lazy,只写了一部分
馒:
感觉这种不是考加密算法的,都是脑洞
直接拿数据去猜就行
这道题就是,你发现构建哈夫曼树缺一些数据和一些数据不匹配,
缺的数据就是flag,然后后面对应的那些不匹配的数据就是他在flag的第几个
看了很久都没明白他的哈夫曼树咋来的
# for i in range(25):
# print('a',end='')
import string
ans1=[0x000008DE, 0x00000395, 0x000001BE, 0x000000D9, 0x0000006A, 0x00000033, 0x00000014, 0x0000000F,
0x00000011, 0x000000E5, 0x00000072, 0x00000010, 0x0000000B, 0x000001D7, 0x000000E9, 0x00000074,
0x0000000E, 0x0000000D, 0x000000EE, 0x00000076, 0x0000000C, 0x00000007, 0x00000549, 0x0000022D,
0x000000F8, 0x0000007B, 0x00000006, 0x00000018, 0x00000135, 0x00000089, 0x00000043, 0x00000003,
0x00000005, 0x000000AC, 0x00000054, 0x00000004, 0x00000001, 0x0000031C, 0x0000017F, 0x000000BA,
0x00000059, 0x00000002, 0x00000008, 0x000000C5, 0x00000061, 0x00000030, 0x00000017, 0x0000000A,
0x00000015, 0x0000019D, 0x000000CB, 0x00000065, 0x00000016, 0x00000009, 0x000000D2, 0x00000068,
0x00000013, 0x00000012,]
print(ans1[27])
flag=[0 for i in range(25)]
flag[0]=ord(' ')
a=[0x6a,0xc5]
b=[0xe5,0xe9,0xee,0xf8,0x89,0xac,0xba,0xcb,0xd2]
for j in b:
for i in range(len(ans1)):
if(ans1[i]==j):
flag[ans1[i+3]]=j-ans1[i+1]
flag[ans1[i+2]]=ans1[i+1]
for i in range(len((ans1))):
if(ans1[i]==0x6a):
flag[ans1[i+2]]=ans1[i+1]
flag[ans1[i+3]]=ans1[i]-ans1[i+1]
flag[ans1[i+4]]=0xd9-ans1[i]
for i in range(len((ans1))):
if(ans1[i]==0x61):
flag[ans1[i+2]]=ans1[i+1]
flag[ans1[i+3]]=ans1[i]-ans1[i+1]
flag[ans1[i+4]]=0xc5-ans1[i]
for i in range(1,len(flag)):
print(chr(flag[i]),end='')
what is this:
1b 4c 75 61 代表这是lua文件,51代表版本为5.1
这是lua文件,5.1的,文件
Lua逆向神器之二luadec - 『逆向资源区』 - 吾爱破解 - LCG - LSG |安卓破解|病毒分析|www.52pojie.cncj
工具就参考这篇文章吧(太长了,不放了)
代码很长,但是让ai简化一下,就很简单
import random
import base64
def xor_bytes(num1, num2):
tmp1 = num1
tmp2 = num2
str_result = ""
while tmp1 != 0 or tmp2 != 0:
s1 = tmp1 % 2
s2 = tmp2 % 2
if s1 == s2:
str_result = "0" + str_result
else:
str_result = "1" + str_result
tmp1 = tmp1 // 2
tmp2 = tmp2 // 2
return int(str_result, 2)
def encrypt_flag(flag):
value = ""
for i in range(len(flag)):
temp = ord(flag[i])
temp = chr(xor_bytes(temp, 8) % 256)
value += temp
output = ""
for i in range(len(value)):
temp = ord(value[i])
temp = chr(temp + 3)
output += temp
# 注意:以下无关紧要的循环操作已省略,它们不影响最终加密结果
obfuscated_output = base64.b64encode(output.encode()).decode()
obfuscated_output = obfuscated_output[::-1]
obfuscated_output = obfuscated_output.replace("g", "3").replace("H", "4").replace("W", "6")
# 预设的固定字符串
fixed_string = "==AeuFEcwxGPuJ0PBNzbC16ctFnPB5DPzI0bwx6bu9GQ2F1XOR1U "
if obfuscated_output == fixed_string:
print("You get the flag.")
else:
print("F**k!")
# 示例用法
encrypt_flag("your_flag_here")这段代码定义了一个名为 encrypt_flag 的函数,其目的是对输入的字符串(flag)进行一系列的加密操作,并与预设的固定字符串进行比较。如果加密后的结果与预设字符串相等,则输出 "You get the flag.";否则输出 "F**k!"。以下是代码的具体解释:
-
定义
xor_bytes函数:- 输入:两个整数
num1和num2 - 功能:逐位对
num1和num2进行异或运算(相同为0,不同为1),将结果转换为二进制字符串,并返回对应的十进制整数。 - 实现:通过循环依次取出
num1和num2的最低位,计算异或结果并拼接到str_result前面。然后将num1和num2向右无符号移位一位(相当于除以2取整),直到两数都为0为止。
- 输入:两个整数
-
定义
encrypt_flag函数:- 输入:待加密的字符串
flag - 功能:对
flag进行多步加密操作,包括异或、字符偏移和混淆编码,最后与预设固定字符串对比。
加密步骤详解: a. 异或操作:
- 遍历
flag中的每个字符,将其 ASCII 码与整数 8 进行异或运算(使用xor_bytes函数),结果对 256 取模,确保在 0-255 范围内。 - 将得到的新整数转换回对应的字符,累加到
value字符串中。
b. 字符偏移:
- 再次遍历
value中的每个字符,将其 ASCII 码加 3,得到新的字符。 - 将这些新字符累加到
output字符串中。
c. 混淆编码:
- 使用
base64.b64encode对output进行 Base64 编码,得到字节串,再用decode()转换为字符串。 - 反转该字符串(即从后往前读取)。
- 将其中的字符 'g' 替换为 '3','H' 替换为 '4','W' 替换为 '6',得到最终的
obfuscated_output。
d. 结果比较:
- 比较
obfuscated_output与预设的固定字符串fixed_string是否相等。若相等,则输出 "You get the flag.",否则输出 "F**k!"。
- 输入:待加密的字符串
-
示例用法:
- 调用
encrypt_flag("your_flag_here"),传入待加密的字符串 "your_flag_here",执行加密过程并进行结果比较。
- 调用
注意:代码中注释提到“以下无关紧要的循环操作已省略”,这部分可能涉及对加密结果的进一步处理,但不影响最终与预设固定字符串的对比。实际运行时,应根据完整代码进行分析
把那个字符串翻转一下再base64,最后把里面的6都换成W就OK了
import string
flag='==AeuFEcwxGPuJ0PBNzbC16ctFnPB5DPzI0bwx6bu9GQ2F1XOR1U'
print(flag[::-1])
t='STN_Qv@ono¬poB3<>A>qmqmBo3A?Bn<lppAnx'
t='STN_Qv@onmlpoB3<>A>qmqmBo3A?Bn<lppAnx'
for j in range(len(t)):
for i in string.printable:
h=ord(i)
if((h^8)%255) +3 == ord(t[j]):
print(i,end='')XYCTF{5dcbaed781363fbfb7d8647c1aee6c}
ezmath:
# Source Generated with Decompyle++
# File: ezmath.pyc (Python 3.8)
flag = (lambda x: [ ord(i) for i in x ])(input('flag:'))
if len(flag) == 32 and (((((((((((((((((((((sum((lambda x: [ flag[23] for _ in x ])(range(flag[23]))) + sum((lambda x: [ flag[12] for _ in x ])(range(flag[12]))) + sum((lambda x: [ flag[1] for _ in x ])(range(flag[1]))) - sum((lambda x: [ flag[24] for _ in x ])(range(222)))) + sum((lambda x: [ flag[22] for _ in x ])(range(flag[22]))) + sum((lambda x: [ flag[31] for _ in x ])(range(flag[31]))) + sum((lambda x: [ flag[26] for _ in x ])(range(flag[26]))) - sum((lambda x: [ flag[9] for _ in x ])(range(178))) - sum((lambda x: [ flag[29] for _ in x ])(range(232)))) + sum((lambda x: [ flag[17] for _ in x ])(range(flag[17]))) - sum((lambda x: [ flag[23] for _ in x ])(range(150))) - sum((lambda x: [ flag[6] for _ in x ])(range(226))) - sum((lambda x: [ flag[7] for _ in x ])(range(110)))) + sum((lambda x: [ flag[19] for _ in x ])(range(flag[19]))) + sum((lambda x: [ flag[2] for _ in x ])(range(flag[2]))) - sum((lambda x: [ flag[0] for _ in x ])(range(176)))) + sum((lambda x: [ flag[10] for _ in x ])(range(flag[10]))) - sum((lambda x: [ flag[12] for _ in x ])(range(198)))) + sum((lambda x: [ flag[24] for _ in x ])(range(flag[24]))) + sum((lambda x: [ flag[9] for _ in x ])(range(flag[9]))) - sum((lambda x: [ flag[3] for _ in x ])(range(168)))) + sum((lambda x: [ flag[8] for _ in x ])(range(flag[8]))) - sum((lambda x: [ flag[2] for _ in x ])(range(134)))) + sum((lambda x: [ flag[14] for _ in x ])(range(flag[14]))) - sum((lambda x: [ flag[13] for _ in x ])(range(170)))) + sum((lambda x: [ flag[4] for _ in x ])(range(flag[4]))) - sum((lambda x: [ flag[10] for _ in x ])(range(142)))) + sum((lambda x: [ flag[27] for _ in x ])(range(flag[27]))) + sum((lambda x: [ flag[15] for _ in x ])(range(flag[15]))) - sum((lambda x: [ flag[15] for _ in x ])(range(224)))) + sum((lambda x: [ flag[16] for _ in x ])(range(flag[16]))) - sum((lambda x: [ flag[11] for _ in x ])(range(230))) - sum((lambda x: [ flag[1] for _ in x ])(range(178)))) + sum((lambda x: [ flag[28] for _ in x ])(range(flag[28]))) - sum((lambda x: [ flag[5] for _ in x ])(range(246))) - sum((lambda x: [ flag[17] for _ in x ])(range(168)))) + sum((lambda x: [ flag[30] for _ in x ])(range(flag[30]))) - sum((lambda x: [ flag[21] for _ in x ])(range(220))) - sum((lambda x: [ flag[22] for _ in x ])(range(212))) - sum((lambda x: [ flag[16] for _ in x ])(range(232)))) + sum((lambda x: [ flag[25] for _ in x ])(range(flag[25]))) - sum((lambda x: [ flag[4] for _ in x ])(range(140))) - sum((lambda x: [ flag[31] for _ in x ])(range(250))) - sum((lambda x: [ flag[28] for _ in x ])(range(150)))) + sum((lambda x: [ flag[11] for _ in x ])(range(flag[11]))) + sum((lambda x: [ flag[13] for _ in x ])(range(flag[13]))) - sum((lambda x: [ flag[14] for _ in x ])(range(234)))) + sum((lambda x: [ flag[7] for _ in x ])(range(flag[7]))) - sum((lambda x: [ flag[8] for _ in x ])(range(174)))) + sum((lambda x: [ flag[3] for _ in x ])(range(flag[3]))) - sum((lambda x: [ flag[25] for _ in x ])(range(242)))) + sum((lambda x: [ flag[29] for _ in x ])(range(flag[29]))) + sum((lambda x: [ flag[5] for _ in x ])(range(flag[5]))) - sum((lambda x: [ flag[30] for _ in x ])(range(142))) - sum((lambda x: [ flag[26] for _ in x ])(range(170))) - sum((lambda x: [ flag[19] for _ in x ])(range(176)))) + sum((lambda x: [ flag[0] for _ in x ])(range(flag[0]))) - sum((lambda x: [ flag[27] for _ in x ])(range(168)))) + sum((lambda x: [ flag[20] for _ in x ])(range(flag[20]))) - sum((lambda x: [ flag[20] for _ in x ])(range(212)))) + sum((lambda x: [ flag[21] for _ in x ])(range(flag[21]))) + sum((lambda x: [ flag[6] for _ in x ])(range(flag[6]))) + sum((lambda x: [ flag[18] for _ in x ])(range(flag[18]))) - sum((lambda x: [ flag[18] for _ in x ])(range(178)))) + 297412 == 0:
print('yes')
else:print('no')
两道公序下来——pyinstxtractor,pycdc得到上面的代码
看不到lam表达式,ai转一下
def ascii_value(c):
return ord(c)
def repeat_count(n):
return [n] * n
def fixed_range_count(n, k):
return [n] * k
def main():
flag="XYCTF{"
flag += input('flag:XYCTF{')
def f(index):
return [ascii_value(flag[index]) for _ in range(flag[index])]
def g(index, k):
print(index,":",k/2)
return [ascii_value(flag[index]) for _ in range(k)]
terms = [
sum(f(23)) + sum(f(12)) + sum(f(1)) - sum(g(24, 222)),
sum(f(22)) + sum(f(31)) + sum(f(26)) - sum(g(9, 178)),
sum(f(17)) - sum(g(23, 150)) - sum(g (6, 226)) - sum(g(7, 110)),
sum(f(19)) + sum(f(2)) - sum(g(0, 176)),
sum(f(10)) - sum(g(12, 198)),
sum(f(24)) + sum(f(9)) - sum(g(3, 168)),
sum(f(8)) - sum(g(2, 134)),
sum(f(14)) - sum(g(13, 170)),
sum(f(4)) - sum(g(10, 142)),
sum(f(27)) + sum(f(15)) - sum(g(15, 224)),
sum(f(16)) - sum(g(11, 230)) - sum(g(1, 178)),
sum(f(28)) - sum(g(5, 246)) - sum(g(17, 168)),
sum(f(30)) - sum(g(21, 220)) - sum(g(22, 212)) - sum(g(16, 232)),
sum(f(25)) - sum(g(4, 140)) - sum(g(31, 250)) - sum(g(28, 150)),
sum(f(11)) + sum(f(13)) - sum(g(14, 234)),
sum(f(7)) - sum(g(8, 174)),
sum(f(3)) - sum(g(25, 242)),
sum(f(29)) + sum(f(5)) - sum(g(30, 142)) - sum(g(26, 170)) - sum(g(19, 176)),
sum(f(0)) - sum(g(27, 168)),
sum(f(20)) - sum(g(20, 212)),
sum(f(21)) + sum(f(6)) + sum(f(18)) - sum(g(18, 178))
]
total_sum = sum(terms) + 297412
if total_sum == 0:
print('yes')
else:
print('no')
main()如跟着这个代码思维就是,flag里面32个,每一个的平方=297412
这里有个很重要的地方,其实每个g(x,y)里面,x是flag下标,y就是ord(flag【x】**2)
这个有点脑洞的, 我观察到第一个和第二个刚好少2个,然后就按着这个思路发现了
最开始脑子抽了,想用dfs爆破的,太大了
#include "bits/stdc++.h"
using namespace std;
typedef long long ll;
string printable="0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~ ";
string flag="XYCTF{";
stack<char> t;
bool dfs(ll sum,ll len){
if(len==32&&sum==297412){
return 1;
}
else if(len==32&&sum!=293412){
return 0;
}
for(int i=0;i<=printable.size();i++){
int h=printable[i];
h=h*h;
if(dfs(sum+h,len+1)){
t.push(printable[i]);
return 1;
}
}
return 0;
}
int main(){
if(dfs(47239,5)){
for(int i;i<t.size();i++){
char ch=t.top();
t.pop();
cout<<ch;
}
}
else
cout<<'wrong';
return 0;
}然后后面突然意思到,自己真是sb
flag = [1] * 32 # 初始化一个长度为32的列表,所有元素均为1
# 使用索引来设定特定位置的值
flag[24] = 222
flag[9] = 178
flag[6] = 226
flag[7] = 110
flag[0] = 176
flag[12] = 198
# 更正逗号分隔的赋值(应为单独的赋值语句)
flag[3] = 168
flag[2] = 134
flag[13] = 170
flag[10] = 142
flag[15] = 224
flag[11] = 230
flag[1] = 178
flag[5] = 246
flag[17] = 168
flag[21] = 220
flag[22] = 212
flag[16] = 232
flag[4] = 140
flag[31] = 250
flag[28] = 150
flag[14] = 234
# 修复逗号分隔的赋值
flag[8] = 174
flag[25] = 242
flag[30] = 142
flag[26] = 170
flag[19] = 176
flag[27] = 168
flag[20] = 212 # 删除多余的逗号和无效语法
# 修复括号及逗号错误,假设此处意为将178赋值给第18个元素
flag[18] = 178
for i in range(len(flag)):#23,29
if(flag[i]==1):
print('?',end='')
continue
print(chr(int(flag[i]/2)),end='')
# 整理后,flag 列表已完成初始化XYCTF{q7WYGscUuptTYXjnj?oyUTK?G} 其中23和29是空的
import string
sum=0
flag=[176,178,134,168,140,246,226,110,174,178,142,230,198,170,234,224,232,168,178,176,212,220,212,1,222,242,170,168,150,1,142,250,]
for i in flag:
if(i==0):
continue
t=int(i/2)
sum+=t*t
for i in string.printable:
for j in string.printable:
a=ord(i)
b=ord(j)
ans=a*a+b*b
if(sum+ans==297412):
print(i,j)
这样就直接爆破出,是t和K
都试一次
就知道了flag为
XYCTF{q7WYGscUuptTYXjnjKoyUTKtG}
ez——rand:
这是一个新知识点
这里time(0)不懂的自己去百度一下,返回编译结束的时间——1970什么的秒数
srand和rand有相关——如果rand前有srand(x),那么rand得到的数字是固定的,仅由x决定
那这个v4,我们已经知道是双字节(动调看见的)
那么我们直接爆破
找到v4(利用已知flag头是XY得到v4)
#include "bits/stdc++.h"
using namespace std;
int enc[29] = {
0x5D, 0x0C, 0x6C, 0xEA, 0x46, 0x19, 0xFC, 0x34, 0xB2, 0x62,
0x23, 0x07, 0x62, 0x22, 0x6E, 0xFB, 0xB4, 0xE8, 0xF2, 0xA9,
0x91, 0x12, 0x21, 0x86, 0xDB, 0x8E, 0xE9, 0x43, 0x4D
};
int main(){
// if (
// (*(&v10 + v6) ^ (v7+ ((((2155905153 * v7) >> 32) & 0x80000000) != 0) + (((2155905153 * v7) >> 32) >> 7))) != *(v9 + v6)
// )
long long data[3];
for (int i = 0; i <= 0xffff; ++i) {
srand(i);
for (int j = 0; j < 2; ++j) {
data[j] = rand();
}
long long a = 'X',b = 'Y';
if(((a ^ ((data[0]+ ((((2155905153 * data[0]) >> 32) & 0x80000000) != 0) + (((2155905153 * data[0]) >> 32) >> 7)))) & 0xff) == enc[0]){
if (((b ^ ((data[1]+ ((((2155905153 * data[1]) >> 32) & 0x80000000) != 0) + (((2155905153 * data[1]) >> 32) >> 7)))) & 0xff) == enc[1]){
cout << i << endl;
}
}
}
// srand(21308);
// int data[29];
// for (int i = 0; i < 29; ++i) {
// data[i] = rand();
// }
// for (int i = 0; i < 29; ++i) {
// for (int j = 0; j < 128; ++j) {
// if(((j ^ ((data[i]+ ((((2155905153 * data[i]) >> 32) & 0x80000000) != 0) + (((2155905153 * data[i]) >> 32) >> 7)))) & 0xff) == enc[i]){
// cout << char(j);
// }
// }
//
// }
return 0;
}
这里有个很坑的地方
这个4189,大于一个字节了,所以必须与0xff,不然永远没答案
得到了种子是21308
#include "bits/stdc++.h"
using namespace std;
int enc[29] = {
0x5D, 0x0C, 0x6C, 0xEA, 0x46, 0x19, 0xFC, 0x34, 0xB2, 0x62,
0x23, 0x07, 0x62, 0x22, 0x6E, 0xFB, 0xB4, 0xE8, 0xF2, 0xA9,
0x91, 0x12, 0x21, 0x86, 0xDB, 0x8E, 0xE9, 0x43, 0x4D
};
int main(){
// if (
// (*(&v10 + v6) ^ (v7+ ((((2155905153 * v7) >> 32) & 0x80000000) != 0) + (((2155905153 * v7) >> 32) >> 7))) != *(v9 + v6)
// )
// long long data[3];
// for (int i = 0; i <= 0xffff; ++i) {
// srand(i);
// for (int j = 0; j < 2; ++j) {
// data[j] = rand();
// }
// long long a = 'X',b = 'Y';
// if(((a ^ ((data[0]+ ((((2155905153 * data[0]) >> 32) & 0x80000000) != 0) + (((2155905153 * data[0]) >> 32) >> 7)))) & 0xff) == enc[0]){
// if (((b ^ ((data[1]+ ((((2155905153 * data[1]) >> 32) & 0x80000000) != 0) + (((2155905153 * data[1]) >> 32) >> 7)))) & 0xff) == enc[1]){
// cout<<((a ^ ((data[0]+ ((((2155905153 * data[0]) >> 32) & 0x80000000) != 0) + (((2155905153 * data[0]) >> 32) >> 7)))) )<<endl;
// cout << i << endl;
// }
// }
// }
srand(21308);
int data[29];
for (int i = 0; i < 29; ++i) {
data[i] = rand();
}
for (int i = 0; i < 29; ++i) {
for (int j = 0; j < 128; ++j) {
if(((j ^ ((data[i]+ ((((2155905153 * data[i]) >> 32) & 0x80000000) != 0) + (((2155905153 * data[i]) >> 32) >> 7)))) & 0xff) == enc[i]){
cout << char(j);
}
}
}
return 0;
}
得到flag
给阿姨倒一杯卡布奇诺:
经典t加密算法
import libnum
from ctypes import *
def decrypt(v7, v6, key):
v6=c_uint32(v6)
v7=c_uint32(v7)
delta = 0x6E75316C
v4 = c_uint32(delta * 32)
for i in range(31, -1, -1):
v6.value -= ((v7.value >> 5) + key[3]) ^ (v7.value + v4.value) ^ (key[2] + 16 * v7.value) ^ (v4.value + i)
v7.value -= ((v6.value >> 5) + key[1]) ^ (v6.value + v4.value) ^ (key[0] + 16 * v6.value) ^ (v4.value + i)
v4.value -= delta
return v7.value, v6.value
key = [1702259047, 1970239839, 1886741343, 1634038879]
a = [
0x9B28ED45, 0x145EC6E9, 0x5B27A6C3, 0xE59E75D5,
0xE82C2500, 0xA4211D92, 0xCD8A4B62, 0xA668F440
]
ans = []
data=[1601794676,1685217640,0x9B28ED45, 0x145EC6E9, 0x5B27A6C3, 0xE59E75D5,
0xE82C2500, 0xA4211D92,]
for j in range(0, 8, 2):
ans0, ans1 = decrypt(a[j], a[j + 1], key)
print((ans0^data[j]))
print(ans1^data[j+1])
ans.append(ans0^data[j])
ans.append(ans1^data[j+1])
flag = ''.join([libnum.n2s(i).decode('utf-8')[::-1] for i in ans])
print(flag)
ez_enc:
第一个字符肯定是flag的f或者XYCTF的X
试一下,发现是f(不想试,也可以从最后一个开始,最后一个一定是})
import string
enc=[39, 36, 23, 11, 80, 3, 200, 12, 31, 23,
54, 85, 203, 45, 233, 50, 14, 17, 38, 2,
12, 7, 252, 39, 61, 45, 237, 53, 89, 235,
60, 62, 228, 125,]
a='IMouto'
flag='f'
for i in range(len(enc)):
for j in string.printable:
if(enc[i]==(ord(flag[i])%20+ord(j))^ord(a[i%6])):
flag+=j
print(flag)切记切记啊,这里一定要加上break,因为如果是下面这段代码
import string
enc=[39, 36, 23, 11, 80, 3, 200, 12, 31, 23,
54, 85, 203, 45, 233, 50, 14, 17, 38, 2,
12, 7, 252, 39, 61, 45, 237, 53, 89, 235,
60, 62, 228, 125,]
a='IMouto'
flag='f'
for i in range(len(enc)):
for j in range(0,128):
if(enc[i]==(ord(flag)%20+j)^ord(a[i%6])):
print(chr(j),end='')
flag=chr(j)
break
print(flag)
如果不加break,在i=2的时候, 有个u可以匹配flag= 'g'然后,就导致后面会错(血泪教训)
这篇博客看到,TNND 居然还可以用Z3
from z3 import *
res = [110,105,120,126,36,108,129,65,112,98,66,58,130,96,134,71,122,126,111,79,99,114,136,72,116,96,130,64,45,132,117,115,139]
# 创建Z3变量
str = [Int('str_%d' % i) for i in range(34)]
# 创建Z3 Solver
solver = Solver()
# 添加约束条件
for i in range(33):
solver.add(str[i+1] + str[i] % 20 == res[i])
# 最后一个数为125
solver.add(str[-1] == 125)
# 求解方程组
if solver.check() == sat:
model = solver.model()
solution = [model[str[i]].as_long() for i in range(34)]
print("Solution found:")
print(solution)
else:
print("No solution found.")
a = [108, 97, 103, 123, 33, 95, 114, 51, 101, 97, 49, 49, 121, 95, 119, 52, 110, 116, 95, 64, 95, 99, 117, 55, 101, 95, 115, 49, 36, 116, 101, 114, 125]
for i in a:
print(chr(i),end="")剥核桃
一个nspack加壳的文件
[原创]Nspack 3.x脱壳机 v1.0-资源下载-看雪-安全社区|安全招聘|kanxue.com
大佬的脱壳机
一个很简单的异或
a=[0x00000012, 0x00000004, 0x00000008, 0x00000014, 0x00000024, 0x0000005C, 0x0000004A, 0x0000003D,
0x00000056, 0x0000000A, 0x00000010, 0x00000067, 0x00000000, 0x00000041, 0x00000000, 0x00000001,
0x00000046, 0x0000005A, 0x00000044, 0x00000042, 0x0000006E, 0x0000000C, 0x00000044, 0x00000072,
0x0000000C, 0x0000000D, 0x00000040, 0x0000003E, 0x0000004B, 0x0000005F, 0x00000002, 0x00000001,
0x0000004C, 0x0000005E, 0x0000005B, 0x00000017, 0x0000006E, 0x0000000C, 0x00000016, 0x00000068,
0x0000005B, 0x00000012, 0x00000000, 0x00000000, 0x00000048]
b="this_is_not_flag"
for i in range(len(a)):
print(chr(ord(b[i%16])^a[i]),end='')
print(len(b))何须相思煮余年
我也是第一次见到这道题,记录一下
下载是一个二进制文件
下面这个enc我拿掉了
复制上面的16进制
打开010
文件——新建16进制文件
记住记住!!!!!!
这里要按shift+ctrl+v,这样是只复制在左边
然后保存这个文件,用IDA32打开,(不知道为什么64不行)
在IDA界面按一下u(不行就按c,强制)再按一下p编译
p
然后就是一个很ok的函数了
import string
enc = [88,88,134,87,74,118,318,101,59,92,480,60,65,41,770,110,73,31,918,39,120,27,1188,47,77,24,1352,44,81,23,1680,46,85,15,1870,66,91,16,4750]
for i in range(len(enc)):
t=i%4
for j in string.printable:
temp=ord(j)
if(t!=0):
if(t==1):
if(enc[i]==temp-i):
print(j,end='')
elif (t == 2):
if (enc[i] == temp *i):
print(j, end='')
elif (t == 3):
if (enc[i] == temp ^ i):
print(j, end='')
else:
if(temp+i==enc[i]):
print(j,end='')tip:hex()返回的是string
DebugMe
就是监测你有没有动调环境的
随便下个断点就有ok
动调之后点一下就有flag
Trust me
打开文件一个RC4加密 告诉你 用户名是admin
然后提示是个漏洞
问了下web的,就是只要用SQL写的代码,admin or 1 不管密码怎样都OK
baby unity
li2cpp逆向-CSDN博客
easy language
没写出来,
find me:
XYCTF2024 Writeup | jht3の个人站 (jht3qaq.github.io)
XYCTF 2024 (Reverse) Writeup by 摸鱼 (xinshi.fun)
#include<stdio.h>
#include<string.h>
#include<stdint.h>
#include<stdlib.h>
#include<assert.h>
uint8_t byte_14001D960[512];
const char* Str = "Find_Doraemon";
uint8_t byte_14001D201;
void init(){
char v9[532];
int j;
int v7 = strlen(Str);
int v11 = 0;
int v12 = 0;
memset(v9, 0, 0x200);
for ( j = 0; j < 0x200; ++j )
{
byte_14001D960[j] = -(char)j;
v9[j] = Str[j % v7];
}
while ( v11 < 512 )
{
v12 = ((unsigned __int8)v9[v11] + byte_14001D960[v11] + v12) % 512;
byte_14001D201 = byte_14001D960[v11];
byte_14001D960[v11] = byte_14001D960[v12];
byte_14001D960[v12] = byte_14001D201;
++v11;
}
}
int main(){
int v13=0,v14=0,v11=0,v12,i,v8;
uint8_t v15,v16;
init();
for(int i=0;i<512;i++){
if(i%16==0)printf("\n");
printf("%02X ",byte_14001D960[i]);
}
FILE* fin=fopen(R"(D:\CTF\problem\XYctf\re\Findme\Doraemon1)","rb");
FILE* fout=fopen(R"(D:\CTF\problem\XYctf\re\Findme\Doraemon3)","wb");
while(!feof(fin)){
v13 = (v13 + 1) % 512;
v14 = (byte_14001D960[v13] + v14) % 512;
byte_14001D201 = byte_14001D960[v13];
byte_14001D960[v13] = byte_14001D960[v14];
byte_14001D960[v14] = byte_14001D201;
v16 = byte_14001D960[(unsigned __int8)((byte_14001D960[v14] + byte_14001D960[v13]) % 512)];
v15 = v16 ^ fgetc(fin);
fputc(v15, fout);
srand(byte_14001D960[v11 % 512]);
v12 = rand() % 4;
//printf("v12 %d\n",v12);
for ( i = 0; i < v12; ++i )
{
v8 = rand();
if(!feof(fin))assert(v8 % 0x100==fgetc(fin));
else break;
}
++v11;
}
fclose(fin);
fclose(fout);
return 0;
}
demon2的010保存,然后在厨子里面(厨子太牛逼了,这个图片也能直接出)
扫一扫
383
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
