MIPS 架构，但逻辑都很简单：异或，再加上由左移、右移组合成的循环移位。

main 函数里只有一个逐字节的 xor（v5[i] ^= 32 - i），之后先用 strncmp 比较前 5 个字节。

/*
 * Hex-Rays pseudo-code of the challenge's main().
 *
 * Reads the candidate flag into v5, XORs each of the 32 buffer positions
 * with (32 - i), then compares the first 5 transformed bytes with fdata.
 * On a match the remaining bytes are checked by sub_4007F0(); otherwise
 * "Wrong" is printed. The return value is whatever sub_4007F0()/puts() return.
 */
int __fastcall main(int a1, char **a2, char **a3)
{
  int i; // [sp+18h] [+18h] BYREF
  char v5[36]; // [sp+1Ch] [+1Ch] BYREF

  setbuf(stdout, nullptr);
  setbuf(stdin, nullptr);
  printf("Give me your flag:");
  // %32s limits the read to 32 characters plus the terminating NUL (33 bytes),
  // which fits inside v5[36].
  scanf("%32s", v5);
  // The loop always covers indices 0..31, whatever the input length. v5 has no
  // initializer, so for a shorter input the NUL written by scanf and the
  // unwritten bytes after it are XORed as well.
  for ( i = 0; i < 32; ++i )
    v5[i] ^= 32 - (_BYTE)i;
  // Only the first 5 transformed bytes are compared at this stage.
  if ( !strncmp(v5, fdata, 5u) )
    return sub_4007F0(v5);
  else
    return puts("Wrong");
}

sub_4007F0 从下标 5 开始对每个字节做 2 位循环移位（奇数下标循环右移，偶数下标循环左移），再与目标数据比较。

/*
 * Hex-Rays pseudo-code of the second-stage check.
 *
 * Starting at index 5, every byte of a1 is replaced by two shifts OR-ed
 * together: odd indices use (>> 2) | (<< 6), even indices use (* 4) | (>> 6).
 * The solver on this page treats these as 8-bit rotates by 2 (right for odd
 * indices, left for even ones). The 0x1B (27) bytes starting at a1 + 5 are
 * then compared with off_410D04, printing "Right!" or "Wrong!".
 *
 * NOTE(review): the decompiler typed a1 as const char *, yet the loop writes
 * through it; the const qualifier is a decompiler artifact of this listing.
 */
int __fastcall sub_4007F0(const char *a1)
{
  char v1; // $v1
  size_t i; // [sp+18h] [+18h]

  // strlen(a1) is re-evaluated on every iteration while a1 is being rewritten,
  // so a byte that becomes 0 shortens the range the loop still covers.
  for ( i = 5; i < strlen(a1); ++i )
  {
    if ( (i & 1) != 0 )
      v1 = (a1[i] >> 2) | (a1[i] << 6);
    else
      v1 = (4 * a1[i]) | (a1[i] >> 6);
    a1[i] = v1;
  }
  // strncmp stops at the first NUL or after 27 bytes, whichever comes first.
  if ( !strncmp(a1 + 5, off_410D04, 0x1Bu) )
    return puts("Right!");
  else
    return puts("Wrong!");
}

提取一下数据

# Bytes dumped from the binary; the names appear to carry the IDA addresses
# they were read from (TODO confirm against the database).
# Same bytes the solver later assigns to fdata: 5 prefix bytes plus a NUL.
IDA_400b90 = b'Q|j{g\x00'
# Same bytes the solver later assigns to enc: 27 target bytes plus a trailing 0x0,
# presumably the buffer off_410D04 points to.
IDA_400b98 = [0x52, 0xfd, 0x16, 0xa4, 0x89, 0xbd, 0x92, 0x80, 0x13, 0x41, 0x54, 0xa0, 0x8d, 0x45, 0x18, 0x81, 0xde, 0xfc, 0x95, 0xf0, 0x16, 0x79, 0x1a, 0x15, 0x5b, 0x75, 0x1f, 0x0]
/*
 * Hex-Rays pseudo-code of main(): read up to 32 characters, XOR position i
 * with (32 - i) for i = 0..31, compare the first 5 bytes with fdata, and
 * hand the buffer to sub_4007F0() when they match.
 */
int __fastcall main(int a1, char **a2, char **a3)
{
  int i; // [sp+18h] [+18h] BYREF
  char v5[36]; // [sp+1Ch] [+1Ch] BYREF

  setbuf(stdout, nullptr);
  setbuf(stdin, nullptr);
  printf("Give me your flag:");
  // Field width 32 keeps the read (plus NUL) within the 36-byte buffer.
  scanf("%32s", v5);
  // Fixed 32 iterations, independent of how many characters were entered.
  for ( i = 0; i < 32; ++i )
    v5[i] ^= 32 - (_BYTE)i;
  // First-stage check: 5-byte prefix only.
  if ( !strncmp(v5, fdata, 5u) )
    return sub_4007F0(v5);
  else
    return puts("Wrong");
}
/*
 * Hex-Rays pseudo-code of the second-stage check: from index 5 onward each
 * byte is rebuilt from a pair of shifts (odd index: >> 2 and << 6; even
 * index: * 4 and >> 6), then 0x1B (27) bytes at a1 + 5 are compared with
 * off_410D04.
 */
int __fastcall sub_4007F0(const char *a1)
{
  char v1; // $v1
  size_t i; // [sp+18h] [+18h]

  // The bound is strlen(a1) recomputed per iteration on the buffer being modified.
  for ( i = 5; i < strlen(a1); ++i )
  {
    if ( (i & 1) != 0 )
      v1 = (a1[i] >> 2) | (a1[i] << 6);
    else
      v1 = (4 * a1[i]) | (a1[i] >> 6);
    // Written through a pointer the decompiler typed as const.
    a1[i] = v1;
  }
  if ( !strncmp(a1 + 5, off_410D04, 0x1Bu) )
    return puts("Right!");
  else
    return puts("Wrong!");
}
# 27 target bytes followed by a trailing 0x0; the solver uses the same values as enc.
IDA_400b98 = [0x52, 0xfd, 0x16, 0xa4, 0x89, 0xbd, 0x92, 0x80, 0x13, 0x41, 0x54, 0xa0, 0x8d, 0x45, 0x18, 0x81, 0xde, 0xfc, 0x95, 0xf0, 0x16, 0x79, 0x1a, 0x15, 0x5b, 0x75, 0x1f, 0x0]
# 5 prefix bytes followed by a NUL; the solver uses the same value as fdata.
IDA_400b90 = b'Q|j{g\x00'

exp

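def rol8(x, n):
    """Rotate the low 8 bits of ``x`` left by ``n`` bit positions.

    ``x`` is masked to a single byte and ``n`` is reduced modulo 8, so the
    result is always in ``0..255`` (safe to pass to ``bytearray.append``),
    and rotation counts above 8 no longer hit a negative shift count.

    Args:
        x: Integer whose low byte is rotated.
        n: Number of bit positions to rotate by.

    Returns:
        The rotated byte as an int in ``0..255``.
    """
    x &= 0xff
    n %= 8
    # For n == 0 the right shift by 8 yields 0, leaving x unchanged.
    return ((x << n) | (x >> (8 - n))) & 0xff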

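def ror8(x, n):
    """Rotate the low 8 bits of ``x`` right by ``n`` bit positions.

    ``x`` is masked to a single byte and ``n`` is reduced modulo 8, so the
    result is always in ``0..255`` (safe to pass to ``bytearray.append``),
    and rotation counts above 8 no longer hit a negative shift count.

    Args:
        x: Integer whose low byte is rotated.
        n: Number of bit positions to rotate by.

    Returns:
        The rotated byte as an int in ``0..255``.
    """
    x &= 0xff
    n %= 8
    # For n == 0 the left shift by 8 is masked away, leaving x unchanged.
    return ((x >> n) | (x << (8 - n))) & 0xff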

# Target bytes of the second-stage comparison (27 values, trailing NUL dropped).
enc = [
    0x52, 0xfd, 0x16, 0xa4,
    0x89, 0xbd, 0x92, 0x80,
    0x13, 0x41, 0x54, 0xa0,
    0x8d, 0x45, 0x18, 0x81,
    0xde, 0xfc, 0x95, 0xf0,
    0x16, 0x79, 0x1a, 0x15,
    0x5b, 0x75, 0x1f,
]

# Prefix bytes compared in main() after the XOR pass.
fdata = b'Q|j{g\x00'

# Stage 1: the first five bytes only went through main()'s XOR with (32 - i),
# and XOR is its own inverse.
flag = bytearray(fdata[pos] ^ (32 - pos) for pos in range(5))

# Stage 2: bytes from index 5 on were rotated by 2 after the XOR (right at odd
# indices, left at even ones), so rotate back the other way, then undo the XOR.
for offset, byte in enumerate(enc):
    pos = offset + 5
    unrotated = rol8(byte, 2) if pos & 1 else ror8(byte, 2)
    flag.append(unrotated ^ (32 - pos))

print(flag.decode())

flag

qctf{ReA11y_4_B@89_mlp5_4_XmAn_}

一把梭

image