inside
Following the hint, grab the unpacker from https://github.com/ergrelet/unlicense and just drag the file onto it to unpack.
Inside is a modified base64: dump the table (the "key") and the ciphertext, throw them at GPT to write a script in one go, and out comes the flag.
def custom_base64_decrypt(encoded_bytes):
    # Permuted base64 alphabet recovered from the binary
    v11 = "BACDEFGHIJKLMNOPQRSTUVWXZYabcdefghijklmnopqrstuvwxyz01234567+/89"
    # Per-position XOR key; XOR is its own inverse, so the same values undo it
    xor_values = [21, 0x55, 69, 51]
    # Reverse lookup: character -> 6-bit index
    reverse_v11 = {v: i for i, v in enumerate(v11)}
    decoded_bytes = []
    for i in range(0, len(encoded_bytes), 4):
        chunk = encoded_bytes[i:i+4]
        # Undo the XOR first, then look each character up in the table
        indices = []
        for j, c in enumerate(chunk):
            decoded_char = chr(c ^ xor_values[j])
            if decoded_char in reverse_v11:
                indices.append(reverse_v11[decoded_char])
            else:
                indices.append(0)  # guard against unexpected characters
        # Repack four 6-bit indices into the original three bytes
        if len(indices) == 4:
            b1 = (indices[0] << 2) | (indices[1] >> 4)
            b2 = ((indices[1] & 0xF) << 4) | (indices[2] >> 2)
            b3 = ((indices[2] & 0x3) << 6) | indices[3]
            decoded_bytes.extend([b1, b2, b3])
    # Nothing to strip: the dumped ciphertext is a multiple of 4 bytes with no padding,
    # so the plaintext is a multiple of 3 bytes
    return bytes(decoded_bytes)

# Dumped ciphertext
encrypted_data = [
    0x44, 0x65, 0x0F, 0x77, 0x43, 0x10, 0x1C, 0x04, 0x71, 0x11, 0x29, 0x58, 0x4D, 0x66, 0x22, 0x01,
    0x76, 0x39, 0x6A, 0x5A, 0x58, 0x38, 0x03, 0x49, 0x58, 0x39, 0x6A, 0x40, 0x5B, 0x66, 0x17, 0x55,
    0x4C, 0x3F, 0x03, 0x55, 0x4C, 0x67, 0x6A, 0x1C
]

# Decrypted result
plaintext = custom_base64_decrypt(encrypted_data)
print(plaintext.decode('utf-8', errors='ignore'))
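An added example, not code from the writeup: the "modified base64" above is just RFC 4648 base64 with a permuted alphabet followed by a per-position XOR, so it can be expressed with the standard library instead of hand-packing bits. Writing the forward (encrypt) direction as well is the check a reverser actually wants, because re-encrypting the recovered flag has to reproduce the dumped bytes exactly, which confirms both the table and the XOR key were read out of the binary correctly. The names below are mine; the table, key and ciphertext are the values quoted above. Handling of '=' padding for inputs whose length is not a multiple of 3 is an assumption (the page only shows a 30-byte plaintext), and the alphabet diff is there to show how little of base64 was actually changed.

```python
import base64
import string

# Values recovered from the unpacked binary, as given in the writeup above.
CUSTOM_ALPHABET = "BACDEFGHIJKLMNOPQRSTUVWXZYabcdefghijklmnopqrstuvwxyz01234567+/89"
XOR_KEY = bytes([0x15, 0x55, 0x45, 0x33])  # written as 21, 0x55, 69, 51 in the writeup
CIPHERTEXT = bytes([
    0x44, 0x65, 0x0F, 0x77, 0x43, 0x10, 0x1C, 0x04, 0x71, 0x11, 0x29, 0x58, 0x4D, 0x66, 0x22, 0x01,
    0x76, 0x39, 0x6A, 0x5A, 0x58, 0x38, 0x03, 0x49, 0x58, 0x39, 0x6A, 0x40, 0x5B, 0x66, 0x17, 0x55,
    0x4C, 0x3F, 0x03, 0x55, 0x4C, 0x67, 0x6A, 0x1C,
])

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def alphabet_diff(custom: str) -> list:
    """Positions where the recovered table differs from the RFC 4648 alphabet.

    If the table is a permutation of the 64 standard symbols, the 6-bit packing
    is untouched and only the symbol lookup was modified, so the standard
    codec plus a translation table is enough.
    """
    if sorted(custom) != sorted(STD_ALPHABET):
        raise ValueError("table is not a permutation of the base64 alphabet")
    return [(i, s, c) for i, (s, c) in enumerate(zip(STD_ALPHABET, custom)) if s != c]


def custom_b64_encrypt(data: bytes) -> bytes:
    """Forward direction: base64 -> alphabet substitution -> per-position XOR."""
    std = base64.b64encode(data).decode("ascii")
    # '=' is not in the table, so padding passes through the substitution
    # unchanged and is XORed like any other output byte (assumption: the page
    # only shows an input whose length is a multiple of 3).
    substituted = std.translate(str.maketrans(STD_ALPHABET, CUSTOM_ALPHABET))
    return bytes(c ^ XOR_KEY[i % len(XOR_KEY)]
                 for i, c in enumerate(substituted.encode("ascii")))


def custom_b64_decrypt(ct: bytes) -> bytes:
    """Inverse: undo the XOR, map the permuted alphabet back, standard decode."""
    unxored = bytes(c ^ XOR_KEY[i % len(XOR_KEY)] for i, c in enumerate(ct)).decode("ascii")
    std = unxored.translate(str.maketrans(CUSTOM_ALPHABET, STD_ALPHABET))
    # validate=True raises on any byte outside the alphabet instead of silently
    # skipping it, which is what you want when checking a recovered key.
    return base64.b64decode(std, validate=True)


def recover_flag() -> bytes:
    """Decrypt the dumped ciphertext and confirm it re-encrypts byte-for-byte."""
    flag = custom_b64_decrypt(CIPHERTEXT)
    assert custom_b64_encrypt(flag) == CIPHERTEXT, "table or XOR key was misread"
    return flag


if __name__ == "__main__":
    for pos, std_c, cust_c in alphabet_diff(CUSTOM_ALPHABET):
        print(f"index {pos:2d}: standard {std_c!r} -> custom {cust_c!r}")
    print(recover_flag().decode())
```

The diff shows only four pairs of symbols were moved (A/B, Y/Z, and 8/9 shuffled past +/), which is why the hand-written decoder above works with an otherwise stock base64 bit layout; the round-trip assert in recover_flag is the cheap way to catch a single misread table entry before trusting the flag.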
in_inside
This one was less something I solved myself than something a senior had already spoiled for me.
I couldn't use dbg, couldn't make sense of the packer, and had no tools. The senior said it was vmp, a strong packer that can't be unpacked, so just debug it dynamically. So I took the dumb approach and stepped through it one instruction at a time until the logic became clear: essentially a four-bit swap between two bytes, followed by an XOR with 0x11, 0x22 (here I had taken them as decimal
Tags: 2024CBCTF, Android, unsigned, Len, char, long, key, pyc, 256
From: https://www.cnblogs.com/T0fV404/p/18674684