BUUCTF_RE_[MRCTF2020]Transform

64程序无壳

主函数

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char Str[104]; // [rsp+20h] [rbp-70h] BYREF
  int j; // [rsp+88h] [rbp-8h]
  int i; // [rsp+8Ch] [rbp-4h]

  sub_402230(argc, argv, envp);
  sub_40E640("Give me your code:\n");
  sub_40E5F0("%s", Str);
  if ( strlen(Str) != 33 )
  {
    sub_40E640("Wrong!\n");
    system("pause");
    exit(0);
  }
  for ( i = 0; i <= 32; ++i )
  {
    byte_414040[i] = Str[dword_40F040[i]];
    byte_414040[i] ^= LOBYTE(dword_40F040[i]);
  }
  for ( j = 0; j <= 32; ++j )
  {
    if ( byte_40F0E0[j] != byte_414040[j] )
    {
      sub_40E640("Wrong!\n");
      system("pause");
      exit(0);
    }
  }
  sub_40E640("Right!Good Job!\n");
  sub_40E640("Here is your flag: %s\n", Str);
  system("pause");
  return 0;
}

这里关键就是第一个for循环

 

补充:

LOBYTE(11条消息) 对LOWORD, HIWORD, LOBYTE, HIBYTE的理解_happy_xiahuixiax的博客-CSDN博客_lobyte

 但是后来翻了翻别的师傅的wp发现这个函数只是打乱顺序,不是取位

然后这里有俩数组

 

 这里要注意

第一个数组最后的  8dup(0)是重复的8个0的意思

第二个数组同理

打乱顺序之后进行异或

exp

dword_40F040 = [0x9, 0x0A, 0x0F, 0x17, 0x7, 0x18, 0x0C, 0x6, 0x1, 0x10, 0x3, 0x11, 0x20, 0x1D, 0x0B, 0x1E, 0x1B, 0x16, 0x4, 0x0D, 0x13, 0x14, 0x15, 0x2, 0x19, 0x5, 0x1F, 0x8, 0x12, 0x1A, 0x1C, 0x0E, 0]

byte_40F0E0 = [0x67, 0x79, 0x7B, 0x7F, 0x75, 0x2B, 0x3C, 0x52, 0x53, 0x79, 0x57, 0x5E, 0x5D, 0x42, 0x7B, 0x2D, 0x2A, 0x66, 0x42, 0x7E, 0x4C, 0x57, 0x79, 0x41, 0x6B, 0x7E, 0x65, 0x3C, 0x5C, 0x45, 0x6F, 0x62, 0x4D]

str1 = [0] * 33

flag = ''

for i in range(33):
    byte_40F0E0[i] ^= dword_40F040[i]
    str1[dword_40F040[i]] = byte_40F0E0[i]
for i in range(33):
    flag+=chr(str1[i])
print(flag)

MRCTF{Tr4nsp0sltiON_Clph3r_1s_3z}