[SWPUCTF 2021 新生赛]简单的逻辑
nss上附件都不对
没看明白怎么玩的
dnSpy 分析有三个 AchievePoint：
game.Player.Bet -= 22m;
for (int i = 0; i < Program.memory.Length; i++)
{
byte[] array = Program.memory;
int num = i;
array[num] ^= 34;
}
Environment.SetEnvironmentVariable(“AchivePoint1”, game.Player.Balance.ToString());
}
还有
DES 加密好像,不对是AES
感觉这就是加密,但密文呢
这个dll的不对
忘记最前面的了
是对一个文件读取后的操作,上厨子
from z3 import *

# Recover the initial state of three shift registers (x, y, z) from 40 known
# keystream bytes.  The register update rules below are transcribed from the
# target's output routine; z3 solves for the seed values.
x = BitVec('x', 64)
y = BitVec('y', 64)
z = BitVec('z', 64)
s = Solver()
# 40 observed keystream bytes; at 8 bits each that is 320 register steps.
keystream = [101, 5, 80, 213, 163, 26, 59, 38, 19, 6,
             173, 189, 198, 166, 140, 183, 42, 247, 223, 24,
             106, 20, 145, 37, 24, 7, 22, 191, 110, 179,
             227, 5, 62, 9, 13, 17, 65, 22, 37, 5]
# One symbolic accumulator per keystream byte; output bits are shifted in below.
arr = [BitVec("arr[%d]" % i, 64) for i in range(len(keystream))]
num = -1
for i in range(320):
    # Clock each register: the feedback bit becomes bit 0, the rest shifts up.
    x = (((x >> 29 ^ x >> 28 ^ x >> 25 ^ x >> 23) & 1) | x << 1)
    y = (((y >> 30 ^ y >> 27) & 1) | y << 1)
    z = (((z >> 31 ^ z >> 30 ^ z >> 29 ^ z >> 28 ^ z >> 26 ^ z >> 24) & 1) | z << 1)
    # Every 8 steps move on to the next output byte (num starts at -1, so the
    # first step selects arr[0]).
    flag = i % 8 == 0
    if flag:
        num += 1
    # Combiner: bit 32 of z selects bit 30 of x when set, otherwise bit 31 of y.
    # The selected bit is appended as the new low bit of the current byte.
    arr[num] = ((arr[num] << 1) | (((z >> 32 & 1 & (x >> 30 & 1)) ^ (((z >> 32 & 1) ^ 1) & (y >> 31 & 1))) & 0xffffffff) & 0xff)
# Pin every accumulator to its observed byte and ask z3 for the seeds.
for i in range(len(keystream)):
    s.add(keystream[i] == arr[i])
if s.check() == sat:
    model = s.model()
    print(model)
# Seeds recovered by the solver above, one per register.
y = 868387187
z = 3131229747
x = 156324965
L = [x, y, z]
# Ciphertext bytes pulled from the binary.
flag = [60, 100, 36, 86, 51, 251, 167, 108, 116, 245,
        207, 223, 40, 103, 34, 62, 22, 251, 227]
# The 12-byte key is the three 32-bit seeds serialised little-endian, x first:
# byte j of seed i lands at Key[4 * i + j].
Key = [byte for seed in L for byte in seed.to_bytes(4, 'little')]
# Repeating-key XOR; the key wraps every len(Key) characters.
plaintext = ''.join(chr(cipher_byte ^ Key[pos % len(Key)])
                    for pos, cipher_byte in enumerate(flag))
print(plaintext, end='')
Y0u_@re_G3meM3s7er!
太妙了真的
[NISACTF 2022]鸣神的国土
汇编指令,GNU代码
可以用 kali 的 as命令和gcc编译
真的可以,但是运行好像没有问题
下面有点像凯撒,但是字符串像base64
- 52是 -65 + 13
所以就是 rot13 + base64
import base64
enc='q3q3YzWcoTyvnJkcYzAioF92nJEyol9PIwSeLwE5ZJ03MGp='
flag=''
for i in range(len(enc)):
tmp=ord(enc[i])
if 65<=tmp<=90:
flag+=chr((tmp-13-65)%26+65)
elif 97<=tmp<=122:
flag+=chr((tmp-13-97)%26+97)
# elif 48<=tmp<=57:
# flag+=chr((tmp-13)%10+48)
else:
flag+=enc[i]
print(flag)
print(base64.b64decode(flag))
那个代码 - 13后面还要 - 65,搞半天 0.0
[MoeCTF 2021]EinfachRe
很简单一个异或
一个没加壳的程序调用了一个魔改upx壳的dll里的ttt函数
应该是 XXTEA 加密
/*
 * ttt - block transform decompiled from the dll (IDA pseudocode).
 *   a1: array of 32-bit words, transformed in place
 *   a2: number of words; nothing happens unless a2 > 1
 *   a3: pointer to the key, read as 32-bit words at a3 + 4 * index
 * Returns nothing; the result is written back into a1.
 * The round structure is the encode branch of the reference btea() below,
 * with v5 = z, v12 = y, v6 = sum, v7 = e and *(a3 + 4 * k) = k[k].
 */
void __fastcall ttt(_DWORD *a1, int a2, __int64 a3)
{
  unsigned int v5; // ebx    z: word produced by the previous step
  unsigned int v6; // r11d   sum (the author notes a2 = 5 in this sample)
  __int64 v7; // rax         e = (sum >> 2) & 3, key-word selector
  __int64 v8; // rdi         p: index of the word being updated
  _DWORD *v9; // r10         cursor over a1
  __int64 v10; // rbp        words remaining in the inner loop
  unsigned int *v11; // rsi  pointer to the next word, y = v[p + 1]
  unsigned int v12; // r8d   y
  __int64 v13; // rcx        key index (p & 3) ^ e
  bool v14; // zf            set once the round counter reaches zero
  int v15; // [rsp+48h] [rbp+10h]   round count, 6 + 52 / n
  unsigned int *v16; // [rsp+58h] [rbp+20h]   &a1[n - 1], the last word
  if ( a2 > 1 )
  {
    v5 = a1[a2 - 1];               // z starts as the last word
    v15 = 52 / a2 + 6;             // XXTEA round count
    v6 = 0;
    v16 = &a1[a2 - 1];
    do
    {
      // Subtracting 1640531527 in 32-bit unsigned arithmetic equals adding
      // DELTA = 0x9E3779B9 (2^32 - 1640531527 = 0x9E3779B9).
      v6 -= 1640531527;
      v7 = (v6 >> 2) & 3;
      v8 = 0i64;
      v9 = a1;
      v10 = (a2 - 1);
      v11 = a1 + 1;
      do
      {
        v12 = *v11++;              // y = v[p + 1]
        ++v9;
        v13 = v7 ^ v8++ & 3;       // (p & 3) ^ e: '&' binds tighter than '^'
        // v[p] += MX -- the same term as the MX macro of btea() below
        // (16 * z == z << 4, 4 * y == y << 2 for unsigned operands).
        *(v9 - 1) += ((v6 ^ v12) + (v5 ^ *(a3 + 4 * v13))) ^ (((16 * v5) ^ (v12 >> 3)) + ((v5 >> 5) ^ (4 * v12)));
        v5 = *(v9 - 1);            // z = v[p]
        --v10;
      }
      while ( v10 );               // n - 1 inner steps per round
      // Last word: y wraps around to v[0], key index uses p = n - 1.
      *v16 += ((v6 ^ *a1) + (v5 ^ *(a3 + 4 * (v7 ^ (a2 - 1) & 3)))) ^ (((16 * v5) ^ (*a1 >> 3)) + ((v5 >> 5) ^ (4 * *a1)));
      v14 = v15-- == 1;            // stop after v15 rounds
      v5 = *v16;
    }
    while ( !v14 );
  }
}
一直有点搞不明白,只能找脚本了
#include <stdbool.h>
#include <stdio.h>
/* XXTEA mixing term.  It is a textual macro: it relies on the caller's locals
 * z, y, sum, e, k and p existing under exactly these names, and on '+'
 * binding tighter than '^' so that it reads (A + B) ^ (C + D). */
#define MX \
((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (k[p & 3 ^ e] ^ z))
/*
 * btea - XXTEA ("corrected block TEA") reference transform.
 *   v: array of 32-bit words, transformed in place
 *   n: word count; n > 1 encrypts n words, n < -1 decrypts -n words
 *   k: key as four 32-bit words
 * Returns 0 when a transform ran, 1 when n is -1, 0 or 1 (nothing done).
 * NOTE: z and y are read from v[n - 1] and v[0] before n is checked, so for
 * n <= 0 the first line indexes before the array -- only call with n > 1 or
 * n < -1.
 */
bool btea(unsigned int* v, int n, unsigned int* k) {
    unsigned int z = v[n - 1], y = v[0], sum = 0, e, DELTA = 0x9e3779b9;
    unsigned int p, q;
    if (n > 1) { /* Coding Part */
        q = 6 + 52 / n;                 /* round count */
        while (q-- > 0) {
            sum += DELTA;
            e = (sum >> 2) & 3;
            /* each word absorbs MX built from its two neighbours */
            for (p = 0; p < n - 1; p++)
                y = v[p + 1], z = v[p] += MX;
            y = v[0];                   /* last word: y wraps to v[0] */
            z = v[n - 1] += MX;
        }
        return 0;
    } else if (n < -1) { /* Decoding Part */
        n = -n;
        q = 6 + 52 / n;
        sum = q * DELTA;                /* final sum of the encode loop ... */
        while (sum != 0) {              /* ... walked back down to zero */
            e = (sum >> 2) & 3;
            for (p = n - 1; p > 0; p--)
                z = v[p - 1], y = v[p] -= MX;
            z = v[n - 1];
            y = v[0] -= MX;
            sum -= DELTA;
        }
        return 0;
    }
    return 1;
}
int main(int argc, char const* argv[]) {
    /* Ciphertext words dumped from the challenge and the key words used for
     * the decryption; 5 words = 20 bytes of output. */
    unsigned int v[5] = {0x22a577c1, 0x1c12c03, 0xc74c3ebd, 0xa9d03c85, 0xadb8ffb3};
    unsigned int key[4] = {55, 66, 77, 88};
    /* A negative count selects btea()'s decoding branch: decrypt all 5 words. */
    btea(v, -5, key);
    /* Emit the recovered bytes one character at a time. */
    const char *text = (const char *)v;
    for (int i = 0; i < 20; i++) {
        putchar(text[i]);
    }
    return 0;
}
[HGAME 2023 week3]kunmusic
一个 exe，一个 C# 的 dll，一个 json 文件
点击发出相应语音
dll 但是空的
json 也不知道在干嘛
先看入口点
发现是将资源文件的data文件异或了
不是 Resource 类哦
dump下来然后异或
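# The resource payload is obfuscated with a single-byte XOR (key 104 = 0x68);
# undo it into a new file next to the original.
SRC_PATH = "D:\\ctf附件2\\kmusic\\data"
DST_PATH = "D:\\ctf附件2\\kmusic\\New_data"
XOR_KEY = 104


def xor_bytes(data, key=XOR_KEY):
    """Return *data* with every byte XORed against the single-byte *key*.

    Args:
        data: any bytes-like object (bytes, bytearray, memoryview).
        key: integer in 0..255 applied to every byte.
    Returns:
        A new ``bytes`` of the same length; empty input gives ``b""``.
    Raises:
        ValueError: if *key* is outside 0..255.
    """
    # A 256-entry translation table lets the whole buffer be processed in one
    # C-level pass instead of a Python loop with one bytes() object per byte.
    table = bytes(i ^ key for i in range(256))
    return bytes(data).translate(table)


if __name__ == "__main__":
    # Read the blob once and write the result with a single call; ``with``
    # closes both handles even if something raises in between.
    with open(SRC_PATH, 'rb') as fp:
        data = fp.read()
    with open(DST_PATH, 'wb') as newfp:
        newfp.write(xor_bytes(data))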
写这个也是改了几遍 0.0
然后010分析又是一个 c# 的 PE 结构
知道了 flag
#num=Ints(['num[%d]'%i] for i in range(13))
# Alternative declaration of the 13 unknowns as unbounded z3 Int variables
# instead of the 8-bit BitVecs used in the script below (Int arithmetic does
# not wrap, so the check equations would then hold at full width).
num = IntVector('num', 13)
或者
from z3 import *

# 47 ciphertext bytes; the flag is c XOR a repeating 13-byte key.
c = [132, 47, 180, 7, 216, 45, 68, 6, 39, 246, 124, 2, 243, 137, 58, 172, 53, 200, 99, 91, 83, 13, 171, 80, 108, 235, 179, 58, 176, 28, 216, 36, 11, 80, 39, 162, 97, 58, 236, 130, 123, 176, 24, 212, 56, 89, 72]
# The 13 unknown key bytes, modelled as 8-bit bit-vectors.
# NOTE(review): because num[i] is 8 bits wide, z3 coerces every Python-int
# constant in the equations below (the addends, the XOR masks and the
# right-hand totals) to 8 bits too, so each equation is only enforced modulo
# 256.  That is why the known-prefix constraints further down are needed for
# a usable answer; presumably the original check ran in wider integers, and
# widening num (e.g. with ZeroExt) before the arithmetic would restore the
# full equations -- not verified here.
num = [BitVec(f'flag{i}',8) for i in range(13)]
s = Solver()
# Thirteen check equations the key bytes must satisfy.
s.add(num[0] + 52296 + num[1] - 26211 + num[2] - 11754 + (num[3] ^ 0xA114) + num[4] * 63747 + num[5] - 52714 + num[6] - 10512 + num[7] * 12972 + num[8] + 45505 + num[9] - 21713 + num[10] - 59122 + num[11] - 12840 + (num[12] ^ 0x525F) == 12702282 )
s.add( num[0] - 25228 + (num[1] ^ 0x50DB) + (num[2] ^ 0x1FDE) + num[3] - 65307 + num[4] * 30701 + num[5] * 47555 + num[6] - 2557 + (num[7] ^ 0xBF9F) + num[8] - 7992 + (num[9] ^ 0xE079) + (num[10] ^ 0xE052) + num[11] + 13299 + num[12] - 50966 == 9946829 )
s.add( num[0] - 64801 + num[1] - 60698 + num[2] - 40853 + num[3] - 54907 + num[4] + 29882 + (num[5] ^ 0x3506) + (num[6] ^ 0x533E) + num[7] + 47366 + num[8] + 41784 + (num[9] ^ 0xD1BA) + num[10] * 58436 + num[11] * 15590 + num[12] + 58225 == 2372055 )
s.add( num[0] + 61538 + num[1] - 17121 + num[2] - 58124 + num[3] + 8186 + num[4] + 21253 + num[5] - 38524 + num[6] - 48323 + num[7] - 20556 + num[8] * 56056 + num[9] + 18568 + num[10] + 12995 + (num[11] ^ 0x995C) + num[12] + 25329 == 6732474 )
s.add( num[0] - 42567 + num[1] - 17743 + num[2] * 47827 + num[3] - 10246 + (num[4] ^ 0x3F9C) + num[5] + 39390 + num[6] * 11803 + num[7] * 60332 + (num[8] ^ 0x483B) + (num[9] ^ 0x12BB) + num[10] - 25636 + num[11] - 16780 + num[12] - 62345 == 14020739 )
s.add( num[0] - 10968 + num[1] - 31780 + (num[2] ^ 0x7C71) + num[3] - 61983 + num[4] * 31048 + num[5] * 20189 + num[6] + 12337 + num[7] * 25945 + (num[8] ^ 0x1B98) + num[9] - 25369 + num[10] - 54893 + num[11] * 59949 + (num[12] ^ 0x3099) == 14434062 )
s.add( num[0] + 16689 + num[1] - 10279 + num[2] - 32918 + num[3] - 57155 + num[4] * 26571 + num[5] * 15086 + (num[6] ^ 0x59CA) + (num[7] ^ 0x5B35) + (num[8] ^ 0x3FFD) + (num[9] ^ 0x5A85) + num[10] - 40224 + num[11] + 31751 + num[12] * 8421 == 7433598 )
s.add( num[0] + 28740 + num[1] - 64696 + num[2] + 60470 + num[3] - 14752 + (num[4] ^ 0x507) + (num[5] ^ 0x89C8) + num[6] + 49467 + num[7] - 33788 + num[8] + 20606 + (num[9] ^ 0xAF4A) + num[10] * 19764 + num[11] + 48342 + num[12] * 56511 == 7989404 )
s.add( (num[0] ^ 0x7132) + num[1] + 23120 + num[2] + 22802 + num[3] * 31533 + (num[4] ^ 0x9977) + num[5] - 48576 + (num[6] ^ 0x6F7E) + num[7] - 43265 + num[8] + 22365 + num[9] + 61108 + num[10] * 2823 + num[11] - 30343 + num[12] + 14780 == 3504803 )
s.add( num[0] * 22466 + (num[1] ^ 0xDABF) + num[2] - 53658 + (num[3] ^ 0xB838) + (num[4] ^ 0x30DF) + num[5] * 59807 + num[6] + 46242 + num[7] + 3052 + (num[8] ^ 0x62BF) + num[9] + 30202 + num[10] * 22698 + num[11] + 33480 + (num[12] ^ 0x4175) == 11003580 )
s.add( num[0] * 57492 + (num[1] ^ 0x346D) + num[2] - 13941 + (num[3] ^ 0xBBDC) + num[4] * 38310 + num[5] + 9884 + num[6] - 45500 + num[7] - 19233 + num[8] + 58274 + num[9] + 36175 + (num[10] ^ 0x4888) + num[11] * 49694 + (num[12] ^ 0x2501) == 25546210 )
s.add( num[0] - 23355 + num[1] * 50164 + (num[2] ^ 0x873A) + num[3] + 52703 + num[4] + 36245 + num[5] * 46648 + (num[6] ^ 0x12FA) + (num[7] ^ 0xA376) + num[8] * 27122 + (num[9] ^ 0xA44A) + num[10] * 15676 + num[11] - 31863 + num[12] + 62510 == 11333836 )
s.add( num[0] * 30523 + (num[1] ^ 0x1F36) + num[2] + 39058 + num[3] * 57549 + (num[4] ^ 0xD0C0) + num[5] * 4275 + num[6] - 48863 + (num[7] ^ 0xD88C) + (num[8] ^ 0xA40) + (num[9] ^ 0x3554) + num[10] + 62231 + num[11] + 19456 + num[12] - 13195 == 13863722)
# Known plaintext: the flag starts with "hgame{", which pins num[0..5] to
# plaintext_byte ^ ciphertext_byte directly.
s.add(num[0]==ord('h')^c[0])
s.add(num[1]==ord('g')^c[1])
s.add(num[2]==ord('a')^c[2])
s.add(num[3]==ord('m')^c[3])
s.add(num[4]==ord('e')^c[4])
s.add(num[5]==ord('{')^c[5])
s.check()
m = s.model()
print(m)
# Pull the concrete key bytes out of the model, in index order.
key = []
for i in range(13):
    key.append(m[num[i]].as_long())
# Repeating-key XOR; % 128 keeps only the low 7 bits of each result.
flag = [(c[i]^key[i%13])%128 for i in range(len(c))]
print(bytes(flag))
# b'hgame{z3_1s_very_u5eful_1n_rever5e_engin3ering}'
# Known-plaintext hint: the flag starts with "hgame{", so each of the first six
# key bytes is pinned to plaintext_byte ^ ciphertext_byte.  These constraints
# are required; without them the solver returns a key that decrypts wrongly.
s.add(num[0]==ord('h')^c[0])
s.add(num[1]==ord('g')^c[1])
s.add(num[2]==ord('a')^c[2])
s.add(num[3]==ord('m')^c[3])
s.add(num[4]==ord('e')^c[4])
s.add(num[5]==ord('{')^c[5])
这个也必须加上,不然跑出来的不对