reee
主要就是这个函数
// IDA pseudocode of the crackme's main routine: prompt for the flag, require
// exactly 24 bytes, transform the buffer in place, then hand it to the compare
// step. The stack-offset comments are IDA's and are kept as evidence.
// sub_401010 is called printf-style with a format string and one extra arg,
// so it is presumably a printf wrapper - TODO confirm in the binary.
void __noreturn sub_401640()
{
char Buffer[52]; // [esp+0h] [ebp-60h] BYREF  -- user input; only 0x32 bytes are ever used
char ArgList[16]; // [esp+34h] [ebp-2Ch] BYREF  -- holds the prompt string
int v2; // [esp+44h] [ebp-1Ch]  -- 4 zero bytes directly after ArgList
CHAR Text[13]; // [esp+48h] [ebp-18h] BYREF  -- MessageBox text
int v4; // [esp+55h] [ebp-Bh]  -- v4/v5/v6: 7 zero bytes directly after Text
__int16 v5; // [esp+59h] [ebp-7h]
char v6; // [esp+5Bh] [ebp-5h]
memset(Buffer, 0, 0x32u); // zero the first 0x32 = 50 bytes of the 52-byte buffer
v4 = 0;
v5 = 0;
v6 = 0;
strcpy(ArgList, "Input ur flag: "); // 15 chars + NUL exactly fills the 16-byte array
v2 = 0;
strcpy(Text, "try agin bro"); // 12 chars + NUL exactly fills the 13-byte array
sub_401010("%s", (char)ArgList); // prompt; the (char) cast is a decompiler artifact of the vararg call
gets_s(Buffer, 0x32u); // bounded read: at most 0x31 chars + NUL, so no overflow of Buffer here.
                       // Per the MSVC CRT a longer line invokes the invalid-parameter handler
                       // (abort) instead of truncating - not a bypass, just a crash.
if ( strlen(Buffer) != 24 ) // the flag must be exactly 24 bytes; anything else fails fast
{
MessageBoxA(0, Text, "0.0", 0);
exit(0);
}
sub_401430(Buffer); // transforms the 24 input bytes in place; presumably the RC4 driver
                    // (key schedule + the keystream routine sub_401130 below) - confirm
((void (__cdecl *)(char *))loc_4011B0)(Buffer); // the comparison against the stored ciphertext.
                                                // The loc_ prefix means IDA did not recognise a
                                                // function boundary here (junk instructions per
                                                // the writeup), hence the raw pointer cast.
sub_401010("\npress any key to quit...\n", Buffer[0]); // extra arg is unused by the format string
getwch();
ExitProcess(0);
}
修复了下花指令。_security_cookie = 0BB40E64E 是 MSVC /GS 栈保护用的 cookie,函数返回前只是把栈上的副本和它比对一次,和题目逻辑无关,所以感觉修了和没修一样。
这个应该就是加密后的flag了
加密函数
加密算法
// RC4 keystream routine (the PRGA) as recovered by IDA; the shape matches
// RC4 exactly: i = i + 1, j = j + S[i], swap S[i]/S[j], output S[S[i] + S[j]].
// The key schedule (KSA) lives elsewhere; the solver script below reproduces
// it with the 4-byte key "D0g3", so the keystream is a fixed constant.
// a1 (edx): pointer to the data buffer, XORed in place byte by byte.
// a2 (ecx): pointer to the 256-byte state table S produced by the KSA.
// a3: number of bytes to process.
// Returns the final value of the j index (eax).
int __usercall sub_401130@<eax>(int a1@<edx>, int a2@<ecx>, unsigned int a3)
{
int result; // eax  -- RC4 index j
int v4; // edi  -- RC4 index i
unsigned int i; // ebx  -- position in the data buffer
unsigned __int8 v6; // dl  -- S[i] as read before the swap (== S[j] after it)
int v8; // [esp+10h] [ebp-4h]  -- saved copy of the S pointer
result = 0;
v4 = 0;
v8 = a2;
for ( i = 0; i < a3; a2 = v8 ) // "a2 = v8" only restores the clobbered ecx copy of S
{
v4 = (v4 + 1) % 256; // i = (i + 1) mod 256
v6 = *(_BYTE *)(v4 + a2); // S[i]
result = (v6 + result) % 256; // j = (j + S[i]) mod 256
*(_BYTE *)(v4 + v8) = *(_BYTE *)(result + a2); // swap S[i] and S[j] ...
*(_BYTE *)(result + v8) = v6; // ... second half of the swap
*(_BYTE *)(i + a1) ^= *(_BYTE *)((unsigned __int8)(v6 + *(_BYTE *)(v4 + v8)) + v8); // data[i] ^= S[(S[i] + S[j]) mod 256]
++i;
}
return result;
}
写个脚本出来就行
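"""Recover the flag from the crackme.

The binary RC4-encrypts the 24-byte input with the fixed key "D0g3" and
compares the result against the ciphertext stored in the binary. RC4 is
symmetric, so decrypting that ciphertext with the same key yields the flag.
"""

# Ciphertext extracted from the binary: 24 bytes, matching the
# strlen(Buffer) == 24 check in sub_401640.
flag = [86, 97, 99, 164, 34, 164,
        80, 125, 205, 141, 19, 61,
        74, 79, 13, 98, 136, 171,
        252, 233, 187, 30, 160, 144]

# Key hard-coded in the binary. With a fixed key the keystream is a constant,
# which is why a direct decryption of the stored bytes works.
KEY = b"D0g3"


def rc4_ksa(key):
    """RC4 key-scheduling algorithm: build the 256-entry permutation S.

    Mirrors the binary's setup loop: j = (j + S[i] + key[i % len(key)]) % 256,
    then swap S[i] and S[j].

    :param key: non-empty bytes-like key
    :returns: list of 256 ints
    :raises ValueError: if key is empty (the modulo below would divide by zero)
    """
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key, data):
    """Encrypt or decrypt ``data`` with RC4 under ``key``.

    The keystream generation is a transliteration of sub_401130:
    i = (i + 1) % 256; j = (j + S[i]) % 256; swap S[i], S[j];
    output byte = S[(S[i] + S[j]) % 256]. RC4 is its own inverse, so the
    same call performs both directions.

    :param key: non-empty bytes-like key
    :param data: bytes-like (or iterable of ints 0..255) to transform
    :returns: bytes of the same length as data
    """
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


if __name__ == "__main__":
    # Same outputs as the original script: the scheduled state, the decoded
    # text, and the decrypted byte values (now on their own line).
    print("a2 = ", rc4_ksa(KEY))
    plain = rc4_crypt(KEY, bytes(flag))
    print(plain.decode("latin-1"))
    print(list(plain))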
flag: d0g3{This_15_FindWind0w}
Misc GumpKing
打开是个游戏,我想着把它解包出来看看,结果解出来一堆素材,看了半天也找不到 flag;看别人 wp 说玩到 100 下就行(
这玩意我玩不到10下,鼠标滑动来控制左右,但是不知道咋的跳几下就划不动了。。。)
虚幻4(ue4)引擎加密pak解包教程
直接拿ce试试
跳完得到的分数输进去扫描一次,再跳、再扫,扫三次就定位到了:0x240CDF64 存的就是得分。
看下是哪个地方改写了分数
一共有两个地方,第一个是+1,第二个是清零
直接把第二处(下落时清零)的那条指令改成加 0x100。
只要跳一下,数字就出来了,就是有点臭。。。。
flag: d0g3{1145141919810}