BUU[SUCTF2018]babyre
分析
首先查壳,64位无壳
然后放入IDA中分析
加密逻辑就在那个简单的 while 循环里;最后输出的 v6 就是我们要的 flag。
脚本
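#include <stdio.h>
#include <string.h>

/*
 * Brute-force solver for the BUUCTF [SUCTF2018] babyre challenge.
 *
 * The lookup table below is transcribed from the decompiled listing. For each
 * candidate key in [0, 0x10000) the decoder rebuilds a 22-byte buffer one bit
 * plane at a time and prints the buffer when it starts with "SUCTF".
 *
 * Changes compared with the original one-line script:
 *   - table and output bytes are unsigned char, so entries above 0x7F do not
 *     depend on the platform's char signedness;
 *   - the bit-plane counter is a separate variable instead of living inside
 *     the output buffer (the original reused flag[30]);
 *   - every match is followed by a newline, so several matching keys cannot
 *     run together into one unreadable line.
 */

enum {
    FLAG_LEN  = 22,      /* bytes rebuilt per candidate key */
    BIT_COUNT = 8,       /* bit planes per output byte */
    KEY_LIMIT = 0x10000, /* keys tried: 0 .. 0xFFFF */
    HEAD_LEN  = 32,      /* table[0..31] */
    MID_LEN   = 94,      /* table[32..125], given as a string in the listing */
    TAIL_LEN  = 54       /* table[126..179] */
};

int main(void)
{
    static const unsigned char head[HEAD_LEN] = {
         2,  3,  2,  1,  4,  7,  4,  5, 10, 11, 10,  9, 14, 15, 12, 13,
        16, 19, 16, 17, 20, 23, 22, 19, 28, 25, 30, 31, 28, 25, 26, 31
    };
    static const char mid[] =
        "$!\"'$!\"#().+$-&/81:;4=>7092;<567HIBBDDFGHIJJMMONPPRSUTVWYYZ[\\]^^``ccdeggiikklmnnpprstuwwxy{{}}";
    /* Negative decimals in the listing (e.g. -111) appear here as the byte
     * value they denote (0x91). */
    static const unsigned char tail[TAIL_LEN] = {
        0x7F, 0x7F, 0x81, 0x81, 0x83, 0x83, 0x8C, 0x8D, 0x8E, 0x8F,
        0x88, 0x89, 0x8A, 0x8B, 0x8C, 0x8D, 0x8E, 0x87,
        0x98, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
        0x98, 0x99, 0x9A, 0x9A, 0x9C, 0x9C, 0x9E, 0x9E,
        0xA0, 0xA0, 0xA2, 0xA2, 0xA4, 0xA4, 0xA6, 0xA6,
        0xA8, 0xA8, 0xAA, 0xAA, 0xAC, 0xAC, 0xAE, 0xAE,
        0xB0, 0xB1, 0xB2, 0xB3
    };

    /* Catch a transcription slip in the string literal at compile time. */
    _Static_assert(sizeof mid - 1 == MID_LEN, "middle table segment must be 94 bytes");
    /* Highest index read below is FLAG_LEN * (BIT_COUNT - 1) + FLAG_LEN - 1. */
    _Static_assert(FLAG_LEN * BIT_COUNT <= HEAD_LEN + MID_LEN + TAIL_LEN,
                   "table too short for the decode loop");

    unsigned char table[HEAD_LEN + MID_LEN + TAIL_LEN];
    memcpy(table, head, HEAD_LEN);
    memcpy(table + HEAD_LEN, mid, MID_LEN);
    memcpy(table + HEAD_LEN + MID_LEN, tail, TAIL_LEN);

    /* NOTE(review): the 0x10000 bound and the two key bits per bit plane are
     * taken from the original script; confirm them against the decompiled
     * loop before relying on the result. */
    for (int key = 0; key < KEY_LIMIT; key++) {
        unsigned char flag[FLAG_LEN] = {0};

        for (int bit = BIT_COUNT - 1; bit >= 0; bit--) {
            /* Two key bits choose which of the low four table bits is used
             * for this plane. */
            unsigned pick = ((unsigned)key >> (2 * bit)) & 3u;

            for (int i = FLAG_LEN - 1; i >= 0; i--) {
                unsigned b = ((unsigned)table[FLAG_LEN * bit + i] >> pick) & 1u;
                flag[i] |= (unsigned char)(b << bit);
            }
        }

        /* The prefix is only a filter: more than one key may pass it, so each
         * candidate goes on its own line. */
        if (memcmp(flag, "SUCTF", 5) == 0) {
            fwrite(flag, 1, FLAG_LEN, stdout);
            putchar('\n');
        }
    }

    return 0;
}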