蓝桥杯的第二个re

蓝桥杯这次re题目真是藏得太深了:就光写一个我做的最久的题目;

re_02:

main函数:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
int __fastcall main(int argc, const char **argv, const char **envp)
{
  unsigned int v3; // eax
  _DWORD v5[2]; // [rsp+2Ch] [rbp-14h] BYREF
  unsigned int i; // [rsp+34h] [rbp-Ch]
  int v7; // [rsp+38h] [rbp-8h]
  int v8; // [rsp+3Ch] [rbp-4h]

  _main(argc, argv, envp);
  v8 = 15;
  v3 = time(0LL);
  srand(v3);
  puts("You want my treasure? You can have it all if you want it. Go find it! I hid the treasure chest in the program");
  puts("Number of remaining steps: 15 | 1 to 3 steps per round | The first one to get to the KEY\n");
  v5[1] = 0;
  while ( v8 > 0 )
  {
    printf("Remaining steps: [%d]\n", v8);
    do
    {
      printf("Number of steps (1-3): ");
      while ( scanf("%d", v5) != 1 )
      {
        printf("Input error, please re-enter: ");
        while ( getchar() != 10 )
          ;
      }
      if ( v5[0] > 0 && v5[0] <= 3 )
      {
        if ( v8 < v5[0] )
          printf(aNotEnoughSteps, v8);
      }
      else
      {
        puts(aMustTake13Step);
      }
    }
    while ( v5[0] <= 0 || v5[0] > 3 || v8 < v5[0] );
    v8 -= v5[0];
    printf("* Player walks %d steps, remaining %d\n\n", v5[0], v8);
    if ( v8 <= 0 )
    {
      full_decrypt();
      puts("This is your KEY. You deserve it ! !");
      for ( i = 0; i <= 0x2F; ++i )
        printf("%02X", real_key[i]);
      break;
    }
    v7 = calculate_best_move(v8);
    if ( v7 <= 0 || v7 > 3 )
      v7 = 1;
    if ( v7 > v8 )
      v7 = v8;
    v8 -= v7;
    printf("* The AI takes %d steps, remaining %d\n\n", v7, v8);
    if ( v8 <= 0 )
      puts("This treasure does not belong to you. Go back, Boy");
  }
  printf("\nGame over ! ");
  system("pause");
  return 0;
}

第一个地方,这个竟然是能赢ai的,我真是草了,我一直不知道能赢ai,一直尝试直接hook这个函数,结果一直hook不到最后是能够赢得ai并且自解密的;

image-20250426210419042

这就很淦了;

然后第二个坑:我一直以为这个reallkey就是flag结果他是一个在函数表里藏着一个rc4

我真是

image-20250426210554337

这个地方如果你是写脚本得到的real_key的话你就可以在得到密钥之前不进行异或0x37这个数
image-20250426210730847

感觉这是个弱混淆

image-20250426210856108

这是rc4加密的地方,他把rc4最后的异或换成了高低字节更替,高位去低位,低位去高位;

最后exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
def rc4_init(key):
    # 初始化 S-box
    S = list(range(256))
    j = 0
    key_len = len(key)

    # KSA (Key Scheduling Algorithm)
    for i in range(256):
        modified_key_byte = key[i % key_len] ^ 0x37  # 密钥 XOR 0x37
        j = (modified_key_byte + S[i] + j) % 256
        S[i], S[j] = S[j], S[i]  # 交换 S[i] 和 S[j]

    return S, 0, 0  # 返回 S-box, i, j


def rc4_next(S, i, j):
    # PRGA (Pseudo-Random Generation Algorithm)
    i = (i + 1) % 256
    j = (j + S[i]) % 256
    S[i], S[j] = S[j], S[i]  # 交换 S[i] 和 S[j]

    # 计算密钥流字节
    keystream_byte = S[(S[i] + S[j]) % 256]

    # 逆 nibble-swap (高 4 位和低 4 位交换)
    swapped_byte = ((keystream_byte << 4) | (keystream_byte >> 4)) & 0xFF

    return swapped_byte, i, j


def rc4_decrypt(ciphertext, key):
    S, i, j = rc4_init(key)
    plaintext = []

    for byte in ciphertext:
        keystream_byte, i, j = rc4_next(S, i, j)
        plaintext_byte = byte ^ keystream_byte  # XOR 解密
        plaintext.append(plaintext_byte)

    return bytes(plaintext)


# 示例用法
key = b"EC3700DFCD4F364EC54B19C5E7E26DEF6A25087C4FCDF4F8507A40A9019E3B48BD70129D0141A5B8F089F280F4BE6CCD"  # 替换成你的密钥
ciphertext = [ 0xBB, 0xCA, 0x12, 0x14, 0xD0, 0xF1, 0x99, 0xA7, 0x91, 0x48,
    0xC3, 0x28, 0x73, 0xAD, 0xB7, 0x75, 0x8C, 0x89, 0xCD, 0xDD,
    0x2D, 0x50, 0x5D, 0x7F, 0x95, 0xB1, 0xA4, 0x9D, 0x09, 0x43,
    0xE1, 0xD2, 0xE9, 0x66, 0xEA, 0x18, 0x98, 0xC6, 0xCC, 0x02,
    0x39, 0x18]  # 替换成你的密文

plaintext = rc4_decrypt(ciphertext, key)
print("Decrypted:", plaintext)

还有就是密文是贴着full_decrypt里解密数据下面紧跟的

image-20250426211044616

第一次蓝桥杯只拿下5个题也是得了250分还是太弱了。800来名