逆向工具可以用 jeb-mips，但反编译结果不是很好看，只能看个大概意思。
这里利用 IDA 查看 MIPS 汇编来分析程序。
第一段对输入整体进行 异或 (32 - idx) 的操作，然后比较前 5 个字节。
.text:004009A8 addiu $sp, -0x48 # sub_4009A8: read up to 32 bytes, XOR byte idx with (32 - idx), then check the 5-byte prefix
.text:004009AC sw $ra, 0x48+var_4($sp)
.text:004009B0 sw $fp, 0x48+var_8($sp)
.text:004009B4 move $fp, $sp
.text:004009B8 lw $v0, stdout
.text:004009C0 move $a1, $zero # buf
.text:004009C4 move $a0, $v0 # stream
.text:004009C8 jal setbuf # setbuf(stdout, NULL)
.text:004009CC nop
.text:004009D0 lw $v0, stdin
.text:004009D8 move $a1, $zero # buf
.text:004009DC move $a0, $v0 # stream
.text:004009E0 jal setbuf # setbuf(stdin, NULL)
.text:004009E4 nop
.text:004009E8 lui $v0, 0x40
.text:004009EC addiu $a0, $v0, (aGiveMeYourFlag - 0x400000) # "Give me your flag:"
.text:004009F0 jal printf
.text:004009F4 nop
.text:004009F8 addiu $v0, $fp, 0x48+var_2C # var_2C is the input buffer ("flag" below)
.text:004009FC move $a1, $v0
.text:00400A00 lui $v0, 0x40
.text:00400A04 addiu $a0, $v0, (a32s - 0x400000) # "%32s"
.text:00400A08 jal scanf # scanf("%32s", flag): at most 32 bytes are read
.text:00400A0C nop
.text:00400A10 sw $zero, 0x48+index($fp) # idx = 0
.text:00400A14 b loc_400A78 # jump to the loop condition first
.text:00400A18 nop
.text:00400A1C # ---------------------------------------------------------------------------
.text:00400A1C
.text:00400A1C loc_400A1C: # CODE XREF: sub_4009A8+DC↓j
.text:00400A1C lw $v0, 0x48+index($fp) # loop body: v0 = idx
.text:00400A20 addiu $v1, $fp, 0x48+index
.text:00400A24 addu $v0, $v1, $v0
.text:00400A28 lb $v1, 4($v0) # v1 = *(&index + 4 + idx) -> flag[idx], sign-extended (assumes the index slot sits 4 bytes below var_2C; confirm the stack offsets)
.text:00400A2C lw $v0, 0x48+index($fp)
.text:00400A30 nop
.text:00400A34 andi $v0, 0xFF # v0 = idx & 0xff
.text:00400A38 li $a0, 32
.text:00400A3C subu $v0, $a0, $v0 # v0 = 32 - idx
.text:00400A40 andi $v0, 0xFF
.text:00400A44 sll $v0, 24
.text:00400A48 sra $v0, 24 # key truncated to a signed char
.text:00400A4C xor $v0, $v1, $v0 # v0 = flag[idx] ^ (char)(32 - idx); the key depends on idx, it is not a constant 0x20
.text:00400A50 sll $v1, $v0, 24
.text:00400A54 sra $v1, 24 # result back to a signed char
.text:00400A58 lw $v0, 0x48+index($fp)
.text:00400A5C addiu $a0, $fp, 0x48+index
.text:00400A60 addu $v0, $a0, $v0 # recompute the address of flag[idx] (address arithmetic only)
.text:00400A64 sb $v1, 4($v0) # flag[idx] = v1
.text:00400A68 lw $v0, 0x48+index($fp)
.text:00400A6C nop
.text:00400A70 addiu $v0, 1 # idx + 1
.text:00400A74 sw $v0, 0x48+index($fp)
.text:00400A78
.text:00400A78 loc_400A78: # CODE XREF: sub_4009A8+6C↑j
.text:00400A78 lw $v0, 0x48+index($fp)
.text:00400A7C nop
.text:00400A80 slti $v0, 32 # v0 = (idx < 32)
.text:00400A84 bnez $v0, loc_400A1C # loop runs over all 32 buffer bytes
.text:00400A88 nop
.text:00400A8C lui $v0, 0x41
.text:00400A90 lw $v1, _fdata # "Q|j{g"
.text:00400A94 addiu $v0, $fp, 0x48+var_2C # address of the flag buffer
.text:00400A98 li $a2, 5 # n
.text:00400A9C move $a1, $v1 # s2
.text:00400AA0 move $a0, $v0 # s1
.text:00400AA4 jal strncmp # strncmp(flag, "Q|j{g", 5): only the first 5 transformed bytes are checked here
.text:00400AA8 nop
.text:00400AAC bnez $v0, loc_400ACC # prefix mismatch -> "Wrong"
.text:00400AB0 nop
.text:00400AB4 addiu $v0, $fp, 0x48+var_2C
.text:00400AB8 move $a0, $v0
.text:00400ABC jal sub_4007F0 # prefix matched: second stage checks the remaining bytes
.text:00400AC0 nop
.text:00400AC4 b loc_400ADC
.text:00400AC8 nop
.text:00400ACC # ---------------------------------------------------------------------------
.text:00400ACC
.text:00400ACC loc_400ACC: # CODE XREF: sub_4009A8+104↑j
.text:00400ACC lui $v0, 0x40
.text:00400AD0 addiu $a0, $v0, (aWrong_0 - 0x400000) # "Wrong"
.text:00400AD4 jal puts
.text:00400AD8 nop
.text:00400ADC
.text:00400ADC loc_400ADC: # CODE XREF: sub_4009A8+11C↑j
.text:00400ADC nop
.text:00400AE0 move $sp, $fp
.text:00400AE4 lw $ra, 0x48+var_4($sp)
.text:00400AE8 lw $fp, 0x48+var_8($sp)
.text:00400AEC addiu $sp, 0x48
.text:00400AF0 jr $ra
.text:00400AF4 nop
.text:00400AF4 # End of function sub_4009A8
.text:00400AF4
第二步对后面的字节进行移位、或操作，按 idx 的奇偶分别做不同的变换，再进行比较。
.text:004007F0 addiu $sp, -0x28 # sub_4007F0(flag): rotate bytes 5..strlen-1 by 2 bits (direction depends on idx parity), then compare flag+5 with 0x1B reference bytes
.text:004007F4 sw $ra, 0x28+var_4($sp)
.text:004007F8 sw $fp, 0x28+var_8($sp)
.text:004007FC move $fp, $sp
.text:00400800 sw $a0, 0x28+flag($fp) # flag = a0 (buffer already XOR-transformed by the caller)
.text:00400804 li $v0, 5
.text:00400808 sw $v0, 0x28+idx($fp) # idx = 5, skips the prefix checked by the caller
.text:0040080C b loc_400910 # jump to the loop condition first
.text:00400810 nop
.text:00400814 # ---------------------------------------------------------------------------
.text:00400814
.text:00400814 loc_400814: # CODE XREF: sub_4007F0+13C↓j
.text:00400814 lw $v0, 0x28+idx($fp)
.text:00400818 nop
.text:0040081C andi $v0, 1 # v0 = idx & 1
.text:00400820 beqz $v0, loc_400898 # idx even -> loc_400898 (the author's original notes had even/odd swapped)
.text:00400824 nop
.text:00400828 lw $v0, 0x28+idx($fp) # fall-through: idx is odd
.text:0040082C lw $v1, 0x28+flag($fp)
.text:00400830 nop
.text:00400834 addu $v0, $v1, $v0 # v0 = &flag[idx]
.text:00400838 lb $v0, 0($v0) # v0 = flag[idx], sign-extended
.text:0040083C nop
.text:00400840 sra $v0, 2 # flag[idx] >> 2 (arithmetic shift of a signed char)
.text:00400844 sll $a0, $v0, 24
.text:00400848 sra $a0, 24
.text:0040084C lw $v0, 0x28+idx($fp)
.text:00400850 lw $v1, 0x28+flag($fp)
.text:00400854 nop
.text:00400858 addu $v0, $v1, $v0
.text:0040085C lb $v0, 0($v0)
.text:00400860 nop
.text:00400864 sll $v0, 6 # flag[idx] << 6
.text:00400868 sll $v1, $v0, 24
.text:0040086C sra $v1, 24
.text:00400870 lw $v0, 0x28+idx($fp)
.text:00400874 lw $a1, 0x28+flag($fp)
.text:00400878 nop
.text:0040087C addu $v0, $a1, $v0
.text:00400880 or $v1, $a0, $v1 # odd idx: flag[idx] = (flag[idx] >> 2) | (flag[idx] << 6)
.text:00400884 sll $v1, 24
.text:00400888 sra $v1, 24 # truncate to a signed char
.text:0040088C sb $v1, 0($v0)
.text:00400890 b loc_400900
.text:00400894 nop
.text:00400898 # ---------------------------------------------------------------------------
.text:00400898
.text:00400898 loc_400898: # CODE XREF: sub_4007F0+30↑j
.text:00400898 lw $v0, 0x28+idx($fp) # idx is even
.text:0040089C lw $v1, 0x28+flag($fp)
.text:004008A0 nop
.text:004008A4 addu $v0, $v1, $v0
.text:004008A8 lb $v0, 0($v0) # v0 = flag[idx], sign-extended
.text:004008AC nop
.text:004008B0 sll $v0, 2 # flag[idx] << 2
.text:004008B4 sll $a0, $v0, 24
.text:004008B8 sra $a0, 24
.text:004008BC lw $v0, 0x28+idx($fp)
.text:004008C0 lw $v1, 0x28+flag($fp)
.text:004008C4 nop
.text:004008C8 addu $v0, $v1, $v0
.text:004008CC lb $v0, 0($v0)
.text:004008D0 nop
.text:004008D4 sra $v0, 6 # flag[idx] >> 6 (arithmetic shift of a signed char)
.text:004008D8 sll $v1, $v0, 24
.text:004008DC sra $v1, 24
.text:004008E0 lw $v0, 0x28+idx($fp)
.text:004008E4 lw $a1, 0x28+flag($fp)
.text:004008E8 nop
.text:004008EC addu $v0, $a1, $v0
.text:004008F0 or $v1, $a0, $v1 # even idx: flag[idx] = (flag[idx] << 2) | (flag[idx] >> 6)
.text:004008F4 sll $v1, 24
.text:004008F8 sra $v1, 24 # truncate to a signed char
.text:004008FC sb $v1, 0($v0)
.text:00400900
.text:00400900 loc_400900: # CODE XREF: sub_4007F0+A0↑j
.text:00400900 lw $v0, 0x28+idx($fp)
.text:00400904 nop
.text:00400908 addiu $v0, 1
.text:0040090C sw $v0, 0x28+idx($fp) # idx ++
.text:00400910
.text:00400910 loc_400910: # CODE XREF: sub_4007F0+1C↑j
.text:00400910 lw $a0, 0x28+flag($fp) # s
.text:00400914 jal strlen # strlen(flag) is re-evaluated every iteration
.text:00400918 nop
.text:0040091C move $v1, $v0
.text:00400920 lw $v0, 0x28+idx($fp)
.text:00400924 nop
.text:00400928 sltu $v0, $v1 # v0 = (idx < strlen(flag)), unsigned compare
.text:0040092C bnez $v0, loc_400814
.text:00400930 nop
.text:00400934 lw $v0, 0x28+flag($fp)
.text:00400938 nop
.text:0040093C addiu $v1, $v0, 5 # s1 = flag + 5
.text:00400940 lw $v0, off_410D04 # s2 = reference bytes (the 27 values in the solver's list b)
.text:00400948 li $a2, 0x1B # n = 27
.text:0040094C move $a1, $v0 # s2
.text:00400950 move $a0, $v1 # s1
.text:00400954 jal strncmp # strncmp(flag + 5, off_410D04, 0x1B)
.text:00400958 nop
.text:0040095C bnez $v0, loc_40097C # mismatch -> "Wrong!"
.text:00400960 nop
.text:00400964 lui $v0, 0x40
.text:00400968 addiu $a0, $v0, (aRight - 0x400000) # "Right!"
.text:0040096C jal puts
.text:00400970 nop
.text:00400974 b loc_40098C
.text:00400978 nop
.text:0040097C # ---------------------------------------------------------------------------
.text:0040097C
.text:0040097C loc_40097C: # CODE XREF: sub_4007F0+16C↑j
.text:0040097C lui $v0, 0x40
.text:00400980 addiu $a0, $v0, (aWrong - 0x400000) # "Wrong!"
.text:00400984 jal puts
.text:00400988 nop
.text:0040098C
.text:0040098C loc_40098C: # CODE XREF: sub_4007F0+184↑j
.text:0040098C nop
.text:00400990 move $sp, $fp
.text:00400994 lw $ra, 0x28+var_4($sp)
.text:00400998 lw $fp, 0x28+var_8($sp)
.text:0040099C addiu $sp, 0x28
.text:004009A0 jr $ra
.text:004009A4 nop
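# Solver for the two-stage check. Stage 1 (sub_4009A8) XORs byte i with
# (32 - i) for i in 0..31 and strncmp()s the first 5 bytes against "Q|j{g".
# Stage 2 (sub_4007F0) rotates bytes 5.. by 2 bits -- even idx:
# (c << 2) | (c >> 6), odd idx: (c >> 2) | (c << 6) -- and strncmp()s
# flag + 5 against 0x1B (27) reference bytes.
# print() with a single argument works under both Python 2 and 3, so the
# script no longer depends on the Python 2 print statement.
en = "Q|j{g"

# The 27 reference bytes at off_410D04, compared against flag[5:32].
b = [0x52, 0xFD, 0x16, 0xA4, 0x89, 0xBD, 0x92, 0x80, 0x13, 0x41,
     0x54, 0xA0, 0x8D, 0x45, 0x18, 0x81, 0xDE, 0xFC, 0x95, 0xF0,
     0x16, 0x79, 0x1A, 0x15, 0x5B, 0x75, 0x1F]


def encode_byte(c, idx):
    """Apply the binary's forward transform to byte ``c`` at position ``idx``.

    Args:
        c: candidate plaintext byte (0..255).
        idx: position in the 32-byte buffer; selects the XOR key (32 - idx)
            and the rotate direction (parity of idx).

    Returns:
        The transformed byte, masked to 8 bits.

    The binary uses arithmetic shifts on a signed char. For ASCII candidates
    (c < 128) with keys 1..27 the XOR result never has bit 7 set, so the
    logical rotate computed here yields the same byte.
    """
    t = (c ^ (32 - idx)) & 0xFF
    if idx % 2 == 0:
        return ((t << 2) & 0xFF) | ((t >> 6) & 0xFF)
    return ((t << 6) & 0xFF) | ((t >> 2) & 0xFF)


# Stage 1: XOR is its own inverse, so re-applying the key recovers the prefix.
flag = ""
for i in range(len(en)):
    flag += chr(ord(en[i]) ^ (32 - i))
print(flag)  # qctf{

# Stage 2: brute-force each remaining byte over the ASCII range. XOR and an
# 8-bit rotate are both bijections, so at most one candidate matches.
x = 5  # sub_4007F0 starts at idx = 5, right after the checked prefix
for i in range(len(b)):
    for j in range(128):
        if encode_byte(j, x) == b[i]:
            flag += chr(j)
            break
    else:
        # The original loop silently skipped a byte here and left x
        # unchanged, desynchronising every later position; fail loudly.
        raise ValueError("no ASCII byte maps to 0x%02X at index %d" % (b[i], x))
    x += 1
print(flag)
# qctf{ReA11y_4_B@89_mlp5_4_XmAn_}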