首先用upxshell脱壳,再用IDA打开,F5查看主函数伪代码。
image.png
/*
 * Decompiled entry point (Hex-Rays output; indentation was lost in the paste).
 * Reads a key into a 0x28-byte stack buffer, requires a length of 35..37 and
 * lets sub_401090 decide whether the key is correct.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v3; // kr00_4
/* The decompiler split one contiguous stack buffer into two variables:
 * Buf is the byte at ebp-2Ch and Dst the 0x27 bytes that follow it at
 * ebp-2Bh, 0x28 bytes in total -- the same bound passed to gets_s below. */
char Buf; // [esp+4h] [ebp-2Ch]
char Dst; // [esp+5h] [ebp-2Bh]
Buf = 0;
memset(&Dst, 0, 0x27u); /* zero the remaining 0x27 bytes of the buffer */
printf("Welcome The System\nPlease Input Key:");
/* bounded read: at most 0x28 bytes, which is exactly the buffer size, so the
 * read itself cannot overrun the stack buffer */
gets_s(&Buf, 0x28u);
v3 = strlen(&Buf);
/* unsigned-wraparound range test: (v3 - 35) <= 2 evaluated as unsigned holds
 * only for v3 in 35..37 (a smaller v3 wraps to a huge value and fails) */
if ( (unsigned int)(v3 - 35) <= 2 )
{
/* key point: sub_401090 (body shown below) returns -1 unless the length is
 * exactly 35 and every byte passes its table check; only 1 means success */
if ( sub_401090((int)&Buf, v3) == 1 )
printf("Well Done!\n");
else
printf("Your Wrong!\n");
}
return 0;
}
发现sub_401090为关键判断,继续跟进它。
v2 = a1;
if ( a2 != 35 )
return -1;
v4 = 0;
while ( 1 )
{
v5 = *(_BYTE *)(v4 + v2);
v6 = (v5 >> 4) % 16;
v7 = (16 * v5 >> 4) % 16;
v8 = byte_402150[2 * v4];
if ( v8 < 48 || v8 > 57 )
v9 = v8 - 87;
else
v9 = v8 - 48;
v10 = byte_402151[2 * v4];
v11 = 16 * v9;
if ( v10 < 48 || v10 > 57 )
v12 = v10 - 87;
else
v12 = v10 - 48;
if ( (unsigned __int8)byte_4021A0[16 * v6 + v7] != ((v11 + v12) ^ 0x19) ) //关键判断
break;
if ( ++v4 >= 35 )
return 1;
}
return -1;
}
这里我们知道要返回1,而a2 != 35时函数直接返回-1,那么flag长度为35,并且flag中每个字符满足while循环里的一系列运算。写个脚本爆破。
a="2a49f69c38395cde96d6de96d6f4e025484954d6195448def6e2dad67786e21d5adae6"
b=[0x63 ,0x7c ,0x77 ,0x7b ,0xf2 ,0x6b ,0x6f ,0xc5 ,0x30 ,0x1 ,
0x67 ,0x2b ,0xfe ,0xd7 ,0xab ,0x76 ,0xca ,0x82 ,0xc9 ,0x7d ,
0xfa ,0x59 ,0x47 ,0xf0 ,0xad ,0xd4 ,0xa2 ,0xaf ,0x9c ,0xa4 ,
0x72 ,0xc0 ,0xb7 ,0xfd ,0x93 ,0x26 ,0x36 ,0x3f ,0xf7 ,0xcc ,
0x34 ,0xa5 ,0xe5 ,0xf1 ,0x71 ,0xd8 ,0x31 ,0x15 ,0x4 ,0xc7 ,
0x23 ,0xc3 ,0x18 ,0x96 ,0x5 ,0x9a ,0x7 ,0x12 ,0x80 ,0xe2 ,
0xeb ,0x27 ,0xb2 ,0x75 ,0x9 ,0x83 ,0x2c ,0x1a ,0x1b ,0x6e ,
0x5a ,0xa0 ,0x52 ,0x3b ,0xd6 ,0xb3 ,0x29 ,0xe3 ,0x2f ,0x84 ,
0x53 ,0xd1 ,0x0 ,0xed ,0x20 ,0xfc ,0xb1 ,0x5b ,0x6a ,0xcb ,
0xbe ,0x39 ,0x4a ,0x4c ,0x58 ,0xcf ,0xd0 ,0xef ,0xaa ,0xfb ,
0x43 ,0x4d ,0x33 ,0x85 ,0x45 ,0xf9 ,0x2 ,0x7f ,0x50 ,0x3c ,
0x9f ,0xa8 ,0x51 ,0xa3 ,0x40 ,0x8f ,0x92 ,0x9d ,0x38 ,0xf5 ,
0xbc ,0xb6 ,0xda ,0x21 ,0x10 ,0xff ,0xf3 ,0xd2 ,0xcd ,0xc ,
0x13 ,0xec ,0x5f ,0x97 ,0x44 ,0x17 ,0xc4 ,0xa7 ,0x7e ,0x3d ,
0x64 ,0x5d ,0x19 ,0x73 ,0x60 ,0x81 ,0x4f ,0xdc ,0x22 ,0x2a ,
0x90 ,0x88 ,0x46 ,0xee ,0xb8 ,0x14 ,0xde ,0x5e ,0xb ,0xdb ,
0xe0 ,0x32 ,0x3a ,0xa ,0x49 ,0x6 ,0x24 ,0x5c ,0xc2 ,0xd3 ,
0xac ,0x62 ,0x91 ,0x95 ,0xe4 ,0x79 ,0xe7 ,0xc8 ,0x37 ,0x6d ,
0x8d ,0xd5 ,0x4e ,0xa9 ,0x6c ,0x56 ,0xf4 ,0xea ,0x65 ,0x7a ,
0xae ,0x8 ,0xba ,0x78 ,0x25 ,0x2e ,0x1c ,0xa6 ,0xb4 ,0xc6 ,
0xe8 ,0xdd ,0x74 ,0x1f ,0x4b ,0xbd ,0x8b ,0x8a ,0x70 ,0x3e ,
0xb5 ,0x66 ,0x48 ,0x3 ,0xf6 ,0xe ,0x61 ,0x35 ,0x57 ,0xb9 ,
0x86 ,0xc1 ,0x1d ,0x9e ,0xe1 ,0xf8 ,0x98 ,0x11 ,0x69 ,0xd9 ,
0x8e ,0x94 ,0x9b ,0x1e ,0x87 ,0xe9 ,0xce ,0x55 ,0x28 ,0xdf ,
0x8c ,0xa1 ,0x89 ,0xd ,0xbf ,0xe6 ,0x42 ,0x68 ,0x41 ,0x99 ,
0x2d ,0xf ,0xb0 ,0x54 ,0xbb ,0x16]
for i in range(35):
for j in range(ord('0'),ord('}')+1):
v6 = (j >> 4) % 16
v7 = (16 * j >> 4) % 16
v8 = ord(a[2*i])
if v8 < ord('0') or v8 > ord('9') :
v9 = v8 - ord('W')
else:
v9 = v8 - ord('0')
v10 = ord(a[2*i+1])
v11 = 16 * v9
if v10 < ord('0') or v10 > ord('9') :
v12 = v10 - ord('W')
else:
v12 = v10 - ord('0')
if b[16 * v6 + v7] == (v11 + v12) ^ 0x19:
print(chr(j),end="")
结果:flag{Th1s_1s_Simple_Rep1ac3_Enc0d3}