简单小题
071_[UTCTF2020]babymips
这题能直接F5反编译,没什么难度,就是一个异或
// Hex-Rays output of the check routine (071). a1 points at the 78-byte
// expected buffer, a2 is the std::string holding the user input.
// Returns the ostream result of printing "correct!" or "incorrect".
int __fastcall sub_401164(int a1, int a2)
{
int v2; // $v0
int v4; // $v0
unsigned int i; // [sp+1Ch] [+1Ch]
// Length gate: the input must be exactly 0x4E (78) bytes.
if ( std::string::size(a2) != 0x4E )
{
LABEL_2:
v2 = std::operator<<<std::char_traits<char>>(&std::cout, "incorrect");
return std::ostream::operator<<(v2, &std::endl<char,std::char_traits<char>>);
}
else
{
// Byte i of the input is XORed with (i + 23) and must equal byte i of the
// expected buffer. The first mismatch jumps straight to the "incorrect" path,
// so the comparison bails out early rather than running over the whole buffer.
for ( i = 0; i < std::string::size(a2); ++i )
{
if ( (*(char *)std::string::operator[](a2, i) ^ (i + 23)) != *(char *)(a1 + i) )
goto LABEL_2;
}
v4 = std::operator<<<std::char_traits<char>>(&std::cout, "correct!");
return std::ostream::operator<<(v4, &std::endl<char,std::char_traits<char>>);
}
}
解码得到一串看似乱码的字符,但它就是正确的flag
# Solver for 071: the binary XORs input byte i with (i + 23) and compares the
# result against a 78-byte (0x4E) constant, so applying the same key stream to
# that constant recovers the expected input.
c = bytes.fromhex('626C7F767A7B66737650527D405455794049474D74197B6A420A4F527D694F530C64100F1E4A67037C67026A316761377A622C2C0F6E1700160F160A6D62732539762E1C63782B74321620224419')
key_stream = range(23, 23 + len(c))
print(bytes(byte ^ key for byte, key in zip(c, key_stream)))
#utflag{mips_cpp_gang_5VDm:~`N]ze;\\)5%vZ=C\'C(r#$q=*efD"ZNY_GX>6&sn.wF8$v*mvA@\'}
#flag{mips_cpp_gang_5VDm:~`N]ze;\)5%vZ=C'C(r#$q=*efD"ZNY_GX>6&sn.wF8$v*mvA@'}
072_[NPUCTF2020]你好sao啊
读入数据后直接做base64解码再与常量比较,只是码表里的5和6被换成了{和}
// Excerpt of the main check in 072; the enclosing function's start (the
// declarations of s, s1, s2 and the v4/v11 stream locals) is not part of
// this excerpt.
v5 = std::operator<<<std::char_traits<char>>(&std::cout, "Input Your flag:", v4);
std::ostream::operator<<(v5, &std::endl<char,std::char_traits<char>>);
// Three 8-byte constants make up the 24-byte comparison buffer s2 (v15 and
// v16 presumably are the next two qwords of s2 on the stack, split up by the
// decompiler). The _QWORD character constants are shown with the most
// significant byte first, so each group lands in memory in the reverse of the
// order printed here; the solver below reverses each chunk accordingly.
*(_QWORD *)s2 = '\x0F\xD3p\xFE\xB5\x9C\x9B\x9E';
v15 = '\xDE\xAB\x7F\x02\x9CO\xD1\xB2';
v16 = '\xFA\xCD\x9D@\xE7ceY';
v17 = 4LL; // v17/v18 are not read anywhere in the visible code
v18 = 0;
// Reads at most 33 characters (plus NUL) into s; the size of s is not visible.
__isoc99_scanf("%33s", s);
// RxEncode: per the write-up, a base64 decoder whose table has '5'/'6'
// replaced by '{'/'}'. 32 base64 characters decode to the 24 bytes in s2.
s1 = (char *)RxEncode(s, 33);
if ( strlen(s) == 32 )
{
// strcmp on binary data: this relies on s1 and s2 being NUL-terminated right
// after the 24 bytes (none of the constant bytes above is 0x00).
if ( !strcmp(s1, s2) )
v12 = std::operator<<<std::char_traits<char>>(&std::cout, "Congratulations!", v11);
else
v12 = std::operator<<<std::char_traits<char>>(&std::cout, "Wrong!", v11);
std::ostream::operator<<(v12, &std::endl<char,std::char_traits<char>>);
return 0;
}
解码
# Solver for 072: the three _QWORD constants appear in the decompiler with the
# most significant byte first, so each 8-byte group is reversed to recover the
# in-memory order before re-encoding.
chunks = (
    b'\x0F\xD3p\xFE\xB5\x9C\x9B\x9E',
    b'\xDE\xAB\x7F\x02\x9CO\xD1\xB2',
    b'\xFA\xCD\x9D@\xE7ceY',
)
s2 = b''.join(chunk[::-1] for chunk in chunks)
# Plain base64 is enough: the binary's table only swaps 5/6 for {/}, so those
# two characters are replaced by hand in the printed result.
from base64 import b64encode
print(b64encode(s2))
#npuctf5w0w+y0U+cAn+r3lllY+dAnc36
#flag{w0w+y0U+cAn+r3lllY+dAnc3}
073_[GKCTF 2021]QQQQT
程序体积很大,查壳发现是Enigma Virtual Box打的包,用“Enigma Virtual Box 解包器 v0.59 汉化版”解包后放入IDA,但没找到程序入口。在汇编里找到flag字符串,按X查交叉引用定位到sub_4012F0,这里有码表和算法,应该是base58
// Excerpt of sub_4012F0 (073): reads the line edit, base58-encodes the text
// with the alphabet in v22 and compares the result with a fixed ciphertext.
// The enclosing function's prologue and epilogue are not part of this excerpt.
QLineEdit::text(*(_DWORD *)(this[6] + 4), v15);
v25 = 0; // NOTE(review): v25 looks like compiler-emitted cleanup state, not part of the check — unconfirmed
QString::toLatin1(v15, v16);
LOBYTE(v25) = 1;
v18 = QByteArray::data((QByteArray *)v16); // v18: NUL-terminated input bytes
memset(v23, 0, sizeof(v23));               // v23: output string of alphabet chars
v24 = 0i64;
strcpy(v22, "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"); // base58 alphabet (no 0, O, I, l)
// Upper bound on the number of base58 digits: 138/100 ~ log(256)/log(58).
v20 = 138 * strlen(v18) / 0x64;
v13 = v20 + 1;
v1 = 0;
// Zero-filled digit buffer; v2[v20] is the least significant digit.
v21 = malloc(v20 + 1);
v2 = v21;
memset(v21, 0, v13);
v3 = v18;
v19 = (int)(v18 + 1); // dead store: v19 is reused as a carry temp below
if ( strlen(v18) )
{
v4 = &v2[v20];
v17 = v4;
// For each input byte: digits = digits * 256 + byte, with the carry
// propagating towards lower indices (the more significant digits).
while ( 1 )
{
v19 = ((char)*v4 << 8) + v3[v1];
v5 = v19 / 58;
*v4 = v19 % 58;
if ( v5 )
{
do
{
v6 = (char)*--v4;
v7 = (v6 << 8) + v5;
v19 = v7 / 58;
*v4 = v7 % 58;
v5 = v19;
}
while ( v19 );
v4 = v17;
}
if ( ++v1 >= strlen(v18) )
break;
v3 = v18;
}
v2 = v21;
}
// Skip leading zero digits. No leading-'1' output for leading zero bytes is
// visible here, unlike Bitcoin-style base58. If every digit is zero (e.g. an
// empty input) this loop reads past the end of the v21 buffer.
v8 = 0;
if ( !*v2 )
{
do
++v8;
while ( !v2[v8] );
}
v9 = v20;
// Map the remaining digits through the alphabet into v23; v11[v10] is v2[v8]
// written via the pointer difference v10 = v2 - v23.
if ( v8 <= v20 )
{
v10 = v2 - (_BYTE *)v23;
do
{
v11 = (char *)v23 + v8++;
*v11 = v22[(char)v11[v10]];
}
while ( v8 <= v9 );
}
if ( !qstrcmp((const char *)v23, "56fkoP8KhwCf3v7CEz") ) // expected ciphertext
{
// On success the input itself is shown in a message box titled "flag".
// QString::fromAscii_helper takes (data, size) with -1 meaning "up to NUL".
if ( v18 )
v12 = strlen(v18);
else
v12 = -1;
// v21 (the malloc'ed digit buffer) is overwritten here; no free() of it is
// visible in this excerpt.
v21 = (_BYTE *)QString::fromAscii_helper(v18, v12);
LOBYTE(v25) = 2;
v20 = QString::fromAscii_helper("flag", 4);
LOBYTE(v25) = 3;
QMessageBox::warning(this, &v20, &v21, 1024, 0);
QString::~QString((QString *)&v20);
QString::~QString((QString *)&v21);
}
直接算出明文
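# Solver for 073: the binary base58-encodes the input with the alphabet below
# (no leading-'1' handling) and compares it with the ciphertext, so decoding
# the ciphertext as a big-endian base-58 number recovers the input directly.
code = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
c = "56fkoP8KhwCf3v7CEz"


def b58_to_int(text: str, alphabet: str = code) -> int:
    """Interpret `text` as a big-endian base-58 number over `alphabet`.

    Returns 0 for an empty string. Raises ValueError (from str.index) when a
    character of `text` is not in `alphabet`.
    """
    value = 0
    for ch in text:
        value = value * 58 + alphabet.index(ch)
    return value


i = b58_to_int(c)
# int.to_bytes instead of bytes.fromhex(hex(i)[2:]): the hex form has an odd
# number of digits whenever the leading byte is below 0x10, and fromhex
# rejects odd-length input.
plain = i.to_bytes((i.bit_length() + 7) // 8, "big")
print(i, hex(i), plain)
#flag{12t4tww3r5e77}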