• 还是太菜了……..
  • 这周看看把其他题也复现了

Ez Machine

先理解一下每个function,对其重命名

image-20200524201543794

然后对这里直接下断,获取每次的运行的函数

image-20200524201634041

接着可以理解一下流程并调试可知

虚拟机对输入的字符进行了3个判断,小写字母,大写字母和其他字符。小写字母异或0x47 + 1, 大写字母异或0x4b - 1。然后所有字符都会去除16求商求余

接着进行求解:

s = [  0x02, 0x02, 0x0C, 0x02, 0x07, 0x02, 0x01, 0x02, 0x0B, 0x07, 
0x01, 0x03, 0x02, 0x03, 0x03, 0x03, 0x04, 0x03, 0x05, 0x03,
0x06, 0x03, 0x07, 0x03, 0x08, 0x03, 0x09, 0x03, 0x01, 0x03,
0x02, 0x03, 0x0D, 0x07, 0x07, 0x0D, 0x00, 0x05, 0x01, 0x0C,
0x01, 0x00, 0x00, 0x0D, 0x05, 0x0F, 0x00, 0x09, 0x05, 0x0F,
0x03, 0x00, 0x02, 0x05, 0x03, 0x03, 0x01, 0x07, 0x07, 0x0B,
0x02, 0x01, 0x02, 0x07, 0x02, 0x0C, 0x02, 0x02]

s = s[::-1]
s = s[:34]

xor_num1 = 0x47
xor_num2 = 0x4B
add_one = 0x1
sub_one = 0x1

new_s = []

for i in range(0, 17):
t = s[i * 2 + 1] * 0x10
new_s.append(t + s[i * 2])

print(new_s)
print(len(new_s))

flag = ""

small_num = []

for i in range(26):
small_num.append(((ord('a') + i) ^ xor_num1) + 1)

big_num = []
for i in range(26):
big_num.append(((ord('A') + i) ^ xor_num2) - 1)

for i in new_s:
if i in small_num:
flag += chr((i - 1) ^ xor_num1)
elif i in big_num:
flag += chr((i + 1) ^ xor_num2)
else:
print(i)
flag += chr(i)

print(flag)
print(len(flag))
  • 其中s在动态运行的过程中直接dump

Check_1n

开机密码HelloWorld

if ( a1 == 3 && dword_1B6CC08 == 1 && !dword_1C7672C )
{
if ( !strcmp(aHelloworld, byte_1C76740) )
{
sub_401005();
dword_1B6CC08 = 0;
dword_1B379B8 = 0;
byte_1C76740[0] = 0;
}

在字符串中获得提示Base64解密得去玩打砖游戏,直接死亡就能看到flag了(主要是一开始不知道怎么操作…..然后就死了

1

BabyDriver

主逻辑在0x0000000140001380, 很明显是个迷宫题,迷宫大小为16 * 14, 然而在这里卡了很久,因为不知道驱动获得的是键盘扫描码所以卡住了……..

迷宫:

****************
o.*..*......*..*
*.**...**.*.*.**
*.****.**.*.*.**
*...**....*.*.**
***..***.**.*..*
*.**.***.**.**.*
*.**.******.**.*
*.**....***.**.*
*.*****.***....*
*...***.********
**..***......#**
**.*************
****************

键盘扫描码对应:

image-20200524224403948

其实就是WASD控制上下左右

然后直接走迷宫就完事儿了,解密脚本如下:

import hashlib
path = b"DSSSDDSDSSSDDDSSSDDDDDD"

print(path)

print("flag{" + hashlib.md5(path).hexdigest().lower() + "}")

Chellys_identity

image-20200524224403948

首先是输入,然后检查输入长度是否为16,然后对字符串进行操作,然后进行校验

重点在字符串操作那块

首先是取值i,i的范围是0-v8, v8一开始是0,通过下面的v9语句进行自增,也就是说这个i 的范围是从数组的v12从0开始到判断条件结束的值

sub_41325函数主要是返回数组的内容

而判断条件*i < *v11,也就是说,把v12数组中小于v11地址处的值的值取出来,累加到v9, 然后和v11异或保存。而v11就是我们输入的字符串。

接着来看v12数组的值是这么来的

memset_v12函数当然是将v12数组置零

重点看看get_v12函数:

判断一个条件,然后把这个数存入v12数组, 接下来看看check_if函数

如果是质数,那么保存。如此一来我们就可以知道,整个算法是将1-128的质数保存在数组,然后依次遍历每个flag的字符,将比字符小的质数累加的和与该字符异或,最后对比

v11[0] = 438;
v11[1] = 1176;
v11[2] = 1089;
v11[3] = 0x179;
v11[4] = 377;
v11[5] = 1600;
v11[6] = 924;
v11[7] = 377;
v11[8] = 1610;
v11[9] = 924;
v11[10] = 637;
v11[11] = 639;
v11[12] = 376;
v11[13] = 566;
v11[14] = 836;
v11[15] = 830;
v2 = sub_413A2(&v15);
v3 = (_DWORD *)sub_41519(v11, &v12);
sub_4155F(*v3, v3[1], v2);
for ( i = 0; ; ++i )
{
v4 = sub_411D6(a2, a1);
if ( i >= v4 )
break;
v5 = (_DWORD *)sub_41325(a2, a1, i);
if ( *v5 != *(_DWORD *)sub_41325((int)&v17, a1, i) )
{
v14 = 0;
v7 = sub_414D3((int)&v17);
LOBYTE(v7) = v14;
goto LABEL_7;
}
}

解密脚本:

res = [0x000001B6, 0x00000498, 0x00000441, 0x00000179, 0x00000179, 0x00000640, 0x0000039C, 0x00000179, 0x0000064A, 0x0000039C, 0x0000027D, 0x0000027F, 0x00000178, 0x00000236, 0x00000344, 0x0000033E]
fib = [0x00000002, 0x00000003, 0x00000005, 0x00000007, 0x0000000B, 0x0000000D, 0x00000011, 0x00000013, 0x00000017, 0x0000001D, 0x0000001F, 0x00000025, 0x00000029, 0x0000002B, 0x0000002F, 0x00000035, 0x0000003B, 0x0000003D, 0x00000043, 0x00000047, 0x00000049, 0x0000004F, 0x00000053, 0x00000059, 0x00000061, 0x00000065, 0x00000067, 0x0000006B, 0x0000006D, 0x00000071, 0x0000007F]
dic = {}
def get_map(a):
s = 0
for i in fib:
if i<a:
s+=i
return s^a
# print(hex(get_map(ord('f'))))
for i in range(127):
dic[get_map(i)] = chr(i)
print(dic)
s = ""
for i in res:
s+=dic[i]
print(s)

flag:Che11y_1s_EG0IST