Bridgesk's Blog
0%

dmd-50

发表于 更新于 分类于

dmd-50

64位elf文件

拖入ida中,反编译得main函数如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
int __cdecl main(int argc, const char **argv, const char **envp)
{
  __int64 v3; // rax
  __int64 v4; // rax
  __int64 v5; // rax
  __int64 v6; // rax
  __int64 v7; // rax
  __int64 v8; // rax
  __int64 v9; // rax
  __int64 v10; // rax
  __int64 v11; // rax
  __int64 v12; // rax
  __int64 v13; // rax
  __int64 v14; // rax
  __int64 v15; // rax
  __int64 v16; // rax
  __int64 v17; // rax
  __int64 v18; // rax
  __int64 v19; // rax
  __int64 v20; // rax
  __int64 v21; // rax
  __int64 v23; // rax
  __int64 v24; // rax
  __int64 v25; // rax
  __int64 v26; // rax
  __int64 v27; // rax
  __int64 v28; // rax
  __int64 v29; // rax
  __int64 v30; // rax
  __int64 v31; // rax
  __int64 v32; // rax
  __int64 v33; // rax
  __int64 v34; // rax
  __int64 v35; // rax
  __int64 v36; // rax
  __int64 v37; // rax
  char v38; // [rsp+Fh] [rbp-71h] BYREF
  char v39[16]; // [rsp+10h] [rbp-70h] BYREF
  char v40[8]; // [rsp+20h] [rbp-60h] BYREF
  __int64 v41; // [rsp+28h] [rbp-58h]
  char v42[56]; // [rsp+30h] [rbp-50h] BYREF
  unsigned __int64 v43; // [rsp+68h] [rbp-18h]

  v43 = __readfsqword(0x28u);
  std::operator<<<std::char_traits<char>>(&std::cout, "Enter the valid key!\n", envp);
  std::operator>><char,std::char_traits<char>>(&edata, v42);
  std::allocator<char>::allocator(&v38);
  std::string::string(v39, v42, &v38);
  md5((MD5 *)v40, (const std::string *)v39);
  v41 = std::string::c_str((std::string *)v40);
  std::string::~string((std::string *)v40);
  std::string::~string((std::string *)v39);
  std::allocator<char>::~allocator((__int64)&v38);
  if ( *(_WORD *)v41 == 14391
    && *(_BYTE *)(v41 + 2) == '0'
    && *(_BYTE *)(v41 + 3) == '4'
    && *(_BYTE *)(v41 + 4) == '3'
    && *(_BYTE *)(v41 + 5) == 56
    && *(_BYTE *)(v41 + 6) == 100
    && *(_BYTE *)(v41 + 7) == 53
    && *(_BYTE *)(v41 + 8) == 98
    && *(_BYTE *)(v41 + 9) == 54
    && *(_BYTE *)(v41 + 10) == 101
    && *(_BYTE *)(v41 + 11) == 50
    && *(_BYTE *)(v41 + 12) == 57
    && *(_BYTE *)(v41 + 13) == 100
    && *(_BYTE *)(v41 + 14) == 98
    && *(_BYTE *)(v41 + 15) == 48
    && *(_BYTE *)(v41 + 16) == 56
    && *(_BYTE *)(v41 + 17) == 57
    && *(_BYTE *)(v41 + 18) == 56
    && *(_BYTE *)(v41 + 19) == 98
    && *(_BYTE *)(v41 + 20) == 99
    && *(_BYTE *)(v41 + 21) == 52
    && *(_BYTE *)(v41 + 22) == 102
    && *(_BYTE *)(v41 + 23) == 48
    && *(_BYTE *)(v41 + 24) == 50
    && *(_BYTE *)(v41 + 25) == 50
    && *(_BYTE *)(v41 + 26) == 53
    && *(_BYTE *)(v41 + 27) == 57
    && *(_BYTE *)(v41 + 28) == 51
    && *(_BYTE *)(v41 + 29) == 53
    && *(_BYTE *)(v41 + 30) == 'c'
    && *(_BYTE *)(v41 + 31) == '0' )
  {
    v3 = std::operator<<<std::char_traits<char>>(&std::cout, 'T');
    v4 = std::operator<<<std::char_traits<char>>(v3, 'h');
    v5 = std::operator<<<std::char_traits<char>>(v4, 'e');
    v6 = std::operator<<<std::char_traits<char>>(v5, ' ');
    v7 = std::operator<<<std::char_traits<char>>(v6, 'k');
    v8 = std::operator<<<std::char_traits<char>>(v7, 'e');
    v9 = std::operator<<<std::char_traits<char>>(v8, 'y');
    v10 = std::operator<<<std::char_traits<char>>(v9, ' ');
    v11 = std::operator<<<std::char_traits<char>>(v10, 'i');
    v12 = std::operator<<<std::char_traits<char>>(v11, 's');
    v13 = std::operator<<<std::char_traits<char>>(v12, ' ');
    v14 = std::operator<<<std::char_traits<char>>(v13, 'v');
    v15 = std::operator<<<std::char_traits<char>>(v14, 'a');
    v16 = std::operator<<<std::char_traits<char>>(v15, 'l');
    v17 = std::operator<<<std::char_traits<char>>(v16, 'i');
    v18 = std::operator<<<std::char_traits<char>>(v17, 'd');
    v19 = std::operator<<<std::char_traits<char>>(v18, ' ');
    v20 = std::operator<<<std::char_traits<char>>(v19, ':');
    v21 = std::operator<<<std::char_traits<char>>(v20, ')');
    std::ostream::operator<<(v21, &std::endl<char,std::char_traits<char>>);
    return 0;
  }
  else
  {
    v23 = std::operator<<<std::char_traits<char>>(&std::cout, 73LL);
    v24 = std::operator<<<std::char_traits<char>>(v23, 110LL);
    v25 = std::operator<<<std::char_traits<char>>(v24, 118LL);
    v26 = std::operator<<<std::char_traits<char>>(v25, 97LL);
    v27 = std::operator<<<std::char_traits<char>>(v26, 108LL);
    v28 = std::operator<<<std::char_traits<char>>(v27, 105LL);
    v29 = std::operator<<<std::char_traits<char>>(v28, 100LL);
    v30 = std::operator<<<std::char_traits<char>>(v29, 32LL);
    v31 = std::operator<<<std::char_traits<char>>(v30, 75LL);
    v32 = std::operator<<<std::char_traits<char>>(v31, 101LL);
    v33 = std::operator<<<std::char_traits<char>>(v32, 121LL);
    v34 = std::operator<<<std::char_traits<char>>(v33, 33LL);
    v35 = std::operator<<<std::char_traits<char>>(v34, 32LL);
    v36 = std::operator<<<std::char_traits<char>>(v35, 58LL);
    v37 = std::operator<<<std::char_traits<char>>(v36, 40LL);
    std::ostream::operator<<(v37, &std::endl<char,std::char_traits<char>>);
    return 0;
  }
}

第49行调用md5加密,整理得加密后的字符串为

1
780438d5b6e29db0898bc4f0225935c0

在线解密

从类型中可知,这是进行了2次md5解密,所以flag就是将grape进行md5加密一次

得flag即为

1
b781cbb29054db12f88f08c6e161c199