Table of contents
challenge
Open it with notepad and find the main function. First, two strings will be output through function calls and corresponding input is required.
Above, two arrays are defined
Find the function that calls the corresponding two arrays
is a simple XOR operation
into English is
Input the first function, which has 6 parameters and the third named gLIhR:
Input the second function, which has 3 callers and invokes the function named cHZv5op8rOmlAkb6:
Then find out the strings nFAzj and CuSkl that need to be entered according to the requirements.
The first string (function) required to be found needs to have six parameters and the name of the third parameter is gLIhR
Global search for functions containing gLIhR
Find the function ZlXDJkH3OZN4Mayd that meets the requirements
The second string (function) you are looking for has 3 callers and calls a function named cHZv5op8rOmlAkb6:
Directly search for the string cHZv5op8rOmlAkb6
Try each function manually in order to see who has three callers
Find the corresponding function hnCm82SDGE0zLYO
At this time, the corresponding strings that need to be entered are as follows:
Next, this function processes the first input string
I have never learned Go, but I can probably guess that the string is converted to a hexadecimal string first, and then some letters are selected from it to synthesize the final flag.
The final string variable vNvUO is 3A4E76449355C414
Next is the function
Process the second string
Followed until this point
During the competition, I thought it was returning a string directly, but in fact it was calling the UhnCm82SDGE0zLYO function again.
Come to the corresponding function
It can be seen that only some variables are defined, and only the first variable (parameter) is valid
Go to the corresponding function again
It can be seen that it is just a simple XOR and returns the flag worth the second part.
8ce3da2b46019f75
The final combination is the final answer
flag{3a4e76449355c4148ce3da2b46019f75}
Fakeshell
Try to open it directly with ida64. There is no key information. It is judged that the shell has been added.
Then I tried shelling and found that it couldn't be shelled.
Searching for information online, I found that this question uses some methods to prevent direct shelling.
https://www.52pojie.cn/thread-326995-1-1.html
Open it with any binary viewer and find that there may be an error here
Change FUK to UPX
Then put it into the unpacking software or put it directly into kali for unpacking, then the unpacking will be successful.
Then open it with IDA64 (it is recommended to use version 7.7, lower versions may not be able to display the main function)
Find the main function, find the key points, and ignore some useless instructions
Find the first processing function for the input string
Click to analyze
Among them, a1 is the input string. As for the above j___intrinsic_setjmp function, it may be
https://blog.csdn.net/qq_21438461/article/details/125754216
The program first enters sub_140011230 (v7 is 0)
Enter the analysis and find the key string a1
It is found that if the length of a1 is not 20 at this time, the program jumps back to setjmp (see above picture), and v7 is assigned the current string length value, and then returns 0
If 0 is returned, it can be seen from the main function that an error message is output at this time.
So we know that the input length needs to be 20
After judging the length of the input string, it was found that the program performed XOR processing on the string.
After XOR, jump to setjmp and return 20
In the main function, the program performs setjmp again, and at this time enters sub_1400111E5, and passes the parameter 20
Enter this function analysis
Find the keys a1 (string), a2 (20, which is v8)
In the bottom loop body from 0 to 20, the program passes the XOR values of the string to the function one by one
Enter function view
Find the key parameters a1, a2 (v8), and find that the XOR value of the string is compared with the memory word_14001D000 one by one. If one of them is different, it will jump to the previous setjmp position and return 1
From the main function, if it returns 1 (that is, v7 is 1), then "wrong" is output.
Check memory status
Based on the above analysis, the length of the original string is judged, and then the XOR operation is performed. After adding 10, the XOR operation is performed again. Finally, it is compared with the hexadecimal value in the memory. If the same, the correct information is output.
Finally, write the script output
flag{why_m0dify _pUx_SheLL}