逆向攻防世界CTF系列42-reverse_re3
逆向攻防世界CTF系列42-reverse_re3
参考:CTF-reverse-reverse_re3(全网最详细wp,超4000字有效解析)_ctfreverse题目-CSDN博客
64位无壳
_int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
int v4; // [rsp+4h] [rbp-Ch]
sub_11B4(a1, a2, a3);
do
v4 = sub_940();
while ( v4 != 1 && v4 != -1 );
return 0LL;
}
跟进sub_11B4
__readfsqword(0x28u)经常会出现,反调试,先记住
下面是dowhile v4必须要为1或者-1最后
跟进sub_940
__int64 sub_940()
{
int v0; // eax
int v2; // [rsp+8h] [rbp-218h]
int v3; // [rsp+Ch] [rbp-214h]
char v4[520]; // [rsp+10h] [rbp-210h] BYREF
unsigned __int64 v5; // [rsp+218h] [rbp-8h]
v5 = __readfsqword(0x28u);
v3 = 0;
memset(v4, 0, 0x200uLL);
_isoc99_scanf(&unk_1278, v4, v4);
while ( 1 ){
do{
v2 = 0;
sub_86C();
v0 = v4[v3];
if ( v0 == 100 ){
v2 = sub_E23();
}
else if ( v0 > 100 ){
if ( v0 == 115 ){
v2 = sub_C5A();
}
else if ( v0 == 119 ){
v2 = sub_A92();
}
}
else{
if ( v0 == 27 ) return 0xFFFFFFFFLL;
if ( v0 == 97 ) v2 = sub_FEC();
}
++v3;
}
while ( v2 != 1 );
if ( dword_202AB0 == 2 ) break;
++dword_202AB0;
}
puts("success! the flag is flag{md5(your input)}");
return 1LL;
}
一开始没反应过来后来发现是dsaw这几个判断,跟进这几个sub函数
__int64 sub_A92()
{
if ( dword_202AB4 )
{
if ( dword_202020[225 * dword_202AB0 - 15 + 15 * dword_202AB4 + dword_202AB8] == 1 )
{
dword_202020[225 * dword_202AB0 - 15 + 15 * dword_202AB4 + dword_202AB8] = 3;
dword_202020[225 * dword_202AB0 + 15 * dword_202AB4 + dword_202AB8] = 1;
}
else if ( dword_202020[225 * dword_202AB0 - 15 + 15 * dword_202AB4 + dword_202AB8] == 4 )
{
return 1LL;
}
}
return 0LL;
}
在跟进dowrd_202020
_DWORD dword_202020[675]放了675个数据
dup是重复的意思 5dup(1) 就是 1 1 1 1 1
看样子是个迷宫题
if ( v0 == ‘\x1B’ ) 代表退出,记住是Esc
其实流程已经清晰了,输入可能是路径,最后要puts(“success! the flag is flag{md5(your input)}”);
还涉及md5
dword_202AB0一开始被赋值为0,可能也在计数最后要让它为2才能退出,也就是0,1,2三次才能退出
而到达这一步的条件是v2必须三次为1,最后一次通过dword_202AB0判断
unsigned __int64 sub_86C()
{
int i; // [rsp+0h] [rbp-10h]
int j; // [rsp+4h] [rbp-Ch]
unsigned __int64 v3; // [rsp+8h] [rbp-8h]
v3 = __readfsqword(0x28u);
for ( i = 0; i <= 14; ++i )
{
for ( j = 0; j <= 14; ++j )
{
if ( dword_202020[225 * dword_202AB0 + 15 * i + j] == 3 )
{
dword_202AB4 = i;
dword_202AB8 = j;
break;
}
}
}
return __readfsqword(0x28u) ^ v3;
}
像个初始化(其实只是转化),再分析分析
dword_202AB0之前说了只能是0,1,2
_DWORD dword_202020[675]放了675个数据,225*3,暂时不懂为什么这么干
先看右移d
__int64 sub_E23()
{
if ( dword_202AB8 != 14 )
{
if ( dword_202020[225 * dword_202AB0 + 1 + 15 * dword_202AB4 + dword_202AB8] == 1 )
{
dword_202020[225 * dword_202AB0 + 1 + 15 * dword_202AB4 + dword_202AB8] = 3;
dword_202020[225 * dword_202AB0 + 15 * dword_202AB4 + dword_202AB8] = 1;
}
else if ( dword_202020[225 * dword_202AB0 + 1 + 15 * dword_202AB4 + dword_202AB8] == 4 )
{
return 1LL;
}
}
return 0LL;
}
dword_202020只会有四种数字:0134,并且在为4的时候才会返回1
B4和B8的作用根据15 * dword_202AB4 + dword_202AB8可以才出来是行列,B4是行
if ( dword_202020[225 * dword_202AB0 + 1 + 15 * dword_202AB4 + dword_202AB8] == 1 )
{
dword_202020[225 * dword_202AB0 + 1 + 15 * dword_202AB4 + dword_202AB8] = 3;
dword_202020[225 * dword_202AB0 + 15 * dword_202AB4 + dword_202AB8] = 1;
因为是右移d,左边的是走过的,右边是未来要去的,那么可以推测,1代表的是走过的地方,3代表的是当前所在的地方(初始时,数组元素为3的地方,就相当于起点!),4代表的是终点
回头看之前的if ( dword_202020[225 * dword_202AB0 + 15 * i + j] == 3 ) 这就是在找最初的起点,那么一切都可以理解了,要走三个迷宫,每个迷宫都有一个初始起点
其实这里看不懂也没事,先把迷宫拿出了,已经知道是三个迷宫了,直接写程序提就行
shift+e(注意这里踩坑了,要选导出C变量)
#include<iostream>
using namespace std;
int dword_202020[675] =
{
1,
1,
1,
1,
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
1,
1,
1,
1,
1,
0,
3,
1,
1,
0,
0,
0,
0,
0,
0,
1,
1,
1,
1,
1,
0,
0,
0,
1,
0,
0,
0,
0,
0,
0,
1,
1,
1,
1,
1,
0,
0,
0,
1,
0,
0,
0,
0,
0,
0,
1,
1,
1,
1,
1,
0,
0,
0,
1,
1,
1,
1,
1,
0,
0,
1,
1,
1,
1,
1,
0,
0,
0,
0,
0,
0,
0,
1,
0,
0,
1,
1,
1,
1,
1,
0,
0,
0,
0,
0,
0,
0,
1,
0,
0,
1,
1,
1,
1,
1,
0,
0,
0,
0,
0,
0,
0,
1,
1,
0,
1,
1,
1,
1,
1,
0,
0,
0,
0,
0,
0,
0,
0,
1,
0,
1,
1,
1,
1,
1,
0,
0,
0,
0,
0,
0,
0,
0,
4,
0,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
1,
1,
0,
3,
1,
1,
1,
1,
1,
0,
0,
0,
0,
0,
0,
1,
1,
0,
1,
1,
0,
0,
0,
1,
0,
0,
0,
0,
0,
0,
1,
1,
0,
0,
0,
0,
0,
0,
1,
0,
0,
0,
0,
0,
0,
1,
1,
0,
1,
1,
0,
0,
0,
1,
1,
1,
1,
1,
0,
0,
1,
1,
0,
1,
1,
0,
0,
0,
0,
0,
0,
0,
1,
0,
0,
1,
1,
0,
1,
1,
0,
0,
0,
0,
0,
0,
0,
1,
0,
0,
1,
1,
0,
1,
1,
0,
0,
0,
0,
0,
1,
1,
1,
1,
0,
1,
1,
0,
1,
1,
0,
0,
0,
0,
0,
1,
0,
0,
1,
0,
1,
1,
0,
1,
1,
0,
0,
0,
0,
0,
1,
0,
0,
0,
0,
1,
1,
0,
1,
1,
1,
1,
1,
1,
0,
1,
0,
1,
1,
0,
1,
1,
0,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
0,
1,
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
4,
0,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
3,
1,
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
1,
0,
1,
1,
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
1,
1,
1,
0,
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
1,
0,
0,
1,
0,
0,
0,
0,
0,
0,
0,
0,
1,
1,
0,
1,
0,
0,
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
1,
1,
1,
0,
0,
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
1,
1,
1,
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
1,
1,
1,
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
4,
0
};
int main() {
for (int i = 0; i <= 14; i++) {
for (int j = 0; j <= 14; j++) {
cout << dword_202020[i * 15 + j] << " ";
}
cout << endl;
}
cout << endl;
for (int i = 0; i <= 14; i++) {
for (int j = 0; j <= 14; j++) {
cout << dword_202020[225 + i * 15 + j] << " ";
}
cout << endl;
}
cout << endl;
for (int i = 0; i <= 14; i++) {
for (int j = 0; j <= 14; j++) {
cout << dword_202020[450 + i * 15 + j] << " ";
}
cout << endl;
}
}
迷宫
1 1 1 1 1 0 0 0 0 0 0 0 0 0 0
1 1 1 1 1 0 3 1 1 0 0 0 0 0 0
1 1 1 1 1 0 0 0 1 0 0 0 0 0 0
1 1 1 1 1 0 0 0 1 0 0 0 0 0 0
1 1 1 1 1 0 0 0 1 1 1 1 1 0 0
1 1 1 1 1 0 0 0 0 0 0 0 1 0 0
1 1 1 1 1 0 0 0 0 0 0 0 1 0 0
1 1 1 1 1 0 0 0 0 0 0 0 1 1 0
1 1 1 1 1 0 0 0 0 0 0 0 0 1 0
1 1 1 1 1 0 0 0 0 0 0 0 0 4 0
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 0 0 0 0 0 0 0 0 0 0 0 0 0
1 1 0 3 1 1 1 1 1 0 0 0 0 0 0
1 1 0 1 1 0 0 0 1 0 0 0 0 0 0
1 1 0 0 0 0 0 0 1 0 0 0 0 0 0
1 1 0 1 1 0 0 0 1 1 1 1 1 0 0
1 1 0 1 1 0 0 0 0 0 0 0 1 0 0
1 1 0 1 1 0 0 0 0 0 0 0 1 0 0
1 1 0 1 1 0 0 0 0 0 1 1 1 1 0
1 1 0 1 1 0 0 0 0 0 1 0 0 1 0
1 1 0 1 1 0 0 0 0 0 1 0 0 0 0
1 1 0 1 1 1 1 1 1 0 1 0 1 1 0
1 1 0 1 1 1 1 1 1 1 1 1 1 1 0
1 1 0 0 0 0 0 0 0 0 0 0 0 4 0
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 3 1 1 0 0 0 0 0 0 0 0 0 0 0
0 0 0 1 0 1 1 1 0 0 0 0 0 0 0
0 0 0 1 1 1 0 1 0 0 0 0 0 0 0
0 0 0 0 1 0 0 1 0 0 0 0 0 0 0
0 1 1 0 1 0 0 1 0 0 0 0 0 0 0
0 0 1 1 1 0 0 1 0 0 0 0 0 0 0
0 0 0 0 0 0 0 1 0 0 0 0 0 0 0
0 0 0 0 0 0 0 1 1 1 1 0 0 0 0
0 0 0 0 0 0 0 0 0 0 1 0 0 0 0
0 0 0 0 0 0 0 0 0 0 1 0 0 0 0
0 0 0 0 0 0 0 0 0 0 1 0 0 0 0
0 0 0 0 0 0 0 0 0 0 1 1 1 1 0
0 0 0 0 0 0 0 0 0 0 0 0 0 1 0
0 0 0 0 0 0 0 0 0 0 0 0 0 4 0
懒得搞,放大佬的吧
ddsssddddsssdssdddddsssddddsssaassssdddsddssddwddssssssdddssssdddss
给md5加密
flag{aeea66fcac7fa80ed8f79f38ad5bb953}
1 1 0 0 0 0 0 0 0 1 0 0
1 1 0 1 1 0 0 0 0 0 0 0 1 0 0
1 1 0 1 1 0 0 0 0 0 1 1 1 1 0
1 1 0 1 1 0 0 0 0 0 1 0 0 1 0
1 1 0 1 1 0 0 0 0 0 1 0 0 0 0
1 1 0 1 1 1 1 1 1 0 1 0 1 1 0
1 1 0 1 1 1 1 1 1 1 1 1 1 1 0
1 1 0 0 0 0 0 0 0 0 0 0 0 4 0
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 3 1 1 0 0 0 0 0 0 0 0 0 0 0
0 0 0 1 0 1 1 1 0 0 0 0 0 0 0
0 0 0 1 1 1 0 1 0 0 0 0 0 0 0
0 0 0 0 1 0 0 1 0 0 0 0 0 0 0
0 1 1 0 1 0 0 1 0 0 0 0 0 0 0
0 0 1 1 1 0 0 1 0 0 0 0 0 0 0
0 0 0 0 0 0 0 1 0 0 0 0 0 0 0
0 0 0 0 0 0 0 1 1 1 1 0 0 0 0
0 0 0 0 0 0 0 0 0 0 1 0 0 0 0
0 0 0 0 0 0 0 0 0 0 1 0 0 0 0
0 0 0 0 0 0 0 0 0 0 1 0 0 0 0
0 0 0 0 0 0 0 0 0 0 1 1 1 1 0
0 0 0 0 0 0 0 0 0 0 0 0 0 1 0
0 0 0 0 0 0 0 0 0 0 0 0 0 4 0
懒得搞,放大佬的吧
[外链图片转存中...(img-4yftBx0H-1733058965243)]
ddsssddddsssdssdddddsssddddsssaassssdddsddssddwddssssssdddssssdddss
给md5加密
flag{aeea66fcac7fa80ed8f79f38ad5bb953}
注意CTF要小写的MD5一般