MCTF2018-2

identify

用 IDA 打开程序,搜索字符串,找到了提示用户名和密码错误的字符串,并由此定位到关键函数:

// IDA pseudo-code of the login check. The function header and the local
// declarations are not part of this listing, so types below are as IDA shows them.
// NOTE(review): a2/a3 look like argc/argv -- the usage message prints
// *(_DWORD *)a3 with %s, and the 4-byte stride (a3 + 4, a3 + 8) suggests a
// 32-bit build; confirm in the disassembly.
// NOTE(review): credentials are taken from the command line, where they are
// typically visible to other processes and to shell history on the host.
//
// Expected-value table: six 16-byte constants plus a trailing 0xF5. The check
// further down reads it as consecutive DWORDs starting at &v17.
// NOTE(review): that only works if v17..v23 are contiguous on the stack; the
// decompiler shows them as separate locals -- TODO confirm the layout.
v17 = xmmword_402210;
v18 = xmmword_402200;
v2 = "WELCOME TO MCTF\n";
v19 = xmmword_402220;
v3 = aWelcomeToMctf[0];
v23 = 0xF5;
v25 = 0;
v20 = xmmword_4021F0;
v21 = xmmword_402240;
v22 = xmmword_402230;
// Banner is printed one character at a time with Sleep(0x64) between characters.
for ( i = 0i64; *v2; v3 = *v2 )
{
putchar(v3);
++v2;
fflush(0);
Sleep(0x64u);
}
if ( a2 == 3 )
{
sub_401040("~checking:");
sub_401080();
// Username is compared against a literal stored in the binary.
v5 = strcmp(*(const char **)(a3 + 4), "Mirage");
// Normalises a non-zero strcmp result to -1 or 1.
if ( v5 )
v5 = -(v5 < 0) | 1;
if ( v5 )
{
sub_401040("Incorrect username\n");
sub_401010("fail\n");
system("pause");
}
// NOTE(review): as decompiled, the failure branch above has no return or goto,
// so control continues into the "Correct Username" path once the pause ends.
// Confirm against the disassembly before treating the username as enforced.
sub_401040("\nCorrect Username\n");
v6 = *(const char **)(a3 + 8);
v7 = 0;
// NOTE(review): the loop below is bounded only by strlen() of the supplied
// string; nothing visible here compares that length with the size of the
// table. A zero-length string skips the comparison entirely, and a string
// longer than the table indexes past the constants set up above.
if ( strlen(v6) )
{
do
{
// v7 & 0x80000001 plus the sign-bit fix-up is the compiler's signed "v7 % 2":
// v8 is true for even indices, v9 == 1 for odd ones.
v9 = v7 & 0x80000001;
v8 = (v7 & 0x80000001) == 0;
if ( (v7 & 0x80000001 & 0x80000000) != 0 )
{
v10 = ((_BYTE)v9 - 1) | 0xFFFFFFFE;
v8 = v10 == -1;
v9 = v10 + 1;
}
if ( v8 )
{
// Even index: input byte XOR 0x88 must equal the DWORD at table index v7.
// A fixed single-byte XOR over constants stored in the binary is obfuscation
// only; the expected input is recoverable by static analysis.
if ( (v6[v7] ^ 0x88) != *((_DWORD *)&v17 + v7) )
{
v11 = "\nIncorrect password\n";
v12 = 10;
do
{
putchar(v12);
++v11;
fflush(0);
Sleep(0x64u);
v12 = *v11;
}
while ( *v11 );
sub_401010("fail\n");
goto LABEL_25;
}
}
// Odd index: same comparison with the XOR constant 0x66.
else if ( v9 == 1 && (v6[v7] ^ 0x66) != *((_DWORD *)&v17 + v7) )
{
sub_401040("\nIncorrect password\n");
sub_401010("fail\n");
goto LABEL_25;
}
++v7;
}
while ( v7 < strlen(v6) );
}
// Success path: reached whenever no compared position mismatched.
v13 = "~checking:";
v14 = 126;
do
{
putchar(v14);
++v13;
fflush(0);
Sleep(0x64u);
v14 = *v13;
}
while ( *v13 );
sub_401080();
v15 = "\nCongratulations!\n";
v16 = 10;
do
{
putchar(v16);
++v15;
fflush(0);
Sleep(0x64u);
v16 = *v15;
}
while ( *v15 );
sub_401010("success\n");
LABEL_25:
// system() starts the command interpreter just to wait for a key press.
system("pause");
result = 0;
}
else
{
// Wrong argument count: print usage and return 1.
sub_401010("[ERROR] Login information missing\n");
sub_401010("Usage: %s <username> <password>\n", *(_DWORD *)a3);
result = 1;
}
return result;

显然用户名是Mirage,而密码就需要进行异或运算了。

密码中下标为偶数的字符异或 0x88 后,须与程序内置的固定数据(从 v17 开始按 DWORD 读取的表)中对应位置的值相等。

密码中下标为奇数的字符异或 0x66 后,须与同一张表中对应位置的值相等。

逆运算脚本如下(key 即上述固定表中的各个值):

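# Recover the expected password by inverting the per-index XOR seen in the
# decompiled check. XOR is its own inverse, so applying the same constant to
# each stored value yields the original character.
#
# key: the expected values as transcribed by the writeup author.
key=[0xc5,0x25,0xdc,0x20,0xf3,0x3e,0xb8,0x14,0xd7,0x57,0xfb,0x39,0xf9,0x13,0xb9,0x12,0xed,0x39,0xfb,0x57,0xe5,0x16,0xe4,0x53,0xf5]

# Even indices were XORed with 0x88, odd indices with 0x66.
flag = "".join(chr(value ^ (0x66 if index & 1 else 0x88))
               for index, value in enumerate(key))

# Parenthesised form prints the same text under Python 2 and Python 3.
print(flag)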

吃鲨鱼

用 PEiD 查看后发现是 C# 程序,拖进 dnSpy:

// Click handler (dnSpy decompilation): checks the text box contents one
// character at a time against a table of 32-hex-digit digests and writes the
// verdict to label2.
// NOTE(review): Form1.fivefive is not shown here; the writeup identifies the
// digests as MD5 -- confirm in the decompiled class.
private void button1_Click(object sender, EventArgs e)
{
string text = this.textBox1.Text;
// One digest per input position. Because each digest covers a single
// character, every position can be recovered independently from a small
// lookup table; hashing per character gives no protection to the secret.
string[] array = new string[]
{
"69691c7bdcc3ce6d5d8a1361f22d04ac",
"0d61f8370cad1d412f80b84d143e1257",
"b9ece18c950afbfa6b0fdbfa4ff731d3",
"800618943025315f869e4e1f09471012",
"f95b70fdc3088560732a5ac135644506",
"4a8a08f09d37b73795649038408b5f33",
"03c7c0ace395d80182db07ae2c30f034",
"2510c39011c5be704182423e3a695e91",
"0cc175b9c0f1b6a831c399e269772661",
"4b43b0aee35624cd95b910189b3dc231",
"83878c91171338902e0fe0fb97a8c47a",
"b14a7b8059d9c055954c92674ce60032",
"6f8f57715090da2632453988d9a1501b",
"8277e0910d750195b448797616e091ad",
"e4da3b7fbbce2345d7772b0674a318d5",
"cbb184dd8e05c9709e5dcaedaa0495cf"
};
// Upper bound only: keeps array[i] in range below. Shorter input is accepted
// and is compared against just the first text.Length entries.
if (text.Length > 16)
{
this.label2.Text = "You are wrong!";
return;
}
for (int i = 0; i < text.Length; i++)
{
// The 'H' initialiser is a placeholder; it is overwritten on the next statement.
char[] array2 = new char[]
{
'H'
};
array2[0] = text[i];
string str = new string(array2);
// NOTE(review): String.CompareTo is a culture-sensitive comparison; an
// ordinal comparison is the usual choice for hex digests.
// NOTE(review): label2 is overwritten on every iteration and the loop never
// exits early, so the final message reflects only the last character
// compared; with empty input the loop does not run and the label is left
// unchanged.
if (array[i].CompareTo(Form1.fivefive(str)) != 0)
{
this.label2.Text = "You are wrong!";
}
else
{
this.label2.Text = "You are right!";
}
}
}

找到了这里,并且发现程序中有一些地方出现了 MD5。array 中的每个字符串都是单个字符的 MD5 值(MD5 是单向哈希,严格来说不能“解密”),逐个查表还原出对应的字符,拼起来就得到了 flag。

Math for kids
