ADWORLD [rev] elrond32

elrond32

Open the binary rev in IDA Pro:

int __cdecl main(int a1, char **a2)
{
  // argv[1] is checked starting from state 0
  if ( a1 > 1 && sub_8048414(a2[1], 0) )
  {
    puts("Access granted");
    sub_8048538(a2[1]);
  }
  else
  {
    puts("Access denied");
  }
  return 0;
}

Two core functions: sub_8048414 checks whether the argument is correct, and sub_8048538 prints the flag.

Analyzing sub_8048414

int __cdecl sub_8048414(_BYTE *a1, int a2)
{
  int result; // eax

  // a2 selects which character is expected at the current position
  switch ( a2 )
  {
    case 0:
      if ( *a1 == 'i' )
        goto LABEL_19;
      result = 0;
      break;
    case 1:
      if ( *a1 == 'e' )
        goto LABEL_19;
      result = 0;
      break;
    case 3:
      if ( *a1 == 'n' )
        goto LABEL_19;
      result = 0;
      break;
    case 4:
      if ( *a1 == 'd' )
        goto LABEL_19;
      result = 0;
      break;
    case 5:
      if ( *a1 == 'a' )
        goto LABEL_19;
      result = 0;
      break;
    case 6:
      if ( *a1 == 'g' )
        goto LABEL_19;
      result = 0;
      break;
    case 7:
      if ( *a1 == 's' )
        goto LABEL_19;
      result = 0;
      break;
    case 9:
      if ( *a1 == 'r' )
LABEL_19:
        // character matched: advance to the next character and the next state
        result = sub_8048414(a1 + 1, 7 * (a2 + 1) % 11);
      else
        result = 0;
      break;
    default:
      // a state with no case label ends the recursion with success
      result = 1;
      break;
  }
  return result;
}

This function takes two parameters, str and a. On each call it uses a to decide which character is expected at the current position, then recurses on the next character with the next state 7 * (a + 1) % 11. When a reaches a value with no case label, the default branch returns 1, meaning the check succeeded.

A Python script to simulate the state sequence:

a = [0]          # states visited, starting from a = 0
i = 0
while True:
    if i > 9:    # stop once the state leaves the range covered by the switch
        break
    i = 7 * (i + 1) % 11
    a.append(i)

print(a)
# [0, 7, 1, 3, 6, 5, 9, 4, 2, 10]

Only [0, 7, 1, 3, 6, 5, 9, 4] are used, because the switch statement has only these eight cases; the ninth state, 2, falls into the default branch and returns 1.

The characters expected in those eight states, in order, form the string isengard.
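As an added example (my own code, not part of the original writeup), here is a Python mirror of sub_8048414 that both verifies a candidate string and derives the accepted string directly from the case table; the names `CASES`, `check` and `recover_password` are my own.

```python
# Expected character for each state that has a case label in sub_8048414.
CASES = {0: 'i', 1: 'e', 3: 'n', 4: 'd', 5: 'a', 6: 'g', 7: 's', 9: 'r'}


def next_state(a):
    """State transition taken after a successful character match."""
    return 7 * (a + 1) % 11


def check(s, a=0, pos=0):
    """Mirror of sub_8048414(str, a): returns 1 on success, 0 on failure.

    The default branch (a state with no case label) returns 1 without
    looking at the string, so the check only constrains the characters
    consumed before that state is reached.
    """
    if a not in CASES:
        return 1
    # Reading past the end of the string corresponds to hitting the NUL
    # terminator in the binary, which never equals an expected letter.
    if pos >= len(s) or s[pos] != CASES[a]:
        return 0
    return check(s, next_state(a), pos + 1)


def recover_password():
    """Walk the state machine from state 0 and collect the expected letters."""
    a, out = 0, []
    while a in CASES:
        out.append(CASES[a])
        a = next_state(a)
    return ''.join(out)


if __name__ == '__main__':
    pw = recover_password()
    print(pw, check(pw))
```

Because the default branch accepts without reading further, any string whose first eight characters are isengard also passes the check.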

Run the program as ./rev3000 isengard to get the flag.