长安战疫WP 某些题的flag头是cazy是我没有想到的
RE combat_slogan if (flag == 0 && str5.toString().compareTo("871019511949491089510249103104116951164895101110100951164895101110100959997122121" ) == 0 )
hello_py 反编译
import threading
import time


# NOTE(review): decompiler output, not runnable source. The `continue`
# statements at module level are only legal inside a loop, so the main body
# was presumably wrapped in one (likely `while True:`) that the decompiler
# flattened away.
def encode_1(n):
    """Thread body 1: XOR flag[num] with the index num itself, then step num down.

    `n` is unused; the state lives in the module globals `flag` and `num`.
    The 1 s sleep per step is what interleaves this thread with encode_2.
    """
    global num
    # Presumably a `while num >= 0:` loop that the decompiler rendered as `if`
    # (the trailing `if num <= 0: pass` reads like a flattened loop exit).
    if num >= 0:
        flag[num] = flag[num] ^ num
        num -= 1
        time.sleep(1)
        if num <= 0:
            pass


def encode_2(n):
    """Thread body 2: XOR flag[num] with its right-hand neighbour, then step num down.

    Started 0.5 s after encode_1 with the same 1 s cadence, so the two threads
    alternate on successive values of `num`.
    """
    global num
    # Same shape as encode_1; presumably a loop flattened into an `if`.
    if num >= 0:
        flag[num] = flag[num] ^ flag[num + 1]
        num -= 1
        time.sleep(1)
        if num < 0:
            pass


# Target values the scrambled input must equal; inverting the two XOR steps
# from index 0 upward recovers the expected input.
Happy = [44, 100, 3, 50, 106, 90, 5, 102, 10, 112]
num = 9  # highest index of the 10-byte input; both threads count it down
f = input('Please input your flag:')
if len(f) != 10:
    print('Your input is illegal')
    continue  # module-level `continue`: decompiler artifact, see note above
# NOTE(review): list(f) yields one-character strings, yet both threads XOR
# integers; an ord() mapping was probably lost in decompilation (the label in
# the next print hints at it).
flag = list(f)
j = 0  # never used in the recovered code
print("flag to 'ord':", flag)
# Appears to be the decompiler's rendering of keyword arguments:
# target=encode_1, args=(1,).
t1 = threading.Thread(encode_1, (1,), **('target', 'args'))
t2 = threading.Thread(encode_2, (2,), **('target', 'args'))
t1.start()
time.sleep(0.5)  # offset the second thread by half a step so the two alternate
t2.start()
t1.join()
t2.join()
if flag == Happy:
    print('Good job!')
    continue
print('No no no!')
continue
脚本
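def decode_happy(happy):
    """Recover hello_py's input from the `Happy` target bytes.

    The challenge walks ``num`` from the last index down to 0 with two threads
    that take turns: encode_1 does ``flag[num] ^= num`` and encode_2 does
    ``flag[num] ^= flag[num + 1]``. The 0.5 s start offset and 1 s sleeps make
    them alternate, starting with encode_1 at the top index. XOR is its own
    inverse and ``flag[num + 1]`` is never modified after it is read (the
    threads only move downward), so replaying the same operations from index
    0 upward undoes the scramble.

    Args:
        happy: the target byte values the program compares against
            (10 bytes in the challenge; any length is accepted).

    Returns:
        The recovered input as a string; empty input gives "".
    """
    state = list(happy)
    last = len(state) - 1
    for i in range(len(state)):
        # Index `last` got encode_1, `last - 1` got encode_2, and so on down.
        if (last - i) % 2 == 0:
            state[i] ^= i
        else:
            # state[i + 1] is still its final (target) value here, which is
            # exactly what encode_2 read in the forward direction.
            state[i] ^= state[i + 1]
    return "".join(map(chr, state))


HAPPY = [44, 100, 3, 50, 106, 90, 5, 102, 10, 112]

if __name__ == "__main__":
    print(decode_happy(HAPPY))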
lemon 字节码
所有load
之后数据将会被压入栈顶,因此先压入的变量会成为函数调用时后面的参数。也就是此处的函数调用约定一律为stdcall
没有store
或者setitem
方法出现时,原来的变量值不会变更
getattr
和getitem
,setitem
是魔法方法,作为保留字出现
call x
代表调用函数,调用函数的对象为栈底元素,也就是最先入栈的元素。x
代表了调用时需要压入的参数个数
下面的代码明显做了缩减,导致一下子没看出来
0: const 60 ; <module 'main'> 5: module 9 592 11: const 26 ; 83 16: const 27 ; 69 21: const 28 ; 65 26: array 3 31: store 0 0 34: const 30 ; 101 39: const 31 ; 108 44: const 32 ; 111 49: const 33 ; 117 54: const 34 ; 122 59: const 30 ; 101 64: const 35 ; 105 69: const 36 ; 98 74: const 30 ; 101 79: const 31 ; 108 84: const 33 ; 117 89: const 35 ; 105 94: const 37 ; 113 99: const 33 ; 117 104: const 35 ; 105 109: const 37 ; 113 114: array 16 119: store 0 1 122: const 39 ; 0 127: store 0 2 130: array 0 135: store 0 3 138: load 0 2 141: const 42 ; 256 146: lt < 147: jz 184 152: load 0 3 155: const 43 ; append 160: getattr 161: load 0 2 164: call 1 166: pop 167: load 0 2 170: const 44 ; 1 175: add 176: store 0 2 179: jmp 138 184: const 39 ; 0 189: store 0 4 192: load 0 4 195: const 42 ; 256 200: lt 201: jz 271 206: load 0 3 209: load 0 4 212: getitem 213: load 0 0 216: load 0 4 219: const 46 ; 3 224: mod 225: getitem 226: add 227: load 0 1 230: load 0 4 233: const 47 ; 16 238: mod 239: getitem 240: add 241: const 42 ; 256 246: mod 247: load 0 3 250: load 0 4 253: setitem 254: load 0 4 257: const 44 ; 1 262: add 263: store 0 4 266: jmp 192 271: const 39 ; 0 276: store 0 5 279: load 0 5 282: const 46 ; 3 287: lt < 288: jz 448 293: const 39 ; 0 298: store 0 6 301: load 0 6 304: const 42 ; 256 309: lt < 310: jz 366 315: load 0 3 318: load 0 6 321: getitem 322: load 0 3 325: load 0 6 328: const 44 ; 1 333: add 334: const 42 ; 256 339: mod 340: getitem 341: bxor 342: load 0 3 345: load 0 6 348: setitem 349: load 0 6 352: const 44 ; 1 357: add 358: store 0 6 361: jmp 301 366: const 39 ; 0 371: store 0 7 374: load 0 7 377: const 42 ; 256 382: lt 383: jz 431 388: load 0 3 391: load 0 7 394: getitem 395: const 44 ; 1 400: add 401: const 42 ; 256 406: mod 407: load 0 3 410: load 0 7 413: setitem 414: load 0 7 417: const 44 ; 1 422: add 423: store 0 7 426: jmp 374 431: load 0 5 434: const 44 ; 1 439: add 440: store 0 5 443: jmp 279 448: const 39 ; 0 453: store 0 5 456: const 39 ; 
0 461: store 0 8 464: load 0 5 467: const 42 ; 256 472: lt 473: jz 509 478: load 0 8 481: load 0 3 484: load 0 5 487: getitem 488: add 489: store 0 8 492: load 0 5 495: const 44 ; 1 500: add 501: store 0 5 504: jmp 464 509: load 0 8 512: const 51 ; 20 517: mul 518: const 52 ; 5 523: add 524: store 0 8 527: load 0 8 530: const 54 ; 30 535: mul 536: const 52 ; 5 541: sub 542: store 0 8 545: load 0 8 548: const 56 ; 40 553: mul 554: const 52 ; 5 559: sub 560: store 0 8 563: load 0 8 566: const 58 ; 50 571: mul 572: const 59 ; 6645 577: add 578: store 0 8 581: const 23 ; <function 'print'> 586: load 0 8 589: call 1 591: pop
分析以下
array_0=[83 ,69 ,65 ] SEA a_1 = [101 ,108 ,111 ,117 ,122 ,101 ,105 ,98 ,101 ,108 ,117 ,105 ,113 ,117 ,105 ,113 ] elouzeibeluiquiq c_2=0 s_3=[] c_2>=256 jmp 184 s_3=[0 -256 ] s_3.append(c_2) c_2+=1 c_4=0 c_4>=256 jmp 271 s_3[c_4]=(s_3[c_4]+(array_0[c_4%3 ]+a1[c_4%16 ]))%256 c_4+=1 c_5=0 while (c_5<3 ) jmp 448 c_6=0 while (c_6>=256 ) jmp 366 s_3[c_6]=s_3[c_6]^ (s_3[(c_6+1 )%256 ]) c_6+=1 c_7=0 while (c_7>=256 ) jmp 431 s_3[c_7]=(s_3[c_7]+1 )%256 c_7+=1 c_5+1 jmp 279 c_5=0 c_8=0 c_5>=256 jmp 509 c_8= +s_3[c_5++] c_8*20 +5 c_8*30 -5 c_8*40 -5 c_8*50 +6645
写脚本
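def _build_sbox(key3, key16):
    """Seed the 256-entry table (bytecode offsets 122-266).

    Starts from the identity table 0..255 and adds the two keys, cycling
    through each by index: s[i] = (i + key3[i % len] + key16[i % len]) % 256.
    """
    return [
        (i + key3[i % len(key3)] + key16[i % len(key16)]) % 256
        for i in range(256)
    ]


def _mix_rounds(sbox, rounds):
    """Apply the two in-place passes at offsets 279-443 `rounds` times.

    Pass one XORs each entry with its right-hand neighbour in ascending
    order, so the last entry sees the already-updated entry 0; pass two bumps
    every entry by one modulo 256. Returns a fresh list; `sbox` is untouched.
    """
    s = list(sbox)
    size = len(s)
    for _ in range(rounds):
        for i in range(size):
            s[i] ^= s[(i + 1) % size]
        for i in range(size):
            s[i] = (s[i] + 1) % 256
    return s


def _fold_total(total):
    """Apply the affine chain at offsets 509-578 to the table sum."""
    total = total * 20 + 5
    total = total * 30 - 5
    total = total * 40 - 5
    return total * 50 + 6645


def lemon_flag(key3, key16, rounds=3):
    """Reproduce the integer the lemon bytecode prints at offset 581.

    Args:
        key3: the 3-entry key table (constants 83, 69, 65 in push order;
            reversed at the call site because `array` pops them top-down).
        key16: the 16-entry key table, same orientation caveat.
        rounds: number of mix rounds; the bytecode's outer loop runs 3.

    Returns:
        The printed integer, which is the flag for this challenge.
    """
    mixed = _mix_rounds(_build_sbox(key3, key16), rounds)
    return _fold_total(sum(mixed))


# `array N` pops its N operands off the stack, so the tables come out in the
# reverse of the push order seen in the listing.
KEY3 = [83, 69, 65][::-1]
KEY16 = [101, 108, 111, 117, 122, 101, 105, 98, 101, 108, 117, 105, 113, 117, 105, 113][::-1]

if __name__ == "__main__":
    print(lemon_flag(KEY3, KEY16))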
当时应该想到要取反的,输出即为flag
23075096395
cute_dog 从系统菜单上看出这个程序应该内置了一个字符串cute_doge
,因此我们就去找找这个字符串:
然后就在上面看到个奇怪的字符串
*v42 = QString::fromAscii_helper((QString *)"ZmxhZ3tDaDFuYV95eWRzX2Nhenl9" , (const char *)0x1C , v43); *(_QWORD *)(a1 + 64 ) = v42; *(_DWORD *)(a1 + 56 ) = 0 ; v60 = QString::fromAscii_helper((QString *)"cute_doge" , (const char *)9 , v44);
ZmxhZ3tDaDFuYV95eWRzX2Nhenl9 发现 base64 解码后就是 flag
flag{Ch1na_yyds_cazy}
Safelm 没做出来,直接放大佬的
Safelm
Misc 八卦迷宫 卡了好久,结果头不是flag
cazy{zhanchangyangchangzhanyanghechangshanshananzhanyiyizhanyianyichanganyang}
无名天书 发现数据中最大的一个 200 OK 响应,追踪 HTTP 流发现是 16 进制数据
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
复制入010发现是zip
得到两个文件
flag.txt和 key.ws
发现两个都是透明的
key 用 Whitespace 解码得到密钥 XiAnWillBeSafe
flag snow隐写解密
拿工具解
SNOW.EXE -p XiAnWillBeSafe -C flag.txt
cazy{C4n_y0u_underSt4nd_th3_b0oK_With0ut_Str1ng}
Crypto no_cry_no_can from Crypto.Util.number import *from secret import flag,key assert len (key) <= 5 assert flag[:5 ] == b'cazy{' def can_encrypt (flag,key ): block_len = len (flag) // len (key) + 1 new_key = key * block_len return bytes ([i^j for i,j in zip (flag,new_key)]) c = can_encrypt(flag,key) print (c)
脚本暴力破解出key
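def recover_key(ciphertext, known_prefix):
    """Recover a repeating-XOR key from a known plaintext prefix.

    Because c[i] == p[i] ^ key[i % len(key)], every key byte covered by the
    known prefix is just c[i] ^ p[i]; the original 256-way search per
    position finds exactly that value, so it is replaced by the direct XOR.
    The key is assumed to be no longer than the prefix (the challenge caps
    it at 5 bytes and gives away the 5-byte `cazy{` header).

    Args:
        ciphertext: the encrypted bytes.
        known_prefix: the plaintext bytes known to start the message.

    Returns:
        The key bytes, one per known-prefix byte.

    Raises:
        ValueError: if the ciphertext is shorter than the known prefix.
    """
    if len(ciphertext) < len(known_prefix):
        raise ValueError("ciphertext is shorter than the known prefix")
    return bytes(c ^ p for c, p in zip(ciphertext, known_prefix))


def xor_decrypt(ciphertext, key):
    """XOR `ciphertext` with `key` repeated; the inverse of can_encrypt.

    Raises:
        ValueError: if `key` is empty.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(ciphertext))


PREFIX = b'cazy{'
CIPHERTEXT = b'<pH\x86\x1a&"m\xce\x12\x00pm\x97U1uA\xcf\x0c:NP\xcf\x18~l'

if __name__ == "__main__":
    # The original printed chr() of each byte, which is a latin-1 decode.
    plaintext = xor_decrypt(CIPHERTEXT, recover_key(CIPHERTEXT, PREFIX))
    print(plaintext.decode("latin-1"))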