前言
记录一下这几道逆向题的解题过程。
1.Can_you_find_me?
签到题,秒了
2.ea_re
通过字符串 "plz enter the flag:" 快速定位到校验函数 main_0:
/*
 * IDA pseudocode of the flag checker (ea_re).
 *
 * Reads keystrokes one at a time into v12, then compares the first 17
 * characters against byte_415768[v10[i]] and characters 17..21 against the
 * literal "1024}".  On a mismatch it prints "u r wrong" and calls main()
 * again (presumably to re-prompt -- main's body is not shown here).
 *
 * Review notes on the decompiled input loop (what the binary itself does,
 * not something to "fix" in the writeup):
 *   - v11 is a signed char index and is never bounds-checked: more than 36
 *     keystrokes (v12 is char[36]) write past v12 on the stack, and a
 *     backspace with v11 == 0 underflows it to -1 (the next key lands in
 *     v12[-1]).
 *   - v12 is never initialised and the terminating 0 is only written at the
 *     very end, after the comparison, so an input shorter than 22 characters
 *     is compared against whatever stack garbage follows it.
 *   - v4/v5/v6 are never assigned before being passed to main(); that is a
 *     decompiler artefact of forwarding the original argc/argv/envp slots.
 */
int __cdecl main_0(int argc, const char **argv, const char **envp)
{
int v4; // [esp+0h] [ebp-1A0h]
const char **v5; // [esp+4h] [ebp-19Ch]
const char **v6; // [esp+8h] [ebp-198h]
char v7; // [esp+Ch] [ebp-194h]
int i; // [esp+D4h] [ebp-CCh]
int v9; // [esp+E0h] [ebp-C0h]
int v10[24]; // [esp+ECh] [ebp-B4h]
char v11; // [esp+14Fh] [ebp-51h]
char v12[36]; // [esp+178h] [ebp-28h]
v11 = 0; /* write index into v12 (signed char, no bounds check below) */
/* v10: index table into byte_415768; only entries 0..16 are used by the
 * comparison loop, entries 17..21 are never read. */
v10[0] = 1;
v10[1] = 4;
v10[2] = 14;
v10[3] = 10;
v10[4] = 5;
v10[5] = 36;
v10[6] = 23;
v10[7] = 42;
v10[8] = 13;
v10[9] = 19;
v10[10] = 28;
v10[11] = 13;
v10[12] = 27;
v10[13] = 39;
v10[14] = 48;
v10[15] = 41;
v10[16] = 42;
v10[17] = 26;
v10[18] = 20;
v10[19] = 59;
v10[20] = 4;
v10[21] = 0;
printf("plz enter the flag:");
/* Raw keystroke loop: getch() returns one key without echo, so the code
 * echoes it itself.  Terminates on NUL or Enter (13 == '\r'). */
while ( 1 )
{
v7 = getch();
v12[v11] = v7;
if ( !v7 || v12[v11] == 13 )
break;
if ( v12[v11] == 8 ) /* 8 == backspace: step back without a lower bound on v11 */
{
printf("\b\b");
--v11;
}
else
{
printf("%c", v12[v11++]); /* no upper bound: v12 holds only 36 bytes */
}
}
/* v9 is a sticky "mismatch" flag; every position is compared, no early exit. */
v9 = 0;
for ( i = 0; i < 17; ++i )
{
if ( v12[i] != byte_415768[v10[i]] )
v9 = 1;
}
/* 49 48 50 52 125 == '1' '0' '2' '4' '}' : the fixed tail of the flag. */
if ( v12[17] != 49 || v12[18] != 48 || v12[19] != 50 || v12[20] != 52 || v12[21] != 125 )
v9 = 1;
v12[v11] = 0; /* NUL terminator written only now, after the comparison above */
printf("\r\n");
if ( v9 )
{
printf("u r wrong\r\n\r\n");
main(v4, v5, v6); /* v4..v6 never assigned here (decompiler artefact) */
}
else
{
printf("u r right!\r\n");
}
system("pause"); /* Windows-only: waits for a key before the console closes */
return 0;
}
分析一波:输入循环用 getch() 逐个读键,遇到 NUL 或回车(13)结束;之后把前 17 个字符与 byte_415768[v10[i]] 比较,第 17~21 位则必须是 49,48,50,52,125,也就是 "1024}"。所以 flag 共 22 个字符:前 17 位由 v10 下标在 byte_415768 里查表得到,后 5 位固定。
ok,从 byte_415768 处把字符串提取出来,按 v10 里的下标取字符
写一个脚本
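# Constants lifted from main_0: the byte_415768 string table, the v10 index
# table used for v12[0..16], and the literal tail compared at v12[17..21].
# NOTE(review): the "\\0" near the end is IDA's rendering of an embedded NUL
# copied into a Python literal, so here it is a backslash followed by '0'.
# None of the indices below reach that position, so the flag is unaffected.
aSkfxeeftFGyryg = "sKfxEeft}f{gyrYgthtyhifsjei53UUrrr_t2cdsef66246087138\\0087138"
# Only the first 17 entries of v10 are consumed by the check (i in 0..16).
v10 = [1, 4, 14, 10, 5, 36, 23, 42, 13, 19, 28, 13, 27, 39, 48, 41, 42]
# v12[17..21] must equal 49, 48, 50, 52, 125.  Build the tail from those
# constants instead of retyping it so a transcription slip cannot change it.
ending = bytes([49, 48, 50, 52, 125]).decode("ascii")


def _lookup(table, indices):
    """Return the characters of `table` selected by `indices`, in order.

    Raises IndexError when an index lies outside `table`: a flag with a
    character missing is wrong anyway, so fail loudly rather than print a
    partial one that looks plausible.
    """
    chars = []
    for index in indices:
        if index >= len(table):
            raise IndexError(f"Index {index} is out of range for the given string.")
        chars.append(table[index])
    return "".join(chars)


# Assemble the flag: 17 looked-up characters followed by the fixed tail.
flag = _lookup(aSkfxeeftFGyryg, v10) + ending
print("Possible flag:", flag)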
输出
完成
3.rere000
打开题目附件,发现是 python 2.x 的字节码(PRINT_ITEM/PRINT_NEWLINE、DUP_TOPX 这些指令只有 Python 2 才有):
0 LOAD_GLOBAL 0 (raw_input)
3 LOAD_CONST 1 ('plz input your flag:')
6 CALL_FUNCTION 1
9 STORE_FAST 0 (a)
5 12 LOAD_CONST 2 (0)
15 BUILD_LIST 1
18 LOAD_GLOBAL 1 (len)
21 LOAD_FAST 0 (a)
24 CALL_FUNCTION 1
27 BINARY_MULTIPLY
28 STORE_FAST 1 (b)
6 31 LOAD_CONST 3 (68)
34 LOAD_CONST 4 (5)
37 LOAD_CONST 5 (164)
40 LOAD_CONST 6 (100)
43 LOAD_CONST 7 (231)
46 LOAD_CONST 8 (228)
49 LOAD_CONST 9 (175)
52 LOAD_CONST 10 (36)
55 LOAD_CONST 11 (142)
58 LOAD_CONST 9 (175)
61 LOAD_CONST 12 (78)
64 LOAD_CONST 13 (206)
67 LOAD_CONST 14 (4)
70 LOAD_CONST 15 (45)
73 LOAD_CONST 11 (142)
76 LOAD_CONST 16 (174)
79 LOAD_CONST 17 (238)
82 LOAD_CONST 5 (164)
85 LOAD_CONST 15 (45)
88 LOAD_CONST 18 (14)
91 LOAD_CONST 9 (175)
94 LOAD_CONST 19 (46)
97 LOAD_CONST 17 (238)
100 LOAD_CONST 15 (45)
103 LOAD_CONST 5 (164)
106 LOAD_CONST 16 (174)
109 LOAD_CONST 10 (36)
112 LOAD_CONST 9 (175)
115 LOAD_CONST 15 (45)
118 LOAD_CONST 20 (196)
121 LOAD_CONST 20 (196)
124 LOAD_CONST 12 (78)
127 LOAD_CONST 9 (175)
130 LOAD_CONST 10 (36)
133 LOAD_CONST 19 (46)
136 LOAD_CONST 17 (238)
139 LOAD_CONST 20 (196)
142 LOAD_CONST 13 (206)
145 LOAD_CONST 12 (78)
148 LOAD_CONST 12 (78)
151 LOAD_CONST 3 (68)
154 LOAD_CONST 21 (39)
157 BUILD_LIST 42
160 STORE_FAST 2 (c)
7 163 LOAD_GLOBAL 1 (len)
166 LOAD_FAST 0 (a)
169 CALL_FUNCTION 1
172 LOAD_CONST 22 (42)
175 COMPARE_OP 3 (!=)
178 POP_JUMP_IF_FALSE 190
8 181 LOAD_CONST 23 ('wrong length')
184 PRINT_ITEM
185 PRINT_NEWLINE
9 186 LOAD_CONST 2 (0)
189 RETURN_VALUE
10 >> 190 SETUP_LOOP 117 (to 310)
193 LOAD_GLOBAL 2 (range)
196 LOAD_GLOBAL 1 (len)
199 LOAD_FAST 0 (a)
202 CALL_FUNCTION 1
205 CALL_FUNCTION 1
208 GET_ITER
>> 209 FOR_ITER 97 (to 309)
212 STORE_FAST 3 (i)
11 215 LOAD_GLOBAL 3 (ord)
218 LOAD_FAST 0 (a)
221 LOAD_FAST 3 (i)
224 BINARY_SUBSCR
225 CALL_FUNCTION 1
228 LOAD_CONST 24 (3)
231 BINARY_RSHIFT
232 LOAD_GLOBAL 3 (ord)
235 LOAD_FAST 0 (a)
238 LOAD_FAST 3 (i)
241 BINARY_SUBSCR
242 CALL_FUNCTION 1
245 LOAD_CONST 4 (5)
248 BINARY_LSHIFT
249 BINARY_XOR
250 LOAD_CONST 25 (255)
253 BINARY_AND
254 LOAD_FAST 1 (b)
257 LOAD_FAST 3 (i)
260 STORE_SUBSCR
12 261 LOAD_FAST 1 (b)
264 LOAD_FAST 3 (i)
267 DUP_TOPX 2
270 BINARY_SUBSCR
271 LOAD_CONST 26 (136)
274 INPLACE_XOR
275 ROT_THREE
276 STORE_SUBSCR
13 277 LOAD_FAST 1 (b)
280 LOAD_FAST 3 (i)
283 BINARY_SUBSCR
284 LOAD_FAST 2 (c)
287 LOAD_FAST 3 (i)
290 BINARY_SUBSCR
291 COMPARE_OP 3 (!=)
294 POP_JUMP_IF_FALSE 209
14 297 LOAD_CONST 27 ('wrong')
300 PRINT_ITEM
301 PRINT_NEWLINE
15 302 LOAD_CONST 2 (0)
305 RETURN_VALUE
306 JUMP_ABSOLUTE 209
>> 309 POP_BLOCK
16 >> 310 LOAD_CONST 28 ('win')
313 PRINT_ITEM
314 PRINT_NEWLINE
315 LOAD_CONST 0 (None)
318 RETURN_VALUE
然后把字节码还原成加密逻辑:先要求 len(a) == 42,然后对每个字符 x 计算 b[i] = ((x >> 3) ^ (x << 5)) & 255,再 b[i] ^= 136,逐项与 c[i] 比较,任一不等就输出 wrong。据此写出解密脚本:
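def decrypt_flag(encrypted=None):
    """Recover the flag from the rere000 comparison table.

    The checker computes, for each input byte x:
        b = ((x >> 3) ^ (x << 5)) & 255
        b ^= 136
    and compares b with c[i].  Masked to 8 bits, the first step moves the
    high 5 bits of x down and the low 3 bits up, i.e. it is a rotate-right
    by 3 and therefore a bijection on 0..255.  It is inverted directly with
    a rotate-left by 3 instead of trying all 256 candidates per byte.

    Args:
        encrypted: iterable of 8-bit integers to decode.  Defaults to the
            table c built by the bytecode.

    Returns:
        The decoded string (one character per input value).
    """
    if encrypted is None:
        # Table c as built by the BUILD_LIST 42 in the bytecode.
        encrypted = [68, 5, 164, 100, 231, 228, 175, 36, 142, 175, 78, 206, 4, 45, 142,
                     174, 238, 164, 45, 14, 175, 46, 238, 45, 164, 174, 36, 175, 45, 196,
                     196, 78, 175, 36, 46, 238, 196, 206, 78, 78, 68, 39]
    out = []
    for val in encrypted:
        # Step 1: undo the final XOR with 136 (XOR is its own inverse).
        val ^= 136
        # Step 2: undo the rotate-right-by-3 with a rotate-left-by-3.
        out.append(chr(((val << 3) | (val >> 5)) & 255))
    return "".join(out)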
if __name__ == "__main__":
    # Script entry point: print the recovered flag.
    print("解密后的flag是:", decrypt_flag())
输出一下。解密逻辑就是对加密后的数组逐字节逆向:先异或回 136,再找出经过 (x >> 3) ^ (x << 5) 后能得到该值的字符(这一步在 8 位范围内其实是循环右移 3 位,所以既可以暴力枚举 0~255,也可以直接循环左移 3 位还原),最后得到正确答案:
flag{c9e0962d-013a-4953-a1e9-bb69e53b266f}
4.神奇的小按钮(题目有点小问题)
查壳发现无壳,进入 ida64 中查看字符串
分析可知
那么对 flag[15:] 逐字符与 7 异或后提交(前 15 位是明文;异或是自身的逆运算,所以用同样的操作就能还原)
写个脚本
# Value taken from the binary: the first 15 characters are stored in the
# clear, everything after them was XORed with 7.  XOR is its own inverse,
# so applying the same operation again recovers the original characters.
encrypted = 'KEYmd57e0cad17016b0>?45?f7c>0>4a>1c3a0'
PREFIX_LEN = 15
tail = ''.join(chr(ord(ch) ^ 7) for ch in encrypted[PREFIX_LEN:])
result = encrypted[:PREFIX_LEN] + tail
print(result)
输出
KEYmd57e0cad17061e798328a0d9793f96d4f7
然后提交即可