
2019 Shanghai's "Jia Wei Si Cup" reverse writeup

 Https://ws3.sinaimg.cn/large/005BYqpggy1g1lwdiva4dj30jv08q40c.jpg
Obfuse

A 32-bit ELF, not packed. Load it in IDA and follow the key strings (the "password:" prompt) to the checking code.
(screenshot)
F5 (the decompiler) does not give usable output for the main routine, so it has to be read in assembly: it prints "password:", reads a string into a buffer, and passes that buffer to sub_8048580 for verification. A return value of 0 means the input is wrong, 1 means it is correct.
(screenshot)

sub_8048580 verifies the input one character at a time. F5 does handle this function, and the pseudocode below is a state machine: v2 is the current position in the input, and each character is accepted only at the position its case expects.

_BOOL4 __cdecl sub_8048580 (int A1, signed int A2)
{
Signed int V2; / / EDX
Char V3; / / Al
_BOOL4 result; / / eax
Char v5[33]; / / [esp+Ch] [ebp-A0h]
Char b20_1; / / [esp+2Dh] [ebp-7Fh]
Char b1f_1; / / [esp+2Eh] [ebp-7Eh]
Char b1e_1; / / [esp+30h] [ebp-7Ch]
Char b1d_1; / / [esp+31h] [ebp-7Bh]
Char b1c_1; / / [esp+32h] [ebp-7Ah]
Char b1b_1; / / [esp+33h] [ebp-79h]
Char b1a_1; / / [esp+35h] [ebp-77h]
Char b19_1; / / [esp+36h] [ebp-76h]
Char b18_1; / / [esp+37h] [ebp-75h]
Char b17_1; / / [esp+38h] [ebp-74h]
Char b16_1; / / [esp+39h] [ebp-73h]
Char b15_1; / / [esp+3Ah] [ebp-72h]
Char b14_1; / / [esp+3Ch] [ebp-70h]
Char b13_0; / / [esp+3Dh] [ebp-6Fh]
Char b12_0; / / [esp+3Eh] [ebp-6Eh]
Char b11_0; / / [esp+3Fh] [ebp-6Dh]
Char b10_0; / / [esp+40h] [ebp-6Ch]
Char bf_0; / / [esp+41h] [ebp-6Bh]
Char be_0; / / [esp+42h] [ebp-6Ah]
Char bd_0; / / [esp+43h] [ebp-69h]
Char bc_1; / / [esp+44h] [ebp-68h]
Char bb_1; / / [esp+45h] [ebp-67h]
Char ba_1; / / [esp+56h] [ebp-56h]
Char b9_0; / / [esp+7Ch] [ebp-30h]
Char b8_0; / / [esp+7Dh] [ebp-2Fh]
Char b7_0; / / [esp+7Eh] [ebp-2Eh]
Char b6_0; / / [esp+7Fh] [ebp-2Dh]
Char b5_1; / / [esp+80h] [ebp-2Ch]
Char b4_1; / / [esp+81h] [ebp-2Bh]
Char b3_1; / / [esp+82h] [ebp-2Ah]
Char b2_1; / / [esp+83h] [ebp-29h]
Char b1_1; / / [esp+85h] [ebp-27h]
Unsigned int v38; / / [esp+8Ch] [ebp-20h]

V38 = __readgsdword (0x14u);
V2 = A2;
While (2)
{
Memset (V5, 0, 0x80u);
V3 = * (_BYTE *) (a1 + V2);
V5[(V3 + 64)% 128] = 1;
If ((unsigned __int8) (V3 - 10) < = 0x70u)
{
Switch (V3)
{
Case'\n':
Return V2 = = 13 & & ba_1! = 0;
Case'0':
If (V2 b9_0!)
Return 0;
V2 = 1;
Continue;
Case'1':
If (V2 = = 14 & b8_0)
Goto LABEL_12;
Return 0;
Case'2':
If (V2 = = 20 & b7_0)
Goto LABEL_15;
Return 0;
Case'3':
If (V2! = 89, b6_0!)
Return 0;
V2 = 90;
Continue;
Case'4':
If (V2! = 15, b5_1!)
Return 0;
V2 = 16;
Continue;
Case'5':
If (V2! = 14, b4_1!)
Return 0;
LABEL_12:
V2 = 15;
Continue;
Case'6':
If (V2! = 12, b3_1!)
Return 0;
V2 = 13;
Continue;
Case'7':
If (V2! = 5, b2_1!)
Return 0;
V2 = 6;
Continue;
Case'8':
Result = 0;
If (b1_1)
Result = V2 = = 33, V2 = = 2;
Return result;
Case'9':
If (V2! = 1, b1_1!)
Return 0;
V2 = 2;
Continue;
Case'a':
If (V2! = 35, b20_1!)
Return 0;
V2 = 36;
Continue;
Case'b':
If (V2! = 11, b1f_1!)
Return 0;
V2 = 12;
Continue;
Case'c':
If (V2! = 32, b20_1!)
Return 0;
V2 = 33;
Continue;
Case'd':
If (V2! = 3, b1e_1!)
Return 0;
V2 = 4;
Continue;
Case'e':
If (V2! = 7, b1d_1!)
Return 0;
V2 = 8;
Continue;
Case'f':
If (! B1c_1 V2! = 8 & & V2! = 4)
Return 0;
Goto LABEL_53;
Case'g':
Return V2 = = 12 & & b10_0! = 0;
Case'H':
If (V2! = 13, b1b_1!)
Return 0;
V2 = 14;
Continue;
Case'i':
If (V2! = 9, b1a_1!)
Return 0;
V2 = 10;
Continue;
Case'j':
If (V2! = 10, b19_1!)
Return 0;
V2 = 11;
Continue;
Case'k':
Return V2 = = 12 & & b18_1! = 0;
Case'l':
If (V2! = 19, b17_1!)
Return 0;
V2 = 20;
Continue;
Case'm':
If (V2! = 17, b16_1!)
Return 0;
V2 = 18;
Continue;
Case'n':
Return V2 = = 18 & & b16_1! = 0;
Case'o':
If (! B15_1 V2! = 6 & & V2! = 28)
Return 0;
LABEL_53:
++v2;
Continue;
Case'p':
If (V2! = 30, b14_1!)
Return 0;
V2 = 31;
Continue;
Case'q':
If (V2! = 29, b13_0!)
Return 0;
V2 = 30;
Continue;
Case'r':
If (V2! = 20, b12_0!)
Return 0;
LABEL_15:
V2 = 21;
Continue;
Case's':
If (V2! = 25, b11_0!)
Return 0;
V2 = 26;
Continue;
Case't':
Return V2 = = 24 & & b12_0! = 0;
Case'u':
If (V2! = 26, bf_0!)
Return 0;
V2 = 27;
Continue;
Case'v':
If (V2! = 2, be_0!)
Return 0;
V2 = 3;
Continue;
Case'w':
If (V2! = 6, bd_0!)
Return 0;
V2 = 7;
Continue;
Case'x':
If (V2! = 22, bc_1!)
Return 0;
V2 = 23;
Continue;
Case'y':
If (V2! = 23, bb_1!)
Return 0;
V2 = 24;
Continue;
Case'z':
Return V2 = = 21 & & b20_1! = 0;
Default:
Return 0;
}
}
Return 0;
}
}

Each case names the position (v2) at which its character is accepted and the position it moves to, so the accepted string can be read straight off the switch: '0' at 0, '9' at 1, 'v' at 2, 'd' at 3, 'f' at 4, '7' at 5, 'w' at 6, 'e' at 7, 'f' at 8, 'i' at 9, 'j' at 10, 'b' at 11, and 'k' at 12 returns 1. The b*_* locals are slots of the 128-byte table filled just before the switch: the slot for the current character c is (c + 64) mod 128, and the [esp+…] offsets in the prologue show which character each slot belongs to. On every live transition the slot tested is the one that was just set, so the test is always true; the cases '8', 'c', 'g', 'h', 'n', 'o', 't' and 'z' test another character's slot and can never succeed, so they — and all the transitions among positions 14 and above, none of which is reachable from the live path — are decoys. As decompiled, '6' at position 12 followed by a newline at 13 is also accepted; whether that path is reachable depends on whether the caller leaves the newline in the buffer, which is not visible here.
Flag:09vdf7wefijbk

Auth.exe
A 32-bit Windows executable, not packed. Run it first to see what it asks for.
(screenshot)

As before, load it in IDA and follow the key strings to the key code, here main. The function first fills many stack buffers with constants and then hands them to sub_401500.


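/*
 * main() of Auth.exe, reconstructed from the IDA pseudocode in the write-up.
 * Identifier case and operators mangled by the extraction are restored; the
 * multi-line ASCII-art banner did not survive extraction and is reduced to
 * its title line.  Everything else follows the listing.  The "^1 ->" notes
 * give each buffer's bytes XORed with 1 (read in little-endian order), which
 * the write-up says is what sub_401500 applies to them.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
    const CHAR *v3;                          // ebx
    HMODULE v4;                              // eax
    void (__stdcall *v5)(HMODULE, LPCSTR);   // eax
    char v7;                                 // [esp+1h] [ebp-157h]   level-1 answer; scanf writes up to 21 bytes from here
    char v8[4];                              // [esp+15h] [ebp-143h]  "r0b0RUlez!" (IDA under-sizes it; strcpy stores 11 bytes)
    int v9;                                  // [esp+20h] [ebp-138h]
    int v10;                                 // [esp+26h] [ebp-132h]  win message
    int v11;                                 // [esp+2Ah] [ebp-12Eh]
    int v12;                                 // [esp+2Eh] [ebp-12Ah]
    int v13;                                 // [esp+32h] [ebp-126h]
    int v14;                                 // [esp+36h] [ebp-122h]
    int v15;                                 // [esp+3Ah] [ebp-11Eh]
    __int16 v16;                             // [esp+3Eh] [ebp-11Ah]
    int v17;                                 // [esp+40h] [ebp-118h]  procedure name
    int v18;                                 // [esp+44h] [ebp-114h]
    int v19;                                 // [esp+48h] [ebp-110h]
    int v20;                                 // [esp+4Ch] [ebp-10Ch]
    int v21;                                 // [esp+50h] [ebp-108h]
    int v22;                                 // [esp+54h] [ebp-104h]
    int v23;                                 // [esp+58h] [ebp-100h]
    int v24;                                 // [esp+5Ch] [ebp-FCh]   module name
    int v25;                                 // [esp+60h] [ebp-F8h]
    int v26;                                 // [esp+64h] [ebp-F4h]
    int v27;                                 // [esp+68h] [ebp-F0h]
    int v28;                                 // [esp+6Ch] [ebp-ECh]   second password (XOR 3, see v70)
    int v29;                                 // [esp+70h] [ebp-E8h]
    char v30;                                // [esp+74h] [ebp-E4h]
    int a_2;                                 // [esp+75h] [ebp-E3h]   second prompt
    int v32;                                 // [esp+79h] [ebp-DFh]
    int v33;                                 // [esp+7Dh] [ebp-DBh]
    int v34;                                 // [esp+81h] [ebp-D7h]
    int v35;                                 // [esp+85h] [ebp-D3h]
    int v36;                                 // [esp+89h] [ebp-CFh]
    int v37;                                 // [esp+8Dh] [ebp-CBh]
    int v38;                                 // [esp+91h] [ebp-C7h]
    __int16 v39;                             // [esp+95h] [ebp-C3h]
    int a_1;                                 // [esp+97h] [ebp-C1h]   first prompt
    int v41;                                 // [esp+9Bh] [ebp-BDh]
    int v42;                                 // [esp+9Fh] [ebp-B9h]
    int v43;                                 // [esp+A3h] [ebp-B5h]
    int v44;                                 // [esp+A7h] [ebp-B1h]
    int v45;                                 // [esp+ABh] [ebp-ADh]
    int v46;                                 // [esp+AFh] [ebp-A9h]
    int v47;                                 // [esp+B3h] [ebp-A5h]
    char v48;                                // [esp+B7h] [ebp-A1h]
    int v49;                                 // [esp+B8h] [ebp-A0h]
    int v50;                                 // [esp+BEh] [ebp-9Ah]   first prompt, copy not referenced again in main
    int v51;                                 // [esp+C2h] [ebp-96h]
    int v52;                                 // [esp+C6h] [ebp-92h]
    int v53;                                 // [esp+CAh] [ebp-8Eh]
    int v54;                                 // [esp+CEh] [ebp-8Ah]
    int v55;                                 // [esp+D2h] [ebp-86h]
    int v56;                                 // [esp+D6h] [ebp-82h]
    int v57;                                 // [esp+DAh] [ebp-7Eh]
    char v58;                                // [esp+DEh] [ebp-7Ah]
    int v59;                                 // [esp+DFh] [ebp-79h]   second prompt, copy not referenced again
    int v60;                                 // [esp+E3h] [ebp-75h]
    int v61;                                 // [esp+E7h] [ebp-71h]
    int v62;                                 // [esp+EBh] [ebp-6Dh]
    int v63;                                 // [esp+EFh] [ebp-69h]
    int v64;                                 // [esp+F3h] [ebp-65h]
    int v65;                                 // [esp+F7h] [ebp-61h]
    int v66;                                 // [esp+FBh] [ebp-5Dh]
    __int16 v67;                             // [esp+FFh] [ebp-59h]
    int v68;                                 // [esp+101h] [ebp-57h]  second password, copy not referenced again
    int v69;                                 // [esp+105h] [ebp-53h]
    char v70;                                // [esp+109h] [ebp-4Fh]
    int v71;                                 // [esp+10Ah] [ebp-4Eh]  module name, copy not referenced again
    int v72;                                 // [esp+10Eh] [ebp-4Ah]
    int v73;                                 // [esp+112h] [ebp-46h]
    int v74;                                 // [esp+116h] [ebp-42h]
    int v75;                                 // [esp+11Ah] [ebp-3Eh]  procedure name, copy not referenced again
    int v76;                                 // [esp+11Eh] [ebp-3Ah]
    int v77;                                 // [esp+122h] [ebp-36h]
    int v78;                                 // [esp+126h] [ebp-32h]
    int v79;                                 // [esp+12Ah] [ebp-2Eh]
    int v80;                                 // [esp+12Eh] [ebp-2Ah]
    int v81;                                 // [esp+132h] [ebp-26h]
    int v82;                                 // [esp+136h] [ebp-22h]  win message, copy not referenced again
    int v83;                                 // [esp+13Ah] [ebp-1Eh]
    int v84;                                 // [esp+13Eh] [ebp-1Ah]
    int v85;                                 // [esp+142h] [ebp-16h]
    int v86;                                 // [esp+146h] [ebp-12h]
    int v87;                                 // [esp+14Ah] [ebp-Eh]
    __int16 v88;                             // [esp+14Eh] [ebp-Ah]
    int *v89;                                // [esp+150h] [ebp-8h]

    v89 = &argc;
    sub_402940();
    puts(/* ASCII-art banner; only its title line survived extraction */
         "ROBOTIC AUTHENTICATION SYSTEM");

    /* Every encoded string is laid down twice.  Only the copies whose
     * addresses are stored in the dword_40AD* globals below are used again;
     * the trailing 1 / 0x01 bytes are NUL terminators XOR 1. */
    v49 = 0x539;                             // 1337; role not visible in this listing
    v50 = 0x60646D51;                        // ^1 -> "Please enter the first Password:"
    v51 = 0x64216472;
    v52 = 0x7364756F;
    v53 = 0x64697521;
    v54 = 0x73686721;
    v55 = 0x51217572;
    v56 = 0x76727260;
    v57 = 0x3B65736E;
    v58 = 1;
    a_1 = 0x60646D51;                        // ^1 -> "Please enter the first Password:"
    v41 = 0x64216472;
    v42 = 0x7364756F;
    v43 = 0x64697521;
    v44 = 0x73686721;
    v45 = 0x51217572;
    v46 = 0x76727260;
    v47 = 0x3B65736E;
    v48 = 1;
    v59 = 0x60646D51;                        // ^1 -> "Please enter the second Password:"
    v60 = 0x64216472;
    v61 = 0x7364756F;
    v62 = 0x64697521;
    v63 = 0x62647221;
    v64 = 0x21656F6E;
    v65 = 0x72726051;
    v66 = 0x65736E76;
    v67 = 315;
    a_2 = 0x60646D51;                        // ^1 -> "Please enter the second Password:"
    v32 = 0x64216472;
    v33 = 0x7364756F;
    v34 = 0x64697521;
    v35 = 0x62647221;
    v36 = 0x21656F6E;
    v37 = 0x72726051;
    v38 = 0x65736E76;
    v39 = 315;
    v68 = 0x6F6F3074;                        // ^1 -> "u1nnf2lg"; ^3 -> "w3lld0ne"
    v69 = 0x666D3367;
    v70 = 3;                                 // terminator: 0 ^ 1 ^ 2 — becomes NUL only after sub_401547's second XOR
    v28 = 0x6F6F3074;                        // ^1 -> "u1nnf2lg"; ^3 -> "w3lld0ne"
    v29 = 0x666D3367;
    v30 = 3;
    v71 = 0x6F73646A;                        // ^1 -> "kernel32.dll"
    v72 = 0x33326D64;
    v73 = 0x6D6D652F;
    v74 = 0x13F0101;
    v24 = 0x6F73646A;                        // ^1 -> "kernel32.dll"
    v25 = 0x33326D64;
    v26 = 0x6D6D652F;
    v27 = 0x13F0101;
    v75 = 0x57656540;                        // ^1 -> "AddVectoredExceptionHandler"
    v76 = 0x6E756264;
    v77 = 0x44656473;
    v78 = 0x71646279;
    v79 = 0x6F6E6875;
    v80 = 0x656F6049;
    v81 = 0x173646D;
    v17 = 0x57656540;                        // ^1 -> "AddVectoredExceptionHandler"
    v18 = 0x6E756264;
    v19 = 0x44656473;
    v20 = 0x71646279;
    v21 = 0x6F6E6875;
    v22 = 0x656F6049;
    v23 = 0x173646D;
    v82 = 0x21746E58;                        // ^1 -> "You win. Congratulations!"
    v83 = 0x2F6F6876;
    v84 = 0x6F6E4221;
    v85 = 0x75607366;
    v86 = 0x75606D74;
    v87 = 0x726F6E68;
    v88 = 0x120;
    v10 = 0x21746E58;                        // ^1 -> "You win. Congratulations!"
    v11 = 0x2F6F6876;
    v12 = 0x6F6E4221;
    v13 = 0x75607366;
    v14 = 0x75606D74;
    v15 = 0x726F6E68;
    v16 = 0x120;
    v9 = 0x539;                              // 1337 again
    strcpy(v8, "r0b0RUlez!");                // level-1 password, stored in the clear

    dword_40AD94 = (int)&v9;
    dword_40ADA0 = (int)&v49;
    dword_40AD8C = (char *)&a_1;             // first prompt
    dword_40AD90 = (char *)&a_2;             // second prompt
    dword_40AD98 = (int)&v28;                // second password (still XOR 2 after sub_401500)
    lpProcName = (LPCSTR)&v17;
    lpModuleName = (LPCSTR)&v24;
    dword_40ADA4 = (char *)&v10;             // win message
    sub_401500(0);                           // per the write-up: XOR every byte of the buffers above with 1

    /* After decoding, lpModuleName is "kernel32.dll" and lpProcName is
     * "AddVectoredExceptionHandler", so the indirect call below is
     * AddVectoredExceptionHandler(1, sub_40157F): it installs sub_40157F as a
     * first-called vectored exception handler.  That handler is where the
     * exception-driven jumps described in the write-up are taken. */
    v3 = lpProcName;
    v4 = GetModuleHandleA(lpModuleName);
    v5 = (void (__stdcall *)(HMODULE, LPCSTR))GetProcAddress(v4, v3);
    v5((HMODULE)1, (LPCSTR)sub_40157F);

    puts(dword_40AD8C);                      // "Please enter the first Password:"
    /* %20s stores up to 20 bytes plus a NUL from &v7; IDA places v8 exactly
     * 20 bytes later, so a 20-character answer drops its terminator onto
     * v8[0].  Harmless for the 10-character password, but the layout is
     * unchecked. */
    scanf("%20s", &v7);
    /* The extracted listing shows `if (strcmp(&v7, v8))`; the `!` was
     * presumably lost in extraction, since the correct answer has to take
     * this branch. */
    if (!strcmp(&v7, v8))
    {
        puts("You passed level1!");
        sub_4015EA(0);                       // level 2; per the write-up it raises the exception that hands control to sub_40157F
    }
    return 0;
}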

sub_401500 XORs every byte of the buffers defined above with 1 (presumably in place, since main uses lpModuleName and lpProcName directly afterwards).
(screenshot)
Decode the data first. The hex below is each buffer read in memory (little-endian) order:

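# Each buffer in main() is stored little-endian, so reading the constants
# byte-wise gives the hex strings below; sub_401500 XORs every byte with 1.
# int(..., 16) replaces the original eval("0x" + ...): same result, and no
# evaluation of data as code.
def xor_decode(hexdata, key=1):
    """Return the text obtained by XORing every byte of `hexdata` (hex string) with `key`."""
    out = ""
    for i in range(0, len(hexdata), 2):
        out += chr(int(hexdata[i:i + 2], 16) ^ key)
    return out


data1 = "516D6460726421646F756473217569642167687372752151607272766E73653B"
data2 = "516D6460726421646F75647321756964217264626E6F652151607272766E73653B"
data3 = "74306F6F67336D66"
data4 = "6A64736F646D32332F656D6D"
data5 = "406565576462756E736465447962647175686E6F49606F656D6473"
data6 = "586E742176686F2F21426E6F66736075746D6075686E6F7220"

for blob in (data1, data2, data3, data4, data5, data6):
    print(xor_decode(blob))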

Output results:
(screenshot)
The decoded strings are the two prompts ("Please enter the first/second Password:"), "u1nnf2lg" (the second password, still one XOR short), "kernel32.dll", "AddVectoredExceptionHandler" and the win message. The last two show what the GetProcAddress call in main resolves: it registers sub_40157F as a vectored exception handler, which is the mechanism behind the exception-driven jumps below.

Next the program reads a string and compares it with "r0b0RUlez!"; that is the first level. It then enters sub_4015EA, which deliberately raises an exception. Control passes to the handler registered in main (sub_40157F); before execution resumes it changes a value and redirects the program, and a second such hop happens within the same function. Follow the first one.
(screenshot)

It leads to a function that reads a second string and passes it to sub_401547 for comparison.
(screenshot)

sub_401547 XORs each byte of the constant "u1nnf2lg" with 2 before the comparison.
(screenshot)

Decoding gives "w3lld0ne" — equivalently, the bytes of the third buffer in main XOR 3, with the trailing 3 stored there becoming the NUL terminator.

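def xor2(s):
    """Undo the XOR-2 that sub_401547 applies to "u1nnf2lg" before comparing (XOR is its own inverse)."""
    return "".join(chr(ord(c) ^ 2) for c in s)


flag = "u1nnf2lg"
real_flag = xor2(flag)
print(real_flag)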

Finally, join the two parts.
Flag:r0b0RUlez \_w3lld0ne!


This article is composed of Ji Chang Xin Creation, article address: Https://blog.isoyu.com/archives/2019-shanghaijiaweisibeinixiang-writeup.html
Licensed under the Creative Commons Attribution 4.0 International licence. Except where marked as a reprint or with another source, all original articles and translations on this site must be attributed when re-posted. Last edited March 31, 2019 at 1:12 PM.
