[buuctf.reverse] 107_[FlareOn4]greek_to_me
2022-06-09 10:47:00 【石氏是时试】
Opening the binary, there are only 4 functions. I first assumed it was packed again, but a closer look shows it really is this short.
It first opens a port and receives data, uses the first received byte to transform a following block of code in place, and then sends back a message saying whether the result is correct.
int __usercall main@<eax>(int a1@<edi>, _DWORD *a2@<esi>) // function/parameter names assumed from IDA's defaults
{
  _BYTE *v2; // eax
  char v3; // dl
  bool v5; // cf
  unsigned int v6; // ett
  int v7; // edx
  int v9; // [esp-4h] [ebp-1Ch]
  char buf[4]; // [esp+10h] [ebp-8h] BYREF
  SOCKET s; // [esp+14h] [ebp-4h]
  int savedregs; // [esp+18h] [ebp+0h] BYREF

  s = sub_401121(buf);                 // listen on a port and receive the input into buf
  if ( !s )
    return 0;
  v2 = &loc_40107C;
  v3 = buf[0];                         // the single-byte key is the first received byte
  do                                   // transform 0x79 bytes of code at loc_40107C in place
  {
    *v2 = (v3 ^ *v2) + 34;
    ++v2;
  }
  while ( (int)v2 < (int)&loc_40107C + 0x79 );
  if ( (unsigned __int16)sub_4011E6((unsigned __int8 *)&loc_40107C, 0x79u) == 64350 ) // 16-bit checksum of the decoded code
  {
    // everything below is IDA's decompilation of the still-encoded code bytes, hence the nonsense
    _EBX = *(_DWORD *)(v9 + 377554449);
    __asm { lock xor bl, [edi+61791C4h] }
    v5 = __CFADD__(*(_DWORD *)(8 * (_DWORD)a2 + 0xFB5E), -250248954);
    *(_DWORD *)(8 * (_DWORD)a2 + 0xFB5E) -= 250248954;
    if ( v9 == 1 )
    {
      v6 = v5 + 427886322;
      v5 = MEMORY[0xFB5E] < v6;
      MEMORY[0xFB5E] -= v6;
    }
    __asm { icebp }
    *a2 -= v5 + 530171120;
    v7 = *(_DWORD *)(v9 - 1 + 494994972);
    __outbyte(6u, 0x5Eu);
    *(_DWORD *)(v7 - 17) &= 0xF2638106;
    MEMORY[0xFB41] &= 0x66199C4u;
    *(a2 - 17) &= 0xE6678106;
    *(_DWORD *)(8 * (_DWORD)&savedregs + 64350 + 6) &= 0x69D6581u;
    *(_DWORD *)(v7 - 14) -= 107715012;
    MEMORY[0xFB07] += 278298362;
    *(_DWORD *)((char *)a2 - 18) += 1368424186;
    *(_DWORD *)(_EBX + 6) -= 116354433;
    *(_DWORD *)(v7 - 23) ^= 0x7C738106u;
    send(s, "Congratulations! But wait, where's my flag?", 43, 0);
  }
  else
  {
    send(s, "Nope, that's not it.", 20, 0);
  }
  closesocket(s);
  return WSACleanup();
}

buf[0] is the key here, so brute-forcing this single byte is enough. First the dumbest method: since v3 is only one byte, iterate over all 256 values and eyeball the results.
from pwn import *

# the 0x79 encoded code bytes at loc_40107C, read straight out of the file
data = open('greek_to_me.exe', 'rb').read()[0x27c:0x2f5]
for v3 in range(256):
    # same transform as the binary: (byte ^ key) + 34, truncated to 8 bits
    b = bytes([((v2 ^ v3) + 34) & 0xff for v2 in data])
    print(v3)
    tmp = disasm(b)  # pwntools defaults to i386, which matches this 32-bit binary
    if '(bad)' not in tmp and '.byte' not in tmp:
        print(tmp)
When I got to 162 it jumped out at me: that pile of 6x, 7x values is just ASCII, so convert it directly. `_` and `e` are preloaded into dl and bl because they are used several times.
161
162
0: b3 65 mov bl, 0x65
2: 88 5d d5 mov BYTE PTR [ebp-0x2b], bl
5: c6 45 d6 74 mov BYTE PTR [ebp-0x2a], 0x74
9: b2 5f mov dl, 0x5f
b: 88 55 d7 mov BYTE PTR [ebp-0x29], dl
e: c6 45 d8 74 mov BYTE PTR [ebp-0x28], 0x74
12: c6 45 d9 75 mov BYTE PTR [ebp-0x27], 0x75
16: 88 55 da mov BYTE PTR [ebp-0x26], dl
19: c6 45 db 62 mov BYTE PTR [ebp-0x25], 0x62
1d: c6 45 dc 72 mov BYTE PTR [ebp-0x24], 0x72
21: c6 45 dd 75 mov BYTE PTR [ebp-0x23], 0x75
25: c6 45 de 74 mov BYTE PTR [ebp-0x22], 0x74
29: 88 5d df mov BYTE PTR [ebp-0x21], bl
2c: 88 55 e0 mov BYTE PTR [ebp-0x20], dl
2f: c6 45 e1 66 mov BYTE PTR [ebp-0x1f], 0x66
33: c6 45 e2 6f mov BYTE PTR [ebp-0x1e], 0x6f
37: c6 45 e3 72 mov BYTE PTR [ebp-0x1d], 0x72
3b: c6 45 e4 63 mov BYTE PTR [ebp-0x1c], 0x63
3f: 88 5d e5 mov BYTE PTR [ebp-0x1b], bl
42: c6 45 e6 40 mov BYTE PTR [ebp-0x1a], 0x40
46: c6 45 e7 66 mov BYTE PTR [ebp-0x19], 0x66
4a: c6 45 e8 6c mov BYTE PTR [ebp-0x18], 0x6c
4e: c6 45 e9 61 mov BYTE PTR [ebp-0x17], 0x61
52: c6 45 ea 72 mov BYTE PTR [ebp-0x16], 0x72
56: 88 5d eb mov BYTE PTR [ebp-0x15], bl
59: c6 45 ec 2d mov BYTE PTR [ebp-0x14], 0x2d
5d: c6 45 ed 6f mov BYTE PTR [ebp-0x13], 0x6f
61: c6 45 ee 6e mov BYTE PTR [ebp-0x12], 0x6e
65: c6 45 ef 2e mov BYTE PTR [ebp-0x11], 0x2e
69: c6 45 f0 63 mov BYTE PTR [ebp-0x10], 0x63
6d: c6 45 f1 6f mov BYTE PTR [ebp-0xf], 0x6f
71: c6 45 f2 6d mov BYTE PTR [ebp-0xe], 0x6d
75: c6 45 f3 00 mov BYTE PTR [ebp-0xd], 0x0
#et_tu_brute_force@flare-on.com
#flag{et_tu_brute_force@flare-on.com}
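As an added example (not part of the original writeup), the same brute force done without a disassembler: every key is tried, and only outputs that parse as the three instruction shapes seen in the listing above and store a NUL-terminated printable string are kept. The encoded bytes from the file are not on the page, so the ciphertext is constructed here from the disassembly above with the inverse transform; `decode_stores` and `brute_force` are names chosen for this example.

```python
# The binary's transform (from the decompiled loop: *v2 = (key ^ *v2) + 34) and its inverse
def decrypt(cipher, key):
    return bytes(((c ^ key) + 34) & 0xff for c in cipher)

def encrypt(plain, key):
    return bytes(((p - 34) & 0xff) ^ key for p in plain)

# Decoded code bytes exactly as shown in the disassembly above (0x79 bytes, key 162)
PLAIN = bytes.fromhex(
    "b365 885dd5 c645d674 b25f 8855d7 c645d874 c645d975 8855da c645db62 c645dc72 "
    "c645dd75 c645de74 885ddf 8855e0 c645e166 c645e26f c645e372 c645e463 885de5 "
    "c645e640 c645e766 c645e86c c645e961 c645ea72 885deb c645ec2d c645ed6f "
    "c645ee6e c645ef2e c645f063 c645f16f c645f26d c645f300".replace(" ", ""))
# CONSTRUCTED ciphertext: the encoded bytes in the file are not on the page, so they
# are rebuilt by applying the inverse transform with the known key.
CIPHER = encrypt(PLAIN, 162)

def decode_stores(code):
    """Parse code as the only shapes the stub uses (mov bl/dl, imm8; mov byte [ebp+d8], bl/dl;
    mov byte [ebp+d8], imm8) and return the stored bytes by stack offset, or None on any other byte."""
    regs, stores, i = {}, {}, 0
    while i < len(code):
        op = code[i]
        if op in (0xb3, 0xb2) and i + 2 <= len(code):              # mov bl/dl, imm8
            regs[op] = code[i + 1]
            i += 2
        elif op == 0x88 and i + 3 <= len(code) and code[i + 1] in (0x5d, 0x55):
            reg = 0xb3 if code[i + 1] == 0x5d else 0xb2               # mov [ebp+d8], bl/dl
            if reg not in regs:
                return None
            stores[code[i + 2]] = regs[reg]
            i += 3
        elif op == 0xc6 and i + 4 <= len(code) and code[i + 1] == 0x45:
            stores[code[i + 2]] = code[i + 3]                         # mov byte [ebp+d8], imm8
            i += 4
        else:
            return None
    # disp8 is signed: order the stores by their real stack offset
    return bytes(stores[d] for d in sorted(stores, key=lambda d: d - 256 if d > 127 else d))

def brute_force(cipher):
    """Try all 256 keys; keep those whose output decodes to a NUL-terminated printable string.
    (The binary itself instead checks a 16-bit checksum of the decoded code against 64350.)"""
    hits = {}
    for key in range(256):
        stored = decode_stores(decrypt(cipher, key))
        if stored and stored[-1] == 0 and all(0x20 <= b < 0x7f for b in stored[:-1]):
            hits[key] = stored[:-1].decode('ascii')
    return hits
```

Run against the real file by replacing CIPHER with the 0x79 bytes at file offset 0x27c; the instruction-shape filter rejects every key but 162, which is why the author could spot it by eye.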