【攻防世界】Reverse——secret-galaxy-300 writeup

由main函数查看相关代码，但是代码中并没有直接的关于flag的信息：

复制代码

int __cdecl main(int argc, const char **argv, const char **envp)
{
  __main();
  fill_starbase(&starbase);
  print_starbase((int)&starbase);
  return 0;
}
void __cdecl fill_starbase(int a1)
{
  int i; // [esp+8h] [ebp-10h]
  int v2; // [esp+Ch] [ebp-Ch]

  v2 = 0;
  for ( i = 0; i <= 4; ++i )
  {
    *(_DWORD *)(a1 + 24 * i) = galaxy_name[i];
    *(_DWORD *)(24 * i + a1 + 4) = rand();
    *(_DWORD *)(24 * i + a1 + 8) = 0;
    *(_DWORD *)(24 * i + a1 + 12) = 0;
    *(_DWORD *)(24 * i + a1 + 16) = 24 * (i + 1) + a1;
    *(_DWORD *)(a1 + 24 * i + 20) = v2;
    v2 = 24 * i + a1;
  }
}
int __cdecl print_starbase(int a1)
{
  int result; // eax
  const char *v2; // edx
  int i; // [esp+1Ch] [ebp-Ch]

  puts("--------------GALAXY DATABASE-------------");
  printf("%10s | %s | %s\n", "Galaxy name", "Existence of life", "Distance from Earth");
  result = puts("-------------------------------------------");
  for ( i = 0; i <= 4; ++i )
  {
    if ( *(_DWORD *)(24 * i + a1 + 8) == 1 )
      v2 = "INHABITED";
    else
      v2 = "IS NOT INHABITED";
    result = printf("%11s | %17s | %d\n", *(const char **)(24 * i + a1), v2, *(_DWORD *)(24 * i + a1 + 4));
  }
  return result;
}

注意到print_starbase只是打印了5个galaxy，但galaxy_name有6个元素：

c通过交叉引用，找到了下面的代码：

cpp 复制代码

int __libc_csu_gala()
{
  int result; // eax

  sc[0] = off_409014;
  sc[3] = &byte_40DAC0;
  sc[1] = 31337;
  sc[2] = 1;
  byte_40DAC0 = off_409004[0][8];
  byte_40DAC1 = off_409010[0][7];
  byte_40DAC2 = off_409008[0][4];
  byte_40DAC3 = off_409004[0][6];
  byte_40DAC4 = off_409004[0][1];
  byte_40DAC5 = off_409008[0][2];
  byte_40DAC6 = 95;
  byte_40DAC7 = off_409004[0][8];
  byte_40DAC8 = off_409004[0][3];
  byte_40DAC9 = off_40900C[0][5];
  byte_40DACA = 95;
  byte_40DACB = off_409004[0][8];
  byte_40DACC = off_409004[0][3];
  byte_40DACD = off_409004[0][4];
  byte_40DACE = off_409010[0][6];
  byte_40DACF = off_409010[0][4];
  byte_40DAD0 = off_409004[0][2];
  byte_40DAD1 = 95;
  byte_40DAD2 = off_409010[0][6];
  result = *((unsigned __int8 *)off_409008[0] + 3);
  byte_40DAD3 = off_409008[0][3];
  byte_40DAD4 = 0;
  return result;
}

但是上面代码中的result并不是我们要的flag，而是byte_40DAC0数组。解密方法有两种，一种是动态的就是在上面的代码中下断点，另一种是通过静态分析，用python改写上面的代码：

cpp 复制代码

off_409004 = "Andromeda".encode('utf-8')
off_409008= "Messier".encode('utf-8')
off_40900C = "Sombrero".encode('utf-8')
off_409010  = "Triangulum".encode('utf-8')
off_409014 = "DARK SECRET GALAXY".encode('utf-8')

def __libc_csu_gala():
    byte_40DAC = bytearray(21)  

    byte_40DAC[0] = off_409004[8]
    byte_40DAC[1] = off_409010[7]
    byte_40DAC[2] = off_409008[4]
    byte_40DAC[3] = off_409004[6]
    byte_40DAC[4] = off_409004[1]
    byte_40DAC[5] = off_409008[2]
    byte_40DAC[6] = 95
    byte_40DAC[7] = off_409004[8]
    byte_40DAC[8] = off_409004[3]
    byte_40DAC[9] = off_40900C[5]
    byte_40DAC[10] = 95
    byte_40DAC[11] = off_409004[8]
    byte_40DAC[12] = off_409004[3]
    byte_40DAC[13] = off_409004[4]
    byte_40DAC[14] = off_409010[6]
    byte_40DAC[15] = off_409010[4]
    byte_40DAC[16] = off_409004[2]
    byte_40DAC[17] = 95
    byte_40DAC[18] = off_409010[6]

    byte_40DAC[19] = off_409008[3]
    byte_40DAC[20] = 0

    return byte_40DAC.decode('utf-8')  

result = __libc_csu_gala()
print(result)