BUU_RE

findit

String m = String.valueOf(x)

valueOf()将不同类型数据转换为字符串

m.equals(edit.getText().toString())

edit.getText()通常用于从用户界面中获取文本输入，toString()方法将其转换为字符串，然后使用equals()方法进行比较

我改成了c++代码，结果有问题

改成python，跑出来了

a = ['T', 'h', 'i', 's', 'I', 's', 'T', 'h', 'e', 'F', 'l', 'a', 'g', 'H', 'o', 'm', 'e']
b = ['p', 'v', 'k', 'q', '{', 'm', '1', '6', '4', '6', '7', '5', '2', '6', '2', '0', '3', '3', 'l', '4', 'm', '4', '9', 'l', 'n', 'p', '7', 'p', '9', 'm', 'n', 'k', '2', '8', 'k', '7', '5', '}']
x = [''] * 17
y = [''] * 38
for i in range(17):if (a[i] < 'I' and a[i] >= 'A') or (a[i] < 'i' and a[i] >= 'a'):x[i] = chr(ord(a[i]) + 18)elif (a[i] >= 'A' and a[i] <= 'Z') or (a[i] >= 'a' and a[i] <= 'z'):x[i] = chr(ord(a[i]) - 8)else:x[i] = a[i]
for i2 in range(38):if (b[i2] >= 'A' and b[i2] <= 'Z') or (b[i2] >= 'a' and b[i2] <= 'z'):y[i2] = chr(ord(b[i2]) + 16)if (y[i2] > 'Z' and y[i2] < 'a') or y[i2] >= 'z':y[i2] = chr(ord(y[i2]) - 26)else:y[i2] = b[i2]
# 输出字符列表中的所有元素
print(''.join(y))
# flag{c164675262033b4c49bdf7f9cda28a75}

[FlareOn4]login

是个html代码，输入flag的，看不太懂


<!DOCTYPE Html />
<html><head><title>FLARE On 2017</title></head><body><input type="text" name="flag" id="flag" value="Enter the flag" /><input type="button" id="prompt" value="Click to check the flag" /><script type="text/javascript">document.getElementById("prompt").onclick = function () {var flag = document.getElementById("flag").value;var rotFlag = flag.replace(/[a-zA-Z]/g, function(c){return String.fromCharCode((c <= "Z" ? 90 : 122) >= (c = c.charCodeAt(0) + 13) ? c : c - 26);});if ("PyvragFvqrYbtvafNerRnfl@syner-ba.pbz" == rotFlag) {alert("Correct flag!");} else {alert("Incorrect flag, rot again");}}</script></body>
</html>

gpt转换一下，其实也就是凯撒密码，偏移量为13

enc='PyvragFvqrYbtvafNerRnfl@syner-ba.pbz'
for i in range(len(enc)):k=ord(enc[i])if 65<=k<=90:if k-13<65:print(chr(k-13+26),end='')else:print(chr(k-13),end='')elif 97<=k<=122:if k-13<97:print(chr(k-13+26),end='')else:print(chr(k-13),end='')else:print(enc[i],end='')
# ClientSideLoginsAreEasy@flare-on.com

[WUSTCTF2020]level1

ptr = [198, 232, 816, 200, 1536, 300, 6144, 984, 51200, 570, 92160,1200, 565248, 756, 1474560, 800, 6291456, 1782, 65536000]for i in range(19):if (i+1) & 1:print(chr(ptr[i] >> (i+1)), end="")else:print(chr(ptr[i] // (i+1)), end="")

或者

key = [0,198,232,816,200,1536,300,6144,984,51200,570,92160,1200,565248,
756,1474560,800,6291456,1782,65536000]
for i in range(1,20)://i是从1开始的。if i%2 == 1:print(chr(key[i] >> i),end='')else:print(chr(key[i]//(整除符)i),end='')、

[WUSTCTF2020]level2

还是是不能有那个括号，去除了就成功了。

flag就出来了。

[WUSTCTF2020]level3

简单替换后，解密得到flag

import base64
table='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
enc='d2G0ZjLwHjS7DmOzZAY0X2lzX3CoZV9zdNOydO9vZl9yZXZlcnGlfD=='
hh=list(table)
for i in range(10):v1=table[i]hh[i]=hh[19-i]hh[19-i]=v1
print(''.join(hh))
str='TSRQPONMLKJIHGFEDCBAUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
print(base64.b64decode(enc.translate(str.maketrans(str,table))))

[ACTF新生赛2020]rome

  strcpy(v12, "Qsw3sj_lz4_Ujw@l");printf("Please input:");scanf("%s", &input);result = input;if ( input == 'A' ){result = v3;if ( v3 == 'C' ){result = v4;if ( v4 == 'T' ){result = v5;if ( v5 == 'F' ){result = v6;if ( v6 == '{' ){result = v11;if ( v11 == '}' ){v1[0] = v7;v1[1] = v8;v1[2] = v9;v1[3] = v10;*&v12[17] = 0;while ( *&v12[17] <= 15 ){if ( *(v1 + *&v12[17]) > 64 && *(v1 + *&v12[17]) <= 90 )// A-Z*(v1 + *&v12[17]) = (*(v1 + *&v12[17]) - 51) % 26 + 65;if ( *(v1 + *&v12[17]) > 96 && *(v1 + *&v12[17]) <= 122 )// a-z*(v1 + *&v12[17]) = (*(v1 + *&v12[17]) - 79) % 26 + 97;++*&v12[17];}*&v12[17] = 0;while ( *&v12[17] <= 15 ){result = v12[*&v12[17]];if ( *(v1 + *&v12[17]) != result )return result;++*&v12[17];}return printf("You are correct!");}}}}}}

看到有取模，嗯就想到了爆破，并且%26+65肯定还是大写字母，范围没变。

enc='Qsw3sj_lz4_Ujw@l'
for i in range(len(enc)):k=ord(enc[i])if 65<=k<=90:for m in range(65,91,1):if k==(m-51)%26+65:print(chr(m),end='')breakelif 97<=k<=122:for n in range(97,123,1):if k==(n-79)%26+97:print(chr(n),end='')breakelse:print(enc[i],end='')

[FlareOn4]IgniteMe

汇编语言指令 ROL
循环左移指令：ROL DEST，COUNT
指令功能：把目的地址中的数据循环左移COUNT次，每次从最高位（最左）移出的数据位都补充到最低位（最右），最后从最高位（最左）移出的数据位保存到CF标志位。
标志位影响：CF标志用于保存最后从最高位移出的数据位。如果COUNT=1，OF标志有意义，如果移位前后数据的符号位发生了变化，OF=1；如果符号位没有发生变化，OF=0。如果COUNT>1，OF标志不确定（没有意义）。

(unsigned __int16)__ROL4__(0x80070000, 4) >> 1; ROL4就是左移4位，v4=00700004

v4本来等于0x00700004的，我的理解是：因为目标字符里面都是两位的，其实v4也应该保留两位，不然就行不通

嗯，突然想到不知道这个汇编指令，也可以通过动调，找到这个值

byte30=[0x0D, 0x26, 0x49, 0x45, 0x2A, 0x17, 0x78, 0x44, 0x2B, 0x6C,0x5D, 0x5E, 0x45, 0x12, 0x2F, 0x17, 0x2B, 0x44, 0x6F, 0x6E,0x56, 0x09, 0x5F, 0x45, 0x47, 0x73, 0x26, 0x0A, 0x0D, 0x13,0x17, 0x48, 0x42, 0x01, 0x40, 0x4D, 0x0C, 0x02, 0x69]
v4=0x04
date=[]
print(len(byte30))
for i in range(len(byte30)-1,-1,-1):k=byte30[i]^v4date.append(k)v4=k
for i in range(39):print(chr(date[38-i]),end='')

本文来自互联网用户投稿，该文观点仅代表作者本人，不代表本站立场。本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。如若转载，请注明出处：http://www.mzph.cn/diannao/4908.shtml

如若内容造成侵权/违法违规/事实不符，请联系多彩编程网进行投诉反馈email:809451989@qq.com，一经查实，立即删除！