Xman-babymips

发表于2022-11-06更新于2023-01-13

[QCTF2018]Xman-babymips

ida32位

image-20221106165757833

一个异或加上一个sub_4007F0

sub_4007F0:

image-20221106165833454

从第五位开始到末尾进行移位

提取出off_410D04,写脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
flag = [0x51, 0x7C, 0x6A, 0x7B, 0x67, 0x52, 0xFD, 0x16, 0xA4, 0x89,
        0xBD, 0x92, 0x80, 0x13, 0x41, 0x54, 0xA0, 0x8D, 0x45, 0x18,
        0x81, 0xDE, 0xFC, 0x95, 0xF0, 0x16, 0x79, 0x1A, 0x15, 0x5B,
        0x75, 0x1F
        ]

for i in range(5, len(flag)):
    if i & 1 != 0:
        flag[i] = (flag[i] & 0x3f) << 2 | (flag[i] & 0xD0) >> 6
    else:
        flag[i] = (flag[i] & 0xfd) >> 2 | (flag[i] & 0x3) << 6


for i in range(len(flag)):
    flag[i] = flag[i] ^ (32 - i)
    print(chr(flag[i]&0xff), end="")
1
qctf{ReA11y_4_B@89_mlp5_4_XmAn_}