re
查壳发现是upx
用upx工具脱壳
进入IDA看到
这题简单a1就是flag,附上脚本
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31def calculate_a1_to_string():
# 定义所有的乘数和期望结果
multipliers = [1629056, 6771600, 3682944, 10431000, 3977328, 5138336, None,
7532250, 5551632, 3409728, 13013670, 6088797, 7884663, 8944053,
5198490, 4544518, 10115280, 3645600, 9667504, 5364450,
13464540, 5488432, 14479500, 6451830, 6252576, 7763364,
7327320, 8741520, 8871876, 4086720, 9374400, 5759124]
results = [166163712, 731332800, 357245568, 1074393000, 489211344, 518971936,
None, 406741500, 294236496, 177305856, 650683500, 298351053,
386348487, 438258597, 249527520, 445362764, 981182160, 174988800,
493042704, 257493600, 767478780, 312840624, 1404511500, 316139670,
619005024, 372641472, 373693320, 498266640, 452465676, 208422720,
515592000, 719890500]
a1 = []
for i in range(len(multipliers)):
if multipliers[i] is None: # 对于a1[6],我们不知道具体的乘数,所以这里可以随意设置一个值或者保持为None
a1.append('?') # 在此位置添加一个占位符
else:
value = results[i] // multipliers[i] # 计算出正确的a1[i]值
try:
char = chr(value) # 将数值转换为对应的字符
except ValueError:
char = '?' # 如果值不在有效的ASCII范围内,则使用'?'作为占位符
a1.append(char)
# 将数组转换为字符串格式
return ''.join(a1)
print(calculate_a1_to_string())由于a1[6]不知道先设成’?’,在一个个试,最后试出来是1
得到flag
1
flag{e165421110ba03099a1c039337}