[NPUCTF2020]Baby Obfuscation [HDCTF2019]MFC
生活随笔
收集整理的這篇文章主要介紹了
[NPUCTF2020]Baby Obfuscation [HDCTF2019]MFC
小編覺得挺不錯的,現在分享給大家,幫大家做個參考.
文章目錄
- [NPUCTF2020]Baby Obfuscation
- 把五個Fox分析一下
- F0X1(int a, int b):
- 運用輾轉相除法求得最大公因數(學到一個詞匯:最大公約數GCD,最小公倍數LCM)
- F0X2(bool a, bool b):
- 僅有一種情況返回真:a\==b==0
- F0X3(bool a, bool b):
- 僅有一種情況返回真:a\==b==1
- F0X4(int a, int b):
- 解析
- 返回值是a-b
- F0X5(int a, int b):
- 返回值是a^b^
- 整體分析
- 腳本
- [HDCTF2019]MFC
- 查看程序
- 發消息
- 解密
[NPUCTF2020]Baby Obfuscation
把五個Fox分析一下
F0X1(int a, int b):
int __cdecl F0X1(int a, int b) {int result; // eaxif ( b )result = F0X1(b, a % b);elseresult = a;return result; }運用輾轉相除法求得最大公因數(學到一個詞匯:最大公約數GCD,最小公倍數LCM)
F0X2(bool a, bool b):
bool __cdecl F0X2(bool a, bool b) {return a == b && !a; }僅有一種情況返回真:a==b==0
F0X3(bool a, bool b):
bool __cdecl F0X3(bool a, bool b) {bool v2; // blbool v3; // alv2 = F0X2(b, b);v3 = F0X2(a, a);return F0X2(v3, v2); }僅有一種情況返回真:a==b==1
F0X4(int a, int b):
int __cdecl F0X4(int a, int b) {return ~(~a + b); }解析
00000100 4 00000010 201111011 未知 00000010 201111101 00000010 200000111 7 00000010 201111000 0000001001111010 00000101 500001000 8 00000111 701110111 0000011101111110 0000000101111101 000001111000010011111011 -5返回值是a-b
F0X5(int a, int b):
int __cdecl F0X5(int a, int b) {int ans; // [rsp+Ch] [rbp-4h]ans = 1;while ( b ){if ( (b & 1) != 0 )ans *= a;a *= a;b >>= 1;}return ans; }總結后如下:
a b ans 2 2 1 4 1 4 16 0 411 a b ans 2 3 2 4 1 8 16 0 8a b ans 3 4 1 9 2 1 81 1 81 81*81 0 81返回值是ab
整體分析
_main();memset(A0X1, 0, 0xFA0ui64);A0X1[1000] = 0;memset(A0X3, 0, 0x100ui64);A0X3[64] = 0;for ( i = 0; i <= 64; ++i )A0X3[i] = i + 1;A0X4[0] = 2;A0X4[1] = 3;A0X4[2] = 4;A0X4[3] = 5;A0X5[0] = 2;A0X5[1] = 3;A0X5[2] = 4;A0X5[3] = 5;puts("WHERE IS MY KEY!?");scanf("%32s", A0X2);V0X1 = strlen(A0X2);v3 = F0X1(A0X3[i_0], A0X3[i_0]);for ( i_0 = v3 / A0X3[i_0]; i_0 <= V0X1; ++i_0 )// i_0這個變量從1開始{v4 = (A0X3[i_0] + A0X3[i_0 + 1]) * (A0X3[i_0] + A0X3[i_0 + 1]);// (a+b)的平方if ( v4 >= F0X5(2, 2) * A0X3[i_0] * A0X3[i_0 + 1] )// 4*a*b if中恒為真{v5 = ~A0X2[F0X4(i_0, 1)];v6 = F0X4(i_0, 1);A0X1[i_0] = ~(v5 + A0X4[v6 % F0X5(2, 2)]);}v7 = F0X1(A0X3[i_0], A0X3[i_0 + 1]); // 恒為1if ( v7 > F0X1(A0X3[i_0 + 1], ~(~A0X3[i_0 + 1] + A0X3[i_0])) )// 恒為1 if中恒為假{v8 = A0X1[i_0];v9 = F0X4(i_0, 1);A0X1[i_0] = ~(~v8 + A0X3[v9 % F0X5(2, 2)]) * v8;}v10 = A0X3[i_0 + 1];v11 = F0X5(2, 1) * v10; // v11=2v10v12 = A0X3[i_0];v13 = F0X5(2, 1);v14 = F0X1(v12 * v13, v11); // v14=fox1(2*AOX[i_0],2*AOX[i_0+1])v15 = F0X5(2, 1);if ( v14 == v15 * F0X1(A0X3[i_0], A0X3[i_0 + 1]) )// 2*FOX1(AOX[i_0],AOX[i_0+1])恒為真{v16 = F0X4(i_0, 1);A0X1[i_0] ^= A0X4[v16 % F0X5(2, 2)];}v17 = F0X5(V0X3, A0X3[i_0]);v18 = v17 < A0X3[i_0] + 1; // 恒為0v19 = F0X5(2, 4); // 16if ( F0X3(v19 >= i_0, v18) ) // 恒為假{v20 = ~A0X2[F0X4(i_0, 1)];v21 = F0X4(i_0, 1);A0X1[i_0] ^= ~(v20 + A0X4[v21 % F0X5(2, 2)]);}v22 = F0X5(2, 3);v23 = F0X1(A0X3[i_0], A0X3[i_0]);A0X1[i_0] *= v22 + F0X5(2, v23 / A0X3[i_0]);}v24 = F0X5(2, 4);if ( F0X4(v24, 1) != V0X1 )goto LABEL_23;v25 = F0X1(A0X3[i_1], A0X3[i_1]);for ( i_1 = v25 / A0X3[i_1]; i_1 <= V0X1; ++i_1 ){v26 = A0X1[i_1]; // 取值if ( v26 == F0X4(A0X6[i_1], 1) / 10 ) // 比較++V0X2;}if ( V0X2 == V0X1 )puts("\nPASS");else LABEL_23:puts("\nDENIED");return 0; }關鍵代碼:
v5 = ~A0X2[F0X4(i_0, 1)];v6 = F0X4(i_0, 1);A0X1[i_0] = ~(v5 + A0X4[v6 % F0X5(2, 2)]);v16 = F0X4(i_0, 1);A0X1[i_0] ^= A0X4[v16 % F0X5(2, 2)];v22 = F0X5(2, 3);v23 = F0X1(A0X3[i_0], A0X3[i_0]);A0X1[i_0] *= v22 + F0X5(2, v23 / A0X3[i_0]);v26 == F0X4(A0X6[i_1], 1) / 10腳本
" // " 表示整數除法,返回整數 比如 7/3 結果為2 “ / ” 表示浮點數除法,返回浮點數 (即小數) 比如 8/2 結果為4.0 AOX4=[2,3,4,5] AOX6=[0,7801,7801,8501,5901,8001,6401,11501,4601,9801,9601,11701,5301,9701,10801,12501] inputs=[None]*16 for i in range(1,len(AOX6)):inputs[i]=(AOX6[i]-1)//10//10inputs[i]=inputs[i]^AOX4[(i-1)%4]inputs[i]=inputs[i]+AOX4[(i-1)%4] print(inputs)AOX4=[2,3,4,5] AOX6=[0,7801,7801,8501,5901,8001,6401,11501,4601,9801,9601,11701,5301,9701,10801,12501] for i in range(1,len(AOX6)):AOX6[i]=(AOX6[i]-1)//10//10AOX6[i]=AOX6[i]^AOX4[(i-1)%4]AOX6[i]=AOX6[i]+AOX4[(i-1)%4] print(AOX6)flag=[78,80,85,67,84,70,123,48,98,102,117,53,101,114,125] lists="" for i in range(len(flag)):lists+=chr(flag[i]) print(lists) NPUCTF{0bfu5er}[HDCTF2019]MFC
查看程序
然后利用xspy查看相應的窗口
發現了一個沒有系統庫名的OnMsg,也就是沒有VM_……這串,接下來用SendMessage發送一個0x0464消息試試
發消息
#include <iostream> #include<Windows.h> int main() {HWND handle = FindWindow(NULL, "Flag就在控件里");if (handle == NULL) {printf("沒抓到");}else {SendMessage(handle, 0x0464, NULL, NULL);} }接下來程序變成這樣,找到一個DES key
解密
{I am a Des key}而DES密文在這:
總結
以上是生活随笔為你收集整理的[NPUCTF2020]Baby Obfuscation [HDCTF2019]MFC的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: [SUCTF2018]babyre [A
- 下一篇: [GWCTF 2019]pyre.pyc