测试文件:https://wwa.lanzous.com/i54G4drrp1i
代码分析
打开IDA看了下main函数
这里就是将a2[1]与zer0pts{********CENSORED********}比较,a2[1]是我们的输入。
找到对输入字符串变换处
这里就是将输入分为8个一组,与qword_5605DCE75060数组元素,对应相减,得到zer0pts{********CENSORED********}。
因此,我们只需要反向解就行。(注意字符串和HEX数据大端小端存储,需要交换位置)
脚本
#-*- coding:utf-8 -*-
enc = "********CENSORED********"
m = [0x410A4335494A0942, 0x0B0EF2F50BE619F0, 0x4F0A3A064A35282B]
k = [hex(ord(x))[2:] for x in enc]
print (''.join(k))
flag1 = ''
for i in range(0,len(k),8):
s = ''.join(k[i:i+8][::-1]) # 小端排序
flag1 += hex(int(s, 16) + m[i//8])[2:]
print (flag1)
results = ''.join([chr(int(flag1[x:x+2], 16)) for x in range(0,len(flag1),2)])
flag2 = ''
flag1 = [flag1[i:i+2] for i in range(0,len(flag1),2)]
for i in range(0,len(flag1),8):
s = ''.join(flag1[i:i+8][::-1]) # 大端排序
flag2 += s
print (flag2)
results = ''.join([chr(int(flag2[x:x+2], 16)) for x in range(0,len(flag2),2)])
print (results)
更简单的脚本
#-*- coding:utf-8 -*-
enc = "********CENSORED********"
m = [0x410A4335494A0942, 0x0B0EF2F50BE619F0, 0x4F0A3A064A35282B]
import binascii
flag = b''
for i in range(3):
p = enc[i*8:(i+1)*8]
a = binascii.b2a_hex(p.encode('ascii')[::-1])
b = binascii.a2b_hex(hex(int(a,16) + m[i])[2:])[::-1]
flag += b
print (flag)
get flag!
flag{l3ts_m4k3_4_DETOUR_t0d4y}