[NPUCTF2020]Baby Obfuscation [HDCTF2019]MFC

Published: 2025/3/21


[NPUCTF2020]Baby Obfuscation

Analyzing the five F0X functions

F0X1(int a, int b):

    int __cdecl F0X1(int a, int b)
    {
      int result; // eax

      if ( b )
        result = F0X1(b, a % b);
      else
        result = a;
      return result;
    }

This uses the Euclidean algorithm to compute the greatest common divisor (vocabulary learned along the way: greatest common divisor, GCD; least common multiple, LCM).

F0X2(bool a, bool b):

    bool __cdecl F0X2(bool a, bool b)
    {
      return a == b && !a;
    }

It returns true in exactly one case: a == b == 0.

F0X3(bool a, bool b):

    bool __cdecl F0X3(bool a, bool b)
    {
      bool v2; // bl
      bool v3; // al

      v2 = F0X2(b, b);
      v3 = F0X2(a, a);
      return F0X2(v3, v2);
    }

It returns true in exactly one case: a == b == 1.

F0X4(int a, int b):

    int __cdecl F0X4(int a, int b)
    {
      return ~(~a + b);
    }

Working through it

    a            b            ~a                   ~a + b     ~(~a + b)
    00000100 4   00000010 2   01111011 (unknown)   01111101   00000010 2
    00000111 7   00000010 2   01111000             01111010   00000101 5
    00001000 8   00000111 7   01110111             01111110   00000001
    -            00000111     01111101             10000100   11111011 -5

The return value is a - b.

F0X5(int a, int b):

    int __cdecl F0X5(int a, int b)
    {
      int ans; // [rsp+Ch] [rbp-4h]

      ans = 1;
      while ( b )
      {
        if ( (b & 1) != 0 )
          ans *= a;
        a *= a;
        b >>= 1;
      }
      return ans;
    }

Tracing it gives the following:

    a       b    ans
    2       2    1
    4       1    4
    16      0    4

    a       b    ans
    2       3    2
    4       1    8
    16      0    8

    a       b    ans
    3       4    1
    9       2    1
    81      1    81
    81*81   0    81

The return value is a^b (a raised to the power b).

Overall analysis

      _main();
      memset(A0X1, 0, 0xFA0ui64);
      A0X1[1000] = 0;
      memset(A0X3, 0, 0x100ui64);
      A0X3[64] = 0;
      for ( i = 0; i <= 64; ++i )
        A0X3[i] = i + 1;
      A0X4[0] = 2;
      A0X4[1] = 3;
      A0X4[2] = 4;
      A0X4[3] = 5;
      A0X5[0] = 2;
      A0X5[1] = 3;
      A0X5[2] = 4;
      A0X5[3] = 5;
      puts("WHERE IS MY KEY!?");
      scanf("%32s", A0X2);
      V0X1 = strlen(A0X2);
      v3 = F0X1(A0X3[i_0], A0X3[i_0]);
      for ( i_0 = v3 / A0X3[i_0]; i_0 <= V0X1; ++i_0 )// the variable i_0 starts from 1
      {
        v4 = (A0X3[i_0] + A0X3[i_0 + 1]) * (A0X3[i_0] + A0X3[i_0 + 1]);// (a+b) squared
        if ( v4 >= F0X5(2, 2) * A0X3[i_0] * A0X3[i_0 + 1] )// 4*a*b; this condition is always true
        {
          v5 = ~A0X2[F0X4(i_0, 1)];
          v6 = F0X4(i_0, 1);
          A0X1[i_0] = ~(v5 + A0X4[v6 % F0X5(2, 2)]);
        }
        v7 = F0X1(A0X3[i_0], A0X3[i_0 + 1]);        // always 1
        if ( v7 > F0X1(A0X3[i_0 + 1], ~(~A0X3[i_0 + 1] + A0X3[i_0])) )// always 1; this condition is always false
        {
          v8 = A0X1[i_0];
          v9 = F0X4(i_0, 1);
          A0X1[i_0] = ~(~v8 + A0X3[v9 % F0X5(2, 2)]) * v8;
        }
        v10 = A0X3[i_0 + 1];
        v11 = F0X5(2, 1) * v10;                     // v11 = 2*v10
        v12 = A0X3[i_0];
        v13 = F0X5(2, 1);
        v14 = F0X1(v12 * v13, v11);                 // v14 = F0X1(2*A0X3[i_0], 2*A0X3[i_0+1])
        v15 = F0X5(2, 1);
        if ( v14 == v15 * F0X1(A0X3[i_0], A0X3[i_0 + 1]) )// 2*F0X1(A0X3[i_0], A0X3[i_0+1]); always true
        {
          v16 = F0X4(i_0, 1);
          A0X1[i_0] ^= A0X4[v16 % F0X5(2, 2)];
        }
        v17 = F0X5(V0X3, A0X3[i_0]);
        v18 = v17 < A0X3[i_0] + 1;                  // always 0
        v19 = F0X5(2, 4);                           // 16
        if ( F0X3(v19 >= i_0, v18) )                // always false
        {
          v20 = ~A0X2[F0X4(i_0, 1)];
          v21 = F0X4(i_0, 1);
          A0X1[i_0] ^= ~(v20 + A0X4[v21 % F0X5(2, 2)]);
        }
        v22 = F0X5(2, 3);
        v23 = F0X1(A0X3[i_0], A0X3[i_0]);
        A0X1[i_0] *= v22 + F0X5(2, v23 / A0X3[i_0]);
      }
      v24 = F0X5(2, 4);
      if ( F0X4(v24, 1) != V0X1 )
        goto LABEL_23;
      v25 = F0X1(A0X3[i_1], A0X3[i_1]);
      for ( i_1 = v25 / A0X3[i_1]; i_1 <= V0X1; ++i_1 )
      {
        v26 = A0X1[i_1];                            // fetch the value
        if ( v26 == F0X4(A0X6[i_1], 1) / 10 )       // compare
          ++V0X2;
      }
      if ( V0X2 == V0X1 )
        puts("\nPASS");
      else
    LABEL_23:
        puts("\nDENIED");
      return 0;
    }

Key code:

    v5 = ~A0X2[F0X4(i_0, 1)];
    v6 = F0X4(i_0, 1);
    A0X1[i_0] = ~(v5 + A0X4[v6 % F0X5(2, 2)]);
    v16 = F0X4(i_0, 1);
    A0X1[i_0] ^= A0X4[v16 % F0X5(2, 2)];
    v22 = F0X5(2, 3);
    v23 = F0X1(A0X3[i_0], A0X3[i_0]);
    A0X1[i_0] *= v22 + F0X5(2, v23 / A0X3[i_0]);
    v26 == F0X4(A0X6[i_1], 1) / 10

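Script

"//" is integer division and returns an integer; for example, 7 // 3 gives 2.
"/" is floating-point division and returns a float (a decimal number); for example, 8 / 2 gives 4.0.

    AOX4 = [2, 3, 4, 5]
    AOX6 = [0, 7801, 7801, 8501, 5901, 8001, 6401, 11501, 4601, 9801, 9601, 11701, 5301, 9701, 10801, 12501]
    inputs = [None] * 16
    for i in range(1, len(AOX6)):
        inputs[i] = (AOX6[i] - 1) // 10 // 10           # undo F0X4(x, 1) / 10 and the multiplication by 10
        inputs[i] = inputs[i] ^ AOX4[(i - 1) % 4]       # undo the XOR with the key
        inputs[i] = inputs[i] + AOX4[(i - 1) % 4]       # undo the subtraction of the key
    print(inputs)

    # The same computation, done in place on AOX6
    AOX4 = [2, 3, 4, 5]
    AOX6 = [0, 7801, 7801, 8501, 5901, 8001, 6401, 11501, 4601, 9801, 9601, 11701, 5301, 9701, 10801, 12501]
    for i in range(1, len(AOX6)):
        AOX6[i] = (AOX6[i] - 1) // 10 // 10
        AOX6[i] = AOX6[i] ^ AOX4[(i - 1) % 4]
        AOX6[i] = AOX6[i] + AOX4[(i - 1) % 4]
    print(AOX6)

    # Convert the recovered character codes to text
    flag = [78, 80, 85, 67, 84, 70, 123, 48, 98, 102, 117, 53, 101, 114, 125]
    lists = ""
    for i in range(len(flag)):
        lists += chr(flag[i])
    print(lists)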

NPUCTF{0bfu5er}
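
Added example, not part of the original write-up: a forward model of the check in main(), rebuilt from the decompiled listing above, that evaluates the opaque predicates instead of assuming them and confirms that the recovered flag passes. The branch that depends on V0X3 is assumed never taken, as the analysis states, because the value of V0X3 is not shown on the page; the lower-case function names are this example's own.

```python
# Constants as initialised in main(); A0X6 values are taken from the solve script.
A0X3 = [i + 1 for i in range(65)]
A0X4 = [2, 3, 4, 5]
A0X6 = [0, 7801, 7801, 8501, 5901, 8001, 6401, 11501,
        4601, 9801, 9601, 11701, 5301, 9701, 10801, 12501]

def f0x1(a, b):                        # Euclid: gcd(a, b)
    return f0x1(b, a % b) if b else a

def f0x4(a, b):                        # ~(~a + b) == a - b
    return ~(~a + b)

def f0x5(a, b):                        # square-and-multiply: a ** b
    ans = 1
    while b:
        if b & 1:
            ans *= a
        a *= a
        b >>= 1
    return ans

def predicates(i):
    """The three branch conditions of the loop that depend only on A0X3."""
    a, b = A0X3[i], A0X3[i + 1]
    p1 = (a + b) * (a + b) >= f0x5(2, 2) * a * b          # (a+b)^2 >= 4ab
    p2 = f0x1(a, b) > f0x1(b, ~(~b + a))                  # gcd(a,b) > gcd(b,b-a)
    p3 = f0x1(a * f0x5(2, 1), f0x5(2, 1) * b) == f0x5(2, 1) * f0x1(a, b)
    return p1, p2, p3

def encode(key):
    """A0X1 as main() computes it (assumption: the V0X3 branch never runs)."""
    out = [0] * (len(key) + 1)
    for i in range(1, len(key) + 1):
        p1, p2, p3 = predicates(i)
        k = A0X4[f0x4(i, 1) % f0x5(2, 2)]
        if p1:
            out[i] = ~(~ord(key[f0x4(i, 1)]) + k)         # key[i-1] - k
        if p2:
            out[i] = ~(~out[i] + A0X3[f0x4(i, 1) % f0x5(2, 2)]) * out[i]
        if p3:
            out[i] ^= k
        out[i] *= f0x5(2, 3) + f0x5(2, f0x1(A0X3[i], A0X3[i]) // A0X3[i])  # * 10
    return out

def check(key):
    out = encode(key)
    return (len(key) == f0x4(f0x5(2, 4), 1) and           # length must be 15
            all(out[i] == f0x4(A0X6[i], 1) // 10 for i in range(1, len(key) + 1)))

print(check("NPUCTF{0bfu5er}"))
```
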

[HDCTF2019]MFC

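Inspecting the program

Then use xspy to inspect the corresponding window.

This reveals an OnMsg entry without a system-defined name, that is, without the WM_… string. Next, try sending message 0x0464 with SendMessage.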

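Sending the message

    #include <cstdio>
    #include <Windows.h>

    int main()
    {
        // Look up the target's top-level window by its title
        // (the title means "The flag is in the control").
        HWND handle = FindWindowA(NULL, "Flag就在控件里");
        if (handle == NULL) {
            printf("沒抓到");   // "window not found"
        }
        else {
            // Send the unnamed message 0x0464 found with xspy
            SendMessageA(handle, 0x0464, 0, 0);
        }
        return 0;
    }

After that the program changes, and a DES key is found.

Decryption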

{I am a Des key}

And the DES ciphertext is here:

944c8d100f82f0c18b682f63e4dbaa207a2f1e72581c2f1b

thIs_Is_real_kEy_hahaaa
