doubledelete's revenge:
This challenge provides two attachments: reveng1 (an ELF) and a file of unknown format, flag.txt.enc.
Opening the file in HxD shows nothing readable, so it appears to be an encrypted file.
Now analyze the ELF.
The program logic is: read the file, encrypt the buffer, then write it back out, producing the flag.txt.enc we just looked at.
Encryption routine (decompiler output):
    fread(ptr, 1uLL, 0x30uLL, stream);   // read 0x30 bytes from the file into ptr
    for ( i = 0; i <= 11; ++i )          // 12 words x 4 bytes = 0x30 bytes
        ptr[i] = __ROL4__(ptr[i], 13);   // rotate each 32-bit word left by 13
From the pseudocode, the guess is that the data is processed in 4-byte units and each unit is rotated left by 13 bits. Checking the assembly confirms it:
    loc_1260:
        mov     eax, [rbp+var_5C]
        shl     eax, 2
        cdqe
        lea     rdx, [rbp+ptr]
        add     rax, rdx
        mov     [rbp+var_48], rax
        mov     rax, [rbp+var_48]
        mov     eax, [rax]
        rol     eax, 0Dh
        mov     edx, eax
        mov     rax, [rbp+var_48]
        mov     [rax], edx
        add     [rbp+var_5C], 1
It is indeed a rotate left by 13 (rol eax, 0Dh on a 32-bit load), so decryption is simply a rotate right by 13 on each 4-byte little-endian word.
    import struct

    def ror32(num, bits):
        # 32-bit rotate right: the inverse of the binary's __ROL4__(num, 13)
        return ((num >> bits) | (num << (32 - bits))) & 0xFFFFFFFF

    with open("flag.txt.enc", "rb") as f:
        byte_data = f.read()

    # The ELF loads each 4-byte word with `mov eax, [rax]`, so the words are
    # little-endian; unpack the file the same way instead of reversing bytes by hand.
    n_words = len(byte_data) // 4
    words = struct.unpack(f"<{n_words}I", byte_data[:n_words * 4])

    flag = b""
    for num in words:
        new_num = ror32(num, 13)
        print(hex(new_num))
        flag += new_num.to_bytes(4, byteorder="little")

    print(flag.decode())
    # wctf{i_th1nk_y0u_m1sund3rst00d_h0w_r0t13_w0rk5}
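As an added check that is not part of the original writeup: the following Python reimplements the ELF's encryption loop (rotate each little-endian 32-bit word left by 13) next to its inverse and round-trips a constructed sample through both, which is how you would confirm the analysis before trusting a decrypted flag. It generalizes slightly beyond the binary, which only ever processes exactly 12 words: any buffer length is accepted and a trailing partial word is left untouched. The sample plaintext is constructed, not the real flag.

```python
import struct

# Constants taken from the writeup: `rol eax, 0Dh` applied to 32-bit words.
ROT = 13
WORD_MASK = 0xFFFFFFFF

def rol32(x, n):
    """32-bit rotate left, i.e. the decompiler's __ROL4__(x, n)."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & WORD_MASK

def ror32(x, n):
    """32-bit rotate right, the inverse of rol32 for the same n."""
    n %= 32
    return ((x >> n) | (x << (32 - n))) & WORD_MASK

def transform(buf, rotate):
    """Apply `rotate` to every complete little-endian 32-bit word of buf.

    Byte order follows the x86 code (`mov eax, [rax]` loads a 4-byte word
    little-endian). Unlike the ELF, which reads exactly 0x30 bytes = 12 words,
    any length is accepted here; a trailing partial word passes through unchanged.
    """
    n_words = len(buf) // 4
    if n_words == 0:
        return buf
    words = struct.unpack(f"<{n_words}I", buf[:n_words * 4])
    rotated = struct.pack(f"<{n_words}I", *(rotate(w, ROT) for w in words))
    return rotated + buf[n_words * 4:]

def encrypt(plain):
    """What reveng1 does to the buffer before writing flag.txt.enc."""
    return transform(plain, rol32)

def decrypt(enc):
    """Undo it: rotate every word right by the same count."""
    return transform(enc, ror32)

if __name__ == "__main__":
    # Constructed sample plaintext; the real flag.txt.enc is not reproduced here.
    sample = b"wctf{sample_flag_for_round_trip_test_1234567}\n"
    enc = encrypt(sample)
    assert decrypt(enc) == sample
    print(enc.hex())
```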
Tags: challenge, eax, mov, rbp, RE, num, rax, var, WolvCTF2024 From: https://www.cnblogs.com/GGbomb/p/18085681