先用PE查壳,一开始没看清楚,以为没壳,动调了半天,后来才看到是个ASP壳
用工具脱壳后分析main函数
int __cdecl main(int argc, const char **argv, const char **envp)
{
_BYTE v4[50]; // [esp+1Ch] [ebp-74h] BYREF
_BYTE v5[50]; // [esp+4Eh] [ebp-42h] BYREF
_DWORD v6[3]; // [esp+80h] [ebp-10h] BYREF
int v7; // [esp+8Ch] [ebp-4h]
sub_40DCF0();
sub_41A070((int)v6);
v7 = sub_41A078((int)v6);
sub_47C7D0(&dword_487F00, v5); // 输入函数,输入到v5
if ( sub_41A038((int)v5) != 42 ) // 长度为42
{
sub_47BAB0(&dword_488140, (int)aWrong);
sub_41A060(0);
}
if ( v5[0] != 'D' || v5[1] != 'A' || v5[2] != 'S' || v5[3] != 'C' || v5[4] != 'T' || v5[5] != 'F' )
{
sub_47BAB0(&dword_488140, (int)aWrong);
sub_41A060(0);
}
sub_41A080((int)v4, (int)v5); // 拷贝
v6[2] = *(_DWORD *)(v7 + 20) + 1900;
v6[1] = 0;
sub_4019BE((int)v5); //
sub_401771((int)v4); // 加密函数
sub_41A088(aPause);
return 0;
}
加密函数
_DWORD *__cdecl sub_401771(int a1)
{
int v2[50]; // [esp+1Ch] [ebp-DCh] BYREF
int v3; // [esp+E4h] [ebp-14h]
int j; // [esp+E8h] [ebp-10h]
int i; // [esp+ECh] [ebp-Ch]
v3 = sub_41A038(a1); // 长度
sub_401500(); // dword_492040[i] = i,最大为255
sub_40152B(); // byte_492440[i] = 1~6,最大为255
sub_401593();
sub_401619(a1, v3);
for ( i = 0; i < v3; ++i )
byte_492A60[i] = (LOBYTE(dword_492940[i]) ^ *(_BYTE *)(i + a1)) + 71;
memset(v2, 0, sizeof(v2));
v2[0] = -61;
v2[1] = -128;
v2[2] = -43;
v2[3] = -14;
v2[4] = -101;
v2[5] = 48;
v2[6] = 11;
v2[7] = -76;
v2[8] = 85;
v2[9] = -34;
v2[10] = 34;
v2[11] = -125;
v2[12] = 47;
v2[13] = -105;
v2[14] = -72;
v2[15] = 32;
v2[16] = 29;
v2[17] = 116;
v2[18] = -47;
v2[19] = 1;
v2[20] = 115;
v2[21] = 26;
v2[22] = -78;
v2[23] = -56;
v2[24] = -59;
v2[25] = 116;
v2[26] = -64;
v2[27] = 91;
v2[28] = -9;
v2[29] = 15;
v2[30] = -45;
v2[31] = 1;
v2[32] = 85;
v2[33] = -78;
v2[34] = -92;
v2[35] = -82;
v2[36] = 123;
v2[37] = -84;
v2[38] = 92;
v2[39] = 86;
v2[40] = -68;
v2[41] = 35;
for ( j = 0; j <= 41; ++j )
{
if ( v2[j] != byte_492A60[j] )
sub_41A060(0);
}
return sub_47BAB0(&dword_488140, (int)aRight);
}
把里面这些复制出来运行就能看到flag,但是我比赛的时候得到的只有大部分的flag,有些字符不正确,然后我就一直在那调代码,结果还是如下图
后面调着调着感觉问题越来越大,然后卡那了
#include <stdio.h>
#include <stdlib.h>
int main()
{
int v2[50] = {0}; //v2是加密后的密文
int i,j,k;
v2[0] = -61;
v2[1] = -128;
v2[2] = -43;
v2[3] = -14;
v2[4] = -101;
v2[5] = 48;
v2[6] = 11;
v2[7] = -76;
v2[8] = 85;
v2[9] = -34;
v2[10] = 34;
v2[11] = -125;
v2[12] = 47;
v2[13] = -105;
v2[14] = -72;
v2[15] = 32;
v2[16] = 29;
v2[17] = 116;
v2[18] = -47;
v2[19] = 1;
v2[20] = 115;
v2[21] = 26;
v2[22] = -78;
v2[23] = -56;
v2[24] = -59;
v2[25] = 116;
v2[26] = -64;
v2[27] = 91;
v2[28] = -9;
v2[29] = 15;
v2[30] = -45;
v2[31] = 1;
v2[32] = 85;
v2[33] = -78;
v2[34] = -92;
v2[35] = -82;
v2[36] = 123;
v2[37] = -84;
v2[38] = 92;
v2[39] = 86;
v2[40] = -68;
v2[41] = 35;
int dword_492040[257];
char byte_492440[257];
char v1[8] = "123456";
for ( i = 0; i <= 255; ++i )
{
dword_492040[i] = i;
byte_492440[i] = v1[i % 6];
}
int v3 = 0;
int v8 = 0;
for ( i = 0; i <= 255; ++i )
{
v3 = ((char)byte_492440[i] + v3 + dword_492040[i]) % 256;
v8 = dword_492040[i]; // 交换顺序
dword_492040[i] = dword_492040[v3];
dword_492040[v3] = v8;
}
int v5 = 0;
int v6 = 0;
int v4 = 0;
int a2 = 42;
int dword_492940[73];
for ( i = 0; a2--; dword_492940[v5++] = dword_492040[(dword_492040[v6] + dword_492040[i]) % 256] )
{
i = (i + 1) % 256;
v6 = (v6 + dword_492040[i] ) % 256;
v4 = dword_492040[i] + 66;
dword_492040[i] = dword_492040[v6] - 33;
dword_492040[i] ^= 2;
dword_492040[v6] = 5 * v4;
dword_492040[v6] = dword_492040[i] - 10;
dword_492040[v6] += dword_492040[i];
dword_492040[i] -= 18;
}
unsigned char flag[43] = {0};
for ( j = 0; j <= 41; ++j )
{
flag[j] = ((v2[j] - 71) ^ dword_492940[j]);
//printf("%d %c %d\n",flag[j],flag[j],j);
printf("%c",flag[j]);
}
return 0;
}
最后运行出来得到
DASCbF{Welc0me-t0?j01n-SU l0ve-suyuQ1Sg1e}
我看了下别人的wp,他们的脚本运行出来都不能完整的得到flag,总会有几个字符对不上,就很奇怪,他们的flag都是最后一个个试的么。
最终flag是:DASCTF{Welc0me-t0-j01n-SU-l0ve-suyug1eg1e}