這比賽惟一的一道Re😊
exe,看字符串
找到主函數
看到判斷的地方爲loc_404600,去看一下code
像是SMC,找修改404600處的函數
此處用到了loc_404600,找到這個函數爲v8
這裏將loc_404600處的字節與字符串mnbv循環異或
寫個腳本處理下
#include <idc.idc>
// Undo the self-modifying-code layer: XOR `size` bytes starting at `from`
// with the repeating four-byte key 0x6D 0x6E 0x62 0x76 (ASCII "mnbv").
// PatchByte writes into the IDA database, so the disassembly can be
// re-analysed afterwards; the file on disk is not touched.
//   from - address of the first encrypted byte
//   size - number of bytes to decrypt
static decrypt(from, size)
{
    auto idx, slot, key;

    for (idx = 0; idx != size; idx = idx + 1) {
        // The key byte is chosen by the offset from the start, not by the address.
        slot = idx % 4;
        if (slot == 0)
            key = 0x6D;
        else if (slot == 1)
            key = 0x6E;
        else if (slot == 2)
            key = 0x62;
        else
            key = 0x76;

        PatchByte(from + idx, Byte(from + idx) ^ key);
    }

    Message("\n" + "Decrypt Complete\n");
}
// Decrypt 0x260 bytes starting at 0x00404600, i.e. loc_404600 from the analysis above.
// NOTE(review): when loaded as a script file, IDC normally expects this call inside
// static main() -- confirm for the IDA version in use.
decrypt(0x00404600,0x260);
修改後重新分析並建立函數,獲得解密後的函數
看check
對輸入的前16位進行轉換使之等於「66733~6775」
光看ida分析這段實在是太難了,結合ollydbg分析,邏輯是將前十六個輸入循環的與greatctf異或後平方再乘12345679
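import math

# Inverse of the first check. Per the analysis above, the program XORs the
# first 16 input characters cyclically with "greatctf", squares the result and
# multiplies it by 12345679; the product has to equal `target`.
target = 667339003789000121539302795007135856775
a = target // 12345679

# Use an exact integer square root. `a` has about 32 decimal digits, well past
# the 53-bit mantissa of a float, so pow(a, 0.5) may round the low digits and
# silently corrupt the last characters of the recovered input.
b = math.isqrt(a)
if b * b * 12345679 != target:
    # Sanity check on the recovered constants; a mismatch means the digits
    # below should not be trusted.
    print('warning: target is not 12345679 times a perfect square')

# The decimal digits of the root are the XORed input characters.
c = str(b)
key = 'greatctf'
flag = ''.join(chr(ord(c[i]) ^ ord(key[i % 8])) for i in range(16))
print(flag)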
再看check2
先搞隨機數,再解四元一次方程
#include<stdlib.h> #include<stdio.h>
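/*
 * Reproduce the four pseudo-random values used by the second check, drawn
 * from the fixed seed 0xbc6146 in the order v15, v8, v13, v14.
 *
 * The sequence produced by rand() is implementation-defined: the same seed
 * gives different numbers under a different C runtime. Build and run this
 * with the runtime the target binary uses, otherwise the values will not
 * match what the program computes.
 */
int main(void)
{
    int v15, v8, v13, v14;

    srand(0xbc6146);

    /* The draw order matters: each rand() call advances the generator. */
    v15 = rand() % 360;
    v8 = rand() % 360;
    v13 = rand() % 360;
    v14 = rand() % 360;

    /* Labels now match the variable names (the original printed "v5" and "V13"). */
    printf("v15=%x,v8=%x,v13=%x,v14=%x\n", v15, v8, v13, v14);
    return 0;
}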
在這我出了個小錯誤:我最開始是在Linux裏跑的,結果隨機數與程序裏不同——rand()的序列取決於C運行庫的實現,同一個種子在不同運行庫下會產生不同的結果,所以要在與目標程序相同的環境下編譯運行(🍑
from z3 import *


def hex_str(x):
    """Decode a string of hex digits into text, one character per digit pair.

    A trailing unpaired digit is ignored.
    """
    pair_count = len(x) // 2
    return ''.join(chr(int(x[2 * k:2 * k + 2], 16)) for k in range(pair_count))


# The second check expressed as four linear equations over four integer
# unknowns; the constants are the ones recovered in the analysis above.
solver = Solver()
x = [Int('x%d' % i) for i in range(4)]
solver.add(x[0] + 3 * x[3] - 1000 * 2 == 0x1A06491E7)
solver.add(x[2] * 0xc0 - x[3] * 0xb == 0x244BFD2B9C)
solver.add(2 * (x[1] + 0x37a) + x[2] * 0x1f == 0x71CE119D5)
solver.add(x[1] * 0x1f * 136 - 0xc0 * x[0] == 0x431E9A36840)

if solver.check() == sat:
    for unknown in x:
        digits = hex(solver.model()[unknown].as_long())[2:]
        # Each value is printed as text with its characters reversed
        # (presumably because the input is read as little-endian words -- confirm).
        print(hex_str(digits)[::-1])
輸出
simp
0CTF
__36
leRe
順序修改一下就能夠了