
BUUCTF_N1book_RE_[第五章 CTF之RE章]BabyAlgorithm

2022-05-15 21:32:49  阅读:195  来源: 互联网



64位,无壳

主函数:

// Decompiled entry point (IDA pseudo-C). Reads a flag from stdin, runs it
// through sub_400874 (RC4 keyed with "Nu1Lctf233" - see sub_40067A / sub_400753)
// and compares the 45-byte result byte-for-byte against the constant table v8[].
//   v5 - key buffer, s - user input, v7 - cipher output, v8 - expected ciphertext
// Returns 0 on every path; only the printed message differs.
__int64 __fastcall main(int a1, char **a2, char **a3)
{
  __int64 result; // rax
  int i; // [rsp+Ch] [rbp-E4h]
  char v5[16]; // [rsp+10h] [rbp-E0h] BYREF
  char s[64]; // [rsp+20h] [rbp-D0h] BYREF
  char v7[64]; // [rsp+60h] [rbp-90h] BYREF
  char v8[72]; // [rsp+A0h] [rbp-50h] BYREF
  unsigned __int64 v9; // [rsp+E8h] [rbp-8h]

  v9 = __readfsqword(0x28u); // stack-protector canary (fs:0x28); verified in the epilogue
  // Expected ciphertext, 45 bytes. The first 64 bytes are zeroed first, which
  // matters for index 39: it is never assigned below and stays 0x00.
  memset(v8, 0, 0x40uLL);
  v8[0] = -58;
  v8[1] = 33;
  v8[2] = -54;
  v8[3] = -65;
  v8[4] = 81;
  v8[5] = 67;
  v8[6] = 55;
  v8[7] = 49;
  v8[8] = 117;
  v8[9] = -28;
  v8[10] = -114;
  v8[11] = -64;
  v8[12] = 84;
  v8[13] = 111;
  v8[14] = -113;
  v8[15] = -18;
  v8[16] = -8;
  v8[17] = 90;
  v8[18] = -94;
  v8[19] = -63;
  v8[20] = -21;
  v8[21] = -91;
  v8[22] = 52;
  v8[23] = 109;
  v8[24] = 113;
  v8[25] = 85;
  v8[26] = 8;
  v8[27] = 7;
  v8[28] = -78;
  v8[29] = -88;
  v8[30] = 47;
  v8[31] = -12;
  v8[32] = 81;
  v8[33] = -114;
  v8[34] = 12;
  v8[35] = -52;
  qmemcpy(&v8[36], "3S1", 3); // v8[36..38] = '3','S','1'; v8[39] keeps the 0 from memset
  v8[40] = 64;
  v8[41] = -42;
  v8[42] = -54;
  v8[43] = -20;
  v8[44] = -44;
  puts("Input flag: ");
  __isoc99_scanf("%63s", s); // bounded read: at most 63 chars + NUL into s[64]
  if ( strlen(s) == 45 ) // flag length must match the 45-byte table
  {
    strcpy(v5, "Nu1Lctf233"); // RC4 key; 11 bytes incl. NUL fit in v5[16]
    sub_400874(v5, s, v7); // v7 = RC4(key = v5, data = s)
    // Byte-wise compare of all 45 bytes, bailing out at the first mismatch.
    for ( i = 0; i <= 44; ++i )
    {
      if ( v7[i] != v8[i] )
      {
        puts("GG!");
        return 0LL;
      }
    }
    puts("Congratulations!");
    result = 0LL;
  }
  else
  {
    puts("GG!");
    result = 0LL;
  }
  return result;
}
// Decompiled entry point (IDA pseudo-C). Reads a flag from stdin, runs it
// through sub_400874 (RC4 keyed with "Nu1Lctf233" - see sub_40067A / sub_400753)
// and compares the 45-byte result byte-for-byte against the constant table v8[].
//   v5 - key buffer, s - user input, v7 - cipher output, v8 - expected ciphertext
// Returns 0 on every path; only the printed message differs.
__int64 __fastcall main(int a1, char **a2, char **a3)
{
  __int64 result; // rax
  int i; // [rsp+Ch] [rbp-E4h]
  char v5[16]; // [rsp+10h] [rbp-E0h] BYREF
  char s[64]; // [rsp+20h] [rbp-D0h] BYREF
  char v7[64]; // [rsp+60h] [rbp-90h] BYREF
  char v8[72]; // [rsp+A0h] [rbp-50h] BYREF
  unsigned __int64 v9; // [rsp+E8h] [rbp-8h]

  v9 = __readfsqword(0x28u); // stack-protector canary (fs:0x28); verified in the epilogue
  // Expected ciphertext, 45 bytes. The first 64 bytes are zeroed first, which
  // matters for index 39: it is never assigned below and stays 0x00.
  memset(v8, 0, 0x40uLL);
  v8[0] = -58;
  v8[1] = 33;
  v8[2] = -54;
  v8[3] = -65;
  v8[4] = 81;
  v8[5] = 67;
  v8[6] = 55;
  v8[7] = 49;
  v8[8] = 117;
  v8[9] = -28;
  v8[10] = -114;
  v8[11] = -64;
  v8[12] = 84;
  v8[13] = 111;
  v8[14] = -113;
  v8[15] = -18;
  v8[16] = -8;
  v8[17] = 90;
  v8[18] = -94;
  v8[19] = -63;
  v8[20] = -21;
  v8[21] = -91;
  v8[22] = 52;
  v8[23] = 109;
  v8[24] = 113;
  v8[25] = 85;
  v8[26] = 8;
  v8[27] = 7;
  v8[28] = -78;
  v8[29] = -88;
  v8[30] = 47;
  v8[31] = -12;
  v8[32] = 81;
  v8[33] = -114;
  v8[34] = 12;
  v8[35] = -52;
  qmemcpy(&v8[36], "3S1", 3); // v8[36..38] = '3','S','1'; v8[39] keeps the 0 from memset
  v8[40] = 64;
  v8[41] = -42;
  v8[42] = -54;
  v8[43] = -20;
  v8[44] = -44;
  puts("Input flag: ");
  __isoc99_scanf("%63s", s); // bounded read: at most 63 chars + NUL into s[64]
  if ( strlen(s) == 45 ) // flag length must match the 45-byte table
  {
    strcpy(v5, "Nu1Lctf233"); // RC4 key; 11 bytes incl. NUL fit in v5[16]
    sub_400874(v5, s, v7); // v7 = RC4(key = v5, data = s)
    // Byte-wise compare of all 45 bytes, bailing out at the first mismatch.
    for ( i = 0; i <= 44; ++i )
    {
      if ( v7[i] != v8[i] )
      {
        puts("GG!");
        return 0LL;
      }
    }
    puts("Congratulations!");
    result = 0LL;
  }
  else
  {
    puts("GG!");
    result = 0LL;
  }
  return result;
}

一长串数组赋值

然后关键函数很明显是

sub_400874

// RC4 driver: expands the key a1 into a 256-byte state (v5) with sub_40067A,
// then runs the keystream over a2 and writes the result to a3 with sub_400753.
//   a1 - NUL-terminated key, a2 - NUL-terminated input,
//   a3 - output buffer; sub_400753 writes strlen(a2) bytes into it.
// Always returns 0.
__int64 __fastcall sub_400874(__int64 a1, __int64 a2, __int64 a3)
{
  char v5[264]; // [rsp+20h] [rbp-110h] BYREF
  // v5 is the RC4 state S: sub_40067A fills indexes 0..255. The extra
  // 8 bytes are presumably stack padding - nothing here touches them.
  unsigned __int64 v6; // [rsp+128h] [rbp-8h]

  v6 = __readfsqword(0x28u); // stack-protector canary (fs:0x28)
  sub_40067A(a1, v5); // key scheduling (KSA)
  sub_400753(v5, a2, a3); // keystream generation (PRGA) + XOR
  return 0LL;
}

这里面又有两个函数

sub_40067A

// RC4 key scheduling (KSA).
//   a1 - NUL-terminated key, a2 - 256-byte state buffer S (written in full).
// Naming differs from the textbook: the loop variable j here is RC4's i,
// and v3 is RC4's j. Always returns 0.
// Caveats visible in the code: v6 = strlen(a1) is used as a modulus, so an
// empty key would divide by zero; key bytes are read through a signed
// `const char *`, which only matters for keys with bytes >= 0x80 (the
// fixed key "Nu1Lctf233" is plain ASCII).
__int64 __fastcall sub_40067A(const char *a1, __int64 a2)
{
  int v3; // [rsp+10h] [rbp-10h]
  int i; // [rsp+14h] [rbp-Ch]
  int j; // [rsp+18h] [rbp-8h]
  int v6; // [rsp+1Ch] [rbp-4h]

  v6 = strlen(a1); // key length
  v3 = 0;
  for ( i = 0; i <= 255; ++i )
    *(_BYTE *)(i + a2) = i; // identity permutation: S[i] = i
  for ( j = 0; j <= 255; ++j )
  {
    v3 = (*(unsigned __int8 *)(j + a2) + v3 + a1[j % v6]) % 256; // j' = (j' + S[i] + key[i % keylen]) mod 256
    sub_400646(j + a2, a2 + v3); // sub_400646 is not shown; in RC4 this is swap(S[i], S[j'])
  }
  return 0LL;
}

sub_400753

// RC4 keystream generation (PRGA) fused with the XOR step.
//   a1 - 256-byte state S prepared by sub_40067A (mutated in place),
//   a2 - NUL-terminated input, a3 - output; exactly strlen(a2) bytes are written.
// Locals: v5 = i, v6 = j, v7 = byte index, v8 = input length. Always returns 0.
// The length comes from strlen(a2), so an embedded NUL in the input ends
// processing early and the bytes after it are left untouched in a3.
__int64 __fastcall sub_400753(__int64 a1, const char *a2, __int64 a3)
{
  int v5; // [rsp+24h] [rbp-1Ch]
  int v6; // [rsp+28h] [rbp-18h]
  size_t v7; // [rsp+30h] [rbp-10h]
  size_t v8; // [rsp+38h] [rbp-8h]

  v5 = 0;
  v6 = 0;
  v7 = 0LL;
  v8 = strlen(a2);
  while ( v7 < v8 )
  {
    v5 = (v5 + 1) % 256; // i = (i + 1) mod 256
    v6 = (v6 + *(unsigned __int8 *)(v5 + a1)) % 256; // j = (j + S[i]) mod 256
    sub_400646(v5 + a1, a1 + v6); // sub_400646 is not shown; in RC4 this is swap(S[i], S[j])
    // out[k] = in[k] ^ S[(S[i] + S[j]) mod 256]; the (unsigned __int8) cast is the mod 256
    *(_BYTE *)(a3 + v7) = a2[v7] ^ *(_BYTE *)((unsigned __int8)(*(_BYTE *)(v5 + a1) + *(_BYTE *)(v6 + a1)) + a1);
    ++v7;
  }
  return 0LL;
}

其实这两个函数都有一个共同的特征

%256

这是典型的 RC4 特征:sub_40067A 对应 KSA(密钥调度,初始化 256 字节的 S 盒),sub_400753 对应 PRGA(生成密钥流并与输入逐字节异或)。

那么主函数中 strcpy 复制的那个字符串就是 RC4 的密钥(key)

Nu1Lctf233

但是有个问题:数组里的字节直接转成字符会显示为乱码。这里先用 chr() 把每个字节拼成字符串,再做 utf-8 编码和 base64 编码,就可以得到便于复制的密文;注意 utf-8 会把 0x80 及以上的字节扩展成两个字节,所以解密时也要按同样的方式先还原,才能得到原始的 45 字节密文。

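import base64

# Expected ciphertext, copied from the v8[] initialisation in main().
# Index 39 is 0x00: memset() zeroes v8 and qmemcpy() only writes 36..38.
a = [0xc6,0x21,0xca,0xbf,0x51,0x43,0x37,0x31,0x75,0xe4,0x8e,0xc0,0x54,0x6f,0x8f,0xee,0xf8,0x5a,0xa2,0xc1,0xeb,0xa5,0x34,0x6d,0x71,0x55,0x8,0x7,0xb2,0xa8,0x2f,0xf4,0x51,0x8e,0xc,0xcc,0x33,0x53,0x31,0x0,0x40,0xd6,0xca,0xec,0xd4]

# One code point per byte (U+0000..U+00FF), built with a single join instead
# of repeated `s += chr(i)` (quadratic string concatenation).
s = "".join(chr(i) for i in a)
print(s)

# NOTE: encoding as UTF-8 first expands every byte >= 0x80 into two bytes, so
# this is NOT base64 of the raw 45-byte ciphertext - the decrypting side must
# undo the UTF-8 step as well. base64.b64encode(bytes(a)) would give the raw form.
print(str(base64.b64encode(s.encode('utf-8')), 'utf-8'))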

w4Yhw4rCv1FDNzF1w6TCjsOAVG/Cj8Ouw7hawqLDgcOrwqU0bXFVCAfCssKoL8O0UcKODMOMM1MxAEDDlsOKw6zDlA==

然后就是直接解

n1book{us1nG_f3atur3s_7o_de7erm1n3_4lg0ri7hm}

来源: https://www.cnblogs.com/1ucky/p/16274644.html
