main部分,就是要逆这部分shellcode,程序把data段里面的东西复制到bss段去执行,期间包含解码操作。
v19 = 0;
puts("Please input your flag: ");
__isoc99_scanf("%s", s);
if ( strlen(s) != 38 )
{
puts("Wrong length!");
exit(0);
}
for ( i = 0; i <= 37; ++i )
{
exec = shellcode;
*(&loc_404144 + 4) = MEMORY[0x404068];
loc_404150 = loc_404070;
*(&MEMORY[0x404154] + 4) = MEMORY[0x404078];
MEMORY[0x404160] = loc_404080;
MEMORY[0x404168] = unk_404088;
MEMORY[0x404170] = unk_404090;
MEMORY[0x404178] = loc_404098;
MEMORY[0x404180] = loc_4040A0;
MEMORY[0x404188] = MEMORY[0x4040A8];
loc_404190 = loc_4040B0;
loc_404198 = loc_4040B8;
loc_4041A0 = loc_4040C0;
MEMORY[0x4041A8] = MEMORY[0x4040C8];
v19 = (exec)(s[i]);
*(s1 + i) = v19;
}
if ( !memcmp(s1, &enc, 0x26uLL) )
puts("Congratulations~");
else
puts("Sorry try again.");
return 0;
}
这里貌似就是smc(self-Modifying Code)的部分,并不是生成flag的代码
这部分才是真正生成flag的代码
字节高四位和第四位互换,然后-3,然后xor 0x1c。
149 push r15
.bss:000000000040414B push r14
.bss:000000000040414D mov r15, rdi
.bss:000000000040414D
.bss:0000000000404150
.bss:0000000000404150 loc_404150: ; DATA XREF: main+181↑w
.bss:0000000000404150 and r15, 0FFh
.bss:0000000000404157
.bss:0000000000404157 loc_404157: ; DATA XREF: main+188↑w
.bss:0000000000404157 and r15, 0Fh
.bss:000000000040415B mov r14, rdi
.bss:000000000040415E
.bss:000000000040415E loc_40415E: ; DATA XREF: main+19D↑w
.bss:000000000040415E and r14, 0FFh
.bss:0000000000404165
.bss:0000000000404165 loc_404165: ; DATA XREF: main+1A4↑w
.bss:0000000000404165 sar r14, 4
.bss:0000000000404169 and r14, 0Fh
.bss:000000000040416D
.bss:000000000040416D loc_40416D: ; DATA XREF: main+1B9↑w
.bss:000000000040416D shl r15, 4
.bss:0000000000404171 or r14, r15
.bss:0000000000404174 mov rax, r14
.bss:0000000000404177
.bss:0000000000404177 loc_404177: ; DATA XREF: main+1C0↑w
.bss:0000000000404177 dec al
.bss:0000000000404179 dec al
.bss:000000000040417B dec al
.bss:000000000040417D xor al, 1Ch
.bss:000000000040417F
.bss:000000000040417F loc_40417F: ; DATA XREF: main+1D5↑w
.bss:000000000040417F pop r14
.bss:0000000000404181 pop r15
.bss:0000000000404183 jmp short loc_4041A5
enc=[0x7F, 0xDF, 0x0F, 0x6F, 0xA8, 0x7F, 0x7C, 0x3C, 0x0C, 0x4C, 0x5C, 0x9C, 0x4F, 0x3F, 0x4F, 0x3C, 0x0C, 0x0F, 0x4C, 0x3C, 0x5F, 0x9C, 0x4C, 0x9C, 0x7C, 0x9C, 0x0C, 0x5F, 0x2C, 0x2F, 0x4F, 0x5C, 0x5C, 0x8C, 0x2F, 0x9C, 0x5F, 0xC8, 0x81]
print(len(enc))
# offset=0x65
# for index in range(offset,offset+1):
l=''
for i in range(len(enc)):
temp=(enc[i]^0x1c)+3
l+=chr(((temp<<4|temp>>4)&0xff))
# if 'flag' in l or '}' in l[-1]:
print(l,l.encode(),len(l))
# flag=b'flag'
# for i in range(4):
# print((flag[i]^0x65)%enc[i])
#flag{f621548ebe21a52d858681d3ce449c8d}
![[C#]使用OpenCvSharp图像滤波中值滤波均值滤波高通滤波双边滤波锐化滤波自定义滤波](https://img-blog.csdnimg.cn/direct/0182889615b0479cb66697ecbd8ea9be.png)
