
  // to reproduce the seed — that is what the writeup's script below does.
  if ( ((unsigned __int8)v1 ^ byte_6CC0A0[0]) == 102 && (HIBYTE(v4) ^ (unsigned __int8)byte_6CC0A3) == 103 )
  {
    for ( j = 0; j <= 24; ++j ) // 25 output bytes; key byte j % 4 of little-endian v4 (HIBYTE is byte 3)
      sub_410E90((unsigned __int8)(byte_6CC0A0[j] ^ *((_BYTE *)&v4 + j % 4))); // sub_410E90 looks like putchar — TODO confirm
  }
  result = __readfsqword(0x28u) ^ v5; // non-zero only if the canary changed
  if ( result )
    sub_444020();
  return result;
}
           
這個就是用剛才的那串字元進行異或,根據這個寫出腳本
// Excerpt of sub_400D35: the key check only pins bytes 0 and 3 (plaintext 'f' and 'g');
// the output loop XORs 25 bytes of byte_6CC0A0 with the key byte at j % 4.
if ( ((unsigned __int8)v1 ^ byte_6CC0A0[0]) == 102 && (HIBYTE(v4) ^ (unsigned __int8)byte_6CC0A3) == 103 )
  {
    for ( j = 0; j <= 24; ++j )
      sub_410E90((unsigned __int8)(byte_6CC0A0[j] ^ *((_BYTE *)&v4 + j % 4))); // putchar-like — TODO confirm
  }
           
腳本
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

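/*
 * Undo the binary's output loop: each ciphertext byte is XORed with the key
 * byte at position i % key_len (the binary cycles a 4-byte key).
 * `key_len` must be non-zero. `out` receives n bytes plus a terminating NUL,
 * so it needs n + 1 bytes.
 */
static void xor_cycle_decode(const unsigned char *data, size_t n,
                             const unsigned char *key, size_t key_len,
                             char *out)
{
    for (size_t i = 0; i < n; i++) {
        out[i] = (char)(data[i] ^ key[i % key_len]);
    }
    out[n] = '\0';
}

int main(void)
{
    /* byte_6CC0A0 as dumped from the binary (25 bytes) */
    static const unsigned char cipher[] = {
        0x40,0x35,0x20,0x56,0x5D,0x18,0x22,0x45,0x17,0x2F,0x24,0x6E,
        0x62,0x3C,0x27,0x54,0x48,0x6C,0x24,0x6E,0x72,0x3C,0x32,0x45,0x5B};
    const size_t n = sizeof cipher;

    /* The binary only checks key bytes 0 and 3 ('f' and 'g'); assuming the
       plaintext starts with "flag" pins all four key bytes. */
    const char known[4] = {'f','l','a','g'};
    unsigned char key[4];
    for (size_t i = 0; i < sizeof key; i++) {
        key[i] = cipher[i] ^ (unsigned char)known[i];
    }

    char out[sizeof cipher + 1];
    xor_cycle_decode(cipher, n, key, sizeof key, out);
    puts(out);
    return 0;
}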

           
運作得到結果
BUUCTF Reverse/[2019紅帽杯]easyRE
flag{Act1ve_Defen5e_Test}