霍雅
追求源于热爱,极致源于梦想!
宁波市第八届网络安全大赛 reverse wp
08/17
没报名,忘了报名,薅了别人的题目 只做了re
re1
检查长度
等于40进入下一步
看下面
判断flag的地址等不等于cipher
中间这一大串就是对flag操作
但是是混淆的写法,类似于
flag[i]+x
flag[i]^60
这种
都是flag字符串的地址
有几个是多余的
只需要截取flag+40的操作
然后逆向还原上去,
这种傻逼题建议直接丢给ai
# recover_flag.py
# Run: python3 recover_flag.py
BASE = 0x897040 # flag 起始地址
L = 0x28 # 比较长度:40 bytes
# ========== 你最初给的 _cipher[](程序比较时的目标 40 bytes) ==========
cipher_final = [
0x7F, 0x11, 0x4A, 0x9D, 0xA5, 0xD5, 0x99, 0x9F, 0xAC, 0xD3,
0xD4, 0xBC, 0x1A, 0x53, 0x46, 0xF4, 0xE7, 0x37, 0x03, 0x60,
0x17, 0xBA, 0x67, 0xAC, 0x09, 0xDA, 0xA0, 0xFB, 0x2D, 0x8E,
0xCB, 0x11, 0x02, 0xC4, 0x17, 0xF7, 0x1B, 0x8F, 0x67, 0x52
]
assert len(cipher_final) == L
# ========== 反编译里按原始顺序列出的操作(正向) ==========
# 我把所有在反编译中对 byte_8970xx 或 flag 的修改都列在这里(按你最初贴出的顺序)
# 类型: ("add"/"sub"/"xor"/"inc"/"dec", address, value_or_None)
ops = [
("sub", 0x89704D, 120),
("xor", 0x897070, 0x4F),
("sub", 0x897055, 30),
("sub", 0x897064, 93),
("add", 0x897048, 95),
("add", 0x89704A, 103),
("xor", 0x89705C, 0x82),
("add", 0x897069, 52),
("xor", 0x89705E, 3),
("add", 0x897041, 71),
("xor", 0x897076, 0xE0),
("sub", 0x89706D, 44),
("sub", 0x897044, 127),
("sub", 0x897075, 71),
("xor", 0x897060, 0xAA),
("sub", 0x89704E, 119),
("xor", 0x897062, 0x0A),
("sub", 0x89707D, 48),
("add", 0x897075, 55),
("add", 0x89705B, 111),
("xor", 0x89706E, 0x32),
("sub", 0x89706C, 92),
("xor", 0x89705F, 0x29),
("add", 0x897041, 79),
("add", 0x89704A, 58),
("sub", 0x897062, 17),
("add", 0x89705A, 123),
("sub", 0x897075, 100),
("sub", 0x89705C, 64),
("sub", 0x897056, 89),
("xor", 0x897070, 0x73),
("xor", 0x897062, 0x61),
("add", 0x89706E, 118),
("add", 0x897062, 41),
("add", 0x897070, 78),
("sub", 0x897055, 11),
("xor", 0x89704F, 0x5E),
("xor", 0x897070, 0xB2),
("sub", 0x897066, 66),
("xor", 0x897046, 0xEC),
("xor", 0x897062, 0xD1),
("sub", 0x897046, 99),
("sub", 0x897069, 49),
("add", 0x897046, 32),
("add", 0x897066, 61),
("xor", 0x897042, 0x42),
("sub", 0x897055, 109),
("add", 0x897070, 14),
("sub", 0x89707B, 52),
("sub", 0x89706E, 94),
("add", 0x897074, 57),
("sub", 0x89705D, 30),
("sub", 0x89705E, 107),
("add", 0x897048, 55),
("sub", 0x89704C, 27),
("sub", 0x89706F, 88),
("sub", 0x89707A, 105),
# flag += 25 -> interpret as affecting flag[0] (addr BASE)
("add", BASE, 25),
("add", 0x89704C, 73),
("sub", 0x89706F, 80),
("add", 0x897070, 125),
("sub", 0x89706E, 44),
("add", 0x89707A, 11),
("xor", 0x897068, 0x57),
("add", 0x897062, 117),
("add", 0x897056, 92),
("xor", 0x89705B, 0x7A),
("add", 0x897043, 33),
("xor", 0x897045, 0xC3),
("add", 0x89705E, 19),
("sub", 0x897064, 46),
("sub", 0x897065, 45),
("xor", 0x897067, 0xB0),
("sub", 0x89704F, 69),
("xor", 0x897061, 0xDC),
("add", 0x897046, 69),
("add", 0x89707E, 116),
("xor", 0x89704B, 0x22),
("xor", 0x897063, 0x7E),
("add", 0x897054, 18),
("sub", 0x897072, 11),
("xor", 0x89704E, 5),
("add", 0x89706E, 58),
("add", 0x897048, 44),
("xor", 0x89706D, 0xE4),
("sub", 0x897068, 30),
("add", 0x897063, 96),
("sub", 0x897047, 49),
("add", 0x897062, 83),
("add", 0x89707A, 53),
("xor", 0x89706A, 0x21),
("add", 0x89707C, 49),
("add", 0x89705B, 11),
("sub", 0x897070, 105),
("sub", 0x897063, 47),
("sub", 0x897073, 67),
("add", 0x897047, 94),
("add", 0x89707E, 78),
("sub", 0x89704F, 96),
("xor", 0x89707A, 0xD3),
("add", 0x897043, 115),
("sub", 0x89705E, 127),
("sub", 0x89707A, 86),
("add", 0x897074, 32),
("xor", 0x897067, 0x5C),
("sub", 0x897049, 64),
("xor", 0x89706B, 0x8E),
("add", 0x89707E, 121),
("sub", 0x897054, 98),
("xor", 0x897074, 0x22),
("sub", 0x89704F, 12),
("xor", 0x897045, 0x2D),
("sub", 0x89707C, 44),
("sub", 0x89704D, 74),
("xor", 0x897061, 0x82),
("xor", 0x897068, 0xED),
("xor", 0x897071, 0xBE),
("add", 0x897077, 4),
("sub", 0x89705E, 120),
("add", 0x89704B, 67),
("sub", 0x897072, 52),
("xor", 0x897042, 0x87),
("sub", 0x897067, 38),
("xor", 0x89707B, 0xFA),
("add", 0x897072, 90),
("sub", 0x89706E, 9),
("xor", 0x897077, 0x2F),
("add", 0x897049, 83),
("xor", 0x89706B, 0xD6),
("sub", 0x897062, 6),
("sub", 0x897048, 119),
("sub", 0x897061, 118),
("sub", 0x897062, 75),
("sub", 0x897068, 52),
# flag -= 108
("sub", BASE, 108),
("add", 0x89706A, 28),
("xor", 0x89707C, 0x4C),
("xor", 0x89706C, 0x4A),
("xor", 0x897061, 0xFD),
("add", 0x897063, 125),
("xor", 0x897041, 0x6C),
("add", 0x897075, 25),
("sub", 0x897071, 7),
("sub", 0x89707D, 119),
("sub", 0x89706F, 16),
("add", 0x897064, 53),
("xor", 0x897066, 0x56),
("xor", 0x897042, 0xF2),
("add", 0x89706B, 115),
("sub", 0x897055, 37),
("sub", 0x897072, 51),
("sub", 0x897041, 107),
("sub", 0x89704F, 116),
("add", 0x89705C, 46),
("sub", 0x897065, 67),
("add", 0x89704C, 113),
("add", 0x897061, 114),
("add", 0x89704E, 69),
("add", 0x897060, 99),
("xor", 0x897064, 0x88),
("sub", 0x897079, 37),
("xor", 0x89705E, 0x76),
("add", 0x897070, 95),
("add", 0x89707A, 51),
("xor", 0x897074, 0xD3),
("sub", 0x89704F, 86),
# flag -= 6
("sub", BASE, 6),
("sub", 0x89707C, 8),
("xor", 0x897071, 0x30),
("add", 0x89705B, 29),
("add", 0x897070, 65),
("xor", 0x89705D, 0xEE),
("sub", 0x897047, 31),
("sub", 0x897061, 16),
("add", 0x897071, 9),
("sub", 0x897064, 46),
("xor", 0x897049, 0xDE),
("xor", 0x897054, 0x6D),
("sub", 0x897065, 91),
("add", 0x897077, 119),
("sub", 0x89707D, 8),
# --byte_897061 (decrement)
("dec", 0x897061, None),
("add", 0x897075, 124),
("add", 0x897068, 3),
("sub", 0x897059, 22),
("xor", 0x897060, 0xD3),
("xor", 0x897072, 0xA4),
# flag ^= 0xA8
("xor", BASE, 0xA8),
("add", 0x89707F, 50),
("xor", 0x89707E, 0x4D),
("add", 0x897070, 60),
("add", 0x89704B, 49),
("add", 0x89707B, 3),
("sub", 0x89706A, 20),
("sub", 0x897060, 38),
("sub", 0x897063, 2),
("sub", 0x89707B, 108),
("sub", 0x89707E, 71),
("add", 0x89706E, 111),
# flag ^= 0xD9
("xor", BASE, 0xD9),
("add", 0x89704E, 76),
("xor", 0x89706F, 0xF6),
("add", 0x89705B, 26),
# flag -= 27
("sub", BASE, 27),
("sub", 0x897060, 80),
("sub", 0x897078, 27),
("add", 0x89705B, 7),
("inc", 0x897073, None),
("xor", 0x897075, 0xDD),
("sub", 0x897043, 127),
("add", 0x897072, 116),
("sub", 0x897069, 70),
("xor", 0x897065, 0x9B),
("sub", 0x897059, 34),
("sub", 0x89704B, 127),
("xor", 0x89707F, 0x0B),
("sub", 0x897058, 65),
("xor", 0x89704B, 0x83),
("xor", 0x897059, 0xB6),
("sub", 0x897067, 25),
("sub", 0x897042, 94),
("xor", 0x897061, 0x7E),
("sub", 0x897072, 69),
("sub", 0x897077, 72),
("xor", 0x897060, 0xF7),
("sub", 0x897043, 11),
("xor", 0x897069, 0x64),
("xor", 0x897075, 0x0E),
("sub", 0x897073, 111),
("xor", 0x897065, 0x7A),
("sub", 0x89706B, 7),
("add", 0x897060, 103),
("xor", 0x89707D, 0xF4),
("add", 0x897077, 16),
("xor", 0x89705C, 0x89),
("sub", 0x897041, 20),
("xor", 0x89707A, 0x3F),
("sub", 0x89704D, 31),
("add", 0x897073, 98),
("sub", 0x897073, 5),
("sub", 0x897061, 30),
("add", 0x89704C, 73),
("sub", 0x897054, 6),
("xor", 0x897071, 0x56),
("xor", 0x89705B, 3),
("sub", 0x897055, 119),
("add", 0x89706D, 37),
("add", 0x89705E, 4),
("sub", 0x897044, 48),
("xor", 0x897076, 0xF4),
("xor", 0x897053, 0x10),
("xor", 0x897059, 0x47),
("xor", 0x897060, 0xE2),
("sub", 0x89704E, 16),
("xor", 0x89705E, 0xD2),
("add", 0x897042, 70),
("sub", 0x897060, 91),
("xor", 0x897041, 0x12),
("sub", 0x897042, 81),
("add", 0x897047, 92),
("sub", 0x897055, 77),
("xor", 0x89705D, 0x7D),
("xor", 0x897070, 0x4A),
("sub", 0x897074, 25),
("sub", 0x897074, 127),
("add", 0x89704B, 121),
("add", 0x89706C, 64),
("xor", 0x89707A, 0x58),
("sub", 0x89704B, 123),
("add", 0x897078, 42),
("sub", 0x897071, 89),
("xor", 0x89707E, 0x99),
("sub", 0x897043, 6),
("xor", 0x897045, 0x7D),
("sub", 0x897042, 14),
("add", 0x897064, 96),
("add", 0x897058, 26),
("add", 0x89706E, 54),
("sub", 0x897052, 86),
("xor", 0x89705D, 0x4E),
("sub", 0x897055, 15),
("sub", 0x897078, 32),
("add", 0x897057, 75),
("add", 0x89706E, 66),
("add", 0x897053, 101),
("sub", 0x89705E, 59),
("xor", 0x89706B, 0xFA),
("add", 0x897042, 93),
("sub", 0x897073, 123),
("add", 0x89707C, 31),
("xor", 0x897064, 0xA2),
("sub", 0x897073, 32),
("xor", 0x89705A, 0x11),
("add", 0x89707D, 121),
("sub", 0x897074, 99),
("xor", 0x897054, 0x68),
("sub", 0x89706D, 75),
("sub", 0x897041, 117),
("add", 0x897043, 92),
("add", 0x897041, 88),
("sub", 0x89704D, 4),
("xor", 0x897052, 0x43),
("add", 0x89704B, 8),
("sub", 0x89706A, 82),
("add", 0x897055, 56),
("add", 0x897049, 43),
("xor", 0x897075, 0xD1),
("xor", 0x89705D, 0x1B),
("sub", 0x897052, 74),
("sub", 0x89707B, 104),
("sub", 0x897073, 6),
("sub", 0x897053, 120),
("sub", 0x897043, 6),
("sub", 0x897069, 2),
("xor", 0x89705E, 0xFE),
("xor", 0x89707E, 0x45),
("add", 0x897052, 5),
("xor", 0x897068, 0x36),
("sub", 0x897051, 42),
("xor", 0x897050, 0xD6)
]
# ===================================================================
# Apply inverse operations to cipher_final to recover original input.
# We only care about the first L bytes: addresses BASE .. BASE+L-1
# Inverse rules:
# - original ("add", addr, v) => inverse is sub v
# - original ("sub", addr, v) => inverse is add v
# - original ("xor", addr, v) => inverse is xor v (self-inverse)
# - original ("inc", addr) => inverse is dec
# - original ("dec", addr) => inverse is inc
# ===================================================================
def u8(x): return x & 0xFF
# copy to mutable list
recovered = cipher_final[:] # represents modified-flag bytes (memcmp target)
# process ops in reverse order
for typ, addr, val in reversed(ops):
# only affect bytes that are within the compared flag range
if addr < BASE or addr >= BASE + L:
continue
idx = addr - BASE
if typ == "add":
# original did flag[idx] += val -> inverse: subtract
recovered[idx] = u8(recovered[idx] - (val & 0xFF))
elif typ == "sub":
# original did flag[idx] -= val -> inverse: add
recovered[idx] = u8(recovered[idx] + (val & 0xFF))
elif typ == "xor":
# xor is self-inverse
recovered[idx] = u8(recovered[idx] ^ (val & 0xFF))
elif typ == "inc":
# original ++ -> inverse: decrement
recovered[idx] = u8(recovered[idx] - 1)
elif typ == "dec":
# original -- -> inverse: increment
recovered[idx] = u8(recovered[idx] + 1)
else:
raise RuntimeError("unknown op")
# print results
print("Recovered bytes (hex):")
print(' '.join(f"{b:02x}" for b in recovered))
# Attempt to show ASCII if printable
try:
s = bytes(recovered).decode('ascii')
printable = all(32 <= c < 127 for c in recovered)
print()
if printable:
print("Recovered ASCII:")
print(s)
else:
print("Recovered ASCII (non-printable may exist):")
print(s)
except Exception:
print("\nRecovered as latin1:")
print(bytes(recovered).decode('latin1'))
re2
aes
key=58453eec4d16ae234a10b597dfe1f6a6
enc
from Crypto.Cipher import AES
key = b"58453eec4d16ae234a10b597dfe1f6a6"
buf2 = bytes([
0x29, 0x70, 0x8F, 0x19, 0x80, 0xCC, 0xE4, 0x0F, 0x46, 0xAB,
0xAC, 0x14, 0x8D, 0x48, 0x8C, 0xA8, 0x37, 0x16, 0xFE, 0x1D,
0x39, 0x72, 0x02, 0x79, 0x7B, 0x19, 0x99, 0x16, 0x62, 0x65,
0x62, 0x3E, 0x8F, 0x76, 0x12, 0x85, 0xCB, 0x28, 0xE2, 0x56,
0xB3, 0x81, 0x16, 0x77, 0x61, 0xE4, 0x10, 0x94
])
cipher = AES.new(key, AES.MODE_ECB)
plaintext = cipher.decrypt(buf2)
flag = plaintext.rstrip(b"\x00")
print("解密结果:", flag.decode())