您的位置:首页 > 编程语言 > C语言/C++

BUU_re_[V&N2020 公开赛]strangeCpp

2020-08-15 23:12 1041 查看

拖进IDA,shift+f12查找字符串,发现可疑字符串,跟进去

查看其伪代码

__int64 __fastcall sub_140013AA0(__int64 a1, __int64 a2, __int64 *a3)
{
char *v3; // rdi
signed __int64 i; // rcx
__int64 v5; // rax
__int64 v6; // rax
__int64 v7; // rax
__int64 v8; // rax
char v10; // [rsp+0h] [rbp-20h]
struct _SYSTEM_INFO SystemInfo; // [rsp+28h] [rbp+8h]
__int64 *j; // [rsp+78h] [rbp+58h]
__int64 v13; // [rsp+98h] [rbp+78h]
__int64 *v14; // [rsp+1A0h] [rbp+180h]

v14 = a3;
v3 = &v10;
for ( i = 94i64; i; --i )
{
*(_DWORD *)v3 = -858993460;
v3 += 4;
}
sub_1400110AA(&unk_140027033);
GetSystemInfo(&SystemInfo);
putchar(byte_140021004);
putchar(byte_140021005);
putchar(byte_140021006);
putchar(byte_140021007);
putchar(byte_140021019);
putchar(byte_14002101A);
putchar(byte_140021005);
putchar(10);
puts("Let me have a look at your computer...");
for ( j = v14; *j; ++j )
{
v13 = *j;
sub_140011226("%s\n", v13);
}
std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, sub_140011127);
dword_140021190 = SystemInfo.dwNumberOfProcessors;//这是关键参数,获得cpu数量
sub_140011226("now system cpu num is %d\n", SystemInfo.dwNumberOfProcessors);
if ( dword_140021190 < 8 )
{
puts("Are you in VM?");
_exit(0);
}
if ( GetUserNameA(Str1, &pcbBuffer) ) //获得用户名
{
v5 = sub_140011172(std::cout, "this is useful");
std::basic_ostream<char,std::char_traits<char>>::operator<<(v5, sub_140011127);
}
v6 = std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, sub_140011127);
v7 = sub_140011172(v6, "ok,I am checking...");
std::basic_ostream<char,std::char_traits<char>>::operator<<(v7, sub_140011127);
if ( !j_strcmp(Str1, "cxx") )
{
v8 = sub_140011172(std::cout, "flag{where_is_my_true_flag?}");
std::basic_ostream<char,std::char_traits<char>>::operator<<(v8, sub_140011127);
_exit(0);
}
system("pause");
sub_1400113E3(&v10, &unk_14001DE50);
return 0i64;
}

点进一堆putchar里看看

观察后面的DATA XREF,发现140021008这段字符串被跳过去了,被一个很可疑的函数sub_140013580引用,我们跟进去看一下

__int64 sub_140013580()
{
__int64 *v0; // rdi
signed __int64 i; // rcx
__int64 result; // rax
__int64 v3; // [rsp+0h] [rbp-20h]
int v4; // [rsp+24h] [rbp+4h]
int j; // [rsp+44h] [rbp+24h]
__int64 v6; // [rsp+128h] [rbp+108h]

v0 = &v3;
for ( i = 82i64; i; --i )
{
*(_DWORD *)v0 = -858993460;
v0 = (__int64 *)((char *)v0 + 4);
}
v6 = -2i64;
sub_1400110AA(&unk_140027033);
result = sub_140011384((unsigned int)dword_140021190);
v4 = result;
if ( (_DWORD)result == 607052314 && dword_140021190 <= 14549743 )
{
for ( j = 0; j < 17; ++j )
{
putchar((unsigned __int8)(dword_140021190 ^ byte_140021008[j]));
result = (unsigned int)(j + 1);
}
}
return result;
}

分析,猜测我们需要让putchar实现,所以应该让result = 607052314,往上追溯,发现result与sub_140011384函数有关,跟进去看看,这个函数传进去的变量为dword_140021190。

signed __int64 __fastcall sub_140013890(int a1)
{
__int64 *v1; // rdi
signed __int64 i; // rcx
signed __int64 result; // rax
__int64 v4; // [rsp+0h] [rbp-20h]
int v5; // [rsp+24h] [rbp+4h]
int v6; // [rsp+44h] [rbp+24h]
unsigned int v7; // [rsp+64h] [rbp+44h]
int v8; // [rsp+160h] [rbp+140h]

v8 = a1;
v1 = &v4;
for ( i = 82i64; i; --i )
{
*(_DWORD *)v1 = -858993460;
v1 = (__int64 *)((char *)v1 + 4);
}
sub_1400110AA(&unk_140027033);
v5 = v8 >> 12;
v6 = v8 << 8;
v7 = (v8 << 8) ^ (v8 >> 12);
v7 *= 291;
if ( v7 )
result = v7;
else
result = 987i64;
return result;
}

a1即dword_140021190。关键是返回值result,往上追溯,看到result与v7有关。

脚本:

# -*- coding:utf-8 -*-
import hashlib

result = 0
for v8 in range(14549743):
v7 = (((v8 << 8) ^ (v8 >> 12))*291)&0xFFFFFFFF # 原文是unsigned int,范围为0~0xFFFFFFFF,所以输出的值利用与运算截断
if (v7 == 607052314):
result = v8  #result即dword_140021190此时的值
break

enc = [0x26, 0x2C, 0x21, 0x27, 0x3B, 0x0D, 4, 0x75, 0x68, 0x34, 0x28,
0x25, 0x0E, 0x35, 0x2D, 0x69, 0x3D]

flag = ""
for i in enc:
flag += chr((result ^ i)&0xFF) # unsigned __int8范围是0~0xFF
print (flag)

md = hashlib.md5()
md.update(str(result).encode('utf-8'))
print ("flag{"+md.hexdigest()+"}")

第一次输出的flag提示把数字进行MD5编码 ,猜测是把result的值进行MD5编码

运行结果:

内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 点击这里给我发消息
标签: 
相关文章推荐
新的分享
章节导航