[SHCTF 2023 校外赛道] reverse

week1

ez_asm

想不到第1题是个汇编,咱也不知道拿啥能弄成c,不过这题也不难,直接能看懂,关键部分。

取出异或0x1e然后保存,再取出-0xa再保存。

.text:0000000000401566                               loc_401566:                             ; CODE XREF: main+65↓j
.text:0000000000401566 8B 45 FC                      mov     eax, [rbp+var_4]         计数器 指针
.text:0000000000401569 48 98                         cdqe
.text:000000000040156B 48 8D 15 AE 1A 00 00          lea     rdx, flag                       
.text:0000000000401572 0F B6 04 10                   movzx   eax, byte ptr [rax+rdx]  取出1个
.text:0000000000401576 83 F0 1E                      xor     eax, 1Eh                 xor 1e
.text:0000000000401579 89 C1                         mov     ecx, eax
.text:000000000040157B 8B 45 FC                      mov     eax, [rbp+var_4]
.text:000000000040157E 48 98                         cdqe
.text:0000000000401580 48 8D 15 99 1A 00 00          lea     rdx, flag                      
.text:0000000000401587 88 0C 10                      mov     [rax+rdx], cl            保存
.text:000000000040158A 8B 45 FC                      mov     eax, [rbp+var_4]
.text:000000000040158D 48 98                         cdqe
.text:000000000040158F 48 8D 15 8A 1A 00 00          lea     rdx, flag                      
.text:0000000000401596 0F B6 04 10                   movzx   eax, byte ptr [rax+rdx]  再取出1个
.text:000000000040159A 83 E8 0A                      sub     eax, 0Ah                 -a 
.text:000000000040159D 89 C1                         mov     ecx, eax
.text:000000000040159F 8B 45 FC                      mov     eax, [rbp+var_4]
.text:00000000004015A2 48 98                         cdqe
.text:00000000004015A4 48 8D 15 75 1A 00 00          lea     rdx, flag                      
.text:00000000004015AB 88 0C 10                      mov     [rax+rdx], cl            保存
.text:00000000004015AE FF 45 FC                      inc     [rbp+var_4]
>>> a = 'nhuo[M`7mc7uhc$7midgbTf`7`$7%#ubf7 ci5Y'
>>> bytes([ (i+0xa)^0x1e for i in a.encode()])
b'flag{It_is_als0_impor@nt_t0_13arn_4sm!}'

easy_re

IDA打开,逻辑很简单,高低位互换

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char Str[52]; // [rsp+20h] [rbp-40h] BYREF
  int v5; // [rsp+54h] [rbp-Ch]
  int j; // [rsp+58h] [rbp-8h]
  int i; // [rsp+5Ch] [rbp-4h]

  _main();
  printf("Input your flag:");
  scanf("%s", Str);
  v5 = strlen(Str);
  for ( i = 0; i < v5; ++i )
    Str[i] = (Str[i] >> 4) | (16 * Str[i]);
  for ( j = 0; j < v5; ++j )
  {
    if ( Str[j] != des[j] )
    {
      printf("Wrong!");
      exit(0);
    }
  }
  printf("Right!");
  return 0;
}

>>> a = '66C61676B7452797F54703F53703C66733F5478656F52696E6162797F507270326C633D6D7'
>>> bytes([int(a[i:i+2][::-1],16) for i in range(0, len(a),2)])
b'flag{Try_t0_s0lv3_the_binary_pr0bl3m}'

 

seed

10字节随机数的key异或

  printf("Input your flag:");
  scanf("%s", v6);
  srand(seed);
  for ( i = 0; i <= 9; ++i )
  {
    v3 = rand() % 255;
    v5[i] = v3;
  }
  for ( j = 0; j <= 44; ++j )
    *((_BYTE *)v6 + j) ^= v5[j % 10];
  for ( k = 0; k <= 44; ++k )
  {
    if ( *((unsigned __int8 *)v6 + k) != des[k] )
    {
      printf("Wrong!");
      exit(0);
    }
  }
  printf("Right!");

用flag{头可以出来5个,后边的就只能一个个试,看着合适再试下一个

a = bytes.fromhex('402928E9C204A4ED9F535F753CD1CD2BA8C48969152116EFD72792DFCA535F2A3CD1CE03A3EFA578161A2DE1C4')
from pwn import xor

flag = b'flag{Give_'
key = xor(flag, a[:len(flag)])

for i in range(256):
    tkey = key + bytes([i])
    m = xor(tkey.ljust(10, b'\x00'),a)
    if all([0x20<=m[v]<=0x7e for v in range(len(flag),len(a),10)]):
        print(i, m)

#flag{Give_y0u_the_se3d_and_D0_you_w@nt_t0_do}

 

signin

这才是签到,跳过

ez_math

代码是公式,这种很常见,用z3

print("Please input flag:")
flag = input()
if len(flag)!=42:
	print("Check your length!")
	exit()

l=[]
for i in range(6):  #7字符1段,分6段
	s=""
	for j in flag[i*7:i*7+7]:
		s+=hex(ord(j))[2:]
	l.append(int(s,16))
if (
(593*l[0] + 997*l[1] + 811*l[2] + 258*l[3] + 829*l[4] + 532*l[5])== 0x5b8e0aef71d34ff43 and \
(605*l[0] + 686*l[1] + 328*l[2] + 602*l[3] + 695*l[4] + 576*l[5])== 0x551a262360964ef7f and \
(373*l[0] + 512*l[1] + 449*l[2] + 756*l[3] + 448*l[4] + 580*l[5])== 0x49d158a5657d6931c and \
(560*l[0] + 635*l[1] + 422*l[2] + 971*l[3] + 855*l[4] + 597*l[5])== 0x625568d5abbabf4f3 and \
(717*l[0] + 507*l[1] + 388*l[2] + 925*l[3] + 324*l[4] + 524*l[5])== 0x50ee0c025e70e3c23 and \
(312*l[0] + 368*l[1] + 884*l[2] + 518*l[3] + 495*l[4] + 414*l[5])== 0x40e735f8aa2815f65):
	print("Good job!")
else:
	print("Wrong\nTry again!!!")
	exit()
from z3 import *

l = [Int(f'l_{i}') for i in range(6)]
s = Solver()
s.add((593*l[0] + 997*l[1] + 811*l[2] + 258*l[3] + 829*l[4] + 532*l[5])== 0x5b8e0aef71d34ff43)
s.add((605*l[0] + 686*l[1] + 328*l[2] + 602*l[3] + 695*l[4] + 576*l[5])== 0x551a262360964ef7f)
s.add((373*l[0] + 512*l[1] + 449*l[2] + 756*l[3] + 448*l[4] + 580*l[5])== 0x49d158a5657d6931c)
s.add((560*l[0] + 635*l[1] + 422*l[2] + 971*l[3] + 855*l[4] + 597*l[5])== 0x625568d5abbabf4f3)
s.add((717*l[0] + 507*l[1] + 388*l[2] + 925*l[3] + 324*l[4] + 524*l[5])== 0x50ee0c025e70e3c23)
s.add((312*l[0] + 368*l[1] + 884*l[2] + 518*l[3] + 495*l[4] + 414*l[5])== 0x40e735f8aa2815f65)

s.check()
d = s.model()

flag = b''
for i in l:
    flag+=long_to_bytes(d[i].as_long())

#flag{N0_One_kn0ws_m@th_B3tter_Th@n_me!!!!}

 

ez_apk

jadx打开是base58变表,密文和码表不在layout目录里,发现外部有多个dex文件,打开class3.dex找到码表和密文

从classes3.dex找到密文和码表,base58变表解密
enc ='5TAYhycAPT1aAd535TGdWYQ8CvfoRjErGEreqhDpqv1LydTqd3mxuK2hhUp9Pws3u9mq6eX'
code1 = '9LfnoVpi1HrzBSKxhNFeyY745R2g3QmqsTCZJuDvcMdkE8wPGbUXajtAW6'
#flag{Jue_1_ju3_Y0ung_and_G0at_1s_go0d_for_yOuR_body}

week2

签到题?

在堆数字128运算后XXX后边不详,先动调得到这些数据

[SHCTF 2023 校外赛道] reverse_第1张图片

[SHCTF 2023 校外赛道] reverse_第2张图片

可以看到右下角栈里的Arglist的数据,显然是可显示的字符,导出后得到,显示base64

ZmxhZ3thMTBlN2NjYy1iODAyLWUzZWItYzg1OWE3LTMwOTQwZTIyNmR9 

not gcc 未完成

pycode

给的python字节码,一点点手搓。看明白了再反一下就行

import base64 

flag = '....'
value = ''
output = ''

#24
for i in range(1000):
    w = 1024
    x = w%3
    y = w//9
    x = x*y
    w -= z     

#94
for i in range(10000):
    w = 20 
    x = w%6 
    y = w//3 
    z = x*y 
    w += z 

#166
for i in range(1000):
    w = 1024
    x = w%3 
    y = w//9 
    x = x*y 
    w -= z 

#238
for i in range(10000):
    w = 20 
    x = w%6 
    y = w//3 
    z = x*y
    w += z 

#310
for i in range(len(flag)):
    temp = flag[i]
    temp = chr(ord(temp)^8)    
    value += temp

for i in range(len(flag)):
    temp = value[i]
    temp = chr(ord(temp)+3)
    output += temp 

obfuscated_output = base64.b64encode(output.decode())
obfuscated_output = obfuscated_output[::-1]
obfuscated_output = obfuscated_output.replace('0','t')
obfuscated_output = obfuscated_output.replace('c','4')
obfuscated_output = obfuscated_output.replace('+','-')
print(obfuscated_output)

#------------------------------------------------------------
from itertools import product 
from base64 import * 

enc = '==AeAF3M-tzO-giQ-AUQosDQ9tGK7MDPuhC47tDNB5Tb8Yn4sdW4'
enc = enc[::-1].replace('-','+')
a = [('0','t') if v=='t' else ('c','4') if v=='4' else (v) for v in enc]


for k in product(*a):
    try:
        #print(''.join(k))
        b = b64decode(''.join(k).encode())
        #print(b)
        c =bytes([(i-3)^8 for i in b])
        print(c)
    except:
        pass 
        
b'flag{1b36920e-c180-b250-6537-30238f5}'

run!润

从关键代码可以看出有左右上下和上下层,是个三维迷宫,先得到数据

[SHCTF 2023 校外赛道] reverse_第3张图片

数据在这

[SHCTF 2023 校外赛道] reverse_第4张图片 

取出来打印出来看,然后手搓

from pwn import u32 

#每层map 2*32位 8层从上到下
#在memset下断点,动调得到正确的map数据
dat = open('run.dat', 'rb').read()
print(dat.hex())
dat = ''.join([bin(u32(dat[i:i+4]))[2:].zfill(32) for i in range(0, len(dat), 4)])

for i in range(0, len(dat),8):
    if i%64==0: print()
    print(dat[i:i+8])

从后向前走每步编上号,然后从前向后得到串 

j10srqpo
i1111111
hgfe1111
111d1111
111c1111
11111111
11111111
11111111

111t111n
11111111
11111111
11111111
111b1111
11111111
11111111
11111111

111u111m
1111111l
11111ijk
11111111
111a1111
11111111
11111111
11111111

111v1111
111w1111
111x1h11
111y1111
111z1111
11111111
11111111
11111111

11111111
11111111
11111g11
11111111
11111111
11111111
vutsrqpo
11111111

11111111
11111111
abcdef11
z1111111
y1111111
x1111111
w111111n
11111111

11111111
11111111
11111111
11111hij
11111g1k
1111111l
1111111m
11111111

11111111
11111111
11111111
11111111
11111f11
11111e11
11111d11
11111cba

 输入串运行得到flag

C:\2023_ctf\2023_SHCTF\week2_r>run.exe
This is a easy puzzle.
Input your route:
ssdddssuuuwwwwqqqdddduussaauuuaaaaassssqddddddduuwwwaasusssdd
Right!Here are you flag:flag{7a30a122cbf428239147d86fcb3a2a37}

 

Authur's box

[SHCTF 2023 校外赛道] reverse_第5张图片

初始化S和K

[SHCTF 2023 校外赛道] reverse_第6张图片 

S加K交换,很符合RC4加密

[SHCTF 2023 校外赛道] reverse_第7张图片

从汇编里找到对应的k

[SHCTF 2023 校外赛道] reverse_第8张图片 

解密,后部加了异或的RC4


s = [i for i in range(256)]
k = (b'h3rE1Sy0UkEy'*30)[:256]
v3 = 0
for i in range(256):
    v3 = (s[i]+v3+k[i])%256
    s[i],s[v3] = s[v3],s[i]

v6 = 0
v7 = 0
#byte_408A80
ekey = [0]*42
for i in range(42):
    v6 = (v6+1)%256 
    v7 = (v7 + s[v6])%256 
    s[v6],s[v7] = s[v7],s[v6]
    ekey[i] = s[(s[v6]+s[v7])%256]^0x22

str2 = bytes.fromhex('3894E7FE4C620212054AFD714D13EC165437909BD9E9D2EDED5AD4D815596C3DB1DA43CB5A7396F996B7')
from pwn import xor 
print(xor(str2, bytes(ekey)))

 

week3

java是最棒的语言吗

chacha20加密

public class ChaCha20 {
    public static void main(String[] strArr) {
        Scanner scanner = new Scanner(System.in);
        System.out.println("input your flag:");
        String nextLine = scanner.nextLine();
        if (Arrays.equals(encrypt(nextLine.getBytes(StandardCharsets.UTF_8), "Shctf_Welcomes_Have_4_good_t1me_".getBytes(), "HsehrcOedfgs".getBytes()), hexStringToBytes("ce43283af73d106815fe5293b474f5309d44063c7fde19533300c60603dfe528d19aee2f6db615191e45"))) {
            System.out.println("right!");
        } else {
            System.out.println("error!");
        }
    }

    private static byte[] encrypt(byte[] bArr, byte[] bArr2, byte[] bArr3) {
        int[] chachaInit = chachaInit(bArr2, bArr3);
        byte[] bArr4 = new byte[bArr.length];
        byte[] bArr5 = new byte[64];
        for (int i = 0; i < bArr.length; i += 64) {
            chachaBlock(chachaInit, bArr5);
            for (int i2 = 0; i2 < 64 && i + i2 < bArr.length; i2++) {
                bArr4[i + i2] = (byte) (bArr[i + i2] ^ bArr5[i2]);
            }
            chachaInit[12] = chachaInit[12] + 1;
        }
        return bArr4;
    }

    private static int[] chachaInit(byte[] bArr, byte[] bArr2) {
        int[] iArr = new int[16];
        iArr[0] = 1634760805;
        iArr[1] = 857760878;
        iArr[2] = 2036477234;
        iArr[3] = 1797285236;
        for (int i = 0; i < 8; i++) {
            iArr[4 + i] = bytesToIntLittleEndian(bArr, i * 4);
        }
        iArr[12] = 0;
        iArr[13] = 0;
        iArr[14] = bytesToIntLittleEndian(bArr2, 0);
        iArr[15] = bytesToIntLittleEndian(bArr2, 4);
        return iArr;
    }

    private static void chachaBlock(int[] iArr, byte[] bArr) {
        int[] copyOf = Arrays.copyOf(iArr, 16);
        for (int i = 0; i < 10; i++) {
            chachaDoubleRound(copyOf);
        }
        for (int i2 = 0; i2 < 16; i2++) {
            intToBytesLittleEndian(iArr[i2] + copyOf[i2], bArr, i2 * 4);
        }
    }

    private static void chachaDoubleRound(int[] iArr) {
        quarterRound(iArr, 0, 4, 8, 12);
        quarterRound(iArr, 1, 5, 9, 13);
        quarterRound(iArr, 2, 6, 10, 14);
        quarterRound(iArr, 3, 7, 11, 15);
        quarterRound(iArr, 0, 5, 10, 15);
        quarterRound(iArr, 1, 6, 11, 12);
        quarterRound(iArr, 2, 7, 8, 13);
        quarterRound(iArr, 3, 4, 9, 14);
    }

    private static void quarterRound(int[] iArr, int i, int i2, int i3, int i4) {
        iArr[i] = iArr[i] + iArr[i2];
        iArr[i4] = rotateLeft(iArr[i4] ^ iArr[i], 16);
        iArr[i3] = iArr[i3] + iArr[i4];
        iArr[i2] = rotateLeft(iArr[i2] ^ iArr[i3], 12);
        iArr[i] = iArr[i] + iArr[i2];
        iArr[i4] = rotateLeft(iArr[i4] ^ iArr[i], 8);
        iArr[i3] = iArr[i3] + iArr[i4];
        iArr[i2] = rotateLeft(iArr[i2] ^ iArr[i3], 7);
    }

    private static int rotateLeft(int i, int i2) {
        return (i << i2) | (i >>> (32 - i2));
    }

    private static int bytesToIntLittleEndian(byte[] bArr, int i) {
        return ((bArr[i + 3] & 255) << 24) | ((bArr[i + 2] & 255) << 16) | ((bArr[i + 1] & 255) << 8) | (bArr[i] & 255);
    }

    private static void intToBytesLittleEndian(int i, byte[] bArr, int i2) {
        bArr[i2] = (byte) (i & 255);
        bArr[i2 + 1] = (byte) ((i >>> 8) & 255);
        bArr[i2 + 2] = (byte) ((i >>> 16) & 255);
        bArr[i2 + 3] = (byte) ((i >>> 24) & 255);
    }

    private static byte[] hexStringToBytes(String str) {
        int length = str.length();
        byte[] bArr = new byte[length / 2];
        for (int i = 0; i < length; i += 2) {
            bArr[i / 2] = (byte) ((Character.digit(str.charAt(i), 16) << 4) + Character.digit(str.charAt(i + 1), 16));
        }
        return bArr;
    }

    private static String bytesToHexString(byte[] bArr) {
        StringBuilder sb = new StringBuilder();
        int length = bArr.length;
        for (int i = 0; i < length; i++) {
            sb.append(String.format("%02x", Byte.valueOf(bArr[i])));
        }
        return sb.toString();
    }
}

key和密文会给了。这种解释性的语言似乎没有多少隐私。 

k1 = "Shctf_Welcomes_Have_4_good_t1me_"
k2 = "HsehrcOedfgs"
enc = bytes.fromhex("ce43283af73d106815fe5293b474f5309d44063c7fde19533300c60603dfe528d19aee2f6db615191e45")

def encrypt(m,k1,k2):
    chacha = chachainit(k1,k2)
    a4 = [0]*len(m)
    a5 = [0]*64
    for i in range(0, len(m),64):
        block(chacha, b5)
        for i2 in range(64):
            if i2>=len(m): break 
            a4[i+i2] = m[i+i2]^a5[i2]
        chacha[12] += 1 
    return a4 

def chachainit(k1,k2):
    a = [0]*16
    a[0] = 1634760805
    a[1] = 857760878
    a[2] = 2036477234
    a[3] = 1797285236
    for i in range(8):
        a[i+4] = u32(p32(a[i])[::-1])
    a[14] = u32(k2[:4]);
    a[15] = u32(k2[4:]);
    return a

 

ststst

带SMC的程序,先按原程序patch再反编译

[SHCTF 2023 校外赛道] reverse_第9张图片

[SHCTF 2023 校外赛道] reverse_第10张图片 

 

msg = open('ststst','rb').read()
a = msg[:0x696]+bytes([i^0xc3 for i in msg[0x696:0x763]])+ msg[0x763:]
open('st2','wb').write(a)

打开新生成的文件,发现是个tea加密

 RC4和tea是逆向最爱用的,tea可以随便写左右加key,可以保证每次都不一样

__int64 __fastcall main(int a1, char **a2, char **a3)
{
  int i; // [rsp+4h] [rbp-3Ch]
  _QWORD s1[6]; // [rsp+10h] [rbp-30h] BYREF

  s1[5] = __readfsqword(0x28u);
  puts("plz input u fl4g:");
  __isoc99_scanf("%32s", s1);
  sub_400763();
  for ( i = 0; i <= 3; ++i )
    sub_400696(&s1[i], &unk_601080);
  if ( !memcmp(s1, &unk_6010A0, 0x20uLL) )
    puts("yeh~");
  else
    puts("oh,no");
  return 0LL;
}

__int64 __fastcall sub_400696(unsigned int *a1, _DWORD *a2)
{
  __int64 result; // rax
  unsigned int v3; // [rsp+10h] [rbp-10h]
  unsigned int v4; // [rsp+14h] [rbp-Ch]
  int v5; // [rsp+18h] [rbp-8h]
  unsigned int i; // [rsp+1Ch] [rbp-4h]

  v3 = *a1;
  v4 = a1[1];
  v5 = 0;
  for ( i = 0; i <= 0x1F; ++i )
  {
    v5 -= 1640531527;
    v3 += (v4 + v5) ^ (16 * v4 + *a2) ^ ((v4 >> 5) + a2[1]);
    v4 += (v3 + v5) ^ (16 * v3 + a2[2]) ^ ((v3 >> 5) + a2[3]);
  }
  *a1 = v3;
  result = v4;
  a1[1] = v4;
  return result;
}
from pwn import u32,p32
from ctypes import *
'''
  for ( i = 0; i <= 0x1F; ++i )
  {
    v5 -= 1640531527;
    v3 += (v4 + v5) ^ (16 * v4 + *a2) ^ ((v4 >> 5) + a2[1]);
    v4 += (v3 + v5) ^ (16 * v3 + a2[2]) ^ ((v3 >> 5) + a2[3]);
  }
'''
def decrypt(v,k):
    v0 = c_uint32(v[0])
    v1 = c_uint32(v[1])
    delta = 0x9e3779b9
    sum1 = c_uint32((delta) * 32)
    for i in range(32):       
        v1.value -= (sum1.value + v0.value) ^ (k[2] + (v0.value << 4)) ^ (k[3] + (v0.value >> 5))
        v0.value -= (sum1.value + v1.value) ^ (k[0] + (v1.value << 4)) ^ (k[1] + (v1.value >> 5))
        sum1.value -= delta       
    return p32(v0.value) + p32(v1.value)

key = [0x1234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210]
enc = bytes.fromhex('69258FDBE383CD4080E633A044A6F7FF173A0C6966B821B6A7E2E73492A610AD')
enc = [u32(enc[i:i+4]) for i in range(0,32,4)]

msg = [decrypt(enc[2*i: 2*i+2], key) for i in range(4)]
print(msg)
print(b''.join(msg))
#5ef846656801c9b9714388d2ccd98cdd

 

easyre

把串异或后再当成python运行,这个值爆破得到23

import base64
import marshal
import sympy as sp
encoded_data = b'#`VVVVVVVVVVVVVVVVVVVVVSVVVVFVVVV_YZVVVVMVU|VNFV@pU|V{xUMVYvVzBSMVDSVFRVMFDSV\\VQMV@\x7fVAxPMFU{V@BPp`]vU%B_MF]eVy]VMFY|UxZUVFUbTPBSMVrSVFRVMV\x7fCVT|]N`^VVVVVVVVVVVVVVVpVVVVPVVVVF`VVV_GFVVVVsVU\'V@FUp`PSVO\'TMV].V$FUMVPSVBFVOC".U_`SqV]/UU|VQ`U/V_`RsV]/V^ZUQpVMVUtVMVR@V_\'SqV]/Vo|VqV]/UU|VVpU/Vy`RGVU/Vy`SGVUoPPFTUVU.U_\'SsVXSV_\'QqVQRVQ&pqFM/UPFSQ`U|VENVqFE/V$`TqVFMVUtVMVR@V_\'SqV]/Vo|VqV]/UU|VVpU/Vy`RGVU/Vy`SGVU/Vy`TqVFMV_`TqVZMVUtVMVR@VU|VqFs/UvVRqVM/U\'RVxFRUV_QfqVACVT|RCb|VVFVV!FVVVVSgVFVVVT|Q%pEdvOY\'%pAnN@"yMsxSuPAb%p{~rOE{NO]nNOyvUzQ`tPAbMT|^%pYeMO{vTOUdN@{bsPA#sYxUB.xUvcxUvAx\\N%{`vPAnsPA#sYxRN%\x7f\x7ftcxUv!|Vtp/VVVS!UzM&u~"`rsx[tzZ\'O%AbN$]"t_FUVVVVto`VVVVVVF`UUV^ZVDVU_V^^VFNTTVRZVEVUPpRNVEVTt\x7fRVVVUmT`VVVPA#N@&`uPAqv%A"tnxVVVSN{U!ez%M\'!&&VP ez!UZmA.\'X"g^\'/NUcvXd.TPRTTD!&UB\\`dT.R}Q{!QQUdr~UguyU&sTU"u$An^PMdN@t!rpA&sPNcXQxSr@Am@p]bu\'#gT_^EVVVVtp|VVVUvU@YxM@Ye%pA`tz{bsYxQv@"`sOCvUzAbN%.|MsxRMzo\x7fM&x]M@"}ty{`sPA|tp/VVVUnS`VVV_^GVVVVt\x7fVVVVSvTSocu%E&uPB

转出再反编译 

encoded_data = b'#`VVVVVVVVVVVVVVVVVVVVVSVVVVFVVVV_YZVVVVMVU|VNFV@pU|V{xUMVYvVzBSMVDSVFRVMFDSV\\VQMV@\x7fVAxPMFU{V@BPp`]vU%B_MF]eVy]VMFY|UxZUVFUbTPBSMVrSVFRVMV\x7fCVT|]N`^VVVVVVVVVVVVVVVpVVVVPVVVVF`VVV_GFVVVVsVU\'V@FUp`PSVO\'TMV].V$FUMVPSVBFVOC".U_`SqV]/UU|VQ`U/V_`RsV]/V^ZUQpVMVUtVMVR@V_\'SqV]/Vo|VqV]/UU|VVpU/Vy`RGVU/Vy`SGVUoPPFTUVU.U_\'SsVXSV_\'QqVQRVQ&pqFM/UPFSQ`U|VENVqFE/V$`TqVFMVUtVMVR@V_\'SqV]/Vo|VqV]/UU|VVpU/Vy`RGVU/Vy`SGVU/Vy`TqVFMV_`TqVZMVUtVMVR@VU|VqFs/UvVRqVM/U\'RVxFRUV_QfqVACVT|RCb|VVFVV!FVVVVSgVFVVVT|Q%pEdvOY\'%pAnN@"yMsxSuPAb%p{~rOE{NO]nNOyvUzQ`tPAbMT|^%pYeMO{vTOUdN@{bsPA#sYxUB.xUvcxUvAx\\N%{`vPAnsPA#sYxRN%\x7f\x7ftcxUv!|Vtp/VVVS!UzM&u~"`rsx[tzZ\'O%AbN$]"t_FUVVVVto`VVVVVVF`UUV^ZVDVU_V^^VFNTTVRZVEVUPpRNVEVTt\x7fRVVVUmT`VVVPA#N@&`uPAqv%A"tnxVVVSN{U!ez%M\'!&&VP ez!UZmA.\'X"g^\'/NUcvXd.TPRTTD!&UB\\`dT.R}Q{!QQUdr~UguyU&sTU"u$An^PMdN@t!rpA&sPNcXQxSr@Am@p]bu\'#gT_^EVVVVtp|VVVUvU@YxM@Ye%pA`tz{bsYxQv@"`sOCvUzAbN%.|MsxRMzo\x7fM&x]M@"}ty{`sPA|tp/VVVUnS`VVV_^GVVVVt\x7fVVVVSvTSocu%E&uPB

 又是个rc4

def rc4_encrypt(key, plaintext):
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i],S[j] = S[j],S[i]
    i = j = 0
    ciphertext = []
    for char in plaintext:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i],S[j] = S[j],S[i]
        k = S[(S[i] + S[j]) % 256]
        ciphertext.append(char ^ k)
    print(bytes(ciphertext))

key = b'example_key'
check = b'\xd8\x94\x1e\xab\x9bft\xeb]@\x1b\xba\xe6\xe8\x133W\xdd\x0e\xe6\x924\xf1\x80mh\xeb=\x08a\x02\t.\xb5\x05B\xb0\xb0/D\x8cY'
rc4_encrypt(key, check)

喵喵喵

分别从汇编得到密文和反编译里得到大概的key

[SHCTF 2023 校外赛道] reverse_第11张图片

[SHCTF 2023 校外赛道] reverse_第12张图片 

这是AES+base64只是key和iv未知,大概是上边这个串。用go_parser翻过来的程序参数基本看不出来,看汇编这块可以知道key是023_S0_e4sy_m1ao 然后用解密后的明文异或一下flag{得到iv(这个串的前边16字节:SHCTF_2023_S0_e4)

 网站上解密:flag{GO1an6_REAl1Y_eaSy_10R_D3V3lop_aND_quIckIY_RuN_65601185ae5b}

crackme

lua的字节码,与python,java类似,用unluac.jar解包,这个效果非常不错。

print("please input your flag:")
flag = io.read()
code = {}
secret = {
  54,57,566,532,1014,1,7,508,10,12,498,494,6,24,14,20,489,492,0,10,490,498,517,539,21,528,517,530,543,9,13,0,4,51,562,518,526,7,9,12,5,3,513,575,514,6,519,513,556,31,1,594,117,15
}
l = string.len(flag)
-- 序号从1开始
for i = 1, l do
  num = ((string.byte(flag, i) + i) % 333 + 444) % 555 - 1
  table.insert(code, num)
end
for i = 1, l do
  x = i - 1
  if i + 2 >= l then
    code[i] = code[i % l + 1] ~ code[(i + 1) % l + 1]
  else
    code[i] = code[(i + 1) % l] ~ code[(i + 2) % l]
  end
end
for i = 1, l do
  if secret[i] ~= code[i] then
    print("Incorrect")
    return
  end
end
print("You win,flag is", flag)

lua的数组0是基本不用的,这给反编译带来很大麻烦,已经习惯了从0开始,以后如果出中文的会更更更不方便。

enc = [54,57,566,532,1014,1,7,508,10,12,498,494,6,24,14,20,489,492,0,10,490,498,517,539,21,528,517,530,543,9,13,0,4,51,562,518,526,7,9,12,5,3,513,575,514,6,519,513,556,31,1,594,117,15]
flag = [546,553,543,550,16]+[0]*len(enc)
for i in range(2, len(enc)):
    flag[i] = flag[i-1]^enc[i-2]

for i in range(1,len(enc)+1):
    for j in range(0x20,0x7f):
        if ((j+i)%333+444)%555-1 == flag[i-1]:
            print(chr(j), end= '')
            break 
#flag{C000ngr4tulat1ons!Y0u_Cr4cked_m3_991468a8de6a!!!}

你可能感兴趣的:(java,前端,javascript)