新手一枚,如有错误(不足)请指正,谢谢!!
<mark>个人博客:点击进入</mark>
题目链接:[GUET-CTF2019]encrypt
IDA64位载入,直接来到main()函数
其中sub_4006B6()函数
可以看到是初始化了一个256长度的S盒,其中参与S盒初始化的数据是固定的data0数组
可以通过动调来获得初始化后的S盒。
在main()函数第30行下断点,Linux远程调试
随便输入,回车,让IDA将程序断下
找到s数组的堆栈地址,拷贝出258个四字节数据
拷贝出来的数据为
int data[258] = {
0x00, 0x00, 0xB0, 0x31, 0x75, 0x70, 0xF8, 0xDF,
0x07, 0x3C, 0x78, 0x71, 0x50, 0x29, 0x2C, 0x16,
0x69, 0x12, 0xC8, 0x2B, 0x3B, 0x7F, 0xB2, 0xE7,
0x4B, 0x68, 0x8C, 0xC5, 0xA6, 0x15, 0x03, 0x58,
0x47, 0x04, 0x13, 0x8D, 0x87, 0x26, 0x09, 0xED,
0x17, 0x8A, 0xC2, 0xF2, 0x43, 0xC0, 0xAC, 0x59,
0x97, 0xF5, 0x3F, 0x67, 0x5E, 0x39, 0x86, 0xD5,
0x72, 0x61, 0xDA, 0xF7, 0x01, 0x05, 0x8B, 0xC3,
0xB1, 0x77, 0xAF, 0x1D, 0x30, 0xC6, 0x45, 0x0E,
0x5F, 0xEE, 0xAE, 0xF0, 0x28, 0xCE, 0xCD, 0xA7,
0x9B, 0x2A, 0x19, 0x48, 0x08, 0x44, 0x20, 0xFE,
0x6D, 0xB5, 0x2E, 0x6A, 0xF1, 0x34, 0xBC, 0x1E,
0x3E, 0xCC, 0x41, 0x92, 0xD8, 0xBD, 0xA5, 0xE8,
0x4D, 0x0A, 0x49, 0x0D, 0xA2, 0xFA, 0x62, 0x74,
0xD4, 0x83, 0x96, 0x94, 0x3D, 0xCB, 0x18, 0x63,
0x99, 0x46, 0xCA, 0xB7, 0x8E, 0xCF, 0xFB, 0xA3,
0x6C, 0x7E, 0x51, 0x27, 0x60, 0x9A, 0x11, 0xF3,
0x5C, 0x6E, 0xBA, 0x42, 0x76, 0x2F, 0xEF, 0xBF,
0x21, 0xAA, 0xE4, 0xD6, 0x1B, 0x55, 0x7D, 0xBE,
0xEA, 0xD3, 0x10, 0xF4, 0xC7, 0x4A, 0x23, 0x79,
0x84, 0xA4, 0x1C, 0xAB, 0x14, 0xDB, 0x4C, 0x3A,
0xB8, 0x52, 0xEC, 0x37, 0x38, 0xB6, 0xD2, 0xA0,
0x5A, 0x5B, 0x98, 0x66, 0x54, 0x9E, 0x4E, 0x4F,
0xB4, 0xC4, 0xC9, 0xD0, 0x25, 0x9C, 0x80, 0xDE,
0x2D, 0x06, 0x22, 0x0B, 0x91, 0x6B, 0x9F, 0xF6,
0xE6, 0xE2, 0xC1, 0x0F, 0x93, 0x90, 0x7B, 0x9D,
0x8F, 0xDD, 0xE5, 0x65, 0x35, 0xAD, 0xA9, 0xDC,
0x82, 0xBB, 0x00, 0x53, 0xD1, 0xA8, 0x33, 0xE9,
0x40, 0x1A, 0xFF, 0xA1, 0x95, 0x36, 0xD9, 0xEB,
0x89, 0xE3, 0x7C, 0x73, 0x85, 0x88, 0x7A, 0xE0,
0xFD, 0x64, 0x0C, 0x57, 0x32, 0xB3, 0xB9, 0x1F,
0xD7, 0xFC, 0x81, 0xE1, 0x02, 0xF9, 0x5D, 0x56,
0x6F, 0x24 };
sub_4007DB()函数对输入字符串进行修改
只进行了一个异或操作,是可逆的。
sub_4008FA()函数主要代码
里面加了一些无用代码,精简后:
_DWORD *__fastcall sub_4008FA(__int64 a1, int len, const char *a3, _DWORD *a4)
{
int v4; // eax
int v5; // eax
char v6; // al
int v7; // eax
char v8; // al
char v9; // ST2F_1
int v10; // eax
int v11; // ST30_4
int v12; // eax
int v13; // eax
int v14; // edx
_DWORD *result; // rax
_DWORD *v16; // [rsp+0h] [rbp-40h]
char v17; // [rsp+2Dh] [rbp-13h]
char v18; // [rsp+2Eh] [rbp-12h]
int v19; // [rsp+30h] [rbp-10h]
int i; // [rsp+34h] [rbp-Ch]
v16 = a4;
v19 = 0;
i = 0;
while ( i < len )
{
v4 = i++;
v17 = *(_BYTE *)(v4 + a1); // v17为int型数据第1个字节
v5 = i++;
v6 = *(_BYTE *)(v5 + a1);
v18 = v6; // v18为int型数据的第二个字节
v7 = i++;
v8 = *(_BYTE *)(v7 + a1);
v9 = v8; // v9为int型数据的第三个字节
v10 = v19;
v11 = v19 + 1;
a3[v10] = ((v17 >> 2) & 0x3F) + 61; // v10 第一个字节
v12 = v11++;
a3[v12] = ((((v18 & 0xFF) >> 4) | 16 * v17) & 0x3F) + 61;// v12 第2个字节
a3[v11] = ((((v9 & 0xFF) >> 6) | 4 * v18) & 0x3F) + 61;// v11 第3个字节
v13 = v11 + 1; // v13,第四个字节
v19 = v11 + 2;
a3[v13] = (v9 & 0x3F) + 61;
}
v14 = strlen(a3);
result = v16;
*v16 = v14;
return result;
}
sub_4008FA()函数主要功能将输入字符串的3个字节转换为4个6位的字符存到输出字符串
像下图这种,x为输入字符串,y为输出字符串
程序流程:
先初始化S盒,然后用S盒将输入字符串异或操作,最后将每三个字符拆成四个字符,最后与存储的数据比较。
写脚本
#include <stdio.h>
int data0[258] = {
0x00, 0x00, 0xB0, 0x31, 0x75, 0x70, 0xF8, 0xDF,
0x07, 0x3C, 0x78, 0x71, 0x50, 0x29, 0x2C, 0x16,
0x69, 0x12, 0xC8, 0x2B, 0x3B, 0x7F, 0xB2, 0xE7,
0x4B, 0x68, 0x8C, 0xC5, 0xA6, 0x15, 0x03, 0x58,
0x47, 0x04, 0x13, 0x8D, 0x87, 0x26, 0x09, 0xED,
0x17, 0x8A, 0xC2, 0xF2, 0x43, 0xC0, 0xAC, 0x59,
0x97, 0xF5, 0x3F, 0x67, 0x5E, 0x39, 0x86, 0xD5,
0x72, 0x61, 0xDA, 0xF7, 0x01, 0x05, 0x8B, 0xC3,
0xB1, 0x77, 0xAF, 0x1D, 0x30, 0xC6, 0x45, 0x0E,
0x5F, 0xEE, 0xAE, 0xF0, 0x28, 0xCE, 0xCD, 0xA7,
0x9B, 0x2A, 0x19, 0x48, 0x08, 0x44, 0x20, 0xFE,
0x6D, 0xB5, 0x2E, 0x6A, 0xF1, 0x34, 0xBC, 0x1E,
0x3E, 0xCC, 0x41, 0x92, 0xD8, 0xBD, 0xA5, 0xE8,
0x4D, 0x0A, 0x49, 0x0D, 0xA2, 0xFA, 0x62, 0x74,
0xD4, 0x83, 0x96, 0x94, 0x3D, 0xCB, 0x18, 0x63,
0x99, 0x46, 0xCA, 0xB7, 0x8E, 0xCF, 0xFB, 0xA3,
0x6C, 0x7E, 0x51, 0x27, 0x60, 0x9A, 0x11, 0xF3,
0x5C, 0x6E, 0xBA, 0x42, 0x76, 0x2F, 0xEF, 0xBF,
0x21, 0xAA, 0xE4, 0xD6, 0x1B, 0x55, 0x7D, 0xBE,
0xEA, 0xD3, 0x10, 0xF4, 0xC7, 0x4A, 0x23, 0x79,
0x84, 0xA4, 0x1C, 0xAB, 0x14, 0xDB, 0x4C, 0x3A,
0xB8, 0x52, 0xEC, 0x37, 0x38, 0xB6, 0xD2, 0xA0,
0x5A, 0x5B, 0x98, 0x66, 0x54, 0x9E, 0x4E, 0x4F,
0xB4, 0xC4, 0xC9, 0xD0, 0x25, 0x9C, 0x80, 0xDE,
0x2D, 0x06, 0x22, 0x0B, 0x91, 0x6B, 0x9F, 0xF6,
0xE6, 0xE2, 0xC1, 0x0F, 0x93, 0x90, 0x7B, 0x9D,
0x8F, 0xDD, 0xE5, 0x65, 0x35, 0xAD, 0xA9, 0xDC,
0x82, 0xBB, 0x00, 0x53, 0xD1, 0xA8, 0x33, 0xE9,
0x40, 0x1A, 0xFF, 0xA1, 0x95, 0x36, 0xD9, 0xEB,
0x89, 0xE3, 0x7C, 0x73, 0x85, 0x88, 0x7A, 0xE0,
0xFD, 0x64, 0x0C, 0x57, 0x32, 0xB3, 0xB9, 0x1F,
0xD7, 0xFC, 0x81, 0xE1, 0x02, 0xF9, 0x5D, 0x56,
0x6F, 0x24 };
unsigned char data[52] = {0x5a,
0x60, 0x54, 0x7A, 0x7A, 0x54, 0x72, 0x44, 0x7C, 0x66, 0x51, 0x50, 0x5B, 0x5F, 0x56, 0x56, 0x4C,
0x7C, 0x79, 0x6E, 0x65, 0x55, 0x52, 0x79, 0x55, 0x6D, 0x46, 0x6B, 0x6C, 0x56, 0x4A, 0x67, 0x4C,
0x61, 0x73, 0x4A, 0x72, 0x6F, 0x5A, 0x70, 0x48, 0x52, 0x78, 0x49, 0x55, 0x6C, 0x48, 0x5C, 0x76,
0x5A, 0x45, 0x3D
};
void bian(unsigned char*flag,int len)
{
int v7, v8,i,v3,v4;
v7 = data0[0];
v8 = data0[1];
int* v9 = data0 + 2;
for (i = 0; i < len; ++i)
{
v7 = (unsigned char)(v7 + 1);
v3 = v9[v7];
v8 = (unsigned char)(v8 + v3);
v4 = v9[v8];
v9[v7] = v4;
v9[v8] = v3;
flag[i] ^= v9[(unsigned char)(v3 + v4)];
}
}
int main()
{
unsigned char flag[40] = { 0 };
int i = 0,j=0;
for (i = 0; i < 52; i++)
data[i] -= 61;
for (i = 0,j=0; i < 52; i += 4,j+=3)
{
flag[j] = data[i] << 2 | data[i + 1] >> 4;
flag[j + 1] = (data[i + 1] & 0xF) << 4 | data[i + 2] >> 2;
flag[j + 2] = (data[i + 2] & 0xF) << 6 | data[i + 3];
}
bian(flag, 39);
puts((char*)flag);
return 0;
得到flag为flag{e10adc3949ba59abbe56e057f20f883e}
京公网安备 11010502036488号