前言
記錄記錄
1.LoginToMe
int __fastcall main(int argc, const char **argv, const char **envp)
{unsigned int v3; // eaxchar s[96]; // [rsp+10h] [rbp-70h] BYREFint v6; // [rsp+70h] [rbp-10h]int v7; // [rsp+78h] [rbp-8h]int i; // [rsp+7Ch] [rbp-4h]memset(s, 0, sizeof(s));v6 = 0;printf("input:");__isoc99_scanf("%s", s);if ( strlen(s) == 20 ){v3 = time(0LL);srand(v3);v7 = rand() % 100;for ( i = 0; i < v7; ++i );if ( *(unsigned __int16 *)s * *(unsigned __int16 *)&s[2] == 342772773&& *(unsigned __int16 *)s + *(unsigned __int16 *)&s[2] == 39526&& *(_DWORD *)&s[4] - *(_DWORD *)&s[8] == 1005712381&& *(unsigned __int16 *)&s[4] + *(unsigned __int16 *)&s[6] == 56269&& *(unsigned __int16 *)&s[8] - *(unsigned __int16 *)&s[10] == 15092&& s[4] * s[8] == 10710&& s[6] * s[10] == 12051&& s[7] + s[11] == 172&& *(unsigned __int16 *)&s[12] * *(unsigned __int16 *)&s[14] == 171593250&& *(unsigned __int16 *)&s[12] + *(unsigned __int16 *)&s[14] == 26219&& *(unsigned __int16 *)&s[16] * *(unsigned __int16 *)&s[18] == 376306868&& *(unsigned __int16 *)&s[16] + *(unsigned __int16 *)&s[18] == 40341 ){puts("check ok~!");}else{puts("check failed~!");}}return 1;
}分析可知這是一個驗證程序輸入的問題,如果多輪程序輸入的與條件一樣則是會檢查正確,會進入該輪的下一輪,否則會輸出錯誤,逆向的話要對其爆破一個唯一解,這里可以用z3庫進行操作
import libnum
from z3 import *for i in (range(33, 128)):x = Solver()ans = []s = [BitVec(('%d' % i), 32) for i in range(5)]x.add(s[0] & 0xff == i)x.add((s[0] & 0xffff) * (s[0] >> 16) == 342772773, (s[0] & 0xffff) + (s[0] >> 16) == 39526, s[1] - s[2] == 1005712381, (s[1] & 0xffff) + (s[1] >> 16) == 56269, (s[2] & 0xffff) - (s[2] >> 16) == 15092, ((s[1]) & 0xff) * ((s[2]) & 0xff) == 10710, ((s[1] >> 16) & 0xff) * ((s[2] >> 16) & 0xff) == 12051, ((s[1]) >> 24) + ((s[2]) >> 24) == 172, (s[3] & 0xffff) * (s[3] >> 16) == 171593250, (s[3] & 0xffff) + (s[3] >> 16) == 26219, (s[4] & 0xffff) * (s[4] >> 16) == 376306868, (s[4] & 0xffff) + (s[4] >> 16) == 40341)if x.check() == sat:model = x.model()for j in s:print(libnum.n2s(model[j].as_long())[::-1].decode(), end='')print()
然后輸出就會爆出一個唯一解
由于比賽有環境,賽后沒有環境,所以這道題就這樣了
2.茶(tea)
主函數
int __fastcall main(int argc, const char **argv, const char **envp)
{char Str[64]; // [rsp+20h] [rbp-70h] BYREFchar v5[39]; // [rsp+60h] [rbp-30h]char v6[3]; // [rsp+87h] [rbp-9h] BYREFint i; // [rsp+8Ch] [rbp-4h]_main(argc, argv, envp);v5[0] = -119;v5[1] = -48;v5[2] = -121;v5[3] = 54;v5[4] = -55;v5[5] = 69;v5[6] = -39;v5[7] = -48;v5[8] = 113;v5[9] = 59;v5[10] = 54;v5[11] = -109;v5[12] = 24;v5[13] = -65;v5[14] = 1;v5[15] = 99;v5[16] = -87;v5[17] = 54;v5[18] = 126;v5[19] = -9;v5[20] = -1;v5[21] = 32;v5[22] = 25;v5[23] = -126;v5[24] = -51;v5[25] = 119;v5[26] = 123;v5[27] = -118;v5[28] = 18;v5[29] = 48;v5[30] = 34;v5[31] = 80;v5[32] = -106;v5[33] = -87;v5[34] = -53;v5[35] = 92;v5[36] = 43;v5[37] = 33;v5[38] = -109;qmemcpy(v6, "ta}", sizeof(v6));printf("plz input your flag:");scanf("%42s", Str);if ( strlen(Str) != 42 ){printf("wrong length");exit(0);}for ( i = 0; i <= 39; i += 8 )encrypt((unsigned int *)&Str[i], key);for ( i = 0; i <= 41; ++i ){if ( Str[i] != v5[i] ){printf("error");exit(0);}}printf("win");return 0;
}加密流程
DWORD *__fastcall encrypt(unsigned int *a1, _DWORD *a2)
{_DWORD *result; // raxunsigned int i; // [rsp+20h] [rbp-10h]int v4; // [rsp+24h] [rbp-Ch]unsigned int v5; // [rsp+28h] [rbp-8h]unsigned int v6; // [rsp+2Ch] [rbp-4h]v6 = *a1;v5 = a1[1];v4 = 0;for ( i = 0; i <= 0x1F; ++i ){v4 -= 1640531527;v6 += (v5 + v4) ^ (*a2 + 16 * v5) ^ ((v5 >> 5) + a2[1]);v5 += (v6 + v4) ^ (a2[2] + 16 * v6) ^ ((v6 >> 5) + a2[3]);}*a1 = v6;result = a1 + 1;a1[1] = v5;return result;
}key
0x78, 0x56, 0x34, 0x12, 0x0D, 0xF0, 0xAD, 0x0B, 0x14, 0x13,
0x20, 0x05, 0x21, 0x43, 0x65, 0x87腳本
#include <stdio.h>int main() {// Encrypted data blocks, each block is 8 bytes (two unsigned integers)unsigned int a1[] = {0x3687d089, 0xd0d945c9,0x93363b71, 0x6301bf18,0xf77e36a9, 0x821920ff,0x8a7b77cd, 0x50223012,0x5ccba996, 0x7493212b};// Key used for encryption/decryptionunsigned int a2[4] = { 0x12345678, 0x0BADF00D, 0x5201314, 0x87654321 };// Decrypt each block of datafor (int i = 0; i <= 9; i += 2) {int j = 0;unsigned int delta = 0xc6ef3720;unsigned int v5 = a1[i + 1];unsigned int v6 = a1[i];// Perform the decryption roundsdo {++j;v5 -= (v6 + delta) ^ (a2[2] + 16 * v6) ^ ((v6 >> 5) + a2[3]);v6 -= (v5 + delta) ^ (*a2 + 16 * v5) ^ ((v5 >> 5) + a2[1]);delta += 1640531527;} while (j <= 31);// Store the decrypted values back into the arraya1[i + 1] = v5;a1[i] = v6;}// Print the decrypted data as charactersfor (int i = 0; i <= 9; i++) {for (int j = 0; j <= 3; j++) {printf("%c", (a1[i] >> (j * 8)) & 0xFF);}}return 0;
}輸出
flag{7b06c572-d317-49cf-8ff2-8e402e1ea53}
3.VM
加密是固定的單字節加密,動調程序獲取數據后進行簡單解密即可
#include <stdio.h>
#include <stdint.h>int main() {// Encrypted data arrayuint8_t codee[] = {0x05, 0x82, 0x02, 0x01,0x41, 0xA5, 0xE6, 0x00,0x2D, 0xA0, 0xDF, 0x00,0x16, 0xCB, 0x81, 0x00,0x8F, 0xBC, 0xA6, 0x00,0xF6, 0xC0, 0xA3, 0x00,0x6D, 0xB0, 0xD2, 0x00,0xA4, 0x9D, 0xE7, 0x00,0xB9, 0xD2, 0x7A, 0x00,0x7B, 0xB4, 0xB3, 0x00,0xF3, 0xCA, 0x8C, 0x00,0x4C, 0xC2, 0x87, 0x00,0xC7, 0xEE, 0x26, 0x00,0x53, 0x8B, 0x06, 0x01,0x41, 0x91, 0x0E, 0x01,0xA1, 0xB7, 0x9D, 0x00,0xD6, 0xD3, 0x77, 0x00,0x54, 0xAE, 0xCF, 0x00,0x2D, 0x99, 0xF6, 0x00,0xAE, 0xBA, 0xA9, 0x00,0x67, 0xA7, 0xD2, 0x00,0x31, 0xA6, 0xF2, 0x00,0xA1, 0xEE, 0x26, 0x00,0xE4, 0x87, 0x15, 0x01,0x4A, 0xF2, 0x1D, 0x00,0x82, 0xC3, 0xA3, 0x00,0x21, 0x90, 0x02, 0x01,0x4B, 0xB9, 0xB5, 0x00,0xA0, 0xCB, 0x6D, 0x00,0x7D, 0x86, 0x2E, 0x01,0x70, 0xA5, 0xEF, 0x00,0xE3, 0xC7, 0x85, 0x00,0xDB, 0xF0, 0x26, 0x00};// Process the encrypted data and print characters in reverse orderfor (int i = sizeof(codee) / sizeof(codee[0]) - 4; i >= 0; i -= 4) {uint16_t low_word = (codee[i + 1] << 8) | codee[i];uint16_t high_word = (codee[i + 3] << 8) | codee[i + 2];printf("%c", (0xffff ^ low_word) / high_word);}// Another set of data to be printed in reverse orderint aa[] = {125, 101, 110, 106, 105, 100, 97, 109, 96, 109, 98, 118, 122, 114, 105, 119,96, 101, 107, 106, 108, 95, 123, 111, 129, 96, 111, 101, 124, 103, 97, 109, 108};printf("\n\n\n"); // Print three newlines// Print the reversed data from 'aa'for (int i = 0; i < sizeof(aa) / sizeof(aa[0]); ++i) {printf("%c ", aa[sizeof(aa) / sizeof(aa[0]) - i - 1]);}// Print additional characters based on bitwise operationsprintf("%c", (0xffff ^ 0xf0db) / 0x26);printf("%c", (0xffff ^ 0xc7e3) / 0x85);printf("%c", (0xffff ^ 0xa570) / 0xef);return 0;
}輸出
flag{do_you_like_virtual_machine}
:解析經典數據分析框架,助力創業增長)
)
—內置組件》)
方法會出現什么情況?)
)
)
