攻防世界--IgniteMe
测试文件:https://adworld.xctf.org.cn/media/task/attachments/fac4d1290e604fdfacbbe06fd1a5ca39.exe数组
1.准备
获取信息:函数
- 32位文件
2.IDA打开
打开main函数测试
1 int __cdecl main(int argc, const char **argv, const char **envp) 2 { 3 void *v3; // eax 4 int v4; // edx 5 void *v5; // eax 6 int result; // eax 7 void *v7; // eax 8 void *v8; // eax 9 void *v9; // eax 10 size_t i; // [esp+4Ch] [ebp-8Ch] 11 char v11[4]; // [esp+50h] [ebp-88h] 12 char v12[28]; // [esp+58h] [ebp-80h] 13 char v13; // [esp+74h] [ebp-64h] 14 15 v3 = (void *)sub_402B30(&unk_446360, "Give me your flag:");// 这两段代码直接理解成printf便可。下面的代码一样如此 16 sub_4013F0(v3, (int (__cdecl *)(void *))sub_403670); 17 sub_401440((int)&dword_4463F0, v4, (int)v12, 127); 18 if ( strlen(v12) < 30 && strlen(v12) > 4 ) 19 { 20 strcpy(v11, "EIS{"); 21 for ( i = 0; i < strlen(v11); ++i ) 22 { 23 if ( v12[i] != v11[i] ) // flag前四位为"ESI{" 24 { 25 v7 = (void *)sub_402B30(&unk_446360, "Sorry, keep trying! "); 26 sub_4013F0(v7, (int (__cdecl *)(void *))sub_403670); 27 return 0; 28 } 29 } 30 if ( v13 == 125 ) 31 { 32 if ( sub_4011C0(v12) ) 33 v9 = (void *)sub_402B30(&unk_446360, "Congratulations! "); 34 else 35 v9 = (void *)sub_402B30(&unk_446360, "Sorry, keep trying! "); 36 sub_4013F0(v9, (int (__cdecl *)(void *))sub_403670); 37 result = 0; 38 } 39 else 40 { 41 v8 = (void *)sub_402B30(&unk_446360, "Sorry, keep trying! "); 42 sub_4013F0(v8, (int (__cdecl *)(void *))sub_403670); 43 result = 0; 44 } 45 } 46 else 47 { 48 v5 = (void *)sub_402B30(&unk_446360, "Sorry, keep trying!"); 49 sub_4013F0(v5, (int (__cdecl *)(void *))sub_403670); 50 result = 0; 51 } 52 return result; 53 }
3.代码分析
看到第32行代码spa
if ( sub_4011C0(v12) ) v9 = (void *)sub_402B30(&unk_446360, "Congratulations! ");
这里经过sub_4011C0(v12)传入输入的flag来判断真假,打开函数code
1 bool __cdecl sub_4011C0(char *a1) 2 { 3 size_t v2; // eax 4 signed int v3; // [esp+50h] [ebp-B0h] 5 char v4[32]; // [esp+54h] [ebp-ACh] 6 int v5; // [esp+74h] [ebp-8Ch] 7 int v6; // [esp+78h] [ebp-88h] 8 size_t i; // [esp+7Ch] [ebp-84h] 9 char v8[128]; // [esp+80h] [ebp-80h] 10 11 if ( strlen(a1) <= 4 ) 12 return 0; 13 i = 4; 14 v6 = 0; 15 while ( i < strlen(a1) - 1 ) 16 v8[v6++] = a1[i++]; 17 v8[v6] = 0; 18 v5 = 0; 19 v3 = 0; 20 memset(v4, 0, 0x20u); 21 for ( i = 0; ; ++i ) 22 { 23 v2 = strlen(v8); 24 if ( i >= v2 ) 25 break; 26 if ( v8[i] >= 97 && v8[i] <= 122 ) 27 { 28 v8[i] -= 32; 29 v3 = 1; 30 } 31 if ( !v3 && v8[i] >= 65 && v8[i] <= 90 ) 32 v8[i] += 32; 33 v4[i] = byte_4420B0[i] ^ sub_4013C0(v8[i]); 34 v3 = 0; 35 } 36 return strcmp("GONDPHyGjPEKruv{{pj]X@rF", v4) == 0; 37 }
这里i是从4开始即flag的第四位开始,对flag的操做分为了两部分:blog
- 第26行代码~第32行代码,将flag中的大写字母转小写,小写字母转大写。
- 第33行代码对每位字符进行异或操做。
第一步没必要多说,第二步byte_4420B0数组从文件中提取出来v8
0D 13 17 11 02 01 20 1D 0C 02 19 2F 17 2B 24 1F 1E 16 09 0F 15 27 13 26 0A 2F 1E 1A 2D 0C 22 04
sub_4013C0(v8[i])函数为字符串
int __cdecl sub_4013C0(int a1) { return (a1 ^ 0x55) + 72; }
最后获得的字符串V4为get
GONDPHyGjPEKruv{{pj]X@rF
所以咱们只须要逆向操做还原flag便可io
4.脚本获取
n = 28 val1 = [0x0D,0x13,0x17,0x11,0x02,0x01,0x20,0x1D,0x0C,0x02,0x19,0x2F,0x17,0x2B, 0x24,0x1F,0x1E,0x16,0x09,0x0F,0x15,0x27,0x13,0x26,0x0A,0x2F,0x1E,0x1A, 0x2D,0x0C,0x22,0x04] v4 = "GONDPHyGjPEKruv{{pj]X@rF" v8 = "" flag = "" for i in range(len(v4)): v8 += chr(((ord(v4[i]) ^ val1[i]) - 72) ^ 0x55) for i in range(len(v8)): if ord(v8[i]) >= 97 and ord(v8[i]) <= 122: flag += chr(ord(v8[i]) - 32) elif ord(v8[i]) >= 65 and ord(v8[i]) <= 90: flag += chr(ord(v8[i]) + 32) else: flag += v8[i] print('EIS{'+flag+'}')
5.get flag!
EIS{wadx_tdgk_aihc_ihkn_pjlm}
相关文章
- 1. 攻防世界--IgniteMe
- 2. 攻防世界
- 3. 攻防世界web
- 4. Web攻防世界
- 5. 攻防世界-web
- 6. 攻防世界XCTF:bug
- 7. 攻防世界cookie
- 8. 攻防世界cat
- 9. 攻防世界-upload1
- 10. 攻防世界--The_Maya_Society
- 更多相关文章...
- • 使用TCP协议检测防火墙 - TCP/IP教程
- • 防止使用TCP协议扫描端口 - TCP/IP教程
- • Docker容器实战(七) - 容器眼光下的文件系统
- • 互联网组织的未来:剖析GitHub员工的任性之源
相关标签/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
欢迎关注本站公众号,获取更多信息
相关文章
- 1. 攻防世界--IgniteMe
- 2. 攻防世界
- 3. 攻防世界web
- 4. Web攻防世界
- 5. 攻防世界-web
- 6. 攻防世界XCTF:bug
- 7. 攻防世界cookie
- 8. 攻防世界cat
- 9. 攻防世界-upload1
- 10. 攻防世界--The_Maya_Society