霍雅
Passion drives the pursuit, dreams drive perfection!
I didn't play this one; I just grabbed the challenges afterwards.
Sign-in challenge
Manually step past the anti-debugging.
v5 holds a function's return value, eax = 0x0685EE20. Its low half (0xEE20) is XORed into each 16-bit word of the input and its high half (0x0685) is added, so decryption is XOR then subtract.
Invert that transform and you have the flag.
The ciphertext:
BUF1 = bytes([
    0xE9, 0xA9, 0xF8, 0xA7, 0xF9, 0xA2, 0x20, 0xD6, 0x9A, 0xD6,
    0xC8, 0xD9, 0x99, 0xD3, 0xCB, 0x85, 0x9B, 0xD2, 0xC7, 0xD5,
    0x96, 0x84, 0xC9, 0xD4, 0x9A, 0xD8, 0xCA, 0xD7, 0x9C, 0xD5,
    0xC8, 0x85, 0x97, 0xD5, 0x9E, 0x85, 0x9C, 0xD4, 0xCA, 0x6D,
])

def words_from_bytes_le(b):
    # Split the buffer into little-endian 16-bit words
    return [b[i] | (b[i + 1] << 8) for i in range(0, len(b), 2)]

def recover_flag_from_v5(v5):
    # Forward transform per word: ((p + hi) & 0xFFFF) ^ low,
    # so undo it by XORing low back out and subtracting hi.
    low = v5 & 0xFFFF
    hi = (v5 >> 16) & 0xFFFF
    words = words_from_bytes_le(BUF1)
    out = bytearray()
    for w in words:
        orig = ((w ^ low) - hi) & 0xFFFF
        out.append(orig & 0xFF)
        out.append((orig >> 8) & 0xFF)
    return bytes(out)

if __name__ == "__main__":
    v5 = 0x0685EE20   # eax observed under the debugger
    recovered = recover_flag_from_v5(v5)
    print(recovered.decode('utf-8'))
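If the anti-debugging cannot be stepped past to read eax, the same two halves of v5 can be recovered from the known flag prefix alone. This is an added example, not the writeup's own script. It assumes the per-word scheme that the solve script above inverts (ciphertext word = ((p + hi) & 0xFFFF) ^ low, with v5 = (hi << 16) | low); the function names and the printable-ASCII filter are mine.

```python
# Added example (not from the original writeup): known-plaintext recovery of
# the two 16-bit halves of v5 from the flag prefix "DASCTF{", without reading
# eax under a debugger. Assumes the per-word scheme the solve script inverts:
# ciphertext word w = ((p + hi) & 0xFFFF) ^ low, and v5 == (hi << 16) | low.

# Ciphertext of the sign-in challenge, copied from the writeup (BUF1).
CIPHERTEXT = bytes([
    0xE9, 0xA9, 0xF8, 0xA7, 0xF9, 0xA2, 0x20, 0xD6, 0x9A, 0xD6,
    0xC8, 0xD9, 0x99, 0xD3, 0xCB, 0x85, 0x9B, 0xD2, 0xC7, 0xD5,
    0x96, 0x84, 0xC9, 0xD4, 0x9A, 0xD8, 0xCA, 0xD7, 0x9C, 0xD5,
    0xC8, 0x85, 0x97, 0xD5, 0x9E, 0x85, 0x9C, 0xD4, 0xCA, 0x6D,
])
KNOWN_PREFIX = b"DASCTF{"   # flag format stated in the writeup


def words_le(data):
    """Split bytes into little-endian 16-bit words; a trailing odd byte is dropped."""
    return [data[i] | (data[i + 1] << 8) for i in range(0, len(data) - 1, 2)]


def decrypt_word(w, low, hi):
    return ((w ^ low) - hi) & 0xFFFF


def recover_key(ct, known_prefix):
    """Known-plaintext attack: try every 16-bit `low`; the first known word
    then fixes `hi`, and the remaining known words act as a filter.
    Returns every (low, hi) pair consistent with the known prefix."""
    cw = words_le(ct)
    pw = words_le(known_prefix)
    if len(pw) < 2:
        raise ValueError("need at least two full known plaintext words")
    candidates = []
    for low in range(0x10000):
        hi = ((cw[0] ^ low) - pw[0]) & 0xFFFF
        if all(decrypt_word(c, low, hi) == p for c, p in zip(cw[1:], pw[1:])):
            candidates.append((low, hi))
    return candidates


def decrypt(ct, low, hi):
    out = bytearray()
    for w in words_le(ct):
        p = decrypt_word(w, low, hi)
        out += bytes((p & 0xFF, p >> 8))
    return bytes(out)


def plausible_flags(ct=CIPHERTEXT, known_prefix=KNOWN_PREFIX):
    """Decrypt under every key candidate and keep results that look like a
    complete flag: the known prefix, printable ASCII, closing brace at the
    end. Returns (v5, plaintext) pairs; several keys can give one plaintext."""
    results = []
    for low, hi in recover_key(ct, known_prefix):
        pt = decrypt(ct, low, hi)
        if (pt.startswith(known_prefix) and pt.endswith(b"}")
                and all(0x20 <= c < 0x7F for c in pt)):
            results.append(((hi << 16) | low, pt))
    return results


if __name__ == "__main__":
    for v5, pt in plausible_flags():
        print(f"v5=0x{v5:08X}  {pt.decode()}")
```

With three known words the prefix pins only the bit positions where those three ciphertext words differ (here bits 0, 4, 8, 9, 10 and 11), so recover_key returns 2^10 = 1024 candidate pairs and the decrypt-and-filter step does the real work. One ambiguity never goes away: flipping bit 15 of both low and hi changes nothing modulo 2^16, so 0x0685EE20 and 0x86856E20 decrypt identically. You get the flag either way, just not necessarily the exact eax the binary used.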
A value is read into v7 and then passed through a checking function.
Everything in the input except the DASCTF wrapper is copied into buf.
Below that is a thread function; I couldn't tell what it does. It is huge and keeps writing zeros to the stack.
I patched it to ret straight away and looked: nothing there.
IDA can't debug it. My guess is that it writes a section, marks it executable, and runs something like a TLS callback or another anti-debugging trick in it.
Bypass that directly, then feed it input of the right length.
The flag is 40 characters, in the DASCTF{} format.
Stepping through it, execution stayed entirely inside kernelbase and user32.
It won't let me dump either. Stuck.
So start from the TLS.

You can see this TLS callback does the anti-debug check,
then prints "hack" and exits.
Patch the jz to jnz and the binary runs under the debugger.
Once it is running, look at the VirtualProtect call.
It is made from a function that does the following:

It RC4-decrypts a hardcoded blob and runs the result as shellcode. The RC4 key is babyflag.
# Encrypted shellcode as exported from IDA
h_signed = [
0x68, 0x60, 0xc, 0x1b, 0x2a, 0xb3, 0xee, 0x4a, 0x17, 0x7c, 0xb7, 0xf6, 0x91, 0xea, 0x92, 0x2d, 0x6b, 0xad, 0x61, 0xc2, 0x5f, 0x70, 0x2c, 0x14, 0x74, 0xe, 0xa2, 0xaf, 0x8a, 0x57, 0xff, 0x16, 0xd2, 0x18, 0xdf, 0x4c, 0xb4, 0x4d, 0x80, 0x8c, 0xda, 0xb0, 0x81, 0x41, 0xb5, 0x64, 0x8b, 0x71, 0xe5, 0x36, 0x39, 0x46, 0x10, 0xf2, 0x97, 0x25, 0xb0, 0x5, 0x10, 0x0, 0x7f, 0x96, 0xe4, 0x64, 0xc, 0xb, 0x14, 0xbc, 0x52, 0xea, 0x64, 0xb6, 0xe5, 0xde, 0x3, 0xb5, 0x52, 0x4e, 0x8d, 0x1f, 0x66, 0xcd, 0x68, 0x19, 0x65, 0x93, 0x5f, 0xc1, 0x30, 0xbc, 0xd0, 0x52, 0x86, 0x1, 0x4d, 0xb6, 0x99, 0x45, 0x40, 0x66, 0x3b, 0xbe, 0x13, 0x42, 0x4e, 0x9b, 0x18, 0x6d, 0xba, 0x0, 0x74, 0x99, 0xb2, 0x65, 0xec, 0x6c, 0xdf, 0x51, 0x17, 0x8a, 0x84, 0x3a, 0xf3, 0x5d, 0xc8, 0xe9, 0x88, 0x65, 0x9d, 0x5b, 0x4f, 0x1d, 0xc1, 0x16, 0xb5, 0x96, 0xc4, 0x8c, 0xfb, 0xea, 0xa2, 0x16, 0x23, 0x38, 0x8e, 0xe4, 0x9, 0x99
]
# Normalize signed chars to 0..255 and zero-pad to 152 bytes, as in the original script
h = [(x + 256) % 256 for x in h_signed] + [0] * (152 - len(h_signed))
key = b"babyflag"

def rc4(data, key):
    # Key-scheduling algorithm
    S = list(range(256))
    j = 0
    keylen = len(key)
    for i in range(256):
        j = (j + S[i] + key[i % keylen]) % 256
        S[i], S[j] = S[j], S[i]
    # Keystream generation, XORed into the data
    i = 0
    j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        K = S[(S[i] + S[j]) % 256]
        out.append(byte ^ K)
    return bytes(out)

dec = rc4(h, key)
path = "3.bin"   # decrypted shellcode, to be loaded into the disassembler
with open(path, "wb") as f:
    f.write(dec)

The shellcode holds a few dword constants that are XORed with a key. The key is 44332211h.
import struct

dwords = [
    0x20014077, 0x770A1073, 0x7C0B4320, 0x73524472,
    0x73501128, 0x20564477, 0x77041321, 0x72524721
]
# Lay the dwords out little-endian, as they sit in memory
table = b''.join(struct.pack('<I', d) for d in dwords)
key_dword = 0x44332211
key = struct.pack('<I', key_dword)

# XOR the table with the repeated 4-byte key; that yields the 32 characters
# between the braces. With the DASCTF{} wrapper it is the 40-character flag.
flag_body = bytes(t ^ k for t, k in zip(table, key * len(dwords)))
flag = b'DASCTF{' + flag_body + b'}'
print(flag.decode())