这比赛唯一的一道Re??
exe,看字符串
找到主函数
看到判断的地方为loc_404600,去看一下
像是SMC,找修改404600处的函数
此处用到了loc_404600,找到这个函数为
这里将loc_404600与mnbv循环的异或
写个脚本处理下
#include <idc.idc>
static decrypt(from, size) {
auto i, x,key1,key2,key3,key4;
key1 = 0x6D;
key2 = 0x6E;
key3 = 0x62;
key4 = 0x76;
for ( i=0; i != size; i=i+1 ) {
if(i%4==0){
x = Byte(from);
x = (x^key1);
PatchByte(from,x);
}
if(i%4==1){
x = Byte(from);
x = (x^key2);
PatchByte(from,x);
}
if(i%4==2){
x = Byte(from);
x = (x^key3);
PatchByte(from,x);
}
from = from + 1;
}
Message("\n" + "Decrypt Complete\n");
}
decrypt(0x00404600,0x260);
修改后重新分析创建函数得到
看check
对输入的前16位进行转换使之等于“66733~6775”
光看ida分析这段实在是太难了,结合ollydbg分析,逻辑是将前十六个输入循环的与greatctf异或后平方再乘12345679
flag=‘‘
a=667339003789000121539302795007135856775//12345679
b=pow(a,0.5)
c=str(b)
key=‘greatctf‘
for i in range(16):
flag+=chr(ord(c[i])^ord(key[i%8]))
print(flag)
再看check2
先搞随机数,在解四元一次方程
#include<stdlib.h>
#include<stdio.h>
int main(){
int v15,v8,v14,v13;
srand(0xbc6146);
v15 = rand() % 360;
v8 = rand() % 360;
v13 = rand() % 360;
v14 = rand() % 360;
printf("v5=%x,v8=%x,V13=%x,v14=%x\n",v15,v8,v13,v14);
return 0;
}
在这我出了个小错误,我最开始是在Linux里跑的,结果随机数与程序里不一样(??
from z3 import*
def hex_str(x):
temp=‘‘
for i in range(len(x)//2):
temp+=chr(int(x[2*i:2*i+2],16))
return temp
f=Solver()
x=[Int(‘x%d‘%i) for i in range(4)]
f.add(x[0]+3*x[3]-1000*2 == 0x1A06491E7)
f.add(x[2]*0xc0-x[3]*0xb == 0x244BFD2B9C)
f.add(2*(x[1]+0x37a)+x[2]*0x1f == 0x71CE119D5)
f.add(x[1]*0x1f*136-0xc0*x[0] == 0x431E9A36840)
if f.check() == sat:
for i in range(4):
print(hex_str(hex(f.model()[x[i]].as_long())[2:])[::-1])
输出
simp 0CTF __36 leRe
顺序修改一下就可以了
原文地址:https://www.cnblogs.com/harmonica11/p/11723241.html
时间: 2024-11-05 18:43:22