sub_47A180 contains the string `crypto.cipher.new_cbc_encrypter: IV length must equal block size`, which is the panic message of Go's `cipher.NewCBCEncrypter`, so the binary uses AES-CBC from the Go standard library (key and IV are both 16 bytes).
Stepping over sub_443380 with F8 shows that it is a memcpy.
Stepping over sub_47A2D0, the string is changed: this is the CBC encryption call.
Dump its key and IV at that point.
Encrypting with AES-CBC in CyberChef using the dumped key and IV gives exactly what the binary produces, so it is plain AES-CBC with those parameters.
The code above that is a hex decode: every two input characters become one byte (the input has not been modified at this point).
Stepping over sub_47C0D0, the bytes have been changed.
Stepping into it with F7 and tracing for a long time shows that only one place uses the input, and it is an XOR.
Since the operand being XORed in does not depend on the input,
feeding an input of all zeros and dumping the result gives the XOR array directly (0 ^ k = k).
The solve script is as follows (reverses the pipeline: AES-CBC decrypt, then undo the XOR, then hex-encode):

```python
from Crypto.Cipher import AES  # pycryptodome
from binascii import b2a_hex

# Key and IV dumped from the binary right before the CBC encrypter is called.
key = b'\xC4\x92\xA1\x76\x2F\x26\x0E\x6F\x3B\xBF\xA4\xE9\xDB\x54\x25\x4E'
iv = b'\xB6\x4C\x8A\x9D\xC5\xEA\xF4\xA6\xFA\xF6\x70\x16\xD7\xE6\x6D\xB9'
# Expected ciphertext the binary compares against (one AES block).
text = b'\x16\xF0\x3F\x5B\x38\xB9\x80\x90\x1D\xA3\x58\xD8\xE6\xED\x97\xE3'

cryptos = AES.new(key, AES.MODE_CBC, iv)
c = cryptos.decrypt(text)
print(b2a_hex(c))  # 5f793d30a1a9dd85c12005e3e61af37a

# XOR array recovered by feeding all-zero input and dumping the output of sub_47C0D0.
x = [0x7C, 0x55, 0x3B, 0xF4, 0xCB, 0x74, 0x38, 0xEA,
     0x2B, 0xEB, 0xA8, 0x67, 0x5D, 0x13, 0x9C, 0xBB]

# Undo the XOR; the flag body is the hex encoding of the result.
print('flag{' + ''.join('%02x' % (c[i] ^ x[i]) for i in range(len(c))) + '}')
```
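As an added example (not the write-up's own code, and not taken from the target binary), the following Go program models the whole check the write-up reverse-engineered and its inverse, using the dumped key, IV, expected ciphertext and XOR array. The pipeline order, hex decode, then XOR with a fixed mask, then `cipher.NewCBCEncrypter`, then compare, is inferred from the write-up's observations and is an assumption; the function names `Check`, `RecoverMask` and `Solve` are mine. `RecoverMask` is the zero-input trick from the text: because the XOR operand does not depend on the input, running the stage on sixteen zero bytes returns the mask itself, and `Solve` then only needs the inverse of each stage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
	"strings"
)

// Values dumped from the binary in the write-up: AES-128 key, CBC IV,
// the ciphertext the binary compares against, and the fixed XOR mask.
var (
	key  = []byte{0xC4, 0x92, 0xA1, 0x76, 0x2F, 0x26, 0x0E, 0x6F, 0x3B, 0xBF, 0xA4, 0xE9, 0xDB, 0x54, 0x25, 0x4E}
	iv   = []byte{0xB6, 0x4C, 0x8A, 0x9D, 0xC5, 0xEA, 0xF4, 0xA6, 0xFA, 0xF6, 0x70, 0x16, 0xD7, 0xE6, 0x6D, 0xB9}
	want = []byte{0x16, 0xF0, 0x3F, 0x5B, 0x38, 0xB9, 0x80, 0x90, 0x1D, 0xA3, 0x58, 0xD8, 0xE6, 0xED, 0x97, 0xE3}
	mask = []byte{0x7C, 0x55, 0x3B, 0xF4, 0xCB, 0x74, 0x38, 0xEA, 0x2B, 0xEB, 0xA8, 0x67, 0x5D, 0x13, 0x9C, 0xBB}
)

// xorStage models sub_47C0D0 (assumed): the operand is a constant table,
// so the output depends on the input only through the XOR itself.
func xorStage(in []byte) []byte {
	out := make([]byte, len(in))
	for i := range in {
		out[i] = in[i] ^ mask[i%len(mask)]
	}
	return out
}

// cbcEncrypt models sub_47A2D0: Go's cipher.NewCBCEncrypter on one block.
func cbcEncrypt(pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct
}

// Check reproduces the assumed verification pipeline:
// flag{<32 hex chars>} -> hex decode -> XOR -> AES-CBC encrypt -> compare.
func Check(flag string) bool {
	body := strings.TrimSuffix(strings.TrimPrefix(flag, "flag{"), "}")
	raw, err := hex.DecodeString(body)
	if err != nil || len(raw) != aes.BlockSize {
		return false
	}
	return bytes.Equal(cbcEncrypt(xorStage(raw)), want)
}

// RecoverMask is the write-up's trick: feed all-zero input to the XOR stage
// and the output is the mask itself, since 0 ^ k = k.
func RecoverMask(stage func([]byte) []byte) []byte {
	return stage(make([]byte, aes.BlockSize))
}

// Solve inverts the pipeline: AES-CBC decrypt, undo the XOR, hex-encode.
func Solve() string {
	block, _ := aes.NewCipher(key)
	pt := make([]byte, len(want))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, want)
	m := RecoverMask(xorStage)
	for i := range pt {
		pt[i] ^= m[i]
	}
	return "flag{" + hex.EncodeToString(pt) + "}"
}

func main() {
	flag := Solve()
	fmt.Println(flag, Check(flag))
}
```

The mask recovery works for any stage whose input-dependent part is a plain XOR; if the stage had also permuted or substituted bytes, the zero-input dump would still leak the constant, but inverting it would require the inverse of that extra step as well.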