CTF签到题分析-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

CTF签到题分析

发表于: 2021-5-15 23:26 3389

CTF签到题分析

lcnoob

2021-5-15 23:26

3389

程序运行

1，单步到此处时，程序运行，是个函数，跟进去。

程序运行2

2，可以看到，有运行界面那味了。

运行效果
flag长度，错误位置

3，看到报错信息的位置，以及flag长度（12），长度不为12直接错误，接着往下走。可以看到关于输入信息与flag的比较。

flag
成功提示，及flag处理函数

4，看到成功提示，以及前面一些判断，经过调试，发现处理输入flag的函数，以及要进行判断的原始flag（ZmxhZ3trYW54dWV9）

// a1='flag{123456}' -> *19FE28     a2='12' -> flag长度
char *__fastcall sub_401050(int a1, int a2)
{
  int v3; // edi
  int v4; // edx
  unsigned int v5; // esi
  int v7; // eax
  int v8; // edi
  char v9; // al
  int v10; // edi
  int v11; // [esp+Ch] [ebp-4h]
 
  v11 = a1;
  v3 = 0;
  v4 = 0;
  v5 = 0;
  if ( !a1 )
    return 0;
  if ( !dword_404780 )
  {
    sub_401000();
    a1 = v11;
  }
  if ( a2 )
  {
    // 处理输入的flag
    do
    {
      --a2;
      if ( v5 >= 0x1FFB )
        break;
      v7 = *(unsigned __int8 *)a1;
      ++v4;
      ++a1; // 指向下一个字符
      v8 = v7 + v3; // ascii码 相加 66 + 6c ....
      if ( v4 == 3 ) // 每四个字符进入
      { // byte_403188通过调试发现，此处为（BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789）    
        // 从字符集里 映射 对应字符
        byte_404788[v5] = byte_403188[v8 >> 18];
        byte_404789[v5] = byte_403188[(v8 >> 12) & 0x3F];
        LOBYTE(word_40478A[v5 / 2]) = byte_403188[(v8 >> 6) & 0x3F];
        v9 = byte_403188[v8 & 0x3F];
        v3 = 0;
        HIBYTE(word_40478A[v5 / 2]) = v9;
        v5 += 4;
        v4 = 0; //
      }
      else
      {
        v3 = v8 << 8; // 66 << 8 ---> 6600
      }
    }
    while ( a2 );
    if ( v4 ) // 不进入，混淆视野
    {
      a1 = 8 * (2 - v4);
      v10 = v3 << a1;
      byte_404788[v5] = byte_403188[v10 >> 18];
      byte_404789[v5] = byte_403188[(v10 >> 12) & 0x3F];
      if ( v4 == 1 )
      {
        word_40478A[v5 / 2] = 15677;
      }
      else
      {
        LOBYTE(word_40478A[v5 / 2]) = byte_403188[(v10 >> 6) & 0x3F];
        *(_BYTE *)(v5 + 4212619) = 61;
      }
      v5 += 4;
    }
    if ( v5 >= 0x2000 )
    {
      __report_rangecheckfailure(a1);
      JUMPOUT(0x40117B);
    }
  }
  byte_404788[v5] = 0; // \0
  return byte_404788; // 返回处理后输入的flag
}

5，通过分析后，写出解析程序，通过原始flag（ZmxhZ3trYW54dWV9）解析出flag

let str = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
//  "ZmxhZ3trYW54dWV9" 原flag
let dec_str = 'ZmxhZ3trYW54dWV9'
 
decrypt(str, dec_str)
 
function decrypt (str, dec_str) {
    let flagLen = 16
    let v4 = 4
    let myflag_len = 0
    let flag = []
    let strArr = []
    do {
        let char_ = str.indexOf(dec_str[myflag_len])
 
        switch (myflag_len % 4) {
            case 0:
                flag.push((char_ << 18).toString(16))
                break
            case 1:
                flag.push((char_ << (12 & 0x3F)).toString(16))
                break
            case 2:
                flag.push((char_ << (6 & 0x3F)).toString(16))
                break
            case 3:
                flag.push((char_ & 0x3F).toString(16))
                break
        }
 
        --v4
 
        if (v4 == 0) {
            let count = Math.floor(myflag_len / 4)
            strArr.push(
                (parseInt(flag[count * 4 + 0], 16) +
                parseInt(flag[count * 4 + 1], 16) +
                parseInt(flag[count * 4 + 2], 16) +
                parseInt(flag[count * 4 + 3], 16)).toString(16)
            )
            v4 = 4
        }
 
        --flagLen
        ++myflag_len
 
    } while(flagLen)
 
    let flag_str = ''
    strArr.forEach((item, index) => {
        flag_str += String.fromCharCode(parseInt(item.slice(0,2), 16))
        flag_str += String.fromCharCode(parseInt(item.slice(2,4), 16))
        flag_str += String.fromCharCode(parseInt(item.slice(4), 16))
    })
    console.log(flag_str, strArr)
}