###### tags: `程安`
# CS 2019 Fall - Homework 0x01
### [0x01] Back to the Future
Open it in IDA Pro (32-bit), locate `main`, decompile it directly, and tidy the result a little:
```cpp=
int __cdecl main(int argc, const char **argv, const char **envp)
{
  const char *v3; // eax
  struct _PEB *pebCurrent; // [esp+18h] [ebp-20h]
  _DWORD *v6; // [esp+1Ch] [ebp-1Ch]
  HMODULE v7; // [esp+20h] [ebp-18h]
  int k; // [esp+24h] [ebp-14h]
  int j; // [esp+28h] [ebp-10h]
  size_t i; // [esp+2Ch] [ebp-Ch]

  sub_4019E0();
  v7 = GetModuleHandleA(0);              // base of our own image (IMAGE_DOS_HEADER)
  v6 = (v7 + *(v7 + 15));                // IMAGE_NT_HEADERS = base + e_lfanew (DWORD at offset 0x3C)
  pebCurrent = NtCurrentPeb();
  if ( *v7 == 23117 && *v6 == 17744 )    // 0x5A4D "MZ" and 0x4550 "PE\0\0": header signatures intact
  {
    printf(" --------------------------- \n"
           " | B@ck t0 7he Fu7ur3... \n"
           " | en.wikipedia.org/wiki/Back_to_the_Future\n"
           " --------------------------- \n");
    year = getLocalYear(v6[2]);          // v6[2] is FileHeader.TimeDateStamp, the compile timestamp
    printf("[+] It's a time machine built in 1985,"
           "\n\tand you're in %i year now.\n", year);
    if ( year != 1985 )
      puts("[!] WARNING: \n\tit might be some trouble"
           "if you're not in 1985 year.");
    if ( pebCurrent->BeingDebugged )     // anti-debug check via the PEB
      v3 = "[HARMFUL!]";
    else
      v3 = "[SAFE]";
    printf("[!] Time Machine Guarder: %s\n", v3);
    printf("[+] input password to launch time machine: ");
    gets(input);
    for ( i = 0; strlen(input) > i; ++i )
      input[i] |= 0x20u;                 // force every byte to "lowercase" (set bit 0x20)
    printf("[!] reading ... the.... passw0r..d.....\n");
    for ( j = 0; j <= 18; ++j )
    {
      // per-byte XOR constant depends on the compile year and the debug flag
      input[j] ^= 2 * (year + 63) + pebCurrent->BeingDebugged + 127;
      if ( input[j] != checker[j] )
      {
        puts("[!] oops... time machine g0t some trouble"
             "in the 0ld tim3... ");
        break;
      }
    }
    for ( k = 0; k <= 18; ++k )
      input[k] ^= key[k];                // the printed flag is checker ^ key when the check passed
    printf("[+] a flag found by time machine at %i:\n\t%s\n",
           year, input);
  }
  else
  {
    puts("time machine broken, oohoho. please don't patch me ;)");
  }
  return 0;
}
```
Let's look at it section by section.

---

**Part 1**
```cpp=21
    year = getLocalYear(v6[2]);
    printf("[+] It's a time machine built in 1985, \n"
           "\tand you're in %i year now.\n", year);
    if ( year != 1985 )
      puts("[!] WARNING: \n\tit might be some trouble"
           "if you're not in 1985 year.");
```
This hints that `year` must equal 1985.

---

**Part 2**
```cpp=25
    if ( pebCurrent->BeingDebugged )
      v3 = "[HARMFUL!]";
    else
      v3 = "[SAFE]";
```
Here the program checks at run time whether it is currently being debugged (via the PEB's `BeingDebugged` flag).

---

**Part 3**
```cpp=35
    for ( j = 0; j <= 18; ++j )
    {
      input[j] ^= 2 * (year + 63) + pebCurrent->BeingDebugged + 127;
      if ( input[j] != checker[j] )
      {
        puts("[!] oops... time machine g0t some trouble in the 0ld tim3... ");
        break;
      }
    }
```
Here our `input` is transformed byte by byte, and each transformed byte is compared against an array (named `checker` here) to see whether they match.

---

**Part 4**
```cpp=44
    for ( k = 0; k <= 18; ++k )
      input[k] ^= key[k];
    printf("[+] a flag found by time machine at %i:\n\t%s\n", year, input);
```
The `input` that passed the comparison is then XORed with another array (named `key` here) and printed as the FLAG.

---

**Summary**
From **Part 3** and **Part 4**, we actually don't need to care how to construct our `input` (including how to get `year = 1985` and how to disguise ourselves as not being debugged), because in the end **Part 3** just compares it against `checker` for equality, so we can go straight to what `checker` contains.
Then find `key`, XOR it with `checker` to undo the transformation, and we get the FLAG.

:::success
FLAG{PE_!S_EASY}
:::
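
As an added worked example (my own script, not code from the homework binary or the original writeup), the following reproduces the arithmetic above: the per-byte XOR constant from **Part 3** for a given `year` and `BeingDebugged`, the `checker ^ key` recovery from **Part 4**, and the header checks behind `getLocalYear(v6[2])`. The password, `checker`, `key` and PE header are constructed sample values, not the real ones from the binary, and UTC is assumed when turning the timestamp into a year.

```python
import struct
from datetime import datetime, timezone

# Constructed sample data (NOT the real arrays from the binary): a 19-byte password whose
# bytes all have bit 0x20 set (so `input[i] |= 0x20` leaves it unchanged), `checker`
# derived from it with the year-1985 constant, and `key` chosen so checker ^ key is the flag.
SAMPLE_PASSWORD = b"great scott doc 88!"
FLAG = b"FLAG{PE_!S_EASY}".ljust(19, b"\x00")   # padded to the 19 bytes the loops touch

def xor_constant(year: int, being_debugged: int) -> int:
    """Byte actually XORed into input[j]: 2*(year+63) + BeingDebugged + 127, truncated to a char."""
    return (2 * (year + 63) + being_debugged + 127) & 0xFF

CHECKER = bytes(b ^ xor_constant(1985, 0) for b in SAMPLE_PASSWORD)
KEY = bytes(f ^ c for f, c in zip(FLAG, CHECKER))

def recover_flag(checker: bytes, key: bytes) -> bytes:
    """Part 4 reversed: the printed flag is checker ^ key, whatever the password was."""
    return bytes(c ^ k for c, k in zip(checker, key)).split(b"\x00", 1)[0]

def password_for(checker: bytes, year: int, being_debugged: int):
    """Password that passes Part 3, or None: the program ORs 0x20 into every byte first,
    so a byte of checker ^ constant that lacks bit 0x20 can never be produced."""
    pw = bytes(c ^ xor_constant(year, being_debugged) for c in checker)
    return pw if all(b & 0x20 for b in pw) else None

def pe_compile_year(image: bytes) -> int:
    """The checks feeding getLocalYear(v6[2]): verify 'MZ' (23117) and 'PE' (17744),
    then read FileHeader.TimeDateStamp. UTC is assumed; the binary's helper may use local time."""
    if struct.unpack_from("<H", image, 0)[0] != 23117:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]       # *(v7 + 15) in DWORD units
    if struct.unpack_from("<I", image, e_lfanew)[0] != 17744:
        raise ValueError("missing PE signature")
    stamp = struct.unpack_from("<I", image, e_lfanew + 8)[0]  # v6[2]
    return datetime.fromtimestamp(stamp, tz=timezone.utc).year

def build_sample_pe(stamp: int) -> bytes:
    """Constructed minimal header: MZ stub with e_lfanew = 0x40, then PE signature, Machine,
    NumberOfSections and TimeDateStamp (enough for the checks above, not a loadable file)."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + struct.pack("<HHI", 0x14C, 1, stamp)

if __name__ == "__main__":
    year = pe_compile_year(build_sample_pe(489196800))        # 1985-07-03 UTC
    print(f"year={year} const=0x{xor_constant(year, 0):02x} "
          f"password={password_for(CHECKER, year, 0)} flag={recover_flag(CHECKER, KEY)}")
```

Running it with the debug flag set or a non-1985 year makes `password_for` return `None`, which is exactly why the writeup skips the password and recovers the flag from `checker ^ key` directly.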