
BUUCTF_N1book_RE_[第五章 CTF之RE章]BabyAlgorithm

作者:互联网

64位,无壳

主函数:

// Flag checker entry point (IDA pseudocode). Builds the expected 45-byte
// ciphertext in v8, reads the candidate flag into s, runs it through
// sub_400874 with the key "Nu1Lctf233", and compares the result with v8
// byte by byte. Every path returns 0; the verdict is only printed.
__int64 __fastcall main(int a1, char **a2, char **a3)
{
  __int64 result; // rax
  int i; // [rsp+Ch] [rbp-E4h]
  char v5[16]; // [rsp+10h] [rbp-E0h] BYREF -- key buffer
  char s[64]; // [rsp+20h] [rbp-D0h] BYREF -- user input
  char v7[64]; // [rsp+60h] [rbp-90h] BYREF -- output of sub_400874
  char v8[72]; // [rsp+A0h] [rbp-50h] BYREF -- expected ciphertext
  unsigned __int64 v9; // [rsp+E8h] [rbp-8h]

  v9 = __readfsqword(0x28u); // fs:0x28 read into the last local: looks like the stack-protector canary (its check at return is not shown in this pseudocode)
  memset(v8, 0, 0x40uLL); // zero the first 64 bytes; v8[39] is never assigned below and stays 0
  // Expected ciphertext, one byte per statement. Negative values are the
  // decompiler's signed view of bytes >= 0x80 (e.g. -58 == 0xC6).
  v8[0] = -58;
  v8[1] = 33;
  v8[2] = -54;
  v8[3] = -65;
  v8[4] = 81;
  v8[5] = 67;
  v8[6] = 55;
  v8[7] = 49;
  v8[8] = 117;
  v8[9] = -28;
  v8[10] = -114;
  v8[11] = -64;
  v8[12] = 84;
  v8[13] = 111;
  v8[14] = -113;
  v8[15] = -18;
  v8[16] = -8;
  v8[17] = 90;
  v8[18] = -94;
  v8[19] = -63;
  v8[20] = -21;
  v8[21] = -91;
  v8[22] = 52;
  v8[23] = 109;
  v8[24] = 113;
  v8[25] = 85;
  v8[26] = 8;
  v8[27] = 7;
  v8[28] = -78;
  v8[29] = -88;
  v8[30] = 47;
  v8[31] = -12;
  v8[32] = 81;
  v8[33] = -114;
  v8[34] = 12;
  v8[35] = -52;
  qmemcpy(&v8[36], "3S1", 3); // bytes 36..38 = '3','S','1'; byte 39 keeps the memset 0
  v8[40] = 64;
  v8[41] = -42;
  v8[42] = -54;
  v8[43] = -20;
  v8[44] = -44; // last of the 45 expected bytes (indices 0..44)
  puts("Input flag: ");
  __isoc99_scanf("%63s", s); // at most 63 chars + NUL into the 64-byte s
  if ( strlen(s) == 45 ) // input must be exactly as long as the expected ciphertext
  {
    strcpy(v5, "Nu1Lctf233"); // 10-char key (11 bytes with NUL) into the 16-byte v5
    sub_400874(v5, s, v7); // argument order is (key, input, output); see sub_400874 below
    for ( i = 0; i <= 44; ++i )
    {
      if ( v7[i] != v8[i] ) // byte-by-byte compare that bails out on the first mismatch (not constant-time)
      {
        puts("GG!");
        return 0LL;
      }
    }
    puts("Congratulations!");
    result = 0LL;
  }
  else
  {
    puts("GG!"); // wrong length
    result = 0LL;
  }
  return result; // always 0
}
// Flag checker entry point (IDA pseudocode). Builds the expected 45-byte
// ciphertext in v8, reads the candidate flag into s, runs it through
// sub_400874 with the key "Nu1Lctf233", and compares the result with v8
// byte by byte. Every path returns 0; the verdict is only printed.
__int64 __fastcall main(int a1, char **a2, char **a3)
{
  __int64 result; // rax
  int i; // [rsp+Ch] [rbp-E4h]
  char v5[16]; // [rsp+10h] [rbp-E0h] BYREF -- key buffer
  char s[64]; // [rsp+20h] [rbp-D0h] BYREF -- user input
  char v7[64]; // [rsp+60h] [rbp-90h] BYREF -- output of sub_400874
  char v8[72]; // [rsp+A0h] [rbp-50h] BYREF -- expected ciphertext
  unsigned __int64 v9; // [rsp+E8h] [rbp-8h]

  v9 = __readfsqword(0x28u); // fs:0x28 read into the last local: looks like the stack-protector canary (its check at return is not shown in this pseudocode)
  memset(v8, 0, 0x40uLL); // zero the first 64 bytes; v8[39] is never assigned below and stays 0
  // Expected ciphertext, one byte per statement. Negative values are the
  // decompiler's signed view of bytes >= 0x80 (e.g. -58 == 0xC6).
  v8[0] = -58;
  v8[1] = 33;
  v8[2] = -54;
  v8[3] = -65;
  v8[4] = 81;
  v8[5] = 67;
  v8[6] = 55;
  v8[7] = 49;
  v8[8] = 117;
  v8[9] = -28;
  v8[10] = -114;
  v8[11] = -64;
  v8[12] = 84;
  v8[13] = 111;
  v8[14] = -113;
  v8[15] = -18;
  v8[16] = -8;
  v8[17] = 90;
  v8[18] = -94;
  v8[19] = -63;
  v8[20] = -21;
  v8[21] = -91;
  v8[22] = 52;
  v8[23] = 109;
  v8[24] = 113;
  v8[25] = 85;
  v8[26] = 8;
  v8[27] = 7;
  v8[28] = -78;
  v8[29] = -88;
  v8[30] = 47;
  v8[31] = -12;
  v8[32] = 81;
  v8[33] = -114;
  v8[34] = 12;
  v8[35] = -52;
  qmemcpy(&v8[36], "3S1", 3); // bytes 36..38 = '3','S','1'; byte 39 keeps the memset 0
  v8[40] = 64;
  v8[41] = -42;
  v8[42] = -54;
  v8[43] = -20;
  v8[44] = -44; // last of the 45 expected bytes (indices 0..44)
  puts("Input flag: ");
  __isoc99_scanf("%63s", s); // at most 63 chars + NUL into the 64-byte s
  if ( strlen(s) == 45 ) // input must be exactly as long as the expected ciphertext
  {
    strcpy(v5, "Nu1Lctf233"); // 10-char key (11 bytes with NUL) into the 16-byte v5
    sub_400874(v5, s, v7); // argument order is (key, input, output); see sub_400874 below
    for ( i = 0; i <= 44; ++i )
    {
      if ( v7[i] != v8[i] ) // byte-by-byte compare that bails out on the first mismatch (not constant-time)
      {
        puts("GG!");
        return 0LL;
      }
    }
    puts("Congratulations!");
    result = 0LL;
  }
  else
  {
    puts("GG!"); // wrong length
    result = 0LL;
  }
  return result; // always 0
}

一长串数组赋值

然后关键函数很明显是

sub_400874

// Transforms a2 into a3 under the key a1: first schedules the key into the
// local state buffer v5 (264 bytes, enough for the 256-entry state that
// sub_40067A fills), then runs the keystream/XOR pass over a2.
// Called from main as sub_400874(key, input, output). Always returns 0.
__int64 __fastcall sub_400874(__int64 a1, __int64 a2, __int64 a3)
{
  char v5[264]; // [rsp+20h] [rbp-110h] BYREF -- cipher state
  unsigned __int64 v6; // [rsp+128h] [rbp-8h]

  v6 = __readfsqword(0x28u); // fs:0x28, looks like the stack-protector canary
  sub_40067A(a1, v5); // key scheduling: key a1 -> state v5
  sub_400753(v5, a2, a3); // keystream generation and XOR: a3[k] = a2[k] ^ keystream[k]
  return 0LL;
}

这里面又有两个函数

sub_40067A

// Key scheduling: fills the 256-byte state at a2 with the identity
// permutation, then permutes it under the key a1. This has the shape of the
// RC4 KSA, as the write-up notes. sub_400646 is not shown on this page; from
// the way it is called here it presumably swaps the two bytes whose addresses
// it receives -- confirm in the binary. Always returns 0.
__int64 __fastcall sub_40067A(const char *a1, __int64 a2)
{
  int v3; // [rsp+10h] [rbp-10h] -- running index j'
  int i; // [rsp+14h] [rbp-Ch]
  int j; // [rsp+18h] [rbp-8h]
  int v6; // [rsp+1Ch] [rbp-4h] -- key length

  v6 = strlen(a1); // key length; an empty key would make `j % v6` divide by zero (main always passes a 10-char key)
  v3 = 0;
  for ( i = 0; i <= 255; ++i )
    *(_BYTE *)(i + a2) = i; // S[i] = i
  for ( j = 0; j <= 255; ++j )
  {
    // j' = (S[j] + j' + key[j mod keylen]) mod 256; key bytes are read as
    // signed char, which is harmless for an ASCII key like "Nu1Lctf233"
    v3 = (*(unsigned __int8 *)(j + a2) + v3 + a1[j % v6]) % 256;
    sub_400646(j + a2, a2 + v3); // presumably swap(S[j], S[j'])
  }
  return 0LL;
}

sub_400753

// Keystream generation and XOR over the state at a1 (RC4 PRGA shape): for
// each byte of a2, advance the (v5, v6) indices, swap the two state bytes,
// and write a2[k] ^ S[(S[i] + S[j]) mod 256] to a3[k]. Output length is
// strlen(a2); a3 is not NUL-terminated here. Always returns 0.
__int64 __fastcall sub_400753(__int64 a1, const char *a2, __int64 a3)
{
  int v5; // [rsp+24h] [rbp-1Ch] -- index i
  int v6; // [rsp+28h] [rbp-18h] -- index j
  size_t v7; // [rsp+30h] [rbp-10h] -- position k in a2/a3
  size_t v8; // [rsp+38h] [rbp-8h] -- input length

  v5 = 0;
  v6 = 0;
  v7 = 0LL;
  v8 = strlen(a2); // stops at the first NUL of a2
  while ( v7 < v8 )
  {
    v5 = (v5 + 1) % 256; // i = (i + 1) mod 256
    v6 = (v6 + *(unsigned __int8 *)(v5 + a1)) % 256; // j = (j + S[i]) mod 256
    sub_400646(v5 + a1, a1 + v6); // presumably swap(S[i], S[j]); sub_400646 is not shown on this page
    // a3[k] = a2[k] ^ S[(S[i] + S[j]) mod 256]; the unsigned __int8 cast is what wraps the index
    *(_BYTE *)(a3 + v7) = a2[v7] ^ *(_BYTE *)((unsigned __int8)(*(_BYTE *)(v5 + a1) + *(_BYTE *)(v6 + a1)) + a1);
    ++v7;
  }
  return 0LL;
}

其实这两个函数都有一个共同的特征

%256

典型的RC4的特征

那么主函数里 strcpy 到 v5 的那个字符串就是 RC4 的 key（密钥）

Nu1Lctf233

但是有个问题：数组直接转成字符串是乱码（里面有大于 0x7f 的字节，还有一个 0x00），这里先按 utf-8 编码再 base64，就能得到可以复制粘贴的密文

import base64

# Expected ciphertext taken from main()'s v8 array (indices 0..44) as unsigned
# byte values; index 39 is 0x00, the memset value that main never overwrites.
a = [
    0xc6, 0x21, 0xca, 0xbf, 0x51, 0x43, 0x37, 0x31, 0x75, 0xe4,
    0x8e, 0xc0, 0x54, 0x6f, 0x8f, 0xee, 0xf8, 0x5a, 0xa2, 0xc1,
    0xeb, 0xa5, 0x34, 0x6d, 0x71, 0x55, 0x8, 0x7, 0xb2, 0xa8,
    0x2f, 0xf4, 0x51, 0x8e, 0xc, 0xcc, 0x33, 0x53, 0x31, 0x0,
    0x40, 0xd6, 0xca, 0xec, 0xd4,
]
# One str code point per byte value (chr(0xc6) is U+00C6, not the byte 0xC6).
s = "".join(map(chr, a))
print(s)
# Caveat: .encode('utf-8') expands every code point >= 0x80 into two bytes, so
# this base64 wraps the UTF-8 text of s, not the raw 45 ciphertext bytes.
# Whatever consumes it must base64-decode and then UTF-8-decode before using
# the result as ciphertext.
print(base64.b64encode(s.encode('utf-8')).decode('utf-8'))

w4Yhw4rCv1FDNzF1w6TCjsOAVG/Cj8Ouw7hawqLDgcOrwqU0bXFVCAfCssKoL8O0UcKODMOMM1MxAEDDlsOKw6zDlA==

然后用密钥 Nu1Lctf233 直接做 RC4 解密即可

n1book{us1nG_f3atur3s_7o_de7erm1n3_4lg0ri7hm}

来源: https://www.cnblogs.com/1ucky/p/16274644.html