BUUCTF[2019红帽杯]easyRE
进入ida,shift+F12,查找flag没有结果,有可疑字符串进入
双击黄色部分,然后F5看伪代码
先是异或加密
v12="Iodl>Qnb(ocy"
v12=list(v12) # 转为字符列表
for i in range(0,len(v12)):
v12[i]=ord(v12[i]) #字符转ASCII码
v12.append(127) # 补第13字节:127
v13="y.i"
v13=list(v13)
for i in range(0,len(v13)):
v13[i]=ord(v13[i])
v12.extend(v13) #v13拼接到v12后
v12.append(127)
v14="d`3w}wek9{iy=~yL@EC"
v14=list(v14)
for i in range(0,len(v14)):
v14[i]=ord(v14[i])
v12.extend(v14) #v14拼接到v12后
print(v12)
v15=''
for i in range(0,len(v12)):
v15+=chr(v12[i]^i)
print(v15)
输出:Info:The first four chars are `flag`
接着是十个base64加密后得v11=off_6CC090
厨子解
十个base64解密得一个网址,进入之后是文章,说明找错了不是flag
注意到off_6CC090下面有数据
进入sub_400D35
v4=v1
f和g可以想到是flag中的,恰好byte_6CC0A0[0]和byte_6CC0A3中间还有两个数据,所以v4分别异或0x40,0x35,0x20,0x56得到'flag'
'flag' ^ 0x40,0x35,0x20,0x56求出v4
j=0 → byte_6CC0A0[0] ^ v4[0]
j=1 → byte_6CC0A0[1] ^ v4[1]
j=2 → byte_6CC0A0[2] ^ v4[2]
j=3 → byte_6CC0A0[3] ^ v4[3]
j=4 → byte_6CC0A0 [4] ^ v4 [0](4%4=0,循环使用第 0 字节)
脚本求出flag
byte_6cc0a0=[0x40,0x35,0x20,0x56,0x5d,0x18,0x22,0x45,0x17,0x2f,0x24,0x6e,0x62,0x3c,0x27,0x54,0x48,0x6c,0x24,0x6e,0x72,0x3c,0x32,0x45,0x5b] tmp=[102,108,97,103] #flag的ASCII码 v4=[] for i in range(0,4): v4.append(tmp[i]^byte_6cc0a0[i]) print(v4) flag='' for i in range(0,25): flag+=chr(byte_6cc0a0[i]^v4[i%4]) print(flag) byte_6cc0a0=[0x40,0x35,0x20,0x56,0x5d,0x18,0x22,0x45,0x17,0x2f,0x24,0x6e,0x62,0x3c,0x27,0x54,0x48,0x6c,0x24,0x6e,0x72,0x3c,0x32,0x45,0x5b] tmp=[102,108,97,103] #flag的ASCII码 v4=[] for i in range(0,4): v4.append(tmp[i]^byte_6cc0a0[i]) print(v4) flag='' for i in range(0,25): flag+=chr(byte_6cc0a0[i]^v4[i%4]) print(flag) byte_6cc0a0=[0x40,0x35,0x20,0x56,0x5d,0x18,0x22,0x45,0x17,0x2f,0x24,0x6e,0x62,0x3c,0x27,0x54,0x48,0x6c,0x24,0x6e,0x72,0x3c,0x32,0x45,0x5b] tmp=[102,108,97,103] #flag的ASCII码 v4=[] for i in range(0,4): v4.append(tmp[i]^byte_6cc0a0[i]) print(v4) flag='' for i in range(0,25): flag+=chr(byte_6cc0a0[i]^v4[i%4]) print(flag)flag{Act1ve_Defen5e_Test}
