第二届rdctf逆向Writeup

Hello_Rust#

首先点开exe程序发现

1
Please input the flag:

于是直接搜索对应字符找到对应主函数

1
__int64 __fastcall Hello_Rust::main::h72897955569e0b8d(__int64 a1, __int64 a2)
2
{
3
  _QWORD *v2; // rax
4
  int v3; // r8d
5
  int v4; // r9d
6
  __int64 v5; // rdx
7
  __int64 v6; // rdx
8
  void *v7; // rax
9
  void *v8; // rdx
10
  int v9; // r9d
11
  int v10; // r8d
12
  int v11; // r9d
13
  _QWORD *v12; // rax
14
  void *v13; // rsi
15
  __int64 v14; // rdx
16
  __int64 *v15; // r13
17
  char *v16; // rbp
18
  char *v17; // r9
19
  __int64 v18; // r8
20
  __int64 v19; // rcx
21
  char v20; // r9
22
  __int64 (__fastcall **v21)(size_t *, void *, __int64, _QWORD); // rax
23
  __int64 v22; // r10
24
  __int64 v23; // rdx
25
  __int64 v24; // rcx
26
  unsigned __int8 v25; // al
27
  _BYTE *v26; // rcx
28
  __int64 result; // rax
29
  __int64 v29; // [rsp+30h] [rbp-268h] BYREF
30
  __int64 v30; // [rsp+38h] [rbp-260h]
31
  __int64 v31; // [rsp+40h] [rbp-258h]
32
  const char *v32; // [rsp+48h] [rbp-250h] BYREF
33
  __int64 v33; // [rsp+50h] [rbp-248h]
34
  __int64 v34; // [rsp+58h] [rbp-240h]
35
  size_t Size; // [rsp+60h] [rbp-238h] BYREF
36
  const char *v36; // [rsp+68h] [rbp-230h]
37
  __int64 v37[2]; // [rsp+70h] [rbp-228h] BYREF
38
  __int64 (__fastcall **v38)(size_t *, void *, _QWORD, _QWORD); // [rsp+80h] [rbp-218h]
39
  __int64 v39; // [rsp+88h] [rbp-210h]
40
  __int64 v40; // [rsp+90h] [rbp-208h]
41
  __int64 v41; // [rsp+98h] [rbp-200h]
42
  __int64 v42; // [rsp+A0h] [rbp-1F8h] BYREF
43
  char v43; // [rsp+A8h] [rbp-1F0h] BYREF
44
  __int64 (__fastcall **v44)(size_t *, void *, __int64, _QWORD); // [rsp+B0h] [rbp-1E8h] BYREF
45
  __int64 (__fastcall **v45)(size_t *, void *, __int64, _QWORD); // [rsp+B8h] [rbp-1E0h]
46
  __int64 (__fastcall **v46)(size_t *, void *, __int64, _QWORD); // [rsp+C0h] [rbp-1D8h]
47
  __int64 (__fastcall **v47)(size_t *, void *, __int64, _QWORD); // [rsp+C8h] [rbp-1D0h]
48
  __int64 v48; // [rsp+D0h] [rbp-1C8h]
49
  __int64 v49; // [rsp+D8h] [rbp-1C0h]
50
  char v50; // [rsp+E0h] [rbp-1B8h] BYREF
51
  char v51; // [rsp+E8h] [rbp-1B0h] BYREF
52
  __int64 v52; // [rsp+F0h] [rbp-1A8h]
53
  char *v53; // [rsp+F8h] [rbp-1A0h]
54
  const char *v54; // [rsp+100h] [rbp-198h]
55
  __int64 v55; // [rsp+108h] [rbp-190h]
56
  __int64 v56; // [rsp+110h] [rbp-188h]
57
  __int64 *v57; // [rsp+118h] [rbp-180h]
58
  __int128 v58; // [rsp+120h] [rbp-178h]
59
  __int64 v59; // [rsp+130h] [rbp-168h]
60
  __int64 v60; // [rsp+138h] [rbp-160h] BYREF
61
  _QWORD *v61; // [rsp+140h] [rbp-158h]
62
  __int64 v62; // [rsp+148h] [rbp-150h]
63
  __int64 v63; // [rsp+150h] [rbp-148h] BYREF
64
  void *Src; // [rsp+158h] [rbp-140h]
65
  __int64 v65; // [rsp+160h] [rbp-138h]
66
  void *v66; // [rsp+168h] [rbp-130h] BYREF
67
  __int64 v67; // [rsp+170h] [rbp-128h]
68
  size_t p_Size; // [rsp+178h] [rbp-120h]
69
  __int64 v69; // [rsp+180h] [rbp-118h]
70
  __int64 v70; // [rsp+188h] [rbp-110h]
71
  __int64 v71; // [rsp+198h] [rbp-100h]
72
  __int64 v72[11]; // [rsp+240h] [rbp-58h] BYREF
73

74
  v2 = (_QWORD *)RNvCs691rhTbG0Ee_7___rustc12___rust_alloc(a1, a2, 8LL, 128LL);
75
  if ( !v2 )
76
    alloc::alloc::handle_alloc_error::h3c5fc2000323952a(a1, a2, 128LL, 8LL);
77
  *v2 = "Please inputtheflag:";
78
  v2[1] = 6LL;
79
  v2[2] = " inputtheflag:";
80
  v2[3] = 1LL;
81
  v2[4] = "inputtheflag:";
82
  v2[5] = 5LL;
83
  v2[6] = " inputtheflag:";
84
  v2[7] = 1LL;
85
  v2[8] = "theflag:";
86
  v2[9] = 3LL;
87
  v2[10] = " inputtheflag:";
88
  v2[11] = 1LL;
89
  v2[12] = "flag:";
90
  v2[13] = 5LL;
91
  v2[14] = " inputtheflag:";
92
  v2[15] = 1LL;
93
  v66 = v2;
94
  v67 = (__int64)v2;
95
  p_Size = 8LL;
96
  v69 = (__int64)(v2 + 16);
97
  v70 = 0LL;
98
  v71 = 0LL;
99
  _$LT$alloc..string..String$u20$as$u20$core..iter..traits..collect..FromIterator$LT$char$GT$$GT$::from_iter::hb4f7ccd8f8c26ef4(
100
    a1,
101
    (unsigned int)v72,
102
    (unsigned int)&v66,
103
    (unsigned int)v72,
104
    v3,
105
    v4);
106
  Size = (size_t)v72;
107
  v36 = (const char *)_$LT$alloc..string..String$u20$as$u20$core..fmt..Display$GT$::fmt::hfdc0cc6c70cf0f9f;
108
  v66 = &unk_1400A20E8;
109
  v67 = 1LL;
110
  v70 = 0LL;
111
  p_Size = (size_t)&Size;
112
  v69 = 1LL;
113
  std::io::stdio::_print::hb423c4c57e4fd8e1(a1, v72, v5, &v66);
114
  Size = std::io::stdio::stdout::h802387c29eff3b4c();
115
  v7 = (void *)_$LT$std..io..stdio..Stdout$u20$as$u20$std..io..Write$GT$::flush::hcff5a89562c9cbf7(a1, v72, v6, &Size);
116
  if ( v7 )
117
  {
118
    v66 = v7;
119
    core::result::unwrap_failed::hf125793ccbd5d840(
120
      a1,
121
      (unsigned int)v72,
122
      22,
123
      (unsigned int)"Failed to flush stdoutsrc\\main.rs",
124
      (unsigned int)&v66,
125
      (unsigned int)&off_1400A2090);
126
  }
127
  v29 = 0LL;
128
  v30 = 1LL;
129
  v31 = 0LL;
130
  Size = std::io::stdio::stdin::hae0488c3f631d306();
131
  if ( (std::io::stdio::Stdin::read_line::h51906b3109204308(a1, v72, &v29, &Size) & 1) != 0 )
132
  {
133
    v66 = v8;
134
    core::result::unwrap_failed::hf125793ccbd5d840(
135
      a1,
136
      (unsigned int)v72,
137
      19,
138
      (unsigned int)"Failed to read line",
139
      (unsigned int)&v66,
140
      (unsigned int)&off_1400A2090);
141
  }
142
  v66 = (void *)v30;
143
  v67 = v30 + v31;
144
  LOBYTE(p_Size) = 0;
145
  _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..spec_from_iter..SpecFromIter$LT$T$C$I$GT$$GT$::from_iter::he73d87c5766bf13f(
146
    a1,
147
    v72,
148
    &v66,
149
    &Size,
150
    &off_1400A2078);
151
  v66 = (void *)v36;
152
  v67 = (__int64)v36;
153
  p_Size = Size;
154
  v69 = (__int64)&v36[4 * v37[0]];
155
  LOBYTE(v70) = 0;
156
  _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..spec_from_iter..SpecFromIter$LT$T$C$I$GT$$GT$::from_iter::h3e8df7d6d04c157d(
157
    (unsigned int)&Size,
158
    (unsigned int)v72,
159
    (unsigned int)&v66,
160
    (unsigned int)&Size,
161
    (unsigned int)&off_1400A2078,
162
    v9);
163
  v66 = (void *)v36;
164
  v67 = (__int64)v36;
165
  p_Size = Size;
166
  v69 = (__int64)&v36[4 * v37[0]];
167
  _$LT$alloc..string..String$u20$as$u20$core..iter..traits..collect..FromIterator$LT$char$GT$$GT$::from_iter::hf11d0f788b4382c5(
168
    (unsigned int)&Size,
169
    (unsigned int)v72,
170
    (unsigned int)&v66,
171
    (unsigned int)&v63,
172
    v10,
173
    v11);
174
  v12 = (_QWORD *)RNvCs691rhTbG0Ee_7___rustc12___rust_alloc(&Size, v72, 8LL, 32LL);
175
  if ( !v12 )
176
    alloc::alloc::handle_alloc_error::h3c5fc2000323952a(&Size, v72, 32LL, 8LL);
177
  *v12 = _$LT$Hello_Rust..XorOp$u20$as$u20$Hello_Rust..Operation$GT$::apply::h39ba18a00a5e6aef;
178
  v12[1] = _$LT$Hello_Rust..AddOp$u20$as$u20$Hello_Rust..Operation$GT$::apply::hb8ca4846c60bec8c;
179
  v12[2] = _$LT$Hello_Rust..SubOp$u20$as$u20$Hello_Rust..Operation$GT$::apply::hc33f064d2a20566c;
180
  v12[3] = _$LT$Hello_Rust..IdxXorOp$u20$as$u20$Hello_Rust..Operation$GT$::apply::h6761405cf33cc523;
181
  v60 = 4LL;
182
  v61 = v12;
183
  v62 = 4LL;
184
  v13 = Src;
185
  v66 = Src;
186
  v67 = (__int64)Src + v65;
187
  p_Size = 0LL;
188
  LOBYTE(v69) = 0;
189
  _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..spec_from_iter..SpecFromIter$LT$T$C$I$GT$$GT$::from_iter::h78fb51c0aaaccf06(
190
    &Size,
191
    Src,
192
    &v66,
193
    &v32,
194
    &off_1400A2078);
195
  if ( v34 == 30 )
196
  {
197
    v15 = &v42;
198
    v16 = &v43;
199
    v17 = (char *)v33;
200
    v18 = v33 + 30;
201
    v58 = 0LL;
202
    v59 = 0LL;
203
    Size = (size_t)&unk_1400A20B0;
204
    v36 = "Please inputtheflag:";
205
    v37[0] = 0LL;
206
    v44 = 0LL;
207
    v52 = v33;
208
    v53 = (char *)v33;
209
    v54 = v32;
210
    v55 = v33 + 30;
211
    v56 = 0LL;
212
    v57 = &v60;
213
    v19 = v33;
214
    while ( v17 != (char *)v18 )
215
    {
216
      v53 = v17 + 1;
217
      v20 = *v17;
218
      v14 = v56++;
219
      v21 = (__int64 (__fastcall **)(size_t *, void *, __int64, _QWORD))v57[1];
220
      v22 = (__int64)&v21[v57[2]];
221
      v37[0] = (__int64)v21;
222
      v37[1] = v22;
223
      v38 = v21;
224
      v39 = v22;
225
      v40 = v14 & 3;
226
      v41 = 1LL;
227
      v42 = v14;
228
      v43 = v20;
229
      v17 = v53;
230
      if ( v21 )
231
      {
232
        v41 = 0LL;
233
        if ( (v14 & 3) != 0 )
234
        {
235
          v40 = 0LL;
236
          v21 = (__int64 (__fastcall **)(size_t *, void *, __int64, _QWORD))core::iter::traits::iterator::Iterator::nth::h47ff4efa2abd51fb(
237
                                                                              &Size,
238
                                                                              v13,
239
                                                                              v14 & 3,
240
                                                                              v37,
241
                                                                              v18,
242
                                                                              v53);
243
          if ( v21 )
244
            goto LABEL_26;
245
          v19 = v52;
246
          v37[0] = 0LL;
247
          if ( !v52 )
248
            break;
249
        }
250
        else
251
        {
252
          if ( v21 != (__int64 (__fastcall **)(size_t *, void *, __int64, _QWORD))v22 )
253
          {
254
            v38 = v21 + 1;
255
            goto LABEL_26;
256
          }
257
          v38 = v21;
258
          v39 = v22;
259
          v37[0] = 0LL;
260
          if ( !v19 )
261
            break;
262
        }
263
        v17 = v53;
264
        v18 = v55;
265
      }
266
    }
267
    if ( !v44 || !v49 )
268
      goto LABEL_36;
269
    --v49;
270
    v23 = v48;
271
    if ( v48 )
272
    {
273
      v48 = 0LL;
274
      v21 = (__int64 (__fastcall **)(size_t *, void *, __int64, _QWORD))core::iter::traits::iterator::Iterator::nth::h47ff4efa2abd51fb(
275
                                                                          &Size,
276
                                                                          v13,
277
                                                                          v23,
278
                                                                          &v44,
279
                                                                          v18,
280
                                                                          v17);
281
      if ( !v21 )
282
        goto LABEL_36;
283
    }
284
    else
285
    {
286
      v21 = v46;
287
      if ( v46 == v47 )
288
      {
289
        v14 = (__int64)v45;
290
        v47 = v45;
291
        v21 = v44;
292
        if ( v44 == v45 )
293
          goto LABEL_36;
294
      }
295
      v46 = v21 + 1;
296
    }
297
    v15 = (__int64 *)&v50;
298
    v16 = &v51;
299
LABEL_26:
300
    v25 = (*v21)(&Size, v13, *v15, (unsigned __int8)*v16);
301
    v26 = (_BYTE *)Size;
302
    v14 = (__int64)v36;
303
    if ( (const char *)Size != v36 )
304
    {
305
      ++Size;
306
      LOBYTE(v16) = *v26 == v25;
307
      memcpy(&Size, v13, (size_t)&Size);
308
      if ( (unsigned __int8)_$LT$core..iter..adapters..map..Map$LT$I$C$F$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::fold::h3f0587534a09e2ec(
309
                              &Size,
310
                              v13,
311
                              (unsigned int)v16,
312
                              &v66) )
313
      {
314
        v32 = "Congratulations! The flag is correct.";
315
        v33 = 37LL;
316
        Size = (size_t)&v32;
317
        v36 = (const char *)_$LT$$RF$T$u20$as$u20$core..fmt..Display$GT$::fmt::h31fa4d9b908ac590;
318
        v66 = &anon_ad88cb96a3fdcaf8c94331b0da292800_3_llvm_3440038967210771795;
319
        v67 = 2LL;
320
        v70 = 0LL;
321
        p_Size = (size_t)&Size;
322
        v69 = 1LL;
323
        result = std::io::stdio::_print::hb423c4c57e4fd8e1(&Size, v13, v14, &v66);
324
        goto LABEL_40;
325
      }
326
      goto LABEL_39;
327
    }
328
LABEL_36:
329
    v24 = v52;
330
    if ( !v52 )
331
      goto LABEL_39;
332
    v14 = (__int64)v54;
333
    if ( !v54 )
334
      goto LABEL_39;
335
    goto LABEL_38;
336
  }
337
  v14 = (__int64)v32;
338
  if ( v32 )
339
  {
340
    v24 = v33;
341
LABEL_38:
342
    RNvCs691rhTbG0Ee_7___rustc14___rust_dealloc(&Size, v13, v14, v24, 1LL);
343
  }
344
LABEL_39:
345
  v32 = (const char *)&unk_1400A2168;
346
  v33 = 24LL;
347
  Size = (size_t)&v32;
348
  v36 = (const char *)_$LT$$RF$T$u20$as$u20$core..fmt..Display$GT$::fmt::h31fa4d9b908ac590;
349
  v66 = &anon_ad88cb96a3fdcaf8c94331b0da292800_3_llvm_3440038967210771795;
350
  v67 = 2LL;
351
  v70 = 0LL;
352
  p_Size = (size_t)&Size;
353
  v69 = 1LL;
354
  result = std::io::stdio::_print::hb423c4c57e4fd8e1(&Size, v13, v14, &v66);
355
LABEL_40:
356
  if ( v60 )
357
    result = RNvCs691rhTbG0Ee_7___rustc14___rust_dealloc(&Size, v13, 8 * v60, v61, 8LL);
358
  if ( v63 )
359
    result = RNvCs691rhTbG0Ee_7___rustc14___rust_dealloc(&Size, v13, v63, v13, 1LL);
360
  if ( v29 )
361
    result = RNvCs691rhTbG0Ee_7___rustc14___rust_dealloc(&Size, v13, v29, v30, 1LL);
362
  if ( v72[0] )
363
    return RNvCs691rhTbG0Ee_7___rustc14___rust_dealloc(&Size, v13, v72[0], v72[1], 1LL);
364
  return result;
365
}

1
// XorOp
2
char __fastcall apply(__int64 a1, __int64 a2, __int64 a3, char a4) {
3
return a4 ^ 0x37;
4
}
5
// AddOp
6
__int64 __fastcall apply(__int64 a1, __int64 a2, __int64 a3, int a4) {
7
return (unsigned int)(a4 + 20);
8
}
9
// SubOp
10
__int64 __fastcall apply(__int64 a1, __int64 a2, __int64 a3, int a4) {
11
return (unsigned int)(a4 - 5);
12
}
13
// IdxXorOp
14
char __fastcall apply(__int64 a1, __int64 a2, char a3, char a4) {
15
return a4 ^ a3; // a3 是索引
16
}

之后直接看校验发现v34 == 30,加密后的flag是unk_1400A20B0处的数据

之后根据主函数逻辑写解密脚本

1
# 加密后的数据（30字节）
2
encrypted = [
3
0x65, 0x58, 0x3e, 0x57, 0x71, 0x8f, 0x4d, 0x72, 0x02, 0x88,
4
0x5a, 0x3a, 0x43, 0x47, 0x6d, 0x3b, 0x43, 0x44, 0x6d, 0x60,
5
0x68, 0x48, 0x6d, 0x24, 0x68, 0x57, 0x2b, 0x2b, 0x5b, 0x91
6
]
7
# 解密
8
flag = []
9
for i, c in enumerate(encrypted):
10
op = i % 4
11
if op == 0:
12
flag.append(chr(c ^ 0x37)) # 逆XorOp
13
elif op == 1:
14
flag.append(chr((c - 20) & 0xFF)) # 逆AddOp
15
elif op == 2:
16
flag.append(chr((c + 5) & 0xFF)) # 逆SubOp
17
elif op == 3:
18
flag.append(chr(c ^ i)) # 逆IdxXorOp
19
print('Flag:', ''.join(flag))

奶龙爱喝花茶#

先拿exeinfo看一眼发现没加壳，之后直接搜字符串

1
Input flag:

本打算定位到主函数，却发现里面充斥各种反反汇编代码混淆

1
0x411BE5: call loc_411BEB
2
0x411BEB: add [esp], 0Ch ; 修改返回地址
3
0x411BF0: retn ; 跳转到 0x411BF6

这种技术通过修改栈上的返回地址来隐藏真正的代码流程，使 IDA 无法正确识别函数边界。实际执行路径从 0x411BF6 开始：

1
0x411BF6: lea eax, [ebp-18h] ; 获取 key 地址
2
0x411BF9: push eax
3
0x411BFA: call 0x4119F0 ; 调用 key 初始化函数

修复前修复后

之后发现需要修复的太多了于是，只修复了部分关键函数，直接看加密逻辑

最后梳理后

1
输入 (24字节)
2
↓
3
分成 3 个 8 字节块
4
↓
5
每块转换为 2 个 DWORD (小端序)
6
↓
7
预处理
8
↓
9
TEA 加密
10
↓
11
存储结果

解密脚本

1
import struct
2
def tea_decrypt(v0, v1, key):
3
"""TEA 解密"""
4
delta = 0x9E3779B9
5
sum_val = (delta * 32) & 0xFFFFFFFF
6
for i in range(32):
7
v1 = (v1 - (((key[3] + (v0 >> 5)) ^ (sum_val + v0) ^ (key[2] + ((v0 << 4) & 0xFFFFFFFF))))) & 0xFFFFFF
8
v0 = (v0 - (((key[1] + (v1 >> 5)) ^ (sum_val + v1) ^ (key[0] + ((v1 << 4) & 0xFFFFFFFF))))) & 0xFFFFFF
9
sum_val = (sum_val - delta) & 0xFFFFFFFF
10
return v0, v1
11
def rol(val, r_bits, max_bits=32):
12
return ((val << r_bits) | (val >> (max_bits - r_bits))) & ((1 << max_bits) - 1)
13
def ror(val, r_bits, max_bits=32):
14
return ((val >> r_bits) | (val << (max_bits - r_bits))) & ((1 << max_bits) - 1)
15
# 正确的 TEA 密钥（动态计算得到）
16
key = [0xFD56276F, 0x725BE59E, 0x03F240A5, 0xEA6E72F5]
17
# sub_411E20 使用的数组
18
v3 = [0x12345678, 0x9ABCDEF0, 0x0FEDCBA9, 0x87654321]
19
# 密文
20
ciphertext = [0x2E06E9DC, 0x11469DD0, 0x481028F0, 0x83FB8766, 0x2EBBAB8C, 0xBC51B3AF]
21
# Step 1: 计算加密后的期望值
22
encrypted_input = []
23
for i in range(6):
24
idx = i & 3
25
shift = (5 * i + 3) & 0x1F
26
mask = rol(v3[idx], shift) ^ 0xDEADBEEF
27
enc = mask ^ ciphertext[i]
28
encrypted_input.append(enc)
29
# Step 2: TEA 解密
30
decrypted_blocks = []
31
for i in range(3):
32
v0 = encrypted_input[i*2]
33
v1 = encrypted_input[i*2+1]
34
p0, p1 = tea_decrypt(v0, v1, key)
35
decrypted_blocks.append((p0, p1))
36
# Step 3: 逆向预处理
37
flag_bytes = b''
38
for p0, p1 in decrypted_blocks:
39
orig_v0 = p0 ^ 0xA5A5A5A5
40
orig_v1 = ror(p1, 7) ^ 0x3C3C3C3C
41
flag_bytes += struct.pack('<I', orig_v0)
42
flag_bytes += struct.pack('<I', orig_v1)
43
print(f"Flag: RDCTF{{{flag_bytes.decode()}}}")

UPX#

首先通过exeinfo发现有upx魔改壳

1
[Tampared file] x64 UPX v3.9 - 5.0 - [4.24]
2
Don't try: upx.exe -d option

发现UPX特征字段都被改成小写了

之后使用Python脚本修复：

1
with open("original.exe", "rb") as f:
2
data = bytearray(f.read())
3
# 修复签名和段名
4
data[0x3E0:0x3E4] = b'UPX!' # upx! -> UPX!
5
data[0x1F8:0x1FC] = b'UPX0' # upx0 -> UPX0
6
data[0x220:0x224] = b'UPX1' # upx1 -> UPX1
7
with open("fixed.exe", "wb") as f:
8
f.write(data)

修复后使用标准UPX工具成功脱壳

分析脱壳后程序发现是一个魔改AES加密(有额外的XOR)

解密脚本

1
SBOX = [0x63, 0x7c, 0x77, 0x7b, ...] # 标准AES S-Box
2
INV_SBOX = [0] * 256
3
for i in range(256):
4
INV_SBOX[SBOX[i]] = i
5
def inv_mix_columns_modified(state):
6
# 关键：先撤销XOR 0x7C
7
state = bytes([b ^ 0x7c for b in state])
8
# 然后执行标准InvMixColumns
9
# ... 标准实现 ...
10
return result
11
def decrypt_block(ciphertext, expanded_key):
12
state = ciphertext
13
state = add_round_key(state, expanded_key[160:176])
14
for round in range(9, 0, -1):
15
state = inv_shift_rows(state)
16
state = inv_sub_bytes(state)
17
state = add_round_key(state, expanded_key[round*16:(round+1)*16])
18
state = inv_mix_columns_modified(state) # 使用修改版
19
state = inv_shift_rows(state)
20
state = inv_sub_bytes(state)
21
state = add_round_key(state, expanded_key[0:16])
22
return state
23
# 解密
24
key = b'rDctf_AES_key_16'
25
ciphertext = bytes.fromhex('341359569651ffae3ed8d2b53be64b3452ba52e9a684b4ef4f39d5bcb1bb68b0')
26
expanded_key = key_expansion(key)
27
pt1 = decrypt_block(ciphertext[:16], expanded_key)
28
pt2 = decrypt_block(ciphertext[16:], expanded_key)
29
print("Flag:", (pt1 + pt2).decode())
30
# Output: RDCTF{MixColXor7C_AES_Rev_2026!}

ezbase#

无壳且逻辑非常简单

读入输入串 Buffer
sub_1400117D0 做前向异或： buf[i] ^= buf[i+1] ，最后一字节不变
sub_140011890 用自定义 Base64 字表编码
与内置字符串 Str2 比较，相同则输出 Correct!

自定义 Base64 字表：

1
QWERTYUIOPASDFGHJKLZXCVBNMabcdefghijklmnopqrstuvwxyz0123456789+/

内置 Str2 ：

1
YgcBTj0DKQPLX11ebUgIby0VW1KKGKxzBlhTKgFEKQXRWgYeV2omLXXqaJXTaUhfV2wtJwdeB2g5CwXEYwQQBI0=

解法思路：先用自定义字表把 Str2 解码为字节流，再从末尾逆推还原原串（因为正向是 buf[i] ^= buf[i+1] ，所以逆向是 orig[i] = t[i] ^ orig[i+1] ）

解密脚本

1
import base64
2
alphabet = b"QWERTYUIOPASDFGHJKLZXCVBNMabcdefghijklmnopqrstuvwxyz0123456789+/"
3
std = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
4
trans = bytes.maketrans(alphabet, std)
5
enc = b"YgcBTj0DKQPLX11ebUgIby0VW1KKGKxzBlhTKgFEKQXRWgYeV2omLXXqaJXTaUhfV2wtJwdeB2g5CwXEYwQQBI0="
6
raw = base64.b64decode(enc.translate(trans))
7
n = len(raw)
8
orig = bytearray(n)
9
orig[-1] = raw[-1]
10
for i in range(n - 2, -1, -1):
11
orig[i] = raw[i] ^ orig[i + 1]
12
print(orig.decode())

ezpy#

有点懒得说了，直接pyinstxtractor.py 对 exe 进行解包，之后反编译pyc文件

发现是一个RC4加密

1
key = b"nailong"
2
target =bytes.fromhex("2ef01fece0420e0e3d2179e97f26eeab020a32ef51e2a73b2ab6d550196858fa89cf284397df709afc")

解密脚本

1
from binascii import unhexlify
2
def rc4(data: bytes, key: bytes) -> bytes:
3
s = list(range(256))
4
j = 0
5
for i in range(256):
6
j = (j + s[i] + key[i % len(key)]) & 0xFF
7
s[i], s[j] = s[j], s[i]
8
i = j = 0
9
out = bytearray()
10
for b in data:
11
i = (i + 1) & 0xFF
12
j = (j + s[i]) & 0xFF
13
s[i], s[j] = s[j], s[i]
14
k = s[(s[i] + s[j]) & 0xFF]
15
out.append(b ^ k)
16
return bytes(out)
17
key = b"nailong"
18
target = unhexlify("2ef01fece0420e0e3d2179e97f26eeab020a32ef51e2a73b2ab6d550196858fa89cf284397df709afc")
19
print(rc4(target, key).decode())

人よ、幸福に生きよ

Hello_Rust#

奶龙爱喝花茶#

UPX#

ezbase#

ezpy#