
XYNU2024信安杯-REVERSE(复现)

前言

记录记录

1.Can_you_find_me?

签到题,秒了

2.ea_re

快速定位

/*
 * Decompiled flag checker (IDA output, reformatted one statement per line).
 *
 * Reads the candidate flag from the console with getch(), then checks it in
 * two parts:
 *   - v12[0..16] must equal byte_415768[v10[i]], i.e. characters picked out of
 *     a fixed string by the index table v10 (the string itself is defined
 *     elsewhere in the binary);
 *   - v12[17..21] must equal the literal bytes 49,48,50,52,125 = "1024}".
 * On mismatch it prints "u r wrong" and calls main() again; on success
 * "u r right!".
 */
int __cdecl main_0(int argc, const char **argv, const char **envp)
{
    int v4; // [esp+0h] [ebp-1A0h]   -- never assigned below; passed to main()
    const char **v5; // [esp+4h] [ebp-19Ch]   -- never assigned below
    const char **v6; // [esp+8h] [ebp-198h]   -- never assigned below
    char v7; // [esp+Ch] [ebp-194h]   -- last key read by getch()
    int i; // [esp+D4h] [ebp-CCh]
    int v9; // [esp+E0h] [ebp-C0h]   -- mismatch flag, 0 = ok, 1 = wrong
    int v10[24]; // [esp+ECh] [ebp-B4h]   -- index table into byte_415768; only [0..16] are compared
    char v11; // [esp+14Fh] [ebp-51h]   -- write position in v12 (a char, never bounds-checked)
    char v12[36]; // [esp+178h] [ebp-28h]   -- input buffer, 36 bytes

    v11 = 0;
    v10[0] = 1;
    v10[1] = 4;
    v10[2] = 14;
    v10[3] = 10;
    v10[4] = 5;
    v10[5] = 36;
    v10[6] = 23;
    v10[7] = 42;
    v10[8] = 13;
    v10[9] = 19;
    v10[10] = 28;
    v10[11] = 13;
    v10[12] = 27;
    v10[13] = 39;
    v10[14] = 48;
    v10[15] = 41;
    v10[16] = 42;
    v10[17] = 26; // entries 17..21 are set but never read by the loop below
    v10[18] = 20;
    v10[19] = 59;
    v10[20] = 4;
    v10[21] = 0;
    printf("plz enter the flag:");
    /*
     * Raw keystroke loop: stops on NUL or CR (13). Backspace (8) only
     * decrements v11 -- at position 0 this makes the next store hit v12[-1].
     * Any other key is echoed and v11 is incremented with no upper bound, so
     * more than 36 characters write past the end of v12 on the stack.
     */
    while ( 1 )
    {
        v7 = getch();
        v12[v11] = v7;
        if ( !v7 || v12[v11] == 13 )
            break;
        if ( v12[v11] == 8 )
        {
            printf("\b\b");
            --v11;
        }
        else
        {
            printf("%c", v12[v11++]);
        }
    }
    v9 = 0;
    /*
     * First 17 characters are compared against the table regardless of how
     * many were actually typed (shorter input compares uninitialised bytes).
     */
    for ( i = 0; i < 17; ++i )
    {
        if ( v12[i] != byte_415768[v10[i]] )
            v9 = 1;
    }
    /* Fixed tail "1024}" at positions 17..21. */
    if ( v12[17] != 49 || v12[18] != 48 || v12[19] != 50 || v12[20] != 52 || v12[21] != 125 )
        v9 = 1;
    v12[v11] = 0; // terminator is written only after the checks above
    printf("\r\n");
    if ( v9 )
    {
        printf("u r wrong\r\n\r\n");
        /* Restart by calling main() with locals that were never initialised here
           (v4/v5/v6) -- likely a decompiler artefact of the original call. */
        main(v4, v5, v6);
    }
    else
    {
        printf("u r right!\r\n");
    }
    system("pause");
    return 0;
}

分析一波

ok,开始提取字符

写一个脚本

# The string dumped from the binary and the index table v10 taken from main_0.
# "\\0" here is a literal backslash followed by '0' (presumably how the dump
# rendered a NUL byte); no index used below reaches that far, so it is harmless.
aSkfxeeftFGyryg = "sKfxEeft}f{gyrYgthtyhifsjei53UUrrr_t2cdsef66246087138\\0087138"
v10 = [1, 4, 14, 10, 5, 36, 23, 42, 13, 19, 28, 13, 27, 39, 48, 41, 42]
ending = "1024}"

# Pick one character of the table per index. Indices beyond the table are
# reported and skipped rather than raising IndexError.
table_len = len(aSkfxeeftFGyryg)
picked = []
for index in v10:
    if index >= table_len:
        print(f"Index {index} is out of range for the given string.")
        continue
    picked.append(aSkfxeeftFGyryg[index])

# The binary checks the last five characters literally, so append them as-is.
flag = "".join(picked) + ending
print("Possible flag:", flag)

输出

完成

3.rere000

打开题目附件,发现是python2.x的字节码

  0 LOAD_GLOBAL              0 (raw_input)3 LOAD_CONST               1 ('plz input your flag:')6 CALL_FUNCTION            19 STORE_FAST               0 (a)5          12 LOAD_CONST               2 (0)15 BUILD_LIST               118 LOAD_GLOBAL              1 (len)21 LOAD_FAST                0 (a)24 CALL_FUNCTION            127 BINARY_MULTIPLY     28 STORE_FAST               1 (b)6          31 LOAD_CONST               3 (68)34 LOAD_CONST               4 (5)37 LOAD_CONST               5 (164)40 LOAD_CONST               6 (100)43 LOAD_CONST               7 (231)46 LOAD_CONST               8 (228)49 LOAD_CONST               9 (175)52 LOAD_CONST              10 (36)55 LOAD_CONST              11 (142)58 LOAD_CONST               9 (175)61 LOAD_CONST              12 (78)64 LOAD_CONST              13 (206)67 LOAD_CONST              14 (4)70 LOAD_CONST              15 (45)73 LOAD_CONST              11 (142)76 LOAD_CONST              16 (174)79 LOAD_CONST              17 (238)82 LOAD_CONST               5 (164)85 LOAD_CONST              15 (45)88 LOAD_CONST              18 (14)91 LOAD_CONST               9 (175)94 LOAD_CONST              19 (46)97 LOAD_CONST              17 (238)100 LOAD_CONST              15 (45)103 LOAD_CONST               5 (164)106 LOAD_CONST              16 (174)109 LOAD_CONST              10 (36)112 LOAD_CONST               9 (175)115 LOAD_CONST              15 (45)118 LOAD_CONST              20 (196)121 LOAD_CONST              20 (196)124 LOAD_CONST              12 (78)127 LOAD_CONST               9 (175)130 LOAD_CONST              10 (36)133 LOAD_CONST              19 (46)136 LOAD_CONST              17 (238)139 LOAD_CONST              20 (196)142 LOAD_CONST              13 (206)145 LOAD_CONST              12 (78)148 LOAD_CONST              12 (78)151 LOAD_CONST               3 (68)154 LOAD_CONST              21 (39)157 BUILD_LIST              42160 STORE_FAST               2 (c)7         163 LOAD_GLOBAL              1 (len)166 LOAD_FAST                
0 (a)169 CALL_FUNCTION            1172 LOAD_CONST              22 (42)175 COMPARE_OP               3 (!=)178 POP_JUMP_IF_FALSE      1908         181 LOAD_CONST              23 ('wrong length')184 PRINT_ITEM          185 PRINT_NEWLINE       9         186 LOAD_CONST               2 (0)189 RETURN_VALUE        10     >>  190 SETUP_LOOP             117 (to 310)193 LOAD_GLOBAL              2 (range)196 LOAD_GLOBAL              1 (len)199 LOAD_FAST                0 (a)202 CALL_FUNCTION            1205 CALL_FUNCTION            1208 GET_ITER            >>  209 FOR_ITER                97 (to 309)212 STORE_FAST               3 (i)11         215 LOAD_GLOBAL              3 (ord)218 LOAD_FAST                0 (a)221 LOAD_FAST                3 (i)224 BINARY_SUBSCR       225 CALL_FUNCTION            1228 LOAD_CONST              24 (3)231 BINARY_RSHIFT       232 LOAD_GLOBAL              3 (ord)235 LOAD_FAST                0 (a)238 LOAD_FAST                3 (i)241 BINARY_SUBSCR       242 CALL_FUNCTION            1245 LOAD_CONST               4 (5)248 BINARY_LSHIFT       249 BINARY_XOR          250 LOAD_CONST              25 (255)253 BINARY_AND          254 LOAD_FAST                1 (b)257 LOAD_FAST                3 (i)260 STORE_SUBSCR        12         261 LOAD_FAST                1 (b)264 LOAD_FAST                3 (i)267 DUP_TOPX                 2270 BINARY_SUBSCR       271 LOAD_CONST              26 (136)274 INPLACE_XOR         275 ROT_THREE           276 STORE_SUBSCR        13         277 LOAD_FAST                1 (b)280 LOAD_FAST                3 (i)283 BINARY_SUBSCR       284 LOAD_FAST                2 (c)287 LOAD_FAST                3 (i)290 BINARY_SUBSCR       291 COMPARE_OP               3 (!=)294 POP_JUMP_IF_FALSE      20914         297 LOAD_CONST              27 ('wrong')300 PRINT_ITEM          301 PRINT_NEWLINE       15         302 LOAD_CONST               2 (0)305 RETURN_VALUE        306 JUMP_ABSOLUTE          209>>  309 POP_BLOCK           16     >>  310 LOAD_CONST  
            28 ('win')313 PRINT_ITEM          314 PRINT_NEWLINE       315 LOAD_CONST               0 (None)318 RETURN_VALUE        

然后转换一下

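def decrypt_flag(cipher=None):
    """Recover the flag from the byte list the Python 2 bytecode compares against.

    The checker computes ``((ord(ch) >> 3) ^ (ord(ch) << 5)) & 255`` for every
    input character and XORs the result with 136 before comparing it with
    ``c[i]``.  On an 8-bit value the two terms ``x >> 3`` (bits 0-4) and
    ``(x << 5) & 255`` (bits 5-7) never overlap, so the XOR is a rotate-left
    by 5.  Its inverse is a rotate-right by 5, which lets each byte be undone
    directly instead of brute-forcing all 256 candidates (both give the same
    answer because the mapping is a bijection).

    Args:
        cipher: iterable of encrypted byte values.  Defaults to the 42-entry
            list embedded in the challenge.

    Returns:
        The decrypted flag as a ``str``.
    """
    if cipher is None:
        # Constants lifted straight from the BUILD_LIST in the disassembly.
        cipher = [68, 5, 164, 100, 231, 228, 175, 36, 142, 175, 78, 206, 4, 45,
                  142, 174, 238, 164, 45, 14, 175, 46, 238, 45, 164, 174, 36,
                  175, 45, 196, 196, 78, 175, 36, 46, 238, 196, 206, 78, 78,
                  68, 39]
    out = []
    for val in cipher:
        val = (val ^ 136) & 255                 # undo the trailing XOR first
        plain = ((val >> 5) | (val << 3)) & 255  # rotate-right 5 == inverse of rotate-left 5
        out.append(chr(plain))
    return "".join(out)


if __name__ == "__main__":
    flag = decrypt_flag()
    print("解密后的flag是:", flag)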

输出一下。解密逻辑就是对加密后的数组逐字节逆向暴力破解,才能得出正确答案

flag{c9e0962d-013a-4953-a1e9-bb69e53b266f}

4.神奇的小按钮(题目有点小问题)

查壳发现无壳,进入ida64中查看字符串

分析可知

那么对flag[15:]逐字符与7异或后提交

写个脚本

encrypted = 'KEYmd57e0cad17016b0>?45?f7c>0>4a>1c3a0'
# The first 15 characters are left untouched; everything after them was
# XORed with 7 by the program, and XORing with the same key undoes it.
head, tail = encrypted[:15], encrypted[15:]
result = head + "".join(chr(ord(ch) ^ 7) for ch in tail)
print(result)

输出

KEYmd57e0cad17061e798328a0d9793f96d4f7

然后提交即可
