2024西湖论剑WP(reverse_MZ)
逆向板块就做出这一题。
思路大概就是:程序先对输入进行转换,然后对转换结果计算SHA1哈希(SHA1是单向哈希,不是可逆的加密)。
#include<stdio.h>
#include<Windows.h>
#include <stdint.h>
#include <string.h>
#include"defs.h"
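/*
 * Lookup table walked by main(). The write-up elides the contents
 * (presumably dumped from the challenge binary); paste the dump between
 * the braces before building.
 */
unsigned int box[10000] = {
    /* data */
};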
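/*
 * Recover one candidate flag by walking the transition table in box[].
 *
 * A node is addressed by its index into box[]. For a character code j,
 * box[node + 2*j] holds a check value and box[node + 2*j + 1] holds the
 * value from which the next node index is derived. A character is accepted
 * when the check value equals j - 5 or j + 5; the first accepted character
 * in 32..127 is taken, so the output is only one of possibly several
 * candidates.
 *
 * Every node index is validated before it is used, because it comes straight
 * from table data and would otherwise be read out of bounds.
 */
int main(void)
{
    enum {
        FLAG_LEN = 48,
        FIRST_CHAR = 32,
        CHAR_END = 128,          /* exclusive upper bound of the candidates */
        NODE_SPAN = 2 * CHAR_END /* slots a single node lookup may touch */
    };
    /* presumably the address of the table in the analysed process - confirm */
    const unsigned int table_base = 0x169078;
    const size_t count = sizeof box / sizeof box[0];

    /* transformed bytes; per the write-up this is what the binary hashes */
    char encflag[FLAG_LEN + 1] = { 0 };
    char flag[FLAG_LEN + 1] = { 0 };
    size_t node = 0;

    for (int i = 0; i < FLAG_LEN; ++i) {
        /* Reject a node whose slots would fall outside box[]. */
        if (node > count - NODE_SPAN) {
            fprintf(stderr, "position %d: node index %lu is outside box[]\n",
                    i, (unsigned long)node);
            break;
        }

        int found = 0;
        for (int j = FIRST_CHAR; j < CHAR_END; j++) {
            const size_t slot = node + 2 * (size_t)j;
            const unsigned int check = box[slot];

            if (check == (unsigned int)(j - 5)) {
                encflag[i] = (char)~(j + 1);
            } else if (check == (unsigned int)(j + 5)) {
                encflag[i] = (char)~(j - 1);
            } else {
                continue;
            }

            flag[i] = (char)j;
            /* The stored value is rebased and scaled by the 4-byte entry size. */
            node = (box[slot + 1] - table_base) / 4;
            found = 1;
            break;
        }

        /* No accepted character: later positions cannot match either. */
        if (!found) {
            fprintf(stderr, "position %d: no character matches, stopping\n", i);
            break;
        }
    }

    printf("%s", flag);
    return 0;
}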
由函数可知,程序根据转换得到48个字符的字符串并计算其SHA1哈希,目标哈希值为dc0562f86bec0a38508e704aa9faa347101e1fdb
因为转换过程中同一位置可能有多个字符满足条件,所以只取第一个匹配并不够,需要进行一些手动尝试的步骤(下面的脚本用于逐位枚举候选字符),逐渐得到flag;最终结果可以用上面的SHA1值校验。
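import sys

# Transition table; the write-up elides its contents, so the dump has to be
# pasted here before the search can report anything.
arr = []
v9 = [0] * 0x100
# Position in the flag that is being enumerated in this round.
i = 0x2E
# Known characters as code points, padded with 33 ('!') entries.
# The comprehension variable is named `ch` so it does not shadow `i`.
Str = [ord(ch) for ch in "Somet1mes_ch0ice_i5_more_import@nt_tHan_effort~"] + (48 - i) * [33]
# Index of the node to test against: byte offset 0x74B8 over 4-byte entries.
# NOTE(review): the offset is presumably taken from an earlier manual round.
ind = 0x74B8 // 4

if not arr:
    print("arr is empty: paste the table dump before running", file=sys.stderr)

# Try every printable ASCII character at position i.
for j in range(33, 127):
    Str[i] = j
    # Check the characters from position i up to 48.
    for k in range(i, 48):
        c = Str[k]
        slot = 2 * c + ind
        # Stop instead of raising IndexError when the table is too short.
        if slot >= len(arr):
            break
        cc = arr[slot]
        # Same acceptance rule as the C program: check value is c - 5 or c + 5.
        # NOTE(review): v9 is written at index i (not k) and never read here.
        if c - 5 == cc:
            v9[i] = ~(c + 1)
        elif c + 5 != cc:
            break
        else:
            v9[i] = ~(c - 1)
        # Report the accepted candidate and the string built so far.
        # NOTE(review): the page lost its indentation; the prints are placed
        # inside the inner loop so that only accepted characters are shown.
        # Confirm against the author's original script.
        print(j)
        print("".join([chr(ch) for ch in Str]))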