https://buuoj.cn/challenges#[FlareOn4]IgniteMe

32 位 exe

/*
 * Decompiled entry point of the 32-bit challenge binary.
 *
 * Fetches the console handles (0xFFFFFFF6 == STD_INPUT_HANDLE (-10),
 * 0xFFFFFFF5 == STD_OUTPUT_HANDLE (-11), shown as unsigned DWORDs),
 * prints the prompt, lets front() read the input and reports the result
 * of check(). Both outcomes call ExitProcess(0), so the exit status
 * carries no information about the comparison.
 */
void __noreturn start()
{
  DWORD NumberOfBytesWritten; // [esp+0h] [ebp-4h] BYREF
 
  NumberOfBytesWritten = 0;
  hFile = GetStdHandle(0xFFFFFFF6);      // stdin; global read by front()
  stdHandle = GetStdHandle(0xFFFFFFF5);  // stdout
  // The third argument is the byte length of each message (0x13, 0xA, 0x24);
  // WriteFile's return value and NumberOfBytesWritten are never checked.
  WriteFile(stdHandle, str_givemeflag, 0x13u, &NumberOfBytesWritten, 0);
  front();
  if ( check() )                         // 1 == input matched key
    WriteFile(stdHandle, str_goodjob, 0xAu, &NumberOfBytesWritten, 0);
  else
    WriteFile(stdHandle, str_wrong, 0x24u, &NumberOfBytesWritten, 0);
  ExitProcess(0);
}

两个关键函数：front() 和 check()

/*
 * Reads the user's answer from stdin and copies it into the global
 * buffer `next`, dropping CR/LF bytes. Always returns 1.
 *
 * NOTE(review): ReadFile may fill all 260 bytes of Buffer, in which case
 * no NUL terminator remains and str_len(Buffer) (presumably a strlen
 * clone - its body is not shown) reads past the end of the stack buffer.
 * NumberOfBytesRead is never consulted. The size of `next` is not visible
 * here, so whether a 260-byte input also overruns it cannot be judged
 * from this listing.
 */
int front()
{
  unsigned int v0; // eax
  char Buffer[260]; // [esp+0h] [ebp-110h] BYREF
  DWORD NumberOfBytesRead; // [esp+104h] [ebp-Ch] BYREF
  unsigned int i; // [esp+108h] [ebp-8h]
  char v5; // [esp+10Fh] [ebp-1h]
 
  v5 = 0;
  for ( i = 0; i < 260; ++i )    // zero the whole buffer before reading
    Buffer[i] = 0;
  ReadFile(hFile, Buffer, 260u, &NumberOfBytesRead, 0);  // hFile: stdin handle set in start()
  for ( i = 0; ; ++i )
  {
    v0 = str_len(Buffer);        // recomputed every iteration, as in the binary
    if ( i >= v0 )
      break;
    v5 = Buffer[i];
    if ( v5 != '\n' && v5 != '\r' )
    {
      // CR/LF are skipped and their slot in `next` is left untouched, so a
      // trailing newline effectively terminates `next` (assuming `next` is a
      // zero-initialised global - its definition is not shown). An embedded
      // CR/LF would leave a hole that str_len(next) in check() stops at.
      if ( v5 )                  // never false here: str_len stopped at the first NUL
        next[i] = v5;
    }
  }
  return 1;
}

front() 把去掉回车换行的字符放到新的字符串 next 里面

/*
 * Validates the input collected by front().
 *
 * Walks `next` from its last byte to its first, producing
 *   res[i]     = next[i] ^ next[i+1]          for i < len-1
 *   res[len-1] = next[len-1] ^ (char)magicnum()
 * (v4 holds the previously visited input byte; it starts as magicnum()
 * truncated to a char, which the write-up below evaluates to 4), then
 * compares the first 0x27 == 39 bytes of res with `key`.
 *
 * Returns 1 when all 39 bytes match, 0 at the first mismatch.
 *
 * NOTE(review): the comparison length is fixed at 39 and does not depend
 * on v1, so a shorter input is compared against whatever res holds past
 * v1 (presumably zero - res's definition is not shown), and for an input
 * longer than 39 bytes the only slot that involves magicnum(), res[v1-1],
 * is never compared.
 */
int check()
{
  int v1; // [esp+0h] [ebp-Ch]
  int i; // [esp+4h] [ebp-8h]
  unsigned int j; // [esp+4h] [ebp-8h]   (shares i's stack slot - decompiler artifact)
  char v4; // [esp+Bh] [ebp-1h]
 
  v1 = str_len(next);
  v4 = magicnum();               // only the low byte survives the char conversion
  for ( i = v1 - 1; i >= 0; --i )
  {
    res[i] = v4 ^ next[i];
    v4 = next[i];                // the preceding byte is XORed with this one
  }
  for ( j = 0; j < 0x27; ++j )   // 39 bytes, the length of `key` in the script below
  {
    if ( res[j] != (unsigned __int8)key[j] )
      return 0;
  }
  return 1;
}

倒着做一个连续异或,最开始异或的数字是多少呢?

__ROL4__(-2147024896, 4) >> 1

it's some kind of shift that just needs qualification — there are at least two versions: one for 16-bit values (ROR 2) and one for 32-bit (ROR 4).

循环移位，R 为右移（ROR），L 为左移（ROL）

没有反调试，直接动调即可，得到的初始值是 4。静态也能算出来：-2147024896 即 0x80070000，循环左移 4 位得 0x00700008，再右移 1 位得 0x00380004，v4 是 char，取低字节即 4。

脚本

# Ciphertext bytes compared by check(): 0x27 == 39 entries, one per
# iteration of its `j < 0x27` loop.
key = [13, 38, 73, 69, 42, 23, 120, 68, 43, 108,
       93, 94, 69, 18, 47, 23, 43, 68, 111, 110,
       86, 9, 95, 69, 71, 115, 38, 10, 13, 19,
       23, 72, 66, 1, 64, 77, 12, 2, 105]

# check() walks the input backwards: res[i] = prev ^ next[i], where prev is
# next[i + 1], or magicnum() == 4 for the last byte. Undo it in the same
# direction: the last plaintext byte is res[-1] ^ 4, every earlier one is
# res[i] ^ next[i + 1], i.e. the plaintext byte just recovered.
prev = 4
for idx in reversed(range(len(key))):
    key[idx] ^= prev
    prev = key[idx]

print("".join(map(chr, key)))
R_y0u_H0t_3n0ugH_t0_1gn1t3@flare-on.com