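I solved two RE challenges and was carried by the much stronger players on the team to 12th place.
Enjoyit-1
This challenge is a freebie.
It is a .NET program; decompile it with dnSpy. The main logic is as follows:
b.b checks whether the input lies between '_' and 'z'.
b.c is a Base64 variant with a modified alphabet.
Write a script to recover an input that satisfies these conditions: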
import base64
src='abcdefghijklmnopqrstuvwxyz0123456789+/ABCDEFGHIJKLMNOPQRSTUVWXYZ='
aaa='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='
ss='yQXHyBvN3g/81gv51QXG1QTBxRr/yvXK1hC='
tmp=''
# Map each character from the custom alphabet back to the standard Base64 alphabet
for i in range(len(ss)):
    tmp+=aaa[src.index(ss[i])]
print(base64.b64decode(tmp))
#combustible_oolong_tea_plz
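The main function's logic shows that, once it receives the correct input, the program waits for a very long time and then generates the flag automatically. I did not reverse the generation logic here; I simply debugged the program dynamically, skipped the wait, and let it generate the flag.
replace
This challenge uses a hook to hook the IsDebuggerPresent function.
The function sub_401ae7 is a fake encryption routine and is never actually used.
The real encryption function is at sub_1925.
The function sub_4015c3 contains junk instructions and cannot be parsed. I found that it uses jz and jnz placed back to back. At the instructions below that fail to disassemble, press u,
then press F5 to decompile.
It first performs 5 rounds of monoalphabetic substitution and then applies a rail fence cipher. The decryption script is as follows: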
src='416f6b116549435c2c0f1143174339023d4d4c0f183e7828'
t=[int(src[i:i+2],16) for i in range(0,len(src),2) ]
print(t)
s=[128, 101, 47, 52, 18, 55, 125, 64, 38, 22, 75, 77, 85, 67, 92, 23, 63, 105, 121, 83, 24, 2, 6, 97]
data=[0x80,0x65,0x2F,0x34,0x12,0x37,0x7D,0x40,0x26,0x16,0x4B,0x4D,0x55,0x43,0x5C,0x17,0x3F,0x69,0x79,0x53,0x18,0x02,0x06,0x61,0x27,0x08,0x49,0x4A,0x64,0x23,0x56,0x5B,0x6F,0x11,0x4F,0x14,0x04,0x1E,0x5E,0x2D,0x2A,0x32,0x2B,0x6C,0x74,0x09,0x6E,0x42,0x70,0x5A,0x71,0x1C,0x7B,0x2C,0x75,0x54,0x30,0x7E,0x5F,0x0E,0x01,0x46,0x1D,0x20,0x3C,0x66,0x6B,0x76,0x63,0x47,0x6A,0x29,0x25,0x4E,0x31,0x13,0x50,0x51,0x33,0x59,0x1A,0x5D,0x44,0x3E,0x28,0x0F,0x19,0x2E,0x05,0x62,0x4C,0x3A,0x21,0x45,0x1F,0x38,0x7F,0x57,0x3D,0x1B,0x3B,0x24,0x41,0x77,0x6D,0x7A,0x52,0x73,0x07,0x10,0x35,0x0A,0x0D,0x03,0x0B,0x48,0x67,0x15,0x78,0x0C,0x60,0x39,0x36,0x22,0x7C,0x58,0x72,0x68,0x00]
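li={}
# Enumerate, for every candidate character, what it becomes after 5 substitution rounds
for i in range(30,128):
    li[i]=i
    for j in range(5):
        li[i]=data[li[i]]
print(li)
flag=''
# For each ciphertext byte, look up the character that maps to it
for i in range(24):
    for j in range(30,128):
        if li[j]==t[i]:
            flag+=chr(j)
if len(flag)==24:
    print(flag)
#fhudl1_3atd_g_ei{yctSo0}
# For the rail fence decryption, just use an online site; I couldn't be bothered to write it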
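The rail fence step that the write-up leaves to an online tool, as an added example that is not part of the original write-up. The page does not state the fence width, so the code tries every width that divides the text length and keeps the result shaped like a flag; the simple columnar fence variant, the `flag{`...`}` shape, and all function names are assumptions.

```python
# Added example, not from the original write-up.
# Assumption: the "fence" is the simple columnar variant: the plaintext is
# written in rows of `width` characters and read out column by column.
CIPHERTEXT = "fhudl1_3atd_g_ei{yctSo0}"  # output of the substitution script above


def fence_encrypt(plaintext: str, width: int) -> str:
    """Read the text column by column from rows of `width` characters."""
    if width < 1 or len(plaintext) % width:
        raise ValueError("width must divide the text length")
    return "".join(plaintext[c::width] for c in range(width))


def fence_decrypt(ciphertext: str, width: int) -> str:
    """Invert fence_encrypt: the ciphertext is `width` columns of equal height."""
    if width < 1 or len(ciphertext) % width:
        raise ValueError("width must divide the text length")
    height = len(ciphertext) // width
    # Character r of every column, taken in column order, rebuilds row r.
    return "".join(ciphertext[r::height] for r in range(height))


def find_flags(ciphertext: str, prefix: str = "flag{", suffix: str = "}"):
    """Try every width that divides the length; keep flag-shaped plaintexts."""
    hits = []
    for width in range(2, len(ciphertext)):
        if len(ciphertext) % width:
            continue
        plain = fence_decrypt(ciphertext, width)
        if plain.startswith(prefix) and plain.endswith(suffix):
            hits.append((width, plain))
    return hits


if __name__ == "__main__":
    for width, plain in find_flags(CIPHERTEXT):
        print(f"width={width}: {plain}")
```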