RE
1. 聪明的信使
基础爆破
#include<stdio.h>
#include<string.h>
int main()
{char enc[] = "oujp{H0d_TwXf_Lahyc0_14_e3ah_Rvy0ac@wc!}";char flag[41] = {0};int i, j;for (i = 0; i < strlen(enc); i++){for (j = 33; j < 127; j++){if ((j <= 96) || (j > 'z')){if ((j > '@') && (j <= 'Z')){if (((j + 9 - 65) % 26 + 65) == enc[i]){flag[i] = j;}};}else{if (((j + 9 - 97) % 26 + 97) == enc[i]) { flag[i] = j;}}}if(!flag[i]){flag[i] = enc[i];};}printf("%s", flag);
}
2. 喵喵喵的flag碎了一地
3. 你是真的大学生吗?
看汇编翻译一下
#大学生 wp
enc = [ 0x76, 0x0E, 0x77, 0x14, 0x60, 0x06, 0x7D, 0x04, 0x6B, 0x1E, 0x41, 0x2A, 0x44, 0x2B, 0x5C, 0x03, 0x3B, 0x0B, 0x33, 0x05]
for i in range(len(enc)-1):enc[i] ^= enc[i+1]
flag = ''
for i in enc:flag += chr(i)
print(flag)4. Debug
jadx动调直接出
5. trustme
看起来是个很简单的RC4
但是只得到用户名 admin
法一:猜Sql注入,直接万能密码
6. 今夕是何年
ubuntu上运行不成功,改kali装qemu就可以了
kail安装指令:
sudo apt updat
apt install qemu-user
然后直接运行即可
7. ez_cube
就是个解魔方算法
国际三阶魔方求解器- 最棒的在线免费app
分析一下四个字母的含义
U是上层顺时针90度,就不多分析了
u,r实际上是指U',R'
魔方弟_三阶魔方的各种术语及公式表示法
在线解魔方乱七八糟,可能有多解,多数不止涉及到RU,只能靠魔方经验做
这是一个三棱换,公式是R U' R U R U R U' R' U' R2
翻译一下就是RuRURURururr
flag{RuRURURururr}
8. baby unity
TMdll被加密了
工具使用参考,但是PC的unity逆向没有so文件,用的是GameAssembly.dll
【游戏开发进阶】教你使用IL2CppDumper从Unity il2cpp的二进制文件中获取类型、方法、字段等(反编译)-CSDN博客
dnspy看一下Assembly-CSharp.dll
可以查看到关键函数的地址
在IDA打开GameAssembly.dll跳转到相应地址
非常难看,尝试恢复一下符号表
[原创]IL2CPP 逆向初探-软件逆向-看雪-安全社区|安全招聘|kanxue.com
恢复了部分符号
注意这个Check$$OnClick函数
汇编能找到类似密文的东西
StringLiteral_4850也在最后的判断里出现了
扔给厨子是个好习惯,当然代码逻辑也能看
9. 砸核桃
xvlk秒脱壳
逻辑很简单,就是异或
#crack walnutes wp
enc = [ 0x00000012, 0x00000004, 0x00000008, 0x00000014, 0x00000024, 0x0000005C, 0x0000004A, 0x0000003D, 0x00000056, 0x0000000A, 0x00000010, 0x00000067, 0x00000000, 0x00000041, 0x00000000, 0x00000001, 0x00000046, 0x0000005A, 0x00000044, 0x00000042, 0x0000006E, 0x0000000C, 0x00000044, 0x00000072, 0x0000000C, 0x0000000D, 0x00000040, 0x0000003E, 0x0000004B, 0x0000005F, 0x00000002, 0x00000001, 0x0000004C, 0x0000005E, 0x0000005B, 0x00000017, 0x0000006E, 0x0000000C, 0x00000016, 0x00000068, 0x0000005B, 0x00000012, 0x00000000, 0x00000000, 0x00000048]
key = 'this_is_not_flag'
flag = ''
for i in range(0,42):flag += chr(enc[i]^ord(key[i%16]))
print(flag)
#flag{59b8ed8f-af22-11e7-bb4a-3cf862d1ee75}
10. ez_enc
一个比较高级的爆破,因为存在多解和不满足条件的树,所以需要深度递归爆破
#ez_enc wp
enc = [ 0x27, 0x24, 0x17, 0x0B, 0x50, 0x03, 0xC8, 0x0C, 0x1F, 0x17, 0x36, 0x55, 0xCB, 0x2D, 0xE9, 0x32, 0x0E, 0x11, 0x26, 0x02, 0x0C, 0x07, 0xFC, 0x27, 0x3D, 0x2D, 0xED, 0x35, 0x59, 0xEB, 0x3C, 0x3E, 0xE4, 0x7D] #34
flag = [0]*34
flag[33] = 0x7D
#print(flag)
key = 'IMouto'
def findflag(i, flag):if(i == -1):for k in flag:print(chr(k),end='')print("")for j in range(32,127):if enc[i] == ord(key[i%6]) ^ (flag[i+1]+j%20):flag[i] = jfindflag(i-1,flag)
findflag(32, flag)
'''
*lag{!_r3ea11y_w4nt_@_cu7e_s1$ter}
>lag{!_r3ea11y_w4nt_@_cu7e_s1$ter}
Rlag{!_r3ea11y_w4nt_@_cu7e_s1$ter}
flag{!_r3ea11y_w4nt_@_cu7e_s1$ter}
zlag{!_r3ea11y_w4nt_@_cu7e_s1$ter}
'''最后手动筛选一下
11. ez_rand
随机数异或,就是要爆种子
我以为是文件时间戳,结果是从0开始爆……
#include<stdio.h>
#include<string.h>
int main()
{unsigned int seed;unsigned char enc[] ={0x5D, 0x0C, 0x6C, 0xEA, 0x46, 0x19, 0xFC, 0x34, 0xB2, 0x62,0x23, 0x07, 0x62, 0x22, 0x6E, 0xFB, 0xB4, 0xE8, 0xF2, 0xA9,0x91, 0x12, 0x21, 0x86, 0xDB, 0x8E, 0xE9, 0x43, 0x4D, 0x00,0x00, 0xFC, 0x31};unsigned char flag[33];int i,key;for (seed = 0; ; seed++){srand(seed);int right = 1;for (int i = 0; i <= 32; i++){key = rand() % 255;flag[i] = key ^ enc[i];switch (i){case 0:if (flag[i] != 'X'){right = 0;}break;case 1:if (flag[i] != 'Y'){right = 0;}break;case 2:if (flag[i] != 'C'){right = 0;}break;case 3:if (flag[i] != 'T'){right = 0;}break;case 4:if (flag[i] != 'F'){right = 0;}break;case 5:if (flag[i] != '{'){right = 0;}break;default:continue;}if (right == 0){break;}}if (right == 1){printf("%d\n", seed);printf("%s", flag);break;}else {printf("not %u\n", seed);}}
}
//21308
//XYCTF{R@nd_1s_S0_S0_S0_easy!}Misc
1. TCPL
qemu起一个riscv64的虚拟进程
1换成0
FLAG{PLCT_An4_r0SCv_x0huann0}
Ubuntu的qemu安装方法参照
https://arcsin2.cloud/2023/03/03/Ubuntu-22-04-%E5%AE%89%E8%A3%85-QEMU-%E6%B5%81%E7%A8%8B/
版本改成最新的就行
https://download.qemu.org/
