2022 网刃杯 wp
http://www.snowywar.top/?p=3099
https://mp.weixin.qq.com/s/HOWrp-dehXGraYz2uuGOjw
已读
需要安全感
carefulguy
喜欢移动的黑客
xyp07
ICS
easyiec
直接流量追踪就显示
LEDBOOM
把所有数据包的长度导出来,统计每个长度出现的次数,关注出现频次为 3 的长度:长度为 123。再找出长度为 123 的包。
from collections import Counter
# Presumably the per-packet lengths exported from the capture, in capture
# order (the surrounding notes describe exporting the packets and looking at
# length frequencies) -- confirm against the pcap.
a = [87,301,87,105,54,87,275,54,60,54,55,60,60,54,55,60,60,54,55,60,60,54,55,60,87,87,54,87,60,95,54,87,111,54,60,54,55,60,133,95,54,133,95,54,133,95,54,133,95,133,95,133,95,54,233,80,233,80,233,80,54,233,80,233,80,54,233,80,233,80,54,87,301,87,105,54,87,301,87,301,87,127,54,87,301,87,301,87,127,54,87,301,87,301,87,127,54,87,301,87,301,87,127,54,87,301,87,301,87,127,54,87,60,301,87,301,87,127,54,87,115,54,87,115,54,87,115,54,87,115,54,87,115,54,87,115,54,87,115,54,87,301,87,105,54,87,123,54,87,115,54,87,115,54,87,74,87,115,54,87,115,54,87,115,54,87,115,54,87,115,54,87,115,54,87,115,54,87,60,115,54,87,115,54,87,115,54,87,115,54,87,115,54,87,115,91,74,54,87,115,54,87,115,54,87,115,54,87,115,54,87,115,54,87,115,54,87,115,54,87,301,87,105,54,87,123,54,87,115,54,87,115,54,87,115,54,87,115,54,87,115,54,87,115,87,74,54,87,115,54,87,115,54,87,115,54,87,115,54,87,115,54,87,115,54,87,115,54,87,115,54,87,115,54,87,115,54,87,115,54,87,60,115,54,91,74,54,87,115,54,87,115,87,60,301,87,105,54,87,123,54,87,115,54,87,115,54,87,115,54,87,115,54,87,115,54,87,115,54,87,115,54,87,115,54,87,115,54,87,301,87,60,105,54,60,54,55,60,60,54,55,60,60,54,55,60,60,54,55,60,60,54,55,60,60,54,55,60,60,54,55,60,]

# Tally how often each value occurs. Values that occur only a handful of
# times stand out from the repetitive bulk of the traffic.
counter = Counter()
counter.update(a)
print(counter)
585、692、787 拼在一起得到 585692787。密文以 U2FsdGVkX1 开头(即 "Salted__" 的 Base64),是 OpenSSL/CryptoJS 风格的加盐口令加密格式,所以 585692787 应作为口令用于 AES 解密:U2FsdGVkX19cOOV8qLVgcso8U4fse+7LirQKiHFkn9HU9BuwFAivH1siJXg/Rk6z
flag{tietie_tietie_tiet13}
Re
Re_function
zip 密码可以爆破;压缩包也带有注释,其中的 hex 可转成图片。密码:3CF8
动态调试,发现 Buffer 上方多出一串数据。把这些拼在一起,对偶数位异或 0x37,得到 part1:
SqcTSxCxSAwHGm/JvxQrvxiNjR9=
re_easy_func2 打开一看,只有一个换了码表的 base64,码表如下:
FeVYKw6a0lDIOsnZQ5EAf2MvjS1GUiLWPTtH4JqRgu3dbC8hrcNo9/mxzpXBky7+
直接换表得flag。
ez_algorithm
(复盘:分析得太慢。这类线性变换应该直接把码表打印出来,再做变换。)
ida查看。没有难点。慢慢看。 变换如下。
enc = 'BRUF{E6oU9Ci#J9+6nWAhwMR9n:}',0
U-Z u-z -20
A-F a-f +20
H-M +6
N-S -6
G + 13
t - 13
0-9 105-?
a-z
0 换表 lower[*cur - 97 - i % 4])
1 (*cur - 97) * (i % 4)
2 (*cur - 97) ^ (i % 4)
3 [*cur - 97 + i % 4]
A-Z
0 upper[*cur - 65 - i % 4]
1 upper[*cur - 65 + i % 4]
2 ((HIDWORD(v4) >> 30) + (unsigned __int8)i * (*cur - 65)) & 3) - (HIDWORD(v4) >> 30)
3 (*cur - 65) ^ (i % 4)
直接打出码表替换
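# Solver for ez_algorithm: undo the three encoding layers listed in the notes
# above, printing the intermediate string after each layer.
txt = "BRUF{E6oU9Ci#J9+6nWAhwMR9n:}"
print(txt)

# Layer 1: fixed character substitution (rotated alphabets, reversed digits).
# The four symbols ":$#+" are all mapped to the placeholder "_" because their
# real plaintext counterparts were not recovered, so any "_" in the output
# that came from one of them is only a guess.
SUBST_FROM = "UVWXYZTNOPQRSHIJKLMGABCDEFuvwxyztnopqrshijklmgabcdef:$#+9876543210"
SUBST_TO = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz____0123456789"
txt2 = txt.translate(str.maketrans(SUBST_FROM, SUBST_TO))
print(txt2)

# Layer 2: swap upper and lower case (the text is pure ASCII at this point).
txt3 = txt2.swapcase()
print(txt3)

# Layer 3: position-dependent table lookup. The encoder indexes one of these
# tables with (letter offset <op> i % 4); decoding finds the table index of
# the ciphertext letter and applies the inverse operation for that position.
lower = "ckagevdxizblqnwtmsrpufyhoj"
# NOTE(review): "G" occurs twice in this table and "F" is missing, so
# index("G") always yields 6 and an "F" in the input passes through
# unchanged. Confirm the table against the binary.
upper = "TMQZWKGOIAGLBYHPCRJSUXEVND"

# Inverse index arithmetic per mode (i % 4), as derived in the write-up.
# NOTE(review): no modular wrap-around is applied, so e.g. idx - 3 with
# idx < 3 would produce a non-letter; the sample input does not hit that.
LOWER_INVERSE = (
    lambda idx: idx,
    lambda idx: idx,
    lambda idx: idx ^ 2,
    lambda idx: idx - 3,
)
UPPER_INVERSE = (
    lambda idx: idx,
    lambda idx: idx - 1,
    lambda idx: idx + 2,
    lambda idx: idx ^ 3,
)

decoded = []
for i, c in enumerate(txt3):
    mode = i % 4
    if c in lower:
        decoded.append(chr(LOWER_INVERSE[mode](lower.index(c)) + 97))
    elif c in upper:
        decoded.append(chr(UPPER_INVERSE[mode](upper.index(c)) + 65))
    else:
        # Digits, braces and placeholders are not touched by this layer.
        decoded.append(c)
flag = "".join(decoded)
print(flag)
# A "_" may stand for a different character; substitute candidates and submit.
# flag{w3Lc0mE_t0_3NcrYPti0N_}
# flag{w3Lc0mE_t0_3NcrYPti0N:}  # accepted as correct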