##include <stdio.h>\n\nint main(void) {\n unsigned int ret = 0x685ee20;\n \/\/printf("%x\\n", ret);\n\n for (int i = 0; i < 20; i++) {\n cipher[i] ^= 0xee20;\n cipher[i] -= 0x0685;\n\t }\n printf("%s", cipher);\n}\n<\/code><\/pre>\nBasicLoader<\/h2>\n
\u7a0b\u5e8f\u88c5\u8f7d\u4e86\u53cd\u8c03\u8bd5,\u5728TLS\u56de\u8c03\u51fd\u6570\u4e2dpatch\u6389\u53cd\u8c03\u8bd5\u68c0\u6d4b\u540e\u5373\u53ef\u6b63\u5e38\u8c03\u8bd5,\u540c\u65f6TLS\u521d\u59cb\u5316\u4e86\u4e00\u5757\u5730\u5740<\/p>\n
int __fastcall main(int argc, const char **argv, const char **envp)\n{\n const char **envp_1; \/\/ r8\n HANDLE hHandle; \/\/ [rsp+30h] [rbp-108h]\n _BYTE Parameter[112]; \/\/ [rsp+40h] [rbp-F8h] BYREF\n _BYTE v7[112]; \/\/ [rsp+B0h] [rbp-88h] BYREF\n\n memset(Parameter, 0, 0x64uLL);\n sub_7FF769DFD920(std::cout, "input flag> ", envp);\n std::istream::getline(std::cin, v7, 99LL);\n if ( sub_7FF769DD1140(v7, Parameter) )\n {\n hHandle = CreateThread(0LL, 0x1000uLL, StartAddress, Parameter, 0, 0LL);\n WaitForSingleObject(hHandle, 0xFFFFFFFF);\n }\n else\n {\n sub_7FF769DFD920(std::cout, "wrong flag!\\n", envp_1);\n }\n return 0;\n}\n<\/code><\/pre>\n\u53d1\u73b0main\u51fd\u6570\u4f1a\u521b\u9020\u7ebf\u7a0b,\u8fdb\u5165StartAddress,\u5728TLS\u521d\u59cb\u5316\u7684shellcode\u4e2d\u53ef\u4ee5\u770b\u5230,\u53d1\u73b0\u662frc4\u89e3\u5bc6\u51fa\u6765\u6570\u636e<\/p>\n
#include <stdio.h>\n#include <string.h>\n\nunsigned char data[] = {\n 0x68, 0x60, 0x0C, 0x1B, 0x2A, 0xB3, 0xEE, 0x4A, 0x17, 0x7C, 0xB7, 0xF6, 0x91, 0xEA, 0x92, 0x2D,\n 0x6B, 0xAD, 0x61, 0xC2, 0x5F, 0x70, 0x2C, 0x14, 0x74, 0x0E, 0xA2, 0xAF, 0x8A, 0x57, 0xFF, 0x16,\n 0xD2, 0x18, 0xDF, 0x4C, 0xB4, 0x4D, 0x80, 0x8C, 0xDA, 0xB0, 0x81, 0x41, 0xB5, 0x64, 0x8B, 0x71,\n 0xE5, 0x36, 0x39, 0x46, 0x10, 0xF2, 0x97, 0x25, 0xB0, 0x05, 0x10, 0x00, 0x7F, 0x96, 0xE4, 0x64,\n 0x0C, 0x0B, 0x14, 0xBC, 0x52, 0xEA, 0x64, 0xB6, 0xE5, 0xDE, 0x03, 0xB5, 0x52, 0x4E, 0x8D, 0x1F,\n 0x66, 0xCD, 0x68, 0x19, 0x65, 0x93, 0x5F, 0xC1, 0x30, 0xBC, 0xD0, 0x52, 0x86, 0x01, 0x4D, 0xB6,\n 0x99, 0x45, 0x40, 0x66, 0x3B, 0xBE, 0x13, 0x42, 0x4E, 0x9B, 0x18, 0x6D, 0xBA, 0x00, 0x74, 0x99,\n 0xB2, 0x65, 0xEC, 0x6C, 0xDF, 0x51, 0x17, 0x8A, 0x84, 0x3A, 0xF3, 0x5D, 0xC8, 0xE9, 0x88, 0x65,\n 0x9D, 0x5B, 0x4F, 0x1D, 0xC1, 0x16, 0xB5, 0x96, 0xC4, 0x8C, 0xFB, 0xEA, 0xA2, 0x16, 0x23, 0x38,\n 0x8E, 0xE4, 0x09, 0x99, 0x55, 0x58, 0x4A, 0x4F\n};\n\nstatic const size_t data_len = sizeof(data);\n\n\/\/ RC4\u5bc6\u94a5\u8c03\u5ea6\u7b97\u6cd5 (KSA)\nvoid RC4_KSA(unsigned char *key, int keyLength, unsigned char *S) {\n int i, j = 0;\n unsigned char temp;\n \n for (i = 0; i < 256; i++) {\n S[i] = i;\n }\n \n for (i = 0; i < 256; i++) {\n j = (j + S[i] + key[i % keyLength]) % 256;\n \n \/\/ \u4ea4\u6362 S[i] \u548c S[j]\n temp = S[i];\n S[i] = S[j];\n S[j] = temp;\n }\n}\n\n\/\/ RC4\u4f2a\u968f\u673a\u751f\u6210\u7b97\u6cd5 (PRGA)\nvoid RC4_PRGA(unsigned char *S, unsigned char *data, int dataLength) {\n int i = 0, j = 0, k;\n unsigned char temp;\n \n for (k = 0; k < dataLength; k++) {\n i = (i + 1) % 256;\n j = (j + S[i]) % 256;\n \n \/\/ \u4ea4\u6362 S[i] \u548c S[j]\n temp = S[i];\n S[i] = S[j];\n S[j] = temp;\n \n \/\/ \u83b7\u53d6\u4f2a\u968f\u673a\u5b57\u8282\u5e76\u4e0e\u6570\u636e\u8fdb\u884c\u5f02\u6216\n data[k] ^= S[(S[i] + S[j]) % 256];\n }\n}\n\nint main() {\n unsigned char key[] = "babyflag"; \/\/ \u5bc6\u94a5\n \n int keyLength = strlen((char *)key);\n int dataLength = sizeof(data) \/ sizeof(data[0]);\n \n unsigned char S[256]; \/\/ \u72b6\u6001\u5411\u91cf\n\n \/\/ \u5bc6\u94a5\u8c03\u5ea6\u7b97\u6cd5 (KSA)\n RC4_KSA(key, keyLength, S);\n \n \/\/ \u4f2a\u968f\u673a\u751f\u6210\u7b97\u6cd5 (PRGA) \u7528\u4e8e\u52a0\u5bc6\u6570\u636e\n RC4_PRGA(S, data, dataLength);\n\n printf("Encrypted text: ");\n for (int i = 0; i < dataLength; i++) {\n printf("%02X ", data[i]);\n }\n printf("\\n");\n\n \/\/ \u89e3\u5bc6\u65f6\uff0c\u76f4\u63a5\u4f7f\u7528\u76f8\u540c\u7684\u52a0\u5bc6\u8fc7\u7a0b\n RC4_KSA(key, keyLength, S);\n RC4_PRGA(S, data, dataLength);\n\n printf("Decrypted text: %s\\n", data);\n \n return 0;\n}\n<\/code><\/pre>\n\u628a\u89e3\u5bc6\u51fa\u6765\u7684shellcode\u4e8c\u8fdb\u5236\u5199\u5165\u6587\u4ef6,\u518d\u62d6\u5165ida\u53cd\u7f16\u8bd1<\/p>\n
char __fastcall sub_0(__int64 a1, __int64 a2, __int64 a3, __int64 a4, __int64 a5, __int64 a6, int key)\n{\n unsigned __int64 i; \/\/ r8\n _DWORD v9[8]; \/\/ [rsp+0h] [rbp-20h] BYREF\n\n if ( !a4 )\nLABEL_6:\n JUMPOUT(0x98LL);\n i = 0LL;\n v9[0] = 536952951;\n v9[1] = 1997148275;\n v9[2] = 2081112864;\n v9[3] = 1934771314;\n v9[4] = 1934627112;\n v9[5] = 542524535;\n v9[6] = 1996755745;\n v9[7] = 1917994785;\n key = 1144201745;\n do\n {\n if ( *(v9 + i) != (*(v9 + i + a4 - v9) ^ *(&key + (i & 3))) )\n goto LABEL_6;\n ++i;\n }\n while ( i < 0x20 );\n return 1;\n}\n<\/code><\/pre>\n\u89e3\u5bc6\u811a\u672c<\/h3>\n#include <stdio.h>\n\nint main() {\n unsigned v9[8];\n v9[0] = 0x20014077;\n v9[1] = 0x770A1073;\n v9[2] = 0x7C0B4320;\n v9[3] = 0x73524472;\n v9[4] = 0x73501128;\n v9[5] = 0x20564477;\n v9[6] = 0x77041321;\n v9[7] = 0x72524721;\n\n unsigned int key = 0x44332211;\n for (int i = 0; i < 8; i++) {\n v9[i] ^= key;\n }\n\n printf("%.32s", v9);\n}\n<\/code><\/pre>\nChal<\/h2>\n\u7a0b\u5e8f\u5206\u6790<\/h3>\n
\u53d1\u73b0\u9644\u4ef6\u63d0\u4f9b\u4e86\u4e00\u4e2aoutput_file\u6587\u4ef6,\u731c\u6d4b\u662f\u4f1a\u8bfb\u53d6\u4e00\u4e2a\u6587\u4ef6\u52a0\u5bc6\u540e\u4ea7\u751foutpu_file
\n\u5728ida\u4e2d\u641c\u7d22\u53ef\u4ee5input_file\u5b57\u7b26\u4e32,\u8ddf\u8e2a\u540e\u6253\u65ad\u70b9\u53ef\u4ee5\u53d1\u73b0\u4e3b\u7a0b\u5e8f<\/p>\n
\u8ddf\u8e2a\u7a0b\u5e8f\u53ef\u4ee5\u53d1\u73b0\u5f00\u59cb\u662f\u53d6\u4e86\u5934\u56db\u4e2a\u5b57\u8282\u4f5c\u4e3a\u5bc6\u94a5\u8fdb\u884c\u4e86rc4\u52a0\u5bc6<\/p>\n
\/\/ Hidden C++ exception states: ##wind=6\n_OWORD *__fastcall RC4_KSA(_OWORD *Sbox, _BYTE *input, __int64 length_n4)\n{\n _BYTE *inp_end; \/\/ r15\n unsigned __int8 tmp; \/\/ al\n _BYTE *p_input_start; \/\/ rcx\n _BYTE *p_input_end; \/\/ rdx\n __int64 i; \/\/ rdi\n char sbox_i; \/\/ r8\n\n memset(Sbox, 0, 0x102uLL);\n *Sbox = xmmword_7FF703BB5E70;\n Sbox[1] = xmmword_7FF703BB5E80;\n qmemcpy(Sbox + 2, " !\\"##$%&'()*+,-.\/0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\\\]^_`abcdefghijklmno", 80);\n Sbox[7] = xmmword_7FF703BB5EE0;\n Sbox[8] = xmmword_7FF703BB5EF0;\n Sbox[9] = xmmword_7FF703BB5F00;\n Sbox[10] = xmmword_7FF703BB5F10;\n Sbox[11] = xmmword_7FF703BB5F20;\n Sbox[12] = xmmword_7FF703BB5F30;\n Sbox[13] = xmmword_7FF703BB5F40;\n Sbox[14] = xmmword_7FF703BB5F50;\n Sbox[15] = xmmword_7FF703BB5F60;\n \/\/ \u521d\u59cb\u5316sbox\n if ( length_n4 )\n {\n inp_end = &input[length_n4];\n tmp = 0;\n p_input_start = input;\n p_input_end = inp_end;\n for ( i = 0LL; i != 256; ++i )\n {\n if ( p_input_start == p_input_end )\n {\n p_input_end = inp_end;\n p_input_start = input;\n }\n sbox_i = *(Sbox + i);\n tmp += sbox_i + *p_input_start;\n *(Sbox + i) = *(Sbox + tmp);\n ++p_input_start;\n *(Sbox + tmp) = sbox_i;\n }\n }\n return Sbox;\n}\n<\/code><\/pre>\n\/\/ Hidden C++ exception states: ##wind=6\n__int64 __fastcall RC4_PRGA(_BYTE *sbox)\n{\n unsigned __int8 v1; \/\/ al\n __int64 v2; \/\/ r8\n char v3; \/\/ dl\n unsigned __int8 v4; \/\/ al\n\n v1 = sbox[256] + 1;\n sbox[256] = v1;\n v2 = v1;\n v3 = sbox[v1];\n v4 = v3 + sbox[257];\n sbox[257] = v4;\n sbox[v2] = sbox[v4];\n sbox[v4] = v3;\n return sbox[(sbox[v2] + v3)];\n}\n<\/code><\/pre>\n\u4e4b\u540e\u901a\u8fc7FindCrypt\u63d2\u4ef6\u53ef\u4ee5\u53d1\u73b0\u8fd8\u6709\u4e00\u4e2asalsa20\u52a0\u5bc6\u7b97\u6cd5,\u901a\u8fc7\u52a8\u6001\u8c03\u8bd5\u53ef\u4ee5\u53d1\u73b0\u662f\u7ee7\u7eed\u53d6\u5230\u5934\u56db\u4e2a\u5b57\u8282\u91cd\u590d4\u6b21\u7ee7\u7eed\u4f5c\u4e3akey,\u5e76\u4e14\u751f\u6210\u4e86\u4e00\u4e2a\u968f\u673a\u7684nounce,\u4f46\u662f\u53d1\u73b0\u4f1a\u5c06\u8fd9\u4e2anounce\u8ffd\u52a0\u5230output_file\u6587\u4ef6\u7684\u672b\u5c3e\u8f93\u51fa,\u7136\u540e\u89e3\u5bc6\u5373\u53ef<\/p>\n
\u89e3\u5bc6\u6d41\u7a0b<\/h4>\n
\u4fee\u6539\u7a0b\u5e8f\u4e2d\u7684nounce\u4e3a\u6587\u4ef6\u672b\u5c3e\u7684\u6570\u636e,\u518d\u4fee\u6539key\u4e3aDASC.
\n\u7ecf\u8fc7\u7a0b\u5e8f\u8fd0\u7b97\u540e\u53d6rc4\u52a0\u5bc6\u540e\u7684\u6570\u636e\u548csalsa20\u52a0\u5bc6\u540e\u7684\u6570\u636e,\u4e24\u8005\u5f02\u6216\u8fd0\u7b97\u540e\u53ef\u4ee5\u5f97\u5230keystream<\/p>\n
keystream = [0x66,0x38,0x1,0x5d,0x8c,0x31,0xbe,0x78,0x6,0x9b,0x5f,0x73,0x5e,0x4b,0xf1,0x90,0xac,0x30,0xf8,0x47,0xb0,0x76,0x89,0xd,0x8,0xea,0x3b,0x32,0xfb,0x80,0x9,0x24,0xb2,0x17,0xef,0xad,0xd3,0x3a,0xc2,0xca]\n<\/code><\/pre>\n\u62ff\u7740\u8fd9\u4e2akeystream\u4ee5\u540eoutp_file\u7a0b\u5e8f\u4e2d\u7684\u5185\u5bb9,\u518d\u8fdb\u884crc4\u89e3\u5bc6\u5373\u53ef\u5f97\u5230flag<\/p>\n
def KSA(key):\n """ KSA \u5bc6\u94a5\u62d3\u5c55 """\n """ \u7528\u6765\u6269\u6563\u5bc6\u94a5 """\n S = list(range(256))\n tmp = 0\n for i in range(256):\n tmp = (tmp + S[i] + key[i % len(key)]) % 256\n S[i], S[tmp] = S[tmp], S[i]\n return S\n \ndef PRGA(S):\n """ PRGA \u4f2a\u968f\u673a\u6570\u751f\u6210\u7b97\u6cd5 """\n i, j = 0, 0\n while True:\n i = (i + 1) % 256\n j = (j + S[i]) % 256\n S[i], S[j] = S[j], S[i]\n K = S[(S[i] + S[j]) % 256]\n yield K\n \ndef RC4(key, text):\n """ RC4 \u52a0\u5bc6\u6d41\u7a0b """\n S = KSA(key)\n keystream = PRGA(S)\n res = []\n for char in text:\n res.append(char ^ next(keystream))\n return bytes(res)\n\ndef main():\n buffer = b''.join([\n b'\\xD3\\x7E\\x95\\x3D\\xC6\\xB4\\xE2\\x87\\xBC\\x95\\x7D\\xA9\\x3B\\x60\\x45\\x7B',\n b'\\x9B\\xC4\\x99\\x80\\xC6\\x00\\xF0\\x0E\\x0F\\x4B\\x0D\\xDD\\xF1\\x4D\\x2F\\x80',\n b'\\xAF\\x31\\x92\\xA1\\xE7\\x76\\xC9\\x32'])\n\n keystream = [0x66,0x38,0x1,0x5d,0x8c,0x31,0xbe,0x78,0x6,0x9b,0x5f,0x73,0x5e,0x4b,0xf1,0x90,0xac,0x30,0xf8,0x47,0xb0,0x76,0x89,0xd,0x8,0xea,0x3b,0x32,0xfb,0x80,0x9,0x24,0xb2,0x17,0xef,0xad,0xd3,0x3a,0xc2,0xca]\n\n target = []\n for i in range(len(buffer)):\n target.append(buffer[i] ^ keystream[i])\n\n out = RC4(b"DASC", bytes(target))\n print(out)\n\nif __name__ == "__main__":\n main()\n<\/code><\/pre>\nDASCTF{6d175aa7-84cb-4d2d-81ae-f7b984440229}<\/p>\n
\u51b3\u8d5b<\/h1>\n\u5929\u547d\u4eba<\/h2>\n
\u6839\u636e\u7b97\u6cd5dump\u51fa\u89e3\u5bc6\u5373\u53ef,\u6bd4\u8f83\u7b80\u5355<\/p>\n
cipher = [0x44,0x40,0x51,0x40,0x50,0x43,0x7d,0x3e,0x38,0x6c,0x3a,0x3f,0x3e,0x6f,0x38,0x6d,0x23,0x21,0x24,0x20,0x2d,0x74,0x20,0x74,0x2c,0x2f,0x2e,0x28,0x25,0x25,0x78,0x2d,0x12,0x43,0x44,0x47,0x10,0x15,0x40,0x5a]\n\nflag = []\n\nfor i in range(0, len(cipher)):\n print(chr(cipher[i] ^ i),end='')\n<\/code><\/pre>\nAndroidtest<\/h2>\n
\u8ddf\u8e2a\u5230\u8fd9\u91cc\u9762\u91cd\u5199\u7684OnClick\u51fd\u6570<\/p>\n
![\"image.png|600\"](\"https:\/\/cloud-map-bed-1351541725.cos.ap-nanjing.myqcloud.com\/pic\/20251117114014.png\")
<\/p>\n
fridahook\u5b57\u7b26\u4e32\u5f97\u5230\u6362\u8fc7\u8868\u7684base32<\/p>\n
Java.perform(function() {\n\u00a0 \u00a0 var MainActivity = Java.use("com.example.myapplication.MainActivity")\n\n\u00a0 \u00a0 var str = MainActivity.z;\n\u00a0 \u00a0 console.log("str is:" + str);\n})\n<\/code><\/pre>\nABCDEFGHIJKLMNOPQRSTUVWXYZ234567=<\/p>\n
lib\u4e2d\u53ef\u4ee5\u770b\u5230ret_str\u51fd\u6570,\u53d1\u73b0\u662f\u548c\u4e00\u4e2a\u7f16\u7801\u7684\u5b57\u7b26\u4e32\u6bd4\u8f83,\u4ece\u4e2ddump\u51fa\u6570\u636e\u6362\u8868\u540e\u5f02\u6216\u5373\u53ef
\n\u7528cyberchef\u89e3\u5bc6<\/p>\n
DASCTF{android_anti_and_test_is_interesting}<\/p>\n
\n- \u8fd9\u9053\u9898\u76ee\u6211\u53d1\u73b0jeb\u4f3c\u4e4e\u5728java\u5c42\u53cd\u7f16\u8bd1\u4e0a\u548cjadx\u5dee\u4e0d\u591a,\u800c\u4e14\u8fd8\u662f\u6bd4\u8f83\u5b8c\u5584\u7684,\u4ee5\u540e\u8fd8\u662f\u591a\u7528jeb\u5427<\/li>\n
- frida hook\u8fd8\u662f\u4e0d\u591f\u719f\u7ec3,\u5f53\u65f6\u6298\u817e\u4e86\u597d\u4e45\u624dhook\u6210\u529f<\/li>\n
- \u662f\u65f6\u5019\u641e\u641e\u5b89\u5353\u7684\u52a8\u8c03\u4e86<\/li>\n<\/ul>\n
Warning<\/h2>\n
\u4e00\u9053\u865a\u62df\u673a\u7684\u9898\u76ee,\u6bd4\u8d5b\u7684\u65f6\u5019\u6ca1\u6709\u505a\u51fa\u6765,\u8d5b\u540e\u590d\u73b0\u4e00\u4e0b.
\n\u9644\u4ef6\u91cc\u9762\u53ef\u4ee5\u770b\u5230\u4e00\u4e2awarning\u6587\u4ef6\u548cprogram,\u521d\u6b65\u5206\u6790\u540e\u53d1\u73b0\u8fd9\u4e00\u4e2a\u5e94\u8be5\u662f\u4e00\u4e2a\u865a\u62df\u673a\u7a0b\u5e8f,program\u91cc\u9762\u5b58\u50a8\u7684\u662f\u7a0b\u5e8f\u7684\u5b57\u8282\u7801.<\/p>\n
__int64 __fastcall main(int a1, char **a2, char **a3)\n{\n FILE *stream; \/\/ rbp\n int n; \/\/ ebx\n char *src; \/\/ rbp\n size_t input_len; \/\/ rax\n int input_len_1; \/\/ ebx\n __int64 v8; \/\/ rdx\n __int64 v9; \/\/ r8\n __int64 v10; \/\/ r9\n int dest_1[1552]; \/\/ [rsp-1C40h] [rbp-34A8h] BYREF\n _BYTE buf[1024]; \/\/ [rsp-400h] [rbp-1C68h] BYREF\n _BYTE dest[6208]; \/\/ [rsp+0h] [rbp-1868h] BYREF\n __int64 v15; \/\/ [rsp+1840h] [rbp-28h] BYREF\n\n if ( a1 <= 1 )\n return 0xFFFFFFFFLL;\n memset(dest, 0, sizeof(dest));\n stream = fopen("program", "rb");\n \/\/ \u79fb\u52a8\u5230\u6587\u4ef6\u5f00\u5934\n fseek(stream, 0LL, 2);\n n = ftell(stream);\n fseek(stream, 0LL, 0);\n memset(buf, 0, sizeof(buf));\n fread(buf, 1uLL, n, stream);\n memcpy(dest, buf, n);\n src = a2[1];\n if ( !*src )\n return 0xFFFFFFFFLL;\n\n \/\/ \u83b7\u53d6\u8f93\u5165\u53c2\u6570\u7684\u957f\u5ea6\n input_len = strlen(a2[1]);\n input_len_1 = input_len;\n if ( input_len > 0x40 )\n return 0xFFFFFFFFLL;\n memcpy(&dest[2048], src, input_len);\n qmemcpy(dest_1, dest, sizeof(dest_1));\n func(input_len_1, &v15, v8, 0LL, v9, v10, dest_1[0]);\n return 0LL;\n}\n<\/code><\/pre>\n\u8fd9\u91cc\u662f\u4e3b\u51fd\u6570,\u53d1\u73b0\u4eceprogram\u6587\u4ef6\u4e2d\u8bfb\u53d6\u6570\u636e\u540e\u8c03\u7528func\u51fd\u6570,\u6b65\u5165func\u51fd\u6570\u67e5\u770b\u4e00\u4e0b.<\/p>\n
![\"image.png|900\"](\"https:\/\/cloud-map-bed-1351541725.cos.ap-nanjing.myqcloud.com\/pic\/20251119220433.png\")
<\/p>\n
\u53cd\u7f16\u8bd1\u6709\u70b9\u96be\u770b,\u4f46\u662f\u5927\u6982\u80fd\u591f\u770b\u51fa\u6765\u662f\u4e00\u4e2a\u865a\u62df\u673a\u7684opcode\u5904\u7406\u903b\u8f91(\u5f53\u65f6\u770b\u5230\u8fd9\u91cc\u76f4\u63a5\u5fae\u8ddd\u4e86…)
\n\u6ca1\u529e\u6cd5\u53ea\u80fd\u52a8\u8c03\u4e86,\u5f53\u65f6\u6211\u52a8\u8c03\u4e86\u597d\u4e45\u90fd\u6ca1\u6709\u770b\u51fa\u6765\u903b\u8f91…\u770b\u4e86writeup\u76f4\u63a5trace\u540e\u9762\u7684\u5f02\u6216\u8fd0\u7b97\u4e86…<\/p>\n
case 5:\n\tv18 = *(&program + STACK[0x1010] + 1) & 7;\n\tinput_str[v18] ^= *(&STACK[0x1010] + ((*(&program + STACK[0x1010] + 1) >> 3) & 7));\n\tgoto LABEL_8;\n<\/code><\/pre>\n\u53d1\u73b0\u8fd9\u91cc\u5e94\u8be5\u662f\u5f02\u6216\u8fd0\u7b97,\u5728\u8fd9\u91cc\u6253\u4e0b\u6761\u4ef6\u65ad\u70b9,\u770b\u770b\u8fd0\u7b97\u7684\u5b57\u7b26<\/p>\n
FirstEncode\n0x31 xor 0x0\n0x31 xor 0x1\n0x31 xor 0x2\n0x31 xor 0x3\n0x32 xor 0x4\n0x32 xor 0x5\n0x32 xor 0x6\n0x32 xor 0x7\n0x33 xor 0x8\n0x33 xor 0x9\n0x33 xor 0xa\n0x33 xor 0xb\n0x34 xor 0xc\n0x34 xor 0xd\n0x34 xor 0xe\n0x34 xor 0xf\n0x31 xor 0x10\n0x31 xor 0x11\n0x31 xor 0x12\n0x31 xor 0x13\n0x32 xor 0x14\n0x32 xor 0x15\n0x32 xor 0x16\n0x32 xor 0x17\n0x33 xor 0x18\n0x33 xor 0x19\n0x33 xor 0x1a\n0x33 xor 0x1b\n0x34 xor 0x1c\n0x34 xor 0x1d\n0x34 xor 0x1e\n0x34 xor 0x1f\n0x31 xor 0x20\n0x31 xor 0x21\n0x31 xor 0x22\n0x31 xor 0x23\n0x32 xor 0x24\n0x32 xor 0x25\n0x32 xor 0x26\n0x32 xor 0x27\n0x33 xor 0x28\n0x33 xor 0x29\n0x33 xor 0x2a\n0x33 xor 0x2b\n0x34 xor 0x2c\n0x34 xor 0x2d\n0x34 xor 0x2e\n0x34 xor 0x2f\n\nSecondEncode\n0x31 xor 0x50\n0x30 xor 0x67\n0x33 xor 0x21\n0x32 xor 0x2b\n0x36 xor 0xce\n0x37 xor 0xd7\n0x34 xor 0x84\n0x35 xor 0x3a\n0x3b xor 0xf5\n0x3a xor 0xc2\n0x39 xor 0xc2\n0x38 xor 0x22\n0x38 xor 0x48\n0x39 xor 0x1d\n0x3a xor 0x14\n0x3b xor 0x2a\n0x21 xor 0x71\n0x20 xor 0x25\n0x23 xor 0xa7\n0x22 xor 0x73\n0x26 xor 0x3c\n0x27 xor 0x9c\n0x24 xor 0x72\n0x25 xor 0xfe\n0x2b xor 0x3c\n0x2a xor 0xb7\n0x29 xor 0xad\n0x28 xor 0x80\n0x28 xor 0xa9\n0x29 xor 0x6f\n0x2a xor 0x37\n0x2b xor 0x46\n0x11 xor 0x91\n0x10 xor 0x32\n0x13 xor 0xb4\n0x12 xor 0xf7\n0x16 xor 0xa5\n0x17 xor 0xad\n0x14 xor 0xd8\n0x15 xor 0x6b\n0x1b xor 0x35\n0x1a xor 0x8c\n0x19 xor 0xe4\n0x18 xor 0x0\n0x18 xor 0x20\n0x19 xor 0x2e\n<\/code><\/pre>\n\u7136\u540e\u53d1\u73b0\u5c31\u662f\u4e00\u4e2a\u6d41\u52a0\u5bc6,\u5bf9\u8f93\u5165\u5148\u8fdb\u884c\u4ece0-len(input)\u7684\u5b57\u8282\u5f02\u6216,\u7136\u540e\u518d\u548c\u4e00\u6bb5keystream\u5f02\u6216……(\u6211\u771f\u6ca1\u62db\u4e86,\u6211\u771f\u7684\u597d\u8822)<\/p>\n
int __fastcall sub_5555555555C0(__int64 a1)\n{\n __int64 n46; \/\/ rax\n int v2; \/\/ edx\n bool v3; \/\/ cl\n __m128i si128; \/\/ [rsp+0h] [rbp-38h]\n __m128i v6[2]; \/\/ [rsp+10h] [rbp-28h]\n\n n46 = 0LL;\n LOBYTE(v2) = 1;\n si128 = _mm_load_si128(&xmmword_555555556060);\n v6[0] = _mm_load_si128(&xmmword_555555556070);\n *(v6 + 14) = _mm_load_si128(&xmmword_555555556080);\n do\n {\n v3 = si128.m128i_i8[n46] == *(a1 + n46);\n ++n46;\n v2 = v3 & v2;\n }\n while ( n46 != 46 );\n if ( v2 )\n return puts("Correct!");\n else\n return puts("Try Again!");\n}\n<\/code><\/pre>\n\u6700\u540e\u8fd9\u91cc\u7684\u8fd9\u4e2a\u51fd\u6570\u52a8\u8c03\u5f97\u5230\u5bc6\u6587\u89e3\u5bc6\u5c31\u53ef\u4ee5\u4e86…\u54ce,\u600e\u4e48\u5c31\u6ca1\u505a\u51fa\u6765\u5462…<\/p>\n
\u89e3\u5bc6\u811a\u672c<\/h3>\nkey_stream = [0x50,0x67,0x21,0x2b,0xce,0xd7,0x84,0x3a,0xf5,0xc2,0xc2,0x22,0x48,0x1d,0x14,0x2a,0x71,0x25,0xa7,0x73,0x3c,0x9c,0x72,0xfe,0x3c,0xb7,0xad,0x80,0xa9,0x6f,0x37,0x46,0x91,0x32,0xb4,0xf7,0xa5,0xad,0xd8,0x6b,0x35,0x8c,0xe4,0x00,0x20,0x2e]\n\ncipher = [0x14, 0x27, 0x70, 0x6B, 0x9E, 0x94, 0xF9, 0x51, 0x8E, 0x9F, 0xB2, 0x51, 0x69, 0x73, 0x2F, 0x46, 0x53, 0x5, 0xDC, 0x36, 0x69, 0xA4, 0x3, 0x86, 0x4B, 0xC4, 0xC6, 0xD5, 0xE6, 0x5F, 0x50, 0x37, 0xF7, 0x5C, 0xC6, 0x86, 0xF9, 0xA5, 0xCA, 0x74, 0x24, 0xCC, 0xBA, 0x7E, 0x64, 0x7E]\n\nprint(f"cipher length: {len(cipher)}\\nkey_stream length: {len(key_stream)}")\n\nlist = []\n\nfor i in range(46):\n list.append(cipher[i] ^ key_stream[i])\n\nprint(len(list))\n\nfor i in range(46):\n print(chr(list[i]^i), end="")\n<\/code><\/pre>\n\nDASCTF{lsTzx-c5c21iVA-goojqNS-ynFOPRx-489itUh}<\/code> \u6700\u540e\u8fd8\u662f\u9057\u61be\u4e86,\u53ea\u62ff\u5230\u4e86\u4e8c\u7b49\u5956,\u8981\u662f\u80fd\u89e3\u51fa\u8fd9\u9053\u5c31\u62ff\u4e00\u7b49\u4e86…<\/li>\n- \u8fd8\u662f\u8981\u4ed4\u7ec6\u7814\u7a76\u4e00\u4e0bVM\u662f\u600e\u4e48\u5b9e\u73b0\u7684,\u6211\u5bf9\u91cc\u9762\u7684\u4e00\u4e9b\u4ee3\u7801\u7684\u5199\u6cd5\u90fd\u4e0d\u719f\u6089,\u90fd\u4e0d\u77e5\u9053\u5b83\u662f\u5e72\u561b\u7684…<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
\u521d\u8d5b Don’t DeBugMe \u52a8\u6001\u83b7\u5f97\u6570\u636e\u89e3\u5bc6\u5373\u53ef ##include <stdio.h […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-28","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/posts\/28","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/comments?post=28"}],"version-history":[{"count":1,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/posts\/28\/revisions"}],"predecessor-version":[{"id":29,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/posts\/28\/revisions\/29"}],"wp:attachment":[{"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/media?parent=28"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/categories?post=28"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/tags?post=28"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}