一天好几场比赛,玩不过来了。随便选了几题简单的做(我是fw)
先Das吧
easymath
数学题,C++写的,逻辑清晰,求解即可
关键的处理流程在sub_41218F
// Decompiler (IDA) output for the "easymath" routine: builds a table of a1
// entries and returns the last one. The sub_4111xx helpers are not shown here;
// from the way they are used they look like container accessors (presumably
// reserve / size / resize / operator[] / destructor) — TODO confirm in the binary.
__int64 __cdecl sub_41CC90(__int64 a1)
{
  int v1; // eax
  _DWORD *v2; // eax
  _DWORD *v3; // eax
  _QWORD *v4; // esi
  __int64 v5; // rdi
  __int64 i; // [esp+F8h] [ebp-3Ch]
  __int64 v8; // [esp+108h] [ebp-2Ch]
  __int64 v9; // [esp+118h] [ebp-1Ch]

  __CheckForDebuggerJustMyCode(&unk_434032);
  if ( a1 <= 1 || a1 > 200 )                 // input restricted to 2..200
    return 0i64;
  sub_411FA5(0x10u);
  v1 = sub_411F87();
  sub_411F14(a1, v1);
  // arr[0] = arr[1] = 1, written as two 32-bit halves (low = 1, high = 0)
  v2 = (_DWORD *)sub_411F4B(0);
  *v2 = 1;
  v2[1] = 0;
  v3 = (_DWORD *)sub_411F4B(1);
  *v3 = 1;
  v3[1] = 0;
  v8 = 0i64;                                 // stays 0 when a1 == 2 (loop body never runs)
  for ( i = 2i64; i < a1; ++i )
  {
    // Both operands read element i-1, so this is arr[i] = arr[i-1] + arr[i-1]
    // (doubling), not the Fibonacci arr[i-1] + arr[i-2] it resembles.
    v4 = (_QWORD *)sub_411F4B(i - 1);
    v5 = *(_QWORD *)sub_411F4B(i - 1) + *v4;
    *(_QWORD *)sub_411F4B(i) = v5;
    v8 = *(_QWORD *)sub_411F4B(i);           // last element written; this is what gets returned
  }
  v9 = v8;
  sub_411F5F();
  return v9;
}
读一下代码,虽然看起来比较像斐波那契
但不同于斐波那契的arr[i] = arr[i-1] + arr[i-2],这里是arr[i] = arr[i-1] + arr[i-1]
范围不大,直接暴力枚举
import struct

MASK = 0xFFFFFFFFFFFFFFFF  # emulate the binary's 64-bit wrap-around


def Fiboaccai(i):
    """Reproduce the binary's table: arr[0] = arr[1] = 1, arr[k] = 2 * arr[k-1] (mod 2**64).

    Returns the last element of a table of length ``i``; for ``i < 3`` the
    loop never runs and the result is 1.
    """
    table = [1, 1]
    for _ in range(2, i):
        prev = table[-1] & MASK
        table.append(prev + prev)
    return table[-1] & MASK


# The input range is small (2..200 in the binary), so enumerate every candidate.
datt = [Fiboaccai(n) for n in range(0, 200)]
print(datt)

# The three constants are added to the candidate in the binary; a hit is
# reported together with the table index that produced it, and the flag is
# rebuilt from "flagU"+index (0x666C616755) and the big-endian bytes of v28, v27, v29.
for cand in datt:
    v29 = (cand + 0x61536369217D) & MASK
    v28 = (cand + 0x586531316F) & MASK
    v27 = (cand + 0x5F3631626F4E) & MASK
    if (cand + v27 + v28 + v29) & MASK != 0xC121F9FCC23A:
        continue
    idx = datt.index(cand)
    print(cand, idx)
    parts = [0x666C616755 + idx, v28, v27, v29]
    # strip the zero padding of each 8-byte field before gluing the pieces together
    print(b"".join(struct.pack(">Q", p).replace(b"\x00", b"") for p in parts))
pig_brain_king
还是C++写的,程序要求到达1000次输入正确字符串,而字符串是随机的且每次长度自增1
虽然输出用了码表的方式,但是隐藏不了关键的信息- –
定位00C8CB7B
直接强制跳转
当然也可以patch一下判断点,然后根据他说的运行1000次
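# -*- coding:utf-8 -*-
import subprocess

# Path to the challenge binary (as used in the write-up).
EXE = r"D:\Downloads\Programs\pig_brain_king.exe"

# Drive the (patched) binary: whenever it prints a line starting with "*" —
# presumably its input prompt — answer "123\t"; stop once a line starting with
# "1000" (the round counter) appears. Changes from the one-liner:
#  - shell=True is dropped: a list argv does not need a shell and would
#    otherwise be routed through cmd.exe;
#  - stderr is sent to DEVNULL instead of an unread PIPE, which could fill up
#    and stall the child;
#  - the with-block closes both pipes (EOF on stdin) and waits for the child,
#    so no process or handle is left dangling when the loop breaks.
with subprocess.Popen(
    [EXE],
    text=True,
    stdin=subprocess.PIPE,
    stdout=subprocess.PIPE,
    stderr=subprocess.DEVNULL,
    close_fds=True,
) as cmd:
    for line in cmd.stdout:
        if line.startswith("1000"):
            break
        print(line)
        if line.startswith("*"):
            cmd.stdin.write("123\t")
            cmd.stdin.flush()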
wasm1
长安杯的题,wasm逆向
看到标题就是wasm2c,不过题目给了tips,jeb针对wasm反汇编的处理相对比较完善
简单分析下就知道rc4的key,但是不清楚有没有魔改。
直接躺下,开http server动调,修改内存
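// Run from the browser's debugger while the wasm module is paused: write these
// 22 bytes into the module's linear memory at 0x00500D30. `memories` and the
// "$env.memory" key come from the debugging harness, not from this snippet.
let data = [
  0x8F, 0xEF, 0x7C, 0xE4, 0x09, 0x9D, 0x3B, 0x7F, 0x91, 0x19, 0x46,
  0x9E, 0x12, 0x0C, 0x0E, 0xDB, 0x39, 0xAD, 0x47, 0xA9, 0x3F, 0x1C,
];
// Destination offset inside linear memory (from the write-up).
let dst = 0x00500D30;
let me = new Uint8Array(memories["$env.memory"].buffer);
// Copy the whole array instead of a hand-kept count of 22 that could drift
// from data.length; set() also throws a RangeError if the range does not fit
// in the buffer, where the original index loop would silently drop the writes.
me.set(data, dst);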
流加密之后的数据在0x00501130上