Solution

The first step is to decompile the given binary.

Main
/* Decompiler (IDA) output for main, collapsed onto one line by the page. The
 * listing stops before the final `return result;` and `result` is not declared
 * in what is shown, so the listing is truncated here; that is not a defect in
 * the binary. What the visible code does:
 *  - v9 = *MK_FP(__FS__, 40LL) saves the stack-protector canary.
 *  - strcpy(s2, "...") stores the comparison target; the literal is mangled by
 *    the page encoding. Per Main_asm below it is 37 bytes plus a NUL, written
 *    as six immediates, and s2[8] is only the first of the frame slots they
 *    cover (var_B8 .. var_9C hold the rest).
 *  - fgets(s, 128, stdin) is not checked; s[strlen(s) - 1] = 0 strips the
 *    newline and assumes the read succeeded and left a non-empty string (if
 *    fgets fails, s has never been initialized and strlen reads indeterminate
 *    bytes).
 *  - every byte is replaced by get_tbl_entry((unsigned int)s[i]); s[i] is a
 *    plain char, so bytes >= 0x80 are sign-extended before the cast (movsx in
 *    the disassembly).
 *  - accepted only if the length is 37 and the first 0x26 (38) bytes equal s2,
 *    i.e. the terminator is compared as well. */
int __cdecl main(int argc, const char **argv, const char **envp) { size_t i; // [sp+0h] [bp-D0h]@1 size_t v6; // [sp+8h] [bp-C8h]@1 char s2[8]; // [sp+10h] [bp-C0h]@1 char s[136]; // [sp+40h] [bp-90h]@1 __int64 v9; // [sp+C8h] [bp-8h]@1 v9 = *MK_FP(__FS__, 40LL); strcpy(s2, "'連\x11蝐鳥═\x1Bq#ee\x11\x11x05e); puts("Please enter the flag:"); fgets(s, 128, stdin); s[strlen(s) - 1] = 0; v6 = strlen(s); for ( i = 0LL; i < v6; ++i ) s[i] = get_tbl_entry((unsigned int)s[i]); if ( v6 == 37 ) { if ( !strncmp(s, s2, 0x26uLL) ) { puts("CORRECT <3"); result = 0; } else { puts("WRONG"); result = 1; } } else { puts("WRONG"); result = 1; } |
Main_asm
; Disassembly of main (IDA listing, collapsed onto long lines by the page).
; - fs:28h is the stack-protector canary: saved to var_8 on entry and re-checked
;   at loc_A24 before leave/retn (mismatch -> ___stack_chk_fail).
; - 8BAh..908h build the comparison target in place from six immediates: four
;   qwords into s2/var_B8/var_B0/var_A8, a dword into var_A0 and a word (0CEh)
;   into var_9C, i.e. 38 contiguous bytes at rbp-0C0h: 37 data bytes plus a
;   NUL. Read little-endian they start 27 B3 73 9D F5 11 E7 B1 ... and end
;   ... 05 65 CE 00; these are the bytes the solver below stores in encFlag.
; - 933h: fgets(s, 80h, stdin); the return value is never tested. 947h/94Bh
;   then store 0 at s[strlen(s)-1] to drop the newline, which assumes a
;   non-empty NUL-terminated string is in s.
; - loc_976/loc_9B1: for every byte of s (movsx: sign-extended char) call
;   get_tbl_entry and write the low byte of the result (cl) back in place.
; - 9C1h: the transformed length must equal 25h (37); then strncmp over 26h
;   (38) bytes, so the terminator is compared too. eax is 0 on CORRECT, 1 on
;   either WRONG path.
.text:00000000000008A0 ; int __cdecl main(int argc, const char **argv, const char **envp) .text:00000000000008A0 public main .text:00000000000008A0 main proc near ; DATA XREF: _start+1Do .text:00000000000008A0 .text:00000000000008A0 var_D0 = qword ptr -0D0h .text:00000000000008A0 var_C8 = qword ptr -0C8h .text:00000000000008A0 s2 = byte ptr -0C0h .text:00000000000008A0 var_B8 = qword ptr -0B8h .text:00000000000008A0 var_B0 = qword ptr -0B0h .text:00000000000008A0 var_A8 = qword ptr -0A8h .text:00000000000008A0 var_A0 = dword ptr -0A0h .text:00000000000008A0 var_9C = word ptr -9Ch .text:00000000000008A0 s = byte ptr -90h .text:00000000000008A0 var_8 = qword ptr -8 .text:00000000000008A0 .text:00000000000008A0 push rbp .text:00000000000008A1 mov rbp, rsp .text:00000000000008A4 sub rsp, 0D0h .text:00000000000008AB mov rax, fs:28h .text:00000000000008B4 mov [rbp+var_8], rax .text:00000000000008B8 xor eax, eax .text:00000000000008BA mov rax, 0B1E711F59D73B327h .text:00000000000008C4 mov rdx, 30F4F9F9B399BEB3h .text:00000000000008CE mov qword ptr [rbp+s2], rax .text:00000000000008D5 mov [rbp+var_B8], rdx .text:00000000000008DC mov rax, 0B19965237399711Bh .text:00000000000008E6 mov rdx, 0F9279923BE111165h .text:00000000000008F0 mov [rbp+var_B0], rax .text:00000000000008F7 mov [rbp+var_A8], rdx .text:00000000000008FE mov [rbp+var_A0], 65059923h .text:0000000000000908 mov [rbp+var_9C], 0CEh .text:0000000000000911 lea rdi, s ; "Please enter the flag:" .text:0000000000000918 call _puts .text:000000000000091D mov rdx, cs:stdin@@GLIBC_2_2_5 ; stream .text:0000000000000924 lea rax, [rbp+s] .text:000000000000092B mov esi, 80h ; n .text:0000000000000930 mov rdi, rax ; s .text:0000000000000933 call _fgets .text:0000000000000938 lea rax, [rbp+s] .text:000000000000093F mov rdi, rax ; s .text:0000000000000942 call _strlen .text:0000000000000947 sub rax, 1 .text:000000000000094B mov [rbp+rax+s], 0 .text:0000000000000953 lea rax, [rbp+s] .text:000000000000095A mov rdi, rax ; s 
.text:000000000000095D call _strlen .text:0000000000000962 mov [rbp+var_C8], rax .text:0000000000000969 mov [rbp+var_D0], 0 .text:0000000000000974 jmp short loc_9B1 .text:0000000000000976 ; --------------------------------------------------------------------------- .text:0000000000000976 .text:0000000000000976 loc_976: ; CODE XREF: main+11Fj .text:0000000000000976 lea rdx, [rbp+s] .text:000000000000097D mov rax, [rbp+var_D0] .text:0000000000000984 add rax, rdx .text:0000000000000987 movzx eax, byte ptr [rax] .text:000000000000098A movsx eax, al .text:000000000000098D mov edi, eax .text:000000000000098F call get_tbl_entry .text:0000000000000994 mov ecx, eax .text:0000000000000996 lea rdx, [rbp+s] .text:000000000000099D mov rax, [rbp+var_D0] .text:00000000000009A4 add rax, rdx .text:00000000000009A7 mov [rax], cl .text:00000000000009A9 add [rbp+var_D0], 1 .text:00000000000009B1 .text:00000000000009B1 loc_9B1: ; CODE XREF: main+D4j .text:00000000000009B1 mov rax, [rbp+var_D0] .text:00000000000009B8 cmp rax, [rbp+var_C8] .text:00000000000009BF jb short loc_976 .text:00000000000009C1 cmp [rbp+var_C8], 25h .text:00000000000009C9 jz short loc_9DE .text:00000000000009CB lea rdi, aWrong ; "WRONG" .text:00000000000009D2 call _puts .text:00000000000009D7 mov eax, 1 .text:00000000000009DC jmp short loc_A24 .text:00000000000009DE ; --------------------------------------------------------------------------- .text:00000000000009DE .text:00000000000009DE loc_9DE: ; CODE XREF: main+129j .text:00000000000009DE lea rcx, [rbp+s2] .text:00000000000009E5 lea rax, [rbp+s] .text:00000000000009EC mov edx, 26h ; n .text:00000000000009F1 mov rsi, rcx ; s2 .text:00000000000009F4 mov rdi, rax ; s1 .text:00000000000009F7 call _strncmp .text:00000000000009FC test eax, eax .text:00000000000009FE jnz short loc_A13 .text:0000000000000A00 lea rdi, aCorrect3 ; "CORRECT <3" .text:0000000000000A07 call _puts .text:0000000000000A0C mov eax, 0 .text:0000000000000A11 jmp short loc_A24 
.text:0000000000000A13 ; --------------------------------------------------------------------------- .text:0000000000000A13 .text:0000000000000A13 loc_A13: ; CODE XREF: main+15Ej .text:0000000000000A13 lea rdi, aWrong ; "WRONG" .text:0000000000000A1A call _puts .text:0000000000000A1F mov eax, 1 .text:0000000000000A24 .text:0000000000000A24 loc_A24: ; CODE XREF: main+13Cj .text:0000000000000A24 ; main+171j .text:0000000000000A24 mov rsi, [rbp+var_8] .text:0000000000000A28 xor rsi, fs:28h .text:0000000000000A31 jz short locret_A38 .text:0000000000000A33 call ___stack_chk_fail .text:0000000000000A38 ; --------------------------------------------------------------------------- .text:0000000000000A38 .text:0000000000000A38 locret_A38: ; CODE XREF: main+191j .text:0000000000000A38 leave .text:0000000000000A39 retn .text:0000000000000A39 main endp |
get_tbl_entry
/* get_tbl_entry (decompiler output): linear scan of a 255-entry table with a
 * 2-byte stride (i runs 0..254). The key for entry i is read at
 * trans_tbl + 2*i and the value at byte_201281 + 2*i; byte_201281 is dumped
 * below, trans_tbl itself is not shown on this page (the solver's interleaved
 * copy starts 0x01, 0xBB, so it presumably sits one byte before byte_201281 --
 * not verifiable from here). Returns the value paired with the first key equal
 * to a1, or 0 when no key matches. NOTE(review): as typed here a1 is a signed
 * char while the table byte is _BYTE (unsigned), so bytes >= 0x80 would not
 * compare equal at the C level; the operand width the binary really compares
 * is not visible on this page, so treat the decompiled types as approximate. */
__int64 __fastcall get_tbl_entry(char a1) { unsigned __int64 i; // [sp+Ch] [bp-8h]@1 for ( i = 0LL; i <= 254; ++i ) { if ( a1 == *((_BYTE *)&trans_tbl + 2 * i) ) return byte_201281[2 * i]; } return 0LL; } |
byte_201281
; byte_201281: the value column of the lookup table read by get_tbl_entry
; (DATA XREF get_tbl_entry+33). The dump is a flat byte stream in which key
; and value bytes alternate: every small ascending byte (2, 3, 4, ..., 0FFh) is
; a key and the byte immediately after it is the value that key maps to
; (2 -> 9Bh, 3 -> 0C4h, ..., 0FFh -> 31h at 20147Dh). The leading 0BBh is the
; value of the key stored just before this label (01h, judging by the solver's
; copy; that byte itself is not dumped here). "2 dup(25h)" means key 25h maps
; to itself.
.data:0000000000201281 byte_201281 db 0BBh, 2, 9Bh, 3, 0C4h, 4, 6Ch, 5, 4Ah, 6, 2Eh, 7, 22h .data:0000000000201281 ; DATA XREF: get_tbl_entry+33o .data:0000000000201281 db 8, 45h, 9, 33h, 0Ah, 0B8h, 0Bh, 0D5h, 0Ch, 6, 0Dh, 0Ah .data:0000000000201281 db 0Eh, 0BCh, 0Fh, 0FAh, 10h, 79h, 11h, 24h, 12h, 0E1h .data:0000000000201281 db 13h, 0B2h, 14h, 0BFh, 15h, 2Ch, 16h, 0ADh, 17h, 86h .data:0000000000201281 db 18h, 60h, 19h, 0A4h, 1Ah, 0B6h, 1Bh, 0D8h, 1Ch, 59h .data:0000000000201281 db 1Dh, 87h, 1Eh, 41h, 1Fh, 94h, 20h, 77h, 21h, 0F0h, 22h .data:0000000000201281 db 4Fh, 23h, 0CBh, 24h, 61h, 2 dup(25h), 26h, 0C0h, 27h .data:0000000000201281 db 97h, 28h, 2Ah, 29h, 5Ch, 2Ah, 8, 2Bh, 0C9h, 2Ch, 9Fh .data:0000000000201281 db 2Dh, 43h, 2Eh, 4Eh, 2Fh, 0CFh, 30h, 0F9h, 31h, 3Eh .data:0000000000201281 db 32h, 6Fh, 33h, 65h, 34h, 0E7h, 35h, 0C5h, 36h, 39h .data:0000000000201281 db 37h, 0B7h, 38h, 0EFh, 39h, 0D0h, 3Ah, 0C8h, 3Bh, 2Fh .data:0000000000201281 db 3Ch, 0AAh, 3Dh, 0C7h, 3Eh, 47h, 3Fh, 3Ch, 40h, 81h .data:0000000000201281 db 41h, 32h, 42h, 49h, 43h, 0D3h, 44h, 0A6h, 45h, 96h .data:0000000000201281 db 46h, 2Bh, 47h, 58h, 48h, 40h, 49h, 0F1h, 4Ah, 9Ch, 4Bh .data:0000000000201281 db 0EEh, 4Ch, 1Ah, 4Dh, 5Bh, 4Eh, 0C6h, 4Fh, 0D6h, 50h .data:0000000000201281 db 80h, 51h, 2Dh, 52h, 6Dh, 53h, 9Ah, 54h, 3Dh, 55h, 0A7h .data:0000000000201281 db 56h, 93h, 57h, 84h, 58h, 0E0h, 59h, 12h, 5Ah, 3Bh, 5Bh .data:0000000000201281 db 0B9h, 5Ch, 9, 5Dh, 69h, 5Eh, 0BAh, 5Fh, 99h, 60h, 48h .data:0000000000201281 db 61h, 73h, 62h, 0B1h, 63h, 7Ch, 64h, 82h, 65h, 0BEh .data:0000000000201281 db 66h, 27h, 67h, 9Dh, 68h, 0FBh, 69h, 67h, 6Ah, 7Eh, 6Bh .data:0000000000201281 db 0F4h, 6Ch, 0B3h, 6Dh, 5, 6Eh, 0C2h, 6Fh, 5Fh, 70h, 1Bh .data:0000000000201281 db 71h, 54h, 72h, 23h, 73h, 71h, 74h, 11h, 75h, 30h, 76h .data:0000000000201281 db 0D2h, 77h, 0A5h, 78h, 68h, 79h, 9Eh, 7Ah, 3Fh, 7Bh .data:0000000000201281 db 0F5h, 7Ch, 7Ah, 7Dh, 0CEh, 7Eh, 0Bh, 7Fh, 0Ch, 80h .data:0000000000201281 db 85h, 81h, 
0DEh, 82h, 63h, 83h, 5Eh, 84h, 8Eh, 85h, 0BDh .data:0000000000201281 db 86h, 0FEh, 87h, 6Ah, 88h, 0DAh, 89h, 26h, 8Ah, 88h .data:0000000000201281 db 8Bh, 0E8h, 8Ch, 0ACh, 8Dh, 3, 8Eh, 62h, 8Fh, 0A8h, 90h .data:0000000000201281 db 0F6h, 91h, 0F7h, 92h, 75h, 93h, 6Bh, 94h, 0C3h, 95h .data:0000000000201281 db 46h, 96h, 51h, 97h, 0E6h, 98h, 8Fh, 99h, 28h, 9Ah, 76h .data:0000000000201281 db 9Bh, 5Ah, 9Ch, 91h, 9Dh, 0ECh, 9Eh, 1Fh, 9Fh, 44h, 0A0h .data:0000000000201281 db 52h, 0A1h, 1, 0A2h, 0FCh, 0A3h, 8Bh, 0A4h, 3Ah, 0A5h .data:0000000000201281 db 0A1h, 0A6h, 0A3h, 0A7h, 16h, 0A8h, 10h, 0A9h, 14h, 0AAh .data:0000000000201281 db 50h, 0ABh, 0CAh, 0ACh, 95h, 0ADh, 92h, 0AEh, 4Bh, 0AFh .data:0000000000201281 db 35h, 0B0h, 0Eh, 0B1h, 0B5h, 0B2h, 20h, 0B3h, 1Dh, 0B4h .data:0000000000201281 db 5Dh, 0B5h, 0C1h, 0B6h, 0E2h, 0B7h, 6Eh, 0B8h, 0Fh, 0B9h .data:0000000000201281 db 0EDh, 0BAh, 90h, 0BBh, 0D4h, 0BCh, 0D9h, 0BDh, 42h .data:0000000000201281 db 0BEh, 0DDh, 0BFh, 98h, 0C0h, 57h, 0C1h, 37h, 0C2h, 19h .data:0000000000201281 db 0C3h, 78h, 0C4h, 56h, 0C5h, 0AFh, 0C6h, 74h, 0C7h, 0D1h .data:0000000000201281 db 0C8h, 4, 0C9h, 29h, 0CAh, 55h, 0CBh, 0E5h, 0CCh, 4Ch .data:0000000000201281 db 0CDh, 0A0h, 0CEh, 0F2h, 0CFh, 89h, 0D0h, 0DBh, 0D1h .data:0000000000201281 db 0E4h, 0D2h, 38h, 0D3h, 83h, 0D4h, 0EAh, 0D5h, 17h, 0D6h .data:0000000000201281 db 7, 0D7h, 0DCh, 0D8h, 8Ch, 0D9h, 8Ah, 0DAh, 0B4h, 0DBh .data:0000000000201281 db 7Bh, 0DCh, 0E9h, 0DDh, 0FFh, 0DEh, 0EBh, 0DFh, 15h .data:0000000000201281 db 0E0h, 0Dh, 0E1h, 2, 0E2h, 0A2h, 0E3h, 0F3h, 0E4h, 34h .data:0000000000201281 db 0E5h, 0CCh, 0E6h, 18h, 0E7h, 0F8h, 0E8h, 13h, 0E9h .data:0000000000201281 db 8Dh, 0EAh, 7Fh, 0EBh, 0AEh, 0ECh, 21h, 0EDh, 0E3h, 0EEh .data:0000000000201281 db 0CDh, 0EFh, 4Dh, 0F0h, 70h, 0F1h, 53h, 0F2h, 0FDh, 0F3h .data:0000000000201281 db 0ABh, 0F4h, 72h, 0F5h, 64h, 0F6h, 1Ch, 0F7h, 66h, 0F8h .data:0000000000201281 db 0A9h, 0F9h, 0B0h, 0FAh, 1Eh, 0FBh, 0D7h, 0FCh, 0DFh .data:0000000000201281 db 0FDh, 
36h, 0FEh, 7Dh, 0FFh .data:000000000020147D db 31h ; 1 .data:000000000020147D _data ends |
After some analysis we know: 1. The program performs a table lookup based on the input. 2. The table format is 00 xx 01 xx 02 xx 03 xx. 3. The main encryption function is get_tbl_entry. So, based on this information, we can write the code to get the flag.
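/* NOTE(review): the page shows three bare `#include` lines whose header names
 * were stripped when it was rendered; <stdio.h> (printf/fprintf) is the only
 * header this program actually needs. */
#include <stdio.h>

/* Interleaved lookup table copied from the binary's .data section:
 * ida_chars[2*k] is the plaintext byte (key) and ida_chars[2*k + 1] is the
 * byte the binary substitutes for it. 255 pairs, keys 0x01..0xFF. */
unsigned char ida_chars[] = {
    0x01, 0xBB, 0x02, 0x9B, 0x03, 0xC4, 0x04, 0x6C, 0x05, 0x4A, 0x06, 0x2E, 0x07, 0x22, 0x08, 0x45,
    0x09, 0x33, 0x0A, 0xB8, 0x0B, 0xD5, 0x0C, 0x06, 0x0D, 0x0A, 0x0E, 0xBC, 0x0F, 0xFA, 0x10, 0x79,
    0x11, 0x24, 0x12, 0xE1, 0x13, 0xB2, 0x14, 0xBF, 0x15, 0x2C, 0x16, 0xAD, 0x17, 0x86, 0x18, 0x60,
    0x19, 0xA4, 0x1A, 0xB6, 0x1B, 0xD8, 0x1C, 0x59, 0x1D, 0x87, 0x1E, 0x41, 0x1F, 0x94, 0x20, 0x77,
    0x21, 0xF0, 0x22, 0x4F, 0x23, 0xCB, 0x24, 0x61, 0x25, 0x25, 0x26, 0xC0, 0x27, 0x97, 0x28, 0x2A,
    0x29, 0x5C, 0x2A, 0x08, 0x2B, 0xC9, 0x2C, 0x9F, 0x2D, 0x43, 0x2E, 0x4E, 0x2F, 0xCF, 0x30, 0xF9,
    0x31, 0x3E, 0x32, 0x6F, 0x33, 0x65, 0x34, 0xE7, 0x35, 0xC5, 0x36, 0x39, 0x37, 0xB7, 0x38, 0xEF,
    0x39, 0xD0, 0x3A, 0xC8, 0x3B, 0x2F, 0x3C, 0xAA, 0x3D, 0xC7, 0x3E, 0x47, 0x3F, 0x3C, 0x40, 0x81,
    0x41, 0x32, 0x42, 0x49, 0x43, 0xD3, 0x44, 0xA6, 0x45, 0x96, 0x46, 0x2B, 0x47, 0x58, 0x48, 0x40,
    0x49, 0xF1, 0x4A, 0x9C, 0x4B, 0xEE, 0x4C, 0x1A, 0x4D, 0x5B, 0x4E, 0xC6, 0x4F, 0xD6, 0x50, 0x80,
    0x51, 0x2D, 0x52, 0x6D, 0x53, 0x9A, 0x54, 0x3D, 0x55, 0xA7, 0x56, 0x93, 0x57, 0x84, 0x58, 0xE0,
    0x59, 0x12, 0x5A, 0x3B, 0x5B, 0xB9, 0x5C, 0x09, 0x5D, 0x69, 0x5E, 0xBA, 0x5F, 0x99, 0x60, 0x48,
    0x61, 0x73, 0x62, 0xB1, 0x63, 0x7C, 0x64, 0x82, 0x65, 0xBE, 0x66, 0x27, 0x67, 0x9D, 0x68, 0xFB,
    0x69, 0x67, 0x6A, 0x7E, 0x6B, 0xF4, 0x6C, 0xB3, 0x6D, 0x05, 0x6E, 0xC2, 0x6F, 0x5F, 0x70, 0x1B,
    0x71, 0x54, 0x72, 0x23, 0x73, 0x71, 0x74, 0x11, 0x75, 0x30, 0x76, 0xD2, 0x77, 0xA5, 0x78, 0x68,
    0x79, 0x9E, 0x7A, 0x3F, 0x7B, 0xF5, 0x7C, 0x7A, 0x7D, 0xCE, 0x7E, 0x0B, 0x7F, 0x0C, 0x80, 0x85,
    0x81, 0xDE, 0x82, 0x63, 0x83, 0x5E, 0x84, 0x8E, 0x85, 0xBD, 0x86, 0xFE, 0x87, 0x6A, 0x88, 0xDA,
    0x89, 0x26, 0x8A, 0x88, 0x8B, 0xE8, 0x8C, 0xAC, 0x8D, 0x03, 0x8E, 0x62, 0x8F, 0xA8, 0x90, 0xF6,
    0x91, 0xF7, 0x92, 0x75, 0x93, 0x6B, 0x94, 0xC3, 0x95, 0x46, 0x96, 0x51, 0x97, 0xE6, 0x98, 0x8F,
    0x99, 0x28, 0x9A, 0x76, 0x9B, 0x5A, 0x9C, 0x91, 0x9D, 0xEC, 0x9E, 0x1F, 0x9F, 0x44, 0xA0, 0x52,
    0xA1, 0x01, 0xA2, 0xFC, 0xA3, 0x8B, 0xA4, 0x3A, 0xA5, 0xA1, 0xA6, 0xA3, 0xA7, 0x16, 0xA8, 0x10,
    0xA9, 0x14, 0xAA, 0x50, 0xAB, 0xCA, 0xAC, 0x95, 0xAD, 0x92, 0xAE, 0x4B, 0xAF, 0x35, 0xB0, 0x0E,
    0xB1, 0xB5, 0xB2, 0x20, 0xB3, 0x1D, 0xB4, 0x5D, 0xB5, 0xC1, 0xB6, 0xE2, 0xB7, 0x6E, 0xB8, 0x0F,
    0xB9, 0xED, 0xBA, 0x90, 0xBB, 0xD4, 0xBC, 0xD9, 0xBD, 0x42, 0xBE, 0xDD, 0xBF, 0x98, 0xC0, 0x57,
    0xC1, 0x37, 0xC2, 0x19, 0xC3, 0x78, 0xC4, 0x56, 0xC5, 0xAF, 0xC6, 0x74, 0xC7, 0xD1, 0xC8, 0x04,
    0xC9, 0x29, 0xCA, 0x55, 0xCB, 0xE5, 0xCC, 0x4C, 0xCD, 0xA0, 0xCE, 0xF2, 0xCF, 0x89, 0xD0, 0xDB,
    0xD1, 0xE4, 0xD2, 0x38, 0xD3, 0x83, 0xD4, 0xEA, 0xD5, 0x17, 0xD6, 0x07, 0xD7, 0xDC, 0xD8, 0x8C,
    0xD9, 0x8A, 0xDA, 0xB4, 0xDB, 0x7B, 0xDC, 0xE9, 0xDD, 0xFF, 0xDE, 0xEB, 0xDF, 0x15, 0xE0, 0x0D,
    0xE1, 0x02, 0xE2, 0xA2, 0xE3, 0xF3, 0xE4, 0x34, 0xE5, 0xCC, 0xE6, 0x18, 0xE7, 0xF8, 0xE8, 0x13,
    0xE9, 0x8D, 0xEA, 0x7F, 0xEB, 0xAE, 0xEC, 0x21, 0xED, 0xE3, 0xEE, 0xCD, 0xEF, 0x4D, 0xF0, 0x70,
    0xF1, 0x53, 0xF2, 0xFD, 0xF3, 0xAB, 0xF4, 0x72, 0xF5, 0x64, 0xF6, 0x1C, 0xF7, 0x66, 0xF8, 0xA9,
    0xF9, 0xB0, 0xFA, 0x1E, 0xFB, 0xD7, 0xFC, 0xDF, 0xFD, 0x36, 0xFE, 0x7D, 0xFF, 0x31
};

/* The 37 bytes main() compares the transformed input against: the
 * little-endian bytes of the immediates the binary stores into s2. */
unsigned char encFlag[] = {
    0x27, 0xb3, 0x73, 0x9d, 0xf5, 0x11, 0xe7, 0xb1, 0xb3, 0xbe, 0x99, 0xb3, 0xf9, 0xf9, 0xf4, 0x30,
    0x1b, 0x71, 0x99, 0x73, 0x23, 0x65, 0x99, 0xb1, 0x65, 0x11, 0x11, 0xbe, 0x23, 0x99, 0x27, 0xf9,
    0x23, 0x99, 0x05, 0x65, 0xce
};

/* Inverse table lookup.
 *
 * Returns the key byte whose table value equals `enc`, or -1 when no pair has
 * that value. The scan is bounded by the number of pairs (sizeof ida_chars /
 * 2), not by the byte count: the original loop ran j up to sizeof(ida_chars)
 * and indexed ida_chars[2*j + 1], which reads past the end of the array for
 * any value that is not in the table. */
static int decode_byte(unsigned char enc) {
    size_t pairs = sizeof ida_chars / 2;
    for (size_t k = 0; k < pairs; k++) {
        if (ida_chars[2 * k + 1] == enc) {
            return ida_chars[2 * k];
        }
    }
    return -1;
}

/* Recovers the flag by inverting the substitution on every byte of encFlag and
 * printing the plaintext bytes to stdout, as in the original. A byte with no
 * table entry is reported on stderr instead of being silently skipped. */
int main(int argc, char **argv) {
    (void)argc;
    (void)argv;
    for (size_t i = 0; i < sizeof encFlag; i++) {
        int plain = decode_byte(encFlag[i]);
        if (plain < 0) {
            fprintf(stderr, "no table entry for 0x%02x at offset %zu\n", encFlag[i], i);
            continue;
        }
        printf("%c", plain);
    }
    return 0;
}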
Output: flag{t4ble_l00kups_ar3_b3tter_f0r_m3}