![BUUCTF[2019红帽杯]easyRE](http://pic.xiahunao.cn/yaotu/BUUCTF[2019红帽杯]easyRE)
进入idashiftF12查找flag没有结果有可疑字符串进入双击黄色部分然后F5看伪代码先是异或加密v12IodlQnb(ocyv12list(v12) # 转为字符列表for i in range(0,len(v12)):v12[i]ord(v12[i]) #字符转ASCII码v12.append(127) # 补第13字节127v13y.iv13list(v13)for i in range(0,len(v13)):v13[i]ord(v13[i])v12.extend(v13) #v13拼接到v12后v12.append(127)v14d3w}wek9{iy~yLECv14list(v14)for i in range(0,len(v14)):v14[i]ord(v14[i])v12.extend(v14) #v14拼接到v12后print(v12)v15for i in range(0,len(v12)):v15chr(v12[i]^i)print(v15)输出Info:The first four chars are flag接着是十个base64加密后得v11off_6CC090厨子解十个base64解密得一个网址进入之后是文章说明找错了不是flag注意到off_6CC090下面有数据进入sub_400D35v4v1f和g可以想到是flag中的恰好byte_6CC0A0[0]和byte_6CC0A3中间还有两个数据所以v4分别异或0x40,0x35,0x20,0x56得到flagflag ^ 0x40,0x35,0x20,0x56求出v4j0 → byte_6CC0A0[0] ^ v4[0]j1 → byte_6CC0A0[1] ^ v4[1]j2 → byte_6CC0A0[2] ^ v4[2]j3 → byte_6CC0A0[3] ^ v4[3]j4 → byte_6CC0A0 [4] ^ v4 [0]4%40循环使用第 0 字节脚本求出flagbyte_6cc0a0[0x40,0x35,0x20,0x56,0x5d,0x18,0x22,0x45,0x17,0x2f,0x24,0x6e,0x62,0x3c,0x27,0x54,0x48,0x6c,0x24,0x6e,0x72,0x3c,0x32,0x45,0x5b] tmp[102,108,97,103] #flag的ASCII码 v4[] for i in range(0,4): v4.append(tmp[i]^byte_6cc0a0[i]) print(v4) flag for i in range(0,25): flagchr(byte_6cc0a0[i]^v4[i%4]) print(flag) byte_6cc0a0[0x40,0x35,0x20,0x56,0x5d,0x18,0x22,0x45,0x17,0x2f,0x24,0x6e,0x62,0x3c,0x27,0x54,0x48,0x6c,0x24,0x6e,0x72,0x3c,0x32,0x45,0x5b] tmp[102,108,97,103] #flag的ASCII码 v4[] for i in range(0,4): v4.append(tmp[i]^byte_6cc0a0[i]) print(v4) flag for i in range(0,25): flagchr(byte_6cc0a0[i]^v4[i%4]) print(flag) byte_6cc0a0[0x40,0x35,0x20,0x56,0x5d,0x18,0x22,0x45,0x17,0x2f,0x24,0x6e,0x62,0x3c,0x27,0x54,0x48,0x6c,0x24,0x6e,0x72,0x3c,0x32,0x45,0x5b] tmp[102,108,97,103] #flag的ASCII码 v4[] for i in range(0,4): v4.append(tmp[i]^byte_6cc0a0[i]) print(v4) flag for i in range(0,25): flagchr(byte_6cc0a0[i]^v4[i%4]) print(flag)flag{Act1ve_Defen5e_Test}