欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页

buuctf 刮开有奖wp

程序员文章站 2022-06-15 13:10:03
...

buuctf 刮开有奖

  1. 正常EXE文件,无壳,直接打开。
    buuctf 刮开有奖wp

  2. 毫无反应,ENTER退出,拖入IDA,F5。
    buuctf 刮开有奖wp

  3. 找到主要部分,开始分析程序。

BOOL __stdcall DialogFunc(HWND hDlg, UINT a2, WPARAM a3, LPARAM a4)
{
  const char *v4; // esi
  const char *v5; // edi
  int v7; // [esp+8h] [ebp-20030h]
  int v8; // [esp+Ch] [ebp-2002Ch]
  int v9; // [esp+10h] [ebp-20028h]
  int v10; // [esp+14h] [ebp-20024h]
  int v11; // [esp+18h] [ebp-20020h]
  int v12; // [esp+1Ch] [ebp-2001Ch]
  int v13; // [esp+20h] [ebp-20018h]
  int v14; // [esp+24h] [ebp-20014h]
  int v15; // [esp+28h] [ebp-20010h]
  int v16; // [esp+2Ch] [ebp-2000Ch]
  int v17; // [esp+30h] [ebp-20008h]
  CHAR String; // [esp+34h] [ebp-20004h]
  char v19; // [esp+35h] [ebp-20003h]
  char v20; // [esp+36h] [ebp-20002h]
  char v21; // [esp+37h] [ebp-20001h]
  char v22; // [esp+38h] [ebp-20000h]
  char v23; // [esp+39h] [ebp-1FFFFh]
  char v24; // [esp+3Ah] [ebp-1FFFEh]
  char v25; // [esp+3Bh] [ebp-1FFFDh]
  char v26; // [esp+10034h] [ebp-10004h]
  char v27; // [esp+10035h] [ebp-10003h]
  char v28; // [esp+10036h] [ebp-10002h]

  if ( a2 == 272 )
    return 1;
  if ( a2 != 273 )
    return 0;
  if ( (_WORD)a3 == 1001 )
  {
    memset(&String, 0, 0xFFFFu);
    GetDlgItemTextA(hDlg, 1000, &String, 0xFFFF);
    if ( strlen(&String) == 8 )
    {
      v7 = 90;
      v8 = 74;
      v9 = 83;
      v10 = 69;
      v11 = 67;
      v12 = 97;
      v13 = 78;
      v14 = 72;
      v15 = 51;
      v16 = 110;
      v17 = 103;
      sub_4010F0((int)&v7, 0, 10);
      memset(&v26, 0, 0xFFFFu);
      v26 = v23;
      v28 = v25;
      v27 = v24;
      v4 = (const char *)sub_401000(&v26, strlen(&v26));
      memset(&v26, 0, 0xFFFFu);
      v27 = v21;
      v26 = v20;
      v28 = v22;
      v5 = (const char *)sub_401000(&v26, strlen(&v26));
      if ( String == v7 + 34
        && v19 == v11
        && 4 * v20 - 141 == 3 * v9
        && v21 / 4 == 2 * (v14 / 9)
        && !strcmp(v4, "ak1w")
        && !strcmp(v5, "V1Ax") )
      {
        MessageBoxA(hDlg, "U g3t 1T!", "@aaa@qq.com", 0);
      }
    }
    return 0;
  }
  if ( (_WORD)a3 != 1 && (_WORD)a3 != 2 )
    return 0;
  EndDialog(hDlg, (unsigned __int16)a3);
  return 1;
}
  1. sub_4010F0进行了一个数据的变换,直接尝试翻译成C语言执行。

    int __cdecl sub_4010F0(int a1, int a2, int a3)
    {
      int result; // eax
      int i; // esi
      int v5; // ecx
      int v6; // edx
    
      result = a3;
      for ( i = a2; i <= a3; a2 = i )
      {
        v5 = 4 * i;
        v6 = *(_DWORD *)(4 * i + a1);
        if ( a2 < result && i < result )
        {
          do
          {
            if ( v6 > *(_DWORD *)(a1 + 4 * result) )
            {
              if ( i >= result )
                break;
              ++i;
              *(_DWORD *)(v5 + a1) = *(_DWORD *)(a1 + 4 * result);
              if ( i >= result )
                break;
              while ( *(_DWORD *)(a1 + 4 * i) <= v6 )
              {
                if ( ++i >= result )
                  goto LABEL_13;
              }
              if ( i >= result )
                break;
              v5 = 4 * i;
              *(_DWORD *)(a1 + 4 * result) = *(_DWORD *)(4 * i + a1);
            }
            --result;
          }
          while ( i < result );
        }
    LABEL_13:
        *(_DWORD *)(a1 + 4 * result) = v6;
        sub_4010F0(a1, a2, i - 1);
        result = a3;
        ++i;
      }
      return result;
    }
    

    翻译的C语言程序

     #include<stdio.h>
     int sub_40(int a[10],int a2,int a3)
     {
    int result; // eax
     int i; // esi
     int v5; // ecx
     int v6; // edx
    result = a3;
     for ( i = a2; i <= a3; a2 = i )
     {
       v5 = i;
       v6 = a[i];
       if ( a2 < result && i < result )
       {
         do
         {
           if ( v6 > a[result] )
           {
             if ( i >= result )
               break;
             ++i;
             a[v5] = a[result];
             if ( i >= result )
               break;
             while ( a[i] <= v6 )
             {
               if ( ++i >= result )
                 goto LABEL_13;
             }
             if ( i >= result )
               break;
             v5 = i;
            a[result] = a[i];
           }
           --result;
         }
         while ( i < result );
       }
      LABEL_13:
      a[result] = v6;
       sub_40(a, a2, i - 1);
       result = a3;
       ++i;
      	}
     	return result;
     }
     void main()
     {
     	int i;
     	int a[20]={90,74,83,69,67,97,78,72,51,110,103};
     	sub_40(a,0,10);
     	for (i=0;i<=10;i++)
     		printf("%4c",a[i]);
     	printf("\n");
     	for (i=0;i<=10;i++)
     		printf("%4d",a[i]);
     	printf("\n");
     }
    

    运行结果
    buuctf 刮开有奖wp

  2. 继续分析,sub_401000,猜测是一个base64加密过程。
    buuctf 刮开有奖wp
    buuctf 刮开有奖wp

  3. 通过base64解密和上面转换后的数值,得到最后flag中的内容为"UJWP1jMp"

2020年8月8日23点04分

相关标签: 从零开始CTF