一次有意思的CTF题目babyre的逆向过程

WriteUp 2年前 (2022) admin
748 0 0

有朋友说参加了某个比赛,赛后说对这个逆向的题目比较郁闷,于是有了笔者的这次逆向之旅。

脱壳

拿到程序直接 IDA 载入,可以看到 PDB 信息,有些 pdb信息能泄露出题目的加密算法, 不过这里没啥帮助

一次有意思的CTF题目babyre的逆向过程

IDA 分析完后,无法识别出来任何函数。应该是混淆或加壳了

一次有意思的CTF题目babyre的逆向过程

CFF 查看节区信息,有个 Shell 节,基本上就是加壳了。此时 IDA 分析就不大方便了

一次有意思的CTF题目babyre的逆向过程

使用 x64dbg 进行动态调试,为了方便调试避免随机基址的干扰,使用 CFF 将随机基址 抹掉:找到 PE,然后下一行数 6 个,把 02 改成 03 就去除了随机基址了

一次有意思的CTF题目babyre的逆向过程

x64dbg 载入后停留在系统断点,F9 一次运行到 OEP

一次有意思的CTF题目babyre的逆向过程

直接往下翻找到一个大跳 jmp,以往经验来说这个  jmp 就是跳转到脱壳后程序的真正OEP 了,在这里下断

一次有意思的CTF题目babyre的逆向过程

在 0x00408525 处断下来后,F7 来到真正的 OEP。下图示典型的 VS 系列编译的程序的 入口特点“一call,紧接一 jmp”

一次有意思的CTF题目babyre的逆向过程

在 0x00401F34 这里断下来,直接脱壳就行了。使用 x64dbg 自带的 Scylla 进行脱壳就 行:依次点击 IAT Autosearch–>Get Import–>Dump

一次有意思的CTF题目babyre的逆向过程

检查下脱壳后的 babyre_dump.exe 是否能正常运行,这里直接就能跑起来了

代码分析

将脱壳后的 babyre_dump.exe 载入 IDA,进行静态分析。直接找到 main()函数查看伪代码

int __cdecl __noreturn main(int argc, const char **argv, const char **envp){HMODULE v3; // [esp+0h] [ebp-1Ch] signed int i; // [esp+4h] [ebp-18h] int v5; // [esp+8h] [ebp-14h]int v6; // [esp+Ch] [ebp-10h] char v7; // [esp+10h] [ebp-Ch] int v8; // [esp+11h] [ebp-Bh]char v9; // [esp+15h] [ebp-7h]v5 = 0x68546749;v6 = 0x79685365; v7 = 0;v8 = 0;v9 = 0;sub_401C30("please input the flag:"); //printf输出提示语句sub_401C70("%s", g_flag, 33);//scanf()输入flagv3 = GetModuleHandleA(0); sub_401920(v3);if (IsDebuggerPresent())//检测调试器{  for (i = 0; i < 32; ++i) //如果存在调试器则循环异或操作      g_flag[i] ^= i;}sub_4017A0(g_flag, 32, &v5, 8); if (sub_401400(v3))//校验输入是否正确  sub_401C30("nsuccess!");else  sub_401C30("nfailed!");system("pause"); exit(0);

表面上看逻辑很简单,输入flag 后会检测调试器,如果被调试就进行循环异或,最后在sub_401400()函数中校验输入是否正确 接下来就从后向前分析


sub_401400

先看看最终校验的这个函数的伪代码

BOOL sub_401400(){  return memcmp(g_flag, &unk_405000, 0x20u) == 0;}

就是 memecpy()进行比较

目标值 unk_405000,数组大小是 0x20。比较成功的数据是

 E8 B2 BE C7 24 2A 8C B1 2B 7A B8 36 17 78 34 91 7E 52 45 2A 6A FD E9 E4 94 CD 84 7A 79 D5 54 1E

也就是说我们输入的 flag 经过一系列的加密运算中中结果必须是上面这串 16 进制数据

sub_4017A0

接下来分析 sub_4017A0()这个函数

一次有意思的CTF题目babyre的逆向过程

也不用去看 sub_4017A0()函数内部的加密算法是如何加密的 只要是加密函数就有输入和输出,没有输出的加密函数没有任何卵用,可以直接忽略 输入存在的方式一般有:函数的参数、全局变量 输出的方式也是:函数的参数(传指针或引用,在函数内部修改,然后传出去)、全局变量、返回值

这里调用 sub_4017A0()函数,g_flag 就是传入参数之一,内部修改 g_flag(全局变量的 传出方式)

sub_4017A0((int)g_flag, 0x20u, (int)&v5, 8);

重点关注:在调用 sub_4017A0()函数前后g_flag 的变化

先尝试 sub_4017A0()函数是否可逆,可逆的话就完全没必要分析该函数了

x64dbg 调试 babyre_dump.exe,

输入 flag{67890abcdefghijklmnopqrstu}作为 flag,在 执行 sub_4017A0()的地方下断点断下来,查看 g_flag 的值

一次有意思的CTF题目babyre的逆向过程

执行 sub_4017A0()函数前 g_flag的值是

 6A 88 9C E2 16 7D FE ED BD 55 CD 54 F4 64 96 49 A6 3C C2 98 9E B7 09 68 E2 0D C4 DD F2 8B F0 9C

执行完 sub_4017A0()函数后 g_flag的值是

一次有意思的CTF题目babyre的逆向过程

 01 59 11 B8 B4 29 6A 16 3D 24 09 EE E9 5C 1E 72 07 E4 A3 B9 A3 94 A4 27 B3 60 4E A2 02 88 69 6B

判断 sub_4017A0()函数是否可逆?最简单的就是在执行  sub_4017A0()函数前将g_flag设置为

 01 59 11 B8 B4 29 6A 16 3D 24 09 EE E9 5C 1E 72 07 E4 A3 B9 A3 94 A4 27 B3 60 4E A2 02 88 69 6B

然后观察执行完 sub_4017A0()函数后,g_flag的结果是否是

 6A 88 9C E2 16 7D FE ED BD 55 CD 54 F4 64 96 49 A6 3C C2 98 9E B7 09 68 E2 0D C4 DD F2 8B F0 9C

经过验证发现sub_4017A0()是可逆的,所以就不用分析内部实现了

IsDebuggerPresent

接着分析这个逻辑,表面上是检测到调试器就行循环异或操作

一次有意思的CTF题目babyre的逆向过程

实际上这是个大坑,问题就出现在IsDebuggerPresent()这个函数调用上。该函数明明是Windows 系统 API,但是当你调试时会发现,F8 步过该函数会导致 g_flag的值发生变化

说明:IsDebuggerPresent()被 Hook或改装了

只能 F7 跟进IsDebuggerPresent()看看有啥猫腻?

在0x00401B0A下断点,这里就是上图中调用IsDebuggerPresent()的地址,运行后断下来。发现0x00401B0A处已不再是调用IsDebuggerPresent()了,其实是上面有函数修改了调用

一次有意思的CTF题目babyre的逆向过程

dwords ptr ds:[403000]的值是0x004014d0

直接去 IDA中调到该地址看伪代码

signed int sub_4014D0(){int v1; // [esp+4h] [ebp-38h]int v2; // [esp+10h] [ebp-2Ch]int v3; // [esp+18h] [ebp-24h]_DWORD *i; // [esp+24h] [ebp-18h]HMODULE v5; // [esp+28h] [ebp-14h]int j; // [esp+2Ch] [ebp-10h]DWORD flOldProtect; // [esp+34h] [ebp-8h]sub_401430(); // 该函数内部会修改g_flagv5 = GetModuleHandleA(0);for (i = (_DWORD *)((char *)v5 + *(_DWORD *)((char *)v5 + *((_DWORD *)v5 + 15) + 128)); *i; i += 5){  flOldProtect = 0;  v1 = (int)v5 + *i;  v3 = (int)v5 + i[4];  for (j = 0; *(_DWORD *)(v3 + 4 * j); ++j)  {    v2 = strcmp((const char *)v5 + *(_DWORD *)(v1 + 4 * j) + 2, "IsDebuggerPresent");    if (v2)      v2 = -(v2 < 0) | 1;    if (!v2)    {    VirtualProtect((LPVOID)(v3 + 4 * j), 4u, 0x40u, &flOldProtect);    *(_DWORD *)(v3 + 4 * j) = dword_40514C;    VirtualProtect((LPVOID)(v3 + 4 * j), 4u, flOldProtect, &flOldProtect);    }  } }return 1;}

经过调试发现sub_401430()内部会修改g_flag的值,而sub_4014D0()内部会修改内存属性将0x00401B0A处还原为IsDebuggerPresent()调用

重点关注sub_401430()内部的加密算法

sub_401430

查看伪代码

signed int sub_401430(){signed int i; // [esp+0h] [ebp-1050h]char v2; // [esp+4h] [ebp-104Ch]sub_401000(&v2, "Shell", 5);for (i = 0; i < 4; ++i){_mm_lfence();//该函数会修改g_flagsub_401280((int)&v2, (int *)(8 * i + 4215080), (int *)(8 * i + 4215084));}return 1;}

无需过多关注,直接看sub_401280()

sub_401280

伪代码如下:这个函数不是可逆的,需要自己从尾到头进行逆推

int *__cdecl sub_401280(int a1, int *a2, int *a3){int v3; // ST08_4int v4; // ST08_4int v5; // ST10_4int v6; // ST0C_4int *result; // eaxint v8; // [esp+4h] [ebp-Ch]int v9; // [esp+8h] [ebp-8h]__int16 i; // [esp+Ch] [ebp-4h]v9 = *a2;v8 = *a3;for (i = 0; i < 16; ++i){_mm_lfence();v3 = *(_DWORD *)(a1 + 4 * i) ^ v9;v9 = v8 ^ sub_4011D0(a1, v3);v8 = v3;}v4 = v9;v5 = v8;v6 = *(_DWORD *)(a1 + 64) ^ v4;*a2 = *(_DWORD *)(a1 + 68) ^ v5;result = a3;*a3 = v6;return result;}
看起来逻辑不复杂,但是逆推该函数需要很小心,不然特别容易出错
函数sub_401280()的大致逻辑是:
每次去g_flag数组的两个4字节数据记做a、b
然后经历一个16次的循环计算出v8、v9
最后与固定值进行异或:a = 0xC7296F5E ^ v9; b = 0xD2F4B2A9 ^ v8;
逆推需要极大的耐心

keygen

最后根据逆推编写的keygen.cpp源码

#include "stdafx.h"#include <windows.h>
// 从小到大//buf+72=unsigned buf1[256] = { 0xEF0BB3E1, 0xC7641F23, 0x87979882, 0x5ADCD72C, 0xC3F2A5BA, 0xF04B6205, 0x50F515CF, 0x07BE1141, 0x70D5567B, 0xE6828154, 0x6370FED0, 0xAEDB5231,0x5549DED3, 0x90978DAB, 0x9C60F020, 0x7B705CE2, 0xA640B614, 0xE9A79D79, 0x34AB03B6,0x116C3B4E, 0x93DC52AA, 0xCF3C13F0, 0x8723CC10, 0x0114349F, 0xE9E567FB, 0x1B910AC5,0x718BAB91, 0x667D5BF2, 0x214E15D8, 0x0E992E1F, 0xB2885084, 0xFA5529C7, 0x3D99CA53,0x8831640D, 0x561B43A1, 0x9C78429F, 0xFF3C2439, 0x6A872748, 0xC1B351A4, 0x56C2C251,0x7FA2EE3F, 0x447BFDB4, 0x70D472F5, 0x4DECB26B, 0x474A2B6E, 0x19C995DE, 0x7CD0229A,0xAD685768, 0x48256987, 0x12C14D34, 0x0B1537B0, 0xF47F218C, 0xEB90B8FE, 0x7B94EC7F,0xF6D120B2, 0xFE73BFAE, 0x6E1478B2, 0xDAEAC8AE, 0x7670D4FE, 0x53CC021A, 0x8AEE6B2F,0x71EF2670, 0x89DB2511, 0xF2A74FA3, 0x45907EAF, 0xB7A1616D, 0x3FFA6223, 0x5E32F0FD,0xA4740820, 0x9E17523D, 0x58640B7B, 0x730CC44C, 0xFEB1C8AC, 0xA195F59C, 0x564F18E1,0x7394D749, 0xEEE20CED, 0xDA04E8BF, 0xE3841D43, 0x01BC52EE, 0xBDC35BEF, 0xBC3206A7,0x740AE65C, 0xE3FDBB99, 0xD04B23EB, 0x3DCB2A4A, 0xFCFFF22C, 0x19F3D4A5, 0x1163773C,0x377F0B6B, 0xDF834A32, 0x3B0112DC, 0xF3DD6E58, 0x729A63EA, 0x0C99F43A, 0x5B37FA5C,0x2794065B, 0x68551B69, 0x8EBD6769, 0x3BF99B4F, 0x8B442AB8, 0xDB9E601F, 0xCCCEBE87,0xA7390C0C, 0x3047C663, 0x5C0E4E7E, 0x946120AC, 0x1428C4E7, 0x174D67A6, 0xB4FF07A1,0x10882AAC, 0x6833C256, 0xFCA428F1, 0xD65363DD, 0x975C7DB5, 0x09E5D3AE, 0xC5403038,0x51F8D8CE, 0xEF64203E, 0x18E134DD, 0x92D7D607, 0x6C84C922, 0xE4DE8A4B, 0x6E98707F,0x1A805A49, 0xE1724E52, 0xEEA54841, 0xB4D73927, 0x359F9B47, 0x2EC9BFF3, 0x8A4DEA8B,0xC5C6588C, 0xF2B889C9, 0x19984E21, 0x12FC2809, 0x9DF5E958, 0x5BC1EE84, 0x1C6B8137,0x56FEDB4C, 0x7C1E3D30, 0xE31F1431, 0xA142AED1, 0x91AB63E8, 0x67A95F95, 0x558359D7,0xB20B1067, 0xBA729209, 0x6FB8CC8F, 0x3C534718, 0xF975E105, 0x37E418A8, 0xB0633E2F,0xA5BD0743, 0xC2C891A2, 0x00E1EB4D, 0x96B82B47, 0xC64C31D7, 0xB31D1FCE, 0xB973130F,0x52F9F082, 0xB0D0B31B, 0x2D39D2C6, 0xAE06D0EC, 0x6563EDF1, 0xC17E050D, 0x8DEF0CF4,0xEA76BA54, 0x3DC2FF90, 0x75331CCA, 0x34BF42E8, 0xA350086D, 0x093C5094, 0x38846087,0xA6D0E8A8, 0x1120FBE0, 0x08ECC272, 0xDFAD9F13, 0x2C5E820E, 0x2C187994, 0x2F3820F6,
0x9B55B50F, 0x29E780E3, 0x2CEB5AB1, 0xA0C47381, 0xD35E2DFA, 0x36B71C65, 0x10FB2FD8,0x60A4CC70, 0x2E9ADADA, 0x4E228FD5, 0xB2300360, 0xDAA67871, 0x41F5DF9F, 0x37BEEDD4,0x0CD70C21, 0x730B15BE, 0x011D1159, 0x825C2CF9, 0x3A6C7E7B, 0x86D23A99, 0x1E683900,0xE0D8D9A1, 0x8479DCA8, 0x4DAA08E2, 0x5C5A2022, 0x8467546A, 0x870BACB4, 0x01501F73,0x3813E291, 0x91BC3138, 0xC343CADD, 0x836D7DAA, 0x0854E929, 0xAA395180, 0xCC78ACE3,0x43FC070A, 0x4AA3952E, 0x37BC08B7, 0xFE5F908F, 0x2A6FA6F8, 0x95F47C3E, 0x43C571ED,0x38024D96, 0xD0C94E1F, 0x816C1DEC, 0xD16B3AA3, 0x613630E5, 0x8A87FF69, 0xD9F35EE0,0x332B26E1, 0xA72CFA48, 0xC1A70885, 0x07C86E10, 0x6B08B022, 0x7799741C, 0x8E8E58BC,0xE80A6BAD, 0xD328BD5A, 0xC0D15A9F, 0x88B1803B, 0x57D6401A, 0x10485482, 0xF1527C5D,0x7451B1FA, 0x60515AEE, 0x11A8248B, 0xFC870966, 0xDF3DC60B, 0xCE10CBEF, 0xF7FA36F8,0xE9984AED, 0x09EA72A4, 0x6F9742E4, 0x93F8D8B7, 0x44BB3494, 0xCD07C9E3 };//buf+1096=unsigned buf2[256] = { 0xDB61F821, 0x0B83E8D1, 0x37358FD9, 0x994062BB, 0xB75B0A46, 0x29A48673, 0x852F3AC9, 0x64B3EBD3, 0xC22C4F4A, 0x07426AD5, 0x497BA6B1, 0xEEFAA40A,0xFDDEA8F9, 0x1FF44860, 0x7D09B11B, 0x779D3BCD, 0xD0DBC800, 0x66EA45DE, 0x3C78459E,0xC67EEAD3, 0xB3757C05, 0xD1705E4D, 0xA81FB23D, 0x77E7FD2B, 0xA4A7FDF7, 0x71644253,0xA8579BF4, 0xE56AFAE5, 0x88A7F643, 0x906F291D, 0x47F6DD9E, 0x3C6626B2, 0xE258AE89,0x337EE48B, 0xDB13ACB5, 0x776ACE31, 0x8B37771A, 0x0E6C6DB1, 0xF236B53B, 0xB0E35795,0x71C54EF7, 0x690829E8, 0x6122564C, 0x939F4A57, 0x1DD82E69, 0xFEA854D6, 0xA568D8AE,0xD923A34E, 0x67F6F5BE, 0xBDE660AE, 0x954CB773, 0xCE490D8D, 0x21E03236, 0x33387D1C,0x4846253B, 0x1C680DC9, 0xF481FBCC, 0x251B4F7B, 0xE9E95594, 0xC888D055, 0xBC2615B7,0xDF2B4BF8, 0xB469A48A, 0x71179619, 0x1EAE1F63, 0xECBDBE3F, 0xB35DBF7E, 0xA645FF49,0xCBF52671, 0x5510B00D, 0xB84DF3DF, 0x1496C385, 0x8C3E5325, 0xF2AB4418, 0x3BDD2A92,0x075918B3, 0x8E23B115, 0xF8E31506, 0x7355E998, 0x50D70A5C, 0x631397B0, 0xEB454ACC,0x4BAC49EF, 0xF200D577, 0x3C872C78, 0x3B46A242, 0x4A7B10CA, 0x84A2CC73, 0x4DBBA037,0x0B047EF6, 0x31FB3C0F, 0x89D465A4, 0x02245213, 0x5A0DF927, 0xC91A903F, 0x572078AF,0x492144B9, 0x40F1D483, 0x19C2C2DE, 0xD697D3DA, 0xF0B86685, 0x3BD59D7C, 0x8F2DF61D,0x0BCF4B8C, 0xBFE28140, 0x123A5075, 0x7591BE7E, 0xA955FFAB, 0x3A49AEFE, 0x51388F82,0xE29DCAB3, 0x5D25D4C4, 0xB44EF3F8, 0x8BE5FBBD, 0x4D76260A, 0xF78A3B81, 0xD63837FA,0x77DCD367, 0xAC1F9704, 0x252758E4, 0xC95151B9, 0x79C248A3, 0xD5883C94, 0xD8C828A5,0x5826575D, 0x56068763, 0x93986C9E, 0x5C4C085A, 0x8CB2EB74, 0x18E982A5, 0xB0B4EB21,0x857C5356, 0x938DB1C6, 0xEEA3014C, 0x6C1A1A19, 0x5430B9BF, 0x647B7220, 0x2F67B841,0x37F3F4E4, 0x0DC0DE42, 0x1D2E6719, 0x2A216104, 0xD11F9C90, 0x0E9938AC, 0x989483F5,0x52E5A935, 0x97D6E224, 0xE3059A7C, 0xFD9A2210, 0x32E5CA32, 0xF883E382, 0x67B429BD,0x90CA4FA7, 0xCBC97BDE, 0xBEB9DA51, 0x31811182, 0x1C8FA7B4, 0xF172E120, 0x9EB30700,0xCD0687BE, 0xC03C15CB, 0x3C293A7F, 0x6F575101, 0x86396611, 0xF10A3501, 0xE54635EE,0x170BFE34, 0x69FB0E3E, 0x4C912C0F, 0xC5C6561F, 0xB0B31E36, 0xEAD7BBD2, 0x3194FB38,0x8083E8A0, 0x2C65EBB3, 0x3748E4EF, 0x53C184EB, 0x85BD28C8, 0xE99F7BDD, 0x1107A5EE,0x68B0EC41, 0x70F94C39, 0x10AB28F3, 0x8C3A68F5, 0xB5E0B880, 0x932C5163, 0x0649AE8E,0xF047912C, 0xB95D71C3, 0x47BA1269, 0x1C53BA9F, 0x3A3EEC76, 0x1BB0C397, 0x25CF5553,0xC7791483, 0xEDE05D07, 0x3143314D, 0x2B1F26DF, 0x85118B6A, 0x1012EEA0, 0xCFCFED5A,0x89C23754, 0x03350C03, 0x39019EEF, 0xE46C6179, 0x8F25492A, 0x1402C204, 0x8660CF48,0x065BAFC4, 0x2C5865AC, 0x8DD39311, 0x0F79E033, 0xD94D3A63, 0xA991D784, 0x38E021CA,0x87E7B26C, 0xEA9FB88C, 0x7F942DBB, 0x1995260F, 0xC2BB053F, 0x45A97DEC, 0x3E75D828,
0x4E3C6209, 0xCFC96172, 0x4A85C2CD, 0xA5D339F3, 0x4EB1487C, 0xE9EC6B74, 0xA6432A4C,0xFC45B412, 0x9CA2E88C, 0x90B5F058, 0x00FE18C7, 0x3F8249CD, 0x0AE0A0DA, 0xB8B5FC58,0x9B7838D8, 0x145CA4D1, 0xB659C61D, 0x3F7FF279, 0x6402C595, 0x22F7B052, 0xE3D3069F,0x84CCE915, 0x54630987, 0x1646857B, 0x0982406D, 0x6FE03C73, 0x3596E8DF, 0xCC8D4B54,0x8D5ABD25, 0xC8833888, 0xB0F71505, 0x5555DA33, 0x55FB399E, 0x79D1995B };//buf+2120=unsigned buf3[256] = { 0x9A0266DD, 0xF67593F1, 0xC0DCF21F, 0xA67EEA4B, 0xE9057770, 0xB5933966, 0xEEB6B407, 0xEF2A1A57, 0xEB90E7CB, 0xAEF44C5B, 0x1C39F8CE, 0x50610ACB,0x5D01474D, 0xBCD7A8D6, 0xB67DD7E9, 0x5F964FD3, 0x955C5E63, 0x03849ADF, 0xD8C44F5B,0x55B35ED6, 0x76B0501A, 0xE265C933, 0x9AFFEEE2, 0xE1ED43B9, 0x4EE51A77, 0xEA877E52,0x73931F9E, 0x9A66D5D8, 0x2BE08C32, 0x38568B74, 0x47098AC7, 0x8C46B09C, 0x76124629,0x70E43E02, 0x1E6A86CC, 0x7C6FF655, 0x9496C1A5, 0x833C2C2C, 0x29B38ECD, 0xDC5FB7E3,0x626483D8, 0x4AC7AE42, 0x5DEBC331, 0xEE97BB3E, 0x0F69B1C9, 0xC8D60689, 0x70C1B521,0x5876E37B, 0x1AE41635, 0x09A2D53F, 0x26BBF911, 0x6BC1200D, 0x79374ECD, 0x67E894DA,0x4A5CE071, 0xFA0E1C0D, 0xBEA1BFD3, 0xB5976FC7, 0x32FE401A, 0x26CEEEED, 0x5E46CDDD,0xF1F48D33, 0x654BDF51, 0x6C621FE7, 0x009BC06C, 0xA7312528, 0xF9EB959C, 0x0AB7729B,0xA6A9D09B, 0x68ED2427, 0xC6C88BFE, 0x30625121, 0xBECEF1D0, 0x2FAADF3C, 0xE664B751,0xAC0E7068, 0x235480D4, 0x53DCFECD, 0xE331BC4D, 0x8BC7151D, 0x8AF3BECB, 0xBCFBB6E4,0x88C040B1, 0x08710501, 0x57CB78E2, 0xAB2282B8, 0x7F30DB88, 0x63031614, 0x5A4DFC0B,0x3D6DF4E6, 0xCA629129, 0xDD85494B, 0x119C42A1, 0xBC1477CD, 0xE7E3AD2E, 0x3A2F2FF6,0x16A341BF, 0xDB5F9977, 0x3CB335DC, 0xEF5B114F, 0x75BC652F, 0xDBDC8D40, 0xF948BC55,0xDA2BBADF, 0xF62396B2, 0xA15D234E, 0x347BE6F7, 0x77673AFF, 0x93B424CE, 0xE2728245,0xCAA3E43B, 0xD6491E4F, 0xD44825E3, 0xAB697D03, 0x4B3267D4, 0x162A7CFF, 0x22C6DAFA,0xED5E7ED2, 0xF7217703, 0x2470C5DC, 0x2915C683, 0x11FBC7BA, 0xB8468C6F, 0xFB101A14,0x62A701C8, 0x659D1D0B, 0x82D997AC, 0x2D6AC413, 0xFA4E7541, 0x8B453643, 0x06BF1100,0xD8F4029F, 0x65F9B986, 0x93025562, 0xFCC575F8, 0xFA6956E9, 0xF00DBB68, 0xF8F70A52,0x2DF0B51E, 0x6052E4AA, 0xFCCDDC72, 0xCB66AA90, 0x9433B3E7, 0x9B882078, 0xAF60B73A,0xF5794D5D, 0x81E3EA7B, 0x57D6C96C, 0x10515586, 0xBC6D6312, 0x76817FE3, 0x146DB720,0x259C76DC, 0x5E3839BF, 0x2B60D785, 0x8DF965CD, 0xA3E5422E, 0x75B7DF72, 0xD1571C54,0xDD31872E, 0x0B8A3B0D, 0x48E796C2, 0x9A9F4F16, 0x0D9F6296, 0x6B20FDE7, 0x348FDE70,0x7C68CB3D, 0x29E8EEC7, 0xDBD7407A, 0x99A132C2, 0xD55865CF, 0x11767508, 0xD65EFF3F,0x9BD2F6BF, 0xB5AA0E94, 0x549E0593, 0xC19BD33D, 0x8E9F3AA3, 0x91363DF6, 0x6D0FD4C7,0x8ADDBB27, 0x8AA3BF7B, 0x51591F2A, 0x647BE8A6, 0x77DA9F26, 0xCC0B80F0, 0xD98FEF7F,0x420971F0, 0x2DA51528, 0x6C6ECDB5, 0x126ACAC0, 0x7225D34F, 0x2D5DB1D8, 0x939574C9,0x6257F79E, 0xE2B64CFC, 0x6104B3DF, 0x55D9967D, 0x77FADA5B, 0x92EB1E47, 0xD03CF336,0x475F2EE7, 0x16E007CE, 0xDFC8E763, 0x3C76A38C, 0xEC0E6223, 0x67796EA7, 0xC98C0842,0xA42DD073, 0xA31084E1, 0x3238C062, 0x8A9D1B57, 0x85593E68, 0xB095C39A, 0xBC5EB63A,0x8576B9EC, 0xE3A7CCD8, 0xDBC6DB18, 0x37F5F855, 0x69FE58C7, 0x603447BD, 0x15068B2D,0x06A27502, 0xF89AFB63, 0x06A7EF01, 0x5F5CCD4D, 0x1D80CADA, 0x7519A177, 0x69CB7B22,0xF9F0CBBC, 0x4EFCC59E, 0x19E03A12, 0x06E2718C, 0x93844380, 0xF3A7F217, 0x525A574F,0x2AD40BE0, 0xBB839A56, 0xD5398F37, 0xC957024A, 0xC670DA50, 0x9D8A8D73, 0x42804CBB,0x1B65D725, 0xBC1ED015, 0xE6C59D74, 0xE8A828EF, 0x1621136A, 0xDFCD7E70, 0x75599500,0x9271FCCC, 0x6026D1E7, 0x520D078B, 0x932A4A56, 0x01275BB9, 0x5DF144F4 };//buf+3144unsigned buf4[256] = { 0x90370B5D, 0xDA126C22, 0x0950FD75, 0x21AB5650, 0x54AE0BE6, 0xAD50BD78, 0x2C0B7C9E, 0xC8483F66, 0x2772EFCB, 0x6BB57805, 0x9D07C972, 0xB403A5D8,0xE9A5D021, 0x008FD603, 0x6B4B5A9D, 0xAB6E8DF4, 0xAA7A130F, 0xEF3A6FD9, 0x8CBF3B23,0x28E8CC2D, 0xC9AB8082, 0xC68D197D, 0x5CC3D06F, 0x50586386, 0xE49453F6, 0x0A11AFD0,0x8DCB7255, 0x546F203A, 0x732BC8F4, 0x24DB93F3, 0x38A457FB, 0xF082F74C, 0xE6C781B5,0x93FAAE0C, 0x67409E8C, 0x4374A179, 0x13A864AB, 0x4A65C862, 0x315EEE5C, 0x56345A85,0xF7C3B8F2, 0x2D7EE48D, 0xCC5A485B, 0x9AD93CFC, 0xE471EE03, 0x118F8F8A, 0xA1200C93,0x8E36F326, 0xBE4BF139, 0x716778A9, 0x086578E9, 0xB64F51B7, 0xE6D5276C, 0x407A1FAF,0x67951C72, 0x752EBF05, 0x8F89A9FF, 0x0EF638B9, 0x24142A6E, 0xB62E2B5C, 0xBCE66012,0x2468CFAC, 0x16186730, 0xAB92F123, 0x6D79552B, 0xE46C0EA4, 0x645BCB72, 0x18655158,0xACC87162, 0x9C5527EC, 0x95119725, 0x3BD95C64, 0x570034AE, 0x6178766B, 0x665114D0,0x2D5CE599, 0x68EA6703, 0x136EA8A3, 0xBC348E74, 0xAF59E49E, 0xBB9033A3, 0x8FBFA246,0x08ED6FAD, 0x0166F53C, 0x844A8E01, 0x8CEF2AF9, 0xA7D5F741, 0x9F92D0CC, 0xD3BF3DE1,0xC7B84EC9, 0x60E42CD1, 0xDDD0556F, 0xFC958958, 0x34F048BE, 0x039BC2BE, 0x52AEF3F1,0x1A3B10F9, 0x937D80E7, 0x081FFBDA, 0xA85A9FA0, 0xF040C23B, 0x3C7EC53F, 0x45E36327,0x1F6ED87E, 0xB12328E9, 0x52E2BDB2, 0xCE3A3B8C, 0x7C176FF9, 0xF5952A25, 0x38197DF2,0x8A436EA2, 0x25B88F4B, 0x41664E91, 0x586B5B2F, 0xDC5C3282, 0x26381C4C, 0xE1EB8C78,0xB7FDD1D4, 0x3111D2CF, 0x79E31806, 0xFEEE10F9, 0xB918E78A, 0x93992501, 0x5870F32E,0xEC07E12B, 0x7F64518B, 0x698952BF, 0xCCB27D15, 0x019ED8B7, 0xDC1D8AEE, 0xD339EA37,0x8DE638C0, 0x1A8AA5B8, 0x8B91CD6B, 0x32D3FF2D, 0x4835D82F, 0xBF199CA5, 0x91F04A0F,0x3C58F6A0, 0x210C23F6, 0xF581E56A, 0xA8AD1021, 0x4FCF2D5E, 0xA159729F, 0x684315D3,0x515537E2, 0x8A5A23B4, 0xBC90C49A, 0xDEED038E, 0xFD139D40, 0xD0F48E94, 0xED2F1013,0x5C3A1774, 0x812839C7, 0x824EE42E, 0x2E02B15C, 0xE872A1F3, 0xC602D9A8, 0xC16EEDBB,0xE6D1EC43, 0xB4727E0A, 0xF0C3B433, 0x8AB57630, 0xEAFA1B30, 0xB706C504, 0xFCE26374,0x857FC93D, 0xE5106A2C, 0xA0C57FBD, 0xB2246462, 0xB96DA98D, 0x379AB434, 0xA4876A67,0x2E95EB46, 0x7016812F, 0xCEC8C32C, 0xCB5BCBB3, 0x62A20EBF, 0xFC450725, 0x24745C08,0xB2453299, 0x10583283, 0x4DB73E29, 0xA6F95AAC, 0xB987B417, 0x57526C2B, 0x203C56A3,0x9F064C81, 0x5613F2BC, 0x1CEC42E2, 0x2E7BCB27, 0xA54F78AB, 0x783B785D, 0x51F264BF,0x2CEB281B, 0x5CF44E46, 0xC1407494, 0xF673D2FD, 0x573BAE7D, 0xEB577A2B, 0xFDA5353E,0x9D30208D, 0xD37917C9, 0xA834F82B, 0x050FC695, 0xD25FAFAA, 0x38FBAE63, 0x1DAE96B6,0xC118157F, 0x9E384815, 0x613150D8, 0x4BA2D249, 0x7875B96D, 0x7EF301A4, 0x22FFD05F,0xE1E407CF, 0xCA2DF8E6, 0xB8558BA9, 0x9D3ADBD0, 0x41C19126, 0xA2657F30, 0xA47DD9B3,0xF6635E9A, 0x4870D994, 0x00F03D75, 0xB0809CA7, 0x7E46F055, 0xF538653B, 0x95951F91,0x3C0F90C9, 0xB000F312, 0xAFEC7741, 0x8A649B5F, 0x864E9AA5, 0xDC44825E, 0xA3965284,0x7DC1C03D, 0x4E14CB78, 0xA1BF79CC, 0x40A76B95, 0x63ABBDCE, 0xFC95181D, 0x3DFDAC01,0xDD44826E, 0x0F79380F, 0xB9EEEBCA, 0x9DE4FC90, 0xFB362562, 0xFDEA8830, 0x83D7D08D,0xB66E2A20, 0xB3FA3EB1, 0xA09CFAEE, 0x9B421C45, 0xB0A94368, 0x2775CF93 };unsigned int sub_4011D0(unsigned int index);void sub_401280_re(unsigned int* pa, unsigned int* pb);
int _tmain(int argc, _TCHAR* argv[]){/*E8 B2 BE C7 24 2A 8C B1 2B 7A B8 36 17 78 34 91 7E 52 45 2A 6A FD E9 E4 94 CD84 7A 79 D5 54 1E-->调用sub_4017A0得83 63 33 9D 86 7E 18 4A AB 0B 7C 8C 0A 40 BC AA DF 8A 24 0B 57 DE 44 AB C5 A00E 05 89 D6 CD E9-->调用循环xor得83 62 31 9E 82 7B 1E 4D A3 02 76 87 06 4D B2 A5 CF 9B 36 18 43 CB 52 BC DD B914 1E 95 CB D3 F6-->调用sub_401280得 Sangfor{855908672599db85b370dcb}*/unsigned int result[8] = { 0x9D336383, 0x4A187E86, 0x8C7C0BAB, 0xAABC400A, 0x0B248ADF, 0xAB44DE57, 0x050EA0C5, 0xE9CDD689 };unsigned int first = 0; unsigned int second = 0; char szFlag[64] = { 0 };unsigned int* pInt = (unsigned int*)szFlag;char* pChar = (char*)result;for (int i = 0; i < 32; ++i){pChar[i] ^= i;}for (int i = 0; i < 4; ++i){first = result[2 * i]; second = result[2 * i + 1];sub_401280_re(&first, &second); pInt[2 * i] = first;pInt[2 * i + 1] = second;}printf("%sn", szFlag);system("pause");}unsigned int sub_4011D0(unsigned int index){unsigned int a, b, c, d; unsigned int *pa, *pb, *pc, *pd; char buf[4] = { 0 };*((int*)buf) = index;a = (unsigned char)buf[0];b = (unsigned char)buf[1]; c = (unsigned char)buf[2]; d = (unsigned char)buf[3];
pa = (unsigned int *)buf1; pb = (unsigned int *)buf2; pc = (unsigned int *)buf3; pd = (unsigned int *)buf4;
return pd[a] + (pc[b] ^ (pb[c] + pa[d]));}void sub_401280_re(unsigned int* pFirst, unsigned int* pSecond){int index = 0; unsigned int a = 0; unsigned int b = 0;unsigned int buf[16] = { 0x0D57C1A8, 0x17932774, 0x02FE0A07, 0xEECDEAF1, 0x5346F7B2, 0x74CE99FD, 0x59FC8B56, 0x54AEEDA3, 0xE6EDFB69, 0x5248C2B7, 0x187FB925,0xF42831B4, 0x4E7DAFB0, 0x4F3BE710, 0x4822A249, 0xC06B61DB };

b = 0xD2F4B2A9 ^ (*pFirst); a = 0xC7296F5E ^ (*pSecond); index = b;
for (int i = 15; i >= 0; --i){index = b;unsigned int num = sub_4011D0(index); b = a ^ num;a = buf[i] ^ index;//printf("a=%08xtb=%08xn", a, b);}*pFirst = a;*pSecond = b;}

最后算出来的 falg是:

Sangfor{855908672599db85b370dcb}

一次有意思的CTF题目babyre的逆向过程

原文始发于微信公众号(安全初心):一次有意思的CTF题目babyre的逆向过程

版权声明:admin 发表于 2022年10月27日 下午6:59。
转载请注明:一次有意思的CTF题目babyre的逆向过程 | CTF导航

相关文章

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...