攻防世界 reverse BabyXor

BabyXor     2019_UNCTF

查壳

脱壳

dump

脱壳后

IDA静态分析

/*
 * IDA pseudo-code of the unpacked binary's entry routine.
 *
 * Flow as visible here: a string literal is handed to sub_4010B4 (presumably
 * output — confirm in the binary), one byte is pulled from the stdio stream
 * stru_436270, then three XOR passes over the global DWORD tables
 * dword_435DC0 / dword_435DF8 / dword_435E30 produce v2, v3 and v6, which are
 * passed to sub_40101E.  The trailing comments on each call are the bodies of
 * the called functions as decompiled by the author.
 *
 * Locals keep the decompiler's names.  v1 and v4 are written but never read
 * again in this listing.
 */
int main_0()
{
  void *v0; // eax
  int v1; // ST5C_4
  char *v2; // ST6C_4
  const char *v3; // ST68_4
  void *v4; // ST64_4
  size_t v5; // eax
  char *v6; // ST60_4

  v0 = (void *)sub_4010B4((int)&unk_4395F0, "世界上最简单的Xor");
  sub_40107D(v0, (int)sub_40102D);
  // Inlined stdio fast path: consume one byte from stru_436270 (looks like a
  // getchar()-style read on a FILE — verify which stream).  The byte lands in
  // v1 and is not used afterwards, so it only acts as a pause.
  if ( --stru_436270._cnt < 0 )
  {
    _filbuf(&stru_436270);
  }
  else
  {
    v1 = (unsigned __int8)*stru_436270._ptr;
    ++stru_436270._ptr;
  }
  // Pass 1: a2 = 56 bytes / 4 = 14 DWORD entries; output byte i is
  // (table1[i] ^ i) — "%c" keeps only the low byte of each DWORD.
  v2 = first_xor_40108C((int)dword_435DC0, 56); //   for ( i = 0; i < (signed int)(a2 >> 2); ++i )
                                                //     sprintf(&v3[i], "%c", i ^ *(_DWORD *)(a1 + 4 * i));
                                                //   return v3;
                                                //
                                                //
  // Pass 2: byte 0 is table2[0] verbatim; byte i (1..13) is
  // table1[i] ^ table2[i] ^ table1[i-1].  v3 feeds both the memcpy below and pass 3.
  v3 = second_xor_401041((int)dword_435DC0, (int)dword_435DF8, 56u);//   sprintf(v5, "%c", *(_DWORD *)a2);
                                                //   for ( i = 1; i < (signed int)(a3 >> 2); ++i )
                                                //     sprintf(&v5[i], "%c", *(_DWORD *)(a1 + 4 * i) ^ *(_DWORD *)(a2 + 4 * i) ^ *(_DWORD *)(a1 + 4 * i - 4));
                                                //   return v5;
                                                //
                                                //
  // Copy of v3 into a fresh 100-byte heap buffer.  Note for readers: the
  // malloc result is not checked, the copy length is strlen(v3) rather than
  // being bounded by 0x64, no terminator is copied, and v4 is never used
  // afterwards in this listing — dead code from the program's point of view.
  v4 = malloc(0x64u);
  v5 = strlen(v3);
  memcpy(v4, v3, v5);
  // Pass 3: byte i (0..12) of the temporary is table3[i+1] ^ v3[i], then
  // XORed with i; the result is prefixed with (table3[0] ^ table2[0]) and
  // assembled into the global byte_439558 via sprintf + strcat with no size
  // bound on the destination.
  v6 = third_xor_4010C3((int)dword_435DC0, (int)v3, (int)dword_435E30, 56);//  v7 = (char *)malloc(a4 - 1);
                                                //   v6 = (char *)malloc(4 * a4 - 1);
                                                //   for ( i = 0; i < (signed int)((a4 >> 2) - 1); ++i )
                                                //   {
                                                //     sprintf(&v6[i], "%c", *(_DWORD *)(a3 + 4 * i + 4) ^ *(char *)(i + a2));
                                                //     sprintf(&v7[i], "%c", i ^ v6[i]);
                                                //   }
                                                //   sprintf(&byte_439558, "%c", dword_435E30[0] ^ dword_435DF8[0]);
                                                //   strcat(&byte_439558, v7);
                                                //   return &byte_439558;
                                                //
                                                //
  // The three pass outputs are handed on; their concatenation is the flag
  // reconstructed by the solver script.
  sub_40101E((int)v2, (int)v3, (int)v6);
  return 0;
}

动态调试

在401712处下断就可得到flag

wp:

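#!/usr/bin/python
# Solver for BabyXor: re-implements the three XOR passes of the binary
# (first_xor_40108C, second_xor_401041, third_xor_4010C3) on the three global
# DWORD tables dumped from the unpacked executable and prints the flag.
# Only the low byte of each DWORD entry is meaningful (the binary prints them
# with "%c").
#
# Fix: the empty-string literals were typographic quotes (‘‘), which is a
# SyntaxError in Python; they are plain '' now.
dword_435DC0=[102, 109, 99, 100, 127, 55, 53, 48, 48, 107, 58, 60, 59, 32 ]
dword_435DF8=[55, 111, 56, 98, 54, 124, 55, 51, 52, 118, 51, 98, 100, 122]
dword_435E30=[26,0,0,81,5,17,84,86,85,89,29,9,93,18,0,0]
temp=[]   # bytes produced by pass 2; pass 3 reads them back
flag=''

# Pass 1: 56 bytes / 4 = 14 entries; output byte i is table1[i] ^ i.
for i in range(14):
    flag+=chr(dword_435DC0[i]^i)

# Pass 2: byte 0 is table2[0] verbatim, then table1[i] ^ table2[i] ^ table1[i-1].
flag+=chr(dword_435DF8[0])
temp.append(dword_435DF8[0])
for i in range(1,14):
    x=dword_435DC0[i]^dword_435DF8[i]^dword_435DC0[i-1]
    flag+=chr(x)
    temp.append(x)

# Pass 3: 13 bytes of table3[i+1] ^ pass2[i] ^ i, prefixed by table3[0] ^ table2[0].
x=''
for i in range(13):
    x+=chr(dword_435E30[i+1]^(temp[i])^i)
flag+=chr(dword_435E30[0] ^ dword_435DF8[0])+x
print(flag)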

flag{2378b077-7d6e-4564-bdca-7eec8eede9a2}

原文地址:https://www.cnblogs.com/DirWang/p/12232257.html

