安恒杯九月赛_NewDriver
2018-09-22 本文已影响151人
Kirin_say
今天的比赛
因为有事,下午快结束才开始看
只弄了一个简单的逆向
其他的以后复现
NewDriver
找到main函数,F5存在sp指针错误
直接ALT+K修复掉负数指针即可
看到main:
if ( strlen(v11) == 33 )
{
v3 = base64_enc(v11);
sub_F91000(&v7, (int)&v9, strlen(&v9));
sub_F910E0((int)&v7, (int)v3, strlen(v3));
v4 = 0;
v5 = v3 - key;
do
{
if ( key[v5 + v4] != key[v4] )
exit(0);
++v4;
}
while ( v4 < 44 );
printf("Congratulation!!!!!!\n");
}
程序过程:
判断输入长度是否为33
而后对输入进行三次加密
最终与预先定义的key进行比较
三次加密:
第一次很显然是自行定义字母顺序的一个base64加密:
ABCDEFGHIJSTUVWKLMNOPQRXYZabcdqrstuvwxefghijklmnopyz0123456789+/
第二个不用逆,猜测大概是去在v7中生成一段16*16的数据在第三个加密中使用:
第三个
v3 = (v3 + 1) % 256; // v3++;
v6 = *(_BYTE *)(v3 + result); // v6=key2[v3]
v4 = (v6 + v4) % 256;
*(_BYTE *)(v3 + result) = *(_BYTE *)(v4 + result);
*(_BYTE *)(v4 + result) = v6;
*(_BYTE *)(v5++ + base64_enc) ^= *(_BYTE *)((v6 + *(unsigned __int8 *)(v3 + result)) % 256 + result);
}
while ( v5 < len );
}
return result;
}
很简单的矩阵变换(解出flag才想起是rc4,不过这里看不出也不影响)
其最后进行:
*(_BYTE *)(v5++ + base64_enc) ^= *(_BYTE *)((v6 + *(unsigned __int8 *)(v3 + result)) % 256 + result);
我们只需要知道每步的:
*(_BYTE *)((v6 + *(unsigned __int8 *)(v3 + result)) % 256 + result)
(这里直接提取出第二步加密后的v7所指处的数据,套用第三步加密步骤即可)
再与预先的key进行异或即可得到正确的base64_enc
再根据程序自行定义的字母顺序base64_decode即可:
key=[0x66, 0x32, 0xCA, 0xA0, 0xBF, 0x98, 0x2D, 0x76, 0xF1, 0x59, 0x2A, 0x4A, 0xF4, 0x30, 0xAD, 0xD2, 0x1D, 0x02, 0xD8, 0x23, 0x89, 0x5D, 0x83, 0x38, 0x09, 0xF2, 0x74, 0x65, 0x40, 0x19, 0xC6, 0xDD, 0x18, 0xD3, 0x8F, 0x6C, 0x8B, 0xC0, 0xC5, 0x54, 0x2E, 0x81, 0x10, 0xC4, 0x26, 0x56, 0x5F, 0x53, 0x80, 0x43, 0x27, 0x62, 0xEA, 0x3D, 0xE6, 0x00, 0xE7, 0xB7, 0x50, 0x94, 0x90, 0x4C, 0x3F, 0x9D, 0x07, 0xE0, 0xA3, 0x9C, 0x4E, 0x0F, 0x9F, 0xFE, 0x5B, 0x8E, 0xDE, 0x88, 0x72, 0x2F, 0xC1, 0x67, 0x31, 0x70, 0x8D, 0xFD, 0xBE, 0x64, 0xC3, 0xBD, 0x6B, 0x7A, 0xCF, 0x0C, 0x34, 0x1F, 0x6F, 0x01, 0xF0, 0x7C, 0x5E, 0xA4, 0x1E, 0x49, 0x8C, 0x75, 0x1C, 0xE3, 0x20, 0x48, 0x28, 0x79, 0xA5, 0x7F, 0xF5, 0xEC, 0x4F, 0x78, 0x58, 0x11, 0xF7, 0xCD, 0x91, 0x13, 0xFC, 0xB8, 0x2C, 0x04, 0xEE, 0xD5, 0x08, 0x44, 0xA9, 0xE1, 0xB1, 0x42, 0x84, 0x29, 0xA7, 0x47, 0x97, 0x7E, 0xE8, 0xB3, 0x60, 0x0B, 0xF9, 0x4B, 0x3C, 0x77, 0x17, 0x03, 0x82, 0x69, 0x87, 0xD4, 0x95, 0x1A, 0x33, 0x25, 0x6E, 0xCC, 0xD6, 0xBB, 0x99, 0xB0, 0x85, 0x41, 0xB2, 0x0D, 0xDB, 0x35, 0x3B, 0x5C, 0xF8, 0xED, 0x9E, 0xA6, 0x96, 0x39, 0x63, 0x0A, 0x1B, 0x93, 0x21, 0x46, 0x12, 0xD0, 0xB4, 0x22, 0x51, 0xC9, 0x61, 0xD1, 0x2B, 0xAA, 0x45, 0x06, 0x05, 0xCE, 0xFA, 0x92, 0x68, 0xAB, 0x36, 0xDA, 0xC8, 0xE2, 0x37, 0xD9, 0xA2, 0x5A, 0xD7, 0x6A, 0xB5, 0xFF, 0xE9, 0xBA, 0x52, 0x15, 0xF6, 0xBC, 0x9A, 0xB6, 0xEF, 0x6D, 0xCB, 0x4D, 0xAE, 0xE4, 0xA1, 0xAC, 0xEB, 0x0E, 0x71, 0x7B, 0xF3, 0x24, 0xC2, 0xFB, 0x7D, 0x86, 0x55, 0xAF, 0x3A, 0xDF, 0x3E, 0x14, 0xB9, 0x9B, 0x16, 0xDC, 0x73, 0x57, 0xE5, 0xC7, 0x8A, 0xA8, 0x66, 0x6C, 0x61, 0x67, 0x7B, 0x74, 0x68, 0x69, 0x73, 0x5F, 0x69, 0x73, 0x5F, 0x6E, 0x6F, 0x74, 0x5F, 0x74, 0x68, 0x65, 0x5F, 0x66, 0x6C, 0x61, 0x67, 0x5F, 0x68, 0x61, 0x68, 0x61, 0x68, 0x61, 0x7D]
key2=[0x20, 0xC3, 0x1A, 0xAE, 0x97, 0x3C, 0x7A, 0x41, 0xDE, 0xF6, 0x78, 0x15, 0xCB, 0x4B, 0x4C, 0xDC, 0x26, 0x55, 0x8B, 0x55, 0xE5, 0xE9, 0x55, 0x75, 0x40, 0x3D, 0x82, 0x13, 0xA5, 0x60, 0x13, 0x3B, 0xF5, 0xD8, 0x19, 0x0E, 0x47, 0xCF, 0x5F, 0x5E, 0xDE, 0x9D, 0x14, 0xBD]
key3=[]
v3=0
v4=0
v6=0
s=""
for v3 in range(44):
v3+=1
v6=key[v3]
v4=(v6+v4)%256
key[v3]=key[v4]
key[v4]=v6
key3.append(key[(key[v3]+v6)%256])
for i in range(44):
key2[i]^=key3[i]
for i in key2:
s+=chr(i)
print s
base64_decode:
#include<stdio.h>
#include<string.h>
int findchar(char *str,char c){
for(int i=0;str[i];i++)
if(str[i]==c)
return i;
return -1;
}
int main(){
char key[]="ABCDEFGHIJSTUVWKLMNOPQRXYZabcdqrstuvwxefghijklmnopyz0123456789+/";
char str[100];
char ans[100];
int temp[2];
memset(str,0,100);
memset(ans,0,100);
scanf("%s",str);
for(int i=0,j=0;str[i];i+=4,j+=3)
{temp[0]=findchar(key,str[i]);
temp[1]=findchar(key,str[i+1]);
ans[j]=(temp[0]<<2&0xfc)|(temp[1]>>4&0x3);
if(!str[i+2]||str[i+2]=='=')
break;
else{
temp[0]=findchar(key,str[i+2]);
ans[j+1]=(temp[1]<<4&0xf0)|(temp[0]>>2&0xf);
}
if(!str[i+3]||str[i+3]=='=')
break;
else{
temp[1]=findchar(key,str[i+3]);
ans[j+2]=(temp[0]<<6&0xc0)|(temp[1]&0x3f);
}
}
puts(ans);
}
