“网鼎杯”网络安全大赛 2020 青龙组 WP

比赛地址：https://race.ichunqiu.com/login?k=VzZXYVtkVGRUIwJnUzQANQJ6BnEAN1IxVDIDbgZuUWcEZgExWGICNgc%2F

CRYPTO

0x01 boom

ida看代码，printf("flag{%s_%d%d%d_%lld}", &Str, v27, v26, v25, v24);

查询md5得到Str：en5oy

用z3计算，得到v27=74，v26=68，v25=31

用求根公式算出v24=89127561

flag{en5oy_746831_89127561}

0x02 you raise me up

image

利用sagemath求指数，然后long_to_bytes，flag{5f95ca93-1594-762d-ed0b-a9139692cb4a}

0x01 signal
模拟程序，得到运算后的数组

#include

int main()
{
    unsigned char a1[] = {0x0A,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x05,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x05,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x0B,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x0C,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x05,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x21,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x0B,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x0B,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x09,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x51,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x24,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x0C,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x0B,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x05,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x25,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x36,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x41,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x05,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x05,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x25,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x09,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x41,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x0C,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x22,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x3F,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x34,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x32,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x72,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x33,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x18,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xA7,0xFF,0xFF,0xFF,0x07,0x00,0x00,0x00,0x31,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xF1,0xFF,0xFF,0xFF,0x07,0x00,0x00,0x00,0x28,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x84,0xFF,0xFF,0xFF,0x07,0x00,0x00,0x00,0xC1,0xFF,0xFF,0xFF,0x07,0x00,0x00,0x00,0x1E,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x7A,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
    int v10 = 0;
    int v9 = 0;
    int v8 = 0;
    int v7 = 0;
    int v6 = 0;
    int result;
    while(1)
    {
        result = v10;
        if(v10>=4*114)
        return result;
        switch(a1[v10])
        {
            case 1:
                printf("有情下一位\n");
                v10=v10+4;
                ++v7;
                ++v9;
                break;
            case 2:
                printf("+%d\n",a1[v10+4]);
                v10 +=8;
                break;
            case 3:
                printf("-%d\n",a1[v10+4]);
                v10 +=8;
                break;
            case 4:
                printf("^%d\n",a1[v10+4]);
                v10 +=8;
                break;
            case 5:
                printf("*%d\n",a1[v10+4]);
                v10+=8;
                break;
            case 6:
                printf("v10++\n");
                v10+=4;
                break;
            case 7:
                printf("compare：%d\n",a1[v10+4]);
                v10+=8;
                break;
            case 8:
                printf("\n");
                v10+=4;
                break;
            case 10:
                v10+=4;
                break;
            case 11:
                printf("-1\n");
                v10+=4;
                break;
            case 12 :
                printf("+1\n");
                v10+=4;
                break;
            default:
                continue;            
        }
    }
 }

将数组算回去即可，flag{757515121f3d478}

code = [34,63,52,50,114,51,24,0xa7,49,0xf1,40,0x84,0xc1,30,122]
flag = [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
flag[0] = (code[0]+5) ^ 16
flag[1] = (code[1]//3) ^ 32
flag[2] = code[2] +1+2
flag[3] = (code[3]^ 4) -1
flag[4] = (code[4]+33) //3
flag[5] = code[5]+1+1
flag[6] = (code[6]+32) ^ 9
flag[7] = (code[7] ^36) - 81
flag[8] = code[8]+1 -1
flag[9] = (code[9]-37) // 2
flag[10] = (code[10] ^ 65) -54
flag[11] = code[11] -32
flag[12] = (code[12] -37) //3
flag[13] = (code[13] +32) ^ 9
flag[14] = code[14] - 1 -65
 
for i in flag:
    print(chr(i))

0x02 bang
http://www.mz6.net/news/2016-08-09/6591.html
http://www.5577.com/s/302204.html
一键脱壳，jd-gui打开搜索就有flag

“网鼎杯”网络安全大赛 2020 青龙组 WP

你可能感兴趣的:(“网鼎杯”网络安全大赛 2020 青龙组 WP)