BUUCTF Re WriteUp

[FlareOn4]IgniteMe

无壳32位程序

对于key来说最后的key是（eax）0x700004

读取后校验，flag如下

enc_data = [
    0x0D, 0x26, 0x49, 0x45, 0x2A, 0x17, 0x78, 0x44, 0x2B, 0x6C,
    0x5D, 0x5E, 0x45, 0x12, 0x2F, 0x17, 0x2B, 0x44, 0x6F, 0x6E,
    0x56, 0x09, 0x5F, 0x45, 0x47, 0x73, 0x26, 0x0A, 0x0D, 0x13,
    0x17, 0x48, 0x42, 0x01, 0x40, 0x4D, 0x0C, 0x02, 0x69
]

key = 0x4  # 0x700004

flag = ""
counter = len(enc_data)
for i in enc_data[::-1]:
    flag += chr(key ^ i)
    key = key ^ i

print(flag[::-1])

#[email protected]

vn2020-CSRe

使用了.NET框架，估计是.net的c#逆向了。并且有混淆

主逻辑

private static void Main\u0002(string[] \u0002)
{
	if (!\u0003.\u0002())
	{
		return;
	}
	bool flag = true;
	realMain\u0005\u2000 realMain_u0005_u = new realMain\u0005\u2000();
	string str = Console.ReadLine();
	if (realMain\u0005\u2000.toHash\u0002(\u0008\u2000.\u0002(-102257297) + str + \u0008\u2000.\u0002(-102257305)) != \u0008\u2000.\u0002(-102257249))
	{
		flag = false;
	}
	string text = Console.ReadLine();
	string u = realMain\u0005\u2000.toHash\u0002(\u0008\u2000.\u0002(-102257234) + text);
	string text2 = realMain_u0005_u.xored\u0002(u, \u0008\u2000.\u0002(-102257241));
	for (int i = 0; i < text2.Length; i++)
	{
		if (text2[i] != '0')
		{
			flag = false;
		}
	}
	if (flag)
	{
		Console.WriteLine(\u0008\u2000.\u0002(-102257162) + str + text + \u0008\u2000.\u0002(-102257174));
	}
}

用de4dot去混淆

去混淆后的逻辑

private static void Main(string[] args)
{
	if (!Class1.smethod_1())
	{
		return;
	}
	bool flag = true;
	Class3 @class = new Class3();
	string str = Console.ReadLine();
	if (Class3.smethod_0("3" + str + "9") != "B498BFA2498E21325D1178417BEA459EB2CD28F8")
	{
		flag = false;
	}
	string text = Console.ReadLine();
	string string_ = Class3.smethod_0("re" + text);
	string text2 = @class.method_0(string_, "63143B6F8007B98C53CA2149822777B3566F9241");
	for (int i = 0; i < text2.Length; i++)
	{
		if (text2[i] != '0')
		{
			flag = false;
		}
	}
	if (flag)
	{
		Console.WriteLine("flag{" + str + text + "}");
	}
}

public string XorEnc(string string_0, string string_1)
{
    string text = string.Empty;
    char[] array = string_0.ToCharArray();
    char[] array2 = string_1.ToCharArray();
    int num = (array.Length < array2.Length) ? array.Length : array2.Length;
    for (int i = 0; i < num; i++)
    {
        text += (int)(array[i] ^ array2[i]);
    }
    return text;
}

选更短的长度，并且最后xor的结果应该全为0，所以和key是一样的

得到flag：flag{1415turn}