[SHCTF 2023 校外赛道] reverse

已于 2023-11-01 11:29:31 修改
阅读量608 收藏 3
点赞数
文章标签: java 前端 javascript
于 2023-10-31 23:01:00 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_52640415/article/details/134149480
版权

week1

ez_asm

想不到第1题是个汇编,咱也不知道拿啥能弄成c,不过这题也不难,直接能看懂,关键部分。

取出异或0x1e然后保存,再取出-0xa再保存。

.text:0000000000401566                               loc_401566:                             ; CODE XREF: main+65↓j
.text:0000000000401566 8B 45 FC                      mov     eax, [rbp+var_4]         计数器 指针
.text:0000000000401569 48 98                         cdqe
.text:000000000040156B 48 8D 15 AE 1A 00 00          lea     rdx, flag                       
.text:0000000000401572 0F B6 04 10                   movzx   eax, byte ptr [rax+rdx]  取出1个
.text:0000000000401576 83 F0 1E                      xor     eax, 1Eh                 xor 1e
.text:0000000000401579 89 C1                         mov     ecx, eax
.text:000000000040157B 8B 45 FC                      mov     eax, [rbp+var_4]
.text:000000000040157E 48 98                         cdqe
.text:0000000000401580 48 8D 15 99 1A 00 00          lea     rdx, flag                      
.text:0000000000401587 88 0C 10                      mov     [rax+rdx], cl            保存
.text:000000000040158A 8B 45 FC                      mov     eax, [rbp+var_4]
.text:000000000040158D 48 98                         cdqe
.text:000000000040158F 48 8D 15 8A 1A 00 00          lea     rdx, flag                      
.text:0000000000401596 0F B6 04 10                   movzx   eax, byte ptr [rax+rdx]  再取出1个
.text:000000000040159A 83 E8 0A                      sub     eax, 0Ah                 -a 
.text:000000000040159D 89 C1                         mov     ecx, eax
.text:000000000040159F 8B 45 FC                      mov     eax, [rbp+var_4]
.text:00000000004015A2 48 98                         cdqe
.text:00000000004015A4 48 8D 15 75 1A 00 00          lea     rdx, flag                      
.text:00000000004015AB 88 0C 10                      mov     [rax+rdx], cl            保存
.text:00000000004015AE FF 45 FC                      inc     [rbp+var_4]

>>> a = 'nhuo[M`7mc7uhc$7midgbTf`7`$7%#ubf7 ci5Y'
>>> bytes([ (i+0xa)^0x1e for i in a.encode()])
b'flag{It_is_als0_impor@nt_t0_13arn_4sm!}'

easy_re

IDA打开,逻辑很简单,高低位互换

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char Str[52]; // [rsp+20h] [rbp-40h] BYREF
  int v5; // [rsp+54h] [rbp-Ch]
  int j; // [rsp+58h] [rbp-8h]
  int i; // [rsp+5Ch] [rbp-4h]

  _main();
  printf("Input your flag:");
  scanf("%s", Str);
  v5 = strlen(Str);
  for ( i = 0; i < v5; ++i )
    Str[i] = (Str[i] >> 4) | (16 * Str[i]);
  for ( j = 0; j < v5; ++j )
  {
    if ( Str[j] != des[j] )
    {
      printf("Wrong!");
      exit(0);
    }
  }
  printf("Right!");
  return 0;
}


>>> a = '66C61676B7452797F54703F53703C66733F5478656F52696E6162797F507270326C633D6D7'
>>> bytes([int(a[i:i+2][::-1],16) for i in range(0, len(a),2)])
b'flag{Try_t0_s0lv3_the_binary_pr0bl3m}'

seed

10字节随机数的key异或

  printf("Input your flag:");
  scanf("%s", v6);
  srand(seed);
  for ( i = 0; i <= 9; ++i )
  {
    v3 = rand() % 255;
    v5[i] = v3;
  }
  for ( j = 0; j <= 44; ++j )
    *((_BYTE *)v6 + j) ^= v5[j % 10];
  for ( k = 0; k <= 44; ++k )
  {
    if ( *((unsigned __int8 *)v6 + k) != des[k] )
    {
      printf("Wrong!");
      exit(0);
    }
  }
  printf("Right!");

用flag{头可以出来5个,后边的就只能一个个试,看着合适再试下一个

a = bytes.fromhex('402928E9C204A4ED9F535F753CD1CD2BA8C48969152116EFD72792DFCA535F2A3CD1CE03A3EFA578161A2DE1C4')
from pwn import xor

flag = b'flag{Give_'
key = xor(flag, a[:len(flag)])

for i in range(256):
    tkey = key + bytes([i])
    m = xor(tkey.ljust(10, b'\x00'),a)
    if all([0x20<=m[v]<=0x7e for v in range(len(flag),len(a),10)]):
        print(i, m)

#flag{Give_y0u_the_se3d_and_D0_you_w@nt_t0_do}

signin

这才是签到,跳过

ez_math

代码是公式,这种很常见,用z3

print("Please input flag:")
flag = input()
if len(flag)!=42:
	print("Check your length!")
	exit()

l=[]
for i in range(6):  #7字符1段,分6段
	s=""
	for j in flag[i*7:i*7+7]:
		s+=hex(ord(j))[2:]
	l.append(int(s,16))
if (
(593*l[0] + 997*l[1] + 811*l[2] + 258*l[3] + 829*l[4] + 532*l[5])== 0x5b8e0aef71d34ff43 and \
(605*l[0] + 686*l[1] + 328*l[2] + 602*l[3] + 695*l[4] + 576*l[5])== 0x551a262360964ef7f and \
(373*l[0] + 512*l[1] + 449*l[2] + 756*l[3] + 448*l[4] + 580*l[5])== 0x49d158a5657d6931c and \
(560*l[0] + 635*l[1] + 422*l[2] + 971*l[3] + 855*l[4] + 597*l[5])== 0x625568d5abbabf4f3 and \
(717*l[0] + 507*l[1] + 388*l[2] + 925*l[3] + 324*l[4] + 524*l[5])== 0x50ee0c025e70e3c23 and \
(312*l[0] + 368*l[1] + 884*l[2] + 518*l[3] + 495*l[4] + 414*l[5])== 0x40e735f8aa2815f65):
	print("Good job!")
else:
	print("Wrong\nTry again!!!")
	exit()

from z3 import *

l = [Int(f'l_{i}') for i in range(6)]
s = Solver()
s.add((593*l[0] + 997*l[1] + 811*l[2] + 258*l[3] + 829*l[4] + 532*l[5])== 0x5b8e0aef71d34ff43)
s.add((605*l[0] + 686*l[1] + 328*l[2] + 602*l[3] + 695*l[4] + 576*l[5])== 0x551a262360964ef7f)
s.add((373*l[0] + 512*l[1] + 449*l[2] + 756*l[3] + 448*l[4] + 580*l[5])== 0x49d158a5657d6931c)
s.add((560*l[0] + 635*l[1] + 422*l[2] + 971*l[3] + 855*l[4] + 597*l[5])== 0x625568d5abbabf4f3)
s.add((717*l[0] + 507*l[1] + 388*l[2] + 925*l[3] + 324*l[4] + 524*l[5])== 0x50ee0c025e70e3c23)
s.add((312*l[0] + 368*l[1] + 884*l[2] + 518*l[3] + 495*l[4] + 414*l[5])== 0x40e735f8aa2815f65)

s.check()
d = s.model()

flag = b''
for i in l:
    flag+=long_to_bytes(d[i].as_long())

#flag{N0_One_kn0ws_m@th_B3tter_Th@n_me!!!!}

ez_apk

jadx打开是base58变表,密文和码表不在layout目录里,发现外部有多个dex文件,打开class3.dex找到码表和密文

从classes3.dex找到密文和码表,base58变表解密
enc ='5TAYhycAPT1aAd535TGdWYQ8CvfoRjErGEreqhDpqv1LydTqd3mxuK2hhUp9Pws3u9mq6eX'
code1 = '9LfnoVpi1HrzBSKxhNFeyY745R2g3QmqsTCZJuDvcMdkE8wPGbUXajtAW6'
#flag{Jue_1_ju3_Y0ung_and_G0at_1s_go0d_for_yOuR_body}

week2

签到题?

在堆数字128运算后XXX后边不详,先动调得到这些数据

可以看到右下角栈里的Arglist的数据,显然是可显示的字符,导出后得到,显示base64

ZmxhZ3thMTBlN2NjYy1iODAyLWUzZWItYzg1OWE3LTMwOTQwZTIyNmR9 

not gcc 

听说.bc是bytecode的码,用clang编译成可执行文件就可以用IDA

clang not_gcc.bc -o not_gcc

程序很简单,是个数独,手搓也容易,网站好办 上sudokufans.org.cn 自备干粮

from pwn import u32
data = open('not_gcc','rb').read()[0x3030:0x3030+81*4]

v = [str(u32(data[i:i+4])) for i in range(0,81*4,4)]
print(''.join(v))

a = '407003208500020900012980004709104800061000470003270006086300040020740630304002000'
t = '497513268538426917612987354759164823261839475843275196986351742125748639374692581'
v = ''.join([t[i] if a[i]=='0' else '0' for i in range(81)])

from hashlib import md5
print('flag{'+md5(v.encode()).hexdigest()+'}')
#flag{afb5d3a138821e30d6e1e6ccce4e5554}

 

pycode

给的python字节码,一点点手搓。看明白了再反一下就行

import base64 

flag = '....'
value = ''
output = ''

#24
for i in range(1000):
    w = 1024
    x = w%3
    y = w//9
    x = x*y
    w -= z     

#94
for i in range(10000):
    w = 20 
    x = w%6 
    y = w//3 
    z = x*y 
    w += z 

#166
for i in range(1000):
    w = 1024
    x = w%3 
    y = w//9 
    x = x*y 
    w -= z 

#238
for i in range(10000):
    w = 20 
    x = w%6 
    y = w//3 
    z = x*y
    w += z 

#310
for i in range(len(flag)):
    temp = flag[i]
    temp = chr(ord(temp)^8)    
    value += temp

for i in range(len(flag)):
    temp = value[i]
    temp = chr(ord(temp)+3)
    output += temp 

obfuscated_output = base64.b64encode(output.decode())
obfuscated_output = obfuscated_output[::-1]
obfuscated_output = obfuscated_output.replace('0','t')
obfuscated_output = obfuscated_output.replace('c','4')
obfuscated_output = obfuscated_output.replace('+','-')
print(obfuscated_output)

#------------------------------------------------------------
from itertools import product 
from base64 import * 

enc = '==AeAF3M-tzO-giQ-AUQosDQ9tGK7MDPuhC47tDNB5Tb8Yn4sdW4'
enc = enc[::-1].replace('-','+')
a = [('0','t') if v=='t' else ('c','4') if v=='4' else (v) for v in enc]


for k in product(*a):
    try:
        #print(''.join(k))
        b = b64decode(''.join(k).encode())
        #print(b)
        c =bytes([(i-3)^8 for i in b])
        print(c)
    except:
        pass 
        
b'flag{1b36920e-c180-b250-6537-30238f5}'

run!润

从关键代码可以看出有左右上下和上下层,是个三维迷宫,先得到数据

数据在这

取出来打印出来看,然后手搓

from pwn import u32 

#每层map 2*32位 8层从上到下
#在memset下断点,动调得到正确的map数据
dat = open('run.dat', 'rb').read()
print(dat.hex())
dat = ''.join([bin(u32(dat[i:i+4]))[2:].zfill(32) for i in range(0, len(dat), 4)])

for i in range(0, len(dat),8):
    if i%64==0: print()
    print(dat[i:i+8])

从后向前走每步编上号,然后从前向后得到串 

j10srqpo
i1111111
hgfe1111
111d1111
111c1111
11111111
11111111
11111111

111t111n
11111111
11111111
11111111
111b1111
11111111
11111111
11111111

111u111m
1111111l
11111ijk
11111111
111a1111
11111111
11111111
11111111

111v1111
111w1111
111x1h11
111y1111
111z1111
11111111
11111111
11111111

11111111
11111111
11111g11
11111111
11111111
11111111
vutsrqpo
11111111

11111111
11111111
abcdef11
z1111111
y1111111
x1111111
w111111n
11111111

11111111
11111111
11111111
11111hij
11111g1k
1111111l
1111111m
11111111

11111111
11111111
11111111
11111111
11111f11
11111e11
11111d11
11111cba

 输入串运行得到flag

C:\2023_ctf\2023_SHCTF\week2_r>run.exe
This is a easy puzzle.
Input your route:
ssdddssuuuwwwwqqqdddduussaauuuaaaaassssqddddddduuwwwaasusssdd
Right!Here are you flag:flag{7a30a122cbf428239147d86fcb3a2a37}

Authur's box

初始化S和K

S加K交换,很符合RC4加密

从汇编里找到对应的k

解密,后部加了异或的RC4


s = [i for i in range(256)]
k = (b'h3rE1Sy0UkEy'*30)[:256]
v3 = 0
for i in range(256):
    v3 = (s[i]+v3+k[i])%256
    s[i],s[v3] = s[v3],s[i]

v6 = 0
v7 = 0
#byte_408A80
ekey = [0]*42
for i in range(42):
    v6 = (v6+1)%256 
    v7 = (v7 + s[v6])%256 
    s[v6],s[v7] = s[v7],s[v6]
    ekey[i] = s[(s[v6]+s[v7])%256]^0x22

str2 = bytes.fromhex('3894E7FE4C620212054AFD714D13EC165437909BD9E9D2EDED5AD4D815596C3DB1DA43CB5A7396F996B7')
from pwn import xor 
print(xor(str2, bytes(ekey)))

week3

java是最棒的语言吗

chacha20加密

public class ChaCha20 {
    public static void main(String[] strArr) {
        Scanner scanner = new Scanner(System.in);
        System.out.println("input your flag:");
        String nextLine = scanner.nextLine();
        if (Arrays.equals(encrypt(nextLine.getBytes(StandardCharsets.UTF_8), "Shctf_Welcomes_Have_4_good_t1me_".getBytes(), "HsehrcOedfgs".getBytes()), hexStringToBytes("ce43283af73d106815fe5293b474f5309d44063c7fde19533300c60603dfe528d19aee2f6db615191e45"))) {
            System.out.println("right!");
        } else {
            System.out.println("error!");
        }
    }

    private static byte[] encrypt(byte[] bArr, byte[] bArr2, byte[] bArr3) {
        int[] chachaInit = chachaInit(bArr2, bArr3);
        byte[] bArr4 = new byte[bArr.length];
        byte[] bArr5 = new byte[64];
        for (int i = 0; i < bArr.length; i += 64) {
            chachaBlock(chachaInit, bArr5);
            for (int i2 = 0; i2 < 64 && i + i2 < bArr.length; i2++) {
                bArr4[i + i2] = (byte) (bArr[i + i2] ^ bArr5[i2]);
            }
            chachaInit[12] = chachaInit[12] + 1;
        }
        return bArr4;
    }

    private static int[] chachaInit(byte[] bArr, byte[] bArr2) {
        int[] iArr = new int[16];
        iArr[0] = 1634760805;
        iArr[1] = 857760878;
        iArr[2] = 2036477234;
        iArr[3] = 1797285236;
        for (int i = 0; i < 8; i++) {
            iArr[4 + i] = bytesToIntLittleEndian(bArr, i * 4);
        }
        iArr[12] = 0;
        iArr[13] = 0;
        iArr[14] = bytesToIntLittleEndian(bArr2, 0);
        iArr[15] = bytesToIntLittleEndian(bArr2, 4);
        return iArr;
    }

    private static void chachaBlock(int[] iArr, byte[] bArr) {
        int[] copyOf = Arrays.copyOf(iArr, 16);
        for (int i = 0; i < 10; i++) {
            chachaDoubleRound(copyOf);
        }
        for (int i2 = 0; i2 < 16; i2++) {
            intToBytesLittleEndian(iArr[i2] + copyOf[i2], bArr, i2 * 4);
        }
    }

    private static void chachaDoubleRound(int[] iArr) {
        quarterRound(iArr, 0, 4, 8, 12);
        quarterRound(iArr, 1, 5, 9, 13);
        quarterRound(iArr, 2, 6, 10, 14);
        quarterRound(iArr, 3, 7, 11, 15);
        quarterRound(iArr, 0, 5, 10, 15);
        quarterRound(iArr, 1, 6, 11, 12);
        quarterRound(iArr, 2, 7, 8, 13);
        quarterRound(iArr, 3, 4, 9, 14);
    }

    private static void quarterRound(int[] iArr, int i, int i2, int i3, int i4) {
        iArr[i] = iArr[i] + iArr[i2];
        iArr[i4] = rotateLeft(iArr[i4] ^ iArr[i], 16);
        iArr[i3] = iArr[i3] + iArr[i4];
        iArr[i2] = rotateLeft(iArr[i2] ^ iArr[i3], 12);
        iArr[i] = iArr[i] + iArr[i2];
        iArr[i4] = rotateLeft(iArr[i4] ^ iArr[i], 8);
        iArr[i3] = iArr[i3] + iArr[i4];
        iArr[i2] = rotateLeft(iArr[i2] ^ iArr[i3], 7);
    }

    private static int rotateLeft(int i, int i2) {
        return (i << i2) | (i >>> (32 - i2));
    }

    private static int bytesToIntLittleEndian(byte[] bArr, int i) {
        return ((bArr[i + 3] & 255) << 24) | ((bArr[i + 2] & 255) << 16) | ((bArr[i + 1] & 255) << 8) | (bArr[i] & 255);
    }

    private static void intToBytesLittleEndian(int i, byte[] bArr, int i2) {
        bArr[i2] = (byte) (i & 255);
        bArr[i2 + 1] = (byte) ((i >>> 8) & 255);
        bArr[i2 + 2] = (byte) ((i >>> 16) & 255);
        bArr[i2 + 3] = (byte) ((i >>> 24) & 255);
    }

    private static byte[] hexStringToBytes(String str) {
        int length = str.length();
        byte[] bArr = new byte[length / 2];
        for (int i = 0; i < length; i += 2) {
            bArr[i / 2] = (byte) ((Character.digit(str.charAt(i), 16) << 4) + Character.digit(str.charAt(i + 1), 16));
        }
        return bArr;
    }

    private static String bytesToHexString(byte[] bArr) {
        StringBuilder sb = new StringBuilder();
        int length = bArr.length;
        for (int i = 0; i < length; i++) {
            sb.append(String.format("%02x", Byte.valueOf(bArr[i])));
        }
        return sb.toString();
    }
}

key和密文会给了。这种解释性的语言似乎没有多少隐私。 

k1 = "Shctf_Welcomes_Have_4_good_t1me_"
k2 = "HsehrcOedfgs"
enc = bytes.fromhex("ce43283af73d106815fe5293b474f5309d44063c7fde19533300c60603dfe528d19aee2f6db615191e45")

def encrypt(m,k1,k2):
    chacha = chachainit(k1,k2)
    a4 = [0]*len(m)
    a5 = [0]*64
    for i in range(0, len(m),64):
        block(chacha, b5)
        for i2 in range(64):
            if i2>=len(m): break 
            a4[i+i2] = m[i+i2]^a5[i2]
        chacha[12] += 1 
    return a4 

def chachainit(k1,k2):
    a = [0]*16
    a[0] = 1634760805
    a[1] = 857760878
    a[2] = 2036477234
    a[3] = 1797285236
    for i in range(8):
        a[i+4] = u32(p32(a[i])[::-1])
    a[14] = u32(k2[:4]);
    a[15] = u32(k2[4:]);
    return a

ststst

带SMC的程序,先按原程序patch再反编译

msg = open('ststst','rb').read()
a = msg[:0x696]+bytes([i^0xc3 for i in msg[0x696:0x763]])+ msg[0x763:]
open('st2','wb').write(a)

打开新生成的文件,发现是个tea加密

 RC4和tea是逆向最爱用的,tea可以随便写左右加key,可以保证每次都不一样

__int64 __fastcall main(int a1, char **a2, char **a3)
{
  int i; // [rsp+4h] [rbp-3Ch]
  _QWORD s1[6]; // [rsp+10h] [rbp-30h] BYREF

  s1[5] = __readfsqword(0x28u);
  puts("plz input u fl4g:");
  __isoc99_scanf("%32s", s1);
  sub_400763();
  for ( i = 0; i <= 3; ++i )
    sub_400696(&s1[i], &unk_601080);
  if ( !memcmp(s1, &unk_6010A0, 0x20uLL) )
    puts("yeh~");
  else
    puts("oh,no");
  return 0LL;
}

__int64 __fastcall sub_400696(unsigned int *a1, _DWORD *a2)
{
  __int64 result; // rax
  unsigned int v3; // [rsp+10h] [rbp-10h]
  unsigned int v4; // [rsp+14h] [rbp-Ch]
  int v5; // [rsp+18h] [rbp-8h]
  unsigned int i; // [rsp+1Ch] [rbp-4h]

  v3 = *a1;
  v4 = a1[1];
  v5 = 0;
  for ( i = 0; i <= 0x1F; ++i )
  {
    v5 -= 1640531527;
    v3 += (v4 + v5) ^ (16 * v4 + *a2) ^ ((v4 >> 5) + a2[1]);
    v4 += (v3 + v5) ^ (16 * v3 + a2[2]) ^ ((v3 >> 5) + a2[3]);
  }
  *a1 = v3;
  result = v4;
  a1[1] = v4;
  return result;
}
from pwn import u32,p32
from ctypes import *
'''
  for ( i = 0; i <= 0x1F; ++i )
  {
    v5 -= 1640531527;
    v3 += (v4 + v5) ^ (16 * v4 + *a2) ^ ((v4 >> 5) + a2[1]);
    v4 += (v3 + v5) ^ (16 * v3 + a2[2]) ^ ((v3 >> 5) + a2[3]);
  }
'''
def decrypt(v,k):
    v0 = c_uint32(v[0])
    v1 = c_uint32(v[1])
    delta = 0x9e3779b9
    sum1 = c_uint32((delta) * 32)
    for i in range(32):       
        v1.value -= (sum1.value + v0.value) ^ (k[2] + (v0.value << 4)) ^ (k[3] + (v0.value >> 5))
        v0.value -= (sum1.value + v1.value) ^ (k[0] + (v1.value << 4)) ^ (k[1] + (v1.value >> 5))
        sum1.value -= delta       
    return p32(v0.value) + p32(v1.value)

key = [0x1234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210]
enc = bytes.fromhex('69258FDBE383CD4080E633A044A6F7FF173A0C6966B821B6A7E2E73492A610AD')
enc = [u32(enc[i:i+4]) for i in range(0,32,4)]

msg = [decrypt(enc[2*i: 2*i+2], key) for i in range(4)]
print(msg)
print(b''.join(msg))
#5ef846656801c9b9714388d2ccd98cdd

easyre

把串异或后再当成python运行,这个值爆破得到23

import base64
import marshal
import sympy as sp
encoded_data = b'#`VVVVVVVVVVVVVVVVVVVVVSVVVVFVVVV_YZVVVVMVU|VNFV@pU|V{xUMVYvVzBSMVDSVFRVMFDSV\\VQMV@\x7fVAxPMFU{V@BPp`]vU%B_MF]eVy]VMFY|UxZUVFUbTPBSMVrSVFRVMV\x7fCVT|]N`^VVVVVVVVVVVVVVVpVVVVPVVVVF`VVV_GFVVVVsVU\'V@FUp`PSVO\'TMV].V$FUMVPSVBFVOC".U_`SqV]/UU|VQ`U/V_`RsV]/V^ZUQpVMVUtVMVR@V_\'SqV]/Vo|VqV]/UU|VVpU/Vy`RGVU/Vy`SGVUoPPFTUVU.U_\'SsVXSV_\'QqVQRVQ&pqFM/UPFSQ`U|VENVqFE/V$`TqVFMVUtVMVR@V_\'SqV]/Vo|VqV]/UU|VVpU/Vy`RGVU/Vy`SGVU/Vy`TqVFMV_`TqVZMVUtVMVR@VU|VqFs/UvVRqVM/U\'RVxFRUV_QfqVACVT|RCb|VVFVV!FVVVVSgVFVVVT|Q%pEdvOY\'%pAnN@"yMsxSuPAb%p{~rOE{NO]nNOyvUzQ`tPAbMT|^%pYeMO{vTOUdN@{bsPA#sYxUB.xUvcxUvAx\\N%{`vPAnsPA#sYxRN%\x7f\x7ftcxUv!|Vtp/VVVS!UzM&u~"`rsx[tzZ\'O%AbN$]"t_FUVVVVto`VVVVVVF`UUV^ZVDVU_V^^VFNTTVRZVEVUPpRNVEVTt\x7fRVVVUmT`VVVPA#N@&`uPAqv%A"tnxVVVSN{U!ez%M\'!&&VP ez!UZmA.\'X"g^\'/NUcvXd.TPRTTD!&UB\\`dT.R}Q{!QQUdr~UguyU&sTU"u$An^PMdN@t!rpA&sPNcXQxSr@Am@p]bu\'#gT_^EVVVVtp|VVVUvU@YxM@Ye%pA`tz{bsYxQv@"`sOCvUzAbN%.|MsxRMzo\x7fM&x]M@"}ty{`sPA|tp/VVVUnS`VVV_^GVVVVt\x7fVVVVSvTSocu%E&uPB<VFVVV_ZFVVVVTUFRVFFTTVRZVpxTTVR\\Vp**'
xor_key = int(input('Plz input key (0<key<100):'))
x = sp.symbols('x')
f = x ** 2 + x + 1
integral_value = sp.integrate(f, (x, 1, xor_key))
check_value = 13024
if integral_value * 3 == check_value:
    xor_decoded_data = bytes((lambda .0: [ byte ^ xor_key for byte in .0 ])(encoded_data))
    decoded_data = base64.b64decode(xor_decoded_data)
    code_obj = marshal.loads(decoded_data)
    exec(code_obj)
else:
    print('Wrong!!')
    return None

转出再反编译 

encoded_data = b'#`VVVVVVVVVVVVVVVVVVVVVSVVVVFVVVV_YZVVVVMVU|VNFV@pU|V{xUMVYvVzBSMVDSVFRVMFDSV\\VQMV@\x7fVAxPMFU{V@BPp`]vU%B_MF]eVy]VMFY|UxZUVFUbTPBSMVrSVFRVMV\x7fCVT|]N`^VVVVVVVVVVVVVVVpVVVVPVVVVF`VVV_GFVVVVsVU\'V@FUp`PSVO\'TMV].V$FUMVPSVBFVOC".U_`SqV]/UU|VQ`U/V_`RsV]/V^ZUQpVMVUtVMVR@V_\'SqV]/Vo|VqV]/UU|VVpU/Vy`RGVU/Vy`SGVUoPPFTUVU.U_\'SsVXSV_\'QqVQRVQ&pqFM/UPFSQ`U|VENVqFE/V$`TqVFMVUtVMVR@V_\'SqV]/Vo|VqV]/UU|VVpU/Vy`RGVU/Vy`SGVU/Vy`TqVFMV_`TqVZMVUtVMVR@VU|VqFs/UvVRqVM/U\'RVxFRUV_QfqVACVT|RCb|VVFVV!FVVVVSgVFVVVT|Q%pEdvOY\'%pAnN@"yMsxSuPAb%p{~rOE{NO]nNOyvUzQ`tPAbMT|^%pYeMO{vTOUdN@{bsPA#sYxUB.xUvcxUvAx\\N%{`vPAnsPA#sYxRN%\x7f\x7ftcxUv!|Vtp/VVVS!UzM&u~"`rsx[tzZ\'O%AbN$]"t_FUVVVVto`VVVVVVF`UUV^ZVDVU_V^^VFNTTVRZVEVUPpRNVEVTt\x7fRVVVUmT`VVVPA#N@&`uPAqv%A"tnxVVVSN{U!ez%M\'!&&VP ez!UZmA.\'X"g^\'/NUcvXd.TPRTTD!&UB\\`dT.R}Q{!QQUdr~UguyU&sTU"u$An^PMdN@t!rpA&sPNcXQxSr@Am@p]bu\'#gT_^EVVVVtp|VVVUvU@YxM@Ye%pA`tz{bsYxQv@"`sOCvUzAbN%.|MsxRMzo\x7fM&x]M@"}ty{`sPA|tp/VVVUnS`VVV_^GVVVVt\x7fVVVVSvTSocu%E&uPB<VFVVV_ZFVVVVTUFRVFFTTVRZVpxTTVR\\Vp**'

from pwn import xor 
import dis
from base64 import b64decode 

msg = xor(bytes([23]), encoded_data)
msg = b64decode(msg)
open('easyre_1.pyc','wb').write(msg)
dis.dis(msg)

 又是个rc4

def rc4_encrypt(key, plaintext):
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i],S[j] = S[j],S[i]
    i = j = 0
    ciphertext = []
    for char in plaintext:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i],S[j] = S[j],S[i]
        k = S[(S[i] + S[j]) % 256]
        ciphertext.append(char ^ k)
    print(bytes(ciphertext))

key = b'example_key'
check = b'\xd8\x94\x1e\xab\x9bft\xeb]@\x1b\xba\xe6\xe8\x133W\xdd\x0e\xe6\x924\xf1\x80mh\xeb=\x08a\x02\t.\xb5\x05B\xb0\xb0/D\x8cY'
rc4_encrypt(key, check)

喵喵喵

分别从汇编得到密文和反编译里得到大概的key

这是AES+base64只是key和iv未知,大概是上边这个串。用go_parser翻过来的程序参数基本看不出来,看汇编这块可以知道key是023_S0_e4sy_m1ao 然后用解密后的明文异或一下flag{得到iv(这个串的前边16字节:SHCTF_2023_S0_e4)

 网站上解密:flag{GO1an6_REAl1Y_eaSy_10R_D3V3lop_aND_quIckIY_RuN_65601185ae5b}

crackme

lua的字节码,与python,java类似,用unluac.jar解包,这个效果非常不错。

print("please input your flag:")
flag = io.read()
code = {}
secret = {
  54,57,566,532,1014,1,7,508,10,12,498,494,6,24,14,20,489,492,0,10,490,498,517,539,21,528,517,530,543,9,13,0,4,51,562,518,526,7,9,12,5,3,513,575,514,6,519,513,556,31,1,594,117,15
}
l = string.len(flag)
-- 序号从1开始
for i = 1, l do
  num = ((string.byte(flag, i) + i) % 333 + 444) % 555 - 1
  table.insert(code, num)
end
for i = 1, l do
  x = i - 1
  if i + 2 >= l then
    code[i] = code[i % l + 1] ~ code[(i + 1) % l + 1]
  else
    code[i] = code[(i + 1) % l] ~ code[(i + 2) % l]
  end
end
for i = 1, l do
  if secret[i] ~= code[i] then
    print("Incorrect")
    return
  end
end
print("You win,flag is", flag)

lua的数组0是基本不用的,这给反编译带来很大麻烦,已经习惯了从0开始,以后如果出中文的会更更更不方便。

enc = [54,57,566,532,1014,1,7,508,10,12,498,494,6,24,14,20,489,492,0,10,490,498,517,539,21,528,517,530,543,9,13,0,4,51,562,518,526,7,9,12,5,3,513,575,514,6,519,513,556,31,1,594,117,15]
flag = [546,553,543,550,16]+[0]*len(enc)
for i in range(2, len(enc)):
    flag[i] = flag[i-1]^enc[i-2]

for i in range(1,len(enc)+1):
    for j in range(0x20,0x7f):
        if ((j+i)%333+444)%555-1 == flag[i-1]:
            print(chr(j), end= '')
            break 
#flag{C000ngr4tulat1ons!Y0u_Cr4cked_m3_991468a8de6a!!!}

石氏是时试
关注
  • 0
    点赞
  • 3
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
C++ reverse介绍及使用
10-09
1、本文详细描述了C++语言reverse函数的使用方法。 2、通过详细示例,让读者更直观地阅读,更清晰的理解。 3、示例代码可直接复制,编译后可直接运行。 4、根据示例以及运行结果,让读者加强记忆及理解。
Scroll Reverse
12-09
MacOS中鼠标滑轮方向与触控板方向不一致,用Scroll Reverse可以加以调节。第一次使用时可设置成开机自动启动。
REVERSE关键字之REVERSE函数
congdingfu1756的博客
09-25 306
昨天说到@dbsnake讲的一个reverse函数索引避免全表扫描的案例,REVERSE关键字可以用于函数和索引。REVERSE函数和REVERSE索引。这次先试试REVERSE函数。REVERSE函数:针对数据库内部存储的对象...
NewStarCTF 公开赛-web
qq_61768489的博客
11-22 1896
cookie 修改admin 源码发现key GET和POST传参即可。
SHCTF 2023 [WEEK 3] PWN
Xzzzz911的博客
11-04 280
最后一周的题直接上强度了,有点受不了T^T,先转载官方的WP吧,后续琢磨透了再来改做的不知所措,云里雾里,还得继续加油!!!
asisctf 2023 web hello wp
Jay17的博客
09-26 416
asisctf 2023 web hello wp
SHCTF2023-校外赛道WP部分
Aluxian_的博客
10-30 1862
SHCTF2023-校外赛道WP部分 由于刚接触CTF没多久 还是属于萌新级别的也没怎么打过比赛记录一下学习的过程大佬绕过即可,后续会继续加油努力。
GDOUCTF2023 Reverse题解
OrientalGlass的博客
04-17 5602
ida分析之后会出现几个新的窗口,最关键的是这个Matched Functions窗口,绿色代表匹配一致,往下翻在最后可以发现。反汇编窗口往下翻可以看到关键函数,这个循环的基本功能应该是对lmao数组的数据进行异或,但并不容易的值用于异或的中间值是什么。然后打开ls-patched.i64文件,选择Edit>Plugins>BinDiff,进来找不到关键函数,查看strings看到类似迷宫的东西,根据字符串可以定位到关键函数。安装时注意路径即可,默认在C盘,可以自己修改,他会自动绑定IDA的路径。
什么是reverse常见的reverse有哪些
05-19
reverse
Reverse printing_Reverse_printing_
09-30
code for Quera challenge : ...
linklist-reverse.rar_linklist reverse
09-24
本程序的功能:创建链表、并逆序显示链表中的各个元素
BUUCTF-NewStarCTF 2023-WEB
m0_74317362的博客
09-25 267
题目中提示了ssti,我们利用ssti的句式让页面显示错误。提示传参number1和number2。要求上传图片,那我们直接上传图片马。改文件后缀为.php。
c语言reverse怎么起作用,reverse的用法
weixin_29021195的博客
05-16 9571
c++ 中reverse函数用法如string ss("hello"); reverse()的参数是什么才能只反转ello,即变成horeverse 函数的作用是 反转元素的顺序。 函数定义如下: template void reverse( BidirectionalIterator _First, BidirectionalIterator _Last ); 参数 _First 指向第一个元素...
2023年四川省网络与信息安全技能大赛初赛 个人赛 Writeup
末初的CSDN博客
10-18 1052
2023年四川省网络与信息安全技能大赛初赛 个人赛 Writeup
java环境部署
JiuMeilove的博客
06-04 406
如果你电脑已经下载了 jdk ,那你可以跳过这一步了我这里下载的是java21 你们可以选择自己需要下载的游览进去的页面是这样子的(相比以前这个页面发生很大变化了),可以看见目前 jdk 已经发行到 17 了,jdk 它又分了三个个操作系统,一个是 Linux、一个是 macOS、以及 windows,如果你是在 windows 操作系统上,那当然就下载 windows 对应的 jdk,其次的话就是还会区分你操作系统的处理器是 32 位的还是 64 位的,可以点击 我的电脑 - 属性 查看。
java中Overload和Override的区别
codedadi的博客
06-04 590
当调用Dog对象的makeSound方法时,将执行Dog类中的方法,而不是Animal类中的方法。定义:在子类中,有一个与父类同名、同参数列表、同返回类型(或协变返回类型)的方法,则称子类中的该方法为父类同名方法的重写。子类方法的访问权限不能低于父类方法的访问权限(如父类方法为public,则子类方法也必须是public)。Override(重写):子类与父类之间,方法名、参数列表和返回类型(或协变返回类型)相同。定义:在同一个类中,方法名相同但参数列表(参数类型、参数数量或参数顺序)不同的多个方法。
JavaScript第九讲:BOM编程
星途码客的博客
06-04 1438
今天星途给大家带来JavaScript倒数第二部分知识:BOM编程,希望对码客们有帮助。
Spring异步任务@Async的默认线程池执行器是如何初始化的
简放视野的专栏
06-03 646
Spring异步任务@Async的默认线程池执行器,是从哪里来?是如何初始化的? 【结论】异步任务@Async的默认线程池执行器是通过TaskExecutionAutoConfiguration#applicationTaskExecutor自动注入的。
Java Map接口 - HashMap类
最新发布
IT深耕十余载,大道之简
06-05 172
当哈希表中的条目数超过容量与负载因子的乘积时,哈希表会重新调整大小(rehash)。是有序的或保证顺序的稳定性)。如果在迭代期间对映射进行了修改(结构修改,如添加或删除元素),则迭代可能会抛出。如果你打算在多线程环境中使用它,你需要额外的同步措施,或者可以考虑使用。不保证映射的顺序,特别是它不保证顺序会随着时间的推移而保持不变。操作(假设哈希函数是均匀的,并且表有足够的容量)。值(value)可以是重复的,并且可以为。提供了多种方法来遍历它的键、值或键值对,如。中,键(key)必须是唯一的,并且不能为。
lambda reverse
03-17
lambda reverse是一个匿名函数,用于反转字符串或列表。它lambda表达式来定义函数,并通过调用该函数来实现反转操作。以下是lambda reverse的示例代码: 1. 反字符串: ```python reverse_str = lambda s: s[::-1] ...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值