本帖最后由 whyIDA 于 2017-12-2 21:45 编辑
题目下载地址:
https://www.52pojie.cn/thread-670606-1-1.html
先脱壳,然后ida载入;
[Asm] 纯文本查看 复制代码 .text:0040DAA0 _main_0 proc near ; CODE XREF: _main↑j
.text:0040DAA0 var_10C = byte ptr -10Ch
.text:0040DAA0 var_CC = dword ptr -0CCh
.text:0040DAA0 var_C8 = byte ptr -0C8h
.text:0040DAA0 var_C5 = byte ptr -0C5h
.text:0040DAA0 arg_0 = dword ptr 8
.text:0040DAA0 arg_4 = dword ptr 0Ch
.text:0040DAA0
.text:0040DAA0 push ebp
.text:0040DAA1 mov ebp, esp
.text:0040DAA3 sub esp, 10Ch
.text:0040DAA9 push ebx
.text:0040DAAA push esi
.text:0040DAAB push edi
.text:0040DAAC lea edi, [ebp+var_10C]
.text:0040DAB2 mov ecx, 43h
.text:0040DAB7 mov eax, 0CCCCCCCCh
.text:0040DABC rep stosd
.text:0040DABE cmp [ebp+arg_0], 2
.text:0040DAC2 jge short loc_40DAD8
.text:0040DAC4 push offset aGoodGoodLearnD ; "good good learn,day day up~\n"
.text:0040DAC9 call _printf
.text:0040DACE add esp, 4
.text:0040DAD1 xor eax, eax
.text:0040DAD3 jmp loc_40DB6B
.text:0040DAD8 ; ---------------------------------------------------------------------------
.text:0040DAD8
.text:0040DAD8 loc_40DAD8: ; CODE XREF: _main_0+22↑j
.text:0040DAD8 mov eax, [ebp+arg_4]
.text:0040DADB mov ecx, [eax+4]
.text:0040DADE push ecx ; char *
.text:0040DADF lea edx, [ebp+var_C8]
.text:0040DAE5 push edx ; char *
.text:0040DAE6 call _strcpy
.text:0040DAEB add esp, 8
.text:0040DAEE movsx eax, [ebp+var_C5]
.text:0040DAF5 cmp eax, 30h
.text:0040DAF8 jnz short loc_40DB0E
.text:0040DAFA lea ecx, [ebp+var_C8]
.text:0040DB00 push ecx ; char *
.text:0040DB01 call _strlen
.text:0040DB06 add esp, 4
.text:0040DB09 cmp eax, 0Dh
.text:0040DB0C jz short loc_40DB13
.text:0040DB0E
.text:0040DB0E loc_40DB0E: ; CODE XREF: _main_0+58↑j
.text:0040DB0E call sub_401005
.text:0040DB13 ; ---------------------------------------------------------------------------
.text:0040DB13
.text:0040DB13 loc_40DB13: ; CODE XREF: _main_0+6C↑j
.text:0040DB13 lea edx, [ebp+var_C8]
.text:0040DB19 push edx ; char *
.text:0040DB1A call sub_401019
.text:0040DB1F add esp, 4
.text:0040DB22 mov [ebp+var_CC], eax
.text:0040DB28 cmp [ebp+var_CC], 7
.text:0040DB2F jnz short loc_40DB64
.text:0040DB31 lea eax, [ebp+var_C8]
.text:0040DB37 push eax
.text:0040DB38 call sub_40100F
.text:0040DB3D add esp, 4
.text:0040DB40 mov esi, eax
.text:0040DB42 lea ecx, [ebp+var_C8]
.text:0040DB48 push ecx ; char *
.text:0040DB49 call sub_40101E
.text:0040DB4E add esp, 4
.text:0040DB51 add esi, eax
.text:0040DB53 cmp esi, 1
.text:0040DB56 jle short loc_40DB5D
.text:0040DB58 call sub_40100A
.text:0040DB5D ; ---------------------------------------------------------------------------
.text:0040DB5D
.text:0040DB5D loc_40DB5D: ; CODE XREF: _main_0+B6↑j
.text:0040DB5D call sub_401005
.text:0040DB62 ; ---------------------------------------------------------------------------
.text:0040DB62 jmp short loc_40DB69
.text:0040DB64 ; ---------------------------------------------------------------------------
.text:0040DB64
.text:0040DB64 loc_40DB64: ; CODE XREF: _main_0+8F↑j
.text:0040DB64 call sub_401005
.text:0040DB69 ; ---------------------------------------------------------------------------
.text:0040DB69
.text:0040DB69 loc_40DB69: ; CODE XREF: _main_0+C2↑j
.text:0040DB69 xor eax, eax
.text:0040DB6B
.text:0040DB6B loc_40DB6B: ; CODE XREF: _main_0+33↑j
.text:0040DB6B pop edi
.text:0040DB6C pop esi
.text:0040DB6D pop ebx
.text:0040DB6E add esp, 10Ch
.text:0040DB74 cmp ebp, esp
.text:0040DB76 call __chkesp
.text:0040DB7B mov esp, ebp
.text:0040DB7D pop ebp
.text:0040DB7E retn
.text:0040DB7E _main_0 endp
f5 得到伪c代码:
[C] 纯文本查看 复制代码 int __cdecl main_0(signed int a1, int a2)
{
BOOL v3; // esi
char v4; // [esp+50h] [ebp-C8h]
char v5; // [esp+53h] [ebp-C5h]
if ( a1 >= 2 )
{
strcpy(&v4, *(const char **)(a2 + 4));
if ( v5 != 0x30 || strlen(&v4) != 13 )
sub_401005();
if ( sub_401019(&v4) == 7 )
{
v3 = sub_40100F((int)&v4);
if ( sub_40101E(&v4) + v3 > 1 )
sub_40100A();
sub_401005();
}
sub_401005();
}
printf("good good learn,day day up~\n");
return 0;
}
第4位必须为0,第8位为0x5F,长度位13
记事本写一段 “ OllyICE.exe win1.exe 1230567_9abcd,保存为ctf.bat。双击运行ctf.bat
很容易得到前8位。
第9位~第13位代码
[C] 纯文本查看 复制代码 BOOL __cdecl sub_40D9D0(char *a1)
{
signed int i; // [esp+4Ch] [ebp-24h]
char v3; // [esp+50h] [ebp-20h]
char v4; // [esp+57h] [ebp-19h]
char v5; // [esp+58h] [ebp-18h]
char v6; // [esp+59h] [ebp-17h]
char v7; // [esp+5Ah] [ebp-16h]
char v8; // [esp+5Bh] [ebp-15h]
char v9; // [esp+5Ch] [ebp-14h]
strcpy(&v3, a1);
for ( i = 0; i < 5; ++i )
{
if ( *(&v4 + i) >= 0x61 )
{
if ( *(&v4 + i) >= 0x61 )
*(&v5 + i) -= 0x20;
}
else
{
*(&v5 + i) += 0x20;
}
}
return v5 == 0x79 && v6 == 0x4E && v7 == 0x63 && v8 == 0x54 && v9 == 0x66;
}
大于等于0x61则减0x20否则加0x20.逆运算一下就可得flag
[Python] 纯文本查看 复制代码 v=[0x79,0x4E,0x63,0x54,0x66]
w=''
for i in range(len(v)):
if (v[i]>=0x61):
w+=chr(v[i]-0x20)
else:
w+=chr(v[i]+0x20)
print(w)
| 
发表于 2017-12-2 21:17
