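Test file: https://wwa.lanzous.com/i54G4drrp1i
Code analysis
Open the binary in IDA and look at the main function.
Here a2[1] is compared with zer0pts{********CENSORED********}; a2[1] is our input.
Next, find the place where the input string is transformed.
Here the input is split into groups of 8 bytes, and the corresponding element of the qword_5605DCE75060 array is subtracted from each group, giving zer0pts{********CENSORED********}.
So we only need to reverse the operation. (Note the big-endian versus little-endian storage of the string and the hex data: the byte order has to be swapped.)
Script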
#-*- coding:utf-8 -*-
enc = "********CENSORED********"
m = [0x410A4335494A0942, 0x0B0EF2F50BE619F0, 0x4F0A3A064A35282B]

# Hex digits of every character of the comparison string
k = [hex(ord(x))[2:] for x in enc]
print (''.join(k))

flag1 = ''
for i in range(0,len(k),8):
    s = ''.join(k[i:i+8][::-1])  # little-endian: reverse the 8 bytes to get the integer value
    flag1 += hex(int(s, 16) + m[i//8])[2:]  # add the table entry back
print (flag1)
results = ''.join([chr(int(flag1[x:x+2], 16)) for x in range(0,len(flag1),2)])

flag2 = ''
flag1 = [flag1[i:i+2] for i in range(0,len(flag1),2)]
for i in range(0,len(flag1),8):
    s = ''.join(flag1[i:i+8][::-1])  # reverse each 8-byte group back to string order
    flag2 += s
print (flag2)
results = ''.join([chr(int(flag2[x:x+2], 16)) for x in range(0,len(flag2),2)])
print (results)
A simpler script
#-*- coding:utf-8 -*-
import binascii

enc = "********CENSORED********"
m = [0x410A4335494A0942, 0x0B0EF2F50BE619F0, 0x4F0A3A064A35282B]

flag = b''
for i in range(3):
    p = enc[i*8:(i+1)*8]
    # Reverse the 8 bytes so the hex string reads as the little-endian integer
    a = binascii.b2a_hex(p.encode('ascii')[::-1])
    # Add the table entry, then reverse back to string order
    b = binascii.a2b_hex(hex(int(a,16) + m[i])[2:])[::-1]
    flag += b
print (flag)
get flag!
flag{l3ts_m4k3_4_DETOUR_t0d4y}
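The transform described in the analysis, modelled in both directions as an added example (not code from the original write-up). It goes slightly beyond the scripts above by using fixed-width little-endian packing and 64-bit wraparound, so chunks with a leading zero byte or a carry out of the top byte are still handled; the function names are assumptions, and the constants are the ones shown on the page.

```python
import struct

# Constants copied from the page: the comparison string inside zer0pts{...}
# and the three 64-bit entries read from the qword array.
TARGET = b"********CENSORED********"
TABLE = [0x410A4335494A0942, 0x0B0EF2F50BE619F0, 0x4F0A3A064A35282B]
MASK64 = 0xFFFFFFFFFFFFFFFF


def transform(data, table, sign):
    """Add (sign=+1) or subtract (sign=-1) table[i] on the i-th 8-byte chunk.

    Each chunk is read as a little-endian unsigned 64-bit integer and the
    arithmetic wraps modulo 2**64, as native 64-bit arithmetic does.
    """
    if len(data) != 8 * len(table):
        raise ValueError("data must be exactly 8 bytes per table entry")
    out = bytearray()
    for i, key in enumerate(table):
        (chunk,) = struct.unpack_from("<Q", data, 8 * i)
        out += struct.pack("<Q", (chunk + sign * key) & MASK64)
    return bytes(out)


def binary_check(user_input):
    """Model of the check in the analysis: subtract the table, then compare."""
    return transform(user_input, TABLE, -1) == TARGET


def recover_input():
    """Invert the subtraction by adding the table back to the target."""
    return transform(TARGET, TABLE, +1)


if __name__ == "__main__":
    body = recover_input()
    # Round trip: the recovered bytes must pass the modelled check.
    print(body.decode("ascii"), binary_check(body))
```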