[SHCTF-校外赛道]61名

REVERSE

[WEEK1]ez_asm
enc = "nhuo[M`7mc7uhc$7midgbTf`7`$7%#ubf7 ci5Y"
for i in range(len(enc)):
    print(chr((ord(enc[i]) + 0xa) ^ 0x1e), end='')

[WEEK1]easy_re
enc = [0x66, 0xC6, 0x16, 0x76, 0xB7, 0x45, 0x27, 0x97, 0xF5, 0x47,
       0x03, 0xF5, 0x37, 0x03, 0xC6, 0x67, 0x33, 0xF5, 0x47, 0x86,
       0x56, 0xF5, 0x26, 0x96, 0xE6, 0x16, 0x27, 0x97, 0xF5, 0x07,
       0x27, 0x03, 0x26, 0xC6, 0x33, 0xD6, 0xD7, 0x00, 0x00, 0x00,
       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
       0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
       0x00, 0x00, 0x00, 0x00]
for i in range(len(enc)):
    temp = (bin(enc[i])[2:].zfill(8))
    flag = temp[4:] + temp[:4]
    print(chr(int(flag, 2)), end='')

[WEEK1]seed
#include
#include
int main()
{
    int enc[] = { 64,
        41,
        40,
        233,
        194,
        4,
        164,
        237,
        159,
        83,
        95,
        117,
        60,
        209,
        205,
        43,
        168,
        196,
        137,
        105,
        21,
        33,
        22,
        239,
        215,
        39,
        146,
        223,
        202,
        83,
        95,
        42,
        60,
        209,
        206,
        3,
        163,
        239,
        165,
        120,
        22,
        26,
        45,
        225,
        196, };
    int key[10];
    for (int j = 0; j < 11; j++)
    {
        srand(j);
        for (int i = 0; i < 10; i++)
        {
            key[i] = rand() % 255;
        }
        for (int k = 0; k < 45; k++)
        {
            printf("%c", enc[k] ^ key[k % 10]);
        }
    }
}
[WEEK1]signin
import re

# 定义需要处理的汇编指令
s = """
mov     [rbp+var_20], 66h ; 'f'
mov     [rbp+var_1F], 6Ch ; 'l'
mov     [rbp+var_1E], 61h ; 'a'
mov     [rbp+var_1D], 67h ; 'g'
mov     [rbp+var_1C], 7Bh ; '{'
mov     [rbp+var_1B], 66h ; 'f'
mov     [rbp+var_1A], 6Ch ; 'l'
mov     [rbp+var_19], 61h ; 'a'
mov     [rbp+var_18], 67h ; 'g'
mov     [rbp+var_17], 31h ; '1'
mov     [rbp+var_16], 73h ; 's'
mov     [rbp+var_15], 69h ; 'i'
mov     [rbp+var_14], 6Eh ; 'n'
mov     [rbp+var_13], 61h ; 'a'
mov     [rbp+var_12], 72h ; 'r'
mov     [rbp+var_11], 72h ; 'r'
mov     [rbp+var_10], 61h ; 'a'
mov     [rbp+var_F], 79h ; 'y'
mov     [rbp+var_E], 7Dh ; '}'
"""
# 使用正则表达式提取每行逗号和字符h之间的数据
pattern = r',\s*(\S+)h'
# 从字符串 s 中查找所有满足正则表达式模式 pattern 的匹配结果
# 并以列表形式返回这些匹配结果中的所有非重叠子字符串
data_list = re.findall(pattern, s)
print(data_list)
# 在每个列表元素前面加字符串0x
data_list = ['0x' + x for x in data_list]
print(data_list)
# int(j, 16) 将每个 '0x数字' 的字符串转化为整数
data_list = [int(j, 16) for j in data_list]
print(data_list)
print(''.join(chr(j) for j in data_list))

[WEEK1]easy_math
from z3 import *

l = [(Int("n[%d]" % i), 32) for i in range(6)]
s = Solver()
s.append(593 * l[0][0] + 997 * l[1][0] + 811 * l[2][0] + 258 * l[3][0] + 829 * l[4][0] + 532 * l[5][
    0] == 0x5b8e0aef71d34ff43,
         605 * l[0][0] + 686 * l[1][0] + 328 * l[2][0] + 602 * l[3][0] + 695 * l[4][0] + 576 * l[5][
             0] == 0x551a262360964ef7f,
         373 * l[0][0] + 512 * l[1][0] + 449 * l[2][0] + 756 * l[3][0] + 448 * l[4][0] + 580 * l[5][
             0] == 0x49d158a5657d6931c,
         560 * l[0][0] + 635 * l[1][0] + 422 * l[2][0] + 971 * l[3][0] + 855 * l[4][0] + 597 * l[5][
             0] == 0x625568d5abbabf4f3,
         717 * l[0][0] + 507 * l[1][0] + 388 * l[2][0] + 925 * l[3][0] + 324 * l[4][0] + 524 * l[5][
             0] == 0x50ee0c025e70e3c23,
         312 * l[0][0] + 368 * l[1][0] + 884 * l[2][0] + 518 * l[3][0] + 495 * l[4][0] + 414 * l[5][
             0] == 0x40e735f8aa2815f65)
if s.check() == sat:
    s = s.model()
    print(s)
n = [0] * 6
n[2] = 13642136288051316
n[3] = 29378135513658469
n[5] = 30791965425607037
n[0] = 28829613228248624
n[4] = 32192963475959391
n[1] = 26827458353261422
s = []
for i in range(len(n)):
    s.append(n[i].to_bytes(7, byteorder='big'))
print(b''.join(s))

[WEEK1]ez_apk

[SHCTF-校外赛道]61名_第1张图片

[WEEK2]pycode
import base64

flag = '*******************'
value = ''
output = ''

for i in range(1000):
    w = 1024
    x = w % 3
    y = w // 9
    z = x * y
    w -= z

for i in range(10000):
    w = 20
    x = w % 6
    y = w // 3
    z = x * y
    w += z

for i in range(1000):
    w = 1024
    x = w % 3
    y = w // 9
    z = x * y
    w -= z

for i in range(10000):
    w = 20
    x = w % 6
    y = w // 3
    z = x * y
    w += z

for i in range(len(flag)):
    temp = ord(flag[i]) ^ 8
    value += chr(temp)

for i in range(len(value)):
    temp = ord(value[i]) + 3
    output += chr(temp)

obfuscated_output = base64.b64encode(output.encode()).decode()[:-1]
obfuscated_output = obfuscated_output.replace("0", "t").replace("c", "4").replace("+", "-")

print(obfuscated_output)

EXP

import base64

enc = '==AeAF3M-tzO-giQ-AUQosDQ9tGK7MDPuhC47tDNB5Tb8Yn4sdW4'.replace('-', '+').replace('4', 'c').replace('t', '0')
enc = base64.b64decode(enc.encode()[::-1]).decode()
print(enc)
for i in range(len(enc)):
    print(chr((ord(enc[i]) - 3) ^ 8), end='')

[WEEK2]Authur’s_box

动调,输入42位数,修改跳转,得到key

enc = [0xA8, 0xD4, 0x55, 0xAD, 0x89, 0xFA, 0xDE, 0x97, 0xCF, 0xBC,
       0xE4, 0x5B, 0x48, 0xB9, 0x95, 0x13, 0x55, 0xFB, 0x93, 0xBD,
       0x55, 0x96, 0x88, 0x4F, 0x34, 0x25, 0x8F, 0x8A, 0x95, 0x3C,
       0x9E, 0xB5, 0x7E, 0x05, 0x92, 0x49, 0x88, 0xAC, 0x26, 0xD6,
       0xB9, 0x93, ]
key = [0xCE, 0xB8, 0x34, 0xCA, 0xF2, 0xC2, 0xEB, 0xA2, 0xF9, 0xD8,
       0xD3, 0x38, 0x71, 0x94, 0xF7, 0x23, 0x33, 0x9F, 0xBE, 0x89,
       0x33, 0xF3, 0xB9, 0x62, 0x56, 0x14, 0xBF, 0xE9, 0xB8, 0x0C,
       0xA7, 0x83, 0x48, 0x35, 0xF4, 0x2B, 0xBF, 0x99, 0x16, 0xB2,
       0x8C, 0xEE, ]
print(len(enc))
for i in range(len(enc)):
    print(chr(enc[i] ^ key[i]), end='')

[WEEK2]not gcc
import hashlib

import sudokum

map = [4,
       0,
       7,
       0,
       0,
       3,
       2,
       0,
       8,
       5,
       0,
       0,
       0,
       2,
       0,
       9,
       0,
       0,
       0,
       1,
       2,
       9,
       8,
       0,
       0,
       0,
       4,
       7,
       0,
       9,
       1,
       0,
       4,
       8,
       0,
       0,
       0,
       6,
       1,
       0,
       0,
       0,
       4,
       7,
       0,
       0,
       0,
       3,
       2,
       7,
       0,
       0,
       0,
       6,
       0,
       8,
       6,
       3,
       0,
       0,
       0,
       4,
       0,
       0,
       2,
       0,
       7,
       4,
       0,
       6,
       3,
       0,
       3,
       0,
       4,
       0,
       0,
       2,
       0,
       0,
       0]
puzzle = []
for i in range(9):
    tmp = []
    for j in range(9):
        tmp.append(map[i * 9 + j])
    puzzle.append(tmp)
solution = sudokum.solve(puzzle)[1]
dec = []
for i in solution:
    for j in i:
        dec.append(j)
flag = ''
for i in range(len(dec)):
    if map[i] == dec[i]:
        flag += '0'
    else:
        flag += str(dec[i])
print(hashlib.md5(flag.encode()).hexdigest())

[WEEK2]Run?润!

动调,将每层的迷宫打出来,然后跑脚本

1
[0, 1, 0, 0, 0, 0, 0, 0],
[0, 1, 1, 1, 1, 1, 1, 1],
[0, 0, 0, 0, 1, 1, 1, 1],
[1, 1, 1, 0, 1, 1, 1, 1],
[1, 1, 1, 0, 1, 1, 1, 1],
[1, 1, 1, 1, 1, 1, 1, 1],
[1, 1, 1, 1, 1, 1, 1, 1],
[1, 1, 1, 1, 1, 1, 1, 1],
2
[1, 1, 1, 0, 1, 1, 1, 0],
[1, 1, 1, 1, 1, 1, 1, 1],
[1, 1, 1, 1, 1, 1, 1, 1],
[1, 1, 1, 1, 1, 1, 1, 1],
[1, 1, 1, 0, 1, 1, 1, 1],
[1, 1, 1, 1, 1, 1, 1, 1],
[1, 1, 1, 1, 1, 1, 1, 1],
[1, 1, 1, 1, 1, 1, 1, 1],
3
[1, 1, 1, 0, 1, 1, 1, 0],
[1, 1, 1, 1, 1, 1, 1, 0],
[1, 1, 1, 1, 1, 0, 0, 0],
[1, 1, 1, 1, 1, 1, 1, 1],
[1, 1, 1, 0, 1, 1, 1, 1],
[1, 1, 1, 1, 1, 1, 1, 1],
[1, 1, 1, 1, 1, 1, 1, 1],
[1, 1, 1, 1, 1, 1, 1, 1],
4
[1, 1, 1, 0, 1, 1, 1, 1],
[1, 1, 1, 0, 1, 1, 1, 1],
[1, 1, 1, 0, 1, 0, 1, 1],
[1, 1, 1, 0, 1, 1, 1, 1],
[1, 1, 1, 0, 1, 1, 1, 1],
[1, 1, 1, 1, 1, 1, 1, 1],
[1, 1, 1, 1, 1, 1, 1, 1],
[1, 1, 1, 1, 1, 1, 1, 1],
5
[1, 1, 1, 1, 1, 1, 1, 1],
[1, 1, 1, 1, 1, 1, 1, 1],
[1, 1, 1, 1, 1, 0, 1, 1],
[1, 1, 1, 1, 1, 1, 1, 1],
[1, 1, 1, 1, 1, 1, 1, 1],
[1, 1, 1, 1, 1, 1, 1, 1],
[0, 0, 0, 0, 0, 0, 0, 0],
[1, 1, 1, 1, 1, 1, 1, 1],
6
[1, 1, 1, 1, 1, 1, 1, 1],
[1, 1, 1, 1, 1, 1, 1, 1],
[0, 0, 0, 0, 0, 0, 1, 1],
[0, 1, 1, 1, 1, 1, 1, 1],
[0, 1, 1, 1, 1, 1, 1, 1],
[0, 1, 1, 1, 1, 1, 1, 1],
[0, 1, 1, 1, 1, 1, 1, 0],
[1, 1, 1, 1, 1, 1, 1, 1],
7
[1, 1, 1, 1, 1, 1, 1, 1],
[1, 1, 1, 1, 1, 1, 1, 1],
[1, 1, 1, 1, 1, 1, 1, 1],
[1, 1, 1, 1, 1, 0, 0, 0],
[1, 1, 1, 1, 1, 0, 1, 0],
[1, 1, 1, 1, 1, 1, 1, 0],
[1, 1, 1, 1, 1, 1, 1, 0],
[1, 1, 1, 1, 1, 1, 1, 1],
8
[1, 1, 1, 1, 1, 1, 1, 1],
[1, 1, 1, 1, 1, 1, 1, 1],
[1, 1, 1, 1, 1, 1, 1, 1],
[1, 1, 1, 1, 1, 1, 1, 1],
[1, 1, 1, 1, 1, 0, 1, 1],
[1, 1, 1, 1, 1, 0, 1, 1],
[1, 1, 1, 1, 1, 0, 1, 1],
[1, 1, 1, 1, 1, 0, 0, 0],

EXP

from queue import Queue


def bfs(map, start, end):
    # 1. 初始化队列
    q = Queue()
    q.put((start, ""))
    # 2. 开始搜索
    while not q.empty():
        cur, path = q.get()
        # 3. 判断是否到达终点
        if cur == end:
            return path
        # 4. 判断是否越界或者是墙壁
        if cur[0] < 0 or cur[0] >= len(map) or cur[1] < 0 or cur[1] >= len(map[0]) or map[cur[0]][cur[1]] == 1:
            continue
        # 5. 标记为已经走过
        map[cur[0]][cur[1]] = 1
        # 6. 向6个方向扩展
        q.put(((cur[0] - 1, cur[1]), path + "w"))
        q.put(((cur[0] + 1, cur[1]), path + "s"))
        q.put(((cur[0], cur[1] - 1), path + "a"))
        q.put(((cur[0], cur[1] + 1), path + "d"))
        q.put(((cur[0] + 8, cur[1]), path + "u"))
        q.put(((cur[0] - 8, cur[1]), path + "q"))
    # 7. 没有找到路径
    return None


map = [[0, 1, 0, 0, 0, 0, 0, 0],
       [0, 1, 1, 1, 1, 1, 1, 1],
       [0, 0, 0, 0, 1, 1, 1, 1],
       [1, 1, 1, 0, 1, 1, 1, 1],
       [1, 1, 1, 0, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 0, 1, 1, 1, 0],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 0, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 0, 1, 1, 1, 0],
       [1, 1, 1, 1, 1, 1, 1, 0],
       [1, 1, 1, 1, 1, 0, 0, 0],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 0, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 0, 1, 1, 1, 1],
       [1, 1, 1, 0, 1, 1, 1, 1],
       [1, 1, 1, 0, 1, 0, 1, 1],
       [1, 1, 1, 0, 1, 1, 1, 1],
       [1, 1, 1, 0, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 0, 1, 1],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [0, 0, 0, 0, 0, 0, 0, 0],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [0, 0, 0, 0, 0, 0, 1, 1],
       [0, 1, 1, 1, 1, 1, 1, 1],
       [0, 1, 1, 1, 1, 1, 1, 1],
       [0, 1, 1, 1, 1, 1, 1, 1],
       [0, 1, 1, 1, 1, 1, 1, 0],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 0, 0, 0],
       [1, 1, 1, 1, 1, 0, 1, 0],
       [1, 1, 1, 1, 1, 1, 1, 0],
       [1, 1, 1, 1, 1, 1, 1, 0],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 1, 1, 1],
       [1, 1, 1, 1, 1, 0, 1, 1],
       [1, 1, 1, 1, 1, 0, 1, 1],
       [1, 1, 1, 1, 1, 0, 1, 1],
       [1, 1, 1, 1, 1, 0, 0, 0]]
puzzle = [0] * 64 * 8
print("路径:", bfs(map, (0, 0), (63, 7)))

image.png

[WEEK2]签到题?

动调到ArgList未与input运算前
[SHCTF-校外赛道]61名_第2张图片
提取其中的数据,有点misc的味道了
[SHCTF-校外赛道]61名_第3张图片
EXP

import base64

enc = [0x5A, 0x6D, 0x78, 0x68, 0x5A,
       0x33, 0x74, 0x68, 0x4D, 0x54,
       0x42, 0x6C, 0x4E, 0x32, 0x4E,
       0x6A, 0x59, 0x79, 0x31, 0x69,
       0x4F, 0x44, 0x41, 0x79, 0x4C,
       0x57, 0x55, 0x7A, 0x5A, 0x57,
       0x49, 0x74, 0x59, 0x7A, 0x67,
       0x31, 0x4F, 0x57, 0x45, 0x33,
       0x4C, 0x54, 0x4D, 0x77, 0x4F,
       0x54, 0x51, 0x77, 0x5A, 0x54,
       0x49, 0x79, 0x4E, 0x6D, 0x52,
       0x39]
tmp = ''.join(chr(i) for i in enc)
flag = base64.b64decode(tmp)
print(flag)

[WEEK3]ststst

SMC题,可以动调解密,或者自己写个idc脚本
上网找个tea解密脚本:

#include
#include

void decrypt(uint32_t* v, uint32_t* k) 
{
    uint32_t v0 = v[0], v1 = v[1], sum = 0xC6EF3720, i;	
    uint32_t delta = 0x9e3779b9;
    uint32_t k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];
    for (i = 0; i < 32; i++) {
        v1 -= ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);
        v0 -= ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);
        sum -= delta;
    }
    v[0] = v0; v[1] = v1;
}
int main()
{
    uint32_t enc[8] = { 3683591529,1087210467,2687755904,4294420036,1762408983,3055663206,887612071,2903549586,};
    uint32_t key[4] = { 19088743,2309737967,4275878552,1985229328, };
    for (int j = 0; j < 8; j+=2)
        {
            decrypt(&enc[j], key);
        }
    char* p = (char*)enc;
    for (int j = 0; j < sizeof(enc); j++)
        {
            printf("%c", *(p++));
        }
}
[WEEK3]java是最棒的语言吗

将Java代码copy下来,在下面两处修改一下,将密文和密钥输出
[SHCTF-校外赛道]61名_第4张图片
[SHCTF-校外赛道]61名_第5张图片
流程如下:
image.png
EXP:

key = [-50, 67, 40, 58, -9, 61, 16, 104, 21, -2, 82, -109, -76, 116, -11, 48, -99, 68, 6, 60, 127, -34, 25, 83, 51, 0,
       -58, 6, 3, -33, -27, 40, -47, -102, -18, 47, 109, -74, 21, 25, 30, 69, ]
enc = [-88, 47, 73, 93, -116, 11, 35, 81, 32, -53, 107, -95, -125, 89, -64, 81, -81, 115, 43, 8, 74, -22, 122, 126, 80,
       100, -91, 49, 46, -24, -121, 31, -78, -7, -41, 31, 95, -122, 115, 45, 40, 56, 81, 26, -10, -25, 105, -36, -21,
       59, 122, -97, -89, -102, 81, -116, 52, -61, -106, 85, -81, -54, -123, 119, -32, 32, 105, -37, -117, 6, -128, 89,
       2, -4, -21, -118, -94, -81, 103, 26, 21, 102, -59, 67, 71, -58]
for i in range(len(key)):
    tmp = key[i] ^ enc[i]
    if tmp < 0:
        print(chr(-tmp), end='')
    else:
        print(chr(tmp), end='')

[WEEK3]crackme
# z3 can't solve problems like x%100==1(these mod value equation)
from z3 import *

s = Solver()
secret = [54, 57, 566, 532, 1014, 1, 7, 508, 10, 12, 498, 494, 6, 24, 14, 20, 489, 492, 0, 10, 490, 498, 517, 539, 21,
          528, 517, 530, 543, 9, 13, 0, 4, 51, 562, 518, 14, 527, 520, 0, 517, 57, 575, 512, 1, 572, 515, 60, 18, 31, 1,
          594, 117, 15]
l = len(secret)
flag = [BitVec('%d' % i, 12) for i in range(l)]
code = flag[:]
for i in range(52):
    code[i] = code[i + 1] ^ code[i + 2]
code[52] = code[53] ^ code[0]
code[53] = code[0] ^ code[1]
for i in range(l):
    s.add(secret[i] == code[i])


def crack(a, b):
    for x in range(1, 128):
        if ((x + b) % 333 + 444) % 555 - 1 == a:
            return x
    return ord('f')


if s.check() == sat:
    m = s.model()
    print(''.join([chr(crack(m[flag[i]], i + 1)) for i in range(l)]))

[WEEK3]easyre

爆破一下

import base64
import dis
import marshal

import sympy as sp

encoded_data = b'#`VVVVVVVVVVVVVVVVVVVVVSVVVVFVVVV_YZVVVVMVU|VNFV@pU|V{xUMVYvVzBSMVDSVFRVMFDSV\\VQMV@\x7fVAxPMFU{V@BPp`]vU%B_MF]eVy]VMFY|UxZUVFUbTPBSMVrSVFRVMV\x7fCVT|]N`^VVVVVVVVVVVVVVVpVVVVPVVVVF`VVV_GFVVVVsVU\'V@FUp`PSVO\'TMV].V$FUMVPSVBFVOC".U_`SqV]/UU|VQ`U/V_`RsV]/V^ZUQpVMVUtVMVR@V_\'SqV]/Vo|VqV]/UU|VVpU/Vy`RGVU/Vy`SGVUoPPFTUVU.U_\'SsVXSV_\'QqVQRVQ&pqFM/UPFSQ`U|VENVqFE/V$`TqVFMVUtVMVR@V_\'SqV]/Vo|VqV]/UU|VVpU/Vy`RGVU/Vy`SGVU/Vy`TqVFMV_`TqVZMVUtVMVR@VU|VqFs/UvVRqVM/U\'RVxFRUV_QfqVACVT|RCb|VVFVV!FVVVVSgVFVVVT|Q%pEdvOY\'%pAnN@"yMsxSuPAb%p{~rOE{NO]nNOyvUzQ`tPAbMT|^%pYeMO{vTOUdN@{bsPA#sYxUB.xUvcxUvAx\\N%{`vPAnsPA#sYxRN%\x7f\x7ftcxUv!|Vtp/VVVS!UzM&u~"`rsx[tzZ\'O%AbN$]"t_FUVVVVto`VVVVVVF`UUV^ZVDVU_V^^VFNTTVRZVEVUPpRNVEVTt\x7fRVVVUmT`VVVPA#N@&`uPAqv%A"tnxVVVSN{U!ez%M\'!&&VP ez!UZmA.\'X"g^\'/NUcvXd.TPRTTD!&UB\\`dT.R}Q{!QQUdr~UguyU&sTU"u$An^PMdN@t!rpA&sPNcXQxSr@Am@p]bu\'#gT_^EVVVVtp|VVVUvU@YxM@Ye%pA`tz{bsYxQv@"`sOCvUzAbN%.|MsxRMzo\x7fM&x]M@"}ty{`sPA|tp/VVVUnS`VVV_^GVVVVt\x7fVVVVSvTSocu%E&uPB


# xor_key = int(input('Plz input key (0
def fff(xor_key):
    x = sp.symbols('x')
    f = x ** 2 + x + 1
    integral_value = sp.integrate(f, (x, 1, xor_key))
    check_value = 13024
    if integral_value * 3 == check_value:
        xor_decoded_data = bytes([byte ^ xor_key for byte in encoded_data])
        decoded_data = base64.b64decode(xor_decoded_data)
        code_obj = marshal.loads(decoded_data)
        dis.dis(code_obj)
        print(xor_key)
        exec(code_obj)
    else:
        print('Wrong!!')

for i in range(100):
    fff(i)

炸出key=23,字节码:

  1           0 LOAD_CONST               0 ()
              2 LOAD_CONST               1 ('rc4_encrypt')
              4 MAKE_FUNCTION            0
              6 STORE_NAME               0 (rc4_encrypt)

 21           8 LOAD_CONST               2 (b'example_key')
             10 STORE_NAME               1 (key)

 22          12 LOAD_CONST               3 (b'\xd8\x94\x1e\xab\x9bft\xeb]@\x1b\xba\xe6\xe8\x133W\xdd\x0e\xe6\x924\xf1\x80mh\xeb=\x08a\x02\t.\xb5\x05B\xb0\xb0/D\x8cY')
             14 STORE_NAME               2 (check)

 24          16 LOAD_NAME                3 (print)
             18 LOAD_CONST               4 ('Plz input your flag:')
             20 CALL_FUNCTION            1
             22 POP_TOP

 25          24 LOAD_NAME                4 (input)
             26 CALL_FUNCTION            0
             28 LOAD_METHOD              5 (encode)
             30 LOAD_CONST               5 ('utf-8')
             32 CALL_METHOD              1
             34 STORE_NAME               6 (flag)

 27          36 LOAD_NAME                0 (rc4_encrypt)
             38 LOAD_NAME                1 (key)
             40 LOAD_NAME                6 (flag)
             42 CALL_FUNCTION            2
             44 STORE_NAME               7 (encrypted)

 29          46 LOAD_NAME                7 (encrypted)
             48 LOAD_NAME                2 (check)
             50 COMPARE_OP               2 (==)
             52 POP_JUMP_IF_FALSE       64

 30          54 LOAD_NAME                3 (print)
             56 LOAD_CONST               6 ('yes')
             58 CALL_FUNCTION            1
             60 POP_TOP
             62 JUMP_FORWARD             8 (to 72)

 32     >>   64 LOAD_NAME                3 (print)
             66 LOAD_CONST               7 ('no')
             68 CALL_FUNCTION            1
             70 POP_TOP
        >>   72 LOAD_CONST               8 (None)
             74 RETURN_VALUE

Disassembly of :
  2           0 LOAD_GLOBAL              0 (list)
              2 LOAD_GLOBAL              1 (range)
              4 LOAD_CONST               1 (256)
              6 CALL_FUNCTION            1
              8 CALL_FUNCTION            1
             10 STORE_FAST               2 (S)

  3          12 LOAD_CONST               2 (0)
             14 STORE_FAST               3 (j)

  5          16 LOAD_GLOBAL              1 (range)
             18 LOAD_CONST               1 (256)
             20 CALL_FUNCTION            1
             22 GET_ITER
        >>   24 FOR_ITER                62 (to 88)
             26 STORE_FAST               4 (i)

  6          28 LOAD_FAST                3 (j)
             30 LOAD_FAST                2 (S)
             32 LOAD_FAST                4 (i)
             34 BINARY_SUBSCR
             36 BINARY_ADD
             38 LOAD_FAST                0 (key)
             40 LOAD_FAST                4 (i)
             42 LOAD_GLOBAL              2 (len)
             44 LOAD_FAST                0 (key)
             46 CALL_FUNCTION            1
             48 BINARY_MODULO
             50 BINARY_SUBSCR
             52 BINARY_ADD
             54 LOAD_CONST               1 (256)
             56 BINARY_MODULO
             58 STORE_FAST               3 (j)

  7          60 LOAD_FAST                2 (S)
             62 LOAD_FAST                3 (j)
             64 BINARY_SUBSCR
             66 LOAD_FAST                2 (S)
             68 LOAD_FAST                4 (i)
             70 BINARY_SUBSCR
             72 ROT_TWO
             74 LOAD_FAST                2 (S)
             76 LOAD_FAST                4 (i)
             78 STORE_SUBSCR
             80 LOAD_FAST                2 (S)
             82 LOAD_FAST                3 (j)
             84 STORE_SUBSCR
             86 JUMP_ABSOLUTE           24

  9     >>   88 LOAD_CONST               2 (0)
             90 DUP_TOP
             92 STORE_FAST               4 (i)
             94 STORE_FAST               3 (j)

 10          96 LOAD_GLOBAL              3 (bytearray)
             98 CALL_FUNCTION            0
            100 STORE_FAST               5 (ciphertext)

 12         102 LOAD_FAST                1 (plaintext)
            104 GET_ITER
        >>  106 FOR_ITER                96 (to 204)
            108 STORE_FAST               6 (char)

 13         110 LOAD_FAST                4 (i)
            112 LOAD_CONST               3 (1)
            114 BINARY_ADD
            116 LOAD_CONST               1 (256)
            118 BINARY_MODULO
            120 STORE_FAST               4 (i)

 14         122 LOAD_FAST                3 (j)
            124 LOAD_FAST                2 (S)
            126 LOAD_FAST                4 (i)
            128 BINARY_SUBSCR
            130 BINARY_ADD
            132 LOAD_CONST               1 (256)
            134 BINARY_MODULO
            136 STORE_FAST               3 (j)

 15         138 LOAD_FAST                2 (S)
            140 LOAD_FAST                3 (j)
            142 BINARY_SUBSCR
            144 LOAD_FAST                2 (S)
            146 LOAD_FAST                4 (i)
            148 BINARY_SUBSCR
            150 ROT_TWO
            152 LOAD_FAST                2 (S)
            154 LOAD_FAST                4 (i)
            156 STORE_SUBSCR
            158 LOAD_FAST                2 (S)
            160 LOAD_FAST                3 (j)
            162 STORE_SUBSCR

 16         164 LOAD_FAST                2 (S)
            166 LOAD_FAST                2 (S)
            168 LOAD_FAST                4 (i)
            170 BINARY_SUBSCR
            172 LOAD_FAST                2 (S)
            174 LOAD_FAST                3 (j)
            176 BINARY_SUBSCR
            178 BINARY_ADD
            180 LOAD_CONST               1 (256)
            182 BINARY_MODULO
            184 BINARY_SUBSCR
            186 STORE_FAST               7 (k)

 17         188 LOAD_FAST                5 (ciphertext)
            190 LOAD_METHOD              4 (append)
            192 LOAD_FAST                6 (char)
            194 LOAD_FAST                7 (k)
            196 BINARY_XOR
            198 CALL_METHOD              1
            200 POP_TOP
            202 JUMP_ABSOLUTE          106

 19     >>  204 LOAD_FAST                5 (ciphertext)
            206 RETURN_VALUE

很明显的rc4,写个解密脚本:

from Crypto.Cipher import ARC4

key = b'example_key'
key = ARC4.new(key)
en_flag = b'\xd8\x94\x1e\xab\x9bft\xeb]@\x1b\xba\xe6\xe8\x133W\xdd\x0e\xe6\x924\xf1\x80mh\xeb=\x08a\x02\t.\xb5\x05B\xb0\xb0/D\x8cY'
flag = key.decrypt(en_flag)
print(flag)

[WEEK3]喵?喵。喵!

通过观察汇编,得知这是一个AES+base64组合加密
重点在于AES的key和iv
[SHCTF-校外赛道]61名_第6张图片
接下来就是动调,判断切片的情况。
在存放输入数据的内存处打个断点,进行AES加密时会断下。
[SHCTF-校外赛道]61名_第7张图片
当内存变化时,可以得到key的切片
[SHCTF-校外赛道]61名_第8张图片
[SHCTF-校外赛道]61名_第9张图片
EXP:

import base64

from Crypto.Cipher import AES

enc = "GMPZ5Eaw27Hyx241S0WsqXYHCyahcUyjlooFoLE1aLII8Gq/gXTu3Tplx3BOqZ3xt0yBeimgxH0uOq/OjqkMQrjKg6snFhLpMgrSTrG0mpo="
enc = base64.b64decode(enc.encode())
print(enc)
s = b"SHCTF_2023_S0_e4sy_m1ao"
key = s[7:]
print(key)
iv = s[:16]
print(iv)
aes = AES.new(key, AES.MODE_CBC, iv)
den_text = aes.decrypt(enc)
print("明文:", den_text)

Crypto

[WEEK1]really_ez_rsa

[SHCTF-校外赛道]61名_第10张图片

[WEEK1]what is m

image.png

[WEEK1]难言的遗憾

[SHCTF-校外赛道]61名_第11张图片

[WEEK1]进制

[SHCTF-校外赛道]61名_第12张图片

[WEEK1]okk

[SHCTF-校外赛道]61名_第13张图片

[WEEK1]Crypto_Checkin

[SHCTF-校外赛道]61名_第14张图片

[WEEK1]凯撒大帝

[SHCTF-校外赛道]61名_第15张图片

[WEEK1]残缺的md5
import hashlib
import itertools


def md5_encrypt(text):
    md5 = hashlib.md5()
    md5.update(text.encode('utf-8'))
    return md5.hexdigest().upper()


# 要加密的文本
text_1 = "KCLWG"
text_2 = "K8M9O3"
text_3 = "DE"
text_4 = "84S9"

table_1 = 'abcdefghijklmnopqrstuvwxyz0123456789/'
table_2 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ_{}'
for flag in itertools.product(table_2 + table_1, repeat=3):
    flag = text_1 + flag[0] + text_2 + flag[1] + text_3 + flag[2] + text_4
    if md5_encrypt(flag)[:4] == "F0AF":
        print(md5_encrypt(flag))

[WEEK1]熊斐特

[SHCTF-校外赛道]61名_第16张图片

[WEEK1]迷雾重重

[SHCTF-校外赛道]61名_第17张图片

[WEEK1]黑暗之歌

[SHCTF-校外赛道]61名_第18张图片
[SHCTF-校外赛道]61名_第19张图片
[SHCTF-校外赛道]61名_第20张图片

Pwn

[WEEK1]nc

image.png

[WEEK1]hard nc

[SHCTF-校外赛道]61名_第21张图片
[SHCTF-校外赛道]61名_第22张图片

你可能感兴趣的:(python,逆向,CTF,python,c语言,青少年编程,汇编,c++,开发语言,lua)