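This one took a long time and a lot of searching.
The encryption has several stages. First the input is reordered; that part is too messy to read statically, so debug it dynamically. At
UnDecorateSymbolName(v5, outputString, 0x100u, 0);// name decoration
set a breakpoint, then enter a run of 31 consecutive characters.
Then look at the state once the breakpoint hits: rcx shows the input after reordering.
Next comes undecoration; search online for the decoration rules.
The last stage is a table lookup and comparison. The solution is to run everything in reverse.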
a1 = b'(_@4620!08!6_0*0442!@186%%0@3=66!!974*3234=&0^3&1@=&0908!6_0*&'
a2 = b'55565653255552225565565555243466334653663544426565555525555222'
a3 = b'1234567890-=!@#$%^&*()_+qwertyuiop[]QWERTYUIOP{}asdfghjkl;\'ASDFGHJKL:"ZXCVBNM<>?zxcvbnm,./'
tmp = ''
# Invert the table lookup: a1 holds a3[ch % 23], a2 holds a3[ch // 23]
for i in range(62):
    for j in range(256):
        if a3[j%23] == a1[i] and a3[j//23] == a2[i]:
            tmp += chr(j)
            break
print(tmp)
#UnDecorateSymbolName does C++ name undecoration; convert back to the decorated name by hand
#private: char * __thiscall R0Pxx::My_Aut0_PWN(unsigned char *)
#?My_Aut0_PWN@R0Pxx@@AAEPADPAE@Z
#? + func + @ + class + @@ + private + char * + unsigned char * + @Z
#A-Z[\]
#Reordering stage: get the order table by dynamic debugging. Set a breakpoint at UnDecorateSymbolName(v5, outputString, 0x100u, 0); enter 31 characters, and read the value in rcx
#'ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_
print(bytes([i for i in range(0x41, 0x41+31)]))
#1: rcx 000000013FDB57C0 "PQHRSIDTUJVWKEBXYLZ[MF\\]N^_OGCA"
tab = b"PQHRSIDTUJVWKEBXYLZ[MF\\]N^_OGCA"
c = b'?My_Aut0_PWN@R0Pxx@@AAEPADPAE@Z'
m = [0]*31
for i in range(31):
    # Output position i came from input position tab[i]-0x41
    m[tab[i]-0x41] = c[i]
print(bytes(m))
from hashlib import md5
print('flag{'+md5(bytes(m)).hexdigest()+'}')
#flag{63b148e750fed3a33419168ac58083f5}
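
Added example (not part of the original write-up): a forward model of the reordering and table stages that the solve script inverts, so the recovered values can be checked offline. The function names are hypothetical, A3 is the first 23 bytes of a3 (the only ones the lookup indexes), and the UnDecorateSymbolName step is taken from the comments above rather than executed.

```python
# Added example: constants are from the write-up, function names are hypothetical.
PROBE = bytes(range(0x41, 0x41 + 31))           # the 31 consecutive characters typed in
SHUFFLED = b"PQHRSIDTUJVWKEBXYLZ[MF\\]N^_OGCA"   # rcx value at the breakpoint
MANGLED = b"?My_Aut0_PWN@R0Pxx@@AAEPADPAE@Z"
UNDECORATED = b"private: char * __thiscall R0Pxx::My_Aut0_PWN(unsigned char *)"
A1 = b"(_@4620!08!6_0*0442!@186%%0@3=66!!974*3234=&0^3&1@=&0908!6_0*&"
A2 = b"55565653255552225565565555243466334653663544426565555525555222"
A3 = b"1234567890-=!@#$%^&*()_"                 # first 23 bytes of a3


def perm_from_probe(probe, observed):
    """Return src such that shuffled[i] == original[src[i]]."""
    if len(set(probe)) != len(probe) or sorted(probe) != sorted(observed):
        raise ValueError("probe bytes must be distinct and only rearranged")
    pos = {b: i for i, b in enumerate(probe)}
    return [pos[b] for b in observed]


def shuffle(data, src):
    """Forward reordering stage, as observed in the debugger."""
    if len(data) != len(src):
        raise ValueError("input must be exactly %d bytes" % len(src))
    return bytes(data[s] for s in src)


def unshuffle(data, src):
    """Inverse of shuffle: put each output byte back at its source index."""
    if len(data) != len(src):
        raise ValueError("input must be exactly %d bytes" % len(src))
    out = bytearray(len(src))
    for i, s in enumerate(src):
        out[s] = data[i]
    return bytes(out)


def encode_table(text):
    """Forward table stage: each byte becomes (A3[b % 23], A3[b // 23])."""
    return (bytes(A3[b % 23] for b in text), bytes(A3[b // 23] for b in text))


SRC = perm_from_probe(PROBE, SHUFFLED)

if __name__ == "__main__":
    print(encode_table(UNDECORATED) == (A1, A2))   # table stage matches a1/a2
    key = unshuffle(MANGLED, SRC)
    print(key, shuffle(key, SRC) == MANGLED)       # recovered input round-trips
```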