-
-
[原创]BUUCTF逆向题:[GWCTF 2019]xxor
-
发表于: 2022-3-23 23:44 6386
-
64位,无壳,ELF文件
先look一下主函数:
大概看一下最后判断的是v7的值和a2的值,然后往上看到for循环v7的值来自于v6。
a2是一个指针,v6每次给它一个地址,然后由a2接收输入的值,总共输入6个值每个值32占位空间
这里有个点需要主要的就是LODWORD、HIDWORD的区别:
LODWORD是取DWORD的低16位
HIDWORD是取DWORD的高16位
所以虽然 j 的循环只跑了3次实际上它是对数组中的6个值全进行了加密操作
这个函数的参数有两个一个是dword_601078,一个是a2指向的dword_601060。先去查看一下a2的值
a2为数组值为:[2,2,3,4]
这个函数就是最后的验证,if那一坨很明显就是需要用到z3模块,脚本如下:
重新排列一下:
接下来就是逆循环二的加密了:
flag{re_is_great!}
__int64 __fastcall main(
int
a1, char
*
*
a2, char
*
*
a3)
{
int
i;
/
/
[rsp
+
8h
] [rbp
-
68h
]
int
j;
/
/
[rsp
+
Ch] [rbp
-
64h
]
__int64 v6[
6
];
/
/
[rsp
+
10h
] [rbp
-
60h
] BYREF
__int64 v7[
6
];
/
/
[rsp
+
40h
] [rbp
-
30h
] BYREF
v7[
5
]
=
__readfsqword(
0x28u
);
puts(
"Let us play a game?"
);
puts(
"you have six chances to input"
);
puts(
"Come on!"
);
v6[
0
]
=
0LL
;
v6[
1
]
=
0LL
;
v6[
2
]
=
0LL
;
v6[
3
]
=
0LL
;
v6[
4
]
=
0LL
;
for
( i
=
0
; i <
=
5
;
+
+
i )
{
printf(
"%s"
,
"input: "
);
a2
=
(char
*
*
)((char
*
)v6
+
4
*
i);
__isoc99_scanf(
"%d"
, a2);
}
v7[
0
]
=
0LL
;
v7[
1
]
=
0LL
;
v7[
2
]
=
0LL
;
v7[
3
]
=
0LL
;
v7[
4
]
=
0LL
;
for
( j
=
0
; j <
=
2
;
+
+
j )
{
dword_601078
=
v6[j];
dword_60107C
=
HIDWORD(v6[j]);
a2
=
(char
*
*
)dword_601060;
crypto_1((unsigned
int
*
)&dword_601078, dword_601060);
LODWORD(v7[j])
=
dword_601078;
HIDWORD(v7[j])
=
dword_60107C;
}
if
( (unsigned
int
)cry_check(v7, a2) !
=
1
)
{
puts(
"NO NO NO~ "
);
exit(
0
);
}
puts(
"Congratulation!\n"
);
puts(
"You seccess half\n"
);
puts(
"Do not forget to change input to hex and combine~\n"
);
puts(
"ByeBye"
);
return
0LL
;
}
__int64 __fastcall main(
int
a1, char
*
*
a2, char
*
*
a3)
{
int
i;
/
/
[rsp
+
8h
] [rbp
-
68h
]
int
j;
/
/
[rsp
+
Ch] [rbp
-
64h
]
__int64 v6[
6
];
/
/
[rsp
+
10h
] [rbp
-
60h
] BYREF
__int64 v7[
6
];
/
/
[rsp
+
40h
] [rbp
-
30h
] BYREF
v7[
5
]
=
__readfsqword(
0x28u
);
puts(
"Let us play a game?"
);
puts(
"you have six chances to input"
);
puts(
"Come on!"
);
v6[
0
]
=
0LL
;
v6[
1
]
=
0LL
;
v6[
2
]
=
0LL
;
v6[
3
]
=
0LL
;
v6[
4
]
=
0LL
;
for
( i
=
0
; i <
=
5
;
+
+
i )
{
printf(
"%s"
,
"input: "
);
a2
=
(char
*
*
)((char
*
)v6
+
4
*
i);
__isoc99_scanf(
"%d"
, a2);
}
v7[
0
]
=
0LL
;
v7[
1
]
=
0LL
;
v7[
2
]
=
0LL
;
v7[
3
]
=
0LL
;
v7[
4
]
=
0LL
;
for
( j
=
0
; j <
=
2
;
+
+
j )
{
dword_601078
=
v6[j];
dword_60107C
=
HIDWORD(v6[j]);
a2
=
(char
*
*
)dword_601060;
crypto_1((unsigned
int
*
)&dword_601078, dword_601060);
LODWORD(v7[j])
=
dword_601078;
HIDWORD(v7[j])
=
dword_60107C;
}
if
( (unsigned
int
)cry_check(v7, a2) !
=
1
)
{
puts(
"NO NO NO~ "
);
exit(
0
);
}
puts(
"Congratulation!\n"
);
puts(
"You seccess half\n"
);
puts(
"Do not forget to change input to hex and combine~\n"
);
puts(
"ByeBye"
);
return
0LL
;
}
puts(
"Let us play a game?"
);
puts(
"you have six chances to input"
);
puts(
"Come on!"
);
v6[
0
]
=
0LL
;
v6[
1
]
=
0LL
;
v6[
2
]
=
0LL
;
v6[
3
]
=
0LL
;
v6[
4
]
=
0LL
;
for
( i
=
0
; i <
=
5
;
+
+
i )
{
printf(
"%s"
,
"input: "
);
a2
=
(char
*
*
)((char
*
)v6
+
4
*
i);
__isoc99_scanf(
"%d"
, a2);
puts(
"Let us play a game?"
);
puts(
"you have six chances to input"
);
puts(
"Come on!"
);
v6[
0
]
=
0LL
;
v6[
1
]
=
0LL
;
v6[
2
]
=
0LL
;
v6[
3
]
=
0LL
;
v6[
4
]
=
0LL
;
for
( i
=
0
; i <
=
5
;
+
+
i )
{
printf(
"%s"
,
"input: "
);
a2
=
(char
*
*
)((char
*
)v6
+
4
*
i);
__isoc99_scanf(
"%d"
, a2);
v7[
0
]
=
0LL
;
v7[
1
]
=
0LL
;
v7[
2
]
=
0LL
;
v7[
3
]
=
0LL
;
v7[
4
]
=
0LL
;
for
( j
=
0
; j <
=
2
;
+
+
j )
{
dword_601078
=
v6[j];
dword_60107C
=
HIDWORD(v6[j]);
a2
=
(char
*
*
)dword_601060;
crypto_1((unsigned
int
*
)&dword_601078, dword_601060);
LODWORD(v7[j])
=
dword_601078;
HIDWORD(v7[j])
=
dword_60107C;
}
v7[
0
]
=
0LL
;
v7[
1
]
=
0LL
;
v7[
2
]
=
0LL
;
v7[
3
]
=
0LL
;
v7[
4
]
=
0LL
;
for
( j
=
0
; j <
=
2
;
+
+
j )
{
dword_601078
=
v6[j];
dword_60107C
=
HIDWORD(v6[j]);
a2
=
(char
*
*
)dword_601060;
crypto_1((unsigned
int
*
)&dword_601078, dword_601060);
LODWORD(v7[j])
=
dword_601078;
HIDWORD(v7[j])
=
dword_60107C;
}
__int64 __fastcall crypto_1(unsigned
int
*
a1, _DWORD
*
a2)
{
__int64 result;
/
/
rax
unsigned
int
v3;
/
/
[rsp
+
1Ch
] [rbp
-
24h
]
unsigned
int
v4;
/
/
[rsp
+
20h
] [rbp
-
20h
]
int
v5;
/
/
[rsp
+
24h
] [rbp
-
1Ch
]
unsigned
int
i;
/
/
[rsp
+
28h
] [rbp
-
18h
]
v3
=
*
a1;
v4
=
a1[
1
];
v5
=
0
;
for
( i
=
0
; i <
=
0x3F
;
+
+
i )
{
v5
+
=
1166789954
;
v3
+
=
(v4
+
v5
+
11
) ^ ((v4 <<
6
)
+
*
a2) ^ ((v4 >>
9
)
+
a2[
1
]) ^
0x20
;
v4
+
=
(v3
+
v5
+
20
) ^ ((v3 <<
6
)
+
a2[
2
]) ^ ((v3 >>
9
)
+
a2[
3
]) ^
0x10
;
}
*
a1
=
v3;
result
=
v4;
a1[
1
]
=
v4;
return
result;
}
__int64 __fastcall crypto_1(unsigned
int
*
a1, _DWORD
*
a2)
{
__int64 result;
/
/
rax
unsigned
int
v3;
/
/
[rsp
+
1Ch
] [rbp
-
24h
]
unsigned
int
v4;
/
/
[rsp
+
20h
] [rbp
-
20h
]
赞赏记录
参与人
雪币
留言
时间
心游尘世外
看雪因你而更加精彩!
2024-8-21 06:40
QinBeast
感谢你的贡献,论坛因你而更加精彩!
2024-8-20 02:09
伟叔叔
为你点赞~
2023-3-18 03:30
一笑人间万事
为你点赞~
2023-1-12 18:13
赞赏
他的文章
- 关于迷宫题的一些求解思路 11225
- [原创]攻防世界PWN新手区:int_overflow 7860
- [原创]攻防世界PWN新手区:guess_num 11574
- [原创]攻防世界PWN新手区:level2 11850
- [原创]攻防世界PWN新手区:level0 6145
看原图
赞赏
雪币:
留言: