2025VNCTF Re-wp+复现

hook_fish

运行应用提示输入一串字符并要求联网。

jadx分析，发现在main中，在点击按钮后会调用encrypt()方法对我们输入的数据加密，然后调用fish()方法下载了一个“hook_fish.dex”文件。通过下面的registerReceiver方法创注册了一个广播接收器，只要收到系统下载完成的广播时，就会调用onReceive()方法。

registerReceiver(this.downloadCompleteReceiver, new IntentFilter("android.intent.action.DOWNLOAD_COMPLETE"));

在onReceive()方法中把加密后的的输入传入了MainActivity.this.loadClass();，加载下载来的.dex文件并反射调用了encode(input0);对输入再次加密，最后调用check()方法检查结果。然后删除本地的“hook_fish.dex”文件。

我们先hook file.delete()方法，在删除前转移出dex文件(脚本1);

在savedDexFile.dex中我们可以发现是一个自定义的加密方法，并且还附带了解密函数，和密文，我们直接拿下来用，用java写解题脚本就行(脚本2)。（在官方的脚本中通过hook调用decode方法先解密密文，再逆向写出decrypt解密）。

脚本1

Java.perform(function(){ 
//     var File = Java.use('java.io.File');
// File.delete.implementation = function() {
//     var filePath = this.getAbsolutePath();  // 获取文件路径
//     console.log("文件将在删除之前被保存: " + filePath);

//     // 在删除之前复制文件到其他位置
//     var newFile = Java.use('java.io.File');
//     var destPath = "/data/data/com.example.hihitt/files/savedDexFile.dex";  // 新文件路径
//     var sourceFile = this;
//     var inputStream = Java.use('java.io.FileInputStream').$new(sourceFile);
//     var outputStream = Java.use('java.io.FileOutputStream').$new(destPath);
    
//     var buffer = Java.array('byte', [1024]);  // 缓冲区
//     var bytesRead;
//     while ((bytesRead = inputStream.read(buffer)) !== -1) {
//         outputStream.write(buffer, 0, bytesRead);
//     }
//     inputStream.close();
//     outputStream.close();
//     console.log("文件已保存到: " + destPath);

//     // 执行原本的删除操作
//     return this.delete();
// };

let MainActivity = Java.use("com.example.hihitt.MainActivity");
MainActivity["code"].implementation = function (a, index) {
    console.log(`MainActivity.code is called: a=${a}, index=${index}`);
    this["code"](a, index);
};

MainActivity["encrypt"].implementation = function (str) {
    console.log(`MainActivity.encrypt is called: str=${str}`);
    let result = this["encrypt"](str);
    console.log(`MainActivity.encrypt result=${result}`);
    return result;
};
})

脚本2(不太会处理java的数据，最后用python来进行最后的异或)

import java.util.HashMap;

public class Main {
    public static void main(String[] args) {

        String strr = "jjjliijijjjjjijiiiiijijiijjiijijjjiiiiijjjjliiijijjjjljjiilijijiiiiiljiijjiiliiiiiiiiiiiljiijijiliiiijjijijjijijijijiilijiijiiiiiijiljijiilijijiiiijjljjjljiliiijjjijiiiljijjijiiiiiiijjliiiljjijiiiliiiiiiljjiijiijiijijijjiijjiijjjijjjljiliiijijiiiijjliijiijiiliiliiiiiiljiijjiiliiijjjliiijjljjiijiiiijiijjiijijjjiiliiliiijiijijijiijijiiijjjiijjijiiiljiijiijilji";
        hookfish hf = new hookfish();
        String result = hf.decode(strr);

        // 输出解码后的结果
        System.out.println("解码结果: " + result);
        String decryptedString = decrypt(result);
        System.out.println("解密后的字符串: " + decryptedString);
    }
    // 解密方法
    public static String decrypt(String str) {
        // 将加密后的字符串转回字符数组
        char[] str3 = str.toCharArray();

        // 逆操作字符数组变换
        for (int i = 0; i < str3.length; i++) {
            if ((char) ((str3[i] - (i % 4)) + '1') >= 'a' && (char) ((str3[i] - (i % 4)) + '1')<= 'f') {
                str3[i] = (char) ((str3[i] - (i % 4)) + '1');
            } else {
                str3[i] = (char) (str3[i] - ('7' + (i % 10)));
            }
        }
        // 恢复异或操作
        code(str3, 0);

        // 将字符数组转为十六进制字符串
        String str2= new String(str3);

        // 将字节数组转换为原始字符串并返回
        return str2;
    }

    // 逆操作异或
    private static void code(char[] a, int index) {
        if (index >= a.length - 1) {
            return;
        }
        a[index] = (char) (a[index] ^ a[index + 1]);
        a[index + 1] = (char) (a[index] ^ a[index + 1]);
        a[index] = (char) (a[index] ^ a[index + 1]);
        code(a, index + 2);

    }


}

public class hookfish {
    private HashMap<String, Character> fish_dcode;
    private HashMap<Character, String> fish_ecode;
    private String strr = "jjjliijijjjjjijiiiiijijiijjiijijjjiiiiijjjjliiijijjjjljjiilijijiiiiiljiijjiiliiiiiiiiiiiljiijijiliiiijjijijjijijijijiilijiijiiiiiijiljijiilijijiiiijjljjjljiliiijjjijiiiljijjijiiiiiiijjliiiljjijiiiliiiiiiljjiijiijiijijijjiijjiijjjijjjljiliiijijiiiijjliijiijiiliiliiiiiiljiijjiiliiijjjliiijjljjiijiiiijiijjiijijjjiiliiliiijiijijijiijijiiijjjiijjijiiiljiijiijilji";

    public hookfish() {
        encode_map();
        decode_map();
    }

    public void encode_map() {
        HashMap<Character, String> hashMap = new HashMap<>();
        this.fish_ecode = hashMap;
        hashMap.put('a', "iiijj");
        this.fish_ecode.put('b', "jjjii");
        this.fish_ecode.put('c', "jijij");
        this.fish_ecode.put('d', "jjijj");
        this.fish_ecode.put('e', "jjjjj");
        this.fish_ecode.put('f', "ijjjj");
        this.fish_ecode.put('g', "jjjji");
        this.fish_ecode.put('h', "iijii");
        this.fish_ecode.put('i', "ijiji");
        this.fish_ecode.put('j', "iiiji");
        this.fish_ecode.put('k', "jjjij");
        this.fish_ecode.put('l', "jijji");
        this.fish_ecode.put('m', "ijiij");
        this.fish_ecode.put('n', "iijji");
        this.fish_ecode.put('o', "ijjij");
        this.fish_ecode.put('p', "jiiji");
        this.fish_ecode.put('q', "ijijj");
        this.fish_ecode.put('r', "jijii");
        this.fish_ecode.put('s', "iiiii");
        this.fish_ecode.put('t', "jjiij");
        this.fish_ecode.put('u', "ijjji");
        this.fish_ecode.put('v', "jiiij");
        this.fish_ecode.put('w', "iiiij");
        this.fish_ecode.put('x', "iijij");
        this.fish_ecode.put('y', "jjiji");
        this.fish_ecode.put('z', "jijjj");
        this.fish_ecode.put('1', "iijjl");
        this.fish_ecode.put('2', "iiilj");
        this.fish_ecode.put('3', "iliii");
        this.fish_ecode.put('4', "jiili");
        this.fish_ecode.put('5', "jilji");
        this.fish_ecode.put('6', "iliji");
        this.fish_ecode.put('7', "jjjlj");
        this.fish_ecode.put('8', "ijljj");
        this.fish_ecode.put('9', "iljji");
        this.fish_ecode.put('0', "jjjli");
    }

    public void decode_map() {
        HashMap<String, Character> hashMap = new HashMap<>();
        this.fish_dcode = hashMap;
        hashMap.put("iiijj", 'a');
        this.fish_dcode.put("jjjii", 'b');
        this.fish_dcode.put("jijij", 'c');
        this.fish_dcode.put("jjijj", 'd');
        this.fish_dcode.put("jjjjj", 'e');
        this.fish_dcode.put("ijjjj", 'f');
        this.fish_dcode.put("jjjji", 'g');
        this.fish_dcode.put("iijii", 'h');
        this.fish_dcode.put("ijiji", 'i');
        this.fish_dcode.put("iiiji", 'j');
        this.fish_dcode.put("jjjij", 'k');
        this.fish_dcode.put("jijji", 'l');
        this.fish_dcode.put("ijiij", 'm');
        this.fish_dcode.put("iijji", 'n');
        this.fish_dcode.put("ijjij", 'o');
        this.fish_dcode.put("jiiji", 'p');
        this.fish_dcode.put("ijijj", 'q');
        this.fish_dcode.put("jijii", 'r');
        this.fish_dcode.put("iiiii", 's');
        this.fish_dcode.put("jjiij", 't');
        this.fish_dcode.put("ijjji", 'u');
        this.fish_dcode.put("jiiij", 'v');
        this.fish_dcode.put("iiiij", 'w');
        this.fish_dcode.put("iijij", 'x');
        this.fish_dcode.put("jjiji", 'y');
        this.fish_dcode.put("jijjj", 'z');
        this.fish_dcode.put("iijjl", '1');
        this.fish_dcode.put("iiilj", '2');
        this.fish_dcode.put("iliii", '3');
        this.fish_dcode.put("jiili", '4');
        this.fish_dcode.put("jilji", '5');
        this.fish_dcode.put("iliji", '6');
        this.fish_dcode.put("jjjlj", '7');
        this.fish_dcode.put("ijljj", '8');
        this.fish_dcode.put("iljji", '9');
        this.fish_dcode.put("jjjli", '0');
    }

    public String encode(String str) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < str.length(); i++) {
            sb.append(this.fish_ecode.get(Character.valueOf(str.charAt(i))));
        }
        return sb.toString();
    }

    public String decode(String str) {
        StringBuilder sb = new StringBuilder();
        int i = 0;
        int i2 = 0;
        while (i2 < str.length() / 5) {
            int i3 = i + 5;
            sb.append(this.fish_dcode.get(str.substring(i, i3)));
            i2++;
            i = i3;
        }
        return sb.toString();
    }

    public boolean check(String str) {
        if (str.equals(this.strr)) {
            return true;
        }
        return false;
    }
}


//VNCTF{u_re4l1y_kn0w_H0Ok_my_f1Sh!1l}

hex_str = "9a9287988abfb9a3b6a978b075bda3afb274bba38c7493afa3b1bda3aa7597ac6575b0c1"

# 将十六进制字符串按每8字节（即16个字符）分块
chunk_size = 2
chunks = [hex_str[i:i+chunk_size] for i in range(0, len(hex_str), chunk_size)]

# 将每个块转换为十进制并存入列表
decimal_list = [int(chunk, 16) for chunk in chunks]

# 打印结果
print(decimal_list)
print(chunks)

for i in decimal_list:
    print(chr(i - 68),end='')

---

kotlindroid

在SearchActivityKt初始化加密并验证flag。密文是”MTE0NTE0HMuJKLOW1BqCAi2MxpHYjGjpPq82XXQ/jgx5WYrZ2MV53a9xjQVbRaVdRiXFrSn6EcQPzA==”,iv是”114514”，加密方式是”AES/GCM/NoPadding”。密钥在Button$lambda$7$lambda$6方法内由两部分异或加密后拼接而成，后面传入了check函数中，hook一下就能拿到（也可以自己解）。但是没看到加密的位置，hook一下check的参数，发现输入的数据在经过sec()方法后就被加密了，查看sec方法后发现，数据被传入了SearchActivityKt$sec$1类。

加密逻辑在SearchActivityKt$sec$1类里面，在SearchActivityKt$sec$1方法下我们可以看到，被传入的函数被作为结果函数在最后执行，并接受明文和密钥。加密逻辑在invokeSuspend()方法里。

这里还用JNI.INSTANCE.getAt()方法获取了一个从so层传来的字符串并在updateAAD(bytes)中作为加密的ADD传入。之后进行AES-gcm的加密，最后再转为base64。hook一下JNI.INSTANCE.getAt()获得ADD。从题目提示得知tag也是密文的一部分。AES-GCM的密文结果一般是”iv | encrypt | tag(16bit)”。我们把密文base64解码后获取中间的密文部分。再提取tag，输入数据解密就行。

from base64 import b64decode
from Crypto.Cipher import AES

key = b"atrikeyssyekirta"
data = "MTE0NTE0HMuJKLOW1BqCAi2MxpHYjGjpPq82XXQ/jgx5WYrZ2MV53a9xjQVbRaVdRiXFrSn6EcQPzA=="
aad = b"mysecretadd"

decoded_data = b64decode(data)

iv = decoded_data[:6]
ciphertext = decoded_data[6:-16]
tag = decoded_data[-16:]

enc = AES.new(key, AES.MODE_GCM, nonce=iv)
enc.update(aad)

flag = enc.decrypt_and_verify(ciphertext, tag)

print(flag)

hook脚本

Java.perform(function(){ 
    let TextKt = Java.use("androidx.compose.material3.TextKt");
TextKt["Text--4IGK_g"].overload('java.lang.String', 'androidx.compose.ui.Modifier', 'long', 'long', 'androidx.compose.ui.text.font.FontStyle', 'androidx.compose.ui.text.font.FontWeight', 'androidx.compose.ui.text.font.FontFamily', 'long', 'androidx.compose.ui.text.style.TextDecoration', 'androidx.compose.ui.text.style.TextAlign', 'long', 'int', 'boolean', 'int', 'int', 'kotlin.jvm.functions.Function1', 'androidx.compose.ui.text.TextStyle', 'androidx.compose.runtime.Composer', 'int', 'int', 'int').implementation = function (text, modifier, color, fontSize, fontStyle, fontWeight, fontFamily, letterSpacing, textDecoration, textAlign, lineHeight, overflow, softWrap, maxLines, minLines, function1, style, $composer, $changed, $changed1, i) {
    console.log(`TextKt.m2466Text4IGK_g is called: text=${text}, modifier=${modifier}, color=${color}, fontSize=${fontSize}, fontStyle=${fontStyle}, fontWeight=${fontWeight}, fontFamily=${fontFamily}, letterSpacing=${letterSpacing}, textDecoration=${textDecoration}, textAlign=${textAlign}, lineHeight=${lineHeight}, overflow=${overflow}, softWrap=${softWrap}, maxLines=${maxLines}, minLines=${minLines}, function1=${function1}, style=${style}, $composer=${$composer}, $changed=${$changed}, $changed1=${$changed1}, i=${i}`);
    this["Text--4IGK_g"](text, modifier, color, fontSize, fontStyle, fontWeight, fontFamily, letterSpacing, textDecoration, textAlign, lineHeight, overflow, softWrap, maxLines, minLines, function1, style, $composer, $changed, $changed1, i);
};


let SearchActivityKt = Java.use("com.atri.ezcompose.SearchActivityKt");
SearchActivityKt["check"].implementation = function (text, context, key) {
    console.log(`SearchActivityKt.check is called: text=${text}, context=${context}, key=${key}`);
    this["check"](text, context, key);
};

SearchActivityKt["sec"].implementation = function (context, secretKey, text, function1) {
    console.log(`SearchActivityKt.sec is called: context=${context}, secretKey=${secretKey}, text=${text}, function1=${function1}`);
    this["sec"](context, secretKey, text, function1);
};

SearchActivityKt["check$lambda$14"].implementation = function (context, flag) {
    console.log(`SearchActivityKt.check$lambda$14 is called: context=${context}, flag=${flag}`);

    let result = this["check$lambda$14"](context, flag);
    console.log(`SearchActivityKt.check$lambda$14 result=${result}`);
    return result;
};

let JNI = Java.use("com.atri.ezcompose.JNI");
JNI["getAt"].implementation = function () {
    console.log(`JNI.getAt is called`);
    let result = this["getAt"]();
    console.log(`JNI.getAt result=${result}`);
    return result;
};
let Intrinsics = Java.use("kotlin.jvm.internal.Intrinsics");
Intrinsics["checkNotNullExpressionValue"].implementation = function (value, expression) {
    console.log(`Intrinsics.checkNotNullExpressionValue is called: value=${value}, expression=${expression}`);
    this["checkNotNullExpressionValue"](value, expression);
};
})

---

幸运转盘

鸿蒙逆向。用abc编译器反编译.hap解压后的etc\modules.abc文件。被混淆了，不过不影响分析，用搜索寻找函数的声明与引用就行。

我们可以看到一个Index页面，这是第一个界面，里面有一个#~@0>@1*^d*#()方法。

这里先加载了一个lib库，里面传入了一些数据，我们ctrl+f搜索一下名字就会发现_lexenv_0_1_.numX是输入数据的长度，lexenv_0_1.pw是我们输入的数据，还有一个常量24也被传入。然后把返回的结果传参传给了pages/MyPage。

我们来看MyPage，往下看会看到一串密文。

在lexenv_0_0_ = Uint8Array(buffer.from(lexenv_0_5.result).buffer);中我们发现_lexenv_0_5就是MyPage这个对象，从中我们获取了result这个属性并转为字符串。这就是从Index传来的参数。

往下看ldlexvar.forEach()这个方法对我们的输入进行了一些操作，第一个是(result+1)^7，第二个就是在和_lexenv_0_1也就是密文进行比较。

现在我们看c层对我们的输入进行的操作，ida打开libhello.so搜索MyCry，这是在调用lib库的时候传入参数的的函数。其实在你第一步解密密文时就会发现这是一个base64加密编码，也可以去字符串表找base64的表用交叉引用定位函数。

有一个+3还有两个RC4魔改加密，试两次就行。估计是等于50的那个。

import base64

def KSA(key):
    """ Key-Scheduling Algorithm (KSA) """
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def PRGA(S):
    """ Pseudo-Random Generation Algorithm (PRGA) """
    i, j = 0, 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        K = S[(S[i] + S[j]) % 256]
        yield K


def RC4(key, text):
    """ RC4 encryption/decryption """
    S = KSA(key)
    keystream = PRGA(S)
    res = []
    for char in text:
        res.append(char ^ next(keystream))
    return bytes(res)

s = [101, 74, 76, 49, 101, 76, 117, 87, 55, 69, 118, 68, 118, 69, 55, 67, 61, 83, 62, 111, 81, 77, 115, 101, 53, 73, 83, 66, 68, 114, 109, 108, 75, 66, 97, 117, 93, 127, 115, 124, 109, 82, 93, 115]
enc=""

for i in range(len(s)):
    enc += chr((s[i]^7) -1)
print(enc)

dec = base64.b64decode(enc.encode())

enc_1 = []
for i in dec:
    b = i ^ 0x28
    enc_1.append(b)

key = b'Take_it_easy'

ciphertext = RC4(key, enc_1)
flag = ""
for i in ciphertext:
    flag += chr(i-3)
print(flag)

# aLJ5aJqO/ApBpA/C9S8gUIsa1MSDBtijKDeqYwsziTYs
# VNCTF{JUst_$ne_Iast_dance_2025!} 

AndroidLux

程序在java层用socket与linux虚拟环境进行通信，把输入传给linux进行判断。在Init类下发现解压了assert中的env文件进行初始化，我们解压下来就可以看到linux的rootfs文件。在Service类下可以看到启动了一个服务，就是启动了一个linux虚拟环境并设置执行目录为/root并执行了/root下的env文件。我们在rootfs文件中找到env文件，ida打开分析。里面有些用B和B.IM构成的花指令，用E0 03 00 AA字节码修改掉。发现main函数和一个魔改的base64的加密逻辑。main函数实现了对数据的接受，进行base64编码和最后的比较。直接写出解密脚本发现解密不出。感觉是什么地方被修改了。于是我提取env文件在手机上自启linux虚拟环境运行，同时运行frida进行hook。发现输入的数据并没有被修改。这就纳闷了。那么数据的修改不在env文件里，也不再java层里，那么就在虚拟linux系统上了。

最后看官方的文档，原来是修改了/etc/ld.so.preload配置文件加载了另一个so文件（参考），对read()和strcmp()做了手脚。至于怎么找到的，官方文档说用文件的修改时间对env内所有文件排序就可以看到了。

find . -type f -printf "%T@ %p\n" | sort -nr | head -20 | cut -d' ' -f2-

/etc/ld.so.preload，里面指向的是”\usr\libexec\libexec.so”，ida打开就可以看到逻辑。

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

unsigned char* base64_table = (unsigned char*)"TUVWXYZabcdefghijABCDEF456789GHIJKLMNOPQRSklmnopqrstuvwxyz0123+/";

unsigned char* base64_decode(unsigned char* code)
{
    int table[] = {255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 62, 255, 255, 255, 63, 58, 59, 60, 61, 23, 24, 25, 26, 27, 28, 255, 255, 255, 255, 255, 255, 255, 17, 18, 19, 20, 21, 22, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 0, 1, 2, 3, 4, 5, 6, 255, 255, 255, 255, 255, 255, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255};

    long len;
    long str_len;
    unsigned char* res;
    int i, j;

    //计算解码后的字符串长度  
    len = strlen((const char*)code);
    //判断编码后的字符串后是否有=  
    if (strstr((const char*)code, "=="))
        str_len = len / 4 * 3 - 2;
    else if (strstr((const char*)code, "="))
        str_len = len / 4 * 3 - 1;
    else
        str_len = len / 4 * 3;

    res = (unsigned char*)malloc(sizeof(unsigned char) * str_len + 1);
    res[str_len] = '\0';
    unsigned char a, b,c;

    //以4个字符为一位进行解码  
    for (i = 0, j = 0; i < len - 2; j += 3, i += 4)
    {
        res[j] = (((unsigned char)table[code[i]]) << 2) | (((unsigned char)table[code[i + 1]]) & 3); 
        res[j + 1] = ((((unsigned char)table[code[i + 1]]) & 0x3c) << 2) | (((unsigned char)table[code[i + 2]]) & 0xf); 
        a = (unsigned char)table[code[i + 2]];
        c = a >> 4 << 6;
        b = ((unsigned char)table[code[i + 3]]);
        res[j + 2] =  c|b;   
    }

    return res;

}

int recmp(unsigned char* data) {
    unsigned char* tmp[100];
    unsigned char tmp_a13,tmp_d13;
    
    for (int i = 0; i < 53; i++) {
        tmp_a13 = data[i] + 13;
        tmp_d13 = data[i] - 13;
        if (tmp_d13 <= 64 || tmp_d13 > 77) {
            if (tmp_a13 <= 77 || tmp_a13 > 90) {
                if (tmp_d13 <= 96 || tmp_d13 > 109) {
                    if (tmp_a13 <= 109 || tmp_a13 > 122) {
                        continue;
                    }
                    else data[i] = tmp_a13;
                }
                else  data[i] = tmp_d13;
            }
            else data[i] = tmp_a13;
        }
        else  data[i] = tmp_d13;
    }
    return 0;
}
int rexor(unsigned char* data) {
    for (int i = 0; i < 53; i++) {
        data[i] ^= 1;
    }
    return 0;
}

int main() {
    unsigned char m[] = "RPVIRN40R9PU67ue6RUH88Rgs65Bp8td8VQm4SPAT8Kj97QgVG==";
    
    recmp(m);

    for (int i = 0; i < 53; i++) {
        printf("%c", m[i]);
    }

    unsigned char* result = result = base64_decode(m);;
    
    rexor(result);

    printf("\n");
    for (int i = 0; i < 37; i++) {
        printf("%c", result[i]);
    }
    printf("\n");
    
}

这题的逻辑是proot通过ptrace拦截系统调用，并修改调用指向虚拟环境的位置，从而在虚拟机中执行root命令。同时也限制了调试。参考

Fuko’s_starfish

有些多余的东西可以pacth掉，最后有个反调试，在汇编里把判断改成jz就行。前面的游戏都可以patch一下，比如把猜数字的值改成0，贪吃蛇的分数改成0就通过。

搜索字符串可以找到最终的逻辑，里面有两个aes加密。开头加载密钥，交叉引用一下可以看到密钥初始的位置。

下面还有一个CheckRemoteDebuggerPresent函数，如果不处于调试，密钥异或0x17。写脚本解拿到密钥解AES即可。密文在比较的位置。

查找srand的引用可以找到种子114514

#include <stdio.h>
#include <stdlib.h>

int main() {
	srand(114514);

	for (int i = 0; i < 16; i++) {
		int a = rand();
		printf("%.2x", (a % 255)^0x17);
	}
	
}
//09e5fdeb683175b6b13b840891eb78d2

密文(3D011C190BA090815F672731A89AA47497362167AB2EB4A09418D37D93E646E7)