ACTF新生赛2020_easyre


程序为 32 位可执行文件,使用 UPX 加壳

脱壳后反编译得到的 main 函数代码

/*
 * Decompiler output for main() of the unpacked binary.
 *
 * Reads one whitespace-delimited token from stdin, requires it to start with
 * "ACTF{" and to have '}' at offset 17, then checks the 12 bytes between the
 * braces through a lookup table: for each position i the table entry selected
 * by (input byte - 1) must equal v4[i]. Prints "You are correct!" only when
 * all 12 positions match. Every path returns 0.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
// Expected table outputs, one per input position (filled by qmemcpy below).
_BYTE v4[12]; // [esp+12h] [ebp-2Eh] BYREF
// Receives a copy of v7/v8/v9, i.e. the 12 bytes between the braces.
_DWORD v5[3]; // [esp+1Eh] [ebp-22h]
// Per the ebp offsets, v6 (5 bytes), v7, v8, v9 (4 bytes each) and v10 (1 byte)
// sit back to back from ebp-16h to ebp-5h, so the single scanf into v6 fills
// all of them in order: "ACTF{" | 12 payload bytes | '}'.
_BYTE v6[5]; // [esp+2Ah] [ebp-16h] BYREF
int v7; // [esp+2Fh] [ebp-11h]
int v8; // [esp+33h] [ebp-Dh]
int v9; // [esp+37h] [ebp-9h]
char v10; // [esp+3Bh] [ebp-5h]
int i; // [esp+3Ch] [ebp-4h]

__main();
// 12-byte constant: 42,70,39,34,78,44,34,40,73,63,43,64 in decimal.
qmemcpy(v4, "*F'\"N,\"(I?+@", sizeof(v4));
printf("Please input:");
// "%s" carries no field width, so the write is not bounded by the size of v6.
// The intended 18-character input already relies on spilling into v7..v10;
// anything longer keeps writing over i and the stack data above it. Code meant
// to be safe would use a width-limited conversion into one buffer big enough
// for the whole input.
scanf("%s", v6);
// 67 = 'C', 84 = 'T', 70 = 'F', 123 = '{', 125 = '}': the input must be
// wrapped as ACTF{ ... } with the closing brace exactly at v10.
if ( v6[0] != 'A' || v6[1] != 67 || v6[2] != 84 || v6[3] != 70 || v6[4] != 123 || v10 != 125 )
return 0;
// Gather the 12 payload bytes into one contiguous array.
v5[0] = v7;
v5[1] = v8;
v5[2] = v9;
for ( i = 0; i <= 11; ++i )
{
// NOTE(review): as typed here, v5 + i is _DWORD pointer arithmetic, which
// would step 4 bytes at a time; the write-up treats the loop as visiting the
// 12 input bytes one by one. Presumably a decompiler typing artifact; confirm
// against the disassembly. The contents of _data_start__ are not shown in
// this listing.
if ( v4[i] != _data_start__[*(v5 + i) - 1] )
return 0;
}
printf("You are correct!");
return 0;
}

注意 v5 是 _DWORD 数组,每个元素占 4 个字节,3 个元素共 12 个字节,所以 v5 存储的是用户输入中花括号内的 12 个字节(由 v7、v8、v9 拷贝而来)

_data_start__[*(v5 + i) - 1]:取用户输入的第 i 个字符的 ASCII 码再减 1,记为 n,程序要求 v4[i] == _data_start__[n]

所以只需反向查表:在 _data_start__ 中找到 v4[i] 所在的下标 n,对应的输入字符就是 chr(n + 1)。逆向程序可以写成

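# Solver for the table check in main(): the binary accepts input byte c at
# position i when table[c - 1] == v4[i], so each input byte is recovered as
# (index of v4[i] in the table) + 1.

# Byte values of the 12-byte constant that main() copies into v4.
a = [42, 70, 39, 34, 78, 44, 34, 40, 73, 63, 43, 64]

# The lookup table as given in the write-up (the _data_start__ contents are
# not part of the decompiled listing; this is the author's copy of them).
b = "~}|{zyxwvutsrqponmlkjihgfedcba`_^]\\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-,+*)('&%$# !\""

# Build the whole string instead of overwriting `flag` on every iteration, so
# the recovered value is still available after the loop. str.index() raises
# ValueError when a target byte is missing from the table; str.find() would
# return -1 and silently emit chr(0).
flag = "".join(chr(b.index(chr(code)) + 1) for code in a)

# Same output as before: the 12 characters between the braces, no newline.
# main() additionally requires the "ACTF{" prefix and "}" suffix around them.
print(flag, end="")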