[2022安恒夏令营] 5个小题
2022-08-03 22:51:00 【石氏是时试】
这个比赛的人比较少,中间又有强网杯,作了5个小题
crypto
题目
from secret import flag
from Crypto.Util.number import *

# The flag bytes are the LCG's initial state.  The modulus is a prime one bit
# longer than that state, so the first candidate should already exceed the
# seed and the loop below is effectively just a guard.
seed = bytes_to_long(flag)
bits = seed.bit_length()
p = getPrime(bits + 1)
while p <= seed:
    p = getPrime(bits + 1)
print(p)
a = getRandomRange(1, p)
b = getRandomRange(1, p)
# Three successive states of seed_{n+1} = a*seed_n + b (mod p) are disclosed;
# with a known modulus that is enough to solve for a, b and the initial state.
for _ in range(3):
    seed = (a * seed + b) % p
    print(seed)
# 31893593182018727625473530765941216190921866039118147474754069955393226712079257707838327486268599271803
# 25820280412859586557218124484272275594433027771091486422152141535682739897353623931875432576083022273940
# 24295465524789348024814588142969609603624462580932512051939198335014954252359986260009296537423802567677
# 14963686422550871447791815183480974143372785034397446416396172429864269108509521776424254168481536292904
flag是第一个seed,然后每次用seed = (a*seed +b)%p得到下一个,可以用手工得到两个方程
s3-s2 = a(s2-s1) mod p #求a
s3 = a*s2 + b mod p #求b
得到a,b以后就能直接得到flag
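p = 31893593182018727625473530765941216190921866039118147474754069955393226712079257707838327486268599271803
s1 = 25820280412859586557218124484272275594433027771091486422152141535682739897353623931875432576083022273940
s2 = 24295465524789348024814588142969609603624462580932512051939198335014954252359986260009296537423802567677
s3 = 14963686422550871447791815183480974143372785034397446416396172429864269108509521776424254168481536292904
try:
    from gmpy2 import *
except ImportError:  # gmpy2 is optional here: pow(x, -1, m) (Python 3.8+) yields the same inverse
    def invert(x, m):
        return pow(x, -1, m)


def recover_lcg(p, s1, s2, s3):
    """Recover (a, b, s0) of the LCG s_{n+1} = (a*s_n + b) mod p from three consecutive outputs.

    s3 - s2 = a*(s2 - s1)  (mod p)   gives a
    s3      = a*s2 + b     (mod p)   gives b
    s1      = a*s0 + b     (mod p)   gives s0 = (s1 - b) * a^-1

    Raises ZeroDivisionError (gmpy2) or ValueError (pow) when s2 == s1 or
    a == 0 mod p, i.e. when the needed inverse does not exist.
    """
    a = (invert(s2 - s1, p) * (s3 - s2)) % p
    b = (s3 - a * s2) % p
    s0 = ((s1 - b) * invert(a, p)) % p
    return int(a), int(b), int(s0)


def int_to_bytes(n):
    """Big-endian bytes of a non-negative int.

    Unlike bytes.fromhex(hex(n)[2:]) this does not fail when the hex digit
    count is odd; 0 maps to b''.
    """
    return n.to_bytes((n.bit_length() + 7) // 8, 'big')


a, b, s0 = recover_lcg(p, s1, s2, s3)
# values obtained when the writeup was run:
# a  = 25714049524051800625758372225598770398614533519595256157902456884372427008002817231382013589153912429484
# b  = 10170297191068284996927402215696494489341479919496467043387273609973505047115652911086290426648313876559
# s0 = 14337636555117933152506165016723944787939761429733562849369091223517166614830298165864272285381681301117
print(int_to_bytes(s0))
#flag{e4syRsa1snotdifficult5996642D0A7415EF}
#e4syRsa1snotdifficult5996642D0A7415EF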
misc 2
题目程序
# from flag import FLAG
import random
from PIL import Image
from hashlib import md5
from Crypto.Util.number import long_to_bytes as n2b
FLAG = b'A'*28  # placeholder with the real flag's length (the assert further down relies on 28)
random.seed(793211)  # fixed seed: everything drawn from `random` below is reproducible from it
def pbl(bits):
    """Draw `bits` random bits and return them as a list, least significant first.

    Equivalent to peeling getrandbits(bits) one bit at a time and zero-padding
    the list up to `bits` entries.
    """
    value = random.getrandbits(bits)
    return [(value >> k) & 1 for k in range(bits)]
assert len(FLAG) == 28
cat = Image.open('1.png')
# One 8-bit grey plane per colour channel of the source image.
cat1, cat2, cat3 = (Image.new('L', cat.size) for _ in range(3))
x, y = cat.size
bits = x * y
# R and G are masked with one random bit per pixel; B with a byte stream that
# starts with the flag, is padded with random bytes and then shuffled.
r1, r2 = pbl(bits), pbl(bits)
r3 = list(FLAG + n2b(random.getrandbits((bits - len(FLAG)) * 8)))
random.shuffle(r3)
# NOTE(review): n2b drops leading zero bytes, so r3 can end up shorter than
# `bits` and the B-plane lookup below would then raise IndexError — rare, but
# not guarded here.
for i in range(x):
    for j in range(y):
        pix = cat.getpixel((i, j))
        idx = i * y + j
        cat1.putpixel((i, j), pix[0] ^ r1[idx])
        cat2.putpixel((i, j), pix[1] ^ r2[idx])
        cat3.putpixel((i, j), pix[2] ^ r3[idx])
img = Image.new('RGB', cat.size)
# Print only the first (R, B) pair of the masked planes, then stop.
first = next(zip(cat1.getdata(), cat3.getdata()), None)
if first is not None:
    print(*first)
#img.putdata([(p1, 0, p3) for p1, p3 in zip(cat1.getdata(), cat3.getdata())])
#img.save('xx.png')
附件给了两个图片,然后给定加密程序,可以看到 第2个图的B通道是第1个图片B通过与flag异或的结果,异或序列是一个随机数序列,seed已经给出,通过seed可以得到这个序列。
import random
from PIL import Image
from hashlib import md5
from Crypto.Util.number import long_to_bytes as n2b
def pbl(bits):
    """Return the `bits` low bits of one getrandbits(bits) draw, LSB first, zero padded."""
    value = random.getrandbits(bits)
    out = []
    for _ in range(bits):
        value, low = divmod(value, 2)
        out.append(low)
    return out
cat = Image.open('1.png')
xx = Image.open('xx.png')
x, y = cat.size
bits = x * y
# XOR of the two B planes gives back the shuffled byte stream r3.
r3 = [0] * bits
for i in range(x):
    for j in range(y):
        pix = cat.getpixel((i, j))
        pxx = xx.getpixel((i, j))
        r3[i * y + j] = pix[2] ^ pxx[2]
#print(r3)
# Replay the generator exactly as the challenge did (same seed, same call
# order), but shuffle a list of positions instead of the stream: afterwards
# r_ord[i] is the original index of the byte that landed at position i.
r_ord = list(range(bits))
random.seed(793211)
r1, r2 = pbl(bits), pbl(bits)
random.getrandbits((bits - 28) * 8)  # drawn only to keep the RNG in step
random.shuffle(r_ord)
#print(r_ord)
# The flag occupied positions 0..27 of the unshuffled stream.
flag = [0] * 28
for pos, orig in enumerate(r_ord):
    if orig < 28:
        flag[orig] = r3[pos]
print(bytes(flag))
#flag{lovely_cat_with_random}
misc 3
这个给了一个pyc的文件,无法反编译,先用dis打印出来可视字节码再手工翻译
import marshal
import dis
import numpy as np
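def a1(path='whatisthis.cpython-38.pyc'):
    """Disassemble the module code object stored in a .pyc file.

    The 16-byte pyc header (magic, flags, source hash or mtime+size) is skipped
    and the remainder is unmarshalled.  Only dis output is produced; the code
    object is never executed, which is the way to look at an untrusted pyc.
    Note that marshal itself is not hardened against malformed data, so run
    this on a throwaway interpreter when the file's origin is unknown.

    Args:
        path: pyc file to read; defaults to the challenge's whatisthis.cpython-38.pyc.
    Returns:
        The unmarshalled code object, after printing its disassembly.
    Raises:
        ValueError / EOFError from marshal when the file was not written by a
        compatible interpreter (the marshal format is version specific).
    """
    with open(path, 'rb') as fh:
        raw = fh.read()[16:]
    code = marshal.loads(raw)
    dis.dis(code)
    return code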
输出
2 0 LOAD_CONST 0 (0)
2 LOAD_CONST 1 (None)
4 IMPORT_NAME 0 (marshal)
6 STORE_NAME 0 (marshal)
8 LOAD_CONST 0 (0)
10 LOAD_CONST 1 (None)
12 IMPORT_NAME 1 (numpy)
14 STORE_NAME 2 (np)
16 LOAD_CONST 2 (235)
18 LOAD_CONST 3 (26)
20 LOAD_CONST 4 (15)
22 LOAD_CONST 5 (8)
...同上都是数据,此处略掉十万行...
259458 LOAD_CONST 19 (18)
259460 LOAD_CONST 123 (7)
259462 EXTENDED_ARG 1
259464 EXTENDED_ARG 506
259466 BUILD_LIST 129723
259468 STORE_NAME 3 (LKmDJNIyYcklUJMlklygvZUBQUjRuhRGVrWiKDrdMsRjAshBxlXysnzMLXrrIHpovIRyoQWZQjvPbolMpJBkxXFMJtrfuQmXoNUXPfHZwdAYdYwDkuGOtJZLcYUnzCnm)
4 259470 LOAD_CONST 133 ("Don't try to reverse this python script. You will be disappointed about it ")
259472 STORE_NAME 4 (SrvcwKKBZzolvVvpsMTzdEwhhsZYRBHaCjDkbjjaeTtrvMAYGjFHGGJofdCqlwsVlHZardbOZULepuWWTLSbZwjixarkVXPHOeMpPdArcybkUWoaMvoZrxGVzKPsUUAn)
5 259474 LOAD_CONST 134 ('475')
259476 STORE_NAME 5 (EPwKMzdvDfYeFVrZDDSRPDqULNPDfaOYUKVpGuxabUwVBfovYMvOjkRbvwTxzTpgUXJOKvlUFGGJbfEEvIlyQBdsCEoTcmMWEqLKTrMwWLdjVsYnfNJsXtRKefaSastz)
6 259478 LOAD_NAME 2 (np)
259480 LOAD_ATTR 6 (random)
259482 LOAD_METHOD 7 (seed)
259484 LOAD_NAME 2 (np)
259486 LOAD_METHOD 8 (sum)
259488 LOAD_CONST 135 (<code object <listcomp> at 0x0000022FAE5EA6B0, file "/root/share/vm_share/³ö̢/notDefined/new/NotDefined_obfu.py", line 5>)
259490 LOAD_CONST 136 ('<listcomp>')
259492 MAKE_FUNCTION 0
259494 LOAD_NAME 5 (EPwKMzdvDfYeFVrZDDSRPDqULNPDfaOYUKVpGuxabUwVBfovYMvOjkRbvwTxzTpgUXJOKvlUFGGJbfEEvIlyQBdsCEoTcmMWEqLKTrMwWLdjVsYnfNJsXtRKefaSastz)
259496 GET_ITER
259498 CALL_FUNCTION 1
259500 CALL_METHOD 1
259502 CALL_METHOD 1
259504 POP_TOP
7 259506 LOAD_NAME 9 (range)
259508 LOAD_NAME 10 (len)
259510 LOAD_NAME 3 (LKmDJNIyYcklUJMlklygvZUBQUjRuhRGVrWiKDrdMsRjAshBxlXysnzMLXrrIHpovIRyoQWZQjvPbolMpJBkxXFMJtrfuQmXoNUXPfHZwdAYdYwDkuGOtJZLcYUnzCnm)
259512 CALL_FUNCTION 1
259514 CALL_FUNCTION 1
259516 GET_ITER
259518 FOR_ITER 32 (to 259584)
259520 STORE_NAME 11 (EFAAANzoMBMeiWmpiPLHzCedWRoczlJwzpxHuBDPSWIlfFxpOqFiIZmWbvpOgrVNCsngbdYnwnxskvnFKLFfwMYNRmzfDisiWwXruLUffUyerjtrsmPoNzMUMpAatNWH)
8 259522 LOAD_NAME 3 (LKmDJNIyYcklUJMlklygvZUBQUjRuhRGVrWiKDrdMsRjAshBxlXysnzMLXrrIHpovIRyoQWZQjvPbolMpJBkxXFMJtrfuQmXoNUXPfHZwdAYdYwDkuGOtJZLcYUnzCnm)
259524 LOAD_NAME 11 (EFAAANzoMBMeiWmpiPLHzCedWRoczlJwzpxHuBDPSWIlfFxpOqFiIZmWbvpOgrVNCsngbdYnwnxskvnFKLFfwMYNRmzfDisiWwXruLUffUyerjtrsmPoNzMUMpAatNWH)
259526 DUP_TOP_TWO
259528 BINARY_SUBSCR
259530 LOAD_NAME 2 (np)
259532 LOAD_ATTR 6 (random)
259534 LOAD_METHOD 12 (randint)
259536 LOAD_CONST 137 (27)
259538 CALL_METHOD 1
259540 INPLACE_XOR
259542 ROT_THREE
259544 STORE_SUBSCR
259546 EXTENDED_ARG 3
259548 EXTENDED_ARG 1013
259550 JUMP_ABSOLUTE 259518 (to 519036)
259552 LOAD_NAME 13 (exec)
259554 LOAD_NAME 0 (marshal)
259556 LOAD_METHOD 14 (loads)
259558 LOAD_NAME 15 (bytearray)
259560 LOAD_NAME 3 (LKmDJNIyYcklUJMlklygvZUBQUjRuhRGVrWiKDrdMsRjAshBxlXysnzMLXrrIHpovIRyoQWZQjvPbolMpJBkxXFMJtrfuQmXoNUXPfHZwdAYdYwDkuGOtJZLcYUnzCnm)
259562 CALL_FUNCTION 1
259564 CALL_METHOD 1
259566 CALL_FUNCTION 1
259568 POP_TOP
259570 LOAD_CONST 1 (None)
259572 RETURN_VALUE
Disassembly of <code object <listcomp> at 0x0000022FAE5EA6B0, file "/root/share/vm_share/³ö̢/notDefined/new/NotDefined_obfu.py", line 5>:
5 0 BUILD_LIST 0
2 LOAD_FAST 0 (.0)
4 FOR_ITER 12 (to 30)
6 STORE_FAST 1 (EFAAANzoMBMeiWmpiPLHzCedWRoczlJwzpxHuBDPSWIlfFxpOqFiIZmWbvpOgrVNCsngbdYnwnxskvnFKLFfwMYNRmzfDisiWwXruLUffUyerjtrsmPoNzMUMpAatNWH)
>> 8 LOAD_GLOBAL 0 (ord)
10 LOAD_FAST 1 (EFAAANzoMBMeiWmpiPLHzCedWRoczlJwzpxHuBDPSWIlfFxpOqFiIZmWbvpOgrVNCsngbdYnwnxskvnFKLFfwMYNRmzfDisiWwXruLUffUyerjtrsmPoNzMUMpAatNWH)
12 CALL_FUNCTION 1
14 LIST_APPEND 2
16 JUMP_ABSOLUTE 4 (to 8)
18 RETURN_VALUE
手工翻译结果
import marshal
import numpy as np
LKmD = [...]  # the 129723-element byte list built by the huge BUILD_LIST above (elided)
Srvc = "Don't try to reverse this python script. You will be disappointed about it "
EPwK = '475'
# numpy's legacy global RNG is seeded with sum(ord(c)) over '475', so the XOR
# stream below is fully determined and can be regenerated offline.
np.random.seed(np.sum([ord(i) for i in EPwK]))
for EFAA in range(len(LKmD)):
    LKmD[EFAA] ^= np.random.randint(27)
# Stage loader: the de-XORed bytes are a marshalled code object that gets run.
# When analysing, do not execute this line; unmarshal and dis the blob instead
# (that is what a2() below does).
exec(marshal.loads(bytearray(LKmD)))
大意是前边那个数组与已知seed的随机序列异或得到一个串再执行,写函数处理一下,再用dis输出
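def a2(path='aaa.txt', count=129723, skip=8):
    """Rebuild and disassemble the second stage from the saved dis listing.

    `path` is the dis output of the first stage: the first `skip` lines are the
    import boilerplate and the next `count` lines are the LOAD_CONST entries of
    the BUILD_LIST, each carrying one byte value in parentheses.  The bytes are
    XORed with the same numpy stream the loader uses (legacy global RNG seeded
    with sum(ord('475')), one randint(27) per byte) and the result is
    unmarshalled and printed with dis — not executed.

    Args:
        path: saved disassembly text.
        count: number of LOAD_CONST lines to parse (129723 in the challenge).
        skip: header lines to discard before the list starts.
    Returns:
        The unmarshalled code object.
    Raises:
        IndexError / ValueError when a line is not of the `... (N)` form, and
        marshal's errors when the decoded bytes are not a valid code object.
    """
    with open(path) as fh:
        for _ in range(skip):
            fh.readline()
        values = [int(fh.readline().split('(')[1].split(')')[0]) for _ in range(count)]
    EPwK = '475'
    np.random.seed(np.sum([ord(ch) for ch in EPwK]))
    # Same call sequence as the loader, so the stream matches byte for byte.
    payload = bytes(val ^ int(np.random.randint(27)) for val in values)
    code = marshal.loads(payload)
    dis.dis(code)
    return code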
后边的结果就更简单了,就是直接给一个字符串的原码,然后执行,翻译后
import marshal
sv1 = [...略掉十成个数字...]
def sv2(key):
    """RC4 key scheduling (KSA): permute 0..255 under the cyclically repeated `key` string."""
    key_bytes = [ord(ch) for ch in key]
    key_len = len(key_bytes)
    sbox = list(range(256))
    j = 0
    for i in range(256):
        j = (j + sbox[i] + key_bytes[i % key_len]) & 0xff
        sbox[i], sbox[j] = sbox[j], sbox[i]
    return sbox
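def sv6(p, key='h0lyduck'):
    """RC4 PRGA applied to `p`: XOR every byte with the keystream (encrypt == decrypt).

    Args:
        p: iterable of byte values (ints).
        key: RC4 key string; defaults to the 'h0lyduck' hard-coded in the stage.
    Returns:
        list[int] of p[i] ^ keystream[i].
    """
    sbox = sv2(key)
    out = []
    i = j = 0
    for byte in p:
        i = (i + 1) % 256
        j = (j + sbox[i]) % 256
        sbox[i], sbox[j] = sbox[j], sbox[i]
        out.append(byte ^ sbox[(sbox[i] + sbox[j]) % 256])
    return out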
#exec(marshal.loads(bytearray(sv6(sv1))))   # never run the recovered stage; inspect it instead
import dis
stage = bytes(sv6(sv1))  # RC4-decrypted marshal blob of the next stage
code = marshal.loads(stage)
dis.dis(code)
第3得到都是直接的串,同样方法处理
import marshal
import struct
from typing import List
sv1 = [...略掉数据...]
class sv2:
    """32-bit unsigned word with wrap-around add, xor and rotate-left (the ChaCha word type).

    `<<` is a rotation, not a shift: bits pushed out on the left re-enter on the right.
    """

    def __init__(self, val: int):
        assert isinstance(val, int)
        self.val = val

    def __add__(self, other):
        # addition mod 2**32
        total = self.val + other.val
        return sv2(total & 0xffffffff)

    def __xor__(self, other):
        return sv2(self.val ^ other.val)

    def __lshift__(self, nbit: int):
        # rotate left by nbit (taken mod 32)
        rot = nbit % 32
        upper = (self.val << rot) & 0xffffffff
        lower = (self.val & 0xffffffff) >> (32 - rot)
        return sv2(upper | lower)

    def __repr__(self):
        return hex(self.val)

    def __int__(self):
        return int(self.val)
def sv5(sv6: sv2, b: sv2, sv7: sv2, d: sv2):
    """ChaCha quarter round on the words (a=sv6, b, c=sv7, d).

    `+=` wraps mod 2**32 and `<<=` is a left *rotation* (sv2.__lshift__); the
    amounts 16, 12, 8, 7 are the ChaCha rotation constants.  The statement
    order is the round itself — do not reorder.  Returns the four updated words.
    """
    sv6 += b
    d ^= sv6
    d <<= 16
    sv7 += d
    b ^= sv7
    b <<= 12
    sv6 += b
    d ^= sv6
    d <<= 8
    sv7 += d
    b ^= sv7
    b <<= 7
    return sv6, b, sv7, d
def sv8(sv9: List[sv2], idx1, idx2, idx3, idx4):
    """Run the quarter round sv5 on the four state words at the given indices, in place."""
    slots = (idx1, idx2, idx3, idx4)
    updated = sv5(*(sv9[k] for k in slots))
    for k, word in zip(slots, updated):
        sv9[k] = word
def sva(sv9: List[sv2]):
    """One ChaCha double round in place: four column quarter rounds, then four diagonal ones."""
    columns = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15))
    diagonals = ((0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))
    for quad in columns + diagonals:
        sv8(sv9, *quad)
    return sv9
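def svb(sv9: List[sv2]) -> bytes:
    """Serialise the 32-bit words little-endian, in order, into one bytes object.

    The original annotation claimed List[bytes]; b''.join returns a single bytes value.
    """
    return b''.join(struct.pack('<I', int(word)) for word in sv9)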
def svd(sve: bytes, svf: int, svg: bytes) -> bytes:
    """ChaCha20 block function: 64 keystream bytes for (key sve, counter svf, nonce svg).

    State layout: 4 constant words from b'expand 32-byte k', 8 key words, 1 counter
    word, 3 nonce words (all little-endian).  After 10 double rounds the initial
    state is added back word-wise and the result is serialised.
    """
    def unpack_words(fmt, raw):
        return [sv2(w) for w in struct.unpack(fmt, raw)]

    initial = (unpack_words('<IIII', b'expand 32-byte k')
               + unpack_words('<IIIIIIII', sve)
               + [sv2(svf)]
               + unpack_words('<III', svg))
    state = list(initial)
    for _ in range(10):
        state = sva(state)
    return svb([cur + orig for cur, orig in zip(state, initial)])
def svp(svj: bytes, y: bytes):
    """XOR two byte strings pairwise; the result is as long as the shorter input."""
    out = bytearray()
    for left, right in zip(svj, y):
        out.append(left ^ right)
    return bytes(out)
def svq(sve: bytes, svf: int, svg: bytes, plaintext: bytes):
    """ChaCha20 stream: XOR `plaintext` with successive 64-byte blocks from svd.

    The counter starts at svf and increases by one per block; a trailing partial
    block is handled by svp truncating the keystream.  Returns a bytearray.
    """
    out = bytearray(0)
    for blk, off in enumerate(range(0, len(plaintext), 64)):
        keystream = svd(sve, svf + blk, svg)
        out += svp(plaintext[off:off + 64], keystream)
    return out
# Key, block counter and nonce appear to be the ones of the RFC 7539 ChaCha20
# example (key 00..1f, counter 1, nonce 00000000 0000004a 00000000).
sve = bytes.fromhex(
    '000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f')
svf = 0x00000001
svg = bytes.fromhex('000000000000004a00000000')
# svq is its own inverse (keystream XOR), so running it over the stored blob decrypts it.
sv6 = svq(sve, svf, svg, bytearray(sv1))
code = marshal.loads(sv6)
import dis
# Disassemble only; the recovered stage is never exec'd.
dis.dis(code)
最后一次得到的文件,可以看到flag
3 0 LOAD_CONST 0 (0)
2 LOAD_CONST 1 (None)
4 IMPORT_NAME 0 (builtins)
6 STORE_NAME 0 (builtins)
5 8 LOAD_CONST 2 ('flag{[email protected]_MaSt3r_0F_Not_d3f1neD}')
10 STORE_NAME 1 (flag)
19 12 LOAD_CONST 3 (<code object enc at 0x000002567BCAD370, file "", line 5>)
14 LOAD_CONST 4 ('enc')
16 MAKE_FUNCTION 0
18 STORE_NAME 2 (enc)
re1
main里边直接调用加密程序,然后与密文核对
// Entry point of re1: reads a 32-character "code", runs the block transform
// below over it in place and compares the result with a stored 32-byte value.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  __int64 v3; // rcx
  __int64 v4; // rdx
  __int128 v6[2]; // [rsp+20h] [rbp-38h] BYREF   32-byte input buffer (8 dwords)
  char v7; // [rsp+40h] [rbp-18h]                 sits right after v6: receives the NUL appended by %32s

  memset(v6, 0, sizeof(v6));
  v7 = 0;
  sub_140001020("I prefer TeaProPlus! can you give me this?\n");   // printf-like (format string argument)
  sub_140001020("TeaProPlus code:");
  sub_140001080("%32s", (const char *)v6);                            // scanf-like: at most 32 characters
  sub_1400010E0(v3, (unsigned int *)v6);                              // v3 is uninitialised here; the callee never reads its first argument
  v4 = 0i64;
  // All 32 transformed bytes must equal the reference bytes in byte_1400032F0.
  while ( *((_BYTE *)v6 + v4) == byte_1400032F0[v4] )
  {
    if ( (unsigned __int64)++v4 >= 0x20 )
    {
      sub_140001020("Oh yeah! Good code! flag{(your input)}\n");
      return 0;
    }
  }
  puts("oh NO!I want to drink TeaProPlus");
  return -1;
}
加密程序是一个变种的tea
// Block transform over the 8 dwords of the input, 12 rounds.  TEA family: the
// round key advances by 0x9E3779B9 (written as key -= 0x61C88647); key3 is a
// 4-entry key table selected by bits 2..3 of the round key XOR (word index mod 4);
// the mixing term is XTEA-shaped: ((x<<4) ^ (y>>3)) + ((x>>5) ^ (y<<2)).
// Word j is mixed with its already-updated predecessor j-1 and its not-yet-updated
// successor j+1, wrapping around (word 0 uses word 7 of the previous round, word 7
// uses the fresh word 0), so an inverse has to walk words 7..0 and rounds 12..1.
// a1 is never used; the return value (key ^ v0 of the last round) is ignored by main.
__int64 __fastcall sub_1400010E0(__int64 a1, unsigned int *a2)
{
  unsigned int v7; // r9d
  unsigned int key; // edi
  unsigned int v1; // ebp
  unsigned int v0; // esi
  unsigned int v2; // r14d
  unsigned int v3; // r15d
  unsigned int v4; // r12d
  unsigned int v5; // r13d
  _DWORD *key2; // r11
  _DWORD *v11; // r10
  __int64 v12; // rbx
  _DWORD *v13; // r9
  __int64 result; // rax
  bool v15; // zf
  unsigned int v6; // [rsp+40h] [rbp+8h]
  int round; // [rsp+48h] [rbp+10h]
  unsigned int v18; // [rsp+50h] [rbp+18h]

  // load the 8 words; v7/v18 both hold word 7
  v7 = a2[7];
  key = 0;
  v1 = a2[1];
  v0 = *a2;
  v2 = a2[2];
  v3 = a2[3];
  v4 = a2[4];
  v5 = a2[5];
  v6 = a2[6];
  v18 = v7;
  round = 12;
  do
  {
    key -= 0x61C88647;                    // round key r: r * 0x9E3779B9 mod 2^32
    key2 = &key3[(key >> 2) & 3];         // table slot for words 0 and 4
    v0 += ((key ^ v1) + (*key2 ^ v7)) ^ (((16 * v7) ^ (v1 >> 3)) + ((v7 >> 5) ^ (4 * v1)));
    *a2 = v0;
    v11 = &key3[(key >> 2) & 3 ^ 1i64];   // slot for words 1 and 5
    v1 += ((*v11 ^ v0) + (key ^ v2)) ^ (((16 * v0) ^ (v2 >> 3)) + ((v0 >> 5) ^ (4 * v2)));
    a2[1] = v1;
    v12 = (key >> 2) & 3 ^ 3i64;          // slot index for words 3 and 7
    v13 = &key3[(key >> 2) & 3 ^ 2i64];   // slot for words 2 and 6
    v2 += ((key ^ v3) + (*v13 ^ v1)) ^ (((16 * v1) ^ (v3 >> 3)) + ((v1 >> 5) ^ (4 * v3)));
    a2[2] = v2;
    v3 += ((key ^ v4) + (key3[v12] ^ v2)) ^ (((16 * v2) ^ (v4 >> 3)) + ((v2 >> 5) ^ (4 * v4)));
    a2[3] = v3;
    v4 += ((key ^ v5) + (*key2 ^ v3)) ^ (((16 * v3) ^ (v5 >> 3)) + ((v3 >> 5) ^ (4 * v5)));
    a2[4] = v4;
    v5 += ((*v11 ^ v4) + (key ^ v6)) ^ (((16 * v4) ^ (v6 >> 3)) + ((v4 >> 5) ^ (4 * v6)));
    a2[5] = v5;
    // word 6: the decompiler reuses key2's register for the new value
    LODWORD(key2) = (((key ^ v18) + (*v13 ^ v5)) ^ (((16 * v5) ^ (v18 >> 3)) + ((v5 >> 5) ^ (4 * v18)))) + v6;
    a2[6] = (unsigned int)key2;
    v6 = (unsigned int)key2;
    result = key ^ v0;
    // word 7: successor is the already-updated word 0 of this round
    v18 += (result + (key3[v12] ^ (unsigned int)key2)) ^ (((16 * (_DWORD)key2) ^ (v0 >> 3))
    + (((unsigned int)key2 >> 5) ^ (4 * v0)));
    v15 = round-- == 1;                   // exits after the 12th round
    v7 = v18;
    a2[7] = v18;
  }
  while ( !v15 );
  return result;
}
解密程序
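try:
    from pwn import u32,p32
except ImportError:  # pwntools is optional: only its little-endian pack/unpack helpers are used
    import struct

    def u32(raw):
        return struct.unpack('<I', raw)[0]

    def p32(word):
        return struct.pack('<I', word)

MASK32 = 0xffffffff
DELTA = 0x61C88647  # the binary subtracts this, i.e. adds the TEA constant 0x9E3779B9 per round
KEY3 = [0x1234, 0x2345, 0x4567, 0x6789]  # the 4-dword key3 table of the binary


def round_keys(rounds):
    """Round-key sequence sub_1400010E0 derives: key_r = (r + 1) * -DELTA mod 2**32."""
    keys = []
    k = 0
    for _ in range(rounds):
        k = (k - DELTA) & MASK32
        keys.append(k)
    return keys


def tea_decrypt(words, key3=KEY3, rounds=12):
    """Invert sub_1400010E0 over 8 dwords.

    Each encryption round updates words 0..7 in turn, mixing word j with its
    already-updated predecessor and its not-yet-updated successor; decryption
    therefore walks the rounds last-to-first and the words 7..0, so that every
    neighbour it reads holds the value the encryption saw.

    Args:
        words: sequence of 8 ints (masked to 32 bits here).
        key3: 4-entry key table.
        rounds: number of rounds the binary ran (12).
    Returns:
        A new list of 8 decrypted 32-bit ints; `words` is left untouched.
    """
    c = [w & MASK32 for w in words]
    for k in reversed(round_keys(rounds)):
        sel = (k >> 2) & 3
        for j in range(7, -1, -1):
            pre, nxt = c[(j - 1) % 8], c[(j + 1) % 8]
            # high bits above bit 31 in the unmasked shifts cannot influence the
            # low 32 bits of the xor/add chain, so masking once at the end suffices
            mix = ((k ^ nxt) + (key3[sel ^ (j % 4)] ^ pre)) ^ (((pre << 4) ^ (nxt >> 3)) + ((pre >> 5) ^ (nxt << 2)))
            c[j] = (c[j] - mix) & MASK32
    return c


s = bytes.fromhex('473BBD10F9E05561C5EBF76A5F43238D0516091AEF403DD4676AB1B4A978356B')  # byte_1400032F0
c = [u32(s[i * 4:(i + 1) * 4]) for i in range(8)]
flag = b''.join(p32(w) for w in tea_decrypt(c))
print(flag)
#7f943921724d63dc0ac9c6febf99fa88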
re2
main里边啥都没有,发现有反调试,调用了TlsCallback_0
// TLS callback, run before main.  On reason code 1 (process attach) it makes
// the StartAddress region writable and executable, XORs its 0x320 bytes with
// their index and starts the decoded routine on a new thread — the code as
// stored in the file is therefore not what runs.
void __stdcall TlsCallback_0(int a1, DWORD flOldProtect, int a3)
{
  int i; // eax

  if ( flOldProtect == 1 )   // decompiler reused the name; this parameter is the attach Reason
  {
    VirtualProtect(StartAddress, 0x320u, 0x40u, &flOldProtect);   // 0x40 == PAGE_EXECUTE_READWRITE
    for ( i = 0; i < 0x320; ++i )
      *((_BYTE *)StartAddress + i) ^= i;   // same byte transform the re_patch.exe script applies offline
    CreateThread(0, 0, StartAddress, 0, 0, 0);
  }
}
函数对程序块异或解密后起线程执行,先用程序给程序patch
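def unpack_region(src='re2.exe', dst='re_patch.exe', offset=0x440, length=800):
    """Apply TlsCallback_0's transform to the file image instead of running the binary.

    XORs `length` bytes starting at file offset `offset` with their index (mod 256)
    and writes the whole patched image to `dst`, so the decoded routine can be
    opened in a disassembler.  0x440 is the file offset the writeup uses for
    StartAddress; 800 == 0x320 matches the callback's loop bound.

    Args:
        src: input executable.
        dst: output path for the patched copy.
        offset: file offset of the XOR-encoded region.
        length: number of bytes to transform.
    Returns:
        The patched image as bytes.
    Raises:
        IndexError when the file is shorter than offset + length.
    """
    with open(src, 'rb') as fh:
        image = bytearray(fh.read())
    for i in range(length):
        image[offset + i] ^= i & 0xff
    with open(dst, 'wb') as fh:
        fh.write(image)
    return bytes(image)


if __name__ == '__main__':
    unpack_region()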
然后用ida打开patch后的程序可以看到加密代码
// Thread body started by TlsCallback_0 once it has been XOR-decoded in place.
// It derives an RC4 keystream from the key "Qfrost", XORs it with the global
// buffer byte_41B2EC and compares the result byte by byte with the reference
// data at 0x401307.
DWORD __stdcall StartAddress(LPVOID lpThreadParameter)
{
  int k; // ebx
  int v4[65534]; // [esp+Ch] [ebp-50530h]             keystream, one S-box value per slot
  char v5[66816]; // [esp+40004h] [ebp-10538h] BYREF    scratch: result at +0, key at +0x10000, S-box (dwords) at +0x10100
  int v6[6]; // [esp+50504h] [ebp-38h]                 RC4 key "Qfrost"
  char *v7; // [esp+5051Ch] [ebp-20h]
  int v8; // [esp+50520h] [ebp-1Ch]
  int v9; // [esp+50524h] [ebp-18h]
  int v10; // [esp+50528h] [ebp-14h]
  int v11; // [esp+5052Ch] [ebp-10h]
  int i; // [esp+50530h] [ebp-Ch]
  int v13; // [esp+50534h] [ebp-8h]
  int j; // [esp+50538h] [ebp-4h]

  // Block until a flag set elsewhere (presumably once input is available) is non-zero.
  while ( !dword_41B2E4 )
    Sleep(0x3E8u);
  // Sum 112 code bytes at loc_401450 into byte_41B30A and XOR the NUL-terminated
  // buffer with it.  Looks like an integrity check: patching or breakpointing
  // those bytes changes the key byte and thus the comparison below.  The solve
  // script treats this byte as unknown and tries all 256 values.
  for ( i = 0; i < 112; ++i )
    byte_41B30A += *((_BYTE *)&loc_401450 + i);
  for ( i = 0; byte_41B2EC[i]; ++i )
    byte_41B2EC[i] ^= byte_41B30A;
  v6[0] = 81;    // 'Q'
  v6[1] = 102;   // 'f'
  v6[2] = 114;   // 'r'
  v6[3] = 111;   // 'o'
  v6[4] = 115;   // 's'
  v6[5] = 116;   // 't'
  // RC4 key scheduling: identity S-box, key repeated over 256 bytes, 256 swaps.
  for ( j = 0; j < 256; ++j )
    *(_DWORD *)&v5[4 * j + 0x10100] = j;
  for ( j = 0; j < 256; ++j )
    v5[j + 0x10000] = v6[j % 6]; // key
  v13 = 0;
  for ( j = 0; j < 256; ++j )
  {
    v13 = (v5[j + 0x10000] + *(_DWORD *)&v5[4 * j + 65792] + v13) % 256;   // 65792 == 0x10100: same S-box
    v10 = *(_DWORD *)&v5[4 * j + 65792];
    *(_DWORD *)&v5[4 * j + 65792] = *(_DWORD *)&v5[4 * v13 + 65792];
    *(_DWORD *)&v5[4 * v13 + 65792] = v10;
  }
  // RC4 PRGA: dword_41B2E8 keystream bytes into v4.
  v11 = dword_41B2E8;
  v9 = 0;
  v13 = 0;
  j = 0;
  while ( v11-- )
  {
    j = (j + 1) % 256;
    v13 = (*(_DWORD *)&v5[4 * j + 65792] + v13) % 256;
    v10 = *(_DWORD *)&v5[4 * j + 65792];
    *(_DWORD *)&v5[4 * j + 65792] = *(_DWORD *)&v5[4 * v13 + 65792];
    *(_DWORD *)&v5[4 * v13 + 65792] = v10;
    v8 = (*(_DWORD *)&v5[4 * v13 + 65792] + *(_DWORD *)&v5[4 * j + 65792]) % 256;
    v4[v9++] = *(_DWORD *)&v5[4 * v8 + 65792];
  }
  // keystream ^ (buffer ^ checksum byte) must equal the reference bytes at 0x401307
  for ( j = 0; j < dword_41B2E8; ++j )
    v5[j] = LOBYTE(v4[j]) ^ byte_41B2EC[j];
  v7 = v5;
  for ( k = 0; k < dword_41B2E8; ++k )
  {
    if ( v7[k] != *(_BYTE *)(k + 0x401307) )
    {
      puts(0x401345);   // failure message; the string address was not resolved by the decompiler
      _loaddll(0);      // decompiler's name for this call; presumably an exit path — confirm in the disassembly
      break;
    }
  }
  puts((int)"right\n");
  j___fgetchar();
  return 0;
}
感觉好像叫RC4还是啥来着,先生成加密流,再与明文异或。反正对应写程序就行了
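def rc4_keystream(key, length):
    """Return `length` bytes of RC4 keystream for `key` (the KSA + PRGA StartAddress runs).

    The binary repeats its 6-byte key across all 256 KSA steps, which is plain
    RC4 key scheduling (key[i % len(key)]).

    Args:
        key: key bytes.
        length: number of keystream bytes wanted.
    Raises:
        ZeroDivisionError for an empty key.
    """
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def recover(path='re_patch.exe', offset=0x707, flen=50, key=b'Qfrost'):
    """Strip the RC4 layer from the reference bytes and print every candidate.

    The reference data lives at file offset `offset` (VA 0x401307 in the
    binary); XORing it with the keystream lea
    ves only the single unknown XOR byte
    (byte_41B30A, a checksum over code the binary computes at run time), so all
    256 values are printed for a human to pick the readable one.

    Args:
        path: patched executable to read.
        offset: file offset of the reference bytes.
        flen: number of bytes to recover (50 is the writeup's guess).
        key: RC4 key.
    """
    with open(path, 'rb') as fh:
        fh.seek(offset)
        blob = fh.read(flen)
    stream = rc4_keystream(key, len(blob))
    v4 = [s ^ c for s, c in zip(stream, blob)]
    for i in range(256):
        tmp = bytes([i ^ v for v in v4])
        #if b'flag{' in tmp:
        print(tmp)


if __name__ == '__main__':
    recover()
#QDbg-Is_an_1ntereSting-Game!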
#QDbg-Is_an_1ntereSting-Game!