简单的re
一道rc4题,没有复杂的操作,每次处理两个字符
unsigned __int64 __fastcall sub_400C9D(unsigned int *a1)
{
unsigned __int64 result; // rax
int v2; // [rsp+18h] [rbp-38h]
unsigned int v3; // [rsp+1Ch] [rbp-34h]
unsigned int v4; // [rsp+20h] [rbp-30h]
int i; // [rsp+24h] [rbp-2Ch]
unsigned __int64 v6; // [rsp+48h] [rbp-8h]
v6 = __readfsqword(0x28u);
v2 = 0;
v3 = *a1;
v4 = a1[1];
for ( i = 0; i <= 31; ++i )
{
v2 += 1865817980;
v3 += (v4 + v2) ^ (16 * v4 + 111) ^ ((v4 >> 5) + 54);
v4 += (v3 + v2) ^ (16 * v3 + 31) ^ ((v3 >> 5) + 124);
}
*a1 = v3;
a1[1] = v4;
result = __readfsqword(0x28u) ^ v6;
if ( result )
exit();
return result;
}这些天净作RC4了
直接弄个改吧改吧就行了
chk = [1350288828,731421218,1671728960,2831241988,1951471770,2319350991,1657444641,236674178,
3281411241,3592850081,581718275,2597100926,575307203,3582510352,3410176996,3064018193,
1278546908,1875831745,2741062944,2277786060,2717472665,1047384394,1864926511,1387033695,
2442177625,383659259]
v2 = 0
tab = [0]*32
for i in range(32):
v2 += 1865817980
v2 &= 0xffffffff
tab[i] = v2
def enc(v3,v4):
for i in range(31,-1,-1):
v4 -= (v3+tab[i])^(16*v3 + 31)^((v3>>5)+124)
v4 &= 0xffffffff
v3 -= (v4+tab[i])^(16*v4 + 111)^((v4>>5)+54)
v3 &= 0xffffffff
print(chr(v3&0xff)+chr(v4&0xff),end='')
for i in range(0,26,2):
enc(chk[i],chk[i+1])
#ctfshow{just_a_simple_re}sigin_keys
需要输入8次,每次取个小串(+10)作个加法然后与序号异或,然后跟输入比较,这个居然都是正向而不是逆向的
int __cdecl main(int argc, const char **argv, const char **envp)
{
char *v3; // edi
int v4; // ebx
size_t v5; // eax
char *v6; // eax
char v8[16]; // [esp+10h] [ebp-FCh] BYREF
char v9[16]; // [esp+20h] [ebp-ECh] BYREF
char v10[16]; // [esp+30h] [ebp-DCh] BYREF
char Src[16]; // [esp+40h] [ebp-CCh] BYREF
_DWORD v12[22]; // [esp+50h] [ebp-BCh] BYREF
_DWORD v13[25]; // [esp+A8h] [ebp-64h] BYREF
v3 = ch; // 12/4-.
v4 = 0;
__main();
v12[5] = 0;
v12[4] = 0;
v12[0] = 0x67452301;
v12[1] = 0xEFCDAB89;
v12[2] = 0x98BADCFE;
v12[3] = 0x10325476;
v13[5] = 0;
v13[4] = 0;
v13[0] = 0x67452301;
v13[1] = 0xEFCDAB89;
v13[2] = 0x98BADCFE;
v13[3] = 0x10325476;
puts("input the keys and then I will give you flag:");
while ( 1 )
{
v5 = strlen(v3);
if ( v5 )
{
Src[0] = *v3 - v4;
if ( v5 != 1 )
{
Src[1] = (v3[1] + 1 - v4) ^ 1;
if ( v5 != 2 )
{
Src[2] = (v3[2] + 2 - v4) ^ 2;
if ( v5 != 3 )
{
Src[3] = (v3[3] + 3 - v4) ^ 3;
if ( v5 != 4 )
{
Src[4] = (v3[4] + 4 - v4) ^ 4;
if ( v5 != 5 )
{
Src[5] = (v3[5] + 5 - v4) ^ 5;
if ( v5 != 6 )
{
Src[6] = (v3[6] + 6 - v4) ^ 6;
if ( v5 != 7 )
{
Src[7] = (v3[7] + 7 - v4) ^ 7;
if ( v5 == 9 )
Src[8] = (v3[8] + 8 - v4) ^ 8;
}
}
}
}
}
}
}
v6 = &Src[v5];
}
else
{
v6 = Src;
}
*v6 = 0;
++v4;
MD5Update(v12, Src, strlen(Src));
MD5Final((int)v10, v12);
printf("input the %dth key: ", v4);
scanf("%s", v8);
MD5Update(v13, v8, strlen(v8));
MD5Final((int)v9, v13); // 123456
if ( v9[0] != v10[0]
|| v9[1] != v10[1]
|| v9[2] != v10[2]
|| v9[3] != v10[3]
|| v9[4] != v10[4]
|| v9[5] != v10[5]
|| v9[6] != v10[6]
|| v9[7] != v10[7]
|| v9[8] != v10[8]
|| v9[9] != v10[9]
|| v9[10] != v10[10]
|| v9[11] != v10[11]
|| v9[12] != v10[12]
|| v9[13] != v10[13]
|| v9[14] != v10[14]
|| v9[15] != v10[15] )
{
break;
}
v3 += 10;
if ( v4 == 8 )
{
puts("the keys is right, your flag is: flag{md5(your input)}");
system("pause");
return 0;
}
}
puts("no no no, the key is wrong!");
system("pause");
return 0;
}只需要把给定的串用这个方法处理一下就是输入内容,然后md5即可
flag = []
b = [b'12/4-.', b'745.30', b'cdaf_`', b'42764/', b'uyirp{', b'fvigdm', b'\x80~exhl', b'xzv{zbf']
for v4,ch in enumerate(b):
flag += [(v+i-v4)^i for i,v in enumerate( ch )]
print(bytes(flag))
from hashlib import md5
print(md5(bytes(flag)).hexdigest())
#123456654321abcdef114514qwertyasdfghzxcvbnqustsec
#61970f40f232b7d9dd1f0da5be56a124
#ctfshow{61970f40f232b7d9dd1f0da5be56a124}逆向签到
这个真是个签到ida打开就看到了,两段拼一起
int __cdecl main(int argc, const char **argv, const char **envp)
{
__int64 v4[2]; // [rsp+10h] [rbp-50h] BYREF
char v5[24]; // [rsp+20h] [rbp-40h] BYREF
char v6[24]; // [rsp+40h] [rbp-20h] BYREF
unsigned __int64 v7; // [rsp+58h] [rbp-8h]
v7 = __readfsqword(0x28u);
v4[1] = 1865817980LL;
v4[0] = 0LL;
strcpy(v5, "cfhwcfhwja_igi_o}");
strcpy(v6, "tso{tso_unkn_syu}");
puts(&s);
__isoc99_scanf(&unk_917, v4);
puts(&byte_920);
return 0;
}
#ctfshow{tcfshow_juan_king_is_you}
