ReW_ p
2022-06-26 07:43:00 【BL_ zshaom】
classic exe
v18 is our input; v5 is the string with dots; v0 is the length of the string we entered.
Look at function sub_4116c7:
It works in groups of three: it takes the top six bits, the last two bits and the first two bits, and ANDs with 0x30, 0xf and 0x3f. Such a familiar operation brings base64 encoding to mind. Look at the encoded string:

This confirms that it is base64 encoding.
Continuing down:
v1 is the length of the encoded string.
Then go into function sub_411389:
It is base64 again, only the last two characters of the table have been changed.
Next, look at function sub_411023:
It adds a dot to the encoded string, at the first position: the first character of a2 is the dot, the second character of a2 is the first character of a1, and the rest follow in order, shifted by one.
The next function also adds a dot, only this time at position 22.
The function after that is solved by brute force:
My understanding: first, take the ASCII code values of the printable characters; x is an ASCII code value, a is array 1, b is array 2 and c is array 3.
If the first element of a, computed from x, matches the first element of b, then the first element of c is assigned x.
Script:
```c
#include <stdio.h>
#include <string.h>

int main()
{
    char Str[100];
    int a[100];
    char a1[] = ".W1BqthGbfGBqoXBmVZRQd.W5VoXNJcMR6XNBxoM5FoFDucMWyWNfBpXNAoF0.";
    int a2 = 2; // shift applied to letters
    int len = strlen(a1);
    for (int i = 0; i < len; i++)
    {
        // Try every ASCII value j and keep the one that transforms to a1[i]
        for (int j = 0; j < 128; j++) {
            a[i] = j;
            if (a[i] < 65 || a[i] > 90) // the value is below 65 or above 90: not an uppercase letter
            {
                if (a[i] >= 97 && a[i] <= 122) // value in [97,122]: the offset is at most 25 (< 26), so adding 97 gives one of the 26 lowercase letters
                    a[i] = (a[i] + a2 - 97) % 26 + 97;
            }
            else
            {
                a[i] = (a[i] + a2 - 65) % 26 + 65; // value in [65,90]: the offset is at most 25 (< 26), so adding 65 gives one of the 26 uppercase letters
            }
            if ((char)a[i] == a1[i]) {
                Str[i] = j;
            }
        }
    }
    for (int i = 0; i < len; i++) {
        printf("%c", Str[i]);
    }
    return 0;
}
```

Remove the dots from the recovered string, then base64-decode it twice.
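The whole chain inverted in one script, as an added example that is not code from the original write-up: it undoes the letter shift directly instead of brute-forcing it, strips the dots and decodes both base64 layers. The write-up does not list the modified table, so `HYPOTHETICAL_TABLE` is a stand-in, and `encode_chain` is a constructed model of the binary's steps (dots at index 0 and index 22 are an assumption) used only to build sample input.

```python
import base64

STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Assumption: stand-in for the binary's table, whose last two characters differ.
HYPOTHETICAL_TABLE = STD[:62] + "-_"

def shift_letters(text, k):
    """Rotate A-Z and a-z by k places; every other character is unchanged."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = 65 if ch.isupper() else 97
            ch = chr((ord(ch) - base + k) % 26 + base)
        out.append(ch)
    return "".join(out)

def b64decode_table(text, table):
    """Decode base64 text that was produced with a custom 64-character table."""
    if len(table) != 64 or len(set(table)) != 64:
        raise ValueError("table must hold 64 distinct characters")
    return base64.b64decode(text.translate(str.maketrans(table, STD)), validate=True)

def encode_chain(flag, table2, k=2):
    """Constructed model: base64, base64 with table2, two dots, letter shift."""
    inner = base64.b64encode(flag)
    outer = base64.b64encode(inner).decode().translate(str.maketrans(STD, table2))
    dotted = "." + outer                              # dot in first place
    dotted = dotted[:22] + "." + dotted[22:]          # dot at position 22
    return shift_letters(dotted, k)

def recover(target, table2, k=2):
    """Invert the chain: unshift, drop dots, custom-table decode, standard decode."""
    text = shift_letters(target, -k).replace(".", "")
    inner = b64decode_table(text, table2)
    return base64.b64decode(inner, validate=True)

def demo():
    sample = encode_chain(b"flag{constructed_example}", HYPOTHETICAL_TABLE)
    return sample, recover(sample, HYPOTHETICAL_TABLE)

if __name__ == "__main__":
    print(demo())
```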
classic base

Checking the pseudocode, we find base58 encoding (Base58 uses digits, uppercase letters and lowercase letters, leaving out the ambiguous characters 0 (zero), O (capital O), I (capital i) and l (lowercase L), which gives an alphabet of 58 characters: 123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz)
Let's just use CyberChef:
Convert from base58 to a string
classic re1
Open it in x64dbg, run it, then right-click > Search for > Current region > String references, then press Ctrl+F and search for flag to find it
classic re2
Open it in IDA
First we input v7, then the value of v7 is assigned to v10, and then the while loop is entered. The loop XORs each value of v7 with 7 and then exits. If v8 is the same as the value in that unk function, the input is correct
So all we have to do is find the value in the unk function and XOR each of its values with 7
Then go into the unk function
Nothing is there, so dynamic debugging is needed: the value of unk must only be filled in once the program has run to a certain point
About dynamic debugging in IDA: first, pick a suitable debugger
Then find dbgsrv in the file directory
We are going to use the 64-bit one
Fill in the port and IP
Start debugging

Find this string; it turns out that the values are written into the unk function
In IDA, go into the unk function
You can see a lot of values being moved in with mov; press F5 to look at the code

But I don't know why there is no string after it.....
Then write a simple script to get the flag
squid
Run it in Linux
Load it into IDA and press Shift+F12 to look at the strings; many of them begin with py
This means a Python file was packaged into an exe file
Use pyinstxtractor.py on the file
readme.txt explains how to use it

Successfully unpacked
This took a long time. According to the prompt in cmd, it wanted Python 3.6 for unpacking, so I changed my Python version to 3.6 and unpacked again; after that the PYZ-00.pyz_extracted folder had content in it.
Then take the file header from the struct file and add it to the pyc, and decompile it with an online Python decompiler
Open it in PyCharm and run it to get the result
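The header step above as a script, as an added example that is not part of the original write-up: it copies the pyc header from the extracted struct file onto a headerless entry-point file. The header is 12 bytes for Python 3.3 to 3.6 and 16 bytes from 3.7; the function names and the sample data are constructed for illustration.

```python
import importlib.util
import marshal
import sys

def pyc_header_len(version):
    """Size of the pyc header for a (major, minor) Python version."""
    if version >= (3, 7):
        return 16   # magic + flags + mtime + source size
    if version >= (3, 3):
        return 12   # magic + mtime + source size
    return 8        # magic + mtime

def restore_pyc_header(struct_pyc, headerless, version):
    """Return the headerless data prefixed with the header taken from struct_pyc."""
    n = pyc_header_len(version)
    if len(struct_pyc) < n:
        raise ValueError("reference file is shorter than a pyc header")
    header = struct_pyc[:n]
    if headerless[:4] == header[:4]:
        return headerless            # magic already present, nothing to add
    return header + headerless

def load_code(pyc, version):
    """Unmarshal the code object; only valid under the matching Python version."""
    return marshal.loads(pyc[pyc_header_len(version):])

def demo():
    # Constructed stand-ins for the extracted files, built with the running interpreter.
    ver = sys.version_info[:2]
    pad = b"\x00" * (pyc_header_len(ver) - 4)
    struct_pyc = importlib.util.MAGIC_NUMBER + pad + marshal.dumps(compile("pass", "struct", "exec"))
    entry = marshal.dumps(compile("answer = 6 * 7", "squid", "exec"))
    fixed = restore_pyc_header(struct_pyc, entry, ver)
    scope = {}
    exec(load_code(fixed, ver), scope)
    return fixed[:4] == importlib.util.MAGIC_NUMBER, scope["answer"]

if __name__ == "__main__":
    print(demo())
```

For the files from this challenge, pass `(3, 6)` as the version and write the returned bytes to a `.pyc` file before decompiling.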
cheems
Check the packer first


IDA shows no strings or functions
Then you can see that it is UPX
But in 010 Editor it turned out to be cpx, which is weird; change it manually
Done
Then find the string in IDA