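/**
 * Checks a candidate password by running an ARM routine inside Unicorn.js.
 *
 * The routine is not stored as code: each byte is picked out of the decoded
 * "eye" image data at the offsets listed in `o1`, written to guest address
 * 0x1000 and executed there.
 *
 * Both operands and the routine itself live in the page, so the image-hidden
 * bytes and the emulator only obscure the comparison; a check that must stay
 * confidential has to run on a server.
 *
 * NOTE(review): neither argument's length is checked against the 4096-byte
 * regions it is copied into; how Unicorn.js reacts to an oversized write is
 * not visible here.
 *
 * @param {string} e - Presumably a string (it is passed to `stoh`); copied to
 *   guest address 0x3000, which r10 points at.
 * @param {string} _ - Presumably a string; copied to guest address 0x2000,
 *   which r9 points at. Its length is placed in r8.
 * @returns {number} Value of r5 once emulation stops.
 */
function test_pw(e, _) {
  const imageBytes = stoh(atob(getBase64Image("eye")));
  const codeBase = 0x1000;
  const secondArgAddr = 0x2000;
  const firstArgAddr = 0x3000;
  const regionSize = 4096;
  const emulator = new uc.Unicorn(uc.ARCH_ARM, uc.MODE_ARM);

  emulator.reg_write_i32(uc.ARM_REG_R9, secondArgAddr);
  emulator.reg_write_i32(uc.ARM_REG_R10, firstArgAddr);
  emulator.reg_write_i32(uc.ARM_REG_R8, _.length);

  // Assemble the routine one byte at a time from the image data.
  emulator.mem_map(codeBase, regionSize, uc.PROT_ALL);
  for (let i = 0; i < o1.length; i++) {
    emulator.mem_write(codeBase + i, [imageBytes[o1[i]]]);
  }

  emulator.mem_map(secondArgAddr, regionSize, uc.PROT_ALL);
  emulator.mem_write(secondArgAddr, stoh(_));
  emulator.mem_map(firstArgAddr, regionSize, uc.PROT_ALL);
  emulator.mem_write(firstArgAddr, stoh(e));

  // Run from the first to just past the last code byte; the trailing zeros are
  // the timeout and instruction-count arguments.
  emulator.emu_start(codeBase, codeBase + o1.length, 0, 0);
  return emulator.reg_read_i32(uc.ARM_REG_R5);
}

/**
 * Transforms a password by running a second ARM routine inside Unicorn.js.
 *
 * The routine's bytes come from the decoded "frei" image data at the offsets
 * listed in `o2`. The input is copied to guest address 0x2000 (r8), the output
 * region is mapped at 0x3000 (r9), and the input length is placed in r10.
 *
 * NOTE(review): the input length is not checked against the 4096-byte regions.
 *
 * @param {string} e - Presumably a string (it is passed to `stoh`).
 * @returns {*} `htos` applied to the first `e.length` bytes of the output
 *   region; presumably a string.
 */
function enc_pw(e) {
  const imageBytes = stoh(atob(getBase64Image("frei")));
  const codeBase = 0x1000;
  const inputAddr = 0x2000;
  const outputAddr = 0x3000;
  const regionSize = 4096;
  const emulator = new uc.Unicorn(uc.ARCH_ARM, uc.MODE_ARM);

  emulator.reg_write_i32(uc.ARM_REG_R8, inputAddr);
  emulator.reg_write_i32(uc.ARM_REG_R9, outputAddr);
  emulator.reg_write_i32(uc.ARM_REG_R10, e.length);

  emulator.mem_map(codeBase, regionSize, uc.PROT_ALL);
  for (let i = 0; i < o2.length; i++) {
    emulator.mem_write(codeBase + i, [imageBytes[o2[i]]]);
  }

  emulator.mem_map(inputAddr, regionSize, uc.PROT_ALL);
  emulator.mem_write(inputAddr, stoh(e));
  emulator.mem_map(outputAddr, regionSize, uc.PROT_ALL);

  emulator.emu_start(codeBase, codeBase + o2.length, 0, 0);
  return htos(emulator.mem_read(outputAddr, e.length));
}

/**
 * Builds a string from the decoded "templar" image data, taking one character
 * per offset listed in `o3`.
 *
 * The value is derived entirely from data shipped to the browser, so it should
 * be treated as readable by anyone who can load the page.
 *
 * @returns {string} The characters found at the `o3` offsets, in order.
 */
function get_pw() {
  const imageBytes = stoh(atob(getBase64Image("templar")));
  let password = "";
  for (let i = 0; i < o3.length; i++) {
    password += String.fromCharCode(imageBytes[o3[i]]);
  }
  return password;
}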
secret.js
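/**
 * Checks a candidate password by running an ARM routine inside Unicorn.js.
 *
 * The routine is not stored as code: each byte is picked out of the decoded
 * "eye" image data at the offsets listed in `o1`, written to guest address
 * 0x1000 and executed there.
 *
 * Both operands and the routine itself live in the page, so the image-hidden
 * bytes and the emulator only obscure the comparison; a check that must stay
 * confidential has to run on a server.
 *
 * NOTE(review): neither argument's length is checked against the 4096-byte
 * regions it is copied into; how Unicorn.js reacts to an oversized write is
 * not visible here.
 *
 * @param {string} e - Presumably a string (it is passed to `stoh`); copied to
 *   guest address 0x3000, which r10 points at.
 * @param {string} _ - Presumably a string; copied to guest address 0x2000,
 *   which r9 points at. Its length is placed in r8.
 * @returns {number} Value of r5 once emulation stops.
 */
function test_pw(e, _) {
  const imageBytes = stoh(atob(getBase64Image("eye")));
  const codeBase = 0x1000;
  const secondArgAddr = 0x2000;
  const firstArgAddr = 0x3000;
  const regionSize = 4096;
  const emulator = new uc.Unicorn(uc.ARCH_ARM, uc.MODE_ARM);

  emulator.reg_write_i32(uc.ARM_REG_R9, secondArgAddr);
  emulator.reg_write_i32(uc.ARM_REG_R10, firstArgAddr);
  emulator.reg_write_i32(uc.ARM_REG_R8, _.length);

  // Assemble the routine one byte at a time from the image data.
  emulator.mem_map(codeBase, regionSize, uc.PROT_ALL);
  for (let i = 0; i < o1.length; i++) {
    emulator.mem_write(codeBase + i, [imageBytes[o1[i]]]);
  }

  emulator.mem_map(secondArgAddr, regionSize, uc.PROT_ALL);
  emulator.mem_write(secondArgAddr, stoh(_));
  emulator.mem_map(firstArgAddr, regionSize, uc.PROT_ALL);
  emulator.mem_write(firstArgAddr, stoh(e));

  // Run from the first to just past the last code byte; the trailing zeros are
  // the timeout and instruction-count arguments.
  emulator.emu_start(codeBase, codeBase + o1.length, 0, 0);
  return emulator.reg_read_i32(uc.ARM_REG_R5);
}

/**
 * Transforms a password by running a second ARM routine inside Unicorn.js.
 *
 * The routine's bytes come from the decoded "frei" image data at the offsets
 * listed in `o2`. The input is copied to guest address 0x2000 (r8), the output
 * region is mapped at 0x3000 (r9), and the input length is placed in r10.
 *
 * NOTE(review): the input length is not checked against the 4096-byte regions.
 *
 * @param {string} e - Presumably a string (it is passed to `stoh`).
 * @returns {*} `htos` applied to the first `e.length` bytes of the output
 *   region; presumably a string.
 */
function enc_pw(e) {
  const imageBytes = stoh(atob(getBase64Image("frei")));
  const codeBase = 0x1000;
  const inputAddr = 0x2000;
  const outputAddr = 0x3000;
  const regionSize = 4096;
  const emulator = new uc.Unicorn(uc.ARCH_ARM, uc.MODE_ARM);

  emulator.reg_write_i32(uc.ARM_REG_R8, inputAddr);
  emulator.reg_write_i32(uc.ARM_REG_R9, outputAddr);
  emulator.reg_write_i32(uc.ARM_REG_R10, e.length);

  emulator.mem_map(codeBase, regionSize, uc.PROT_ALL);
  for (let i = 0; i < o2.length; i++) {
    emulator.mem_write(codeBase + i, [imageBytes[o2[i]]]);
  }

  emulator.mem_map(inputAddr, regionSize, uc.PROT_ALL);
  emulator.mem_write(inputAddr, stoh(e));
  emulator.mem_map(outputAddr, regionSize, uc.PROT_ALL);

  emulator.emu_start(codeBase, codeBase + o2.length, 0, 0);
  return htos(emulator.mem_read(outputAddr, e.length));
}

/**
 * Builds a string from the decoded "templar" image data, taking one character
 * per offset listed in `o3`.
 *
 * The value is derived entirely from data shipped to the browser, so it should
 * be treated as readable by anyone who can load the page.
 *
 * @returns {string} The characters found at the `o3` offsets, in order.
 */
function get_pw() {
  const imageBytes = stoh(atob(getBase64Image("templar")));
  let password = "";
  for (let i = 0; i < o3.length; i++) {
    password += String.fromCharCode(imageBytes[o3[i]]);
  }
  return password;
}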
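def enc_pw(s):
    """Shift each character of ``s`` by a position- and parity-dependent amount.

    Presumably the author's Python rendering of the emulated ``enc_pw``
    routine; the line layout was rebuilt from a whitespace-collapsed listing.

    Every character code gains 6. When the previous *output* code was odd, the
    current one additionally gains ``i & 3`` (its index modulo 4). Output
    position ``i`` therefore depends only on input characters ``0..i``.

    :param s: input string.
    :returns: transformed string of the same length.
    """
    out = []
    prev_odd = 0
    for i, ch in enumerate(s):
        code = ord(ch)
        if prev_odd == 1:
            code += i & 3
        code += 6
        # Parity is taken from the already-shifted code, not from the input.
        prev_odd = code & 1
        out.append(chr(code))
    return ''.join(out)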
test_pw:
deftest_pw(s, t): for i, (c, d) in enumerate(zip(s, t)): c, d = ord(c), ord(d) c += 5 if i & 1: c -= 3 if c != d: return0 return1
解密脚本:
import string
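def enc_pw(s):
    """Shift each character of ``s`` by a position- and parity-dependent amount.

    Presumably the author's Python rendering of the emulated ``enc_pw``
    routine; the line layout was rebuilt from a whitespace-collapsed listing.

    Every character code gains 6. When the previous *output* code was odd, the
    current one additionally gains ``i & 3`` (its index modulo 4). Output
    position ``i`` therefore depends only on input characters ``0..i``.

    :param s: input string.
    :returns: transformed string of the same length.
    """
    out = []
    prev_odd = 0
    for i, ch in enumerate(s):
        code = ord(ch)
        if prev_odd == 1:
            code += i & 3
        code += 6
        # Parity is taken from the already-shifted code, not from the input.
        prev_odd = code & 1
        out.append(chr(code))
    return ''.join(out)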
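# Recover the input one position at a time. This works because enc_pw's output
# at index i depends only on input characters 0..i, so each position can be
# settled before moving to the next.
encrypted = 'XYzaSAAX_PBssisodjsal_sSUVWZYYYb'
flag = ''
for i, c in enumerate(encrypted):
    # Undo test_pw's adjustment (+5, and -3 at odd indices) to get the code
    # that enc_pw must have produced at this position.
    target = ord(c) - 5
    if i & 1 != 0:
        target += 3
    for d in string.printable:
        if enc_pw(flag + d)[i] == chr(target):
            flag += d
            break
    else:
        # Without this, a miss would surface one iteration later as an
        # IndexError on enc_pw(...)[i].
        raise ValueError('no printable character matches position %d' % i)
# Call form of print so the script runs on Python 2 and Python 3 alike.
print(flag)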