deedeedee

這題沒說法。。。直接用notepad++打開第二個文件，然后就看到了flag。。。。人傻了。。。

flag{t3mplat3_met4pr0gramming_is_gr8_4_3very0n3}

crazy

這題目呢，無殼，不難，直接拖進ida，主要是費眼。。。

查看偽代碼

int __cdecl main(int argc, const char **argv, const char **envp) {__int64 v3; // rax@1__int64 v4; // rax@1__int64 v5; // rax@1__int64 v6; // rax@1__int64 v7; // rax@1__int64 v8; // rax@1__int64 v9; // rax@1__int64 v10; // rax@1__int64 v11; // rax@2__int64 v12; // rax@2__int64 v13; // rax@2__int64 v14; // rax@2__int64 v15; // rax@2__int64 v16; // rax@2int result; // eax@3__int64 v18; // rcx@3char v19; // [sp+10h] [bp-130h]@1char v20; // [sp+30h] [bp-110h]@1char v21; // [sp+50h] [bp-F0h]@1char v22; // [sp+70h] [bp-D0h]@1char v23; // [sp+90h] [bp-B0h]@2char v24; // [sp+B0h] [bp-90h]@1__int64 v25; // [sp+128h] [bp-18h]@1v25 = *MK_FP(__FS__, 40LL);std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string((__int64)&v19,(__int64)argv,(__int64)envp);std::operator>><char,std::char_traits<char>,std::allocator<char>>(&std::cin, &v19);LODWORD(v3) = std::operator<<<std::char_traits<char>>((__int64)&std::cout,(__int64)"-------------------------------------------");std::ostream::operator<<(v3, &std::endl<char,std::char_traits<char>>);LODWORD(v4) = std::operator<<<std::char_traits<char>>((__int64)&std::cout, (__int64)"Quote from people's champ");std::ostream::operator<<(v4, &std::endl<char,std::char_traits<char>>);LODWORD(v5) = std::operator<<<std::char_traits<char>>((__int64)&std::cout,(__int64)"-------------------------------------------");std::ostream::operator<<(v5, &std::endl<char,std::char_traits<char>>);LODWORD(v6) = std::operator<<<std::char_traits<char>>((__int64)&std::cout,(__int64)"*My goal was never to be the loudest or the craziest. It was to be the most entertaining.");std::ostream::operator<<(v6, &std::endl<char,std::char_traits<char>>);LODWORD(v7) = std::operator<<<std::char_traits<char>>((__int64)&std::cout,(__int64)"*Wrestling was like stand-up comedy for me.");std::ostream::operator<<(v7, &std::endl<char,std::char_traits<char>>);LODWORD(v8) = std::operator<<<std::char_traits<char>>((__int64)&std::cout,(__int64)"*I like to use the hard times in the past to motivate me today.");std::ostream::operator<<(v8, &std::endl<char,std::char_traits<char>>);LODWORD(v9) = std::operator<<<std::char_traits<char>>((__int64)&std::cout,(__int64)"-------------------------------------------");std::ostream::operator<<(v9, &std::endl<char,std::char_traits<char>>);HighTemplar::HighTemplar(&v24, &v19);LODWORD(v10) = std::operator<<<std::char_traits<char>>((__int64)&std::cout, (__int64)"Checking....");std::ostream::operator<<(v10, &std::endl<char,std::char_traits<char>>);std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string((__int64)&v20,(__int64)&v19);func1((__int64)&v21, (__int64)&v20);func2((__int64)&v22, (__int64)&v21);func3((__int64)&v22, 0);std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string((__int64)&v22);std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string((__int64)&v21);std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string((__int64)&v20);HighTemplar::calculate((HighTemplar *)&v24);if ( (unsigned int)HighTemplar::getSerial((HighTemplar *)&v24) == 0 ){LODWORD(v11) = std::operator<<<std::char_traits<char>>((__int64)&std::cout,(__int64)"/");std::ostream::operator<<(v11, &std::endl<char,std::char_traits<char>>);LODWORD(v12) = std::operator<<<std::char_traits<char>>((__int64)&std::cout,(__int64)"Do not be angry. Happy Hacking :)");std::ostream::operator<<(v12, &std::endl<char,std::char_traits<char>>);LODWORD(v13) = std::operator<<<std::char_traits<char>>((__int64)&std::cout,(__int64)"/");std::ostream::operator<<(v13, &std::endl<char,std::char_traits<char>>);ZN11HighTemplar7getFlagB5cxx11Ev((__int64)&v23, (__int64)&v24);LODWORD(v14) = std::operator<<<std::char_traits<char>>((__int64)&std::cout, (__int64)"flag{");LODWORD(v15) = std::operator<<<char,std::char_traits<char>,std::allocator<char>>(v14, (__int64)&v23);LODWORD(v16) = std::operator<<<std::char_traits<char>>(v15, (__int64)"}");std::ostream::operator<<(v16, &std::endl<char,std::char_traits<char>>);std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string((__int64)&v23);}HighTemplar::~HighTemplar((HighTemplar *)&v24);std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::~basic_string((__int64)&v19);result = 0;v18 = *MK_FP(__FS__, 40LL) ^ v25;return result; }

HighTemplar::HighTemplar((__int64)&v24, (__int64)&v19);
HighTemplar::calculate((HighTemplar *)&v24)
(unsigned int)HighTemplar::getSerial((HighTemplar *)&v24)

HighTemplar::HighTemplar((__int64)&v24, (__int64)&v19);

__int64 __fastcall HighTemplar::HighTemplar(__int64 a1, __int64 a2) {char v3; // [sp+17h] [bp-19h]@1__int64 v4; // [sp+18h] [bp-18h]@1v4 = *MK_FP(__FS__, 40LL);DarkTemplar::DarkTemplar((DarkTemplar *)a1);*(_QWORD *)a1 = &off_401EA0;*(_DWORD *)(a1 + 12) = 0;std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(a1 + 16, a2);std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(a1 + 48, a2);std::allocator<char>::allocator(&v3, a2);std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(a1 + 80,"327a6c4304ad5938eaf0efb6cc3e53dc",&v3);std::allocator<char>::~allocator(&v3);return *MK_FP(__FS__, 40LL) ^ v4; }

這個函數(shù)作用：
初始化a1，那么它是如何初始化的呢？

std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(a1 + 16, a2)這里的話是a2是屬于輸入的值，所以a1+16地址處是屬于輸入賦值

std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(a1 + 48, a2)這里的話a2依然是輸入的值，所以a1+48地址處屬于輸入賦值

std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string( a1 + 80, "327a6c4304ad5938eaf0efb6cc3e53dc",&v3);這里是屬于字符串賦值，字符串已知，即"327a6c4304ad5938eaf0efb6cc3e53dc"，至于這個v3是干嘛的，不重要，估計是為了幫忙賦值，前面一行剛開辟，后面賦值完就立刻被析構了，所以的話，無關緊要

下面只要抓住這三條輸入即可。。
然后只需要注意含有v24 ，v19地方即可

HighTemplar::calculate((HighTemplar *)&v24)

bool __fastcall HighTemplar::calculate(HighTemplar *this) {__int64 v1; // rax@1__int64 v2; // rax@2unsigned __int64 v3; // rax@5_BYTE *v4; // rax@6_BYTE *v5; // rbx@6_BYTE *v6; // rax@6unsigned __int64 v7; // rax@8bool result; // al@8_BYTE *v9; // rax@9_BYTE *v10; // rbx@9_BYTE *v11; // rax@9int i; // [sp+18h] [bp-18h]@4int j; // [sp+1Ch] [bp-14h]@7LODWORD(v1) = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16);if ( v1 != 32 ){LODWORD(v2) = std::operator<<<std::char_traits<char>>((__int64)&std::cout, (__int64)"Too short or too long");std::ostream::operator<<(v2, &std::endl<char,std::char_traits<char>>);exit(-1);}for ( i = 0; ; ++i ){LODWORD(v3) = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16);if ( i > v3 )break;LODWORD(v4) = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[]((char *)this + 16,i);v5 = v4;LODWORD(v6) = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[]((char *)this + 16,i);*v5 = (*v6 ^ 0x50) + 23;}for ( j = 0; ; ++j ){LODWORD(v7) = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16);result = j <= v7;if ( !result )break;LODWORD(v9) = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[]((char *)this + 16,j);v10 = v9;LODWORD(v11) = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[]((char *)this + 16,j);*v10 = (*v11 ^ 0x13) + 11;}return result; }

首先，

LODWORD(v1) = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16);if ( v1 != 32 ){LODWORD(v2) = std::operator<<<std::char_traits<char>>((__int64)&std::cout, (__int64)"Too short or too long");std::ostream::operator<<(v2, &std::endl<char,std::char_traits<char>>);exit(-1);}

來判斷輸入長度，是否符合，不符合的話，直接exit
下面兩個for循環(huán)的話，它是把輸入的第一串字符（因為它是(char *)this + 16，長度為32，即到(char *)this + 48的位置）經(jīng)過一些簡單的異或操作變化之后，接下來變化之后肯定得拿去比較。。。。

LODWORD(v4) = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[]((char *)this + 16,i);v5 = v4;LODWORD(v6) = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[]((char *)this + 16,i);*v5 = (*v6 ^ 0x50) + 23;

至于為什么要這樣取的話，神操作。。可能編譯器有點傻，把
std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[]( (char *)this + 16, i);多搞出一次了吧，別在意這些。。。

(unsigned int)HighTemplar::getSerial((HighTemplar *)&v24)

__int64 __fastcall HighTemplar::getSerial(HighTemplar *this) {unsigned __int64 v1; // rax@2char *v2; // rax@3char v3; // bl@3_BYTE *v4; // rax@3__int64 v5; // rax@4__int64 v6; // rax@4__int64 v7; // rax@5__int64 v8; // rax@5unsigned int i; // [sp+1Ch] [bp-14h]@1for ( i = 0; ; ++i ){LODWORD(v1) = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16);if ( (signed int)i >= v1 )break;LODWORD(v2) = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[]((char *)this + 80,(signed int)i);v3 = *v2;LODWORD(v4) = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[]((char *)this + 16,(signed int)i);if ( v3 != *v4 ){LODWORD(v7) = std::operator<<<std::char_traits<char>>((__int64)&std::cout, (__int64)"You did not pass ");LODWORD(v8) = std::ostream::operator<<(v7, i);std::ostream::operator<<(v8, &std::endl<char,std::char_traits<char>>);*((_DWORD *)this + 3) = 1;return *((_DWORD *)this + 3);}LODWORD(v5) = std::operator<<<std::char_traits<char>>((__int64)&std::cout, (__int64)"Pass ");LODWORD(v6) = std::ostream::operator<<(v5, i);std::ostream::operator<<(v6, &std::endl<char,std::char_traits<char>>);}return *((_DWORD *)this + 3); }

這個函數(shù)作用呢，也就是驗證輸入的東西對不對。。。

for ( i = 0; ; ++i ){LODWORD(v1) = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::length((char *)this + 16);if ( (signed int)i >= v1 )break;LODWORD(v2) = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[]((char *)this + 80,(signed int)i);v3 = *v2;LODWORD(v4) = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::operator[]((char *)this + 16,(signed int)i);

它把(char *)this + 16（輸入且經(jīng)過一系列變換）和 (char *)this + 80（已知字符串賦值）兩個來相比，相同的話，這里比較就沒問題了。那我們只需要把這個已知字符串經(jīng)過反向的異或操作變化回去不就行了嗎？是的，就是這樣

額外分析

那樣我們再來考慮一下，剛才是不是有一段(char *)this + 48，這段怎么沒用到呢？后面就是對這段進行分析，有興趣的可以繼續(xù)看。

ZN11HighTemplar7getFlagB5cxx11Ev((__int64)&v23, (__int64)&v24);

__int64 __fastcall ZN11HighTemplar7getFlagB5cxx11Ev(__int64 a1, __int64 a2) {std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string(a1, a2 + 48);return a1; }

這里就是把a2 + 48賦值給a1，即這里的v23，

然后再把它當flag去輸出就行。。

好家伙，三段字符，只需要輸入一段
一開始數(shù)據(jù)被分為三部分，
一部分(char *)this + 16賦值輸入，后面帶入算法；
一部分（(char *)this + 48）賦值輸入，最后作為flag輸出；
一部分（(char *)this + 80）賦值一個字符串，作為比較對象。

至于std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::basic_string((__int64)&v20,(__int64)&v19);這個函數(shù)，我感覺應該是借用v19來開辟一段空間給v20，并沒有把v19和v20之間扯上直接關系，所以下面三個func

func1((__int64)&v21, (__int64)&v20);func2((__int64)&v22, (__int64)&v21);func3((__int64)&v22, 0);

與flag并無關系，而下面這三個是屬于析構函數(shù)，更無關系

GAMEOVER

#include <iostream> using namespace std; int main() {char b[32];char a[] = { "327a6c4304ad5938eaf0efb6cc3e53dc" };for (int i = 0; i < sizeof(a)-1; i++) {b[i] = ((((a[i] - 11) ^ 0x13) - 23) ^ 0x50);cout << b[i];} }

flag{tMx~qdstOs~crvtwb~aOba}qddtbrtcd} 《新程序員》：云原生和全面數(shù)字化實踐50位技術專家共同創(chuàng)作，文字、視頻、音頻交互閱讀

總結

以上是生活随笔為你收集整理的deedeedee crazy 寒假逆向生涯（11/100）的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。