re全一血,两题都ak,一血加15%,加了45分
签到题
sub_55B88BC541C9对s数组进行操作
进去看是个异或,写脚本逐字节爆破
def sub_11C9(a1, a2):
    """Python port of the per-byte transform used by the check routine.

    Adds 75 to ``a1`` and XORs that sum with ``a2 - 75`` reduced to one byte.
    Only the second operand is masked: for ``a1 >= 181`` the sum no longer
    fits in a byte, so the result is above 0xFF.
    """
    shifted_input = a1 + 75
    position_mask = (a2 - 75) & 0xFF
    return shifted_input ^ position_mask
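# Expected output of the transform for each input position
# (presumably the table the binary compares against -- confirm).
dword_4020 = [
    0x1A, 0x1A, 0xC8, 0x16, 0xC6, 0x14, 0x3A, 0x3D, 0xC5, 0x13,
    0xC2, 0x40, 0xBD, 0xBA, 0xBC, 0x74, 0xBB, 0x76, 0xBF, 0x4B,
    0x4B, 0x4B, 0x7B, 0xB4, 0x4D, 0x62, 0x61, 0xAD, 0x60, 0x56,
    0x63, 0xAF, 0x78, 0x54, 0x56, 0x74
]

# The transform depends only on the byte value and its index, so each
# position can be recovered independently by trying all 256 byte values.
# Iterating the table itself replaces the hard-coded length of 36 and the
# out-of-range fallback branch, which could never run for this table.
flag = []
for i, target in enumerate(dword_4020):
    match = next((c for c in range(256) if sub_11C9(c, i) == target), None)
    # A position with no candidate gets a visible placeholder instead of
    # being dropped, so the remaining characters stay aligned.
    flag.append('?' if match is None else chr(match))
print(''.join(flag))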
题目提示smc
分析代码发现有个base64,但解出来是个假的flag;smc部分是用异或0x35来解密sub_140003010
把sub_140003010的16进制全部提取下来去异或0x35
Exp
# Bytes of sub_140003010 as extracted from the binary; per the write-up they
# are still XOR-encoded at this point.
nums = [0xCC, 0xB4, 0xD9, 0xED, 0x35, 0x35, 0x35, 0x7D, 0xBE, 0x30, 0xDF, 0x1A, 0x35, 0x35, 0x7D, 0x06, 0xF1, 0x7D, 0xBC, 0xB1, 0x11, 0xFD, 0x35, 0x35, 0x35, 0x7D, 0xB8, 0x20, 0xFD, 0x27, 0x35, 0x35, 0x7D, 0xBE, 0x38, 0x6C, 0x25, 0x35, 0x35, 0xDD, 0xF1, 0xEA, 0xCA, 0xCA, 0x7D, 0xB8, 0x20, 0xA8, 0xD6, 0xCA, 0xCA, 0x7D, 0xBE, 0xFD, 0xCA, 0x20, 0x69, 0x25, 0x35, 0x35, 0x7D, 0xB8, 0x20, 0x80, 0x27, 0x35, 0x35, 0x7D, 0xBE, 0x38, 0x03, 0x25, 0x35, 0x35, 0xDD, 0x94, 0xEA, 0xCA, 0xCA, 0xF2, 0x71, 0x11, 0x55, 0x23, 0x35, 0x35, 0x35, 0xF2, 0x71, 0x11, 0x51, 0x31, 0x35, 0x35, 0x35, 0xF2, 0x71, 0x11, 0x5D, 0x30, 0x35, 0x35, 0x35, 0xF2, 0x71, 0x11, 0x59, 0x33, 0x35, 0x35, 0x35, 0xF2, 0x71, 0x11, 0x45, 0x33, 0x35, 0x35, 0x35, 0xF2, 0x71, 0x11, 0x41, 0x20, 0x35, 0x35, 0x35, 0xF2, 0x71, 0x11, 0x4D, 0x1C, 0x35, 0x35, 0x35, 0xF2, 0x71, 0x11, 0x49, 0x04, 0x35, 0x35, 0x35, 0xF2, 0xB1, 0x11, 0xB5, 0x35, 0x35, 0x35, 0x0B, 0x35, 0x35, 0x35, 0xF2, 0xB1, 0x11, 0xB1, 0x35, 0x35, 0x35, 0x19, 0x35, 0x35, 0x35, 0xF2, 0xB1, 0x11, 0xBD, 0x35, 0x35, 0x35, 0x14, 0x35, 0x35, 0x35, 0xF2, 0xB1, 0x11, 0xB9, 0x35, 0x35, 0x35, 0x39, 0x35, 0x35, 0x35, 0xF2, 0xB1, 0x11, 0xA5, 0x35, 0x35, 0x35, 0x0E, 0x35, 0x35, 0x35, 0xF2, 0xB1, 0x11, 0xA1, 0x35, 0x35, 0x35, 0x03, 0x35, 0x35, 0x35, 0xF2, 0xB1, 0x11, 0xAD, 0x35, 0x35, 0x35, 0x3C, 0x35, 0x35, 0x35, 0xF2, 0xB1, 0x11, 0xA9, 0x35, 0x35, 0x35, 0x04, 0x35, 0x35, 0x35, 0xF2, 0xB1, 0x11, 0x95, 0x35, 0x35, 0x35, 0x0F, 0x35, 0x35, 0x35, 0xF2, 0xB1, 0x11, 0x91, 0x35, 0x35, 0x35, 0x03, 0x35, 0x35, 0x35, 0xF2, 0xB1, 0x11, 0x9D, 0x35, 0x35, 0x35, 0x38, 0x35, 0x35, 0x35, 0xF2, 0xB1, 0x11, 0x99, 0x35, 0x35, 0x35, 0x02, 0x35, 0x35, 0x35, 0xF2, 0xB1, 0x11, 0x85, 0x35, 0x35, 0x35, 0x06, 0x35, 0x35, 0x35, 0xF2, 0x71, 0x11, 0x0D, 0x04, 0x35, 0x35, 0x35, 0xF2, 0x71, 0x11, 0x09, 0x09, 0x35, 0x35, 0x35, 0xF2, 0x71, 0x11, 0x75, 0x3A, 0x35, 0x35, 0x35, 0xF2, 0x71, 0x11, 0x71, 0x03, 0x35, 0x35, 0x35, 0xF2, 0x71, 0x11, 0x7D, 0x09, 0x35, 0x35, 0x35, 0xF2, 0x71, 0x11, 0x79, 0x04, 0x35, 
0x35, 0x35, 0xF2, 0x71, 0x11, 0x65, 0x02, 0x35, 0x35, 0x35, 0xF2, 0x71, 0x11, 0x61, 0x18, 0x35, 0x35, 0x35, 0x7D, 0xBE, 0x30, 0xF6, 0x24, 0x35, 0x35, 0x7D, 0xBC, 0xB1, 0x11, 0xF5, 0x35, 0x35, 0x35, 0xF2, 0x71, 0x11, 0x15, 0x35, 0x35, 0x35, 0x35, 0xDE, 0x3F, 0xBE, 0x71, 0x11, 0x15, 0xCA, 0xF5, 0xBC, 0x71, 0x11, 0x15, 0xB6, 0x49, 0x11, 0x15, 0x20, 0x48, 0x0F, 0x7D, 0x56, 0x71, 0x11, 0x15, 0x7D, 0xBC, 0x71, 0x11, 0x05, 0xBE, 0x71, 0x11, 0x15, 0xAC, 0x8C, 0x33, 0x35, 0x35, 0x35, 0xC2, 0xCC, 0xBE, 0xF7, 0x7D, 0xAD, 0x3A, 0x8B, 0xB1, 0x31, 0xF5, 0x35, 0x35, 0x35, 0x7D, 0xBE, 0x79, 0x11, 0x05, 0xBE, 0x79, 0xB9, 0x55, 0x06, 0xFD, 0xBE, 0xF4, 0x7D, 0x56, 0x79, 0x11, 0x15, 0xBC, 0x71, 0xB9, 0x55, 0xDE, 0x80, 0xF2, 0x71, 0x11, 0x11, 0x35, 0x35, 0x35, 0x35, 0xDE, 0x3F, 0xBE, 0x71, 0x11, 0x11, 0xCA, 0xF5, 0xBC, 0x71, 0x11, 0x11, 0xB6, 0x49, 0x11, 0x11, 0x3D, 0x48, 0x2E, 0x7D, 0x56, 0x71, 0x11, 0x11, 0x3A, 0x8B, 0x79, 0x11, 0x1D, 0xBE, 0x71, 0xB1, 0x0D, 0x06, 0xF4, 0x7D, 0x56, 0x79, 0x11, 0x11, 0xBC, 0x71, 0xB9, 0x0D, 0xDE, 0xE1, 0x79, 0xB8, 0x71, 0x11, 0x0D, 0x8F, 0x61, 0x35, 0x35, 0x35, 0x7D, 0xB8, 0x79, 0x11, 0x55, 0xCA, 0x20, 0x26, 0x25, 0x35, 0x35, 0x7D, 0xB8, 0x20, 0x29, 0x24, 0x35, 0x35, 0x7D, 0xBE, 0x38, 0x50, 0x3B, 0x35, 0x35, 0xDD, 0xE5, 0xE8, 0xCA, 0xCA, 0x7D, 0xB8, 0x61, 0x11, 0x55, 0x7D, 0xBE, 0xFD, 0xCA, 0x20, 0x57, 0x3B, 0x35, 0x35, 0x7D, 0xB8, 0x20, 0xAE, 0xD4, 0xCA, 0xCA, 0x7D, 0xBE, 0xFD, 0xCA, 0x20, 0x6F, 0x3B, 0x35, 0x35, 0x7D, 0xBE, 0xB9, 0x11, 0xFD, 0x35, 0x35, 0x35, 0x7D, 0x06, 0xF9, 0xDD, 0xA7, 0xDF, 0xCA, 0xCA, 0x7D, 0xB4, 0xF1, 0xED, 0x35, 0x35, 0x35, 0xF6] # input array
hex_value = 0x35 # single-byte XOR key; 0x35 is 53 in decimal (the original note said 85)
def int_to_hex(x):
    """Return ``x`` as lowercase hexadecimal text, without a ``0x`` prefix or zero padding."""
    return f"{x:x}"
# XOR every extracted byte with the key and render it as hex text.
# Values below 0x10 come out as a single digit ('0', not '00'), so pad
# them before pasting the output back as raw bytes.
result = list(map(lambda encoded: int_to_hex(encoded ^ hex_value), nums))
# Show the decoded bytes
print(result)
然后把解密后的字节patch回去,再把smc部分的代码nop掉(否则运行时会对已解密的代码再异或一次)
进去看,有个异或,直接下断点调试
还有一组数组Source也进行了异或操作,但是v11是空的
题目提示要异或出一个}才能得到真正的flag,对末尾字节0x2D直接爆破,得到key是80
# The one encoded byte that is brute-forced against '}' (0x7d) to find the key.
nums = [
    0x2D,
]
def int_to_hex(x):
    """Format ``x`` as lowercase hex digits with no ``0x`` prefix."""
    return '{:x}'.format(x)
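# Brute-force the single-byte XOR key: print every key that turns the
# encoded byte(s) in `nums` into '}' (0x7d).
# A byte XORed with a key of 256 or more always yields a value above 0xFF,
# so only 0..255 can match; the search is bounded to that range instead of
# 10000 candidates, and the comparison is done on integers rather than on
# formatted hex strings.
for i in range(256):
    if [x ^ i for x in nums] == [ord('}')]:
        print(i)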
# Encoded bytes to decode (input array)
nums = [
    0x31, 0x3C, 0x0F, 0x36,
    0x3C, 0x31, 0x37, 0x2D,
]
# XOR key recovered by the brute force: decimal 80 (0x50), not 85
hex_value = 0x50
# Helper that converts a number to a hexadecimal string
def int_to_hex(x):
    """Return the lowercase hex digits of ``x`` with no prefix."""
    hex_text = format(x, "x")
    return hex_text
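# XOR each encoded byte with the key and map it straight to its character.
# The hex-string list that was assigned to `result` first was overwritten
# before anything read it, so that dead assignment is removed.
result = [chr(x ^ hex_value) for x in nums]
# Print the decoded text
print(''.join(result))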