-
BUUCTF reverse wp 76 - 80
[CISCN2018]2ex
四处游走寻找关键代码
int __fastcall sub_400430(int a1, unsigned int a2, int a3) { unsigned int v3; // $v0 int v4; // $v0 int v5; // $v0 int v6; // $v0 unsigned int i; // [sp+8h] [+8h] unsigned int v9; // [sp+8h] [+8h] int v10; // [sp+Ch] [+Ch] v10 = 0; for ( i = 0; i < a2; ++i ) { v3 = i % 3; if ( i % 3 == 1 ) { v5 = v10++; *(_BYTE *)(a3 + v5) = byte_410200[16 * (*(_BYTE *)(a1 + i - 1) & 3) + ((*(unsigned __int8 *)(a1 + i) >> 4) & 0xF)]; } else if ( v3 == 2 ) { *(_BYTE *)(a3 + v10) = byte_410200[4 * (*(_BYTE *)(a1 + i - 1) & 0xF) + ((*(unsigned __int8 *)(a1 + i) >> 6) & 3)]; v6 = v10 + 1; v10 += 2; *(_BYTE *)(a3 + v6) = byte_410200[*(_BYTE *)(a1 + i) & 0x3F]; } else if ( !v3 ) { v4 = v10++; *(_BYTE *)(a3 + v4) = byte_410200[(*(unsigned __int8 *)(a1 + i) >> 2) & 0x3F]; } } v9 = i - 1; if ( v9 % 3 ) { if ( v9 % 3 == 1 ) { *(_BYTE *)(a3 + v10) = byte_410200[4 * (*(_BYTE *)(a1 + v9) & 0xF)]; *(_BYTE *)(a3 + v10 + 1) = 61; } } else { *(_BYTE *)(a3 + v10) = byte_410200[16 * (*(_BYTE *)(a1 + v9) & 3)]; *(_BYTE *)(a3 + v10 + 1) = 61; *(_BYTE *)(a3 + v10 + 2) = 61; } return 0; }- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
变表base64, 拿板子秒了
import base64 encodestr = '_r-+_Cl5;vgq_pdme7#7eC0=' changebase64 = '@,.1fgvw#`/2ehux$~\"3dity%_;4cjsz^+{5bkrA&=}6alqB*-[70mpC()]89noD' # print(len(changebase64)) originbase64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" trans_encodestr = encodestr.translate(str.maketrans(changebase64,originbase64)) flag = base64.b64decode(trans_encodestr) print(flag)- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
[watevrCTF 2019]Timeout
打开发现是一大堆数据, 打开方式不对, 尝试ELF64格式再打开
得到反编译伪码int __cdecl main(int argc, const char **argv, const char **envp) { signal(14, sig); alarm(1u); delay(6000000LL); can_continue = 1337; return 0; } unsigned __int64 generate() { char s[131]; // [rsp+0h] [rbp-B0h] BYREF char v2[14]; // [rsp+83h] [rbp-2Dh] BYREF char v3[31]; // [rsp+91h] [rbp-1Fh] BYREF *(_QWORD *)&v3[23] = __readfsqword(0x28u); if ( can_continue == 1337 ) { s[64] = 35; s[65] = 60; s[66] = 73; s[67] = 100; s[68] = 85; s[69] = 46; s[70] = 119; s[71] = 32; s[72] = 45; s[73] = 115; s[74] = 63; s[75] = 125; s[76] = 44; s[77] = 56; s[78] = 108; s[79] = 83; s[80] = 84; s[81] = 42; s[82] = 90; s[83] = 106; s[84] = 87; s[85] = 58; s[86] = 102; s[87] = 94; s[88] = 77; s[89] = 54; s[90] = 101; s[91] = 110; s[92] = 112; s[93] = 104; s[94] = 99; s[95] = 47; s[96] = 79; s[97] = 118; s[98] = 37; s[99] = 75; s[100] = 11; s[101] = 52; s[102] = 76; s[103] = 82; s[104] = 103; s[105] = 96; s[106] = 95; s[107] = 69; s[108] = 123; s[109] = 114; s[110] = 59; s[111] = 126; s[112] = 74; s[113] = 10; s[114] = 107; s[115] = 113; s[116] = 67; s[117] = 36; s[118] = 92; s[119] = 40; s[120] = 34; s[121] = 64; s[122] = 50; s[123] = 68; s[124] = 98; s[125] = 80; s[126] = 13; s[127] = 38; s[128] = 49; s[129] = 55; s[130] = 12; qmemcpy(v2, "]y>=xaVYA[BF3", 13); v2[13] = (unsigned __int8)&unk_400BB4; strcpy(v3, "!tQHu0Xi5|\t9N+zmG)o"); strcpy(s, "watevr{3ncrytion_is_overrated_youtube.com/watch?v=OPf0YbXqDm0}"); puts(s); } return __readfsqword(0x28u) ^ *(_QWORD *)&v3[23]; }- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
主要逻辑就是经过
delay(6000000LL);一大段时间, 最后generate函数直接给flag[RoarCTF2019]polyre
main函数直接就是控制流平坦化
用修复后的脚本去混淆, 参考 https://ylcao.top/2022/01/16/%E7%AC%A6%E5%8F%B7%E6%89%A7%E8%A1%8C%E5%8E%BB%E6%8E%A7%E5%88%B6%E6%B5%81%E5%B9%B3%E5%9D%A6%E5%8C%96/>python deflat.py attachment 0x400620 *******************relevant blocks************************ prologue: 0x400620 main_dispatcher: 0x40063f pre_dispatcher: 0x4020cc retn: 0x401f54 relevant_blocks: ['0x4015d4', '0x40201b', '0x401e00', '0x401f2d', '0x401481', '0x401c69', '0x401efa', '0x401830', '0x401642', '0x401f97', '0x40180b', '0x401eb9', '0x401748', '0x4013ef', '0x4012f6', '0x401fb5', '0x402033', '0x40197d', '0x40136c', '0x401a73', '0x401d9a', '0x40204d', '0x402096', '0x4015c5', '0x401567', '0x401909', '0x401f09', '0x401c2b', '0x4014ae', '0x40199b', '0x401435', '0x401fa6', '0x401861', '0x401b34', '0x401b5d', '0x401f3c', '0x401521', '0x401caf', '0x4013cf', '0x4014f7', '0x401f60', '0x401960', '0x4016a0', '0x4018a7', '0x4011de', '0x401739', '0x4020c2', '0x401506', '0x4019e1', '0x4014d2', '0x401d2d', '0x401849', '0x4017fc', '0x4017ab', '0x401b25', '0x402072', '0x401d03', '0x401ad3', '0x4015fc', '0x401926', '0x401b75', '0x401326', '0x4016e6', '0x401e0f', '0x40200c', '0x401e73', '0x4015b6', '0x401a3d', '0x401ff4', '0x401305', '0x401fe5', '0x401d54', '0x401198', '0x4013b2', '0x401c1c', '0x40124f', '0x401c46', '0x401490', '0x401a8d', '0x401b4e', '0x401d45', '0x401765', '0x401bbb', '0x4018fa', '0x401691', '0x401c0d', '0x4015ed', '0x401a4c', '0x401d12', '0x40125e', '0x401fcd', '0x4012a4', '0x401940', '0x4014e8', '0x401121', '0x401e2d', '0x401ed6', '0x4020b3', '0x401117'] *******************symbolic execution********************* -------------------dse 0x4015d4--------------------- WARNING | 2023-09-25 22:23:16,740 | angr.storage.memory_mixins.default_filler_mixin | The program is accessing register with an unspecified value. This could indicate unwanted behavior. ... ... ... 0x4012a4: ['0x4012f6', '0x401f97'] 0x401940: ['0x401960'] 0x4014e8: ['0x4015d4'] 0x401121: ['0x401198'] 0x401e2d: ['0x401e73', '0x4020c2'] 0x401ed6: ['0x401efa'] 0x4020b3: ['0x401d9a'] 0x401117: ['0x4015d4'] 0x400620: ['0x401121'] 0x401f54: [] ************************patch***************************** Successful! The recovered file: attachment_recovered- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
打开之后, 发现还有不少花指令
IDApython去花, IDA API版本是7.4+
参考API更新文档进行脚本编写 https://hex-rays.com/products/ida/support/ida74_idapython_no_bc695_porting_guide.shtmlfrom idc import * st = 0x0000000000401117 end = 0x0000000000402144 def patch_nop(start,end): for i in range(start,end): patch_byte(i, 0x90) def next_instr(addr): return addr + get_item_size(addr) addr = st while(addr<end): next = next_instr(addr) if "ds:dword_603054" in GetDisasm(addr): while(True): addr = next next = next_instr(addr) if "jnz" in GetDisasm(addr): dest = get_operand_value(addr, 0) patch_byte(addr, 0xe9) patch_byte(addr+5, 0x90) offset = dest - (addr + 5) patch_dword(addr + 1, offset) print("patch bcf: 0x%x"%addr) addr = next break else: addr = next print('---- patching done ----')- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
最后还原出主要代码
__int64 __fastcall main(int a1, char **a2, char **a3) { __int64 v3; // rax unsigned __int64 v4; // rcx __int64 v6; // [rsp+1E0h] [rbp-110h] int v7; // [rsp+1E8h] [rbp-108h] int v8; // [rsp+1ECh] [rbp-104h] char s1[48]; // [rsp+1F0h] [rbp-100h] BYREF char s[60]; // [rsp+220h] [rbp-D0h] BYREF unsigned int v11; // [rsp+25Ch] [rbp-94h] char *v12; // [rsp+260h] [rbp-90h] int v13; // [rsp+288h] [rbp-68h] bool v14; // [rsp+28Fh] [rbp-61h] char *v15; // [rsp+290h] [rbp-60h] int v16; // [rsp+298h] [rbp-58h] bool v17; // [rsp+29Fh] [rbp-51h] __int64 v18; // [rsp+2A0h] [rbp-50h] bool v19; // [rsp+2AFh] [rbp-41h] __int64 v20; // [rsp+2B0h] [rbp-40h] __int64 v21; // [rsp+2B8h] [rbp-38h] __int64 v22; // [rsp+2C0h] [rbp-30h] __int64 v23; // [rsp+2C8h] [rbp-28h] int v24; // [rsp+2D0h] [rbp-20h] int v25; // [rsp+2D4h] [rbp-1Ch] char *v26; // [rsp+2D8h] [rbp-18h] int v27; // [rsp+2E0h] [rbp-10h] int v28; // [rsp+2E4h] [rbp-Ch] bool v29; // [rsp+2EBh] [rbp-5h] v11 = 0; memset(s, 0, 0x30uLL); memset(s1, 0, sizeof(s1)); printf("Input:"); v12 = s; v3 = 3824974737LL; v4 = 3788079310LL; LABEL_7: v6 = v4 ^ v3; LABEL_9: v24 = v8++; while ( 1 ) { v16 = v8; v17 = v8 < 64; if ( v8 < 64 ) { v18 = v6; v19 = v6 < 0; if ( v6 < 0 ) { v20 = 2 * v6; v21 = 2 * v6; v3 = 2 * v6; v4 = 0xB0004B7679FA26B3LL; goto LABEL_7; } v22 = v6; v23 = 2 * v6; v6 *= 2LL; goto LABEL_9; } v25 = 8 * v7; v26 = &s1[8 * v7]; *(_QWORD *)v26 = v6; v27 = ++v7; v13 = v7; v14 = v7 < 6; if ( v7 >= 6 ) break; v15 = s; v6 = *(_QWORD *)&s[8 * v7]; v8 = 0; } v28 = memcmp(s1, &unk_402170, 0x30uLL); v29 = v28 != 0; if ( v28 ) puts("Wrong!"); else puts("Correct!"); return v11; }- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
CRC32编码, 输入 48 字节,平分 6 组,将每组 8 字节转化为 long 类型的值,对每组进行加密,先判断正负,然后将值乘 2,随后根据正负异或 0xB0004B7679FA26B3,循环 64 次,最后进行比较
checklist = [ '96','62','53','43','6D', 'F2','8F','BC','16','EE', '30','05','78','00','01', '52','EC','08','5F','93', 'EA','B5','C0','4D','50', 'F4','53','D8','AF','90', '2B','34','81','36','2C', 'AA','BC','0E','25','8B', 'E4','8A','C6','A2','81', '9F','75','55' ] idx = 0 flag = '' for i in range(6): v4 = '0x' + checklist[idx + 7] + checklist[idx + 6] + \ checklist[idx + 5] + checklist[idx + 4] + checklist[idx + 3] + \ checklist[idx + 2] + checklist[idx + 1] + checklist[idx] s = int(v4, 16) for j in range(64): if s & 1 == 1: s = ((s ^ int('0xB0004B7679FA26B3', 16)) >> 1) | 0x8000000000000000 else: s = s >> 1 idx = idx + 8 j = 0 while j < 8: flag += chr(s & 0xFF) s >>= 8 j += 1 print(flag)- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
[ACTF新生赛2020]fungame
int __cdecl sub_401340(int a1) { char i; // [esp+1Fh] [ebp-9h] printf("Please input:"); scanf("%s", a1); for ( i = 0; i <= 15; ++i ) { if ( (*(_BYTE *)(i + a1) ^ *((_BYTE *)y1 + i)) != y2[i] ) exit(0); } return 0; }- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
逆
#includeunsigned char y2[] = { 113, 4, 97, 88, 39, 30, 75, 34, 94, 100, 3, 38, 94, 23, 60, 122, 255, 255, 255, 255, 0, 64, 0, 0 }; unsigned char y1[] = { 35, 97, 62, 105, 84, 65, 24, 77, 110, 59, 101, 83, 48, 121, 69, 91 }; int main() { char flag[17] = {0}; for (int i = 0; i <= 15; ++i) { flag[i] = y1[i] ^ y2[i]; } printf("%s\n", flag); } - 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
[羊城杯 2020]Bytecode
4 0 LOAD_CONST 0 (3) 3 LOAD_CONST 1 (37) 6 LOAD_CONST 2 (72) 9 LOAD_CONST 3 (9) 12 LOAD_CONST 4 (6) 15 LOAD_CONST 5 (132) 18 BUILD_LIST 6 21 STORE_NAME 0 (en) 5 24 LOAD_CONST 6 (101) 27 LOAD_CONST 7 (96) 30 LOAD_CONST 8 (23) 33 LOAD_CONST 9 (68) 36 LOAD_CONST 10 (112) 39 LOAD_CONST 11 (42) 42 LOAD_CONST 12 (107) 45 LOAD_CONST 13 (62) 48 LOAD_CONST 7 (96) 51 LOAD_CONST 14 (53) 54 LOAD_CONST 15 (176) 57 LOAD_CONST 16 (179) 60 LOAD_CONST 17 (98) 63 LOAD_CONST 14 (53) 66 LOAD_CONST 18 (67) 69 LOAD_CONST 19 (29) 72 LOAD_CONST 20 (41) 75 LOAD_CONST 21 (120) 78 LOAD_CONST 22 (60) 81 LOAD_CONST 23 (106) 84 LOAD_CONST 24 (51) 87 LOAD_CONST 6 (101) 90 LOAD_CONST 25 (178) 93 LOAD_CONST 26 (189) 96 LOAD_CONST 6 (101) 99 LOAD_CONST 27 (48) 102 BUILD_LIST 26 105 STORE_NAME 1 (output) 7 108 LOAD_CONST 28 ('welcome to GWHT2020') 111 PRINT_ITEM 112 PRINT_NEWLINE 9 113 LOAD_NAME 2 (raw_input) 116 LOAD_CONST 29 ('please input your flag:') 119 CALL_FUNCTION 1 122 STORE_NAME 3 (flag) 10 125 LOAD_NAME 3 (flag) 128 STORE_NAME 4 (str) 12 131 LOAD_NAME 5 (len) 134 LOAD_NAME 4 (str) 137 CALL_FUNCTION 1 140 STORE_NAME 6 (a) 13 143 LOAD_NAME 6 (a) 146 LOAD_CONST 30 (38) 149 COMPARE_OP 0 (<) 152 POP_JUMP_IF_FALSE 173 14 155 LOAD_CONST 31 ('lenth wrong!') 158 PRINT_ITEM 159 PRINT_NEWLINE 15 160 LOAD_NAME 7 (exit) 163 LOAD_CONST 32 (0) 166 CALL_FUNCTION 1 169 POP_TOP 170 JUMP_FORWARD 0 (to 173) 17 >> 173 LOAD_NAME 8 (ord) 176 LOAD_NAME 4 (str) 179 LOAD_CONST 32 (0) 182 BINARY_SUBSCR 183 CALL_FUNCTION 1 186 LOAD_CONST 33 (2020) 189 BINARY_MULTIPLY 190 LOAD_NAME 8 (ord) 193 LOAD_NAME 4 (str) 196 LOAD_CONST 34 (1) 199 BINARY_SUBSCR 200 CALL_FUNCTION 1 203 BINARY_ADD 204 LOAD_CONST 33 (2020) 207 BINARY_MULTIPLY 208 LOAD_NAME 8 (ord) 211 LOAD_NAME 4 (str) 214 LOAD_CONST 35 (2) 217 BINARY_SUBSCR 218 CALL_FUNCTION 1 221 BINARY_ADD 222 LOAD_CONST 33 (2020) 225 BINARY_MULTIPLY 226 LOAD_NAME 8 (ord) 229 LOAD_NAME 4 (str) 232 LOAD_CONST 0 (3) 235 BINARY_SUBSCR 236 CALL_FUNCTION 1 239 BINARY_ADD 240 LOAD_CONST 33 (2020) 243 BINARY_MULTIPLY 244 LOAD_NAME 8 (ord) 247 LOAD_NAME 4 (str) 250 LOAD_CONST 36 (4) 253 BINARY_SUBSCR 254 CALL_FUNCTION 1 257 BINARY_ADD 258 LOAD_CONST 37 (1182843538814603) 261 COMPARE_OP 2 (==) 264 POP_JUMP_IF_FALSE 275 18 267 LOAD_CONST 38 ('good!continue\xe2\x80\xa6\xe2\x80\xa6') 270 PRINT_ITEM 271 PRINT_NEWLINE 272 JUMP_FORWARD 15 (to 290) 20 >> 275 LOAD_CONST 39 ('bye~') 278 PRINT_ITEM 279 PRINT_NEWLINE 21 280 LOAD_NAME 7 (exit) 283 LOAD_CONST 32 (0) 286 CALL_FUNCTION 1 289 POP_TOP 23 >> 290 BUILD_LIST 0 293 STORE_NAME 9 (x) 24 296 LOAD_CONST 40 (5) 299 STORE_NAME 10 (k) 25 302 SETUP_LOOP 128 (to 433) 305 LOAD_NAME 11 (range) 308 LOAD_CONST 41 (13) 311 CALL_FUNCTION 1 314 GET_ITER >> 315 FOR_ITER 114 (to 432) 318 STORE_NAME 12 (i) 26 321 LOAD_NAME 8 (ord) 324 LOAD_NAME 4 (str) 327 LOAD_NAME 10 (k) 330 BINARY_SUBSCR 331 CALL_FUNCTION 1 334 STORE_NAME 13 (b) 27 337 LOAD_NAME 8 (ord) 340 LOAD_NAME 4 (str) 343 LOAD_NAME 10 (k) 346 LOAD_CONST 34 (1) 349 BINARY_ADD 350 BINARY_SUBSCR 351 CALL_FUNCTION 1 354 STORE_NAME 14 (c) 28 357 LOAD_NAME 14 (c) 360 LOAD_NAME 0 (en) 363 LOAD_NAME 12 (i) 366 LOAD_CONST 4 (6) 369 BINARY_MODULO 370 BINARY_SUBSCR 371 BINARY_XOR 372 STORE_NAME 15 (a11) 29 375 LOAD_NAME 13 (b) 378 LOAD_NAME 0 (en) 381 LOAD_NAME 12 (i) 384 LOAD_CONST 4 (6) 387 BINARY_MODULO 388 BINARY_SUBSCR 389 BINARY_XOR 390 STORE_NAME 16 (a22) 30 393 LOAD_NAME 9 (x) 396 LOAD_ATTR 17 (append) 399 LOAD_NAME 15 (a11) 402 CALL_FUNCTION 1 405 POP_TOP 31 406 LOAD_NAME 9 (x) 409 LOAD_ATTR 17 (append) 412 LOAD_NAME 16 (a22) 415 CALL_FUNCTION 1 418 POP_TOP 32 419 LOAD_NAME 10 (k) 422 LOAD_CONST 35 (2) 425 INPLACE_ADD 426 STORE_NAME 10 (k) 429 JUMP_ABSOLUTE 315 >> 432 POP_BLOCK 33 >> 433 LOAD_NAME 9 (x) 436 LOAD_NAME 1 (output) 439 COMPARE_OP 2 (==) 442 POP_JUMP_IF_FALSE 453 34 445 LOAD_CONST 38 ('good!continue\xe2\x80\xa6\xe2\x80\xa6') 448 PRINT_ITEM 449 PRINT_NEWLINE 450 JUMP_FORWARD 15 (to 468) 36 >> 453 LOAD_CONST 42 ('oh,you are wrong!') 456 PRINT_ITEM 457 PRINT_NEWLINE 37 458 LOAD_NAME 7 (exit) 461 LOAD_CONST 32 (0) 464 CALL_FUNCTION 1 467 POP_TOP 39 >> 468 LOAD_NAME 5 (len) 471 LOAD_NAME 4 (str) 474 CALL_FUNCTION 1 477 STORE_NAME 18 (l) 40 480 LOAD_NAME 8 (ord) 483 LOAD_NAME 4 (str) 486 LOAD_NAME 18 (l) 489 LOAD_CONST 43 (7) 492 BINARY_SUBTRACT 493 BINARY_SUBSCR 494 CALL_FUNCTION 1 497 STORE_NAME 19 (a1) 41 500 LOAD_NAME 8 (ord) 503 LOAD_NAME 4 (str) 506 LOAD_NAME 18 (l) 509 LOAD_CONST 4 (6) 512 BINARY_SUBTRACT 513 BINARY_SUBSCR 514 CALL_FUNCTION 1 517 STORE_NAME 20 (a2) 42 520 LOAD_NAME 8 (ord) 523 LOAD_NAME 4 (str) 526 LOAD_NAME 18 (l) 529 LOAD_CONST 40 (5) 532 BINARY_SUBTRACT 533 BINARY_SUBSCR 534 CALL_FUNCTION 1 537 STORE_NAME 21 (a3) 43 540 LOAD_NAME 8 (ord) 543 LOAD_NAME 4 (str) 546 LOAD_NAME 18 (l) 549 LOAD_CONST 36 (4) 552 BINARY_SUBTRACT 553 BINARY_SUBSCR 554 CALL_FUNCTION 1 557 STORE_NAME 22 (a4) 44 560 LOAD_NAME 8 (ord) 563 LOAD_NAME 4 (str) 566 LOAD_NAME 18 (l) 569 LOAD_CONST 0 (3) 572 BINARY_SUBTRACT 573 BINARY_SUBSCR 574 CALL_FUNCTION 1 577 STORE_NAME 23 (a5) 45 580 LOAD_NAME 8 (ord) 583 LOAD_NAME 4 (str) 586 LOAD_NAME 18 (l) 589 LOAD_CONST 35 (2) 592 BINARY_SUBTRACT 593 BINARY_SUBSCR 594 CALL_FUNCTION 1 597 STORE_NAME 24 (a6) 46 600 LOAD_NAME 19 (a1) 603 LOAD_CONST 0 (3) 606 BINARY_MULTIPLY 607 LOAD_NAME 20 (a2) 610 LOAD_CONST 35 (2) 613 BINARY_MULTIPLY 614 BINARY_ADD 615 LOAD_NAME 21 (a3) 618 LOAD_CONST 40 (5) 621 BINARY_MULTIPLY 622 BINARY_ADD 623 LOAD_CONST 44 (1003) 626 COMPARE_OP 2 (==) 629 POP_JUMP_IF_FALSE 807 47 632 LOAD_NAME 19 (a1) 635 LOAD_CONST 36 (4) 638 BINARY_MULTIPLY 639 LOAD_NAME 20 (a2) 642 LOAD_CONST 43 (7) 645 BINARY_MULTIPLY 646 BINARY_ADD 647 LOAD_NAME 21 (a3) 650 LOAD_CONST 3 (9) 653 BINARY_MULTIPLY 654 BINARY_ADD 655 LOAD_CONST 45 (2013) 658 COMPARE_OP 2 (==) 661 POP_JUMP_IF_FALSE 807 48 664 LOAD_NAME 19 (a1) 667 LOAD_NAME 20 (a2) 670 LOAD_CONST 46 (8) 673 BINARY_MULTIPLY 674 BINARY_ADD 675 LOAD_NAME 21 (a3) 678 LOAD_CONST 35 (2) 681 BINARY_MULTIPLY 682 BINARY_ADD 683 LOAD_CONST 47 (1109) 686 COMPARE_OP 2 (==) 689 POP_JUMP_IF_FALSE 804 49 692 LOAD_NAME 22 (a4) 695 LOAD_CONST 0 (3) 698 BINARY_MULTIPLY 699 LOAD_NAME 23 (a5) 702 LOAD_CONST 35 (2) 705 BINARY_MULTIPLY 706 BINARY_ADD 707 LOAD_NAME 24 (a6) 710 LOAD_CONST 40 (5) 713 BINARY_MULTIPLY 714 BINARY_ADD 715 LOAD_CONST 48 (671) 718 COMPARE_OP 2 (==) 721 POP_JUMP_IF_FALSE 801 50 724 LOAD_NAME 22 (a4) 727 LOAD_CONST 36 (4) 730 BINARY_MULTIPLY 731 LOAD_NAME 23 (a5) 734 LOAD_CONST 43 (7) 737 BINARY_MULTIPLY 738 BINARY_ADD 739 LOAD_NAME 24 (a6) 742 LOAD_CONST 3 (9) 745 BINARY_MULTIPLY 746 BINARY_ADD 747 LOAD_CONST 49 (1252) 750 COMPARE_OP 2 (==) 753 POP_JUMP_IF_FALSE 798 51 756 LOAD_NAME 22 (a4) 759 LOAD_NAME 23 (a5) 762 LOAD_CONST 46 (8) 765 BINARY_MULTIPLY 766 BINARY_ADD 767 LOAD_NAME 24 (a6) 770 LOAD_CONST 35 (2) 773 BINARY_MULTIPLY 774 BINARY_ADD 775 LOAD_CONST 50 (644) 778 COMPARE_OP 2 (==) 781 POP_JUMP_IF_FALSE 795 52 784 LOAD_CONST 51 ('congraduation!you get the right flag!') 787 PRINT_ITEM 788 PRINT_NEWLINE 789 JUMP_ABSOLUTE 795 792 JUMP_ABSOLUTE 798 >> 795 JUMP_ABSOLUTE 801 >> 798 JUMP_ABSOLUTE 804 >> 801 JUMP_ABSOLUTE 807 >> 804 JUMP_FORWARD 0 (to 807) >> 807 LOAD_CONST 52 (None) 810 RETURN_VALUE- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
- 139
- 140
- 141
- 142
- 143
- 144
- 145
- 146
- 147
- 148
- 149
- 150
- 151
- 152
- 153
- 154
- 155
- 156
- 157
- 158
- 159
- 160
- 161
- 162
- 163
- 164
- 165
- 166
- 167
- 168
- 169
- 170
- 171
- 172
- 173
- 174
- 175
- 176
- 177
- 178
- 179
- 180
- 181
- 182
- 183
- 184
- 185
- 186
- 187
- 188
- 189
- 190
- 191
- 192
- 193
- 194
- 195
- 196
- 197
- 198
- 199
- 200
- 201
- 202
- 203
- 204
- 205
- 206
- 207
- 208
- 209
- 210
- 211
- 212
- 213
- 214
- 215
- 216
- 217
- 218
- 219
- 220
- 221
- 222
- 223
- 224
- 225
- 226
- 227
- 228
- 229
- 230
- 231
- 232
- 233
- 234
- 235
- 236
- 237
- 238
- 239
- 240
- 241
- 242
- 243
- 244
- 245
- 246
- 247
- 248
- 249
- 250
- 251
- 252
- 253
- 254
- 255
- 256
- 257
- 258
- 259
- 260
- 261
- 262
- 263
- 264
- 265
- 266
- 267
- 268
- 269
- 270
- 271
- 272
- 273
- 274
- 275
- 276
- 277
- 278
- 279
- 280
- 281
- 282
- 283
- 284
- 285
- 286
- 287
- 288
- 289
- 290
- 291
- 292
- 293
- 294
- 295
- 296
- 297
- 298
- 299
- 300
- 301
- 302
- 303
- 304
- 305
- 306
- 307
- 308
- 309
- 310
- 311
- 312
- 313
- 314
- 315
- 316
- 317
- 318
- 319
- 320
- 321
- 322
- 323
- 324
- 325
- 326
- 327
- 328
- 329
- 330
- 331
- 332
- 333
- 334
- 335
- 336
- 337
- 338
- 339
- 340
- 341
- 342
- 343
- 344
- 345
- 346
- 347
- 348
- 349
- 350
- 351
- 352
- 353
- 354
- 355
- 356
- 357
- 358
- 359
- 360
- 361
- 362
- 363
- 364
- 365
- 366
- 367
bytecode 逆向, 直接读字节码, 人工还原到python源码, 没有现成的工具(有机会可以写一个), 唯硬逆一途
en = [3, 37, 72, 9, 6, 132] output = [101, 96, 23, 68, 112, 42, 107, 62, 96, 53, 176, 179, 98, 53, 67, 29, 41, 120, 60, 106, 51, 101, 178, 189, 101, 48] print('welcome to GWHT2020') flag = input('please input your flag:') str = flag a = len(str) if a < 38: print('lenth wrong!') exit(0) if ord(str[0]) + 2020 * ord(str[1]) + 2020 * ord(str[3]) + 2020 * ord(str[4]) == 1182843538814603: print('good!continue\xe2\x80\xa6\xe2\x80\xa6') else: print('bye~') exit(0) x = [] k = 5 for i in range(13): b = ord(str[k]) c = ord(str[k + 1]) a11 = c ^ en[i % 6] a22 = b ^ en[i % 6] x.append(a11) x.append(a22) k += 2 if x == output: print('good!continue\xe2\x80\xa6\xe2\x80\xa6') else: print('oh,you are wrong!') exit(0) l = len(str) a1 = ord(str[l - 7]) a2 = ord(str[l - 6]) a3 = ord(str[l - 5]) a4 = ord(str[l - 4]) a5 = ord(str[l - 3]) a6 = ord(str[l - 2]) if a1 * 3 + a2 * 2 + a3 * 5 == 1003: if a1 * 4 + a2 * 7 + a3 * 9 == 2013: if a1 + a2 * 8 + a3 * 2 == 1109: if a1 * 3 + a5 * 2 + a6 * 5 == 671: if a4 * 4 + a5 * 7 + a6 * 9 == 1252: if a4 + a5 * 8 + a6 * 2 == 644: print('congraduation!you get the right flag!')- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
z3解方程
import z3 s = z3.Solver() en = [3, 37, 72, 9, 6, 132] output = [101, 96, 23, 68, 112, 42, 107, 62, 96, 53, 176, 179, 98, 53, 67, 29, 41, 120, 60, 106, 51, 101, 178, 189, 101, 48] flag = [z3.Int(f'a{x}') for x in range(45)] t1 = flag[0] * 2020 + flag[1] t2 = t1 * 2020 + flag[2] t3 = t2 * 2020 + flag[3] t4 = t3 * 2020 + flag[4] s.add(t4 == 1182843538814603) for i in range(5): s.add(flag[i] > 0) s.add(flag[i] < 128) k = 5 for i in range(13): s.add(flag[k+1] == output[2*i] ^ en[i % 6]) s.add(flag[k] == output[2*i+1] ^ en[i % 6]) k += 2 l = len(flag) a1 = flag[l - 7] a2 = flag[l - 6] a3 = flag[l - 5] a4 = flag[l - 4] a5 = flag[l - 3] a6 = flag[l - 2] s.add((a1 * 3 + a2 * 2 + a3 * 5) == 1003) s.add((a1 * 4 + a2 * 7 + a3 * 9) == 2013) s.add((a1 + a2 * 8 + a3 * 2) == 1109) s.add((a4 * 3 + a5 * 2 + a6 * 5) == 671) s.add((a4 * 4 + a5 * 7 + a6 * 9) == 1252) s.add((a4 + a5 * 8 + a6 * 2) == 644) for i in flag: s.add(i > 0) s.add(i < 128) c = s.check() if c == z3.unsat: print('fail') else: model = s.model() result = {} for x in model: key = int(str(x).replace('a', '')) result[key] = model[x] flag_result = [result[x].as_long() for x in sorted(result)] flag_result = [chr(x) for x in flag_result] print(''.join(flag_result)) # GWHT{cfa2b87b3f746a8f0ac5c5963faeff73- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
-
相关阅读:
Redis02-持久化策略
XTU OJ 1381表格
C++:面试二叉树的遍历
删除字符串字符,使输出结果不包含回文串
openGauss学习笔记-97 openGauss 数据库管理-访问外部数据库-dblink
MySQL:事务管理
JDK动态代理Demo
虫情测报灯如何实现自动化测报?
Spring 源码学习笔记10——Spring AOP
路线中桩测量计算程序浅析
- 原文地址:https://blog.csdn.net/qq_33976344/article/details/133281014
