BUUCTF [FlareOn4]IgniteMe
查壳然后进入ida
NumberOfBytesWritten = 0;把输出字符数清零
hFile = GetStdHandle(0xFFFFFFF6); // 标准输入(键盘) dword_403074 = GetStdHandle(0xFFFFFFF5); // 标准输出(屏幕)0xFFFFFFF6 = (DWORD)-10→STD_INPUT_HANDLE
0xFFFFFFF5 = (DWORD)-11→STD_OUTPUT_HANDLE
作用:
hFile= 读键盘输入
dword_403074= 往屏幕打印文字
WriteFile( dword_403074, // 输出到屏幕 aG1v3M3T3hFl4g, // 字符串内容:Give me the flag 0x13u, // 长度:19 个字符 &NumberOfBytesWritten, 0 );
屏幕打印:G1v3 M3 T3h Fl4g
((void (__cdecl *)(DWORD))sub_4010F0)(NumberOfBytesWritten);调用sub_4010F0
作用:读取用户输入的 flag
重点关注sub_4010F0、sub_401050
sub_4010F0:
sub_4010F0作用就是读取输入的flag到byte_403078[]
sub_401050:
sub_401000:
__ROL4__:循环左移 4 位(Rotate Left 4 bits)→0x00700008
>> 1:逻辑右移 1 位→0x0004
所以sub_401000等价于return 4; 这个函数始终返回4
因此v4=4
for ( j = 0; j < 39; ++j ) { if ( byte_403180[j] != byte_403000[j] )可知byte_403180=unk_403000,flag()是39位
for ( i = v1 - 1; i >= 0; --i ) { byte_403180[i] = v4 ^ byte_403078[i]; v4 = byte_403078[i]; }异或加密,byte_403078=flag
解密:
#include <stdio.h> int main(){ unsigned char byte_403180[] = { 0x0D, 0x26, 0x49, 0x45, 0x2A, 0x17, 0x78, 0x44, 0x2B, 0x6C, 0x5D, 0x5E, 0x45, 0x12, 0x2F, 0x17, 0x2B, 0x44, 0x6F, 0x6E, 0x56, 0x09, 0x5F, 0x45, 0x47, 0x73, 0x26, 0x0A, 0x0D, 0x13, 0x17, 0x48, 0x42, 0x01, 0x40, 0x4D, 0x0C, 0x02, 0x69 }; int v4=4; int byte_403078[40]; for(int i=38;i>=0;i--) { byte_403078[i]=byte_403180[i]^v4; v4=byte_403078[i]; } for (int j = 0; j < 39; ++j ){ printf("%c",byte_403078[j]); } return 0; }flag{R_y0u_H0t_3n0ugH_t0_1gn1t3@flare-on.com}