avatar

天翼杯-Re-Wp

Mobile

就做了一道简单mobile题

image-20200801002941162

关键函数在so里面,ida打开

主要函数如下

image-20200801005157409

后来想了想是矩阵乘法,正好学深度学习看了看numpy,那就用用吧

# x xx两个数组 
xArr = np.array(xArr)
xxArr = np.array(xxArr)
xxArr = np.resize(xxArr, (32, 32))
xxArr_inv = np.linalg.inv(xxArr.T)
# 转置再求逆
solve = np.dot(xArr, xxArr_inv)
print(solve)

结果得到FAKE{th15_15_n07_7h3_r341_f14g!}

看了看init_array,果然换表了

image-20200801003831781

image-20200801003843767

对于换表操作,似曾相识(去年Xman入营选拔赛)

发现AB0是进栈了寄存器后做了些验证,于是可以从跳转到的AC8位置创建函数,但是不好看代码啊,那就动调,然后得到数据

xArr=[    230633,  241616,  235681,  243044,  215926,  247340,  226354,  208221,  233269,  218105,  219068,  223956,  243594,  269613,  193282,  278408,  250240,  248290,  209107,  252851,  250114,  260688,  230815,  235191,  210685,  220035,  235265,  262900,  221536,  246427,  226293,  277096]
xxArr=[ 0x0D, 0x90, 0x81, 0x24, 0x3A, 0x26, 0x35, 0x28, 0x67, 0x7D, 0x61, 0x13, 0x44, 0x84, 0x1F, 0x94, 0x96, 0x60, 0x76, 0x25, 0x1E, 0x8F, 0x86, 0x25, 0x60, 0x2A, 0x81, 0x54, 0x6F, 0x42, 0x0D, 0x30, 0x7F, 0x6F, 0x66, 0x11, 0x6F, 0x64, 0x78, 0x49, 0x22, 0x90, 0x4E, 0x56, 0x85, 0x30, 0x40, 0x8D, 0x6E, 0x0F, 0x0A, 0x25, 0x80, 0x77, 0x44, 0x68, 0x89, 0x0C, 0x61, 0x1D, 0x2E, 0x0B, 0x74, 0x74, 0x83, 0x7C, 0x36, 0x39, 0x37, 0x7A, 0x4A, 0x7B, 0x39, 0x2C, 0x3F, 0x83, 0x51, 0x56, 0x38, 0x5C, 0x1F, 0x76, 0x62, 0x87, 0x42, 0x73, 0x33, 0x80, 0x66, 0x43, 0x29, 0x28, 0x29, 0x90, 0x35, 0x54, 0x69, 0x79, 0x4A, 0x84, 0x28, 0x42, 0x3E, 0x3D, 0x12, 0x67, 0x6B, 0x33, 0x85, 0x55, 0x84, 0x89, 0x34, 0x2A, 0x45, 0x4F, 0x46, 0x93, 0x36, 0x2B, 0x32, 0x91, 0x36, 0x45, 0x3A, 0x3A, 0x2F, 0x88, 0x4A, 0x2A, 0x3A, 0x41, 0x3E, 0x86, 0x35, 0x38, 0x8F, 0x4A, 0x46, 0x54, 0x21, 0x70, 0x24, 0x3D, 0x29, 0x11, 0x5D, 0x6F, 0x42, 0x55, 0x3E, 0x25, 0x85, 0x95, 0x90, 0x29, 0x67, 0x37, 0x10, 0x7D, 0x84, 0x75, 0x35, 0x39, 0x68, 0x7D, 0x0A, 0x4E, 0x13, 0x22, 0x19, 0x7E, 0x86, 0x8B, 0x5A, 0x16, 0x8A, 0x8E, 0x38, 0x57, 0x2B, 0x74, 0x27, 0x4A, 0x69, 0x3D, 0x36, 0x30, 0x3E, 0x88, 0x57, 0x81, 0x44, 0x84, 0x1C, 0x66, 0x45, 0x47, 0x24, 0x48, 0x3B, 0x72, 0x60, 0x37, 0x47, 0x4B, 0x7E, 0x4C, 0x59, 0x6A, 0x74, 0x21, 0x8A, 0x8F, 0x90, 0x0F, 0x41, 0x56, 0x3D, 0x4F, 0x40, 0x18, 0x3E, 0x0A, 0x63, 0x0E, 0x18, 0x8D, 0x2D, 0x44, 0x19, 0x7C, 0x78, 0x6C, 0x1D, 0x47, 0x26, 0x0A, 0x53, 0x3F, 0x79, 0x2C, 0x1E, 0x70, 0x6B, 0x55, 0x42, 0x52, 0x38, 0x89, 0x27, 0x22, 0x27, 0x3A, 0x74, 0x7D, 0x2D, 0x3E, 0x78, 0x67, 0x37, 0x94, 0x38, 0x51, 0x59, 0x63, 0x33, 0x71, 0x50, 0x4F, 0x66, 0x29, 0x1B, 0x2E, 0x3E, 0x21, 0x4A, 0x46, 0x64, 0x38, 0x25, 0x81, 0x66, 0x70, 0x89, 0x0D, 0x30, 0x91, 0x34, 0x3D, 0x3C, 0x2F, 0x39, 0x50, 0x6F, 0x96, 0x2C, 0x4E, 0x10, 0x3B, 0x83, 0x18, 0x2D, 0x6A, 0x33, 0x4E, 0x92, 0x13, 0x71, 0x69, 0x89, 0x10, 0x2F, 0x60, 0x54, 0x21, 0x59, 0x87, 0x3C, 0x8B, 0x3C, 0x7B, 0x79, 0x0A, 0x1C, 0x41, 0x2B, 0x6F, 0x90, 0x76, 0x0B, 0x1A, 0x25, 0x54, 0x67, 0x0C, 0x0E, 0x39, 0x7E, 0x36, 0x1B, 0x74, 0x4E, 0x67, 0x80, 0x49, 0x87, 0x6B, 0x66, 0x3F, 0x62, 0x4E, 0x3C, 0x43, 0x3A, 0x30, 0x77, 0x36, 0x4E, 0x0A, 0x2D, 0x2E, 0x78, 0x8A, 0x43, 0x1B, 0x94, 0x3D, 0x45, 0x1D, 0x22, 0x68, 0x74, 0x37, 0x48, 0x62, 0x58, 0x89, 0x48, 0x56, 0x76, 0x4F, 0x1D, 0x71, 0x43, 0x3E, 0x77, 0x46, 0x88, 0x7D, 0x2F, 0x91, 0x1B, 0x50, 0x4B, 0x45, 0x28, 0x91, 0x25, 0x25, 0x61, 0x29, 0x72, 0x5A, 0x63, 0x57, 0x90, 0x82, 0x42, 0x0A, 0x2A, 0x2B, 0x90, 0x82, 0x47, 0x6E, 0x70, 0x7B, 0x8A, 0x75, 0x76, 0x34, 0x40, 0x78, 0x5A, 0x8C, 0x5F, 0x7A, 0x16, 0x21, 0x7B, 0x1D, 0x93, 0x64, 0x85, 0x5C, 0x6A, 0x27, 0x30, 0x65, 0x1E, 0x95, 0x56, 0x75, 0x0F, 0x3D, 0x1C, 0x60, 0x4C, 0x24, 0x6F, 0x8B, 0x35, 0x10, 0x5D, 0x4A, 0x84, 0x18, 0x7B, 0x31, 0x5B, 0x18, 0x57, 0x28, 0x20, 0x4A, 0x82, 0x49, 0x0D, 0x87, 0x58, 0x2E, 0x69, 0x35, 0x28, 0x31, 0x30, 0x3F, 0x0F, 0x22, 0x83, 0x59, 0x85, 0x91, 0x70, 0x7C, 0x51, 0x81, 0x69, 0x4E, 0x79, 0x45, 0x0A, 0x81, 0x85, 0x1B, 0x7B, 0x6C, 0x75, 0x79, 0x37, 0x7A, 0x26, 0x80, 0x88, 0x35, 0x51, 0x1D, 0x46, 0x2D, 0x7F, 0x28, 0x86, 0x85, 0x33, 0x3F, 0x7C, 0x6E, 0x2F, 0x75, 0x4B, 0x22, 0x94, 0x1D, 0x70, 0x5A, 0x57, 0x53, 0x7B, 0x19, 0x14, 0x94, 0x51, 0x26, 0x5F, 0x81, 0x75, 0x48, 0x30, 0x21, 0x68, 0x26, 0x15, 0x8F, 0x72, 0x8D, 0x12, 0x4B, 0x47, 0x71, 0x78, 0x30, 0x25, 0x3B, 0x66, 0x85, 0x78, 0x50, 0x71, 0x31, 0x8A, 0x17, 0x4E, 0x4B, 0x0B, 0x8D, 0x4C, 0x48, 0x11, 0x17, 0x76, 0x3D, 0x69, 0x53, 0x42, 0x87, 0x71, 0x53, 0x69, 0x5C, 0x66, 0x18, 0x3A, 0x7E, 0x2E, 0x17, 0x22, 0x53, 0x59, 0x3E, 0x66, 0x45, 0x10, 0x66, 0x67, 0x93, 0x2E, 0x1C, 0x65, 0x2A, 0x14, 0x11, 0x1B, 0x0B, 0x84, 0x85, 0x77, 0x44, 0x41, 0x29, 0x5F, 0x29, 0x86, 0x87, 0x87, 0x35, 0x26, 0x83, 0x5D, 0x47, 0x52, 0x31, 0x73, 0x30, 0x50, 0x44, 0x32, 0x33, 0x1C, 0x5A, 0x65, 0x22, 0x18, 0x91, 0x4B, 0x92, 0x78, 0x3C, 0x5D, 0x70, 0x18, 0x52, 0x8B, 0x96, 0x71, 0x80, 0x24, 0x82, 0x2F, 0x20, 0x5D, 0x35, 0x7A, 0x27, 0x60, 0x13, 0x83, 0x21, 0x2A, 0x7B, 0x50, 0x71, 0x6C, 0x18, 0x49, 0x75, 0x83, 0x51, 0x1D, 0x42, 0x14, 0x95, 0x1C, 0x7C, 0x38, 0x23, 0x3B, 0x78, 0x60, 0x71, 0x57, 0x6F, 0x50, 0x7B, 0x86, 0x40, 0x57, 0x57, 0x72, 0x92, 0x7B, 0x17, 0x7D, 0x37, 0x73, 0x3D, 0x24, 0x4D, 0x7C, 0x69, 0x17, 0x8D, 0x6E, 0x31, 0x70, 0x55, 0x74, 0x56, 0x36, 0x96, 0x55, 0x56, 0x6C, 0x56, 0x2D, 0x24, 0x57, 0x7A, 0x33, 0x36, 0x4B, 0x2C, 0x68, 0x67, 0x23, 0x80, 0x8F, 0x49, 0x45, 0x0D, 0x2F, 0x26, 0x44, 0x0C, 0x7A, 0x32, 0x41, 0x1B, 0x6D, 0x69, 0x3C, 0x7C, 0x5A, 0x0C, 0x33, 0x3D, 0x1A, 0x8F, 0x8C, 0x25, 0x41, 0x0D, 0x34, 0x8B, 0x4D, 0x59, 0x8A, 0x72, 0x6B, 0x17, 0x8D, 0x17, 0x55, 0x4A, 0x77, 0x6A, 0x5A, 0x74, 0x14, 0x40, 0x8A, 0x34, 0x17, 0x61, 0x34, 0x26, 0x87, 0x41, 0x1A, 0x86, 0x87, 0x0E, 0x8F, 0x20, 0x6E, 0x34, 0x32, 0x50, 0x85, 0x42, 0x45, 0x5A, 0x4E, 0x14, 0x93, 0x1C, 0x73, 0x1B, 0x5D, 0x30, 0x51, 0x60, 0x79, 0x3E, 0x91, 0x5E, 0x0A, 0x16, 0x69, 0x17, 0x7D, 0x69, 0x2A, 0x82, 0x8B, 0x55, 0x1D, 0x13, 0x26, 0x33, 0x62, 0x8B, 0x55, 0x50, 0x6A, 0x37, 0x29, 0x2A, 0x95, 0x91, 0x0C, 0x4A, 0x12, 0x84, 0x48, 0x79, 0x8A, 0x61, 0x68, 0x4A, 0x28, 0x51, 0x21, 0x67, 0x71, 0x55, 0x20, 0x1D, 0x92, 0x58, 0x1B, 0x89, 0x24, 0x7E, 0x20, 0x38, 0x25, 0x1D, 0x52, 0x59, 0x4F, 0x64, 0x57, 0x48, 0x5A, 0x5D, 0x44, 0x57, 0x34, 0x4B, 0x8A, 0x7A, 0x8A, 0x54, 0x8D, 0x0D, 0x3B, 0x71, 0x66, 0x77, 0x89, 0x37, 0x1B, 0x92, 0x34, 0x12, 0x41, 0x4E, 0x2C, 0x87, 0x8B, 0x58, 0x6B, 0x8A, 0x74, 0x10, 0x2C, 0x64, 0x8B, 0x65, 0x0D, 0x4C, 0x44, 0x11, 0x38, 0x4A, 0x48, 0x1B, 0x66, 0x1C, 0x46, 0x6C, 0x2E, 0x27, 0x22, 0x2E, 0x8E, 0x11, 0x8D, 0x3C, 0x34, 0x67, 0x88, 0x46, 0x14, 0x66, 0x93, 0x62, 0x37, 0x11, 0x0E, 0x21, 0x4D, 0x86, 0x93, 0x4B, 0x7C, 0x3C, 0x52, 0x74, 0x1A, 0x92, 0x31, 0x6E, 0x2C, 0x80, 0x36, 0x93, 0x6B, 0x3A, 0x42, 0x8F, 0x18, 0x5A, 0x16, 0x5C, 0x8B, 0x49, 0x8D, 0x81, 0x86, 0x54, 0x1B, 0x3E, 0x2E, 0x22, 0x3A, 0x90, 0x2B, 0x88, 0x6B, 0x0B, 0x52, 0x5F, 0x18, 0x75, 0x39, 0x71, 0x49, 0x2C, 0x5B, 0x8D, 0x2C, 0x3C, 0x80, 0x8E, 0x60, 0x39, 0x7F, 0x3C, 0x4A, 0x36, 0x8A, 0x77, 0x76, 0x3D, 0x82, 0x92, 0x0B, 0x41, 0x5C, 0x52, 0x3C, 0x72, 0x36, 0x8B, 0x94, 0x54, 0x6E, 0x8D, 0x8E, 0x54, 0x15, 0x46, 0x36, 0x78, 0x30, 0x5D, 0x68, 0x62, 0x27, 0x67, 0x1D, 0x68]

结合上面代码即可推出flag

flag{we11_y0u_f0und_17_c0ngr47z}

文章作者: X Mεl0n
文章链接: http://www.zrzz.site/2020/08/01/%E5%A4%A9%E7%BF%BC%E6%9D%AF-Re-Wp/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 X Mεl0n | 随手记

评论