逆向攻防世界CTF系列12-666

/*
 * Decompiler output (IDA-style pseudocode, not compilable as-is) for the
 * challenge's entry point. It reads a key from stdin, passes it through
 * encode() and compares the encoded bytes with the global `enflag`.
 */
int __fastcall main(int argc, const char **argv, const char **envp)
{
  char s[240];   // output buffer filled by encode()
  char v5[240];  // raw user input

  // Only the first 0x1E (30) bytes of s are cleared. encode() writes `key`
  // bytes, and the write-up gives key = 0x12 (18), so s[18] is still 0 and
  // the strcmp() below sees a terminated string.
  memset(s, 0, 0x1EuLL);
  printf("Please Input Key: ");
  // NOTE(review): "%s" carries no field width, so any input longer than
  // 239 characters is written past the end of v5 (classic stack overflow).
  // A bounded conversion sized to the buffer is the usual fix.
  __isoc99_scanf("%s", v5);
  // encode() runs before the length test below; it performs its own
  // length check and leaves s untouched when that check fails.
  encode(v5, s);
  if ( strlen(v5) == key )
  {
    if ( !strcmp(s, enflag) )
      puts("You are Right");
    else
      // Printed when the comparison FAILS, so this literal is a decoy and
      // not the flag being searched for.
      puts("flag{This_1s_f4cker_flag}");
  }
  return 0;
}
encode应该是个加密函数
/*
 * Decompiler output (IDA-style pseudocode) for the encoding routine.
 *
 * a1: NUL-terminated input string.
 * a2: destination address, typed as __int64 by the decompiler; main()
 *     passes its 240-byte buffer `s` here.
 *
 * The input is processed in groups of three bytes, each position in the
 * group getting a different transform:
 *   out[i]     = key ^ (in[i] + 6)
 *   out[i + 1] = (in[i + 1] - 6) ^ key
 *   out[i + 2] = in[i + 2] ^ 6 ^ key
 * so the inverse is (out ^ key) - 6, (out ^ key) + 6 and out ^ key ^ 6.
 *
 * Returns the result of puts() when the length check fails, otherwise a2
 * converted to int; main() ignores the return value.
 */
int __fastcall encode(const char *a1, __int64 a2)
{
  char v3[32];  // scratch for the third byte of each group
  char v4[32];  // scratch for the second byte of each group
  char v5[40];  // scratch for the first byte of each group
  int v6;       // assigned once below and never read
  int i;

  i = 0;
  v6 = 0;
  // Input must be exactly `key` characters long; nothing is written to a2
  // on this path.
  if ( strlen(a1) != key )
    return puts("Your Length is Wrong");
  // NOTE(review): the loop reads a1[i + 2] and writes index i + 2 of the
  // scratch arrays, so it relies on key being a multiple of 3 and small
  // enough for the 32-byte arrays; the write-up gives key = 18, for which
  // the highest index touched is 17.
  for ( i = 0; i < key; i += 3 )
  {
    v5[i] = key ^ (a1[i] + 6);          // add 6 first, then XOR with key
    v4[i + 1] = (a1[i + 1] - 6) ^ key;  // subtract 6 first, then XOR with key
    v3[i + 2] = a1[i + 2] ^ 6 ^ key;    // pure XOR, order does not matter
    // Each scratch value is copied straight into the caller's buffer, so
    // the three arrays add nothing beyond the expressions above.
    *(_BYTE *)(a2 + i) = v5[i];
    *(_BYTE *)(a2 + i + 1LL) = v4[i + 1];
    *(_BYTE *)(a2 + i + 2LL) = v3[i + 2];
  }
  return a2;
}
看看key

key是12h,也就是十进制的18
看看enflag

转换16进制
69 7a 77 68 72 6f 7a 22 22 77 22 76 2e 4b 22 2e 4e 69
再看看加密脚本,进行逆运算就行,写脚本
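# Inverts the binary's encode() routine: recovers the input that encodes to
# the `enflag` string taken from the binary.
#
# encode() handles the input three bytes at a time:
#   out[i]     = key ^ (in[i] + 6)
#   out[i + 1] = (in[i + 1] - 6) ^ key
#   out[i + 2] = in[i + 2] ^ 6 ^ key
# so each position is undone by XORing with key first and then reversing the
# add / subtract / XOR with 6.
KEY = 18     # value of `key` in the binary (0x12)
OFFSET = 6   # constant used by all three transforms

string = 'izwhroz""w"v.K".Ni'
decimal_list = [ord(c) for c in string]
print(decimal_list)

# The loop consumes whole 3-byte groups; fail clearly instead of raising an
# IndexError half-way through a partial group.
if len(decimal_list) % 3:
    raise ValueError("ciphertext length must be a multiple of 3")

flag = ''
for i in range(0, len(decimal_list), 3):
    # ^ binds more loosely than + and -, hence the explicit parentheses.
    # & 0xFF mirrors the byte-sized arithmetic of the original routine.
    flag += chr(((KEY ^ decimal_list[i]) - OFFSET) & 0xFF)
    flag += chr(((KEY ^ decimal_list[i + 1]) + OFFSET) & 0xFF)
    flag += chr(KEY ^ decimal_list[i + 2] ^ OFFSET)
print(flag)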
注意:^ 的优先级比 + 和 - 低,所以脚本里需要先异或再加减的地方必须加括号。
// Excerpt of encode()'s loop body. Each value is computed into a scratch
// array and then copied unchanged to the matching offset of a2.
v5[i] = key ^ (a1[i] + 6);          // first byte of the group: +6, then XOR key
v4[i + 1] = (a1[i + 1] - 6) ^ key;  // second byte: -6, then XOR key
v3[i + 2] = a1[i + 2] ^ 6 ^ key;    // third byte: XOR with 6 and key
*(_BYTE *)(a2 + i) = v5[i];            // a2[i]     receives the v5 value
*(_BYTE *)(a2 + i + 1LL) = v4[i + 1];  // a2[i + 1] receives the v4 value
*(_BYTE *)(a2 + i + 2LL) = v3[i + 2];  // a2[i + 2] receives the v3 value
这里v5其实就是a2+0,v4就是a2+1,v3就是a2+2