sundry

Reverse writeup of "jiaweisi Cup" in Shanghai in 2019

 https://ws3.sinaimg.cn/large/005BYqpggy1g1lwdiva4dj30jv08q40c.jpg
### obfuse

32-bit ELF file, shell free, find key code through key string during loading
![]( )
However, if you find that F5 is not easy to use, you can only look at the assembly. First, output "password:" and then read a string of strings from the cache and enter the sub\_ 8048580 is used to verify. If 0 is returned, the input is wrong; if 1 is returned, it is correct
![]( )

In sub\_ 8048580 function is a bit by bit check
```
_ BOOL4 __ cdecl sub_ 8048580(int a1, signed int a2)
{
signed int v2; // edx
char v3; // al
_ BOOL4 result; // eax
char v5[33]; // [esp+Ch] [ebp-A0h]
char b20_ 1; // [esp+2Dh] [ebp-7Fh]
char b1f_ 1; // [esp+2Eh] [ebp-7Eh]
char b1e_ 1; // [esp+30h] [ebp-7Ch]
char b1d_ 1; // [esp+31h] [ebp-7Bh]
char b1c_ 1; // [esp+32h] [ebp-7Ah]
char b1b_ 1; // [esp+33h] [ebp-79h]
char b1a_ 1; // [esp+35h] [ebp-77h]
char b19_ 1; // [esp+36h] [ebp-76h]
char b18_ 1; // [esp+37h] [ebp-75h]
char b17_ 1; // [esp+38h] [ebp-74h]
char b16_ 1; // [esp+39h] [ebp-73h]
char b15_ 1; // [esp+3Ah] [ebp-72h]
char b14_ 1; // [esp+3Ch] [ebp-70h]
char b13_ 0; // [esp+3Dh] [ebp-6Fh]
char b12_ 0; // [esp+3Eh] [ebp-6Eh]
char b11_ 0; // [esp+3Fh] [ebp-6Dh]
char b10_ 0; // [esp+40h] [ebp-6Ch]
char bf_ 0; // [esp+41h] [ebp-6Bh]
char be_ 0; // [esp+42h] [ebp-6Ah]
char bd_ 0; // [esp+43h] [ebp-69h]
char bc_ 1; // [esp+44h] [ebp-68h]
char bb_ 1; // [esp+45h] [ebp-67h]
char ba_ 1; // [esp+56h] [ebp-56h]
char b9_ 0; // [esp+7Ch] [ebp-30h]
char b8_ 0; // [esp+7Dh] [ebp-2Fh]
char b7_ 0; // [esp+7Eh] [ebp-2Eh]
char b6_ 0; // [esp+7Fh] [ebp-2Dh]
char b5_ 1; // [esp+80h] [ebp-2Ch]
char b4_ 1; // [esp+81h] [ebp-2Bh]
char b3_ 1; // [esp+82h] [ebp-2Ah]
char b2_ 1; // [esp+83h] [ebp-29h]
char b1_ 1; // [esp+85h] [ebp-27h]
unsigned int v38; // [esp+8Ch] [ebp-20h]

v38 = __ readgsdword(0x14u);
v2 = a2;
while ( 2 )
{
memset(v5, 0, 0x80u);
v3 = *(_ BYTE *)(a1 + v2);
v5[(v3 + 64) % 128] = 1;
if ( (unsigned __ int8)(v3 - 10) <= 0x70u )
{
switch ( v3 )
{
case '\n':
return v2 == 13 && ba_ 1 != 0;
case '0':
if ( v2 || !b9_ 0 )
return 0;
v2 = 1;
continue;
case '1':
if ( v2 == 14 && b8_ 0 )
goto LABEL_ 12;
return 0;
case '2':
if ( v2 == 20 && b7_ 0 )
goto LABEL_ 15;
return 0;
case '3':
if ( v2 != 89 || !b6_ 0 )
return 0;
v2 = 90;
continue;
case '4':
if ( v2 != 15 || !b5_ 1 )
return 0;
v2 = 16;
continue;
case '5':
if ( v2 != 14 || !b4_ 1 )
return 0;
LABEL_ 12:
v2 = 15;
continue;
case '6':
if ( v2 != 12 || !b3_ 1 )
return 0;
v2 = 13;
continue;
case '7':
if ( v2 != 5 || !b2_ 1 )
return 0;
v2 = 6;
continue;
case '8':
result = 0;
if ( b1_ 1 )
result = v2 == 33 || v2 == 2;
return result;
case '9':
if ( v2 != 1 || !b1_ 1 )
return 0;
v2 = 2;
continue;
case 'a':
if ( v2 != 35 || !b20_ 1 )
return 0;
v2 = 36;
continue;
case 'b':
if ( v2 != 11 || !b1f_ 1 )
return 0;
v2 = 12;
continue;
case 'c':
if ( v2 != 32 || !b20_ 1 )
return 0;
v2 = 33;
continue;
case 'd':
if ( v2 != 3 || !b1e_ 1 )
return 0;
v2 = 4;
continue;
case 'e':
if ( v2 != 7 || !b1d_ 1 )
return 0;
v2 = 8;
continue;
case 'f':
if ( !b1c_ 1 || v2 != 8 && v2 != 4 )
return 0;
goto LABEL_ 53;
case 'g':
return v2 == 12 && b10_ 0 != 0;
case 'h':
if ( v2 != 13 || !b1b_ 1 )
return 0;
v2 = 14;
continue;
case 'i':
if ( v2 != 9 || !b1a_ 1 )
return 0;
v2 = 10;
continue;
case 'j':
if ( v2 != 10 || !b19_ 1 )
return 0;
v2 = 11;
continue;
case 'k':
return v2 == 12 && b18_ 1 != 0;
case 'l':
if ( v2 != 19 || !b17_ 1 )
return 0;
v2 = 20;
continue;
case 'm':
if ( v2 != 17 || !b16_ 1 )
return 0;
v2 = 18;
continue;
case 'n':
return v2 == 18 && b16_ 1 != 0;
case 'o':
if ( !b15_ 1 || v2 != 6 && v2 != 28 )
return 0;
LABEL_ 53:
++v2;
continue;
case 'p':
if ( v2 != 30 || !b14_ 1 )
return 0;
v2 = 31;
continue;
case 'q':
if ( v2 != 29 || !b13_ 0 )
return 0;
v2 = 30;
continue;
case 'r':
if ( v2 != 20 || !b12_ 0 )
return 0;
LABEL_ 15:
v2 = 21;
continue;
case 's':
if ( v2 != 25 || !b11_ 0 )
return 0;
v2 = 26;
continue;
case 't':
return v2 == 24 && b12_ 0 != 0;
case 'u':
if ( v2 != 26 || !bf_ 0 )
return 0;
v2 = 27;
continue;
case 'v':
if ( v2 != 2 || !be_ 0 )
return 0;
v2 = 3;
continue;
case 'w':
if ( v2 != 6 || !bd_ 0 )
return 0;
v2 = 7;
continue;
case 'x':
if ( v2 != 22 || !bc_ 1 )
return 0;
v2 = 23;
continue;
case 'y':
if ( v2 != 23 || !bb_ 1 )
return 0;
v2 = 24;
continue;
case 'z':
return v2 == 21 && b20_ 1 != 0;
default:
return 0;
}
}
return 0;
}
}
```
According to the value of case in switch and if condition in case, the correct flag can be deduced
#### flag:09vdf7wefijbk

### Auth.exe
32-bit windows executable file, no shell, first run the following program:
![]( )

It is also loaded into IDA to find the key code through the key string (main function). This function defines a lot of data before, and finally passes through sub_ 401500 treatment

```
int __ cdecl main(int argc, const char **argv, const char **envp)
{
const CHAR *v3; // ebx
HMODULE v4; // eax
void (__ stdcall *v5)(HMODULE, LPCSTR); // eax
char v7; // [esp+1h] [ebp-157h]
char v8[4]; // [esp+15h] [ebp-143h]
int v9; // [esp+20h] [ebp-138h]
int v10; // [esp+26h] [ebp-132h]
int v11; // [esp+2Ah] [ebp-12Eh]
int v12; // [esp+2Eh] [ebp-12Ah]
int v13; // [esp+32h] [ebp-126h]
int v14; // [esp+36h] [ebp-122h]
int v15; // [esp+3Ah] [ebp-11Eh]
__ int16 v16; // [esp+3Eh] [ebp-11Ah]
int v17; // [esp+40h] [ebp-118h]
int v18; // [esp+44h] [ebp-114h]
int v19; // [esp+48h] [ebp-110h]
int v20; // [esp+4Ch] [ebp-10Ch]
int v21; // [esp+50h] [ebp-108h]
int v22; // [esp+54h] [ebp-104h]
int v23; // [esp+58h] [ebp-100h]
int v24; // [esp+5Ch] [ebp-FCh]
int v25; // [esp+60h] [ebp-F8h]
int v26; // [esp+64h] [ebp-F4h]
int v27; // [esp+68h] [ebp-F0h]
int v28; // [esp+6Ch] [ebp-ECh]
int v29; // [esp+70h] [ebp-E8h]
char v30; // [esp+74h] [ebp-E4h]
int a_ 2; // [esp+75h] [ebp-E3h]
int v32; // [esp+79h] [ebp-DFh]
int v33; // [esp+7Dh] [ebp-DBh]
int v34; // [esp+81h] [ebp-D7h]
int v35; // [esp+85h] [ebp-D3h]
int v36; // [esp+89h] [ebp-CFh]
int v37; // [esp+8Dh] [ebp-CBh]
int v38; // [esp+91h] [ebp-C7h]
__ int16 v39; // [esp+95h] [ebp-C3h]
int a_ 1; // [esp+97h] [ebp-C1h]
int v41; // [esp+9Bh] [ebp-BDh]
int v42; // [esp+9Fh] [ebp-B9h]
int v43; // [esp+A3h] [ebp-B5h]
int v44; // [esp+A7h] [ebp-B1h]
int v45; // [esp+ABh] [ebp-ADh]
int v46; // [esp+AFh] [ebp-A9h]
int v47; // [esp+B3h] [ebp-A5h]
char v48; // [esp+B7h] [ebp-A1h]
int v49; // [esp+B8h] [ebp-A0h]
int v50; // [esp+BEh] [ebp-9Ah]
int v51; // [esp+C2h] [ebp-96h]
int v52; // [esp+C6h] [ebp-92h]
int v53; // [esp+CAh] [ebp-8Eh]
int v54; // [esp+CEh] [ebp-8Ah]
int v55; // [esp+D2h] [ebp-86h]
int v56; // [esp+D6h] [ebp-82h]
int v57; // [esp+DAh] [ebp-7Eh]
char v58; // [esp+DEh] [ebp-7Ah]
int v59; // [esp+DFh] [ebp-79h]
int v60; // [esp+E3h] [ebp-75h]
int v61; // [esp+E7h] [ebp-71h]
int v62; // [esp+EBh] [ebp-6Dh]
int v63; // [esp+EFh] [ebp-69h]
int v64; // [esp+F3h] [ebp-65h]
int v65; // [esp+F7h] [ebp-61h]
int v66; // [esp+FBh] [ebp-5Dh]
__ int16 v67; // [esp+FFh] [ebp-59h]
int v68; // [esp+101h] [ebp-57h]
int v69; // [esp+105h] [ebp-53h]
char v70; // [esp+109h] [ebp-4Fh]
int v71; // [esp+10Ah] [ebp-4Eh]
int v72; // [esp+10Eh] [ebp-4Ah]
int v73; // [esp+112h] [ebp-46h]
int v74; // [esp+116h] [ebp-42h]
int v75; // [esp+11Ah] [ebp-3Eh]
int v76; // [esp+11Eh] [ebp-3Ah]
int v77; // [esp+122h] [ebp-36h]
int v78; // [esp+126h] [ebp-32h]
int v79; // [esp+12Ah] [ebp-2Eh]
int v80; // [esp+12Eh] [ebp-2Ah]
int v81; // [esp+132h] [ebp-26h]
int v82; // [esp+136h] [ebp-22h]
int v83; // [esp+13Ah] [ebp-1Eh]
int v84; // [esp+13Eh] [ebp-1Ah]
int v85; // [esp+142h] [ebp-16h]
int v86; // [esp+146h] [ebp-12h]
int v87; // [esp+14Ah] [ebp-Eh]
__ int16 v88; // [esp+14Eh] [ebp-Ah]
int *v89; // [esp+150h] [ebp-8h]

v89 = &argc;
sub_ 402940();
puts(
"            .     \n"
"           _ |_     ROBOTIC AUTHENTICATION SYSTEM\n"
"    /\\/\\  (. .)  /\n"
"    `||'   |#|  \n"
"     ||__ .-\"-\"-.___    \n"
"     `---| . . |--.\\  \n"
"         | : : |  ,||,\n"
"         `..-..'  \\/\\/\n"
"          || ||   \n"
"          || ||    \n"
"         |__ |__ |  \n");
v49 = 0x539;
v50 = 0x60646D51;
v51 = 0x64216472;
v52 = 0x7364756F;
v53 = 0x64697521;
v54 = 0x73686721;
v55 = 0x51217572;
v56 = 0x76727260;
v57 = 0x3B65736E;
v58 = 1;
a_ 1 = 0x60646D51;
v41 = 0x64216472;
v42 = 0x7364756F;
v43 = 0x64697521;
v44 = 0x73686721;
v45 = 0x51217572;
v46 = 0x76727260;
v47 = 0x3B65736E;
v48 = 1;
v59 = 0x60646D51;
v60 = 0x64216472;
v61 = 0x7364756F;
v62 = 0x64697521;
v63 = 0x62647221;
v64 = 0x21656F6E;
v65 = 0x72726051;
v66 = 0x65736E76;
v67 = 315;
a_ 2 = 0x60646D51;                             // Please enter the second Password
v32 = 0x64216472;
v33 = 0x7364756F;
v34 = 0x64697521;
v35 = 0x62647221;
v36 = 0x21656F6E;
v37 = 0x72726051;
v38 = 0x65736E76;
v39 = 315;
v68 = 0x6F6F3074;
v69 = 0x666D3367;
v70 = 3;
v28 = 0x6F6F3074;
v29 = 0x666D3367;
v30 = 3;
v71 = 0x6F73646A;
v72 = 0x33326D64;
v73 = 0x6D6D652F;
v74 = 0x13F0101;
v24 = 0x6F73646A;
v25 = 0x33326D64;
v26 = 0x6D6D652F;
v27 = 0x13F0101;
v75 = 0x57656540;
v76 = 0x6E756264;
v77 = 0x44656473;
v78 = 0x71646279;
v79 = 0x6F6E6875;
v80 = 0x656F6049;
v81 = 0x173646D;
v17 = 0x57656540;
v18 = 0x6E756264;
v19 = 0x44656473;
v20 = 0x71646279;
v21 = 0x6F6E6875;
v22 = 0x656F6049;
v23 = 0x173646D;
v82 = 0x21746E58;
v83 = 0x2F6F6876;
v84 = 0x6F6E4221;
v85 = 0x75607366;
v86 = 0x75606D74;
v87 = 0x726F6E68;
v88 = 0x120;
v10 = 0x21746E58;
v11 = 0x2F6F6876;
v12 = 0x6F6E4221;
v13 = 0x75607366;
v14 = 0x75606D74;
v15 = 0x726F6E68;
v16 = 0x120;
v9 = 0x539;
strcpy(v8, "r0b0RUlez!");
dword_ 40AD94 = (int)&v9;
dword_ 40ADA0 = (int)&v49;
dword_ 40AD8C = (char *)&a_ 1;
dword_ 40AD90 = (char *)&a_ 2;
dword_ 40AD98 = (int)&v28;
lpProcName = (LPCSTR)&v17;
lpModuleName = (LPCSTR)&v24;
dword_ 40ADA4 = (char *)&v10;
sub_ 401500(0);
v3 = lpProcName;
v4 = GetModuleHandleA(lpModuleName);
v5 = (void (__ stdcall *)(HMODULE, LPCSTR))GetProcAddress(v4, v3);
v5((HMODULE)1, (LPCSTR)sub_ 40157F);
puts(dword_ 40AD8C);
scanf("%20s", &v7);
if ( !strcmp(&v7, v8) )
{
puts("You passed level1!");
sub_ 4015EA(0);
}
return 0;
}
```
In sub\_ Each bit of the data just defined in the 401500 function is XOR with 1
![]( )
First decrypt the data:
```
data1="516D6460726421646F756473217569642167687372752151607272766E73653B"
str1 =""
for x in range(0,len(data1),2):
str1 += chr(eval("0x"+data1[x:x+2])^1)
print str1

data2 = "516D6460726421646F75647321756964217264626E6F652151607272766E73653B"

str2 =""
for x in range(0,len(data2),2):
str2 += chr(eval("0x"+data2[x:x+2])^1)
print str2

data3 = "74306F6F67336D66"

str3 =""
for x in range(0,len(data3),2):
str3 += chr(eval("0x"+data3[x:x+2])^1)
print str3

data4 = "6A64736F646D32332F656D6D"
str4 = ""
for x in range(0,len(data4),2):
str4 += chr(eval("0x"+data4[x:x+2])^1)
print str4

data5 = "406565576462756E736465447962647175686E6F49606F656D6473"
str5 = ""
for x in range(0,len(data5),2):
str5 += chr(eval("0x"+data5[x:x+2])^1)
print str5

data6 = "586E742176686F2F21426E6F66736075746D6075686E6F7220"
str6 = ""
for x in range(0,len(data6),2):
str6 += chr(eval("0x"+data6[x:x+2])^1)
print str6
```
Output results:
![]( )
Some of the output strings need to be found

Next, the program receives a string and compares it with the string "r0b0rulez!", which is the first level restriction, and then comes to the function sub\_ 4015ea, an exception is constructed in this. When the program goes here, an exception occurs and a jump is made. Before the jump, a data is changed. The second jump is in this function. Then we will follow the first one
![]( )

After following up, we come to a function, receive a string, and enter sub\_ Compare 154407
![]( )

In sub\_ In the 401547 function, every bit of the string "u1nnf2lg" is XOR to 2
![]( )

Decryption results in "w3lld0ne"
```
flag = "u1nnf2lg"
real_ flag =""
for x in range(len(flag)):
real_ flag+=chr(ord(flag[x])^2)
print real_ flag
```

Finally, the strings are spliced together
#### flag:r0b0RUlez!\_ w3lld0ne

fabulous ( four )

This paper is written by Ji Changxin Creation, article address: https://blog.isoyu.com/archives/2019-shanghaijiaweisibeinixiang-writeup.html
use Knowledge sharing signature 4.0 International license agreement. Except for the reprint / source, they are all original or translated by our website. Please sign before reprinting. Last editing time: March 31, 2019 at 01:12 PM

Hot articles

Comments:

7 comments, 3 visitors, 4 bloggers
  1.  Rookie leader
    Rookie leader Published on:

    Why can't I reply to you. There is no class for study. I'm looking for an internship.

    •  Ji Changxin
      Ji Changxin Published on:

      Yes, it's going on

    •  Ji Changxin
      Ji Changxin Published on:

      Yes, my back is cold. I almost went to restore the snapshot

    •  Ji Changxin
      Ji Changxin Published on:

      Just guessed that the big man's comment how to avoid the audit, thought that the big man intruded into the database, search the comment to find that the big man had come before

  2.  Ji Changxin
    Ji Changxin Published on:

    Good morning

Comment

[required]

invisibility?

Please wait three seconds after submitting to avoid unsuccessful submission and repetition