{"id":27,"date":"2022-10-29T21:46:58","date_gmt":"2022-10-29T13:46:58","guid":{"rendered":"https:\/\/shangwendada.co\/?p=27"},"modified":"2022-11-20T18:56:04","modified_gmt":"2022-11-20T10:56:04","slug":"babyreidapython%e8%a7%a3%e9%a2%98","status":"publish","type":"post","link":"https:\/\/blog.shangwendada.top\/index.php\/2022\/10\/29\/babyreidapython%e8%a7%a3%e9%a2%98\/","title":{"rendered":"[Reverse]BABYRE(idapython\u89e3\u9898)"},"content":{"rendered":"

\u9898\u76ee\u4e0b\u8f7d\u5730\u5740:BABYRE<\/a><\/h3>\n

main:<\/h3>\n
int __cdecl main(int argc, const char **argv, const char **envp)\n{\n  char s[24]; \/\/ [rsp+0h] [rbp-20h] BYREF\n  int v5; \/\/ [rsp+18h] [rbp-8h]\n  int i; \/\/ [rsp+1Ch] [rbp-4h]\n\n  for ( i = 0; i <= 181; ++i )\n    judge[i] ^= 0xCu;\n  printf("Please input flag:");\n  __isoc99_scanf("%20s", s);\n  v5 = strlen(s);\n  if ( v5 == 14 && (*(unsigned int (__fastcall **)(char *))judge)(s) )\n    puts("Right!");\n  else\n    puts("Wrong!");\n  return 0;\n}<\/code><\/pre>\n
\u8fd9\u9053\u9898\u672c\u8eab\u5f88\u7b80\u5355\uff0c\u4f46\u662f\u96be\u5ea6\u51fa\u73b0\u5728\u4e86judge\u51fd\u6570\u8fd9\u91cc\uff0c\u7531\u4e8eida\u5728\u53cd\u7f16\u8bd1\u7684\u65f6\u5019\u8bef\u4ee5\u4e3a\u8fd9\u91cc\u7684judge\u51fd\u6570\u662f\u6570\u636e\uff0c\u4ece\u800c\u5bfc\u81f4\u53cd\u7f16\u8bd1\u51fa\u9519.
\n\u8fd9\u91cc\u63d0\u4f9b\u4e86\u4e24\u79cd\u65b9\u6cd5:<\/p>\n
\u65b9\u6cd5\u4e00:\u52a8\u6001\u8c03\u8bd5:<\/h2>\n
\u7531\u4e8e\u5224\u65ad\u957f\u5ea6\u5728judge\u5224\u65ad\u4e4b\u524d\u6240\u4ee5\u6211\u4eec\u9700\u8981\u8f93\u516514\u4f4d\u7684\u6570\u636e\u6765\u8ba9judge\u51fd\u6570\u751f\u6210<\/p>\n
  ; main+74\u2191o\n.data:0000000000600B00 push    rbp\n.data:0000000000600B01 mov     rbp, rsp\n.data:0000000000600B04 mov     [rbp-28h], rdi\n.data:0000000000600B08 mov     byte ptr [rbp-20h], 66h ; 'f'\n.data:0000000000600B0C mov     byte ptr [rbp-1Fh], 6Dh ; 'm'\n.data:0000000000600B10 mov     byte ptr [rbp-1Eh], 63h ; 'c'\n.data:0000000000600B14 mov     byte ptr [rbp-1Dh], 64h ; 'd'\n.data:0000000000600B18 mov     byte ptr [rbp-1Ch], 7Fh\n.data:0000000000600B1C mov     byte ptr [rbp-1Bh], 6Bh ; 'k'\n.data:0000000000600B20 mov     byte ptr [rbp-1Ah], 37h ; '7'\n.data:0000000000600B24 mov     byte ptr [rbp-19h], 64h ; 'd'\n.data:0000000000600B28 mov     byte ptr [rbp-18h], 3Bh ; ';'\n.data:0000000000600B2C mov     byte ptr [rbp-17h], 56h ; 'V'\n.data:0000000000600B30 mov     byte ptr [rbp-16h], 60h ; '`'\n.data:0000000000600B34 mov     byte ptr [rbp-15h], 3Bh ; ';'\n.data:0000000000600B38 mov     byte ptr [rbp-14h], 6Eh ; 'n'\n.data:0000000000600B3C mov     byte ptr [rbp-13h], 70h ; 'p'\n.data:0000000000600B40 mov     dword ptr [rbp-4], 0\n.data:0000000000600B47 jmp     short loc_600B71\n.data:0000000000600B47\n.data:0000000000600B49 ; ---------------------------------------------------------------------------\n.data:0000000000600B49\n.data:0000000000600B49 loc_600B49:                             ; CODE XREF: .data:0000000000600B75\u2193j\n.data:0000000000600B49 mov     eax, [rbp-4]\n.data:0000000000600B4C movsxd  rdx, eax\n.data:0000000000600B4F mov     rax, [rbp-28h]\n.data:0000000000600B53 add     rax, rdx\n.data:0000000000600B56 mov     edx, [rbp-4]\n.data:0000000000600B59 movsxd  rcx, edx\n.data:0000000000600B5C mov     rdx, [rbp-28h]\n.data:0000000000600B60 add     rdx, rcx\n.data:0000000000600B63 movzx   edx, byte ptr [rdx]\n.data:0000000000600B66 mov     ecx, [rbp-4]\n.data:0000000000600B69 xor     edx, ecx\n.data:0000000000600B6B mov     [rax], dl\n.data:0000000000600B6D add     dword ptr [rbp-4], 1\n.data:0000000000600B6D\n.data:0000000000600B71\n.data:0000000000600B71 loc_600B71:                             ; CODE XREF: .data:0000000000600B47\u2191j\n.data:0000000000600B71 cmp     dword ptr [rbp-4], 0Dh\n.data:0000000000600B75 jle     short loc_600B49\n.data:0000000000600B75\n.data:0000000000600B77 mov     dword ptr [rbp-4], 0\n.data:0000000000600B7E jmp     short loc_600BA9\n.data:0000000000600B7E\n.data:0000000000600B80 ; ---------------------------------------------------------------------------\n.data:0000000000600B80\n.data:0000000000600B80 loc_600B80:                             ; CODE XREF: .data:0000000000600BAD\u2193j\n.data:0000000000600B80 mov     eax, [rbp-4]\n.data:0000000000600B83 movsxd  rdx, eax\n.data:0000000000600B86 mov     rax, [rbp-28h]\n.data:0000000000600B8A add     rax, rdx\n.data:0000000000600B8D movzx   edx, byte ptr [rax]\n.data:0000000000600B90 mov     eax, [rbp-4]\n.data:0000000000600B93 cdqe\n.data:0000000000600B95 movzx   eax, byte ptr [rbp+rax-20h]\n.data:0000000000600B9A cmp     dl, al\n.data:0000000000600B9C jz      short loc_600BA5\n.data:0000000000600B9C\n.data:0000000000600B9E mov     eax, 0\n.data:0000000000600BA3 jmp     short loc_600BB4\n.data:0000000000600BA3\n.data:0000000000600BA5 ; ---------------------------------------------------------------------------\n.data:0000000000600BA5\n.data:0000000000600BA5 loc_600BA5:                             ; CODE XREF: .data:0000000000600B9C\u2191j\n.data:0000000000600BA5 add     dword ptr [rbp-4], 1\n.data:0000000000600BA5\n.data:0000000000600BA9\n.data:0000000000600BA9 loc_600BA9:                             ; CODE XREF: .data:0000000000600B7E\u2191j\n.data:0000000000600BA9 cmp     dword ptr [rbp-4], 0Dh\n.data:0000000000600BAD jle     short loc_600B80\n.data:0000000000600BAD\n.data:0000000000600BAF mov     eax, 1\n.data:0000000000600BAF\n.data:0000000000600BB4\n.data:0000000000600BB4 loc_600BB4:                             ; CODE XREF: .data:0000000000600BA3\u2191j\n.data:0000000000600BB4 pop     rbp\n.data:0000000000600BB5 retn\n.data:0000000000600BB5\n.data:0000000000600BB5 _data ends<\/code><\/pre>\n
\u4ee5\u4e0a\u662f\u751f\u6210\u51fa\u6765\u7684\u51fd\u6570<\/p>\n
\"file\"<\/div>
\n\u9996\u5148\u548c13\u8fdb\u884c\u6bd4\u8f83\uff0c\u5c0f\u4e8e\u6216\u8005\u7b49\u4e8e13\u5c31\u8fdb\u5165\u5faa\u73af<\/p>\n
\u5faa\u73af\u7684\u5185\u5bb9\u662f\u5c06\u4e0a\u9762\u5b57\u7b26\u4e32\u5faa\u73af13\u6b21\u6070\u597d\u7b49\u4e8e[rbp+var_13]\u7684\u957f\u5ea6\uff0c\u4e5f\u5c31\u662f\u8fdb\u884c\u5904\u7406\u5b57\u7b26\u4e32<\/p>\n
\u5904\u7406\u65b9\u5f0f\u5c31\u662f\u8fdb\u884c\u5f02\u6216\uff0cxor edx,ecx  ecx\u5c31\u662f\u5faa\u73af\u7684\u6b21\u6570 \u6bcf\u4e2a\u5b57\u7b26\u4e0e\u5f53\u524d\u5faa\u73af\u7684\u6b21\u6570\u8fdb\u884cxor<\/p>\n
\u5f02\u6216\u7ed3\u675f\u540e\u8c03\u5165\u4e0b\u4e00\u4e2a\u5730\u5740<\/p>\n
\u53c8\u662f\u8fdb\u884c\u5faa\u73af\u5224\u65ad[rbp+var_4]\u4f5c\u4e3a\u5faa\u73af\u56e0\u5b50\u9010\u6b21+1 \u76f4\u5230\u7b49\u4e8e13\u7ed3\u675f
\n
\"file\"<\/div>
\n[rbp+var_4]\u662f\u6b21\u6570\u4f5c\u4e3a\u5143\u7d20\u4e0b\u6807\u5904\u7406\u653e\u5165rdx<\/p>\n
[rbp+var_28]\u662f\u7528\u6237\u8f93\u5165\u7684flag\u653e\u5165rax\u4e2d<\/p>\n
\u6700\u540e\u76f8\u52a0\u662f\u4f9d\u6b21\u5bf9\u8f93\u5165\u7684flag\u8fdb\u884c\u5904\u7406<\/p>\n
\u4e3a\u4e86\u66f4\u76f4\u767d\u7684\u770b\u51fa\u6765
\n\u6211\u4eec\u6309p\u5c06\u51fd\u6570\u58f0\u660e\u4e86\uff0c\u7136\u540e\u6309f5\u53cd\u7f16\u8bd1
\n
\"file\"<\/div>
\n\u8fd9\u6837\u5c31\u80fd\u66f4\u52a0\u76f4\u767d\u7684\u770b\u51faflag\u7684\u5904\u7406\u65b9\u5f0f\u4e86!<\/p>\n
\u65b9\u6cd5\u4e8c:\u5d4c\u5165\u5f0f\u811a\u672c(idapython)<\/h2>\n
\u9996\u5148\u4ecb\u7ecd\u4ee5\u4e0bidapython\u5728ida7.0\u540e\u6309shitf + f2\u53ef\u4ee5\u6253\u5f00\u5982\u4e0b\u7a97\u53e3
\n
\"file\"<\/div>
\n\u6211\u4eec\u53ef\u4ee5\u5728\u5176\u4e2d\u8fd0\u884c\u811a\u672c\u6765\u5bf9\u4ee3\u7801\u8fdb\u884c\u5904\u7406\u3002
\n\u9996\u5148\u6211\u4eec\u8fdb\u5165\u4e3b\u51fd\u6570\u53d1\u73b0
\n
\"file\"<\/div>
\n\u8fd9\u4e00\u6bb5\u5bf9judge\u51fd\u6570\u8fdb\u884c\u4e86\u5904\u7406,\u90a3\u6211\u4eec\u601d\u8def\u5c31\u6765\u4e86\u6211\u4eec\u53ea\u9700\u8981\u6309\u7167\u8fd9\u4e2a\u65b9\u5f0f\u5c06judge\u6570\u7ec4\u91cc\u9762\u7684\u4e1c\u897f\u5904\u7406\u4e86\u4e4b\u540e\u518d\u6309c\u5206\u6790\u4ee3\u7801\u5c31\u53ef\u4ee5\u51fa\u6765judge\u51fd\u6570\u4e86\u3002
\n\u6211\u4eec\u9700\u8981\u7528\u5230\u7684\u662fidc_bc695\u5e93
\n\u8bf4\u660e\u4e00\u4e0b\u8fd9\u4e2a\u5e93\u975e\u5e38\u7684\u79bb\u8c31\u6211\u76847.7ida\u5c45\u7136\u6ca1\u6709\u641e\u5f97\u6211\u5f04\u4e86\u597d\u4e45\u8fd9\u4e2a\u73a9\u610f\uff0c\u540e\u9762\u53d1\u73b0\u6211\u7684ida7.5\u91cc\u9762\u5c45\u7136\u5b58\u5728\u8fd9\u4e2a\u5e93\uff0c\u679c\u65ad\u79fb\u690d\u8fc7\u6765
\n\u9996\u5148\u6211\u4eec\u627e\u5230judge\u7684\u9996\u5730\u57400x0600B00\u7136\u540e\u4ece\u8fd9\u91cc\u5f00\u59cb\u4fee\u6539\u5b83\u3002
\n\u811a\u672c\u5185\u5bb9\u5c31\u662f\u6bcf\u4e00\u4f4d\u6570\u5b57\u5bf90xC\u4e5f\u5c31\u662f12\u8fdb\u884c\u5f02\u6216\uff0c\u6211\u4eec\u8fd9\u91cc\u9700\u8981\u4f7f\u7528\u5230\u7684\u662f PatchByte \u51fd\u6570.(\u6211\u4e2a\u4eba\u7684\u7406\u89e3 PatchByte\u51fd\u6570\u5c31\u662f\u5c06\u540e\u9762\u7684\u503c\u8d4b\u503c\u7ed9\u524d\u9762\u7684\u5730\u5740)
\n\u811a\u672c\u5982\u4e0b:<\/p>\n
from idc_bc695 import*\na = 0x600B00\nfor i in range(182):\n    PatchByte(a+i,Byte(i+a)^0xc)<\/code><\/pre>\n
\"file\"<\/div>
\n\u6211\u4eec\u70b9\u51fb\u4e0b\u9762\u7684run\u8fd0\u884c\u4e4b\u540e\u4f1a\u53d1\u73b0judge\u7684\u503c\u5df2\u7ecf\u88ab\u6211\u4eec\u6539\u53d8\u4e86\u3002
\n\u6211\u4eec\u9009\u4e2d0x600B00\u52300x600BB5\u7684\u6570\u636e\u6309c\u7136\u540e\u9009\u62e9force\u6a21\u5f0f\u5206\u6790\u4ee3\u7801
\n
\"file\"<\/div>
\n\u7136\u540e\u6211\u4eec\u4f9d\u7136\u9700\u8981\u9009\u4e2d\u4ed6\u4eec\u6309p\u58f0\u660e\u4ee3\u7801\u540e\u6309f5\u53cd\u7f16\u8bd1\u5c31\u5f97\u5230\u4e86\u539f\u672c\u7684judge\u51fd\u6570<\/p>\n
__int64 __fastcall judge(__int64 a1)\n{\n  char v2[5]; \/\/ [rsp+8h] [rbp-20h] BYREF\n  char v3[9]; \/\/ [rsp+Dh] [rbp-1Bh] BYREF\n  int i; \/\/ [rsp+24h] [rbp-4h]\n\n  qmemcpy(v2, "fmcd", 4);\n  v2[4] = 127;\n  qmemcpy(v3, "k7d;V`;np", sizeof(v3));\n  for ( i = 0; i <= 13; ++i )\n    *(i + a1) ^= i;\n  for ( i = 0; i <= 13; ++i )\n  {\n    if ( *(i + a1) != v2[i] )\n      return 0LL;\n  }\n  return 1LL;\n}<\/code><\/pre>\n
\u89e3\u9898\u811a\u672c<\/h2>\n
#include<iostream>\nusing namespace std;\nchar flag[] = {\n    0x66,0x6d,0x63,0x64,0x7f,0x6b,0x37,0x64,0x3b,0x56,0x60,0x3b,0x6e,0x70\n};\nint main ()\n{\n    for(int i = 0 ; i < 0xe; i++ )\n    {\n        printf("%c",flag[i]^i);\n    }\n\/\/  printf("%s",flag);\n}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
\u9898\u76ee\u4e0b\u8f7d\u5730\u5740:BABYRE main: int __cdecl main(int argc, const ch […]<\/p>\n","protected":false},"author":1,"featured_media":45,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"image","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-27","post","type-post","status-publish","format-image","has-post-thumbnail","hentry","category-uncategorized","post_format-post-format-image"],"_links":{"self":[{"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/posts\/27","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/comments?post=27"}],"version-history":[{"count":10,"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/posts\/27\/revisions"}],"predecessor-version":[{"id":63,"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/posts\/27\/revisions\/63"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/media\/45"}],"wp:attachment":[{"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/media?parent=27"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/categories?post=27"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.shangwendada.top\/index.php\/wp-json\/wp\/v2\/tags?post=27"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}