MRCTF2020 Transform

https://buuoj.cn/challenges#[MRCTF2020]Transform

64 exe 只有一个主函数需要分析

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char input[104]; // [rsp+20h] [rbp-70h] BYREF
  int j; // [rsp+88h] [rbp-8h]
  int i; // [rsp+8Ch] [rbp-4h]
 
  sub_402230(argc, argv, envp);
  print("Give me your code:\n");
  scan("%s", input);
  if ( strlen(input) != 33 )
  {
    print("Wrong!\n");
    system("pause");
    exit(0);
  }
  for ( i = 0; i <= 32; ++i )
  {
    byte_414040[i] = input[dword_40F040[i]];
    byte_414040[i] ^= LOBYTE(dword_40F040[i]);
  }
  for ( j = 0; j <= 32; ++j )
  {
    if ( byte_40F0E0[j] != byte_414040[j] )
    {
      print("Wrong!\n");
      system("pause");
      exit(0);
    }
  }
  print("Right!Good Job!\n");
  print("Here is your flag: %s\n", input);
  system("pause");
  return 0;
}

数组可以看成是一个函数 f

对所有 byte_414040 的元素做 f 变换，再异或，最后比较

逆向回来先复制，再异或，最后反过来求解 f 变换 → 数组变换

$$\begin{array}{rl}{d}^{\prime }(i)& =in(d(i))\\ x^{\prime }& =in(x)\end{array}$$

所以对所有 $d(i)$ 进行定义域上的覆盖，试图解出对应关系 in (input)

注意两个表的大小不一样，用 0 补齐

key = [9, 10, 15, 23, 7, 24, 12, 6, 1, 16, 3, 17, 32, 29, 11, 30, 27, 22, 4, 13, 19, 20, 21, 2, 25, 5, 31, 8, 18, 26,  
       28, 14, 0]  
  
code = [103, 121, 123, 127, 117, 43, 60, 82, 83, 121, 87, 94, 93, 66, 123, 45, 42, 102, 66, 126, 76, 87, 121, 65, 107,  
        126, 101, 60, 92, 69, 111, 98, 77]  
  
flag = [0 for i in range(len(code))]  
# 两个列表长度相等才行  
print(len(key))  
print(len(code))  
  
code = [code[i] ^ key[i] for i in range(len(code))]  
  
for i in range(len(code)):  
    flag[key[i]] = chr(code[i])  
  
print(''.join(flag))

MRCTF{Tr4nsp0sltiON_Clph3r_1s_3z}