2017 HCTF 逆向level1 解题wp

| categories writeups  | tags CTF 

程序检测了OD,IDA的进程名,也有用IsDebuggerPresent和ntdll!NtQueryInformationProcess来检查调试器 大部分的分析工作都是用IDA静态分析,因为很久没做逆向了,因此光是分析就花了很长时间,写脚本也花了不少时间。因此感觉一般。

题目下载链接: Evr_Q_a1bad588324e19cda44e20fd8cb291b5a735470ef4736f7969aa30fe4ec10ac3.zip

import string


enc_flag = [0x1E, 0x15, 0x2, 0x10, 0x0D, 0x48, 0x48, 0x6F, 0xDD, 0xDD, 0x48, 0x64, 0x63, 0xD7, 0x2E, 0x2C, 0xFE, 0x6A, 0x6D, 0x2A, 0xF2, 0x6F, 0x9A, 0x4D, 0x8B, 0x4B, 0xCF, 0xBF, 0x4F, 0x47, 0x4E, 0x13, 0x10, 0x43, 0x0B]


def enc1(word, i):
        word = ord(word) ^ 0x76 ^ 0xAD
        temp1 = (word & 0xAA) >> 1
        temp2 = 2 * word & 0xAA
        word = temp1 | temp2
        return word

def enc2(word, i):        
        word = ord(word) ^ 0x76 ^ 0xBE
        temp1 = (word & 0xCC) >> 2
        temp2 = 4 * word & 0xCC
        word = temp1 | temp2
        return word


def enc3(word,i):
        word = ord(word) ^ 0x76 ^ 0xEF
        temp1 = (word & 0xF0) >> 4
        temp2 = 16 * word & 0xF0
        word = temp1 | temp2
        return word 

for i in range(0,7):
    print chr(enc_flag[i] ^ 0x76)

for i in range(0,7):
    for word1 in string.printable:
        res1 = enc1(word1, i)
        if(res1 == enc_flag[7+i]):
            print chr(ord(word1))

for i in range(0,7):
    for word1 in string.printable:
        res1 = enc2(word1, i)
        if(res1 == enc_flag[14+i]):
            print chr(ord(word1))

for i in range(0,7):
    for word1 in string.printable:
        res1 = enc3(word1, i)
        if(res1 == enc_flag[21+i]):
            print chr(ord(word1))

for i in range(0,7):
    print chr(enc_flag[28+i] ^ 0x76)

整个flag长度是35,算法每7个为1组进行加密,因为是7个,而且单个字符是可以直接跟加密后的flag比较的,因此可以直接穷举生成随机的字符串组合,将字符串组合扔去加密函数后再和enc_flag相应位置进行比较就可以了。

忘记提一句,在一开始的用户名部分也有一段简单的加密,就不做分析了。


Previous     Next