Drop the file into PEiD: it reports a UPX packer. Unpack it with UPXShell.
Then open the unpacked binary in IDA.
Go to the main function and press F5 to decompile.
The flow in main is: read a string of at most 38 characters, then process it.
Enter sub_401090.
Reading through the flow:
The flag length is 35. The hex string at byte_402150 is consumed two characters at a time, giving v8 (the high nibble, already multiplied by 16) and v9 (the low nibble).
The input is then transformed and compared against those values; once all 35 characters have been checked, the final comparison passes.
The comparison expression in the decompiler output is fairly convoluted, so look at the assembly to see how it is actually computed.
One character of the flag is loaded into both edi and esi. esi is shifted right by 4 and ANDed with 0x8000000F; edi is ANDed with 0x8000000F directly. The high nibble is then multiplied by 16 (the *2*8 in the assembly) and added to the low nibble to index the table. The 0x8000000F mask, together with the sign fix-up that follows it, is just the compiler's idiom for a signed % 16, so for an ASCII character this is nothing more than splitting it into its two nibbles, and table[low + 16*high] is simply table[c]. The table itself begins 0x63, 0x7c, 0x77, 0x7b, ..., which is the AES S-box.
That byte is compared with (v8 + v9) ^ 0x19, i.e. the decoded target byte XORed with 0x19; if they are equal, the character is correct.
So we write a Python script:
b = "2a49f69c38395cde96d6de96d6f4e025484954d6195448def6e2dad67786e21d5adae6"  # contents of byte_402150
# 256-byte lookup table dumped from the binary (it is the AES S-box)
a = [
    0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76, 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
    0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15, 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
    0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84, 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
    0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8, 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
    0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73, 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
    0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79, 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
    0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a, 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
    0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf, 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16,
]
for j in range(35):
    # decode one hex pair by hand, exactly as the binary does:
    # digits subtract '0', a-f subtract 'W' (0x57) so that 'a' -> 10
    v5 = ord(b[2 * j])
    if v5 < ord('0') or v5 > ord('9'):
        v6 = v5 - ord('W')
    else:
        v6 = v5 - ord('0')
    v7 = ord(b[2 * j + 1])
    v8 = 16 * v6
    if v7 < ord('0') or v7 > ord('9'):
        v9 = v7 - ord('W')
    else:
        v9 = v7 - ord('0')
    num1 = (v8 + v9) ^ 0x19          # target byte XOR 0x19
    # brute-force the printable character; the upper bound must be ord('}') + 1,
    # since range() excludes its end and the flag closes with '}'
    for i in range(ord('0'), ord('}') + 1):
        edi = i & 0x8000000F         # low nibble (the mask is the compiler's signed % 16)
        esi = (i >> 4) & 0x8000000F  # high nibble
        num2 = a[edi + esi * 16]     # == a[i] for 0 <= i < 256
        if num1 == num2:
            print(chr(i), end='')
            break
print()
The flag obtained:
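The check described above and its direct inversion, as an added example that is not the writeup's own script. The function names (gf_mul, aes_sbox, decode_targets, check_flag, recover_flag) are mine. Instead of pasting the 256-byte table again, the example regenerates it as the AES S-box (the dumped table's opening bytes 0x63 0x7c 0x77 0x7b are the S-box's first row), so it doubles as a check that the table was identified correctly. Because the S-box is a bijection, each flag character follows directly from the inverse table, which replaces the brute-force loop.

```python
# Added example (not the writeup's script): a re-implementation of sub_401090's check
# and its direct inversion. Function names are mine. The lookup table is not pasted:
# it is regenerated as the AES S-box, whose first bytes 63 7c 77 7b match the dump.

TARGET_HEX = "2a49f69c38395cde96d6de96d6f4e025484954d6195448def6e2dad67786e21d5adae6"  # byte_402150
XOR_KEY = 0x19
FLAG_LEN = 35


def gf_mul(x, y):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        x <<= 1
        if x & 0x100:
            x ^= 0x11B
        y >>= 1
    return r


def aes_sbox():
    """Build the AES S-box: multiplicative inverse, then the affine map with constant 0x63."""
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0) if x else 0
        s = inv
        for _ in range(4):                      # s = inv ^ rotl1 ^ rotl2 ^ rotl3 ^ rotl4
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        box.append(s ^ 0x63)
    return box


SBOX = aes_sbox()
INV_SBOX = {v: i for i, v in enumerate(SBOX)}   # the S-box is a bijection, so this inverts it exactly


def decode_targets(hexstr=TARGET_HEX):
    """Hex decode the way the binary does: digits subtract '0', a-f subtract 'W' (0x57)."""
    def nib(ch):
        return ord(ch) - ord('0') if '0' <= ch <= '9' else ord(ch) - ord('W')
    return [16 * nib(hexstr[2 * j]) + nib(hexstr[2 * j + 1]) for j in range(len(hexstr) // 2)]


def check_flag(candidate, hexstr=TARGET_HEX):
    """The binary's acceptance test: SBOX[c] == target ^ 0x19 at every one of the 35 positions."""
    targets = decode_targets(hexstr)
    if len(candidate) != FLAG_LEN or len(targets) != FLAG_LEN:
        return False
    return all(ord(c) < 256 and SBOX[ord(c)] == t ^ XOR_KEY
               for c, t in zip(candidate, targets))


def recover_flag(hexstr=TARGET_HEX):
    """Invert the check in one pass: c = INV_SBOX[target ^ 0x19]; no brute force needed."""
    return "".join(chr(INV_SBOX[t ^ XOR_KEY]) for t in decode_targets(hexstr))


if __name__ == "__main__":
    assert SBOX[:4] == [0x63, 0x7c, 0x77, 0x7b]     # same opening bytes as the dumped table
    flag = recover_flag()
    print(flag, check_flag(flag))
```

Run as a script it prints the recovered string and whether it passes the re-implemented check. Changing any single character of the candidate makes check_flag return False, which is exactly what a per-character substitution scheme like this one implies: every position is verified independently, so there is no partial-match oracle beyond what the inverse table already gives.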