re学习笔记(61)2020网鼎杯-青龙组-Re部分WP
程序员文章站
2022-05-19 13:38:43
...
新手一枚,如有错误(不足)请指正,谢谢!!
bang
找个软件一键脱壳,jeb打开搜索就有flag,,
signal
虚拟机指令,看了一下貌似不能逆,,就直接用angr跑了
import angr
p = angr.Project('/home/cx330/Desktop/Debugging/signal.exe')
state = p.factory.entry_state()
sm = p.factory.simulation_manager(state)
def good(state):
return b"good" in state.posix.dumps(1)
def bad(state):
return b"what" in state.posix.dumps(1)
sm.explore(find = good, avoid = bad)
if sm.found:
find_state = sm.found[0]
flag = find_state.posix.dumps(0)
print(flag)
输出为
b'757515121f3d478\x00\x89)\x02\xa2\x01\x8c\x00\x00\x01\x00\x01\x08\x02\x00\x8a\x08\x00*)\x00I\x00\x00\x1a\x00\x00\x00\x02\x0e\x00J\x1a\x0eJ\x00\x00J\x08\x02\x02\x00\x8a\x00\x19'
jocker
这题,挺操蛋
main函数无法F5,改一下栈指针。
然后是一个假的验证,验证下面是SMC自解密
附上IDC代码(动调也可以
#include <idc.idc>
static main()
{
auto addr = 0x401500;
auto i = 0;
for(i=0;i<187;i++)
{
PatchByte(addr+i,Byte(addr+i)^0x41);
}
}
解密出来就一个异或运算,不过不全,,,少了5位。
脑洞就很难受
解题脚本
#include <stdio.h>
#include <string.h>
#include "defs.h"
unsigned int date[28] = {
0x0000000E, 0x0000000D, 0x00000009, 0x00000006, 0x00000013, 0x00000005, 0x00000058, 0x00000056,
0x0000003E, 0x00000006, 0x0000000C, 0x0000003C, 0x0000001F, 0x00000057, 0x00000014, 0x0000006B,
0x00000057, 0x00000059, 0x0000000D, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000
};
char str[] = "hahahaha_do_you_find_me?";
int main(void)
{
int i = 0;
char flag[25] = { 0 };
for (i = 0; i < 19; i++)
flag[i] = date[i] ^ str[i];
flag[23] = '}';
flag[22] = '}' ^ 58 ^ 38;
flag[21] = '}' ^ 58 ^ 112;
flag[20] = '}' ^ 58 ^ 116;
flag[19] = '}' ^ 58 ^ 37;
puts(flag);
}