基础:
F5:反编译,Shift+F12:查看字符串,Ctrl+X:交叉引用,Shift+E:提取数据,F2:下断点,F9:调试,Ctrl+F:查找函数/字符串
You are good at ida
签到题:查壳,发现无壳,且为64位
可以看出flag第一部分是Y0u_4Re_
提示你点f12,查看字符串
点击第三行,并Ctrl+X,交叉引用
提取出来:900d_47_
The last part is in a named Interesting,最后一部分在Interesting函数
最后一部分:id4
flag:BaseCTF{Y0u_4Re_900d_47_id4}
UPX mini
前面重复的查壳(不放图了)
发现有UPX壳,就脱壳:在cmd中执行命令 upx.exe -d a.exe(这是最简单的脱壳方式;比这个难的是特征值被修改后的脱壳,更难的是手动脱壳(我还没写过不嘻嘻))
发现这就是简单的Base64编码
ez_maze
h和r转化的16进制ascii码之类
++v9:往后一位
v9+=15:往下一行....d:右w:上s:下a:左
Shift+F12
Shift+E
总共是225个数据
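# Maze cells exported from the binary: 225 values forming a 15x15 grid that
# is stored row by row. The literal is laid out 15 values per line so that
# each source line corresponds to one maze row.
# NOTE(review): the single 3 (first cell) and single 4 (last cell) look like
# the start and exit markers -- confirm against the decompiled move check.
data = [
    3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 1, 0, 0,
    1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 0, 0,
    1, 0, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0,
    1, 0, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 0, 0, 0,
    1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 1, 1, 0, 0, 0,
    1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 0, 1, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 1, 1, 1, 1, 0, 0, 1, 1, 1, 0, 0, 0,
    0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 1, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 4,
]

# Side length of the square maze (the move handler steps by 15 per row).
SIDE = 15

# Slicing never raises on a short list, so a truncated export would silently
# yield short or empty rows; check the element count up front instead.
if len(data) != SIDE * SIDE:
    raise ValueError(
        "expected %d maze cells, got %d" % (SIDE * SIDE, len(data))
    )

# Reshape the flat list into a 15x15 two-dimensional list.
array_15x15 = [data[r * SIDE:(r + 1) * SIDE] for r in range(SIDE)]

# Print the grid, one maze row per line.
for row in array_15x15:
    print(row)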
//
3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0
1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 1, 0, 0
1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 0, 0
1, 0, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0
1, 0, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 0, 0, 0
1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 1, 1, 0, 0, 0
1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 0, 1, 0, 0, 0
0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 0, 0
0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0
0, 0, 0, 1, 1, 1, 1, 0, 0, 1, 1, 1, 0, 0, 0
0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0
0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 1, 0, 0
0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0
0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 4
sssssssddddwwwddsssssssdddsssddddd
BaseCTF{131b7d6e60e8a34cb01801ae8de07efe}
BasePlus
密文:lvfzBiZiOw7<lhF8dDOfEbmI]i@bdcZfEc^z>aD!
Encode(v5, Str1)加密函数
base64:/128GhIoPQROSTeUbADfgHijKLM+n0pFWXY456xyzB7=39VaqrstJklmNuZvwcdEC
(说实话没见过)
变形异或
(a2 + v8) = v4[v8] ^ 0xE
Ez Xor
f5看主函数的反编译
密文为:Str,v11,v12,"@;%。其中Str、v11、v12是整数,在内存中按小端序存放,所以要按字节倒序取出。举个例子:Str = 0x1D0B2D2625050901i64,从后往前、每两位十六进制(一个字节)一组,转化一下就是:0x01,0x09,0x05,0x25,0x26,0x2D,0x0B,0x1D
加密过程为:KeyStream函数和encrypt函数
v4 = 0x726F58为key
点着函数右键,可以改函数类型,int改成char,也可以改参数名字
逆向出来exp:
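def key_stream(key, length=28):
    """Build the XOR key stream used to recover the flag.

    Element ``i`` of the stream is ``key[i % 3] ^ i``: the first three
    values of ``key`` are cycled and each one is XORed with its position.

    Args:
        key: Indexable sequence of integers (for example ``bytes``); only
            indices 0, 1 and 2 are read.
        length: Number of stream elements to produce. Defaults to 28, the
            length of the ciphertext in this write-up.

    Returns:
        A list of ``length`` integers.
    """
    # The period is 3 and the default length is 28; the earlier comments
    # that mentioned "30" and "i % 4" did not match the code.
    return [key[i % 3] ^ i for i in range(length)]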
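def decrypt(enc, key):
    """XOR each ciphertext byte with the reversed key stream.

    Args:
        enc: Sequence of integer byte values (for example ``bytes``).
        key: Key stream as a sequence of integers. It is consumed from its
            last element backwards, so ``enc[i]`` is paired with
            ``key[-1 - i]``.

    Returns:
        The recovered text, one character per ciphertext byte.

    Raises:
        IndexError: If ``enc`` is longer than ``key``.
    """
    if len(enc) > len(key):
        # Fail before decoding anything instead of part-way through.
        raise IndexError("key stream is shorter than the ciphertext")
    reversed_key = key[::-1]
    # zip() stops at the end of enc, so surplus key elements are ignored;
    # join() avoids rebuilding the string on every iteration.
    return "".join(chr(c ^ k) for c, k in zip(enc, reversed_key))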
# Ciphertext bytes in memory order, 28 in total. The first eight are the
# little-endian bytes of Str = 0x1D0B2D2625050901.
# NOTE(review): the remaining rows presumably come from v11, v12 and the
# trailing 4-byte string in the same way -- confirm against the decompilation.
a = [
    0x01, 0x09, 0x05, 0x25, 0x26, 0x2D, 0x0B, 0x1D,
    0x24, 0x7A, 0x31, 0x20, 0x1E, 0x49, 0x3D, 0x67,
    0x4D, 0x50, 0x08, 0x25, 0x2E, 0x6E, 0x05, 0x34,
    0x22, 0x40, 0x3B, 0x25,
]
enc = bytes(a)  # the list as an immutable byte string
print("Encrypted data (enc):", enc)

# Three-byte key 58 6F 72, i.e. v4 = 0x726F58 read in little-endian order.
key = bytes.fromhex("586F72")
key_box = key_stream(key)
print("Key stream (key_box):", key_box)

# Recover the plaintext from the ciphertext and the key stream.
flag = decrypt(enc, key_box)
print("Decrypted flag:", flag)
//BaseCTF{X0R_I5_345Y_F0r_y0U}