1、jump_by_jump,
怎么说呢,直接搜字符串吧
2、jump_by_jump revenge
作者这个模不好搞,(哭脸),卡了一会儿,最开始直接看汇编还没看出来,只有去看伪代码了
enc='~4G~M:=WV7iX,zlViGmu4?hJ0H-Q*'
print(len(enc))
print()
arr=[]
for i in range(len(enc)):
arr.append(ord(enc[i]))
for i in range(len(arr)-1,-1,-1):
arr[i]=arr[i]-32-arr[(i*i+123)%21]
if arr[i]<96:
arr[i]+=96
for i in range(len(enc)):
while arr[i]<32 or arr[i]>128 :
arr[i]+=96
arr[i]%=128
for i in range(len(arr)):
print(chr(arr[i]),end='')
print()
print(arr)
3、findxenny
随便输个什么东西,稍微长一点,别被长度判断给报错了
然后走到smc的位置,继续走
在判断里,每个zf位改一下,栈中分三段存的flag:
oh_you_found_our_x3nny,把头补上就行
4、ez_z3
64位的,改了upx的特征码,放到010中改回来,自动脱掉就行
程序本身逻辑不难,改了名字也挺清楚,就是自己写脚本的时候,循环变量搞错了,一直找不到问题在哪,有点小麻,浪费两个小时
而且,在这里异或的时候,最开始没看到是倒序异或,又浪费了一会儿
整个程序不难,跟着走就行,直接上脚本
import math
import z3
key=[7, 0, 0, 0, 7, 0, 0, 0, 7, 0,
0, 0, 9, 0, 0, 0, 5, 0, 0, 0,
6, 0, 0, 0, 7, 0, 0, 0, 7, 0,
0, 0, 7, 0, 0, 0, 9, 0, 0, 0,
7, 0, 0, 0, 7, 0, 0, 0, 5, 0,
0, 0, 7, 0, 0, 0, 7, 0, 0, 0,
7, 0, 0, 0, 5, 0, 0, 0, 7, 0,
0, 0, 9, 0, 0, 0, 7, 0, 0, 0]
keyy=[]
ans=[0x1207,0x4CA0,0x4F21,0x39,0x1A523,0x23A,0x926,0x4CA7,0x6560,0x36,0x1A99B,0x4CA8,0x1BBE0,0x3705,0x926,
0x77D3,0x9A98,0x657B,0x18,0x0B11]
print(len(ans))
for i in range(len(key)):
if key[i]!=0:
keyy.append(key[i])
print((keyy))
v3_arr=[]
a1=[0]*20
'''
for i in range(20):
a1[i]=z3.Int(f"a1[{i}]")
s=z3.Solver()
s.add((20 * a1[19] * 19 * a1[18]
+ 14 * a1[13]
+ 13 * a1[12]
+ 11 * a1[10] * 10 * a1[9]
+ 30 * a1[5]
+ 5 * a1[4]
+ a1[0]
+ 2 * a1[1]
- 3 * a1[2]
- 4 * a1[3]
- 7 * a1[6]
+ 8 * a1[7]
- 9 * a1[8]
- 12 * a1[11]
- 16 * a1[15] * 15 * a1[14]
- 17 * a1[16]
- 18 * a1[17]) == 2582239)
s.add((20 * a1[19] * 19 * a1[18]
+ 14 * a1[13]
+ 13 * a1[12]
+ 11 * a1[10] * 10 * a1[9]
+ 30 * a1[5]
- 7 * a1[6]
+ 8 * a1[7]
- 9 * a1[8]
+ 5 * a1[4]
+ 3 * a1[2]
+ 2 * a1[1] * a1[0]
- 4 * a1[3]
- 12 * a1[11]
- 16 * a1[15] * 15 * a1[14]
- (18 * a1[17]
+ 17 * a1[16])) == 2602741)
s.add((19 * a1[18]
+ 18 * a1[17]
+ 14 * a1[13] * 13 * a1[12]
+ 12 * a1[11] * 11 * a1[10]
+ 9 * a1[8]
+ 7 * a1[6] * 30 * a1[5]
+ a1[0]
- 2 * a1[1]
- 4 * a1[3] * 3 * a1[2]
- 5 * a1[4]
+ 8 * a1[7]
- 10 * a1[9]
- 15 * a1[14]
- 17 * a1[16] * 16 * a1[15]
- 20 * a1[19]) == 2668123)
s.add((20 * a1[19] * 19 * a1[18]
+ 14 * a1[13]
+ (13 * a1[12] + 11 * a1[10] - 12 * a1[11]) * 10 * a1[9]
+ 30 * a1[5]
+ 5 * a1[4]
+ a1[0]
+ 2 * a1[1]
- 3 * a1[2]
- 4 * a1[3]
- 7 * a1[6]
+ 8 * a1[7]
- 9 * a1[8]
- 16 * a1[15] * 15 * a1[14]
- 17 * a1[16]
- 18 * a1[17]) == 2520193)
s.add((18 * a1[17]
+ 17 * a1[16]
+ 15 * a1[14]
+ 13 * a1[12] * 12 * a1[11]
+ 10 * a1[9]
+ 9 * a1[8] * 8 * a1[7]
+ 3 * a1[2] * 2 * a1[1] * a1[0]
- 4 * a1[3]
- 5 * a1[4]
- 30 * a1[5]
- 7 * a1[6]
- 11 * a1[10]
- 14 * a1[13]
- 16 * a1[15]
- 19 * a1[18]
- 20 * a1[19]) == 8904587)
s.add((18 * a1[17]
+ 7 * a1[6] * 30 * a1[5] * 5 * a1[4]
+ 4 * a1[3]
+ 8 * a1[7]
+ a1[0]
- 2 * a1[1]
- 3 * a1[2]
- 9 * a1[8]
- 11 * a1[10] * 10 * a1[9]
- 16 * a1[15] * (13 * a1[12] + 12 * a1[11] - 14 * a1[13] - 15 * a1[14])
- 17 * a1[16]
- 19 * a1[18]
- 20 * a1[19]) == 1227620874)
s.add((20 * a1[19] * 19 * a1[18]
+ 17 * a1[16]
+ 14 * a1[13]
+ 13 * a1[12]
+ 12 * a1[11] * 11 * a1[10] * 10 * a1[9]
+ 7 * a1[6] * 30 * a1[5]
+ 5 * a1[4]
+ 3 * a1[2]
+ a1[0]
+ 2 * a1[1]
+ 4 * a1[3]
+ 8 * a1[7]
- 9 * a1[8]
- 16 * a1[15] * 15 * a1[14]
- 18 * a1[17]) == 1836606059)
s.add((20 * a1[19] * 19 * a1[18]
+ 16 * a1[15] * 15 * a1[14]
+ 14 * a1[13]
+ 13 * a1[12]
+ 12 * a1[11]
+ 7 * a1[6] * 30 * a1[5]
+ 5 * a1[4]
+ 2 * a1[1] * a1[0]
- 3 * a1[2]
+ 4 * a1[3]
+ 8 * a1[7]
- 9 * a1[8]
- 10 * a1[9]
- 11 * a1[10]
- 17 * a1[16]
- 18 * a1[17]) == 8720560)
s.add((20 * a1[19] * 19 * a1[18]
+ 14 * a1[13]
+ 13 * a1[12]
+ 11 * a1[10] * (10 * a1[9] + 30 * a1[5] + 5 * a1[4] + 4 * a1[3] - 7 * a1[6] + 8 * a1[7] - 9 * a1[8])
+ a1[0]
+ 2 * a1[1]
- 3 * a1[2]
- 12 * a1[11]
- (16 * a1[15] - 17 * a1[16] - 18 * a1[17]) * 15 * a1[14]) == 11387045)
s.add((20 * a1[19] * 19 * a1[18]
+ 16 * a1[15] * 15 * a1[14]
+ 14 * a1[13]
+ 11 * a1[10] * 10 * a1[9]
+ 9 * a1[8]
+ 3 * a1[2]
+ a1[0]
- 2 * a1[1]
+ 4 * a1[3]
- 5 * a1[4]
- 30 * a1[5]
- 7 * a1[6]
+ 8 * a1[7]
- 12 * a1[11]
- 13 * a1[12]
- 17 * a1[16]
- 18 * a1[17]) == 7660269)
s.add((20 * a1[19] * 19 * a1[18]
+ 14 * a1[13]
+ 13 * a1[12]
+ 11 * a1[10] * 10 * a1[9]
- 12 * a1[11]
+ a1[0]
+ 2 * a1[1]
- (4 * a1[3] * 3 * a1[2]
- 5 * a1[4]
- 30 * a1[5])
- 7 * a1[6]
+ 8 * a1[7]
- 9 * a1[8]
- 16 * a1[15] * 15 * a1[14]
- 17 * a1[16]
- 18 * a1[17]) == 2461883)
s.add((14 * a1[13]
+ 11 * a1[10] * 10 * a1[9]
+ 9 * a1[8] * 8 * a1[7]
+ 7 * a1[6]
+ 2 * a1[1] * a1[0]
- 4 * a1[3] * 3 * a1[2]
- 5 * a1[4]
- 30 * a1[5]
- 12 * a1[11]
- 13 * a1[12]
- 15 * a1[14]
- 17 * a1[16] * 16 * a1[15]
- 18 * a1[17]
- 19 * a1[18]
- 20 * a1[19]) == -966296)
s.add((14 * a1[13]
+ 13 * a1[12]
+ (11 * a1[10] * 10 * a1[9] + 30 * a1[5] + 5 * a1[4] + 3 * a1[2] + 4 * a1[3] - 7 * a1[6] + 8 * a1[7] - 9 * a1[8])
* 2
* a1[1]
+ a1[0]
- 12 * a1[11]
- 15 * a1[14]
- 16 * a1[15]
- 17 * a1[16]
- 18 * a1[17]
- 20 * a1[19] * 19 * a1[18]) == 254500223)
s.add((16 * a1[15] * 15 * a1[14]
+ 14 * a1[13]
+ 11 * a1[10] * 10 * a1[9]
+ 7 * a1[6] * 30 * a1[5]
+ a1[0]
- 2 * a1[1]
- 3 * a1[2]
- 5 * a1[4] * 4 * a1[3]
+ 8 * a1[7]
- 9 * a1[8]
- 12 * a1[11]
- 13 * a1[12]
- 17 * a1[16]
- 18 * a1[17]
- 19 * a1[18]
- 20 * a1[19]) == 6022286)
s.add((18 * a1[17]
+ 16 * a1[15]
- 17 * a1[16]
+ 14 * a1[13]
+ 12 * a1[11]
+ 11 * a1[10] * 10 * a1[9]
+ 30 * a1[5]
+ 5 * a1[4]
+ 4 * a1[3] * 3 * a1[2]
+ 2 * a1[1] * a1[0]
- 9 * a1[8] * 8 * a1[7] * 7 * a1[6]
- 13 * a1[12]
- 15 * a1[14]
- 19 * a1[18]
- 20 * a1[19]) == -636956022)
s.add((20 * a1[19] * 19 * a1[18]
+ 13 * a1[12]
+ 12 * a1[11]
+ 11 * a1[10] * 10 * a1[9]
+ 7 * a1[6]
+ 30 * a1[5]
+ 5 * a1[4]
+ 3 * a1[2] * 2 * a1[1] * a1[0]
- 4 * a1[3]
- 9 * a1[8] * 8 * a1[7]
- 14 * a1[13]
- 15 * a1[14]
- 16 * a1[15]
- 17 * a1[16]
- 18 * a1[17]) == 10631829)
s.add((20 * a1[19] * 19 * a1[18]
+ 16 * a1[15]
- 17 * a1[16]
- 18 * a1[17]
+ 15 * a1[14] * 14 * a1[13]
+ 13 * a1[12]
+ 11 * a1[10] * 10 * a1[9]
- 12 * a1[11]
+ 7 * a1[6]
+ (4 * a1[3] - 5 * a1[4] - 30 * a1[5]) * 3 * a1[2]
+ a1[0]
+ 2 * a1[1]
+ 8 * a1[7]
- 9 * a1[8]) == 6191333)
s.add((14 * a1[13]
+ 10 * a1[9] * 9 * a1[8] * 8 * a1[7]
+ 5 * a1[4]
+ 4 * a1[3] * 3 * a1[2]
+ 2 * a1[1] * a1[0]
- 7 * a1[6] * 30 * a1[5]
- 11 * a1[10]
- 13 * a1[12] * 12 * a1[11]
- 16 * a1[15] * 15 * a1[14]
- 18 * a1[17] * 17 * a1[16]
- 20 * a1[19] * 19 * a1[18]) == 890415359)
s.add((20 * a1[19]
+ 19 * a1[18]
+ 18 * a1[17]
+ 16 * a1[15]
- 17 * a1[16]
+ 12 * a1[11]
+ 11 * a1[10]
+ 10 * a1[9]
+ 9 * a1[8]
+ 30 * a1[5]
+ a1[0]
+ 4 * a1[3] * 3 * a1[2] * 2 * a1[1]
- 5 * a1[4]
- 7 * a1[6]
+ 8 * a1[7]
- 13 * a1[12]
- 14 * a1[13]
- 15 * a1[14]) == 23493664)
s.add((20 * a1[19] * 19 * a1[18]
+ 13 * a1[12]
+ 12 * a1[11]
+ 10 * a1[9]
+ 3 * a1[2] * 2 * a1[1]
+ a1[0]
- 4 * a1[3]
- 5 * a1[4]
+ 8 * a1[7] * 7 * a1[6] * 30 * a1[5]
- 9 * a1[8]
- 11 * a1[10]
- 14 * a1[13]
- 16 * a1[15] * 15 * a1[14]
- 17 * a1[16]
- 18 * a1[17]) == 1967260144)
for i in range(20):
s.add(a1[i]<=0xff)
s.add(a1[i]>=0)
print(s.check())
print(s.model())'''
a1[7] = 104
a1[1] = 97
a1[17] = 108
a1[19] = 103
a1[2] = 104
a1[13] = 97
a1[14] = 99
a1[0] = 104
a1[4] = 104
a1[15] = 107
a1[8] = 105
a1[18] = 97
a1[9] = 115
a1[16] = 102
a1[3] = 97
a1[10] = 105
a1[6] = 116
a1[11] = 115
a1[5] = 97
a1[12] = 102
for i in a1:
print(chr(i),end='')#hahahathisisfackflag
flag1=[]
for i in range(len(ans)):
flag1.append(ans[i]^a1[20-i-1])#flag1是v3
'''for i in range(len(keyy)):
count=0
while (keyy[i]!=0):
count+=1
keyy[i]>>=2
keyy[i]=count'''
print()
print(keyy)
print(flag1)
for i in range(len(flag1)):
if flag1[i]<128:
print(chr(flag1[i]),end=f'')
continue
for k in range(32,128):
v3=1
j=k
a=keyy[i]
while a!=0:
if (a&1)!=0:
v3*=j
j=(j*j)%1000
a>>=2
if abs(v3-flag1[i])<1:
print(chr(k),end=f'')
def zhiyinshu(n):
i = 2
while i <= n:
if i == n:
print(i, end="")
break
elif n % i == 0:
print(i, end="*")
n = n / i
else:
i += 1
print()
print(chr(95))
print(len("T1e_z_1s_v1r9_3asy!"))
print(len(flag1))
print(ord("3"))
print(6>>2)
'''for i in flag1:
zhiyinshu(i)
print()'''
'''
while ( keyy )
{
if ( (keyy & 1) != 0 )
v3 *= flag;
flag = flag * flag % 1000;
keyy >>= 2;
}
'''
5、hide_and_seek
直接运行就行,有个exit,zf跳过就行,在heap中
6、Shatter_Time
32为程序,直接动调,发现他会给你一个数字,然后会给你flag(多数情况下是假的,但是可能会看到nssctf的头,可以猜想是会自己解密的),
主函数中的循环是靠这个函数的返回值退出的
所以我们需要获得x
for x in range(10000000):
flag=1
if x%100000==0:
print("!!!!",x)
for j in range(500,550):
if x%j!=aaa[j-500]:
flag=0
if flag==1:
print("ture ans",x)
而x是clock的返回值,那么手动patch内存就行了
7、void(V1)
变表base64
8、 untouchable
修改zf位跳过第一个判断,发现是rc4,但是不知道秘钥,去存的位置看看,发现有nssfirst的字样,本来是想随便输一个跟一下的,结果他真是秘钥,flag直接出了
本来我的思路是,就算我不知道秘钥,先跟一下看一下,而且rc4是流密码,万一能找到秘钥流呢,没想到直接出了
9、void(v2)
和void1一样,都是变表base64,不同的是,void1是用函数的方式修改了表,void2是开了一个子进程,我看程序走来差不多了,就强制关掉
就可以继续调试了,搜索字符串,一眼变表base
10、just guess
给我心态搞炸了,vmp的壳,为什么我用x64只要不是f9就直接报错退出呢?
subprocess怎么进行交互啊~~~~~~,到底能不能啊,怎么写啊?来个师傅教一下,球球~~
这道题确实不会做,看了看网上师傅们的做法,有个师傅用ce修改轮数,唉,完全没想到,师傅tql
来个大佬教教其他做法好不好
11、Integer part
给了一个记事本,应该是栈中的内存,42开头的一般是浮点数(不排除是个地址),而且题目有描述,就将42的数提出来,让万能的gpt给我写一个将ieee格式转换成人类能看懂的格式的脚本,然后改改就行了,直接上代码吧,有思路就不难
import struct
def str_to_byte(strr):
strr='0x'+strr
a=int(strr,16)
return a.to_bytes(4,"big")
arr5=["42dd5db2", "42e760c5", "42e75687"]
arr4=["42c75604" ,"42e95687" ,"42cd645a" ,"42f75c29" ,"4246b22d" ,"42e964dd" ]
arr3=["42bf60c5" ,"42d35d2f" ,"42e75604" , "42bf5aa0" ,"42e75a1d" ,"42df60c5"]
arr2=["42bf60c5", "42cb62d1" ,"42c35c29" ,"42e75d2f" ,"42f3645a" ,"42bf599a" ]
arr1=["42e75db2" ,"42e95b23","42c35893", "42c75c29", "42d760c5",
"42fb547b"]
# 定义IEEE浮点数的字节序列
def printfloat(strr):
bytes_value = str_to_byte(strr)
# 使用struct模块的unpack函数进行转换
float_value = struct.unpack('!f', bytes_value)[0]
print(chr(int(float_value)),end='')
def func(j):
for i in range(len(eval("arr"+str(j)))):
printfloat((eval("arr"+str(j))[i]))
for i in range(5,0,-1):
func(i)
nssctf{1t_is_so_easy_stack}
12、Tetris
这个我重来没有接触过,一开始看到他没给附件还以为是不是题的位置放错了,然后点进去就看到了我最不喜欢的wasm,不会调,到最后我都没找到分数是在哪储存的,看师傅的wp,发现可以用ce直接修改浏览器,但要找到对应页面的进程号,在浏览器中shift+esc就ok13
13、Real Ezcheck
拿到一个abab.bin,放入010
猜测是MZ头,而且中间有较为明显的this is program 什么run dos mode之类的
程序逻辑很清晰,如果有dll的话,就怎么怎么样,如果没有,就让输入什么,然后有什么操作,那首先就是恢复dll,直接运该程序,会生成一个dll,但是肯定不是dll的格式,跟进一下,发现是用输入的秘钥,然后tea加密一次,生成一个秘钥,用该秘钥与abab异或,所以只要找到秘钥流就行,而且这个abab看起来就像一个pe格式,那直接和正常的pe格式异或一下,秘钥流就出来了(首先我们跟进程序,发现秘钥流有10位)
key_arr=[ 3, 0, 0, 0, 3, 0, 0, 0, 2, 0,
0, 0, 6, 0, 0, 0, 4, 0, 0, 0,
3, 0, 0, 0, 3, 0, 0, 0, 5, 0,
0, 0, 8, 0, 0, 0, 3, 0, 0, 0]
arr=[]
for i in key_arr:
if i!=0:
arr.append(i)
print(arr,"\t",len(arr))
fbin=open("abab.bin","rb")
fexe=open("check.exe","rb")
fbin_in=fbin.read()
fexe_in=fexe.read()
stream_key=[]
for i in range(10):
stream_key.append(fexe_in[i]^fbin_in[i])
print(stream_key)
crr=[]
for i in range(len(fbin_in)):
crr.append(fbin_in[i]^stream_key[i%len(stream_key)])
with open("Dll2.dll","wb+") as f:
for i in range(len(fbin_in)):
f.write(crr[i].to_bytes(1,"little"))
然后直接运行就行