携手创作,共同成长!这是我参与「掘金日新计划 · 8 月更文挑战」的第22天,点击查看活动详情
REVERSE
Encode
快速幂取模,题目也说了线性,直接逆向encode函数
end = [
0x23,0x4a,0x7,0x2b,0x1d,0x6,0x3f,0x36,0x36,
0x2b,0x5,0x7,0x6,0x39,0x2,0x6,0x38,
0x21,0x4b,0x1a,0x2d,0x2d,0x39,0x2,0x0
]
key = [0x7,0xb,0xd,0x4d]
def pow_mod(num1,key1,key2):
ans = 1
aa = num1 % key2
while key1:
if (key1 % 2)==1:
ans = aa*ans%key2
key1 //= 2
aa = aa*aa%key2
return ans
m = []
for i in range(len(end)):
for j in range(128):
if pow_mod(j,key[2],key[3]) == end[i]:
m.append(j)
break
for i in range(len(m)):
m[i] = (m[i]+0x46)^0x3f
for i in range(len(m)-1,0,-1):
print(chr(m[i]^0xf),end='')
通过这个题目学会了逆向encode函数的使用。还有rsa解密。
Easyre
要去花指令,还有反混淆
之后f5反编译后直接写脚本解一下即可
三个函数,反向推导一下就是,与key的前三位异或,与key的中间三位相加,后三位异或
#include<iostream>
using namespace std;
int main(){
unsigned char s1[] = "^<L^<LX:LX.MJ.MJ9PJ9VF$VF$T@$T];";
unsigned char key[] = "enc!@#key";
for (int i = 0; i < 32; ++i) {
s1[i] ^= key[i % 3 + 6];
}
for (int i = 0; i < 32; ++i) {
s1[i] -= key[i % 3 + 3];
}
for (int i = 0; i < 32; ++i) {
s1[i] ^= key[i % 3];
printf("%c",s1[i]);
}
return 0;
}
这个题目收获到去花指令,反混淆,异或函数.
JoJo 上不了的天堂
这个flag也是分成了两部分进行的加密
第一部分
Tea加密
#include <windows.h>
#include <stdio.h>
#include <cstdint>
void decrypt(uint64_t* v, uint64_t*k){
uint64_t vθ= v[θ], v1 = v[1], sum=0x13c6ef3720,i;
uint64_t delta = 0x9e3779b9;
uint64_t kθ = k[θ], k1 = k[1], k2 = k[2], k3 =k[3];
for(i=0;1 <32;1++){
v1-=((v0<4)+k2)^(vθ+sum)^((vθ >5)+ k3);
vθ-=(Cv1 «4) + kθ) ^ (v1 + sum) ^ ((v1 » 5) + k1);sum-=delta;
}
v[0]=vθ;v[1]=v1;}
int main()
{
//v为要加解密的数据,两个32位无符号整数uint64_t v[2] = { θxff4f7caeeaaba7aa,θx660a9d3c7678a23b};
//k为加解密密钥,4个32位无符号整数,密钥长度为128位
uint64_t k[4]={17,4,37,15};decrypt(v,k);
printf("解密后的数据:θx%llx θx%llx\n", v[θ],v[1]);
printf("\n");
return 0;
}
得到
第二部分:
k = 'Disco'
enc=[0x27, 0x00, 0x2C,0x27,0x2E]
for i in range(len(enc)):
print(chr(enc[i]^ord(k[i])),end='')
相连起来就行ISCC{Heaven_KO_NO_Pucci_DA}
对于Tea加密解密,第一次学习,很有意思。
rerere?
简单的异或加密
key = [0x9e,0xe6,0xfb,0x39,0x3c,0xea,0x24,0x9c,0x38,0xd0,0x62,0x55,0x8b,0x33,0x11,0x43,0x5c,0x40,0x34,0x9c,0x29,0x28,0xd6
,0x27,0xbc,0x0c,0xd4,0xab,0x17,0x0d,0x65,0xe0]
enc = [0xD7 ,0xB5 ,0xB8 ,0x7A ,0x47 ,0x8B ,0x46 ,0xFF ,0x5C ,0xB5 ,0x04 ,0x32 ,0xE3 ,0x5A ,0x7B
,0x28 ,0x30 ,0x2D ,0x5A ,0xF3 ,0x59 ,0x59 ,0xA4
,0x54 ,0xC8 ,0x79 ,0xA2 ,0xDC ,0x6F ,0x74 ,0x1F
,0x9D]
for i in range(len(enc)):
print(chr(enc[i]^key[i]),end='')
通过这个题目熟悉了异或算法。
Slef-reverse
Elf的upx壳,脱壳后拖进ida
找到加密函数
第一个for循环是把flag一位一位赋值给v122并打乱顺序,第二个循环是一个乘3+1
这里直接爆破一下即可
题目说了06段,直接找到debug6段
for p in range(16):
for i in range(128):
v42=p
v43=i*3+1
a = 3 * i + 1
if i==89:
print(a)
if v123[p]==a&0xff:
flag[((p^0xD)+1)%16]=chr(i)
print(flag)
print(''.join('%s' %i for i in flag))
这个题目学到了Elf的upx壳技术。
