-
-
[原创] KCTF2024 第十题(孩子吃三吃麻了
-
发表于: 2024-9-4 17:56 3079
-
程序text段内容都与flag无关,data段校验code被释放到RWX段后,修正跳转,执行校验:将输入作为3x3数组下标交换数组元素,和目标数组比较是否一致。
一致则在程序本体中打印解密的结果。
看一下程序入口,看起来没有反调试和异常处理,主体只有23k,非常小巧。
首先是在sub_13c0
的字符串解密函数,用第三个参数循环xor第一个参数,一共用过三种XOR Key:
解密出的字符串多是API函数名和输入输出的提示,和flag没什么关系
程序主函数中开了两个线程(sub_930
和sub_6c0
),一个线程读取结果,另一个线程检查flag,但直接看这两个处理函数好像也和flag没什么关系
main里还把3795字节长的数据拷贝到了输入的后面:
进去P一下发现像是函数,但是IDA自动分析出的东西不太能看,人肉跟一下可以发现:
要求两个数组最后的(自定义哈希)一致
逻辑大概就是要通过输入x个两字节的坐标,第一位y第二位x,从(0,0)开始,将原始数组置换为目标数组,每次只能替换0和另一个通过输入指定的非零元素
那么我们这样移动:
输入就是011110202122
目标数组 | 原始数组
123
013
456
526
780
478
目标数组 | 原始数组
123
013
456
526
780
478
xcyberchief
/
CyberChef_v10.
5.2
.html
#recipe=Find_/_Replace(%7B'option':'Simple%20string','string':'E8FFFFFFFFC0'%7D,'E80100000090',true,false,true,false)Find_/_Replace(%7B'option':'Simple%20string','string':'2A'%7D,'00',true,false,true,false)Find_/_Replace(%7B'option':'Regex','string':'83F.F.750D.%7B26%7D'%7D,'909090909090909090909090909090909090',true,false,true,false)From_Hex('Auto')
xcyberchief
/
CyberChef_v10.
5.2
.html
#recipe=Find_/_Replace(%7B'option':'Simple%20string','string':'E8FFFFFFFFC0'%7D,'E80100000090',true,false,true,false)Find_/_Replace(%7B'option':'Simple%20string','string':'2A'%7D,'00',true,false,true,false)Find_/_Replace(%7B'option':'Regex','string':'83F.F.750D.%7B26%7D'%7D,'909090909090909090909090909090909090',true,false,true,false)From_Hex('Auto')
__int64
sub_A()
{
...
v0 = 3751i64;
v1 = (
char
*)(v23 + 34);
do
{
v2 = *v1;
if
( !*v1 )
v2 = 0;
*v1++ = v2;
--v0;
}
while
( v0 );
v26 = v27;
v25 = v24;
v3 = (
__int64
(__fastcall *)(
__int64
, _QWORD))sub_5BF(-124919994);
v28 = sub_5BF(-49588825);
v30 = (
__int64
(__fastcall *)(
__int64
,
__int64
,
__int64
*,
__int64
))sub_5BF(37938943);
v4 = (
__int64
(__fastcall *)(
__int64
,
int
*))sub_5BF(1060402837);
v29 = (
__int64
(__fastcall *)(
__int64
,
int
*))sub_5BF(-1813961927);
v5 = (
void
(__fastcall *)(
__int64
))sub_5BF(480663025);
v6 = (
void
(*)(
void
))sub_5BF(55981281);
v7 = 0i64;
v21 = 568;
v8 = 0;
v9 = v3(2i64, 0i64);
v10 = v9;
if
( v9 == -1 )
return
0xFFFFFFFFi64;
v12 = v4(v9, &v21);
v13 = (
__int64
(__fastcall *)(
__int64
, _QWORD, _QWORD))v28;
for
( i = v29; v12; v12 = i(v10, &v21) )
{
if
( (_DWORD)v22 == ((unsigned
int
(*)(
void
))v6)() )
{
v7 = v13(0x2000000i64, 0i64, (unsigned
int
)v22);
if
( v7 )
{
v15 = 0i64;
while
( v30(v7, v15, &v17, 48i64) )
{
v15 = v17 + v19;
if
( (_DWORD)v20 == 4096 && (_DWORD)v18 == 64 )
{
v6();
v8 = sub_68B(*(_DWORD *)v17);
v16 = (_BYTE *)v17;
if
( v8 )
{
if
( sub_6CB((_BYTE *)(v17 + 4)) )
{
*v16 = 105;
v16[1] = 111;
v16[2] = 32;
}
else
{
*v16 = 109;
v16[1] = 106;
v16[2] = 41;
}
v16[3] = 0;
break
;
}
*(_BYTE *)v17 = 109;
v16[1] = 106;
v16[2] = 41;
v16[3] = 0;
}
}
v13 = (
__int64
(__fastcall *)(
__int64
, _QWORD, _QWORD))v28;
i = v29;
}
if
( v8 )
break
;
}
}
v5(v10);
return
((
__int64
(__fastcall *)(
__int64
))v5)(v7);
}
__int64
sub_A()
{
...
v0 = 3751i64;
v1 = (
char
*)(v23 + 34);
do
{
v2 = *v1;
if
( !*v1 )
v2 = 0;
*v1++ = v2;
--v0;
}
while
( v0 );
v26 = v27;
v25 = v24;
v3 = (
__int64
(__fastcall *)(
__int64
, _QWORD))sub_5BF(-124919994);
v28 = sub_5BF(-49588825);
v30 = (
__int64
(__fastcall *)(
__int64
,
__int64
,
__int64
*,
__int64
))sub_5BF(37938943);
v4 = (
__int64
(__fastcall *)(
__int64
,
int
*))sub_5BF(1060402837);
v29 = (
__int64
(__fastcall *)(
__int64
,
int
*))sub_5BF(-1813961927);
v5 = (
void
(__fastcall *)(
__int64
))sub_5BF(480663025);
v6 = (
void
(*)(
void
))sub_5BF(55981281);
v7 = 0i64;
v21 = 568;
v8 = 0;
v9 = v3(2i64, 0i64);
v10 = v9;
if
( v9 == -1 )
return
0xFFFFFFFFi64;
v12 = v4(v9, &v21);
v13 = (
__int64
(__fastcall *)(
__int64
, _QWORD, _QWORD))v28;
for
( i = v29; v12; v12 = i(v10, &v21) )
{
if
( (_DWORD)v22 == ((unsigned
int
(*)(
void
))v6)() )
{
v7 = v13(0x2000000i64, 0i64, (unsigned
int
)v22);
if
( v7 )
{
v15 = 0i64;
while
( v30(v7, v15, &v17, 48i64) )
{
v15 = v17 + v19;
if
( (_DWORD)v20 == 4096 && (_DWORD)v18 == 64 )
{
v6();
v8 = sub_68B(*(_DWORD *)v17);
v16 = (_BYTE *)v17;
if
( v8 )
{
if
( sub_6CB((_BYTE *)(v17 + 4)) )
{
*v16 = 105;
v16[1] = 111;
v16[2] = 32;
}
else
{
*v16 = 109;
v16[1] = 106;
v16[2] = 41;
}
v16[3] = 0;
break
;
}
*(_BYTE *)v17 = 109;
v16[1] = 106;
v16[2] = 41;
v16[3] = 0;
}
}
v13 = (
__int64
(__fastcall *)(
__int64
, _QWORD, _QWORD))v28;
i = v29;
}
if
( v8 )
break
;
}
}
v5(v10);
return
((
__int64
(__fastcall *)(
__int64
))v5)(v7);
}
bool
__fastcall sub_6CB(
char
*user_input)
{
__int64
(__fastcall *
malloc
)(
__int64
);
// rbx
int
sum_arr_08_b_after_swap;
// edi
__int64
v4;
// rcx
int
v5;
// edx
unsigned
int
index_len_inp;
// er12
unsigned
__int64
user_input_len;
// rsi
char
*i;
// rbx
char
*user_in_ptr1;
// r14
__int64
ri;
// r14
int
*a180p1;
// rbx
int
sum_180_d409d627fc;
// er15
__int64
ci;
// rsi
__int64
v14;
// r15
int
*malloc_space_ptr;
// rbx
__int64
v16;
// r14
unsigned
int
cnt;
// er15
int
*malloc_space_ptrr;
// r13
unsigned
int
*flag_in_ind1;
// rsi
char
v20;
// bl
__int64
v21;
// r14
__int64
v22;
// rbx
unsigned
int
v23;
// eax
unsigned
int
v24;
// ebx
__int128 v25;
// xmm1
__int128 v26;
// xmm0
unsigned
int
raw_arr_shuffered_sum;
// esi
unsigned
int
*arr_shuffered_deep_cpy;
// rbx
int
const_sum;
// er14
__int64
v30;
// r12
__int64
v31;
// r15
int
*const_arr180_ptr;
// rbx
__int64
v33;
// r12
__int64
v34;
// r15
unsigned
int
v35;
// ebx
__int64
v36;
// rsi
unsigned
int
v37;
// er14
__int64
v38;
// r15
__int64
v39;
// r12
__int64
v40;
// rbx
__int64
v41;
// r14
char
v42;
// bl
__int64
v43;
// rbx
__int128 v44;
// xmm1
__int64
v45;
// rcx
__int128 v46;
// xmm0
unsigned
int
v47;
// er12
bool
v48;
// zf
unsigned
int
flag_len_x;
// er15
__int64
v50;
// r14
int
*arr_08_b_after_swap;
// rbx
__int64
v52;
// rsi
unsigned
int
x;
// [rsp+20h] [rbp-E0h]
unsigned
int
v55;
// [rsp+20h] [rbp-E0h]
unsigned
int
flag_len;
// [rsp+24h] [rbp-DCh]
int
*malloced_space_base;
// [rsp+28h] [rbp-D8h]
int
const_sum_180_d409d627fc;
// [rsp+30h] [rbp-D0h]
int
arr_shuffered[10];
// [rsp+38h] [rbp-C8h] BYREF
__int64
v60;
// [rsp+60h] [rbp-A0h]
int
v61;
// [rsp+68h] [rbp-98h]
__int64
v62;
// [rsp+6Ch] [rbp-94h]
int
v63;
// [rsp+74h] [rbp-8Ch]
__int64
v64;
// [rsp+78h] [rbp-88h]
int
v65;
// [rsp+80h] [rbp-80h]
int
v66;
// [rsp+84h] [rbp-7Ch]
__int128 v67[2];
// [rsp+88h] [rbp-78h]
unsigned
int
v68[4];
// [rsp+A8h] [rbp-58h]
unsigned
int
v69[12];
// [rsp+B8h] [rbp-48h] BYREF
int
const_arr_180[9];
// [rsp+E8h] [rbp-18h] BYREF
int
flag_in[80];
// [rsp+110h] [rbp+10h] BYREF
unsigned
int
v72;
// [rsp+260h] [rbp+160h]
unsigned
int
v73;
// [rsp+268h] [rbp+168h]
unsigned
int
should_eq_flag_len;
// [rsp+270h] [rbp+170h]
unsigned
int
y;
// [rsp+278h] [rbp+178h]
unsigned
int
v76;
// [rsp+278h] [rbp+178h]
malloc
= (
__int64
(__fastcall *)(
__int64
))sub_5BF(244391216);
malloced_space_base = (
int
*)
malloc
(17418240i64);
sum_arr_08_b_after_swap = 0;
v4 = 0i64;
v5 = 1;
do
const_arr_180[v4++] = v5++;
while
( v4 < 8 );
const_arr_180[8] = 0;
arr_shuffered[0] = 0;
arr_shuffered[1] = 1;
arr_shuffered[2] = 3;
arr_shuffered[3] = 5;
arr_shuffered[4] = 2;
arr_shuffered[5] = 6;
arr_shuffered[6] = 4;
arr_shuffered[7] = 7;
arr_shuffered[8] = 8;
index_len_inp = 0;
flag_len = 0;
user_input_len = 0i64;
for
( i = user_input; *i; ++i )
++user_input_len;
if
( (user_input_len & 1) == 0 )
{
if
( user_input_len )
{
user_in_ptr1 = user_input;
while
( index_len_inp < 31 )
{
flag_in[2 * index_len_inp] = *user_in_ptr1 - 48;
flag_in[2 * index_len_inp + 1] = user_in_ptr1[1] - 48;
user_in_ptr1 += 2;
flag_len = ++index_len_inp;
if
( user_in_ptr1 - user_input >= user_input_len )
goto
LABEL_10;
}
}
else
{
LABEL_10:
y = 0;
x = 0;
ri = 3i64;
a180p1 = const_arr_180;
sum_180_d409d627fc = 0;
do
{
ci = 3i64;
do
{
sum_180_d409d627fc = *a180p1++ + 31 * sum_180_d409d627fc;
--ci;
}
while
( ci );
const_sum_180_d409d627fc = sum_180_d409d627fc;
--ri;
}
while
( ri );
should_eq_flag_len = 0;
malloced_space_base[9] = 0;
*((_QWORD *)malloced_space_base + 5) = 0i64;
v14 = 3i64;
malloc_space_ptr = malloced_space_base;
// copy 0...8
do
{
v16 = 3i64;
do
{
*malloc_space_ptr = *(
int
*)((
char
*)malloc_space_ptr + (
char
*)arr_shuffered - (
char
*)malloced_space_base);
++malloc_space_ptr;
--v16;
}
while
( v16 );
--v14;
}
while
( v14 );
v72 = 1;
cnt = 0;
malloc_space_ptrr = malloced_space_base;
if
( index_len_inp )
{
flag_in_ind1 = (unsigned
int
*)&flag_in[1];
while
( 1 )
{
v20 = 0;
if
( *(flag_in_ind1 - 1) >= 3 || *flag_in_ind1 >= 3 )
v20 = 1;
v21 = x + 3i64 * y;
if
( arr_shuffered[v21] )
v20 = 1;
if
( v20 )
break
;
v22 = *flag_in_ind1 + 3i64 * *(flag_in_ind1 - 1);
// 第二位+第一位*3
// 作为下标交换
arr_shuffered[v21] = arr_shuffered[v22];
arr_shuffered[v22] = 0;
y = *(flag_in_ind1 - 1);
v23 = *flag_in_ind1;
++cnt;
flag_in_ind1 += 2;
x = v23;
if
( cnt >= index_len_inp )
goto
LABEL_27;
}
}
else
{
LABEL_27:
v24 = 0;
while
( 1 )
{
v25 = *(_OWORD *)&malloc_space_ptrr[12 * v24 + 4];
*(_OWORD *)v69 = *(_OWORD *)&malloc_space_ptrr[12 * v24];
v26 = *(_OWORD *)&malloc_space_ptrr[12 * v24 + 8];
*(_OWORD *)&v69[4] = v25;
*(_OWORD *)&v69[8] = v26;
v73 = v24 + 1;
raw_arr_shuffered_sum = 0;
arr_shuffered_deep_cpy = v69;
const_sum = 0;
v30 = 3i64;
do
{
v31 = 3i64;
do
{
raw_arr_shuffered_sum = *arr_shuffered_deep_cpy++ + 31 * raw_arr_shuffered_sum;
--v31;
}
while
( v31 );
--v30;
}
while
( v30 );
const_arr180_ptr = const_arr_180;
v33 = 3i64;
do
{
v34 = 3i64;
do
{
const_sum = *const_arr180_ptr++ + 31 * const_sum;
--v34;
}
while
( v34 );
--v33;
}
while
( v33 );
if
( const_sum == raw_arr_shuffered_sum )
break
;
v63 = 0;
v61 = -1;
v62 = 1i64;
v64 = 0i64;
v65 = -1;
v66 = 1;
v35 = v69[9];
v36 = 0i64;
v37 = v69[10];
v60 = 4i64;
v38 = v69[10] + 3i64 * v69[9];
do
{
v55 = v35 + *(
int
*)((
char
*)&v61 + v36);
v39 = 3i64;
v40 = 0i64;
v76 = v37 + *(_DWORD *)((
char
*)&v64 + v36);
do
{
v41 = 3i64;
do
{
*(_DWORD *)((
char
*)v67 + v40 * 4) = v69[v40];
++v40;
--v41;
}
while
( v41 );
--v39;
}
while
( v39 );
v42 = 0;
malloc_space_ptrr = malloced_space_base;
if
( v55 >= 3 || v76 >= 3 )
v42 = 1;
if
( *((_DWORD *)v67 + v38) )
v42 = 1;
if
( v42 )
{
v47 = v72;
}
else
{
v43 = v76 + 3i64 * v55;
*((_DWORD *)v67 + v38) = *((_DWORD *)v67 + v43);
*((_DWORD *)v67 + v43) = 0;
*(_QWORD *)&v68[1] = __PAIR64__(v76, v55);
v68[3] = v69[11] + 1;
v44 = v67[1];
v45 = 6i64 * v72;
*(_OWORD *)&malloced_space_base[2 * v45] = v67[0];
v46 = *(_OWORD *)v68;
*(_OWORD *)&malloced_space_base[2 * v45 + 4] = v44;
*(_OWORD *)&malloced_space_base[2 * v45 + 8] = v46;
v47 = ++v72;
}
v35 = v69[9];
v36 += 4i64;
v48 = v60-- == 1;
v37 = v69[10];
}
while
( !v48 );
v24 = v73;
if
( v73 >= v47 )
{
flag_len_x = 0;
goto
LABEL_54;
}
}
flag_len_x = v69[11];
should_eq_flag_len = v69[11];
LABEL_54:
if
( flag_len_x != -1 )
{
v50 = 3i64;
arr_08_b_after_swap = arr_shuffered;
do
{
v52 = 3i64;
do
{
sum_arr_08_b_after_swap = *arr_08_b_after_swap++ + 31 * sum_arr_08_b_after_swap;
--v52;
}
while
( v52 );
--v50;
}
while
( v50 );
if
( flag_len == should_eq_flag_len )
return
sum_arr_08_b_after_swap == const_sum_180_d409d627fc;
}
}
}
}
return
0;
}
bool
__fastcall sub_6CB(
char
*user_input)
{
__int64
(__fastcall *
malloc
)(
__int64
);
// rbx
int
sum_arr_08_b_after_swap;
// edi
__int64
v4;
// rcx
int
v5;
// edx
unsigned
int
index_len_inp;
// er12
unsigned
__int64
user_input_len;
// rsi
char
*i;
// rbx
char
*user_in_ptr1;
// r14
__int64
ri;
// r14
int
*a180p1;
// rbx
int
sum_180_d409d627fc;
// er15
__int64
ci;
// rsi
__int64
v14;
// r15
int
*malloc_space_ptr;
// rbx
__int64
v16;
// r14
unsigned
int
cnt;
// er15
int
*malloc_space_ptrr;
// r13
unsigned
int
*flag_in_ind1;
// rsi
char
v20;
// bl
__int64
v21;
// r14
__int64
v22;
// rbx
unsigned
int
v23;
// eax
unsigned
int
v24;
// ebx
__int128 v25;
// xmm1
__int128 v26;
// xmm0
unsigned
int
raw_arr_shuffered_sum;
// esi
unsigned
int
*arr_shuffered_deep_cpy;
// rbx
int
const_sum;
// er14
__int64
v30;
// r12
__int64
v31;
// r15
int
*const_arr180_ptr;
// rbx
__int64
v33;
// r12
__int64
v34;
// r15
unsigned
int
v35;
// ebx
__int64
v36;
// rsi
unsigned
int
v37;
// er14
__int64
v38;
// r15
__int64
v39;
// r12
__int64
v40;
// rbx
__int64
v41;
// r14
char
v42;
// bl
__int64
v43;
// rbx
__int128 v44;
// xmm1
__int64
v45;
// rcx
__int128 v46;
// xmm0
unsigned
int
v47;
// er12
bool
v48;
// zf
unsigned
int
flag_len_x;
// er15
__int64
v50;
// r14
int
*arr_08_b_after_swap;
// rbx
__int64
v52;
// rsi
unsigned
int
x;
// [rsp+20h] [rbp-E0h]
unsigned
int
v55;
// [rsp+20h] [rbp-E0h]
unsigned
int
flag_len;
// [rsp+24h] [rbp-DCh]
int
*malloced_space_base;
// [rsp+28h] [rbp-D8h]
int
const_sum_180_d409d627fc;
// [rsp+30h] [rbp-D0h]
int
arr_shuffered[10];
// [rsp+38h] [rbp-C8h] BYREF
__int64
v60;
// [rsp+60h] [rbp-A0h]
int
v61;
// [rsp+68h] [rbp-98h]
__int64
v62;
// [rsp+6Ch] [rbp-94h]
int
v63;
// [rsp+74h] [rbp-8Ch]
__int64
v64;
// [rsp+78h] [rbp-88h]
int
v65;
// [rsp+80h] [rbp-80h]
int
v66;
// [rsp+84h] [rbp-7Ch]
__int128 v67[2];
// [rsp+88h] [rbp-78h]
unsigned
int
v68[4];
// [rsp+A8h] [rbp-58h]
unsigned
int
v69[12];
// [rsp+B8h] [rbp-48h] BYREF
int
const_arr_180[9];
// [rsp+E8h] [rbp-18h] BYREF
int
flag_in[80];
// [rsp+110h] [rbp+10h] BYREF
unsigned
int
v72;
// [rsp+260h] [rbp+160h]
unsigned
int
v73;
// [rsp+268h] [rbp+168h]
unsigned
int
should_eq_flag_len;
// [rsp+270h] [rbp+170h]
unsigned
int
y;
// [rsp+278h] [rbp+178h]
unsigned
int
v76;
// [rsp+278h] [rbp+178h]
malloc
= (
__int64
(__fastcall *)(
__int64
))sub_5BF(244391216);
malloced_space_base = (
int
*)
malloc
(17418240i64);
sum_arr_08_b_after_swap = 0;
v4 = 0i64;
v5 = 1;
do
const_arr_180[v4++] = v5++;
while
( v4 < 8 );
const_arr_180[8] = 0;
arr_shuffered[0] = 0;
arr_shuffered[1] = 1;
arr_shuffered[2] = 3;
arr_shuffered[3] = 5;
arr_shuffered[4] = 2;
arr_shuffered[5] = 6;
arr_shuffered[6] = 4;
arr_shuffered[7] = 7;
arr_shuffered[8] = 8;
index_len_inp = 0;
flag_len = 0;
user_input_len = 0i64;
for
( i = user_input; *i; ++i )
++user_input_len;
if
( (user_input_len & 1) == 0 )
{
if
( user_input_len )
{
user_in_ptr1 = user_input;
while
( index_len_inp < 31 )
{
flag_in[2 * index_len_inp] = *user_in_ptr1 - 48;
flag_in[2 * index_len_inp + 1] = user_in_ptr1[1] - 48;
user_in_ptr1 += 2;
flag_len = ++index_len_inp;
if
( user_in_ptr1 - user_input >= user_input_len )
goto
LABEL_10;
}
}
else
{
LABEL_10:
y = 0;
x = 0;
ri = 3i64;
a180p1 = const_arr_180;
sum_180_d409d627fc = 0;
do
{
ci = 3i64;
do
{
sum_180_d409d627fc = *a180p1++ + 31 * sum_180_d409d627fc;
--ci;
}
while
( ci );
const_sum_180_d409d627fc = sum_180_d409d627fc;
--ri;
}
while
( ri );
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
赞赏
他的文章
看原图
赞赏
雪币:
留言: