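Tags: REVERSE get away there CTF no girl asong out
asong is the encryption program, out is the encrypted result, and that_girl is the data the encryption references.
out: a blob of unreadable binary
that_girl: 66 lines of English text
asong: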
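I. Function analysis
main function
Reads the user's input, runs a frequency count over the that_girl file, performs a series of operations on the input and the count result, and writes the result to the out file.
sub_400AAA function
Opens the that_girl file and reads it one character at a time. Each character read is passed to sub_400936, which computes v2, and the value at address (a2+v2) is incremented by 1.
sub_400936 function: uses a switch/case statement to classify the value that was read
sub_400E54 function
Builds the array v5 from the flag, reorders v5, applies shift and OR operations to the data in v5, and writes v5 to the out file.
sub_400936 function: uses a switch/case statement to classify the value that was read
sub_400D33 function: reorders the v5 array; the reordering works by transforming the index, and the index transformation is determined by the s array
Values of the s array
sub_400DB4 function: applies shift and OR operations to the values in the v5 array
sub_400CC0 function: writes v5 to the out file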
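II. Debugging to obtain the frequency data
Start debugging to obtain the frequency-count result for the that_girl file. IDA reports the error "Bochs executable "bochsdbg.exe" is not found: Please install Bochs and/or specify the location of "bochsdbg.exe" in the dbg_bochs.cfg file."
Go to the official site, http://sourceforge.net/projects/bochs/files/bochs/, then download and install Bochs.
In the local \IDA_Pro_v7.5_Portable\cfg directory, find the "dbg_bochs.cfg" file, set the Bochs installation path, and uncomment the line.
Another error appears: "Please ensure that Bochs is installed and configured properly. Bochs output can be checked in the message window"
This is caused by a boot configuration problem: "ROM: couldn't open ROM image file '(null)/BIOS-bochs-latest'."
Configure the "asong.bochsrc" file.
There were still problems, so I gave up on that and did the count myself.
1. Case-insensitive
2. Array index for digits and letters: digits start at index 0, letters start at index 10
With 26 English letters plus 10 digits, the indices from 36 onward are assigned as well
Frequency count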
# Text of the that_girl file
s = """there's_a_girl_but_i_let_her_get_away it's_all_my_fault_cause_pride_got_in_the_way and_i'd_be_lying_if_i_said_i_was_ok about_that_girl_the_one_i_let_get_away i_keep_saying_no this_can't_be_the_way_we're_supposed_to_be i_keep_saying_no there's_gotta_be_a_way_to_get_you_close_to_me now_i_know_you_gotta speak_up_if_you_want_somebody can't_let_him_get_away_oh_no you_don't_wanna_end_up_sorry the_way_that_i'm_feeling_everyday no_no_no_no there's_no_hope_for_the_broken_heart no_no_no_no there's_no_hope_for_the_broken there's_a_girl_but_i_let_her_get_away it's_my_fault_cause_i_said_i_needed_space i've_been_torturing_myself_night_and_day about_that_girl_the_one_i_let_get_away i_keep_saying_no this can't be the way we're supposed to be i keep saying no there's gotta be a way to get you there's gotta be a way to_get_you_close_to_me you_gotta speak_up_if_you_want_somebody can't_let_him_get_away_oh_no you_don't_wanna_end_up_sorry the_way_that_i'm_feeling_everyday no_no_no_no there's_no_hope_for_the_broken_heart no no no no there's no hope for the broken no home for me no home cause i'm broken no room to breathe and i got no one to blame no home for me no_home_cause_i'm_broken about_that_girl the_one_i_let_get_away so_you_better speak_up_if_you_want_somebody you_can't_let_him_bet_away_no_no you_don't_wanna_end_up_sorry the_way_that_i'm_feeling_everyday don't_you_know no_no_no_no there's_no_hope_for_the_broken_hearty don't you know no no no no there's no hope for the broken oh you don't wanna lose at love it's only gonna hurt too much i'm telling you you_don't_wanna_lose_at_love it's_only_gonna_hurt_too_much i'm_telling_you you_don't_wanna_lose_at_love cause_there's_no_hope_for_the_broken_heart that_girl the_one_i_let_get_away """
# Count how often each distinct character occurs
out = {}
for i in s:
    out[i] = s.count(i)
# Sort by character so the result is easy to read
out = sorted(out.items())
print(out)
'''
[('\n', 66), (' ', 71), ("'", 40), ('_', 245), ('a', 104), ('b', 30), ('c', 15), ('d', 29), ('e', 169), ('f', 19), ('g', 38), ('h', 67), ('i', 60), ('k', 20), ('l', 39), ('m', 28), ('n', 118), ('o', 165), ('p', 26), ('r', 61), ('s', 51), ('t', 133), ('u', 45), ('v', 7), ('w', 34), ('y', 62)]
No digits, and nothing counted outside the case branches. Reordering the array according to the rules gives:
[('a', 104), ('b', 30), ('c', 15), ('d', 29), ('e', 169), ('f', 19), ('g', 38), ('h', 67), ('i', 60), ('k', 20), ('l', 39), ('m', 28), ('n', 118), ('o', 165), ('p', 26), ('r', 61), ('s', 51), ('t', 133), ('u', 45), ('v', 7), ('w', 34), ('y', 62),(' ', 71),('_', 245)]
'''
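III. Decryption
Apply the operations in reverse to the data in the "out" file: first the shift and OR operations, then the reordering, and finally the conversion through the frequency counts.
The program's shift operation stays within the 255 range, so it can be inverted; only the last one is inaccurate.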
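The reversal order described above, as an added example that is not code from the original post or from the asong binary. The frequency table is the one printed in section II; the index table (`make_perm`), the shift width `K`, and the wrap-around form of the shift/OR stage are constructed stand-ins, because the post shows neither the s array values nor the shift widths.

```python
import random

# Frequency table as printed in the post (character -> count); all counts fit in one byte.
FREQ = {'a': 104, 'b': 30, 'c': 15, 'd': 29, 'e': 169, 'f': 19, 'g': 38,
        'h': 67, 'i': 60, 'k': 20, 'l': 39, 'm': 28, 'n': 118, 'o': 165,
        'p': 26, 'r': 61, 's': 51, 't': 133, 'u': 45, 'v': 7, 'w': 34,
        'y': 62, ' ': 71, '_': 245}
INV_FREQ = {count: ch for ch, count in FREQ.items()}
# The count -> character lookup is only unambiguous if no two counts collide.
assert len(INV_FREQ) == len(FREQ)

K = 3  # ASSUMED shift width; the post does not state the real one


def make_perm(n):
    """Constructed stand-in for the s table: output position i takes input perm[i]."""
    perm = list(range(n))
    random.Random(0).shuffle(perm)  # fixed seed, so both directions agree
    return perm


def encrypt(flag):
    data = [FREQ[c] for c in flag.lower()]       # stage 1: character -> count
    perm = make_perm(len(data))
    data = [data[p] for p in perm]               # stage 2: reorder by index table
    n = len(data)
    # stage 3 (assumed form): shift each byte left by K and OR in the top K bits
    # of the next byte, wrapping around at the end of the buffer
    return bytes(((data[i] << K) | (data[(i + 1) % n] >> (8 - K))) & 0xFF
                 for i in range(n))


def decrypt(blob):
    n = len(blob)
    # undo stage 3: low bits come from this byte, top K bits from the previous one
    data = [((blob[i] >> K) | (blob[i - 1] << (8 - K))) & 0xFF for i in range(n)]
    plain = [0] * n
    for i, p in enumerate(make_perm(n)):         # undo stage 2
        plain[p] = data[i]
    return ''.join(INV_FREQ[v] for v in plain)   # undo stage 1


if __name__ == "__main__":
    sample = "that_girl_got_away"                # constructed input, not the real flag
    blob = encrypt(sample)
    print(blob.hex(), decrypt(blob))
```

Against the real binary, `make_perm` and stage 3 would be replaced by the index table and shift widths read out of sub_400D33 and sub_400DB4.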
To be continued...
Source: https://www.cnblogs.com/blackicelisa/p/16519265.html