re2
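Analyzing the main function in IDA: it encrypts the contents of flag.txt and writes the result to enflag.txt
This is the key encryption routine
Standard RC4 encryption
A simple XOR recovers the key
RC4-decrypt enflag.txt
This gives flag{RC4&->ENc0d3F1le}
Newbie Contest (萌新賽)
Free flag (flag白給)
Check for a packer: the binary is packed
Unpack it with upx
Unpacking succeeds; go into the key function
Find the flag
That is, flag{HackAv}
Sign-out (簽退)
Python reversing: decompile with pycdc or the online tool "python反編譯 - 在線工具" (Python decompiler, online tool)
This yields the Python source code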
import string
c_charset = string.ascii_uppercase + string.ascii_lowercase + string.digits + '()'
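flag = 'BozjB3vlZ3ThBn9bZ2jhOH93ZaH9'
def encode(origin_bytes):
    # Each input byte as an 8-character binary string
    c_bytes = [ '{:0>8}'.format(str(bin(b)).replace('0b', '')) for b in origin_bytes ]
    resp = ''
    nums = len(c_bytes) // 3
    remain = len(c_bytes) % 3
    integral_part = c_bytes[0:3 * nums]
    # The decompiler mangled this loop; restored as the usual base64 step of 3 bytes to 4 symbols (assumption)
    while integral_part:
        tmp_unit = ''.join(integral_part[0:3])
        tmp_unit = [ int(tmp_unit[x:x + 6], 2) for x in [0,6,12,18] ]
        resp += ''.join([ c_charset[i] for i in tmp_unit ])
        integral_part = integral_part[3:]
    if remain:
        # Pad the trailing 1 or 2 bytes with zero bits and mark the padding with '.'
        remain_part = ''.join(c_bytes[3 * nums:]) + (3 - remain) * '0' * 8
        tmp_unit = [ int(remain_part[x:x + 6], 2) for x in [0,6,12,18] ][:remain + 1]
        resp += ''.join([ c_charset[i] for i in tmp_unit ]) + (3 - remain) * '.'
    return rend(resp)
def rend(s):
    def encodeCh(ch):
        # Rotate a letter forward by 2 within its own case
        f = lambda x: chr(((ord(ch) - x) + 2) % 26 + x)
        if ch.islower():
            return f(97)
        if ch.isupper():
            return f(65)
        return ch
    # The decompiler output was garbled here; restored as mapping encodeCh over s (assumption)
    return ''.join(encodeCh(c) for c in s)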
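The encode function here is really just base64 encoding; the alphabet is changed slightly, which has no effect on this ciphertext. The rend function shifts each letter right by two positions, so write a script that reverses rend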
def rend_reverse(s):
    decoded = []
    for c in s:
        if c.islower():
            # Lowercase letter: shift back by 2 (wrapping around)
            decoded_char = chr((ord(c) - 97 - 2) % 26 + 97)
        elif c.isupper():
            # Uppercase letter: shift back by 2 (wrapping around)
            decoded_char = chr((ord(c) - 65 - 2) % 26 + 65)
        else:
            decoded_char = c  # Digits and parentheses are unchanged
        decoded.append(decoded_char)
    return ''.join(decoded)
encrypted_flag = 'BozjB3vlZ3ThBn9bZ2jhOH93ZaH9'
after_rend = rend_reverse(encrypted_flag)
print("逆移位后字符串:", after_rend)
# ZmxhZ3tjX3RfZl9zX2hfMF93XyF9
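Base64-decode it in CyberChef
flag{c_t_f_s_h_0_w_!}
Failed math (數學不及格)
Analyze the main logic
It checks four equations, and v9=f(v4)
Double-click to follow into f(): it returns the n-th term of the Fibonacci sequence
So (v9-v10)+(v9-v11)+(v9-v12)+(v4+v12+v11+v10)=3*v9+v4=0x19d024e75ff, which is 1773860189695 in decimal, and v9=f(v4)
Write a brute-force script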
for v4 in range(3,100):
    a = [1, 1]
    for i in range(2,v4):
        v9=a[i-1]+a[i-2]
        if 3*v9+v4 == 1773860189695:
            print(v4)
            print(v9)
        a.append(v9)
#58
#591286729879
With v4 and v9 known, solve for the argv array
v9=591286729879
v4=58
print(hex(v9-0x233F0E151C))
#argv[1]=0x666c61677b
print(hex(v9-0x1B45F81A32))
#argv[2]=0x6e65776265
print(hex(v9-0x244C071725))
#argv[3]=0x655f686572
print(hex(v4+0x6543))
#argv[4]=0x657d
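Decode the hex in one step with CyberChef
This gives flag{newbee_here}
Internal Contest (內部賽)
Mass-produced shoddy products (批量生產的偽劣產品)
It is an apk file; open it in jadx and look at AndroidManifest.xml
Find the app entry point appinventor.ai_QA629A242D5E83EFA948B9020CD35CB60.checkme.a
There we see ctfshow{群主最愛36D}
Here comes a Python (來一個派森)
Use the Python decompilation tool pyinstxtractor.py to get the .pyc file
The online tool "python反編譯 - 在線工具" (Python decompiler, online tool) gives the Python source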
def b58encode(tmp = None):
    tmp = list(map(ord, tmp))
    temp = tmp[0]
    base58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'
    # Fold the input bytes into one big-endian integer
    for i in range(len(tmp) - 1):
        temp = temp * 256 + tmp[i + 1]
    tmp = []
    # The decompiler printed "while None:" and dropped the digit extraction;
    # restored as the usual base58 digit loop (assumption)
    while True:
        tmp.insert(0, temp % 58)
        temp = temp // 58
        if temp == 0:
            break
    temp = ''
    for i in tmp:
        temp += base58[i]
    tmp = []
    # Final step: XOR every output character with its index
    for i in range(len(temp)):
        tmp.append(chr(ord(temp[i]) ^ i))
    check = ['A','5','q','O','g','q','d','\x7f','[','\x7f','s','{','G','A','x','`','D','@','K','c','-','c',' ','G','+','+','|','x','}','J','h','\\','l']
    if tmp == check:
        return 1
flag = input('輸入flag:')
if b58encode(flag):
    print('you win')
else:
    print('try again')
Standard base58, with an XOR step at the end. The XOR script:
tmp=['A','5','q','O','g','q','d','\x7f','[','\x7f','s','{','G','A','x','`','D','@','K','c','-','c',' ','G','+','+','|','x','}','J','h','\\','l']
temp = []  # holds the characters after undoing the XOR
for i in range(len(tmp)):
    temp.append(chr(ord(tmp[i]) ^ i))
for i in range(len(temp)):
    print(temp[i],end="")
#A4sLctbxSvypKLvoTQYp9v6P32fcaWvCL
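Then base58-decode it
This gives ctfshow{zhe_bu_shi_flag}
Study hard, improve every day (好好學習 天天向上)
See the CSDN blog post: [ctf.show.reverse] 來一個派森,好好學習天天向上_ctfshow 好好學習 天天向上-CSDN博客
flag{good_good_study_day_day_up}
The screen cracked (屏幕裂開了)
Open it in jadx
There is also a native layer
Locate the key function checkflag
It is clearly RC4, but decrypting it directly does not work
So the part that scrambles the S-box has to be repeated 99999 times. Here is a script from an expert: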
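The two steps above (undo the index XOR, then base58-decode) as one offline script. This is an added example, not code from the original write-up; the function names undo_index_xor, b58decode and solve are chosen here, and CHECK is the check list copied from the decompiled script.

```python
BASE58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'

# check[] list copied from the decompiled script on this page
CHECK = ['A','5','q','O','g','q','d','\x7f','[','\x7f','s','{','G','A','x','`',
         'D','@','K','c','-','c',' ','G','+','+','|','x','}','J','h','\\','l']

def undo_index_xor(chars):
    """Reverse the last step of b58encode: each character was XORed with its index."""
    return ''.join(chr(ord(c) ^ i) for i, c in enumerate(chars))

def b58decode(text):
    """Decode base58 text to bytes, treating it as one big-endian integer."""
    n = 0
    for ch in text:
        idx = BASE58.find(ch)
        if idx < 0:
            raise ValueError(f'not a base58 character: {ch!r}')
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    # In standard base58 every leading '1' stands for one leading zero byte
    pad = len(text) - len(text.lstrip('1'))
    return b'\x00' * pad + body

def solve(check=CHECK):
    """XOR-restore the base58 string, decode it, and return the flag text."""
    return b58decode(undo_index_xor(check)).decode('latin-1')

if __name__ == '__main__':
    print(undo_index_xor(CHECK))
    print(solve())
```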
s = [i for i in range(256)]
k = (b"InfinityLoop"*22)[0:256]
# Key scheduling repeated 99999 times over the same S-box
for hit_count in range(99999):
    j = 0
    for i in range(256):
        j = (s[i]+j+k[i])%256
        s[i],s[j] = s[j],s[i]
answer = [0xA6,0x3D,0x54,0x0B0,0x74,0xCC,0xBD,0x2A,0x4A,0x0DE,0x0BD,0x35,0x0D1,0x1D,0x80,0x32,0x5F,0x64,0x2F,0x0C5,0x0DD,0x11,0x3E,0x95,0x0CC,0x17,0x13,0x0E5,0x5E,0x65,0x0CE,0x42,0x9E,0x47,0x0C8,0x0F3,0x4D,0x8A,0x0A6,0x1F,0x0F0,0x50,0x27,0x0A2,0x28,0x81,0x24,0x0A7,0x0B4,0x90,0x0FC,0x93,0x8A,0x0C1,0x77,0x0D5,0x16,0x1E,0x0FD,0x87,0x0C7,0x0BB,0x0B3,0x0]
v10,v11 = 0,0
v14 = s
tab = [0]*63
# Generate 63 keystream bytes
for j in range(63):
    v11 = v11+1
    v10 = (v14[v11] + v10)& 0xff
    v14[v11],v14[v10] = v14[v10],v14[v11]
    tab[j] = v14[(v14[v10]+ v14[v11]) %256]
# XOR the ciphertext with the keystream
flag = [answer[i]^tab[i] for i in range(63)]
print(bytes(flag))
#flag{i_hope_you_didnt_click_the_button_99999__justRE_in_Static}
Qixi Cup (七夕杯)
Reverse sign-in (逆向簽到)
Analyze the assembly of the main logic
With help from deepseek
mov     rax, 7B776F6873667463h  ; little-endian: "ctfshow{"
mov     rdx, 5F6E6769735F6572h  ; little-endian: "re_sign_"
mov     rax, 5F797361655F7369h  ; little-endian: "is_easy_"
mov     [rbp+var_18], 7Dh       ; terminator "}"
That is:
ctfshow{re_sign_is_easy_}
easy_magic
We see a string of hex; converting it from hex to a string fails
Guess that it is MD5, using SOMD5 (MD5免費在線解密破解_MD5在線加密-SOMD5)
This gives ctfshow{7x_flag_is_here}