Replace 湖湘杯2018
查壳upx,手动脱壳,修复IAT,去掉重定向便可以运行。
ida查看,流程清晰。关键函数check_E51090。
int __cdecl main(int argc, const char **argv, const char **envp) { int lens; // kr00_4 char Buf; // [esp+4h] [ebp-2Ch] char Dst; // [esp+5h] [ebp-2Bh] Buf = 0; memset(&Dst, 0, 0x27u); printf("Welcome The System\nPlease Input Key:"); gets_s(&Buf, 0x28u); lens = strlen(&Buf); if ( (unsigned int)(lens - 35) <= 2 ) // <=37 { if ( check_E51090(&Buf, lens) == 1 ) printf("Well Done!\n"); else printf("Your Wrong!\n"); } return 0; }
查看check_E51090
signed int __fastcall check_E51090(char *buf, int lens) { char *buf_2; // ebx int i; // edx char a; // al int b; // esi int c; // edi char d; // al int e; // eax char f; // cl int g; // eax int h; // ecx buf_2 = buf; if ( lens != 35 ) return -1; i = 0; while ( 1 ) { a = buf_2[i]; b = (a >> 4) % 16; c = (16 * a >> 4) % 16; d = data_E52150[2 * i]; if ( d < 48 || d > 57 ) e = d - 87; else e = d - 48; f = data_E52150[2 * i + 1]; g = 16 * e; if ( f < 48 || f > 57 ) h = f - 87; else h = f - 48; if ( (unsigned __int8)data[16 * b + c] != ((g + h) ^ 0x19) ) break; if ( ++i >= 35 ) return 1; } return -1; }
wp:
data_E52150=[50, 97, 52, 57, 102, 54, 57, 99, 51, 56, 51, 57, 53, 99, 100, 101, 57, 54, 100, 54, 100, 101, 57, 54, 100, 54, 102, 52, 101, 48, 50, 53, 52, 56, 52, 57, 53, 52, 100, 54, 49, 57, 53, 52, 52, 56, 100, 101, 102, 54, 101, 50, 100, 97, 100, 54, 55, 55, 56, 54, 101, 50, 49, 100, 53, 97, 100, 97, 101, 54] data=[99, 124, 119, 123, 242, 107, 111, 197, 48, 1, 103, 43, 254, 215, 171, 118, 202, 130, 201, 125, 250, 89, 71, 240, 173, 212, 162, 175, 156, 164, 114, 192, 183, 253, 147, 38, 54, 63, 247, 204, 52, 165, 229, 241, 113, 216, 49, 21, 4, 199, 35, 195, 24, 150, 5, 154, 7, 18, 128, 226, 235, 39, 178, 117, 9, 131, 44, 26, 27, 110, 90, 160, 82, 59, 214, 179, 41, 227, 47, 132, 83, 209, 0, 237, 32, 252, 177, 91, 106, 203, 190, 57, 74, 76, 88, 207, 208, 239, 170, 251, 67, 77, 51, 133, 69, 249, 2, 127, 80, 60, 159, 168, 81, 163, 64, 143, 146, 157, 56, 245, 188, 182, 218, 33, 16, 255, 243, 210, 205, 12, 19, 236, 95, 151, 68, 23, 196, 167, 126, 61, 100, 93, 25, 115, 96, 129, 79, 220, 34, 42, 144, 136, 70, 238, 184, 20, 222, 94, 11, 219, 224, 50, 58, 10, 73, 6, 36, 92, 194, 211, 172, 98, 145, 149, 228, 121, 231, 200, 55, 109, 141, 213, 78, 169, 108, 86, 244, 234, 101, 122, 174, 8, 186, 120, 37, 46, 28, 166, 180, 198, 232, 221, 116, 31, 75, 189, 139, 138, 112, 62, 181, 102, 72, 3, 246, 14, 97, 53, 87, 185, 134, 193, 29, 158, 225, 248, 152, 17, 105, 217, 142, 148, 155, 30, 135, 233, 206, 85, 40, 223, 140, 161, 137, 13, 191, 230, 66, 104, 65, 153, 45, 15, 176, 84, 187, 22, 72, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] tg=[] for i in range(35): d = data_E52150[2 * i]; if (d < 48 or d > 57): e = d - 87; else: e = d - 48; f = data_E52150[2 * i + 1]; g = 16 * e; if (f < 48 or f > 57): h = f - 87; else: h = f - 48; x=((g + h) ^ 0x19) tg.append(x) flag=‘‘ for i in range(35): flag+=chr(data.index(tg[i])) print(flag)
flag{Th1s_1s_Simple_Rep1ac3_Enc0d3}
原文:https://www.cnblogs.com/DirWang/p/12236700.html