网安实践4-RE

T1.baby

简单的异或

1
2
3
4
5
6
7
8
9
10
11
12
13
int __fastcall main(int argc, const char **argv, const char **envp)
{
  sub_401720(argc, argv, envp);
  puts(Str2);
  puts("Give me your flag!");
  scanf("%s", Str);
  sub_401550(Str, &Str1);
  if ( strlen(Str) == 26 && !strcmp(&Str1, Str2) )
    puts("correct!");
  else
    puts("incorrect,try again!");
  return 0;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
size_t __fastcall sub_401550(const char *a1, __int64 a2)
{
  size_t result; // rax
  size_t v3; // [rsp+20h] [rbp-10h]
  size_t i; // [rsp+28h] [rbp-8h]

  v3 = strlen(a1);
  for ( i = 0i64; ; ++i )
  {
    result = i;
    if ( i >= v3 )
      break;
    *(_BYTE *)(a2 + i) ^= a1[i];
  }
  return result;
}

直接异或得到flag

1
2
3
4
5
6
7
8
9
10
#!/usr/bin/env python

str2 = "welcome_to_2024hustncc!!!!"

str1 = [0x01, 0x08, 0x0F, 0x18, 0x1B, 0x05, 0x0C, 0x2C, 0x2B, 0x06, 0x2C, 0x6D, 0x51, 0x6D, 0x47, 0x01, 0x18, 0x03, 0x18, 0x0B, 0x3C, 0x11, 0x44, 0x57, 0x0F, 0x5C]

flag = "".join([chr(ord(str2[i])^str1[i]) for i in range(26)])

print(flag)
# vmc{this_is_a_simple_rev.}

T2.game

并不需要动调

打开看一下每个函数的内容

sub_403D86很像是读取按键操作的循环,游戏胜利触发sub_403B93

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
__int64 sub_403D86()
{
  clock_t v1; // [rsp+24h] [rbp-Ch]
  unsigned int v2; // [rsp+28h] [rbp-8h]
  clock_t v3; // [rsp+2Ch] [rbp-4h]

  sub_403ED0();
  sub_403195();
  sub_401550(15i64, 0i64);
  sub_4015E8();
  sub_4016E3(0i64);
  v2 = clock();
  v3 = clock();
  sub_401DAF();
  sub_401EC6();
  while ( 1 )
  {
    do
    {
      sub_402E2B();
      if ( kbhit() )
      {
        switch ( getch() )
        {
          case 13:
            sub_4029CE();
            break;
          case 32:
            sub_40298D();
            break;
          case 65:
          case 75:
          case 97:
            sub_4021F4();
            break;
          case 68:
          case 77:
          case 100:
            sub_4022CE();
            break;
          case 71:
          case 103:
            sub_4025B6();
            break;
          case 72:
          case 87:
          case 119:
            sub_4024B4();
            break;
          case 80:
          case 83:
          case 115:
            sub_4020B5();
            break;
          default:
            break;
        }
      }
      v1 = clock();
    }
    while ( (double)(v1 - v3) <= 1000.0 * *(double *)&qword_407228 );
    sub_401B70(v2);
    if ( (unsigned int)sub_4020B5() == -2 )
      break;
    v3 = v1;
  }
  if ( dword_40B030 == 200 )
    sub_403B93();
  sub_402BAF();
  return sub_402CE7();
}

很明显这就是win的时候输出flag的地方

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
int sub_403B93()
{
  __int64 v1[4]; // [rsp+20h] [rbp-B0h] BYREF
  int v2[34]; // [rsp+40h] [rbp-90h]
  unsigned int v3; // [rsp+C8h] [rbp-8h]
  int i; // [rsp+CCh] [rbp-4h]

  v2[0] = 158;
  v2[1] = 149;
  v2[2] = 99;
  v2[3] = 155;
  v2[4] = 113;
  v2[5] = 157;
  v2[6] = 81;
  v2[7] = 156;
  v2[8] = 109;
  v2[9] = 103;
  v2[10] = 97;
  v2[11] = 103;
  v2[12] = 110;
  v2[13] = 157;
  v2[14] = 150;
  v2[15] = 150;
  v2[16] = 153;
  v2[17] = 103;
  v2[18] = 111;
  v2[19] = 92;
  v2[20] = 149;
  v2[21] = 109;
  v2[22] = 103;
  v2[23] = 105;
  v2[24] = 147;
  v2[25] = 150;
  v2[26] = 124;
  v2[27] = 103;
  v2[28] = 105;
  v2[29] = 156;
  v2[30] = 133;
  memset(v1, 0, sizeof(v1));
  for ( i = 0; i <= 30; ++i )
  {
    *((_BYTE *)v1 + i) ^= v2[i];
    *((_BYTE *)v1 + i) ^= 0x14u;
    *((_BYTE *)v1 + i) -= 20;
  }
  v3 = rand() % 16;
  if ( !v3 )
    v3 = 15;
  sub_403F2C(43i64, 4i64);
  sub_403EFF(v3);
  return printf("%s", (const char *)v1);
}

直接把flag算出来

1
2
3
4
5
6
7
#!/usr/bin/env python

ls = [158, 149, 99, 155, 113, 157, 81, 156, 109, 103, 97, 103, 110, 157, 150, 150, 153, 103, 111, 92, 149, 109, 103, 105, 147, 150, 124, 103, 105, 156, 133]

flag = "".join([chr((ls[i] ^ 0x14) - 20) for i in range(len(ls))])
print(flag)
# vmc{Qu1te_a_funny_g4me_isnT_it}

T3.maze

简单的wasd迷宫,需要从@走到#,只能踩-,不能踩*

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
_BOOL8 __fastcall sub_401550(char *a1)
{
  char *v1; // rax
  int v2; // eax
  char *v4; // [rsp+8h] [rbp-8h]

  v4 = asc_40303C;
  while ( *a1 && *v4 != 42 )
  {
    v1 = a1++;
    v2 = *v1;
    if ( v2 == 100 )
    {
      ++v4;
    }
    else if ( v2 > 100 )
    {
      if ( v2 == 115 )
      {
        v4 += 13;
      }
      else
      {
        if ( v2 != 119 )
          return 0i64;
        v4 -= 13;
      }
    }
    else
    {
      if ( v2 != 97 )
        return 0i64;
      --v4;
    }
  }
  return *v4 == 35;
}

把迷宫复制下来

1
2
3
4
5
6
7
8
9
10
#!/usr/bin/env python

maze = "***************************-@***********-***-**-*****--*****-*****-***#**-*****--**----******-*****-******-****--******---**-*******-*-----******-------*****************"

for i in range(len(maze)):
    if (i % 13 == 0):
        print()
    print(maze[i], end='')

print()
1
2
3
4
5
6
7
8
9
10
11
12
13
*************
*************
*-@**********
*-***-**-****
*--*****-****
*-***#**-****
*--**----****
**-*****-****
**-****--****
**---**-*****
**-*-----****
**-------****
*************

肉眼跑一遍得到路径flag

vmc{assssdsssddsdddwwdwwaaaw}

T4.stl_que

cpp题,一边调一边猜

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
int __fastcall main(int argc, const char **argv, const char **envp)
{
  struct _Unwind_Exception *v3; // rax
  unsigned __int8 *v4; // rax
  unsigned __int8 *v5; // rax
  unsigned __int8 *v6; // rax
  unsigned __int8 *v7; // rax
  __int64 v8; // rax
  __int64 v9; // rax
  __int64 v10; // rax
  __m128i v12; // [rsp+20h] [rbp-60h] BYREF
  struct _Unwind_Exception *lpuexcpt[2]; // [rsp+30h] [rbp-50h] BYREF
  __m128i si128; // [rsp+B0h] [rbp+30h] BYREF
  char v15[48]; // [rsp+C0h] [rbp+40h] BYREF
  char v16[32]; // [rsp+F0h] [rbp+70h] BYREF
  char v17[32]; // [rsp+110h] [rbp+90h] BYREF
  char v18[32]; // [rsp+130h] [rbp+B0h] BYREF
  int v19[11]; // [rsp+150h] [rbp+D0h] BYREF
  char v20; // [rsp+17Fh] [rbp+FFh] BYREF
  char v21[518]; // [rsp+180h] [rbp+100h] BYREF
  char v22; // [rsp+386h] [rbp+306h] BYREF
  char v23; // [rsp+387h] [rbp+307h] BYREF
  char v24; // [rsp+388h] [rbp+308h] BYREF
  char v25; // [rsp+389h] [rbp+309h] BYREF
  char v26; // [rsp+38Ah] [rbp+30Ah] BYREF
  char v27; // [rsp+38Bh] [rbp+30Bh] BYREF
  int v28; // [rsp+38Ch] [rbp+30Ch] BYREF
  char v29[32]; // [rsp+390h] [rbp+310h] BYREF
  char v30[40]; // [rsp+3B0h] [rbp+330h] BYREF
  unsigned __int8 v31; // [rsp+3D8h] [rbp+358h]
  unsigned __int8 v32; // [rsp+3D9h] [rbp+359h]
  unsigned __int8 v33; // [rsp+3DAh] [rbp+35Ah]
  unsigned __int8 v34; // [rsp+3DBh] [rbp+35Bh]
  int i; // [rsp+3DCh] [rbp+35Ch]

  sub_401E60();
  std::string::basic_string(v18);
  sub_4054F0(v17);
  v19[0] = -1489400519;
  v19[1] = 2124908670;
  v19[2] = -203522503;
  v19[3] = -1242333678;
  v19[4] = 1933243272;
  v19[5] = 2128507891;
  v19[6] = -1478586966;
  v19[7] = -1478580423;
  v19[8] = -1921075842;
  v12.m128i_i64[0] = (__int64)v19;
  v12.m128i_i64[1] = 9i64;
  sub_403EC0(&v20);
  si128 = _mm_load_si128(&v12);
  sub_405350(v16, &si128, &v20);
  sub_403F30(&v20);
  memcpy(v21, &unk_408020, 0x200ui64);
  lpuexcpt[0] = (struct _Unwind_Exception *)v21;
  lpuexcpt[1] = (struct _Unwind_Exception *)256;
  sub_403E80(&v23);
  si128 = _mm_load_si128((const __m128i *)lpuexcpt);
  sub_404840(v15, &si128, &v22, &v23);
  sub_403EA0(&v23);
  std::operator>><char>(&std::cin, v18);
  if ( std::string::length(v18) != 36 )
    exit(0);
  for ( i = 0; ; i += 4 )
  {
    lpuexcpt[0] = (struct _Unwind_Exception *)i;
    v3 = (struct _Unwind_Exception *)std::string::length(v18);
    if ( lpuexcpt[0] >= v3 )
      break;
    v4 = (unsigned __int8 *)std::string::operator[](v18, i);
    v24 = sub_401550(*v4);
    v34 = *(_BYTE *)sub_404A80(v15, &v24);
    v5 = (unsigned __int8 *)std::string::operator[](v18, i + 1);
    v25 = sub_401550(*v5);
    v33 = *(_BYTE *)sub_404A80(v15, &v25);
    v6 = (unsigned __int8 *)std::string::operator[](v18, i + 2);
    v26 = sub_401550(*v6);
    v32 = *(_BYTE *)sub_404A80(v15, &v26);
    v7 = (unsigned __int8 *)std::string::operator[](v18, i + 3);
    v27 = sub_401550(*v7);
    v31 = *(_BYTE *)sub_404A80(v15, &v27);
    v28 = (v32 << 8) | (v33 << 16) | (v34 << 24) | v31;
    sub_405320(v17, &v28);
  }
  v12.m128i_i64[0] = sub_4052F0(v16);
  lpuexcpt[0] = (struct _Unwind_Exception *)sub_4052C0(v17);
  v8 = sub_4052F0(v17);
  if ( (unsigned __int8)sub_4071D0(v8, lpuexcpt[0], v12.m128i_i64[0]) )
  {
    sub_4073B0(v30, "you find it, flag is vmc{", v18);
    sub_407360(v29, v30, "}");
    v9 = std::operator<<<char>(&std::cout, v29);
    std::ostream::operator<<(v9, &std::endl<char,std::char_traits<char>>);
    std::string::~string(v29);
    std::string::~string(v30);
  }
  else
  {
    v10 = std::operator<<<std::char_traits<char>>(&std::cout, "try again");
    std::ostream::operator<<(v10, &std::endl<char,std::char_traits<char>>);
  }
  sub_404A60(v15);
  sub_405550(v16);
  sub_405550(v17);
  std::string::~string(v18);
  return 0;
}

关键的加密在中间的循环,逐字节加密

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
for ( i = 0; ; i += 4 )
{
  lpuexcpt[0] = (struct _Unwind_Exception *)i;
  v3 = (struct _Unwind_Exception *)std::string::length(v18);
  if ( lpuexcpt[0] >= v3 )
    break;
  v4 = (unsigned __int8 *)std::string::operator[](v18, i);
  v24 = sub_401550(*v4);
  v34 = *(_BYTE *)sub_404A80(v15, &v24);
  v5 = (unsigned __int8 *)std::string::operator[](v18, i + 1);
  v25 = sub_401550(*v5);
  v33 = *(_BYTE *)sub_404A80(v15, &v25);
  v6 = (unsigned __int8 *)std::string::operator[](v18, i + 2);
  v26 = sub_401550(*v6);
  v32 = *(_BYTE *)sub_404A80(v15, &v26);
  v7 = (unsigned __int8 *)std::string::operator[](v18, i + 3);
  v27 = sub_401550(*v7);
  v31 = *(_BYTE *)sub_404A80(v15, &v27);
  v28 = (v32 << 8) | (v33 << 16) | (v34 << 24) | v31;
  sub_405320(v17, &v28);
}

动调一下发现每次都是单字节映射,逆算法

既然是单字节映射,直接把表跑出来

patch程序,把0~255的映射算出来

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
.text:000000000040180E                 lea     r12, [rbp+440h+var_1440]
.text:0000000000401815                 nop
.text:0000000000401816                 nop
.text:0000000000401817                 xor     r14, r14
.text:000000000040181A                 nop
.text:000000000040181B                 nop
.text:000000000040181C                 nop
.text:000000000040181D
.text:000000000040181D loc_40181D:                             ; CODE XREF: main+2D1↓j
.text:000000000040181D                 mov     rax, r14
.text:0000000000401820                 nop
.text:0000000000401821                 nop
.text:0000000000401822                 nop
.text:0000000000401823                 movzx   eax, al
.text:0000000000401826                 mov     ecx, eax
.text:0000000000401828                 call    sub_401550
.text:000000000040182D                 mov     [rbp+440h+var_138], al
.text:0000000000401833                 lea     rdx, [rbp+440h+var_138]
.text:000000000040183A                 lea     rax, [rbp+440h+var_400]
.text:000000000040183E                 mov     rcx, rax
.text:0000000000401841                 call    sub_404A80
.text:0000000000401846                 movzx   eax, byte ptr [rax]
.text:0000000000401849                 mov     [r12+r14], rax
.text:000000000040184D                 nop
.text:000000000040184E                 add     r14, 1
.text:0000000000401852                 mov     rax, r14
.text:0000000000401855                 sub     rax, 100h
.text:000000000040185B                 jnz     short loc_40181D

查表得到flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
#!/usr/bin/env python

ls = [
  0x47, 0xF0, 0xD9, 0xE5, 0x25, 0xAC, 0x9E, 0x22, 0x1A, 0xF9, 
  0xAD, 0x28, 0xB0, 0x20, 0xFB, 0xCD, 0xFC, 0x81, 0x45, 0x6C, 
  0x8E, 0x6D, 0x98, 0xF4, 0xBE, 0x38, 0xE2, 0x91, 0x0E, 0x19, 
  0x46, 0x1B, 0xE8, 0xC8, 0x1F, 0x42, 0xB4, 0xF8, 0x1C, 0xD1, 
  0x29, 0x6F, 0xB8, 0x17, 0x2B, 0xF3, 0x60, 0xBB, 0xDE, 0x74, 
  0x68, 0x73, 0x7E, 0x64, 0x9F, 0x12, 0xB5, 0xAA, 0x9A, 0x00, 
  0x0C, 0xA4, 0xE9, 0x6E, 0x2C, 0x77, 0x82, 0xEB, 0xEC, 0xF7, 
  0x40, 0x04, 0x03, 0x0A, 0xEE, 0x8B, 0x05, 0xA2, 0x7A, 0xE6, 
  0xD5, 0x37, 0x8C, 0x23, 0x90, 0x56, 0xCC, 0x58, 0x3E, 0x5C, 
  0xD7, 0x9C, 0xE1, 0xD8, 0x89, 0x21, 0x7F, 0x3A, 0x4E, 0xA7, 
  0x88, 0x39, 0x8D, 0xA3, 0x44, 0xC2, 0x4B, 0xE4, 0xD4, 0xED, 
  0x36, 0xB3, 0x1E, 0x95, 0x51, 0x78, 0x70, 0xE3, 0x9D, 0x50, 
  0x9B, 0x0F, 0x2D, 0xD6, 0xEA, 0x07, 0x5A, 0x11, 0x57, 0x2A, 
  0xFA, 0x71, 0x5D, 0x83, 0x16, 0x3C, 0x43, 0xA1, 0x02, 0x52, 
  0x54, 0x18, 0x41, 0xAE, 0xCE, 0xFE, 0x27, 0xC4, 0xB1, 0xFF, 
  0x14, 0xBD, 0x5E, 0xC0, 0x33, 0x85, 0x65, 0x5F, 0x94, 0x4A, 
  0x15, 0x99, 0xA6, 0xB9, 0xDA, 0xE7, 0x3D, 0x69, 0x3F, 0x24, 
  0x6A, 0xD2, 0x6B, 0x72, 0x5B, 0xBA, 0xCA, 0x4D, 0xAB, 0x8F, 
  0x53, 0xA8, 0x7B, 0xCF, 0x92, 0x06, 0x67, 0x55, 0x61, 0xBF, 
  0xB7, 0x96, 0x08, 0x80, 0x75, 0x3B, 0x79, 0xEF, 0xB6, 0xBC, 
  0x84, 0x87, 0x4F, 0xC7, 0x48, 0xDC, 0x66, 0x1D, 0xC9, 0x0B, 
  0x35, 0xA0, 0xF1, 0x7C, 0x93, 0x76, 0x09, 0x49, 0x32, 0x30, 
  0x26, 0x86, 0xDD, 0xC5, 0xDB, 0xC1, 0x01, 0xE0, 0xF6, 0x59, 
  0x31, 0x0D, 0x8A, 0xD3, 0xB2, 0x63, 0xA9, 0x10, 0x34, 0x7D, 
  0x4C, 0xAF, 0xF5, 0xC3, 0xA5, 0x62, 0xFD, 0x97, 0xDF, 0xD0, 
  0xC6, 0x2F, 0xF2, 0x13, 0xCB, 0x2E
]

v19 = [0 for _ in range(9)]
v19[0] = 0xA7398D39
v19[1] = 0x7EA7887E
v19[2] = 0xF3DE7E39
v19[3] = 0xB5F37E12
v19[4] = 0x733AF388
v19[5] = 0x7EDE73F3
v19[6] = 0xA7DE8DAA
v19[7] = 0xA7DEA739
v19[8] = 0x8D7EB57E

flag = ""

for i in range(9):
    for j in range(4):
        k = (v19[i] >> ((3-j)*8)) & 0xFF
        f = ls.index(k)
        flag += chr(f)

print(flag)
# vmc{cefe4cd4-04e8-473a-d403-c0f9c0cef484}

T5.enc

一眼AES

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
.rdata:0000000000405000 ; _BYTE byte_405000[512]
.rdata:0000000000405000 byte_405000     db 63h, 7Ch, 77h, 7Bh, 0F2h, 6Bh, 6Fh, 0C5h, 30h, 1, 67h
.rdata:0000000000405000                                         ; DATA XREF: sub_401550+16B↑o
.rdata:0000000000405000                                         ; sub_401550+182↑o ...
.rdata:000000000040500B                 db 2Bh, 0FEh, 0D7h, 0ABh, 76h, 0CAh, 82h, 0C9h, 7Dh, 0FAh
.rdata:0000000000405015                 db 59h, 47h, 0F0h, 0ADh, 0D4h, 0A2h, 0AFh, 9Ch, 0A4h, 72h
.rdata:000000000040501F                 db 0C0h, 0B7h, 0FDh, 93h, 26h, 36h, 3Fh, 0F7h, 0CCh, 34h
.rdata:0000000000405029                 db 0A5h, 0E5h, 0F1h, 71h, 0D8h, 31h, 15h, 4, 0C7h, 23h
.rdata:0000000000405033                 db 0C3h, 18h, 96h, 5, 9Ah, 7, 12h, 80h, 0E2h, 0EBh, 27h
.rdata:000000000040503E                 db 0B2h, 75h, 9, 83h, 2Ch, 1Ah, 1Bh, 6Eh, 5Ah, 0A0h, 52h
.rdata:0000000000405049                 db 3Bh, 0D6h, 0B3h, 29h, 0E3h, 2Fh, 84h, 53h, 0D1h, 0
.rdata:0000000000405053                 db 0EDh, 20h, 0FCh, 0B1h, 5Bh, 6Ah, 0CBh, 0BEh, 39h, 4Ah
.rdata:000000000040505D                 db 4Ch, 58h, 0CFh, 0D0h, 0EFh, 0AAh, 0FBh, 43h, 4Dh, 33h
.rdata:0000000000405067                 db 85h, 45h, 0F9h, 2, 7Fh, 50h, 3Ch, 9Fh, 0A8h, 51h, 0A3h
.rdata:0000000000405072                 db 40h, 8Fh, 92h, 9Dh, 38h, 0F5h, 0BCh, 0B6h, 0DAh, 21h
.rdata:000000000040507C                 db 10h, 0FFh, 0F3h, 0D2h, 0CDh, 0Ch, 13h, 0ECh, 5Fh, 97h
.rdata:0000000000405086                 db 44h, 17h, 0C4h, 0A7h, 7Eh, 3Dh, 64h, 5Dh, 19h, 73h
.rdata:0000000000405090                 db 60h, 81h, 4Fh, 0DCh, 22h, 2Ah, 90h, 88h, 46h, 0EEh
.rdata:000000000040509A                 db 0B8h, 14h, 0DEh, 5Eh, 0Bh, 0DBh, 0E0h, 32h, 3Ah, 0Ah
.rdata:00000000004050A4                 db 49h, 6, 24h, 5Ch, 0C2h, 0D3h, 0ACh, 62h, 91h, 95h, 0E4h
.rdata:00000000004050AF                 db 79h, 0E7h, 0C8h, 37h, 6Dh, 8Dh, 0D5h, 4Eh, 0A9h, 6Ch
.rdata:00000000004050B9                 db 56h, 0F4h, 0EAh, 65h, 7Ah, 0AEh, 8, 0BAh, 78h, 25h
.rdata:00000000004050C3                 db 2Eh, 1Ch, 0A6h, 0B4h, 0C6h, 0E8h, 0DDh, 74h, 1Fh, 4Bh
.rdata:00000000004050CD                 db 0BDh, 8Bh, 8Ah, 70h, 3Eh, 0B5h, 66h, 48h, 3, 0F6h, 0Eh
.rdata:00000000004050D8                 db 61h, 35h, 57h, 0B9h, 86h, 0C1h, 1Dh, 9Eh, 0E1h, 0F8h
.rdata:00000000004050E2                 db 98h, 11h, 69h, 0D9h, 8Eh, 94h, 9Bh, 1Eh, 87h, 0E9h
.rdata:00000000004050EC                 db 0CEh, 55h, 28h, 0DFh, 8Ch, 0A1h, 89h, 0Dh, 0BFh, 0E6h
.rdata:00000000004050F6                 db 42h, 68h, 41h, 99h, 2Dh, 0Fh, 0B0h, 54h, 0BBh, 16h
.rdata:0000000000405100                 db 52h, 9, 6Ah, 0D5h, 30h, 36h, 0A5h, 38h, 0BFh, 40h, 0A3h
.rdata:000000000040510B                 db 9Eh, 81h, 0F3h, 0D7h, 0FBh, 7Ch, 0E3h, 39h, 82h, 9Bh
.rdata:0000000000405115                 db 2Fh, 0FFh, 87h, 34h, 8Eh, 43h, 44h, 0C4h, 0DEh, 0E9h
.rdata:000000000040511F                 db 0CBh, 54h, 7Bh, 94h, 32h, 0A6h, 0C2h, 23h, 3Dh, 0EEh
.rdata:0000000000405129                 db 4Ch, 95h, 0Bh, 42h, 0FAh, 0C3h, 4Eh, 8, 2Eh, 0A1h, 66h
.rdata:0000000000405134                 db 28h, 0D9h, 24h, 0B2h, 76h, 5Bh, 0A2h, 49h, 6Dh, 8Bh
.rdata:000000000040513E                 db 0D1h, 25h, 72h, 0F8h, 0F6h, 64h, 86h, 68h, 98h, 16h
.rdata:0000000000405148                 db 0D4h, 0A4h, 5Ch, 0CCh, 5Dh, 65h, 0B6h, 92h, 6Ch, 70h
.rdata:0000000000405152                 db 48h, 50h, 0FDh, 0EDh, 0B9h, 0DAh, 5Eh, 15h, 46h, 57h
.rdata:000000000040515C                 db 0A7h, 8Dh, 9Dh, 84h, 90h, 0D8h, 0ABh, 0, 8Ch, 0BCh
.rdata:0000000000405166                 db 0D3h, 0Ah, 0F7h, 0E4h, 58h, 5, 0B8h, 0B3h, 45h, 6, 0D0h
.rdata:0000000000405171                 db 2Ch, 1Eh, 8Fh, 0CAh, 3Fh, 0Fh, 2, 0C1h, 0AFh, 0BDh
.rdata:000000000040517B                 db 3, 1, 13h, 8Ah, 6Bh, 3Ah, 91h, 11h, 41h, 4Fh, 67h, 0DCh
.rdata:0000000000405187                 db 0EAh, 97h, 0F2h, 0CFh, 0CEh, 0F0h, 0B4h, 0E6h, 73h
.rdata:0000000000405190                 db 96h, 0ACh, 74h, 22h, 0E7h, 0ADh, 35h, 85h, 0E2h, 0F9h
.rdata:000000000040519A                 db 37h, 0E8h, 1Ch, 75h, 0DFh, 6Eh, 47h, 0F1h, 1Ah, 71h
.rdata:00000000004051A4                 db 1Dh, 29h, 0C5h, 89h, 6Fh, 0B7h, 62h, 0Eh, 0AAh, 18h
.rdata:00000000004051AE                 db 0BEh, 1Bh, 0FCh, 56h, 3Eh, 4Bh, 0C6h, 0D2h, 79h, 20h
.rdata:00000000004051B8                 db 9Ah, 0DBh, 0C0h, 0FEh, 78h, 0CDh, 5Ah, 0F4h, 1Fh, 0DDh
.rdata:00000000004051C2                 db 0A8h, 33h, 88h, 7, 0C7h, 31h, 0B1h, 12h, 10h, 59h, 27h
.rdata:00000000004051CD                 db 80h, 0ECh, 5Fh, 60h, 51h, 7Fh, 0A9h, 19h, 0B5h, 4Ah
.rdata:00000000004051D7                 db 0Dh, 2Dh, 0E5h, 7Ah, 9Fh, 93h, 0C9h, 9Ch, 0EFh, 0A0h
.rdata:00000000004051E1                 db 0E0h, 3Bh, 4Dh, 0AEh, 2Ah, 0F5h, 0B0h, 0C8h, 0EBh, 0BBh
.rdata:00000000004051EB                 db 3Ch, 83h, 53h, 99h, 61h, 17h, 2Bh, 4, 7Eh, 0BAh, 77h
.rdata:00000000004051F6                 db 0D6h, 26h, 0E1h, 69h, 14h, 63h, 55h, 21h, 0Ch, 7Dh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
__int64 __fastcall sub_401C2A(__int64 a1, __int64 a2)
{
  unsigned __int8 i; // [rsp+2Fh] [rbp-1h]

  sub_40181E(0i64, a1, a2);
  for ( i = 1; ; ++i )
  {
    sub_4018C8(a1);
    sub_401B47(a1);
    if ( i == 10 )
      break;
    sub_401975(a1);
    sub_40181E(i, a1, a2);
  }
  return sub_40181E(10i64, a1, a2);
}

把密文和密钥抠下来cyberchef直接解

1
2
3
4
5
6
7
8
9
10
11
12
#!/usr/bin/env python

crypto = [0xFA, 0xA5, 0x06, 0x3F, 0xFD, 0xBF, 0x25, 0x45, 0x1D, 0xC0, 0x5E, 0x3F, 0x5E, 0xE4, 0xB9, 0x95]
key = [0x27, 0x76, 0xC4, 0xEA, 0x40, 0xC1, 0xB6, 0xD2, 0x83, 0x8F, 0x3D, 0xDB, 0xFA, 0xB7, 0x8F, 0xB1]

# FA A5 06 3F FD BF 25 45 1D C0 5E 3F 5E E4 B9 95

# 27 76 C4 EA 40 C1 B6 D2 83 8F 3D DB FA B7 8F B1

# 一眼AES
# recipe=AES_Decrypt({'option':'Hex','string':'27 76 C4 EA 40 C1 B6 D2 83 8F 3D DB FA B7 8F B1'},{'option':'Hex','string':'27 76 C4 EA 40 C1 B6 D2 83 8F 3D DB FA B7 8F B1'},'ECB/NoPadding','Hex','Raw',{'option':'Hex','string':''},{'option':'Hex','string':''})&input=RkEgQTUgMDYgM0YgRkQgQkYgMjUgNDUgMUQgQzAgNUUgM0YgNUUgRTQgQjkgOTU
# vmc{aa8e45738c8e5096}
ctf-wp
#RE
网安实践4-RE
https://blog.noxke.icu/2024/06/13/ctf_wp/网安实践4-RE/
作者
noxke
发布于
2024年6月13日
许可协议