(相關(guān)資料圖)
ida打開,找到主函數(shù),可以看出函數(shù)是通過線程池調(diào)用的。在輸入的地方下斷點,運行會直接退出。猜測有反調(diào)試,搜索字符串debug,有Isdebugpresent字符串,交叉引用下斷點后并沒有成功斷下。這里提供一個思路。就是在所有調(diào)用exit的函數(shù)下斷點。看看會斷在哪里??梢园l(fā)現(xiàn)確實可以斷下來。但是沒有什么用。在輸入下斷運行還是退出。于是去看函數(shù)表,可以看到函數(shù)比較少。于是直接一個一個翻看。果然看到了有的函數(shù)調(diào)用了系統(tǒng)函數(shù)exitprocess。然后再下斷,修改??梢蕴^反調(diào)試這里貼一下反調(diào)試關(guān)鍵函數(shù)
int encrypt(){ HANDLE CurrentThread; // esi CONTEXT Context; // [esp+4h] [ebp-2D0h] BYREF memset(&Context.Dr0, 0, 0x2C8u); Context.ContextFlags = 65599; CurrentThread = GetCurrentThread(); if ( !GetThreadContext(CurrentThread, &Context) || !Context.Dr7 ) return 0; Context.Dr7 = 0; SetThreadContext(CurrentThread, &Context); Context.ContextFlags = 65599; if ( GetThreadContext(CurrentThread, &Context) ) { if ( Context.Dr7 ) //這里下斷點,改掉判斷 ExitProcess(0xFFFFFF9D); } return 1;}
#include #include void decrypt(uint32_t* v) {uint32_t v0 = v[0], v1 = v[1], sum = 3337565984, i; uint32_t delta = 0x61C88647; for (i = 0; i < 32; i++) { v1 -= ((v0 << 4) + 0x3) ^ (v0 + sum) ^ ((v0 >> 5) + 0x4); v0 -= ((v1 << 4) + 0x1) ^ (v1 + sum) ^ ((v1 >> 5) + 0x2);sum += delta;} v[0] = v0; v[1] = v1;}int main(){uint32_t v[] = { 2293224150, 1069434279, 665506233, 2360599838, 154439674, 3785309250, 4292676998, 3988353923, 314884287, 459783449, 4154791126, 418992724, 2869955760, 13345079, 44635922, 3314355614 };uint32_t tmp[2] = { 0 };for (int i = 0; i < 16; i+=2) {tmp[0] = v[i];tmp[1] = v[i + 1];decrypt(tmp);v[i] = tmp[0];v[i + 1] = tmp[1];}unsigned char *bytes = (unsigned char *)v;for (size_t i = 0; i < sizeof(v); i++) {printf("%c", bytes[i]);}printf("\n");return 0;} //NepCTF{c9cdnwdi3iu41m0pv3x7kllzu8pdq6mt9n2nwjdp6kat8ent4dhn5r158
int __usercall encrypt2@(int a1@){ int v1; // ecx unsigned int i; // ecx unsigned int v3; // edi unsigned int v4; // esi int v5; // ebx unsigned int k; // edx unsigned int m; // ecx unsigned int j; // [esp+0h] [ebp-A0h] int v10; // [esp+4h] [ebp-9Ch] _DWORD v11[16]; // [esp+8h] [ebp-98h] int v12; // [esp+48h] [ebp-58h] int v13; // [esp+4Ch] [ebp-54h] int v14; // [esp+50h] [ebp-50h] int v15; // [esp+54h] [ebp-4Ch] int v16[15]; // [esp+58h] [ebp-48h] __int16 v17; // [esp+94h] [ebp-Ch] char v18; // [esp+96h] [ebp-Ah] int v19; // [esp+97h] [ebp-9h] char v20; // [esp+9Bh] [ebp-5h] int v21; // [esp+9Ch] [ebp-4h] v21 = a1; v1 = *(_DWORD *)(a1 + 504); v20 = HIBYTE(v1); v10 = v1 + a1 + 20; v16[0] = 0x1DC74989; v16[1] = 0xD979AF77; v16[2] = 0x888D136D; v16[3] = 0x8E26DB7F; v16[4] = 0xC10C3CC9; v16[5] = 0xC3845D40; v16[6] = 0xC6E04459; v16[7] = 0xA2EBDF07; v16[8] = 0xD484388D; v16[9] = 0x12F956A2; v16[10] = 0x5ED7EE59; v16[11] = 0x43137F85; v16[12] = 0xEF43F9F0; v16[13] = 0xB29683AA; v16[14] = 0x8E3640B4; v17 = 0x6177; v18 = 0xD3; v19 = 0xC2; for ( i = 0; i < 0x10; ++i ) v11[i] = *(_DWORD *)(v10 + 4 * i); v12 = 18; v13 = 52; v14 = 86; v15 = 120; for ( j = 0; j < 8; ++j ) { v3 = v11[2 * j]; v4 = v11[2 * j + 1]; v5 = 0; for ( k = 0; k < 0x20; ++k ) { v5 -= 1640531527; v3 += (v13 + (v4 >> 5)) ^ (v4 + v5) ^ (v12 + 16 * v4); v4 += (v15 + (v3 >> 5)) ^ (v5 + v3) ^ (v14 + 16 * v3); } v11[2 * j] = v3; v11[2 * j + 1] = v4; } for ( m = 0; m < 0x10; ++m ) { if ( v11[m] != v16[m] ) return 0; } return 1;}
先upx脫殼,程序開了aslr,使用studype++關(guān)閉aslr。然后調(diào)試就不會飄紅了。同樣,與上題類似,程序開了線程池和反調(diào)試。跟進gets_s函數(shù)
_BYTE *__cdecl common_gets(_BYTE *a1, int a2, char a3){ _BYTE *v3; // esi _BYTE *v5; // edi FILE *v6; // eax FILE *v7; // eax FILE *v8; // eax int v9; // eax int v10; // ecx FILE *v11; // eax _BYTE *v12; // edx FILE *v13; // eax FILE *v14; // eax _BYTE *v15; // [esp+18h] [ebp-24h] CPPEH_RECORD ms_exc; // [esp+24h] [ebp-18h] BYREF v3 = a1; if ( !a1 || !a2 ) { *_errno() = 22; _invalid_parameter_noinfo(); return 0; } v5 = a1; v6 = __acrt_iob_func(0); _lock_file(v6); ms_exc.registration.TryLevel = 0; v7 = __acrt_iob_func(0); if ( (unsigned __int8)__acrt_stdio_char_traits::validate_stream_is_ansi_if_required(v7) ) { v8 = __acrt_iob_func(0); v9 = _getc_nolock(v8); if ( v9 == -1 ) { v5 = 0; if ( a3 ) goto LABEL_23; } v10 = a2; if ( a2 == -1 ) { while ( v9 != 10 && v9 != -1 ) { *v3++ = v9; v11 = __acrt_iob_func(0); v9 = _getc_nolock(v11); } *v3 = 0; goto LABEL_23; } v12 = a1; v15 = a1; while ( v9 != 10 && v9 != -1 ) { if ( v10 ) { a2 = v10 - 1; *v12 = v9; v15 = v12 + 1; } v13 = __acrt_iob_func(0); v9 = _getc_nolock(v13); v10 = a2; v12 = v15; } if ( !v10 )//這里原本是v10,這里修改為!v10即可繞過反調(diào)試 { *v12 = 0; goto LABEL_23; } *a1 = 0; *_errno() = 34; _invalid_parameter_noinfo(); _local_unwind4(&__security_cookie, (int)&ms_exc.registration, 0xFFFFFFFE); return 0; } v5 = 0;LABEL_23: v14 = __acrt_iob_func(0); _unlock_file(v14); return v5;}
然后再繞過下面的Isdebugpresent反調(diào)試。來到關(guān)鍵部分。通過findcrypto插件識別到crc32,aes,tea的特征。然后交叉引用可以發(fā)現(xiàn)程序先進行魔改xtea加密。然后再根據(jù)加密后結(jié)果前一位與后一位是否一致來生成aes密鑰,接著aes加密后與flag密文比較。aes密鑰以為要爆破。沒想到試了第一個就是。解題代碼
#include #include void decipher(uint32_t v[], uint32_t const key[4]) {unsigned int i;uint32_t delta = 0x61C88647, sum = 0x2e2ac13a,v6;int round = 10;do {v[11] -= ((v[0] ^ sum) + (v[10] ^ key[((sum >> 2) & 3) ^ 0xb & 3])) ^ (((16 * v[10]) ^ (v[0] >> 3)) + ((v[10] >> 5) ^ (4 * v[0])));for (i = 0xa; i >0; i--) {v[i] -= ((v[i + 1] ^ sum) + (v[i-1] ^ key[((sum >> 2) & 3) ^ i & 3])) ^ (((16 * v[i - 1]) ^ (v[i + 1] >> 3)) + ((v[i - 1] >> 5) ^ (4 * v[i + 1])));}v[0] -= ((v[1] ^ sum) + (v[11] ^ key[((sum >> 2) & 3) ^ 0 & 3])) ^ (((16 * v[11]) ^ (v[1] >> 3)) + ((v[11] >> 5) ^ (4 * v[1])));sum += delta;round -= 1;} while (round);}int main(){uint32_t v[] = { 2309579534, 3094518205, 2274467788, 4072683167, 418971191, 2065596768, 236488259, 3759075494, 2770389782, 2907179657, 384852496, 1019579761 };uint32_t const k[4] = { 0x19,0,0x6e,3 };unsigned int r = 10; decipher(v, k);unsigned char *bytes = (unsigned char *)v;for (size_t i = 0; i < sizeof(v); i++) {printf("%c", bytes[i]);}printf("\n");return 0;}
題目描述就有flag
直接問chatgpt拿到腳本,就能解出flag為Nepctf{huffman_zip_666}
填問卷就有flag
抽到h3,用大招打敗t佬得flag先創(chuàng)一個用戶名,然后用該用戶名進行sql注入1"--。給了源碼中有exp沒刪
關(guān)鍵詞:
新聞發(fā)布平臺 |科極網(wǎng) |環(huán)球周刊網(wǎng) |tp錢包官網(wǎng)下載 |中國創(chuàng)投網(wǎng) |教體產(chǎn)業(yè)網(wǎng) |中國商界網(wǎng) |萬能百科 |薄荷網(wǎng) |資訊_時尚網(wǎng) |連州財經(jīng)網(wǎng) |劇情啦 |5元服裝包郵 |中華網(wǎng)河南 |網(wǎng)購省錢平臺 |海淘返利 |太平洋裝修網(wǎng) |勵普網(wǎng)校 |九十三度白茶網(wǎng) |商標注冊 |專利申請 |啟哈號 |速挖投訴平臺 |深度財經(jīng)網(wǎng) |深圳熱線 |財報網(wǎng) |財報網(wǎng) |財報網(wǎng) |咕嚕財經(jīng) |太原熱線 |電路維修 |防水補漏 |水管維修 |墻面翻修 |舊房維修 |參考經(jīng)濟網(wǎng) |中原網(wǎng)視臺 |財經(jīng)產(chǎn)業(yè)網(wǎng) |全球經(jīng)濟網(wǎng) |消費導報網(wǎng) |外貿(mào)網(wǎng) |重播網(wǎng) |國際財經(jīng)網(wǎng) |星島中文網(wǎng) |手機測評 |品牌推廣 |名律網(wǎng) |項目大全 |整形資訊 |整形新聞 |美麗網(wǎng) |佳人網(wǎng) |稅法網(wǎng) |法務網(wǎng) |法律服務 |法律咨詢 |成報網(wǎng) |媒體采購網(wǎng) |聚焦網(wǎng) |參考網(wǎng)
亞洲資本網(wǎng) 版權(quán)所有
Copyright © 2011-2020 亞洲資本網(wǎng) All Rights Reserved. 聯(lián)系網(wǎng)站:55 16 53 8 @qq.com