-
-
[原创]BUUCTF逆向题:FlareOn3]Challenge1
-
2022-3-27 17:29
-
1.基本信息探查:
1.EXEinfo:
2.运行一下:
2.IDA分析:
1.主函数分析:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | int __cdecl main(int argc, const char **argv, const char **envp){ char Buffer[128]; // [esp+0h] [ebp-94h] BYREF char *Str1; // [esp+80h] [ebp-14h] char *Str2; // [esp+84h] [ebp-10h] HANDLE v7; // [esp+88h] [ebp-Ch] HANDLE hFile; // [esp+8Ch] [ebp-8h] DWORD NumberOfBytesWritten; // [esp+90h] [ebp-4h] BYREF hFile = GetStdHandle(0xFFFFFFF5); v7 = GetStdHandle(0xFFFFFFF6); Str2 = "x2dtJEOmyjacxDemx2eczT5cVS9fVUGvWTuZWjuexjRqy24rV29q"; WriteFile(hFile, "Enter password:\r\n", 0x12u, &NumberOfBytesWritten, 0); ReadFile(v7, Buffer, 0x80u, &NumberOfBytesWritten, 0); Str1 = (char *)sub_401260(Buffer, NumberOfBytesWritten - 2); if ( !strcmp(Str1, Str2) ) WriteFile(hFile, "Correct!\r\n", 0xBu, &NumberOfBytesWritten, 0); else WriteFile(hFile, "Wrong password\r\n", 0x11u, &NumberOfBytesWritten, 0); return 0;} |
输入一个字串,用Str1变量保存,然后作为参数传到sub_401260 函数进行运算,最后与Str2也就是"x2dtJEOmyjacxDemx2eczT5cVS9fVUGvWTuZWjuexjRqy24rV29q"进行字符串比较,两字符串相等则输出“Correct”,所以我们主要分析的是sub_401260 函数对输入的字符串进行了什么操作
2.sub_401260函数分析:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 | _BYTE *__cdecl sub_401260(int a1, unsigned int a2){ int v3; // [esp+Ch] [ebp-24h] int v4; // [esp+10h] [ebp-20h] int v5; // [esp+14h] [ebp-1Ch] int i; // [esp+1Ch] [ebp-14h] unsigned int v7; // [esp+20h] [ebp-10h] _BYTE *v8; // [esp+24h] [ebp-Ch] int v9; // [esp+28h] [ebp-8h] int v10; // [esp+28h] [ebp-8h] unsigned int v11; // [esp+2Ch] [ebp-4h] v8 = malloc(4 * ((a2 + 2) / 3) + 1); if ( !v8 ) return 0; v11 = 0; v9 = 0; while ( v11 < a2 ) { v5 = *(unsigned __int8 *)(v11 + a1); if ( ++v11 >= a2 ) { v4 = 0; } else { v4 = *(unsigned __int8 *)(v11 + a1); ++v11; } if ( v11 >= a2 ) { v3 = 0; } else { v3 = *(unsigned __int8 *)(v11 + a1); ++v11; } v7 = v3 + (v5 << 16) + (v4 << 8); v8[v9] = byte_413000[(v7 >> 18) & 0x3F]; v10 = v9 + 1; v8[v10] = byte_413000[(v7 >> 12) & 0x3F]; v8[++v10] = byte_413000[(v7 >> 6) & 0x3F]; v8[++v10] = byte_413000[v3 & 0x3F]; v9 = v10 + 1; } for ( i = 0; i < dword_413040[a2 % 3]; ++i ) v8[4 * ((a2 + 2) / 3) - i - 1] = 61; v8[4 * ((a2 + 2) / 3)] = 0; return v8;} |
分析代码可以发现这就是一个base编码函数,码表在byte_413000里,双击跟过去
可以发现和正常码表不同它的值为:
1 | ZYXABCDEFGHIJKLMNOPQRSTUVWzyxabcdefghijklmnopqrstuvw0123456789+/ |
这种类似的题以前做过就是buu的level3,比这个难度还大一点,直接利用上次多的脚本改一改,exp就出来了
3.EXP:
1 2 3 4 5 6 7 8 | import base64str1 = "x2dtJEOmyjacxDemx2eczT5cVS9fVUGvWTuZWjuexjRqy24rV29q"string1 = "ZYXABCDEFGHIJKLMNOPQRSTUVWzyxabcdefghijklmnopqrstuvw0123456789+/"string2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"print ((base64.b64decode((str1.translate(str.maketrans(string1,string2))).encode())).decode()) |
flag{sh00ting_phish_in_a_barrel@flare-on.com}
[培训]二进制漏洞攻防(第3期);满10人开班;模糊测试与工具使用二次开发;网络协议漏洞挖掘;Linux内核漏洞挖掘与利用;AOSP漏洞挖掘与利用;代码审计。
有什么不好的地方请指正
