测试文件:https://wwa.lanzous.com/i54G4drrp1i
代码分析
打开IDA看了下main函数
这里就是将a2[1]与zer0pts{********CENSORED********}比较,a2[1]是我们的输入。
找到对输入字符串变换处
这里就是将输入分为8个一组,与qword_5605DCE75060数组元素,对应相减,得到zer0pts{********CENSORED********}。
因此,我们只需要反向解就行。(注意字符串和HEX数据大端小端存储,需要交换位置)
脚本
#-*- coding:utf-8 -*- enc = "********CENSORED********" m = [0x410A4335494A0942, 0x0B0EF2F50BE619F0, 0x4F0A3A064A35282B] k = [hex(ord(x))[2:] for x in enc] print (''.join(k)) flag1 = '' for i in range(0,len(k),8): s = ''.join(k[i:i+8][::-1]) # 小端排序 flag1 += hex(int(s, 16) + m[i//8])[2:] print (flag1) results = ''.join([chr(int(flag1[x:x+2], 16)) for x in range(0,len(flag1),2)]) flag2 = '' flag1 = [flag1[i:i+2] for i in range(0,len(flag1),2)] for i in range(0,len(flag1),8): s = ''.join(flag1[i:i+8][::-1]) # 大端排序 flag2 += s print (flag2) results = ''.join([chr(int(flag2[x:x+2], 16)) for x in range(0,len(flag2),2)]) print (results)
更简单的脚本
#-*- coding:utf-8 -*- enc = "********CENSORED********" m = [0x410A4335494A0942, 0x0B0EF2F50BE619F0, 0x4F0A3A064A35282B] import binascii flag = b'' for i in range(3): p = enc[i*8:(i+1)*8] a = binascii.b2a_hex(p.encode('ascii')[::-1]) b = binascii.a2b_hex(hex(int(a,16) + m[i])[2:])[::-1] flag += b print (flag)
get flag!
flag{l3ts_m4k3_4_DETOUR_t0d4y}