SMC + junk instructions
[网鼎杯2020青龙组]jocker
Junk instruction part
The stack pointer is the same before and after the push, so the extra push/call pair is junk that does not change the stack. At the call instruction set the stack pointer change to 0 (Edit > Functions > Change stack pointer, Alt+K in IDA) and the function can then be analysed and decompiled normally.
SMC encryption part
There are two methods: dynamic debugging (let the program decrypt itself and dump the result), or an IDA script that undoes the XOR statically.
IDA script (run in the IDA Python console)
import ida_bytes

address = 0x401500          # start of the encrypted encrypt() body
for i in range(187):        # 187 bytes are decrypted by the SMC loop
    current_address = address + i
    origin_byte = ida_bytes.get_byte(current_address)
    xor_byte = origin_byte ^ 0x41   # the SMC routine XORs every byte with 0x41
    ida_bytes.patch_byte(current_address, xor_byte)
After running the script, first undefine the region (U), then convert it to code (C) and create a function (P) so that it decompiles.
Result after patching (screenshot not reproduced here)
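The same XOR undo can be done on the file on disk instead of inside IDA, so the decrypted bytes can be loaded in any tool. The following is an added example, not part of the original writeup: only the address 0x401500, the length 187 and the key 0x41 come from the writeup. The PE section-table parsing, the helper names (section_table, va_to_file_offset, decrypt_smc, build_sample_pe) and the minimal constructed PE used as sample input are assumptions; the sample is not the real jocker binary.

```python
import struct

KEY = 0x41          # XOR key used by the SMC loop (from the writeup)
SMC_VA = 0x401500   # virtual address of the encrypted encrypt() body
SMC_LEN = 187       # number of encrypted bytes


def section_table(pe):
    """Return (image_base, [(name, va, vsize, raw_ptr, raw_size), ...])
    parsed from the PE headers of the in-memory file image `pe`."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:      # PE32: ImageBase is a DWORD at offset 28
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:    # PE32+: ImageBase is a QWORD at offset 24
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    off = opt + opt_size    # section headers follow the optional header
    for _ in range(nsec):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, raw_ptr, raw_size))
        off += 40           # IMAGE_SECTION_HEADER is 40 bytes
    return image_base, sections


def va_to_file_offset(pe, va):
    """Map a virtual address to the file offset holding its bytes."""
    image_base, sections = section_table(pe)
    rva = va - image_base
    for _name, sva, vsize, raw_ptr, raw_size in sections:
        if sva <= rva < sva + max(vsize, raw_size):
            delta = rva - sva
            if delta >= raw_size:
                raise ValueError("VA 0x%x has no bytes on disk (virtual-only)" % va)
            return raw_ptr + delta
    raise ValueError("VA 0x%x is not inside any section" % va)


def decrypt_smc(pe, va=SMC_VA, length=SMC_LEN, key=KEY):
    """Return a copy of `pe` with `length` bytes at `va` XORed with `key`.
    Applying it twice restores the original, since XOR is its own inverse."""
    start = va_to_file_offset(pe, va)
    end = va_to_file_offset(pe, va + length - 1)
    if end - start != length - 1:
        raise ValueError("SMC region crosses a section boundary")
    out = bytearray(pe)
    for i in range(start, start + length):
        out[i] ^= key
    return bytes(out)


def build_sample_pe(plain_body):
    """Constructed minimal PE32 with one .text section (VA 0x1000, raw offset
    0x200) whose bytes at SMC_VA are `plain_body` XORed with KEY. This is a
    synthetic sample for demonstration, not the challenge binary."""
    enc = bytes(b ^ KEY for b in plain_body)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)               # ImageBase
    sec = struct.pack("<8sIIII", b".text", 0x1000, 0x1000, 0x1000, 0x200) + bytes(16)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    body = bytearray(0x1000)
    body_off = SMC_VA - 0x400000 - 0x1000                   # 0x500 into .text
    body[body_off:body_off + len(enc)] = enc
    return headers + bytes(body)


if __name__ == "__main__":
    plain = bytes(range(SMC_LEN))
    sample = build_sample_pe(plain)
    fixed = decrypt_smc(sample)
    off = va_to_file_offset(sample, SMC_VA)
    print("file offset of 0x%x: 0x%x" % (SMC_VA, off))
    print("decrypted region matches plaintext:", fixed[off:off + SMC_LEN] == plain)
```

To patch the real file, read it with open(path, "rb"), pass the bytes to decrypt_smc, and write the result to a new file; then open that copy in IDA and create the function at 0x401500 as described above.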
For the encrypt part (the first 19 characters): encrypt compares flag[i] ^ word[i] against the table below, so XORing the table with the same string recovers the characters.
# comparison table taken from encrypt (19 entries)
flag1 = [14, 13, 9, 6, 19, 5, 88, 86, 62, 6, 12, 60, 31, 87, 20, 107, 87, 89, 13]
word = "hahahaha_do_you_find_me?"   # the string the input is XORed with

flag = []
for i in range(len(flag1)):
    flag.append(chr(ord(word[i]) ^ flag1[i]))
print("".join(flag))   # first 19 characters of the flag
For the last 5 bytes
These are XORed with an unknown single-byte key and compared against "%tp&:". The last character of the flag must be '}', so the key is ':' ^ '}' = 0x3A ^ 0x7D = 71.
tail = "%tp&:"   # comparison bytes for the last 5 characters (renamed from str to avoid shadowing the builtin)
flag2 = []
for i in range(len(tail)):
    flag2.append(chr(ord(tail[i]) ^ 71))
flag = flag + flag2   # flag holds the 19 characters recovered above
print("".join(flag))
flag{d07abccf8a410cb37a}