fpbe

根据知乎这篇文章 https://zhuanlan.zhihu.com/p/467647354
作者在编写程序中 有用到fpbe.bpf.c这个源文件,而在这个文件中用到了BPF_KPROBE(uprobe),这个函数就是在那个fpbe程序中的uprobed_function之前执行,但是BPF_KPROBE(uprobe) 是ebpf字节码形式的,IDA看不到,所以先binwalk提取出用ebpf字节码的那部分来,然后用llvm-objdump -d xxx.o 提取,就可以看到验证的函数了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99

F4018.elf:	file format ELF64-BPF

Disassembly of section uprobe/func:
uprobe:
       0:	79 12 68 00 00 00 00 00 	r2 = *(u64 *)(r1 + 104)
       1:	67 02 00 00 20 00 00 00 	r2 <<= 32
       2:	77 02 00 00 20 00 00 00 	r2 >>= 32
       3:	79 13 70 00 00 00 00 00 	r3 = *(u64 *)(r1 + 112)
       4:	67 03 00 00 20 00 00 00 	r3 <<= 32
       5:	77 03 00 00 20 00 00 00 	r3 >>= 32
       6:	bf 34 00 00 00 00 00 00 	r4 = r3
       7:	27 04 00 00 c0 6d 00 00 	r4 *= 28096
       8:	bf 25 00 00 00 00 00 00 	r5 = r2
       9:	27 05 00 00 88 fb 00 00 	r5 *= 64392
      10:	0f 45 00 00 00 00 00 00 	r5 += r4
      11:	79 14 60 00 00 00 00 00 	r4 = *(u64 *)(r1 + 96)
      12:	67 04 00 00 20 00 00 00 	r4 <<= 32
      13:	77 04 00 00 20 00 00 00 	r4 >>= 32
      14:	bf 40 00 00 00 00 00 00 	r0 = r4
      15:	27 00 00 00 fb 71 00 00 	r0 *= 29179
      16:	0f 05 00 00 00 00 00 00 	r5 += r0
      17:	79 11 58 00 00 00 00 00 	r1 = *(u64 *)(r1 + 88)
      18:	b7 00 00 00 00 00 00 00 	r0 = 0
      19:	73 0a f8 ff 00 00 00 00 	*(u8 *)(r10 - 8) = r0
      20:	7b 0a f0 ff 00 00 00 00 	*(u64 *)(r10 - 16) = r0
      21:	7b 0a e8 ff 00 00 00 00 	*(u64 *)(r10 - 24) = r0
      22:	67 01 00 00 20 00 00 00 	r1 <<= 32
      23:	77 01 00 00 20 00 00 00 	r1 >>= 32
      24:	bf 10 00 00 00 00 00 00 	r0 = r1
      25:	27 00 00 00 8e cc 00 00 	r0 *= 52366
      26:	0f 05 00 00 00 00 00 00 	r5 += r0
      27:	b7 06 00 00 01 00 00 00 	r6 = 1
      28:	18 00 00 00 95 59 73 a1 00 00 00 00 18 be 00 00 	r0 = 209012997183893 ll
      30:	5d 05 42 00 00 00 00 00 	if r5 != r0 goto +66 <LBB0_5>
      31:	bf 35 00 00 00 00 00 00 	r5 = r3
      32:	27 05 00 00 bf f1 00 00 	r5 *= 61887
      33:	bf 20 00 00 00 00 00 00 	r0 = r2
      34:	27 00 00 00 e5 6a 00 00 	r0 *= 27365
      35:	0f 50 00 00 00 00 00 00 	r0 += r5
      36:	bf 45 00 00 00 00 00 00 	r5 = r4
      37:	27 05 00 00 d3 ad 00 00 	r5 *= 44499
      38:	0f 50 00 00 00 00 00 00 	r0 += r5
      39:	bf 15 00 00 00 00 00 00 	r5 = r1
      40:	27 05 00 00 84 92 00 00 	r5 *= 37508
      41:	0f 50 00 00 00 00 00 00 	r0 += r5
      42:	18 05 00 00 40 03 54 e5 00 00 00 00 56 a5 00 00 	r5 = 181792633258816 ll
      44:	5d 50 34 00 00 00 00 00 	if r0 != r5 goto +52 <LBB0_5>
      45:	bf 35 00 00 00 00 00 00 	r5 = r3
      46:	27 05 00 00 85 dd 00 00 	r5 *= 56709
      47:	bf 20 00 00 00 00 00 00 	r0 = r2
      48:	27 00 00 00 28 80 00 00 	r0 *= 32808
      49:	0f 50 00 00 00 00 00 00 	r0 += r5
      50:	bf 45 00 00 00 00 00 00 	r5 = r4
      51:	27 05 00 00 2d 65 00 00 	r5 *= 25901
      52:	0f 50 00 00 00 00 00 00 	r0 += r5
      53:	bf 15 00 00 00 00 00 00 	r5 = r1
      54:	27 05 00 00 12 e7 00 00 	r5 *= 59154
      55:	0f 50 00 00 00 00 00 00 	r0 += r5
      56:	18 05 00 00 a3 4d 48 74 00 00 00 00 f3 a6 00 00 	r5 = 183564558159267 ll
      58:	5d 50 26 00 00 00 00 00 	if r0 != r5 goto +38 <LBB0_5>
      59:	bf 35 00 00 00 00 00 00 	r5 = r3
      60:	27 05 00 00 2c 82 00 00 	r5 *= 33324
      61:	bf 20 00 00 00 00 00 00 	r0 = r2
      62:	27 00 00 00 43 ca 00 00 	r0 *= 51779
      63:	0f 50 00 00 00 00 00 00 	r0 += r5
      64:	bf 45 00 00 00 00 00 00 	r5 = r4
      65:	27 05 00 00 8e 7c 00 00 	r5 *= 31886
      66:	0f 50 00 00 00 00 00 00 	r0 += r5
      67:	bf 15 00 00 00 00 00 00 	r5 = r1
      68:	27 05 00 00 3a f2 00 00 	r5 *= 62010
      69:	0f 50 00 00 00 00 00 00 	r0 += r5
      70:	18 05 00 00 77 72 5a 48 00 00 00 00 9c b9 00 00 	r5 = 204080879923831 ll
      72:	5d 50 18 00 00 00 00 00 	if r0 != r5 goto +24 <LBB0_5>
      73:	63 1a f4 ff 00 00 00 00 	*(u32 *)(r10 - 12) = r1
      74:	63 4a f0 ff 00 00 00 00 	*(u32 *)(r10 - 16) = r4
      75:	63 2a ec ff 00 00 00 00 	*(u32 *)(r10 - 20) = r2
      76:	63 3a e8 ff 00 00 00 00 	*(u32 *)(r10 - 24) = r3
      77:	18 01 00 00 43 54 46 7b 00 00 00 00 25 73 7d 0a 	r1 = 755886917287302211 ll
      79:	7b 1a d8 ff 00 00 00 00 	*(u64 *)(r10 - 40) = r1
      80:	18 01 00 00 46 4c 41 47 00 00 00 00 3a 20 48 46 	r1 = 5064333215653776454 ll
      82:	7b 1a d0 ff 00 00 00 00 	*(u64 *)(r10 - 48) = r1
      83:	18 01 00 00 45 21 20 59 00 00 00 00 4f 55 52 20 	r1 = 2329017756590022981 ll
      85:	7b 1a c8 ff 00 00 00 00 	*(u64 *)(r10 - 56) = r1
      86:	18 01 00 00 57 45 4c 4c 00 00 00 00 20 44 4f 4e 	r1 = 5642803763628229975 ll
      88:	7b 1a c0 ff 00 00 00 00 	*(u64 *)(r10 - 64) = r1
      89:	b7 06 00 00 00 00 00 00 	r6 = 0
      90:	73 6a e0 ff 00 00 00 00 	*(u8 *)(r10 - 32) = r6
      91:	bf a1 00 00 00 00 00 00 	r1 = r10
      92:	07 01 00 00 c0 ff ff ff 	r1 += -64
      93:	bf a3 00 00 00 00 00 00 	r3 = r10
      94:	07 03 00 00 e8 ff ff ff 	r3 += -24
      95:	b7 02 00 00 21 00 00 00 	r2 = 33
      96:	85 00 00 00 06 00 00 00 	call 6

LBB0_5:
      97:	bf 60 00 00 00 00 00 00 	r0 = r6
      98:	95 00 00 00 00 00 00 00 	exit

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
from z3 import *
from Crypto.Util.number import *

r2 = Int('r2')     # flag[2]
r3 = Int('r3')     # flag[3]
r4 = Int('r4')     # flag[1]
r1 = Int('r1')     # flag[0]

s = Solver()
s.add(r3 * 28096 + r2 * 64392 + r4 * 29179 + r1 * 52366 == 209012997183893)
s.add(r3 * 61887 + r2 * 27365 + r4 * 44499 + r1 * 37508 == 181792633258816)
s.add(r3 * 56709 + r2 * 32808 + r4 * 25901 + r1 * 59154 == 183564558159267)
s.add(r3 * 33324 + r2 * 51779 + r4 * 31886 + r1 * 62010 == 204080879923831)


assert s.check() == sat

flag = b""
m = s.model()
# for i in [r1, r4, r2, r3]:
#     flag += long_to_bytes(m[i].as_long())[::-1]

for i in [r3, r2, r4, r1]:
    flag += long_to_bytes(m[i].as_long())[::-1]

print(flag)
# 0vR3sAlbs8pD2h53

the_shellcode

执行程序,dump下来,IDA打开dump文件分析,配合OD动态调试程序,发现↓
程序逻辑为先输入base64加密的shellcode(len=352),然后shellcode解密,每一个字节执行rol 3操作,再魔改的xxtea解密,然后再输入flag(len=14),再根据shellcode验证flag

xxtea密文是 byte_1A3310[264]

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
unsigned char ida_chars[] =
{
  0xA1, 0x89, 0x6B, 0x4B, 0x53, 0x54, 0xC1, 0x74, 0x6E, 0xA0, 
  0x92, 0x40, 0x07, 0x0C, 0x9B, 0x42, 0x84, 0x1E, 0x28, 0x40, 
  0xC9, 0x44, 0x5B, 0x8B, 0x7B, 0xB3, 0xFE, 0x66, 0x03, 0xA6, 
  0x77, 0x3C, 0x2D, 0x89, 0xC5, 0x79, 0x97, 0xDA, 0x7A, 0x0D, 
  0x56, 0xAA, 0x51, 0x1D, 0x03, 0xD7, 0xD4, 0x02, 0xBA, 0x26, 
  0xA5, 0x4F, 0x4A, 0xD6, 0xFA, 0x32, 0x91, 0x60, 0x0F, 0x0C, 
  0x93, 0x75, 0x2B, 0x56, 0x67, 0xDD, 0x9A, 0xDB, 0x63, 0x55, 
  0x16, 0x76, 0x15, 0x93, 0xF7, 0xA5, 0x1D, 0x99, 0xEB, 0x3A, 
  0xD4, 0x21, 0xB7, 0x1A, 0x2C, 0x9D, 0xCD, 0xAA, 0x27, 0x2B, 
  0x5C, 0x82, 0x1A, 0x76, 0xA7, 0x76, 0x18, 0x5F, 0x00, 0xB4, 
  0x63, 0x37, 0x7F, 0x11, 0x40, 0xC5, 0x2C, 0x51, 0x6F, 0xA1, 
  0x94, 0xC5, 0x8C, 0x4F, 0xE2, 0xD0, 0xE9, 0xE2, 0xA3, 0x9C, 
  0xD5, 0xC2, 0x9C, 0x0A, 0x1D, 0xE6, 0x29, 0x46, 0xE3, 0x29, 
  0x71, 0x63, 0xD7, 0x8A, 0x4E, 0xCA, 0x71, 0xAF, 0xDF, 0xF5, 
  0xAB, 0x68, 0x4E, 0x47, 0x3A, 0xBC, 0x2F, 0x54, 0x17, 0x16, 
  0x74, 0xD6, 0xE5, 0xBB, 0x0D, 0xAD, 0xE3, 0xBB, 0xF7, 0x62, 
  0x07, 0x8C, 0xD6, 0xC8, 0x0E, 0x95, 0x0E, 0x88, 0xBA, 0x25, 
  0x0F, 0xF8, 0x4C, 0x26, 0x7A, 0x76, 0x14, 0xE0, 0x7C, 0x9A, 
  0xEE, 0xC9, 0x8B, 0x5C, 0xD4, 0xF7, 0x9E, 0x5D, 0xDE, 0xAC, 
  0x99, 0xB9, 0x13, 0x8E, 0xEC, 0xB2, 0x2D, 0x23, 0x68, 0xEE, 
  0xCE, 0x5F, 0x7C, 0x92, 0x5D, 0xA8, 0xE3, 0xC9, 0x6B, 0xB5, 
  0x74, 0xAC, 0x12, 0xE7, 0xB6, 0x42, 0xDA, 0x98, 0x28, 0xCD, 
  0x58, 0x1C, 0xF1, 0xFC, 0xEE, 0x75, 0x70, 0xF5, 0x78, 0xE6, 
  0x76, 0x50, 0x35, 0x6A, 0xD6, 0xD4, 0xB9, 0x5A, 0x10, 0x95, 
  0x03, 0x44, 0xB0, 0x1B, 0x59, 0xB9, 0x40, 0xB2, 0x1A, 0x26, 
  0x4E, 0x7B, 0xD8, 0x29, 0xD1, 0x23, 0xCD, 0x52, 0xE7, 0xF5, 
  0x70, 0x8F, 0xA7, 0x4E
};

魔改为 #define MX (((z>>6^ (y * 4)) + (y>>3^ (z*16))) ^ ((sum^y) + (key[(p&3)^e] ^ z)))

解密shellcode的脚本为

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
#include <stdio.h>  
#include <stdint.h>  
#define DELTA 0x61C88647  
#define MX (((z>>6^ (y * 4)) + (y>>3^ (z*16))) ^ ((sum^y) + (key[(p&3)^e] ^ z)))  

void btea(uint32_t* v, int n, uint32_t const key[4])
{
	uint32_t y, z, sum;
	unsigned p, rounds, e;
	if (n > 1)            /* Coding Part */
	{
		rounds = 6 + 52 / n;
		sum = 0;
		z = v[n - 1];
		do
		{
			sum -= DELTA;
			e = (sum >> 2) & 3;
			for (p = 0; p < n - 1; p++)
			{
				y = v[p + 1];
				z = v[p] += MX;
			}
			y = v[0];
			z = v[n - 1] += MX;
		} while (--rounds);
	}
	else if (n < -1)      /* Decoding Part */
	{
		n = -n;
		rounds = 6 + 52 / n;
		sum = 0 - rounds * DELTA;
		y = v[0];
		do
		{
			e = (sum >> 2) & 3;
			for (p = n - 1; p > 0; p--)
			{
				z = v[p - 1];
				y = v[p] -= MX;
			}
			z = v[n - 1];
			y = v[0] -= MX;
			sum += DELTA;
		} while (--rounds);
	}
}

unsigned char enc_shellcode[] =
{
  0xA1, 0x89, 0x6B, 0x4B, 0x53, 0x54, 0xC1, 0x74, 0x6E6, 0xA0,
  0x92, 0x40, 0x07, 0x0C, 0x9B, 0x42, 0x84, 0x1E, 0x28, 0x40,
  0xC9, 0x44, 0x5B, 0x8B, 0x7B, 0xB3, 0xFE, 0x66, 0x03, 0xA6,
  0x77, 0x3C, 0x2D, 0x89, 0xC5, 0x79, 0x97, 0xDA, 0x7A, 0x0D,
  0x56, 0xAA, 0x51, 0x1D, 0x03, 0xD7, 0xD4, 0x02, 0xBA, 0x26,
  0xA5, 0x4F, 0x4A, 0xD6, 0xFA, 0x32, 0x91, 0x60, 0x0F, 0x0C,
  0x93, 0x75, 0x2B, 0x56, 0x67, 0xDD, 0x9A, 0xDB, 0x63, 0x55,
  0x16, 0x76, 0x15, 0x93, 0xF7, 0xA5, 0x1D, 0x99, 0xEB, 0x3A,
  0xD4, 0x21, 0xB7, 0x1A, 0x2C, 0x9D, 0xCD, 0xAA, 0x27, 0x2B,
  0x5C, 0x82, 0x1A, 0x76, 0xA7, 0x76, 0x18, 0x5F, 0x00, 0xB4,
  0x63, 0x37, 0x7F, 0x11, 0x40, 0xC5, 0x2C, 0x51, 0x6F, 0xA1,
  0x94, 0xC5, 0x8C, 0x4F, 0xE2, 0xD0, 0xE9, 0xE2, 0xA3, 0x9C,
  0xD5, 0xC2, 0x9C, 0x0A, 0x1D, 0xE6, 0x29, 0x46, 0xE3, 0x29,
  0x71, 0x63, 0xD7, 0x8A, 0x4E, 0xCA, 0x71, 0xAF, 0xDF, 0xF5,
  0xAB, 0x68, 0x4E, 0x47, 0x3A, 0xBC, 0x2F, 0x54, 0x17, 0x16,
  0x74, 0xD6, 0xE5, 0xBB, 0x0D, 0xAD, 0xE3, 0xBB, 0xF7, 0x62,
  0x07, 0x8C, 0xD6, 0xC8, 0x0E, 0x95, 0x0E, 0x88, 0xBA, 0x25,
  0x0F, 0xF8, 0x4C, 0x26, 0x7A, 0x76, 0x14, 0xE0, 0x7C, 0x9A,
  0xEE, 0xC9, 0x8B, 0x5C, 0xD4, 0xF7, 0x9E, 0x5D, 0xDE, 0xAC,
  0x99, 0xB9, 0x13, 0x8E, 0xEC, 0xB2, 0x2D, 0x23, 0x68, 0xEE,
  0xCE, 0x5F, 0x7C, 0x92, 0x5D, 0xA8, 0xE3, 0xC9, 0x6B, 0xB5,
  0x74, 0xAC, 0x12, 0xE7, 0xB6, 0x42, 0xDA, 0x98, 0x28, 0xCD,
  0x58, 0x1C, 0xF1, 0xFC, 0xEE, 0x75, 0x70, 0xF5, 0x78, 0xE6,
  0x76, 0x50, 0x35, 0x6A, 0xD6, 0xD4, 0xB9, 0x5A, 0x10, 0x95,
  0x03, 0x44, 0xB0, 0x1B, 0x59, 0xB9, 0x40, 0xB2, 0x1A, 0x26,
  0x4E, 0x7B, 0xD8, 0x29, 0xD1, 0x23, 0xCD, 0x52, 0xE7, 0xF5,
  0x70, 0x8F, 0xA7, 0x4E
};

int main()
{
	uint32_t* v = (uint32_t *)enc_shellcode;
	uint32_t const k[4] = {116, 111, 114, 97 };
	btea(v, -66, k);

	for (int i = 0; i < 264; i++)
	{
		enc_shellcode[i] = ((enc_shellcode[i] >> 3) & 0XFF) | ((enc_shellcode[i] << 5) & 0XFF);
	}

	for (int i = 0; i < 264; i++)
	{
		printf("\\x%02x", enc_shellcode[i]);
	}


	return 0;
}

base64加密后是:
YPxoTHcmBzPSZItSMItSDItSFItyKA+3SiYz/zPArDxhfAIsIMHPDQP44vBSV4tSEItCPAPCi0B4hcAPhL4AAAADwlCLSBiLWCAD2oP5AA+EqQAAAEmLNIsD8jP/M8Cswc8NA/g6xHX0A3wkBDt8JAx12TP/M8mDwlAPtgQKwc8NA/hBg/kOdfHBzw1XM/8zyYtUJDxSD7YcDrhnZmZm9+vR+ovCwegfA8KNBIAr2FoPtgQKK8PBzw0D+EGD+Q511MHPDTs8JHQWaCVzAACLxGhubwAAVFCLXCRI/9PrFGglcwAAi8RoeWVzAFRQi1wkSP/TWFhYWFhYWFhYYcNYX1qLEukL////

写程序,直接F5看shellcode

1
2
3
4
5
6
7
8
9
10
11
12
#include <stdio.h>  

char shellcode[] = { 0x60, 0xfc, 0x68, 0x4c, 0x77, 0x26, 0x7, 0x33, 0xd2, 0x64, 0x8b, 0x52, 0x30, 0x8b, 0x52, 0xc, 0x8b, 0x52, 0x14, 0x8b, 0x72, 0x28, 0xf, 0xb7, 0x4a, 0x26, 0x33, 0xff, 0x33, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x2, 0x2c, 0x20, 0xc1, 0xcf, 0xd, 0x3, 0xf8, 0xe2, 0xf0, 0x52, 0x57, 0x8b, 0x52, 0x10, 0x8b, 0x42, 0x3c, 0x3, 0xc2, 0x8b, 0x40, 0x78, 0x85, 0xc0, 0xf, 0x84, 0xbe, 00, 00, 00, 0x3, 0xc2, 0x50, 0x8b, 0x48, 0x18, 0x8b, 0x58, 0x20, 0x3, 0xda, 0x83, 0xf9, 00, 0xf, 0x84, 0xa9, 00, 00, 00, 0x49, 0x8b, 0x34, 0x8b, 0x3, 0xf2, 0x33, 0xff, 0x33, 0xc0, 0xac, 0xc1, 0xcf, 0xd, 0x3, 0xf8, 0x3a, 0xc4, 0x75, 0xf4, 0x3, 0x7c, 0x24, 0x4, 0x3b, 0x7c, 0x24, 0xc, 0x75, 0xd9, 0x33, 0xff, 0x33, 0xc9, 0x83, 0xc2, 0x50, 0xf, 0xb6, 0x4, 0xa, 0xc1, 0xcf, 0xd, 0x3, 0xf8, 0x41, 0x83, 0xf9, 0xe, 0x75, 0xf1, 0xc1, 0xcf, 0xd, 0x57, 0x33, 0xff, 0x33, 0xc9, 0x8b, 0x54, 0x24, 0x3c, 0x52, 0xf, 0xb6, 0x1c, 0xe, 0xb8, 0x67, 0x66, 0x66, 0x66, 0xf7, 0xeb, 0xd1, 0xfa, 0x8b, 0xc2, 0xc1, 0xe8, 0x1f, 0x3, 0xc2, 0x8d, 0x4, 0x80, 0x2b, 0xd8, 0x5a, 0xf, 0xb6, 0x4, 0xa, 0x2b, 0xc3, 0xc1, 0xcf, 0xd, 0x3, 0xf8, 0x41, 0x83, 0xf9, 0xe, 0x75, 0xd4, 0xc1, 0xcf, 0xd, 0x3b, 0x3c, 0x24, 0x74, 0x16, 0x68, 0x25, 0x73, 00, 00, 0x8b, 0xc4, 0x68, 0x6e, 0x6f, 00, 00, 0x54, 0x50, 0x8b, 0x5c, 0x24, 0x48, 0xff, 0xd3, 0xeb, 0x14, 0x68, 0x25, 0x73, 00, 00, 0x8b, 0xc4, 0x68, 0x79, 0x65, 0x73, 00, 0x54, 0x50, 0x8b, 0x5c, 0x24, 0x48, 0xff, 0xd3, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x61, 0xc3, 0x58, 0x5f, 0x5a, 0x8b, 0x12, 0xe9, 0xb, 0xff, 0xff, 0xff };
int main()
{
	__asm {
		lea eax, shellcode;
		push eax;
		ret
	}
	return 0;
}

配合OD动调分析如下图

写脚本解密即可

1
2
3
4
5
6
7
8
9
key = [1, 1, 2, 0, 1, 0, 3, 4, 2, 4, 1, 4, 0, 0]
flag_fake = b"is program can"

flag = [flag_fake[i] + key[i] for i in range(14)]
print(bytes(flag))
# b'jt"psojvcq!gan'
a = b"YPxoTHcmBzPSZItSMItSDItSFItyKA+3SiYz/zPArDxhfAIsIMHPDQP44vBSV4tSEItCPAPCi0B4hcAPhL4AAAADwlCLSBiLWCAD2oP5AA+EqQAAAEmLNIsD8jP/M8Cswc8NA/g6xHX0A3wkBDt8JAx12TP/M8mDwlAPtgQKwc8NA/hBg/kOdfHBzw1XM/8zyYtUJDxSD7YcDrhnZmZm9+vR+ovCwegfA8KNBIAr2FoPtgQKK8PBzw0D+EGD+Q511MHPDTs8JHQWaCVzAACLxGhubwAAVFCLXCRI/9PrFGglcwAAi8RoeWVzAFRQi1wkSP/TWFhYWFhYWFhYYcNYX1qLEukL////" + b'jt"psojvcq!gan'
print("HFCTF{" + md5(a).hexdigest() + "}")
# HFCTF{2b794e95022f2fe46106c21bbf57a755}