For rev-basic-6, as with the earlier problems, following the cross-references of the string constants leads to the function that encodes the input string. See the link above for how to do that.
Only the encoding function matters here; it looks like this:
sub_140001000
...
movsxd  rax, [rsp+18h+var_18]
mov     rcx, [rsp+18h+arg_0]
movzx   eax, byte ptr [rcx+rax]
lea     rcx, byte_140003020
movzx   eax, byte ptr [rcx+rax]
movsxd  rcx, [rsp+18h+var_18]
lea     rdx, byte_140003000
movzx   ecx, byte ptr [rdx+rcx]
cmp     eax, ecx
...
movsxd  rax, [rsp+18h+var_18]
mov     rcx, [rsp+18h+arg_0]
movzx   eax, byte ptr [rcx+rax]
var_18 is the loop counter i (0 on the first iteration) and arg_0 is the input string, so this loads the i-th byte of the input (zero-extended) into EAX. On the first pass that is the 0th character.
lea     rcx, byte_140003020
movzx   eax, byte ptr [rcx+rax]
byte_140003020 is a 256-byte lookup table (its contents are the AES S-box). The value in EAX is used as an index into that table,
so the input character itself selects one table entry,
and that entry replaces EAX:
EAX = byte_140003020[input[0]]
movsxd  rcx, [rsp+18h+var_18]
lea     rdx, byte_140003000
movzx   ecx, byte ptr [rdx+rcx]
cmp     eax, ecx
EAX, now byte_140003020[input[0]], is then compared against the 0th byte of the stored (encoded) string byte_140003000; a mismatch at any position fails the check.
The encoded string (byte_140003000) was:
\x00\x4D\x51\x50\xEF\xFB\xC3\xCF\x92\x45\x4D\xCF\xF5\x04\x40\x50\x43\x63
So the check walks the input one character at a time, and at every position the table lookup must equal the stored byte:
byte_140003020[input[0]] == 0x00
byte_140003020[input[1]] == 0x4D
byte_140003020[input[2]] == 0x51
...
byte_140003020[input[17]] == 0x63
Because the table is a permutation of 0..255, each stored byte has exactly one preimage, so the input is recovered by inverting the lookup. The last stored byte, 0x63, is byte_140003020[0x00], i.e. the NUL terminator of the input string, so the flag itself is 17 characters long.
# Stored bytes the input must map to (byte_140003000)
enc_str = b'\x00\x4D\x51\x50\xEF\xFB\xC3\xCF\x92\x45\x4D\xCF\xF5\x04\x40\x50\x43\x63'

# The 256-byte substitution table (byte_140003020), dumped row by row from the binary
byte_140003020 = (
    b'\x63\x7C\x77\x7B\xF2\x6B\x6F\xC5\x30\x01\x67\x2B\xFE\xD7\xAB\x76'
    b'\xCA\x82\xC9\x7D\xFA\x59\x47\xF0\xAD\xD4\xA2\xAF\x9C\xA4\x72\xC0'
    b'\xB7\xFD\x93\x26\x36\x3F\xF7\xCC\x34\xA5\xE5\xF1\x71\xD8\x31\x15'
    b'\x04\xC7\x23\xC3\x18\x96\x05\x9A\x07\x12\x80\xE2\xEB\x27\xB2\x75'
    b'\x09\x83\x2C\x1A\x1B\x6E\x5A\xA0\x52\x3B\xD6\xB3\x29\xE3\x2F\x84'
    b'\x53\xD1\x00\xED\x20\xFC\xB1\x5B\x6A\xCB\xBE\x39\x4A\x4C\x58\xCF'
    b'\xD0\xEF\xAA\xFB\x43\x4D\x33\x85\x45\xF9\x02\x7F\x50\x3C\x9F\xA8'
    b'\x51\xA3\x40\x8F\x92\x9D\x38\xF5\xBC\xB6\xDA\x21\x10\xFF\xF3\xD2'
    b'\xCD\x0C\x13\xEC\x5F\x97\x44\x17\xC4\xA7\x7E\x3D\x64\x5D\x19\x73'
    b'\x60\x81\x4F\xDC\x22\x2A\x90\x88\x46\xEE\xB8\x14\xDE\x5E\x0B\xDB'
    b'\xE0\x32\x3A\x0A\x49\x06\x24\x5C\xC2\xD3\xAC\x62\x91\x95\xE4\x79'
    b'\xE7\xC8\x37\x6D\x8D\xD5\x4E\xA9\x6C\x56\xF4\xEA\x65\x7A\xAE\x08'
    b'\xBA\x78\x25\x2E\x1C\xA6\xB4\xC6\xE8\xDD\x74\x1F\x4B\xBD\x8B\x8A'
    b'\x70\x3E\xB5\x66\x48\x03\xF6\x0E\x61\x35\x57\xB9\x86\xC1\x1D\x9E'
    b'\xE1\xF8\x98\x11\x69\xD9\x8E\x94\x9B\x1E\x87\xE9\xCE\x55\x28\xDF'
    b'\x8C\xA1\x89\x0D\xBF\xE6\x42\x68\x41\x99\x2D\x0F\xB0\x54\xBB\x16'
)

# Invert the lookup: for each stored byte, find the index j whose table entry equals it.
# That index is the original input character (the last one is the NUL terminator,
# which does not show up when printed).
dec_str = ""
for i in range(len(enc_str)):
    for j in range(len(byte_140003020)):
        if byte_140003020[j] == enc_str[i]:
            dec_str = dec_str + chr(j)
print(dec_str)
ubuntu@WSL:~/CTF/dreamhack.io/chall6$ python3 chall6.py Replac3_the_w0rld
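As an added example (not the writeup's own script), here is the same inversion written so it can be reused for any 256-byte substitution check of this shape: it builds the inverse table once instead of scanning the table for every byte, refuses tables that are not a permutation (where the preimage would be ambiguous), re-runs the forward lookup to confirm the recovered input really passes the binary's compare loop, and strips the trailing NUL. The table and ciphertext are the ones dumped above from byte_140003020 and byte_140003000; the function names are this example's own.

```python
# Added example, not the original writeup's script: invert a byte-substitution
# check of the kind sub_140001000 performs. The table and ciphertext below are
# the ones dumped from the binary (byte_140003020 and byte_140003000); the
# function names are this example's own.

SBOX = bytes.fromhex(
    "637c777bf26b6fc53001672bfed7ab76"
    "ca82c97dfa5947f0add4a2af9ca472c0"
    "b7fd9326363ff7cc34a5e5f171d83115"
    "04c723c31896059a071280e2eb27b275"
    "09832c1a1b6e5aa0523bd6b329e32f84"
    "53d100ed20fcb15b6acbbe394a4c58cf"
    "d0efaafb434d338545f9027f503c9fa8"
    "51a3408f929d38f5bcb6da2110fff3d2"
    "cd0c13ec5f974417c4a77e3d645d1973"
    "60814fdc222a908846eeb814de5e0bdb"
    "e0323a0a4906245cc2d3ac629195e479"
    "e7c8376d8dd54ea96c56f4ea657aae08"
    "ba78252e1ca6b4c6e8dd741f4bbd8b8a"
    "703eb5664803f60e613557b986c11d9e"
    "e1f8981169d98e949b1e87e9ce5528df"
    "8ca1890dbfe6426841992d0fb054bb16"
)

# byte_140003000: the 18 bytes (17 characters plus NUL) the substituted input must equal
ENC = bytes.fromhex("004d5150effbc3cf92454dcff50440504363")


def is_permutation(table: bytes) -> bool:
    """True iff the table maps 0..255 onto 0..255 bijectively, so it can be inverted."""
    return len(table) == 256 and len(set(table)) == 256


def invert_table(table: bytes) -> bytes:
    """Build inv such that inv[table[x]] == x for every x in 0..255."""
    if not is_permutation(table):
        raise ValueError("substitution table is not a permutation of 0..255")
    inv = bytearray(256)
    for x, y in enumerate(table):
        inv[y] = x
    return bytes(inv)


def substitute(table: bytes, data: bytes) -> bytes:
    """Apply the table byte by byte: what the binary does to each input character."""
    return bytes(table[b] for b in data)


def passes_check(table: bytes, candidate: bytes, expected: bytes) -> bool:
    """Emulate the compare loop: every substituted byte must equal the stored byte.

    The loop compares positions 0..len(expected)-1, so the candidate must be at
    least that long (the binary reads the C string including its NUL terminator).
    """
    if len(candidate) < len(expected):
        return False
    return all(table[candidate[i]] == expected[i] for i in range(len(expected)))


def recover(table: bytes, expected: bytes) -> bytes:
    """Recover the unique input that passes the check, with the trailing NUL removed."""
    plain = substitute(invert_table(table), expected)
    # Re-run the forward substitution before trusting the result.
    if not passes_check(table, plain, expected):
        raise RuntimeError("inversion did not round-trip")
    return plain.rstrip(b"\x00")


if __name__ == "__main__":
    print(recover(SBOX, ENC).decode())
```

Running it prints the same flag as the script above. The permutation check matters for the general case: if a table maps two inputs to the same byte, the stored byte has several preimages and the inversion must enumerate candidates rather than pick one.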