int __fastcall main(int argc, const char **argv, const char **envp)\n{\n __int64 v3; \/\/ rax\n __int64 v4; \/\/ rax\n __int64 v5; \/\/ rax\n __int64 v6; \/\/ rax\n __int64 v7; \/\/ rax\n __int64 v8; \/\/ rax\n __int64 v9; \/\/ rax\n __int64 v10; \/\/ rax\n __int64 v11; \/\/ rbx\n __int64 v12; \/\/ rax\n __int64 v13; \/\/ rax\n char v15[32]; \/\/ [rsp+20h] [rbp-80h] BYREF\n char v16[32]; \/\/ [rsp+40h] [rbp-60h] BYREF\n char v17[40]; \/\/ [rsp+60h] [rbp-40h] BYREF\n char v18[8]; \/\/ [rsp+88h] [rbp-18h] BYREF\n int v19; \/\/ [rsp+90h] [rbp-10h] BYREF\n char v20; \/\/ [rsp+97h] [rbp-9h] BYREF\n __int64 v21; \/\/ [rsp+98h] [rbp-8h]\n\n _main(argc, argv, envp);\n v3 = std::operator<<<std::char_traits<char>>(refptr__ZSt4cout, " \\n");\n v4 = std::operator<<<std::char_traits<char>>(v3, "TJ TJTJ TJTJTJTJ TJTJTJ TJTJTJTJ TJTJTJTJ \\n");\n v5 = std::operator<<<std::char_traits<char>>(v4, "TJ TJ TJ TJ TJ TJ TJ \\n");\n v6 = std::operator<<<std::char_traits<char>>(v5, "TJ TJ TJ TJ TJ TJ \\n");\n v7 = std::operator<<<std::char_traits<char>>(v6, "TJ TJ TJ TJ TJ TJTJTJ \\n");\n v8 = std::operator<<<std::char_traits<char>>(v7, "TJ TJ TJ TJ TJ TJ \\n");\n v9 = std::operator<<<std::char_traits<char>>(v8, "TJ TJ TJ TJ TJ TJ TJ \\n");\n v10 = std::operator<<<std::char_traits<char>>(v9, "TJTJTJTJ TJTJ TJ TJTJTJ TJ TJ \\n");\n std::operator<<<std::char_traits<char>>(v10, " \\n");\n v19 = 1;\n std::chrono::duration<long long,std::ratio<1ll,1ll>>::duration<int,void>(v18, &v19);\n std::this_thread::sleep_for<long long,std::ratio<1ll,1ll>>(v18);\n std::string::basic_string(v17);\n std::operator<<<std::char_traits<char>>(refptr__ZSt4cout, &unk_4051A4);\n std::getline<char,std::char_traits<char>,std::allocator<char>>(refptr__ZSt3cin, v17);\n v11 = operator new(0x20ui64);\n text_72(v11);\n v21 = v11;\n LODWORD(v11) = std::string::length(v17);\n v12 = std::string::c_str(v17);\n LitCTF_tanji_calculate::Encode[abi:cxx11](v16, v21, v12, v11);\n std::allocator<char>::allocator(&v20);\n std::string::basic_string(v15, "tgL0q1rgEZaZmdm0zwq4lweYzgeTngfHnI1ImMm5ltaXywnLowuYnJmWmx0=", &v20);\n std::allocator<char>::~allocator(&v20);\n std::operator<<<std::char_traits<char>>(refptr__ZSt4cout, "\u63a2\u59ec\u6b63\u5728\u75af\u72c2\u53e3\u7b97");\n printProgress();\n std::ostream::operator<<(refptr__ZSt4cout, refptr__ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_);\n if ( std::operator==<char>(v16, v15) )\n v13 = std::operator<<<std::char_traits<char>>(refptr__ZSt4cout, &unk_405208);\n else\n v13 = std::operator<<<std::char_traits<char>>(refptr__ZSt4cout, &unk_40522D);\n std::ostream::operator<<(v13, refptr__ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_);\n std::operator<<<std::char_traits<char>>(refptr__ZSt4cout, "\u6309 Enter \u952e\u9000\u51fa...");\n std::istream::get(refptr__ZSt3cin);\n std::string::~string(v15);\n std::string::~string(v16);\n std::string::~string(v17);\n return 0;\n}<\/code><\/pre>\n\u53ef\u4ee5\u770b\u89c1\u5f88\u660e\u663e\u7684base\u7cfb\u5217\u5b57\u7b26\u4e32\uff0c\u8fdb\u5165Encode\u51fd\u6570\u786e\u5b9a\u662fbase64\u7f16\u7801\uff0c\u7136\u540e\u76f4\u63a5\u53bb\u89e3\u7801\u53d1\u73b0\u4e0d\u5bf9\uff0c\u5e94\u8be5\u662f\u6362\u8868\u4e86
\n![\"\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/a>
\n\u627e\u5230base64\u7f16\u7801\u8868\u89e3\u5bc6\u5c31\u53ef\u4ee5\u4e86
\n<\/div><\/a><\/p>\nimport base64 \nimport string \n\nstr1 = "tgL0q1rgEZaZmdm0zwq4lweYzgeTngfHnI1ImMm5ltaXywnLowuYnJmWmx0=" #\u5f85\u89e3\u79d8\u5b57\u7b26\u4e32 \n\nstring1 = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+\/" #\u65b0\u8868 \nstring2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+\/" \n\nprint(base64.b64decode(str1.translate(str.maketrans(string1, string2)))) \n#b'LitCTF{03034ed8-a2da-4aa6-b2c9-01ace9e26301}'<\/code><\/pre>\nezpython\uff01\uff01\uff01\uff01\uff01<\/h3>\n
\u8fd9\u9898\u9700\u8981\u4f7f\u7528\u5bf9\u5e94\u7248\u672c\u7684python\u8fdb\u884c\u89e3\u5305\uff0c\u5426\u5219\u65e0\u6cd5\u89e3\u5305\u51fa\u5e93\u6587\u4ef6\u5bfc\u81f4\u89e3\u9898\u51fa\u73b0\u56f0\u96be<\/p>\n
\u4e0b\u8f7d\u9644\u4ef6\u53d1\u73b0\u662fpython\u6253\u5305\u7684exe\u6587\u4ef6\uff0c\u6211\u4eec\u4f7f\u7528pyinstxtractor\u89e3\u5305\uff0c\u8fd9\u662f\u4e00\u4e2agithub\u4e0a\u7684\u5f00\u6e90\u9879\u76ee\uff0c\u5404\u4f4d\u53ef\u4ee5\u81ea\u884c\u641c\u7d22<\/p>\n
\u6211\u4eec\u4f7f\u7528\u5176\u89e3\u5305\u4e4b\u540e\u5728\u7ebf\u53cd\u7f16\u8bd1<\/p>\n
#!\/usr\/bin\/env python\n#visit https:\/\/tool.lu\/pyc\/ for more information\n#Version: Python 3.11\n\nimport Litctfbase64\nflag = input('flag:')\nflag = Litctfbase64.b64decode(flag)\nif flag == 'X=3o4hx=0EZwf=mMv13gX=3o4hx=qje2ZjtgZQmEKXZog4==':\n print('win')\n return None\nprint('no')\n<\/code><\/pre>\n\u7ed3\u679c\u53d1\u73b0\u867d\u7136\u662fbase64\uff0c\u4f46\u662f\u5b83\u4f7f\u7528\u7684\u4e0d\u6b63\u5e38\u7684base64\u5e93\uff0c\u6211\u5728\u89e3\u5305\u51fa\u6765\u7684\u6587\u4ef6\u5939\u5bfb\u627e\u4e86\u5f88\u4e45\u6ca1\u6709\u627e\u5230\uff0c\u540e\u6765\u624d\u53d1\u73b0\u8fd9\u662fpython3.11\u7684\u6587\u4ef6\uff0c\u800c\u6211\u89e3\u5305\u4f7f\u7528\u7684\u5374\u662f3.12\uff0c\u6211\u4eec\u5207\u6362\u7248\u672c\u91cd\u65b0\u89e3\u5305\u5c31\u53ef\u4ee5\u5728PYZ-00.pyz_extracted\u6587\u4ef6\u5939\u627e\u5230Litctfbase64.pyc\uff0c\u53cd\u7f16\u8bd1\u53ef\u4ee5\u5f97\u5230BASE64_ALPHABET = '8kuWYm=1JiUPs7DT4x+X5tcqZKfGvA0gFLB6y3QbV2rNOlRdMwnEohjzSe9\/HIa-'<\/code>
\n\u5373\u65b0\u7684base64\u7f16\u7801\u8868\uff0c\u6b63\u5e38\u89e3\u7801\u5c31\u53ef\u4ee5\u4e86
\n<\/div><\/a><\/p>\nimport base64 \nimport string \n\nstr1 = "X=3o4hx=0EZwf=mMv13gX=3o4hx=qje2ZjtgZQmEKXZog4==" # \u5f85\u89e3\u79d8\u5b57\u7b26\u4e32 \n\nstring1 = "8kuWYm=1JiUPs7DT4x+X5tcqZKfGvA0gFLB6y3QbV2rNOlRdMwnEohjzSe9\/HIa-" # \u65b0\u8868 \nstring2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+\/" \n\nprint(base64.b64decode(str1.translate(str.maketrans(string1, string2)))) \n#b'LitCTF{61happy_LitCTF_nice_base64}\\x01\\x86'<\/code><\/pre>\nezrc4<\/h3>\n
\u4e0b\u8f7d\u9644\u4ef6\uff0cIDA\u6253\u5f00\u8fdbmain\u51fd\u6570<\/p>\n
int __fastcall main(int argc, const char **argv, const char **envp)\n{\n unsigned int v3; \/\/ esi\n unsigned int v4; \/\/ eax\n char Str[32]; \/\/ [rsp+20h] [rbp-168h] BYREF\n __int64 Buf1[2]; \/\/ [rsp+40h] [rbp-148h] BYREF\n int v8; \/\/ [rsp+50h] [rbp-138h]\n char v9; \/\/ [rsp+54h] [rbp-134h]\n char v10[296]; \/\/ [rsp+60h] [rbp-128h] BYREF\n\n _main(argc, argv, envp);\n IsDebuggerPresent_1();\n Buf1[0] = 0x606EA290DC7CB2D5i64;\n Buf1[1] = 0x3190B05971E41306i64;\n v8 = -685914190;\n v9 = 127;\n printf(" ___ ___ \\n");\n printf(" ___ ___ \/ \/\\\\ ___ \/ \/\\\\ \\n");\n printf(" \/ \/\\\\ \/ \/\\\\ \/ \/:\/ \/ \/\\\\ \/ \/:\/_ \\n");\n printf(" ___ ___ \/ \/:\/ \/ \/:\/ \/ \/:\/ \/ \/:\/ \/ \/:\/ \/\\\\\\n");\n printf(" \/__\/\\\\ \/ \/\\\\\/__\/::\\\\ \/ \/:\/ \/ \/:\/ ___ \/ \/:\/ \/ \/:\/ \/:\/\\n");\n printf(" \\\\ \\\\:\\\\ \/ \/:\/\\\\__\\\\\/\\\\:\\\\__ \/ \/::\\\\\/__\/:\/ \/ \/\\\\\/ \/::\\\\\/__\/:\/ \/:\/ \\n");\n printf(" \\\\ \\\\:\\\\ \/:\/ \\\\ \\\\::\/\\\\__\/:\/\\\\:\\\\ \\\\:\\\\ \/ \/:\/__\/:\/\\\\:\\\\ \\\\:\\\\\/:\/ \\n");\n printf(" \\\\ \\\\:\\\\\/:\/ \\\\__\\\\\/\\\\__\\\\\/ \\\\:\\\\ \\\\:\\\\ \/:\/\\\\__\\\\\/ \\\\:\\\\ \\\\::\/ \\n");\n printf(" \\\\ \\\\::\/ \/__\/:\/ \\\\ \\\\:\\\\ \\\\:\\\\\/:\/ \\\\ \\\\:\\\\ \\\\:\\\\ \\n");\n printf(" \\\\__\\\\\/ \\\\__\\\\\/ \\\\__\\\\\/\\\\ \\\\::\/ \\\\__\\\\\/\\\\ \\\\:\\\\ \\n");\n printf(" \\\\__\\\\\/ \\\\__\\\\\/ \\n");\n printf("\u6b22\u8fce\u6765\u5230litctf,\u8c22\u8c22\u4f60\u7684\u5230\u6765,\u4e0b\u9762\u9898\u76ee\u5c31\u6765\u54af\\n");\n printf(aCtf);\n printf(aRc4);\n printf(aRc4_0);\n printf("input flag:");\n scanf("%s21", Str);\n v3 = strlen(Str);\n v4 = strlen(key);\n rc4_init(v10, key, v4);\n rc4_crypt(v10, Str, v3);\n if ( !memcmp(Buf1, Str, 0x15ui64) )\n printf("win!!!!!!!!!!!!!!!!!!\\n");\n else\n printf("nonono\\n");\n return 0;\n}<\/code><\/pre>\n\u9898\u76ee\u8bf4\u4e86\u662fRC4\uff0c\u4f46\u662f\u6211\u6ca1\u770b\u89c1\u4e00\u4e9b\u6570\u636e\uff0c\u7ed9\u51fa\u4e86key\u4e3afenkey?<\/code>\uff0c\u60f3\u542f\u52a8\u52a8\u8c03\u518d\u770b\u770b\u7684\uff0c\u7ed3\u679c\u4e00\u542f\u52a8\u5c31\u95ea\u9000\uff0c\u53d1\u73b0\u4e3b\u51fd\u6570\u4e2d\u6709IsDebuggerPresent_1();\u53cd\u8c03\u8bd5\uff0c\u4e8e\u662f\u6211\u53bb\u5916\u9762\u628a\u5b83nop\u6389\uff0c\u8fd8\u662f\u542f\u52a8\u4e0d\u4e86
\n<\/div><\/a>
\n\u53d1\u73b0\u8fd8\u6709\u4e00\u4e2a\u51fd\u6570main_0\u8c03\u7528\u4e86\u53cd\u8c03\u8bd5\u51fd\u6570\uff0c\u7136\u540e\u6211\u53c8\u8fdb\u53bbnop\u4e86\u4e00\u5927\u5806\u7ed3\u679c\u8fd8\u662f\u8dd1\u4e0d\u8d77\u6765\uff0c\u53ea\u80fd\u7528\u53e6\u4e00\u79cd\u65b9\u6cd5\u4e86<\/p>\n\u5982\u679c\u4e86\u89e3\u4e00\u4e9b\u53cd\u8c03\u8bd5\u7684\u77e5\u8bc6\u5c31\u53ef\u4ee5\u77e5\u9053\uff0cIsDebuggerPresent\u51fd\u6570\u4f1a\u76f4\u63a5\u8bfb\u53d6PEB\uff08Process Environment Block\uff0c\u8fdb\u7a0b\u73af\u5883\u5757\uff09\u4e2d\u7684BeingDebugged\u5b57\u6bb5\uff0c\u7136\u540e\u901a\u8fc7jnz\u6307\u4ee4\u5b9e\u73b0\u8df3\u8f6c\uff0c\u56e0\u6b64\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u66f4\u6539\u5bc4\u5b58\u5668\u4e2d\u7684\u503c\u4f7f\u5176\u4e0d\u53d1\u751f\u9000\u51fa\u8fdb\u7a0b\u7684\u8df3\u8f6c<\/p>\n
<\/div><\/a><\/p>\n\u5728main_0\u51fd\u6570\u4e2d\u4e0b\u4e00\u4e2a\u65ad\u70b9\uff0c\u5355\u6b65\u6267\u884c\u5230jnz\u6307\u4ee4
\n<\/div><\/a><\/p>\n\u8fd9\u65f6\u5c06ZF\u5bc4\u5b58\u5668\u7684\u503c\u6539\u4e3a1\u5c31\u53ef\u4ee5\u8d70\u5165\u5de6\u8fb9\u7684\u5206\u652f\u4ece\u800c\u907f\u514d\u89e6\u53d1exit<\/p>\n
\u518d\u4e00\u76f4\u7ee7\u7eed\u5355\u6b65\u76f4\u5230\u8d70\u5230main\u51fd\u6570
\n<\/div><\/a><\/p>\n\u5728\u8fd9F7\u6b65\u5165\u51fd\u6570
\n<\/div><\/a><\/p>\n\u518d\u5355\u6b65\u8fdb\u53cd\u8c03\u8bd5\u51fd\u6570\u91cd\u590d\u4e0a\u8ff0\u64cd\u4f5c\u7ed5\u8fc7\u53cd\u8c03\u8bd5<\/p>\n
\u5176\u5b9e\u4e0d\u7528\u7ed5\u8fc7\u4e3b\u51fd\u6570\u4e2d\u7684\u8fd9\u4e2a\u53cd\u8c03\u8bd5\u597d\u50cf\u4e5f\u53ef\u4ee5\u5199<\/p>\n
\u6211\u4eec\u5c31\u53ef\u4ee5\u53d1\u73b0\u771f\u6b63\u7684key\u5176\u5b9e\u662flitctf!<\/code>\uff0c\u8fd9\u65f6\u518d\u63d0\u51fa\u5bc6\u6587Buf1<\/p>\n<\/div><\/a><\/p>\n\u5c31\u53ef\u4ee5\u8fdb\u884c\u89e3\u5bc6\u4e86
\n<\/div><\/a><\/p>\nhello_upx<\/h3>\n
\u9898\u76ee\u540d\u5c31\u53ebupx\uff0c\u8fd9\u9898\u80af\u5b9a\u8003\u5bdf\u7684\u662fupx\u58f3\uff0c\u4e0b\u8f7d\u9644\u4ef6\u4e4b\u540e\u7528upx\u5de5\u5177\u53d1\u73b0\u8131\u58f3\u5931\u8d25\uff0c\u6587\u4ef6\u88ab\u4fee\u6539\u4e86\uff0c\u4e8e\u662f\u6253\u5f00010
\n\u9700\u8981\u4fee\u6539\u4e0b\u9762\u7684\u56db\u4e2a\u5730\u65b9\uff0c\u51fa\u9898\u4eba\u5c06\u5927\u5199\u7684UPX\u6539\u6210\u4e86\u5c0f\u5199\u7684(\u4e0d\u77e5\u9053\u6211\u8fd9\u91cc\u4e3a\u4ec0\u4e48U\u548cu\u663e\u793a\u7684\u90fd\u662f\u4e71\u7801)\uff0c\u6211\u4eec\u5c0616\u8fdb\u5236\u5b57\u8282\u7801\u6539\u6210UPX\u5bf9\u5e94\u768416\u8fdb\u5236ASCII\u5c31\u53ef\u4ee5\u4e86
\n<\/div><\/a>
\n\u4fee\u6539\u5b8c\u4e4b\u540e\u7528IDA\u6253\u5f00\uff0c\u8fdb\u53bb\u5c31\u662fmain\u51fd\u6570<\/p>\nint __fastcall main(int argc, const char **argv, const char **envp)\n{\n __int64 v4[3]; \/\/ [rsp+20h] [rbp-50h]\n __int16 v5; \/\/ [rsp+38h] [rbp-38h]\n char v6[40]; \/\/ [rsp+40h] [rbp-30h] BYREF\n int v7; \/\/ [rsp+68h] [rbp-8h]\n int i; \/\/ [rsp+6Ch] [rbp-4h]\n\n _main();\n v4[0] = 0x707541504072684Ci64;\n v4[1] = 0x655158612559632Bi64;\n v4[2] = 0x4F5E4E601E5A4E20i64;\n v5 = 101;\n v7 = 1;\n printf("welcome to LitCTF2024\\nplease inputs you flag:");\n scanf("%s", v6);\n for ( i = 0; i <= 24; ++i )\n v6[i] -= i;\n for ( i = 0; i <= 24; ++i )\n {\n if ( *(v4 + i) != v6[i] )\n v7 = 0;\n }\n if ( v7 )\n printf(aGood);\n else\n printf("nononononno!");\n return 0;\n}<\/code><\/pre>\n\u6211\u4eec\u63d0\u53d6\u51fav4\u7684\u6570\u636e\u5199\u811a\u672c\u5c31\u53ef\u4ee5\u5f97\u5230flag<\/p>\n
str = [0x4C, 0x68, 0x72, 0x40, 0x50, 0x41, 0x75, 0x70, 0x2B, 0x63, \n 0x59, 0x25, 0x61, 0x58, 0x51, 0x65, 0x20, 0x4E, 0x5A, 0x1E, \n 0x60, 0x4E, 0x5E, 0x4F, 0x65] \nflag = "" \nfor i in range(25): \n flag += chr(str[i] + i) \nprint(flag) \n#LitCTF{w3lc0me_t0_l1tctf}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"\u8fd9\u9898\u76ee\u592aez\u4e86\uff0c\u6ca1\u4ec0\u4e48\u597d\u770b\u7684<\/p>\n","protected":false},"author":1,"featured_media":329,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-328","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-re"],"_links":{"self":[{"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/posts\/328","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/comments?post=328"}],"version-history":[{"count":1,"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/posts\/328\/revisions"}],"predecessor-version":[{"id":340,"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/posts\/328\/revisions\/340"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/media\/329"}],"wp:attachment":[{"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/media?parent=328"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/categories?post=328"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/noobxiaomeng.top\/index.php\/wp-json\/wp\/v2\/tags?post=328"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/06\/Pasted-image-20240601163821.png\")
<\/div><\/a>