这种感觉很难,怎么放在这里?
用 IDA 打开后一时看不出它在做什么。在函数列表中搜索 __except_handler4,找到异常处理函数;反向查看交叉引用,发现它被 sub_402320 调用。sub_402320 再调用 sub_402450,用 key 对 404000 处的数据逐字节异或后取反来解密。
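/*
 * sub_402450 -- Hex-Rays pseudocode, reformatted from the page's collapsed
 * listing.  The page's copy had every `+` dropped (a bare space stood where
 * `+` / `++` belonged: "result a2", "v7 ]", "result;"); those operators are
 * restored here, nothing else is changed.
 *
 * In-place decryption of a1 bytes at address a2: each byte is XORed with the
 * next byte of the global string "sycloversyclover" and the result is bit-
 * inverted, i.e. byte = ~(byte ^ key[v7]).  v7 walks the key and is reset to
 * 0 whenever it reaches a4 (the key length), so the key repeats modulo a4.
 * Returns the number of bytes processed (== a1 when a1 > 0 and a4 > 0).
 *
 * Custom calling convention: a1 in EDX, a2 in ECX; a3 is never used.
 * NOTE(review): with a4 <= 0 the outer loop never breaks out -- presumably
 * unreachable for the caller's arguments.
 */
int __usercall sub_402450@<eax>(int a1@<edx>, int a2@<ecx>, int a3, int a4)
{
  int result; // eax
  int v7;     // edx
  char v8;    // cl

  result = 0;
  if ( a1 > 0 )
  {
    while ( 1 )
    {
      v7 = 0;                         // restart the key from its first byte
      if ( a4 > 0 )
        break;
LABEL_5:
      if ( result >= a1 )
        return result;                // all a1 bytes done
    }
    while ( result < a1 )
    {
      v8 = aSycloversyclov[v7++];     // "sycloversyclover"
      *(_BYTE *)(result + a2) = ~(*(_BYTE *)(result + a2) ^ v8);
      ++result;
      if ( v7 >= a4 )                 // key exhausted: wrap around via LABEL_5
        goto LABEL_5;
    }
  }
  return result;
}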
写程序解密,然后把解密后的文件再放入 IDA 分析。
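"""Undo the transform applied by sub_402450 to the encrypted code region.

The decompiled loop computes byte = ~(byte ^ key[j]) with j cycling through
the key from 0 at the start of the region.  The page's one-liner indexed
``key[i]`` with i >= 0x3400, which raises IndexError on a 16-byte key; the
key index must be taken relative to the region start (modulo the key length).
"""

KEY = b'sycloversyclover'
# File offsets of the encrypted region in attachment.exe (end exclusive).
START = 0x3400
END = 0x3600


def decrypt_range(data: bytes, key: bytes, start: int, end: int) -> bytes:
    """Return a copy of ``data`` with bytes [start, end) decrypted.

    Each byte becomes ``0xff - (byte ^ key[(i - start) % len(key)])``, which
    is the unsigned form of ``~(byte ^ k)`` used by sub_402450.  Because
    0x3400 is a multiple of 16 this equals ``key[i % 16]`` for the default
    region.  The transform is an involution: applying it twice with the same
    ``start`` restores the input.

    Args:
        data: whole file contents; bytes outside [start, end) are untouched.
        key: non-empty repeating XOR key.
        start, end: region bounds; ``end`` is clamped to ``len(data)``.

    Raises:
        ValueError: if ``key`` is empty.
    """
    if not key:
        raise ValueError("key must not be empty")
    out = bytearray(data)
    stop = min(end, len(out))
    for i in range(start, stop):
        out[i] = 0xFF - (out[i] ^ key[(i - start) % len(key)])
    return bytes(out)


def main() -> None:
    """Read attachment.exe, decrypt the region and write a3.exe."""
    with open('attachment.exe', 'rb') as f:
        data = f.read()
    with open('a3.exe', 'wb') as f:
        f.write(decrypt_range(data, KEY, START, END))


if __name__ == '__main__':
    main()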
该函数对密文先逐字节减 1,再把整个字符串反转。
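/*
 * sub_404000 -- Hex-Rays pseudocode, reformatted from the page's collapsed
 * listing with the dropped `+` / `++` operators restored ("i )" -> "++i )",
 * "v3 0x409017" -> "v3 + 0x409017", "[v1 ]" -> "[v1++]").
 *
 * Transforms the global string aPvfqyc4ttc2uxr in place in two passes:
 *   1. subtract 1 from every byte;
 *   2. swap str[v1] with the byte at (len - v1) + 0x409017 for v1 < len/2.
 * 0x409017 and its decimal twin 4231191 are the same constant; if the string
 * lives at 0x409018 (one past it) that address is str[len - 1 - v1], i.e.
 * pass 2 is a plain reversal -- confirm the address in IDA.
 * Returns strlen() of the transformed string.
 *
 * NOTE(review): strlen() is re-evaluated every iteration, so a byte that
 * becomes 0 in pass 1 shortens the string seen by pass 2.
 */
unsigned int sub_404000()
{
  unsigned int i;      // edx
  unsigned int v1;     // esi
  unsigned int result; // eax
  int v3;              // eax
  char v4;             // dl

  for ( i = 0; i < strlen(aPvfqyc4ttc2uxr); ++i )
    --aPvfqyc4ttc2uxr[i];                      // pass 1: every byte - 1
  v1 = 0;
  result = strlen(aPvfqyc4ttc2uxr);
  if ( (result & 0xFFFFFFFE) != 0 )            // length >= 2: something to swap
  {
    do
    {
      v3 = result - v1;                        // pass 2: mirror position
      v4 = *(_BYTE *)(v3 + 0x409017);
      *(_BYTE *)(v3 + 4231191) = aPvfqyc4ttc2uxr[v1];   // 4231191 == 0x409017
      aPvfqyc4ttc2uxr[v1++] = v4;
      result = strlen(aPvfqyc4ttc2uxr);
    }
    while ( v1 < result >> 1 );                // stop at the middle
  }
  return result;
}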
再用 IDA 查看,解密算法是 AES;从字符串表中找到两个串:
sycloversyclover sctfsctfsctfsctf
两个都是 16 字节,符合 AES 对 key 和 iv 的长度要求:用第一个作为 key,第二个作为 iv。上面函数处理后得到的密文先做 base64 解码,再作为密文用 AES 解密。
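"""Recover the flag: undo sub_404000, base64-decode, then AES-128-CBC decrypt.

sub_404000 subtracts 1 from every byte of the stored string and then reverses
it (both steps are per-byte independent, so their order is irrelevant).  The
page's one-liner used ``cipher[:-1]`` (drop the last byte) instead of the
reversal ``cipher[::-1]``; that contradicts the analysis of sub_404000 and
leaves 43 base64 characters, which b64decode rejects as badly padded.  With
the reversal the result is 44 characters ending in '=' -> 32 bytes, i.e. two
AES blocks.
"""
from base64 import b64decode

# The string as stored in the binary (global aPvfqyc4ttc2uxr).
STORED = b'>pvfqYc,4tTc2UxRmlJ,sB{Fh4Ck2:CFOb4ErhtIcoLo'
# Guess from the two 16-byte strings found in IDA: first is the key, second the IV.
KEY = b'sycloversyclover'
IV = b'sctfsctfsctfsctf'


def unscramble(stored: bytes) -> bytes:
    """Apply sub_404000's transform: subtract 1 from each byte, then reverse.

    The subtraction wraps modulo 256 like the C ``--`` on a byte; the page's
    ``i - 1`` would raise ValueError on a 0x00 byte.
    """
    return bytes((b - 1) & 0xFF for b in stored[::-1])


def recover_ciphertext(stored: bytes) -> bytes:
    """Unscramble ``stored`` and base64-decode it into the raw AES ciphertext."""
    return b64decode(unscramble(stored))


def main() -> None:
    """Print the base64 text and the decrypted (still PKCS#7-padded) flag."""
    # pycryptodome; imported here so the pure helpers above work without it.
    from Crypto.Cipher import AES

    b64_text = unscramble(STORED)
    print(b64_text)
    cipher = recover_ciphertext(STORED)
    aes = AES.new(KEY, AES.MODE_CBC, IV)
    m = aes.decrypt(cipher)   # AES.decrypt does not strip the PKCS#7 padding
    print(m)
    # sctf{Ae3_C8c_I28_pKcs79ad4}
    # flag{Ae3_C8c_I28_pKcs79ad4}


if __name__ == '__main__':
    main()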