測試文件:https://lanzous.com/ibh1vch
代碼分析
/*
 * Program entry point (decompiler output; Hex-Rays names kept so the
 * listing matches the binary).
 * Prints a prompt on stdout, pulls the candidate flag from stdin via
 * sub_4010F0(), checks it with sub_401050(), prints a success or failure
 * banner and exits.  Globals: hFile (stdin handle), dword_403074 (stdout).
 * WriteFile() results are never checked; the exit status is 0 on both
 * paths, so the verdict is only visible on stdout.
 */
void __noreturn start()
{
  DWORD NumberOfBytesWritten; // [esp+0h] [ebp-4h]

  NumberOfBytesWritten = 0;
  hFile = GetStdHandle(0xFFFFFFF6);         // (DWORD)-10 == STD_INPUT_HANDLE
  dword_403074 = GetStdHandle(0xFFFFFFF5);  // (DWORD)-11 == STD_OUTPUT_HANDLE
  // 0x13-byte prompt; only the symbol name is visible on this page, not the text.
  WriteFile(dword_403074, aG1v3M3T3hFl4g, 0x13u, &NumberOfBytesWritten, 0);
  sub_4010F0();   // read stdin into byte_403078, dropping CR/LF (return value ignored)
  if ( sub_401050() )
    WriteFile(dword_403074, aG00dJ0b, 0xAu, &NumberOfBytesWritten, 0);          // 0xA-byte success banner
  else
    WriteFile(dword_403074, aN0tT00H0tRWe7r, 0x24u, &NumberOfBytesWritten, 0);  // 0x24-byte failure banner
  ExitProcess(0);
}
這里面分析好sub_4010F0和sub_401050函數就行了。
sub_4010F0函數
/*
 * Reads the candidate flag from stdin (decompiler output; Hex-Rays names kept).
 * Up to 0x104 bytes are read into a zeroed stack buffer; every byte that is
 * not NUL, LF or CR is then copied to the global byte_403078 at the SAME
 * index, so CR/LF are dropped in place rather than compacted out.
 * Always returns 1; the caller, start(), ignores the value.
 * sub_401020() is not shown on this page; from its use here and in
 * sub_401050() it behaves like a string-length routine -- TODO confirm.
 */
signed int sub_4010F0()
{
  unsigned int v0; // eax
  char Buffer[260]; // [esp+0h] [ebp-110h]
  DWORD NumberOfBytesRead; // [esp+104h] [ebp-Ch]
  unsigned int i; // [esp+108h] [ebp-8h]
  char v5; // [esp+10Fh] [ebp-1h]

  v5 = 0;
  for ( i = 0; i < 0x104; ++i )   // 0x104 == 260: clears the whole buffer
    Buffer[i] = 0;
  // Return value and NumberOfBytesRead are never checked.  A read that fills
  // all 0x104 bytes leaves no NUL terminator, so the length taken below would
  // run past Buffer (weakness of the target binary, noted for completeness).
  ReadFile(hFile, Buffer, 0x104u, &NumberOfBytesRead, 0);
  for ( i = 0; ; ++i )
  {
    v0 = sub_401020(Buffer);   // recomputed each iteration although Buffer no longer changes
    if ( i >= v0 )
      break;
    v5 = Buffer[i];
    if ( v5 != 10 && v5 != 13 )   // skip LF (10) and CR (13)
    {
      if ( v5 )                   // skip NUL; the slot in byte_403078 is left untouched
        byte_403078[i] = v5;      // size of byte_403078 is not visible here; no bound check
    }
  }
  return 1;
}
sub_401050函數
/*
 * Flag check (decompiler output; Hex-Rays names kept).
 * Transforms the stored input byte_403078 into byte_403180 and compares the
 * first 0x27 (39) bytes with the constant table byte_403000.  Returns 1 on a
 * full match, 0 at the first mismatch.
 * Transform, walking from the last byte to the first:
 *   out[last] = in[last] ^ seed     seed = sub_401000(), not shown on this
 *                                   page; the solver script below uses 4
 *   out[i]    = in[i] ^ in[i + 1]   for every earlier i
 * Each ciphertext byte depends on the plaintext byte after it, which is why
 * the solver has to walk backwards.
 */
signed int sub_401050()
{
  int v0; // ST04_4
  int i; // [esp+4h] [ebp-8h]
  unsigned int j; // [esp+4h] [ebp-8h]
  char v4; // [esp+Bh] [ebp-1h]

  v0 = sub_401020(byte_403078);   // apparently the input length (sub_401020 not shown) -- confirm
  v4 = sub_401000();              // initial key byte
  for ( i = v0 - 1; i >= 0; --i ) // no iterations for an empty input
  {
    byte_403180[i] = v4 ^ byte_403078[i];
    v4 = byte_403078[i];          // the plaintext byte just consumed keys the one before it
  }
  // The comparison length is fixed at 0x27 regardless of v0: the expected
  // flag body is 39 bytes; extra input bytes are ignored, and for a shorter
  // input the untouched tail of byte_403180 is compared as-is.
  for ( j = 0; j < 0x27; ++j )
  {
    if ( byte_403180[j] != (unsigned __int8)byte_403000[j] )  // table byte read as unsigned
      return 0;
  }
  return 1;
}
還是倒過來分析
sub_401050函數就是將字符串逆向做了異或操作之后,與已知字符串byte_403000對比。
sub_4010F0函數就是把我們輸入字符串中的\r\n去掉。
腳本
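# -*- coding:utf-8 -*-
# Solver for the check in sub_401050: the binary XORs each input byte with the
# byte that follows it (the last byte with a seed from sub_401000) and compares
# the result with the 0x27-byte table byte_403000.  Running that chain
# backwards recovers the plaintext.

# Expected ciphertext, 0x27 (39) bytes, in byte_403000 order.
arr2 = [0x0D, 0x26, 0x49, 0x45, 0x2A, 0x17, 0x78, 0x44, 0x2B, 0x6C, 0x5D, 0x5E, 0x45, 0x12, 0x2F, 0x17,
        0x2B, 0x44, 0x6F, 0x6E, 0x56, 0x09, 0x5F, 0x45, 0x47, 0x73, 0x26, 0x0A, 0x0D, 0x13, 0x17, 0x48,
        0x42, 0x01, 0x40, 0x4D, 0x0C, 0x02, 0x69]


def decrypt(cipher, seed=4):
    """Invert the sub_401050 transform.

    Args:
        cipher: sequence of ciphertext bytes (ints), in byte_403000 order.
        seed: initial key byte returned by sub_401000() in the binary; 4 is
            the value the original script hard-coded.

    Returns:
        The recovered plaintext as a str (empty for an empty cipher).
    """
    plain = []
    key = seed
    # cipher[i] == plain[i] ^ plain[i + 1] and cipher[-1] == plain[-1] ^ seed,
    # so walk from the last byte backwards; each recovered byte keys the
    # one before it.
    for c in reversed(cipher):
        key = c ^ key
        plain.append(key)
    return ''.join(chr(x) for x in reversed(plain))


print('flag{' + decrypt(arr2) + '}')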
get flag!
flag{R_y0u_H0t_3n0ugH_t0_1gn1t3@flare-on.com}