1. 技术文章
  2. BUUCTF--[MRCTF2020]Transform

BUUCTF--[MRCTF2020]Transform

陌路散爱 提交于 2020-05-04 09:23:42

测试文件:https://lanzous.com/ic33b6f

 

代码分析

// local variable allocation has failed, the output may be wrong!
int __cdecl main(int argc, const char **argv, const char **envp)
{
  __int64 v3; // rdx
  __int64 v4; // rdx
  char v6[104]; // [rsp+20h] [rbp-70h]
  int j; // [rsp+88h] [rbp-8h]
  int i; // [rsp+8Ch] [rbp-4h]

  sub_402230(argc, argv, envp);
  puts(argc, (__int64)argv, v3, (__int64)"Give me your code:\n");
  scanf(argc, (__int64)argv, (__int64)v6, (__int64)"%s");
  if ( strlen(*(const char **)&argc) != 33 )    // flag长度为33
  {
    puts(argc, (__int64)argv, v4, (__int64)"Wrong!\n");
    system(*(const char **)&argc);
    exit(argc);
  }
  for ( i = 0; i <= 32; ++i )
  {
    byte_414040[i] = v6[dword_40F040[i]];
    v4 = i;
    byte_414040[i] ^= LOBYTE(dword_40F040[i]);
  }
  for ( j = 0; j <= 32; ++j )
  {
    v4 = j;
    if ( byte_40F0E0[j] != byte_414040[j] )
    {
      puts(argc, (__int64)argv, j, (__int64)"Wrong!\n");
      system(*(const char **)&argc);
      exit(argc);
    }
  }
  puts(argc, (__int64)argv, v4, (__int64)"Right!Good Job!\n");
  puts(argc, (__int64)argv, (__int64)v6, (__int64)"Here is your flag: %s\n");
  system(*(const char **)&argc);
  return 0;
}
.data:000000000040F040 dword_40F040    dd 9, 0Ah, 0Fh, 17h, 7, 18h, 0Ch, 6, 1, 10h, 3, 11h, 20h
.data:000000000040F040                                         ; DATA XREF: main+79↑o
.data:000000000040F040                                         ; main+B8↑o
.data:000000000040F040                 dd 1Dh, 0Bh, 1Eh, 1Bh, 16h, 4, 0Dh, 13h, 14h, 15h, 2, 19h
.data:000000000040F040                 dd 5, 1Fh, 8, 12h, 1Ah, 1Ch, 0Eh, 8 dup(0)
.data:000000000040F0E0 ; _BYTE byte_40F0E0[96]
.data:000000000040F0E0 byte_40F0E0     db 67h, 79h, 7Bh, 7Fh, 75h, 2Bh, 3Ch, 52h, 53h, 79h, 57h
.data:000000000040F0E0                                         ; DATA XREF: main+EF↑o
.data:000000000040F0E0                 db 5Eh, 5Dh, 42h, 7Bh, 2Dh, 2Ah, 66h, 42h, 7Eh, 4Ch, 57h
.data:000000000040F0E0                 db 79h, 41h, 6Bh, 7Eh, 65h, 3Ch, 5Ch, 45h, 6Fh, 62h, 4Dh
.data:000000000040F0E0                 db 3Fh dup(0)

 

  1. 将输入的flag使用dword_40F040数组作为索引,打乱顺序;
  2. 再将打乱后的flag数组,与dword_40F040数组异或,得到byte_40F0E0

 

脚本

# -*- coding:utf-8 -*-

model = [0x9, 0x0A, 0x0F, 0x17, 0x7, 0x18, 0x0C, 0x6, 0x1, 0x10, 0x3, 0x11, 0x20, 0x1D, 0x0B, 0x1E, 0x1B, 0x16, 0x4, 0x0D, 0x13, 0x14, 0x15, 0x2, 0x19, 0x5, 0x1F, 0x8, 0x12, 0x1A, 0x1C, 0x0E, 0]
model1 = [0x67, 0x79, 0x7B, 0x7F, 0x75, 0x2B, 0x3C, 0x52, 0x53, 0x79, 0x57, 0x5E, 0x5D, 0x42, 0x7B, 0x2D, 0x2A, 0x66, 0x42, 0x7E, 0x4C, 0x57, 0x79, 0x41, 0x6B, 0x7E, 0x65, 0x3C, 0x5C, 0x45, 0x6F, 0x62, 0x4D]

flag = [0]*33

for i in range(len(model)):
    model1[i] ^= model[i]

for i in range(len(model)):
    flag[model[i]] = model1[i]
print (''.join([chr(x) for x in flag]))

 

get flag!

flag{Tr4nsp0sltiON_Clph3r_1s_3z}

标签
X3C
Here
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!