title: REVERSE刷题记录
date: 2023-12-19 20:27:11
categories: CTF刷题
tags:
- reverse
[SWPUCTF 2021 新生赛]re1
打开后注意找到main函数
然后看到伪代码如
int __cdecl main(int argc, const char **argv, const char **envp)
{
char Str2[1008]; // [rsp+20h] [rbp-60h] BYREF
char Str1[1000]; // [rsp+410h] [rbp+390h] BYREF
int i; // [rsp+7FCh] [rbp+77Ch]
_main();
strcpy(Str2, "{34sy_r3v3rs3}");
printf("please put your flag:");
scanf("%s", Str1);
for ( i = 0; i <= 665; ++i )
{
if ( Str1[i] == 101 )
Str1[i] = 51;
}
for ( i = 0; i <= 665; ++i )
{
if ( Str1[i] == 97 )
Str1[i] = 52;
}
if ( strcmp(Str1, Str2) )
printf("you are wrong,see again!");
else
printf("you are right!");
system("pause");
return 0;
}
这个应该是把str2的字符替换如str1一样,我们按照上面伪代码的思路把这个替换回来
#include <stdio.h>
#include <string.h>
char Str2[1008]; // [rsp+20h] [rbp-60h] BYREF
int i; // [rsp+7FCh] [rbp+77Ch]
int main() {
strcpy(Str2, "{34sy_r3v3rs3}");
for ( i = 0; i <= 665; ++i )
{
if ( Str2[i] == 51 )
Str2[i] = 101;
}
for ( i = 0; i <= 665; ++i )
{
if ( Str2[i] == 52 )
Str2[i] = 97;
}
printf("%s",Str2);
}
[NSSCTF 2022 Spring Recruit]easy C
直接给的源代码
#include <stdio.h>
#include <string.h>
int main(){
char a[]="wwwwwww";
char b[]="d`vxbQd";
//try to find out the flag
printf("please input flag:");
scanf(" %s",&a);
if(strlen(a)!=7){
printf("NoNoNo\n");
system("pause");
return 0;
}
for(int i=0;i<7;i++){
a[i]++;
a[i]=a[i]^2;
}
if(!strcmp(a,b)){
printf("good!\n");
system("pause");
return 0;
}
printf("NoNoNo\n");
system("pause");
return 0;
//flag 记得包上 NSSCTF{} 再提交!!!
}
这种题一看都是要求b被加密前的字符就是flag
求异或还原直接进行一次异或即可
#include <stdio.h>
#include <string.h>
int main() {
char a[] = "d`vxbQd";
char result[20]; // 创建一个足够大的数组来保存结果
strcpy(result, a); // 将 a 的内容复制到 result
// 对 result 进行两次异或操作
for (int i = 0; i <7; i++) {
result[i]=(result[i]^4)-1;
}
// 将还原后的结果打印出来
printf("%s\n", result);
return 0;
}
因为上面使用了加1这里就需要使用减1才行
[LitCTF 2023]世界上最棒的程序员
└─$ strings 世界最高のプログラマーです.exe|grep CTF
Hello CTFer~!
Flag: LitCTF{I_am_the_best_programmer_ever}直接使用strings查找即可或者使用ida查看rdata段
[SWPUCTF 2021 新生赛]re2
int __cdecl main(int argc, const char **argv, const char **envp)
{
char Str2[64]; // [rsp+20h] [rbp-90h] BYREF
char Str[68]; // [rsp+60h] [rbp-50h] BYREF
int v7; // [rsp+A8h] [rbp-8h]
int i; // [rsp+ACh] [rbp-4h]
_main();
strcpy(Str2, "ylqq]aycqyp{");
printf(&Format);
gets(Str);
v7 = strlen(Str);
for ( i = 0; i < v7; ++i )
{
if ( (Str[i] <= 96 || Str[i] > 98) && (Str[i] <= 64 || Str[i] > 66) )
Str[i] -= 2;
else
Str[i] += 24;
}
if ( strcmp(Str, Str2) )
printf(&byte_404024);
else
printf(aBingo);
system("pause");
return 0;
}
源代码如上
直接修改如下即可
#include <stdio.h>
#include <string.h>
int main()
{
char Str[68]; // [rsp+60h] [rbp-50h] BYREF
int v7; // [rsp+A8h] [rbp-8h]
int i; // [rsp+ACh] [rbp-4h]
strcpy(Str, "ylqq]aycqyp{");
v7 = strlen(Str);
for ( i = 0; i < v7; ++i )
{
if ( (Str[i] <= 96 || Str[i] > 98) && (Str[i] <= 64 || Str[i] > 66) )
Str[i] += 2;
else
Str[i] -= 24;
}
printf("%s",Str);
}
[WUSTCTF 2020]level2
拖入pe查看发现是upx壳子直接使用upx -d 进行脱壳在ida32打开发现flag或者使用strings
[SWPUCTF 2021 新生赛]非常简单的逻辑题
给了一个python代码
# flag = 'abcdefgqwrtyuiop'
# s = 'wesyvbniazxchjko1973652048@$+-&*<>'
# result = ''
# for i in range(len(flag)):
# s1 = ord(flag[i])//17
# s2 = ord(flag[i])%17
# result += s[(s1+i)%34]+s[-(s2+i+1)%34]
# print(result)
我自己写了一个
result = 'v0b9n1nkajz@j0c4jjo3oi1h1i937b395i5y5e0e$i'
s = 'wesyvbniazxchjko1973652048@$+-&*<>'
flag = ''
flag1=''
for i in range(len(result)):
for j in range(0,len(s)):
if result[i]==s[j]:
flag+=str(j+1)+" "
flag=flag.split(" ")
print(flag)
for i in range(1,len(flag),2):
flag[i]=str(abs(int(flag[i])-34))
print(flag)
bb=0
for i in range(0,42,2):
bb+=1
s1=int("".join(flag[i:i+1]))-bb
s2=int("".join(flag[i+1:i+2]))-bb+1
flag1+=chr(s1*17+s2)
print(flag1)
发现自己写的麻烦的要死
思路是
# s1 = ord(flag[i])//17
# s2 = ord(flag[i])%17
# result += s[(s1+i)%34]+s[-(s2+i+1)%34
这里的话result += s[(s1+i)%34]+s[-(s2+i+1)%34相当于2个字符一组
那可以来利用s1*17+s2来进行还原
在网上我还看到一个简介的
flag = ' '
s = 'wesyvbniazxchjko1973652048@$+-&*<>'
result = 'v0b9n1nkajz@j0c4jjo3oi1h1i937b395i5y5e0e$i'
for i in range(21):
#先找到在原s中对应的索引值,然后再减去附加的i得到s1和s2
s1 = s.find(result[i*2]) - i
s2 = 34 - s.find(result[i*2+1]) -i -1
# result = -(s2+i+1)%34
# result = 34 - (s2+i+1)%34
# result + 34*k = 34 - (s2+i+1)
# s2 = 34 - result -i -1
#题目中,s[-(s2+i+1)%34] 得到的是正数,所以此处的s2也应当是正数
if s2 < 0:
s2 = s2+34
else:
flag += chr(s1*17 + s2)
print(flag)
还有的话就是通过爆破来得到
s = 'wesyvbniazxchjko1973652048@$+-&*<>'
result1 = 'v0b9n1nkajz@j0c4jjo3oi1h1i937b395i5y5e0e$i'
result = [result1[i:i+2] for i in range(0,len(result1),2)]
print(result)
#flag就是'c', 通过c来爆破
flag = ''
for i in range(len(result)):
for c in range(32,127):
s1 = c // 17
s2 = c % 17
flag = s[(s1+i)%34]+s[-(s2+i+1)%34]
if flag == result[i]:
print(chr(c),end='')
这里面最欣赏这个爆破太有思路了
[HUBUCTF 2022 新生赛]simple_RE
好家伙这题都不需要用ida
使用strings打开文件后看到
5Mc58bPHLiAx7J8ocJIlaVUxaJvMcoYMaoPMaOfg15c475tscHfM/8==
qvEJAfHmUYjBac+u8Ph5n9Od17FrICL/X0gVtM4Qk6T2z3wNSsyoebilxWKGZpRD
please input the flag:
failed!
success!
判断
5Mc58bPHLiAx7J8ocJIlaVUxaJvMcoYMaoPMaOfg15c475tscHfM/8==
为base64
然后
qvEJAfHmUYjBac+u8Ph5n9Od17FrICL/X0gVtM4Qk6T2z3wNSsyoebilxWKGZpRD
这个应该就是码表了
放进CyberChef试试
就得到flag
[GFCTF 2021]wordy
打开后找不到strings找不到
IDA打开存在大量jmp跳转,导致程序无法正常编译,尝试将跳转nop掉
startaddr = 0x1135
endaddr = 0x3100
for i in range(startaddr,endaddr):
if get_wide_byte(i) == 0xEB:
if get_wide_byte(i+1) == 0xFF:
patch_byte(i,0x90)
print("[+] Addr {} is patched".format(hex(i)))
t:0000000000002D59 mov edi, 47h ; 'G'
.text:0000000000002D5E call _putchar
.text:0000000000002D63 nop
.text:0000000000002D64 inc eax
.text:0000000000002D66 mov edi, 46h ; 'F'
.text:0000000000002D6B call _putchar
.text:0000000000002D70 nop
.text:0000000000002D71 inc eax
.text:0000000000002D73 mov edi, 43h ; 'C'
.text:0000000000002D78 call _putchar
.text:0000000000002D7D nop
.text:0000000000002D7E inc eax
.text:0000000000002D80 mov edi, 54h ; 'T'
.text:0000000000002D85 call _putchar
.text:0000000000002D8A nop
.text:0000000000002D8B inc eax
.text:0000000000002D8D mov edi, 46h ; 'F'
.text:0000000000002D92 call _putchar
.text:0000000000002D97 nop
.text:0000000000002D98 inc eax
.text:0000000000002D9A mov edi, 7Bh ; '{'
.text:0000000000002D9F call _putchar
.text:0000000000002DA4 nop
.text:0000000000002DA5 inc eax
.text:0000000000002DA7 mov edi, 75h ; 'u'
.text:0000000000002DAC call _putchar
.text:0000000000002DB1 nop
.text:0000000000002DB2 inc eax
.text:0000000000002DB4 mov edi, 5Fh ; '_'
.text:0000000000002DB9 call _putchar
.text:0000000000002DBE nop
.text:0000000000002DBF inc eax
.text:0000000000002DC1 mov edi, 61h ; 'a'
.text:0000000000002DC6 call _putchar
.text:0000000000002DCB nop
.text:0000000000002DCC inc eax
.text:0000000000002DCE mov edi, 72h ; 'r'
.text:0000000000002DD3 call _putchar
.text:0000000000002DD8 nop
.text:0000000000002DD9 inc eax
.text:0000000000002DDB mov edi, 65h ; 'e'
.text:0000000000002DE0 call _putchar
.text:0000000000002DE5 nop
.text:0000000000002DE6 inc eax
.text:0000000000002DE8 mov edi, 32h ; '2'
.text:0000000000002DED call _putchar
.text:0000000000002DF2 nop
.text:0000000000002DF3 inc eax
.text:0000000000002DF5 mov edi, 77h ; 'w'
.text:0000000000002DFA call _putchar
.text:0000000000002DFF nop
.text:0000000000002E00 inc eax
.text:0000000000002E02 mov edi, 6Fh ; 'o'
.text:0000000000002E07 call _putchar
.text:0000000000002E0C nop
.text:0000000000002E0D inc eax
.text:0000000000002E0F mov edi, 72h ; 'r'
.text:0000000000002E14 call _putchar
.text:0000000000002E19 nop
.text:0000000000002E1A inc eax
.text:0000000000002E1C mov edi, 64h ; 'd'
.text:0000000000002E21 call _putchar
.text:0000000000002E26 nop
.text:0000000000002E27 inc eax
.text:0000000000002E29 mov edi, 79h ; 'y'
.text:0000000000002E2E call _putchar
.text:0000000000002E33 nop
.text:0000000000002E34 inc eax
.text:0000000000002E36 mov edi, 7Dh ; '}'
.text:0000000000002E3B call _putchar
并且这个hexview也能看到flag
或者简洁一点
startaddr=0x1135
endaddr=0x3100
for i in range(startaddr,endaddr):
if get_wide_byte(i)==0xC0:
print(chr(idaapi.get_byte(i+2)),end="")
[SWPUCTF 2021 新生赛]fakerandom
这个题的话经过调试即可得到
import random
flag = [201, 8, 198, 68, 131, 152, 186, 136, 13, 130, 190, 112, 251, 93, 212, 1, 31, 214, 116, 244]
random.seed(1)
l = []
for i in range(4):
l.append(random.getrandbits(8))
print(l)
flag1=''
result=[]
for i in range(len(l)):
random.seed(l[i])
for n in range(5):
result=flag[i*5+n]^random.getrandbits(8)
print(result)
flag1+=chr(result)
print(flag1)
[SWPUCTF 2022 新生赛]base64
这个题的话strings进行查看
[]A\A]A^A_
TlNTQ1RGe2Jhc2VfNjRfTlRXUTRaR0ROQzdOfQ==
This is flag!!
This is wrong
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
:*3$"
GCC: (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
base64换码表即可得到flag
[NISACTF 2022]string
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main()
{
int m;
int v4;
int seed=0x2766;
srand(seed);
printf("NSSCTF{");
for ( m = 0; m < 13; ++m )
{
v4 = rand();
printf("%d", (unsigned int)(v4 % 8 + 1));
}
putchar(125);
}
[HDCTF 2023]easy_re
使用upx -d进行脱壳然后在利用ida64来查看base64加密后的信息,在base64解密得到flag
[NSSRound#3 Team]jump_by_jump
使用strings直接查看到flag
└─$ strings jump_by_jump.exe |grep CTF
NSSCTF{Jump_b9_jump!}
[NISACTF 2022]sign-ezc++
void __cdecl Human::give_flag(Human *const this)
{
int i; // [rsp+2Ch] [rbp-54h]
for ( i = 0; i < strlen(flag); ++i )
flag[i] ^= 0xAu;
}
>>> d=[0x44, 0x59, 0x59, 0x49, 0x5E, 0x4C, 0x71, 0x7E, 0x62, 0x63,
... 0x79, 0x55, 0x63, 0x79, 0x55, 0x44, 0x43, 0x59, 0x4B, 0x55,
... 0x78, 0x6F, 0x55, 0x79, 0x63, 0x6D, 0x64, 0x77, 0x00, 0x00,
... 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
... 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]
>>> for i in d:
... print(chr(i^0xa),end="")
...
NSSCTF{this_is_NISA_re_sign}
[HNCTF 2022 Week1]超级签到
将{hello_world}里面的o变成0即可
[SWPUCTF 2022 新生赛]babyre
└─$ strings p01.exe |grep }
The flag is: NSSCTF{this_is_the_first_flag}
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
[SWPUCTF 2022 新生赛]easyre
└─$ strings p02.exe |grep }
|$X;D$@}
/5}A
NSSCTF{oh_you_find_it}
[UTCTF 2020]Basics(RE)
└─$ strings calc|grep }
utflag{str1ngs_1s_y0ur_fr13nd}
[HNCTF 2022 WEEK2]e@sy_flower
进入ida然后发现有报错,需要先把那个报错改一下把e9变成90也就是nop然后按p编译后得到main函数f5查看伪代码
sub_401020("please input flag\n", v8);
sub_401050("%s", (char)Arglist);
v3 = strlen(Arglist);
for ( i = 0; i < v3 / 2; ++i )
{
v5 = Arglist[2 * i];
Arglist[2 * i] = Arglist[2 * i + 1];
Arglist[2 * i + 1] = v5;
}
for ( j = 0; j < strlen(Arglist); ++j )
Arglist[j] ^= 0x30u;
v7 = strcmp(Arglist, "c~scvdzKCEoDEZ[^roDICUMC");
if ( v7 )
v7 = v7 < 0 ? -1 : 1;
if ( !v7 )
{
sub_401020("yes", v9);
exit(0);
}
这个相当于c~scvdzKCEoDEZ[^roDICUMC的加密过程然后还使用的异或,这种时候我们在使用一次异或就还原回来了
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main()
{
signed int v3; // kr00_4
int i; // edx
char v5; // cl
unsigned int j; // edx
int v7; // eax
char v8; // [esp+0h] [ebp-44h]
char v9; // [esp+0h] [ebp-44h]
char Arglist[48]; // [esp+10h] [ebp-34h] BYREF
scanf("%s",Arglist);
v3 = strlen(Arglist);
for ( i = 0; i < v3 / 2; ++i )
{
v5 = Arglist[2 * i];
Arglist[2 * i] = Arglist[2 * i + 1];
Arglist[2 * i + 1] = v5;
}
for ( j = 0; j < strlen(Arglist); ++j ){
Arglist[j] ^= 0x30u;}
printf("%s",Arglist);
}
代码逻辑很简单,每两个一组然后进行异或换位如果不足两个就不换
直接复制粘贴代码本地跑一次即可得到flag
[LitCTF 2023]ez_XOR
又是一个异或题
打开后粘贴复制xor函数
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main()
{
size_t result; // eax
int i; // [esp+2Ch] [ebp-Ch]
char Str[50];
int a2;
a2=3;
scanf("%s",Str);
Str[13]='0';
for ( i = 0; ; ++i )
{
result = strlen(Str);
if ( i >= result )
break;
Str[i] ^= 3 * a2;
}
printf("%s",Str);
}
[SWPUCTF 2021 新生赛]fakebase
s_box = 'qwertyuiopasdfghjkzxcvb123456#$'
s = 'u#k4ggia61egegzjuqz12jhfspfkay'
flag=""
for k in range(5):
b1=k
for i in s[::-1]:
b1 = b1*31+s_box.index(i)
t = str(bin(b1)[2:])
t = str(t.zfill((len(t) // 8 + 1) * 8))
for i in range(0,len(t),8):
flag = flag +chr(int(t[i:i+8],2))
print(flag)
[BJDCTF 2020]JustRE
很简单ida打开就有
[NISACTF 2022]ezpython
这个ida打开后看到了pythonstring直接使用uncompyle6 src.pyc >ss.py来得到源码
然后修改代码
# uncompyle6 version 3.9.0
# Python bytecode version base 3.4 (3310)
# Decompiled from: Python 3.8.6 (tags/v3.8.6:db45529, Sep 23 2020, 15:52:53) [MSC v.1927 64 bit (AMD64)]
# Embedded file name: src.py
# Compiled at: 1995-09-28 00:18:56
# Size of source mod 2**32: 272 bytes
import rsa, base64
key1 = rsa.PrivateKey.load_pkcs1(base64.b64decode('LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcVFJQkFBS0NBUUVBcVJUZ0xQU3BuT0ZDQnJvNHR1K1FBWXFhTjI2Uk42TzY1bjBjUURGRy9vQ1NJSU00ClNBeEVWaytiZHpSN2FucVNtZ1l5MEhRWGhDZTM2U2VGZTF0ejlrd0taL3UzRUpvYzVBSzR1NXZ4UW5QOWY1cTYKYVFsbVAvVjJJTXB5NFFRNlBjbUVoNEtkNm81ZWRJUlB2SHd6V0dWS09OQ3BpL0taQ082V0tWYkpXcWh3WGpEQgpsSDFNVURzZ1gyVUM4b3Bodnk5dXIyek9kTlBocElJZHdIc1o5b0ZaWWtaMUx5Q0lRRXRZRmlKam1GUzJFQ1RVCkNvcU9acnQxaU5jNXVhZnFvZlB4eHlPb2wwYVVoVGhiaHE4cEpXL3FPSFdYd0xJbXdtNk96YXFVeks4NEYyY3UKYWRiRE5zeVNvaElHaHYzd0lBVThNSlFnOEthd1Z3ZHBzRWhlSXdJREFRQUJBb0lCQURBazdwUStjbEZtWHF1Vgp1UEoyRWxZdUJpMkVnVHNMbHZ0c1ltL3cyQnM5dHQ0bEh4QjgxYlNSNUYyMEJ2UlJ4STZ3OXlVZCtWZzdDd1lMCnA5bHhOL3JJdWluVHBkUEhYalNhaGNsOTVOdWNOWEZ4T0dVU05SZy9KNHk4dUt0VHpkV3NITjJORnJRa0o4Y2IKcWF5czNOM3RzWTJ0OUtrUndjbUJGUHNJalNNQzB5UkpQVEE4cmNqOFkranV3SHZjbUJPNHVFWXZXeXh0VHR2UQova0RQelBqdTBuakhkR055RytkSDdkeHVEV2Jxb3VZQnRMdzllZGxXdmIydTJ5YnZzTXl0NWZTOWF1a01NUjNoCnBhaDRMcU1LbC9ETTU3cE44Vms0ZTU3WE1zZUJLWm1hcEptcVNnSGdjajRPNWE2R1RvelN1TEVoTmVGY0l2Tm8KWFczTEFHRUNnWWtBc0J0WDNVcFQ3aUcveE5BZDdSWER2MENOY1k1QnNZOGY4NHQ3dGx0U2pjSWdBKy9nUjFMZQpzb2gxY1RRd1RadUYyRTJXL1hHU3orQmJDTVVySHNGWmh1bXV6aTBkbElNV3ZhU0dvSlV1OGpNODBlUjRiVTRyCmdYQnlLZVZqelkzNVlLejQ5TEVBcFRQcTZRYTVQbzhRYkF6czhuVjZtNXhOQkNPc0pQQ29zMGtCclFQaGo5M0cKOFFKNUFQWEpva0UrMmY3NXZlazZNMDdsaGlEUXR6LzRPYWRaZ1MvUVF0eWRLUmg2V3VEeGp3MytXeXc5ZjNUcAp5OXc0RmtLRzhqNVRpd1RzRmdzem94TGo5TmpSUWpqb3cyVFJGLzk3b2NxMGNwY1orMUtsZTI1cEJ3bk9yRDJBCkVpMUVkMGVEV3dJR2gzaFhGRmlRSzhTOG5remZkNGFMa1ZxK1V3S0JpRXRMSllIamFZY0N2dTd5M0JpbG1ZK0gKbGZIYkZKTkowaXRhazRZZi9XZkdlOUd6R1h6bEhYblBoZ2JrZlZKeEVBU3ZCOE5NYjZ5WkM5THdHY09JZnpLRApiczJQMUhuT29rWnF0WFNxMCt1UnBJdEkxNFJFUzYySDJnZTNuN2dlMzJSS0VCYnVKb3g3YWhBL1k2d3ZscUhiCjFPTEUvNnJRWk0xRVF6RjRBMmpENmdlREJVbHhWTUVDZVFDQjcyUmRoYktNL3M0TSsvMmYyZXI4Y2hwT01SV1oKaU5Hb3l6cHRrby9sSnRuZ1RSTkpYSXdxYVNCMldCcXpndHNSdEhGZnpaNlNyWlJCdTd5Y0FmS3dwSCtUd2tsNQpoS2hoSWFTNG1vaHhwUVNkL21td1JzbTN2NUNDdXEvaFNtNmNXYTdFOVZxc25heGQzV21tQ2VqTnp0MUxQWUZNCkxZMENnWWdKUHhpVTVraGs5cHB6TVAwdWU0clA0Z2YvTENldEdmQjlXMkIyQU03eW9VM2VsMWlCSEJqOEZ3UFQKQUhKUWtCeTNYZEh3SUpGTUV1RUZSSFFzcUFkSTlYVDBzL2V0QTg1Y3grQjhjUmt3bnFHakFseW1PdmJNOVNrMgptMnRwRi8rYm56ZVhNdFA3c0ZoR3NHOXJ5SEZ6UFNLY3NDSDhXWWx0Y1pTSlNDZHRTK21qblAwelArSjMKLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K'))
key2 = rsa.PublicKey.load_pkcs1(base64.b64decode('LS0tLS1CRUdJTiBSU0EgUFVCTElDIEtFWS0tLS0tCk1JSUJDZ0tDQVFFQXFSVGdMUFNwbk9GQ0JybzR0dStRQVlxYU4yNlJONk82NW4wY1FERkcvb0NTSUlNNFNBeEUKVmsrYmR6UjdhbnFTbWdZeTBIUVhoQ2UzNlNlRmUxdHo5a3dLWi91M0VKb2M1QUs0dTV2eFFuUDlmNXE2YVFsbQpQL1YySU1weTRRUTZQY21FaDRLZDZvNWVkSVJQdkh3eldHVktPTkNwaS9LWkNPNldLVmJKV3Fod1hqREJsSDFNClVEc2dYMlVDOG9waHZ5OXVyMnpPZE5QaHBJSWR3SHNaOW9GWllrWjFMeUNJUUV0WUZpSmptRlMyRUNUVUNvcU8KWnJ0MWlOYzV1YWZxb2ZQeHh5T29sMGFVaFRoYmhxOHBKVy9xT0hXWHdMSW13bTZPemFxVXpLODRGMmN1YWRiRApOc3lTb2hJR2h2M3dJQVU4TUpRZzhLYXdWd2Rwc0VoZUl3SURBUUFCCi0tLS0tRU5EIFJTQSBQVUJMSUMgS0VZLS0tLS0K'))
def encrypt1(message):
crypto_text = rsa.encrypt(message.encode(), key2)
return crypto_text
def decrypt1(message):
message_str = rsa.decrypt(message, key1).decode()
return message_str
def encrypt2(tips, key):
ltips = len(tips)
lkey = len(key)
secret = []
num = 0
for each in tips:
if num >= lkey:
num = num % lkey
secret.append(chr(ord(each) ^ ord(key[num])))
num += 1
return base64.b64encode(''.join(secret).encode()).decode()
def decrypt2(secret, key):
tips = base64.b64decode(secret.encode()).decode()
ltips = len(tips)
lkey = len(key)
secret = []
num = 0
for each in tips:
if num >= lkey:
num = num % lkey
secret.append(chr(ord(each) ^ ord(key[num])))
num += 1
return ''.join(secret)
flag = 'IAMrG1EOPkM5NRI1cChQDxEcGDZMURptPzgHJHUiN0ASDgUYUB4LGQMUGAtLCQcJJywcFmddNno/PBtQbiMWNxsGLiFuLwpiFlkyP084Ng0lKj8GUBMXcwEXPTJrRDMdNwMiHVkCBFklHgIAWQwgCz8YQhp6E1xUHgUELxMtSh0xXzxBEisbUyYGOx1DBBZWPg1CXFkvJEcxO0ADeBwzChIOQkdwXQRpQCJHCQsaFE4CIjMDcwswTBw4BS9mLVMLLDs8HVgeQkscGBEBFSpQFQQgPTVRAUpvHyAiV1oPE0kyADpDbF8AbyErBjNkPh9PHiY7O1ZaGBADMB0PEVwdCxI+MCcXARZiPhwfH1IfKitGOF42FV8FTxwqPzBPAVUUOAEKAHEEP2QZGjQVV1oIS0QBJgBDLx1jEAsWKGk5Nw03MVgmWSE4Qy5LEghoHDY+OQ9dXE44Th0='
key = 'this is key'
result = decrypt2('AAAAAAAAAAAfFwwRSAIWWQ==', key)
print(decrypt1(base64.b64decode(decrypt2(flag, result))))
[LitCTF 2023]enbase64
import base64
cipher = 'GQTZlSqQXZ/ghxxwhju3hbuZ4wufWjujWrhYe7Rce7ju'
table = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
table_list = []
for s in table:
table_list.append(ord(s))
v3 = [16, 34, 56, 7, 46, 2, 10, 44, 20, 41, 59, 31, 51, 60, 61, 26, 5, 40, 21, 38, 4, 54, 52, 47, 3, 11, 58, 48, 32, 15,
49, 14, 37, 0, 55, 53, 24, 35, 18, 25, 33, 43, 50, 39, 12, 19, 13, 42, 9, 17, 28, 30, 23, 36, 1, 22, 57, 63, 8,
27, 6, 62, 45, 29]
t_list = table_list.copy()
for i in range(48):
for j in range(64):
table_list[j] = t_list[v3[j]]
t_list = table_list.copy()
t = ''
for x in table_list:
t += chr(x)
table = str.maketrans(t, table)
flag = base64.b64decode(cipher.translate(table)).decode()
print(flag)
[NSSCTF 2022 Spring Recruit]easy Python
打开后将那个加密字符进行base64解密即可得到flag
[SWPUCTF 2021 新生赛]easyapp
使用file查看文件发现是一个zip改成zip后打开里面有个apk雷电模拟器启动后发现
package com.example.ilililililil;
/* loaded from: classes.dex */
public class Encoder {
private int key = 123456789;
public String encode(String str) {
StringBuilder sb = new StringBuilder();
for (char c : str.toCharArray()) {
sb.append((char) (c ^ this.key));
}
return sb.toString();
}
}
package com.example.ilililililil;
import java.lang.reflect.Field;
/* loaded from: classes.dex */
public class MainActlvity {
public MainActlvity() {
try {
Field declaredField = Encoder.class.getDeclaredField("key");
declaredField.setAccessible(true);
declaredField.set(MainActivity.encoder, 987654321);
} catch (IllegalAccessException | NoSuchFieldException e) {
e.printStackTrace();
}
}
}
package com.example.ilililililil;
import android.os.Bundle;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.Toast;
import androidx.appcompat.app.AppCompatActivity;
/* loaded from: classes.dex */
public class MainActivity extends AppCompatActivity {
public static Encoder encoder;
public static MainActlvity mainActlvity;
/* JADX INFO: Access modifiers changed from: protected */
@Override // androidx.appcompat.app.AppCompatActivity, androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
final EditText editText = (EditText) findViewById(R.id.edit_text);
encoder = new Encoder();
mainActlvity = new MainActlvity();
((Button) findViewById(R.id.button)).setOnClickListener(new View.OnClickListener() { // from class: com.example.ilililililil.-$$Lambda$MainActivity$i-SDaQT6aGr2btgF05Lf-fvXXSo
@Override // android.view.View.OnClickListener
public final void onClick(View view) {
MainActivity.this.lambda$onCreate$0$MainActivity(editText, view);
}
});
}
public /* synthetic */ void lambda$onCreate$0$MainActivity(final EditText editText, View v) {
System.out.println(encoder.encode(editText.getText().toString()));
if (encoder.encode(editText.getText().toString()).equals("棿棢棢棲棥棷棊棐棁棚棨棨棵棢棌")) {
Toast.makeText(this, "YES", 0).show();
} else {
Toast.makeText(this, "NO", 0).show();
}
}
}
意思就要需要这个
equals(“棿棢棢棲棥棷棊棐棁棚棨棨棵棢棌”)
那么我们就要去为了得到这个来进行异或
code='棿棢棢棲棥棷棊棐棁棚棨棨棵棢棌'
print(len(code))
key = 987654321
flag=""
for i in code:
flag+=chr((ord(i)^key)%128) #确定在0~128
print(len(flag))
[HUBUCTF 2022 新生赛]ezPython
使用uncompyle6得到python文件,然后根据样式直接进行逆向解密即可
from Crypto.Util.number import *
ans = 22385992650816784030032474165
ans = long_to_bytes(ans)
print(ans)
[GDOUCTF 2023]Check_Your_Luck
from z3 import *
s=Solver()
v,w,x,y,z=Ints('v w x y z')
s.add(v * 23 + w * -32 + x * 98 + y * 55 + z * 90 == 333322)
s.add(v * 123 + w * -322 + x * 68 + y * 67 + z * 32 == 707724)
s.add(v * 266 + w * -34 + x * 43 + y * 8 + z * 32 == 1272529)
s.add(v * 343 + w * -352 + x * 58 + y * 65 + z * 5 == 1672457)
s.add(v * 231 + w * -321 + x * 938 + y * 555 + z * 970 == 3372367)
if s.check()==sat:
a=s.model()
print("flag{" +str(a[v])+ "_" + str(a[w]) + "_" + str(a[x]) + "_" + str(a[y]) + "_" + str(a[z]) + "}")
就是一个cpp的题目使用z3来解出这个5元一次方程即可
[HNCTF 2022 Week1]贝斯是什么乐器啊?
这个直接使用脚本就能解出
import base64
d="TlJRQFBBdTs4alsrKFI6MjgwNi5p".encode()
a=base64.b64decode(d).decode()
a=[i for i in a]
for i in range(len(a)):
c=ord(a[i])
c+=i
print(chr(c),end="")
[SWPUCTF 2022 新生赛]base64-2
使用strings可以得到
GyAGD1ETr3AcGKNkZ19PLKAyAwEsAIELHx1nFSH2IwyGsD==
This is flag!!
This is wrong
NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm0123456789+/
[HNCTF 2022 Week1]X0r
a=[0x3FE, 0x3EB, 0x3FB, 0x3E4, 0x3F6, 0x3D3, 0x3D0, 0x388,0x3CA, 0x3EF, 0x389, 0x3CB, 0x3EF, 0x3CB, 0x388, 0x3EF, 0x3D5,0x3D9, 0x3CB, 0x3D1, 0x3CD, 0x0A]
c=""
for i in range(len(a)):
d=((a[i]-900)^0x34)%128
print(chr(d),end="")
c+=chr(d)
记住要128来控制他不超出ascii值
[HGAME 2022 week1]easyasm
a=[0x91, 0x61, 0x01, 0xC1, 0x41, 0xA0, 0x60, 0x41, 0xD1, 0x21,0x14, 0xC1, 0x41, 0xE2, 0x50, 0xE1, 0xE2, 0x54, 0x20, 0xC1, 0xE2, 0x60, 0x14, 0x30, 0xD1, 0x51, 0xC0, 0x17]
c=""
for i in range(len(a)):
d=a[i]^0x17
c += chr((d>>4)+(d<<4)&0xff)
print(c)
[BJDCTF 2020]Easy
ida修改程序使call调转到_ques然后保存运行
* * * ***** * * ***** ***** * * ***** * * * *
* * * * * * * * * * * * * * ** *
***** ***** * *** * * ***** *** * * * * *
* * * * * * ** * * * * * * * **
* * * * ***** * * ***** * * * ***** * *
提交flag即可
[HUBUCTF 2022 新生赛]help
得到迷宫
[1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1]
[1, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1]
[1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1]
[1, 0, 1, 1, 1, 0, 1, 1, 0, 0, 0, 1, 0, 1, 1, 1]
[1, 0, 1, 1, 1, 0, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1]
[1, 0, 1, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0, 1, 1, 1]
[1, 0, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1]
[1, 0, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 0, 1, 1, 1]
[1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 0, 1, 1, 1]
[1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 0, 1, 1, 1]
[1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 0, 0, 0, 1]
[1, 1, 1, 1, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 1]
[1, 1, 1, 1, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 1]
[1, 0, 0, 0, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 0]
[1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1, 1, 1]
[1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1]
写一个脚本来完成迷宫
from collections import deque
def bfs(maze, start, end):
# 定义四个移动方向
directions = [(0, 1, 'd'), (1, 0, 's'), (0, -1, 'a'), (-1, 0, 'w')]
# 队列中的元素是(当前坐标,到达当前坐标的路径)
queue = deque([(start, [])])
# 创建集合保存已访问的点
visited = set()
visited.add(start)
while queue:
# 当前位置和路径
(x, y), path = queue.popleft()
for dx, dy, direction in directions:
# 下一个可能的位置
next_x, next_y = x + dx, y + dy
# 如果这个位置在迷宫范围内并且没有被访问过
if 0 <= next_x < len(maze) and 0 <= next_y < len(maze[0]) and (next_x, next_y) not in visited:
if maze[next_x][next_y] == 0 or (next_x, next_y) == end:
visited.add((next_x, next_y)) # 标记为已访问
new_path = path + [direction] # 新路径添加移动方向
# 如果到达终点,则返回路径
if (next_x, next_y) == end:
return new_path
# 否则,将新位置和新路径添加到队列中
queue.append(((next_x, next_y), new_path))
# 如果所有可能都走完了还没找到终点,那么返回 None
return None
# 定义迷宫
maze = [
[1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1],
[1, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1],
[1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1],
[1, 0, 1, 1, 1, 0, 1, 1, 0, 0, 0, 1, 0, 1, 1, 1],
[1, 0, 1, 1, 1, 0, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1],
[1, 0, 1, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0, 1, 1, 1],
[1, 0, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1],
[1, 0, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 0, 1, 1, 1],
[1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 0, 1, 1, 1],
[1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 0, 1, 1, 1],
[1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 0, 0, 0, 1],
[1, 1, 1, 1, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 1],
[1, 1, 1, 1, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 1],
[1, 0, 0, 0, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 0],
[1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1, 1, 1],
[1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1]
]
# 寻找起点
start = (15,1)
end = (13,15)
# 执行广度优先搜索
path = bfs(maze, start,end)
if path:
print("Found path:", ''.join(path))
else:
print("No path found with the exact length of 54.")
[SWPUCTF 2022 新生赛]upx
upx -d脱壳然后xor2即可得到flag
[SWPUCTF 2021 新生赛]老鼠走迷宫
拖入ida发现这个是一个python安装的题目使用pyinstxtractor得到pyc后使用uncompyle6即可得到源代码需要使用特定的头
使用代码
from collections import deque
def bfs(maze, start, end):
# 定义四个移动方向
directions = [(0, 1, 'd'), (1, 0, 's'), (0, -1, 'a'), (-1, 0, 'w')]
# 队列中的元素是(当前坐标,到达当前坐标的路径)
queue = deque([(start, [])])
# 创建集合保存已访问的点
visited = set()
visited.add(start)
while queue:
# 当前位置和路径
(x, y), path = queue.popleft()
for dx, dy, direction in directions:
# 下一个可能的位置
next_x, next_y = x + dx, y + dy
# 如果这个位置在迷宫范围内并且没有被访问过
if 0 <= next_x < len(maze) and 0 <= next_y < len(maze[0]) and (next_x, next_y) not in visited:
if maze[next_x][next_y] == 0 or (next_x, next_y) == end:
visited.add((next_x, next_y)) # 标记为已访问
new_path = path + [direction] # 新路径添加移动方向
# 如果到达终点,则返回路径
if (next_x, next_y) == end:
return new_path
# 否则,将新位置和新路径添加到队列中
queue.append(((next_x, next_y), new_path))
# 如果所有可能都走完了还没找到终点,那么返回 None
return None
# 定义迷宫
maze = [
[1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1],
[1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1],
[1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1],
[1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1],
[1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1],
[1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1],
[1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1],
[1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1],
[1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1],
[1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1],
[1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1],
[1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1],
[1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1],
[1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1],
[1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1],
[1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1],
[1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1],
[1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1],
[1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1],
[1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1],
[1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1],
[1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1],
[1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1],
[1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1],
[1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1]]
# 寻找起点
start = (1,0)
end = (24,23)
# 执行广度优先搜索
path = bfs(maze, start,end)
if path:
print("Found path:", ''.join(path))
else:
print("No path found with the exact length of 54.")
即可得到flag
reverse2
替换掉r和i为1即可得到flag
内涵的软件
这个是strings直接得到flag
新年快乐
upx脱壳即可得到flag
xor
a='f\nk\fw&O.@\x11x\rZ;U\x11p\x19F\x1Fv\"M#D\x0Eg\x06h\x0FG2O'
a=[ord(i) for i in a]
b=''
print(a)
for i in range(len(a)-1):
a[i]^=a[i+1]
print(chr(a[i]),end="")
helloword
打开jadx即可得到flag
reverse3
得到
e3nifIH9b_C@n@dH
然后就是他每一位减去了一个值在进行base64
import base64
a='e3nifIH9b_C@n@dH'
a=[ord(i) for i in a]
c=""
for i in range(len(a)):
a[i]-=i
c+=chr(a[i])
c=c.encode()
print(base64.b64decode(c))
不一样的flag
迷宫得到flag
*1111
01000
01010
00010
1111#
222441144222
SimpleRev
#include<stdio.h>
int main()
{
char key[] = "adsfkndcls"; //key字符串是adsfkndcls
char text[] = "killshadow"; //text字符串是killshadow
int i; //定义了变量 i
int v2 = 0;
int v3 = 10;//v3的长度为10 ,因为在大写字母变小写的时候,v3会++,而字符串变了10次。
int v5 = 10;
for (int i = 0; i < v5; i++)//开始循环
{
for (int j = 0; j < 123; j++)//开始第二重循环 j = v1;
{
if ((j < 'A' || j > 'Z') || (j < 'z' && j > 'a'))//|| 和 && 交换 > 和 < 交换 ,让j不再那个范围之内
{
continue;//如果不在范围之内,就跳过本次循环。
}
if ((j - 39 - key[v3 % 10] + 97) % 26 + 97 == text[i])//执行这个算法,跟text字符串相比,如果相等就输出
{
printf("%c",j);
v3++;//注意算法里面 v3++,所以这里也要把v3++;
break;
}
}
}
}
需要使用ida的r来查看
Java逆向解密
代码很简单就是一个java的
// Source code is decompiled from a .class file using FernFlower decompiler.
import java.util.ArrayList;
import java.util.Scanner;
public class Reverse {
public Reverse() {
}
public static void main(String[] args) {
Scanner s = new Scanner(System.in);
System.out.println("Please input the flag \uff1a");
String str = s.next();
System.out.println("Your input is \uff1a");
System.out.println(str);
char[] stringArr = str.toCharArray();
Encrypt(stringArr);
}
public static void Encrypt(char[] arr) {
ArrayList<Integer> Resultlist = new ArrayList();
for(int i = 0; i < arr.length; ++i) {
int result = arr[i] + 64 ^ 32;
Resultlist.add(result);
System.out.println(Resultlist);
}
int[] KEY = new int[]{180, 136, 137, 147, 191, 137, 147, 191, 148, 136, 133, 191, 134, 140, 129, 135, 191, 65};
ArrayList<Integer> KEYList = new ArrayList();
for(int j = 0; j < KEY.length; ++j) {
KEYList.add(KEY[j]);
}
System.out.println("Result:");
if (Resultlist.equals(KEYList)) {
System.out.println("Congratulations\uff01");
} else {
System.err.println("Error\uff01");
}
}
}
创建了两个数组让两个数组一样即可正确,意思就是
180, 136, 137, 147, 191, 137, 147, 191, 148, 136, 133, 191, 134, 140, 129, 135, 191, 65
找到原始值
一开始是arr[i]+6432变成arr[i]-6432即可
a=[180, 136, 137, 147, 191, 137, 147, 191, 148, 136, 133, 191, 134, 140, 129, 135, 191, 65]
b=""
for i in range(len(a)):
b+=chr(a[i]- 64 ^ 32)
print(b)
[GXYCTF2019]luck_guy
根据提示strcat得到f1+f2就等于flag
f2="icug`of\x7F"
f2=[ord(i) for i in f2]
for i in range(8):
if i%2==1:
f2[i]-=2
else:
f2[i]-=1
f2=[chr(i) for i in f2]
print("".join(f2))
刮开有奖
#include <stdio.h>
int sub_4010F0(char* a1, int a2, int a3)
{
int result; // eax
int i; // esi
int v5; // ecx
int v6; // edx
result = a3;
for ( i = a2; i <= a3; a2 = i )
{
v5 = i;
v6 = i[a1];
if ( a2 < result && i < result )
{
do
{
if ( v6 > a1[result])
{
if ( i >= result )
break;
++i;
a1[v5] = a1[result];
if ( i >= result )
break;
while ( a1[i] <= v6 )
{
if ( ++i >= result )
goto LABEL_13;
}
if ( i >= result )
break;
v5 = i;
a1[result] = a1[i];
}
--result;
}
while ( i < result );
}
LABEL_13:
a1[result] = v6 ;
sub_4010F0(a1, a2, i - 1);
result = a3;
++i;
}
return result;
}
int main()
{
char str[] = "ZJSECaNH3ng";
sub_4010F0(str,0,10);
printf("%s", str);
return 0;
}
得到加密后的字符串
if ( String[0] == v7[0] + 34
&& String[1] == v10
&& 4 * String[2] - 141 == 3 * v8
&& String[3] / 4 == 2 * (v13 / 9)
&& !strcmp(v4, "ak1w")
&& !strcmp(v5, "V1Ax") )
通过这几个判断即可得到flag
简单注册器
这个题很好做
xx.length() == 32 && xx.charAt(31) == 'a' && xx.charAt(1) == 'b' && (xx.charAt(0) + xx.charAt(2)) + (-48) == 56)
满足这个或者
x = list("dd2940c04462b4dd7c450528835cca15")
x=[ord(i) for i in x]
x[2] =((x[2] + x[3]) - 50)
x[4] =((x[2] + x[5]) - 48)
x[30] =((x[31] + x[9]) - 48)
x[14] =((x[27] + x[28]) - 97)
for i in range(16):
a=x[31-i]
x[31-i]=x[i]
x[i]=a
x="".join(chr(i) for i in x)
print(x)
得到flag
[GWCTF 2019]pyre
a=['\x1f', '\x12', '\x1d', '(', '0', '4', '\x01', '\x06', '\x14', '4', ',', '\x1b', 'U', '?', 'o', '6', '*', ':', '\x01', 'D', ';', '%', '\x13']
l = len(a)
a=[ord(i) for i in a]
for i in range(l-2,-1,-1):
a[i] = a[i] ^ a[i +1]
c=''
for i in range(l):
num = (a[i] - i)%128
c += chr(num)
print(c)
要注意是怎么异或的
[ACTF新生赛2020]easyre
注意c的内存
v4="*F'\"N,\"(I?+@"
a=[chr(i) for i in range(32,127)]
a="".join(a[::-1])
b=''
print(a)
for i in range(len(v4)):
b+=chr(a.index(v4[i])+1)
print("flag{"+b+"}")
# v4 = "*F'\"N,\"(I?+@"
# d = chr(0x7e) + "}|{zyxwvutsrqponmlkjihgfedcba`_^]\\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-,+*)(" + chr(0x27) + "&%" + '$# !"'
# s = ""
# for i in range(12):
# s += chr(d.index(v4[i]) + 1)
# print("flag{" + s + "}")
第一个不知道为什么有点问题
findit
a=['p', 'v', 'k', 'q', '{', 'm', '1', '6', '4', '6', '7', '5', '2', '6', '2', '0', '3', '3', 'l', '4', 'm', '4', '9', 'l', 'n', 'p', '7', 'p', '9', 'm', 'n', 'k', '2', '8', 'k', '7', '5', '}']
print("".join(a))
每个字符ord-10即可得到flag
[FlareOn4]login
<!DOCTYPE Html />
<html>
<head>
<title>FLARE On 2017</title>
</head>
<body>
<input type="text" name="flag" id="flag" value="Enter the flag" />
<input type="button" id="prompt" value="Click to check the flag" />
<script type="text/javascript">
document.getElementById("prompt").onclick = function () {
var flag = document.getElementById("flag").value;
var rotFlag = flag.replace(/[a-zA-Z]/g, function(c){return String.fromCharCode((c <= "Z" ? 90 : 122) >= (c = c.charCodeAt(0) + 13) ? c : c - 26);});
if ("PyvragFvqrYbtvafNerRnfl@syner-ba.pbz" == rotFlag) {
alert("Correct flag!");
} else {
alert(rotFlag);
}
}
</script>
</body>
</html>
把PyvragFvqrYbtvafNerRnfl@syner-ba.pbz传入进去得到flag
[WUSTCTF2020]level1
file=open("output.txt","r")
for i in range(1,20):
flag=file.readline()
if i&1!=0:
print(chr(int(flag)>>i),end="")
else:
print(chr(int(flag)//i),end="")