Reverse
Turtle
- Opening the file in Exeinfo PE shows a UPX packer, and the challenge description also hints that unpacking is required. The UPX stub has been modified, so ordinary unpacking tools (the stock upx -d, for example) fail and the binary has to be unpacked by hand.

PS: some modified UPX packers can be repaired in 010 Editor by renaming the sections back (add0 -> UPX0, add1 -> UPX1, ...), after which the stock unpacker recognises the file again; that only works when the section names are all that was changed, and here the file was read-only, so it could not be edited in place.
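As an added example (not part of the original writeup): a small Python script that reads the section table of a PE directly (no pefile needed), reports whether the UPX sections have been renamed and whether the "UPX!" pack-header magic is still present, and writes a copy with add0/add1 renamed back to UPX0/UPX1. The rename map, the sample header built by build_fake_pe and all function names are assumptions of this example; working on a copy also sidesteps the read-only issue mentioned above.

```python
# Added example (not from the writeup): parse the PE section table by hand,
# report UPX indicators, and restore renamed UPX section names in a copy.
import struct

UPX_NAMES = {b"add0": b"UPX0", b"add1": b"UPX1"}   # rename map taken from the writeup


def section_table(pe: bytes):
    """Return (table_offset, [(entry_offset, name), ...]) for a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # COFF header follows the 4-byte signature:
    #   Machine(2) NumberOfSections(2) TimeDateStamp(4) PtrSymTab(4)
    #   NumSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    entries = []
    for k in range(num_sections):
        off = table + 40 * k                       # IMAGE_SECTION_HEADER is 40 bytes
        entries.append((off, pe[off:off + 8].rstrip(b"\0")))
    return table, entries


def upx_report(pe: bytes) -> dict:
    """Indicators of a (possibly modified) UPX stub: section names and 'UPX!' magic."""
    _, entries = section_table(pe)
    names = [n for _, n in entries]
    return {
        "sections": names,
        "has_upx_sections": any(n.startswith(b"UPX") for n in names),
        "has_renamed_sections": any(n in UPX_NAMES for n in names),
        "has_upx_magic": b"UPX!" in pe,           # stock UPX writes this in its pack header
    }


def restore_upx_names(pe: bytes) -> bytes:
    """Return a copy of the image with add0/add1 renamed back to UPX0/UPX1."""
    buf = bytearray(pe)
    for off, name in section_table(pe)[1]:
        if name in UPX_NAMES:
            buf[off:off + 8] = UPX_NAMES[name].ljust(8, b"\0")
    return bytes(buf)


def build_fake_pe(section_names) -> bytes:
    """Constructed sample input: a minimal PE32+ header with the given sections.
    Header only (no section data), so it is not a runnable binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)            # 0x40 bytes
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 240, 0x22)
    optional = struct.pack("<H", 0x20B) + b"\0" * 238                    # PE32+ magic, rest zero
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + optional + sections


if __name__ == "__main__":
    sample = build_fake_pe([b"add0", b"add1", b".rsrc"])
    print(upx_report(sample))
    print(upx_report(restore_upx_names(sample))["sections"])
```

To use it on a real sample, read the packed file, write restore_upx_names(...) to a new path and try the stock unpacker on that copy; if it still refuses, more than the section names were altered (the pack-header magic is a common second target) and you fall back to the manual dump described in the following steps.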
- Open the binary in x64dbg and, following the usual OEP-finding rule for UPX (the stub ends with a large jump out of the unpacking code to the original entry point), locate that jump and set a breakpoint on it.

- Press F9 to run to the breakpoint, then dump the process with Scylla, entering 00000000004014E0 as the OEP (the target of the big jump; make sure RIP has reached it before dumping). This produces Turtle_dump.exe.

  Next click IAT Autosearch, Get Imports and Fix Dump, in that order; when Fix Dump asks for a file, choose Turtle_dump.exe. The folder then contains the newly created Turtle_dump_SCY.exe with its import table repaired.


- Open Turtle_dump_SCY.exe in IDA (64-bit): the functions now resolve normally. Locate main and press F5 to decompile it.

- Opening the called functions: sub_401550 is the RC4 key schedule (the 256-iteration loop that initialises and permutes the S-box), sub_40163E is a standard RC4 and sub_40175A is a modified one. The modification is in the combining step: the keystream byte is subtracted from the data instead of XORed, which is why the solve script adds the keystream back.
- Recover the flag
```python
from Crypto.Cipher import ARC4

# Stage 1: the 7-byte key for the second stage is stored RC4-encrypted
# (5 bytes from a byte array plus the two literal bytes 'QJ' in the
# decompiler output) under the key 'yekyek'. Standard RC4, so decrypt == XOR.
enc_key = bytes([0xCD, 0x8F, 0x25, 0x3D, 0xE1]) + b'QJ'
dec_key = ARC4.new(b'yekyek').decrypt(enc_key)
print(dec_key)  # b'ecg4ab6'

# Stage 2: the encrypted flag as copied from the decompiler (signed chars).
enc_flag = [-8, -43, 98, -49, 67, -70, -62, 35, 21, 74, 81, 16, 39, 16,
            -79, -49, -60, 9, -2, -29, -97, 73, -121, -22, 89, -62, 7, 59,
            -87, 17, -63, -68, -3, 75, 87, -60, 126, -48, -86, 10]

# The modified RC4 subtracts the keystream instead of XORing it, so decryption
# adds it back. Encrypting zeros with standard RC4 yields the raw keystream.
add_bytes = ARC4.new(dec_key).encrypt(b'\x00' * 40)   # dec_key == b'ecg4ab6'
flag = ''.join(chr((enc_flag[i] + add_bytes[i]) & 0xff) for i in range(40))
print(flag)
```
flag: hgame{Y0u'r3_re4l1y_g3t_0Ut_of_th3_upX!}
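As an added example (not from the writeup), here is a dependency-free RC4 that reproduces the two-stage decryption above without pycryptodome. It separates the unchanged core (KSA + PRGA) from the combining step, which is the only part the binary's modified RC4 changes: sub_40163E XORs the keystream byte, while sub_40175A subtracts it (that direction is inferred from the writeup decrypting with "+ add_bytes[i]"). The function names, the encrypt/decrypt direction of the modified variant and the RC4 test vector in the usage note are assumptions of this example; the constants are the ones from the solve script.

```python
# Added example (not from the writeup): pure-Python RC4 with a pluggable
# combining step, applied to the two stages of the Turtle solve.

def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: build the 256-entry permutation S from key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int) -> bytes:
    """PRGA: emit n keystream bytes for key."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_xor(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (sub_40163E): XOR with the keystream; encrypt == decrypt."""
    return bytes(a ^ k for a, k in zip(data, rc4_keystream(key, len(data))))


def rc4_sub_encrypt(key: bytes, data: bytes) -> bytes:
    """Modified RC4 (sub_40175A, direction assumed): plaintext minus keystream."""
    return bytes((a - k) & 0xFF for a, k in zip(data, rc4_keystream(key, len(data))))


def rc4_sub_decrypt(key: bytes, data: bytes) -> bytes:
    """Inverse of rc4_sub_encrypt: add the keystream back (what the writeup does)."""
    return bytes((a + k) & 0xFF for a, k in zip(data, rc4_keystream(key, len(data))))


# Values copied from the writeup's solve script (decompiler output: signed chars).
ENC_KEY = bytes([0xCD, 0x8F, 0x25, 0x3D, 0xE1]) + b"QJ"
ENC_FLAG_SIGNED = [-8, -43, 98, -49, 67, -70, -62, 35, 21, 74, 81, 16, 39, 16,
                   -79, -49, -60, 9, -2, -29, -97, 73, -121, -22, 89, -62, 7, 59,
                   -87, 17, -63, -68, -3, 75, 87, -60, 126, -48, -86, 10]
ENC_FLAG = bytes(v & 0xFF for v in ENC_FLAG_SIGNED)


def recover_flag() -> str:
    """Stage 1: standard RC4 under 'yekyek' yields the stage-2 key.
    Stage 2: the modified RC4 under that key yields the flag."""
    stage2_key = rc4_xor(b"yekyek", ENC_KEY)
    return rc4_sub_decrypt(stage2_key, ENC_FLAG).decode("latin-1")


if __name__ == "__main__":
    print(rc4_xor(b"yekyek", ENC_KEY))
    print(recover_flag())
```

Before trusting a hand-rolled RC4 against challenge data, check the core against a published vector (key "Key", plaintext "Plaintext" gives ciphertext bbf316e8d940af0ad3); if that passes and the flag still looks wrong, the difference is in the combining step or the key, not in the KSA/PRGA.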