REVERSE
GetTheTable
直接上IDA,可以看出这是一个base58算法。
密文就是ERaQux2sG1yhTracrk1ZrZ6qnc,解出来就是flag。
**
Amy's Code
这是三十二位的程序
在main函数中,输入的v4给v3,然后传入sub_4115FF(),
输入的值都按位异或,之后再传进
根据这里构造出脚本
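# Solver for "Amy's Code": for every position, subtract the key character in
# v6 from the target value in v9, then XOR the result with the position index.
v6 = 'LWHFUENGDJGEFHYDHIGJ'
v9 = [149, 169, 137, 134, 212, 188, 177, 184, 177, 197,
      192, 179, 153, 140, 175, 146, 105, 157, 104, 184]

# The two tables are consumed pairwise; zip() would silently truncate a
# mismatch, so fail loudly instead.
if len(v6) != len(v9):
    raise ValueError('v6 and v9 must have the same length')

# Step 1: remove the key character from each target value.
# The original stored this intermediate in a variable named `str`, which
# shadowed the builtin for any code that runs after this snippet.
unkeyed = [target - ord(key_ch) for target, key_ch in zip(v9, v6)]

# Step 2: XOR each intermediate value with its index to get the flag text.
flag = ''.join(chr(value ^ i) for i, value in enumerate(unkeyed))
print(flag)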
VigenereLike
import base64
# Repeating 7-character key and the 63-symbol alphabet the shift operates on.
string = ['I', 'S', 'C', 'C', 'Y', 'E', 'S']
string2 = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 "
dai = 'rJFsLqVyFKZBHDkIqr5wu LZlu1Eo1pZLommCrv='  # base64

# Stage 1: undo the keyed shift. Every symbol found in string2 is moved back
# by the alphabet index of the key character for that position, wrapping
# around the alphabet; anything else (the '=' padding) is copied unchanged.
alphabet_size = len(string2)
pieces = []
for pos, symbol in enumerate(dai):
    if symbol not in string2:
        pieces.append(symbol)
        continue
    shift = string2.find(string[pos % 7])
    pieces.append(string2[(string2.find(symbol) - shift) % alphabet_size])
flag = ''.join(pieces)
print(flag)

# Stage 2: the unshifted text is ordinary base64.
flag = base64.b64decode(flag)
print(flag)

# Stage 3: XOR each decoded byte with a counter that cycles through 1..7.
flag = [chr(byte ^ (idx % 7 + 1)) for idx, byte in enumerate(flag)]
# The last four characters are dropped from the printed result.
print(''.join(flag)[:-4])
How_decode
在encode里看到了sum=0x61c88648,这是xxtea加密,密钥就是k数组的4个元素。密文是main函数前面的长串。(注意:下面脚本使用的标准DELTA 0x9e3779b9 按32位取负后是 0x61c88647,与这里写的 0x61c88648 相差1,请以反汇编中实际出现的常数为准。)
解密算法:
#include <stdio.h>
#include <stdint.h>
#define DELTA 0x9e3779b9
#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[e^p&3] ^ z)))
/*
 * btea: XXTEA-style block routine that transforms v in place.
 *   v   - array of 32-bit words, modified in place
 *   n   - n > 1 runs the coding branch over n words; n < -1 runs the
 *         decoding branch over -n words; any other value does nothing
 *   key - four 32-bit key words, selected through the MX macro
 * MX is defined outside this function and reads y, z, sum, key, e and p
 * from the enclosing scope, so those local names must stay as they are.
 */
void btea(uint32_t* v, int n, uint32_t const key[4])
{
/* NOTE(review): y, z and sum are signed here while MX right-shifts y and z;
   right-shifting a negative int is implementation-defined. The commonly
   published btea declares them uint32_t - confirm which form matches the
   target binary before relying on the output. */
int y, z, sum, t;
unsigned p, rounds, e;
if (n > 1) /* Coding Part */
{
/* Round count depends on the block length. */
rounds = 6 + 52 / n;
sum = 0;
z = v[n - 1];
do
{
sum += DELTA;
/* e selects which key word MX mixes in for this round. */
e = (sum >> 2) & 3;
for (p = 0; p < n - 1; p++)
{
y = v[p + 1];
/* NOTE(review): the mixed value is kept in t and z only; v[p] is never
   written back in this loop, so this branch is not the inverse of the
   decoding branch below. main() on this page only calls the decoding
   branch. */
t = v[p];
t += MX;
z = t;
}
/* The last word wraps around and uses v[0] as its right-hand neighbour. */
y = v[0];
z = v[n - 1] += MX;
} while (--rounds);
}
else if (n < -1) /* Decoding Part */
{
n = -n;
rounds = 6 + 52 / n;
/* Start from the final sum value and step it back down each round. */
sum = rounds * DELTA;
y = v[0];
do
{
e = (sum >> 2) & 3;
/* Walk the words from last to first, subtracting the mix value. */
for (p = n - 1; p > 0; p--)
{
z = v[p - 1];
y = v[p] -= MX;
}
/* The first word wraps around and uses v[n - 1] as its left-hand neighbour. */
z = v[n - 1];
y = v[0] -= MX;
sum -= DELTA;
} while (--rounds);
}
}
int main()
{
    /* Ciphertext: 18 32-bit words, transformed in place by btea(). */
    uint32_t v[] = {
        0x583A2755, 0x15F437DE, 0xEB4BF8AF,
        0xD9F98EF2, 0x42CCAB39, 0x7A857094,
        0x912E821D, 0xCD3148B7, 0x743BC712,
        0x487532A5, 0x5A630997, 0x80576CDB,
        0x11783A4D, 0x73D2C70E, 0xD6EE81AC,
        0xDAFA0F09, 0xAC79A9EC, 0x91F4B9B7
    };
    /* Four key words; 73, 83, 67, 67 are the ASCII codes of 'I', 'S', 'C', 'C'. */
    uint32_t const k[4] = { 73, 83, 67, 67 };
    /* |n| is the number of words in v; a positive n encrypts, a negative n decrypts. */
    int n = 18;

    /* Decrypt. Passing n instead of -n would run the encrypting branch. */
    btea(v, -n, k);

    /* Dump each word as hex; converting the words back to text is left to the reader. */
    int i = 0;
    while (i < 18) {
        printf("%x ", v[i]);
        i++;
    }
    return 0;
}
Sad Code
32位ida打开,将里面的内容替换。 exp1:
from z3 import *
# exp1: solve the eight linear equations for v15 and v16[0..6].
# The right-hand constants are blank in this listing; they have to be filled
# in from the decompiled check before the script will run.
s = Solver()
# One z3 integer unknown per value to recover.
v16=[Int('v16[%d]'%i) for i in range(7)]
v15=Int('v15')
# Four equations over v15 and v16[0..2].
s.add(v16[1] + 7 * v16[0] - 4 * v15 - 2 * v16[2] == )
s.add(5 * v16[2] + 3 * v16[1] - v16[0] - 2 * v15 == )
s.add(2 * v16[0] + 8 * v16[2] + 10 * v15 - 5 * v16[1] == )
s.add(7 * v15 + 15 * v16[0] - 3 * v16[2] - 2 * v16[1] == )
# Four equations over v16[3..6].
s.add(15 * v16[3] + 35 * v16[6] - v16[4] - v16[5] == )
s.add(38 * v16[5] + v16[3] + v16[6] - 24 * v16[4] == )
s.add(38 * v16[4] + 32 * v16[3] - v16[5] - v16[6] == )
s.add(v16[3] + 41 * v16[5] - v16[4] - 25 * v16[6] == )
# NOTE(review): check() returns a result object rather than a bool, so this
# condition presumably always passes; comparing it with `sat`
# (s.check() == sat) would avoid calling model() on an unsatisfiable
# system - confirm.
if s.check():
print(s.model())
exp2:(exp1运行结果放入exp2之中)
from Crypto.Util.number import long_to_bytes
# exp2: rebuild the flag bytes from the values solved by exp1.
# The assignments below are blank in this listing; paste in the model values
# printed by exp1 before running.
v16=[0]*7
v16[2] =
v16[4] =
v15 =
v16[6] =
v16[3] =
v16[1] =
v16[5] =
v16[0] =
# Convert v15 to bytes first, then append the bytes of v16[0]..v16[6] in
# index order (the assignment order above does not matter).
flag=long_to_bytes(v15)
for i in v16:
flag+=long_to_bytes(i)
print(flag)
Ruststr
Base64解密异或, 然后判断大小写再异或
# Two byte tables that are XORed together position by position. c is the
# shorter one, so only its 25 positions are processed.
b = [
    0x9A, 0x78, 0xB6, 0x12, 0xBE, 0x66, 0x8D, 0xCF,
    0x51, 0x9E, 0x63, 0xCB, 0x4A, 0xD1, 0x1A, 0x59,
    0x78, 0x1C, 0x17, 0x73, 0xF2, 0x1D, 0x05, 0x2F,
    0xF0, 0xD7, 0xB3, 0x22, 0x5D, 0xAD, 0x0B, 0xE2,
]
c = [
    0xe4, 0x09, 0xd9, 0x47, 0xf8, 0x10, 0xa3, 0xb8, 0x09, 0xce,
    0x30, 0x8c, 0x64, 0x97, 0x4e, 0x0a, 0x3e, 0x4b, 0x51, 0x07,
    0x8f, 0x79, 0x60, 0x5b, 0x9b,
]
# zip() stops at the end of c, the shorter table.
m = [stored ^ mask for stored, mask in zip(c, b)]

# Key bytes: the ASCII codes of a 32-character hex string.
key = list(b"2cea9f04c63b4283940ec0e6d29be28d")


def lll(a, b):
    """Return 0 when a is greater than b, otherwise -1."""
    return 0 if a > b else -1


# For every byte of m, find the character j (0..127) that satisfies
# (adjust + j + 2) & 0xff == m[i]. (key[i] + 0xd0) & 0xff equals key[i] - 0x30
# modulo 256, so adjust is -1 when that value is 10 or less and 0 otherwise.
f = ''
for i, target in enumerate(m):
    adjust = lll((key[i] + 0xd0) & 0xff, 0xa)
    for j in range(128):
        if (adjust + j + 2) & 0xff == target:
            f += chr(j)
            print(f)
            break

# The recovered text is stored reversed.
p = list(f[::-1])
print()


def ppp(num):
    """Return True when num is even."""
    return (num & 1) == 0


# Final pass: flip the case of ASCII letters; move an even-coded digit up by
# one and an odd-coded digit down by one; leave everything else alone.
for idx, ch in enumerate(p):
    if 'a' <= ch <= 'z' or 'A' <= ch <= 'Z':
        p[idx] = chr(ord(ch) ^ 0x20)
    elif '0' <= ch <= '9':
        p[idx] = chr(ord(ch) + 1) if ppp(ord(ch)) else chr(ord(ch) - 1)
print(''.join(p), end='')
Bob's Code
在主函数中的sub_4116C7这个函数跟进去是一个base64加密。
sub_411389跟进去也是一个base64加密,这里进行了换表
下面是对字符串进行加点
sub_4116E0是对字符串进行位移变换,
payload
#include<iostream>
using namespace std;
// Defined further down: reverses the letter shift and prints the result.
void one();

// Entry point: run the decoder once. Falling off the end of main returns 0.
int main()
{
    one();
}
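// Reverse the letter shift applied to a1 and print the recovered string.
//
// For each character of a1 the function tries every candidate j in 0..127,
// applies the forward transform (letters rotated by a2 within A-Z or a-z,
// everything else unchanged) and keeps the candidate whose transform equals
// the character. The result is written to standard output followed by a
// newline.
void one() {
    const char a1[] = ".W1BqthGbfGvLc3IaAWByo.W15oXRKXiUyXXBYe01VoVlKX2zWVNJUuilkoF0.";
    const int a2 = 2;  // rotation applied to letters by the forward transform

    // sizeof counts the terminating NUL. Deriving the length this way avoids
    // strlen(), which the original called without including <cstring>.
    const int len = static_cast<int>(sizeof(a1)) - 1;

    // Sized from the input instead of a fixed 100-byte buffer.
    char Str[sizeof(a1)] = {};

    for (int i = 0; i < len; i++) {
        // Default to the input character so a position with no matching
        // candidate is never left uninitialised.
        Str[i] = a1[i];
        for (int j = 0; j < 128; j++) {
            int shifted = j;
            if (j >= 65 && j <= 90) {
                shifted = (j + a2 - 65) % 26 + 65;   // A-Z
            } else if (j >= 97 && j <= 122) {
                shifted = (j + a2 - 97) % 26 + 97;   // a-z
            }
            if (static_cast<char>(shifted) == a1[i]) {
                // The transform is one-to-one on 0..127, so the first match
                // is the only match.
                Str[i] = static_cast<char>(j);
                break;
            }
        }
    }

    std::cout.write(Str, len);
    std::cout << std::endl;
}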
得到的密文去点后进行换表base64解密,再进行base64解密
import base64
import string
# Input text with the dots removed; the '=' padding is part of the literal.
str1 = "U1ZorfEzdEtJa3GyYUZwmU15mVPIVgSwVVZWc01TmTjIV2xUTLHSsgjimD0===="
# string1 is the custom alphabet, string2 the standard base64 alphabet.
string1 = "ABCDEfghijklmnopqrsTUVWXYZabcdeFGHIJKLMNOPQRStuvwxyz0123456789-_"
string2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Layer 1: map every custom-alphabet symbol to the standard symbol at the
# same position, then decode as ordinary base64.
custom_to_standard = str.maketrans(string1, string2)
standard_text = str1.translate(custom_to_standard)
flag1 = base64.b64decode(standard_text)

# Layer 2: the result is itself standard base64.
flag = base64.b64decode(flag1)
print(flag)