360-DSCTF-RE决赛
0x0 前言
https://blog.csdn.net/weixin_45582916/article/details/126142464?spm=1001.2014.3001.5502
学习复现自P1师傅博客
0x1 树莓派渲染分析
通过字符串 "frame" 的交叉引用定位到关键函数
在算法所在的位置提取其中用到的参数
0x2 解密
#include <stdio.h>
#include"defs.h"
// Count of frames rendered so far; sub_100003A4 prints it and then increments it.
int32 frame_id = 0;
// Read offset into byte_100068CC for the frame decoder.
// NOTE(review): sub_1000035C treats its argument as three consecutive ints
// (a1[0] = offset, the 16-bit word at byte offset 4 = current pixel value,
// a1[2] = remaining run length). A single int32 cannot back that state, so
// whatever pointer is handed to the decoder must reference at least three ints;
// otherwise the a1[1]/a1[2] accesses are out of bounds and the result depends
// on how the compiler lays out the neighbouring globals.
int32 dword_20000FC8 = 0;
// Encoded frame stream; main() fills it from the extracted data file.
char byte_100068CC[1343128];
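/*
 * Decode the next pixel of the run-length encoded frame stream in byte_100068CC.
 *
 * a1 must point to THREE consecutive ints of decoder state:
 *   a1[0]  byte offset of the next unread run length in byte_100068CC
 *   a1[1]  low 16 bits hold the current pixel value (flips between 0 and 0xFFFF)
 *   a1[2]  pixels still to emit from the current run
 *
 * Each run length is stored as a variable-length integer: 7 payload bits per
 * byte, least-significant group first, high bit set on every byte except the
 * last. Whenever a run is exhausted the next length is read and the pixel value
 * is inverted. A run length of 0 therefore just flips the value again.
 *
 * Returns the current pixel value (0 or 0xFFFF for a zero-initialised state).
 *
 * Changes relative to the raw decompiler output:
 *   - reads are bounded by the size of byte_100068CC, and a length field longer
 *     than 32 bits is rejected, so a truncated or corrupted data file can no
 *     longer walk off the end of the buffer or shift by >= the int width;
 *     in that case the state is left untouched and the current value returned;
 *   - the continuation bit is tested with a mask instead of a cast to char,
 *     whose signedness differs between targets;
 *   - the 16-bit field is updated with integer arithmetic on a1[1] rather than
 *     through a _WORD* alias of an int object.
 */
int __fastcall sub_1000035C(int* a1)
{
    const unsigned char *stream = (const unsigned char *)byte_100068CC;
    const size_t stream_len = sizeof byte_100068CC;

    while (a1[2] == 0)
    {
        unsigned int run = 0;
        unsigned int shift = 0;
        size_t pos;
        unsigned char b;

        /* A negative offset can only come from corrupted state. */
        if (a1[0] < 0)
            return a1[1] & 0xFFFF;
        pos = (size_t)a1[0];

        do
        {
            /* Stop instead of reading past the buffer or over-shifting. */
            if (pos >= stream_len || shift >= 32)
                return a1[1] & 0xFFFF;
            b = stream[pos++];
            run |= (unsigned int)(b & 0x7F) << shift;
            shift += 7;
        } while (b & 0x80);

        a1[2] = (int)run;   /* new run length */
        a1[0] = (int)pos;   /* advance past the bytes just consumed */
        a1[1] ^= 0xFFFF;    /* invert the 16-bit pixel value */
    }

    a1[2] -= 1;
    return a1[1] & 0xFFFF;
}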
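/*
 * Decode one 240x180 frame from the encoded stream and append it to fp as
 * text: '*' for a non-zero pixel, '0' for a zero pixel, one line per row.
 * Prints the frame index to stdout and increments frame_id.
 *
 * The decoder (sub_1000035C) dereferences a1[0], a1[1] and a1[2]. The global
 * dword_20000FC8 is a single int32, so passing its address made the a1[1] and
 * a1[2] accesses land outside the object (undefined behaviour whose outcome
 * depends on the compiler's placement of neighbouring globals). The state is
 * therefore kept in a three-int static array; dword_20000FC8 is still used as
 * the read offset so its value stays the same as before for any other reader.
 */
void sub_100003A4(FILE* fp)
{
    enum { FRAME_W = 240, FRAME_H = 180 };
    /* offset, pixel value, remaining run length; persists across frames */
    static int decoder_state[3];
    _WORD frame_data[43204]; // [sp+0h] [bp-15188h] BYREF

    printf("frame: %d\n", frame_id);

    decoder_state[0] = dword_20000FC8;
    for (int i = 0; i < FRAME_W * FRAME_H; ++i)
        frame_data[i] = sub_1000035C(decoder_state);
    dword_20000FC8 = decoder_state[0];

    for (int y = 0; y < FRAME_H; y++)
    {
        for (int x = 0; x < FRAME_W; x++)
            fputc(frame_data[y * FRAME_W + x] ? '*' : '0', fp);
        fputc('\n', fp);
    }
    frame_id++;
}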
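/*
 * Load the extracted frame stream into byte_100068CC, then render 2192 frames
 * as text into the output file.
 *
 * Unlike the first version, a failed open of the input stops the program
 * (decoding an all-zero buffer produces no useful frames), the number of bytes
 * actually read is checked, and the exit status reflects failures.
 */
int main()
{
    FILE* fp = NULL;
    errno_t err = fopen_s(&fp, "C:\\Users\\96256\\Desktop\\data1", "rb");
    if (err)
    {
        printf("打开失败");
        return 1;
    }

    size_t got = fread(byte_100068CC, 1, sizeof byte_100068CC, fp);
    fclose(fp);
    if (got != sizeof byte_100068CC)
    {
        /* The rest of the buffer stays zero-filled; the output will be incomplete. */
        fprintf(stderr, "short read: %lu of %lu bytes\n",
                (unsigned long)got, (unsigned long)sizeof byte_100068CC);
        if (got == 0)
            return 1;
    }

    errno_t err1 = fopen_s(&fp, "C:\\Users\\96256\\Desktop\\flag", "wb");
    if (err1)
    {
        printf("打开失败!");
        return 1;
    }

    for (int i = 0; i < 2192; i++)
        sub_100003A4(fp);

    /* fclose flushes buffered output, so a failure here means lost frames. */
    if (fclose(fp) != 0)
    {
        fprintf(stderr, "failed to flush output file\n");
        return 1;
    }
    return 0;
}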
其中的 defs.h 是 IDA 自带的类型定义头文件,
可以在 IDA 的 plugins 目录中搜索到。
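代码需要在 VSCode 中用 g++ 编译运行。我一开始使用 Visual Studio 2019 跑不出来,询问 P1 师傅后得知是编译器不同造成的。一个可能的原因是:sub_1000035C 会访问 a1[1] 和 a1[2],如果传入的只是单个 int32 变量的地址,这些访问就越界了,属于未定义行为,结果取决于编译器对全局变量的内存布局。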
总结
学习了一下怎么做这种题目