UPX
脱壳
打开
moectf{ec5390dd-f8cf-4b02-bc29-3bb0c5604c29}就是flag
dynamic
打开后寻找字符串
定位到可疑字符串
交叉引用进新函数
这里提示“Your Flag has REencrypted.”也就是在这句话前面还是正确的flag,在合适的位置下断点
调试
跟踪进v5
flag就是这个了
upx_revenge
upx -d 脱壳失败了,那么需要手动脱壳
用ESP定律脱完壳后用插件生成去壳的文件,用ida打开
跟进aMoectf554ea35c里面
flag直接就出了。
xtea
打开
寻找字符串
跟进去
输入十二个字节的数据,然后前面8个字节进行一次加密,后面第5到第12个字节再进行加密,两次加密后的结果再与数据比较。跟进加密函数
是一个魔改了的 XTEA 加密(下面脚本中的 delta 为 0x33004445),按加密的逆序编写解密脚本如下:
#include<stdio.h>
#include<stdint.h>
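/*
 * Undo the challenge's XTEA-style transform on one 64-bit block, in place.
 *
 * v   - two 32-bit words; ciphertext on entry, plaintext on return.
 * key - four 32-bit key words, selected each round by bits of the running sum.
 *
 * As written here the cipher differs from reference XTEA in its constant
 * (delta = 0x33004445) and in the direction the running sum moves: it starts
 * at 0 - 32*delta and is stepped up by delta once per round.
 */
void decrypt(uint32_t* v,uint32_t* key)
{
    const uint32_t delta = 0x33004445u;
    /* Unsigned arithmetic on purpose: the product does not fit in a signed
     * int, and signed overflow is undefined behaviour. */
    uint32_t sum = 0u - delta * 32u;
    uint32_t v0 = v[0];
    uint32_t v1 = v[1];

    for (int i = 0; i < 32; i++) {
        /* Second half-round is undone first, with the pre-step sum. */
        v1 -= (v0 + ((v0 >> 5) ^ (16 * v0))) ^ (key[(sum >> 11) & 3] + sum);
        sum += delta;
        v0 -= (key[sum & 3] + sum) ^ (v1 + ((v1 >> 5) ^ (16 * v1)));
    }

    v[0] = v0;
    v[1] = v1;
}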
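/*
 * Recover the 12-byte input that the binary compares against.
 *
 * The two overlapping 8-byte blocks are decrypted in the reverse of the
 * order used for encryption: bytes 4..11 first, then bytes 0..7.
 */
int main(void)
{
    /*
     * A union lets decrypt() work on aligned 32-bit words over the same
     * bytes; casting a char buffer to uint32_t* breaks strict aliasing and
     * may be misaligned. The buffer is 16 bytes so that bytes 12..15 are
     * zero and the result is a terminated string (the original printed an
     * unterminated 12-byte array with %s).
     * NOTE(review): words are read in host byte order, as in the original
     * cast; presumably the target is little-endian, so run this on a
     * little-endian host.
     */
    union {
        unsigned char bytes[16];
        uint32_t words[4];
    } buf = { .bytes = { 0xA3, 0x69, 0x96, 0x26, 0xBD, 0x78, 0x0B, 0x3D,
                         0x9D, 0xA5, 0x28, 0x62 } };
    uint32_t key[4] = {2, 0, 2, 4};

    decrypt(&buf.words[1], key);   /* bytes 4..11 */
    decrypt(&buf.words[0], key);   /* bytes 0..7  */
    printf("%s", (const char *)buf.bytes);
    return 0;
}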
运行
d0tN3t
用dnspy打开
输入数据进行加密后比较,加密流程:
每个字节的变换只依赖该字节本身和下标 i,所以可以逐字节直接暴力枚举:
#include <stdio.h>
#include <stdint.h>
/*
 * Brute-force the input one position at a time.
 *
 * For every index, each candidate byte below 127 is run through the same
 * transform as the check (add 114, XOR 114, XOR index squared, truncate to
 * a byte) and printed when it reproduces the stored value.
 */
int main()
{
    const uint8_t arr[] = {
        173, 146, 161, 174, 132, 179, 187, 234, 231, 244,
        177, 161, 65, 13, 18, 12, 166, 247, 229, 207,
        125, 109, 67, 180, 230, 156, 125, 127, 182, 236,
        105, 21, 215, 148, 92, 18, 199, 137, 124, 38,
        228, 55, 62, 164
    };
    const int total = (int)(sizeof arr / sizeof arr[0]);   /* 44 entries */

    for (int pos = 0; pos < total; pos++) {
        const int square = pos * pos;
        int candidate = 0;

        while (candidate < 127) {
            /* Only the low 8 bits survive, exactly as in the check. */
            const uint8_t encoded =
                (uint8_t)((int)(((uint8_t)candidate + 114) ^ 114) ^ square);

            if (encoded == arr[pos]) {
                printf("%c", candidate);
            }
            candidate++;
        }
    }
    return 0;
}
运行:
rc4
打开后查找字符串
跟进
这里进行了RC4加密
RC4 的加密和解密是同一个异或过程,所以用同一个密钥对密文再跑一遍即可,写脚本
#include<stdio.h>
#include<string.h>
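/* The listing had lost the space between the type and the alias name. */
typedef unsigned long ULONG;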
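/*
 * RC4 key scheduling: fill the 256-byte state with 0..255, then permute it
 * under the key.
 *
 * s   - 256-byte state array, overwritten.
 * key - key bytes; any byte value is accepted.
 * Len - number of key bytes. When Len is 0 the state is left untouched
 *       (the original divided by zero here); callers must pass a non-empty
 *       key for the state to be usable.
 */
void rc4_init(unsigned char*s, unsigned char*key, unsigned long Len)
{
    unsigned int j = 0;
    unsigned char tmp;

    if (Len == 0) {
        return;
    }

    for (unsigned int i = 0; i < 256; i++) {
        s[i] = (unsigned char)i;
    }

    for (unsigned int i = 0; i < 256; i++) {
        /*
         * Key bytes are read as unsigned. Copying them into a plain char
         * array, as before, made bytes >= 0x80 negative where char is
         * signed, which could push j below zero and index outside s.
         */
        j = (j + s[i] + key[i % Len]) % 256;
        tmp = s[i];
        s[i] = s[j];   /* swap s[i] and s[j] */
        s[j] = tmp;
    }
}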
/*
 * RC4 keystream generation and XOR, used for both encryption and decryption.
 *
 * s    - 256-byte state prepared by the key schedule; modified as the
 *        keystream advances.
 * Data - buffer transformed in place.
 * Len  - number of bytes of Data to process.
 */
void rc4_crypt(unsigned char*s, unsigned char*Data, unsigned long Len)
{
    unsigned int x = 0;
    unsigned int y = 0;

    for (unsigned long pos = 0; pos < Len; ++pos) {
        x = (x + 1u) & 0xFFu;
        y = (y + s[x]) & 0xFFu;

        /* swap s[x] and s[y] */
        const unsigned char held = s[x];
        s[x] = s[y];
        s[y] = held;

        Data[pos] ^= s[(s[x] + s[y]) & 0xFF];
    }
}
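/*
 * Decrypt the ciphertext bytes with the recovered RC4 key and print the
 * result. RC4 is symmetric, so the same init + crypt pass that encrypted
 * the data also decrypts it.
 */
int main(void)
{
    unsigned char flag[] =
    {
        0xA7,0x1A,0x68,0xEC,0xD8,0x27,0x11,0xCC,0x8C,0x9B,0x16,0x15,0x5C,0xD2,0x67,0x3E,0x82,0xAD,0xCE,0x75,0xD4,
        0xBC,0x57,0x56,0xC2,0x8A,0x52,0xB8,0x6B,0xD6,0xCC,0xF8,0xA4,0xBA,0x72,0x2F,0xE0,0x57,0x15,0xB9,0x24,0x11
    };
    unsigned char key[] = "RC4_1s_4w3s0m3";
    unsigned char s[256] = {0};
    /* Lengths come from the arrays so they cannot drift from the data. */
    const unsigned long key_len = sizeof key - 1;   /* 14, excludes the NUL */
    const unsigned long flag_len = sizeof flag;     /* 42 ciphertext bytes */

    rc4_init(s, key, key_len);
    rc4_crypt(s, flag, flag_len);

    /* Strictly below flag_len: the original's i<=42 read one byte past the
     * end of the 42-byte array. */
    for (unsigned long i = 0; i < flag_len; i++) {
        printf("%c", flag[i]);
    }
    return 0;
}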
运行