1625-5 Wang Ziang summary (13 September 2017) [346 consecutive days of summaries]
A. Q&D Cup question bank - reverse
B. Looking for the flag

After running it, there is a simple text input box and a grayed-out GetFlag button.
Drag it into IDA and decompile: there is no main function, only a start function.
start has nothing to go on, so search the strings directly:

Spotted a flag at a glance and excitedly submitted it.
Wrong. OTZ
So it seems the program does something to the flag. Double-click to follow it into memory and press x to view the cross-references.

There are two calls; checking them in turn, this interesting function turns up:

    int sub_401000()
    {
      char *v0;   // eax@1
      CHAR Text;  // [sp+0h] [bp-38h]@1
      char Dst;   // [sp+1h] [bp-37h]@1
      char v4;    // [sp+Fh] [bp-29h]@1

      Text = 0;
      memset(&Dst, 0, 0x30u);
      // copy the flag string into Text
      strncpy_s(&Text, 0x31u, "flag:{NSCTF_md57e0cad17016b0>?45?f7c>0>4a>1c3a0}", 0x30u);
      v0 = &v4;                 // address of v4 into v0; in fact this is &Text[15]
      if ( v4 != 125 )          // 125 == '}'
      {
        do
        {
          *v0 ^= 7u;            // XOR character by character
          ++v0;
        }
        while ( *v0 != 125 );
      }
      return MessageBoxA(0, &Text, "Flag", 0);
    }

At first glance v0 and v4 in the loop have nothing to do with the string Text, but in fact both Text and v4 are on the stack, and v4 is actually Text[15]; IDA treats it as a new local variable when decompiling (in a sense you can regard it as Text overflowing, 233). This is a common IDA misreading when a string is being operated on, and needs attention.

So XOR flag[15:] with 7 character by character and submit: correct ~

NSCTF_md50b7dfc60761e798328a0d9793f96d4f7

Tracing back up to the caller, we find:

    int __thiscall sub_401070(int this)
    {
      int v1;     // edx@8
      int v2;     // esi@8
      int result; // eax@18

      if ( ((unsigned __int8)byte_403028 ^ 7) != *(_BYTE *)this
        || ((unsigned __int8)byte_403027 ^ 7) != *(_BYTE *)(this + 1)
        || ((unsigned __int8)byte_403026 ^ 7) != *(_BYTE *)(this + 2)
        || ((unsigned __int8)byte_403025 ^ 7) != *(_BYTE *)(this + 3)
        || ((unsigned __int8)byte_403024 ^ 7) != *(_BYTE *)(this + 4)
        || ((unsigned __int8)byte_403023 ^ 7) != *(_BYTE *)(this + 5)
        || ((unsigned __int8)byte_403022 ^ 7) != *(_BYTE *)(this + 6) )
      {
        v1 = byte_403380;
        v2 = dword_403018;
      }
      else
      {
        v1 = byte_403380 + 2;
        v2 = dword_403018 - 1;
        byte_403380 += 2;
        --dword_403018;
      }
      if ( ((unsigned __int8)byte_403021 ^ 0x33) == *(_BYTE *)(this + 7)
        && ((unsigned __int8)byte_403020 ^ 0x33) == *(_BYTE *)(this + 8)
        && ((unsigned __int8)byte_40301F ^ 0x33) == *(_BYTE *)(this + 9)
        && ((unsigned __int8)byte_40301E ^ 0x33) == *(_BYTE *)(this + 10)
        && ((unsigned __int8)byte_40301D ^ 0x33) == *(_BYTE *)(this + 11)
        && ((unsigned __int8)byte_40301C ^ 0x33) == *(_BYTE *)(this + 12) )
      {
        --v1;
        v2 += 2;
        byte_403380 = v1;
        dword_403018 = v2;
      }
      if ( v2 + v1 == 3 )
        result = sub_401000();   // shows the correct flag
      else
        result = MessageBoxA(0, "flag:{NSCTF_md57e0cad17016b0>?45?f7c>0>4a>1c3a0}", "Flag", 0);  // wrong flag
      dword_403018 = 1;
      byte_403380 = 0;
      return result;
    }
In this function, this is compared against memory and v1 and v2 are set according to the results; only at the very end is sub_401000 called, otherwise the (false) flag is displayed directly.
Obviously this is the pointer to the input string. Dump byte_403028-byte_40301C with an IDC script and write an XOR transformation to get the correct input:

    a = [78, 98, 87, 71, 57, 59, 50]
    b = [106, 88, 106, 70, 80, 74]
    for i in a:
        print(chr(i ^ 7), end='')
    for i in b:
        print(chr(i ^ 0x33), end='')
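The two transformations above, as an added example that is not part of the original write-up: decoding the displayed flag the way sub_401000 does, recovering the accepted input from the dumped bytes, and modelling the two counters of sub_401070 to confirm that this input is the one that reaches sub_401000. The byte values and the string come from the listings above; the counters start at 0 and 1, as the reset at the end of sub_401070 shows.

```python
# Added example (not from the original write-up). Byte values and the displayed
# string come from the decompiled listings; v1/v2 model byte_403380/dword_403018,
# which sub_401070 resets to 0 and 1 at the end of every call.
DISPLAYED = "flag:{NSCTF_md57e0cad17016b0>?45?f7c>0>4a>1c3a0}"
A = [78, 98, 87, 71, 57, 59, 50]    # byte_403028..byte_403022, vs input[0:7] ^ 7
B = [106, 88, 106, 70, 80, 74]      # byte_403021..byte_40301C, vs input[7:13] ^ 0x33


def decode_flag(shown: str) -> str:
    """sub_401000: XOR each character from Text[15] up to the closing '}' with 7."""
    buf = list(shown)
    i = 15
    while buf[i] != '}':
        buf[i] = chr(ord(buf[i]) ^ 7)
        i += 1
    return "".join(buf)


def expected_input() -> str:
    """Invert the two equality chains in sub_401070 to recover the accepted input."""
    return "".join(chr(x ^ 7) for x in A) + "".join(chr(x ^ 0x33) for x in B)


def check_input(user: str) -> bool:
    """Model of sub_401070: v1 + v2 == 3 only if both groups of bytes match."""
    data = user.encode("latin-1", errors="replace")
    if len(data) < 13:
        return False
    v1, v2 = 0, 1                       # byte_403380, dword_403018 after reset
    if all((A[k] ^ 7) == data[k] for k in range(7)):
        v1 += 2                         # else-branch of the first if
        v2 -= 1
    if all((B[k] ^ 0x33) == data[7 + k] for k in range(6)):
        v1 -= 1                         # body of the second if
        v2 += 2
    return v1 + v2 == 3                 # reaches sub_401000 only when the sum is 3


if __name__ == "__main__":
    print(decode_flag(DISPLAYED))
    print(expected_input())
    print(check_input(expected_input()), check_input("flag"))
```

Matching only one of the two byte groups leaves the sum at 2, so a partially correct input is rejected exactly like a wrong one.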
Entering this string into the program, the button is still gray.
Looking through the original program, I didn't find EnableMainItem or any other API that can modify control availability; presumably the control's property is set.
I had run into this kind of thing in a CrackMe before: the property settings for the control's ID can be found in memory and the Enable attribute modified.
Looking at an expert's WriteUp, you can just use something like Spy++ to change the button to enabled and click it, and the correct flag pops up.

Although this is the most orthodox way to pass, the flag in the MessageBox is a Label and can't be copied... I don't know what to say OTZ
C. Plan for tomorrow
Tripod Cup reverse

Technology