继续整理Re方向的WP
慕然回首,那人却在灯火阑珊处
一个走迷宫的题,查看字符串把迷宫抠出来
题目也给了要求从S走到E
那么最短路径就是ddsssdssaasssddddddwd
ezRe
pyinstxtractor逆向exe
填充一下magic number
pycdc反编译
解base64即可
SQCTF{5ed2be45-2e83-48d2-b631-c088e51ee964}
圣人当仁不让
对输入的字符串与0xAA异或,然后加上5减去2,再base64得到/P7sAe/U0s7c1vjb0vjfyt==
import base64encoded_str = "/P7sAe/U0s7c1vjb0vjfyt=="decoded_data = base64.b64decode(encoded_str)for i in decoded_data:print(chr((i-3)%256^0xaa),end="")
补充一个大括号得到SQCTF{easy_re_vm}
鹅鹅鹅,曲项向天歌
pyinstxtractor逆向exe
填充一下magic number
pycdc反编译
很明显flag前7位+5,中间不变,后面-7得到itd~tzw_know_sanmenxbZ8,编写脚本
ciphertext = 'itd~tzw_know_sanmenxbZ8'tmp = ''part2_1 = ciphertext[:7]part2_2 = ciphertext[7:20]part2_3 = ciphertext[20:]for i in range(len(part2_1)):tmp += chr(ord(part2_1[i]) - 5)for i in range(len(part2_2)):tmp += chr(ord(part2_2[i]) + 0)for i in range(len(part2_3)):tmp += chr(ord(part2_3[i]) + 7)print(tmp)
得到结果SQCTF{do_your_know_sanmenxia?}
往事暗沉不可追
pyinstxtractor逆向exe
填充一下magic number
pycdc反编译
分析一下vm指令对每个字符先异或85,再异或170得到encrypted_data
直接反向异或得到原字符串128,124,130,132,120,128,122,132,130,124,128,120,124,132,120,130
提交SQCTF{128,124,130,132,120,128,122,132,130,124,128,120,124,132,120,130}即可
遇事不决,可问春风
Apk逆向
再次异或即可
得到wakuwaku,拼接上头和尾得到SQCTF{i_am_a_wakuwaku}
春风也有春风愁
异或0xa5再加55后逐位和v6做比较,直接逆向即可
提交发现不对,试了一下去掉多余的a就行了
提交SQCTF{easy_xor}即可
你若安好便是晴
看到使用了TEA加密
开头给出了明文,没有给出密文,估计是程序加密完就是flag了,直接动调
在最后一个异或函数处下断点,str就是tea加密后的结果,对应的寄存器是rcx
直接抠出str的内容然后异或22即可
得到结果SQCTF{nihaobuhaobuhaoxixi}
唧唧复唧唧,木兰当户织
发现存在upx壳
Base64解码即可
提交英文符号的SQCTF{xixibuxixi,mulandanghuzhi}即可
天下谁人不识君
Ai一把梭
s = 'wesyvbniazxchjko1973652048@$+-&*<>'char_to_pos = {c: i for i, c in enumerate(s)}# Given the encoded result, replace 'encoded_result' with the actual stringencoded_result = 'v7b3boika$h4h5j0jhkh161h79393i5x010j0y8n$i'flag =for i in range(len(encoded_result) // 2):c1 = encoded_result[2*i]c2 = encoded_result[2*i + 1]pos1 = char_to_pos[c1]pos2 = char_to_pos[c2]# Compute s1s1 = (pos1 - i) % 34if not (0 <= s1 <= 15):raise ValueError(f"Invalid s1 at index {i}")# Compute s2temp = (-pos2 - i - 1) % 34s2 = temp % 17# Reconstruct the original characterord_char = 17 * s1 + s2flag.append(chr(ord_char))print(''.join(flag))
看山不是山
pyinstxtractor逆向exe
填充一下magic number
pyc反编译
Ai一把梭
def decrypt(encrypted_data):result = []key = 439041101for i, byte in enumerate(encrypted_data):# Reverse the addition of idecrypted_byte = (byte - i) % 256# Calculate the key byte for the current positionkey_shift = (i % 4) * 8key_byte = (key >> key_shift) & 0xFF# Reverse the XOR operationoriginal_byte = decrypted_byte ^ key_byteresult.append(original_byte)return bytes(result)data = decrypt(bytes.fromhex('738495a6b7c8d9e0f123456789abcdef'))print(data.hex())
提交SQCTF{3ebfb8b9fefff8c3a426104630a294fa}即可
即随本心
pyinstxtractor逆向exe,怎么这么多python逆向
填充一下magic number
pyc反编译
aes加密之后前面拼上iv再base64得到expected_encrypted_data
反过来解密即可
得到SQCTF{qianniananshi_yidengjiming}
不劳春风解我忧
很明显的xxtea算法
搜了一下xxtea的加解密c语言代码对照一下ida反编译的结果来写解密脚本
voidbtea(uint32_t *v, int n, uint32_tconst key[4]){uint32_t y, z, sum;unsigned p, rounds, e;if (n > 1) /* Coding Part */{rounds = 6 + 52/n;sum = 0;z = v[n-1];do{sum += DELTA;e = (sum >> 2) & 3;for (p=0; p<n-1; p++){y = v;
z = v+= MX;
}y = v[0];z = v[n-1] += MX;}while (--rounds);}else if (n < -1) /* Decoding Part */{n = -n;rounds = 6 + 52/n;sum = rounds*DELTA;y = v[0];do{e = (sum >> 2) & 3;for (p=n-1; p>0; p--){z = v;
y = v-= MX;
}z = v[n-1];y = v[0] -= MX;sum -= DELTA;}while (--rounds);}}intmain(){uint32_t v[2]= {1,2};uint32_t const k[4]= {2,2,3,4};int n= 2; //n的绝对值表示v的长度,取正表示加密,取负表示解密// v为要加密的数据是两个32位无符号整数// k为加密解密密钥,为4个32位无符号整数,即密钥长度为128位printf("加密前原始数据:%u %un",v[0],v[1]);btea(v, n, k);printf("加密后的数据:%u %un",v[0],v[1]);btea(v, -n, k);printf("解密后的数据:%u %un",v[0],v[1]);return 0;}
写不动了,拷打一下AI
voiddecrypt(uint32_t *v, int n, uint32_tconst key[4]){uint32_t y, z, sum;unsigned p, rounds, e;if (n > 1) {rounds = 6 + 52 / n;sum = rounds * 0x9E3779B9;y = v[0];do {e = (sum >> 2) & 3;for (p = n - 1; p > 0; p--) {z = v;
v-= (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) + (key[(p ^ e) & 3] ^ z)));
y = v;
}z = v[n - 1];v[0] -= (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) + (key[(0 ^ e) & 3] ^ z)));y = v[0];sum -= 0x9E3779B9;} while (--rounds);}}intmain(){uint32_t encrypted[2] = {0x8F748963, 0xCB1D96A8};uint32_t key[4] = {0x12345678, 0x9ABCDEF0, 0xFEDCBA98, 0x87654321};decrypt(encrypted, 2, key);// Convert to bytes in little-endian orderunsigned char *bytes = (unsigned char *)encrypted;printf("Decrypted bytes: ");for (int i = 0; i < 8; i++) {printf("%02x ", bytes[i]);}printf("nFlag: ");for (int i = 0; i < 8; i++) {if (bytes[i] == 0) break;printf("%c", bytes[i]);}printf("n");return 0;}
提交SQCTF{tyandctf}即可
人生自古谁无死
前面生成加密key的过程有点复杂,patch一下动调检测的代码
key=[0x83,0xf0,0x57,0xe3,0x1e,0x81,0xf7,0xf4,0x20,0x3f,0x44,0x3,0x50,0xca,0xc6,0x6a,0x48,0xf9,0xed,0x77,0x28,0xb,0x87,0x55,0xa4,0x2a,0x88,0xe3,0xf7,0x95,0xc,0x8d,0x84,0x4b,0x5f,0xa7,0x72,0xc,0xf7,0x76,0xb0,0xa,0xed,0x44,0x7,0x86,0x9d,0x98,0x4f,0x22,0xf5,0x7e,0x9c,0xae,0x77,0x18,0xac,0xe4,0xd1,0x5f,0x59,0xb1,0xc5,0xc3]with open('1.enc','rb') as f1:data=f1.read()print(data)for i in range(len(data)):print(chr(data[i]^key[i]),end='')with open('2.enc','rb') as f1:data=f1.read()print(data)for i in range(len(data)):print(chr(data[i]^key[i]),end='')
好像非预期了,用的加密算法是chacha20,得到SQCTF{real_chacha20_flag}
击败abyssun
想要CE改血量好像有点想多了,直接内存里搜SQCTF字符串就行了
得到SQCTF{Defeat_abyssun}
原文始发于微信公众号(智佳网络安全):【WP】第四届SQCTF网络安全及信息对抗大赛Re方向题目全解
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论