Reverse 高校网络信息安全运维挑战赛

  1 signed int sub_403CC0()
  2 {
  3   unsigned int v0; // eax
  4   int key_lens; // eax
  5   FILE *v2; // eax
  6   FILE *v3; // eax
  7   signed int result; // eax
  8   int data; // [esp+10h] [ebp-44h]
  9   int v6; // [esp+14h] [ebp-40h]
 10   int v7; // [esp+18h] [ebp-3Ch]
 11   int v8; // [esp+1Ch] [ebp-38h]
 12   int v9; // [esp+20h] [ebp-34h]
 13   int v10; // [esp+24h] [ebp-30h]
 14   int v11; // [esp+28h] [ebp-2Ch]
 15   int v12; // [esp+2Ch] [ebp-28h]
 16   int mykey[8]; // [esp+30h] [ebp-24h]
 17 
 18   sub_401AD0();
 19   data = 'F2A1';                                // 1A2F943C4D8C5B6EA3C9BCAD7E
 20   v6 = 'C349';
 21   v0 = 0;
 22   v7 = 'C8D4';
 23   v8 = 'E6B5';
 24   v9 = '9C3A';
 25   v10 = 'DACB';
 26   v11 = 'E7';
 27   v12 = 0;
 28   do
 29   {
 30     mykey[v0] = 0;
 31     ++v0;
 32   }
 33   while ( v0 < 8 );
 34   puts("input your key:");
 35   scanf("%s", mykey);
 36   key_lens = strlen((const char *)mykey);
 37   if ( key_lens <= 19 )
 38   {
 39     printf("too short!");
 40     result = -1;
 41   }
 42   else if ( key_lens > 30 )
 43   {
 44     printf("too long!");
 45     result = -1;
 46   }
 47   else
 48   {
 49     if ( check_4014A0((char *)mykey, (char *)&data, key_lens) )
 50       printf("congratulations, your input is the flag ^_^");
 51     else
 52       printf("try agian");
 53     v2 = (FILE *)((char *)iob[1] - 1);
 54     iob[1] = v2;
 55     if ( (signed int)v2 < 0 )
 56     {
 57       filbuf(iob[0]);
 58       v2 = iob[1];
 59     }
 60     else
 61     {
 62       ++iob[0];
 63     }
 64     v3 = (FILE *)((char *)v2 - 1);
 65     iob[1] = v3;
 66     if ( (signed int)v3 < 0 )
 67       filbuf(iob[0]);
 68     else
 69       ++iob[0];
 70     result = 0;
 71   }
 72   return result;
 73 }signed int sub_403CC0()
 74 {
 75   unsigned int v0; // eax
 76   int key_lens; // eax
 77   FILE *v2; // eax
 78   FILE *v3; // eax
 79   signed int result; // eax
 80   int data; // [esp+10h] [ebp-44h]
 81   int v6; // [esp+14h] [ebp-40h]
 82   int v7; // [esp+18h] [ebp-3Ch]
 83   int v8; // [esp+1Ch] [ebp-38h]
 84   int v9; // [esp+20h] [ebp-34h]
 85   int v10; // [esp+24h] [ebp-30h]
 86   int v11; // [esp+28h] [ebp-2Ch]
 87   int v12; // [esp+2Ch] [ebp-28h]
 88   int mykey[8]; // [esp+30h] [ebp-24h]
 89 
 90   sub_401AD0();
 91   data = 'F2A1';                                // 1A2F943C4D8C5B6EA3C9BCAD7E
 92   v6 = 'C349';
 93   v0 = 0;
 94   v7 = 'C8D4';
 95   v8 = 'E6B5';
 96   v9 = '9C3A';
 97   v10 = 'DACB';
 98   v11 = 'E7';
 99   v12 = 0;
100   do
101   {
102     mykey[v0] = 0;
103     ++v0;
104   }
105   while ( v0 < 8 );
106   puts("input your key:");
107   scanf("%s", mykey);
108   key_lens = strlen((const char *)mykey);
109   if ( key_lens <= 19 )
110   {
111     printf("too short!");
112     result = -1;
113   }
114   else if ( key_lens > 30 )
115   {
116     printf("too long!");
117     result = -1;
118   }
119   else
120   {
121     if ( check_4014A0((char *)mykey, (char *)&data, key_lens) )
122       printf("congratulations, your input is the flag ^_^");
123     else
124       printf("try agian");
125     v2 = (FILE *)((char *)iob[1] - 1);
126     iob[1] = v2;
127     if ( (signed int)v2 < 0 )
128     {
129       filbuf(iob[0]);
130       v2 = iob[1];
131     }
132     else
133     {
134       ++iob[0];
135     }
136     v3 = (FILE *)((char *)v2 - 1);
137     iob[1] = v3;
138     if ( (signed int)v3 < 0 )
139       filbuf(iob[0]);
140     else
141       ++iob[0];
142     result = 0;
143   }
144   return result;
145 }

关键函数check_4014A0((char *)mykey, (char *)&data, key_lens)

 1 signed int __cdecl check_4014A0(char *mykey, char *data, int key_lens)
 2 {
 3   unsigned int v3; // ebx
 4   int j; // eax
 5   int k; // ebx
 6   char v7; // dl
 7   int i; // eax
 8   char v9; // [esp+Ah] [ebp-4Ah]
 9   char v10; // [esp+Bh] [ebp-49h]
10   char v11; // [esp+Ch] [ebp-48h]
11   char v12; // [esp+Dh] [ebp-47h]
12   char v13; // [esp+Eh] [ebp-46h]
13   char v14; // [esp+Fh] [ebp-45h]
14   char v15; // [esp+10h] [ebp-44h]
15   char v16; // [esp+11h] [ebp-43h]
16   char v17; // [esp+12h] [ebp-42h]
17   char v18; // [esp+13h] [ebp-41h]
18   char v19; // [esp+14h] [ebp-40h]
19   char v20; // [esp+15h] [ebp-3Fh]
20   char v21; // [esp+16h] [ebp-3Eh]
21   char v22; // [esp+17h] [ebp-3Dh]
22   char v23; // [esp+18h] [ebp-3Ch]
23   char v24; // [esp+19h] [ebp-3Bh]
24   char v25; // [esp+1Ah] [ebp-3Ah]
25   char v26; // [esp+1Bh] [ebp-39h]
26   char v27; // [esp+1Ch] [ebp-38h]
27   char v28; // [esp+1Dh] [ebp-37h]
28   char v29; // [esp+1Eh] [ebp-36h]
29   char v30; // [esp+1Fh] [ebp-35h]
30   char v31; // [esp+20h] [ebp-34h]
31   char v32; // [esp+21h] [ebp-33h]
32   char v33; // [esp+22h] [ebp-32h]
33   int v34; // [esp+24h] [ebp-30h]
34   char v35[44]; // [esp+28h] [ebp-2Ch]
35 
36   v3 = 0;
37   v34 = 0;
38   do
39   {
40     *(_DWORD *)(&v11 + v3) = 0;
41     v3 += 4;                                    // 置零初始化
42   }
43   while ( v3 < ((&v9 - &v11 + 30) & 0xFFFFFFFC) );// <28
44   v9 = 0xF;                      //encryptArray
45   v10 = 0x87u;
46   v11 = 0x62;
47   v12 = 0x14;
48   v13 = 1;
49   v14 = 0xC6u;
50   v15 = 0xF0u;
51   v16 = 33;
52   v17 = 48;
53   v18 = 17;
54   v19 = 80;
55   v20 = 0xD0u;
56   v21 = 0x82u;
57   v22 = 35;
58   v23 = 0xAEu;
59   v24 = 35;
60   v25 = 0xEEu;
61   v26 = 0xA9u;
62   v27 = 0xB4u;
63   v28 = 82;
64   v29 = 120;
65   v30 = 87;
66   v31 = 12;
67   v32 = 0x86u;
68   v33 = 0x8Bu;                                  // 0F 87 62 14 01 C6 F0 21 30 11 50 D0 82 23 AE 23 EE A9 B4 52 78 57 0C 86 8B
69                                                 // 
70                                                 // 
71   if ( key_lens == 25 )
72   {
73     j = 0;
74     do
75     {
76       v35[j] = __ROL1__(mykey[j], 2);           // 循环左移2位
77       ++j;
78     }
79     while ( j != 25 );
80     k = 0;
81     do
82     {
83       v35[k] ^= numb_401460(data, k);           // data：(ASCII "1A2F943C4D8C5B6EA3C9BCAD7E")
84                                                 // numb函数根据data、k生成一系列数，
85                                                 // 
86       ++k;
87     }
88     while ( k != 25 );
89     v7 = 15;
90     for ( i = 0; v35[i] == v7; v7 = *(&v9 + i) )//关键比较，v35存储内容：（key循环左移2位 异或 numb数据）      结果与encryptArray比较
91     {
92       if ( ++i == 25 )
93         return 1;
94     }
95   }
96   return 0;
97 }

numb_401460(data, k)函数：

int __cdecl sub_401460(char *data, int index)
{
  char a; // al
  char b; // cl
  int x; // eax
  int y; // edx 1A2F943C4D8C5B6EA3C9BCAD7E

  a = data[index];
  b = data[index + 1];
  if ( (unsigned __int8)(a - 0x30) > 9u )
    a -= 0x37;
  x = a & 0xF;
  y = (b - 0x37) & 0xF;
  if ( (unsigned __int8)(b - 0x30) <= 9u )
    y = b & 0xF;
  return y | 16 * x;

‘wp:

 1 encryptArray=[0x0F, 0x87, 0x62, 0x14, 0x01, 0xC6, 0xF0, 0x21, 0x30, 0x11, 0x50, 0xD0, 0x82, 0x23, 0xAE, 0x23,0xEE, 0xA9, 0xB4, 0x52, 0x78, 0x57, 0x0C, 0x86, 0x8B]
 2 data='1A2F943C4D8C5B6EA3C9BCAD7E'
 3 numbs=[]
 4 # numbs=[0x1a, 0xa2, 0x2f, 0xf9, 0x94, 0x43, 0x3c, 0xc4, 0x4d, 0xd8, 0x8c, 0xc5, 0x5b, 0xb6, 0x6e, 0xea, 0xa3, 0x3c, 0xc9, 0x9b, 0xbc, 0xca, 0xad, 0xd7, 0x7e]
 5 
 6 # def ROLN_(val,N,n):
 7 # 假如将一个无符号的数据val，长度为N，需要循环移动n位。可以利用下面的公式：
 8     # 循环左移：(val >> (N - n) | (val << n))
 9     # 循环右移：(val << (32 - n) | (val >> n))
10 def ROL_2(val):#8字节数循环左移2位
11     return ((val>>6)&0xff)|((val<<2)&0xff)
12 def ROR_2(val):#8字节数循环右移2位
13     return ((val<<6)&0xff)|((val>>2)&0xff)
14 def numb(data,index):
15     a = ord(data[index]);
16     b = ord(data[index + 1]);
17     if ((a - 0x30) > 9):
18         a -= 0x37;
19     x = a & 0xF;
20     y = (b - 0x37) & 0xF;
21     if ((b - 0x30) <= 9):
22         y = b & 0xF;
23     return y | 16 * x;
24 
25 for i in range(25):
26     numbs.append(numb(data,i))
27 print('numbs=[',','.join(map(hex,numbs)),']')
28 
29 key=[]
30 for i in range(25):
31     x=encryptArray[i]^numbs[i]
32     x=ROR_2(x)
33     key.append(chr(x))
34 print(''.join(key))

EIS{ea3y_r7Eve0rSe_r1ghT}

在攻防世界中提交失败0.0，Orz