![\"\"](\"https:\/\/noobxiaomeng.top\/wp-content\/uploads\/2024\/11\/Pasted-image-20240208160117.png\")
<\/div><\/a><\/p>\n\u4f7f\u7528IDA\u6253\u5f00\uff0c\u8fdb\u5165main\u51fd\u6570<\/p>\n
int __fastcall main(int argc, const char **argv, const char **envp)\n{\n int b; \/\/ [rsp+28h] [rbp-8h] BYREF\n int a; \/\/ [rsp+2Ch] [rbp-4h] BYREF\n\n _main();\n scanf("%d%d", &a, &b);\n if ( a == b )\n printf("flag{this_Is_a_EaSyRe}");\n else\n printf("sorry,you can't get flag");\n return 0;\n}<\/code><\/pre>\n\u76f4\u63a5\u5c31\u6709flag<\/p>\n
reverse1<\/h3>\n
64\u4f4d\u65e0\u58f3\uff0cIDA\u6253\u5f00<\/p>\n
![\"\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/a><\/p>\n\u8fdb\u5165main\u51fd\u6570<\/p>\n
int __fastcall main_0(int argc, const char **argv, const char **envp)\n{\n char *v3; \/\/ rdi\n __int64 i; \/\/ rcx\n size_t v5; \/\/ rax\n char v7; \/\/ [rsp+0h] [rbp-20h] BYREF\n int j; \/\/ [rsp+24h] [rbp+4h]\n char Str1[224]; \/\/ [rsp+48h] [rbp+28h] BYREF\n __int64 v10; \/\/ [rsp+128h] [rbp+108h]\n\n v3 = &v7;\n for ( i = 82i64; i; --i )\n {\n *(_DWORD *)v3 = -858993460;\n v3 += 4;\n }\n for ( j = 0; ; ++j )\n {\n v10 = j;\n if ( j > j_strlen(Str2) )\n break;\n if ( Str2[j] == 'o' )\n Str2[j] = '0';\n }\n sub_1400111D1("input the flag:");\n sub_14001128F("%20s", Str1);\n v5 = j_strlen(Str2);\n if ( !strncmp(Str1, Str2, v5) )\n sub_1400111D1("this is the right flag!\\n");\n else\n sub_1400111D1("wrong flag\\n");\n return 0;\n}<\/code><\/pre>\n\u67e5\u770bStr2<\/p>\n
Str2 db '{hello_world}',0<\/code><\/pre>\n\u5c06Str2\u4e2d\u7684o\u66ff\u6362\u62100\uff1aflag{hell0_w0rld}<\/p>\n
reverse2<\/h3>\n
64\u4f4d\u7684ELF\u6587\u4ef6<\/p>\n
<\/div><\/a><\/p>\n\u7528IDA\u6253\u5f00\uff0c\u8fdb\u5165main\u51fd\u6570<\/p>\n
int __fastcall main(int argc, const char **argv, const char **envp)\n{\n int stat_loc; \/\/ [rsp+4h] [rbp-3Ch] BYREF\n int i; \/\/ [rsp+8h] [rbp-38h]\n __pid_t pid; \/\/ [rsp+Ch] [rbp-34h]\n char s2[24]; \/\/ [rsp+10h] [rbp-30h] BYREF\n unsigned __int64 v8; \/\/ [rsp+28h] [rbp-18h]\n\n v8 = __readfsqword(0x28u);\n pid = fork();\n if ( pid )\n {\n waitpid(pid, &stat_loc, 0);\n }\n else\n {\n for ( i = 0; i <= strlen(&flag); ++i )\n {\n if ( *(&flag + i) == 'i' || *(&flag + i) == 'r' )\n *(&flag + i) = '1';\n }\n }\n printf("input the flag:");\n __isoc99_scanf("%20s", s2);\n if ( !strcmp(&flag, s2) )\n return puts("this is the right flag!");\n else\n return puts("wrong flag!");\n}<\/code><\/pre>\n\u67e5\u770bif\u6bd4\u8f83\u5904\u7684&flag\uff1a<\/p>\n
.data:0000000000601080 flag db '{' ; DATA XREF: main+34\u2191r\n.data:0000000000601080 ; main+44\u2191r ...\n.data:0000000000601081 aHackingForFun db 'hacking_for_fun}',0<\/code><\/pre>\n\u5c06flag\u4e2d\u7684\u2018i\u2019\u548c\u2018r\u2019\u66ff\u6362\u62101\uff1aflag{hack1ng_fo1_fun}<\/p>\n
\u5185\u6db5\u7684\u8f6f\u4ef6<\/h3>\n
\u4e0b\u8f7d\u9644\u4ef6\uff0c32\u4f4d\u65e0\u58f3exe\uff0c\u8fdb\u5165IDA\u540e\u67e5\u627e\u5b57\u7b26\u4e32+\u4ea4\u53c9\u5f15\u7528\u76f4\u63a5\u5c31\u80fd\u770b\u89c1flag<\/p>\n
int __cdecl main_0(int argc, const char **argv, const char **envp)\n{\n char v4[4]; \/\/ [esp+4Ch] [ebp-Ch] BYREF\n const char *v5; \/\/ [esp+50h] [ebp-8h]\n int v6; \/\/ [esp+54h] [ebp-4h]\n\n v6 = 5;\n v5 = "DBAPP{49d3c93df25caad81232130f3d2ebfad}";\n while ( v6 >= 0 )\n {\n printf(&byte_4250EC, v6);\n sub_40100A();\n --v6;\n }\n printf(asc_425088);\n v4[0] = 1;\n scanf("%c", v4);\n if ( v4[0] == 'Y' )\n {\n printf(aOd);\n return sub_40100A();\n }\n else\n {\n if ( v4[0] == 'N' )\n printf(&byte_425034);\n else\n printf(&byte_42501C);\n return sub_40100A();\n }\n}<\/code><\/pre>\n\u65b0\u5e74\u5feb\u4e50<\/h3>\n
\u4e0b\u8f7d\u9644\u4ef6\uff0c\u53d1\u73b0\u662f\u4e00\u4e2a32\u4f4d\u5e26\u6709UPX\u58f3\u7684\u7a0b\u5e8f\uff0c\u4f7f\u7528\u5de5\u5177\u8131\u58f3\u540e\u8fdb\u5165IDA<\/p>\n
int __cdecl main(int argc, const char **argv, const char **envp)\n{\n char Str2[14]; \/\/ [esp+12h] [ebp-3Ah] BYREF\n char Str1[44]; \/\/ [esp+20h] [ebp-2Ch] BYREF\n\n __main();\n strcpy(Str2, "HappyNewYear!");\n memset(Str1, 0, 32);\n printf("please input the true flag:");\n scanf("%s", Str1);\n if ( !strncmp(Str1, Str2, strlen(Str2)) )\n return puts("this is true flag!");\n else\n return puts("wrong!");\n}<\/code><\/pre>\nStr2\u5c31\u662f\u6211\u4eec\u7684flag\uff1aflag{HappyNewYear!}<\/p>\n
xor<\/h3>\n
64\u4f4d\u65e0\u58f3\uff0c\u4ece\u540d\u5b57\u5c31\u53ef\u4ee5\u770b\u51fa\u8fd9\u9898\u6d89\u53ca\u5230\u5f02\u6216\u8fd0\u7b97\uff0c\u7528IDA\u6253\u5f00<\/p>\n
int __fastcall main(int argc, const char **argv, const char **envp)\n{\n int i; \/\/ [rsp+2Ch] [rbp-124h]\n char __b[264]; \/\/ [rsp+40h] [rbp-110h] BYREF\n\n memset(__b, 0, 0x100uLL);\n printf("Input your flag:\\n");\n get_line(__b, 256LL);\n if ( strlen(__b) != 33 )\n goto LABEL_7;\n for ( i = 1; i < 33; ++i )\n __b[i] ^= __b[i - 1];\n if ( !strncmp(__b, global, 0x21uLL) )\n printf("Success");\n else\nLABEL_7:\n printf("Failed");\n return 0;<\/code><\/pre>\n\u4e0d\u96be\u770b\u51fa\u6211\u4eec\u7684\u8f93\u5165\u4ece\u7b2c\u4e8c\u4f4d\u5f00\u59cb\u6bcf\u4e00\u4f4d\u90fd\u4e0e\u524d\u4e00\u4f4d\u505a\u5f02\u6216\u8fd0\u7b97\uff0c\u7136\u540e\u4e0eglobal\u4f5c\u6bd4\u8f83<\/p>\n
\u67e5\u770bglobal\u7684\u503c\uff1a<\/p>\n
__cstring:0000000100000F6E aFKWOXZUPFVMDGH db 'f',0Ah ; DATA XREF: __data:_global\u2193o\n__cstring:0000000100000F70 db 'k',0Ch,'w&O.@',11h,'x',0Dh,'Z;U',11h,'p',19h,'F',1Fh,'v"M#D',0Eh,'g'\n__cstring:0000000100000F89 db 6,'h',0Fh,'G2O',0<\/code><\/pre>\n\u5199\u51fa\u89e3\u5bc6\u811a\u672c\uff1a<\/p>\n
num=[0x66, 0x0A, 0x6B, 0x0C, 0x77, 0x26, 0x4F, 0x2E, 0x40, 0x11, \n 0x78, 0x0D, 0x5A, 0x3B, 0x55, 0x11, 0x70, 0x19, 0x46, 0x1F, \n 0x76, 0x22, 0x4D, 0x23, 0x44, 0x0E, 0x67, 0x06, 0x68, 0x0F, \n 0x47, 0x32, 0x4F,] \nflag="f" \nfor i in range(1,33): \n flag+=chr(num[i]^num[i-1]) \nprint(flag)<\/code><\/pre>\nflag{QianQiuWanDai_YiTongJiangHu}<\/p>\n
reverse3<\/h3>\n
32\u4f4d\u65e0\u58f3\uff0cIDA\u6253\u5f00<\/p>\n
int __cdecl main_0(int argc, const char **argv, const char **envp)\n{\n size_t v3; \/\/ eax\n const char *v4; \/\/ eax\n size_t v5; \/\/ eax\n char v7; \/\/ [esp+0h] [ebp-188h]\n char v8; \/\/ [esp+0h] [ebp-188h]\n signed int j; \/\/ [esp+DCh] [ebp-ACh]\n int i; \/\/ [esp+E8h] [ebp-A0h]\n signed int v11; \/\/ [esp+E8h] [ebp-A0h]\n char Destination[108]; \/\/ [esp+F4h] [ebp-94h] BYREF\n char Str[28]; \/\/ [esp+160h] [ebp-28h] BYREF\n char v14[8]; \/\/ [esp+17Ch] [ebp-Ch] BYREF\n\n for ( i = 0; i < 100; ++i )\n {\n if ( (unsigned int)i >= 0x64 )\n j____report_rangecheckfailure();\n Destination[i] = 0; \/\/ \u521d\u59cb\u5316\n }\n sub_41132F("please enter the flag:", v7);\n sub_411375("%20s", (char)Str);\n v3 = j_strlen(Str);\n v4 = (const char *)sub_4110BE(Str, v3, v14); \/\/ \u8fd9\u91cc\u662f\u4e2aBase64\u52a0\u5bc6\n strncpy(Destination, v4, 0x28u);\n v11 = j_strlen(Destination);\n for ( j = 0; j < v11; ++j )\n Destination[j] += j;\n v5 = j_strlen(Destination);\n if ( !strncmp(Destination, Str2, v5) ) \/\/ \u6bd4\u8f83\u7ed3\u679c\n sub_41132F("rigth flag!\\n", v8);\n else\n sub_41132F("wrong flag!\\n", v8);\n return 0;\n}<\/code><\/pre>\n\u53d1\u73b0sub_4110BE\u51fd\u6570\u662f\u4e2aBase64\u52a0\u5bc6\uff0c\u540c\u65f6\u67e5\u627e\u5b57\u7b26\u4e32<\/p>\n
<\/div><\/a><\/p>\n\u5f88\u660e\u663e\u80fd\u770b\u89c1base64input\u548cbase64\u7801\u8868\uff0c\u4e8e\u662f\u67e5\u770bStr2\u7684\u503c<\/p>\n
.data:0041A034 Str2 db 'e3nifIH9b_C@n@dH',0 ; DATA XREF: _main_0+142\u2191o<\/code><\/pre>\n\u5199\u51fa\u6c42\u89e3\u811a\u672c\uff1a<\/p>\n
import base64 \n\n# \u8981\u89e3\u7801\u7684 Base64 \u7f16\u7801\u6587\u672c \nencoded_text = "" \n\nStr="e3nifIH9b_C@n@dH" \nfor i in range(16): \n encoded_text+=chr(ord(Str[i])-i) \n\n# \u4f7f\u7528 base64 \u6a21\u5757\u8fdb\u884c\u89e3\u7801 \ndecoded_bytes = base64.b64decode(encoded_text) \n\n# \u6253\u5370\u89e3\u7801\u7ed3\u679c \nprint(decoded_bytes)\n\n#b'{i_l0ve_you}'<\/code><\/pre>\nflag{i_l0ve_you}<\/p>\n
helloword<\/h3>\n
\u4e0b\u8f7d\u9644\u4ef6\uff0c\u662f\u4e2a.apk\u6587\u4ef6\uff0c\u4e5f\u5c31\u662f\u6211\u4eec\u5e38\u8bf4\u7684\u5b89\u5353\uff0c\u4f7f\u7528JEB\u6253\u5f00<\/p>\n
<\/div><\/a><\/p>\n\u8fdb\u5230\u4e3b\u51fd\u6570\u91cc\u9762\uff0c\u8fd8\u53ef\u4ee5\u6309tab\u952e\u67e5\u770b\u4ee3\u7801\uff1a<\/p>\n
package com.example.helloword;\n\nimport android.os.Bundle;\nimport android.support.v7.app.ActionBarActivity;\nimport android.view.Menu;\nimport android.view.MenuItem;\n\npublic class MainActivity extends ActionBarActivity {\n public MainActivity() {\n super();\n }\n\n protected void onCreate(Bundle arg5) {\n super.onCreate(arg5);\n this.setContentView(0x7F030018);\n "flag{7631a988259a00816deda84afb29430a}".compareTo("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");\n }\n\n public boolean onCreateOptionsMenu(Menu arg3) {\n this.getMenuInflater().inflate(0x7F0C0000, arg3);\n return 1;\n }\n\n public boolean onOptionsItemSelected(MenuItem arg3) {\n boolean v1 = arg3.getItemId() == 0x7F05003C ? true : super.onOptionsItemSelected(arg3);\n return v1;\n }\n}<\/code><\/pre>\nflag\u76f4\u63a5\u5c31\u51fa\u6765\u4e86<\/p>\n
\u4e0d\u4e00\u6837\u7684flag<\/h3>\n
<\/div><\/a><\/p>\n\u9898\u76ee\u5df2\u7ecf\u7ed9\u4e86\u63d0\u793a\uff0c\u4e0b\u8f7d\u9644\u4ef6\u770b\u770b<\/p>\n
\u65e0\u58f3\uff0c32\u4f4d\uff0c\u7528IDA\u6253\u5f00<\/p>\n
main\u51fd\u6570\u5982\u4e0b<\/p>\n
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)\n{\n _BYTE v3[29]; \/\/ [esp+17h] [ebp-35h] BYREF\n int v4; \/\/ [esp+34h] [ebp-18h]\n int v5; \/\/ [esp+38h] [ebp-14h] BYREF\n int i; \/\/ [esp+3Ch] [ebp-10h]\n _BYTE v7[12]; \/\/ [esp+40h] [ebp-Ch] BYREF\n\n __main();\n v3[26] = 0; \/\/ \u521d\u59cb\u5316\n *(_WORD *)&v3[27] = 0;\n v4 = 0;\n strcpy(v3, "*11110100001010000101111#"); \/\/ \u5730\u56fe\n while ( 1 )\n {\n puts("you can choose one action to execute");\/\/ \u5206\u522b\u4ee3\u8868\u4e0a\u4e0b\u5de6\u53f3\n puts("1 up");\n puts("2 down");\n puts("3 left");\n printf("4 right\\n:");\n scanf("%d", &v5);\n if ( v5 == 2 )\n {\n ++*(_DWORD *)&v3[25]; \/\/ [5][5]\u7684\u4e8c\u7ef4\u6570\u7ec4\uff0c\u7528\u4e8e\u6784\u5efa\u5730\u56fe\n }\n else if ( v5 > 2 )\n {\n if ( v5 == 3 )\n {\n --v4;\n }\n else\n {\n if ( v5 != 4 )\nLABEL_13:\n exit(1);\n ++v4;\n }\n }\n else\n {\n if ( v5 != 1 )\n goto LABEL_13;\n --*(_DWORD *)&v3[25];\n }\n for ( i = 0; i <= 1; ++i )\n {\n if ( *(_DWORD *)&v3[4 * i + 25] >= 5u )\n exit(1);\n }\n if ( v7[5 * *(_DWORD *)&v3[25] - 41 + v4] == '1' )\/\/ \u78b0\u52301\u65f6\u5c31\u7ed3\u675f\n exit(1);\n if ( v7[5 * *(_DWORD *)&v3[25] - 41 + v4] == '#' )\/\/ \u7ed3\u675f\u4e8e#\n {\n puts("\\nok, the order you enter is the flag!");\n exit(0);\n }\n }\n}<\/code><\/pre>\n\u4e0d\u96be\u770b\u51fa\uff0c\u8fd9\u662f\u4e00\u4e2a\u8ff7\u5bab\u9898\uff0c\u5c06 *11110100001010000101111#<\/code> \u53d8\u6210\u4e00\u4e2a5*5<\/code>\u7684\u8ff7\u5bab\uff0c\u5982\u4e0b\uff1a<\/p>\n*1111\n01000\n01010\n00010\n1111#<\/code><\/pre>\n\u78b0\u52301\u5c31\u505c\u6b62\uff08\u5373\u8d700\u7684\u8def\u5f84\uff09\uff0c\u78b0\u5230#\u5c31\u5f97\u51faflag\uff08\u5373#\u4e3a\u51fa\u53e3\u5904\uff09<\/p>\n
\u5f97\u5230\u4e0b\u4e0b\u4e0b\u53f3\u53f3\u4e0a\u4e0a\u53f3\u53f3\u4e0b\u4e0b\u4e0b\uff0c\u5373222441144222<\/p>\n
\u6240\u4ee5flag\u5c31\u662fflag{222441144222}<\/p>\n
SimpleRev<\/h3>\n
64\u4f4dELF\uff0c\u7528IDA\u6253\u5f00<\/p>\n
\u4e3b\u51fd\u6570\uff1a<\/p>\n
int __fastcall __noreturn main(int argc, const char **argv, const char **envp)\n{\n int v3; \/\/ eax\n char v4; \/\/ [rsp+Fh] [rbp-1h]\n\n while ( 1 )\n {\n while ( 1 )\n {\n printf("Welcome to CTF game!\\nPlease input d\/D to start or input q\/Q to quit this program: ");\n v4 = getchar();\n if ( v4 != 'd' && v4 != 'D' )\n break;\n Decry("Welcome to CTF game!\\nPlease input d\/D to start or input q\/Q to quit this program: ", argv);\n }\n if ( v4 == 'q' || v4 == 'Q' )\n Exit("Welcome to CTF game!\\nPlease input d\/D to start or input q\/Q to quit this program: ", argv);\n puts("Input fault format!");\n v3 = getchar();\n putchar(v3);\n }\n}<\/code><\/pre>\n\u4e3b\u51fd\u6570\u6ca1\u4ec0\u4e48\u597d\u770b\u7684\uff0c\u4e3b\u8981\u770b\u4e3b\u51fd\u6570\u4e2d\u5f15\u7528\u7684Decry\u51fd\u6570<\/p>\n
\u8fdb\u5165Decry\u51fd\u6570\uff1a<\/p>\n
<\/div><\/a><\/p>\n\u6211\u4eec\u53ef\u4ee5\u770b\u89c1src\u548cv9\uff0c\u8fd9\u91cc\u9700\u8981\u6ce8\u610fx86\u7684\u5927\u5c0f\u7aef\u5e8f\u95ee\u9898\uff0c\u8f6c\u4e3a\u5b57\u7b26\u4e32\u4e4b\u540e\u5e94\u8be5\u53cd\u8f6c\u8fc7\u6765<\/p>\n
\u4e0b\u9762\u662f\u6574\u7406\u8fc7\u540e\u4e14\u52a0\u8fc7\u6ce8\u91ca\u7684Decry\u51fd\u6570\uff1a<\/p>\n
unsigned __int64 Decry()\n{\n char v1; \/\/ [rsp+Fh] [rbp-51h]\n int v2; \/\/ [rsp+10h] [rbp-50h]\n int v3; \/\/ [rsp+14h] [rbp-4Ch]\n int i; \/\/ [rsp+18h] [rbp-48h]\n int v5; \/\/ [rsp+1Ch] [rbp-44h]\n char src[8]; \/\/ [rsp+20h] [rbp-40h] BYREF\n __int64 v7; \/\/ [rsp+28h] [rbp-38h]\n int v8; \/\/ [rsp+30h] [rbp-30h]\n __int64 v9[2]; \/\/ [rsp+40h] [rbp-20h] BYREF\n int v10; \/\/ [rsp+50h] [rbp-10h]\n unsigned __int64 v11; \/\/ [rsp+58h] [rbp-8h]\n\n v11 = __readfsqword(0x28u);\n *(_QWORD *)src = 'SLCDN'; \/\/ NDCLS\n v7 = 0LL;\n v8 = 0;\n v9[0] = 'wodah'; \/\/ hadow\n v9[1] = 0LL;\n v10 = 0;\n text = (char *)join(key3, v9); \/\/ key3="kills" text=key3+v9\n strcpy(key, key1); \/\/ key1="ADSFK"\n strcat(key, src); \/\/ key=key1+src\n v2 = 0;\n v3 = 0;\n getchar();\n v5 = strlen(key);\n for ( i = 0; i < v5; ++i )\n {\n if ( key[v3 % v5] > '@' && key[v3 % v5] <= 'Z' )\/\/ \u5982\u679ckey[]\u4e3a\u5927\u5199\u5b57\u6bcd\n key[i] = key[v3 % v5] + 32; \/\/ \u5c06key\u4e2d\u7684\u5927\u5199\u5b57\u6bcd\u53d8\u4e3a\u5c0f\u5199\u5b57\u6bcd\n ++v3;\n }\n printf("Please input your flag:");\n while ( 1 )\n {\n v1 = getchar();\n if ( v1 == 10 )\n break;\n if ( v1 == 32 )\n {\n ++v2;\n }\n else\n {\n if ( v1 <= '`' || v1 > 'z' )\n {\n if ( v1 > '@' && v1 <= 'Z' )\n {\n str2[v2] = (v1 - 39 - key[v3 % v5] + 97) % 26 + 97;\n ++v3;\n }\n }\n else\n {\n str2[v2] = (v1 - 39 - key[v3 % v5] + 97) % 26 + 97;\/\/ \u4e3b\u8981\u52a0\u5bc6\u8fc7\u7a0b\n ++v3;\n }\n if ( !(v3 % v5) )\n putchar(32);\n ++v2;\n }\n }\n if ( !strcmp(text, str2) ) \/\/ \u6bd4\u8f83text\u4e8estr2\uff0c\u5176\u4e2dtext\u6211\u4eec\u5df2\u7ecf\u77e5\u9053\uff0cstr2\u53ef\u4ee5\u7531key\u5f97\u51fa\n puts("Congratulation!\\n");\n else\n puts("Try again!\\n");\n return __readfsqword(0x28u) ^ v11;\n}<\/code><\/pre>\n\u5199\u51fa\u7206\u7834\u811a\u672c\uff1a<\/p>\n
#include<stdio.h> \n\nint main()\n{\n char key[] = "adsfkndcls";\n char text[] = "killshadow";\n int i;\n int v3=10;\/\/\u957f\u5ea6 \n for (int i = 0; i < 10; i++)\n {\n for (int j = 0; j < 128; j++)\n {\n if (j < 'A' || j > 'z' || j > 'Z' && j < 'a') \/\/\u9650\u5236\u5728\u5b57\u6bcd\u5185\u7206\u7834 \n {\n continue;\n }\n if ((j - 39 - key[v3 % 10] + 97) % 26 + 97 == text[i]) \/\/\u6ee1\u8db3\u5224\u65ad\u6761\u4ef6\u5219\u8f93\u51fa \n {\n printf("%c",j);\n v3++;\n break;\n }\n }\n }\n}\n<\/code><\/pre>\nflag{KLDQCUDFZO}<\/p>\n
[GXYCTF2019]luck_guy<\/h3>\n
ELF\u6587\u4ef6\uff0cIDA\u6253\u5f00\u8fdb\u5165main\u51fd\u6570\uff1a<\/p>\n
int __fastcall main(int argc, const char **argv, const char **envp)\n{\n int v4; \/\/ [rsp+14h] [rbp-Ch] BYREF\n unsigned __int64 v5; \/\/ [rsp+18h] [rbp-8h]\n\n v5 = __readfsqword(0x28u);\n welcome();\n puts("_________________");\n puts("try to patch me and find flag");\n v4 = 0;\n puts("please input a lucky number");\n __isoc99_scanf("%d", &v4);\n patch_me(v4);\n puts("OK,see you again");\n return 0;\n}<\/code><\/pre>\n\u8fdb\u5165patch_me\u51fd\u6570\uff0c\u518d\u8fdb\u5165get_flag\u51fd\u6570\uff1a<\/p>\n
unsigned __int64 get_flag()\n{\n unsigned int v0; \/\/ eax\n int i; \/\/ [rsp+4h] [rbp-3Ch]\n int j; \/\/ [rsp+8h] [rbp-38h]\n __int64 s; \/\/ [rsp+10h] [rbp-30h] BYREF\n char v5; \/\/ [rsp+18h] [rbp-28h]\n unsigned __int64 v6; \/\/ [rsp+38h] [rbp-8h]\n\n v6 = __readfsqword(0x28u);\n v0 = time(0LL);\n srand(v0);\n for ( i = 0; i <= 4; ++i )\n {\n switch ( rand() % 200 )\n {\n case 1:\n puts("OK, it's flag:");\n memset(&s, 0, 0x28uLL);\n strcat((char *)&s, f1); \/\/ f1="GXY{do_not_"\n strcat((char *)&s, &f2);\n printf("%s", (const char *)&s);\n break;\n case 2:\n printf("Solar not like you");\n break;\n case 3:\n printf("Solar want a girlfriend");\n break;\n case 4:\n s = 0x7F666F6067756369LL; \/\/\u6ce8\u610f\u5927\u5c0f\u7aef\n v5 = 0;\n strcat(&f2, (const char *)&s);\n break;\n case 5:\n for ( j = 0; j <= 7; ++j )\n {\n if ( j % 2 == 1 )\n *(&f2 + j) -= 2;\n else\n --*(&f2 + j);\n }\n break;\n default:\n puts("emmm,you can't find flag 23333");\n break;\n }\n }\n return __readfsqword(0x28u) ^ v6;\n}<\/code><\/pre>\n\u5df2\u77e5f1\uff0c\u518d\u901a\u8fc7s\u6c42\u51faf2\u7684\u503c\u62fc\u63a5\u5c31\u53ef\u4ee5\u5f97\u5230flag\u4e86<\/p>\n
exp<\/p>\n
s=[0x69,0x63,0x75,0x67,0x60,0x6F,0x66,0x7F] \nflag="" \nfor i in range(8): \n if i%2==1: \n s[i]=s[i]-2 \n else: \n s[i]=s[i]-1 \n flag+=chr(s[i]) \nprint(flag)<\/code><\/pre>\n\u8f93\u51fa\u7ed3\u679c\u4e3a\uff1ahate_me}<\/p>\n
\u6240\u4ee5flag=GXY{do_not_hate_me}<\/p>\n
Java\u9006\u5411\u89e3\u5bc6<\/h3>\n
\u4e0b\u8f7d\u9644\u4ef6\uff0c\u53d1\u73b0\u662f\u4e00\u4e2a.class\u6587\u4ef6\uff0c\u6700\u5f00\u59cb\u6211\u7528JEB\u6253\u5f00\u53d1\u73b0\u770b\u4e0d\u4e86\uff0c\u7136\u540e\u770b\u770bwp\u4e0a\u90fd\u7528\u7684jadx\uff0c\u7136\u540e\u6211\u60f3\u8d77\u6765\u4e4b\u524d\u4e0b\u8fc7\uff0c\u5c31\u8bd5\u4e86\u8bd5\u7528jadx\u6253\u5f00\uff1a<\/p>\n
package defpackage;\n\nimport java.util.ArrayList;\n\nimport java.util.Scanner;\n\n\/* renamed from: Reverse reason: default package *\/\n\n\/* loaded from: Reverse.class *\/\n\npublic class Reverse {\n\n public static void main(String[] args) {\n\n Scanner s = new Scanner(System.in);\n\n System.out.println("Please input the flag \uff1a");\n\n String str = s.next();\n\n System.out.println("Your input is \uff1a");\n\n System.out.println(str);\n\n char[] stringArr = str.toCharArray();\n\n Encrypt(stringArr);\n\n }\n\n public static void Encrypt(char[] arr) {\n\n ArrayList<Integer> Resultlist = new ArrayList<>();\n\n for (char c : arr) {\n\n int result = (c + '@') ^ 32;\n\n Resultlist.add(Integer.valueOf(result));\n\n }\n\n int[] KEY = {180, 136, 137, 147, 191, 137, 147, 191, 148, 136, 133, 191, 134, 140, 129, 135, 191, 65};\n\n ArrayList<Integer> KEYList = new ArrayList<>();\n\n for (int i : KEY) {\n\n KEYList.add(Integer.valueOf(i));\n\n }\n\n System.out.println("Result:");\n\n if (Resultlist.equals(KEYList)) {\n\n System.out.println("Congratulations\uff01");\n\n } else {\n\n System.err.println("Error\uff01");\n\n }\n\n }\n\n}<\/code><\/pre>\n\u53d1\u73b0\u662fKEY\u52a0\u4e0a@\u7684ASCII\u7801\u518d\u4e0e32\u505a\u5f02\u6216\u8fd0\u7b97\u5f97\u5230flag\uff0c\u5f00\u59cb\u5199\u811a\u672c\uff1a<\/p>\n
flag="" \nkey=[180, 136, 137, 147, 191, 137, 147, 191, 148, 136, 133, 191, 134, 140, 129, 135, 191, 65] \nfor i in range(18): \n flag+=chr((key[i]-ord('@'))^32) \nprint(flag)<\/code><\/pre>\nThis_is_theflag<\/em>!<\/p>\n\u6700\u540e\u6362\u4e86\u4e2aJEB\uff0c\u53ef\u4ee5\u6253\u5f00\u4e86<\/p>\n
[BJDCTF2020]JustRE<\/h3>\n\u6cd5\u4e00\uff1a<\/h4>\n
\u4e0b\u8f7d\u9644\u4ef6\u4e4b\u540e\u70b9\u5f00\u8fd9\u4e2a\u7a0b\u5e8f\uff0c\u53d1\u73b0\u5b83\u5c45\u7136\u53ea\u9700\u8981\u70b9\u51fb\u5c31\u53ef\u4ee5\u5f97\u5230flag<\/p>\n
<\/div><\/a><\/p>\n32\u4f4d\u7684\u7a0b\u5e8f\uff0c\u7528IDA\u6253\u5f00\uff0c\u67e5\u627e\u5b57\u7b26\u4e32\u4e4b\u540e\u53ef\u4ee5\u4ea4\u53c9\u5f15\u7528\u5230\u5173\u952e\u51fd\u6570\uff1a<\/p>\n
INT_PTR __stdcall DialogFunc(HWND hWnd, UINT a2, WPARAM a3, LPARAM a4)\n{\n CHAR String[100]; \/\/ [esp+0h] [ebp-64h] BYREF\n\n if ( a2 != 272 )\n {\n if ( a2 != 273 )\n return 0;\n if ( (_WORD)a3 != 1 && (_WORD)a3 != 2 )\n {\n sprintf(String, Format, ++dword_4099F0);\n if ( dword_4099F0 == 19999 )\n {\n sprintf(String, " BJD{%d%d2069a45792d233ac}", 19999, 0);\n SetWindowTextA(hWnd, String);\n return 0;\n }\n SetWindowTextA(hWnd, String);\n return 0;\n }\n EndDialog(hWnd, (unsigned __int16)a3);\n }\n return 1;\n}<\/code><\/pre>\n\u5f88\u660e\u663e\u53ef\u4ee5\u770b\u89c1BJD\u5f00\u5934\u7684flag\uff0c\u518d\u7ed3\u5408\u540e\u9762\u768419999\u548c0\u5c31\u53ef\u4ee5\u5f97\u5230flag\u4e86<\/p>\n
\u6cd5\u4e8c\uff1a<\/h4>\n
\u7531\u4e8e\u8fd9\u9898\u592a\u8fc7\u7b80\u5355\uff0c\u505a\u5b8c\u4e4b\u540e\u6211\u7ee7\u7eed\u518d\u601d\u8003\u6709\u6ca1\u6709\u5176\u4ed6\u7684\u89e3\u6cd5\uff0c\u6700\u540e\u8fd8\u662f\u627e\u5230\u4e86<\/p>\n
\u57fa\u4e8e\u6cd5\u4e00\u4e2d\u7ed9\u51fa\u7684\u51fd\u6570\uff0c\u6211\u4eec\u53ef\u4ee5\u5206\u6790\u5f97\u51fa\u5f53\u6211\u4eec\u70b9\u51fb19999\u6b21\u65f6\u5c31\u53ef\u4ee5\u5f97\u5230flag\u4e86\uff0c\u4e8e\u662f\u5728\u90a3\u53e5if\u5224\u65ad\u662f\u5426\u70b9\u51fb19999\u6b21\u7684\u5730\u65b9\u4e0b\u4e00\u4e2a\u65ad\u70b9<\/p>\n
\u542f\u52a8\u52a8\u6001\u8c03\u8bd5\uff1a<\/p>\n
\u4e00\u8defF8\u8fd0\u884c\uff0c\u76f4\u5230\u51fa\u73b0\u8df3\u8f6c\u5904\u4e3a\u6b62<\/p>\n
<\/div><\/a><\/p>\n\u8fd9\u91cc\u53ef\u4ee5\u770b\u89c1\u6709\u4e2ajnz\uff0c\u6211\u4eec\u9700\u8981\u4f7f\u5176\u5f80\u5de6\u8fb9\u8d70\u8f93\u51faflag\uff0c\u4e8e\u662f\u60f3\u5230\u53ef\u4ee5\u66f4\u6539ZF\u5bc4\u5b58\u5668\u7684\u503c\uff0c\u4f7f\u5224\u65ad\u53ef\u4ee5\u901a\u8fc7<\/p>\n
<\/div><\/a><\/p>\n\u8fd9\u65f6F8\u5c31\u53ef\u4ee5\u770b\u89c1\u7a0b\u5e8f\u5f80\u4e0b\u8d70\u4e86\uff1a<\/p>\n
<\/div><\/a><\/p>\n\u7136\u540e\u7ee7\u7eedF8<\/p>\n
<\/div><\/a><\/p>\nflag\u5c31\u51fa\u6765\u4e86\uff01<\/p>\n
\u522e\u5f00\u6709\u5956<\/h3>\n
\u8fd9\u9898\u6d89\u53ca\u5230WindowsAPI\uff0c\u6211\u5c06\u5176\u4f5c\u4e3aBUUCTF\u7b2c\u4e00\u9875Windows\u9006\u5411\u7684\u6700\u540e\u4e00\u9898\u6765\u7ed9\u6211\u5b66\u4e60\u7684\u7b2c\u4e00\u4e2a\u9636\u6bb5\u5212\u4e0a\u4e00\u4e2a\u53e5\u53f7<\/p>\n
\u7528IDA\u6253\u5f00\uff0c\u80fd\u770b\u89c1\u5f88\u591aAPI\uff0c\u800c\u4e14\u6ca1\u627e\u5230\u4e3b\u51fd\u6570\uff0c\u67e5\u627e\u5b57\u7b26\u4e32\u770b\u770b<\/p>\n
<\/div><\/a><\/p>\n\u53d1\u73b0\u6709\u4e00\u4e2abase64\u8868\uff0c\u731c\u6d4b\u8fd9\u9898\u4e0ebase64\u52a0\u5bc6\u6709\u5173\uff0c\u8fd8\u770b\u89c1\u4e86\u4e0b\u9762\u7684U g3t 1T\uff01\uff0c\u8fd9\u4ee3\u8868\u7740\u5176\u6240\u5728\u4f4d\u7f6e\u5f88\u53ef\u80fd\u662f\u6211\u4eec\u8fd9\u9898\u7684\u4e3b\u903b\u8f91\u6240\u5728\u5730\uff0c\u4ea4\u53c9\u5f15\u7528\u5230\u8c03\u7528\u5b83\u7684\u51fd\u6570\uff1a<\/p>\n
INT_PTR __stdcall DialogFunc(HWND hDlg, UINT a2, WPARAM a3, LPARAM a4)\n{\n const char *v4; \/\/ esi\n const char *v5; \/\/ edi\n int v7[2]; \/\/ [esp+8h] [ebp-20030h] BYREF\n int v8; \/\/ [esp+10h] [ebp-20028h]\n int v9; \/\/ [esp+14h] [ebp-20024h]\n int v10; \/\/ [esp+18h] [ebp-20020h]\n int v11; \/\/ [esp+1Ch] [ebp-2001Ch]\n int v12; \/\/ [esp+20h] [ebp-20018h]\n int v13; \/\/ [esp+24h] [ebp-20014h]\n int v14; \/\/ [esp+28h] [ebp-20010h]\n int v15; \/\/ [esp+2Ch] [ebp-2000Ch]\n int v16; \/\/ [esp+30h] [ebp-20008h]\n CHAR String[65536]; \/\/ [esp+34h] [ebp-20004h] BYREF\n char v18[65536]; \/\/ [esp+10034h] [ebp-10004h] BYREF\n\n if ( a2 == 272 )\n return 1;\n if ( a2 != 273 )\n return 0;\n if ( (_WORD)a3 == 1001 )\n {\n memset(String, 0, 0xFFFFu);\n GetDlgItemTextA(hDlg, 1000, String, 0xFFFF);\n if ( strlen(String) == 8 )\n {\n v7[0] = 90;\n v7[1] = 74;\n v8 = 83;\n v9 = 69;\n v10 = 67;\n v11 = 97;\n v12 = 78;\n v13 = 72;\n v14 = 51;\n v15 = 110;\n v16 = 103;\n sub_4010F0(v7, 0, 10);\n memset(v18, 0, 0xFFFFu);\n v18[0] = String[5];\n v18[2] = String[7];\n v18[1] = String[6];\n v4 = (const char *)sub_401000(v18, strlen(v18));\n memset(v18, 0, 0xFFFFu);\n v18[1] = String[3];\n v18[0] = String[2];\n v18[2] = String[4];\n v5 = (const char *)sub_401000(v18, strlen(v18));\n if ( String[0] == v7[0] + 34\n && String[1] == v10\n && 4 * String[2] - 141 == 3 * v8\n && String[3] \/ 4 == 2 * (v13 \/ 9)\n && !strcmp(v4, "ak1w")\n && !strcmp(v5, "V1Ax") )\n {\n MessageBoxA(hDlg, "U g3t 1T!", "@_@", 0);\n }\n }\n return 0;\n }\n if ( (_WORD)a3 != 1 && (_WORD)a3 != 2 )\n return 0;\n EndDialog(hDlg, (unsigned __int16)a3);\n return 1;\n}<\/code><\/pre>\n\u4e0a\u9762\u7684API\u51fd\u6570\u548c\u5224\u65ad\u5b57\u7b26\u4e32\u4e0d\u7ba1\uff0c\u67e5\u770b\u8fd9\u6bb5\u51fd\u6570\u8c03\u7528\u7684\u7b2c\u4e00\u4e2a\u51fd\u6570 sub_4010F0()\uff1a<\/p>\n
int __cdecl sub_4010F0(int a1, int a2, int a3)\n{\n int result; \/\/ eax\n int i; \/\/ esi\n int v5; \/\/ ecx\n int v6; \/\/ edx\n\n result = a3;\n for ( i = a2; i <= a3; a2 = i )\n {\n v5 = 4 * i;\n v6 = *(4 * i + a1);\n if ( a2 < result && i < result )\n {\n do\n {\n if ( v6 > *(a1 + 4 * result) )\n {\n if ( i >= result )\n break;\n ++i;\n *(v5 + a1) = *(a1 + 4 * result);\n if ( i >= result )\n break;\n while ( *(a1 + 4 * i) <= v6 )\n {\n if ( ++i >= result )\n goto LABEL_13;\n }\n if ( i >= result )\n break;\n v5 = 4 * i;\n *(a1 + 4 * result) = *(4 * i + a1);\n }\n --result;\n }\n while ( i < result );\n }\nLABEL_13:\n *(a1 + 4 * result) = v6;\n sub_4010F0(a1, a2, i - 1);\n result = a3;\n ++i;\n }\n return result;\n}<\/code><\/pre>\n\u8fd9\u6bb5\u51fd\u6570\u5927\u81f4\u610f\u601d\u662f\u5c06v7\u6570\u7ec4\u4ece\u5c0f\u5230\u5927\u6392\u5217\uff0c\u5373ASCII\u7801\u6392\u5e8f\uff0c\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528\u811a\u672c\u5c06\u5176\u8fd8\u539f\uff1a<\/p>\n
#include <iostream>\n\nusing namespace std;\n\nvoid restore(int* num, int size) {\n for (int j = 0; j < size - 1; j++) {\n for (int i = 0; i < size - 1 - j; i++) {\n if (num[i] > num[i + 1]) {\n int temp = num[i];\n num[i] = num[i + 1];\n num[i + 1] = temp;\n }\n }\n }\n}\n\nint main() {\n int v7[11] = { 90, 74, 83, 69, 67, 97, 78, 72, 51, 110, 103 };\n restore(v7, 11);\n for (int i = 0; i < 11; i++) {\n cout << char(v7[i]);\n }\n return 0;\n}\n<\/code><\/pre>\n\u8f93\u51fa3CEHJNSZagn<\/code><\/p>\n\u518d\u5f80\u4e0b\u770b\u770b\u89c1\u4e00\u4e9b\u8d4b\u503c\u4ee5\u53ca\u8c03\u7528\u4e86\u4e24\u6b21sub_401000()\u51fd\u6570\u5bf9v4\u548cv5\u8fdb\u884c\u8d4b\u503c\uff0c\u800csub_401000()\u51fd\u6570\u662f\u4e00\u4e2abase64\u7f16\u7801\u51fd\u6570\uff0c\u56e0\u6b64\u5c06\u4e0b\u65b9\u7684v4\u548cv5\u89e3\u5bc6\uff1a<\/p>\n
v4="jMp"\uff0cv5="WP1"<\/p>\n
\u4f46\u662f\u7531\u4e8e\u524d\u9762\u7684\u5224\u65ad\u5b57\u7b26\u4e32\u957f\u5ea6\uff0cflag\u663e\u7136\u662f8\u4f4d\u7684\uff0c\u800c\u6211\u4eec\u89e3\u7801\u51fa\u6765\u53ea\u67096\u4f4d\uff0c\u56e0\u6b64\u8fd8\u8981\u5bfb\u627e\u4e24\u4e2a\u5b57\u7b26\u5e76\u4e14\u5bf9\u5b83\u4eec\u8fdb\u884c\u6392\u5e8f\uff0c\u8fd9\u65f6\u5019\u4e3b\u51fd\u6570\u4e2d\u7684\u6700\u540e\u90a3\u6bb5if\u663e\u7136\u5c31\u662f\u6211\u4eec\u5bfb\u627eflag\u7684\u5173\u952e\uff0cString\u6570\u7ec4\u4e3aflag<\/p>\n
String[0] == v7[0] + 34<\/code> flag\u7b2c\u4e00\u4f4d\u662f\u4e0a\u9762\u8f93\u51fa\u4e2d\u7b2c\u4e00\u4f4d\u7684ASCII\u7801\u52a0\u4e0a34\u7684\u5b57\u7b26\u537351+34="U"
\nString[1] == v10<\/code> flag\u7b2c\u4e8c\u4f4dv10\u662f\u4e0a\u9762\u8f93\u51fa\u7684\u7b2c5\u4f4d\u5373\u4e3a"J"
\n4 * String[2] - 141 == 3 * v8<\/code> flag\u7b2c\u4e09\u4f4d\u7684ASCII\u7801\u4e584\u51cf\u53bb141\u4e0e\u4e0a\u9762\u8f93\u51fa\u7684\u7b2c\u4e09\u4f4dv8\u4e583\u76f8\u7b49\uff0c\u5219flag\u7b2c\u4e09\u4f4d\u4e3a"W"<\/p>\n\u57fa\u4e8e\u4e0a\u8ff0\u5b57\u7b26\u53ef\u4ee5\u63a8\u65ad\uff0cString\u4e2d\u7684\u524d\u4e09\u4e2a\u5143\u7d20\u4e3a\u201dUJW\u201c\uff0c\u5219WP1\u5728jMp\u524d\u9762<\/p>\n
\u56e0\u6b64\u53ef\u4ee5\u5f97\u5230\uff0cString="UJWP1jMp"<\/p>\n
[ACTF\u65b0\u751f\u8d5b2020]easyre<\/h3>\n
\u672a\u9b54\u6539\u7684UPX\u58f3\uff0c\u5c31\u4e0d\u591a\u4ecb\u7ecd\u4e86<\/p>\n
int __cdecl main(int argc, const char **argv, const char **envp)\n{\n _BYTE v4[12]; \/\/ [esp+12h] [ebp-2Eh] BYREF\n _DWORD v5[3]; \/\/ [esp+1Eh] [ebp-22h]\n _BYTE v6[5]; \/\/ [esp+2Ah] [ebp-16h] BYREF\n int v7; \/\/ [esp+2Fh] [ebp-11h]\n int v8; \/\/ [esp+33h] [ebp-Dh]\n int v9; \/\/ [esp+37h] [ebp-9h]\n char v10; \/\/ [esp+3Bh] [ebp-5h]\n int i; \/\/ [esp+3Ch] [ebp-4h]\n\n __main();\n qmemcpy(v4, "*F'\\"N,\\"(I?+@", sizeof(v4));\n printf("Please input:");\n scanf("%s", v6);\n if ( v6[0] != 'A' || v6[1] != 'C' || v6[2] != 'T' || v6[3] != 'F' || v6[4] != '{' || v10 != '}' )\n return 0;\n v5[0] = v7;\n v5[1] = v8;\n v5[2] = v9;\n for ( i = 0; i <= 11; ++i )\n {\n if ( v4[i] != _data_start__[*((char *)v5 + i) - 1] )\n return 0;\n }\n printf("You are correct!");\n return 0;\n}<\/code><\/pre>\n\u903b\u8f91\u4e5f\u5f88\u6e05\u6670_data_start__\u662f\u4e00\u4e2a\u8868\uff0c\u76f4\u63a5\u6413\u811a\u672c<\/p>\n
v4 = [42, 70, 39, 34, 78, 44, 34, 40, 73, 63, 43, 64] #v4\u63d0\u51fa\u6765\u7684\u6570\u636e\nflag = ''\n__data_start__ = '~}|{zyxwvutsrqponmlkjihgfedcba`_^]\\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210\/.-,+*)(\\'&%$# !"' \nfor i in v4:\n flag = flag + chr(__data_start__.find(chr(i)) + 1)\n print(flag)<\/code><\/pre>\nflag{U9X_1S_W6@T?}<\/p>\n
\u7b80\u5355\u6ce8\u518c\u5668<\/h3>\n
\u4e0b\u8f7d\u9644\u4ef6\uff0c\u662f\u4e2aapk\uff0c\u7528JEB\u6253\u5f00\u770b\u770b\uff0c\u80fd\u76f4\u63a5\u770b\u5230main\uff0ctab\u770b\u770b\u4ee3\u7801<\/p>\n
package com.example.flag;\n\nimport android.os.Bundle;\nimport android.support.v4.app.Fragment;\nimport android.support.v7.app.ActionBarActivity;\nimport android.view.LayoutInflater;\nimport android.view.Menu;\nimport android.view.MenuItem;\nimport android.view.View.OnClickListener;\nimport android.view.View;\nimport android.view.ViewGroup;\nimport android.widget.Button;\nimport android.widget.EditText;\nimport android.widget.TextView;\n\npublic class MainActivity extends ActionBarActivity {\n public static class PlaceholderFragment extends Fragment {\n @Override \/\/ android.support.v4.app.Fragment\n public View onCreateView(LayoutInflater inflater, ViewGroup container, Bundle savedInstanceState) {\n return inflater.inflate(0x7F030018, container, false); \/\/ layout:fragment_main\n }\n }\n\n @Override \/\/ android.support.v7.app.ActionBarActivity\n protected void onCreate(Bundle savedInstanceState) {\n super.onCreate(savedInstanceState);\n this.setContentView(0x7F030017); \/\/ layout:activity_main\n if(savedInstanceState == null) {\n this.getSupportFragmentManager().beginTransaction().add(0x7F05003C, new PlaceholderFragment()).commit(); \/\/ id:container\n }\n\n Button button = (Button)this.findViewById(0x7F05003F); \/\/ id:button1\n TextView textview = (TextView)this.findViewById(0x7F05003E); \/\/ id:textView1\n button.setOnClickListener(new View.OnClickListener() {\n @Override \/\/ android.view.View$OnClickListener\n public void onClick(View v) {\n int flag = 1;\n String s = ((EditText)this.findViewById(0x7F05003D)).getText().toString(); \/\/ id:editText1\n if(s.length() != 0x20 || s.charAt(0x1F) != 97 || s.charAt(1) != 98 || s.charAt(0) + s.charAt(2) - 0x30 != 56) {\n flag = 0;\n }\n\n if(flag == 1) {\n char[] arr_c = "dd2940c04462b4dd7c450528835cca15".toCharArray();\n arr_c[2] = (char)(arr_c[2] + arr_c[3] - 50);\n arr_c[4] = (char)(arr_c[2] + arr_c[5] - 0x30);\n arr_c[30] = (char)(arr_c[0x1F] + arr_c[9] - 0x30);\n arr_c[14] = (char)(arr_c[27] + arr_c[28] - 97);\n int i;\n for(i = 0; i < 16; ++i) {\n char a = arr_c[0x1F - i];\n arr_c[0x1F - i] = arr_c[i];\n arr_c[i] = a;\n }\n\n textview.setText("flag{" + String.valueOf(arr_c) + "}");\n return;\n }\n\n textview.setText("\u8f93\u5165\u6ce8\u518c\u7801\u9519\u8bef");\n }\n });\n }\n\n @Override \/\/ android.app.Activity\n public boolean onCreateOptionsMenu(Menu menu) {\n this.getMenuInflater().inflate(0x7F0C0000, menu); \/\/ menu:main\n return true;\n }\n\n @Override \/\/ android.app.Activity\n public boolean onOptionsItemSelected(MenuItem item) {\n return item.getItemId() == 0x7F050040 ? true : super.onOptionsItemSelected(item); \/\/ id:action_settings\n }\n}\n<\/code><\/pre>\n\u663e\u7136\u4e2d\u95f4\u8fd9\u6bb5\u5c31\u662f\u4e3b\u903b\u8f91\uff1a<\/p>\n
<\/div><\/a><\/p>\n\u8bd5\u8bd5\u80fd\u4e0d\u80fd\u5199\u4e2a\u811a\u672c<\/p>\n
<\/div><\/a><\/p>\n\u6700\u5f00\u59cb\u5199\u51fa\u6765\u662f\u8fd9\u6837\uff0c\u53d1\u73b0\u8fd0\u884c\u62a5\u9519\u4e86\uff0c\u7136\u540e\u53bb\u67e5\u4e86\u4e00\u4e0b\uff0c\u5e94\u8be5\u662fstr\u7c7b\u578b\u7684\u95ee\u9898\uff0c\u8981\u5c06\u5176\u8f6c\u6362\u4e3a\u5217\u8868\u624d\u80fd\u8fdb\u884c\u6b63\u5e38\u7684\u8d4b\u503c\u8fd0\u7b97\uff0c\u91cd\u65b0\u5199\u811a\u672c\uff1a<\/p>\n
str=['d','d','2','9','4','0','c','0','4','4','6','2','b','4','d','d','7','c','4','5','0','5','2','8','8','3','5','c','c','a','1','5'] \na="" \nflag="" \nstr[2]=chr(ord(str[2])+ord(str[3])-50) \nstr[4]=chr(ord(str[2])+ord(str[5])-0x30) \nstr[30]=chr(ord(str[0x1F])+ord(str[9])-0x30) \nstr[14]=chr(ord(str[27])+ord(str[28])-97) \nfor i in range(16): \n a=str[0x1F-i] \n str[0x1F-i]=str[i] \n str[i]=a \nfor i in range(len(str)): \n flag+=chr(ord(str[i])) \nprint(flag)<\/code><\/pre>\n59acc538825054c7de4b26440c0999dd<\/code><\/p>\n[GWCTF 2019]pyre<\/h3>\n
\u4e0b\u8f7d\u4e0b\u6765\u662f\u4e00\u4e2apyc\u6587\u4ef6\uff0c\u76f4\u63a5\u7528\u5728\u7ebf\u7f51\u7ad9\u53cd\u7f16\u8bd1\u4e86<\/p>\n
#!\/usr\/bin\/env python\n# visit https:\/\/tool.lu\/pyc\/ for more information\n# Version: Python 2.7\n\nprint 'Welcome to Re World!'\nprint 'Your input1 is your flag~'\nl = len(input1)\nfor i in range(l):\n num = ((input1[i] + i) % 128 + 128) % 128\n code += num\n\nfor i in range(l - 1):\n code[i] = code[i] ^ code[i + 1]\n\nprint code\ncode = [\n '%1f',\n '%12',\n '%1d',\n '(',\n '0',\n '4',\n '%01',\n '%06',\n '%14',\n '4',\n ',',\n '%1b',\n 'U',\n '?',\n 'o',\n '6',\n '*',\n ':',\n '%01',\n 'D',\n ';',\n '%',\n '%13']<\/code><\/pre>\n\u6c42\u89e3\u811a\u672c\uff1a<\/p>\n
# \u5047\u8bbe\u7684\u52a0\u5bc6\u540e\u7684code\u5217\u8868\uff0c\u5c06\u7279\u6b8a\u683c\u5f0f\u8f6c\u6362\u4e3a\u5bf9\u5e94\u7684ASCII\u7801\nencrypted_code = [\n 0x1f, 0x12, 0x1d, ord('('), ord('0'), ord('4'), 0x01, 0x06,\n 0x14, ord('4'), ord(','), 0x1b, ord('U'), ord('?'), ord('o'),\n ord('6'), ord('*'), ord(':'), 0x01, ord('D'), ord(';'), ord('%'), 0x13]\n\n# \u7b2c\u4e00\u6b65\uff1a\u9006\u5411\u5f02\u6216\u64cd\u4f5c\noriginal_code = [0] * len(encrypted_code)\noriginal_code[-1] = encrypted_code[-1] # \u6700\u540e\u4e00\u4e2a\u5143\u7d20\u4e0d\u53d8\nfor i in range(len(encrypted_code) - 2, -1, -1):\n original_code[i] = encrypted_code[i] ^ original_code[i + 1]\n\n# \u7b2c\u4e8c\u6b65\uff1a\u9006\u5411\u8ba1\u7b97input1\ninput1 = [''] * len(original_code)\nfor i in range(len(original_code)):\n num = original_code[i]\n original_input1_i = (num - i) % 128\n input1[i] = chr(original_input1_i)\n\n# \u6253\u5370\u539f\u59cb\u8f93\u5165\nprint(''.join(input1))<\/code><\/pre>\nfindit<\/h3>\n
\u4f7f\u7528JEB\u770b\u770b\uff1a<\/p>\n
package com.example.findit;\n\nimport android.os.Bundle;\nimport android.support.v7.app.ActionBarActivity;\nimport android.view.MenuItem;\nimport android.view.View.OnClickListener;\nimport android.view.View;\nimport android.widget.Button;\nimport android.widget.EditText;\nimport android.widget.TextView;\n\npublic class MainActivity extends ActionBarActivity {\n @Override \/\/ android.support.v7.app.ActionBarActivity\n protected void onCreate(Bundle savedInstanceState) {\n super.onCreate(savedInstanceState);\n this.setContentView(0x7F030018); \/\/ layout:activity_main\n Button btn = (Button)this.findViewById(0x7F05003D); \/\/ id:widget3\n EditText edit = (EditText)this.findViewById(0x7F05003E); \/\/ id:widget2\n TextView text = (TextView)this.findViewById(0x7F05003F); \/\/ id:widget1\n btn.setOnClickListener(new View.OnClickListener() {\n @Override \/\/ android.view.View$OnClickListener\n public void onClick(View v) {\n char[] x = new char[17];\n char[] y = new char[38];\n int i;\n for(i = 0; i < 17; ++i) {\n if(new char[]{'T', 'h', 'i', 's', 'I', 's', 'T', 'h', 'e', 'F', 'l', 'a', 'g', 'H', 'o', 'm', 'e'}[i] < 73 && new char[]{'T', 'h', 'i', 's', 'I', 's', 'T', 'h', 'e', 'F', 'l', 'a', 'g', 'H', 'o', 'm', 'e'}[i] >= 65 || new char[]{'T', 'h', 'i', 's', 'I', 's', 'T', 'h', 'e', 'F', 'l', 'a', 'g', 'H', 'o', 'm', 'e'}[i] < 105 && new char[]{'T', 'h', 'i', 's', 'I', 's', 'T', 'h', 'e', 'F', 'l', 'a', 'g', 'H', 'o', 'm', 'e'}[i] >= 97) {\n x[i] = (char)(new char[]{'T', 'h', 'i', 's', 'I', 's', 'T', 'h', 'e', 'F', 'l', 'a', 'g', 'H', 'o', 'm', 'e'}[i] + 18);\n }\n else if(new char[]{'T', 'h', 'i', 's', 'I', 's', 'T', 'h', 'e', 'F', 'l', 'a', 'g', 'H', 'o', 'm', 'e'}[i] >= 65 && new char[]{'T', 'h', 'i', 's', 'I', 's', 'T', 'h', 'e', 'F', 'l', 'a', 'g', 'H', 'o', 'm', 'e'}[i] <= 90 || new char[]{'T', 'h', 'i', 's', 'I', 's', 'T', 'h', 'e', 'F', 'l', 'a', 'g', 'H', 'o', 'm', 'e'}[i] >= 97 && new char[]{'T', 'h', 'i', 's', 'I', 's', 'T', 'h', 'e', 'F', 'l', 'a', 'g', 'H', 'o', 'm', 'e'}[i] <= 0x7A) {\n x[i] = (char)(new char[]{'T', 'h', 'i', 's', 'I', 's', 'T', 'h', 'e', 'F', 'l', 'a', 'g', 'H', 'o', 'm', 'e'}[i] - 8);\n }\n else {\n x[i] = new char[]{'T', 'h', 'i', 's', 'I', 's', 'T', 'h', 'e', 'F', 'l', 'a', 'g', 'H', 'o', 'm', 'e'}[i];\n }\n }\n\n if(String.valueOf(x).equals(edit.getText().toString())) {\n int v1;\n for(v1 = 0; v1 < 38; ++v1) {\n if(new char[]{'p', 'v', 'k', 'q', '{', 'm', '1', '6', '4', '6', '7', '5', '2', '6', '2', '0', '3', '3', 'l', '4', 'm', '4', '9', 'l', 'n', 'p', '7', 'p', '9', 'm', 'n', 'k', '2', '8', 'k', '7', '5', '}'}[v1] >= 65 && new char[]{'p', 'v', 'k', 'q', '{', 'm', '1', '6', '4', '6', '7', '5', '2', '6', '2', '0', '3', '3', 'l', '4', 'm', '4', '9', 'l', 'n', 'p', '7', 'p', '9', 'm', 'n', 'k', '2', '8', 'k', '7', '5', '}'}[v1] <= 90 || new char[]{'p', 'v', 'k', 'q', '{', 'm', '1', '6', '4', '6', '7', '5', '2', '6', '2', '0', '3', '3', 'l', '4', 'm', '4', '9', 'l', 'n', 'p', '7', 'p', '9', 'm', 'n', 'k', '2', '8', 'k', '7', '5', '}'}[v1] >= 97 && new char[]{'p', 'v', 'k', 'q', '{', 'm', '1', '6', '4', '6', '7', '5', '2', '6', '2', '0', '3', '3', 'l', '4', 'm', '4', '9', 'l', 'n', 'p', '7', 'p', '9', 'm', 'n', 'k', '2', '8', 'k', '7', '5', '}'}[v1] <= 0x7A) {\n y[v1] = (char)(new char[]{'p', 'v', 'k', 'q', '{', 'm', '1', '6', '4', '6', '7', '5', '2', '6', '2', '0', '3', '3', 'l', '4', 'm', '4', '9', 'l', 'n', 'p', '7', 'p', '9', 'm', 'n', 'k', '2', '8', 'k', '7', '5', '}'}[v1] + 16);\n if(y[v1] > 90 && y[v1] < 97 || y[v1] >= 0x7A) {\n y[v1] = (char)(y[v1] - 26);\n }\n }\n else {\n y[v1] = new char[]{'p', 'v', 'k', 'q', '{', 'm', '1', '6', '4', '6', '7', '5', '2', '6', '2', '0', '3', '3', 'l', '4', 'm', '4', '9', 'l', 'n', 'p', '7', 'p', '9', 'm', 'n', 'k', '2', '8', 'k', '7', '5', '}'}[v1];\n }\n }\n\n text.setText(String.valueOf(y));\n return;\n }\n\n text.setText("\u7b54\u6848\u9519\u4e86\u80bf\u4e48\u529e\u3002\u3002\u3002\u4e0d\u7ed9\u4f60\u53c8\u4e0d\u597d\u610f\u601d\u3002\u3002\u3002\u54ce\u5440\u597d\u7ea0\u7ed3\u554a~~~");\n }\n });\n }\n\n @Override \/\/ android.app.Activity\n public boolean onOptionsItemSelected(MenuItem item) {\n return item.getItemId() == 0x7F050040 ? true : super.onOptionsItemSelected(item); \/\/ id:action_settings\n }\n}\n<\/code><\/pre>\n\u53d1\u73b0\u4ee3\u7801\u5f88\u4e71\uff0c\u518d\u7528jadx\u770b\u770b\uff1a<\/p>\n
package com.example.findit;\n\nimport android.os.Bundle;\n\nimport android.support.v7.app.ActionBarActivity;\n\nimport android.view.MenuItem;\n\nimport android.view.View;\n\nimport android.widget.Button;\n\nimport android.widget.EditText;\n\nimport android.widget.TextView;\n\n\/* loaded from: classes.dex *\/\n\npublic class MainActivity extends ActionBarActivity {\n\n \/* JADX INFO: Access modifiers changed from: protected *\/\n\n @Override \/\/ android.support.v7.app.ActionBarActivity, android.support.v4.app.FragmentActivity, android.app.Activity\n\n public void onCreate(Bundle savedInstanceState) {\n\n super.onCreate(savedInstanceState);\n\n setContentView(R.layout.activity_main);\n\n Button btn = (Button) findViewById(R.id.widget3);\n\n final EditText edit = (EditText) findViewById(R.id.widget2);\n\n final TextView text = (TextView) findViewById(R.id.widget1);\n\n final char[] a = {'T', 'h', 'i', 's', 'I', 's', 'T', 'h', 'e', 'F', 'l', 'a', 'g', 'H', 'o', 'm', 'e'};\n\n final char[] b = {'p', 'v', 'k', 'q', '{', 'm', '1', '6', '4', '6', '7', '5', '2', '6', '2', '0', '3', '3', 'l', '4', 'm', '4', '9', 'l', 'n', 'p', '7', 'p', '9', 'm', 'n', 'k', '2', '8', 'k', '7', '5', '}'};\n\n btn.setOnClickListener(new View.OnClickListener() { \/\/ from class: com.example.findit.MainActivity.1\n\n @Override \/\/ android.view.View.OnClickListener\n\n public void onClick(View v) {\n\n char[] x = new char[17];\n\n char[] y = new char[38];\n\n for (int i = 0; i < 17; i++) {\n\n if ((a[i] < 'I' && a[i] >= 'A') || (a[i] < 'i' && a[i] >= 'a')) {\n\n x[i] = (char) (a[i] + 18);\n\n } else if ((a[i] >= 'A' && a[i] <= 'Z') || (a[i] >= 'a' && a[i] <= 'z')) {\n\n x[i] = (char) (a[i] - '\\b');\n\n } else {\n\n x[i] = a[i];\n\n }\n\n }\n\n String m = String.valueOf(x);\n\n if (m.equals(edit.getText().toString())) {\n\n for (int i2 = 0; i2 < 38; i2++) {\n\n if ((b[i2] >= 'A' && b[i2] <= 'Z') || (b[i2] >= 'a' && b[i2] <= 'z')) {\n\n y[i2] = (char) (b[i2] + 16);\n\n if ((y[i2] > 'Z' && y[i2] < 'a') || y[i2] >= 'z') {\n\n y[i2] = (char) (y[i2] - 26);\n\n }\n\n } else {\n\n y[i2] = b[i2];\n\n }\n\n }\n\n String n = String.valueOf(y);\n\n text.setText(n);\n\n return;\n\n }\n\n text.setText("\u7b54\u6848\u9519\u4e86\u80bf\u4e48\u529e\u3002\u3002\u3002\u4e0d\u7ed9\u4f60\u53c8\u4e0d\u597d\u610f\u601d\u3002\u3002\u3002\u54ce\u5440\u597d\u7ea0\u7ed3\u554a~~~");\n\n }\n\n });\n\n }\n\n @Override \/\/ android.app.Activity\n\n public boolean onOptionsItemSelected(MenuItem item) {\n\n int id = item.getItemId();\n\n if (id == R.id.action_settings) {\n\n return true;\n\n }\n\n return super.onOptionsItemSelected(item);\n\n }\n\n}<\/code><\/pre>\n\u8fd9\u4e2a\u6e05\u695a\u591a\u4e86<\/p>\n
\u6709\u4e24\u884c\u53ef\u7591\u5b57\u7b26\u4e32\uff0c\u5206\u522b\u4e3aThisIsTheFlagHome<\/code>\u548cpvkq{m164675262033l4m49lnp7p9mnk28k75}<\/code><\/p>\n\u7136\u540e\u6211\u5c06\u82b1\u62ec\u53f7\u4e2d\u7684\u5b57\u7b26\u4e32\u4f5c\u4e3aflag\u4ea4\u4e86\u4e0a\u53bb\uff0c\u53d1\u73b0\u4e0d\u5bf9\uff0c\u8fd9\u4e2a\u5b57\u7b26\u4e32\u5e94\u8be5\u662f\u7ecf\u8fc7\u4e86\u67d0\u79cd\u4f4d\u79fb<\/p>\n
\u4f7f\u7528\u5de5\u5177\u770b\u4e00\u4e0b\uff1a<\/p>\n
<\/div><\/a><\/p>\n\u53ef\u4ee5\u770b\u89c1\u90a3\u884cflag\u4e86\uff1aflag{c164675262033b4c49bdf7f9cda28a75}<\/code><\/p>\n[ACTF\u65b0\u751f\u8d5b2020]rome<\/h3>\n
32\u4f4d\u65e0\u58f3\uff0c\u7528IDA\u6253\u5f00\uff0c\u6ca1\u627e\u5230\u4e3b\u8981\u52a0\u5bc6\u51fd\u6570\uff0c\u67e5\u627e\u5b57\u7b26\u4e32\u4e4b\u540e\u4ea4\u53c9\u5f15\u7528\u5230\u5173\u952e\u51fd\u6570<\/p>\n
\u8fdb\u5165func\u51fd\u6570\uff1a<\/p>\n
int func()\n{\n int result; \/\/ eax\n int v1[4]; \/\/ [esp+14h] [ebp-44h]\n unsigned __int8 v2; \/\/ [esp+24h] [ebp-34h] BYREF\n unsigned __int8 v3; \/\/ [esp+25h] [ebp-33h]\n unsigned __int8 v4; \/\/ [esp+26h] [ebp-32h]\n unsigned __int8 v5; \/\/ [esp+27h] [ebp-31h]\n unsigned __int8 v6; \/\/ [esp+28h] [ebp-30h]\n int v7; \/\/ [esp+29h] [ebp-2Fh]\n int v8; \/\/ [esp+2Dh] [ebp-2Bh]\n int v9; \/\/ [esp+31h] [ebp-27h]\n int v10; \/\/ [esp+35h] [ebp-23h]\n unsigned __int8 v11; \/\/ [esp+39h] [ebp-1Fh]\n char v12[29]; \/\/ [esp+3Bh] [ebp-1Dh] BYREF\n\n strcpy(v12, "Qsw3sj_lz4_Ujw@l");\n printf("Please input:");\n scanf("%s", &v2);\n result = v2;\n if ( v2 == 'A' )\n {\n result = v3;\n if ( v3 == 'C' )\n {\n result = v4;\n if ( v4 == 'T' )\n {\n result = v5;\n if ( v5 == 'F' )\n {\n result = v6;\n if ( v6 == '{' )\n {\n result = v11;\n if ( v11 == '}' )\n {\n v1[0] = v7;\n v1[1] = v8;\n v1[2] = v9;\n v1[3] = v10;\n *(_DWORD *)&v12[17] = 0;\n while ( *(int *)&v12[17] <= 15 )\n {\n if ( *((char *)v1 + *(_DWORD *)&v12[17]) > '@' && *((char *)v1 + *(_DWORD *)&v12[17]) <= 'Z' )\n *((_BYTE *)v1 + *(_DWORD *)&v12[17]) = (*((char *)v1 + *(_DWORD *)&v12[17]) - 51) % 26 + 65;\n if ( *((char *)v1 + *(_DWORD *)&v12[17]) > '`' && *((char *)v1 + *(_DWORD *)&v12[17]) <= 'z' )\n *((_BYTE *)v1 + *(_DWORD *)&v12[17]) = (*((char *)v1 + *(_DWORD *)&v12[17]) - 79) % 26 + 97;\n ++*(_DWORD *)&v12[17];\n }\n *(_DWORD *)&v12[17] = 0;\n while ( *(int *)&v12[17] <= 15 )\n {\n result = (unsigned __int8)v12[*(_DWORD *)&v12[17]];\n if ( *((_BYTE *)v1 + *(_DWORD *)&v12[17]) != (_BYTE)result )\n return result;\n ++*(_DWORD *)&v12[17];\n }\n return printf("You are correct!");\n }\n }\n }\n }\n }\n }\n return result;\n}<\/code><\/pre>\n\u5206\u6790\u51fd\u6570\uff1a
\n\u4e3b\u4f53\u52a0\u5bc6\u4e3a\u7b2c\u4e00\u4e2awhile\u5faa\u73af\uff0c\u4e24\u4e2aif\u5206\u522b\u4ee3\u8868v12\u5b57\u7b26\u4e32\u4e2d\u7684\u5927\u5c0f\u5199\u5b57\u7b26\u8fdb\u884c\u52a0\u5bc6\uff0c\u6700\u540e\u4e0eresult\u4f5c\u6bd4\u8f83\uff0c\u6b63\u786e\u7684\u8bdd\u5c31\u4f1a\u8f93\u51facorrect<\/p>\n
exp<\/p>\n
#include<stdio.h>\nint main()\n{\n char str[]="Qsw3sj_lz4_Ujw@l";\n int i;\n char flag[17]={0};\n for(i=0;i<=15;i++)\n {\n if(str[i]>'@'&&str[i]<='Z')\n {\n flag[i]=str[i]-65+51;\n if(flag[i]<64)\n {\n flag[i]+=26;\n }\n }\n else if(str[i]>'`'&&str[i]<='z')\n {\n flag[i]=str[i]-97+79;\n if(flag[i]<96)\n {\n flag[i]+=26;\n }\n }\n else \n flag[i]=str[i];\n }\n for(i = 0 ; i < 16 ; i ++)\n {\n printf("%c",flag[i]);\n }\n} <\/code><\/pre>\nflag{Cae3ar_th4_Gre@t}<\/p>\n
rsa<\/h3>\n
\u5bc6\u7801\u9898\u522b\u6765\u6cbe\u8fb9<\/p>\n
[FlareOn4]login<\/h3>\n
\u4e0b\u8f7d\u9644\u4ef6\uff0c\u53d1\u73b0\u662f\u4e2ahtml\uff0c\u6253\u5f00\u8fd9\u4e2a\u7f51\u7ad9\u67e5\u770b\u6e90\u4ee3\u7801\uff1a<\/p>\n
<!DOCTYPE Html \/>\n<html>\n<head>\n<title>FLARE On 2017<\/title>\n<\/head>\n<body>\n<input type="text" name="flag" id="flag" value="Enter the flag" \/>\n<input type="button" id="prompt" value="Click to check the flag" \/>\n<script type="text\/javascript">|\ndocument.getElementById("prompt").onclick = function () {\nvar flag = document.getElementById("flag").value;\nvar rotFlag = flag.replace(\/[a-zA-Z]\/g, function(c){return String.fromCharCode((c <= "Z" ? 90 : 122) >= (c = c.charCodeAt(0) + 13) ? c : c - 26);});\nif ("PyvragFvqrYbtvafNerRnfl@syner-ba.pbz" == rotFlag) {\nalert("Correct flag!");\n} else {\nalert("Incorrect flag, rot again");\n}\n}\n<\/script>\n<\/body>\n<\/html><\/code><\/pre>\n\u662f\u4e2aJS\u4ee3\u7801\uff0c\u7531\u4e8e\u6211\u6ca1\u5b66\uff0c\u5c31\u76f4\u63a5\u4e22\u7ed9AI\u4e86\uff1a<\/p>\n
\u8fd9\u6bb5HTML\u4ee3\u7801\u5b9e\u73b0\u4e86\u4e00\u4e2a\u7b80\u5355\u7684\u7f51\u9875\uff0c\u5305\u542b\u4e00\u4e2a\u6587\u672c\u8f93\u5165\u6846\u548c\u4e00\u4e2a\u6309\u94ae\u3002\u7528\u6237\u53ef\u4ee5\u5728\u6587\u672c\u6846\u4e2d\u8f93\u5165\u6570\u636e\uff0c\u5e76\u901a\u8fc7\u70b9\u51fb\u6309\u94ae\u6765\u68c0\u67e5\u8f93\u5165\u7684\u6570\u636e\u662f\u5426\u7b26\u5408\u7279\u5b9a\u6761\u4ef6\u3002\u8fd9\u4e2a\u68c0\u67e5\u662f\u901a\u8fc7JavaScript\u811a\u672c\u5b9e\u73b0\u7684\u3002<\/em><\/p>\nJavaScript\u4ee3\u7801\u7684\u6838\u5fc3\u529f\u80fd\u662f\u5bf9\u7528\u6237\u8f93\u5165\u7684\u6570\u636e\u8fdb\u884cROT13\u52a0\u5bc6\uff0c\u7136\u540e\u5c06\u52a0\u5bc6\u540e\u7684\u7ed3\u679c\u4e0e\u9884\u8bbe\u7684\u5b57\u7b26\u4e32"PyvragFvqrYbtvafNerRnfl@syner-ba.pbz"<\/code>\u6bd4\u8f83\u3002\u5982\u679c\u4e24\u8005\u76f8\u7b49\uff0c\u5219\u5f39\u51fa\u63d0\u793a\u6846\u663e\u793a\u201cCorrect flag!\u201d\uff1b\u5982\u679c\u4e0d\u76f8\u7b49\uff0c\u5219\u63d0\u793a\u201cIncorrect flag, rot again\u201d\u3002<\/em><\/p>\nROT13\u662f\u4e00\u79cd\u7b80\u5355\u7684\u5b57\u7b26\u66ff\u6362\u52a0\u5bc6\u65b9\u6cd5\uff0c\u5b83\u5c06\u5b57\u6bcd\u8868\u4e2d\u7684\u6bcf\u4e2a\u5b57\u6bcd\u66ff\u6362\u4e3a\u5b83\u5728\u5b57\u6bcd\u8868\u4e2d13\u4f4d\u4e4b\u540e\u7684\u5b57\u6bcd\u3002\u8fd9\u79cd\u52a0\u5bc6\u65b9\u6cd5\u662f\u53ef\u9006\u7684\uff0c\u5373\u5bf9\u52a0\u5bc6\u540e\u7684\u6587\u672c\u518d\u6b21\u5e94\u7528ROT13\u52a0\u5bc6\uff0c\u5c31\u80fd\u5f97\u5230\u539f\u6587\u3002<\/em><\/p>\n\u8981\u627e\u5230\u6b63\u786e\u7684flag\uff0c\u6211\u4eec\u9700\u8981\u5bf9\u7ed9\u5b9a\u7684\u5b57\u7b26\u4e32"PyvragFvqrYbtvafNerRnfl@syner-ba.pbz"<\/code>\u8fdb\u884cROT13\u89e3\u5bc6\u3002<\/em><\/p>\nflag{ClientSideLoginsAreEasy@flare-on.com}<\/code><\/p>\n[WUSTCTF2020]level1<\/h3>\n
\u4e0b\u8f7d\u9644\u4ef6\uff0c\u6709\u4e00\u4e2aELF\u548c\u4e00\u4e2aoutput.txt\u6587\u4ef6\uff0c\u5148\u7528IDA64\u67e5\u770bELF\u6587\u4ef6<\/p>\n
\u8fdb\u5165main\u51fd\u6570\uff1a<\/p>\n
int __fastcall main(int argc, const char **argv, const char **envp)\n{\n int i; \/\/ [rsp+4h] [rbp-2Ch]\n FILE *stream; \/\/ [rsp+8h] [rbp-28h]\n char ptr[24]; \/\/ [rsp+10h] [rbp-20h] BYREF\n unsigned __int64 v7; \/\/ [rsp+28h] [rbp-8h]\n\n v7 = __readfsqword(0x28u);\n stream = fopen("flag", "r");\n fread(ptr, 1uLL, 0x14uLL, stream);\n fclose(stream);\n for ( i = 1; i <= 19; ++i )\n {\n if ( (i & 1) != 0 )\n printf("%ld\\n", (unsigned int)(ptr[i] << i));\n else\n printf("%ld\\n", (unsigned int)(i * ptr[i]));\n }\n return 0;\n}<\/code><\/pre>\n\n- \u901a\u8fc7\u4e00\u4e2afor\u5faa\u73af\uff0c\u4ece1\u8fed\u4ee3\u523019\uff08\u5305\u542b\uff09\uff0c\u5bf9
ptr<\/code>\u6570\u7ec4\u4e2d\u7684\u6bcf\u4e2a\u5b57\u7b26\u8fdb\u884c\u5904\u7406\u548c\u8f93\u51fa\u3002<\/li>\n- \u5982\u679c
i<\/code>\u662f\u5947\u6570\uff0c\u5c06ptr[i]<\/code>\u7684\u503c\u5de6\u79fbi<\/code>\u4f4d\uff08\u5373ptr[i] << i<\/code>\uff09\uff0c\u7136\u540e\u8f93\u51fa\u3002<\/li>\n- \u5982\u679c
i<\/code>\u662f\u5076\u6570\uff0c\u8ba1\u7b97i<\/code>\u4e0eptr[i]<\/code>\u7684\u4e58\u79ef\uff08\u5373i * ptr[i]<\/code>\uff09\uff0c\u7136\u540e\u8f93\u51fa\u3002<\/li>\n<\/ul>\n\u518d\u770b\u770b\u90a3\u4e2a.txt\u6587\u4ef6\uff0c\u91cc\u9762\u662f\u4e00\u4e32\u6570\u5b57<\/p>\n
<\/div><\/a><\/p>\n\u90a3\u5c31\u5e94\u8be5\u662f\u5c06flag\u6587\u4ef6\u8fdb\u884c\u4e0a\u8ff0\u8fd0\u7b97\u6700\u540e\u5f97\u5230output\uff0c\u7136\u540e\u5c31\u53ef\u4ee5\u5f00\u59cb\u5199\u9006\u5411\u6c42\u89e3\u811a\u672c\u4e86:<\/p>\n
#include<stdio.h>\nint main()\n{\n int output[]={1,198,232,816,200,1536,300,6144,984,51200,570,92160,1200,565248,756,1474560,800,6291456,1782,65536000};\n int i;\n char flag[20]="0";\n for ( i = 1; i <= 19; ++i )\n {\n if ( (i & 1) != 0 )\n flag[i]=char((output[i])>>i);\n else\n flag[i]=char((output[i])\/i);\n }\n flag[i]='\\0';\n printf("%s",flag);\n}\n\/\/\uff08\u6ce8\u610f\u5faa\u73af\u662f\u4ece1\u5f00\u59cb\u7684\uff0ctxt\u4e2d\u53ea\u670919\u4f4d\uff0c\u9996\u4f4d\u6ca1\u6709\uff0c\u5148\u968f\u4fbf\u5199\u4e00\u4e2a\uff09<\/code><\/pre>\nflag{d9-dE6-20c}<\/p>\n
[GUET-CTF2019]re<\/h3>\n
\u7b80\u5355\u7684UPX\u58f3\uff0c\u8fdb\u53bb\u6ca1\u6709main\u51fd\u6570\uff0c\u76f4\u63a5\u67e5\u627e\u5b57\u7b26\u4e32<\/p>\n
\u6700\u7ec8\u5b9a\u4f4d\u5230\u4e3b\u4f53<\/p>\n
__int64 __fastcall sub_400E28(__int64 a1, int a2, int a3, int a4, int a5, int a6)\n{\n int v6; \/\/ edx\n int v7; \/\/ ecx\n int v8; \/\/ r8d\n int v9; \/\/ r9d\n __int64 result; \/\/ rax\n __int64 v11; \/\/ [rsp+0h] [rbp-30h] BYREF\n unsigned __int64 v12; \/\/ [rsp+28h] [rbp-8h]\n\n v12 = __readfsqword(0x28u);\n sub_40F950((unsigned int)"input your flag:", a2, a3, a4, a5, a6, 0LL, 0LL, 0LL, 0LL);\n sub_40FA80((unsigned int)"%s", (unsigned int)&v11, v6, v7, v8, v9, v11);\n if ( (unsigned int)sub_4009AE(&v11) )\n sub_410350("Correct!");\n else\n sub_410350("Wrong!");\n result = 0LL;\n if ( __readfsqword(0x28u) != v12 )\n sub_443550();\n return result;\n}<\/code><\/pre>\n\u4e0d\u96be\u770b\u51fasub_4009AE\u662f\u5173\u952e\u7684\u51fd\u6570\uff0c\u70b9\u8fdb\u53bb\u53d1\u73b0\u662f\u4e00\u4e2az3<\/p>\n
_BOOL8 __fastcall sub_4009AE(char *a1)\n{\n if ( 1629056 * *a1 != 166163712 )\n return 0LL;\n if ( 6771600 * a1[1] != 731332800 )\n return 0LL;\n if ( 3682944 * a1[2] != 357245568 )\n return 0LL;\n if ( 10431000 * a1[3] != 1074393000 )\n return 0LL;\n if ( 3977328 * a1[4] != 489211344 )\n return 0LL;\n if ( 5138336 * a1[5] != 518971936 )\n return 0LL;\n if ( 7532250 * a1[7] != 406741500 )\n return 0LL;\n if ( 5551632 * a1[8] != 294236496 )\n return 0LL;\n if ( 3409728 * a1[9] != 177305856 )\n return 0LL;\n if ( 13013670 * a1[10] != 650683500 )\n return 0LL;\n if ( 6088797 * a1[11] != 298351053 )\n return 0LL;\n if ( 7884663 * a1[12] != 386348487 )\n return 0LL;\n if ( 8944053 * a1[13] != 438258597 )\n return 0LL;\n if ( 5198490 * a1[14] != 249527520 )\n return 0LL;\n if ( 4544518 * a1[15] != 445362764 )\n return 0LL;\n if ( 3645600 * a1[17] != 174988800 )\n return 0LL;\n if ( 10115280 * a1[16] != 981182160 )\n return 0LL;\n if ( 9667504 * a1[18] != 493042704 )\n return 0LL;\n if ( 5364450 * a1[19] != 257493600 )\n return 0LL;\n if ( 13464540 * a1[20] != 767478780 )\n return 0LL;\n if ( 5488432 * a1[21] != 312840624 )\n return 0LL;\n if ( 14479500 * a1[22] != 1404511500 )\n return 0LL;\n if ( 6451830 * a1[23] != 316139670 )\n return 0LL;\n if ( 6252576 * a1[24] != 619005024 )\n return 0LL;\n if ( 7763364 * a1[25] != 372641472 )\n return 0LL;\n if ( 7327320 * a1[26] != 373693320 )\n return 0LL;\n if ( 8741520 * a1[27] != 498266640 )\n return 0LL;\n if ( 8871876 * a1[28] != 452465676 )\n return 0LL;\n if ( 4086720 * a1[29] != 208422720 )\n return 0LL;\n if ( 9374400 * a1[30] == 515592000 )\n return 5759124 * a1[31] == 719890500;\n return 0LL;\n}<\/code><\/pre>\n\u7136\u540e\u7528Python\u5199\u4e86\u4e2az3\u6c42\u89e3\uff0c\u53d1\u73b0\u6c42\u4e0d\u51fa\u6765\uff0c\u67e5\u4e86\u4e00\u4e0b\u8bf4\u4f2a\u4ee3\u7801\u5c11\u4e86a1[6],\u800c\u4e14a1[16],a1[17]\u53cd\u4e86\uff0c\u7206\u7834\u51fa\u6765a1[6]=1\uff0c\u53ef\u4ee5\u5199\u811a\u672c\u4e86<\/p>\n
from z3 import *\na1 = [Int(f'a1[{i}]') for i in range(32)]\nflag=""\nsolver = Solver()\nsolver.add(1629056 * a1[0] == 166163712)\nsolver.add(6771600 * a1[1] == 731332800)\nsolver.add(3682944 * a1[2] == 357245568)\nsolver.add(10431000 * a1[3] == 1074393000)\nsolver.add(3977328 * a1[4] == 489211344)\nsolver.add(5138336 * a1[5] == 518971936)\nsolver.add(a1[6]==ord('1'))\nsolver.add(7532250 * a1[7] == 406741500)\nsolver.add(5551632 * a1[8] == 294236496)\nsolver.add(3409728 * a1[9] == 177305856)\nsolver.add(13013670 * a1[10] == 650683500)\nsolver.add(6088797 * a1[11] == 298351053)\nsolver.add(7884663 * a1[12] == 386348487)\nsolver.add(8944053 * a1[13] == 438258597)\nsolver.add(5198490 * a1[14] == 249527520)\nsolver.add(4544518 * a1[15] == 445362764)\nsolver.add(10115280 * a1[16] == 981182160)\nsolver.add(3645600 * a1[17] == 174988800)\nsolver.add(9667504 * a1[18] == 493042704)\nsolver.add(5364450 * a1[19] == 257493600)\nsolver.add(13464540 * a1[20] == 767478780)\nsolver.add(5488432 * a1[21] == 312840624)\nsolver.add(14479500 * a1[22] == 1404511500)\nsolver.add(6451830 * a1[23] == 316139670)\nsolver.add(6252576 * a1[24] == 619005024)\nsolver.add(7763364 * a1[25] == 372641472)\nsolver.add(7327320 * a1[26] == 373693320)\nsolver.add(8741520 * a1[27] == 498266640)\nsolver.add(8871876 * a1[28] == 452465676)\nsolver.add(4086720 * a1[29] == 208422720)\nsolver.add(9374400 * a1[30] == 515592000)\nsolver.add(5759124 * a1[31] == 719890500)\nif solver.check() == sat:\n model = solver.model()\n solution = [model[a1[i]].as_long() for i in range(32)]\n print("Solution found:")\n print(solution)\nelse:\n print("No solution found.")\nfor j in range(len(solution)):\n flag+=chr(solution[j])\nprint(flag)<\/code><\/pre>\nCrackRTF<\/h3>\n
\u626b\u4e86\u4e00\u773c\uff0c\u8fd9\u9898\u597d\u50cf\u6709\u70b9\u96be\u5ea6\uff0c\u4e8e\u662f\u4e00\u8fb9\u770bwp\u4e00\u8fb9\u5199\u5199\u770b<\/p>\n
\u76f4\u63a5\u53ef\u4ee5\u8fdb\u5165\u4e3b\u903b\u8f91\u51fd\u6570\uff1a<\/p>\n
int __cdecl main_0(int argc, const char **argv, const char **envp)\n{\n DWORD v3; \/\/ eax\n DWORD v4; \/\/ eax\n char Str[260]; \/\/ [esp+4Ch] [ebp-310h] BYREF\n int v7; \/\/ [esp+150h] [ebp-20Ch]\n char String1[260]; \/\/ [esp+154h] [ebp-208h] BYREF\n char Destination[260]; \/\/ [esp+258h] [ebp-104h] BYREF\n\n memset(Destination, 0, sizeof(Destination));\n memset(String1, 0, sizeof(String1));\n v7 = 0;\n printf("pls input the first passwd(1): ");\n scanf("%s", Destination); \/\/ \u8f93\u5165\u7b2c\u4e00\u4e2a\u5bc6\u7801\n if ( strlen(Destination) != 6 ) \/\/ \u957f\u5ea6\u4e0d\u4e3a6\u9000\u51fa\n {\n printf("Must be 6 characters!\\n");\n ExitProcess(0);\n }\n v7 = atoi(Destination);\n if ( v7 < 100000 ) \/\/ \u5bc6\u7801\u5c0f\u4e8e100000\u9000\u51fa\n ExitProcess(0);\n strcat(Destination, "@DBApp"); \/\/ \u62fc\u63a5\u51fd\u6570\n v3 = strlen(Destination);\n sub_40100A((BYTE *)Destination, v3, String1); \/\/ SHA-1\n if ( !_strcmpi(String1, "6E32D0943418C2C33385BC35A1470250DD8923A9") )\/\/ \u6bd4\u8f83\u54c8\u5e0c\u503c\n {\n printf("continue...\\n\\n");\n printf("pls input the first passwd(2): ");\n memset(Str, 0, sizeof(Str));\n scanf("%s", Str); \/\/ \u8f93\u5165\u7b2c\u4e8c\u4e2a\u5bc6\u7801\n if ( strlen(Str) != 6 ) \/\/ \u957f\u5ea6\u4e0d\u4e3a6\u9000\u51fa\n {\n printf("Must be 6 characters!\\n");\n ExitProcess(0);\n }\n strcat(Str, Destination);\n memset(String1, 0, sizeof(String1));\n v4 = strlen(Str);\n sub_401019((BYTE *)Str, v4, String1); \/\/ MD5\n if ( !_strcmpi("27019e688a4e62a649fd99cadaafdb4e", String1) )\n {\n if ( !(unsigned __int8)sub_40100F(Str) ) \/\/ \u751f\u6210\u5305\u542bflag\u7684\u6587\u4ef6\n {\n printf("Error!!\\n");\n ExitProcess(0);\n }\n printf("bye ~~\\n");\n }\n }\n return 0;\n}<\/code><\/pre>\n\u5728sub_40100A\u51fd\u6570\u4e2d\u53ef\u4ee5\u901a\u8fc7\u54c8\u5e0c\u7b97\u6cd5\u6807\u8bc6\u7b26\u5224\u65ad\u51fa\u662fSHA-1<\/p>\n
\u7b2c\u4e00\u4e2a\u5bc6\u7801\u7ed9\u4e86\u9650\u5236\u6761\u4ef6\uff0c\u53ef\u4ee5\u901a\u8fc7\u54c8\u5e0c\u503c\u7206\u7834\u51fa\u7b2c\u4e00\u4e2a\u5bc6\u7801\uff1a<\/p>\n
import hashlib\nstring='@DBApp'\nfor i in range(100000,999999):\n flag=str(i)+string\n x = hashlib.sha1(flag.encode("utf8"))\n y = x.hexdigest()\n if "6e32d0943418c2c33385bc35a1470250dd8923a9" == y:\n print(flag)\n break\n<\/code><\/pre>\n\u7206\u7834\u51fa\u6765\u662f\u5bc6\u7801\u662f123321<\/code><\/p>\n\u5f80\u540e\u770b\u53d1\u73b0\u7b2c\u4e8c\u4e2a\u5bc6\u7801\u53ea\u7ed9\u4e86MD5\u503c\uff0c\u5e76\u6ca1\u6709\u7ed9\u5176\u4ed6\u7684\u9650\u5236\u6761\u4ef6\uff0c\u56e0\u6b64\u7206\u7834\u662f\u5f88\u56f0\u96be\u7684\uff0c\u53ea\u77e5\u9053\u662f\u4e00\u4e2a6\u4f4d\u5bc6\u7801<\/p>\n
\u5728\u540e\u9762\u5224\u65ad\u7684\u65f6\u5019\u6709\u4e00\u4e2asub_40100F\u51fd\u6570\uff0c\u5e94\u8be5\u662f\u5173\u952e\u51fd\u6570\uff0c\u8fdb\u53bb\u770b\u770b<\/p>\n
\u8df3\u8f6c\u5230sub_4014D0\u51fd\u6570<\/p>\n
char __cdecl sub_4014D0(LPCSTR lpString)\n{\n LPCVOID lpBuffer; \/\/ [esp+50h] [ebp-1Ch]\n DWORD NumberOfBytesWritten; \/\/ [esp+58h] [ebp-14h] BYREF\n DWORD nNumberOfBytesToWrite; \/\/ [esp+5Ch] [ebp-10h]\n HGLOBAL hResData; \/\/ [esp+60h] [ebp-Ch]\n HRSRC hResInfo; \/\/ [esp+64h] [ebp-8h]\n HANDLE hFile; \/\/ [esp+68h] [ebp-4h]\n\n hFile = 0;\n hResData = 0;\n nNumberOfBytesToWrite = 0;\n NumberOfBytesWritten = 0;\n hResInfo = FindResourceA(0, (LPCSTR)0x65, "AAA");\n if ( !hResInfo )\n return 0;\n nNumberOfBytesToWrite = SizeofResource(0, hResInfo);\n hResData = LoadResource(0, hResInfo);\n if ( !hResData )\n return 0;\n lpBuffer = LockResource(hResData);\n sub_401005(lpString, (int)lpBuffer, nNumberOfBytesToWrite);\n hFile = CreateFileA("dbapp.rtf", 0x10000000u, 0, 0, 2u, 0x80u, 0);\n if ( hFile == (HANDLE)-1 )\n return 0;\n if ( !WriteFile(hFile, lpBuffer, nNumberOfBytesToWrite, &NumberOfBytesWritten, 0) )\n return 0;\n CloseHandle(hFile);\n return 1;\n}<\/code><\/pre>\n\u770b\u4e0d\u61c2\u8fd9\u5806\uff0c\u53ea\u80fd\u95ee\u4e00\u4e0bAI\u4e86\uff1a<\/p>\n
<\/div><\/a><\/p>\n\u518d\u53bb\u67e5\u4e86\u4e00\u4e0b\uff0c\u4f7f\u7528ResourceHacker\u53ef\u4ee5\u67e5\u627e\u5230\u201cAAA\u201d\u7684\u6587\u4ef6\u6e90\uff0c\u4e0b\u9762\u8fd8\u6709\u4e00\u4e2asub_401005\u51fd\u6570\uff1a<\/p>\n
unsigned int __cdecl sub_401420(LPCSTR lpString, int a2, unsigned int a3)\n{\n unsigned int result; \/\/ eax\n unsigned int i; \/\/ [esp+4Ch] [ebp-Ch]\n unsigned int v5; \/\/ [esp+54h] [ebp-4h]\n\n v5 = lstrlenA(lpString);\n for ( i = 0; ; ++i )\n {\n result = i;\n if ( i >= a3 )\n break;\n *(_BYTE *)(i + a2) ^= lpString[i % v5];\n }\n return result;\n}<\/code><\/pre>\n\u53d1\u73b0\u662f\u7b80\u5355\u7684\u5f02\u6216\uff0c\u518d\u53bb\u95ee\u4e86\u95ee\u5b66\u957f\uff0c\u4e3a\u4e86\u4fdd\u8bc1\u8f93\u51fa\u7684\u6587\u4ef6\u53ef\u7528\uff0c\u9700\u4fdd\u8bc1\u5176\u6587\u4ef6\u5934\u4e3a.rtf\u6587\u4ef6\uff0c\u4e8e\u662f\u5bfb\u627e.rtf\u6587\u4ef6\u7684\u6587\u4ef6\u5934\uff1a{\\rtf1<\/code><\/p>\n<\/div><\/a><\/p>\n\u5bc6\u7801\u4e0e\u201cAAA\u201d\u5f02\u6216\u5f97\u5230.rtf\u6587\u4ef6<\/p>\n
\u518d\u67e5\u770b\u201cAAA\u201d\u4e2d\u7684\u524d\u516d\u4f4d16\u8fdb\u5236<\/p>\n
<\/div><\/a><\/p>\n\u56e0\u4e3a\u5f02\u6216\u662f\u53ef\u9006\u8fd0\u7b97\uff0c\u6240\u4ee5\u5c31\u53ef\u4ee5\u6c42\u89e3\u5bc6\u7801\u4e86<\/p>\n
\u6284\u4e2a\u811a\u672c\uff1a<\/p>\n
rtf = '{\\\\rtf1' \\\\\u9700\u8981\u6ce8\u610f\uff0c\\r\u9700\u8981\u8f6c\u4e49\uff0c\u53d8\u6210\\\\r\nA = [0x05, 0x7D, 0x41, 0x15, 0x26, 0x01]\npassword=''\nfor i in range(len(rtf)):\n x = ord(rtf[i]) ^ A[i]\n password+=chr(x)\nprint(password)\n<\/code><\/pre>\n\u5f97\u5230\u7b2c\u4e8c\u4e2a\u5bc6\u7801\u662f~!3a@0<\/code><\/p>\n\u8fd9\u65f6\u5c31\u53ef\u4ee5\u53bb\u7a0b\u5e8f\u4e2d\u9a8c\u8bc1\u4e86\uff0c\u8f93\u5165\u4e24\u6b21\u5bc6\u7801\u4e4b\u540e\u63a7\u5236\u53f0\u5c31\u5173\u6389\u4e86\uff0c\u7136\u540e\u684c\u9762\u4e0a\u5c31\u751f\u6210\u4e86\u4e00\u4e2a.rtf\u6587\u4ef6<\/p>\n
<\/div><\/a><\/p>\n\u6253\u5f00\u6587\u4ef6\u5c31\u662fflag\u5566\uff1aFlag{N0_M0re_Free_Bugs}<\/p>\n
[WUSTCTF2020]level2<\/h3>\n
\u4e0b\u8f7d\u9644\u4ef6\uff0c\u67e5\u58f3\u53d1\u73b0\u6709\u4e00\u4e2aUPX\u58f3<\/p>\n
<\/div><\/a><\/p>\n\u8131\u5b8c\u58f3\u4e4b\u540e\u7528IDA\u6253\u5f00<\/p>\n
<\/div><\/a><\/p>\nflag\u76f4\u63a5\u5c31\u9001\u4e86\uff0c\u6211\u6ca1\u60f3\u5230\u5c45\u7136\u8fd9\u4e48\u7b80\u5355<\/p>\n
[MRCTF2020]Transform<\/h3>\n
\u4e0b\u8f7d\u9644\u4ef6\uff0c\u7528IDA\u6253\u5f00\uff0c\u8fdb\u53bb\u4e4b\u540e\u5c31\u662f\u51fd\u6570\u7684\u4e3b\u903b\u8f91:<\/p>\n
int __fastcall main(int argc, const char **argv, const char **envp)\n{\n char Str[104]; \/\/ [rsp+20h] [rbp-70h] BYREF\n int j; \/\/ [rsp+88h] [rbp-8h]\n int i; \/\/ [rsp+8Ch] [rbp-4h]\n\n sub_402230(argc, argv, envp);\n printf("Give me your code:\\n");\n scanf("%s", Str);\n if ( strlen(Str) != 33 )\n {\n printf("Wrong!\\n");\n system("pause");\n exit(0);\n }\n for ( i = 0; i <= 32; ++i )\n {\n result[i] = Str[init[i]];\n result[i] ^= LOBYTE(init[i]);\n }\n for ( j = 0; j <= 32; ++j )\n {\n if ( byte_40F0E0[j] != result[j] )\n {\n printf("Wrong!\\n");\n system("pause");\n exit(0);\n }\n }\n printf("Right!Good Job!\\n");\n printf("Here is your flag: %s\\n", Str);\n system("pause");\n return 0;\n}<\/code><\/pre>\n\u53d1\u73b0\u662f\u4e00\u4e2a\u6253\u4e71\u5b57\u7b26\u4e32\u5728\u5f02\u6216\u8fd0\u7b97\u7684\u64cd\u4f5c\uff0cLOBYTE()\u7684\u610f\u601d\u662f\u53d6\u516b\u4f4d\u6700\u4f4e\u5b57\u8282\uff0c\u5982\u56fe\u6240\u793a\uff1a<\/p>\n
<\/div><\/a><\/p>\n\u6700\u540e\u8fd8\u8981\u52a0\u4e2a00\uff0c\u7136\u540e\u6211\u4eec\u5c31\u53ef\u4ee5\u53d6\u5f97\u9700\u8981\u8fdb\u884c\u5f02\u6216\u7684\u4e24\u4e2a\u6570\u7ec4\u4e86\uff0c\u7531\u6b64\u5199\u51fa\u811a\u672c<\/p>\n
result=[0x67,0x79,0x7B,0x7F,0x75,0x2B,0x3C,0x52,0x53,0x79,0x57,0x5E,0x5D,0x42,0x7B,0x2D,0x2A,0x66,0x42,0x7E,0x4C,0x57,0x79,0x41,0x6B,0x7E,0x65,0x3C,0x5C,0x45,0x6F,0x62,0x4D] \ninit =[0x09,0x0A,0x0F,0x17,0x07,0x18,0x0C,0x06,0x01,0x10,0x03,0x11,0x20,0x1D,0x0B,0x1E,0x1B,0x16,0x04,0x0D,0x13,0x14,0x15,0x02,0x19,0x05,0x1F,0x08,0x12,0x1A,0x1C,0x0E,0x00] \nstr=[0]*33 \nflag="" \nfor i in range(33): \n result[i]^=init[i] \nfor j in range(33): \n str[init[j]]=result[j] \nfor k in range(33): \n flag+=chr(str[k]) \nprint(flag)<\/code><\/pre>\nMRCTF{Tr4nsp0sltiON_Clph3r_1s_3z}<\/p>\n
[2019\u7ea2\u5e3d\u676f]easyRE<\/h3>\n
\u6700\u5f00\u59cb\u5199\u4e86\u4e00\u4e0b\uff0c\u9006\u5929\u9898\u76ee<\/p>\n
elf\u6587\u4ef6\uff0c\u7528IDA64\u6253\u5f00\uff0c\u53d1\u73b0\u91cc\u9762\u6709\u5f88\u591a\u51fd\u6570\uff0cshift+F12\u67e5\u627e\u4e00\u4e0b<\/p>\n
<\/div><\/a><\/p>\n\u53d1\u73b0\u6709\u4e00\u957f\u4e32\u5b57\u7b26\u548c\u4e00\u4e2a\u8868\uff0c\u770b\u7740\u5c31\u662fbase64<\/p>\n
<\/div><\/a><\/p>\n\u672c\u6765\u4ee5\u4e3a\u89e3\u5bc6\u4e4b\u540e\u5c31\u80fd\u5f97\u5230flag\u4e86\uff0c\u8fd8\u662f\u6211\u60f3\u7684\u592a\u7b80\u5355\u4e86<\/p>\n
\u89e3\u5bc6\u4e4b\u540e\u53d1\u73b0\u8fd8\u662f\u4e2abase64\u52a0\u5bc6\uff0c\u7136\u540e\u4e00\u76f4\u4e00\u76f4\u4e00\u76f4\u89e3\u5bc6\uff0c10\u6b21\u4e4b\u540e\u5f97\u5230\u4e00\u4e2a\u7f51\u7ad9\uff0c\u662f\u770b\u96ea\u7684\u5e16\u5b50<\/p>\n
\u88ab\u9a97\u4e86\uff01\uff01\uff01<\/p>\n
\u7136\u540e\u4ece\u67e5\u627e\u5230\u7684you found me\u5165\u624b\uff0c\u4e00\u76f4\u4ea4\u53c9\u5f15\u7528\u627e\u5230\u4e3b\u8981\u51fd\u6570\uff1a<\/p>\n
__int64 sub_4009C6()\n{\n __int64 result; \/\/ rax\n int i; \/\/ [rsp+Ch] [rbp-114h]\n __int64 v2; \/\/ [rsp+10h] [rbp-110h]\n __int64 v3; \/\/ [rsp+18h] [rbp-108h]\n __int64 v4; \/\/ [rsp+20h] [rbp-100h]\n __int64 v5; \/\/ [rsp+28h] [rbp-F8h]\n __int64 v6; \/\/ [rsp+30h] [rbp-F0h]\n __int64 v7; \/\/ [rsp+38h] [rbp-E8h]\n __int64 v8; \/\/ [rsp+40h] [rbp-E0h]\n __int64 v9; \/\/ [rsp+48h] [rbp-D8h]\n __int64 v10; \/\/ [rsp+50h] [rbp-D0h]\n __int64 v11; \/\/ [rsp+58h] [rbp-C8h]\n char v12[13]; \/\/ [rsp+60h] [rbp-C0h] BYREF\n char v13[4]; \/\/ [rsp+6Dh] [rbp-B3h] BYREF\n char v14[19]; \/\/ [rsp+71h] [rbp-AFh] BYREF\n char v15[32]; \/\/ [rsp+90h] [rbp-90h] BYREF\n int v16; \/\/ [rsp+B0h] [rbp-70h]\n char v17; \/\/ [rsp+B4h] [rbp-6Ch]\n char v18[72]; \/\/ [rsp+C0h] [rbp-60h] BYREF\n unsigned __int64 v19; \/\/ [rsp+108h] [rbp-18h]\n\n v19 = __readfsqword(0x28u);\n qmemcpy(v12, "Iodl>Qnb(ocy", 12);\n v12[12] = 127;\n qmemcpy(v13, "y.i", 3);\n v13[3] = 127;\n qmemcpy(v14, "d`3w}wek9{iy=~yL@EC", sizeof(v14));\n memset(v15, 0, sizeof(v15));\n v16 = 0;\n v17 = 0;\n sub_4406E0(0LL, v15, 37LL);\n v17 = 0;\n if ( sub_424BA0(v15) == 36 )\n {\n for ( i = 0; i < (unsigned __int64)sub_424BA0(v15); ++i )\n {\n if ( (unsigned __int8)(v15[i] ^ i) != v12[i] )\n {\n result = 4294967294LL;\n goto LABEL_13;\n }\n }\n sub_410CC0("continue!");\n memset(v18, 0, 65);\n sub_4406E0(0LL, v18, 64LL);\n v18[39] = 0;\n if ( sub_424BA0(v18) == 39 )\n {\n v2 = sub_400E44(v18);\n v3 = sub_400E44(v2);\n v4 = sub_400E44(v3);\n v5 = sub_400E44(v4);\n v6 = sub_400E44(v5);\n v7 = sub_400E44(v6);\n v8 = sub_400E44(v7);\n v9 = sub_400E44(v8);\n v10 = sub_400E44(v9);\n v11 = sub_400E44(v10);\n if ( !(unsigned int)sub_400360(v11, off_6CC090) )\n {\n sub_410CC0("You found me!!!");\n sub_410CC0("bye bye~");\n }\n result = 0LL;\n }\n else\n {\n result = 4294967293LL;\n }\n }\n else\n {\n result = 0xFFFFFFFFLL;\n }\nLABEL_13:\n if ( __readfsqword(0x28u) != v19 )\n sub_444020();\n return result;\n}<\/code><\/pre>\n\u53d1\u73b0\u51fd\u6570\u5f00\u5934\u7684\u5730\u65b9\u505a\u4e86\u4e00\u4e2a\u4f4d\u79fb\u5f02\u6216\u8fd0\u7b97\uff0c\u5199\u4e2a\u811a\u672c\u89e3\u5bc6\u4e00\u4e0b\uff1a<\/p>\n
v12="Iodl>Qnb(ocy\\x7Fy.i\\x7Fd`3w}wek9{iy=~yL@EC" \nv15="" \nfor i in range(len(v12)): \n v15+=chr(ord(v12[i])^i) \nprint(v15)<\/code><\/pre>\n\u5f97\u5230\u7684\u7ed3\u679c\u662f\uff1aInfo:The first four chars are flag<\/code><\/p>\n\u524d\u56db\u4e2a\u5b57\u8282\u662fflag\u2026\u2026\u4f60\u4e0d\u8bf4\u6211\u4e5f\u77e5\u9053\u7684<\/p>\n
\u518d\u5f80\u4e0b\u770b\u5c31\u662fbase64\u4e86\uff0c\u4f46\u662f\u8fd9\u91cc\u5e76\u6ca1\u6709\u770b\u89c1\u4e4b\u524d\u9700\u8981\u89e3\u5bc6\u7684\u5b57\u7b26\u4e32<\/p>\n
if\u5224\u65ad\u90a3\u91cc\u6709\u4e00\u884c<\/p>\n