Problem: [MoeCTF 2022]chicken_soup
思路
去花指令,逆向
EXP
去完花指令,进入主函数
/*
 * Decompiler output for the program's main routine, as pasted after the junk
 * instructions were removed. The function signature is not shown on the page.
 */
{
  /* v4 and v5 are adjacent stack bytes (ebp-68h / ebp-67h): v4 is the first
   * byte of the input buffer and v5 aliases the byte right after it. The real
   * buffer size is not visible in this listing. */
  char v4; // [esp+10h] [ebp-68h] BYREF
  _BYTE v5[3]; // [esp+11h] [ebp-67h] BYREF

  puts("I poisoned the program... Can you reverse it?!");
  puts("Come on! Give me your flag:");
  /* NOTE(review): sub_9612A0 is presumably a scanf-style reader. "%s" carries
   * no field width, so the read into the stack buffer is unbounded as far as
   * this listing shows; a fixed version would bound it to the buffer size. */
  sub_9612A0("%s", &v4);
  /* &v5[n] - v5 is just n, so this tests strlen(&v4) == 38. */
  if ( &v5[strlen(&v4)] - v5 == 38 )
  {
    /* Two passes over the input buffer, then a comparison against the table
     * at unk_963000; a non-zero result selects the success message. */
    sub_961000(&v4);
    sub_961080(&v4);
    if ( sub_961110((int)&v4, (int)&unk_963000) )
      puts("\nTTTTTTTTTTQQQQQQQQQQQQQLLLLLLLLL!!!!");
    else
      puts("\nQwQ, please try again.");
    return 0;
  }
  else
  {
    /* Wrong length: rejected before any transform runs. */
    puts("\nQwQ, please try again.");
    return 0;
  }
}
得到数据
/*
 * Comparison data exported from the disassembler: 38 data bytes followed by
 * a terminating 0 (presumably the bytes at unk_963000 - confirm against the
 * binary). Written in hex so the high and low nibble of each byte are visible.
 */
unsigned char ida_chars[] = {
    0xCD, 0x4D, 0x8C, 0x7D, 0xAD, 0x1E, 0xBE, 0x4A, 0x8A, 0x7D,
    0xBC, 0x7C, 0xFC, 0x2E, 0x2A, 0x79, 0x9D, 0x6A, 0x1A, 0xCC,
    0x3D, 0x4A, 0xF8, 0x3C, 0x79, 0x69, 0x39, 0xD9, 0xDD, 0x9D,
    0xA9, 0x69, 0x4C, 0x8C, 0xDD, 0x59, 0xE9, 0xD7,
    0x00 /* terminator */
};
进入sub_961080()函数
/* Excerpt from sub_961080 (the enclosing loop is not shown on the page).
 * ORs the value multiplied by 16 (a left shift by 4) with the unsigned byte
 * shifted right by 4. Stored back into one byte, this exchanges the high and
 * low nibbles - assumes a1 points to bytes, TODO confirm. */
a1[i] = (16 * a1[i]) | ((int)(unsigned __int8)a1[i] >> 4);
16 * a1[i] 相当于左移四位,>> 4 是右移四位,两者按位或之后再存回一个字节,相当于把每个字节的高四位和低四位互换。这个操作是自身的逆运算,所以对密文再做一次同样的交换就能还原。exp 里从后往前做减法的循环应当对应 sub_961000 的逆运算(本文没有贴出该函数的代码)。
exp
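/*
 * Solver for the check shown in the decompiled main: takes the 38 table bytes
 * and reverses the transforms in the opposite order to the one main applies
 * them in, then prints the recovered input.
 *
 * Changes from the pasted version: the unused outer `int i` (shadowed by
 * every loop variable) is gone, the length comes from the array instead of a
 * repeated literal 38, and the data is held as bytes so every step wraps
 * modulo 256 explicitly. The original masked only the subtrahend
 * (`a[i] -= a[i+1] & 0xff`), which left the result unreduced.
 */
int main()
{
    /* Table bytes from the binary, without the trailing 0 terminator. */
    unsigned char a[] = {
        205, 77, 140, 125, 173, 30, 190, 74, 138, 125,
        188, 124, 252, 46, 42, 121, 157, 106, 26, 204,
        61, 74, 248, 60, 121, 105, 57, 217, 221, 157,
        169, 105, 76, 140, 221, 89, 233, 215
    };
    const int n = (int)(sizeof a / sizeof a[0]);

    /* Undo the nibble exchange from sub_961080; the swap is its own inverse. */
    for (int i = 0; i < n; i++) {
        a[i] = (unsigned char)((a[i] << 4) | (a[i] >> 4));
    }

    /* Walk backwards subtracting the already-recovered next byte; the last
     * byte is left as is. Presumably the inverse of sub_961000, whose body
     * the write-up does not show. */
    for (int i = n - 2; i >= 0; i--) {
        a[i] = (unsigned char)(a[i] - a[i + 1]);
    }

    for (int i = 0; i < n; i++) {
        printf("%c", a[i]);
    }
    return 0;
}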
NSSCTF{p4tch_pr0gr4m_t0_d3c0mpi1e_it!}
总结
花指令
