Finally figured out where junk instructions (花指令) come from
The challenge ships its source code. Opening it, you see a lot of junk instructions sprinkled in, all variations of this inline-assembly block:

    _asm
    {
        call sub10          ; pushes the address of the next byte (the 0xE8) as return address
        _emit 0xE8          ; stray byte: opcode of a 5-byte "call rel32", never executed
        jmp label10         ; real control flow continues here
    sub10:
        add dword ptr[esp],1 ; bump the saved return address past the 0xE8 byte
        retn                 ; returns to "jmp label10"
    label10:
    }

At runtime the 0xE8 byte is skipped: `call sub10` pushes the address of the `_emit` byte, `sub10` adds 1 to that saved return address, and `retn` lands on `jmp label10`. A linear-sweep disassembler, however, decodes 0xE8 as the start of a 5-byte `call rel32`, swallows the bytes of the `jmp` as its displacement, and mis-decodes everything that follows. That is all a junk instruction is: a byte the CPU never reaches but the disassembler trusts.
There is also an anti-debugging check. It does not matter here, because with the source in hand we can just edit the check out instead of debugging around it:

    if(*((unsigned char *)(*(DWORD*)(__readfsdword(0x18)+0x30))+0x2))
        sleep();

`__readfsdword(0x18)` reads the TEB self-pointer from `fs:[0x18]`, `+0x30` dereferences the PEB pointer stored in the TEB, and `+0x2` is the `BeingDebugged` byte of the PEB. If it is non-zero, the program stalls in `sleep()`.
The only unknown is the key, and it can simply be printed from inside the function. Remove the anti-debugging check and the junk instructions, make `encode()` print the key array (the challenge's global `key`), and running the program gives the key:

    // Patched encode(): dumps the challenge's global key[] instead of encoding.
    bool encode(char* ur_flag)
    {
        unsigned int k=0,bk=0;
        cout<<hex<<key[0]<<endl;
        cout<<hex<<key[1]<<endl;
        cout<<hex<<key[2]<<endl;
        cout<<hex<<key[3]<<endl;
        cout<<hex<<key[4]<<endl;
        cout<<hex<<key[5]<<endl;
        return true;
    }

Running the patched program with any 24-character input prints the six key values (3, 0x10, 0xd, 4, 0x13, 0xb), followed by the original "Wrong!":
    please input your flag:
    111111111111111111111111
    3
    10
    d
    4
    13
    b
    Wrong!
    Process returned 0 (0x0)   execution time : 8.965 s
Then it is just a matter of undoing the shifts in reverse order, starting from the expected ciphertext words `ks` and working each 32-bit block back to plaintext:
    # Solve script. Indentation restored; libnum's n2s replaced with the built-in
    # int.to_bytes, which gives the same bytes for these 4-byte words.
    ks = [0x8c2c133a, 0xf74cb3f6, 0xfedfa6f2, 0xab293e3b, 0x26cf8a2a, 0x88a1f279]  # expected ciphertext
    key = [3, 0x10, 0xd, 4, 0x13, 0xb]  # recovered by the patched encode() above
    flag = b''
    for i in range(6):
        # undo the chaining: each ciphertext word was XORed with the previous one
        if i > 0:
            k = ks[i] ^ ks[i-1]
        else:
            k = ks[i]
        k = (k ^ (1 << key[i])) & 0xffffffff                      # undo the single-bit flip
        k = (k >> 16) | (((~k) & 0xffff) << 16)                  # swap halves, complementing the low half
        k = ((k << key[i]) & 0xffffffff) | (k >> (32 - key[i]))  # rotate left by key[i]
        flag += k.to_bytes(4, 'big')
    print(flag)
    # flag{a_3a2y_re_for_test}
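To make "do the shifts in reverse" concrete, here is an added example (not the challenge's source and not the author's script) that pairs each decoder step with its inverse. The forward transform `encode()` is reconstructed by inverting the solve script step by step; the challenge's real `encode()` is not shown on the page, so treating this as the original algorithm is an assumption. The constants `KS` and `KEY` are the ones from the write-up, and the round trip `encode(decode(KS)) == KS` is what confirms the inversion is exact.

```python
# Added example: forward block transform reconstructed from the decoder above
# (assumption: the challenge's real encode() is not on the page), paired with
# the decoder so that each step and its inverse sit side by side.

MASK32 = 0xFFFFFFFF

# Constants copied from the write-up: expected ciphertext words and recovered key.
KS = [0x8C2C133A, 0xF74CB3F6, 0xFEDFA6F2, 0xAB293E3B, 0x26CF8A2A, 0x88A1F279]
KEY = [3, 0x10, 0xD, 4, 0x13, 0xB]


def rotl(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32


def rotr(x: int, n: int) -> int:
    """Rotate a 32-bit word right by n bits (inverse of rotl)."""
    return rotl(x, 32 - (n % 32))


def mix_halves(x: int) -> int:
    """Decoder step: new high half = ~old low half, new low half = old high half."""
    return ((~x & 0xFFFF) << 16) | (x >> 16)


def unmix_halves(x: int) -> int:
    """Inverse of mix_halves: old low = ~new high, old high = new low."""
    return ((x & 0xFFFF) << 16) | (~(x >> 16) & 0xFFFF)


def decode_block(c: int, kbits: int, prev: int) -> int:
    """One block of the solve script: unchain, unflip bit, mix halves, rotate left."""
    x = c ^ prev
    x ^= 1 << kbits
    x = mix_halves(x)
    return rotl(x, kbits)


def encode_block(p: int, kbits: int, prev: int) -> int:
    """Exact inverse of decode_block, applying the inverse steps in reverse order."""
    x = rotr(p, kbits)
    x = unmix_halves(x)
    x ^= 1 << kbits
    return x ^ prev  # chain with the previous ciphertext word (0 for the first block)


def decode(words, key=KEY) -> bytes:
    """Turn the six ciphertext words back into the 24-byte flag."""
    out, prev = b"", 0
    for c, kbits in zip(words, key):
        out += decode_block(c, kbits, prev).to_bytes(4, "big")
        prev = c
    return out


def encode(flag: bytes, key=KEY) -> list:
    """Turn a 24-byte flag into the six ciphertext words."""
    if len(flag) != 4 * len(key):
        raise ValueError("flag must be exactly %d bytes" % (4 * len(key)))
    out, prev = [], 0
    for i, kbits in enumerate(key):
        p = int.from_bytes(flag[4 * i:4 * i + 4], "big")
        c = encode_block(p, kbits, prev)
        out.append(c)
        prev = c
    return out


if __name__ == "__main__":
    flag = decode(KS)
    print(flag)
    print([hex(w) for w in encode(flag)] == [hex(w) for w in KS])
```

The chaining is the part people get wrong when reversing by hand: each ciphertext word is XORed with the previous ciphertext word, not the previous plaintext, so the decoder can undo it directly from `ks` without needing the already-recovered plaintext. Note also that `mix_halves` is not its own inverse (applying it twice complements both halves), which is why `unmix_halves` has to be written out separately.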