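buuctf [2019 Red Hat Cup] easyRE
阿新 • Published: 2021-08-07
Load the binary into IDA64, look at the strings, and press F5 to view the decompiled code.
The function starts with a block of assignments.
My guess is that 424BA0 is the function that checks the length, and that 36 characters are taken starting at v12.
That is, this part:
Start with the first script.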
```python
v12 = [73,111,100,108,62,81,110,98,40,111,99,121,127,121,46,105,127,100,96,51,119,125,119,101,107,57,123,105,121,61,126,121,76,64,69,67]
partflag = ''
# Each byte is XORed with its own index
for i in range(len(v12)):
    partflag += chr(v12[i] ^ i)
print(partflag)
```
Output:
Info:The first four chars are `flag`
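PS: about the input
A function that sits right after memset, and close to it, is very likely the input function.
Looking at the strings, one of them is obviously Base64.
The input is Base64-encoded ten times and then compared with 6CC090.
Write the second script.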
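```python
import base64

# The Base64 string stored at 6CC090
partflag = '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'
for i in range(10):
    # In Python 3, str is Unicode while the base64 functions work on bytes,
    # so convert the decoded bytes back to str after every round
    partflag = base64.b64decode(partflag).decode("utf-8")
print(partflag)
```
You can also decode it ten times with an online decoder.
Output:
https://bbs.pediy.com/thread-254172.htm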
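An added example, not part of the original write-up: when the round count is not obvious from the decompiler, the nested Base64 layers can be peeled until the data stops being valid Base64. The function names and the sample string are constructed for illustration; the sample is not the challenge data at 6CC090.

```python
import base64
import binascii


def peel_base64(data: str, max_layers: int = 32):
    """Strip nested Base64 layers; return (innermost_text, layers_removed)."""
    layers = 0
    while layers < max_layers:
        try:
            # validate=True rejects characters outside the Base64 alphabet,
            # so ordinary text is not silently "decoded" into garbage.
            raw = base64.b64decode(data, validate=True)
            text = raw.decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            break  # not Base64, or the result is binary: stop here
        if not text or not text.isprintable():
            break  # empty or control characters: treat as not a text layer
        data = text
        layers += 1
    return data, layers


def wrap_base64(text: str, rounds: int) -> str:
    """Helper for building test input: Base64-encode `text` `rounds` times."""
    for _ in range(rounds):
        text = base64.b64encode(text.encode("ascii")).decode("ascii")
    return text


# Constructed sample, encoded ten times like the check described above.
SAMPLE_PLAINTEXT = "constructed sample: not the challenge data"
SAMPLE_BLOB = wrap_base64(SAMPLE_PLAINTEXT, 10)

if __name__ == "__main__":
    plaintext, layers = peel_base64(SAMPLE_BLOB)
    print(f"{layers} layers -> {plaintext}")
```

A plaintext that is itself valid Base64 and decodes to printable ASCII would be peeled one layer too far, so check the reported count against the loop bound seen in the decompiler.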
Reference: https://blog.csdn.net/qq_44625297/article/details/105155727
----------------------
I will write the rest tomorrow.