![\"undefined\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/\u5c4f\u5e55\u622a\u56fe-2024-04-29-132438.png\")
<\/div>\nRE\u9644\u4ef6\uff1aXYCTF<\/a><\/p>\n
Reverse<\/h2>\n
\n\u806a\u660e\u7684\u4fe1\u4f7f<\/h3>\n
\u4e0b\u8f7d\u9644\u4ef6\uff0cIDA\u6253\u5f00\uff1a<\/p>\n
int __cdecl main(int argc, const char **argv, const char **envp)\n{\n char Str1[100]; \/\/ [esp+18h] [ebp-68h] BYREF\n int v5; \/\/ [esp+7Ch] [ebp-4h]\n\n __main();\n v5 = 9;\n printf("Input your flag:");\n scanf("%s", Str1);\n encrypt(Str1, v5);\n if ( !strcmp(Str1, "oujp{H0d_TwXf_Lahyc0_14_e3ah_Rvy0ac@wc!}") )\n printf("Good job!");\n else\n printf("Try again!");\n return 0;\n}<\/code><\/pre>\n\u53d1\u73b0\u4e00\u4e2a\u5b57\u7b26\u4e32\uff0c\u731c\u6d4b\u662f\u4f4d\u79fb\u5bc6\u7801\uff0c\u8fdb\u5165\u52a0\u5bc6\u51fd\u6570\u9a8c\u8bc1\u4e00\u4e0b\uff1a<\/p>\n
int __cdecl encrypt(char *a1, int a2)\n{\n int result; \/\/ eax\n char v3; \/\/ [esp+Bh] [ebp-5h]\n int i; \/\/ [esp+Ch] [ebp-4h]\n\n for ( i = 0; ; ++i )\n {\n result = a1[i];\n if ( !result )\n break;\n v3 = a1[i];\n if ( v3 <= 96 || v3 > 122 )\n {\n if ( v3 > 64 && v3 <= 90 )\n v3 = (v3 + a2 - 65) % 26 + 65;\n }\n else\n {\n v3 = (v3 + a2 - 97) % 26 + 97;\n }\n a1[i] = v3;\n }\n return result;\n}<\/code><\/pre>\n\u53c8\u77e5\u9053main\u51fd\u6570\u4e2dv5\u4f20\u5165\u52a0\u5bc6\u51fd\u6570\u7684\u53c2\u6570\u4e3a9\uff0c\u52a0\u5bc6\u51fd\u6570\u5bf9\u4e8e\u5927\u5c0f\u5199\u5b57\u6bcd\u8fdb\u884c\u4f4d\u79fb<\/p>\n
\u627e\u4e2a\u5de5\u5177\u76f4\u63a5\u68ad\u4e86\uff1a
\n
![\"\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\nflag{Y0u_KnOw_Crypt0_14_v3ry_Imp0rt@nt!}<\/code><\/p>\n\u7ed9\u963f\u59e8\u5012\u4e00\u676f\u5361\u5e03\u5947\u8bfa<\/h3>\n
\u7528IDA\u6253\u5f00\u4e4b\u540e\u53ef\u4ee5\u770b\u89c1\u5f88\u660e\u663e\u7684\u7a0b\u5e8f\u903b\u8f91<\/p>\n
int __fastcall main(int argc, const char **argv, const char **envp)\n{\n uint32_t temp[2]; \/\/ [rsp+28h] [rbp-78h] BYREF\n char inp[33]; \/\/ [rsp+30h] [rbp-70h] BYREF\n uint32_t key[4]; \/\/ [rsp+60h] [rbp-40h] BYREF\n uint32_t array[8]; \/\/ [rsp+70h] [rbp-30h]\n int i; \/\/ [rsp+9Ch] [rbp-4h]\n\n _main(argc, argv, envp);\n array[0] = -1691816635;\n array[1] = 341755625;\n array[2] = 1529325251;\n array[3] = -442599979;\n array[4] = -399760128;\n array[5] = -1541333614;\n array[6] = -846574750;\n array[7] = -1503071168;\n key[0] = 1702259047;\n key[1] = 1970239839;\n key[2] = 1886741343;\n key[3] = 1634038879;\n memset(inp, 0, sizeof(inp));\n puts("please input your flag: ");\n scanf("%s", inp);\n if ( strlen(inp) != 32 )\n {\n puts("length error!!");\n exit(0);\n }\n for ( i = 0; i <= 7; i += 2 )\n {\n temp[0] = *&inp[4 * i];\n temp[1] = *&inp[4 * i + 4];\n encrypt(temp, key);\n if ( temp[0] != array[i] || temp[1] != array[i + 1] )\n {\n printf("sorry, your flag is wrong!");\n exit(0);\n }\n }\n printf("success!!your flag is flag{your input}");\n return 0;\n}<\/code><\/pre>\n\u7ed9\u51fa\u4e86\u4e00\u4e9b\u521d\u59cb\u5316\uff0c\u7136\u540e\u8f93\u5165\u7684flag\u62c6\u5206\uff0c\u4e24\u4e24\u4e00\u7ec4\uff0c\u901a\u8fc7for\u5faa\u73af\u653e\u5165encrypt\u52a0\u5bc6\u51fd\u6570<\/p>\n
\u8fdb\u5165\u52a0\u5bc6\u51fd\u6570\uff1a<\/p>\n
void __cdecl encrypt(uint32_t *v, uint32_t *k)\n{\n uint32_t i; \/\/ [rsp+20h] [rbp-10h]\n uint32_t sum; \/\/ [rsp+24h] [rbp-Ch]\n uint32_t v1a; \/\/ [rsp+28h] [rbp-8h]\n uint32_t v1; \/\/ [rsp+28h] [rbp-8h]\n uint32_t v0; \/\/ [rsp+2Ch] [rbp-4h]\n\n v1a = v[1];\n sum = 0;\n data1 ^= *v;\n data2 ^= v1a;\n v0 = data1;\n v1 = data2;\n for ( i = 0; i <= 0x1F; ++i )\n {\n sum += 1853174124;\n v0 += ((v1 >> 5) + k[1]) ^ (v1 + sum) ^ (*k + 16 * v1) ^ (sum + i);\n v1 += ((v0 >> 5) + k[3]) ^ (v0 + sum) ^ (k[2] + 16 * v0) ^ (sum + i);\n }\n data1 = v0;\n data2 = v1;\n *v = v0;\n v[1] = v1;\n}<\/code><\/pre>\n\u53d1\u73b0\u662fTEA\u52a0\u5bc6<\/p>\n
\u628a\u6570\u636e\u63d0\u51fa\u6765
\n
<\/div>
\nsum\uff1a<\/div><\/p>\n\u53d1\u73b0delta\u5e76\u6ca1\u6709\u9b54\u6539\uff0c\u6211\u653e\u8fdb\u6807\u51c6TEA\u811a\u672c\u8dd1\u51fa\u6765\u53d1\u73b0\u662f\u9519\u7684<\/p>\n
\u7531\u4e8e\u6211\u5bf9TEA\u4e0d\u592a\u4e86\u89e3\uff0c\u6700\u5f00\u59cb\u5e76\u6ca1\u6709\u53d1\u73b0\u8fd9\u4e2a\u88ab\u9b54\u6539\u4e86\uff0c\u540e\u9762\u624d\u53d1\u73b0\u7684<\/p>\n
<\/div><\/p>\n\u8fd9\u91cc\u53ef\u4ee5\u770b\u89c1\u5bf9\u521d\u59cb\u503c\u8fdb\u884c\u4e86\u5f02\u6216\uff0c\u8fd8\u6709\u540e\u9762\u7684sum+i<\/p>\n
\u63a5\u4e0b\u6765\u5c31\u53ef\u4ee5\u6413\u6413\u6413\u6413\u6413\u811a\u672c\u4e86\uff1a<\/p>\n
#include <iostream>\n#include <cstdint>\n#include <vector>\n\nusing namespace std;\n\nvector<uint32_t> decrypt(const vector<uint32_t>& v, const vector<uint32_t>& k, const vector<uint32_t>& d) {\n uint32_t v0 = v[0], v1 = v[1];\n const uint32_t delta = 0x6E75316C;\n uint32_t sum1 = delta * 32;\n for (int i = 0; i < 32; ++i) {\n v1 -= (((v0 << 4) + k[2]) ^ (v0 + sum1) ^ ((v0 >> 5) + k[3]) ^ (sum1 + (31 - i)));\n v0 -= (((v1 << 4) + k[0]) ^ (v1 + sum1) ^ ((v1 >> 5) + k[1]) ^ (sum1 + (31 - i)));\n sum1 -= delta;\n }\n v0 ^= d[0];\n v1 ^= d[1];\n return { v0, v1 };\n}\n\nstring n2s(uint32_t num) {\n string result;\n for (int i = 0; i < 4; ++i) {\n char ch = (num >> (i * 8)) & 0xFF;\n result += ch; \/\/ \u540e\u7f6e\u6dfb\u52a0\uff0c\u4e0d\u8fdb\u884c\u53cd\u8f6c\n }\n return result;\n}\n\nint main() {\n vector<uint32_t> c = { 0x5F797274, 0x64726168, 0x9b28ed45, 0x145ec6e9, 0x5b27a6c3, 0xe59e75d5, 0xe82c2500, 0xa4211d92, 0xcd8a4b62, 0xa668f440 };\n vector<uint32_t> key = { 0x65766967, 0x756f795f, 0x7075635f, 0x6165745f };\n string flag;\n for (int i = 1; i < 5; ++i) {\n vector<uint32_t> data = decrypt({ c[i * 2], c[i * 2 + 1] }, key, { c[i * 2 - 2], c[i * 2 - 1] });\n for (int j = 0; j < 2; ++j) {\n flag += n2s(data[j]);\n }\n }\n cout << "XYCTF{" << flag << "}" << endl;\n return 0;\n}\n<\/code><\/pre>\n<\/div><\/p>\n\u4f55\u987b\u76f8\u601d\u716e\u4f59\u5e74<\/h3>\n
\u4e0b\u8f7d\u4e0b\u6765\uff0c\u8fc7\u53ea\u6709\u4e00\u4e2atxt\uff0c\u91cc\u9762\u662f\u4e00\u580616\u8fdb\u5236\u548c\u4e00\u4e2aenc\u6570\u7ec4<\/p>\n
\u63a8\u6d4b16\u8fdb\u5236\u662f\u673a\u5668\u7801\uff0c\u73b0\u5728\u6211\u6240\u9700\u8981\u505a\u7684\u5c31\u662f\u5c06\u673a\u5668\u7801\u8f6c\u6362\u6210\u6c47\u7f16\u8bed\u8a00\uff0c\u5148\u5c06\u673a\u5668\u7801\u6574\u7406\u4e00\u4e0b\uff1a<\/p>\n
55 8B EC 81 EC A8 00 00 00 A1 00 40 41 00 33 C5 89 45 FC 68 9C 00 00 00 6A 00 8D 85 60 FF FF FF 50 E8 7A 0C 00 00 83 C4 0C C7 85 58 FF FF FF 27 00 00 00 C7 85 5C FF FF FF 00 00 00 00 EB 0F 8B 8D 5C FF FF FF 83 C1 01 89 8D 5C FF FF FF 83 BD 5C FF FF FF 27 0F 8D ED 00 00 00 8B 95 5C FF FF FF 81 E2 03 00 00 80 79 05 4A 83 CA FC 42 85 D2 75 25 8B 85 5C FF FF FF 8B 8C 85 60 FF FF FF 03 8D 5C FF FF FF 8B 95 5C FF FF FF 89 8C 95 60 FF FF FF E9 AC 00 00 00 8B 85 5C FF FF FF 25 03 00 00 80 79 05 48 83 C8 FC 40 83 F8 01 75 22 8B 8D 5C FF FF FF 8B 94 8D 60 FF FF FF 2B 95 5C FF FF FF 8B 85 5C FF FF FF 89 94 85 60 FF FF FF EB 73 8B 8D 5C FF FF FF 81 E1 03 00 00 80 79 05 49 83 C9 FC 41 83 F9 02 75 23 8B 95 5C FF FF FF 8B 84 95 60 FF FF FF 0F AF 85 5C FF FF FF 8B 8D 5C FF FF FF 89 84 8D 60 FF FF FF EB 38 8B 95 5C FF FF FF 81 E2 03 00 00 80 79 05 4A 83 CA FC 42 83 FA 03 75 20 8B 85 5C FF FF FF 8B 8C 85 60 FF FF FF 33 8D 5C FF FF FF 8B 95 5C FF FF FF 89 8C 95 60 FF FF FF E9 F7 FE FF FF 33 C0 8B 4D FC 33 CD E8 04 00 00 00 8B E5 5D C3<\/code><\/pre>\n\u6211\u6839\u636e\u4e2a\u4eba\u559c\u597d\u5c06\u5176\u6574\u7406\u6210\u4e86\u8fde\u7eed\u7684\u5927\u519916\u8fdb\u5236\uff0c\u53c8\u5728\u770b\u96ea\u4e0a\u627e\u4e86\u4e00\u4e2a\u5e16\u5b50\uff0c\u7ed9\u51fa\u4e86\u4e00\u4e2a\u5c06\u673a\u5668\u7801\u8f6c\u6210\u6c47\u7f16\u8bed\u8a00\u7684\u5728\u7ebf\u7f51\u7ad9\uff1ahttps:\/\/defuse.ca\/online-x86-assembler.htm<\/a><\/p>\n\u8f6c\u51fa\u6765\uff1a<\/p>\n
0: \u00a055 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0push \u00a0 ebp \n1: \u00a08b ec \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 mov \u00a0 \u00a0ebp,esp \n3: \u00a081 ec a8 00 00 00 \u00a0 \u00a0 \u00a0 sub \u00a0 \u00a0esp,0xa8 \n9: \u00a0a1 00 40 41 00 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0mov \u00a0 \u00a0eax,ds:0x414000 \ne: \u00a033 c5 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 xor \u00a0 \u00a0eax,ebp \n10: 89 45 fc \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0mov \u00a0 \u00a0DWORD PTR [ebp-0x4],eax \n13: 68 9c 00 00 00 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0push \u00a0 0x9c \n18: 6a 00 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 push \u00a0 0x0 \n1a: 8d 85 60 ff ff ff \u00a0 \u00a0 \u00a0 lea \u00a0 \u00a0eax,[ebp-0xa0] \n20: 50 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0push \u00a0 eax \n21: e8 7a 0c 00 00 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0call \u00a0 0xca0 \n26: 83 c4 0c \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0add \u00a0 \u00a0esp,0xc \n29: c7 85 58 ff ff ff 27 \u00a0 \u00a0mov \u00a0 \u00a0DWORD PTR [ebp-0xa8],0x27 \n30: 00 00 00 \n33: c7 85 5c ff ff ff 00 \u00a0 \u00a0mov \u00a0 \u00a0DWORD PTR [ebp-0xa4],0x0 \n3a: 00 00 00 \n3d: eb 0f \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 jmp \u00a0 \u00a00x4e \n3f: 8b 8d 5c ff ff ff \u00a0 \u00a0 \u00a0 mov \u00a0 \u00a0ecx,DWORD PTR [ebp-0xa4] \n45: 83 c1 01 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0add \u00a0 \u00a0ecx,0x1 \n48: 89 8d 5c ff ff ff \u00a0 \u00a0 \u00a0 mov \u00a0 \u00a0DWORD PTR [ebp-0xa4],ecx \n4e: 83 bd 5c ff ff ff 27 \u00a0 \u00a0cmp \u00a0 \u00a0DWORD PTR [ebp-0xa4],0x27 \n55: 0f 8d ed 00 00 00 \u00a0 \u00a0 \u00a0 jge \u00a0 \u00a00x148 \n5b: 8b 95 5c ff ff ff \u00a0 \u00a0 \u00a0 mov \u00a0 \u00a0edx,DWORD PTR [ebp-0xa4] \n61: 81 e2 03 00 00 80 \u00a0 \u00a0 \u00a0 and \u00a0 \u00a0edx,0x80000003 \n67: 79 05 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 jns \u00a0 \u00a00x6e \n69: 4a \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0dec \u00a0 \u00a0edx \n6a: 83 ca fc \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0or \u00a0 \u00a0 edx,0xfffffffc \n6d: 42 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0inc \u00a0 \u00a0edx \n6e: 85 d2 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 test \u00a0 edx,edx \n70: 75 25 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 jne \u00a0 \u00a00x97 \n72: 8b 85 5c ff ff ff \u00a0 \u00a0 \u00a0 mov \u00a0 \u00a0eax,DWORD PTR [ebp-0xa4] \n78: 8b 8c 85 60 ff ff ff \u00a0 \u00a0mov \u00a0 \u00a0ecx,DWORD PTR [ebp+eax*4-0xa0] \n7f: 03 8d 5c ff ff ff \u00a0 \u00a0 \u00a0 add \u00a0 \u00a0ecx,DWORD PTR [ebp-0xa4] \n85: 8b 95 5c ff ff ff \u00a0 \u00a0 \u00a0 mov \u00a0 \u00a0edx,DWORD PTR [ebp-0xa4] \n8b: 89 8c 95 60 ff ff ff \u00a0 \u00a0mov \u00a0 \u00a0DWORD PTR [ebp+edx*4-0xa0],ecx \n92: e9 ac 00 00 00 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0jmp \u00a0 \u00a00x143 \n97: 8b 85 5c ff ff ff \u00a0 \u00a0 \u00a0 mov \u00a0 \u00a0eax,DWORD PTR [ebp-0xa4] \n9d: 25 03 00 00 80 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0and \u00a0 \u00a0eax,0x80000003 \na2: 79 05 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 jns \u00a0 \u00a00xa9 \na4: 48 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0dec \u00a0 \u00a0eax \na5: 83 c8 fc \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0or \u00a0 \u00a0 eax,0xfffffffc \na8: 40 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0inc \u00a0 \u00a0eax \na9: 83 f8 01 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0cmp \u00a0 \u00a0eax,0x1 \nac: 75 22 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 jne \u00a0 \u00a00xd0 \nae: 8b 8d 5c ff ff ff \u00a0 \u00a0 \u00a0 mov \u00a0 \u00a0ecx,DWORD PTR [ebp-0xa4] \nb4: 8b 94 8d 60 ff ff ff \u00a0 \u00a0mov \u00a0 \u00a0edx,DWORD PTR [ebp+ecx*4-0xa0] \nbb: 2b 95 5c ff ff ff \u00a0 \u00a0 \u00a0 sub \u00a0 \u00a0edx,DWORD PTR [ebp-0xa4] \nc1: 8b 85 5c ff ff ff \u00a0 \u00a0 \u00a0 mov \u00a0 \u00a0eax,DWORD PTR [ebp-0xa4] \nc7: 89 94 85 60 ff ff ff \u00a0 \u00a0mov \u00a0 \u00a0DWORD PTR [ebp+eax*4-0xa0],edx \nce: eb 73 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 jmp \u00a0 \u00a00x143 \nd0: 8b 8d 5c ff ff ff \u00a0 \u00a0 \u00a0 mov \u00a0 \u00a0ecx,DWORD PTR [ebp-0xa4] \nd6: 81 e1 03 00 00 80 \u00a0 \u00a0 \u00a0 and \u00a0 \u00a0ecx,0x80000003 \ndc: 79 05 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 jns \u00a0 \u00a00xe3 \nde: 49 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0dec \u00a0 \u00a0ecx \ndf: 83 c9 fc \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0or \u00a0 \u00a0 ecx,0xfffffffc \ne2: 41 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0inc \u00a0 \u00a0ecx \ne3: 83 f9 02 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0cmp \u00a0 \u00a0ecx,0x2 \ne6: 75 23 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 jne \u00a0 \u00a00x10b \ne8: 8b 95 5c ff ff ff \u00a0 \u00a0 \u00a0 mov \u00a0 \u00a0edx,DWORD PTR [ebp-0xa4] \nee: 8b 84 95 60 ff ff ff \u00a0 \u00a0mov \u00a0 \u00a0eax,DWORD PTR [ebp+edx*4-0xa0] \nf5: 0f af 85 5c ff ff ff \u00a0 \u00a0imul \u00a0 eax,DWORD PTR [ebp-0xa4] \nfc: 8b 8d 5c ff ff ff \u00a0 \u00a0 \u00a0 mov \u00a0 \u00a0ecx,DWORD PTR [ebp-0xa4] \n102: \u00a0 \u00a089 84 8d 60 ff ff ff \u00a0 \u00a0mov \u00a0 \u00a0DWORD PTR [ebp+ecx*4-0xa0],eax \n109: \u00a0 \u00a0eb 38 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 jmp \u00a0 \u00a00x143 \n10b: \u00a0 \u00a08b 95 5c ff ff ff \u00a0 \u00a0 \u00a0 mov \u00a0 \u00a0edx,DWORD PTR [ebp-0xa4] \n111: \u00a0 \u00a081 e2 03 00 00 80 \u00a0 \u00a0 \u00a0 and \u00a0 \u00a0edx,0x80000003 \n117: \u00a0 \u00a079 05 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 jns \u00a0 \u00a00x11e \n119: \u00a0 \u00a04a \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0dec \u00a0 \u00a0edx \n11a: \u00a0 \u00a083 ca fc \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0or \u00a0 \u00a0 edx,0xfffffffc \n11d: \u00a0 \u00a042 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0inc \u00a0 \u00a0edx \n11e: \u00a0 \u00a083 fa 03 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0cmp \u00a0 \u00a0edx,0x3 \n121: \u00a0 \u00a075 20 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 jne \u00a0 \u00a00x143 \n123: \u00a0 \u00a08b 85 5c ff ff ff \u00a0 \u00a0 \u00a0 mov \u00a0 \u00a0eax,DWORD PTR [ebp-0xa4] \n129: \u00a0 \u00a08b 8c 85 60 ff ff ff \u00a0 \u00a0mov \u00a0 \u00a0ecx,DWORD PTR [ebp+eax*4-0xa0] \n130: \u00a0 \u00a033 8d 5c ff ff ff \u00a0 \u00a0 \u00a0 xor \u00a0 \u00a0ecx,DWORD PTR [ebp-0xa4] \n136: \u00a0 \u00a08b 95 5c ff ff ff \u00a0 \u00a0 \u00a0 mov \u00a0 \u00a0edx,DWORD PTR [ebp-0xa4] \n13c: \u00a0 \u00a089 8c 95 60 ff ff ff \u00a0 \u00a0mov \u00a0 \u00a0DWORD PTR [ebp+edx*4-0xa0],ecx \n143: \u00a0 \u00a0e9 f7 fe ff ff \u00a0 \u00a0 \u00a0 \u00a0 \u00a0jmp \u00a0 \u00a00x3f \n148: \u00a0 \u00a033 c0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 xor \u00a0 \u00a0eax,eax \n14a: \u00a0 \u00a08b 4d fc \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0mov \u00a0 \u00a0ecx,DWORD PTR [ebp-0x4] \n14d: \u00a0 \u00a033 cd \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 xor \u00a0 \u00a0ecx,ebp \n14f: \u00a0 \u00a0e8 04 00 00 00 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0call \u00a0 0x158 \n154: \u00a0 \u00a08b e5 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 mov \u00a0 \u00a0esp,ebp \n156: \u00a0 \u00a05d \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0pop \u00a0 \u00a0ebp \n157: \u00a0 \u00a0c3 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0ret<\/code><\/pre>\n\u540e\u6765\u53d1\u73b0\u8981\u662f\u771f\u8fd9\u6837\u770b\u7684\u8bdd\u773c\u775b\u4e0d\u90fd\u5f97\u770b\u778e\uff0c\u8fd8\u4e0d\u4e00\u5b9a\u8bb0\u5f97\u4f4f\u6bcf\u4e00\u6761\u6c47\u7f16\u6307\u4ee4\uff0c\u4e8e\u662f\u60f3\u627e\u4e00\u4e2a\u5728\u7ebf\u7f51\u7ad9\u5c06\u5176\u8f6c\u5316\u4e3a\u9ad8\u7ea7\u8bed\u8a00\uff0c\u4e0d\u8fc7\u6ca1\u627e\u5230<\/p>\n
\u8f6c\u5ff5\u4e00\u60f3\uff0cIDA\u4e0d\u662f\u6709\u8fd9\u79cd\u529f\u80fd\u5417\uff0c\u4e8e\u662f\u6211\u521b\u5efa\u4e86\u4e00\u4e2a.txt\u6587\u4ef6\uff0c\u5c06.txt\u540e\u7f00\u5220\u53bb\uff0c\u7136\u540e\u4f7f\u7528010 Editor<\/code>\u6253\u5f00\uff0c\u628a\u4e0a\u9762\u7684\u5b57\u8282\u7801\u5168\u90e8\u590d\u5236\u5230\u7a7a\u767d\u6587\u4ef6\u91cc\uff0c\u4fdd\u5b58\u4e4b\u540e\u4f7f\u7528IDA\u6253\u5f00<\/p>\n<\/div><\/p>\n\u8fd9\u6837\u5c31\u80fd\u66f4\u597d\u7684\u770b\u6c47\u7f16\u4e86\uff0c\u4f46\u662f\u8fd9\u8fd8\u662f\u4e0d\u591f\u7684\uff0c\u56e0\u4e3a\u65e0\u6cd5\u6309\u7a7a\u683c\u952e\u67e5\u770b\u63a7\u5236\u6d41\uff0c\u4e5f\u5c31\u662f\u65e0\u6cd5\u67e5\u770b\u4f2aC\u4ee3\u7801\uff0c\u5b66\u8fc7\u9006\u5411\u7684\u4eba\u90fd\u77e5\u9053\uff0c\u5728IDA\u4e2d\u9009\u4e2d\u4e00\u6bb5\u6c47\u7f16\u4e4b\u540e\u6309P\u53ef\u4ee5\u5b9a\u4e49\u4e00\u6bb5\u51fd\u6570\uff0c\u4e8e\u662f\u6211\u9009\u4e2d\u4e86\u6240\u6709\u7684\u6c47\u7f16\u4ee3\u7801\uff0c\u5c06\u4ed6\u4eec\u5b9a\u4e49\u4e3a\u4e00\u6bb5\u51fd\u6570\uff0c\u8fd9\u6837\u6211\u4eec\u5c31\u53ef\u4ee5\u4f7f\u7528F5\u5927\u6cd5\u4e86<\/p>\n
<\/div><\/p>\n\u6ca1\u60f3\u5230\u903b\u8f91\u5c45\u7136\u80fd\u8fd9\u4e48\u6e05\u6670\uff0c\u6211\u8fd8\u4ee5\u4e3a\u4ee3\u7801\u4f1a\u5f88\u4e11\u5f88\u4e11\uff0c\u7ea2\u8272\u7684\u5730\u65b9\u4e0d\u7ba1\u5b83\u5c31\u662f\u4e86<\/p>\n
\u5199\u4e2a\u811a\u672c\u5c31\u5b8c\u4e8b\u4e86\uff1a<\/p>\n
def reverse_operations(enc): \n v2 = [0] * 39 \n\n for i in range(39): \n if i % 4 == 0: \n v2[i] = enc[i] - i \n elif i % 4 == 1: \n v2[i] = enc[i] + i \n elif i % 4 == 2: \n v2[i] = enc[i] \/\/ i \n elif i % 4 == 3: \n v2[i] = enc[i] ^ i \n\n return v2 \nflag="" \nenc = [88,88,134,87,74,118,318,101,59,92,480,60,65,41,770,110,73,31,918,39,120,27,1188,47,77,24,1352,44,81,23,1680,46,85,15,1870,66,91,16,4750] \nv2 = reverse_operations(enc) \nfor i in range(len(v2)): \n flag+=chr(v2[i]) \nprint(flag)\n#XYCTF{5b3e07567a9034d06851475481507a75}<\/code><\/pre>\n\u9992\u5934<\/h3>\n
\u6253\u5f00IDA\uff0c\u6709\u5173\u4e8e\u54c8\u592b\u66fc\u6811\u7684\u63d0\u793a\uff0c\u8fd8\u539f\u54c8\u592b\u66fc\u6811\u7684\u8282\u70b9\u5c31\u884c\u4e86<\/p>\n
#include <iostream>\n#include <vector>\nusing namespace std;\n\nstruct htNode {\n char data;\n int weight;\n htNode* parent;\n htNode* lch;\n htNode* rch;\n\n \/\/ \u6784\u9020\u51fd\u6570\u521d\u59cb\u5316\u7ed3\u70b9\n htNode(char d = 0, int w = 0, htNode* p = nullptr, htNode* l = nullptr, htNode* r = nullptr) \n : data(d), weight(w), parent(p), lch(l), rch(r) {}\n};\n\nvoid recoverHuffmanTree(htNode*& HT, int enc[], int& index, vector<int>& flag) {\n htNode* lch = new htNode();\n htNode* rch = new htNode();\n HT->lch = lch;\n HT->rch = rch;\n lch->parent = rch->parent = HT;\n lch->lch = lch->rch = rch->lch = rch->rch = nullptr;\n int get = enc[index];\n int nextget = enc[index + 1];\n if (get <= 24) {\n HT->data = get;\n HT->weight = HT->parent->weight - HT->parent->lch->weight;\n flag[HT->data - 1] = HT->weight;\n index++;\n return;\n }\n else {\n if (nextget <= 24) {\n HT->weight = get;\n HT->data = nextget;\n flag[HT->data - 1] = HT->weight;\n index += 2;\n return;\n }\n else {\n HT->weight = get;\n HT->data = 0;\n index++;\n recoverHuffmanTree(lch, enc, index, flag);\n recoverHuffmanTree(rch, enc, index, flag);\n }\n }\n}\n\nint main() {\n int enc[] = { 2270,917,446,217,106,51,20,15,17,229,114,16,11,471,233,116,\n 14,13,238,118,12,7,1353,557,248,123,6,24,309,137,67,3,5,172,84,4,1,796,383,\n 186,89,2,8,197,97,48,23,10,21,413,203,101,22,9,210,104,19,18 };\n vector<int> flag(24, 0);\n int index = 0;\n htNode* HT = new htNode();\n recoverHuffmanTree(HT, enc, index, flag);\n\n \/\/ \u8f93\u51fa\u5b57\u7b26\u6743\u91cd\n for (int i = 0; i < 24; i++)\n cout << char(flag[i]);\n\n return 0;\n}\n<\/code><\/pre>\n\u7b80\u7231<\/h3>\n
\u8fd9\u9898\u2026\u2026\u53ef\u80fd\u6211\u592a\u83dc\u4e86\uff0c\u6709\u70b9\u8ff7\u60d1<\/p>\n
\u51fa\u73b0\u4e86\u4e0d\u77e5\u9053\u6709\u4ec0\u4e48\u4f5c\u7528\u7684TEA\uff0c\u6211\u83dc\u83dc<\/p>\n
\u603b\u4e4b\u77e5\u9053\u662f\u4e2aVM\u5c31\u884c\u4e86\uff0c\u65e2\u7136\u662f\u4e2aVM\u7684\u8bdd\uff0c\u7a0b\u5e8f\u53c8\u4e0d\u590d\u6742\uff0c\u6211\u4eec\u628a\u628avm\u9006\u8fc7\u6765\u5199\u5c31\u53ef\u4ee5\u4e86<\/p>\n
\u7528idapython\u63d0\u53d6\u6570\u636e\uff0c\u63d0\u53d6\u51favm\u7684\u64cd\u4f5c\u7801\uff1a<\/p>\n
import idaapi\ndef extract_dword_from_address(address):\n#\u83b7\u53d64\u4e2a\u5b57\u8282\u7684\u6570\u636e\ndword_bytes = idaapi.get_bytes(address, 4)\nif dword_bytes is None:\nprint("Failed to read bytes at address {:X}".format(address))\nreturn None\n#\u5c06\u5b57\u8282\u6570\u636e\u8f6c\u6362\u4e3aDWORD\ndword_value = int.from_bytes(dword_bytes, byteorder='little')\nreturn dword_value\n#\u6307\u5b9a\u8d77\u59cb\u5730\u5740\nstart_address = 0x7FFDF8422ED0\n#\u6307\u5b9a\u63d0\u53d6\u6b21\u6570\nnum_extract = 1029\n#\u5b58\u50a8\u63d0\u53d6\u7684DWORD\u6570\u636e\u7684\u5217\u8868\ndword_list = []\n#\u5faa\u73af\u63d0\u53d6DWORD\u6570\u636e\nfor i in range(num_extract):\naddress = start_address + i * 4\ndword_value = extract_dword_from_address(address)\nif dword_value is not None:\ndword_list.append(dword_value)\nprint("Extracted {} DWord values starting from address {:X}".format(len(dword_list),\nstart_address))\nprint("DWord values list:", dword_list)<\/code><\/pre>\n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n0, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1,\n1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,\n1, 1, 1, 1, 1, 2, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n0, 0, 0, 0, 2, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2,\n5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1,\n1, 1, 1, 1, 1, 1, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 2, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 5, 0, 0, 0, 0, 0, 0, 0,\n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n0, 0, 0, 0, 2, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,\n1, 1, 1, 2, 4, 1, 1, 1, 1, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n0, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 2, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 0,\n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n0, 0, 0, 0, 0, 0, 2, 1, 2, 0, 0, 0, 0, 0, 0, 2, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n0, 0, 0, 0, 0, 0, 2, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 1, 1, 1, 1, 1,\n1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,\n1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,\n0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0, 0, 0, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0,\n0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 3<\/code><\/pre>\nopcode = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \n0, 0, 0, 0, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, \n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 2, 1, 1, 1, 1, 1, 1, \n1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, \n1, 1, 1, 1, 1, 1, 1, 1, 2, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \n0, 0, 0, 0, 0, 0, 0, 2, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, \n1, 1, 2, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, \n1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 5, 0, 0, 0, 0, 0, 0, \n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 2, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 5, 0, 0, 0, 0, \n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \n0, 0, 0, 0, 0, 0, 0, 2, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, \n1, 1, 1, 1, 1, 1, 2, 4, 1, 1, 1, 1, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 2, 4, 0, 0, 0, 0, 0, 0, 0, 0, \n0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \n0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 1, 2, 0, 0, 0, 0, 0, 0, 2, 5, 0, 0, 0, 0, 0, 0, 0, 0, \n0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 1, 1, \n1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, \n1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, \n0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0, 0, 0, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, \n0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 3] \n\ndef VMfunction(data): \n opcodeidx = 0 \n dataidx = 0 \n while True : \n if opcode[opcodeidx] == 0: \n data[dataidx] += 1 \n opcodeidx += 1 \n if opcode[opcodeidx] == 1: \n data[dataidx] -= 1 \n opcodeidx += 1 \n if opcode[opcodeidx] == 2: \n #print("data[{}] = {}".format(dataidx,data[dataidx])) \n opcodeidx += 1 \n dataidx += 1 \n if opcode[opcodeidx] == 3: \n #print("data[{}] = {}".format(dataidx,data[dataidx])) \n break \n if opcode[opcodeidx] == 4: \n data[dataidx] = data[dataidx] + data[dataidx+1] - 70 \n opcodeidx += 1 \n if opcode[opcodeidx] == 5: \n data[dataidx] = data[dataidx] - data[dataidx+1] + 70 \n opcodeidx += 1 \n return data \n\ndef ReVMfunction(data): \n opcodeidx = len(opcode)-1 \n dataidx = len(data)-1 \n while opcodeidx != -1 : \n if opcode[opcodeidx] == 0: \n data[dataidx] -= 1 \n opcodeidx -= 1 \n elif opcode[opcodeidx] == 1: \n data[dataidx] += 1 \n opcodeidx -= 1 \n elif opcode[opcodeidx] == 2: \n opcodeidx -= 1 \n dataidx -= 1 \n elif opcode[opcodeidx] == 3: \n print("start!") \n opcodeidx -= 1 \n elif opcode[opcodeidx] == 4: \n data[dataidx] = data[dataidx] - data[dataidx+1] + 70 \n opcodeidx -= 1 \n elif opcode[opcodeidx] == 5: \n data[dataidx] = data[dataidx] + data[dataidx+1] - 70 \n opcodeidx -= 1 \n return data \nflag=[ord(x) for x in "flag{Love_is_not_one_sided_Love}"] \nflag = ReVMfunction(flag) \nprint(flag) \nfor ch1 in flag: \n print(chr(ch1),end="")\n#FLAG{vm_is_A_3ecreT_l0Ve_revers}<\/code><\/pre>\n\u8fd8\u53ef\u4ee5\u7528z3\uff0c\u4f46\u662f\u6211\u61d2\u5f97\u5199\u4e86<\/p>\n
\u4eca\u5915\u662f\u4f55\u5e74<\/h3>\n
\u771f\u7684\uff0c\u8fd0\u884c\u5c31\u6709flag<\/p>\n
\u80af\u5b9a\u6ca1\u8fd9\u4e48\u7b80\u5355\uff0c\u4e8e\u662f\u6211\u5c31\u5148\u53bb\u67e5\u4e86\u4e00\u4e0b\u8fd9\u4e2a\u6587\u4ef6\u7684\u67b6\u6784
\n
<\/div><\/p>\n\u4e0d\u662f \u54e5\u4eec\uff0c\u600e\u4e48\u8fd8\u80fd\u67e5\u51fa\u672a\u77e5\u554a\uff0c\u4f46\u662fqemu\u80af\u5b9a\u80fd\u8dd1\uff0c\u6211\u4eec\u9700\u8981\u505a\u7684\u4fbf\u662f\u5b89\u88c5qemu\u5e93\uff0c\u8be6\u89c1TCPL<\/a><\/p>\n\u88c5\u597d\u4e86\u4e4b\u540e\u76f4\u63a5\u8dd1\u5c31\u51fa\u6765\u4e86\uff1a
\n
<\/div><\/p>\n\u55b5\u55b5\u55b5\u7684flag\u788e\u4e86\u4e00\u5730<\/h3>\n
\u8fd9\u9898\u2026\u2026\u6211\u7eaf\u7eaf\u6ca1\u770b\u61c2\u82f1\u6587\u6d6a\u8d39\u4e86\u4e00\u5806\u65f6\u95f4\uff0c\u540e\u9762\u628a\u82f1\u6587\u7ffb\u8bd1\u4e4b\u540e\u5c31\u968f\u4fbf\u5199\u4e86<\/p>\n
\u4e0b\u8f7d\u9644\u4ef6\uff0c\u4f7f\u7528IDA\u8f7d\u5165\uff1a<\/p>\n
\u4e3b\u51fd\u6570\u7ed9\u4e86\u4e09\u6761\u63d0\u793a\uff0c\u53ebAI\u7ffb\u8bd1\u4e00\u4e0b\uff1a<\/p>\n
int __fastcall main(int argc, const char **argv, const char **envp)\n{\n _main(argc, argv, envp);\n puts("Hint:");\n puts("1. Open in IDA and Learn about `Strings` to find the first part of the flag");\n puts("2. Learn about `Functions` to find the second part of the flag which is the name of a function");\n puts("3. The hint for the last part is in the function you found in the second part");\n return 0;\n}<\/code><\/pre>\n<\/div><\/p>\n\u6309\u7167hint\u5148shift+F12\u67e5\u627e\u4e00\u4e0b\u5b57\u7b26\u4e32\uff1a
\n
<\/div>
\n\u53cc\u51fb\u5c31\u80fd\u770b\u89c1\u7b2c\u4e00\u90e8\u5206flag\uff1aflag{My_fl@g_h4s_<\/code><\/p>\n\u518d\u6839\u636e\u7b2c\u4e8c\u6761\u63d0\u793a\u67e5\u770b\u51fd\u6570\u7a97\u53e3(ctrl+F\u53ef\u4ee5\u67e5\u627e\u51fd\u6570\uff0c\u4e0d\u8fc7\u6211\u6ca1\u7528\u4e0a):
\n
<\/div>
\n\u5f97\u5230\u7b2c\u4e8c\u90e8\u5206br0ken_4parT_<\/code><\/p>\n\u540e\u8ddf\u7740\u7b2c\u4e09\u6761hint\uff0c\u8fdb\u5165br0ken_4parT_<\/code>\u51fd\u6570\uff1a<\/p>\nint br0ken_4parT_()\n{\n return puts("Learn about `Xref` and Find out which function refers me to get the last part of the flag!");\n}<\/code><\/pre>\n\u53c8\u662f\u4e00\u6bb5\u82f1\u6587\uff0c\u518d\u7ffb\u8bd1\u4e00\u4e0b\uff1a\u5b66\u4e60\u5173\u4e8eXref<\/code>\u5e76\u627e\u51fa\u54ea\u4e2a\u51fd\u6570\u5f15\u7528\u4e86\u6211\u6765\u83b7\u53d6\u6700\u540e\u4e00\u90e8\u5206\u7684\u6807\u5fd7<\/p>\nXref\u7684\u610f\u601d\u662f\u4ea4\u53c9\u5f15\u7528\uff0c\u5728IDA pro\u4e2d\u53ef\u4ee5\u901a\u8fc7ctrl+X\u5b9e\u73b0\uff0c\u4e8e\u662f\u6211\u4eec\u53ef\u4ee5\u5bf9\u4e8ebr0ken_4parT_<\/code>\u51fd\u6570\u8fdb\u884c\u4ea4\u53c9\u5f15\u7528\uff1a
\n<\/div><\/p>\nOK\u4e86\uff0c\u53cc\u51fb\u4e0a\u9762\u51fd\u6570\u7684\u8fdb\u5165fun718\uff1a
\n\u5728text\u754c\u9762\u5c31\u80fd\u770b\u89c1\u5269\u4e0b\u7684flag
\n
<\/div><\/p>\n\u53ef\u4ee5\u5f97\u5230Bu7_Y0u_c@n_f1x_1t!}<\/code><\/p>\n\u62fc\u63a5\u8d77\u6765\u5c31\u662fflag{My_fl@g_h4s_br0ken_4parT_Bu7_Y0u_c@n_f1x_1t!}<\/code><\/p>\n\u4f60\u771f\u7684\u662f\u5927\u5b66\u751f\u5417<\/h3>\n
\u6700\u5f00\u59cb\u6ca1\u770b\u61c2\u4e3a\u4ec0\u4e48IDA\u4e0d\u592a\u597d\u770b\uff0c\u4e8e\u662f\u7528010\u770b\u4e86\u4e00\u4e0b\uff0c\u53d1\u73b0\u6ca1\u6709PE\u5934\uff0c\u6211\u8fd8\u4ee5\u4e3a\u662f\u8981\u4feePE\u5934\uff0c\u540e\u6765\u53d1\u73b0\u8fd9\u662f\u4e2a16\u4f4d\u7a0b\u5e8f\uff0c\u8fd9\u91cc\u9644\u4e0a\u7a0b\u5e8f\u4fe1\u606f\uff1a
\n
<\/div><\/p>\n\u7531\u4e8eIDA\u4e0d\u80fd\u6b63\u5e38\u770b\uff0c\u800c\u4e14IDA\u4e2d\u7684\u6c47\u7f16\u4e5f\u4e0d\u592a\u597d\u770b\uff0c\u6211\u5c31\u53bbghidra\u770b\u4e86\u4e00\u4e0b\uff1a<\/p>\n
<\/div><\/p>\n\u4e5f\u633a\u62bd\u8c61\u7684\uff0c\u4f46\u81f3\u5c11\u6bd4IDA\u597d\u591a\u4e86\uff0c\u5728\u53f3\u4fa7\u53ef\u4ee5\u8df3\u8f6c\u5230\u6211\u4eec\u9700\u8981\u5f02\u6216\u7684\u6570\u636e\uff0c\u800c\u4e14\u80fd\u770b\u89c1\u660e\u663e\u7684\u5f02\u6216\u903b\u8f91<\/p>\n
\u5199\u51fa\u811a\u672c\uff1a<\/p>\n
str=[0x76, 0x0E, 0x77, 0x14, 0x60, 0x06, 0x7D, 0x04, 0x6B, 0x1E, \n 0x41, 0x2A, 0x44, 0x2B, 0x5C, 0x03, 0x3B, 0x0B, 0x33, 0x05, \n 0x15] \nflag="" \nfor i in range(1,len(str)): \n flag+=chr((str[i])^str[i-1]) \nprint(flag)<\/code><\/pre>\n\u4e0d\u8fc7\u8fd9\u6bb5\u4ee3\u7801\u53d1\u751f\u4e86\u6570\u7ec4\u8d8a\u754c\uff0c\u4f1a\u5f71\u54cdflag\u6700\u540e\u4e00\u4f4d\u7684\u7ed3\u679c\uff0c\u6211\u4eec\u8fd0\u884c\u4e4b\u540e\u53ef\u4ee5\u5f97\u5230
\nxyctf{you_know_8086\u0010<\/code> \u6700\u540e\u4e00\u4f4d\u5fc5\u4e3a\u201d}\u201c,\u4e8e\u662f\u6211\u4fbf\u61d2\u5f97\u4fee\u6b63\u4e86<\/p>\n\u7838\u6838\u6843<\/h3>\n
\u4e0b\u8f7d\u9644\u4ef6\uff0c\u67e5\u770b\u4e00\u4e0b\u6587\u4ef6\u4fe1\u606f\uff1a
\n
<\/div><\/p>\n\u6700\u5f00\u59cb\u4e0d\u77e5\u9053\u6253\u5305\u5de5\u5177\u662f\u4ec0\u4e48\u610f\u601d\uff0c\u76f4\u63a5\u7528IDA\u770b\u4e86\u8fd9\u4e2a\u7a0b\u5e8f\uff0c\u53d1\u73b0\u8ddf\u672a\u8131\u58f3\u7684UPX\u6253\u5f00\u5f88\u50cf\uff0c\u6211\u624d\u610f\u8bc6\u5230NsPacK\u662f\u4e2a\u6ca1\u89c1\u8fc7\u7684\u58f3\uff0c\u4e8e\u662f\u6211\u53bb\u7f51\u4e0a\u641c\u4e86\u4e00\u4e0b\uff0c\u51c6\u5907\u8ddf\u7740\u6559\u7a0b\u8fdb\u884c\u8131\u58f3<\/p>\n
\u7136\u540e\u53d1\u73b0\u624b\u8131\u8131\u4e00\u534a\u6b7b\u4e86\uff0cxdbg\u95ea\u7ea2\u4e0d\u77e5\u9053\u600e\u4e48\u89e3\u51b3<\/p>\n
\u5b9e\u5728\u6ca1\u529e\u6cd5\uff0c\u53bb\u770b\u96ea\u627e\u4e86\u4e2a\u8131\u58f3\u673a\uff0c\u8131\u5b8c\u58f3\u4e4b\u540e\u5c31\u5230\u4e86\u559c\u95fb\u4e50\u89c1\u7684IDA\u73af\u8282<\/p>\n
\u8fdb\u53bb\u5c31\u662fmain\u51fd\u6570\uff1a<\/p>\n
int __cdecl main(int argc, const char **argv, const char **envp)\n{\n int v4; \/\/ eax\n char Buffer[52]; \/\/ [esp+4h] [ebp-38h] BYREF\n\n memset(Buffer, 0, 50);\n printf("Please Input Flag:");\n gets_s(Buffer, 0x2Cu);\n if ( strlen(Buffer) == 42 )\n {\n v4 = 0;\n while ( (Buffer[v4] ^ aThisIsNotFlag[v4 % 16]) == dword_402150[v4] )\n {\n if ( ++v4 >= 42 )\n {\n printf("right!\\n");\n return 0;\n }\n }\n printf("error!\\n");\n return 0;\n }\n else\n {\n printf("error!\\n");\n return -1;\n }\n}<\/code><\/pre>\n\u53ef\u4ee5\u53d1\u73b0\u8fd9\u91cc\u505a\u4e86\u5f02\u6216\uff0c\u800c\u4e24\u7ec4\u6570\u636e\u6211\u4eec\u90fd\u6709\uff0c\u5199\u811a\u672c\u5c31\u5b8c\u4e8b\u4e86\uff1a<\/p>\n
dword_402150 = [0x12,0x04,0x08,0x14,0x24,0x5C,0x4A,0x3D,0x56,0x0A,0x10,0x67,0x00,0x41,0x00,0x01,0x46,0x5A,0x44,0x42,0x6E,0x0C,0x44,0x72,0x0C,0x0D,0x40,0x3E,0x4B,0x5F,0x02,0x01,0x4C,0x5E,0x5B,0x17,0x6E,0x0C,0x16,0x68,0x5B,0x12,0x02,0x48,0x0E] \naThisIsNotFlag = "this_is_not_flag" \n\n#\u901a\u8fc7\u5f02\u6216\u64cd\u4f5c\u6765\u89e3\u5bc6Buffer \nBuffer = "" \nfor i in range(42): \n Buffer += chr(ord(aThisIsNotFlag[i % 16]) ^ dword_402150[i]) \n\nprint("Decrypted Buffer:", Buffer) \n#Decrypted Buffer: flag{59b8ed8f-af22-11e7-bb4a-3cf862d1ee75}<\/code><\/pre>\n\u8bb0\u5fc6\u7684\u65f6\u5149\u673a<\/h3>\n
\u88abjmp\u4e86\uff0c\u8fd8\u53bb\u9664\u4e0d\u4e86\uff0c\u65e0\u6240\u8c13\uff0c\u6211\u4f1a\u770b\u6c47\u7f16<\/p>\n
.text:00005602D3177570 loc_5602D3177570:; CODE XREF: sub_5602D3177560+31\u2193j\n.text:00005602D3177570 movzx edi, byte ptr [r12+rbx] ; \u53d6\u51fa\u8f93\u5165\u7684\u4e00\u4e2a\u5b57\u7b26\n.text:00005602D3177575 mov esi, ebx\n.text:00005602D3177577 call enc ; \u8fdb\u884c\u52a0\u5bc6\n.text:00005602D317757C cmp [r13+rbx+0], al ; \u8fdb\u884c\u9a8c\u8bc1\n.text:00005602D3177581 setz al\n.text:00005602D3177584 add rbx, 1; \u5e8f\u53f7\u52a01\n.text:00005602D3177588 movzx eax, al\n.text:00005602D317758B and ebp, eax\n.text:00005602D317758D cmp rbx, 30h ; '0'; \u662f\u5426\u5df2\u7ecf\u9a8c\u8bc10x30\u4e2a\u5b57\u7b26\n.text:00005602D3177591 jnz short loc_5602D3177570 ; \u53d6\u51fa\u8f93\u5165\u7684\u4e00\u4e2a\u5b57\u7b26\n.text:00005602D3177593 jmp loc_5602D31774FE\n.text:00005602D3177593 sub_5602D3177560\nendp<\/code><\/pre>\n\u627e\u5230\u6570\u636e\u52a0\u5bc6\u548c\u9a8c\u8bc1\u7684\u4f4d\u7f6e\uff0c\u63d0\u53d6\u51fa\u76ee\u6807\u6570\u636e<\/p>\n
.text:00005602D3177418 sub_5602D3177418 proc near ; DATA XREF: enc+4D\u2191o\n.text:00005602D3177418 endbr64\n.text:00005602D317741C mov rcx, [rsp+rax*8+0]\n.text:00005602D3177420 add edx, 1\n.text:00005602D3177423 movzx r9d, byte ptr [r11+r10] ; \u53d6\u51fa\u4e00\u4e2akey\u503c\n.text:00005602D3177428 lea eax, [rdx-1]\n.text:00005602D317742B jmp rcx\n.text:00005602D317742B sub_5602D3177418 endp\n.text:00005602D317742B\n.text:00005602D317742B ; \n---------------------------------------------------------\u0002--------------\u0002\n.text:00005602D317742D align 10h\n.text:00005602D3177430\n.text:00005602D3177430 ;\n=============== S U B R O U T I N E=======================================\n.text:00005602D3177430\n.text:00005602D3177430\n.text:00005602D3177430 sub_5602D3177430 proc near ; DATA XREF: enc+3A\u2191o\n.text:00005602D3177430 endbr64\n.text:00005602D3177434 mov rcx, [rsp+rax*8+0]\n.text:00005602D3177438 add edx, 1\n.text:00005602D317743B sub r8d, 6\n.text:00005602D317743F lea eax, [rdx-1]\n.text:00005602D3177442 jmp rcx\n.text:00005602D3177442 sub_5602D3177430 endp\n.text:00005602D3177442\n.text:00005602D3177442 ;\n---------------------------------------------------------\u0002--------------\u0002\n.text:00005602D3177444 align 8\n.text:00005602D3177448\n.text:00005602D3177448 ;\n=============== S U B R O U T I N E=======================================\n.text:00005602D3177448\n.text:00005602D3177448\n.text:00005602D3177448 sub_5602D3177448 proc near ; DATA XREF: enc+27\u2191o\n.text:00005602D3177448 endbr64\n.text:00005602D317744C mov rcx, [rsp+rax*8+0]\n.text:00005602D3177450 xor r8d, esi ; 6\u5f02\u6216\u4e0a\u8f93\u5165\n.text:00005602D3177453 add edx, 1\n.text:00005602D3177456 xor r8d, 66h ; \u518d\u5f02\u6216\u4e0a0x66\n.text:00005602D317745A lea eax, [rdx-1]\n.text:00005602D317745D jmp rcx<\/code><\/pre>\n\u53ef\u4ee5\u770b\u4e0a\u6587\u7684\u6c47\u7f16\u540e\u9762\u7684\u6ce8\u91ca\uff1a
\n\u5148\u5c06\u8f93\u5165\u5f02\u6216\u4e0aidx+6
\n\u518d\u5f02\u6216\u4e0a0x66
\n\u5f97\u5230\u7684\u503c-6
\n\u518d\u5c06\u5f97\u5230\u7684\u503c\u5f02\u6216key\uff0c\u5c31\u662f\u52a0\u5bc6\u7ed3\u679c<\/p>\n
\u6211\u4eec\u63d0\u53d6\u51fakey\u548c\u5bc6\u6587\u5199python\u811a\u672c\uff1a<\/p>\n
target = [0x69, 0x58, 0x61, 0x63, 0x67, 0x4C, 0x4D, 0x32, 0x98, 0x20, 0x4D, 0x51, \n0x7B, 0x25, 0x75, 0x51, 0xA3, 0x58, 0x60, 0x72, 0x42, 0x62, 0x67, 0x66, 0x37, 0x6C, \n0x30, 0x46, 0x66, 0x4F, 0x5D, 0x03, 0x5D, 0xA4, 0x66, 0x01, 0x43, 0x68, 0x7D, 0x7C, \n0x55, 0x4F, 0x7A, 0x3F, 0x6C, 0x12, 0x21, 0x09] \nkey = [ 0x69, 0x5F, 0x68, 0x61, 0x76, 0x65, 0x5F, 0x67, 0x65, 0x74, 0x5F, 0x73, \n0x68, 0x65, 0x6C, 0x6C, 0x5F, 0x62, 0x75, 0x74, 0x5F, 0x77, 0x68, 0x65, 0x72, 0x65, \n0x5F, 0x69, 0x73, 0x5F, 0x79, 0x6F, 0x75, 0x5F, 0x6D, 0x79, 0x5F, 0x64, 0x65, 0x61, \n0x72, 0x5F, 0x62, 0x61, 0x62, 0x79, 0x21, 0x21] \nflag = "" \nv1 = 6 \nfor i in range(len(target)): \n ch = target[i] ^ key[i] \n ch = ( ch + 6 ) &0xff \n ch = ch ^ v1 ^ 0x66 \n flag += chr(ch) \n v1 += 1 \nprint(flag)\n#flag{Br0k3n_m3m0r1es_for3v3r_Sh1n@_1n_The_H3@$T}<\/code><\/pre>\n\u76f8\u9022\u5df2\u662f\u4e0a\u4e0a\u7b7e<\/h3>\n
\u67e5\u770b\u6587\u4ef6\u4fe1\u606f\uff1a
\n
<\/div><\/p>\n\u6700\u5f00\u59cb\u4ee5\u4e3a\u662f16\u4f4d\u7a0b\u5e8f\uff0c\u4f46\u662fIDA\u5c45\u7136\u4e5f\u6253\u4e0d\u5f00\uff08\uff1f<\/p>\n
\u67e5\u770b\u4e00\u4e0b\u6587\u4ef6\u5934\uff1a
\n
<\/div><\/p>\n\u53d1\u73b0\u8fd9\u5e76\u4e0d\u662f\u4e00\u4e2a16\u4f4d\u7684\u7a0b\u5e8f\uff0c\u4ed6\u6709\u6807\u51c6\u7684PE\u5934\u7684<\/p>\n
\u4e0d\u77e5\u9053\u54ea\u91cc\u88ab\u9b54\u6539\u4e86\uff0c\u6253\u5f00\u4e00\u4e2a\u6b63\u5e38\u7684PE\u6587\u4ef6\u770b\u4e00\u4e0b\uff1a
\n
<\/div>
\n\u53ef\u4ee5\u770b\u89c130h\u884c\u7684C\u4f4d00\u88ab\u6539\u6210\u4e8610\uff0c\u6211\u4eec\u6539\u56de\u6765\u5c31\u884c\u4e86<\/p>\n<\/div>
\n\u8fd9\u65f6\u5019\u518d\u770b\u5c31\u6b63\u5e38\u4e86<\/p>\n\u6253\u5f00IDA\uff1a<\/p>\n
int __cdecl main(int argc, const char **argv, const char **envp)\n{\n int v4; \/\/ [esp+8h] [ebp-50h]\n int i; \/\/ [esp+Ch] [ebp-4Ch]\n int v6[8]; \/\/ [esp+10h] [ebp-48h]\n char Str[4]; \/\/ [esp+30h] [ebp-28h] BYREF\n int v8; \/\/ [esp+34h] [ebp-24h]\n int v9; \/\/ [esp+38h] [ebp-20h]\n int v10; \/\/ [esp+3Ch] [ebp-1Ch]\n int v11; \/\/ [esp+40h] [ebp-18h]\n int v12; \/\/ [esp+44h] [ebp-14h]\n int v13; \/\/ [esp+48h] [ebp-10h]\n int v14; \/\/ [esp+4Ch] [ebp-Ch]\n char v15; \/\/ [esp+50h] [ebp-8h]\n\n *Str = 0;\n v8 = 0;\n v9 = 0;\n v10 = 0;\n v11 = 0;\n v12 = 0;\n v13 = 0;\n v14 = 0;\n v15 = 0;\n v6[0] = 1718186609;\n v6[1] = -1989270907;\n v6[2] = -988247013;\n v6[3] = 1924988163;\n v6[4] = 1400902090;\n v6[5] = 1302415020;\n v6[6] = -2040328853;\n v6[7] = -124282896;\n printf("Please enter your key:");\n scanf("%s", &byte_422918);\n if ( 532 * *(&byte_422918 + 5)\n + 829 * *(&byte_422918 + 4)\n + 258 * *(&byte_422918 + 3)\n + 811 * *(&byte_422918 + 2)\n + 997 * *(&byte_422918 + 1)\n + 593 * byte_422918 == 292512\n && 576 * *(&byte_422918 + 5)\n + 695 * *(&byte_422918 + 4)\n + 602 * *(&byte_422918 + 3)\n + 328 * *(&byte_422918 + 2)\n + 686 * *(&byte_422918 + 1)\n + 605 * byte_422918 == 254496\n && 580 * *(&byte_422918 + 5)\n + 448 * *(&byte_422918 + 4)\n + 756 * *(&byte_422918 + 3)\n + 449 * *(&byte_422918 + 2)\n + (*(&byte_422918 + 1) << 9)\n + 373 * byte_422918 == 222479\n && 597 * *(&byte_422918 + 5)\n + 855 * *(&byte_422918 + 4)\n + 971 * *(&byte_422918 + 3)\n + 422 * *(&byte_422918 + 2)\n + 635 * *(&byte_422918 + 1)\n + 560 * byte_422918 == 295184\n && 524 * *(&byte_422918 + 5)\n + 324 * *(&byte_422918 + 4)\n + 925 * *(&byte_422918 + 3)\n + 388 * *(&byte_422918 + 2)\n + 507 * *(&byte_422918 + 1)\n + 717 * byte_422918 == 251887\n && 414 * *(&byte_422918 + 5)\n + 495 * *(&byte_422918 + 4)\n + 518 * *(&byte_422918 + 3)\n + 884 * *(&byte_422918 + 2)\n + 368 * *(&byte_422918 + 1)\n + 312 * byte_422918 == 211260 )\n {\n printf(&unk_41B19C);\n }\n else\n {\n _loaddll(0);\n }\n printf("Please enter your flag:");\n scanf("%s", Str);\n if ( strlen(Str) != 32 )\n {\n printf("Wrong length\\n");\n _loaddll(0);\n }\n v4 = strlen(Str) \/ 4;\n sub_401000(Str, v4);\n for ( i = 0; i < v4; ++i )\n {\n if ( v6[i] != *&Str[4 * i] )\n {\n printf("Wrong!!!\\n");\n _loaddll(0);\n }\n }\n printf("congratulations\\n");\n system("pause");\n return 0;\n}<\/code><\/pre>\n\u521d\u59cb\u5316\u4e86\u4e00\u4e9b\u6570\u636e\uff0cbyte_422918(key)\u9700\u8981\u7528z3\u89e3\u4e00\u4e0b\uff0c\u7136\u540e\u7ecf\u8fc7\u4e86sub_401000\u51fd\u6570\u52a0\u5bc6\uff1a<\/p>\n
int __cdecl sub_401000(_DWORD *a1, int a2)\n{\n int v2; \/\/ ecx\n int v3; \/\/ eax\n int v4; \/\/ edx\n int result; \/\/ eax\n int v6; \/\/ [esp+4h] [ebp-1Ch]\n int v7; \/\/ [esp+Ch] [ebp-14h]\n unsigned int v8; \/\/ [esp+10h] [ebp-10h]\n unsigned int v9; \/\/ [esp+18h] [ebp-8h]\n unsigned int i; \/\/ [esp+1Ch] [ebp-4h]\n\n if ( a2 > 1 )\n {\n v7 = 52 \/ a2 + 6;\n v8 = 0;\n v9 = a1[a2 - 1];\n do\n {\n v8 -= 1640531527;\n v6 = (v8 >> 2) & 5;\n for ( i = 0; i < a2 - 1; ++i )\n {\n v2 = ((v9 ^ byte_422918[v6 ^ i & 5]) + (a1[i + 1] ^ v8)) ^ (((16 * v9) ^ (a1[i + 1] >> 3))\n + ((4 * a1[i + 1]) ^ (v9 >> 5)));\n v3 = a1[i];\n a1[i] = v2 + v3;\n v9 = v2 + v3;\n }\n v4 = (((v9 ^ byte_422918[v6 ^ i & 5]) + (*a1 ^ v8)) ^ (((16 * v9) ^ (*a1 >> 3)) + ((4 * *a1) ^ (v9 >> 5))))\n + a1[a2 - 1];\n a1[a2 - 1] = v4;\n result = v4;\n v9 = v4;\n --v7;\n }\n while ( v7 );\n }\n return result;\n}<\/code><\/pre>\n\u5148Z3\u6c42key\uff1a<\/p>\n
from z3 import * \n\nbyte_422918 = [BitVec(f'byte_422918_{i}', 8) for i in range(6)] \n\ns = Solver() \n\ns.add(532 * byte_422918[5] + \n 829 * byte_422918[4] + \n 258 * byte_422918[3] + \n 811 * byte_422918[2] + \n 997 * byte_422918[1] + \n 593 * byte_422918[0] == 292512) \n\ns.add(576 * byte_422918[5] + \n 695 * byte_422918[4] + \n 602 * byte_422918[3] + \n 328 * byte_422918[2] + \n 686 * byte_422918[1] + \n 605 * byte_422918[0] == 254496) \n\ns.add(580 * byte_422918[5] + \n 448 * byte_422918[4] + \n 756 * byte_422918[3] + \n 449 * byte_422918[2] + \n (byte_422918[1] << 9) + \n 373 * byte_422918[0] == 222479) \n\ns.add(597 * byte_422918[5] + \n 855 * byte_422918[4] + \n 971 * byte_422918[3] + \n 422 * byte_422918[2] + \n 635 * byte_422918[1] + \n 560 * byte_422918[0] == 295184) \n\ns.add(524 * byte_422918[5] + \n 324 * byte_422918[4] + \n 925 * byte_422918[3] + \n 388 * byte_422918[2] + \n 507 * byte_422918[1] + \n 717 * byte_422918[0] == 251887) \n\ns.add(414 * byte_422918[5] + \n 495 * byte_422918[4] + \n 518 * byte_422918[3] + \n 884 * byte_422918[2] + \n 368 * byte_422918[1] + \n 312 * byte_422918[0] == 211260) \nif s.check() == sat: \n m = s.model() \n for i in range(6): \n print(f"byte_422918[{i}] = {m[byte_422918[i]]}") \n\nelse: \n print("No solution found.")<\/code><\/pre>\nkey\u4e3a"XYCTF!\u201c
\n\u518d\u5957XXTEA\uff1a<\/p>\n
#include <iostream>\n#include <cstdint>\n\nusing namespace std;\n\n#define DELTA 0x9E3779B9\n#define MX (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) + (key[(p & 5) ^ e] ^ z)))\n\nvoid btea(uint32_t* v, int n, const uint32_t key[6]) {\n uint32_t y, z, sum;\n unsigned p, rounds, e;\n\n if (n > 1) {\n rounds = 6 + 52 \/ n;\n sum = 0;\n z = v[n - 1];\n do {\n sum += DELTA;\n e = (sum >> 2) & 5;\n for (p = 0; p < n - 1; p++) {\n y = v[p + 1];\n z = v[p] += MX;\n }\n y = v[0];\n z = v[n - 1] += MX;\n } while (--rounds);\n }\n else if (n < -1) {\n n = -n;\n rounds = 6 + 52 \/ n;\n sum = rounds * DELTA;\n y = v[0];\n do {\n e = (sum >> 2) & 5;\n for (p = n - 1; p > 0; p--) {\n z = v[p - 1];\n y = v[p] -= MX;\n }\n z = v[n - 1];\n y = v[0] -= MX;\n sum -= DELTA;\n } while (--rounds);\n }\n}\n\nint main() {\n unsigned char ida_chars[] = {\n 113, 114, 105, 102, 133, 34, 110, 137, 27, 140,\n 24, 197, 3, 253, 188, 114, 202, 17, 128, 83,\n 172, 70, 161, 77, 107, 13, 99, 134, 240, 151,\n 151, 248\n };\n uint32_t key[] = {\n 88, 89, 67, 84, 70, 33\n };\n uint32_t* p = reinterpret_cast<uint32_t*>(ida_chars);\n btea(p, -8, key);\n for (int i = 0; i < 32; i++) {\n cout << ida_chars[i];\n }\n cout << endl;\n return 0;\n}\n\/\/XYCTF{XXTEA_AND_Z3_1s_S0_easy!!}<\/code><\/pre>\nbaby unity<\/h3>\n
\u4e0b\u8f7d\u9644\u4ef6\u4e4b\u540e\u8fdb\u53bb\u80fd\u770b\u89c1il2cpp\uff0c\u7136\u540e\u53bb\u7f51\u4e0a\u641c\u4e86\u4e00\u4e0b\uff0c\u867d\u7136\u6ca1\u6709\u7279\u522b\u597d\u7684\u6587\u7ae0\uff0c\u4f46\u662f\u4e5f\u7b97\u662f\u77e5\u9053\u8981\u53bb\u4e0b\u4e00\u4e2aIl2CppDumper.exe\uff0c\u8fd9\u662f\u4e00\u4e2a\u5728github\u4e0a\u5f00\u6e90\u4e86\u7684\u9879\u76ee\uff0c\u80fd\u591fdump\u51fail2cpp\u4e2d\u9690\u85cf\u7684\u6587\u4ef6\u4eec\uff0c\u94fe\u63a5\u5982\u4e0b\uff1a
\nhttps:\/\/github.com\/Perfare\/Il2CppDumper\/<\/a><\/p>\n\u5728\u9879\u76ee\u4e2d\u4e5f\u8bf4\u660e\u4e86Il2CppDumper\u8be5\u5982\u4f55\u4f7f\u7528\uff0c\u8fd9\u91cc\u5c31\u4e0d\u8fc7\u591a\u8d58\u8ff0\u4e86\uff0c\u4f5c\u4e3a\u6ca1\u89c1\u8fc7\u7684\u65b0unity\u9898\u578b\uff0c\u6211\u4e5f\u53ea\u80fd\u505a\u5230\u8fb9\u5b66\u8fb9\u505a<\/p>\n
\u4e0b\u4e00\u6b65\u4fbf\u662f\u4f7f\u7528Il2CppDumper\u63d0\u53d6\u6587\u4ef6\uff0c\u7f51\u4e0a\u53ea\u770b\u89c1\u63d0\u51faapk\u4e2d\u7684libil2cpp.so\u6587\u4ef6\uff0c\u76f8\u5f53\u4e8eapk\u7684dll\uff0c\u4f46\u6211\u4eec\u9700\u8981\u89e3\u51b3\u7684\u662fexe\uff0c\u6682\u65f6\u5361\u4f4f\u4e86\uff0c\u540e\u9762\u7ecf\u8fc7\u6211\u7684\u641c\u7d22\uff0c\u5f97\u5230\u4e86GameAssembly.dll\u6587\u4ef6\u5c31\u76f8\u5f53\u4e8eapk\u7684\u90a3\u4e2a.so\u6587\u4ef6\uff0c\u63a5\u4e0b\u6765\u5c31\u53ef\u4ee5\u8fdb\u884cdump\u4e86<\/p>\n
\u968f\u540e\u6211\u8ddf\u7740\u7f51\u4e0a\u7684\u6559\u7a0b\uff0c\u5374\u51fa\u73b0\u4e86\u62a5\u9519\uff1a
\n
<\/div><\/p>\n\u53c8\u5361\u4f4f\u4e86\uff0c\u5509<\/p>\n
\u540e\u6765\u53d1\u73b0\u90a3\u4e2a\u8be5\u6b7b\u7684dll\u52a0\u4e86\u4e00\u4e2a\u58f3\uff0c\u51fa\u9898\u4eba\u6ce5\u2026\u2026\u6211\u53bb\u53a8\u623f\u7ed9\u4f60\u62ff\u70b9\u94b1
\n
<\/div><\/p>\n\u662f\u4e2a4.21\u7684UPX\u58f3\uff0c\u7531\u4e8e\u4e4b\u524d\u7528\u4f4e\u7248\u672cUPX\u5de5\u5177\u53bb\u8131\u9ad8\u7248\u672cUPX\u58f3\u65f6\u51fa\u73b0\u8fc7\u95ee\u9898\uff0c\u8fd9\u6b21\u6211\u4f7f\u7528\u5bf9\u5e94\u7248\u672c\u7684UPX-d\u5bf9\u5176\u8fdb\u884c\u8131\u58f3\uff1a
\n
<\/div><\/p>\n\u81f3\u6b64\uff0c\u6211\u4eec\u5c31\u53ef\u4ee5\u4f7f\u7528Il2cppDumper\u8fdb\u884c\u6b63\u5e38dump\u4e86<\/p>\n
<\/div>
\n\u8fd9\u91cc\u5c31\u53ef\u4ee5\u770b\u51fa\u6765\u6211\u4eecdump\u6210\u529f\u4e86\uff0c\u4f46\u7531\u4e8e\u6211\u6ca1\u6709\u6307\u5b9adump\u51fa\u6765\u7684\u8def\u5f84\uff0c\u56e0\u6b64\u6211\u4eec\u9700\u8981\u8fdb\u5165Il2CppDumper.exe\u6240\u5728\u7684\u6587\u4ef6\u5939\u53bb\u5bfb\u627e\u51fa\u6765\u7684\u6587\u4ef6\uff1a
\n<\/div>
\n\u4e0d\u51fa\u610f\u5916\u662f\u80fd\u770b\u89c1\u8fd9\u4e9b\u6587\u4ef6\u7684\uff0c\u6211\u5c06\u5b83\u4eec\u6253\u5305\u5230\u540c\u4e00\u4e2a\u6587\u4ef6\u5939\u91cc\u9762\u4e86\uff0c\u800c\u4e14\u5728DummyDll\u91cc\u9762\u6709\u4e00\u4e2a\u719f\u6089\u7684\u6587\u4ef6Assembly-CSharp.dll\uff0c\u89c1\u8fc7unity\u9006\u5411\u7684\u54e5\u4eec\u5e94\u8be5\u90fd\u77e5\u9053\uff0c\u6211\u4eec\u5e73\u5e38\u7684unity\u90fd\u662f\u901a\u8fc7\u8fd9\u4e2a\u6587\u4ef6\u8fdb\u884c\u9006\u5411\u7684\uff0c\u4f46\u662f\u8fd9\u6b21\u6211\u4f7f\u7528dnSpy\u6253\u5f00\u5374\u6ca1\u6709\u53d1\u73b0\u4efb\u4f55\u4e1c\u897f\uff0c\u53ea\u6709ChackFlag\u8fd9\u4e9b\u51fd\u6570\u540d\uff0c\u6ca1\u6709\u89c1\u5230\u4efb\u4f55\u7684\u5bc6\u6587\u548c\u51fd\u6570\u903b\u8f91\uff0c\u7ebf\u7d22\u5230\u8fd9\u91cc\u53c8\u65ad\u4e86\u2026\u2026<\/p>\n\u76f4\u5230\u540e\u6765\uff0c\u6211\u627e\u5230\u4e86\u4e00\u7bc7\u5e16\u5b50\uff1a[\u539f\u521b]IL2CPP \u9006\u5411\u521d\u63a2-\u8f6f\u4ef6\u9006\u5411-\u770b\u96ea-\u5b89\u5168\u793e\u533a|\u5b89\u5168\u62db\u8058|kanxue.com<\/a>
\n\u6ca1\u60f3\u5230\u662fPZ\u5927\u4f6c\u5199\u7684\uff0c\u800c\u4e14\u5de8\u8be6\u7ec6\uff0c\u6211\u51b3\u5b9a\uff0c\u8ddf\u7740\u8fd9\u4e2a\u5e16\u5b50\u4e00\u6b65\u4e00\u6b65\u5f80\u4e0b\u505a<\/p>\n\u7ed3\u679c\u53c8\u53c8\u53c8\u53c8\u5361\u4f4f\u4e86\uff0c\u4e0d\u77e5\u9053\u600e\u4e48\u5bfc\u5165\u6587\u4ef6\uff0c\u540e\u6765\u81ea\u5df1\u627e\u4e86\u4e00\u4e0b\u624d\u77e5\u9053(\u6211alt+F7\u6ca1\u53cd\u5e94)<\/p>\n
\u7528IDA\u6253\u5f00GameAssembly.dll\uff0c\u56e0\u4e3a\u51fd\u6570\u6bd4\u8f83\u591a\u7684\u7f18\u6545\uff0c\u8fd9\u9700\u8981\u52a0\u8f7d\u4e00\u4f1a<\/p>\n
<\/div><\/p>\nfile\u8fd9\u4e00\u680f\u6709Script file\u9009\u9879\uff0c\u6b63\u597d\u5bf9\u5e94\u7740Alt+F7<\/p>\n
\u6211\u4eec\u70b9\u5f00\u8fd9\u4e2a\uff0c\u9009\u62e9ida_with_struct_py3.py\u6587\u4ef6
\n
<\/div><\/p>\n\u518d\u9009\u62e9script.json\u6587\u4ef6
\n
<\/div><\/p>\n\u518d\u5bfc\u5165il2cpp.h
\n
<\/div><\/p>\n\u6700\u540e\u7b49\u5f85\u4e00\u6bb5\u65f6\u95f4\u8ba9IDA\u52a0\u8f7d\u597d\u51fd\u6570\u540d\u5c31\u884c\u4e86
\n
<\/div><\/p>\n\u8fd9\u6837\u5c31\u7b97\u662f\u6062\u590d\u7b26\u53f7\u8868\u4e86<\/p>\n
\u8fd9\u65f6\u5019\u6211\u4eec\u5c31\u7528dnSpy\u67e5\u770b\u4e00\u4e0bAssembly-CSharp.dll\u91cc\u9762\u6709\u54ea\u4e9b\u51fd\u6570
\n
<\/div>
\n\u6211\u4eec\u53bbIDA\u4e2d\u627e\u5230\u5bf9\u5e94\u7684\u51fd\u6570
\n<\/div><\/p>\n\u8fdb\u5165CheckkkkkkkkkkFlag\u51fd\u6570
\n
<\/div><\/p>\n\u8fd9\u4e00\u6bb5\u5c31\u662f\u4f20\u5165\u6211\u4eec\u7684input\u7684\uff0c\u7136\u540e\u518d\u52a0\u5bc6\u548c\u6bd4\u5bf9\uff0c\u6211\u4eec\u67e5\u770bStringLiteral_4850<\/p>\n
\u63d0\u53d6\u51fa\u5b57\u7b26\u4e32\uff1aXIcKYJU8Buh:UeV:BKN{U[JvUL??VuZ?CXJ;AX^{Ae]gA[]gUecb@K]ei^22<\/code><\/p>\n\u6211\u4eec\u518d\u53bb\u770b\u770b\u52a0\u5bc6\u51fd\u6570EEEEEEEEEEEEEncrypt
\n
<\/div><\/p>\n\u4e0d\u96be\u770b\u51fa\uff0c\u4f20\u5165\u7684\u5b57\u7b26\u4e32\u9996\u5148\u8fdb\u884c\u4e86base64\u7f16\u7801\uff0c\u7136\u540e\u4e0e0xF\u8fdb\u884c\u4e86\u5f02\u6216\uff0c\u6211\u4eec\u636e\u6b64\u53ef\u4ee5\u5199\u51fa\u811a\u672c<\/p>\n
import base64 \n\nenc="" \nflag="" \nstr="XIcKYJU8Buh:UeV:BKN{U[JvUL??VuZ?CXJ;AX^{Ae]gA[]gUecb@K]ei^22" \nfor i in range(len(str)) : \n enc+=chr(ord(str[i])^0xF) \nprint(enc)\n#WFlDVEZ7Mzg5ZjY5MDAtZTEyZC00YzU0LWE4NWQtNjRhNTRhZjlmODRjfQ== \nflag=base64.b64decode(enc) \nprint(flag)\n#XYCTF{389f6900-e12d-4c54-a85d-64a54af9f84c}<\/code><\/pre>\n\u5f53\u7136\uff0c\u6211\u4eec\u8fd8\u53ef\u4ee5\u4f7f\u7528\u8d5b\u535a\u53a8\u5b50\u76f4\u63a5\u70e4\u4e86
\n
<\/div><\/p>\n\u81f3\u6b64\uff0c\u89e3\u51faflag\u4e3aXYCTF{389f6900-e12d-4c54-a85d-64a54af9f84c}<\/p>\n
DebugMe<\/h3>\n
\u4e4b\u524d\u4e00\u76f4\u6ca1\u8bd5\u8fc7\u5b89\u5353\u52a8\u8c03\uff0c\u8fd9\u6b21\u6b63\u597d\u5b66\u4e00\u4e0b\uff0c\u5728\u7f51\u4e0a\u627e\u4e86\u7bc7\u5e16\u5b50\u8ddf\u7740\u505a<\/p>\n
\u5148\u5b89\u88c5\u4e00\u4e0b\u9644\u4ef6\uff0c\u6253\u5f00\u770b\u770b\u4ec0\u4e48\u6210\u5206<\/p>\n
click\u5c31\u4f1a\u51fa\u73b0\u201dflag\u5462\u201c
\n
<\/div><\/p>\n\u7136\u540e\u6211\u518d\u7528jadx\u53cd\u7f16\u8bd1\u4e86\u4e00\u4e0b\uff1a
\n
<\/div>
\n\u6709\u5f88\u591a\u5947\u602a\u7684\u4e1c\u897f\uff0c\u53cd\u6b63\u6211\u662f\u6bdb\u4e5f\u770b\u4e0d\u51fa<\/p>\n\u5c31\u6309\u7167\u9898\u76ee\u63d0\u793a\u53bb\u52a8\u8c03\u5427\uff0c\u8fd9\u8fb9\u6211\u7528\u7684\u662f\u96f7\u75359<\/p>\n
\u5c06ADB\u7684\u8def\u5f84\u586b\u4e0a\u53bb
\n
<\/div><\/p>\n\u7136\u540e\u8fd0\u884c\u7a0b\u5e8f\u5c31\u884c\u4e86<\/p>\n
\u8fd9\u65f6\u5019\u6211\u53d1\u73b0\uff0cClick\u5c31\u4f1a\u51fa\u73b0flag\u4e86\uff0c\u597d\u795e\u5947
\n
<\/div><\/p>\n\u6b64\u5916\uff0c\u6211\u4eec\u8fd8\u53ef\u4ee5\u901a\u8fc7\u4fee\u6539smali\u4ee3\u7801\u8fc7\u8c03\u8bd5\u68c0\u6d4b\uff0c\u66f4\u6539\u5176\u4e2d\u7684if\u5224\u65ad\u5c31\u884c\u4e86\uff0c\u5404\u4f4d\u53ef\u4ee5\u81ea\u884c\u63a2\u7a76<\/p>\n
ez_cube<\/h3>\n
\u9898\u76ee\u63d0\u793a\u7ed9\u4e86\u8bf4\u662f\u9b54\u65b9\uff0c\u5f53\u7136\uff0c\u6211\u8fdb\u53bb\u4e4b\u540e\u4e5f\u80fd\u77e5\u9053\uff0c\u5148\u7528IDA\u6253\u5f00<\/p>\n
\u76f4\u63a5\u80fd\u770b\u89c1main\u51fd\u6570jmp\u5230main_0\u51fd\u6570\uff0c\u8fd9\u5c31\u662f\u4e3b\u8981\u903b\u8f91\u6240\u5728\u5730\uff1a<\/p>\n
int __fastcall main_0(int argc, const char **argv, const char **envp)\n{\n int i; \/\/ [rsp+44h] [rbp+24h]\n char v5; \/\/ [rsp+64h] [rbp+44h]\n int v6; \/\/ [rsp+84h] [rbp+64h]\n\n j___CheckForDebuggerJustMyCode(&unk_7FF73E4E40A2, argv, envp);\n for ( i = 0; i < 9; ++i )\n {\n qword_7FF73E4DFB60[i] = &aRed;\n qword_7FF73E4DFB00[i] = "Blue";\n qword_7FF73E4DFAA0[i] = "Green";\n qword_7FF73E4DFA40[i] = "Orange";\n qword_7FF73E4DF9E0[i] = "Yellow";\n qword_7FF73E4DF980[i] = "White";\n }\n qword_7FF73E4DFB00[1] = &aRed;\n qword_7FF73E4DFB60[1] = "Green";\n qword_7FF73E4DFAA0[1] = "Blue";\n while ( 1 )\n {\n do\n v5 = getchar();\n while ( v5 == 10 );\n switch ( v5 )\n {\n case 'R':\n sub_7FF73E4D1375();\n break;\n case 'U':\n sub_7FF73E4D13BB();\n break;\n case 'r':\n sub_7FF73E4D1366();\n break;\n case 'u':\n sub_7FF73E4D115E();\n break;\n }\n ++dword_7FF73E4DF1C0;\n v6 = sub_7FF73E4D1389();\n if ( v6 == 1 )\n break;\n if ( v6 == 2 )\n goto LABEL_19;\n }\n sub_7FF73E4D119F(&unk_7FF73E4DCCA0);\nLABEL_19:\n system("pause");\n return 0;\n}<\/code><\/pre>\n\u600e\u4e48\u8bf4\u5462\uff0c\u633a\u4e11\u7684\uff0c\u5148\u5206\u6790\u7a0b\u5e8f\u5427\uff1a<\/p>\n
\u7b2c\u4e00\u6b65\u5148\u521d\u59cb\u5316\u516d\u4e2a\u9762\u4e0e\u4e5d\u4e2a\u65b9\u5757\uff0c\u6bcf\u4e2a\u9762\u989c\u8272\u90fd\u76f8\u540c\uff0c\u4e5f\u5c31\u662f\u4e00\u4e2a\u5b8c\u6574\u7684\uff0c\u672a\u88ab\u6253\u4e71\u7684\u9b54\u65b9<\/p>\n
\u63a5\u4e0b\u6765\u6211\u4eec\u66f4\u6362\u4e86\u4e09\u4e2a\u5757\uff0c\u5206\u522b\u662f\u5c06\u84dd\u8272\u9762\u7b2c\u4e00\u884c\u6700\u4e2d\u95f4\u7684\u65b9\u5757\u6362\u6210\u4e86\u7ea2\u8272\uff0c\u5c06\u7ea2\u8272\u9762\u6700\u4e2d\u95f4\u7684\u65b9\u5757\u6362\u6210\u4e86\u7eff\u8272\uff0c\u5c06\u7eff\u8272\u9762\u6700\u4e2d\u95f4\u7684\u65b9\u5757\u6362\u6210\u4e86\u84dd\u8272\uff0c\u4f1a\u73a9\u9b54\u65b9\u7684\u90fd\u77e5\u9053\uff0c\u8fd9\u662f\u4e00\u4e2a\u6807\u51c6\u7684\u4e09\u68f1\u6362<\/p>\n
\u5728\u9b54\u65b9\u4e2d\u8fd9\u901a\u5e38\u662f\u6700\u540e\u4e00\u6b65\uff0c\u53ea\u9700\u8981\u7528\u5230R U' R U R U R U' R' U' R' R'<\/code>\u8fd9\u4e2a\u516c\u5f0f\u5c31\u53ef\u4ee5\u8fd8\u539f\u9b54\u65b9\uff0c\u5f53\u7136\uff0c\u6211\u8fd8\u662f\u8fdb\u53bb\u770b\u4e86\u5224\u65ad\u7684\u5730\u65b9\uff0c\u5b83\u8bf4\u4e0d\u80fd\u5927\u4e8e12\u6b65\uff0c\u8fd9\u4e2a\u516c\u5f0f\u6b63\u597d12\u6b65<\/p>\n\u7ee7\u7eed\u89c2\u5bdf\u4e0a\u8ff0\u7a0b\u5e8f\uff0c\u53d1\u73b0\u4e0b\u9762\u53ea\u6709\u6709R U r u<\/code>\u56db\u79cd\u8fd8\u539f\u65b9\u5f0f\uff0c\u6211\u6709\u70b9\u61d2\u5f97\u8fdb\u53bb\u770b\u4e86\uff0c\u5c31\u731c\u6d4bU\u548cR\u4ee3\u8868\u7740\u6b63\u5e38\u7684U\u548cR\uff0cu\u548cr\u5219\u4ee3\u8868U\u2018\u548cR\u2019\uff0c\u8bd5\u8bd5\u770b\u5427\uff0c\u5982\u679c\u771f\u662f\u6309\u7167\u6211\u6240\u8bf4\u7684\uff0c\u5219\u8def\u5f84\u4e3aRuRURURururr<\/code>\u5426\u5219\u5219\u4e3arUrururURURR<\/code><\/p>\n\u55ef\u2026\u2026\u679c\u7136\u662fflag{RuRURURururr}<\/code>\u770b\u6765\u51fa\u9898\u4eba\u8ddf\u6211\u5b66\u7684\u9b54\u65b9\u516c\u5f0f\u4e00\u6837\uff0c\u563f\u563f\uff0c\u5e78\u597d\u6211\u662f\u9b54\u65b9\u7cd5\u624b\uff01<\/p>\n\u771f\u7684\u662f\uff0c\u641e\u5f97\u6211\u4e00\u8fb9\u73a9\u9b54\u65b9\u4e00\u8fb9\u5199\u9898QAQ<\/p>\n
\u6b64\u5916\uff0c\u6211\u4eec\u8fd8\u53ef\u4ee5\u7206\u7834\u9b54\u65b9\u6b65\u9aa4\uff0c\u8fd9\u91cc\u9644\u4e0a\u4e00\u4e2a\u7206\u7834\u811a\u672c\uff1a<\/p>\n
from itertools import * \n\nred = [''] * 9 \nblue = [''] * 9 \ngreen = [''] * 9 \norange = [''] * 9 \nyellow = [''] * 9 \nwhite = [''] * 9 \n\ndef init_cube(): \n for i in range(9): \n red[i] = "red" \n blue[i] = "Blue" \n green[i] = "Green" \n orange[i] = "Orange" \n yellow[i] = "Yellow" \n white[i] = "White" \n\n blue[1] = "red" \n red[1] = "Green" \n green[1] = "Blue" \n\ndef MOVE_R(): \n v1 = red[2] \n v2 = red[5] \n v3 = red[8] \n red[2] = white[2] \n red[5] = white[5] \n red[8] = white[8] \n white[2] = orange[6] \n white[5] = orange[3] \n white[8] = orange[0] \n orange[0] = yellow[8] \n orange[3] = yellow[5] \n orange[6] = yellow[2] \n yellow[2] = v1 \n yellow[5] = v2 \n yellow[8] = v3 \n v4 = green[1] \n green[1] = green[3] \n green[3] = green[7] \n green[7] = green[5] \n green[5] = v4 \n v5 = green[0] \n green[0] = green[6] \n green[6] = green[8] \n green[8] = green[2] \n green[2] = v5 \n\ndef MOVE_U(): \n v1 = red[0] \n v2 = red[1] \n v3 = red[2] \n red[0] = green[0] \n red[1] = green[1] \n red[2] = green[2] \n green[0] = orange[0] \n green[1] = orange[1] \n green[2] = orange[2] \n orange[0] = blue[0] \n orange[1] = blue[1] \n orange[2] = blue[2] \n blue[0] = v1 \n blue[1] = v2 \n blue[2] = v3 \n v4 = yellow[1] \n yellow[1] = yellow[3] \n yellow[3] = yellow[7] \n yellow[7] = yellow[5] \n yellow[5] = v4 \n v5 = yellow[0] \n yellow[0] = yellow[6] \n yellow[6] = yellow[8] \n yellow[8] = yellow[2] \n yellow[2] = v5 \n\ndef MOVE_r(): \n v1 = red[2] \n v2 = red[5] \n v3 = red[8] \n red[2] = yellow[2] \n red[5] = yellow[5] \n red[8] = yellow[8] \n yellow[2] = orange[6] \n yellow[5] = orange[3] \n yellow[8] = orange[0] \n orange[0] = white[8] \n orange[3] = white[5] \n orange[6] = white[2] \n white[2] = v1 \n white[5] = v2 \n white[8] = v3 \n v4 = green[1] \n green[1] = green[5] \n green[5] = green[7] \n green[7] = green[3] \n green[3] = v4 \n v5 = green[0] \n green[0] = green[2] \n green[2] = green[8] \n green[8] = green[6] \n green[6] = v5 \n\ndef MOVE_u(): \n v1 = red[0] \n v2 = red[1] \n v3 = red[2] \n red[0] = blue[0] \n red[1] = blue[1] \n red[2] = blue[2] \n blue[0] = orange[0] \n blue[1] = orange[1] \n blue[2] = orange[2] \n orange[0] = green[0] \n orange[1] = green[1] \n orange[2] = green[2] \n green[0] = v1 \n green[1] = v2 \n green[2] = v3 \n v4 = yellow[1] \n yellow[1] = yellow[5] \n yellow[5] = yellow[7] \n yellow[7] = yellow[3] \n yellow[3] = v4 \n v5 = yellow[0] \n yellow[0] = yellow[2] \n yellow[2] = yellow[8] \n yellow[8] = yellow[6] \n yellow[6] = v5 \n\ndef Is_right(): \n Count = 0 \n for i in range(9): \n if red[i] == "red": \n Count += 1 \n if blue[i] == "Blue": \n Count += 1 \n if green[i] == "Green": \n Count += 1 \n if orange[i] == "Orange": \n Count += 1 \n if yellow[i] == "Yellow": \n Count += 1 \n if white[i] == "White": \n Count += 1 \n #print(Count) \n if Count != 54: \n return False \n return True \ndef main(flag): \n #print(flag) \n init_cube() \n for i in flag: \n if i == "R": \n MOVE_R() \n if i == "U": \n MOVE_U() \n if i == 'r': \n MOVE_r() \n if i == 'u': \n MOVE_u() \n if Is_right(): \n return flag \n\ndef get_flag(): \n table = "RrUu" \n for string in product(table, repeat=12): \n flag = "".join(string) \n ret = main(flag) \n if ret != None: \n print(ret) \n return \nget_flag()<\/code><\/pre>\nez_rand<\/h3>\n
\u8fd9\u4e2a\u9898\u76ee\u63d0\u793a\u8fd8\u633a\u660e\u663e\u7684\uff0crand\u5c31\u662f\u968f\u673a\u6570\u7684\u610f\u601d\uff0c\u8fd9\u5e94\u8be5\u662f\u4e00\u9053\u6709\u5173\u4f2a\u968f\u673a\u6570\u7684\u9898<\/p>\n
\u6587\u4ef6\u4fe1\u606f\u5982\u4e0b\uff1a
\n
<\/div><\/p>\n\u7528IDA\u770b\u4e00\u4e0b\uff0c\u8fdb\u53bb\u5c31\u662fmain\u51fd\u6570\uff0c\u76f4\u63a5F5\u5c31\u884c\u4e86\uff1a<\/p>\n
int __fastcall main(int argc, const char **argv, const char **envp)\n{\n unsigned __int64 v3; \/\/ rbx\n unsigned __int16 v4; \/\/ ax\n int v5; \/\/ edi\n __int64 v6; \/\/ rsi\n int v7; \/\/ eax\n int v9[7]; \/\/ [rsp+20h] [rbp-50h]\n char v10; \/\/ [rsp+3Ch] [rbp-34h]\n __int16 v11; \/\/ [rsp+3Dh] [rbp-33h]\n __int128 v12; \/\/ [rsp+40h] [rbp-30h]\n __int64 v13; \/\/ [rsp+50h] [rbp-20h]\n int v14; \/\/ [rsp+58h] [rbp-18h]\n __int16 v15; \/\/ [rsp+5Ch] [rbp-14h]\n char v16; \/\/ [rsp+5Eh] [rbp-12h]\n\n v13 = 0i64;\n v12 = 0i64;\n v14 = 0;\n v15 = 0;\n v16 = 0;\n printf("\u8bf7\u8f93\u5165flag:");\n scanf_s("%s");\n v9[0] = -362017699;\n v11 = 0;\n v3 = -1i64;\n v9[1] = 888936774;\n v9[2] = 119759538;\n v9[3] = -76668318;\n v9[4] = -1443698508;\n v9[5] = -2044652911;\n v9[6] = 1139379931;\n v10 = 77;\n do\n ++v3;\n while ( *(&v12 + v3) );\n v4 = time64(0i64);\n srand(v4);\n v5 = 0;\n if ( v3 )\n {\n v6 = 0i64;\n do\n {\n v7 = rand();\n if ( (*(&v12 + v6) ^ (v7\n + ((((2155905153i64 * v7) >> 32) & 0x80000000) != 0i64)\n + (((2155905153i64 * v7) >> 32) >> 7))) != *(v9 + v6) )\n {\n printf("Error???\\n");\n exit(0);\n }\n ++v5;\n ++v6;\n }\n while ( v5 < v3 );\n }\n printf("Right???\\n");\n system("pause");\n return 0;\n}<\/code><\/pre>\n\u5927\u4f53\u903b\u8f91\u5c31\u662f\u5b9a\u4e49\u4e86v9\u6570\u7ec4\u7684\u6570\u636e\uff0c\u7136\u540e\u751f\u6210\u4e86\u4e00\u4e2a\u7b49\u540c\u4e8ev9\u5143\u7d20\u4e2a\u6570\u7684\u968f\u673a\u6570v7\uff0c\u4f7f\u5176\u4e0ev9\u6570\u7ec4\u8fdb\u884c\u5f02\u6216\u8fd0\u7b97\uff0c\u6211\u4eec\u53cd\u7740\u5f02\u6216\u51fa\u6765\u5c31\u662fflag\u4e86<\/p>\n
\u4f46\u662f\u65e2\u7136\u662f\u968f\u673a\u6570\u6211\u4eec\u5e94\u8be5\u600e\u4e48\u5bf9\u5b83\u8fdb\u884c\u6570\u636e\u63d0\u53d6\u5462\uff1f\u8fd9\u65f6\u5019\u6211\u4eec\u53ef\u4ee5\u770b\u89c1\u4ed6\u7684\u968f\u673a\u6570\u79cd\u5b50\u662f\u901a\u8fc7time\u6765\u53d6\u7684\uff0cC\u8bed\u8a00\u4e2d\u7684srand(time)\u662f\u4f2a\u968f\u673a\uff0c\u6211\u4eec\u9700\u8981\u5bf9\u8fd9\u4e2a\u968f\u673a\u6570\u79cd\u5b50\u8fdb\u884c\u7206\u7834\uff0c\u9898\u76ee\u63cf\u8ff0\u7ed9\u51fa\u4e86flag\u5934\u4e3a"XYCTF"\uff0c\u6211\u4eec\u53ef\u4ee5\u6839\u636e\u8fd9\u4e2a\u4fe1\u606f\u53bb\u7206\u7834\u968f\u673a\u6570\u79cd\u5b50\uff0c\u5373\u6211\u4eec\u5c06v9\u7684\u524d5\u4f4d\u4e0e\u751f\u6210\u7684\u524d\u4e94\u4f4d\u968f\u673a\u6570\u505a\u5f02\u6216\uff0c\u5982\u679c\u7ed3\u679c\u4e0e\u201cXYCTF\u201d\u76f8\u540c\uff0c\u5219\u90a3\u4e2a\u968f\u673a\u6570\u79cd\u5b50\u5c31\u662f\u6211\u4eec\u9700\u8981\u6c42\u7684\u7ed3\u679c<\/p>\n
\u8fd9\u91ccv9\u4e0d\u80fd\u76f4\u63a5\u8bbf\u95ee\uff0c\u4e3a\u4e86\u7701\u4e8b\u6211\u542f\u52a8\u52a8\u6001\u8c03\u8bd5\u63d0\u53d6v9\u7684\u6570\u636e\uff1a
\n
<\/div><\/p>\n\u524d\u4e94\u4f4d\u5219\u5206\u522b\u662f0x5D, 0x0C, 0x6C, 0xEA, 0x46\uff0c\u6211\u4eec\u6839\u636e\u8fd9\u4e2a\u53bb\u7206\u7834\u968f\u673a\u6570<\/p>\n
#include<iostream>\n#include<cstdlib>\nusing namespace std;\n\nint main()\n{\n unsigned char str[5] = { 0x5D, 0x0C, 0x6C, 0xEA, 0x46 };\n unsigned char random[6] = { 0 };\n unsigned char flag[6] = { 'X', 'Y', 'C', 'T', 'F', '\\0' };\n\n for (int i = 0xFFFF; i >= 0; i--) {\n srand(i);\n for (int j = 0; j < 5; j++) {\n random[j] = rand() % 0xFF;\n }\n bool found = true;\n for (int j = 0; j < 5; j++) {\n if ((random[j] ^ str[j]) != flag[j]) {\n found = false;\n break;\n }\n }\n if (found) {\n cout << "\u627e\u5230\u4e86\uff01\u662f\uff1a" << i << endl;\n break;\n }\n else\n cout << "\u4e0d\u662f" << i << "\u634f" << endl;\n }\n\n return 0;\n}\n<\/code><\/pre>\n\u7206\u7834\u51fa\u6765\u968f\u673a\u6570\u662f21308<\/code>\uff0c\u7136\u540e\u6211\u4eec\u518d\u7528\u8fd9\u4e2a\u968f\u673a\u6570\u79cd\u5b50\u751f\u6210\u7b49\u540c\u4e8eflag\u957f\u5ea6(\u537329)\u7684\u4e2a\u6570\u7684\u968f\u673a\u6570<\/p>\n#include<iostream>\n#include<cstdlib>\nusing namespace std;\nint main()\n{\n srand(21308);\n for (int i = 0; i < 29; i++) {\n int num = rand();\n cout << num << ",";\n }\n}<\/code><\/pre>\n\u5f97\u5230\u968f\u673a\u6570\u540e\u5199\u51faPython\u811a\u672c\u6c42\u89e3flag\u53d1\u73b0\u662f\u4e00\u5806\u4e71\u7801\uff0c\u7531\u4e8e\u4e0a\u6587\u7684v9\u662f\u56fa\u5b9a\u7684\uff0c\u80af\u5b9a\u662f\u751f\u6210\u7684\u968f\u673a\u6570\u4e0d\u5bf9\uff0c\u8fd9\u624d\u53d1\u73b0\u968f\u673a\u6570\u6709\u70b9\u592a\u5927\u4e86\uff0c\u7531\u4e8e\u90fd\u662f2\u4f4d\u4e00\u7ec4\u768416\u8fdb\u5236\u6570\u8fdb\u884c\u5f02\u6216\uff0c\u6211\u4eec\u7684rand()\u5e94\u8be5\u5bf90xFF\u53d6\u6a21<\/p>\n
\u4e0b\u9762\u662f\u66f4\u6b63\u4e4b\u540e\u7684\u811a\u672c\uff1a<\/p>\n
#include<iostream>\n#include<cstdlib>\nusing namespace std;\nint main()\n{\n srand(21308);\n for (int i = 0; i < 29; i++) {\n int num = rand() % 0xFF ;\n cout << num << ",";\n }\n}<\/code><\/pre>\n\u5f97\u5230\u8be5\u968f\u673a\u6570\u79cd\u5b50\u751f\u6210\u76842\u4f4d16\u8fdb\u5236\u8303\u56f4\u5185\u7684\u968f\u673a\u6570\uff0c\u7136\u540e\u5c31\u53ef\u4ee5\u5199\u51fapython\u811a\u672c\u4e86\uff1a<\/p>\n
random=[5,85,47,190,0,98,174,116,220,6,124,54,17,125,61,203,235,187,194,246,194,34,126,227,186,253,144,98,48] \nstr=[0x5D, 0x0C, 0x6C, 0xEA, 0x46, 0x19, 0xFC, 0x34, 0xB2, 0x62, \n 0x23, 0x07, 0x62, 0x22, 0x6E, 0xFB, 0xB4, 0xE8, 0xF2, 0xA9, \n 0x91, 0x12, 0x21, 0x86, 0xDB, 0x8E, 0xE9, 0x43, 0x4D] \nflag="" \naaa="" \nfor i in range(len(str)): \n flag+=chr(str[i]^random[i]) \nprint(flag)\n#XYCTF{R@nd_1s_S0_S0_S0_easy!}<\/code><\/pre>\ntrustme<\/h3>\n
\u5b89\u88c5\u597d\u7a0b\u5e8f\u53d1\u73b0\u662f\u4e00\u4e2a\u767b\u5f55\u7cfb\u7edf<\/p>\n
<\/div><\/p>\n\u5c06\u4e0b\u8f7d\u4e0b\u6765\u7684.apk\u4f7f\u7528jadx\u53cd\u7f16\u8bd1\u51fa\u6765\u5c31\u662f\u8fd9\u6837<\/p>\n
package com.swdd.trustme;\n\nimport android.os.Bundle;\nimport android.view.View;\nimport android.widget.TextView;\nimport android.widget.Toast;\nimport androidx.appcompat.app.AppCompatActivity;\n\npublic class MainActivity extends AppCompatActivity {\n public static byte[] RC4(byte[] arr_b, byte[] arr_b1) {\n int[] arr_v = new int[0x100];\n byte[] arr_b2 = new byte[0x100];\n byte[] arr_b3 = new byte[arr_b.length];\n int v = 0;\n int v1;\n for(v1 = 0; v1 < 0x100; ++v1) {\n arr_v[v1] = v1;\n arr_b2[v1] = arr_b1[v1 % arr_b1.length];\n }\n\n int v2 = 0;\n int v3 = 0;\n while(v2 < 0x100) {\n int v4 = arr_v[v2];\n v3 = v3 + v4 + arr_b2[v2] & 0xFF;\n arr_v[v2] = arr_v[v3];\n arr_v[v3] = v4;\n ++v2;\n }\n\n int v5 = 0;\n while(v < arr_b.length) {\n v5 = v5 + 1 & 0xFF;\n int v6 = arr_v[v5];\n v3 = v3 + v6 & 0xFF;\n arr_v[v5] = arr_v[v3];\n arr_v[v3] = v6;\n arr_b3[v] = (byte)(arr_v[arr_v[v5] + v6 & 0xFF] ^ arr_b[v]);\n ++v;\n }\n\n return arr_b3;\n }\n\n public static String bytesToHex(byte[] arr_b) {\n StringBuilder stringBuilder0 = new StringBuilder();\n int v;\n for(v = 0; v < arr_b.length; ++v) {\n String s = Integer.toHexString(arr_b[v] & 0xFF);\n if(s.length() == 1) {\n stringBuilder0.append('0');\n }\n\n stringBuilder0.append(s);\n }\n\n return stringBuilder0.toString();\n }\n\n public void onClick(View view0) {\n TextView textView0 = (TextView)this.findViewById(id.username);\n TextView textView1 = (TextView)this.findViewById(id.password);\n textView0.getText().toString();\n if(MainActivity.bytesToHex(MainActivity.RC4(textView1.getText().toString().getBytes(), "XYCTF".getBytes())).equals("5a3c46e0228b444decc7651c8a7ca93ba4cb35a46f7eb589bef4")) {\n Toast.makeText(this, "\u6210\u529f!", 0);\n }\n }\n\n @Override \/\/ androidx.fragment.app.FragmentActivity\n protected void onCreate(Bundle bundle0) {\n super.onCreate(bundle0);\n this.setContentView(layout.activity_main);\n }\n}\n<\/code><\/pre>\n\u5176\u4e2dRC4\u7684\u5bc6\u6587\u548c\u5bc6\u94a5\u90fd\u7ed9\u51fa\u6765\u4e86\uff0c\u89e3\u5bc6\u4e00\u4e0b\u8bd5\u8bd5
\n
<\/div><\/p>\n\u5f97\u5230\u4e86username\uff0c\u4e0d\u8fc7\u5269\u4e0b\u7684\u5c31\u6ca1\u4ec0\u4e48\u601d\u8def\u4e86<\/p>\n
\u518d\u627e\u627e\u770b\uff0c\u53d1\u73b0\u4e86\u4e00\u4e2a\u65b0\u7684.apk
\n
<\/div><\/p>\n\u6839\u636e.apk\u540d\u79f0\u731c\u6d4b\uff0c\u8fd9\u662f\u4e2a\u88ab\u52a0\u4e86\u58f3\u7684.apk\uff0c\u663e\u7136\u6211\u662f\u4e0d\u4f1a\u8131\u58f3\u7684\uff0c\u4e8e\u662f\u5bfb\u627e\u522b\u7684\u65b9\u6cd5<\/p>\n
<\/div>
\n\u8fd9\u91cc\u627e\u5230\u4e86\u4e00\u4e2a.db\u6587\u4ef6\uff0c\u9996\u5148\u6211\u4eec\u5f97\u77e5\u9053.db\u6587\u4ef6\u662f\u4ec0\u4e48\uff0c\u5728\u5b89\u5353\u5f00\u53d1\u4e2d\uff0c\u6211\u4eec\u5e38\u7528SQLite\u6570\u636e\u5e93\uff0c\u56e0\u4e3a\u5b83\u8f7b\u5de7\uff0c\u800c.db\u6587\u4ef6\u5c31\u662f\u5b83\u7684\u6570\u636e\u5e93\u6587\u4ef6\uff0c\u4e8e\u662f\u6211\u60f3\u5bfc\u51fa\u8fd9\u4e2a.db\u6587\u4ef6\u67e5\u770b\u4e00\u4e0b\uff0c\u5f53\u6211\u53cc\u51fb.db\u7684\u65f6\u5019\uff0cjadx\u7206\u70b8\u4e86\u2026\u2026\u76f4\u63a5\u5361\u4f4f\u6b7b\u673a\uff0c\u6211\u4e5f\u4e0d\u77e5\u9053\u4e3a\u4ec0\u4e48<\/p>\n\u5509\uff0c\u7528JEB\u6253\u5f00\u5427
\n
<\/div><\/p>\n\u5bfc\u51fa\u8fd9\u4e2a\u6587\u4ef6\uff0c\u7528010\u6253\u5f00\u770b\u770b
\n
<\/div><\/p>\n\u53d1\u73b0\u4e86\u8fd9\u4e2a\u6587\u4ef6\u5927\u90e8\u5206\u5730\u65b9\u90fd\u662f\u88abFF\u586b\u5145\u7684
\n\u800c\u4e8b\u5b9e\u5374\u662f\uff1a<\/p>\n
.db\u6587\u4ef6\u901a\u5e38\u662f\u6307 SQLite \u6570\u636e\u5e93\u6587\u4ef6\u3002SQLite \u662f\u4e00\u79cd\u8f7b\u91cf\u7ea7\u7684\u5173\u7cfb\u578b\u6570\u636e\u5e93\u7ba1\u7406\u7cfb\u7edf\uff0c\u5e7f\u6cdb\u7528\u4e8e\u79fb\u52a8\u8bbe\u5907\u3001\u5d4c\u5165\u5f0f\u7cfb\u7edf\u4ee5\u53ca\u684c\u9762\u5e94\u7528\u7a0b\u5e8f\u4e2d\u3002SQLite \u6570\u636e\u5e93\u5b58\u50a8\u5728\u5355\u4e2a\u6587\u4ef6\u4e2d\uff0c\u5e76\u4f7f\u7528\u4ee5.db\u4f5c\u4e3a\u6587\u4ef6\u6269\u5c55\u540d\u7684\u683c\u5f0f\u3002\n\n\u8fd9\u4e9b.db\u6587\u4ef6\u5305\u542b\u4e86\u8868\u3001\u7d22\u5f15\u3001\u89c6\u56fe\u7b49\u6570\u636e\u5e93\u5bf9\u8c61\u7684\u5b9a\u4e49\uff0c\u4ee5\u53ca\u5b9e\u9645\u5b58\u50a8\u7684\u6570\u636e\u3002SQLite \u662f\u4e00\u4e2a\u81ea\u5305\u542b\u7684\u3001\u96f6\u914d\u7f6e\u7684\u3001\u670d\u52a1\u5668\u4e0d\u95f4\u65ad\u7684\u6570\u636e\u5e93\u5f15\u64ce\uff0c\u4e0d\u9700\u8981\u5355\u72ec\u7684\u670d\u52a1\u5668\u8fdb\u7a0b\u6765\u7ba1\u7406\u6570\u636e\u5e93\u3002\u8fd9\u4f7f\u5f97\u5b83\u975e\u5e38\u9002\u5408\u5d4c\u5165\u5f0f\u8bbe\u5907\u6216\u9700\u8981\u7b80\u5355\u6570\u636e\u5e93\u89e3\u51b3\u65b9\u6848\u7684\u5e94\u7528\u7a0b\u5e8f\u3002\n\n\u5728 SQLite \u7684.db\u6587\u4ef6\u4e2d\uff0c\u672a\u5b58\u653e\u6570\u636e\u7684\u90e8\u5206\u901a\u5e38\u4f1a\u4f7f\u7528\u96f6\u586b\u5145\u3002\u8fd9\u610f\u5473\u7740\u5728\u6587\u4ef6\u88ab\u521b\u5efa\u6216\u8005\u6269\u5c55\u65f6\uff0c\u672a\u4f7f\u7528\u7684\u90e8\u5206\u4f1a\u88ab\u586b\u5145\u4e3a\u96f6\u5b57\u8282\uff0c\u8fd9\u6709\u52a9\u4e8e\u786e\u4fdd\u6587\u4ef6\u7684\u5b8c\u6574\u6027\u5e76\u5360\u636e\u78c1\u76d8\u7a7a\u95f4\u4ee5\u6ee1\u8db3\u6587\u4ef6\u7cfb\u7edf\u7684\u5206\u914d\u9700\u6c42\u3002\n\n\u5982\u679c\u4f60\u67e5\u770b\u4e00\u4e2a.db\u6587\u4ef6\u7684\u5341\u516d\u8fdb\u5236\u8868\u793a\uff0c\u4f60\u53ef\u80fd\u4f1a\u770b\u5230\u4e00\u7cfb\u5217\u7684\u96f6\u5b57\u8282\u586b\u5145\uff0c\u76f4\u5230\u9047\u5230\u5b58\u50a8\u4e86\u6570\u636e\u7684\u90e8\u5206\u3002SQLite \u4f1a\u5728\u6587\u4ef6\u4e2d\u52a8\u6001\u5206\u914d\u7a7a\u95f4\u4ee5\u5b58\u50a8\u6570\u636e\uff0c\u56e0\u6b64\u672a\u4f7f\u7528\u7684\u90e8\u5206\u4f1a\u4fdd\u6301\u96f6\u586b\u5145\u72b6\u6001\u3002<\/code><\/pre>\n\u4f17\u6240\u5468\u77e5\uff0c\u4e00\u4e2a16\u8fdb\u5236\u6570\u5f02\u6216\u672c\u8eab\u7b49\u4e8e0\uff0c\u56e0\u6b64\u6211\u4eec\u53ea\u9700\u8981\u5c06\u8fd9\u4e2a.db\u6587\u4ef6\u5f02\u62160xFF\u5c31\u53ef\u4ee5\u5f97\u5230\u771f\u5b9e\u7684\u6570\u636e\u4e86\uff0c\u8fd9\u65f6\u5019\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7010 Editor\u7684\u5de5\u5177\u5bf9\u6587\u4ef6\u6574\u4f53\u8fdb\u884c\u5f02\u6216\u4e86<\/p>\n
<\/div><\/p>\n\u8fd9\u6837\u6587\u4ef6\u5934\u5c31\u51fa\u73b0\u4e86SQLite\u5b57\u6837\uff0c\u518d\u5f80\u4e0b\u770b\u770b\uff0c\u5b58\u6709\u5b57\u7b26\u4e32\u7684\u5730\u65b9\u5f88\u5c11\uff0c\u5927\u90e8\u5206\u90fd\u662f\u752800\u586b\u5145\u7684<\/p>\n
\u6211\u4eec\u5728\u7b2c\u4e09\u6bb5\u6570\u636e\u4e2d\u627e\u5230\u4e86flag
\n
<\/div><\/p>\nXYCTF{And0r1d_15_V3ryEasy}<\/p>\n
what' this<\/h3>\nfunction Xor(num1, num2)\n local tmp1 = num1\n local tmp2 = num2\n local str = ""\n repeat\n local s1 = tmp1 % 2\n local s2 = tmp2 % 2\n if s1 == s2 then\n str = "0" .. str\n else\n str = "1" .. str\n end\n tmp1 = math.modf(tmp1 \/ 2)\n tmp2 = math.modf(tmp2 \/ 2)\n until tmp1 == 0 and tmp2 == 0\n return tonumber(str, 2)\nend\nvalue = ""\noutput = ""\ni = 1\nwhile true do\n local temp = string.byte(flag, i)\n temp = string.char(Xor(temp, 8) % 256)\n value = value .. temp\n i = i + 1\n if i > string.len(flag) then\n break\n end\nend\nfor _ = 1, 1000 do\n x = 3\n y = x * 3\n z = y \/ 4\n w = z - 5\n if w == 0 then\n print("This line will never be executed")\n end\nend\nfor i = 1, string.len(flag) do\n temp = string.byte(value, i)\n temp = string.char(temp + 3)\n output = output .. temp\nend\nresult = output:rep(10)\ninvalid_list = {\n 1,\n 2,\n 3\n}\nfor _ = 1, 20 do\n table.insert(invalid_list, 4)\nend\nfor _ = 1, 50 do\n result = result .. "A"\n table.insert(invalid_list, 4)\nend\nfor i = 1, string.len(output) do\n temp = string.byte(output, i)\n temp = string.char(temp - 1)\nend\nfor _ = 1, 30 do\n result = result .. string.lower(output)\nend\nfor _ = 1, 950 do\n x = 3\n y = x * 3\n z = y \/ 4\n w = z - 5\n if w == 0 then\n print("This line will never be executed")\n end\nend\nfor _ = 1, 50 do\n x = -1\n y = x * 4\n z = y \/ 2\n w = z - 3\n if w == 0 then\n print("This line will also never be executed")\n end\nend\nrequire("base64")\nobfuscated_output = to_base64(output)\nobfuscated_output = string.reverse(obfuscated_output)\nobfuscated_output = string.gsub(obfuscated_output, "g", "3")\nobfuscated_output = string.gsub(obfuscated_output, "H", "4")\nobfuscated_output = string.gsub(obfuscated_output, "W", "6")\ninvalid_variable = obfuscated_output:rep(5)\nif obfuscated_output == "==AeuFEcwxGPuJ0PBNzbC16ctFnPB5DPzI0bwx6bu9GQ2F1XOR1U" then\n print("You get the flag.")\nelse\n print("F**k!")\nend<\/code><\/pre>\n\u8fd9\u662f\u53cd\u7f16\u8bd1\u51fa\u6765\u7684\u5173\u952e\u90e8\u5206\u4ee3\u7801\uff0c\u6211\u572852\u4e0a\u627e\u4e86\u4e2a.jar\u4ee3\u7801\u53cd\u7f16\u8bd1lua\u7a0b\u5e8f\uff0c\u53cd\u7f16\u8bd1\u51fa\u67651.5w\u591a\u4e2a\u5b57\u7b26\u7684\u4ee3\u7801\uff0c\u800c\u4e14\u5168\u662f\u6df7\u6dc6\uff0c\u4e0d\u8fc7\u8fd8\u597d\uff0c\u5173\u952e\u4ee3\u7801\u90fd\u5728\u4ee3\u7801\u7684\u6700\u540e\u90e8\u5206<\/p>\n
\u5206\u6790\u4e00\u4e0b\uff1a\u6700\u540e\u9762\u5148\u662fbase64\uff0c\u7136\u540e\u53cd\u8f6c\u7f16\u7801\uff0c\u518d\u8fdb\u884c\u5b57\u7b26\u66ff\u6362<\/p>\n
\u6700\u5f00\u59cb\u6211\u4ee5\u4e3a\u53ea\u6709\u8fd9\u4e9b\uff0c\u4f46\u662f\u5904\u7406\u5b8c\u4e4b\u540e\u6ca1\u6709\u4ec0\u4e48\u7528\uff0cbase64\u89e3\u4e0d\u51fa\u6765<\/p>\n
\u53ea\u89e3\u51faSTN_Qv@onmlpoB3<>A>qmqmBo3A?Bn<lppAnx<\/code><\/p>\n\u6240\u4ee5\u8fd8\u6709\u522b\u7684\u64cd\u4f5c\uff0c\u6211\u4eec\u4e3b\u8981\u4e00\u4e2a\u5bfb\u627e\u4ee3\u7801\u4e2d\u5bf9output\u548cflag\u7b49\u5b57\u6837\u7684\u64cd\u4f5c
\n
<\/div>
\n<\/div>
\n\u53d1\u73b0\u8fd9\u4e24\u4e2a\u5730\u65b9\u5148\u5f02\u62168\u540e+3<\/p>\n\u53ef\u4ee5\u5199\u89e3\u5bc6\u811a\u672c\u4e86\uff1a<\/p>\n
str = "STN_Qv@onmlpoB3<>A>qmqmBo3A?Bn<lppAnx" \nflag = "" \nfor i in range(len(str)): \n flag += chr((ord(str[i]) - 3) ^ 8) \nprint(flag)\n#XYCTF{5dcbaed781363fbfb7d8647c1aee6c}<\/code><\/pre>\neasy language<\/h3>\n
\u4ece\u56fe\u6807\u5c31\u53ef\u4ee5\u770b\u51fa\u6765\u662f\u4e00\u4e2a\u6613\u8bed\u8a00\u7a0b\u5e8f<\/p>\n
\u6b63\u5e38\u7528IDA\u662f\u5305\u770b\u4e0d\u4e86\u7684\uff0c\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528\u6613\u8bed\u8a00\u63d2\u4ef6IDA\u6613\u8bed\u8a00\u53cd\u7f16\u8bd1\u63d2\u4ef6E-Decompiler - \u300e\u9006\u5411\u8d44\u6e90\u533a\u300f - \u543e\u7231\u7834\u89e3 - LCG - LSG |\u5b89\u5353\u7834\u89e3|\u75c5\u6bd2\u5206\u6790|www.52pojie.cn<\/a>\u4ee5\u53caIDA7.5\u652f\u6301\u4e2d\u6587\u51fd\u6570\u547d\u540d\u7684\u529e\u6cd5 - \u300e\u9006\u5411\u8d44\u6e90\u533a\u300f - \u543e\u7231\u7834\u89e3 - LCG - LSG |\u5b89\u5353\u7834\u89e3|\u75c5\u6bd2\u5206\u6790|www.52pojie.cn<\/a><\/p>\n\u518d\u7528IDA\u53cd\u7f16\u8bd1\u51fa\u6765\u53ef\u4ee5\u770b\u89c1\u4e3b\u903b\u8f91\uff0c\u53d1\u73b0\u662fAES-ECB\u548cbasse64<\/p>\n
\u518d\u53bb\u52a8\u6001\u8c03\u8bd5\u62ff\u53bb\u6570\u636e
\n\u5bc6\u6587
\n
<\/div>
\nkey\uff1a"welcometoxyctf!!"<\/p>\n\u9644\u4e0a\u811a\u672c\uff1a<\/p>\n
from Crypto.Cipher import AES \nimport base64 \n#\u6839\u636e\u52a8\u6001\u8c03\u8bd5\u627e\u5230\u8981\u5bf9\u6bd4\u7684\u76ee\u6807\u6570\u636e\uff01 \ntarget = b'RZy\/zVEWMFxaCbzChAg8x26XZYr51rNVnM+zBoBp3gya93L9QQXpFRin1JE33vyx' \nbase64_decoded = base64.b64decode(target) \nprint("\u89e3\u5bc6\u51fa\u6765\u7684\u6570\u636e:",base64_decoded) \n#\u7ed9\u5b9a\u7684\u5b57\u8282\u4e32 \nbyte_string =b'E\\x9c\\xbf\\xcdQ\\x160\\\\Z\\t\\xbc\\xc2\\x84\\x08<\\xc7n\\x97e\\x8a\\xf9\\xd6\\xb3U\\x9c\\xcf\\xb3\\x06\\x80i\\xde\\x0c\\x9a\\xf7r\\xfdA\\x05\\xe9\\x15\\x18\\xa7\\xd4\\x917\\xde\\xfc\\xb1' \n#\u5c06\u5b57\u8282\u4e32\u8f6c\u6362\u4e3a\u6574\u6570 \ninteger_value = int.from_bytes(byte_string, byteorder='big') \n#\u5c06\u6574\u6570\u62c6\u5206\u4e3a\u4e24\u4e2a\u90e8\u5206\uff0c\u6bcf\u90e8\u5206\u5305\u542b16\u4e2a\u5b57\u8282 \nfirst_part_integer = integer_value >> 128*2 \nsecond_part_integer = (integer_value >> 128) & ((1 << 128) - 1) \nthird_part_integer = (integer_value) & ((1 << 128) - 1) \n#\u5c06\u6bcf\u4e2a\u90e8\u5206\u8f6c\u6362\u56de\u5b57\u8282\u4e32 \nfirst_part_bytes = first_part_integer.to_bytes(16, byteorder='big') \nsecond_part_bytes = second_part_integer.to_bytes(16, byteorder='big') \nthird_part_bytes = third_part_integer.to_bytes(16, byteorder='big') \n#\u6253\u5370\u7ed3\u679c \nprint("\u7b2c\u4e00\u90e8\u5206:", first_part_bytes) \nprint("\u7b2c\u4e8c\u90e8\u5206:", second_part_bytes) \nprint("\u7b2c\u4e09\u90e8\u5206:", third_part_bytes) \nkey = b'welcometoxyctf!!' #\u52a8\u8c03\u5f97\u5230\u7684\u5bc6\u94a5 \ncipher = AES.new(key, AES.MODE_ECB) #\u52a8\u6001\u8c03\u8bd5\u77e5\u9053\u586b\u5145\u6a21\u5f0f\u662fPKCS5Padding \npart1 = cipher.decrypt(first_part_bytes) \npart2 = cipher.decrypt(second_part_bytes) \npart3 = cipher.decrypt(third_part_bytes) \nprint("\u6210\u529f\u89e3\u51faflag \u7b2c\u4e00\u90e8\u5206:",part1) \nprint("\u6210\u529f\u89e3\u51faflag \u7b2c\u4e8c\u90e8\u5206:",part2) \nprint("\u6210\u529f\u89e3\u51faflag \u7b2c\u4e09\u90e8\u5206:",part3) \nprint("flag\u662f\uff1a",part1+part2+part3)<\/code><\/pre>\n<\/div><\/p>\nez_enc<\/h3>\n
<\/div>
\n\u4e0d\u662f \u54e5\u4eec<\/p>\nIDA\u770b\u4e3b\u903b\u8f91\uff1a<\/p>\n
for ( i = 0; i < (j_strlen(Str) - 1); ++i )\n Str[i] = aImouto[i % 6] ^ (Str[i + 1] + Str[i] % 20);\n for ( j = 0; j < j_strlen(Str); ++j )\n {\n if ( Str[j] != byte_14001E008[j] )\n {\n sub_1400111A4("Wrong");\n return 0;\n }\n }\n sub_1400111A4("Right,but where is my Imouto?\\n");\n return 0;\n}<\/code><\/pre>\n\u5355\u5b57\u8282\u6bd4\u5bf9\u52a0\u7b80\u5355\u52a0\u5bc6\uff0c\u76f4\u63a5\u7206\u7206\u7206\u7206\u7206\u7206\u7206<\/p>\n
\u6df1\u641c\u9012\u5f52\u7206\u7834\uff1a<\/p>\n
target = [0x27, 0x24, 0x17, 0x0B, 0x50, 0x03, 0xC8, 0x0C, 0x1F, 0x17, 0x36, 0x55, 0xCB, 0x2D, 0xE9, 0x32, 0x0E, 0x11, 0x26, 0x02, 0x0C, 0x07, 0xFC, 0x27, 0x3D, 0x2D, 0xED, 0x35, 0x59, 0xEB, 0x3C, 0x3E, 0xE4, 0x7D ] \n\naImouto =[0x49, 0x4D, 0x6F, 0x75, 0x74, 0x6F] \nflag = [0]*len(target) \nflag[len(target)-1] = target[len(target)-1] \nprint(flag) \n\ndef checkflag(idx,reslut): \n if(idx == -1): \n print("flag\u7206\u7834\u5b8c\u6210\uff01") \n for i in range(len(reslut)): \n print(chr(reslut[i]),end="") \n print("") \n return \n for ch1 in range(128): \n if(target[idx] == aImouto[idx%6]^(reslut[idx+1]+ch1%20)): \n reslut[idx] = ch1 \n checkflag(idx-1,reslut) \n if(ch1 == 128 and reslut[idx] == 0): \n return \n\ncheckflag(32,flag)<\/code><\/pre>\n\u7531\u4e8e\u52a0\u5bc6\u65b9\u5f0f\u7684\u95ee\u9898\uff0c\u4ece\u540e\u5f80\u524d\u7684\uff0c\u7b2c\u4e00\u4f4d\u662f\u4f1a\u6709\u591a\u89e3\u7684\uff0c\u6211\u4eec\u770b\u89c1flag\u5f00\u5934\u7684\u5c31\u884c\u4e86
\nflag{!_r3ea11y_w4nt_@_cu7e_s1$ter}<\/code><\/p>\nez_math<\/h3>\n
<\/div>
\nPyInstaller\u6253\u5305\u7684exe\uff0c\u7248\u672c\u597d\u50cf\u8fd8\u633a\u65b0\u7684\uff0c\u53bbgithub\u4e0b\u4e00\u4e2a\u6700\u65b0\u7248\u7684pyinstxtractor\u89e3\u5305<\/p>\n\u6211\u7684python3.12\u5bf9\u67d0\u4e9b\u8001\u7248\u672c\u7684pyinstxtractor\u4e0d\u592a\u517c\u5bb9\uff0c\u6240\u4ee5\u7528\u4e86\u6700\u65b0\u7248\u7684<\/p>\n
<\/div>
\n\u518d\u628a\u91cc\u9762\u7684pyc\u53cd\u7f16\u8bd1\u4e00\u4e0b\uff1a<\/p>\n#uncompyle6 version 3.9.1\n#Python bytecode version base 3.8.0 (3413)\n#Decompiled from: Python 3.6.12 (default, Feb 9 2021, 09:19:15) \n#[GCC 8.3.0]\n#Embedded file name: ezmath.py\nflag = [ord(i) for i in input("flag:")]\nif len(flag) == 32:\n if sum([flag[23] for _ in range(flag[23])]) + sum([flag[12] for _ in range(flag[12])]) + sum([flag[1] for _ in range(flag[1])]) - sum([flag[24] for _ in range(222)]) + sum([flag[22] for _ in range(flag[22])]) + sum([flag[31] for _ in range(flag[31])]) + sum([flag[26] for _ in range(flag[26])]) - sum([flag[9] for _ in range(178)]) - sum([flag[29] for _ in range(232)]) + sum([flag[17] for _ in range(flag[17])]) - sum([flag[23] for _ in range(150)]) - sum([flag[6] for _ in range(226)]) - sum([flag[7] for _ in range(110)]) + sum([flag[19] for _ in range(flag[19])]) + sum([flag[2] for _ in range(flag[2])]) - sum([flag[0] for _ in range(176)]) + sum([flag[10] for _ in range(flag[10])]) - sum([flag[12] for _ in range(198)]) + sum([flag[24] for _ in range(flag[24])]) + sum([flag[9] for _ in range(flag[9])]) - sum([flag[3] for _ in range(168)]) + sum([flag[8] for _ in range(flag[8])]) - sum([flag[2] for _ in range(134)]) + sum([flag[14] for _ in range(flag[14])]) - sum([flag[13] for _ in range(170)]) + sum([flag[4] for _ in range(flag[4])]) - sum([flag[10] for _ in range(142)]) + sum([flag[27] for _ in range(flag[27])]) + sum([flag[15] for _ in range(flag[15])]) - sum([flag[15] for _ in range(224)]) + sum([flag[16] for _ in range(flag[16])]) - sum([flag[11] for _ in range(230)]) - sum([flag[1] for _ in range(178)]) + sum([flag[28] for _ in range(flag[28])]) - sum([flag[5] for _ in range(246)]) - sum([flag[17] for _ in range(168)]) + sum([flag[30] for _ in range(flag[30])]) - sum([flag[21] for _ in range(220)]) - sum([flag[22] for _ in range(212)]) - sum([flag[16] for _ in range(232)]) + sum([flag[25] for _ in range(flag[25])]) - sum([flag[4] for _ in range(140)]) - sum([flag[31] for _ in range(250)]) - sum([flag[28] for _ in range(150)]) + sum([flag[11] for _ in range(flag[11])]) + sum([flag[13] for _ in range(flag[13])]) - sum([flag[14] for _ in range(234)]) + sum([flag[7] for _ in range(flag[7])]) - sum([flag[8] for _ in range(174)]) + sum([flag[3] for _ in range(flag[3])]) - sum([flag[25] for _ in range(242)]) + sum([flag[29] for _ in range(flag[29])]) + sum([flag[5] for _ in range(flag[5])]) - sum([flag[30] for _ in range(142)]) - sum([flag[26] for _ in range(170)]) - sum([flag[19] for _ in range(176)]) + sum([flag[0] for _ in range(flag[0])]) - sum([flag[27] for _ in range(168)]) + sum([flag[20] for _ in range(flag[20])]) - sum([flag[20] for _ in range(212)]) + sum([flag[21] for _ in range(flag[21])]) + sum([flag[6] for _ in range(flag[6])]) + sum([flag[18] for _ in range(flag[18])]) - sum([flag[18] for _ in range(178)]) + 297412 == 0:\n print("yes")\n<\/code><\/pre>\n\u6709\u70b9\u8111\u6d1e\uff0c\u4e0d\u77e5\u9053\u600e\u4e48\u5199\uff0cz3\u8dd1\u4e0d\u4e86<\/p>\n
\u540e\u9762\u7ed9\u4e86\u9898\u76ee\u63d0\u793a\uff0c\u5e73\u65b9\uff0c\u6211\u4eec\u53ef\u4ee5\u731c\u6d4b\u4e00\u4e0b\uff1a<\/p>\n
flag = [0]*32 \nflag[24]=222\/\/ 2 \nflag[9]=178\/\/ 2 \nflag[29]=232\/\/ 2 \nflag[23]=150\/\/ 2 \nflag[6]=226\/\/ 2 \nflag[7]=110\/\/ 2 \nflag[0]=176\/\/ 2 \nflag[12]=198\/\/ 2 \nflag[3]=168\/\/ 2 \nflag[2]=134\/\/ 2 \nflag[13]=170\/\/ 2 \nflag[10]=142\/\/ 2 \nflag[15]=224\/\/ 2 \nflag[11]=230\/\/ 2 \nflag[1]=178\/\/ 2 \nflag[5]=246\/\/ 2 \nflag[17]=168\/\/ 2 \nflag[21]=220\/\/ 2 \nflag[22]=212\/\/ 2 \nflag[16]=232\/\/ 2 \nflag[4]=140\/\/ 2 \nflag[31]=250\/\/ 2 \nflag[28]=150\/\/ 2 \nflag[14]=234\/\/ 2 \nflag[8]=174\/\/ 2 \nflag[25]=242\/\/ 2 \nflag[30]=142\/\/ 2 \nflag[26]=170\/\/ 2 \nflag[19]=176\/\/ 2 \nflag[27]=168\/\/ 2 \nflag[20]=212\/\/ 2 \nflag[18]=178\/\/ 2 \nfor i in range(32): \n print(chr(flag[i]),end="")\n#XYCTF{q7WYGscUuptTYXjnjKoyUTKtG}<\/code><\/pre>\nFindme<\/h3>\n
\u53ef\u6076\uff0c\u5c45\u7136\u6709\u4e09\u4e2a\u6587\u4ef6
\n
<\/div><\/p>\ndie\u67e5\u770b\u6587\u4ef6\u4fe1\u606f\uff0c\u53d1\u73b04\u662f\u4e00\u4e2a\u53ef\u6267\u884c\u6587\u4ef6\uff0cIDA\u542f\u52a8\uff1a<\/p>\n
int __fastcall main_0(int argc, const char **argv, const char **envp)\n{\n size_t v3; \/\/ rax\n int v5; \/\/ eax\n FILE *Stream; \/\/ [rsp+28h] [rbp+8h]\n FILE *v7; \/\/ [rsp+48h] [rbp+28h]\n int v8; \/\/ [rsp+64h] [rbp+44h]\n int v9; \/\/ [rsp+84h] [rbp+64h]\n int v10; \/\/ [rsp+A4h] [rbp+84h]\n int v11; \/\/ [rsp+C4h] [rbp+A4h]\n unsigned __int8 v12; \/\/ [rsp+104h] [rbp+E4h]\n unsigned __int8 v13; \/\/ [rsp+144h] [rbp+124h]\n int i; \/\/ [rsp+164h] [rbp+144h]\n\n j___CheckForDebuggerJustMyCode(&unk_1400230A2, argv, envp);\n sub_1400110E1(); \/\/\u751f\u6210512\u4e2a\u6570\n v8 = 0;\n v10 = 0;\n v11 = 0;\n j_memset(FileName, 0, 0x100ui64);\n j_memset(byte_14001D7A0, 0, 0x100ui64);\n GetCurrentDirectoryA(0x100u, FileName); \/\/ \u83b7\u53d6\u5f53\u524d\u76ee\u5f55\u8def\u5f84\n v3 = j_strlen(FileName);\n j_memcpy(byte_14001D7A0, FileName, v3);\n j_strcat(FileName, "\\\\Doraemon3"); \/\/ \u8f93\u5165\u6587\u4ef6\n j_strcat(byte_14001D7A0, "\\\\Doraemon1"); \/\/ \u8f93\u51fa\u6587\u4ef6\n Stream = fopen(FileName, "rb"); \n if ( Stream )\n {\n v7 = fopen(byte_14001D7A0, "wb"); \/\/ \u8f93\u51fa\u662fDoraemon1\u6587\u4ef6\n while ( !feof(Stream) ) \/\/ \u662f\u5426\u8bfb\u53d6\u5230eof\n {\n v10 = (v10 + 1) % 512;\n v11 = (byte_14001D960[v10] + v11) % 512;\n byte_14001D201 = byte_14001D960[v10]; \/\/ \u4ea4\u6362\u6570\u636e\n byte_14001D960[v10] = byte_14001D960[v11];\n byte_14001D960[v11] = byte_14001D201;\n v13 = byte_14001D960[((byte_14001D960[v11] + byte_14001D960[v10]) % 512)];\n v12 = v13 ^ fgetc(Stream); \/\/ \u83b7\u53d6\u8f93\u5165\n fputc(v12, v7); \/\/ \u8f93\u51fa\n srand(byte_14001D960[v8 % 512]);\n v9 = rand() % 4;\n for ( i = 0; i < v9; ++i )\n {\n v5 = rand();\n fputc(v5 % 256, v7);\n }\n ++v8;\n }\n sub_1400111B8("end");\n fclose(Stream);\n fclose(v7);\n system("pause");\n return 0;\n }\n else\n {\n sub_1400111B8("No Such File\\n");\n return 0;\n }\n}<\/code><\/pre>\n\u8fd9\u4e2a\u7684\u903b\u8f91\u5f88\u7b80\u5355\u901a\u8fc7start_1400110E1(); \u751f\u6210\u4e00\u4e2a512\u5b57\u8282\u7684\u6570\u7ec4<\/p>\n
Doraemon3\u662f\u6211\u4eec\u8f93\u5165\u7684\u6587\u4ef6\uff0c\u53d1\u73b0\u4e0b\u9762\u7684\u8fd0\u7b97\u53ea\u6709\u7b80\u5355\u7684\u5f02\u6216\u8fd0\u7b97\u548c\u4f2a\u968f\u673a\u6570\u4fdd\u62a4<\/p>\n
\u4e00\u773c\u6d41\u5bc6\u7801\uff0c\u9b54\u6539RC4<\/p>\n
fputc(ch1, FileIO); \u5c31\u76f8\u5f53\u4e8e\u89e3\u5bc6\u51fa\u4e00\u4e2a\u5b57\u8282\u7684\u6570\u636e\uff1a<\/p>\n
\u5148\u628as\u76d2\u63d0\u51fa\u6765\uff1a<\/p>\n
0xF3, 0x75, 0xC9, 0xB4, 0x2A, 0x3A, 0x9A, 0x90, 0xBE, 0x43, 0x65, 0x33, 0x39, 0xD3,\n0xF0, 0x46, 0xA5, 0x32, 0xCE, 0x4B, 0x8A, 0x6C, 0x60, 0xC7, 0x70, 0x55, 0xEF, 0x96,\n0xB2, 0x08, 0xC7, 0x68, 0x53, 0x6E, 0xD9, 0x0D, 0xD4, 0x69, 0xCD, 0x87, 0x45, 0x01,\n0xE9, 0x93, 0x7B, 0x21, 0x65, 0xDE, 0x8E, 0x24, 0x26, 0xA6, 0xC8, 0x94, 0x7E, 0xFD,\n0x4F, 0xFD, 0xAD, 0x2B, 0x51, 0x28, 0x0A, 0x5C, 0xA1, 0x0E, 0x11, 0x45, 0x25, 0x6D,\n0x6B, 0x9F, 0x75, 0x5D, 0x3E, 0x20, 0xFA, 0xDC, 0x07, 0xA3, 0x77, 0xC6, 0x8C, 0xEC,\n0x8B, 0x3C, 0xCE, 0x2D, 0x18, 0xE3, 0xBA, 0xBD, 0xBC, 0xCA, 0xB7, 0xB4, 0x03, 0x5B,\n0xF0, 0x4D, 0x4C, 0xF2, 0x3B, 0x34, 0x42, 0xB3, 0x39, 0x91, 0x67, 0x23, 0x16, 0xEA,\n0x88, 0x05, 0x08, 0x19, 0xDA, 0xDF, 0xD0, 0xF5, 0x09, 0x23, 0x59, 0x6D, 0x62, 0x13,\n0x85, 0xBD, 0x3D, 0x7E, 0x92, 0xE4, 0x82, 0x06, 0xBB, 0x7B, 0x6A, 0x47, 0xD9, 0xF6,\n0x1E, 0x09, 0x58, 0x1A, 0xD8, 0xFE, 0x29, 0x8C, 0xBF, 0x54, 0xAF, 0xAE, 0xA2, 0x8F,\n0xD6, 0xE7, 0xBB, 0x24, 0x97, 0x7A, 0xD7, 0x7F, 0xCB, 0x40, 0x3F, 0x49, 0x00, 0xDC,\n0xE0, 0x5E, 0xC9, 0xE0, 0x95, 0x4E, 0xC4, 0x90, 0xEB, 0x74, 0x6B, 0xA0, 0x9D, 0xCD,\n0xDE, 0xA2, 0x87, 0x1A, 0xD1, 0x12, 0xC8, 0x1B, 0x80, 0xE2, 0x4A, 0x10, 0x60, 0x79,\n0x37, 0x29, 0x25, 0xBA, 0xAE, 0x04, 0x1B, 0xDB, 0xD5, 0x48, 0xFE, 0x51, 0x05, 0x83,\n0x15, 0x64, 0xC4, 0x76, 0x34, 0xB5, 0xF2, 0xC5, 0x78, 0x6F, 0xC6, 0x10, 0x5F, 0x53,\n0x81, 0xFB, 0x8D, 0x40, 0xE6, 0x71, 0xA8, 0x57, 0xB7, 0x99, 0x20, 0x98, 0x56, 0xF4,\n0xD8, 0x70, 0xB9, 0xF8, 0xE4, 0xB5, 0x7A, 0xAA, 0xFA, 0x3C, 0x73, 0x77, 0xE8, 0xF9,\n0x12, 0x83, 0x2A, 0xB1, 0xC1, 0x9F, 0xF5, 0x5E, 0xF1, 0xF6, 0xD7, 0x89, 0x30, 0x63,\n0xF4, 0x68, 0xA9, 0x0B, 0x36, 0x85, 0xF8, 0xB3, 0x95, 0x64, 0x79, 0x56, 0x97, 0x19,\n0x5F, 0xA8, 0x6C, 0x4C, 0x52, 0x69, 0xB6, 0x5A, 0x54, 0x63, 0x58, 0x16, 0x86, 0x46,\n0xBE, 0x31, 0x1D, 0xCF, 0x42, 0x31, 0x59, 0xEE, 0xEA, 0x0F, 0x28, 0x57, 0x3B, 0x7F,\n0xD0, 0xB9, 0x8D, 0xED, 0x44, 0x30, 0xA7, 0xC1, 0x5B, 0x04, 0x33, 0xAC, 0x02, 0x73,\n0xDB, 0xFF, 0x01, 0x3D, 0xB1, 0x36, 0x9C, 0xA0, 0x4D, 0x9C, 0x3E, 0x72, 0xF1, 0x1F,\n0x88, 0xE5, 0xAD, 0x00, 0x49, 0x0E, 0x3A, 0xE6, 0xD2, 0xE1, 0xE9, 0x44, 0x27, 0x52,\n0x99, 0xEC, 0xBC, 0x47, 0xCC, 0xA6, 0x9E, 0xD2, 0x7C, 0xFB, 0x72, 0xDA, 0xA7, 0x9A,\n0x86, 0x55, 0x8A, 0x76, 0x9B, 0xF3, 0x7C, 0x8F, 0x14, 0x7D, 0xC5, 0x94, 0x17, 0x8B,\n0xAB, 0x15, 0xBF, 0x2E, 0xDD, 0x2C, 0xB0, 0x62, 0x89, 0x71, 0x92, 0x21, 0x9D, 0x0C,\n0xEF, 0x9E, 0xD1, 0x2B, 0x06, 0xF7, 0x4F, 0xC3, 0xCF, 0xFF, 0x6E, 0xE5, 0xEB, 0x96,\n0xF9, 0xDF, 0xCA, 0x07, 0xD4, 0xA3, 0x84, 0xE3, 0x1F, 0x66, 0x1D, 0x18, 0x35, 0x41,\n0x2F, 0x02, 0x66, 0x2E, 0x6F, 0x61, 0xD5, 0x3F, 0x7D, 0x78, 0x1C, 0x32, 0xAB, 0xA4,\n0x67, 0xC2, 0xC0, 0x1C, 0x11, 0xE2, 0x2C, 0x38, 0x8E, 0xB2, 0x48, 0xE1, 0x0A, 0x22,\n0xD3, 0x41, 0xD6, 0x91, 0x0D, 0x03, 0xFC, 0xFC, 0x38, 0xAC, 0xA9, 0x98, 0xAA, 0x14,\n0xCB, 0xCC, 0x4B, 0x81, 0x2D, 0x5C, 0xB8, 0x0F, 0x1E, 0xAF, 0x93, 0xB6, 0x50, 0x50,\n0xE7, 0x35, 0x4A, 0xC2, 0xA5, 0x37, 0x43, 0x9B, 0x22, 0x80, 0xC3, 0xDD, 0xED, 0x5A,\n0x5D, 0x0C, 0x0B, 0x6A, 0x27, 0x2F, 0x74, 0xEE, 0xF7, 0x26, 0x82, 0x84, 0xB8, 0xE8,\n0x61, 0xA4, 0xB0, 0xC0, 0x13, 0x4E, 0xA1, 0x17<\/code><\/pre>\n\u8fd8\u662f\u6413\u811a\u672c\uff1a<\/p>\n
import ctypes \nimport os \n#\u52a0\u8f7d C \u5e93 \nif os.name == 'nt': # \u5982\u679c\u662f Windows \u7cfb\u7edf \n libc = ctypes.CDLL('msvcrt.dll') \nelse: # \u5982\u679c\u662f\u5176\u4ed6\u7cfb\u7edf \n libc = ctypes.CDLL('libc.so.6') \n#\u58f0\u660e srand \u548c rand \u51fd\u6570\u7684\u7b7e\u540d \nlibc.srand.argtypes = [ctypes.c_uint] \nlibc.rand.restype = ctypes.c_int \n#\u5b9a\u4e49 Python \u5c01\u88c5\u51fd\u6570 \ndef set_seed(seed): \n libc.srand(seed) \ndef generate_random(): \n return libc.rand() \ndata = [0xF3, 0x75, 0xC9, 0xB4, 0x2A, 0x3A, 0x9A, 0x90, 0xBE, 0x43, 0x65, 0x33, \n0x39, 0xD3, 0xF0, 0x46, 0xA5, 0x32, 0xCE, 0x4B, 0x8A, 0x6C, 0x60, 0xC7, 0x70, 0x55, \n0xEF, 0x96, 0xB2, 0x08, 0xC7, 0x68, 0x53, 0x6E, 0xD9, 0x0D, 0xD4, 0x69, 0xCD, 0x87, \n0x45, 0x01, 0xE9, 0x93, 0x7B, 0x21, 0x65, 0xDE, 0x8E, 0x24, 0x26, 0xA6, 0xC8, 0x94, \n0x7E, 0xFD, 0x4F, 0xFD, 0xAD, 0x2B, 0x51, 0x28, 0x0A, 0x5C, 0xA1, 0x0E, 0x11, 0x45, \n0x25, 0x6D, 0x6B, 0x9F, 0x75, 0x5D, 0x3E, 0x20, 0xFA, 0xDC, 0x07, 0xA3, 0x77, 0xC6, \n0x8C, 0xEC, 0x8B, 0x3C, 0xCE, 0x2D, 0x18, 0xE3, 0xBA, 0xBD, 0xBC, 0xCA, 0xB7, 0xB4, \n0x03, 0x5B, 0xF0, 0x4D, 0x4C, 0xF2, 0x3B, 0x34, 0x42, 0xB3, 0x39, 0x91, 0x67, 0x23, \n0x16, 0xEA, 0x88, 0x05, 0x08, 0x19, 0xDA, 0xDF, 0xD0, 0xF5, 0x09, 0x23, 0x59, 0x6D, \n0x62, 0x13, 0x85, 0xBD, 0x3D, 0x7E, 0x92, 0xE4, 0x82, 0x06, 0xBB, 0x7B, 0x6A, 0x47, \n0xD9, 0xF6, 0x1E, 0x09, 0x58, 0x1A, 0xD8, 0xFE, 0x29, 0x8C, 0xBF, 0x54, 0xAF, 0xAE, \n0xA2, 0x8F, 0xD6, 0xE7, 0xBB, 0x24, 0x97, 0x7A, 0xD7, 0x7F, 0xCB, 0x40, 0x3F, 0x49, \n0x00, 0xDC, 0xE0, 0x5E, 0xC9, 0xE0, 0x95, 0x4E, 0xC4, 0x90, 0xEB, 0x74, 0x6B, 0xA0, \n0x9D, 0xCD, 0xDE, 0xA2, 0x87, 0x1A, 0xD1, 0x12, 0xC8, 0x1B, 0x80, 0xE2, 0x4A, 0x10, \n0x60, 0x79, 0x37, 0x29, 0x25, 0xBA, 0xAE, 0x04, 0x1B, 0xDB, 0xD5, 0x48, 0xFE, 0x51, \n0x05, 0x83, 0x15, 0x64, 0xC4, 0x76, 0x34, 0xB5, 0xF2, 0xC5, 0x78, 0x6F, 0xC6, 0x10, \n0x5F, 0x53, 0x81, 0xFB, 0x8D, 0x40, 0xE6, 0x71, 0xA8, 0x57, 0xB7, 0x99, 0x20, 0x98, \n0x56, 0xF4, 0xD8, 0x70, 0xB9, 0xF8, 0xE4, 0xB5, 0x7A, 0xAA, 0xFA, 0x3C, 0x73, 0x77, \n0xE8, 0xF9, 0x12, 0x83, 0x2A, 0xB1, 0xC1, 0x9F, 0xF5, 0x5E, 0xF1, 0xF6, 0xD7, 0x89, \n0x30, 0x63, 0xF4, 0x68, 0xA9, 0x0B, 0x36, 0x85, 0xF8, 0xB3, 0x95, 0x64, 0x79, 0x56, \n0x97, 0x19, 0x5F, 0xA8, 0x6C, 0x4C, 0x52, 0x69, 0xB6, 0x5A, 0x54, 0x63, 0x58, 0x16, \n0x86, 0x46, 0xBE, 0x31, 0x1D, 0xCF, 0x42, 0x31, 0x59, 0xEE, 0xEA, 0x0F, 0x28, 0x57, \n0x3B, 0x7F, 0xD0, 0xB9, 0x8D, 0xED, 0x44, 0x30, 0xA7, 0xC1, 0x5B, 0x04, 0x33, 0xAC, \n0x02, 0x73, 0xDB, 0xFF, 0x01, 0x3D, 0xB1, 0x36, 0x9C, 0xA0, 0x4D, 0x9C, 0x3E, 0x72, \n0xF1, 0x1F, 0x88, 0xE5, 0xAD, 0x00, 0x49, 0x0E, 0x3A, 0xE6, 0xD2, 0xE1, 0xE9, 0x44, \n0x27, 0x52, 0x99, 0xEC, 0xBC, 0x47, 0xCC, 0xA6, 0x9E, 0xD2, 0x7C, 0xFB, 0x72, 0xDA, \n0xA7, 0x9A, 0x86, 0x55, 0x8A, 0x76, 0x9B, 0xF3, 0x7C, 0x8F, 0x14, 0x7D, 0xC5, 0x94, \n0x17, 0x8B, 0xAB, 0x15, 0xBF, 0x2E, 0xDD, 0x2C, 0xB0, 0x62, 0x89, 0x71, 0x92, 0x21, \n0x9D, 0x0C, 0xEF, 0x9E, 0xD1, 0x2B, 0x06, 0xF7, 0x4F, 0xC3, 0xCF, 0xFF, 0x6E, 0xE5, \n0xEB, 0x96, 0xF9, 0xDF, 0xCA, 0x07, 0xD4, 0xA3, 0x84, 0xE3, 0x1F, 0x66, 0x1D, 0x18, \n0x35, 0x41, 0x2F, 0x02, 0x66, 0x2E, 0x6F, 0x61, 0xD5, 0x3F, 0x7D, 0x78, 0x1C, 0x32, \n0xAB, 0xA4, 0x67, 0xC2, 0xC0, 0x1C, 0x11, 0xE2, 0x2C, 0x38, 0x8E, 0xB2, 0x48, 0xE1, \n0x0A, 0x22, 0xD3, 0x41, 0xD6, 0x91, 0x0D, 0x03, 0xFC, 0xFC, 0x38, 0xAC, 0xA9, 0x98, \n0xAA, 0x14, 0xCB, 0xCC, 0x4B, 0x81, 0x2D, 0x5C, 0xB8, 0x0F, 0x1E, 0xAF, 0x93, 0xB6, \n0x50, 0x50, 0xE7, 0x35, 0x4A, 0xC2, 0xA5, 0x37, 0x43, 0x9B, 0x22, 0x80, 0xC3, 0xDD, \n0xED, 0x5A, 0x5D, 0x0C, 0x0B, 0x6A, 0x27, 0x2F, 0x74, 0xEE, 0xF7, 0x26, 0x82, 0x84, \n0xB8, 0xE8, 0x61, 0xA4, 0xB0, 0xC0, 0x13, 0x4E, 0xA1, 0x17] \nDoraemon1 = [] \n#\u6253\u5f00\u6587\u4ef6\u5e76\u8bfb\u53d6\u5b57\u8282 \nwith open("Doraemon1", "rb") as file: \n #\u8bfb\u53d6\u6587\u4ef6\u5b57\u8282\u5e76\u8d4b\u503c\u7ed9temp \n Doraemon1 = list(file.read()) \n\noutfile = [] \nidx = 0 \nidx_1 = 0 \nidx_2 = 0 \nDoraemon1idx = 0 \nwhile Doraemon1idx<len(Doraemon1) : \n idx_1 = (idx_1 + 1) % 512 \n idx_2 = (data[idx_1] + idx_2) % 512 \n temp = data[idx_1] \n data[idx_1] = data[idx_2] \n data[idx_2] = temp \n data_ch = data[((data[idx_2] + data[idx_1]) % 512) & 0xff] \n Stream = data_ch ^ Doraemon1[Doraemon1idx] \n Doraemon1idx += 1 \n outfile.append(Stream.to_bytes(1, 'big')) \n set_seed(data[idx % 512]) \n randnum = generate_random() % 4 \n for i in range(randnum): \n Doraemon1idx += 1 \n idx += 1 \nprint(outfile) \n#\u6253\u5f00\u6587\u4ef6\u8fdb\u884c\u5199\u5165 \nwith open("output_file.exe", "wb") as file: \n #\u9010\u5b57\u8282\u5199\u5165\u6587\u4ef6 \n for byte in outfile: \n file.write(byte) #\u5c06\u6bcf\u4e2a\u5b57\u8282\u8f6c\u6362\u4e3a\u5b57\u8282\u6570\u7ec4\u5e76\u5199\u5165\u6587\u4ef6<\/code><\/pre>\n\u8dd1\u51faexe
\n
<\/div>
\n\u7ee7\u7eedIDA\uff1a<\/p>\nint __fastcall main_0(int argc, const char **argv, const char **envp)\n{\n char *v3; \/\/ rdi\n __int64 i; \/\/ rcx\n size_t v5; \/\/ rax\n char v7; \/\/ [rsp+20h] [rbp+0h] BYREF\n char Str[114552]; \/\/ [rsp+30h] [rbp+10h] BYREF\n FILE *Stream; \/\/ [rsp+1BFA8h] [rbp+1BF88h]\n FILE *v10; \/\/ [rsp+1BFC8h] [rbp+1BFA8h]\n int v11; \/\/ [rsp+1BFE4h] [rbp+1BFC4h]\n unsigned __int8 v12; \/\/ [rsp+1C024h] [rbp+1C004h]\n unsigned __int8 v13; \/\/ [rsp+1C044h] [rbp+1C024h]\n int v14; \/\/ [rsp+1C654h] [rbp+1C634h]\n __int64 v15; \/\/ [rsp+1C658h] [rbp+1C638h]\n size_t v16; \/\/ [rsp+1C660h] [rbp+1C640h]\n\n v3 = &v7;\n for ( i = 28694i64; i; --i )\n {\n *(_DWORD *)v3 = -858993460;\n v3 += 4;\n }\n j___CheckForDebuggerJustMyCode(&unk_1400230A3, argv, envp);\n Stream = 0i64;\n v11 = 0;\n j_memset(FileName, 0, 0x100ui64);\n j_memset(byte_14001D920, 0, sizeof(byte_14001D920));\n GetCurrentDirectoryA(0x100u, FileName);\n v5 = j_strlen(FileName);\n j_memcpy(byte_14001D920, FileName, v5);\n j_strcat(FileName, "\\\\Doraemon2");\n j_strcat(byte_14001D920, "\\\\Here");\n sub_1400111BD("\u4f60\u662f\u6765\u627e\u8c01\u7684\u5440\\n");\n sub_1400110A5("%s", Str);\n sub_1400111BD(&unk_14001AD68);\n Stream = fopen(FileName, "rb");\n v10 = fopen(byte_14001D920, "wb");\n while ( !feof(Stream) )\n {\n v12 = fgetc(Stream);\n v14 = v12;\n v15 = v11;\n v16 = j_strlen(Str);\n v13 = Str[v11 % v16] ^ v12 ^ 0x14;\n fputc(v13, v10);\n ++v11;\n }\n fclose(Stream);\n fclose(v10);\n system("pause");\n return 0;\n}<\/code><\/pre>\n\u8fd9\u4e2a\u5c31\u5f88\u7b80\u5355\u4e86\u6839\u636e\u63d0\u793a\u6211\u4eec\u5c31\u53ef\u4ee5\u77e5\u9053\u8981\u627e\u7684\u662f\u54c6\u5566A\u68a6\uff0cDoraemon
\n\u6211\u4eec\u8fd0\u884c\u7a0b\u5e8f\u5c31\u53ef\u4ee5\u83b7\u5f97gif\u52a8\u56feflag \u4e86<\/p>\n
<\/div>
\n\u518d\u6539\u4e00\u4e0b\u540e\u7f00
\n<\/div><\/p>\n","protected":false},"excerpt":{"rendered":"\u5728\u672c\u6b21XYCTF\u4e2d \u6211\u4eec\u7684 \u51cc\u6668\u4eba\u624d\u6218\u961f \u6700\u7ec8\u6392\u540d\u7b2c4<\/p>\n","protected":false},"author":1,"featured_media":90,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-89","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-re"],"_links":{"self":[{"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/posts\/89","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/comments?post=89"}],"version-history":[{"count":6,"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/posts\/89\/revisions"}],"predecessor-version":[{"id":288,"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/posts\/89\/revisions\/288"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/media\/90"}],"wp:attachment":[{"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/media?parent=89"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/categories?post=89"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/tags?post=89"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240405190851-1.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240416142546.png\")
<\/div>![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240416145405.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240427153335.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240427162338.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240410182435.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240410183127.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240411002303.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240411012149.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240405191706.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240405191810.png\")
<\/div>![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240405192108.png\")
<\/div>![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240405204122.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240405204351.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240410222140.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240410222405.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240410121719.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240427174104.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240427174407.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240427174453.png\")
<\/div>![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240427174617.png\")
<\/div>![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240410003739.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240410004154.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240410004413.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240410004559.png\")
<\/div>![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240410004749.png\")
<\/div>![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240411185216.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240411185325.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240411185411.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240411185509.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240411210302.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240411210805.png\")
<\/div>![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240411211011.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240411211227.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240411212119.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240411213153.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240410235456.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240411000055.png\")
<\/div>![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240411001222.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240411001348.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240413010116.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240427182941.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240410231017.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240410230911.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240410231704.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240410231903.png\")
<\/div>![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240410233551.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240410233727.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240410234254.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240410234527.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240427171954.png\")
<\/div>![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240427172010.png\")
<\/div>![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240427184012.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240427184443.png\")
<\/div>![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240427184921.png\")
<\/div>![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240427185320.png\")
<\/div>![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240427190058.png\")
<\/div><\/p>\n![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240427191713.png\")
<\/div>![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240427192134.png\")
<\/div>![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/04\/Pasted-image-20240427192735.png\")
<\/div><\/p>\n","protected":false},"excerpt":{"rendered":"