reverse-box

在平台上题目描述不全,少了一个重要的提示信息

原题题目描述

$ ./reverse_box ${FLAG}
95eeaf95ef94234999582f722f492f72b19a7aaf72e6e776b57aee722fe77ab5ad9aaeb156729676ae7a236d99b1df4a

也就是说,当输入正确的flag的时候,程序应该输出的是这一个字符串(如果少了这个信息,我请问怎么做,mmp)

主函数很简单:
会把我们的输入当成索引,输出box里面对应的值

make_boxs函数:
根据时间设置srand的种子,然后生成一个随机数,然后把随机生成的这个数字带进去生成boxs的数据,可以看到,程序中将随机生成的种子转成了unsigned __int8类型,这个类型只有一个字节大小,所以范围是0~255,所以我们可以枚举一下,flag开头是“T”,对应的是0x95

第一处断点:0x80485b4

.text:080485B4                 cmp     [ebp+var_C], 0
.text:080485B8                 jz      short loc_80485A7
.text:080485BA                 mov     eax, [ebp+var_C]

断下之后依次将[ebp-0xc]的值改成0~255
第二处断点:0x8048704

.text:080486FF                 movzx   eax, byte ptr [esp+eax+1Ch]
.text:08048704                 movzx   eax, al
.text:08048707                 mov     [esp+4], eax
.text:0804870B                 mov     dword ptr [esp], offset a02x ; "%02x"

将输出的字节与0x95比较,若相等,则本次的box数据是正确的,把全部256字节的数据dump出来

Breakpoint 2, 0x08048704 in ?? ()
$1 = 214
0xffffd04c:	0xd6	0xc9	0xc2	0xce	0x47	0xde	0xda	0x70
0xffffd054:	0x85	0xb4	0xd2	0x9e	0x4b	0x62	0x1e	0xc3
0xffffd05c:	0x7f	0x37	0x7c	0xc8	0x4f	0xec	0xf2	0x45
0xffffd064:	0x18	0x61	0x17	0x1a	0x29	0x11	0xc7	0x75
0xffffd06c:	0x02	0x48	0x26	0x93	0x83	0x8a	0x42	0x79
0xffffd074:	0x81	0x10	0x50	0x44	0xc4	0x6d	0x84	0xa0
0xffffd07c:	0xb1	0x72	0x96	0x76	0xad	0x23	0xb0	0x2f
0xffffd084:	0xb2	0xa7	0x35	0x57	0x5e	0x92	0x07	0xc0
0xffffd08c:	0xbc	0x36	0x99	0xaf	0xae	0xdb	0xef	0x15
0xffffd094:	0xe7	0x8e	0x63	0x06	0x9c	0x56	0x9a	0x31
0xffffd09c:	0xe6	0x64	0xb5	0x58	0x95	0x49	0x04	0xee
0xffffd0a4:	0xdf	0x7e	0x0b	0x8c	0xff	0xf9	0xed	0x7a
0xffffd0ac:	0x65	0x5a	0x1f	0x4e	0xf6	0xf8	0x86	0x30
0xffffd0b4:	0xf0	0x4c	0xb7	0xca	0xe5	0x89	0x2a	0x1d
0xffffd0bc:	0xe4	0x16	0xf5	0x3a	0x27	0x28	0x8d	0x40
0xffffd0c4:	0x09	0x03	0x6f	0x94	0xa5	0x4a	0x46	0x67
0xffffd0cc:	0x78	0xb9	0xa6	0x59	0xea	0x22	0xf1	0xa2
0xffffd0d4:	0x71	0x12	0xcb	0x88	0xd1	0xe8	0xac	0xc6
0xffffd0dc:	0xd5	0x34	0xfa	0x69	0x97	0x9f	0x25	0x3d
0xffffd0e4:	0xf3	0x5b	0x0d	0xa1	0x6b	0xeb	0xbe	0x6e
0xffffd0ec:	0x55	0x87	0x8f	0xbf	0xfc	0xb3	0x91	0xe9
0xffffd0f4:	0x77	0x66	0x19	0xd7	0x24	0x20	0x51	0xcc
0xffffd0fc:	0x52	0x7d	0x82	0xd8	0x38	0x60	0xfb	0x1c
0xffffd104:	0xd9	0xe3	0x41	0x5f	0xd0	0xcf	0x1b	0xbd
0xffffd10c:	0x0f	0xcd	0x90	0x9b	0xa9	0x13	0x01	0x73
0xffffd114:	0x5d	0x68	0xc1	0xaa	0xfe	0x08	0x3e	0x3f
0xffffd11c:	0xc5	0x8b	0x00	0xd3	0xfd	0xb6	0x43	0xbb
0xffffd124:	0xd4	0x80	0xe2	0x0c	0x33	0x74	0xa8	0x2b
0xffffd12c:	0x54	0x4d	0x2d	0xa4	0xdc	0x6c	0x3b	0x21
0xffffd134:	0x2e	0xab	0x32	0x5c	0x7b	0xe0	0x9d	0x6a
0xffffd13c:	0x39	0x14	0x3c	0xb8	0x0a	0x53	0xf7	0xdd
0xffffd144:	0xf4	0x2c	0x98	0xba	0x05	0xe1	0x0e	0xa3

最后将flag还原出来:

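# 256-byte substitution box dumped from the debugger once the enumerated seed
# mapped the first input byte ('T') to 0x95: index = input byte, value = output byte.
data = [0xd6,0xc9,0xc2,0xce,0x47,0xde,0xda,0x70,0x85,0xb4,0xd2,0x9e,0x4b,0x62,0x1e,0xc3,0x7f,0x37,0x7c,0xc8,0x4f,0xec,0xf2,0x45,0x18,0x61,0x17,0x1a,0x29,0x11,0xc7,0x75,0x02,0x48,0x26,0x93,0x83,0x8a,0x42,0x79,0x81,0x10,0x50,0x44,0xc4,0x6d,0x84,0xa0,0xb1,0x72,0x96,0x76,0xad,0x23,0xb0,0x2f,0xb2,0xa7,0x35,0x57,0x5e,0x92,0x07,0xc0,0xbc,0x36,0x99,0xaf,0xae,0xdb,0xef,0x15,0xe7,0x8e,0x63,0x06,0x9c,0x56,0x9a,0x31,0xe6,0x64,0xb5,0x58,0x95,0x49,0x04,0xee,0xdf,0x7e,0x0b,0x8c,0xff,0xf9,0xed,0x7a,0x65,0x5a,0x1f,0x4e,0xf6,0xf8,0x86,0x30,0xf0,0x4c,0xb7,0xca,0xe5,0x89,0x2a,0x1d,0xe4,0x16,0xf5,0x3a,0x27,0x28,0x8d,0x40,0x09,0x03,0x6f,0x94,0xa5,0x4a,0x46,0x67,0x78,0xb9,0xa6,0x59,0xea,0x22,0xf1,0xa2,0x71,0x12,0xcb,0x88,0xd1,0xe8,0xac,0xc6,0xd5,0x34,0xfa,0x69,0x97,0x9f,0x25,0x3d,0xf3,0x5b,0x0d,0xa1,0x6b,0xeb,0xbe,0x6e,0x55,0x87,0x8f,0xbf,0xfc,0xb3,0x91,0xe9,0x77,0x66,0x19,0xd7,0x24,0x20,0x51,0xcc,0x52,0x7d,0x82,0xd8,0x38,0x60,0xfb,0x1c,0xd9,0xe3,0x41,0x5f,0xd0,0xcf,0x1b,0xbd,0x0f,0xcd,0x90,0x9b,0xa9,0x13,0x01,0x73,0x5d,0x68,0xc1,0xaa,0xfe,0x08,0x3e,0x3f,0xc5,0x8b,0x00,0xd3,0xfd,0xb6,0x43,0xbb,0xd4,0x80,0xe2,0x0c,0x33,0x74,0xa8,0x2b,0x54,0x4d,0x2d,0xa4,0xdc,0x6c,0x3b,0x21,0x2e,0xab,0x32,0x5c,0x7b,0xe0,0x9d,0x6a,0x39,0x14,0x3c,0xb8,0x0a,0x53,0xf7,0xdd,0xf4,0x2c,0x98,0xba,0x05,0xe1,0x0e,0xa3]

# Expected program output for the correct flag, taken from the challenge
# statement: every two hex digits are one output byte of the box.
index = "95eeaf95ef94234999582f722f492f72b19a7aaf72e6e776b57aee722fe77ab5ad9aaeb156729676ae7a236d99b1df4a"
#https://docs.microsoft.com/zh-cn/previous-versions/s3f49ktz(v=vs.120)

# Parse the hex string two characters at a time. int(..., 16) replaces the
# original eval("0x" + ...): identical result for well-formed hex digits, but it
# never executes its argument and raises ValueError on a malformed pair.
list1 = [int(index[x:x + 2], 16) for x in range(0, len(index), 2)]

# Invert the box: each flag byte is the position of its output byte in data.
# list.index() returns the first match and raises ValueError if an output byte
# is absent from the dump, which would mean the wrong box was captured.
flag = "".join(chr(data.index(byte)) for byte in list1)
print(flag)  # parenthesised so the script runs under both Python 2 and 3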
