0x01. 进入环境,下载附件
给出了一个无后缀文件,我们尝试用exeinfo PE查看一下文件,如图:
发现结果如图,提示是32位的无加壳文件,使用32位IDA打开文件。
0x02. 问题分析
我们将文件丢入IDA中,找到mian函数,F5反编译,查看伪代码:
int __cdecl main(int argc, const char **argv, const char **envp)
{
time_t v3; // ebx
__pid_t v4; // eax
unsigned int v5; // ST18_4
unsigned int v6; // ST1C_4
char v7; // ST20_1
signed int i; // [esp+14h] [ebp-44h]
char s; // [esp+24h] [ebp-34h]
char v11; // [esp+25h] [ebp-33h]
char v12; // [esp+26h] [ebp-32h]
char v13; // [esp+27h] [ebp-31h]
char v14; // [esp+28h] [ebp-30h]
char v15; // [esp+29h] [ebp-2Fh]
char v16; // [esp+2Ah] [ebp-2Eh]
char v17; // [esp+2Bh] [ebp-2Dh]
char v18; // [esp+2Ch] [ebp-2Ch]
char v19; // [esp+2Dh] [ebp-2Bh]
char v20; // [esp+2Eh] [ebp-2Ah]
char v21; // [esp+2Fh] [ebp-29h]
char v22; // [esp+30h] [ebp-28h]
char v23; // [esp+31h] [ebp-27h]
char v24; // [esp+32h] [ebp-26h]
char v25; // [esp+33h] [ebp-25h]
char v26; // [esp+34h] [ebp-24h]
char v27; // [esp+35h] [ebp-23h]
char v28; // [esp+36h] [ebp-22h]
char v29; // [esp+37h] [ebp-21h]
char v30; // [esp+38h] [ebp-20h]
char v31; // [esp+39h] [ebp-1Fh]
char v32; // [esp+3Ah] [ebp-1Eh]
char v33; // [esp+3Bh] [ebp-1Dh]
char v34; // [esp+3Ch] [ebp-1Ch]
char v35; // [esp+3Dh] [ebp-1Bh]
char v36; // [esp+3Eh] [ebp-1Ah]
char v37; // [esp+3Fh] [ebp-19h]
char v38; // [esp+40h] [ebp-18h]
char v39; // [esp+41h] [ebp-17h]
char v40; // [esp+42h] [ebp-16h]
char v41; // [esp+43h] [ebp-15h]
char v42; // [esp+44h] [ebp-14h]
char v43; // [esp+45h] [ebp-13h]
char v44; // [esp+46h] [ebp-12h]
char v45; // [esp+47h] [ebp-11h]
char v46; // [esp+48h] [ebp-10h]
char v47; // [esp+49h] [ebp-Fh]
char v48; // [esp+4Ah] [ebp-Eh]
char v49; // [esp+4Bh] [ebp-Dh]
unsigned int v50; // [esp+4Ch] [ebp-Ch]
v50 = __readgsdword(0x14u);
s = 83;
v11 = 69;
v12 = 67;
v13 = 67;
v14 = 79;
v15 = 78;
v16 = 123;
v17 = 87;
v18 = 101;
v19 = 108;
v20 = 99;
v21 = 111;
v22 = 109;
v23 = 101;
v24 = 32;
v25 = 116;
v26 = 111;
v27 = 32;
v28 = 116;
v29 = 104;
v30 = 101;
v31 = 32;
v32 = 83;
v33 = 69;
v34 = 67;
v35 = 67;
v36 = 79;
v37 = 78;
v38 = 32;
v39 = 50;
v40 = 48;
v41 = 49;
v42 = 52;
v43 = 32;
v44 = 67;
v45 = 84;
v46 = 70;
v47 = 33;
v48 = 125;
v49 = 0;
v3 = time(0);
v4 = getpid();
srand(v3 + v4);
for ( i = 0; i <= 99; ++i )
{
v5 = rand() % 0x28u;
v6 = rand() % 0x28u;
v7 = *(&s + v5);
*(&s + v5) = *(&s + v6);
*(&s + v6) = v7;
}
puts(&s);
return 0;
}
我们可以看到,定义了巨多的变量,同时使用for循环,产生随机数,进行赋值,达到干扰的目的。因此,众多的v变量才是真实的隐藏信息。我们将其拷贝出来,上代码:
data = [83, 69, 67, 67, 79, 78, 123, 87, 101, 108, 99, 111, 109, 101, 32, 116, 111, 32, 116, 104, 101, 32, 83, 69, 67,
67, 79, 78, 32, 50, 48, 49, 52, 32, 67, 84, 70, 33, 125, 0]
flag = ''
for i in range(len(data)):
flag += chr(data[i])
print(flag)
得到最终的结果为:SECCON{Welcome to the SECCON 2014 CTF!}
或者使用右键,如图:
可以以字符的形式展示字符!