逆向练习3(python效率编程学习)
BUUCTF——[De1CTF2019]Re_Sign
这道题很早之前和朋友一起做的,我只是脱了壳,但后面没有做出来,这一次自己试着做,这次自己做了出来。
脱壳了的程序不能运行,就用源程序直接动调,静态看脱壳后的ida,关键函数是sub_401f0a,这道题是魔改的base64,所以动调找到改后的表
进入函数动调,发现sub_402160是一个判断的关键点
进入发现了一个正常base64的表,动调发现出来和要对比的byte_41E377相比,发现出来的结果我们输入后第一次魔改base64加密的字符串在正常base64_table里面的位置,所以按照这种方法逆推回去就行(这里用的自己之前写的一个base64加密的脚本,自己写点工具脚本还是挺好的)
def mo64_decode(a):
tb = "0123456789QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm+/" #魔改的表
c=''
for i in range(len(a)):
b=str(bin(tb.index(a[i]))).replace("0b","").zfill(6) #6 base64 5 base32 4 base16
c+=str(b)
m=""
i=0
for i in range(0,len(c),8):
m+=chr(int(c[i:i+8],2))
return m
def mo64_encode(a):
tb='0123456789QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm+/'
c=''
for i in range(len(a)):
b=str(bin(ord(a[i])).replace("0b","")).zfill(8)
c+=str(b)
m=""
i=0
for i in range(0,len(c),6):
m+=tb[int(c[i:i+6],2)]
return m
ch="H6AfGzIeXjSCP3IaHzSBHhRCEFRCOhRWHAohFjxjOeqjCUDxrd"
ph="flag{123456123456123456123456123456}"
tb="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
arr=[0x8,0x3B,0x1,0x20,0x7,0x34,0x9,0x1F,0x18,0x24,0x13,0x3,0x10,0x38,0x9,0x1B,0x8,0x34,0x13,0x2,0x8,0x22,0x12,0x3,0x5,0x6,0x12,0x3,0x0F,0x22,0x12,0x17,0x8,0x1,0x29,0x22,0x6,0x24,0x32,0x24,0x0F,0x1F,0x2B,0x24,0x3,0x15]
for i in arr:
print(tb[i-1],end='')
print()
print(mo64_decode(ch))
print(mo64_encode(ph))
护网杯——re_quiz_middle
参考的大佬的博客才做出来,发现就是一个纯z3的计算题,之前没做出来就是因为z3不会用,从大佬的博客学到了很多python技巧,后面会贴上大佬的博客,这一次收获真的很多
先说python的一些写法究极效率
一行写出for循环
print ['a%d'%i for i in range (21)] #一行循环生成带ind值的数组
d[i] = If((((c[i+1]>>j)&1)==1),d[i]+a[j],d[i]^a[j]) #一行if else
flag="".join([chr(m[each].as_long()) for each in a]) #一行赋值
import time time.time() #可以计算结题时间
# coding:utf-8
from z3 import *
import time
s=Solver()
#print ['a%d'%i for i in range (21)]
t1=time.time()
a = [BitVec('a%d'%i,32) for i in range(15)]
b = [BitVec('b%d' % i, 32) for i in range(13)]
c = [BitVec('c%d' % i, 32) for i in range(13)]
d = [BitVec('d%d' % i, 32) for i in range(12)]
for i in range(15):
s.add(a[i] >= 0x20, a[i] <= 0x7f)
check = [0x21A, 0x110, 0x106, 0x16A, 0x3E4, 0x23A, 0x2E2, 0x13E, 0x2DE, 0x1FE, 0x34A, 0x1E8]
b[0]=((a[14] << 16) + (a[13] << 8) + a[12]);c[0]=b[0]
for i in range(1,13):
b[i]=(0x343FD * b[i - 1] + 0x269EC3)
c[i]=((b[i]>>16)&0x7fff)
for i in range(12):
d[i]=0
for i in range (12):
for j in range(12):
d[i] = If((((c[i+1]>>j)&1)==1),d[i]+a[j],d[i]^a[j])
s.add(d[i]==check[i])
#print s.check
if s.check()==sat:
m=s.model()
flag="".join([chr(m[each].as_long()) for each in a])
print flag
else: print "error"
print time.time()-t1
得到flag:flag{Sylb11ic_2funny}
大佬地址
https://bigkan.github.io/