BUUCTF[2019红帽杯]easyRE

📅 2026/7/12 19:46:42 👁️ 阅读次数 📝 编程学习
BUUCTF[2019红帽杯]easyRE

进入ida,shift+F12,查找flag没有结果,有可疑字符串进入

双击黄色部分,然后F5看伪代码

先是异或加密

v12="Iodl>Qnb(ocy"

v12=list(v12) # 转为字符列表

for i in range(0,len(v12)):

v12[i]=ord(v12[i]) #字符转ASCII码

v12.append(127) # 补第13字节:127

v13="y.i"

v13=list(v13)

for i in range(0,len(v13)):

v13[i]=ord(v13[i])

v12.extend(v13) #v13拼接到v12后

v12.append(127)

v14="d`3w}wek9{iy=~yL@EC"

v14=list(v14)

for i in range(0,len(v14)):

v14[i]=ord(v14[i])

v12.extend(v14) #v14拼接到v12后

print(v12)

v15=''

for i in range(0,len(v12)):

v15+=chr(v12[i]^i)

print(v15)

输出:Info:The first four chars are `flag`

接着是十个base64加密后得v11=off_6CC090

厨子解

十个base64解密得一个网址,进入之后是文章,说明找错了不是flag

注意到off_6CC090下面有数据

进入sub_400D35

v4=v1

f和g可以想到是flag中的,恰好byte_6CC0A0[0]和byte_6CC0A3中间还有两个数据,所以v4分别异或0x40,0x35,0x20,0x56得到'flag'

'flag' ^ 0x40,0x35,0x20,0x56求出v4

j=0 → byte_6CC0A0[0] ^ v4[0]

j=1 → byte_6CC0A0[1] ^ v4[1]

j=2 → byte_6CC0A0[2] ^ v4[2]

j=3 → byte_6CC0A0[3] ^ v4[3]

j=4 → byte_6CC0A0 [4] ^ v4 [0](4%4=0,循环使用第 0 字节)

脚本求出flag

byte_6cc0a0=[0x40,0x35,0x20,0x56,0x5d,0x18,0x22,0x45,0x17,0x2f,0x24,0x6e,0x62,0x3c,0x27,0x54,0x48,0x6c,0x24,0x6e,0x72,0x3c,0x32,0x45,0x5b] tmp=[102,108,97,103] #flag的ASCII码 v4=[] for i in range(0,4): v4.append(tmp[i]^byte_6cc0a0[i]) print(v4) flag='' for i in range(0,25): flag+=chr(byte_6cc0a0[i]^v4[i%4]) print(flag) byte_6cc0a0=[0x40,0x35,0x20,0x56,0x5d,0x18,0x22,0x45,0x17,0x2f,0x24,0x6e,0x62,0x3c,0x27,0x54,0x48,0x6c,0x24,0x6e,0x72,0x3c,0x32,0x45,0x5b] tmp=[102,108,97,103] #flag的ASCII码 v4=[] for i in range(0,4): v4.append(tmp[i]^byte_6cc0a0[i]) print(v4) flag='' for i in range(0,25): flag+=chr(byte_6cc0a0[i]^v4[i%4]) print(flag) byte_6cc0a0=[0x40,0x35,0x20,0x56,0x5d,0x18,0x22,0x45,0x17,0x2f,0x24,0x6e,0x62,0x3c,0x27,0x54,0x48,0x6c,0x24,0x6e,0x72,0x3c,0x32,0x45,0x5b] tmp=[102,108,97,103] #flag的ASCII码 v4=[] for i in range(0,4): v4.append(tmp[i]^byte_6cc0a0[i]) print(v4) flag='' for i in range(0,25): flag+=chr(byte_6cc0a0[i]^v4[i%4]) print(flag)

flag{Act1ve_Defen5e_Test}