OLLEH
First check for packing: there is no protection at all, so load it into IDA and take a look.
Analyze it first.
We can set a breakpoint and debug it dynamically to obtain the ciphertext used for the check.
Double-click v4 to view it on the stack.
Enter it directly and we get the flag; it just needs to be MD5-hashed.
ez_re
This one starts with the usual routine: check for packing and load it into IDA. The code there is hard to follow, so look at the DLL file instead; we decompile the DLL with dnSpy.
Entering from the program's entry point, the encryption process is quite clear: write a script directly, or tweak the code and run it online.
login
This program is written in Python and has been packaged into an exe.
We decompile it with a tool.
Put pyinstxtractor.py and the exe in the same folder and run this from cmd:
```shell
python pyinstxtractor.py login.exe
```
This generates the extracted folder.
What we actually need to decompile is this file, but before that it has to be repaired using the struct file.
Found the flag.
ppap
Checking this one for packing shows a UPX packer, and the unpacking tool cannot strip it, so it has to be done by hand.
At first I did not recognise the Caesar cipher; reversing the source code directly also works.
```python
a = 'WfYe2KYaXv77PYctBWI5ZZInCucHCYcxPZHpAvq71ecmBXE54ZIc'
b = len(a)
for i in range(b):
    for m in range(0, 128):
        if m <= 64 or m > 90:            # m is not an uppercase letter
            if m > 96 and m <= 122:      # lowercase letter: undo a shift of 3
                if ord(a[i]) == ((m - 97 + 3) % 26 + 97):
                    print(chr(m), end='')
        elif ord(a[i]) == ((m - 65 + 3) % 26 + 65):  # uppercase letter: undo a shift of 3
            print(chr(m), end='')
print('\n')
```
```python
s = 'TcVb2HVxUs77MVzqYTF5WWFkZrzEZVzuMWEmXsn71bzjYUB54WFz'
```
The output is shorter than 52 characters because digits satisfy neither branch and are never printed, so we add them back by hand.
```python
import base64

str1 = "tCvB2hvXuS77mvZQytf5wwfKzRZezvZUmweMxSN71BZJyub54wfZ"  # remember to swap upper and lower case
string1 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ+/"  # the program's custom table
string2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"  # standard base64 table
print(base64.b64decode(str1.translate(str.maketrans(string1, string2))))
```
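The whole ppap chain in one pass, as an added example that is not the writeup's own code: undo the Caesar shift, swap case, then decode with the custom base64 table. Unlike the brute-force loop above it passes non-letters through, so the digits do not have to be re-inserted by hand, and it also tries all 26 shifts and keeps the ones whose output is entirely printable ASCII (a generalization beyond the fixed shift of 3 in the writeup). The ciphertext and both tables are the writeup's; the function names are mine.

```python
import base64

CIPHERTEXT = "WfYe2KYaXv77PYctBWI5ZZInCucHCYcxPZHpAvq71ecmBXE54ZIc"  # from the writeup
CUSTOM_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ+/"  # program's table
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"  # standard table


def caesar_shift(text, shift):
    """Shift letters by `shift` positions (negative to undo); keep everything else."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)  # digits and symbols are not part of the cipher
    return "".join(out)


def custom_b64decode(text, alphabet):
    """Decode base64 written in `alphabet` by mapping it onto the standard table."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")
    return base64.b64decode(text.translate(str.maketrans(alphabet, STD_ALPHABET)), validate=True)


def decode_stage(ciphertext, shift):
    # Undo the shift, swap case as the writeup does, then decode with the custom table
    return custom_b64decode(caesar_shift(ciphertext, -shift).swapcase(), CUSTOM_ALPHABET)


def candidate_shifts(ciphertext):
    """Try all 26 shifts and keep those whose decoded bytes are all printable ASCII."""
    return [s for s in range(26)
            if all(0x20 <= b <= 0x7E for b in decode_stage(ciphertext, s))]


def solve(ciphertext=CIPHERTEXT, shift=3):
    return decode_stage(ciphertext, shift)


if __name__ == "__main__":
    print("printable candidates:", candidate_shifts(CIPHERTEXT))
    print(solve())
```

The printable-ASCII filter is a cheap way to pick the right shift when the cipher is unknown: a wrong shift scrambles the 6-bit groups and the decoded bytes almost never stay within 0x20..0x7E for 39 bytes in a row.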
EZ
The overall flow of this challenge: RC4 + base64 with a custom table, then TEA encryption, then XTEA encryption, and finally an XOR.
We can run it ourselves to try it out.
It outputs 01234567, which confirms what the algorithm does.
We find a TEA decryption script online.
```c
#include <stdio.h>

// TEA decryption: 32 rounds, undoing the encryption rounds in reverse order
void decrypt(unsigned int *code, unsigned int *key)
{
    unsigned int delta = 0x9e3779b9;
    unsigned int v0, v1, sum = delta << 5, i;  // sum=0xC6EF3720
    v0 = code[0];
    v1 = code[1];
    for (i = 0; i < 32; i++)
    {
        v1 -= ((v0 << 4) + key[2]) ^ (v0 + sum) ^ ((v0 >> 5) + key[3]);
        v0 -= ((v1 << 4) + key[0]) ^ (v1 + sum) ^ ((v1 >> 5) + key[1]);
        sum -= delta;
    }
    code[0] = v0;
    code[1] = v1;
}

int main()
{
    unsigned int key[4] = {2, 2, 3, 4};                // 128-bit key as four words
    unsigned int code[2] = {0x24BDF90F, 0x301B88E8};   // 0x9F5FBC48,0xC5517691
    decrypt(code, key);
    printf("%x %x", code[0], code[1]);
    return 0;
}
```
XTEA decryption script
```c
#include <stdio.h>

// XTEA decryption with r rounds; key words are selected by the sum counter
void decrypt(unsigned int r, unsigned int *code, unsigned int *key)
{
    unsigned int v0, v1, i, delta = 0x9e3779b9;
    unsigned int sum = delta * r;
    v0 = code[0];
    v1 = code[1];
    for (i = 0; i < r; i++)
    {
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
        sum -= delta;
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
    }
    code[0] = v0;
    code[1] = v1;
}

int main()
{
    unsigned int key[4] = {2, 2, 3, 4};
    unsigned int r = 32;
    unsigned int code[2] = {0x8DD02793, 0x4F558864};   // 0x92750C5A,0xA0D98E0E
    decrypt(r, code, key);
    printf("%x %x", code[0], code[1]);
    return 0;
}
```
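The two C scripts above only decrypt, so there is no way to check them other than trusting the found code. As an added example (not the writeup's code), here are TEA and XTEA in Python in both directions, with the 32-bit wraparound made explicit by masking; encrypting the decrypted words must give back the original ciphertext, which is a check anyone can run before relying on the result. The key and block values are the writeup's; the function names are mine.

```python
MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9
KEY = [2, 2, 3, 4]                       # key used by the writeup's scripts
TEA_BLOCK = (0x24BDF90F, 0x301B88E8)     # block given to the TEA script
XTEA_BLOCK = (0x8DD02793, 0x4F558864)    # block given to the XTEA script


def tea_encrypt(v0, v1, key, rounds=32):
    s = 0
    for _ in range(rounds):
        s = (s + DELTA) & MASK
        v0 = (v0 + ((((v1 << 4) & MASK) + key[0]) ^ (v1 + s) ^ ((v1 >> 5) + key[1]))) & MASK
        v1 = (v1 + ((((v0 << 4) & MASK) + key[2]) ^ (v0 + s) ^ ((v0 >> 5) + key[3]))) & MASK
    return v0, v1


def tea_decrypt(v0, v1, key, rounds=32):
    s = (DELTA * rounds) & MASK          # 0xC6EF3720 for 32 rounds, as in the C script
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) & MASK) + key[2]) ^ (v0 + s) ^ ((v0 >> 5) + key[3]))) & MASK
        v0 = (v0 - ((((v1 << 4) & MASK) + key[0]) ^ (v1 + s) ^ ((v1 >> 5) + key[1]))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


def xtea_encrypt(v0, v1, key, rounds=32):
    s = 0
    for _ in range(rounds):
        v0 = (v0 + (((((v1 << 4) & MASK) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + (((((v0 << 4) & MASK) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK
    return v0, v1


def xtea_decrypt(v0, v1, key, rounds=32):
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - (((((v0 << 4) & MASK) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - (((((v1 << 4) & MASK) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK
    return v0, v1


def page_decrypts(key=KEY):
    """Decrypt the two blocks from the writeup and return both results."""
    return tea_decrypt(*TEA_BLOCK, key), xtea_decrypt(*XTEA_BLOCK, key)


if __name__ == "__main__":
    (t0, t1), (x0, x1) = page_decrypts()
    print("TEA  -> %08x %08x" % (t0, t1))
    print("XTEA -> %08x %08x" % (x0, x1))
```

The masking after every addition and left shift is what the C version gets for free from `unsigned int`; forgetting it in Python is the usual reason a ported TEA decryptor returns garbage.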
From this we get the v4 input as {1 1 3 4 2 5 8 7}.
After sorting it is {1 1 2 3 4 5 7 8}.
XOR script
```c
#include <stdio.h>
#include <stdlib.h>

int main()
{
    // the encrypted ciphertext, copied from the binary
    int v9[48] = {
        81, 116, 91, 49, 50, 81, 100, 61, 85, 77, 96, 98, 84, 107, 72, 59,
        52, 96, 83, 122, 61, 52, 50, 107, 71, 89, 58, 96, 93, 78, 49, 75,
        77, 83, 118, 65, 79, 110, 68, 126, 100, 70, 63, 62, 4, 5, 7, 8
    };
    int v4[8] = {1, 1, 2, 3, 4, 5, 7, 8};   // sorted v4, reused as the XOR key
    for (int i = 0; i <= 47; i++) {
        v9[i] = v9[i] ^ v4[i % 8];
        printf("%c", v9[i]);
    }
    return 0;
}
```
Next come the custom-table base64 and RC4.
Dynamic debugging gives the RC4 key.
```python
import base64

str1 = "PuY26Tc5TLbaPnO35aQy915cFX8cYK6CLRtBKkCveG=="
string1 = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/"  # the program's custom table
string2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"  # standard base64 table
print(list(base64.b64decode(str1.translate(str.maketrans(string1, string2)))))

# decoded bytes from the line above, XORed with the RC4 key obtained by debugging
a = [165, 76, 182, 234, 208, 185, 182, 80, 64, 164, 218, 55, 228, 10, 152, 247, 94, 66, 127, 31, 2, 202, 78, 156, 150, 180, 219, 144, 167, 21, 18]
key = [0x94, 0x75, 0x81, 0xd2, 0xfd, 0x81, 0x9b, 0x62, 0x73, 0xe4, 0x91, 0x58, 0x86, 0x6f, 0xd8, 0xb5, 0x3f, 0x31, 0x14, 0x7a, 0x76, 0xa8, 0x2f, 0xf0, 0xfa, 0x97, 0xff, 0xb5, 0xf9, 0x33, 0x38]
for i in range(len(a)):
    print(chr(a[i] ^ key[i]), end='')
```
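The last three EZ stages chained in one script, as an added example that is not the writeup's code: the v4 XOR that yields the base64 text, the custom-table decode, and the XOR against the bytes the writeup recovered as the RC4 key. All values (the v9 table, the sorted v4, both alphabets, the 31 key bytes) are the writeup's; the function names are mine. Checking each stage's output against the next stage's input is what catches a mistyped byte before it turns into a wrong flag.

```python
import base64

# Values copied from the writeup's XOR and decode scripts
V9 = bytes([81, 116, 91, 49, 50, 81, 100, 61, 85, 77, 96, 98, 84, 107, 72, 59,
            52, 96, 83, 122, 61, 52, 50, 107, 71, 89, 58, 96, 93, 78, 49, 75,
            77, 83, 118, 65, 79, 110, 68, 126, 100, 70, 63, 62, 4, 5, 7, 8])
V4 = bytes([1, 1, 2, 3, 4, 5, 7, 8])                  # sorted v4, the XOR key
RC4_BYTES = bytes([0x94, 0x75, 0x81, 0xd2, 0xfd, 0x81, 0x9b, 0x62, 0x73, 0xe4,
                   0x91, 0x58, 0x86, 0x6f, 0xd8, 0xb5, 0x3f, 0x31, 0x14, 0x7a,
                   0x76, 0xa8, 0x2f, 0xf0, 0xfa, 0x97, 0xff, 0xb5, 0xf9, 0x33,
                   0x38])                              # recovered by dynamic debugging
CUSTOM_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/"
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def xor_cycle(data, key):
    """XOR data with key, repeating the key (the C loop's key[i % 8])."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def custom_b64decode(text, alphabet):
    """Decode base64 written in `alphabet` by mapping it onto the standard table."""
    return base64.b64decode(text.translate(str.maketrans(alphabet, STD_ALPHABET)), validate=True)


def undo_xor_stage(v9=V9, v4=V4):
    # The last four slots XOR to NUL, so strip them to get clean base64 text
    return xor_cycle(v9, v4).rstrip(b"\0").decode("ascii")


def undo_b64_stage(text):
    return custom_b64decode(text, CUSTOM_ALPHABET)


def recover(v9=V9, v4=V4, rc4_bytes=RC4_BYTES):
    """Run the three stages back to front and return the plaintext bytes."""
    b64_text = undo_xor_stage(v9, v4)
    rc4_output = undo_b64_stage(b64_text)
    if len(rc4_output) != len(rc4_bytes):
        raise ValueError("decoded length %d does not match key length %d"
                         % (len(rc4_output), len(rc4_bytes)))
    return xor_cycle(rc4_output, rc4_bytes)


if __name__ == "__main__":
    print("base64 text :", undo_xor_stage())
    print("rc4 output  :", list(undo_b64_stage(undo_xor_stage())))
    print("plaintext   :", recover().decode("ascii", errors="replace"))
```

The length check in `recover` is deliberate: RC4 output is XORed byte for byte, so a base64 decode that comes out a different length than the captured key bytes means the wrong alphabet or a bad capture, and it is better to stop there than to print half a flag.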