almost 9 years ago

ISG2014 BT

ARM 逆向,不得不說 Hex-rays 的 decompiler 真厲害 ...

  1. .text:86D4 根據 .rodata:8C10 這個表的內容建一個 tree,node 的結構是 {value, left, right}
  2. .text:8790 從樹根開始 dfs,並且填好 .bss:11258 這個表,dfs 是用位在 .bss:11058 的棧實現的
  3. 查表檢查 input 的每個字元是否正確,且長度為 34

計算和檢查的過程,重新寫成 python 如下,檢查的部份已經改為反查找出正確的字元

# .rodata:8C10

s = ("677B3371394F4C4E5A5F62565743794A"  
"6B20206C202073682020632020617820"
"20722020643620204120204D59202074"
"20204976202050202034752020692020"
"54532020512020654220206E2020587A"
"20206F20205237202048202055322020"
"702020463520204720204B6D20203820"
"20447720207D2020456A202066202000").decode('hex')

i = 0
tb = {}

# 建樹跟計算 table .bss:11258 的值 ([0x11258+z]=y) 

def dfs(x,y):  
  global i,tb
  if i<len(s):
    z = s[i]
    i += 1
    if z!=' ':
      tb[y] = z
      dfs(x+1,48*(x+1)+y)
      dfs(x+1,49*(x+1)+y)

dfs(0,0)
v = [3179,2649,729,48,487,3189,2177,2650,5789,4380,2160,
    1350,5789,1736,144,2160,4393,1014,5054,3755,49,5789,
    724,5067,6544,2160,3189,724,2160,4368,1743,720,1008,293]
print ''.join(tb[x] for x in v)

Flag: ISG{8in4rY_7re3_tRavEr5Al_i5_CoOL}

← ISG2014 Cryptobaby ISG2014 SQLMAP →