BUU_re_[V&N2020 公开赛]strangeCpp
2020-08-15 23:12
拖进IDA,shift+f12查找字符串,发现可疑字符串,跟进去
查看其伪代码
// IDA pseudo-code of the routine that prints the banner and runs the
// environment checks. It records the processor count in dword_140021190,
// exits early when that count is below 8, and prints a decoy flag when the
// user name equals "cxx". It never prints the bytes at 0x140021008..0x140021018.
__int64 __fastcall sub_140013AA0(__int64 a1, __int64 a2, __int64 *a3)
{
  char *v3; // rdi
  signed __int64 i; // rcx
  __int64 v5; // rax
  __int64 v6; // rax
  __int64 v7; // rax
  __int64 v8; // rax
  char v10; // [rsp+0h] [rbp-20h]
  struct _SYSTEM_INFO SystemInfo; // [rsp+28h] [rbp+8h]
  __int64 *j; // [rsp+78h] [rbp+58h]
  __int64 v13; // [rsp+98h] [rbp+78h]
  __int64 *v14; // [rsp+1A0h] [rbp+180h]

  v14 = a3;
  v3 = &v10;
  // -858993460 is 0xCCCCCCCC: 94 dwords of the frame are filled with it,
  // consistent with the uninitialized-stack fill of an MSVC build with
  // runtime checks enabled. It is compiler prologue, not challenge logic.
  for ( i = 94i64; i; --i )
  {
    *(_DWORD *)v3 = -858993460;
    v3 += 4;
  }
  sub_1400110AA(&unk_140027033); // NOTE(review): opaque helper, looks like compiler-inserted instrumentation; confirm
  GetSystemInfo(&SystemInfo);
  // Banner: bytes 0x140021004..07, then 0x140021019, 0x14002101A and
  // 0x140021005 again. The 17 bytes in between are skipped here and are
  // only read by sub_140013580.
  putchar(byte_140021004);
  putchar(byte_140021005);
  putchar(byte_140021006);
  putchar(byte_140021007);
  putchar(byte_140021019);
  putchar(byte_14002101A);
  putchar(byte_140021005);
  putchar(10);
  puts("Let me have a look at your computer...");
  // Walks the NULL-terminated pointer array passed as the third argument and
  // prints each entry with "%s\n". Presumably this is envp and sub_140011226
  // is a printf-style helper; neither is confirmed by the listing.
  for ( j = v14; *j; ++j )
  {
    v13 = *j;
    sub_140011226("%s\n", v13);
  }
  std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, sub_140011127); // sub_140011127 is presumably std::endl; confirm
  dword_140021190 = SystemInfo.dwNumberOfProcessors; // key parameter: the CPU count, kept in a global
  sub_140011226("now system cpu num is %d\n", SystemInfo.dwNumberOfProcessors);
  // Environment check: fewer than 8 processors is treated as a VM and the
  // process exits, so an analysis sandbox with few cores stops here.
  if ( dword_140021190 < 8 )
  {
    puts("Are you in VM?");
    _exit(0);
  }
  if ( GetUserNameA(Str1, &pcbBuffer) ) // fetch the user name into Str1
  {
    v5 = sub_140011172(std::cout, "this is useful");
    std::basic_ostream<char,std::char_traits<char>>::operator<<(v5, sub_140011127);
  }
  v6 = std::basic_ostream<char,std::char_traits<char>>::operator<<(std::cout, sub_140011127);
  v7 = sub_140011172(v6, "ok,I am checking...");
  std::basic_ostream<char,std::char_traits<char>>::operator<<(v7, sub_140011127);
  // User name "cxx" only yields a decoy: the printed string itself asks where
  // the true flag is, and the process exits right after.
  if ( !j_strcmp(Str1, "cxx") )
  {
    v8 = sub_140011172(std::cout, "flag{where_is_my_true_flag?}");
    std::basic_ostream<char,std::char_traits<char>>::operator<<(v8, sub_140011127);
    _exit(0);
  }
  system("pause");
  sub_1400113E3(&v10, &unk_14001DE50); // NOTE(review): opaque helper taking the frame base; looks like a stack-check epilogue, confirm
  return 0i64;
}
点进一堆putchar里看看
观察这些字节的DATA XREF,发现主函数只输出了byte_140021004~byte_140021007以及byte_140021019、byte_14002101A,中间从140021008开始的这段数据被跳过去了,而它被一个很可疑的函数sub_140013580引用,我们跟进去看一下
// IDA pseudo-code of the routine that decodes the hidden 17-byte string.
// It passes dword_140021190 to sub_140011384 (not shown in this listing) and,
// only when the result is 607052314 and dword_140021190 <= 14549743, prints
// byte_140021008[0..16] XORed with the low byte of dword_140021190.
// Returns the helper's result, or 17 after a successful decode loop.
__int64 sub_140013580()
{
  __int64 *v0; // rdi
  signed __int64 i; // rcx
  __int64 result; // rax
  __int64 v3; // [rsp+0h] [rbp-20h]
  int v4; // [rsp+24h] [rbp+4h]
  int j; // [rsp+44h] [rbp+24h]
  __int64 v6; // [rsp+128h] [rbp+108h]

  v0 = &v3;
  // 0xCCCCCCCC stack fill over 82 dwords: compiler prologue, not challenge logic.
  for ( i = 82i64; i; --i )
  {
    *(_DWORD *)v0 = -858993460;
    v0 = (__int64 *)((char *)v0 + 4);
  }
  v6 = -2i64;
  sub_1400110AA(&unk_140027033); // NOTE(review): opaque helper, looks like compiler-inserted instrumentation; confirm
  result = sub_140011384((unsigned int)dword_140021190);
  v4 = result;
  // Both conditions gate the decode: the 32-bit result must equal 607052314
  // and the global must not exceed 14549743 (signed comparison as decompiled).
  if ( (_DWORD)result == 607052314 && dword_140021190 <= 14549743 )
  {
    for ( j = 0; j < 17; ++j )
    {
      // The cast to unsigned __int8 means only the low 8 bits of
      // dword_140021190 act as the XOR key.
      putchar((unsigned __int8)(dword_140021190 ^ byte_140021008[j]));
      result = (unsigned int)(j + 1);
    }
  }
  return result;
}
分析可知,要让循环里的putchar执行,需要同时满足result == 607052314且dword_140021190 <= 14549743。往上追溯,result是sub_140011384的返回值,传进去的变量为dword_140021190,跟进去看看(下面列出的函数体是sub_140013890,sub_140011384应为跳转到它的thunk)。
// IDA pseudo-code of the integer transform applied to dword_140021190.
// Computes ((a1 << 8) ^ (a1 >> 12)) * 291 in an unsigned int and returns it,
// or 987 when that value is zero.
signed __int64 __fastcall sub_140013890(int a1)
{
  __int64 *v1; // rdi
  signed __int64 i; // rcx
  signed __int64 result; // rax
  __int64 v4; // [rsp+0h] [rbp-20h]
  int v5; // [rsp+24h] [rbp+4h]
  int v6; // [rsp+44h] [rbp+24h]
  unsigned int v7; // [rsp+64h] [rbp+44h]
  int v8; // [rsp+160h] [rbp+140h]

  v8 = a1;
  v1 = &v4;
  // 0xCCCCCCCC stack fill over 82 dwords: compiler prologue, not challenge logic.
  for ( i = 82i64; i; --i )
  {
    *(_DWORD *)v1 = -858993460;
    v1 = (__int64 *)((char *)v1 + 4);
  }
  sub_1400110AA(&unk_140027033); // NOTE(review): opaque helper, looks like compiler-inserted instrumentation; confirm
  v5 = v8 >> 12; // v8 is a signed int, so this shift acts on a signed value
  v6 = v8 << 8;
  v7 = (v8 << 8) ^ (v8 >> 12);
  // v7 is unsigned int: the product is kept modulo 2^32, which any
  // re-implementation has to reproduce by masking with 0xFFFFFFFF.
  v7 *= 291;
  if ( v7 )
    result = v7;
  else
    result = 987i64; // fallback when the transform yields 0
  return result;
}
a1即dword_140021190。关键是返回值result,往上追溯,result取自v7:v7 = ((v8 << 8) ^ (v8 >> 12)) * 291。由于v7是unsigned int,乘法结果按32位截断。
脚本:
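# -*- coding:utf-8 -*-
"""Solve script for the strangeCpp checks.

Searches for the value of dword_140021190 whose transform equals the constant
that sub_140013580 compares against, decodes the 17 skipped bytes with it, and
prints the MD5 digest of the value wrapped in flag{...}.
"""
import hashlib

TARGET = 607052314       # constant compared with the transform's result in sub_140013580
UPPER_BOUND = 14549743   # sub_140013580 also requires dword_140021190 <= 14549743


def transform(v8):
    """Re-implement sub_140013890 for a non-negative 32-bit input.

    The binary keeps the product in an unsigned int, so the result is masked
    to 32 bits. A zero product is replaced by 987, as in the listing.
    """
    v7 = (((v8 << 8) ^ (v8 >> 12)) * 291) & 0xFFFFFFFF
    return v7 if v7 else 987


def find_cpu_count(target, upper_bound):
    """Return the smallest v8 in [0, upper_bound] with transform(v8) == target.

    The bound is inclusive because the binary tests `<=`. Only non-negative
    candidates are tried. Returns None when no candidate matches.
    """
    for v8 in range(upper_bound + 1):
        if transform(v8) == target:
            return v8
    return None


# result is the value dword_140021190 must hold for the hidden branch to run.
result = find_cpu_count(TARGET, UPPER_BOUND)
if result is None:
    # Stop here rather than decode with a wrong key and print garbage.
    raise ValueError("no value in [0, %d] maps to %d" % (UPPER_BOUND, TARGET))

# The 17 bytes at byte_140021008 that the main routine never prints.
enc = [0x26, 0x2C, 0x21, 0x27, 0x3B, 0x0D, 4, 0x75, 0x68, 0x34, 0x28, 0x25,
       0x0E, 0x35, 0x2D, 0x69, 0x3D]

# The binary casts to unsigned __int8, so only the low byte of result is the key.
flag = "".join(chr((result ^ b) & 0xFF) for b in enc)
print(flag)

# The decoded hint asks for the MD5 of the number. MD5 is a digest, not an
# encoding; it is taken over the decimal string of result.
md = hashlib.md5()
md.update(str(result).encode('utf-8'))
print("flag{" + md.hexdigest() + "}")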
第一次输出的字符串提示对这个数字做MD5,这里的MD5是哈希而不是编码,因此猜测是对result的十进制值计算MD5,再套上flag{}提交
运行结果: