[HNCTF 2022 WEEK2]e@sy_flower

img

先查壳,32位,并且没有加壳

直接拖进ida

img

看到这一部分,可能是花指令

我们把前面的E9改为90

img

img

在main函数按P生成一下,再f5转换

img

img

发现有两段加密代码

第一段

img

这个的作用是将原本的字符串重排,循环的次数=字符串长度/2

第二段主要就是一个异或

img

我们可以利用脚本来解决这个问题

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
#include<stdio.h>
#include<string.h>

int main(int argc, char const *argv[])
{
    char flag[] = "c~scvdzKCEoDEZ[^roDICUMC";
    char v5;
    int len = strlen(flag);

    for (int i = 0; i < len / 2; ++i)
    {
        v5 = flag[2 * i];
        flag[2 * i] = flag[2 * i + 1];
        flag[2 * i + 1] = v5;
    }

    for (int j = 0; j < len; j++)
    {
        flag[j] ^= 0x30;
    }

    printf("%s", flag);

    return 0;
}

img

1
NSSCTF{Just_junk_Bytess}

[NISACTF 2022]string

先查壳

img

我是直接进入main函数,直接就看到了关键部分

img

我们看到flag(v4),你点开后,能看到

img

看到了flag的长度为13

img

我们转换一下进制

img

编写脚本,

1
2
3
4
5
6
7
8
9
10
11
12
13
#include <stdio.h>
#include <stdlib.h>
int main() {
    int seed = 0x2766;
    int m;
    int v4;
    
    srand(seed);
    for ( m = 0; m < 13; ++m ) {
        v4 = rand();
        printf("%d", (unsigned int)(v4 % 8 + 1));
    }
}

运行出结果

img

但是不知道为啥不对,看网上别人的wp中说的是要在linux下运行正确

1
NSSCTF{5353316611126}

[LitCTF 2023]enbase64

img

看到我们的主函数

img

img

跟进base64

img

看到有一个换表操作

跟进一下

img

发现换了48次,并且有数值

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
v3[0] = 16;
 v3[1] = 34;
 v3[2] = 56;
 v3[3] = 7;
 v3[4] = 46;
 v3[5] = 2;
 v3[6] = 10;
 v3[7] = 44;
 v3[8] = 20;
 v3[9] = 41;
 v3[10] = 59;
 v3[11] = 31;
 v3[12] = 51;
 v3[13] = 60;
 v3[14] = 61;
 v3[15] = 26;
 v3[16] = 5;
 v3[17] = 40;
 v3[18] = 21;
 v3[19] = 38;
 v3[20] = 4;
 v3[21] = 54;
 v3[22] = 52;
 v3[23] = 47;
 v3[24] = 3;
 v3[25] = 11;
 v3[26] = 58;
 v3[27] = 48;
 v3[28] = 32;
 v3[29] = 15;
 v3[30] = 49;
 v3[31] = 14;
 v3[32] = 37;
 v3[34] = 55;
 v3[35] = 53;
 v3[36] = 24;
 v3[37] = 35;
 v3[38] = 18;
 v3[39] = 25;
 v3[40] = 33;
 v3[41] = 43;
 v3[42] = 50;
 v3[43] = 39;
 v3[44] = 12;
 v3[45] = 19;
 v3[46] = 13;
 v3[47] = 42;
 v3[48] = 9;
 v3[49] = 17;
 v3[50] = 28;
 v3[51] = 30;
 v3[52] = 23;
 v3[53] = 36;
 v3[54] = 1;
 v3[55] = 22;
 v3[56] = 57;
 v3[57] = 63;
 v3[58] = 8;
 v3[59] = 27;
 v3[60] = 6;
 v3[61] = 62;
 v3[62] = 45;
 v3[63] = 29;

我们先上一个脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
def basechange(base):# 定义一个索引数组,用于置换字符的位置
  index = [0] * 65
  index[0] = 16
  index[1] = 34
  index[2] = 56
  index[3] = 7
  index[4] = 46
  index[5] = 2
  index[6] = 10
  index[7] = 44
  index[8] = 20
  index[9] = 41
  index[10] = 59
  index[11] = 31
  index[12] = 51
  index[13] = 60
  index[14] = 61
  index[15] = 26
  index[16] = 5
  index[17] = 40
  index[18] = 21
  index[19] = 38
  index[20] = 4
  index[21] = 54
  index[22] = 52
  index[23] = 47
  index[24] = 3
  index[25] = 11
  index[26] = 58
  index[27] = 48
  index[28] = 32
  index[29] = 15
  index[30] = 49
  index[31] = 14
  index[32] = 37

  index[34] = 55
  index[35] = 53
  index[36] = 24
  index[37] = 35
  index[38] = 18
  index[39] = 25
  index[40] = 33
  index[41] = 43
  index[42] = 50
  index[43] = 39
  index[44] = 12
  index[45] = 19
  index[46] = 13
  index[47] = 42
  index[48] = 9
  index[49] = 17
  index[50] = 28
  index[51] = 30
  index[52] = 23
  index[53] = 36
  index[54] = 1
  index[55] = 22
  index[56] = 57
  index[57] = 63
  index[58] = 8
  index[59] = 27
  index[60] = 6
  index[61] = 62
  index[62] = 45
  index[63] = 29# 将字符串转换为列表,方便修改
  base = list(base)
  # 进行48次置换for i in range(48):
    # 创建一个临时列表,用于存储置换后的字符
    temp = [0] * 64# 遍历索引数组,按照索引交换字符for j in range(64):
      temp[j] = base[index[j]]
    # 将临时列表赋值给原始列表
    base = temp
  # 将列表转换回字符串,并返回return "".join(base)

# 定义一个字符串,用于测试
table = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"# 调用函数,对字符串进行置换
table = basechange(table)
# 打印置换后的字符串print(table)

运行后得到

1
gJ1BRjQie/FIWhEslq7GxbnL26M4+HXUtcpmVTKaydOP38of5v90ZSwrkYzCAuND

再继续替换标准base64编码

1
2
3
4
5
6
import base64
code = "gJ1BRjQie/FIWhEslq7GxbnL26M4+HXUtcpmVTKaydOP38of5v90ZSwrkYzCAuND"
flag = "GQTZlSqQXZ/ghxxwhju3hbuZ4wufWjujWrhYe7Rce7ju"
coder = str.maketrans(code, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789==")
print(flag.translate(coder))
print(base64.b64decode(flag.translate(coder)))

img

运行后获得flag

1
LitCTF{B@5E64_l5_tooo0_E3sy!!!!!}

不过我看有的wp直接利用动调获得了flag,还没试

[NISACTF 2022]ezpython

img

我们发现这道题是有打包工具的

这道题涉及到了python反编译,那就先说一下反编译的步骤

下载工具pyinstxtractor.py,并将这道题和工具放在同一个目录下,如下:

img

在当前目录打开终端

并执行python pyinstxtractor.py ez_python.exe

img

我们发现在这个文件夹下多出了一个文件夹

img

打开看到里面src.pyc和struct.pyc两个文件

我们用010打开struct.pyc,复制前十一字节成为src.pyc的前十一个字节

img

https://tool.lu/pyc/

可以用这个网站进行python反编译(珍惜机会,半小时就一次)

成功后得到以下代码,源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
import rsa
import base64
key1 = rsa.PrivateKey.load_pkcs1(base64.b64decode('LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcVFJQkFBS0NBUUVBcVJUZ0xQU3BuT0ZDQnJvNHR1K1FBWXFhTjI2Uk42TzY1bjBjUURGRy9vQ1NJSU00ClNBeEVWaytiZHpSN2FucVNtZ1l5MEhRWGhDZTM2U2VGZTF0ejlrd0taL3UzRUpvYzVBSzR1NXZ4UW5QOWY1cTYKYVFsbVAvVjJJTXB5NFFRNlBjbUVoNEtkNm81ZWRJUlB2SHd6V0dWS09OQ3BpL0taQ082V0tWYkpXcWh3WGpEQgpsSDFNVURzZ1gyVUM4b3Bodnk5dXIyek9kTlBocElJZHdIc1o5b0ZaWWtaMUx5Q0lRRXRZRmlKam1GUzJFQ1RVCkNvcU9acnQxaU5jNXVhZnFvZlB4eHlPb2wwYVVoVGhiaHE4cEpXL3FPSFdYd0xJbXdtNk96YXFVeks4NEYyY3UKYWRiRE5zeVNvaElHaHYzd0lBVThNSlFnOEthd1Z3ZHBzRWhlSXdJREFRQUJBb0lCQURBazdwUStjbEZtWHF1Vgp1UEoyRWxZdUJpMkVnVHNMbHZ0c1ltL3cyQnM5dHQ0bEh4QjgxYlNSNUYyMEJ2UlJ4STZ3OXlVZCtWZzdDd1lMCnA5bHhOL3JJdWluVHBkUEhYalNhaGNsOTVOdWNOWEZ4T0dVU05SZy9KNHk4dUt0VHpkV3NITjJORnJRa0o4Y2IKcWF5czNOM3RzWTJ0OUtrUndjbUJGUHNJalNNQzB5UkpQVEE4cmNqOFkranV3SHZjbUJPNHVFWXZXeXh0VHR2UQova0RQelBqdTBuakhkR055RytkSDdkeHVEV2Jxb3VZQnRMdzllZGxXdmIydTJ5YnZzTXl0NWZTOWF1a01NUjNoCnBhaDRMcU1LbC9ETTU3cE44Vms0ZTU3WE1zZUJLWm1hcEptcVNnSGdjajRPNWE2R1RvelN1TEVoTmVGY0l2Tm8KWFczTEFHRUNnWWtBc0J0WDNVcFQ3aUcveE5BZDdSWER2MENOY1k1QnNZOGY4NHQ3dGx0U2pjSWdBKy9nUjFMZQpzb2gxY1RRd1RadUYyRTJXL1hHU3orQmJDTVVySHNGWmh1bXV6aTBkbElNV3ZhU0dvSlV1OGpNODBlUjRiVTRyCmdYQnlLZVZqelkzNVlLejQ5TEVBcFRQcTZRYTVQbzhRYkF6czhuVjZtNXhOQkNPc0pQQ29zMGtCclFQaGo5M0cKOFFKNUFQWEpva0UrMmY3NXZlazZNMDdsaGlEUXR6LzRPYWRaZ1MvUVF0eWRLUmg2V3VEeGp3MytXeXc5ZjNUcAp5OXc0RmtLRzhqNVRpd1RzRmdzem94TGo5TmpSUWpqb3cyVFJGLzk3b2NxMGNwY1orMUtsZTI1cEJ3bk9yRDJBCkVpMUVkMGVEV3dJR2gzaFhGRmlRSzhTOG5remZkNGFMa1ZxK1V3S0JpRXRMSllIamFZY0N2dTd5M0JpbG1ZK0gKbGZIYkZKTkowaXRhazRZZi9XZkdlOUd6R1h6bEhYblBoZ2JrZlZKeEVBU3ZCOE5NYjZ5WkM5THdHY09JZnpLRApiczJQMUhuT29rWnF0WFNxMCt1UnBJdEkxNFJFUzYySDJnZTNuN2dlMzJSS0VCYnVKb3g3YWhBL1k2d3ZscUhiCjFPTEUvNnJRWk0xRVF6RjRBMmpENmdlREJVbHhWTUVDZVFDQjcyUmRoYktNL3M0TSsvMmYyZXI4Y2hwT01SV1oKaU5Hb3l6cHRrby9sSnRuZ1RSTkpYSXdxYVNCMldCcXpndHNSdEhGZnpaNlNyWlJCdTd5Y0FmS3dwSCtUd2tsNQpoS2hoSWFTNG1vaHhwUVNkL21td1JzbTN2NUNDdXEvaFNtNmNXYTdFOVZxc25heGQzV21tQ2VqTnp0MUxQWUZNCkxZMENnWWdKUHhpVTVraGs5cHB6TVAwdWU0clA0Z2YvTENldEdmQjlXMkIyQU03eW9VM2VsMWlCSEJqOEZ3UFQKQUhKUWtCeTNYZEh3SUpGTUV1RUZSSFFzcUFkSTlYVDBzL2V0QTg1Y3grQjhjUmt3bnFHakFseW1PdmJNOVNrMgptMnRwRi8rYm56ZVhNdFA3c0ZoR3NHOXJ5SEZ6UFNLY3NDSDhXWWx0Y1pTSlNDZHRTK21qblAwelArSjMKLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K'))
key2 = rsa.PublicKey.load_pkcs1(base64.b64decode('LS0tLS1CRUdJTiBSU0EgUFVCTElDIEtFWS0tLS0tCk1JSUJDZ0tDQVFFQXFSVGdMUFNwbk9GQ0JybzR0dStRQVlxYU4yNlJONk82NW4wY1FERkcvb0NTSUlNNFNBeEUKVmsrYmR6UjdhbnFTbWdZeTBIUVhoQ2UzNlNlRmUxdHo5a3dLWi91M0VKb2M1QUs0dTV2eFFuUDlmNXE2YVFsbQpQL1YySU1weTRRUTZQY21FaDRLZDZvNWVkSVJQdkh3eldHVktPTkNwaS9LWkNPNldLVmJKV3Fod1hqREJsSDFNClVEc2dYMlVDOG9waHZ5OXVyMnpPZE5QaHBJSWR3SHNaOW9GWllrWjFMeUNJUUV0WUZpSmptRlMyRUNUVUNvcU8KWnJ0MWlOYzV1YWZxb2ZQeHh5T29sMGFVaFRoYmhxOHBKVy9xT0hXWHdMSW13bTZPemFxVXpLODRGMmN1YWRiRApOc3lTb2hJR2h2M3dJQVU4TUpRZzhLYXdWd2Rwc0VoZUl3SURBUUFCCi0tLS0tRU5EIFJTQSBQVUJMSUMgS0VZLS0tLS0K'))
 
def encrypt1(message):
    crypto_text = rsa.encrypt(message.encode(), key2)
    return crypto_text
 
 
def decrypt1(message):
    message_str = rsa.decrypt(message, key1).decode()
    return message_str
 
 
def encrypt2(tips, key):
    ltips = len(tips)
    lkey = len(key)
    secret = []
    num = 0
    for each in tips:
        if num >= lkey:
            num = num % lkey
        secret.append(chr(ord(each) ^ ord(key[num])))
        num += 1
    
    return base64.b64encode(''.join(secret).encode()).decode()
 
 
def decrypt2(secret, key):
    tips = base64.b64decode(secret.encode()).decode()
    ltips = len(tips)
    lkey = len(key)
    secret = []
    num = 0
    for each in tips:
        if num >= lkey:
            num = num % lkey
        secret.append(chr(ord(each) ^ ord(key[num])))
        num += 1
    
    return ''.join(secret)
 
flag = 'IAMrG1EOPkM5NRI1cChQDxEcGDZMURptPzgHJHUiN0ASDgUYUB4LGQMUGAtLCQcJJywcFmddNno/PBtQbiMWNxsGLiFuLwpiFlkyP084Ng0lKj8GUBMXcwEXPTJrRDMdNwMiHVkCBFklHgIAWQwgCz8YQhp6E1xUHgUELxMtSh0xXzxBEisbUyYGOx1DBBZWPg1CXFkvJEcxO0ADeBwzChIOQkdwXQRpQCJHCQsaFE4CIjMDcwswTBw4BS9mLVMLLDs8HVgeQkscGBEBFSpQFQQgPTVRAUpvHyAiV1oPE0kyADpDbF8AbyErBjNkPh9PHiY7O1ZaGBADMB0PEVwdCxI+MCcXARZiPhwfH1IfKitGOF42FV8FTxwqPzBPAVUUOAEKAHEEP2QZGjQVV1oIS0QBJgBDLx1jEAsWKGk5Nw03MVgmWSE4Qy5LEghoHDY+OQ9dXE44Th0='
key = 'this is key'
 
try:
    result = input('please input key: ')this is true key
    if result == decrypt2('AAAAAAAAAAAfFwwRSAIWWQ==', key):
        print(decrypt1(base64.b64decode(decrypt2(flag, result))))
    elif result == key:
        print('flag{0e26d898-b454-43de-9c87-eb3d122186bc}')
    else:
        print('key is error.')
except Exception:
    e = None
    
    try:
        pass
    finally:
        e = None
        del e
print(decrypt2('AAAAAAAAAAAfFwwRSAIWWQ==', key))  #补充的

我们需要得到正确的key

img

我们看到正确的key=this is true key

再次运行,得到flag

img

1
flag{5236cb7d-f4a7-4080-9bde-8b9e061609ad}