

[buuctf.reverse] 107_[FlareOn4]greek_to_me

2022-06-09 10:47:00 石氏是时试

一上来只有4个函数,还以为又是加了壳,可一看确实就这么短

先打开个端口然后接收数据,通过第1个字符将后边的一段代码加密,然后输出是否正确的提示。

/*
 * IDA pseudocode of the challenge's main(): obtain a connected socket and a
 * few bytes of client input, decrypt 0x79 bytes of this function's own body
 * in place using the first input byte as the key, then test the result and
 * tell the client whether it was right.
 *
 * NOTE(review): IDA's register-calling-convention syntax (main@<eax>,
 * a1@<edi>, a2@<esi>) was mangled to "[email protected]" by the page's e-mail
 * obfuscation; the listing is reproduced exactly as found.
 */
int __usercall [email protected]<eax>(int [email protected]<edi>, _DWORD *[email protected]<esi>)
{
  _BYTE *v2; // eax -- write cursor over the encrypted code bytes
  char v3; // dl -- one-byte key, copied from the client's input
  bool v5; // cf
  unsigned int v6; // ett
  int v7; // edx
  int v9; // [esp-4h] [ebp-1Ch]
  char buf[4]; // [esp+10h] [ebp-8h] BYREF -- receive buffer; only buf[0] is consumed
  SOCKET s; // [esp+14h] [ebp-4h]
  int savedregs; // [esp+18h] [ebp+0h] BYREF

  // Per the write-up, sub_401121 opens the listening port and receives the
  // client's data into buf (its body is not shown here; how many bytes it
  // accepts into the 4-byte buffer is not visible -- verify in sub_401121).
  // A zero return means no usable socket, so the program just exits.
  s = sub_401121(buf);
  if ( !s )
    return 0;
  // Self-modifying decryption: every byte in [loc_40107C, loc_40107C + 0x79)
  // becomes (byte ^ key) + 34, truncated to 8 bits by the byte-sized store.
  // The key is untrusted network input and is never validated directly.
  v2 = &loc_40107C;
  v3 = buf[0];
  do
  {
    *v2 = (v3 ^ *v2) + 34;
    ++v2;
  }
  while ( (int)v2 < (int)&loc_40107C + 0x79 ); // int casts are a decompiler artifact of pointer comparison
  // The only acceptance test: a 16-bit value (presumably a checksum) that
  // sub_4011E6 computes over the 0x79 decrypted bytes must equal 64350 (0xFB5E).
  if ( (unsigned __int16)sub_4011E6((unsigned __int8 *)&loc_40107C, 0x79u) == 64350 )
  {
    // Everything from here to the send() is the decompiler's reading of the
    // still-encrypted bytes at loc_40107C. It is meaningless as written; at
    // run time the decrypted code (see the key-162 disassembly further down
    // the page) executes in its place.
    _EBX = *(_DWORD *)(v9 + 377554449);
    __asm { lock xor bl, [edi+61791C4h] }
    v5 = __CFADD__(*(_DWORD *)(8 * (_DWORD)a2 + 0xFB5E), -250248954);
    *(_DWORD *)(8 * (_DWORD)a2 + 0xFB5E) -= 250248954;
    if ( v9 == 1 )
    {
      v6 = v5 + 427886322;
      v5 = MEMORY[0xFB5E] < v6;
      MEMORY[0xFB5E] -= v6;
    }
    __asm { icebp }
    *a2 -= v5 + 530171120;
    v7 = *(_DWORD *)(v9 - 1 + 494994972);
    __outbyte(6u, 0x5Eu);
    *(_DWORD *)(v7 - 17) &= 0xF2638106;
    MEMORY[0xFB41] &= 0x66199C4u;
    *(a2 - 17) &= 0xE6678106;
    *(_DWORD *)(8 * (_DWORD)&savedregs + 64350 + 6) &= 0x69D6581u;
    *(_DWORD *)(v7 - 14) -= 107715012;
    MEMORY[0xFB07] += 278298362;
    *(_DWORD *)((char *)a2 - 18) += 1368424186;
    *(_DWORD *)(_EBX + 6) -= 116354433;
    *(_DWORD *)(v7 - 23) ^= 0x7C738106u;
    // 43 == strlen of the literal below; the flag itself is never sent.
    send(s, "Congratulations! But wait, where's my flag?", 43, 0);
  }
  else
  {
    // 20 == strlen of the literal below.
    send(s, "Nope, that's not it.", 20, 0);
  }
  closesocket(s);
  return WSACleanup(); // WSACleanup's result becomes the process exit status
}

这里buf[0]很关键,所以爆破这一个字符就行。先用一个最笨的方法:由于v3只有1字节,将其256种取值遍历一遍,先用眼直接看下有什么结果。

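from pwn import *

# The 0x79 (121) encrypted code bytes, read straight from the file: file
# offsets 0x27c..0x2f5 correspond to the region at loc_40107C that main()
# decrypts in place. The context manager closes the handle instead of
# leaking it for the rest of the script.
with open('greek_to_me.exe', 'rb') as f:
    data = f.read()[0x27c:0x2f5]


def decode(data, key):
    """Apply the binary's transform (byte ^ key) + 34 to every byte of data.

    The ``& 0xff`` reproduces the 8-bit truncation of the byte store in the
    original decryption loop; without it sums above 0xff would not fit in a
    bytes object.
    """
    return bytes([((v2 ^ key) + 34) & 0xff for v2 in data])


# The key is a single byte, so all 256 candidates are tried. A candidate's
# listing is printed only when it disassembles without invalid opcodes or
# raw .byte fillers. This is a heuristic for eyeballing: the binary's own
# acceptance test is the 16-bit checksum 0xFB5E, so a "clean" listing still
# has to be read to confirm it is the intended code.
for v3 in range(256):
    b = decode(data, v3)
    print(v3)

    tmp = disasm(b)
    if '(bad)' not in tmp and '.byte' not in tmp:
        print(tmp)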
    

当看到162时眼前一亮:这一堆6x、7x的数字不就是ASCII码吗,直接转出来就行。这里的 '_' 和 'e' 因为要用到多次,预先存放在了dl和bl中。

161
162
   0:   b3 65                   mov    bl, 0x65
   2:   88 5d d5                mov    BYTE PTR [ebp-0x2b], bl
   5:   c6 45 d6 74             mov    BYTE PTR [ebp-0x2a], 0x74
   9:   b2 5f                   mov    dl, 0x5f
   b:   88 55 d7                mov    BYTE PTR [ebp-0x29], dl
   e:   c6 45 d8 74             mov    BYTE PTR [ebp-0x28], 0x74
  12:   c6 45 d9 75             mov    BYTE PTR [ebp-0x27], 0x75
  16:   88 55 da                mov    BYTE PTR [ebp-0x26], dl
  19:   c6 45 db 62             mov    BYTE PTR [ebp-0x25], 0x62
  1d:   c6 45 dc 72             mov    BYTE PTR [ebp-0x24], 0x72
  21:   c6 45 dd 75             mov    BYTE PTR [ebp-0x23], 0x75
  25:   c6 45 de 74             mov    BYTE PTR [ebp-0x22], 0x74
  29:   88 5d df                mov    BYTE PTR [ebp-0x21], bl
  2c:   88 55 e0                mov    BYTE PTR [ebp-0x20], dl
  2f:   c6 45 e1 66             mov    BYTE PTR [ebp-0x1f], 0x66
  33:   c6 45 e2 6f             mov    BYTE PTR [ebp-0x1e], 0x6f
  37:   c6 45 e3 72             mov    BYTE PTR [ebp-0x1d], 0x72
  3b:   c6 45 e4 63             mov    BYTE PTR [ebp-0x1c], 0x63
  3f:   88 5d e5                mov    BYTE PTR [ebp-0x1b], bl
  42:   c6 45 e6 40             mov    BYTE PTR [ebp-0x1a], 0x40
  46:   c6 45 e7 66             mov    BYTE PTR [ebp-0x19], 0x66
  4a:   c6 45 e8 6c             mov    BYTE PTR [ebp-0x18], 0x6c
  4e:   c6 45 e9 61             mov    BYTE PTR [ebp-0x17], 0x61
  52:   c6 45 ea 72             mov    BYTE PTR [ebp-0x16], 0x72
  56:   88 5d eb                mov    BYTE PTR [ebp-0x15], bl
  59:   c6 45 ec 2d             mov    BYTE PTR [ebp-0x14], 0x2d
  5d:   c6 45 ed 6f             mov    BYTE PTR [ebp-0x13], 0x6f
  61:   c6 45 ee 6e             mov    BYTE PTR [ebp-0x12], 0x6e
  65:   c6 45 ef 2e             mov    BYTE PTR [ebp-0x11], 0x2e
  69:   c6 45 f0 63             mov    BYTE PTR [ebp-0x10], 0x63
  6d:   c6 45 f1 6f             mov    BYTE PTR [ebp-0xf], 0x6f
  71:   c6 45 f2 6d             mov    BYTE PTR [ebp-0xe], 0x6d
  75:   c6 45 f3 00             mov    BYTE PTR [ebp-0xd], 0x0
#et_tu_brute_force@flare-on.com
#flag{et_tu_brute_force@flare-on.com}


版权声明
本文为[石氏是时试]所创,转载请带上原文链接,感谢
https://blog.csdn.net/weixin_52640415/article/details/125161248