NUC_CTF-writeup


Reverse Engineering

jungle

PEiD check: no packer, 32-bit. Opened it in IDA and had a rough look; it's written in C++ and static analysis was too painful, so I went straight to dynamic debugging in OllyDbg.

Length check: the input must be longer than 0x1E.

Format: flag{xx-xxxx-xxxx-xxxx}

The first part is an MD5: the hash string can be found directly and looked up online; presumably the pieces get concatenated. Two base64 strings can also be found; decode and join them. No idea how the second check works, so just brute-force the 4 characters...


upx

The challenge is called upx, so of course it is UPX-packed. Unpack it by hand or with a tool, either works. Nothing hard about this one; the hardest part is probably the unpacking.


Search for the key strings and follow the cross-references.

In the main function, press R to convert the numeric constants to characters; that reveals three strings, which are XORed together to recover the flag.


s1 = '6ljh,!;:+&p%i*a=Sc4#pt*%'
s2 = '1zsw438oOFu5i4nd0f_cH2z1'
s3 = 'azxxcqabRW5qb3llZ2FtZwgi'
flag = ''

# XOR the three recovered strings byte by byte
for i in range(len(s1)):
    flag += chr(ord(s1[i]) ^ ord(s2[i]) ^ ord(s3[i]))

print(flag)

Run the script and that's it.

 RE2

A game, 64-bit ELF. Load it into IDA; the flow is simple.


A long string, which should be the material for decoding, and a function that references the 'flag' string; step into it.


Dynamic debugging. num starts at 0 and is incremented by 1 each time the first option is chosen. Nothing else tricky; there is an anti-debugging check, but it's trivial, just jmp over it. Only 7 inputs are allowed, so that means brute-forcing nine million numbers. Lovely.

Brute-force script:


# Starting bytes of the encoded flag (37 values pulled from the binary)
ENC = [0x21, 0x45, 0x58, 0x4c, 0x83, 0x19, 0x18, 0x23, 0x1c, 0x40, 0x4e, 0x35, 0x26,
       0x5b, 0x3, 0x67, 0x2c, 0x71, 0x32, 0x48, 0x37, 0x3f, 0x30, 0x39, 0x3a, 0x47, 0x3e,
       0x34, 0x21, 0x4f, 0x5d, 0x69, 0x4a, 0x28, 0x27, 0xa, 0x56]

# Every 7-digit candidate: one digit per menu choice
for w in range(1111111, 9999999):
    flag = list(ENC)            # fresh copy for each candidate
    s1 = str(w)
    for j in range(7):
        digit = int(s1[j])
        # the game alternates: even rounds add (i * digit) % 37, odd rounds subtract it
        if j % 2 == 1:
            flag = [c - ((i * digit) % 37) for i, c in enumerate(flag)]
        else:
            flag = [c + ((i * digit) % 37) for i, c in enumerate(flag)]
        # report any state in which every byte is printable ASCII
        if all(33 <= c <= 126 for c in flag):
            print(w, ''.join(chr(c) for c in flag))

crypto

base

Wouldn't have known what to do without the hint. It's the whole base family stacked up; a Python 2 script does it:


import base92, base58, base64

a = '4%_,,I,*xt];Y@(6Hk]jrF.2:gR_Ss&-=S<Eil^TnIW%U+(XJXk_Fr.A4!Y)o\'[AIT%:U3\Z55IUmVJPIP<%&Rb2Pujy+rE)<,SLEg*os4]9lQXa;-w#SWbC5MiY=;Da5KuI&V[S:auU?Ub&4gT$lY6=PRhxBng,<,H-A@^v$:QHTg1;@au)]]B'
b = base92.decode(a)
c = base58.b58decode(b)
d = base64.b64decode(c)
e = base64.b32decode(d)
f = base64.b16decode(e)
print f


easy_rsa

All the information is given in plain sight: compute d from p, q and e, then decrypt the ciphertext.
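The computation behind that sentence, as an added example (not code from the original writeup): the challenge's actual p, q, e and ciphertext were only in the screenshot, so the primes, exponent and message below are constructed so the script runs offline.

```python
# Added example for the easy_rsa step: recover d from p, q, e and decrypt.
# Not the challenge's own numbers (those were only in the screenshot); the
# primes, e and message below are constructed so the script runs offline.
from math import gcd

# Constructed key material: two Mersenne primes and the usual public exponent.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537


def rsa_private_exponent(p: int, q: int, e: int) -> int:
    """d = e^-1 mod phi(n), phi(n) = (p-1)(q-1). Fails loudly if e is not invertible."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e shares a factor with phi(n); no private exponent exists")
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


def rsa_encrypt(n: int, e: int, plaintext: bytes) -> int:
    """Textbook (unpadded) RSA: m^e mod n, with m the big-endian integer of the bytes."""
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def rsa_decrypt(p: int, q: int, e: int, c: int) -> bytes:
    """c^d mod n, then back to bytes (leading NUL bytes of the message are lost here)."""
    n = p * q
    d = rsa_private_exponent(p, q, e)
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Constructed ciphertext: what a challenge would hand you alongside p, q, e.
CT = rsa_encrypt(P * Q, E, b"flag{rsa_is_easy}")

if __name__ == "__main__":
    print("d =", rsa_private_exponent(P, Q, E))
    print(rsa_decrypt(P, Q, E, CT))
```

If a challenge gives only n rather than p and q, the same script applies once n is factored (small or weak moduli usually fall to factordb or a lattice/Fermat attack). The gcd check matters: when e is not coprime with phi(n) there is no d, and the intended solve is something other than a straight inverse.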


simple_crypto

The hint is quip, and there is a decryption site whose domain looks like that name (quipqiup). Frequency analysis, then; give it a try.

So it's obviously cryptoooo.

超級凱撒 (Super Caesar)

Very much a guessing game; even if I had paid attention in class I couldn't have solved it, haha.

ASCII codes: the shift starts at 0x7e and decreases by 2 for each successive character. Hard to put into words, so see the script; it's simple and clear.


s = 'e7f09ae1e994d9dfddd08b88baccc780c4c8bbbf76bdc58a6eb2b6a9adbf7875776f6e6968986a62605f5e605c58835983534b4e7c477642733f6c386b367f'
s1 = []
for i in range(0, len(s), 2):
    a = '0x' + s[i:i+2]          # two hex digits per byte
    s1.append(a)
s2 = ''
d = 0x7e
for i in range(len(s1)):
    c = chr(int(s1[i], 16) - d)  # subtract the current shift
    s2 += c
    d -= 2                       # the shift shrinks by 2 for every byte
print(s2)

it is good! The flag is: flag{6593412d82234864a9e716f3d2e3b0e2}


web

pastejacking

Right-click copy and paste. The JS code seems to interfere with copying or something, I don't really get it; maybe the keyboard shortcut doesn't work. When I audited the JS, pasting with the shortcut also gave the wrong result; did I just fumble the copy?


ez_cmd

A pile of filters; get past the WAF bit by bit. In the end %0a (a newline) breaks the command, then cd ../../../ (forgot which directory it was in), and finally cat ../../../flag.txt!

My web skills are poor; a year of studying web and I'm still this bad...
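Why the %0a trick works, as an added example that is not code from the original writeup: a blocklist of the separators a beginner WAF usually catches, the newline-split payload that walks past it, and an allowlist-plus-argv version that does not fall to it. The filter, the "ping" feature and the payload are hypothetical; the challenge's real filter was never published.

```python
# Added example (not from the writeup): a blocklist command filter of the kind
# ez_cmd used, the %0a split that walks past it, and an allowlist + argv version
# that does not fall to it. The filter, the "ping" feature and the payload are
# all hypothetical; the challenge's real filter was not reproduced in the post.
import ipaddress
import subprocess
from urllib.parse import unquote

# What the hypothetical WAF rejects: the obvious separators and the space.
BLOCKED = [";", "|", "&", "`", "$(", " "]


def naive_filter_accepts(host: str) -> bool:
    """Blocklist check. Newline is not on the list, so %0a sails through."""
    return not any(bad in host for bad in BLOCKED)


def vulnerable_build(host: str) -> str:
    """The command line the vulnerable app concatenates and hands to /bin/sh."""
    return "ping -c 1 -W 1 " + host


def run_shell(cmdline: str) -> str:
    """Execute via /bin/sh exactly like os.system would; stdout is returned."""
    proc = subprocess.run(cmdline, shell=True, capture_output=True, text=True, timeout=15)
    return proc.stdout


def hardened_accepts(host: str) -> bool:
    """Allowlist: the parameter has to parse as an IP address, nothing else."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hardened_argv(host: str) -> list:
    """No shell at all: the argv list for subprocess.run(argv, shell=False)."""
    if not hardened_accepts(host):
        raise ValueError("host rejected")
    return ["ping", "-c", "1", "-W", "1", host]


# Constructed attacker input as it arrives URL-encoded: %0a becomes a newline
# (a command separator for sh) and ${IFS} stands in for the blocked space.
PAYLOAD = unquote("127.0.0.1%0aecho${IFS}injected")

if __name__ == "__main__":
    print("blocklist accepts payload:", naive_filter_accepts(PAYLOAD))
    print(run_shell(vulnerable_build(PAYLOAD)))      # the ping fails or runs; "injected" prints either way
    print("allowlist accepts payload:", hardened_accepts(PAYLOAD))
```

The point is that a blocklist is always one separator short (newline here, but `%0d`, `||`, `$()` or `${IFS}` in other challenges); validating the shape of the parameter and never going through a shell removes the whole class.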


MISC

wireshark

Traffic analysis. In a pile of ICMP packets there are many suspicious TTL values that look like ASCII codes; extracting them gives strong+passwordstrong+password


Thought that was the flag, but it was rejected. Went back through the HTTP traffic and found an archive; dumped the file, and it needs an extraction password, which is the string above.


Extracting it gives an image. So many stages, ugh, misc. Worked through it slowly and in the end it was LSB steganography.
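The TTL-extraction step above done without Wireshark, as an added example (not code from the original writeup): a minimal classic-pcap reader that pulls the TTL byte out of every IPv4/ICMP frame. The capture is constructed in memory here so the script runs offline; the challenge's real pcap is not reproduced.

```python
# Added example (not from the writeup): extracting a TTL covert channel from a
# capture with plain struct parsing, no Wireshark needed. The pcap is constructed
# in memory here so the script runs offline; the real capture is not reproduced.
import struct

ETHERTYPE_IPV4 = b"\x08\x00"
PROTO_ICMP = 1
PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"   # 0xA1B2C3D4 written little-endian
PCAP_MAGIC_BE = b"\xa1\xb2\xc3\xd4"


def build_icmp_frame(ttl: int, seq: int) -> bytes:
    """Ethernet + minimal IPv4 header + ICMP echo request carrying the given TTL."""
    eth = b"\x00" * 12 + ETHERTYPE_IPV4
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, seq)      # type 8; checksum left 0 (demo only)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0,
                     ttl, PROTO_ICMP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + icmp


def build_pcap(frames) -> bytes:
    """Classic libpcap file: 24-byte global header, then 16-byte record header + frame."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    records = [struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return header + b"".join(records)


def iter_frames(pcap: bytes):
    """Yield each captured frame; handles both byte orders of the classic format."""
    if pcap[:4] == PCAP_MAGIC_LE:
        endian = "<"
    elif pcap[:4] == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def icmp_ttls(pcap: bytes) -> list:
    """TTL byte of every IPv4/ICMP frame, in capture order."""
    ttls = []
    for frame in iter_frames(pcap):
        if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
            continue                       # not IPv4 over Ethernet
        if frame[14] >> 4 != 4:
            continue
        ttl, proto = frame[22], frame[23]  # IPv4 header starts at offset 14; TTL is byte 8 of it
        if proto == PROTO_ICMP:
            ttls.append(ttl)
    return ttls


def ttl_message(pcap: bytes) -> str:
    """Ordinary TTLs are 64, 128 or 255; a run of values in the printable range is the channel.
    Caveat: 64 is '@', so a genuine ping can leak a stray '@' into the output."""
    return "".join(chr(t) for t in icmp_ttls(pcap) if 32 <= t <= 126)


def constructed_capture() -> bytes:
    """Constructed sample: ordinary pings (TTL 128/255) interleaved with the channel."""
    frames = []
    for i, ch in enumerate("strong+password"):
        frames.append(build_icmp_frame(128 if i % 2 else 255, 2 * i))   # noise
        frames.append(build_icmp_frame(ord(ch), 2 * i + 1))             # one message byte
    return build_pcap(frames)


SAMPLE_PCAP = constructed_capture()

if __name__ == "__main__":
    print(icmp_ttls(SAMPLE_PCAP))
    print(ttl_message(SAMPLE_PCAP))
```

On a real capture, read the file bytes and pass them to ttl_message; if the message comes out doubled as in the writeup (strong+passwordstrong+password), the sender simply looped. Wireshark's equivalent is the filter `icmp && ip.ttl < 127` followed by exporting the ip.ttl column.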


找吧 (Find it)

Lots of {} ; guessed frequency analysis and threw a ready-made script at it.


# -*- coding:utf-8 -*-
import operator

text = '''
flM{Sg_i_igl1S_ll__SfM_FF_1ilfM{Sa11gagc1lSSMgfnafg_fMa1n5iaF_c1lSFiSaf_1f{S_l_FalS5_faSl_fgl5M1_{ll!{i5c}if1__fg5{__M{ngU{1l1gff1f1iS__Mf5iFMlciSgaU{glgUF5M_1aa_f_i5{nflllla1S1FS!cSg{fUfFcS1{{ag1lU51acfUSffMcMSgfSfalFg_g_gfgfiSfla1i{{{n{_lg_}{ggi{gglg{{flnliF{M5faF1ig_agal{_{{aMMilfUSa{a5ggiiigfSSg{M_Mng{a}fcMf1_Fl{cM{1fiflMSSM{_l!Scf5FFcn{g{SFnMlf{l__aScMl{{c_lS1Sic1!l5ga1_gfggllcllccaagMU1iala55FSfia5lScMMFiMaFff{{g{fcicM!l_{iffcg{UlcMa{{5f5Mc{McfagcM_Ma1Slcf{cSg_SflM5U11_5i_fcc{FagglaMUfS1g_{lSc5f_lag5Sg_ccclca___ala1g1aSMfa_fcaFnSSi{a1a{gUif_FgaS{lacSgfga{F1fgScf1_M__{1ag_5MMSiga11g_aMl5fM15a_gla5f1_UllgcSc{Sagac{accS_i{Mf{Sgccg_ici{fgcl_gaMlffS{{i{nnfaM}aallSSg1ilUif{Mi1SMiMl1aaMUl{alaglM!1lgngScMac1fa1acafS1fgfM__S11_SM{f}la_cM_g{fniifgc1M{_lM!M5}g5_l1USg{cgl{SaccigSU1fMgl5lcaiggMFfcaca1l{Ugf_lalg1_g!{iaala_M5l1Mc11afcgfgl5f1g_c{llaUMf1lM1aF{af1Sl5lf5l1l5a_cc_c_1ff}f_ff}MlU{afM_1fcla{{gM{_Sl_M_{gM_{g5gaMaFU{{!S1ala1lfl1lifl_Mlf5F{l_g{li__aM_gfSU{lM_agM{giff{ii_{ff_naaaif1gf_ag__lnFacgiSlSac_Ma5M{fg{{fac{gllfaa{Mi5MnMff{{gc!fn_iU{ll5i_Saa5M{Mi}{g{Ffl{Ffac!a{afffgl!_gMalF_c{lac_MFMg5acMFcla5cMlU5aSff{l_UFf_Ug1!g1F_c{{aMMg{SlgUa1ca1ff5_c1g5{fligg11_lla_fcf1{Mla1MnglM{5lSl1g__Sll_cUc5MSa{_fiMiiS1c{M1g_SSUifi1!Saa{_glS1aaal{llF1cFgig_Sf{acf{Uf1c1fa!gfFM_aS51lgaMa1aa_gfif_ia{M_a_M1fMSaSSfMSl{1gFcl151l_lFfMilffgf1gSSgcaf_SfMgaf{}ilaUMM_MU5ff551i5SnFgc15nSMa1M{{_fSlMg{{5fcS1g5fSgMMUi{_ig5falf1nfgFaUMlff!g__la_F_c1{i1!{lc{i{1iglM_fUgl___a5fnMaFf{_lfll_igf1lcalniMag_5nFS1MMaiM1ll5SlMiaf_5l{af__MMgac_Mf__fUa1fc{1{_55SF!llfgU1l1U_Mal_l{alglSglcnlfSfaacgSSgSc_Maa{ffg51MaSfca1U_{gfS1ff5l{{f1Ml_gSgc_n5iS1Sg_l__1nnM1lM15MillfaMff1!nl1fFSM5Fflf{acagl{Sf{ggfSi1f!FSagf{{lFf5la5{ff__lM{M_fUlSgi

'''

# every character that may appear in the blob; the count dict is seeded with them
payloads = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!0}{123456789_\n'
dists = {}
for x in payloads:
    dists[x] = 0
for s in text:
    dists[s] += 1

# characters ordered from most to least frequent spell the flag
ans = ''
res = sorted(dists.items(), key=operator.itemgetter(1), reverse=True)
for r in res:
    ans += r[0]
    print(r)
print(ans)


That's what it printed. Hmm, not quite right, but you can read it by eye; probably an issue in the script. Fixed it up by hand from experience; it should be misc_is_fun


文體兩開花

The hints are \u and "Chinese". So try Unicode first: split the string into groups of four hex digits,

s = '5e1d4f9d5927662f545076e785a94f84681759629053602f80fd573063d0602f6240654553574f848f3869c35922545066f066f04e09670b8c468af380367f3d91af601b8af35e1d8f384f845492602f963f601b68b566f076a44ea67f3d53c368b5537354c66f2b596290535937624068b56f2b5450522951a57a76602f6ec5771f54504e16545096407f3d67095c3c54c6803676e781f34f5b602f5a4676a4608967094f8459227f8569c350e77adf96c68af3795e59625927545059ea6d85540968b5745f7b49601b5373963f5a468b395a46720d96408c467adf608954c685dd5ea6602f5f9768177f3d300254c64e0954c68ae6820d9060803654c65937822c820d57304f9d77e551a59060601676a46c9968b59ebc76a47adf4e16602f5fc383e9964054c676e75bc65beb59624ee54ff1985b54c6591c602f822c77e5602f6ce24ff17919964096e296e24e00602f592283e9602f771f5b558af38a368af38af882e6602f59ea4f8484996089660e8dcb9ebc5f4c66f0545085dd84994ff15fc37f3d80366ce24ea676a467095962985b8af382e554c6720d4ff15beb596260895962662f4f8476e154c685dd76a47b4982e5545090606bbf7f70771f905369c35450795e68b56c995beb5357771f596290fd6578745f54c64ea67f3d9ebc68b55a4685d08b394ff180057f3d6b7b9060820d5e1d802868b5535796e2559d76e74ed6573050e768b5559d68b54e1653574f3d4ed659624e165bc6602f860753737f704e00670b54c68b39'
f = ''
for i in range(0, len(s), 4):
    f += "\\u" + s[i:i + 4]          # four hex digits per code point -> \uXXXX
print(f)                             # the escaped form, ready for any unicode decoder
# turn the \uXXXX escapes into the actual characters
print(f.encode('ascii').decode('unicode_escape'))


Then decode:

"Chinese"... so it's 與佛論禪 (the "Talk with Buddha" cipher); give it a try...

黑白 (Black and White)

A GIF animation with only black and white frames, so it must be binary 0/1 to ASCII. Split the frames with a Python script, then sample one pixel per frame and convert it to 0 or 1.


from PIL import Image
from PIL import ImageSequence

bits = ''
img = Image.open('./hei.gif')
for frame in ImageSequence.Iterator(img):
    f = frame.copy().convert("RGB")
    r1, g1, b1 = f.getpixel((111, 52))       # sample the same pixel in every frame
    bits += '0' if (r1, g1, b1) == (0, 0, 0) else '1'   # black -> 0, white -> 1

print(bits)
# group the bit string into bytes and decode as ASCII
print(''.join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits) - 7, 8)))


人生 (Life)

Low points, a single PNG, shouldn't be hard; start with the simplest thing: try changing the height.


洋蔥 (Onion)

Onion: peel it one layer at a time, oh...

Carve with foremost; it yields a file called 4 of unknown type. Later a hint came out: pkt. Searched how to open .pkt files, downloaded Cisco's Packet Tracer, opened it and copied the flag straight out.


