[NPUCTF2020]Anti-IDA
[NPUCTF2020]Anti-IDA
buuctf刷题碰到的。
没见到网上有wp就写一份吧
很多无关的操作,只要不对输入数据影响就不需要管,最后exp如下
enc = b"\x33\x44\x33\x39\x33\x41\x33\x37\x33\x34\x33\x43\x33\x39\x33\x37\x33\x41\x33\x34\x33\x41\x33\x37\x33\x44\x33\x36\x33\x36\x33\x41\x33\x42\x33\x39\x33\x34\x33\x33\x33\x35\x33\x39\x33\x36\x33\x34\x33\x37\x33\x37\x33\x39\x33\x34\x33\x38\x33\x37\x33\x36\x33\x37\x33\x42\x33\x38\x33\x33\x33\x44\x33\x44\x33\x44\x33\x37\x33\x31\x33\x43\x33\x42\x33\x41\x33\x36\x33\x35\x33\x43\x33\x39\x33\x34\x33\x37\x33\x37\x33\x43\x33\x38\x33\x45\x33\x34\x33\x34\x33\x34\x33\x39\x33\x42\x33\x34\x33\x34\x33\x43\x33\x37\x33\x34\x33\x45\x33\x37\x33\x42\x33\x43\x33\x39\x33\x38\x33\x34\x33\x43\x33\x43\x33\x39\x33\x38\x33\x32\x33\x38\x33\x37\x33\x46\x33\x36\x33\x32\x33\x43\x33\x43\x33\x39\x33\x33\x33\x38\x33\x39\x33\x39\x33\x36\x33\x35\x33\x35\x33\x37\x33\x41\x33\x37\x33\x35\x33\x35\x33\x39\x33\x46\x33\x37\x33\x44\x33\x34\x33\x37\x33\x43\x33\x34\x33\x35\x33\x35\x33\x39\x33\x43\x33\x39\x33\x38\x33\x33\x33\x36\x33\x36\x33\x42\x33\x37\x33\x33\x33\x36\x33\x39\x33\x35\x33\x34\x33\x35\x33\x39\x33\x42\x33\x44\x33\x31\x33\x36\x33\x36\x33\x36\x33\x42\x33\x35\x33\x36\x33\x38\x33\x33\x33\x38\x33\x44\x33\x35\x33\x33\x33\x45\x33\x41\x33\x35\x33\x32\x33\x38\x33\x38\x33\x37\x33\x35\x33\x34\x33\x38\x33\x37\x33\x45\x33\x37\x33\x34\x33\x37\x33\x34\x33\x45\x33\x34\x33\x36\x33\x41\x33\x44\x33\x41\x33\x32\x33\x33\x33\x39\x33\x39\x33\x39\x33\x32\x33\x37\x33\x35\x33\x39\x33\x41\x33\x44\x33\x36\x33\x42\x33\x42\x33\x37\x33\x36\x33\x33\x33\x42\x33\x43\x33\x34\x33\x36\x33\x31\x33\x46\x33\x43\x33\x44\x33\x34\x33\x35\x33\x36\x33\x35\x33\x37\x33\x35\x33\x37\x33\x39\x33\x34\x33\x41\x33\x33\x33\x34\x33\x32\x33\x39\x33\x38\x33\x33\x33\x34\x33\x36\x33\x45\x33\x33\x33\x39\x33\x37\x33\x42\x33\x37\x33\x41\x33\x36\x33\x34\x33\x37\x33\x44\x33\x42\x33\x36\x33\x32\x33\x37\x33\x43\x33\x42\x33\x35\x33\x32\x33\x44\x33\x37\x33\x37\x33\x32\x33\x38\x33\x37\x33\x39\x33\x35\x33\x34\x33\x35\x33\x35\x33\x41\x33\x38\x33\x34\x33\x35\x33\x35\x33\x38\x33\x34\x33\x39\x33\x34".decode()
enc = bytes.fromhex(enc)
add = [0x00000004, 0x00000005, 0x00000002, 0x00000003, 0x00000001, 0x00000004, 0x00000002]
xor = [0x00000001, 0x00000003, 0x00000005, 0x00000007, 0x00000009, 0x0000000B]
mul = [0x00000036, 0x00000002, 0x00000003, 0x00000005, 0x00000007, 0x0000000B, 0x0000000D]
enc = enc[::-1]
enc = list(enc)
for i in range(len(enc)):
enc[i]-=i%4 + add[i%7]
enc = bytes(enc).decode()
enc_s = []
print(len(enc))
for i in range(len(enc)//5):
enc_s.append(int(enc[i*5:i*5+5]))
print(" ".join(map(hex,enc_s)))
print(len(enc_s))
for i in range(len(enc_s)):
enc_s[i]-=i*(i-1)
enc_s[i]//=mul[i%7]
enc_s[i]-=2*i
enc_s[i]^=xor[i%6]^(i%4)
enc_s[i]-=add[i%7]
enc = bytes(enc_s).decode()
enc = enc[::-1]
enc = bytes.fromhex(enc)
print(enc)
enc = list(enc)
for i in range(1,len(enc),1):
enc[i]-=enc[i-1]
enc[i]&=0xff
enc[-1]-=10
enc[-1]&=0xff
for i in range(len(enc)-2,-1,-1):
enc[i]-=enc[i+1]
enc[i] &= 0xff
for i in range(len(enc)):
enc[i]+=0x20
enc[i] &= 0xff
print(bytes(enc))
程序无关操作干扰计算操作比较多,但整体算法比较简单加上近似为无的花指令勉强算道中等题吧XD