
DASCTF March Competition: RE Writeups (partial)

Solved two RE challenges; the big shots carried us to 12th place.

Enjoyit-1

This one is a giveaway.

It is a .NET program; decompile it with dnSpy. The main logic is as follows:

[screenshot]

b.b checks that every input character lies between '_' and 'z'.

b.c is Base64 with a modified alphabet.

[screenshots]

Write a script to recover the input that satisfies the check:

import base64

# custom alphabet used by b.c (from the decompiled code)
src='abcdefghijklmnopqrstuvwxyz0123456789+/ABCDEFGHIJKLMNOPQRSTUVWXYZ='
# standard Base64 alphabet
aaa='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='
# expected encoded value the program compares against
ss='yQXHyBvN3g/81gv51QXG1QTBxRr/yvXK1hC='
tmp=''
# map each character from the custom alphabet back to the standard one
for i in range(len(ss)):
    tmp+=aaa[src.index(ss[i])]
print(base64.b64decode(tmp))
#combustible_oolong_tea_plz

From the main function's logic, once the correct input is entered the program waits a very long time and then generates the flag automatically. There is no need to reverse the generation logic: just debug it dynamically, skip past the wait, and let it generate the flag directly.

[screenshot]

replace

This challenge hooks the IsDebuggerPresent function.

[screenshot]

sub_401ae7 is a fake encryption function; it is never actually used.

[screenshot]

The real encryption function is sub_1925.

[screenshot]

sub_4015c3 contains junk instructions and cannot be analyzed; it turns out a jz and a jnz are used back to back. Press U (undefine) at the instructions below that fail to parse,

[screenshots]

then press F5 to decompile.

[screenshot]

It first applies 5 rounds of a monoalphabetic substitution, then a rail-fence cipher. The decryption script is as follows:

# target ciphertext (hex) that the program compares the encrypted input against
src='416f6b116549435c2c0f1143174339023d4d4c0f183e7828'
t=[int(src[i:i+2],16) for i in range(0,len(src),2) ]
print(t)

# substitution table used by the encryption routine (one round: x -> data[x])
data=[0x80,0x65,0x2F,0x34,0x12,0x37,0x7D,0x40,
      0x26,0x16,0x4B,0x4D,0x55,0x43,0x5C,0x17,
      0x3F,0x69,0x79,0x53,0x18,0x02,0x06,0x61,
      0x27,0x08,0x49,0x4A,0x64,0x23,0x56,0x5B,
      0x6F,0x11,0x4F,0x14,0x04,0x1E,0x5E,0x2D,
      0x2A,0x32,0x2B,0x6C,0x74,0x09,0x6E,0x42,
      0x70,0x5A,0x71,0x1C,0x7B,0x2C,0x75,0x54,
      0x30,0x7E,0x5F,0x0E,0x01,0x46,0x1D,0x20,
      0x3C,0x66,0x6B,0x76,0x63,0x47,0x6A,0x29,
      0x25,0x4E,0x31,0x13,0x50,0x51,0x33,0x59,
      0x1A,0x5D,0x44,0x3E,0x28,0x0F,0x19,0x2E,
      0x05,0x62,0x4C,0x3A,0x21,0x45,0x1F,0x38,
      0x7F,0x57,0x3D,0x1B,0x3B,0x24,0x41,0x77,
      0x6D,0x7A,0x52,0x73,0x07,0x10,0x35,0x0A,
      0x0D,0x03,0x0B,0x48,0x67,0x15,0x78,0x0C,
      0x60,0x39,0x36,0x22,0x7C,0x58,0x72,0x68,0x00]

li={}
# enumerate the replacement character for every printable input character
# after 5 rounds of the table lookup
for i in range(30,128):
    li[i]=i
    for j in range(5):
        li[i]=data[li[i]]
print(li)
flag=''
# invert the mapping: find the input byte that maps to each ciphertext byte
for i in range(24):
    for j in range(30,128):
        if li[j]==t[i]:
            flag+=chr(j)
if len(flag)==24:
    print(flag)
#fhudl1_3atd_g_ei{yctSo0}
# for the rail-fence decryption just use an online tool, too lazy to write it

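The rail-fence step the writeup leaves to an online tool can be finished offline. The following is an added example, not code from the original writeup; it assumes the "rail fence" is the variant common in CTF tools, where the plaintext is cut into rows of N characters and the ciphertext is the grid read column by column, and it tries every row width that divides the 24-character intermediate string from the script above.

```python
# Added example, not from the original writeup.
# Assumption: "rail fence" here means the grid/columnar variant used by most
# CTF tools: plaintext written in rows of `group` chars, read out by columns.

INTERMEDIATE = "fhudl1_3atd_g_ei{yctSo0}"  # output of the substitution step above

def rail_fence_encrypt(plaintext: str, group: int) -> str:
    """Write plaintext in rows of `group` chars, then read the grid column by column."""
    rows = [plaintext[i:i + group] for i in range(0, len(plaintext), group)]
    return "".join(row[col] for col in range(group) for row in rows if col < len(row))

def rail_fence_decrypt(ciphertext: str, group: int) -> str:
    """Inverse of rail_fence_encrypt when `group` divides the ciphertext length."""
    n = len(ciphertext)
    if n % group:
        raise ValueError("group size must divide the ciphertext length")
    rows = n // group
    # plaintext position i sits in column (i % group), row (i // group) of the grid;
    # the ciphertext stores each column as a contiguous run of `rows` characters
    return "".join(ciphertext[(i % group) * rows + i // group] for i in range(n))

def candidates(ciphertext: str) -> dict:
    """Decrypt with every row width that divides the length: {group: plaintext}."""
    n = len(ciphertext)
    return {g: rail_fence_decrypt(ciphertext, g) for g in range(2, n) if n % g == 0}

def solve(ciphertext: str = INTERMEDIATE) -> str:
    """Return the candidate shaped like a flag: starts with 'flag{' and ends with '}'."""
    for g, pt in candidates(ciphertext).items():
        if pt.startswith("flag{") and pt.endswith("}"):
            return pt
    raise ValueError("no candidate has the flag{...} shape")

if __name__ == "__main__":
    for g, pt in candidates(INTERMEDIATE).items():
        print(f"rows of {g:2d}: {pt}")
    print("flag:", solve())
```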