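Contents
re2
Newbie Contest
Free Flag
Sign-out
Failing Math
Internal Contest
Mass-Produced Shoddy Products
Here Comes a Python
Study Hard, Improve Every Day
The Screen Cracked
Qixi Cup
Reverse Sign-in
easy_magic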
re2
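Analyzing the main function in IDA shows that it encrypts the contents of flag.txt and writes the result to enflag.txt.
This is the routine that encrypts the key.
The encryption itself is standard RC4.
The key is recovered with a simple XOR.
Then RC4-decrypt enflag.txt.
This gives flag{RC4&->ENc0d3F1le}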
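Newbie Contest
Free Flag
Checking for a packer shows that the binary is packed.
Unpack it with UPX.
Once unpacking succeeds, go to the key function.
The flag is found there,
namely flag{HackAv}
Sign-out
This is Python reversing: decompile with pycdc or an online Python decompiler ("python反编译 - 在线工具").
This yields the Python source code: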
import string
c_charset = string.ascii_uppercase + string.ascii_lowercase + string.digits + '()'
flag = 'BozjB3vlZ3ThBn9bZ2jhOH93ZaH9'

def encode(origin_bytes):
    # Each input byte as an 8-character binary string
    c_bytes = ['{:0>8}'.format(str(bin(b)).replace('0b', '')) for b in origin_bytes]
    resp = ''
    nums = len(c_bytes) // 3
    remain = len(c_bytes) % 3
    integral_part = c_bytes[0:3 * nums]
    # The decompiler garbled this loop; it is reconstructed here as the usual
    # 3-byte to 4-character Base64 step (assumption).
    while integral_part:
        tmp_unit = ''.join(integral_part[0:3])
        tmp_unit = [int(tmp_unit[x:x + 6], 2) for x in [0, 6, 12, 18]]
        resp += ''.join([c_charset[i] for i in tmp_unit])
        integral_part = integral_part[3:]
    if remain:
        remain_part = ''.join(c_bytes[3 * nums:]) + (3 - remain) * '0' * 8
        tmp_unit = [int(remain_part[x:x + 6], 2) for x in [0, 6, 12, 18]][:remain + 1]
        resp += ''.join([c_charset[i] for i in tmp_unit]) + (3 - remain) * '.'
    return rend(resp)

def rend(s):
    def encodeCh(ch):
        f = lambda x: chr(((ord(ch) - x) + 2) % 26 + x)
        if ch.islower():
            return f(97)
        # The decompiler emitted "(None,).isupper()" and an invalid lambda for
        # the lines below; they are reconstructed here (assumption).
        if ch.isupper():
            return f(65)
        return ch
    return ''.join(encodeCh(c) for c in s)
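Here encode is really just Base64 encoding; the alphabet is slightly altered, but that has no effect on the ciphertext. The rend function simply shifts each letter right by two positions, so write a script that reverses rend:
def rend_reverse(s):
    decoded = []
    for c in s:
        if c.islower():
            # Lowercase letters move back 2 positions (wrapping around)
            decoded_char = chr((ord(c) - 97 - 2) % 26 + 97)
        elif c.isupper():
            # Uppercase letters move back 2 positions (wrapping around)
            decoded_char = chr((ord(c) - 65 - 2) % 26 + 65)
        else:
            decoded_char = c  # Digits and parentheses are unchanged
        decoded.append(decoded_char)
    return ''.join(decoded)

encrypted_flag = 'BozjB3vlZ3ThBn9bZ2jhOH93ZaH9'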
after_rend = rend_reverse(encrypted_flag)
print("逆移位后字符串:", after_rend)
# ZmxhZ3tjX3RfZl9zX2hfMF93XyF9
Base64-decode the result with CyberChef:
flag{c_t_f_s_h_0_w_!}
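The two inverse steps above combined into one decoder, as an added example that is not part of the original write-up. It goes beyond this one ciphertext by also handling the '(' and ')' alphabet characters and the '.' padding that a standard Base64 decoder would reject; the names C_CHARSET, ENC_FLAG, PAD, unshift and decode are chosen here.

```python
import string

# Alphabet and ciphertext copied from the decompiled source above.
C_CHARSET = string.ascii_uppercase + string.ascii_lowercase + string.digits + '()'
ENC_FLAG = 'BozjB3vlZ3ThBn9bZ2jhOH93ZaH9'
PAD = '.'  # encode() pads with '.' where standard Base64 uses '='


def unshift(ch, n=2):
    """Undo rend(): rotate a letter back by n within its own case."""
    if ch.islower():
        return chr((ord(ch) - 97 - n) % 26 + 97)
    if ch.isupper():
        return chr((ord(ch) - 65 - n) % 26 + 65)
    return ch  # digits, '(', ')' and '.' were never shifted


def decode(ciphertext):
    """Invert encode(): undo the letter shift, then unpack the 6-bit groups."""
    text = ''.join(unshift(c) for c in ciphertext)
    body = text.rstrip(PAD)
    pad = len(text) - len(body)
    if len(text) % 4 or pad > 2:
        raise ValueError('length/padding is not valid for this encoding')
    bits = ''
    for ch in body:
        idx = C_CHARSET.find(ch)
        if idx < 0:
            raise ValueError('character %r is not in the alphabet' % ch)
        bits += '{:06b}'.format(idx)
    # Drop the trailing bits that only exist because encode() zero-filled
    # the last group; what remains is a whole number of bytes.
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


if __name__ == '__main__':
    print(decode(ENC_FLAG))
```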
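Failing Math
Analyze the main logic.
It checks four equations, and v9=f(v4).
Double-click to follow f(): it returns the n-th term of the Fibonacci sequence.
So (v9-v10)+(v9-v11)+(v9-v12)+(v4+v12+v11+v10)=3*v9+v4=0x19d024e75ff, which is 1773860189695 in decimal, and v9=f(v4).
Brute-force it with a script:
for v4 in range(3,100):
    a = [1, 1]
    for i in range(2,v4):
        v9=a[i-1]+a[i-2]
        if 3*v9+v4 == 1773860189695:
            print(v4)
            print(v9)
        a.append(v9)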
#58
#591286729879
With v4 and v9 known, solve for the argv array:
v9=591286729879
v4=58
print(hex(v9-0x233F0E151C))
#argv[1]=0x666c61677b
print(hex(v9-0x1B45F81A32))
#argv[2]=0x6e65776265
print(hex(v9-0x244C071725))
#argv[3]=0x655f686572
print(hex(v4+0x6543))
#argv[4]=0x657d
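Decode the hex in one step with CyberChef.
This gives flag{newbee_here}
Internal Contest
Mass-Produced Shoddy Products
It is an APK file; open it in jadx and look at AndroidManifest.xml.
Find the app entry point appinventor.ai_QA629A242D5E83EFA948B9020CD35CB60.checkme.a
and the flag ctfshow{群主最爱36D} is visible there.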
Here Comes a Python
Use the Python reversing tool pyinstxtractor.py to get the .pyc file.
An online Python decompiler ("python反编译 - 在线工具") then gives the Python source:
def b58encode(tmp = None):
    tmp = list(map(ord, tmp))
    temp = tmp[0]
    base58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'
    # Fold the input bytes into one big integer
    for i in range(len(tmp) - 1):
        temp = temp * 256 + tmp[i + 1]
    tmp = []
    # The decompiler printed "while None:" and dropped the line that stores each
    # base-58 digit; both are restored here as in standard Base58 (assumption).
    while True:
        tmp.insert(0, temp % 58)
        temp = temp // 58
        if temp == 0:
            break
    temp = ''
    for i in tmp:
        temp += base58[i]
    tmp = []
    # XOR every output character with its index
    for i in range(len(temp)):
        tmp.append(chr(ord(temp[i]) ^ i))
    check = ['A','5','q','O','g','q','d','\x7f','[','\x7f','s','{','G','A','x','`','D','@','K','c','-','c',' ','G','+','+','|','x','}','J','h','\\','l']
    if tmp == check:
        return 1

flag = input('输入flag:')
if b58encode(flag):
    print('you win')
else:
    print('try again')
This is standard Base58 with one extra XOR step at the end. Script to undo the XOR:
tmp=['A','5','q','O','g','q','d','\x7f','[','\x7f','s','{','G','A','x','`','D','@','K','c','-','c',' ','G','+','+','|','x','}','J','h','\\','l']
temp = []
for i in range(len(tmp)):
    temp.append(chr(ord(tmp[i]) ^ i))
for i in range(len(temp)):
    print(temp[i],end="")
#A4sLctbxSvypKLvoTQYp9v6P32fcaWvCL
Then Base58-decode it.
This gives ctfshow{zhe_bu_shi_flag}
Study Hard, Improve Every Day
See the CSDN blog post "[ctf.show.reverse] 来一个派森,好好学习天天向上_ctfshow 好好学习 天天向上-CSDN博客".
flag{good_good_study_day_day_up}
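The Screen Cracked
Open it in jadx.
There is also a native layer.
Locate the key function checkflag.
It is clearly RC4 encryption, but decrypting it does not work.
So the S-box shuffling part has to be repeated 99999 times. Here is a script from an expert: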
s = [i for i in range(256)]
k = (b"InfinityLoop"*22) [0:256]
for hit_count in range(99999):
    j = 0
    for i in range(256):
        j = (s[i]+j+k[i])%256
        s[i],s[j] = s[j],s[i]
answer =[0xA6,0x3D,0x54,0x0B0,0x74,0xCC,0xBD,0x2A,0x4A,0x0DE,0x0BD,0x35,0x0D1,0x1D,0x80,0x32,0x5F,0x64,0x2F,0x0C5,0x0DD,0x11,0x3E,0x95,0x0CC,0x17,0x13,0x0E5,0x5E,0x65,0x0CE,0x42,0x9E,0x47,0x0C8,0x0F3,0x4D,0x8A,0x0A6,0x1F,0x0F0,0x50,0x27,0x0A2,0x28,0x81,0x24,0x0A7,0x0B4,0x90,0x0FC,0x93,0x8A,0x0C1,0x77,0x0D5,0x16,0x1E,0x0FD,0x87,0x0C7,0x0BB,0x0B3,0x0]
v10,v11 = 0,0
v14 = s
tab = [0]*63
for j in range(63):
    v11 = v11+1
    v10 = (v14[v11] + v10)& 0xff
    v14[v11],v14[v10] = v14[v10],v14[v11]
    tab[j] = v14[(v14[v10]+ v14[v11]) %256]
flag = [answer[i]^tab[i] for i in range(63)]
print(bytes(flag))
#flag{i_hope_you_didnt_click_the_button_99999__justRE_in_Static}
Qixi Cup
Reverse Sign-in
Analyze the assembly of the main logic,
with help from DeepSeek.
mov rax, 7B776F6873667463h ; little-endian for "ctfshow{"
mov rdx, 5F6E6769735F6572h ; little-endian for "re_sign_"
mov rax, 5F797361655F7369h ; little-endian for "is_easy_"
mov [rbp+var_18], 7Dh ; closing character "}"
That is,
ctfshow{re_sign_is_easy_}
easy_magic
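A string of hex digits is visible; converting it from hex to a string fails.
Guess that it is an MD5 hash and look it up with SOMD5 ("MD5免费在线解密破解_MD5在线加密-SOMD5").
This gives ctfshow{7x_flag_is_here}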