YCBCTF2020 re

Bytecode

chall.txt

  4           0 LOAD_CONST               0 (3)
              3 LOAD_CONST               1 (37)
              6 LOAD_CONST               2 (72)
              9 LOAD_CONST               3 (9)
             12 LOAD_CONST               4 (6)
             15 LOAD_CONST               5 (132)
             18 BUILD_LIST               6
             21 STORE_NAME               0 (en)

  5          24 LOAD_CONST               6 (101)
             27 LOAD_CONST               7 (96)
             30 LOAD_CONST               8 (23)
             33 LOAD_CONST               9 (68)
             36 LOAD_CONST              10 (112)
             39 LOAD_CONST              11 (42)
             42 LOAD_CONST              12 (107)
             45 LOAD_CONST              13 (62)
             48 LOAD_CONST               7 (96)
             51 LOAD_CONST              14 (53)
             54 LOAD_CONST              15 (176)
             57 LOAD_CONST              16 (179)
             60 LOAD_CONST              17 (98)
             63 LOAD_CONST              14 (53)
             66 LOAD_CONST              18 (67)
             69 LOAD_CONST              19 (29)
             72 LOAD_CONST              20 (41)
             75 LOAD_CONST              21 (120)
             78 LOAD_CONST              22 (60)
             81 LOAD_CONST              23 (106)
             84 LOAD_CONST              24 (51)
             87 LOAD_CONST               6 (101)
             90 LOAD_CONST              25 (178)
             93 LOAD_CONST              26 (189)
             96 LOAD_CONST               6 (101)
             99 LOAD_CONST              27 (48)
            102 BUILD_LIST              26
            105 STORE_NAME               1 (output)

  7         108 LOAD_CONST              28 ('welcome to GWHT2020')
            111 PRINT_ITEM          
            112 PRINT_NEWLINE       

  9         113 LOAD_NAME                2 (raw_input)
            116 LOAD_CONST              29 ('please input your flag:')
            119 CALL_FUNCTION            1
            122 STORE_NAME               3 (flag)

 10         125 LOAD_NAME                3 (flag)
            128 STORE_NAME               4 (str)

 12         131 LOAD_NAME                5 (len)
            134 LOAD_NAME                4 (str)
            137 CALL_FUNCTION            1
            140 STORE_NAME               6 (a)

 13         143 LOAD_NAME                6 (a)
            146 LOAD_CONST              30 (38)
            149 COMPARE_OP               0 (<)
            152 POP_JUMP_IF_FALSE      173

 14         155 LOAD_CONST              31 ('lenth wrong!')    len(flag)!<38
            158 PRINT_ITEM          
            159 PRINT_NEWLINE       

 15         160 LOAD_NAME                7 (exit)
            163 LOAD_CONST              32 (0)
            166 CALL_FUNCTION            1
            169 POP_TOP             
            170 JUMP_FORWARD             0 (to 173)

 17     >>  173 LOAD_NAME                8 (ord)
            176 LOAD_NAME                4 (str)
            179 LOAD_CONST              32 (0)
            182 BINARY_SUBSCR       
            183 CALL_FUNCTION            1
            186 LOAD_CONST              33 (2020)
            189 BINARY_MULTIPLY     
            190 LOAD_NAME                8 (ord)
            193 LOAD_NAME                4 (str)
            196 LOAD_CONST              34 (1)
            199 BINARY_SUBSCR       
            200 CALL_FUNCTION            1
            203 BINARY_ADD          
            204 LOAD_CONST              33 (2020)
            207 BINARY_MULTIPLY     
            208 LOAD_NAME                8 (ord)
            211 LOAD_NAME                4 (str)
            214 LOAD_CONST              35 (2)
            217 BINARY_SUBSCR       
            218 CALL_FUNCTION            1
            221 BINARY_ADD          
            222 LOAD_CONST              33 (2020)
            225 BINARY_MULTIPLY     
            226 LOAD_NAME                8 (ord)
            229 LOAD_NAME                4 (str)
            232 LOAD_CONST               0 (3)
            235 BINARY_SUBSCR       
            236 CALL_FUNCTION            1
            239 BINARY_ADD          
            240 LOAD_CONST              33 (2020)
            243 BINARY_MULTIPLY     
            244 LOAD_NAME                8 (ord)
            247 LOAD_NAME                4 (str)
            250 LOAD_CONST              36 (4)
            253 BINARY_SUBSCR       
            254 CALL_FUNCTION            1
            257 BINARY_ADD          
            258 LOAD_CONST              37 (1182843538814603)
            261 COMPARE_OP               2 (==)
            264 POP_JUMP_IF_FALSE      275

 18         267 LOAD_CONST              38 ('good!continue\xe2\x80\xa6\xe2\x80\xa6')
            270 PRINT_ITEM          
            271 PRINT_NEWLINE       
            272 JUMP_FORWARD            15 (to 290)

 20     >>  275 LOAD_CONST              39 ('bye~')
            278 PRINT_ITEM          
            279 PRINT_NEWLINE       

 21         280 LOAD_NAME                7 (exit)
            283 LOAD_CONST              32 (0)
            286 CALL_FUNCTION            1
            289 POP_TOP             

 23     >>  290 BUILD_LIST               0
            293 STORE_NAME               9 (x)

 24         296 LOAD_CONST              40 (5)
            299 STORE_NAME              10 (k)

 25         302 SETUP_LOOP             128 (to 433)
            305 LOAD_NAME               11 (range)
            308 LOAD_CONST              41 (13)
            311 CALL_FUNCTION            1
            314 GET_ITER            
        >>  315 FOR_ITER               114 (to 432)
            318 STORE_NAME              12 (i)

 26         321 LOAD_NAME                8 (ord)     ord(str[k])
            324 LOAD_NAME                4 (str)
            327 LOAD_NAME               10 (k)
            330 BINARY_SUBSCR       
            331 CALL_FUNCTION            1
            334 STORE_NAME              13 (b)

 27         337 LOAD_NAME                8 (ord)     ord(str[k+1])
            340 LOAD_NAME                4 (str)
            343 LOAD_NAME               10 (k)
            346 LOAD_CONST              34 (1)
            349 BINARY_ADD          
            350 BINARY_SUBSCR       
            351 CALL_FUNCTION            1
            354 STORE_NAME              14 (c)

 28         357 LOAD_NAME               14 (c)
            360 LOAD_NAME                0 (en)      en[i%6]
            363 LOAD_NAME               12 (i)
            366 LOAD_CONST               4 (6)
            369 BINARY_MODULO       
            370 BINARY_SUBSCR       
            371 BINARY_XOR                           
            372 STORE_NAME              15 (a11)     a11=en[i%6]^ord(str[k+1])

 29         375 LOAD_NAME               13 (b)
            378 LOAD_NAME                0 (en)
            381 LOAD_NAME               12 (i)
            384 LOAD_CONST               4 (6)
            387 BINARY_MODULO       
            388 BINARY_SUBSCR       
            389 BINARY_XOR          
            390 STORE_NAME              16 (a22)     a22=en[i%6]^ord(str[k])

 30         393 LOAD_NAME                9 (x)       x.append(a11)
            396 LOAD_ATTR               17 (append)
            399 LOAD_NAME               15 (a11)    
            402 CALL_FUNCTION            1
            405 POP_TOP             

 31         406 LOAD_NAME                9 (x)       x.append(a22)
            409 LOAD_ATTR               17 (append)
            412 LOAD_NAME               16 (a22)
            415 CALL_FUNCTION            1
            418 POP_TOP             

 32         419 LOAD_NAME               10 (k)       k+=2
            422 LOAD_CONST              35 (2)
            425 INPLACE_ADD         
            426 STORE_NAME              10 (k)
            429 JUMP_ABSOLUTE          315
        >>  432 POP_BLOCK           

 33     >>  433 LOAD_NAME                9 (x)
            436 LOAD_NAME                1 (output)
            439 COMPARE_OP               2 (==)
            442 POP_JUMP_IF_FALSE      453

 34         445 LOAD_CONST              38 ('good!continue\xe2\x80\xa6\xe2\x80\xa6')
            448 PRINT_ITEM          
            449 PRINT_NEWLINE       
            450 JUMP_FORWARD            15 (to 468)

 36     >>  453 LOAD_CONST              42 ('oh,you are wrong!')
            456 PRINT_ITEM          
            457 PRINT_NEWLINE       

 37         458 LOAD_NAME                7 (exit)
            461 LOAD_CONST              32 (0)
            464 CALL_FUNCTION            1
            467 POP_TOP             

 39     >>  468 LOAD_NAME                5 (len)
            471 LOAD_NAME                4 (str)
            474 CALL_FUNCTION            1
            477 STORE_NAME              18 (l)

 40         480 LOAD_NAME                8 (ord)
            483 LOAD_NAME                4 (str)
            486 LOAD_NAME               18 (l)
            489 LOAD_CONST              43 (7)
            492 BINARY_SUBTRACT     
            493 BINARY_SUBSCR       
            494 CALL_FUNCTION            1
            497 STORE_NAME              19 (a1)

 41         500 LOAD_NAME                8 (ord)
            503 LOAD_NAME                4 (str)
            506 LOAD_NAME               18 (l)
            509 LOAD_CONST               4 (6)
            512 BINARY_SUBTRACT     
            513 BINARY_SUBSCR       
            514 CALL_FUNCTION            1
            517 STORE_NAME              20 (a2)

 42         520 LOAD_NAME                8 (ord)
            523 LOAD_NAME                4 (str)
            526 LOAD_NAME               18 (l)
            529 LOAD_CONST              40 (5)
            532 BINARY_SUBTRACT     
            533 BINARY_SUBSCR       
            534 CALL_FUNCTION            1
            537 STORE_NAME              21 (a3)

 43         540 LOAD_NAME                8 (ord)
            543 LOAD_NAME                4 (str)
            546 LOAD_NAME               18 (l)
            549 LOAD_CONST              36 (4)
            552 BINARY_SUBTRACT     
            553 BINARY_SUBSCR       
            554 CALL_FUNCTION            1
            557 STORE_NAME              22 (a4)

 44         560 LOAD_NAME                8 (ord)
            563 LOAD_NAME                4 (str)
            566 LOAD_NAME               18 (l)
            569 LOAD_CONST               0 (3)
            572 BINARY_SUBTRACT     
            573 BINARY_SUBSCR       
            574 CALL_FUNCTION            1
            577 STORE_NAME              23 (a5)

 45         580 LOAD_NAME                8 (ord)
            583 LOAD_NAME                4 (str)
            586 LOAD_NAME               18 (l)
            589 LOAD_CONST              35 (2)
            592 BINARY_SUBTRACT     
            593 BINARY_SUBSCR       
            594 CALL_FUNCTION            1
            597 STORE_NAME              24 (a6)

 46         600 LOAD_NAME               19 (a1)
            603 LOAD_CONST               0 (3)
            606 BINARY_MULTIPLY     
            607 LOAD_NAME               20 (a2)
            610 LOAD_CONST              35 (2)
            613 BINARY_MULTIPLY     
            614 BINARY_ADD          
            615 LOAD_NAME               21 (a3)
            618 LOAD_CONST              40 (5)
            621 BINARY_MULTIPLY     
            622 BINARY_ADD          
            623 LOAD_CONST              44 (1003)
            626 COMPARE_OP               2 (==)
            629 POP_JUMP_IF_FALSE      807

 47         632 LOAD_NAME               19 (a1)
            635 LOAD_CONST              36 (4)
            638 BINARY_MULTIPLY     
            639 LOAD_NAME               20 (a2)
            642 LOAD_CONST              43 (7)
            645 BINARY_MULTIPLY     
            646 BINARY_ADD          
            647 LOAD_NAME               21 (a3)
            650 LOAD_CONST               3 (9)
            653 BINARY_MULTIPLY     
            654 BINARY_ADD          
            655 LOAD_CONST              45 (2013)
            658 COMPARE_OP               2 (==)
            661 POP_JUMP_IF_FALSE      807

 48         664 LOAD_NAME               19 (a1)
            667 LOAD_NAME               20 (a2)
            670 LOAD_CONST              46 (8)
            673 BINARY_MULTIPLY     
            674 BINARY_ADD          
            675 LOAD_NAME               21 (a3)
            678 LOAD_CONST              35 (2)
            681 BINARY_MULTIPLY     
            682 BINARY_ADD          
            683 LOAD_CONST              47 (1109)
            686 COMPARE_OP               2 (==)
            689 POP_JUMP_IF_FALSE      804

 49         692 LOAD_NAME               22 (a4)
            695 LOAD_CONST               0 (3)
            698 BINARY_MULTIPLY     
            699 LOAD_NAME               23 (a5)
            702 LOAD_CONST              35 (2)
            705 BINARY_MULTIPLY     
            706 BINARY_ADD          
            707 LOAD_NAME               24 (a6)
            710 LOAD_CONST              40 (5)
            713 BINARY_MULTIPLY     
            714 BINARY_ADD          
            715 LOAD_CONST              48 (671)
            718 COMPARE_OP               2 (==)
            721 POP_JUMP_IF_FALSE      801

 50         724 LOAD_NAME               22 (a4)
            727 LOAD_CONST              36 (4)
            730 BINARY_MULTIPLY     
            731 LOAD_NAME               23 (a5)
            734 LOAD_CONST              43 (7)
            737 BINARY_MULTIPLY     
            738 BINARY_ADD          
            739 LOAD_NAME               24 (a6)
            742 LOAD_CONST               3 (9)
            745 BINARY_MULTIPLY     
            746 BINARY_ADD          
            747 LOAD_CONST              49 (1252)
            750 COMPARE_OP               2 (==)
            753 POP_JUMP_IF_FALSE      798

 51         756 LOAD_NAME               22 (a4)
            759 LOAD_NAME               23 (a5)
            762 LOAD_CONST              46 (8)
            765 BINARY_MULTIPLY     
            766 BINARY_ADD          
            767 LOAD_NAME               24 (a6)
            770 LOAD_CONST              35 (2)
            773 BINARY_MULTIPLY     
            774 BINARY_ADD          
            775 LOAD_CONST              50 (644)
            778 COMPARE_OP               2 (==)
            781 POP_JUMP_IF_FALSE      795

 52         784 LOAD_CONST              51 ('congraduation!you get the right flag!')
            787 PRINT_ITEM          
            788 PRINT_NEWLINE       
            789 JUMP_ABSOLUTE          795
            792 JUMP_ABSOLUTE          798
        >>  795 JUMP_ABSOLUTE          801
        >>  798 JUMP_ABSOLUTE          804
        >>  801 JUMP_ABSOLUTE          807
        >>  804 JUMP_FORWARD             0 (to 807)
        >>  807 LOAD_CONST              52 (None)
            810 RETURN_VALUE 

分为三个部分
第一个部分首先判断len(flag) 接下来猜得出来是判断flag的前缀是否为GWHT{
接下来的部分是对开头给出的en[]str[]作了一个变换 最后x要与output相等
这里我们反着按逻辑做一次就能还原flag了
这里有个注意点是 ik是分开的
原来的字节码k是从5开始这里我们只取了中间的所以改为从0开始

第三部分:
str[len-7]~str[len-2]这6个数作了一个约束
直接z3约束求解即可
至于最后一个字符肯定是}

solution.py

from z3 import *
en = [3,37,72,9,6,132]
output = [101,96,23,68,112,42,107,62,96,53,176,179,98,53,67,29,41,120,60,106,51,101,178,189,101,48]
flag = ''
k = 0
for i in range(0,13):
    flag += chr((output[k+1])^en[i%6])
    flag += chr(output[k]^en[i%6])
    k+=2
a1,a2,a3,a4,a5,a6 = Ints('a1 a2 a3 a4 a5 a6')
s = Solver()
s.add(3*a1+2*a2+5*a3==1003)
s.add(4*a1+7*a2+9*a3==2013)
s.add(a1+8*a2+2*a3==1109)
s.add(3*a4+2*a5+5*a6==671)
s.add(4*a4+7*a5+9*a6==1252)
s.add(a4+8*a5+2*a6==644)
check = s.check()
# print(s.model())
# [a5 = 55, a2 = 101, a6 = 51, a3 = 102, a4 = 102, a1 = 97]
qwq = [97,101,102,102,55,51]
for qaq in qwq:
    flag += chr(qaq)
print('GWHT{'+flag+'}')

easyre

三段加密
image
分别逆向即可
solution.py

from base64 import *
Str2 = 'EmBmP5Pmn7QcPU4gLYKv5QcMmB3PWHcP5YkPq3=cT6QckkPckoRG'
flag = ''
for c in Str2:
    c = ord(c)
    if 48<=c<=48+9:
        for v5 in range(48,57):
            if (v5 - 48 + 3) % 10 + 48 == c:
                flag += chr(v5)
                break
    elif 97<=c<=97+25:
        for v5 in range(97,123):
            if (v5 - 97 + 3) % 26 + 97 == c:
                flag += chr(v5)
                break
    elif 65<=c<=65+25:
        for v5 in range(65,91):
            if (v5 - 65 + 3) % 26 + 65 == c:
                flag += chr(v5)
                break
    else:
        flag += chr(c)
print(flag)
flag = 'BjYjM2Mjk4NzMR1dIVHs2NzJjY0MTEzM2VhMn0=zQ3NzhhMzhlOD'
f = []
for c in flag:
    f.append(c)
flag = f
fflag = [0]*52
for i in range(13):
    fflag[26+i] = flag[i]
    fflag[i] = flag[i+13]
    fflag[i+39] = flag[i+26]
    fflag[i+13] = flag[i+39]
flag = ''
for c in fflag:
    flag += c
print(b64decode(flag.encode()))

image

posted @ 2023-10-20 16:17  N0zoM1z0  阅读(8)  评论(0编辑  收藏  举报