swpu2019 ReverseMe

[SWPU2019]ReverseMe

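Open the binary in IDA (32-bit).

The program is fairly complex, so we have to rely on dynamic debugging to work out what it does.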

The input is 32 characters long.

It is first XORed with the key.

The result is then encrypted by a function and compared with the flag.

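The key question is how to deal with the encryption function.

The function is very complicated, but the only operation that actually affects the data is this XOR.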

The XOR values are generated at run time, so just debug the program dynamically.

Calling this function generates a value, which is returned in the eax register.

The value in eax is the XOR value.

Write the script:

# Ciphertext the program compares against
enc = [
    0xB3, 0x37, 0x0F, 0xF8, 0xBC, 0xBC, 0xAE, 0x5D, 0xBA, 0x5A,
    0x4D, 0x86, 0x44, 0x97, 0x62, 0xD3, 0x4F, 0xBA, 0x24, 0x16,
    0x0B, 0x9F, 0x72, 0x1A, 0x65, 0x68, 0x6D, 0x26, 0xBA, 0x6B,
    0xC8, 0x67]

# XOR values read from eax while debugging, one per input byte
xor = [0x86, 0xc, 0x3e, 0xca, 0x98, 0xd7, 0xae, 0x19,
       0xe2, 0x77, 0x6b, 0xa6, 0x6a, 0xa1, 0x77, 0xb0,
       0x69, 0x91, 0x37, 0x5, 0x7a, 0xf9, 0x7b, 0x30,
       0x43, 0x5a, 0x4b, 0x10, 0x86, 0x7d, 0xd4, 0x28]

key = "SWPU_2019_CTF"

for i in range(32):
    # Undo the encryption function's XOR first
    x = enc[i] ^ xor[i]
    # Then undo the initial XOR with the repeating key
    x = x ^ ord(key[i % len(key)])
    print(chr(x & 0xff), end="")

flag{Y0uaretheB3st!#@_VirtualCC}
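
The following is an added example, not part of the original write-up: a forward model of the check described above, used to confirm the recovered flag round-trips to the stored ciphertext, plus recovery of the XOR values from a single known input instead of reading eax 32 times. It assumes the XOR values do not depend on the input; the probe output is constructed from the model rather than dumped from the binary, and all function names are hypothetical.

```python
# ENC, KEYSTREAM and KEY are the values from the write-up's script.
ENC = bytes([
    0xB3, 0x37, 0x0F, 0xF8, 0xBC, 0xBC, 0xAE, 0x5D, 0xBA, 0x5A,
    0x4D, 0x86, 0x44, 0x97, 0x62, 0xD3, 0x4F, 0xBA, 0x24, 0x16,
    0x0B, 0x9F, 0x72, 0x1A, 0x65, 0x68, 0x6D, 0x26, 0xBA, 0x6B,
    0xC8, 0x67])
KEYSTREAM = bytes([  # values the write-up read from eax
    0x86, 0x0C, 0x3E, 0xCA, 0x98, 0xD7, 0xAE, 0x19,
    0xE2, 0x77, 0x6B, 0xA6, 0x6A, 0xA1, 0x77, 0xB0,
    0x69, 0x91, 0x37, 0x05, 0x7A, 0xF9, 0x7B, 0x30,
    0x43, 0x5A, 0x4B, 0x10, 0x86, 0x7D, 0xD4, 0x28])
KEY = b"SWPU_2019_CTF"


def xor3(data: bytes, ks: bytes) -> bytes:
    """Return data ^ repeating KEY ^ ks. XOR is its own inverse, so the
    same routine both encrypts and decrypts."""
    if not (len(data) == len(ks) == 32):
        raise ValueError("expected 32-byte buffers")
    return bytes(d ^ KEY[i % len(KEY)] ^ ks[i] for i, d in enumerate(data))


def recover_keystream(probe_in: bytes, probe_out: bytes) -> bytes:
    """Known plaintext: out = in ^ key ^ ks, hence ks = out ^ key ^ in."""
    return xor3(probe_out, probe_in)


def check(candidate: bytes, ks: bytes) -> bool:
    """Model of the program's check: transform the input, compare to ENC."""
    return len(candidate) == 32 and xor3(candidate, ks) == ENC


def demo():
    probe_in = b"A" * 32
    # Constructed stand-in for the compare buffer dumped in a debugger
    # after feeding probe_in to the program.
    probe_out = xor3(probe_in, KEYSTREAM)
    ks = recover_keystream(probe_in, probe_out)
    flag = xor3(ENC, ks)
    return ks, flag


if __name__ == "__main__":
    ks, flag = demo()
    print(flag.decode(), check(flag, ks), check(b"A" * 32, ks))
```

If the flag produced this way fails `check`, the XOR values were copied incorrectly or they depend on the input, and the per-byte eax method from the write-up is the one to trust.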