目录
[HNCTF 2022 WEEK3]Help_Me!
[HNCTF 2022 WEEK3]What's 1n DLL?
[HNCTF 2022 WEEK4]ez_maze
这几天在做HNCTF的week3,week4部分,学到了一些不知道的没接触过的东西,所以记录一下
[HNCTF 2022 WEEK3]Help_Me!
题目下载:下载
运行下程序:
发现是让你获得最高的score,并且不能猝死(不能超过某一个值),这个就和 01背包问题很像,这个是第一次接触,宿舍的一个py大佬给我讲了一遍,然后看了视频就一点点理会了。
视频链接:【动态规划】背包问题_哔哩哔哩_bilibili
载入IDA,前面就是一些题目论述和给的一些含金量和“重量”(防止猝死)。重点看一下下面的地方:
可以发现不能超过200,并且会进入func函数,看一下:
发现这里会输出flag,所以只要你满足这个01背包,就会出flag。
#总重量不超过200,根据重量200,物品数量20,所以创建空表格:21行201列
val=[26, 59, 30, 19, 66, 85, 94, 8, 3, 44, 5, 1, 41, 82, 76, 1, 12,81,73,32] #价值
w=[71, 34, 82, 23, 1,88,12,57, 10, 68, 5, 33, 37, 69, 98,24, 26,83, 16, 26] #重量
#建立表格给dp
dp=[[0 for _ in range(201)] for _ in range(21)]
#填表格
for i in range(1,21):
for j in range(1,201):
if j>=w[i-1]:
dp[i][j]=max(dp[i-1][j-w[i-1]]+val[i-1],dp[i-1][j]) #取添加这个物品的价值,和不添加这个物品的价值的最大值
else:
dp[i][j]=dp[i-1][j]
#回溯
i=20
j=200
tmp=dp[i][j] #表格的右下角,即最大价值
res=[] #用来接收含金量的值
while i!=0:
if tmp==dp[i-1][j]:
i=i-1
else:
res.append(val[i-1])
tmp=tmp-val[i-1]
i=i-1
for t in range(j+1):
if dp[i][t]==tmp:
j=t
break
print(res)
# 含金量 [32, 73, 82, 41, 5, 94, 66, 59]
根据获得的含金量就可以根据提示输入了。
[HNCTF 2022 WEEK3]What's 1n DLL?
题目下载:下载
下载完附件发现有一个可执行程序和.dll动态链接库。根据题目就知道需要观察这个.dll文件。先把exe载入IDA
首先输入flag,然后出现v4数组,然后载入Dll1.dll的ttt函数地址,打开这个.dll文件。发现有upx壳,载入十六进制编辑器,把UFO改为UPX在upx -d脱壳就可
IDA载入DLL1.dll。在导出表中找到ttt函数
根据这个格式知道是一个xxtea加密,那前面exe中出现的v4数组就可能是key,所以可以在网上找脚本求解。代码如下
#include <stdbool.h>
#include <stdio.h>
#define MX \
((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4) ^ (sum ^ y) + (k[p & 3 ^ e] ^ z))
bool btea(unsigned int* v, int n, unsigned int* k) {
unsigned int z = v[n - 1], y = v[0], sum = 0, e, DELTA = 0x9e3779b9;
unsigned int p, q;
if (n > 1) { /* Coding Part */
q = 6 + 52 / n;
while (q-- > 0) {
sum += DELTA;
e = (sum >> 2) & 3;
for (p = 0; p < n - 1; p++)
y = v[p + 1], z = v[p] += MX;
y = v[0];
z = v[n - 1] += MX;
}
return 0;
} else if (n < -1) { /* Decoding Part */
n = -n;
q = 6 + 52 / n;
sum = q * DELTA;
while (sum != 0) {
e = (sum >> 2) & 3;
for (p = n - 1; p > 0; p--)
z = v[p - 1], y = v[p] -= MX;
z = v[n - 1];
y = v[0] -= MX;
sum -= DELTA;
}
return 0;
}
return 1;
}
int main(int argc, char const* argv[]) {
// test
unsigned int v[5] = {0x22a577c1,0x1c12c03,0xc74c3ebd,0xa9d03c85,0xadb8ffb3}, key[4] = {55,66,77,88};
//printf("%u,%u\n", v[0], v[1]);
//btea(v, 2, key);
//printf("%u,%u\n", v[0], v[1]);
btea(v, -5, key); //n为要加密的数据个数
char *p=(char *) v;
for(int i=0;i<20;i++){
printf("%c",*p);
p++;
}
//printf("%u,%u\n", v[0], v[1]);
return 0;
}
flag:NSSCTF{He110_w0r1d!}
[HNCTF 2022 WEEK4]ez_maze
题目下载:下载
下载完是一个pyc文件,可以在线转化为.pc文件
参考:Python可执行文件反编译教程(exe转py)_python_脚本之家
转化完,查看代码
map1 = [
[
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1],
[
1,
0,
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
1],
[
1,
0,
1,
0,
1,
1,
1,
1,
1,
1,
1,
1,
1,
0,
1,
1,
1,
1,
1,
0,
1,
0,
1,
1,
1,
1,
1,
1,
1,
0,
1],
[
1,
0,
1,
0,
0,
0,
1,
0,
0,
0,
0,
0,
0,
0,
1,
0,
0,
0,
1,
0,
0,
0,
1,
0,
1,
0,
0,
0,
1,
0,
1],
[
1,
0,
1,
1,
1,
1,
1,
0,
1,
1,
1,
1,
1,
1,
1,
1,
1,
0,
1,
1,
1,
1,
1,
0,
1,
0,
1,
0,
1,
0,
1],
[
1,
0,
0,
0,
1,
0,
0,
0,
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
1,
0,
0,
0,
1,
0,
0,
0,
1],
[
1,
1,
1,
0,
1,
0,
1,
1,
1,
0,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
0,
1,
1,
1,
1,
1,
1,
1],
[
1,
0,
0,
0,
1,
0,
1,
0,
0,
0,
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
1,
0,
0,
0,
1,
0,
0,
0,
1,
0,
1],
[
1,
0,
1,
1,
1,
0,
1,
0,
1,
1,
1,
0,
1,
1,
1,
1,
1,
1,
1,
0,
1,
0,
1,
1,
1,
0,
1,
0,
1,
0,
1],
[
1,
0,
0,
0,
0,
0,
1,
0,
1,
0,
0,
0,
1,
0,
0,
0,
1,
0,
1,
0,
1,
0,
0,
0,
1,
0,
1,
0,
0,
0,
1],
[
1,
1,
1,
1,
1,
1,
1,
0,
1,
0,
1,
1,
1,
0,
1,
0,
1,
0,
1,
0,
1,
1,
1,
0,
1,
0,
1,
1,
1,
0,
1],
[
1,
0,
0,
0,
0,
0,
0,
0,
1,
0,
0,
0,
0,
0,
1,
0,
0,
0,
1,
0,
1,
0,
0,
0,
1,
0,
1,
0,
0,
0,
1],
[
1,
0,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
0,
1,
0,
1,
0,
1,
1,
1,
0,
1,
0,
1,
1,
1],
[
1,
0,
0,
0,
0,
0,
0,
0,
1,
0,
0,
0,
0,
0,
0,
0,
1,
0,
1,
0,
0,
0,
1,
0,
0,
0,
1,
0,
0,
0,
1],
[
1,
0,
1,
1,
1,
1,
1,
0,
1,
0,
1,
0,
1,
0,
1,
1,
1,
0,
1,
1,
1,
1,
1,
0,
1,
1,
1,
1,
1,
1,
1],
[
1,
0,
1,
0,
0,
0,
1,
0,
1,
0,
1,
0,
1,
0,
1,
0,
0,
0,
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
1],
[
1,
0,
1,
0,
1,
0,
1,
0,
1,
0,
1,
0,
1,
1,
1,
0,
1,
1,
1,
0,
1,
1,
1,
1,
1,
0,
1,
1,
1,
0,
1],
[
1,
0,
1,
0,
1,
0,
1,
0,
1,
0,
1,
0,
0,
0,
1,
0,
0,
0,
1,
0,
1,
0,
0,
0,
1,
0,
1,
0,
0,
0,
1],
[
1,
0,
1,
0,
1,
1,
1,
0,
1,
0,
1,
1,
1,
0,
1,
1,
1,
0,
1,
0,
1,
0,
1,
0,
1,
1,
1,
0,
1,
1,
1],
[
1,
0,
0,
0,
1,
0,
0,
0,
1,
0,
1,
0,
0,
0,
0,
0,
1,
0,
1,
0,
1,
0,
1,
0,
0,
0,
1,
0,
0,
0,
1],
[
1,
0,
1,
1,
1,
0,
1,
0,
1,
0,
1,
0,
1,
1,
1,
1,
1,
0,
1,
0,
1,
0,
1,
1,
1,
0,
1,
0,
1,
0,
1],
[
1,
0,
1,
0,
0,
0,
1,
0,
1,
0,
1,
0,
0,
0,
0,
0,
0,
0,
1,
0,
1,
0,
1,
0,
1,
0,
1,
0,
1,
0,
1],
[
1,
0,
1,
0,
1,
1,
1,
0,
1,
0,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
0,
1,
0,
1,
0,
1,
0,
1,
0,
1],
[
1,
0,
1,
0,
0,
0,
1,
0,
1,
0,
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
1,
0,
1,
0,
1,
0,
1,
0,
1,
0,
1],
[
1,
0,
1,
1,
1,
0,
1,
0,
1,
0,
1,
1,
1,
1,
1,
0,
1,
0,
1,
0,
1,
0,
1,
0,
1,
0,
1,
0,
1,
0,
1],
[
1,
0,
0,
0,
1,
0,
1,
0,
1,
0,
0,
0,
0,
0,
1,
0,
1,
0,
1,
0,
0,
0,
1,
0,
0,
0,
1,
0,
1,
0,
1],
[
1,
1,
1,
1,
1,
0,
1,
1,
1,
1,
1,
1,
1,
0,
1,
1,
1,
0,
1,
1,
1,
1,
1,
1,
1,
0,
1,
1,
1,
0,
1],
[
1,
0,
0,
0,
0,
0,
1,
0,
0,
0,
0,
0,
1,
0,
0,
0,
1,
0,
0,
0,
0,
0,
0,
0,
1,
0,
0,
0,
0,
0,
1],
[
1,
0,
1,
1,
1,
1,
1,
0,
1,
1,
1,
0,
1,
1,
1,
0,
1,
1,
1,
1,
1,
1,
1,
0,
1,
1,
1,
1,
1,
0,
1],
[
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
1,
0,
0,
0,
0,
0,
1],
[
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1,
1]]
path = str(input('please input your path:'))
x = 1
y = 1
for i in path:
if i not in 'wasd':
print('lose')
exit(0)
if i == 's':
y += 1
if i == 'w':
y -= 1
if i == 'a':
x -= 1
if i == 'd':
x += 1
if map1[y][x] != 0:
print('lose!')
exit(0)
if x == 29 and y == 29:
print('win!')
print('NSSCTF{md5(path)}')
continue
return None可以知道这是一个简单的迷宫问题,‘wsad’分别代表上下左右,起点是(1,1),终点是(29,29),0是路,1是墙。这道题手动应该也是能走出来的,这里看一下代码求解,使用dfs。
map1=[[1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1],
[1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1],
[1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1],
[1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1],
[1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1],
[1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1],
[1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1],
[1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1],
[1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1],
[1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1],
[1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1],
[1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1],
[1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1],
[1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1],
[1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1],
[1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1],
[1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1],
[1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1],
[1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1],
[1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1],
[1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1],
[1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1],
[1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1],
[1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1],
[1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1],
[1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1],
[1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1],
[1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1],
[1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1],
[1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1],
[1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1]
]
map2 = [[0 for i in range(len(map1))] for i in range(len(map1)) ]
flag=""
def DFS(x,y):
global flag
if x == len(map1) - 2 and y == len(map1) - 2: # 判断边界 终点
print(flag)
if map1[x + 1][y] == 0 and map2[x + 1][y] == 0:
map2[x][y] = 1
flag += 's'
DFS(x + 1, y)
flag = flag[:-1]
map2[x][y] = 0
if map1[x - 1][y] == 0 and map2[x - 1][y] == 0:
map2[x][y] = 1
flag += 'w'
DFS(x - 1, y)
flag = flag[:-1]
map2[x][y] = 0
if map1[x][y + 1] == 0 and map2[x][y + 1] == 0:
map2[x][y] = 1
flag += 'd'
DFS(x, y + 1)
flag = flag[:-1]
map2[x][y] = 0
if map1[x][y - 1] == 0 and map2[x][y - 1] == 0:
map2[x][y] = 1
flag += 'a'
DFS(x, y - 1)
flag = flag[:-1]
map2[x][y] = 0
x=1
y=1
DFS(x,y)然后在md5(path)就可获得flag。
