The first question of semester [Scratch off with prize]

Insert picture description here
The attachment is an exe program, run as shown in the figure:
Insert picture description here
Opening it in a PE viewer shows that it is a 32-bit program:
Insert picture description here
Loading it into 32-bit IDA and decompiling gives the following pseudo-code:

// Raw IDA decompilation of the dialog procedure.  IDA did not recover the
// stack arrays: judging by the frame offsets in the declarations, v19..v25
// are the seven bytes immediately after `String` (i.e. String[1..7]) and
// v26..v28 are three consecutive bytes of a second buffer 0x10000 bytes
// further up the frame.  v7..v17 are eleven consecutive ints that
// sub_4010F0 treats as one array.  The memset/GetDlgItemTextA sizes
// (0xFFFF) therefore refer to those large buffers, not to a single CHAR.
BOOL __stdcall DialogFunc(HWND hDlg, UINT a2, WPARAM a3, LPARAM a4)
{
    
    
  const char *v4; // esi  -- sub_401000(String[5..7]), compared with "ak1w"
  const char *v5; // edi  -- sub_401000(String[2..4]), compared with "V1Ax"
  int v7; // [esp+8h] [ebp-20030h]  -- v7..v17: 11 consecutive ints, one array
  int v8; // [esp+Ch] [ebp-2002Ch]
  int v9; // [esp+10h] [ebp-20028h]
  int v10; // [esp+14h] [ebp-20024h]
  int v11; // [esp+18h] [ebp-20020h]
  int v12; // [esp+1Ch] [ebp-2001Ch]
  int v13; // [esp+20h] [ebp-20018h]
  int v14; // [esp+24h] [ebp-20014h]
  int v15; // [esp+28h] [ebp-20010h]
  int v16; // [esp+2Ch] [ebp-2000Ch]
  int v17; // [esp+30h] [ebp-20008h]
  CHAR String; // [esp+34h] [ebp-20004h]  -- start of the input buffer (String[0])
  char v19; // [esp+35h] [ebp-20003h]  -- String[1]
  char v20; // [esp+36h] [ebp-20002h]  -- String[2]
  char v21; // [esp+37h] [ebp-20001h]  -- String[3]
  char v22; // [esp+38h] [ebp-20000h]  -- String[4]
  char v23; // [esp+39h] [ebp-1FFFFh]  -- String[5]
  char v24; // [esp+3Ah] [ebp-1FFFEh]  -- String[6]
  char v25; // [esp+3Bh] [ebp-1FFFDh]  -- String[7]
  char v26; // [esp+10034h] [ebp-10004h]  -- scratch buffer, byte 0
  char v27; // [esp+10035h] [ebp-10003h]  -- scratch buffer, byte 1
  char v28; // [esp+10036h] [ebp-10002h]  -- scratch buffer, byte 2

  if ( a2 == 272 )                              // WM_INITDIALOG (0x110)
    return 1;
  if ( a2 != 273 )                              // everything except WM_COMMAND (0x111) is ignored
    return 0;
  if ( (_WORD)a3 == 1001 )                      // LOWORD(wParam) is the control id; 1001 is presumably the button
  {
    
    
    memset(&String, 0, 0xFFFFu);                // zero the (large) input buffer
    GetDlgItemTextA(hDlg, 1000, &String, 0xFFFF);  // read the text of edit control 1000
    if ( strlen(&String) == 8 )                 // only 8-character inputs are checked
    {
    
    
      v7 = 90;
      v8 = 74;
      v9 = 83;
      v10 = 69;
      v11 = 67;
      v12 = 97;
      v13 = 78;
      v14 = 72;
      v15 = 51;
      v16 = 110;
      v17 = 103;
      sub_4010F0(&v7, 0, 10);                   // per the write-up: sorts v7..v17 ascending (51 67 69 72 74 78 83 90 97 103 110)
      memset(&v26, 0, 0xFFFFu);                 // zero the scratch buffer
      v26 = v23;                                // scratch = String[5..7]
      v28 = v25;
      v27 = v24;
      v4 = (const char *)sub_401000(&v26, strlen(&v26));  // per the write-up, sub_401000 is base64 encoding
      memset(&v26, 0, 0xFFFFu);
      v27 = v21;                                // scratch = String[2..4]
      v26 = v20;
      v28 = v22;
      v5 = (const char *)sub_401000(&v26, strlen(&v26));
      if ( String == v7 + 34                    // String[0] == sorted[0] + 34
        && v19 == v11                           // String[1] == sorted[4]
        && 4 * v20 - 141 == 3 * v9              // String[2] tied to sorted[2]
        && v21 / 4 == 2 * (v14 / 9)             // String[3] tied to sorted[7] (integer division: a small range satisfies this)
        && !strcmp(v4, "ak1w")                  // encoded String[5..7]
        && !strcmp(v5, "V1Ax") )                // encoded String[2..4]
      {
    
    
        MessageBoxA(hDlg, "U g3t 1T!", "@_@", 0);  // success message
      }
    }
    return 0;
  }
  if ( (_WORD)a3 != 1 && (_WORD)a3 != 2 )       // IDOK / IDCANCEL close the dialog
    return 0;
  EndDialog(hDlg, (unsigned __int16)a3);
  return 1;
}

The pseudo-code produced by IDA has some problems. Below is a corrected version of the pseudo-code that I found online,
source link 1

// Cleaned-up version of the same dialog procedure with the stack variables
// regrouped into arrays.  Note that String and v9 are still zeroed with
// 0xFFFF bytes: the frame offsets (ebp-20004h for String, ebp-10004h for v9)
// show that each is really a 0x10000-byte buffer; the [9] and [3] sizes are
// manual annotations covering only the bytes the checks actually use.
BOOL __stdcall DialogFunc(HWND hDlg, UINT a2, WPARAM a3, LPARAM a4)
{
    
    
  const char *v4; // esi  -- encoded String[5..7]
  const char *v5; // edi  -- encoded String[2..4]
  int v7[11]; // [esp+8h] [ebp-20030h]  -- constant table, sorted by sub_4010F0
  CHAR String[9]; // [esp+34h] [ebp-20004h]  -- user input (8 chars + NUL used)
  CHAR v9[3]; // [esp+10034h] [ebp-10004h]  -- 3-byte scratch input for sub_401000

  if ( a2 == 272 )                              // WM_INITDIALOG (0x110)
    return 1;
  if ( a2 != 273 )                              // only WM_COMMAND (0x111) is handled
    return 0;                                   // 
                                                // a2 = 273 from here on
  if ( a3 == 1001 )                             // a3 = 1001: the control that triggers the check
  {
    
    
    memset(String, 0, 0xFFFFu);                 // zero the input buffer
    GetDlgItemTextA(hDlg, 1000, String, 0xFFFF);// read the dialog's edit control (id 1000) into String
    if ( strlen(String) == 8 )                  // the input must be exactly 8 characters long
    {
    
    
      v7[0] = 90;
      v7[1] = 74;
      v7[2] = 83;
      v7[3] = 69;
      v7[4] = 67;
      v7[5] = 97;
      v7[6] = 78;
      v7[7] = 72;
      v7[8] = 51;
      v7[9] = 110;
      v7[10] = 103;
      sub_4010F0(v7, 0, 10);                    // per the write-up this sorts v7 ascending; afterwards it holds
                                                // 51  67  69  72  74  78  83  90  97  103  110
      memset(v9, 0, 0xFFFFu);                   // zero v9
      v9[0] = String[5];
      v9[2] = String[7];
      v9[1] = String[6];
      v4 = sub_401000(v9, strlen(v9));          // base64-encode v9 (per the write-up) and keep the result in v4
      memset(v9, 0, 0xFFFFu);                   // zero v9 again
      v9[1] = String[3];
      v9[0] = String[2];
      v9[2] = String[4];
      v5 = sub_401000(v9, strlen(v9));          // base64-encode v9 and keep the result in v5
      if ( String[0] == v7[0] + 34              // 51 + 34 = 85 -> String[0] = 'U'
        && String[1] == v7[4]                   // 74 -> String[1] = 'J'
        && 4 * String[2] - 141 == 3 * v7[2]     // (3*69 + 141) / 4 = 87 -> String[2] = 'W'
        && String[3] / 4 == 2 * (v7[7] / 9)     // 2*(90/9) = 20; integer division allows 80..83, the v5 check below pins 'P'
        && !strcmp(v4, "ak1w")                  // v4 = "ak1w" = base64 of String[5..7]
        && !strcmp(
              v5,                               // v5 = "V1Ax" = base64 of String[2..4]
              "V1Ax") )
      {
    
    
        MessageBoxA(hDlg, "U g3t 1T!", "@_@", 0);
      }
    }
    return 0;
  }
  if ( a3 != 1 && a3 != 2 )                     // IDOK / IDCANCEL
    return 0;
  EndDialog(hDlg, a3);
  return 1;
}

After consulting many blogs, I finally understood the principles behind this challenge and the common misunderstandings about it.
Blog link 2
After analyzing the sub_4010F0 function, we can obtain the values of v7 after the algorithm has run. The
Insert picture description here
C code is as follows

#include <stdio.h>
using namespace std;
// Reconstruction of sub_4010F0: an in-place quicksort of a1[a2..a3]
// (both bounds inclusive), ascending.  The decompiled original recursed on
// the left part and iterated over the right part; this version recurses on
// both, which yields the same sorted array.
//
// Parameters: a1 - array to sort; a2 - first index; a3 - last index.
// Returns a3 unchanged, exactly like the decompiled routine.
int sub(char a1[], int a2, int a3)
{
	if (a2 >= a3)
		return a3;

	// Hole-based partition: the pivot leaves a hole at `lo`; elements are
	// moved into the hole from the far end until the scans meet.
	const char pivot = a1[a2];
	int lo = a2;
	int hi = a3;
	while (lo < hi)
	{
		while (lo < hi && a1[hi] >= pivot)
			--hi;
		a1[lo] = a1[hi];
		while (lo < hi && a1[lo] <= pivot)
			++lo;
		a1[hi] = a1[lo];
	}
	a1[lo] = pivot;

	sub(a1, a2, lo - 1);
	sub(a1, lo + 1, a3);
	return a3;
}
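// Builds the same 11-byte table that DialogFunc uses, runs the reconstructed
// sub_4010F0 on it and prints the result.
//
// v7 holds 11 raw bytes with no terminating NUL, so it must not be handed to
// printf as a C string -- and never as the format string, since the bytes
// would be interpreted as conversion specifiers.  The length is passed
// explicitly instead, and the numeric values are printed as well because
// those are what the checks in DialogFunc compare against.
int main(int argc, const char *argv[])
{
	(void)argc;
	(void)argv;
	char v7[11] = {90, 74, 83, 69, 67, 97, 78, 72, 51, 110, 103};
	sub(v7, 0, 10);
	printf("%.*s\n", (int)sizeof v7, v7);
	for (int i = 0; i < (int)sizeof v7; ++i)
		printf("%d ", v7[i]);
	printf("\n");
	return 0;
}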

The final result is that
Insert picture description here
double-clicking v23 shows that it is the value of String[5].
Insert picture description here
Insert picture description here
After modification, as shown in the figure,
Insert picture description here
Analyzing the sub_401000 function, the byte_407830 table it uses shows that it performs base64 encoding.
Insert picture description here
Insert picture description here
Analysis of the final if statement then determines that part of the string's value is
Insert picture description here
known directly and the rest is base64-encoded. After decoding and arranging the characters in order, we get the
flag{UJWP1jMp}
