[网鼎杯 2020 青龙组]jocker

开始网鼎杯的jocker学习

1

修复sp

2

3

4

可是encrypt函数还是进不去

5

这是个 SMC 动态调试解密函数：进入函数后，从 text:00401500 的定义头到 endp 进行 u(undefine)，再在定义头按 p 重新定义函数。

/*
 * Decompiled listing of the SMC-unpacked check routine.
 * Each input byte is XORed with the same index of the global `Buffer` and
 * compared with the 19 expected values copied from `unk_403040`; the first
 * mismatch prints "wrong ~" and exits, a full match prints "come here".
 *
 * NOTE(review): the function is declared __noreturn, yet the visible body
 * falls through to puts("come here") and returns normally -- the attribute
 * looks like a decompiler artefact rather than a property of the code.
 */
void __cdecl __noreturn encrypt(char *a1)
{
int v1[19]; // [esp+1Ch] [ebp-6Ch] BYREF  -- expected values; typed int[19] here, but the solve script on this page treats unk_403040 as 19 single bytes (verify against the disassembly)
int v2; // [esp+68h] [ebp-20h]  -- written twice, never read (dead store)
int i; // [esp+6Ch] [ebp-1Ch]

v2 = 1;
qmemcpy(v1, &unk_403040, sizeof(v1)); // sizeof(v1) follows the int[19] typing above
for ( i = 0; i <= 18; ++i ) // exactly 19 bytes of a1 / Buffer are checked
{
if ( (char)(a1[i] ^ Buffer[i]) != v1[i] ) // XOR is self-inverse: a1[i] must equal v1[i] ^ Buffer[i]
{
puts("wrong ~");
v2 = 0; // never observed: exit() follows immediately
exit(0);
}
}
puts("come here");
}

得到加密函数

# Expected values that encrypt() copies into v1: the 19 bytes at unk_403040.
unk_403040 = [
    0x0E, 0x0D, 0x09,
    0x06, 0x13,
    0x05, 0x58, 0x56,
    0x3E, 0x06,
    0x0C, 0x3C, 0x1F,
    0x57, 0x14,
    0x6B, 0x57, 0x59,
    0x0D,
]

# The XOR key: contents of the global `Buffer` in the binary.
buffer_str = 'hahahaha_do_you_find_me?'

# Recover the input. encrypt() requires a1[i] ^ Buffer[i] == v1[i] and XOR is
# self-inverse, so a1[i] = v1[i] ^ Buffer[i]. zip() stops at the shorter
# sequence, so only the first len(unk_403040) key bytes are consumed.
decrypted = ''.join(
    chr(expected ^ ord(key_char))
    for expected, key_char in zip(unk_403040, buffer_str)
)

print("Decrypted string:", decrypted)
# Decrypted string: flag{d07abccf8a410c

得到了一半 flag。我们刚刚分析的时候有个 finally 函数，进去看看。

/*
 * Decompiled listing of the routine meant to print the last part of the flag.
 * The 5-byte ciphertext "%tp&:" is copied onto the stack, the tail of v4 is
 * zeroed, and a single-byte comparison is matched against a time-seeded
 * random number before anything is printed.
 *
 * Why running it does not yield the output:
 *  - strcpy() of a 5-character literal leaves v4[5] == 0, so the index used on
 *    both sides of the comparison is 0 and the check reduces to
 *    (v4[0] != a1[0]) == v5. That boolean is 0 or 1, while v5 = rand() % 100
 *    is seeded from time(0), so the first branch is taken only on runs where
 *    v5 happens to equal that boolean.
 *  - Time is never assigned in this listing before being passed to puts(),
 *    so the "success" branch prints through an indeterminate stack pointer
 *    (undefined behaviour), not a decrypted string. The XOR key is therefore
 *    recovered offline from the known trailing '}' instead.
 */
int __cdecl finally(char *a1)
{
unsigned int v1; // eax  -- time(0), used only as the PRNG seed
__time32_t *Time; // [esp+0h] [ebp-28h]  -- never initialised in this listing
char v4[9]; // [esp+13h] [ebp-15h] BYREF  -- ciphertext "%tp&:" followed by a zeroed tail
int v5; // [esp+1Ch] [ebp-Ch]  -- rand() % 100

strcpy(v4, "%tp&:"); // writes 6 bytes: v4[0..4] = ciphertext, v4[5] = 0
v1 = time(0);
srand(v1);
v5 = rand() % 100;
v4[6] = 0;
*(_WORD *)&v4[7] = 0; // zero v4[7..8]; all 9 bytes of v4 are now initialised
if ( (v4[(unsigned __int8)v4[5]] != a1[(unsigned __int8)v4[5]]) == v5 ) // v4[5] == 0, so this compares v4[0] with a1[0]
return puts((const char *)Time); // Time is indeterminate here
else
return puts("I hide the last part, you will not succeed!!!");
}

根据 flag 最后一个字符 ‘}’ 猜测异或密钥

# Ciphertext that finally() places in its stack buffer v4 via strcpy(v4, "%tp&:").
encrypted = "%tp&:"
# The flag ends in '}', so the last ciphertext byte must decrypt to it.
known_plaintext = '}'
known_ciphertext = encrypted[-1]  # ':'

# A single-byte XOR key is fully determined by one plaintext/ciphertext pair.
key = ord(known_ciphertext) ^ ord(known_plaintext)
print(f"找到密钥: {key}")

# Apply the recovered key to every byte of the ciphertext.
plain_chars = [chr(ord(ch) ^ key) for ch in encrypted]
decrypted = ''.join(plain_chars)
print(f"解密后的字符串: {decrypted}")
# 找到密钥: 71
# 解密后的字符串: b37a}
flag{d07abccf8a410cb37a}