newsctf
周末一直被hxd缠着要我去帮他AK逆向,最后只出了四道,最后两道都拿了一血。(Q神太强了!!!
题目还算简单,不知道为啥没人做。。。。
2021.6.1萌新赛-re_signin
拿到文件解压,发现是个pyc文件。拿去反编译得到源码。
# uncompyle6 version 3.7.4
# Python bytecode 3.8 (3413)
# Decompiled from: Python 3.8.6 (tags/v3.8.6:db45529, Sep 23 2020, 15:52:53) [MSC v.1927 64 bit (AMD64)]
# Embedded file name: /home/mumuzi/����/flag.py
# Compiled at: 2021-05-28 16:16:08
# Size of source mod 2**32: 528 bytes
flag = 'xxxx{xxxxxxxxxxxxxxxxxx}'
import random
c = [0] * len(flag)
for i in range(len(flag)):
c[i] = ord(flag[i])
else:
print(c)
t = 0
for i in range(2000):
num = range(0, 100)
nums = random.sample(num, 22)
numss = nums.copy()
for i in range(len(nums) - 1):
for j in range(len(nums) - i - 1):
if nums[j] > nums[(j + 1)]:
nums[j], nums[j + 1] = nums[(j + 1)], nums[j]
if count == c[t]:
print(numss)
t += 1
if t == 24:
break
# okay decompiling flag.pyc
题目就是将冒泡排序的次数等于flag中字符的ascii码。
直接跑一次计数然后转chr输出就行了
numss= [[73, 69, 60, 20, 64, 68, 99, 4, 36, 9, 91, 42, 75, 43, 8, 77, 55, 70, 84, 37, 3, 93],
[85, 46, 47, 99, 58, 35, 83, 3, 57, 18, 52, 17, 97, 16, 6, 51, 84, 62, 1, 41, 88, 87],
[97, 34, 31, 80, 19, 57, 10, 84, 4, 50, 43, 63, 65, 88, 30, 72, 21, 36, 27, 41, 86, 79],
[31, 23, 68, 67, 30, 47, 27, 40, 73, 63, 11, 89, 18, 5, 9, 74, 88, 38, 8, 20, 50, 83],
[88, 5, 85, 82, 36, 74, 6, 15, 40, 55, 95, 8, 84, 47, 96, 33, 25, 29, 77, 67, 26, 39],
[54, 53, 0, 37, 66, 91, 39, 38, 57, 6, 47, 28, 49, 92, 29, 85, 88, 84, 90, 13, 35, 52],
[80, 18, 26, 91, 10, 52, 11, 99, 85, 75, 60, 48, 36, 74, 55, 51, 86, 49, 89, 29, 82, 16],
[35, 70, 42, 44, 18, 65, 84, 71, 26, 14, 38, 28, 21, 86, 20, 54, 30, 11, 66, 10, 69, 77],
[71, 25, 43, 23, 29, 6, 33, 44, 5, 30, 32, 18, 47, 13, 76, 8, 83, 87, 57, 26, 16, 19],
[29, 51, 7, 62, 94, 32, 57, 1, 71, 84, 92, 16, 18, 19, 56, 52, 40, 80, 98, 44, 82, 33],
[67, 14, 93, 91, 78, 80, 7, 37, 10, 82, 38, 83, 23, 27, 17, 76, 74, 18, 66, 24, 99, 43],
[29, 56, 44, 54, 70, 31, 10, 38, 8, 85, 18, 22, 32, 49, 2, 21, 50, 5, 25, 48, 90, 84],
[23, 33, 90, 7, 42, 71, 25, 58, 5, 47, 54, 18, 97, 72, 2, 1, 68, 64, 76, 85, 69, 49],
[77, 67, 52, 31, 35, 6, 56, 94, 81, 23, 78, 50, 15, 10, 28, 69, 43, 91, 82, 72, 99, 38],
[20, 47, 52, 27, 73, 64, 9, 62, 3, 57, 2, 97, 44, 35, 89, 10, 18, 29, 58, 56, 74, 84],
[66, 11, 76, 91, 70, 9, 6, 75, 32, 71, 44, 48, 88, 20, 98, 97, 79, 63, 47, 78, 60, 81],
[43, 13, 70, 23, 31, 69, 52, 30, 2, 78, 0, 37, 73, 93, 18, 1, 51, 62, 25, 68, 65, 87],
[24, 86, 29, 0, 93, 51, 53, 47, 16, 40, 94, 98, 88, 64, 41, 83, 44, 35, 45, 75, 17, 46],
[33, 12, 63, 77, 25, 24, 47, 58, 6, 89, 97, 27, 21, 96, 92, 50, 82, 76, 5, 62, 56, 44],
[12, 36, 16, 44, 19, 62, 43, 80, 58, 98, 69, 97, 1, 7, 49, 26, 70, 34, 53, 13, 65, 48],
[51, 74, 76, 98, 33, 78, 44, 45, 4, 65, 99, 84, 80, 93, 37, 56, 77, 9, 6, 94, 52, 88],
[80, 38, 88, 66, 7, 40, 70, 24, 2, 12, 76, 18, 57, 73, 58, 83, 33, 17, 89, 69, 77, 67],
[18, 53, 14, 24, 94, 42, 61, 75, 62, 60, 73, 2, 65, 48, 80, 23, 44, 91, 7, 0, 31, 71],
[16, 54, 87, 75, 8, 23, 33, 56, 22, 63, 1, 2, 25, 6, 84, 80, 4, 49, 17, 42, 14, 43]]
for k in range(len(numss)):
nums=numss[k]
count=0
for i in range(len(nums) - 1):
for j in range(len(nums) - i - 1):
if nums[j] > nums[(j + 1)]:
nums[j], nums[j + 1] = nums[(j + 1)], nums[j]
count+=1
print(chr(count),end='')
#synt{jrypbzr_gb_arjfpgs}
发现字符串怪怪的,有点像凯撒,拿去,发现偏移为13出现flag。
#flag{welcome_to_newsctf}
2021.6.1萌新赛-1+1的签到题
ida打开发现,upx加壳了。
使用upx -d 脱壳,
再用ida打开。发现,程序写得乱糟糟的。。
首先是一个换表base58.
???又得到一个表
发现,还有两串奇怪得编码
想到上面得到了一串表好像base64,再拿去解码。
secret2能解码出:
!!C0ngr4Tu1atl0n5!!
尝试发现,secret1还是用最开始的那个表解base58
然后审计程序,发现还有一处输入,发现是利用srand()生成一个种子,然后随机出来的值,异或操作等于一个固定的值,那么我们可以动调或者写源码调用这个种子生成的随机值,然后异或,得到最后的值。
得到两个数分别为 198469000 395774304
然后算出a1
0x453473793fv6=198469000
v7=395774304*20
print(hex(v6^v7 ^ 0x235FFFA864 ^ 0x67B7940F53))
print(long_to_bytes(0x453473793f))
#b'E4sy?'
合并起来就是:
#flag{E4sy?_Up_t0_Y0u!!!C0ngr4Tu1atl0n5!!}
2021.6.1萌新赛-开门啊-2
安卓逆向,
so层分析
总得来说就是一个输入用户名,注册码,,且用户名用于注册码的生成.
主要分析三个函数
前两个只是赋值,
第三个才是关键函数,
点击要等于5次,此时gV3=15且tom1()要返回1,
tom1只是将
输入的字符串1异或后与
这个数组前十四位进行比较。
全相同则返回一。
tom2()
函数则是对注册码的比较
讲第一个输入的字符串,逐个异或后,与一个数组进行逐个比较。
dd=[ 0x3B, 0x39, 0x39, 0x36, 0x37, 0x33, 0x31, 0x4F, 0x33, 0x33,
0x32, 0x32, 0x32, 0x31]
key=[]
for i in range(len(dd)):
for k in range(0x20,0x7f):
if (k+i)^15==dd[i]:
key.append(k)
dd2=[ 0x52, 0x59, 0x55, 0x51, 0x4F, 0x00,
0x0D, 0x0F, 0x0D, 0x02, 0x01, 0x01, 0x06, 0x05, 0x01, 0x03,
0x03, 0x00, 0x00, 0x02, 0x45]
for i in range(len(dd2)):
print(chr(dd2[i]^key[i%len(key)]),end='')
#flag{756912374567645}
2021.6.1萌新赛-开门啊-1
程序有点绕,不过动调后可以得到,g.0=15,然后输入的字符串,每一个字符的ascii加15。然后对比下图的那个数组。
异或后然后再减去15就是输入的字符串。
flag{16498356746434}