碼上快樂

相關內容    簡體    繁體

2020 網鼎杯 Re WP

本文轉載自   查看原文   2020-05-11 01:15   2430    Reverse--CTF比賽WP/ Reverse(逆向與反匯編)

測試文件:https://lanzous.com/b07rlon9c

 

 

-----------青龍組-----------

Misc

簽到

回答完問題,輸入token之后,在控制台可見。

 

flag{32c7c08cc310048a8605c5e2caba3e99}

 

crypto

boom

首先MD5解密
46e5efe6165a5afb361217446a2dbd01得到 en5oy 
接着解方程組:x=74,y=68,z=31 
解一元二次方程:x=89127561  
#include <iostream>

using namespace std;

int main()
{
    long long a = 0;
    long long b = a * (a + 1);
    while (1) {
        if (b == 7943722218936282)
            break;
        a++;
        b = a * (a + 1);
    }
    cout << a << endl;
    system("PAUSE");
    return 0;
}

 

flag{en5oy_746831_89127561}

 

Reverse

bang

梆梆加密免費版,這道主要是使用FART脫殼classes.dex得到

public void onClick(View paramAnonymousView)
      {
        String str = localEditText.getText().toString();
        paramAnonymousView = paramBundle.getText().toString();
        if (str.equals(paramAnonymousView))
        {
          MainActivity.showmsg("user is equal passwd");
        }
        else if ((str.equals("admin") & paramAnonymousView.equals("pass71487")))
        {
          MainActivity.showmsg("success");
          MainActivity.showmsg("flag is flag{borring_things}");
        }
        else
        {
          MainActivity.showmsg("wrong");
        }
      }

 

flag{borring_things}

 

joker

首先去除代碼中的混淆和調整棧平衡之后。

wrong函數,對flag的奇,偶下標分別進行異或下標,減去下標操作。

omg函數,變換后的flag與unk_4030C0比較。

model = [0x66, 0x6B, 0x63, 0x64, 0x7F, 0x61, 0x67, 0x64, 0x3B, 0x56, 0x6B, 0x61, 0x7B, 0x26, 0x3B, 0x50, 0x63, 0x5F,
         0x4D, 0x5A, 0x71, 0x0C, 0x37, 0x66]

flag = ""

for i in range(len(model)):
    if(i % 2 == 0):
        flag += chr(model[i]^i)
    else:
        flag += chr(model[i] + i)
print (flag)

反解得,flag{fak3_alw35_sp_me!!}

使用dbg調試到

這里將flag{fak3_alw35_sp_me!!}與hahahaha_do_you_find_me?前19字符異或得到

[0x0E,0x0D,0x09,0x06,0x13,0x05,0x58,0x56,0x3E,0x06,0x0C,0x3C,0x1F,0x57,0x14,0x6B,0x57,0x59,0x0D,0x00]

反解得到

m = "hahahaha_do_you_find_me?"
n = [0x0E,0x0D,0x09,0x06,0x13,0x05,0x58,0x56,0x3E,0x06,0x0C,0x3C,0x1F,0x57,0x14,0x6B,0x57,0x59,0x0D]

for i in range(len(n)):
    print (chr(ord(m[i])^n[i]),end="")

flag{d07abccf8a410c,還缺少5個字符,最后一位為'}'

在finally函數中,利用了這五位數值

可知,0x3a必然為‘}’,猜測之間的關系為異或(71),得到完整flag。

flag{d07abccf8a410cb37a}

這道題你沒辦法爆破最后幾位,因為這段flag你帶入之后過不了checkflag,最后猜測為異或有點腦洞。

 

signal 

VM的題目

首先傳入長度114的數組,作為switch操作對象

a=[0x0A,0x04,0x10,0x08,0x03,0x05,0x01,0x04,0x20,0x08,0x05,0x03,0x01,0x03,0x02,0x08,0x0B,0x01,0x0C,0x08,0x04,0x04,0x01,0x05,0x03,0x08,0x03,0x21,0x01,0x0B,0x08,0x0B,0x01,0x04,0x09,0x08,0x03,0x20,0x01,0x02,0x51,0x08,0x04,0x24,0x01,0x0C,0x08,0x0B,0x01,0x05,0x02,0x08,0x02,0x25,0x01,0x02,0x36,0x08,0x04,0x41,0x01,0x02,0x20,0x08,0x05,0x01,0x01,0x05,0x03,0x08,0x02,0x25,0x01,0x04,0x09,0x08,0x03,0x20,0x01,0x02,0x41,0x08,0x0C,0x01,0x07,0x22,0x07,0x3F,0x07,0x34,0x07,0x32,0x07,0x72,0x07,0x33,0x7,0x18,0x7,0xffffffa7,0x7,0x31,0x7,0xffffff,0x7,0x28,0x7,0xffffff84,0x7,0xffffffc1,0x7,0x1e,0x7,0x7a]

動態調試發現在case7中, v4[v8]為定值,記錄下eax的值(修改je為jmp)

 

v4 = [0x22,0x3F,0x34,0x32,0x72,0x33,0x18,0xFA7,0x31,0xF1,0x28,0xF84,0xC1,0x1E,0x7A]

a表實際上就是執行switch的選項目錄,v3數組就是我們的flag,每次執行case1即為v4賦值一次(v4已知),所以每次到1,就是一段處理,比如4,16,8,3,5,1。手動處理,我們能夠寫出獲取flag的腳本

# -*- coding:utf-8 -*-

flag = [0]*15

flag[0] = (0x22+5)^0x10
flag[1] = (0x3f//3)^0x20
flag[2] = 0x34+1+2
flag[3] = (0x32^4)-1
flag[4] = (0x72+0x21)//3
flag[5] = 0x33 + 2
flag[6] = (0x18+0x20)^0x9
flag[7] = (0xa7^0x24)-0x51
flag[8] = 0x31+1-1
flag[9] = (0xf1-0x25)//2
flag[10] = (0x28^0x41)-0x36
flag[11] = 0x84-0x20
flag[12] = (0xc1-0x25)//3
flag[13] = (0x1e+0x20)^0x9
flag[14] = 0x7a-0x1-0x41

print ('flag{'+''.join([chr(x) for x in flag])+'}')

 

flag{757515121f3d478}

 

 

測試文件:https://lanzous.com/b07rlonfi

 

-----------白虎組------------

剛把第一道題做了家里就停了一天的電。

 

Mics

hidden

改為ZIP文件,zip2john 破解出密碼為1235

得到二維碼的一半

使用tweakpng修改圖片高度

得到flag

flag{04255185-de22-4ac6-a1ae-da4f187ddb8c}

 

Reverse

惡龍

實際這里的coin都是用來兌換eff的,改eff大於5000000就行,F9運行一直選2就能得到flag。

 

flag{0259-6430-726f077b-5959-bf477a78c83b}

 

Py

實際這里考得就是如何從elf文件中提取出pyc文件。(這個elf文件是由Python打包的)

參考鏈接:https://www.zhihuifly.com/t/topic/1073

值得注意的是,你的輸出文件必須是src.pyc,不能使用其他命名。

 

將src.pyc與struct.pyc對比,在src.pyc頭部添加

EE 0C 0D 0A 70 79 69 30  10 01 00 00 

得到的pyc文件,轉換為py文件,得到

# -*- coding:utf-8 -*-

import rsa
import base64

key1 = rsa.PrivateKey.load_pkcs1(base64.b64decode(
    'LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcVFJQkFBS0NBUUVBcVJUZ0xQU3BuT0ZDQnJvNHR1K1FBWXFhTjI2Uk42TzY1bjBjUURGRy9vQ1NJSU00ClNBeEVWaytiZHpSN2FucVNtZ1l5MEhRWGhDZTM2U2VGZTF0ejlrd0taL3UzRUpvYzVBSzR1NXZ4UW5QOWY1cTYKYVFsbVAvVjJJTXB5NFFRNlBjbUVoNEtkNm81ZWRJUlB2SHd6V0dWS09OQ3BpL0taQ082V0tWYkpXcWh3WGpEQgpsSDFNVURzZ1gyVUM4b3Bodnk5dXIyek9kTlBocElJZHdIc1o5b0ZaWWtaMUx5Q0lRRXRZRmlKam1GUzJFQ1RVCkNvcU9acnQxaU5jNXVhZnFvZlB4eHlPb2wwYVVoVGhiaHE4cEpXL3FPSFdYd0xJbXdtNk96YXFVeks4NEYyY3UKYWRiRE5zeVNvaElHaHYzd0lBVThNSlFnOEthd1Z3ZHBzRWhlSXdJREFRQUJBb0lCQURBazdwUStjbEZtWHF1Vgp1UEoyRWxZdUJpMkVnVHNMbHZ0c1ltL3cyQnM5dHQ0bEh4QjgxYlNSNUYyMEJ2UlJ4STZ3OXlVZCtWZzdDd1lMCnA5bHhOL3JJdWluVHBkUEhYalNhaGNsOTVOdWNOWEZ4T0dVU05SZy9KNHk4dUt0VHpkV3NITjJORnJRa0o4Y2IKcWF5czNOM3RzWTJ0OUtrUndjbUJGUHNJalNNQzB5UkpQVEE4cmNqOFkranV3SHZjbUJPNHVFWXZXeXh0VHR2UQova0RQelBqdTBuakhkR055RytkSDdkeHVEV2Jxb3VZQnRMdzllZGxXdmIydTJ5YnZzTXl0NWZTOWF1a01NUjNoCnBhaDRMcU1LbC9ETTU3cE44Vms0ZTU3WE1zZUJLWm1hcEptcVNnSGdjajRPNWE2R1RvelN1TEVoTmVGY0l2Tm8KWFczTEFHRUNnWWtBc0J0WDNVcFQ3aUcveE5BZDdSWER2MENOY1k1QnNZOGY4NHQ3dGx0U2pjSWdBKy9nUjFMZQpzb2gxY1RRd1RadUYyRTJXL1hHU3orQmJDTVVySHNGWmh1bXV6aTBkbElNV3ZhU0dvSlV1OGpNODBlUjRiVTRyCmdYQnlLZVZqelkzNVlLejQ5TEVBcFRQcTZRYTVQbzhRYkF6czhuVjZtNXhOQkNPc0pQQ29zMGtCclFQaGo5M0cKOFFKNUFQWEpva0UrMmY3NXZlazZNMDdsaGlEUXR6LzRPYWRaZ1MvUVF0eWRLUmg2V3VEeGp3MytXeXc5ZjNUcAp5OXc0RmtLRzhqNVRpd1RzRmdzem94TGo5TmpSUWpqb3cyVFJGLzk3b2NxMGNwY1orMUtsZTI1cEJ3bk9yRDJBCkVpMUVkMGVEV3dJR2gzaFhGRmlRSzhTOG5remZkNGFMa1ZxK1V3S0JpRXRMSllIamFZY0N2dTd5M0JpbG1ZK0gKbGZIYkZKTkowaXRhazRZZi9XZkdlOUd6R1h6bEhYblBoZ2JrZlZKeEVBU3ZCOE5NYjZ5WkM5THdHY09JZnpLRApiczJQMUhuT29rWnF0WFNxMCt1UnBJdEkxNFJFUzYySDJnZTNuN2dlMzJSS0VCYnVKb3g3YWhBL1k2d3ZscUhiCjFPTEUvNnJRWk0xRVF6RjRBMmpENmdlREJVbHhWTUVDZVFDQjcyUmRoYktNL3M0TSsvMmYyZXI4Y2hwT01SV1oKaU5Hb3l6cHRrby9sSnRuZ1RSTkpYSXdxYVNCMldCcXpndHNSdEhGZnpaNlNyWlJCdTd5Y0FmS3dwSCtUd2tsNQpoS2hoSWFTNG1vaHhwUVNkL21td1JzbTN2NUNDdXEvaFNtNmNXYTdFOVZxc25heGQzV21tQ2VqTnp0MUxQWUZNCkxZMENnWWdKUHhpVTVraGs5cHB6TVAwdWU0clA0Z2YvTENldEdmQjlXMkIyQU03eW9VM2VsMWlCSEJqOEZ3UFQKQUhKUWtCeTNYZEh3SUpGTUV1RUZSSFFzcUFkSTlYVDBzL2V0QTg1Y3grQjhjUmt3bnFHakFseW1PdmJNOVNrMgptMnRwRi8rYm56ZVhNdFA3c0ZoR3NHOXJ5SEZ6UFNLY3NDSDhXWWx0Y1pTSlNDZHRTK21qblAwelArSjMKLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K'))
key2 = rsa.PublicKey.load_pkcs1(base64.b64decode(
    'LS0tLS1CRUdJTiBSU0EgUFVCTElDIEtFWS0tLS0tCk1JSUJDZ0tDQVFFQXFSVGdMUFNwbk9GQ0JybzR0dStRQVlxYU4yNlJONk82NW4wY1FERkcvb0NTSUlNNFNBeEUKVmsrYmR6UjdhbnFTbWdZeTBIUVhoQ2UzNlNlRmUxdHo5a3dLWi91M0VKb2M1QUs0dTV2eFFuUDlmNXE2YVFsbQpQL1YySU1weTRRUTZQY21FaDRLZDZvNWVkSVJQdkh3eldHVktPTkNwaS9LWkNPNldLVmJKV3Fod1hqREJsSDFNClVEc2dYMlVDOG9waHZ5OXVyMnpPZE5QaHBJSWR3SHNaOW9GWllrWjFMeUNJUUV0WUZpSmptRlMyRUNUVUNvcU8KWnJ0MWlOYzV1YWZxb2ZQeHh5T29sMGFVaFRoYmhxOHBKVy9xT0hXWHdMSW13bTZPemFxVXpLODRGMmN1YWRiRApOc3lTb2hJR2h2M3dJQVU4TUpRZzhLYXdWd2Rwc0VoZUl3SURBUUFCCi0tLS0tRU5EIFJTQSBQVUJMSUMgS0VZLS0tLS0K'))


def encrypt1(message):
    crypto_text = rsa.encrypt(message.encode(), key2)
    return crypto_text


def decrypt1(message):
    message_str = rsa.decrypt(message, key1).decode()
    return message_str


def encrypt2(tips, key):
    ltips = len(tips)
    lkey = len(key)
    secret = []
    num = 0
    for each in tips:
        if num >= lkey:
            num = num % lkey
        secret.append(chr(ord(each) ^ ord(key[num])))
        num += 1

    return base64.b64encode(''.join(secret).encode()).decode()


def decrypt2(secret, key):
    tips = base64.b64decode(secret.encode()).decode()
    ltips = len(tips)
    lkey = len(key)
    secret = []
    num = 0
    for each in tips:
        if num >= lkey:
            num = num % lkey
        secret.append(chr(ord(each) ^ ord(key[num])))
        num += 1

    return ''.join(secret)


flag = 'IAMrG1EOPkM5NRI1cChQDxEcGDZMURptPzgHJHUiN0ASDgUYUB4LGQMUGAtLCQcJJywcFmddNno/PBtQbiMWNxsGLiFuLwpiFlkyP084Ng0lKj8GUBMXcwEXPTJrRDMdNwMiHVkCBFklHgIAWQwgCz8YQhp6E1xUHgUELxMtSh0xXzxBEisbUyYGOx1DBBZWPg1CXFkvJEcxO0ADeBwzChIOQkdwXQRpQCJHCQsaFE4CIjMDcwswTBw4BS9mLVMLLDs8HVgeQkscGBEBFSpQFQQgPTVRAUpvHyAiV1oPE0kyADpDbF8AbyErBjNkPh9PHiY7O1ZaGBADMB0PEVwdCxI+MCcXARZiPhwfH1IfKitGOF42FV8FTxwqPzBPAVUUOAEKAHEEP2QZGjQVV1oIS0QBJgBDLx1jEAsWKGk5Nw03MVgmWSE4Qy5LEghoHDY+OQ9dXE44Th0='
key = 'this is key'

try:
    print(decrypt2('AAAAAAAAAAAfFwwRSAIWWQ==', key))
    result = input('please input key: ')
    if result == decrypt2('AAAAAAAAAAAfFwwRSAIWWQ==', key):
        print(decrypt1(base64.b64decode(decrypt2(flag, result))))
    elif result == key:
        print('flag{0e26d898-b454-43de-9c87-eb3d122186bc}')
    else:
        print('key is error.')
except Exception:
    None
    e = None
    None

    try:
        pass
    finally:
        e = None
        del e

 

flag{5236cb7d-f4a7-4080-9bde-8b9e061609ad}

 

-----------朱雀組------------

Mics

九宮格

首先對二維碼批量掃描,得到01的列表

a = [0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 1]

8個為一組,轉換為ASCII碼

# -*- coding:utf-8 -*-

a = [0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 1]

s = "0b"

num = []

for i in range(len(a)):
    if i % 8 != 0 or i == 0:
        s += str(a[i])
        continue
    num.append(chr(int(s,2)))
    s = "0b"
print (''.join(num))

得到

U2FsdGVkX19jThxWqKmYTZP1X4AfuFJ/7FlqIF1KHQTR5S63zOkyoX36nZlaOq4X4klwRwqa

這是rabbit加密,通過hint提示九宮格,兩條對角線(852456)從小到大排序。

 

 

 得到key=245568

 

flag{2c4fdc156fe74836954a05058c5d0382}

 

key

使用JohnTheRippe對壓縮文件解密

得到密碼為123

 

將鑰.png通過tweakpng修改圖片height=width

匙.jpg實際為一個壓縮文件,改后綴為zip,這里的密碼猜測與上面的圖片有關,實際為差分曼切斯特編碼。腳本引用自:點擊進入

# -*- coding:utf-8 -*-

enc = "295965569a596696995a9aa969996a6a9a669965656969996959669566a5655699669aa5656966a566a56656"
s = ""
for c in enc:
    s += "{:04b}".format(int(c,16))

s = s[2:]
r = ""
for i in range(len(s)//2):
    a = s[i*2]
    if a == s[i*2-1]:
        r += '1'
    else:
        r += '0'

print (hex(int(r,2)))

0x13616b7572615f4c6f76655f53747261776265727279

轉換為ASCII碼

第一位轉換失敗了,拿到網上搜了下,應該為Sakura_Love_Strawberry

解壓,得到flag

flag{061056cc-980c-4214-b163-230e5cd5c78e}

 

crypto

放射

根據仿射密碼的原理就能解出,key1,key2實際就是E(x) = (ax + b) (mod m)中的a,b。m還未確定。解密方法為:D(x) = a-1(x - b) (mod m),m直接爆破就行。

# -*- coding:utf-8 -*-
import gmpy2

key1 = 123456
key2 = 321564

enc = "kgws{m8u8cm65-ue9k-44k5-8361-we225m76eeww}"
flag = ""
for m in range(1,27):
    for val in enc:
        try:
            if val.islower():
                flag += chr((gmpy2.invert(key1, m)*(ord(val) - ord('a') - key2)) % m + ord('a'))
            else:
                flag += val
        except Exception:
            flag = ""
            break
    if flag != "":
        print (flag)

bcde{d8b8dd65-ba9b-44b5-8361-da225d76aadd}


dcgf{a8c8ba65-cf9d-44d5-8361-gf225a76ffgg}


djhc{a8k8ea65-kb9d-44d5-8361-hb225a76bbhh}


flag{c8d8ec65-db9f-44f5-8361-ab225c76bbaa}


jhpn{k8o8fk65-og9j-44j5-8361-pg225k76ggpp}


gnel{m8r8bm65-rh9g-44g5-8361-eh225m76hhee}


tigs{n8m8un65-mo9t-44t5-8361-go225n76oogg}


qhsj{i8b8xi65-bp9q-44q5-8361-sp225i76ppss}

得到flag為

flag{c8d8ec65-db9f-44f5-8361-ab225c76bbaa}

 

Reverse

go

關於go語言的逆向題,打開之后,如果不能反編譯,在Options->Compiler中將sizeof(int)改為4。

通過string Windows找到主要函數,

這里有個關鍵函數main_encode

這個函數實際就是一個變表的Base64加密,變表為

XYZFGHI2+/Jhi345jklmEnopuvwqrABCDKL6789abMNWcdefgstOPQRSTUVxyz01

最后再與nRKKAHzMrQzaqQzKpPHClX比較

# -*- coding:utf-8 -*-
import base64

model = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
Str = "XYZFGHI2+/Jhi345jklmEnopuvwqrABCDKL6789abMNWcdefgstOPQRSTUVxyz01"
enc = "nRKKAHzMrQzaqQzKpPHClX"
s = ""

for val in enc:
    s += model[Str.find(val)]
print (s)
for i in range(10):
    try:
        print (base64.b64decode(s+'='*i))
        break
    except Exception:
        pass

得到輸入為What_is_go_a_A_H

 

flag{e252890b-4f4d-4b85-88df-671dab1d78f3}

 


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 2020網鼎杯白虎組re 惡龍 wp 2020 網鼎杯wp 2020網鼎杯第一場青龍組re部分wp [網鼎杯2020朱雀組]Web部分wp 2020 第二屆網鼎杯 boom wp 網鼎杯2020 偽虛擬機wp 2020網鼎杯——個人總結 網鼎杯2020 AreUSerialz wp | 2020縱橫杯 | RE 網鼎杯第三場wp
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM