BUUCTF Reverse Writeups (Part 2)

[2019 Red Hat Cup]easyRE

This challenge is a bit of a trap...

There are two inputs. The first:

a=[0x49,0x6f,0x64,0x6c,0x3e,0x51,0x6e,0x62,0x28,0x6f,0x63,0x79,0x7f,0x79,0x2e,0x69,0x7f,0x64,0x60,0x33,0x77,0x7d,0x77,0x65,0x6b,0x39,0x7b,0x69,0x79,0x3d,0x7e,0x79,0x4c,0x40,0x45,0x43]

for i in range(len(a)):
    print(chr(a[i]^i),end="")

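This yields Info:The first four chars are `flag`

The second is a ciphertext that has been base64-encoded multiple times; decoding it gives https://bbs.pediy.com/thread-254172.htm

Reading that article, it has "gotcha" written all over it, and I realized I had been led down the wrong path. Finding the correct function is a bit difficult, though: after the two outputs, fini uses sub_400D35.

It contains f and g; combined with the hint from the first input, you can guess that this is the function.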

byte_6CC0A0=[0x40,0x35,0x20,0x56,0x5D,0x18,0x22,0x45,0x17,0x2F,0x24,0x6E,0x62,0x3C,0x27,0x54,0x48,0x6C,0x24,0x6E,0x72,0x3C,0x32,0x45,0x5B]
f="flag"
v5=[0,0,0,0]
b=[0x40,0x35,0x20,0x56]
flag=[]
for i in range(4):
    v5[i]=b[i]^ord(f[i])

for i in range(len(byte_6CC0A0)):
    flag.append(v5[i%4]^byte_6CC0A0[i])
for i in flag:
    print(chr(i),end="")

This gives the flag.

[SUCTF2019]SignIn

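Seeing 65537, you can more or less guess that this is RSA. It compares v6 and v7; before that there are some string assignments that give the values of n and e. v7 is the ciphertext and v6 is the input plaintext.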

import gmpy2
import rsa

e=65537
n=103461035900816914121390101299049044413950405173712170434161686539878160984549
p=282164587459512124844245113950593348271
q=366669102002966856876605669837014229419

phin = (p-1) * (q-1)
d=gmpy2.invert(e, phin)

key=rsa.PrivateKey(n,e,int(d),p,q)

c=0xad939ff59f6e70bcbfad406f2494993757eee98b91bc244184a377520d06fc35

m=gmpy2.powmod(c,d,n)

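# Python 3: convert the integer plaintext to bytes, then decode it as text
m=int(m)
print(m.to_bytes((m.bit_length()+7)//8,'big').decode())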

[GUET-CTF2019]re

An ELF packed with UPX; after unpacking, the key part is visible.

Grunt work:

flag = []
flag.append(166163712/1629056)
flag.append(731332800/6771600)
flag.append(357245568/3682944)
flag.append(1074393000/10431000)
flag.append(489211344/3977328)
flag.append(518971936/5138336)
flag.append(406741500/7532250)
flag.append(294236496/5551632)
flag.append(177305856/3409728)
flag.append(650683500/13013670)
flag.append(298351053/6088797)
flag.append(386348487/7884663)
flag.append(438258597/8944053)
flag.append(249527520/5198490)
flag.append(445362764/4544518)
flag.append(981182160/10115280)
flag.append(174988800/3645600)
flag.append(493042704/9667504)
flag.append(257493600/5364450)
flag.append(767478780/13464540)
flag.append(312840624/5488432)
flag.append(1404511500/14479500)
flag.append(316139670/6451830)
flag.append(619005024/6252576)
flag.append(372641472/7763364)
flag.append(373693320/7327320)
flag.append(498266640/8741520)
flag.append(452465676/8871876)
flag.append(208422720/4086720)
flag.append(515592000/9374400)
flag.append(719890500/5759124)

for i in range(len(flag)):
    print(chr(int(flag[i])),end="")

print(len(flag))

Note: one character is not given here: a[6]=1

[FlareOn4]login

Hmm, we are given a web page; the key code is:

document.getElementById("prompt").onclick = function () {
    var flag = document.getElementById("flag").value;
    var rotFlag = flag.replace(/[a-zA-Z]/g, function(c){return String.fromCharCode((c <= "Z" ? 90 : 122) >= (c = c.charCodeAt(0) + 13) ? c : c - 26);});
    if ("PyvragFvqrYbtvafNerRnfl@syner-ba.pbz" == rotFlag) {
        alert("Correct flag!");
    } else {
        alert("Incorrect flag, rot again");
    }
}

This is just a shift-by-13 cipher; decode it as a Caesar cipher to get ClientSideLoginsAreEasy@flare-on.com

[GWCTF 2019]xxor

The input is 6 numbers, which are encrypted and then verified in sub_400770.

from z3 import*

f=Solver()
x=[Int('x%d'%i) for i in range(6)]

f.add(x[1] == 0x20CAACF4)
f.add(x[5] == 0x84F30420)
f.add(x[0] == 0xDF48EF7E)
f.add(x[2] - x[3] == 0x84A236FF)
f.add(x[3] + x[4] == 0xFA6CB703)
f.add(x[2] - x[4] == 0x42D731A8)


if f.check() == sat:
    for i in range(6):
        print(hex(f.model()[x[i]].as_long()))

This gives the encrypted data.

Now look at the encryption part.

You can see that this is probably a modified TEA.

#include <stdint.h>
#include <stdio.h>
void decipher(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4]) {
    unsigned int i;
    uint32_t v0=v[0], v1=v[1], delta=0x458BCD42, sum=delta*num_rounds;
    for (i=0; i < num_rounds; i++) {
        v1 -= (v0+sum+20)^((v0<<6)+key[2])^((v0>>9)+key[3])^0x10;
        v0 -= (v1+sum+11)^((v1<<6)+key[0])^((v1 >> 9)+key[1])^0x20;
        sum -= delta;
    }
    v[0]=v0; v[1]=v1;
}

int main()  {
    uint32_t v[3][2]={0xdf48ef7e,0x20caacf4,0xe0f30fd5,0x5c50d8d6,0x9e1bde2d,0x84f30420};
    uint32_t const k[4]={2,2,3,4};
    unsigned int r=64;
    for(int i=0;i<3;i++){
        decipher(r, v[i], k);
        printf("%u 解密后的数据:%x %x\n",r,v[i][0],v[i][1]);
    }
    return 0;
}

Then convert to a string:

def hex_str(x):
    temp=''
    for i in range(len(x)//2):
        temp+=chr(int(x[2*i:2*i+2],16))
    return temp
a = ["666c61","677b72","655f69","735f67","726561","74217d"]
for i in range(6):
    print(hex_str(a[i]),end="")

This gives the flag.

[ACTF Freshman Contest 2020]usualCrypt

Base64 with a modified table.

a="A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9 + /"
a=a.split()
for i in range(6,15):
    temp = a[i+10]
    a[i+10] = a[i]
    a[i] = temp

for i in range(len(a)):
    print(a[i],end="")

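This gives the modified table.

A case swap is also applied here; swap the case of the ciphertext and then base64-decode it to get the flag.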
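The two steps above combined into one decoder, as an added example that is not code from the original post. The sample plaintext is constructed, `encode` exists only to produce a sample ciphertext, and the order (undo the case swap first, then decode with the swapped table) is an assumption based on the description above.

```python
import base64

STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def swapped_table():
    """Rebuild the table as the loop above does: swap entries i and i+10 for i in 6..14."""
    t = list(STD)
    for i in range(6, 15):
        t[i], t[i + 10] = t[i + 10], t[i]
    return "".join(t)


def decode(ciphertext):
    """Undo the case swap, map custom-table symbols back to standard ones, then decode."""
    undone = ciphertext.swapcase()
    to_std = str.maketrans(swapped_table(), STD)
    # '=' padding is untouched by both swapcase() and translate()
    return base64.b64decode(undone.translate(to_std))


def encode(plaintext):
    """Inverse of decode(); used here only to build a constructed sample ciphertext."""
    to_custom = str.maketrans(STD, swapped_table())
    return base64.b64encode(plaintext).decode().translate(to_custom).swapcase()


if __name__ == "__main__":
    sample = b"flag{constructed_sample}"  # constructed input, not the challenge flag
    ct = encode(sample)
    print(swapped_table())
    print(ct, "->", decode(ct))
```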

[HDCTF2019]Maze

A simple maze challenge.

*******+********* ******    ****   ******* **F******    **************
1111111211
1111111311
1111333311
1133311111
1131141111
1133331111
1111111111
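// Because of font issues, I changed it to digits: it starts at 2 and ends at 4; 3 is path and 1 is wall

The program has junk code inserted, so F5 does not work, but it is not needed anyway. Dynamic debugging directly shows that the input is wasd; walk the maze once to get the flag.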
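Walking the maze can also be automated. The following breadth-first search over the digit grid above is an added example, not code from the original post; it assumes the usual key mapping w=up, s=down, a=left, d=right, which the page does not spell out.

```python
from collections import deque

# Digit grid from the write-up: 2 = start, 4 = end, 3 = path, 1 = wall
GRID = """1111111211
1111111311
1111333311
1133311111
1131141111
1133331111
1111111111""".split("\n")

# Assumed key mapping (not stated on the page): w=up, s=down, a=left, d=right
MOVES = {"w": (-1, 0), "s": (1, 0), "a": (0, -1), "d": (0, 1)}


def find(ch):
    """Return (row, col) of the first cell containing ch."""
    for r, row in enumerate(GRID):
        c = row.find(ch)
        if c != -1:
            return r, c
    raise ValueError(f"{ch!r} not in grid")


def solve():
    """Shortest key sequence from the '2' cell to the '4' cell, or None."""
    start, goal = find("2"), find("4")
    queue, seen = deque([(start, "")]), {start}
    while queue:
        (r, c), path = queue.popleft()
        if (r, c) == goal:
            return path
        for key, (dr, dc) in MOVES.items():
            nr, nc = r + dr, c + dc
            inside = 0 <= nr < len(GRID) and 0 <= nc < len(GRID[0])
            if inside and GRID[nr][nc] != "1" and (nr, nc) not in seen:
                seen.add((nr, nc))
                queue.append(((nr, nc), path + key))
    return None  # no route between start and end


if __name__ == "__main__":
    print(solve())
```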

[BJDCTF2020]JustRE

Search the strings:

sprintf("bjd{%d%d2069a45792d233ac}",19999,0)

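This gives the flag.

[V&N2020 Open Competition]strangeCpp

Use the strings to locate the main function, and find a chunk of data.

An array has been inserted there; find where it is referenced.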

 

The value of dword_7FF7B86F1190 is unknown; it is set in sub_7FF7B86E1384.

dword_7FF7B86F1190 can be brute-forced from result.

# -*- coding:utf-8 -*-
a=[0x26,0x2C,0x21,0x27,0x3B,0x0D,0x04,0x75,0x68,0x34,0x28,0x25,0x0E,0x35,0x2D,0x69,0x3D]

result=607052314
n=0
for i in range(14549743):
    v=(((i<<8)^(i>>12))*291)&0xffffffff
    n=i
    if(v==result):
        print(str(i))   
        break
for i in range(17):
    print(chr((a[i]^n)&0xff),end="")

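This gives:

[ACTF Freshman Contest 2020]easyre

UPX; after unpacking, load it into IDA.

The logic is very simple: the input inside {} is used as an index into a substitution table.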

# -*- coding:utf-8 -*-
table="~}|{zyxwvutsrqponmlkjihgfedcba`_^]\\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-,+*)('&%$# !\""
cmp="*F'\"N,\"(I?+@"
flag=""
print(len(cmp))
for i in range(len(cmp)):
    for j in range(len(table)):
        if(cmp[i]==table[j]):
            print(chr(j+1),end="")
            continue
#ACTF{U9X_1S_W6@T?}

Hmm, so what is the other file they provided?

[ACTF Freshman Contest 2020]rome

Nothing much to say.

a="Qsw3sj_lz4_Ujw@l"
for j in range(len(a)):  
    for i in range(48,123):
        if(i<90 and i>64):
            t=(i-51)%26+65
            if(ord(a[j])==t):
                print(chr(i),end="")
                break
        elif(i>96):
            t=(i-79)%26+97
            if(ord(a[j])==t):
                print(chr(i),end="")
                break
        else:
            if(i==ord(a[j])):
                print(chr(i),end="")
                break

[MRCTF2020]Transform

Another challenge with nothing much to say: reorder first, then XOR.

a="67 79 7B 7F 75 2B 3C 52 53 79 57 5E 5D 42 7B 2D 2A 66 42 7E 4C 57 79 41 6B 7E 65 3C 5C 45 6F 62 4D"
b="09 0A 0F 17 07 18 0C 06 01 10 03 11 20 1D 0B 1E 1B 16 04 0D 13 14 15 02 19 05 1F 08 12 1A 1C 0E 00"
flag=[]
a=a.split()
b=b.split()
# Parse the hex strings with int(x,16) rather than eval()
for i in range(len(a)):
    a[i]=int(a[i],16)
    b[i]=int(b[i],16)

for i in range(len(a)):
    a[i]=(a[i]^b[i])
for i in range(len(a)):
    flag.append(0)
for i in range(len(a)):
    flag[b[i]]=a[i]
for i in range(len(a)):
    print(chr(flag[i]),end="")

[MRCTF2020]Xor

Still nothing much to say; just XOR directly.

a="MSAWB~FXZ:J:`tQJ\"N@ bpdd}8g"

for i in range(len(a)):
    print(chr(ord(a[i])^i),end="")

[WUSTCTF2020]Cr0ssfun

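Nothing much to say; just piece the string together.

[WUSTCTF2020]level3

The base64 table is swapped in init_array, but since O_OLookAtYou is given it is not very interesting.

[ACTF Freshman Contest 2020]Universe_final_answer

Just use z3.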

from z3 import *

v1,v2,v3,v4,v5,v6,v7,v8,v9,v11=BitVecs('v1 v2 v3 v4 v5 v6 v7 v8 v9 v11',16)

f=Solver()
f.add(-85 * v9 + 58 * v8 + 97 * v6 + v7 + -45 * v5 + 84 * v4 + 95 * v2 - 20 * v1 + 12 * v3 == 12613)
f.add(30 * v11 + -70 * v9 + -122 * v6 + -81 * v7 + -66 * v5 + -115 * v4 + -41 * v3 + -86 * v1 - 15 * v2 - 30 * v8 == -54400)
f.add(-103 * v11 + 120 * v8 + 108 * v7 + 48 * v4 + -89 * v3 + 78 * v1 - 41 * v2 + 31 * v5 - (v6 << 6) - 120 * v9 == -10283)
f.add(71 * v6 + (v7 << 7) + 99 * v5 + -111 * v3 + 85 * v1 + 79 * v2 - 30 * v4 - 119 * v8 + 48 * v9 - 16 * v11 == 22855)
f.add(5 * v11 + 23 * v9 + 122 * v8 + -19 * v6 + 99 * v7 + -117 * v5 + -69 * v3 + 22 * v1 - 98 * v2 + 10 * v4 == -2944)
f.add(-54 * v11 + -23 * v8 + -82 * v3 + -85 * v2 + 124 * v1 - 11 * v4 - 8 * v5 - 60 * v7 + 95 * v6 + 100 * v9 == -2222)
f.add(-83 * v11 + -111 * v7 + -57 * v2 + 41 * v1 + 73 * v3 - 18 * v4 + 26 * v5 + 16 * v6 + 77 * v8 - 63 * v9 == -13258)
f.add(81 * v11 + -48 * v9 + 66 * v8 + -104 * v6 + -121 * v7 + 95 * v5 + 85 * v4 + 60 * v3 + -85 * v2 + 80 * v1 == -1559)
f.add(101 * v11 + -85 * v9 + 7 * v6 + 117 * v7 + -83 * v5 + -101 * v4 + 90 * v3 + -28 * v1 + 18 * v2 - v8 == 6308)
f.add(99 * v11 + -28 * v9 + 5 * v8 + 93 * v6 + -18 * v7 + -127 * v5 + 6 * v4 + -9 * v3 + -93 * v1 + 58 * v2 == -1697)

if f.check() == sat:
        print(f.model())

 

posted @ 2020-05-11 16:25  Harmonica11