Problem: [MoeCTF 2021]PEPEPE
思路
- PE文件无法运行,010editor分析,发现dosheader最后的pe header偏移量被清零了,修改为80后可以正常执行
- 分析修正后的pe文件,发现是读入一个key,从file_org中读取文件明文,用key循环做xor,然后取反写入file
- 接下来通过文件头来推测key,png, zip均看不出重复,尝试pe头,发现key出现了20字节重复的pattern
- 编写脚本解密题目中给出的密文文件,拿到第二个pe文件,运行或者拖进ida中看,可以直接拿到flag
EXP
- 具体攻击代码
from Crypto.Util.strxor import strxor from itertools import cycle pe_header = open('main.exe', 'rb').read(32) with open('file', 'rb') as fp: data = fp.read(32) data = bytes([(~x) + 0x100 for x in data]) t3 = strxor(pe_header, data) print(t3) key = b'reverierwilllikeyou!' print(len(key)) file_ct = open('file', 'rb').read() l = [(~(a ^ b)) + 0x100 for a, b in zip(file_ct, cycle(key))] with open('out.exe', 'wb') as fp: fp.write(bytes(l))
总结
- PE结构(NT头偏移量)和一点misc经验