Reverse入门[不断记录]
2024-06-16 09:59:20
文章目录
- 前言
- 一、[SWPUCTF 2021 新生赛]re1
- 二、[SWPUCTF 2021 新生赛]re2
- 三、[GFCTF 2021]wordy[花指令]
- 四、[NSSRound#3 Team]jump_by_jump[花指令]
- 五、[NSSRound#3 Team]jump_by_jump_revenge[花指令]
- 六、[WUSTCTF 2020]level2[UPX脱壳]
- 六、[HUBUCTF 2022 新生赛]simple_RE
- 七、[SWPUCTF 2021 新生赛]easyapp
- 八、[鹏城杯 2022]baby_re[apk反编译+JNI]
- 九、[GWCTF 2019]babyvm[VMre]
- 十、[NISACTF 2022]鸣神的国土
- 十一、[广东强网杯 2021 个人组]goodpy
- 十二、[GXYCTF 2019]luck_guy
- 十三、[HNCTF 2022 Week1]Little Endian
- 十四、[MoeCTF 2021]Realezpy
- 十五、[HGAME 2023 week1]encode
前言
心血来潮,想接触点Reverse,感受下Reverse,于是从CTF的简单题目中慢慢入门
提示:以下是本篇文章正文内容,下面案例可供参考
一、[SWPUCTF 2021 新生赛]re1
1、工具:IDA
直接使用IDA将exe反编译,得到一堆代码。
使用Ctrl+X,查看编译流程,然后使用F5,查看代码。
int __cdecl main(int argc, const char **argv, const char **envp)
{char Str2[1008]; // [rsp+20h] [rbp-60h] BYREFchar Str1[1000]; // [rsp+410h] [rbp+390h] BYREFint i; // [rsp+7FCh] [rbp+77Ch]_main();strcpy(Str2, "{34sy_r3v3rs3}");printf("please put your flag:");scanf("%s", Str1);for ( i = 0; i <= 665; ++i ){if ( Str1[i] == 101 )Str1[i] = 51;}for ( i = 0; i <= 665; ++i ){if ( Str1[i] == 97 )Str1[i] = 52;}if ( strcmp(Str1, Str2) )printf("you are wrong,see again!");elseprintf("you are right!");system("pause");return 0;
}
将输入的字符,ascii为101的变成51,97的变成52,然后与str2对比,一致则成功。
s = '{34sy_r3v3rs3}'
r = ''
for i in s:if ord(i) ==51:r += chr(101)elif ord(i) == 52:r += chr(97)else:r += i
print(r)得到flag
二、[SWPUCTF 2021 新生赛]re2
int __cdecl main(int argc, const char **argv, const char **envp)
{char Str2[64]; // [rsp+20h] [rbp-90h] BYREFchar Str[68]; // [rsp+60h] [rbp-50h] BYREFint v7; // [rsp+A8h] [rbp-8h]int i; // [rsp+ACh] [rbp-4h]_main();strcpy(Str2, "ylqq]aycqyp{");printf(Format);gets(Str);v7 = strlen(Str);for ( i = 0; i < v7; ++i ){if ( (Str[i] <= 96 || Str[i] > 98) && (Str[i] <= 64 || Str[i] > 66) )Str[i] -= 2;elseStr[i] += 24;}if ( strcmp(Str, Str2) )printf(asc_404024);elseprintf(aBingo);system("pause");return 0;
}
s = 'ylqq]aycqyp{'
l = []
for i in s:l.append(ord(i))
# print(l)
l = [121, 108, 113, 113, 93, 97, 121, 99, 113, 121, 112, 123]
r = ''
for i in l:if (i <= 94 or i > 96) and (i <= 62 or i > 64):r += chr(i + 2)else:r += chr(i - 24)
print(r)
得到的结果进行caser,并且猜一下,得到{nss_caesar}
三、[GFCTF 2021]wordy[花指令]
- 花指令实质就是一串垃圾指令,它与程序本身的功能无关,并不影响程序本身的逻辑。在软件保护中,花指令被作为一种手段来增加静态分析的难度,花指令也可以被用在病毒或木马上,通过加入花指令改变程序的特征码,躲避杀软的扫描,从而达到免杀的目的。
- 花指令是让反编译器无法反编译起到混淆租用的指令,一般最常见的就是在机器码中加入 E8,E8 加入后会将汇编代码改变为 CALL,而后续的机器码代表的东西是没有意义的,不是一个函数,所以 CALL 之后反编译器无法识别。
存在大量jmp跳转,导致程序无法正常编译,尝试将跳转nop掉,即将其转换成空指令。
startaddr = 0x1135
endaddr = 0x3100for i in range(startaddr,endaddr):if get_wide_byte(i) == 0xEB:if get_wide_byte(i+1) == 0xFF:patch_byte(i,0x90)print("[+] Addr {} is patched".format(hex(i)))起始地址是main函数的0x1135到结束,通过遍历byte,判断是否和EB FF,即jmp的机械码,是则改成90,即nop。
看到flag为GFCTF{u_are2wordy}
四、[NSSRound#3 Team]jump_by_jump[花指令]
- 先找主函数入口,即main
可以看到0041188C处有call,并且爆红,可以判断为花指令,因此要消除即变成nop,选中41188C,按快捷键D,将其转换为数据。
然后将0E8h改成0x90即nop机器码
快捷键C,将数据再次转换成指令,并将下面黄色的部分依次使用C转换成指令。
最后往上选中main入口,快捷键P生成函数,然后F5,获得函数代码。
int __cdecl main_0(int argc, const char **argv, const char **envp)
{int i; // [esp+D0h] [ebp-2Ch]char v5[28]; // [esp+DCh] [ebp-20h] BYREFstrcpy(v5, "NSSCTF{Jump_b9_jump!}");for ( i = 0; i < 21; ++i )v5[i] = (v5[i] + v5[(i * i + 123) % 21]) % 128;sub_4110CD("%s", (char)v5);return 0;
}
发现flag根本没被加密,直接开始Shift+F12就可以看到字符串。
五、[NSSRound#3 Team]jump_by_jump_revenge[花指令]
跟上面一样,将爆红那里改成空指令,P+F5得到伪代码。
int __cdecl main_0(int argc, const char **argv, const char **envp)
{int i; // [esp+D0h] [ebp-40h]char Str1[36]; // [esp+E8h] [ebp-28h] BYREFsub_411037("%s", (char)Str1);for ( i = 0; i < 29; ++i )Str1[i] = (Str1[i] + Str1[(i * i + 123) % 21]) % 96 + 32;if ( !j_strcmp(Str1, "~4G~M:=WV7iX,zlViGmu4?hJ0H-Q*") )puts("right!");elseputs("nope!");return 0;
}
将flag打乱了,并且进行了变换,逆向解密。
a = ['~', '4', 'G', '~', 'M', ':', '=', 'W', 'V', '7', 'i', 'X', ',', 'z', 'l', 'V', 'i', 'G', 'm', 'u', '4', '?', 'h','J', '0', 'H', '-', 'Q', '*']for i in range(28, -1, -1):k = (i * i + 123) % 21for j in range(5):x = (ord(a[i]) - 32 + j * 96 - ord(a[k]))if 33 <= x <= 126:a[i] = chr(x)break
print("".join(a))
六、[WUSTCTF 2020]level2[UPX脱壳]
- 脱壳,就是说把程序的外壳给脱掉,从而能够看到真正的程序,在程序运行时,首先是壳取得控制权并对程序进行压缩,从而隐藏程序真正的OEP(原始的程序入口点),一般丢进IDX后,函数特别少,是加壳了。
- 程序的脱壳一般总体是三个步骤:
- 找到OEP,程序运行壳代码执行完后会跳转到真正的OEP
- 抓到内存文件,将新得到的源文件保存,可从头到后复制
- 对PE文件进行修复
萌新,手动脱壳不是很现实,一些脱壳工具链接:
UPX脱壳工具
六、[HUBUCTF 2022 新生赛]simple_RE
int __cdecl main(int argc, const char **argv, const char **envp)
{int v4; // [rsp+24h] [rbp-44h] BYREFvoid *Buf1; // [rsp+28h] [rbp-40h] BYREFchar v6[56]; // [rsp+30h] [rbp-38h] BYREFsub_401770(argc, argv, envp);printf("please input the flag:");scanf("%s", v6);Buf1 = 0i64;sub_401570(v6, &Buf1, &v4);if ( !memcmp(Buf1, a5mc58bphliax7j, v4) )printf("\nsuccess!");elseprintf("\nfailed!");if ( Buf1 )free(Buf1);return 0;
}
输入的v6经过sub_401570()函数加密与a5mc58bphliax7j比较,一致则成功,a5mc58bphliax7j的值为5Mc58bPHLiAx7J8ocJIlaVUxaJvMcoYMaoPMaOfg15c475tscHfM/8==,有点像是base64。
但是下面好像还有一串字符串,不知道干什么的,看了下加密函数。
好像加密跟下面的字符串有关,正常的base64也解密不出来,可能是base64换表。
七、[SWPUCTF 2021 新生赛]easyapp
发现PK头,直接改成zip后缀,解压得到一个apk安卓,反编译,得:
Encode类:
package com.example.ilililililil;public class Encoder
{private int key = 123456789;public String encode(String paramString){StringBuilder localStringBuilder = new StringBuilder();paramString = paramString.toCharArray();int i = paramString.length;for (int j = 0; j < i; j++)localStringBuilder.append((char)(paramString[j] ^ this.key));return localStringBuilder.toString();}
}
public /* synthetic */ void lambda$onCreate$0$MainActivity(final EditText editText, View v) {System.out.println(encoder.encode(editText.getText().toString()));if (encoder.encode(editText.getText().toString()).equals("棿棢棢棲棥棷棊棐棁棚棨棨棵棢棌")) {Toast.makeText(this, "YES", 0).show();} else {Toast.makeText(this, "NO", 0).show();}
}
MainActivity类:
package com.example.ilililililil;import java.lang.reflect.Field;public class MainActlvity
{public MainActlvity(){try{Field localField = Encoder.class.getDeclaredField("key");localField.setAccessible(true);localField.set(MainActivity.encoder, Integer.valueOf(987654321));}catch (NoSuchFieldException localNoSuchFieldException){}catch (IllegalAccessException localIllegalAccessException){}localIllegalAccessException.printStackTrace();}
}
可以知道key变成了987654321
所以exp为:
code = '棿棢棢棲棥棷棊棐棁棚棨棨棵棢棌'
key = 987654321
flag = ""
for i in code:flag += chr((ord(i) ^ key) % 128)
print(flag)
得到flag NSSCTF{apkYYDS}
八、[鹏城杯 2022]baby_re[apk反编译+JNI]
反编译得到关键代码:
private static final void onCreate$lambda-0(MainActivity paramMainActivity, int[] paramArrayOfInt, View paramView){Intrinsics.checkNotNullParameter(paramMainActivity, "this$0");Intrinsics.checkNotNullParameter(paramArrayOfInt, "$c");paramView = ((EditText)paramMainActivity._$_findCachedViewById(R.id.input)).getText().toString().chars().toArray();Intrinsics.checkNotNullExpressionValue(paramView, "flag.toArray()");if (Arrays.equals(paramMainActivity.baby_xor(paramView), paramArrayOfInt))Toast.makeText((Context)paramMainActivity, (CharSequence)"Success", 1).show();elseToast.makeText((Context)paramMainActivity, (CharSequence)"Failed", 0).show();}protected void onCreate(Bundle paramBundle){super.onCreate(paramBundle);ActivityMainBinding localActivityMainBinding = ActivityMainBinding.inflate(getLayoutInflater());Intrinsics.checkNotNullExpressionValue(localActivityMainBinding, "inflate(layoutInflater)");this.binding = localActivityMainBinding;paramBundle = localActivityMainBinding;if (localActivityMainBinding == null){Intrinsics.throwUninitializedPropertyAccessException("binding");paramBundle = null;}setContentView((View)paramBundle.getRoot());((Button)_$_findCachedViewById(R.id.btn)).setOnClickListener(new MainActivity..ExternalSyntheticLambda0(this, new int[] { 119, 9, 40, 44, 106, 83, 126, 123, 33, 87, 113, 123, 112, 93, 125, 127, 41, 82, 44, 127, 39, 3, 126, 125, 119, 87, 47, 125, 33, 6, 44, 127, 112, 0, 126, 123, 115, 24 }));}
flag转成了数组,进行baby_xor异或,要等于{ 119, 9, 40, 44, 106, 83, 126, 123, 33, 87, 113, 123, 112, 93, 125, 127, 41, 82, 44, 127, 39, 3, 126, 125, 119, 87, 47, 125, 33, 6, 44, 127, 112, 0, 126, 123, 115, 24 },在反编译的函数中找不到baby_xor,它还给了so文件,放入IDA,会发现存在babyxor函数。
__int64 __fastcall Java_com_example_createso_MainActivity_baby_1xor(__int64 a1, __int64 a2, __int64 a3)
{int i; // [rsp+14h] [rbp-2Ch]__int64 v5; // [rsp+18h] [rbp-28h]unsigned int v6; // [rsp+24h] [rbp-1Ch]v6 = _JNIEnv::GetArrayLength(a1, a3);v5 = _JNIEnv::GetIntArrayElements(a1, a3, 0LL);for ( i = 0; i < (int)v6; ++i )*(_DWORD *)(v5 + 4LL * i) ^= key[i % 4];_JNIEnv::SetIntArrayRegion(a1, a3, 0LL, v6, v5);return a3;
}_DWORD *hide_key(void)
{_DWORD *result; // raxresult = key;key[0] ^= 0x47u;key[1] ^= 0x32u;key[2] ^= 0x11u;key[3] ^= 0x12u;return result;
}
这里就是先将key异或变一下,然后与key[i%4]做异或。
发现key的初始值 0x56 0x57 0x58 0x59
from Crypto.Util.number import long_to_bytesl = [119, 9, 40, 44, 106, 83, 126, 123, 33, 87, 113, 123, 112, 93, 125, 127, 41, 82, 44, 127, 39, 3, 126, 125, 119, 87,47, 125, 33, 6, 44, 127, 112, 0, 126, 123, 115, 24]
key = [0x56, 0x57, 0x58, 0x59]
key[0] ^= 0x47
key[1] ^= 0x32
key[2] ^= 0x11
key[3] ^= 0x12
flag = ''
for i in range(len(l)):flag += chr(l[i] ^ key[i % 4])
print(flag)得到flag
九、[GWCTF 2019]babyvm[VMre]
主函数获取输入:
主要功能在sub_CD1:
函数定义了操作码的功能,可看成是操作码表,202060地址存放操作码,可理解成密文,qword_2022A8存放输入的字符串,其余九是操作码代表的功能,要通过语句推断功能代表的语句,还原程序流程。
0XF1
多个分支,并且都是赋值,推断是mov操作,根据0xE1等分直情况不同,进行不同的表达式,0XE1:mov R0 flag 0XE2:mov R1 flag以此类推
0xF2
xor操作,R0=R0^R1
0xF5
读取长度为21的flag
0xF4
0xF7
mul乘法操作,R0=R0*R3
0xF8
swap交换指令操作,swap R0 R1
0xF6
线性运算 R0=R2+2R1+3R0
知道所有的操作码的含义后,获取密文操作码,从0x202060到0x20229结束,然后翻译操作码
import binascii
from pwn import *
fd = open("babyvm", "rb")
arr = []
offset = 0x2060
while offset <= 0x229e:fd.seek(offset)fr = fd.read(1)arr.append(int(binascii.b2a_hex(fr).decode('utf-8'),16))offset += 1
# print(arr, len(arr))
result = ""
i = 0
while i < 575:if arr[i] == 0xf1:if arr[i + 1] == 0xE1:result += "{0} mov R0 flag[{1}]\n".format(i, arr[i + 2])elif arr[i + 1] == 0xE2:result += "{0} mov R1 flag[{1}]\n".format(i, arr[i + 2])elif arr[i + 1] == 0xE3:result += "{0} mov R2 flag[{1}]\n".format(i, arr[i + 2])elif arr[i + 1] == 0xE4:result += "{0} mov flag[{1}] R0\n".format(i, arr[i + 2])elif arr[i + 1] == 0xE5:result += "{0} mov R3 flag[{1}]\n".format(i, arr[i + 2])elif arr[i + 1] == 0xE7:result += "{0} mov flag[{1}] R1\n".format(i, arr[i + 2])i = i + 6elif arr[i] == 0xf2:result += "{0} xor R0 R1\n".format(i)i += 1elif arr[i] == 0xf5:result += "{0} read flag 21\n".format(i)i += 1elif arr[i] == 0xf4:i += 1elif arr[i] == 0xf7:result += "{0} mul R0 R3\n".format(i)i += 1elif arr[i] == 0xf8:result += "{0} swap R0 R1\n".format(i)i += 1elif arr[i] == 0xf6:result += "{0} mov R0 R2+2*R1+3*R0\n".format(i)i += 1else:i += 1
with open("babyvm.txt", "a+") as tr:tr.write(result)tr.close()
得到:
0 read flag 21
1 mov R0 flag[0]
7 xor R0 R1
8 mov flag[32] R0
14 mov R0 flag[1]
20 xor R0 R1
21 mov flag[33] R0
27 mov R0 flag[2]
33 xor R0 R1
34 mov flag[34] R0
40 mov R0 flag[3]
46 xor R0 R1
47 mov flag[35] R0
53 mov R0 flag[4]
59 xor R0 R1
60 mov flag[36] R0
66 mov R0 flag[5]
72 xor R0 R1
73 mov flag[37] R0
79 mov R0 flag[6]
85 xor R0 R1
86 mov flag[38] R0
92 mov R0 flag[7]
98 xor R0 R1
99 mov flag[39] R0
105 mov R0 flag[8]
111 xor R0 R1
112 mov flag[40] R0
118 mov R0 flag[9]
124 xor R0 R1
125 mov flag[41] R0
131 mov R0 flag[10]
137 xor R0 R1
138 mov flag[42] R0
144 mov R0 flag[11]
150 xor R0 R1
151 mov flag[43] R0
157 mov R0 flag[12]
163 xor R0 R1
164 mov flag[44] R0
170 mov R0 flag[13]
176 xor R0 R1
177 mov flag[45] R0
183 mov R0 flag[14]
189 xor R0 R1
190 mov flag[46] R0
196 mov R0 flag[15]
202 xor R0 R1
203 mov flag[47] R0
209 mov R0 flag[16]
215 xor R0 R1
216 mov flag[48] R0
222 mov R0 flag[17]
228 xor R0 R1
229 mov flag[49] R0
235 mov R0 flag[18]
241 xor R0 R1
242 mov flag[50] R0
248 mov R0 flag[19]
254 xor R0 R1
255 mov flag[51] R0
288 read flag 21
289 mov R0 flag[0]
295 mov R1 flag[1]
301 xor R0 R1
302 mov flag[0] R0
308 mov R0 flag[1]
314 mov R1 flag[2]
320 xor R0 R1
321 mov flag[1] R0
327 mov R0 flag[2]
333 mov R1 flag[3]
339 xor R0 R1
340 mov flag[2] R0
346 mov R0 flag[3]
352 mov R1 flag[4]
358 xor R0 R1
359 mov flag[3] R0
365 mov R0 flag[4]
371 mov R1 flag[5]
377 xor R0 R1
378 mov flag[4] R0
384 mov R0 flag[5]
390 mov R1 flag[6]
396 xor R0 R1
397 mov flag[5] R0
403 mov R0 flag[6]
409 mov R1 flag[7]
415 mov R2 flag[8]
421 mov R3 flag[12]
427 mov R0 R2+2*R1+3*R0
428 mul R0 R3
429 mov flag[6] R0
435 mov R0 flag[7]
441 mov R1 flag[8]
447 mov R2 flag[9]
453 mov R3 flag[12]
459 mov R0 R2+2*R1+3*R0
460 mul R0 R3
461 mov flag[7] R0
467 mov R0 flag[8]
473 mov R1 flag[9]
479 mov R2 flag[10]
485 mov R3 flag[12]
491 mov R0 R2+2*R1+3*R0
492 mul R0 R3
493 mov flag[8] R0
499 mov R0 flag[13]
505 mov R1 flag[19]
511 swap R0 R1
512 mov flag[13] R0
518 mov flag[19] R1
524 mov R0 flag[14]
530 mov R1 flag[18]
536 swap R0 R1
537 mov flag[14] R0
543 mov flag[18] R1
549 mov R0 flag[15]
555 mov R1 flag[17]
561 swap R0 R1
562 mov flag[15] R0
568 mov flag[17] R1有两端read flag操作,但是第一段flag[34]等等,flag长度只有21,所有第二段是正确的,分析第二段
288 read flag 21
289 mov R0 flag[0]
295 mov R1 flag[1]
301 xor R0 R1
302 mov flag[0] R0 //flag[0]=flag[0]^flag[1]
308 mov R0 flag[1]
314 mov R1 flag[2]
320 xor R0 R1
321 mov flag[1] R0 //flag[1]=flag[1]^flag[2]
327 mov R0 flag[2]
333 mov R1 flag[3]
339 xor R0 R1
340 mov flag[2] R0 flag[2]=flag[2]^flag[3]
346 mov R0 flag[3]
352 mov R1 flag[4]
358 xor R0 R1
359 mov flag[3] R0 //flag[3]=flag[3]^flag[4]
365 mov R0 flag[4]
371 mov R1 flag[5]
377 xor R0 R1
378 mov flag[4] R0 //flag[4]=flag[4]^flag[5]
384 mov R0 flag[5]
390 mov R1 flag[6]
396 xor R0 R1
397 mov flag[5] R0 //flag[5]=flag[5]^flag[6]
403 mov R0 flag[6]
409 mov R1 flag[7]
415 mov R2 flag[8]
421 mov R3 flag[12]
427 mov R0 R2+2*R1+3*R0
428 mul R0 R3 //flag[6]=FLAG[8]+2*FLAG[7]+3*FLAG[6]*FLAG[12]
429 mov flag[6] R0
435 mov R0 flag[7]
441 mov R1 flag[8]
447 mov R2 flag[9]
453 mov R3 flag[12]
459 mov R0 R2+2*R1+3*R0
460 mul R0 R3 //flag[7]=flag[9]+2*flag[8]+3*flag[7]*flag[12]
461 mov flag[7] R0
467 mov R0 flag[8]
473 mov R1 flag[9]
479 mov R2 flag[10]
485 mov R3 flag[12]
491 mov R0 R2+2*R1+3*R0
492 mul R0 R3
493 mov flag[8] R0 //flag[8]=(flag[10]+2*flag[9]+3*flag[8])*flag[12]
499 mov R0 flag[13]
505 mov R1 flag[19]
511 swap R0 R1 //swap(flag[13],flag[19])
512 mov flag[13] R0
518 mov flag[19] R1
524 mov R0 flag[14]
530 mov R1 flag[18]
536 swap R0 R1 //swap(flag[14],flag[18])
537 mov flag[14] R0
543 mov flag[18] R1
549 mov R0 flag[15]
555 mov R1 flag[17]
561 swap R0 R1 //swap(flag[15],flag[17])
562 mov flag[15] R0
568 mov flag[17] R1程序的操作大致为:
flag=''
for i in range(6)::flag[i]=flag[i]^flag[i+1]flag[6]=(flag[8]+2*flag[7]+3*flag[6])*flag[12]
flag[7]=(flag[9]+2*flag[8]+3*flag[7])*flag[12]
flag[8]=(flag[10]+2*flag[9]+3*flag[8])*flag[12]
swap(flag[13],flag[19])
swap(flag[14],flag[18])
swap(flag[15],flag[17])
题目真正的check
还原脚本
from pwn import *
re = []
fd = open("babyvm", "rb")
offset = 0x2020
while offset < 0x2034:fd.seek(offset)fr = fd.read(1)re.append(int(binascii.b2a_hex(fr).decode('utf-8'),16))offset += 1
# print(re,len(re))
flag = []
for i in range(20):flag.append(0)
flag[11] = re[11]
flag[12] = re[12]
flag[13] = re[19]
flag[14] = re[18]
flag[15] = re[17]
flag[16] = re[16]
flag[17] = re[15]
flag[18] = re[14]
flag[19] = re[13]
flag[9] = re[9]
flag[10] = re[10]
for i in range(128):if re[8] == ((i * 3 + flag[9] * 2 + flag[10]) * flag[12]) & 0xff:flag[8] = ifor j in range(128):if re[7] == ((j * 3 + flag[8] * 2 + flag[9]) * flag[12]) & 0xff:flag[7] = jfor k in range(128):if re[6] == ((k * 3 + flag[7] * 2 + flag[8]) * flag[12]) & 0xff:flag[6] = k
flag[5] = re[5] ^ flag[6]
flag[4] = re[4] ^ flag[5]
flag[3] = re[3] ^ flag[4]
flag[2] = re[2] ^ flag[3]
flag[1] = re[1] ^ flag[2]
flag[0] = re[0] ^ flag[1]
FLAG = ""
for i in flag:FLAG += chr(i)
print(FLAG)
得到flag
总结一下VMre的解法步骤:
1.根据函数获取操作码表,操作码表中对应的操作,还原程序流程。
2.根据程序流程获得程序的算法。
3.获取flag存放位置并获得加密数据,根据算法还原。
十、[NISACTF 2022]鸣神的国土
.file "test.c".text.section .rodata
.LC0:.string "%s"
.LC1:.string "YES,you get the flag"
.LC2:.string "NO,error".text.globl main.type main, @function
main:
.LFB6:.cfi_startprocendbr64pushq %rbp.cfi_def_cfa_offset 16.cfi_offset 6, -16movq %rsp, %rbp.cfi_def_cfa_register 6pushq %rbxsubq $216, %rsp.cfi_offset 3, -24movq %fs:40, %raxmovq %rax, -24(%rbp)xorl %eax, %eaxmovabsq $7158324656262427505, %raxmovabsq $7163901470557426799, %rdxmovq %rax, -208(%rbp)movq %rdx, -200(%rbp)movabsq $3619001219890117209, %raxmovabsq $5780770822738496110, %rdxmovq %rax, -192(%rbp)movq %rdx, -184(%rbp)movabsq $3838605427404404553, %raxmovabsq $4427116830602054234, %rdxmovq %rax, -176(%rbp)movq %rdx, -168(%rbp)movb $0, -160(%rbp)movl $0, -212(%rbp)leaq -80(%rbp), %raxmovq %rax, %rsileaq .LC0(%rip), %rdimovl $0, %eaxcall __isoc99_scanf@PLTmovl $0, -220(%rbp)jmp .L2
.L15:movl -220(%rbp), %eaxcltqmovzbl -80(%rbp,%rax), %eaxcmpb $64, %aljle .L3movl -220(%rbp), %eaxcltqmovzbl -80(%rbp,%rax), %eaxcmpb $90, %aljle .L4
.L3:movl -220(%rbp), %eaxcltqmovzbl -80(%rbp,%rax), %eaxcmpb $96, %aljle .L5movl -220(%rbp), %eaxcltqmovzbl -80(%rbp,%rax), %eaxcmpb $122, %aljle .L6
.L5:movl -220(%rbp), %eaxcltqmovzbl -80(%rbp,%rax), %edxmovl -220(%rbp), %eaxcltqmovb %dl, -144(%rbp,%rax)jmp .L11
.L6:movl $97, -216(%rbp)jmp .L8
.L10:movl -220(%rbp), %eaxcltqmovzbl -80(%rbp,%rax), %eaxmovsbl %al, %eaxleal -84(%rax), %edxmovslq %edx, %raximulq $1321528399, %rax, %raxshrq $32, %raxmovl %eax, %ecxsarl $3, %ecxmovl %edx, %eaxsarl $31, %eaxsubl %eax, %ecxmovl %ecx, %eaximull $26, %eax, %eaxsubl %eax, %edxmovl %edx, %eaxaddl $97, %eaxcmpl %eax, -216(%rbp)jne .L9movl -216(%rbp), %eaxmovl %eax, %edxmovl -220(%rbp), %eaxcltqmovb %dl, -144(%rbp,%rax)
.L9:addl $1, -216(%rbp)
.L8:cmpl $122, -216(%rbp)jle .L10jmp .L11
.L4:movl $65, -216(%rbp)jmp .L12
.L14:movl -220(%rbp), %eaxcltqmovzbl -80(%rbp,%rax), %eaxmovsbl %al, %eaxleal -52(%rax), %edxmovslq %edx, %raximulq $1321528399, %rax, %raxshrq $32, %raxmovl %eax, %ecxsarl $3, %ecxmovl %edx, %eaxsarl $31, %eaxsubl %eax, %ecxmovl %ecx, %eaximull $26, %eax, %eaxsubl %eax, %edxmovl %edx, %eaxaddl $65, %eaxcmpl %eax, -216(%rbp)jne .L13movl -216(%rbp), %eaxmovl %eax, %edxmovl -220(%rbp), %eaxcltqmovb %dl, -144(%rbp,%rax)
.L13:addl $1, -216(%rbp)
.L12:cmpl $90, -216(%rbp)jle .L14
.L11:addl $1, -220(%rbp)
.L2:movl -220(%rbp), %eaxmovslq %eax, %rbxleaq -80(%rbp), %raxmovq %rax, %rdicall strlen@PLTcmpq %rax, %rbxjb .L15movl $0, -220(%rbp)jmp .L16
.L18:movl -220(%rbp), %eaxcltqmovzbl -208(%rbp,%rax), %edxmovl -220(%rbp), %eaxcltqmovzbl -144(%rbp,%rax), %eaxcmpb %al, %dljne .L17addl $1, -212(%rbp)
.L17:addl $1, -220(%rbp)
.L16:movl -220(%rbp), %eaxmovslq %eax, %rbxleaq -80(%rbp), %raxmovq %rax, %rdicall strlen@PLTcmpq %rax, %rbxjb .L18movl -212(%rbp), %eaxmovslq %eax, %rbxleaq -208(%rbp), %raxmovq %rax, %rdicall strlen@PLTcmpq %rax, %rbxjne .L19leaq .LC1(%rip), %rdicall puts@PLTjmp .L20
.L19:leaq .LC2(%rip), %rdicall puts@PLT
.L20:movl $0, %eaxmovq -24(%rbp), %rsixorq %fs:40, %rsije .L22call __stack_chk_fail@PLT
.L22:addq $216, %rsppopq %rbxpopq %rbp.cfi_def_cfa 7, 8ret.cfi_endproc
.LFE6:.size main, .-main.ident "GCC: (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0".section .note.GNU-stack,"",@progbits.section .note.gnu.property,"a".align 8.long 1f - 0f.long 4f - 1f.long 5
0:.string "GNU"
1:.align 8.long 0xc0000002.long 3f - 2f
2:.long 0x3
3:.align 8
4:直接给GNU代码,可以使用as命令将汇编代码编译为二进制代码,让再用gcc编译成程序。
int __cdecl main(int argc, const char **argv, const char **envp)
{int i; // [rsp+4h] [rbp-DCh]int l; // [rsp+4h] [rbp-DCh]int k; // [rsp+8h] [rbp-D8h]int j; // [rsp+8h] [rbp-D8h]int v8; // [rsp+Ch] [rbp-D4h]char v9[128]; // [rsp+10h] [rbp-D0h] BYREFchar s[56]; // [rsp+90h] [rbp-50h] BYREFunsigned __int64 v11; // [rsp+C8h] [rbp-18h]v11 = __readfsqword(0x28u);strcpy(v9, "q3q3YzWcoTyvnJkcYzAioF92nJEyol9PIwSeLwE5ZJ03MGp=");v8 = 0;__isoc99_scanf(&unk_2004, s);for ( i = 0; i < strlen(s); ++i ){if ( s[i] > 64 && s[i] <= 90 ){for ( j = 65; j <= 90; ++j ){if ( j == (s[i] - 52) % 26 + 65 )v9[i + 64] = j;}}else if ( s[i] > 96 && s[i] <= 122 ){for ( k = 97; k <= 122; ++k ){if ( k == (s[i] - 84) % 26 + 97 )v9[i + 64] = k;}}else{v9[i + 64] = s[i];}}for ( l = 0; l < strlen(s); ++l ){if ( v9[l] == v9[l + 64] )++v8;}if ( v8 == strlen(v9) )puts("YES,you get the flag");elseputs("NO,error");return 0;
}
十一、[广东强网杯 2021 个人组]goodpy
1 0 LOAD_CONST 0 (-1)3 LOAD_CONST 1 (None)6 IMPORT_NAME 0 (os)9 STORE_NAME 0 (os)4 12 LOAD_CONST 2 (0)15 STORE_NAME 1 (a)5 18 LOAD_NAME 2 (input)21 CALL_FUNCTION 024 STORE_NAME 3 (flag)6 27 SETUP_LOOP 36 (to 66)30 LOAD_NAME 4 (range)33 LOAD_NAME 5 (len)36 LOAD_NAME 3 (flag)39 CALL_FUNCTION 142 CALL_FUNCTION 145 GET_ITER >> 46 FOR_ITER 16 (to 65)49 STORE_NAME 6 (i)7 52 LOAD_NAME 1 (a)55 LOAD_CONST 3 (1)58 INPLACE_ADD 59 STORE_NAME 1 (a)62 JUMP_ABSOLUTE 46>> 65 POP_BLOCK 9 >> 66 LOAD_NAME 1 (a)69 LOAD_CONST 4 (32)72 COMPARE_OP 3 (!=)75 POP_JUMP_IF_FALSE 9310 78 LOAD_CONST 5 ('error')81 PRINT_ITEM 82 PRINT_NEWLINE 11 83 LOAD_NAME 7 (exit)86 CALL_FUNCTION 089 POP_TOP 90 JUMP_FORWARD 0 (to 93)13 >> 93 LOAD_NAME 3 (flag)96 LOAD_CONST 2 (0)99 BINARY_SUBSCR 100 LOAD_CONST 6 ('f')103 COMPARE_OP 3 (!=)106 POP_JUMP_IF_TRUE 189109 LOAD_NAME 3 (flag)112 LOAD_CONST 3 (1)115 BINARY_SUBSCR 116 LOAD_CONST 7 ('l')119 COMPARE_OP 3 (!=)122 POP_JUMP_IF_TRUE 189125 LOAD_NAME 3 (flag)128 LOAD_CONST 8 (2)131 BINARY_SUBSCR 132 LOAD_CONST 9 ('a')135 COMPARE_OP 3 (!=)138 POP_JUMP_IF_TRUE 189141 LOAD_NAME 3 (flag)144 LOAD_CONST 10 (3)147 BINARY_SUBSCR 148 LOAD_CONST 11 ('g')151 COMPARE_OP 3 (!=)154 POP_JUMP_IF_TRUE 189157 LOAD_NAME 3 (flag)160 LOAD_CONST 12 (4)163 BINARY_SUBSCR 164 LOAD_CONST 13 ('{')167 COMPARE_OP 3 (!=)170 POP_JUMP_IF_TRUE 189173 LOAD_NAME 3 (flag)176 LOAD_CONST 14 (31)179 BINARY_SUBSCR 180 LOAD_CONST 15 ('}')183 COMPARE_OP 3 (!=)186 POP_JUMP_IF_FALSE 20414 >> 189 LOAD_CONST 5 ('error')192 PRINT_ITEM 193 PRINT_NEWLINE 15 194 LOAD_NAME 7 (exit)197 CALL_FUNCTION 0200 POP_TOP 201 JUMP_FORWARD 0 (to 204)17 >> 204 BUILD_LIST 0207 STORE_NAME 8 (tmp)19 210 SETUP_LOOP 37 (to 250)213 LOAD_NAME 4 (range)216 LOAD_NAME 1 (a)219 CALL_FUNCTION 1222 GET_ITER >> 223 FOR_ITER 23 (to 249)226 STORE_NAME 6 (i)20 229 LOAD_NAME 8 (tmp)232 LOAD_ATTR 9 (append)235 LOAD_NAME 3 (flag)238 LOAD_NAME 6 (i)241 BINARY_SUBSCR 242 CALL_FUNCTION 1245 POP_TOP 246 JUMP_ABSOLUTE 223>> 249 POP_BLOCK 22 >> 250 SETUP_LOOP 44 (to 297)253 LOAD_NAME 4 (range)256 LOAD_NAME 1 (a)259 CALL_FUNCTION 1262 GET_ITER >> 263 FOR_ITER 30 (to 296)266 STORE_NAME 6 (i)23 269 LOAD_NAME 10 (ord)272 LOAD_NAME 8 (tmp)275 LOAD_NAME 6 (i)278 BINARY_SUBSCR 279 CALL_FUNCTION 1282 LOAD_CONST 16 (9)285 BINARY_SUBTRACT 286 LOAD_NAME 8 (tmp)289 LOAD_NAME 6 (i)292 STORE_SUBSCR 293 JUMP_ABSOLUTE 263>> 296 POP_BLOCK 25 >> 297 SETUP_LOOP 38 (to 338)300 LOAD_NAME 4 (range)303 LOAD_NAME 1 (a)306 CALL_FUNCTION 1309 GET_ITER >> 310 FOR_ITER 24 (to 337)313 STORE_NAME 6 (i)26 316 LOAD_NAME 8 (tmp)319 LOAD_NAME 6 (i)322 BINARY_SUBSCR 323 LOAD_CONST 17 (51)326 BINARY_XOR 327 LOAD_NAME 8 (tmp)330 LOAD_NAME 6 (i)333 STORE_SUBSCR 334 JUMP_ABSOLUTE 310>> 337 POP_BLOCK 28 >> 338 SETUP_LOOP 38 (to 379)341 LOAD_NAME 4 (range)344 LOAD_NAME 1 (a)347 CALL_FUNCTION 1350 GET_ITER >> 351 FOR_ITER 24 (to 378)354 STORE_NAME 6 (i)29 357 LOAD_NAME 8 (tmp)360 LOAD_NAME 6 (i)363 BINARY_SUBSCR 364 LOAD_CONST 18 (8)367 BINARY_ADD 368 LOAD_NAME 8 (tmp)371 LOAD_NAME 6 (i)374 STORE_SUBSCR 375 JUMP_ABSOLUTE 351>> 378 POP_BLOCK 31 >> 379 LOAD_NAME 8 (tmp)382 LOAD_NAME 1 (a)385 LOAD_CONST 10 (3)388 BINARY_SUBTRACT 389 BINARY_SUBSCR 390 STORE_NAME 11 (tmp1)32 393 LOAD_NAME 8 (tmp)396 LOAD_NAME 1 (a)399 LOAD_CONST 8 (2)402 BINARY_SUBTRACT 403 BINARY_SUBSCR 404 STORE_NAME 12 (tmp2)33 407 LOAD_NAME 8 (tmp)410 LOAD_NAME 1 (a)413 LOAD_CONST 3 (1)416 BINARY_SUBTRACT 417 BINARY_SUBSCR 418 STORE_NAME 13 (tmp3)35 421 SETUP_LOOP 58 (to 482)424 LOAD_NAME 4 (range)427 LOAD_NAME 1 (a)430 LOAD_CONST 10 (3)433 BINARY_SUBTRACT 434 CALL_FUNCTION 1437 GET_ITER >> 438 FOR_ITER 40 (to 481)441 STORE_NAME 6 (i)36 444 LOAD_NAME 8 (tmp)447 LOAD_NAME 1 (a)450 LOAD_CONST 3 (1)453 BINARY_SUBTRACT 454 LOAD_NAME 6 (i)457 BINARY_SUBTRACT 458 LOAD_CONST 10 (3)461 BINARY_SUBTRACT 462 BINARY_SUBSCR 463 LOAD_NAME 8 (tmp)466 LOAD_NAME 1 (a)469 LOAD_CONST 3 (1)472 BINARY_SUBTRACT 473 LOAD_NAME 6 (i)476 BINARY_SUBTRACT 477 STORE_SUBSCR 478 JUMP_ABSOLUTE 438>> 481 POP_BLOCK 38 >> 482 LOAD_NAME 13 (tmp3)485 LOAD_NAME 8 (tmp)488 LOAD_CONST 2 (0)491 STORE_SUBSCR 39 492 LOAD_NAME 12 (tmp2)495 LOAD_NAME 8 (tmp)498 LOAD_CONST 3 (1)501 STORE_SUBSCR 40 502 LOAD_NAME 11 (tmp1)505 LOAD_NAME 8 (tmp)508 LOAD_CONST 8 (2)511 STORE_SUBSCR 42 512 SETUP_LOOP 58 (to 573)515 LOAD_NAME 4 (range)518 LOAD_NAME 1 (a)521 CALL_FUNCTION 1524 GET_ITER >> 525 FOR_ITER 44 (to 572)528 STORE_NAME 6 (i)43 531 LOAD_NAME 6 (i)534 LOAD_CONST 19 (7)537 BINARY_MODULO 538 LOAD_CONST 3 (1)541 COMPARE_OP 2 (==)544 POP_JUMP_IF_FALSE 55344 547 JUMP_ABSOLUTE 525550 JUMP_FORWARD 0 (to 553)45 >> 553 LOAD_NAME 8 (tmp)556 LOAD_NAME 6 (i)559 DUP_TOPX 2562 BINARY_SUBSCR 563 LOAD_CONST 20 (119)566 INPLACE_XOR 567 ROT_THREE 568 STORE_SUBSCR 569 JUMP_ABSOLUTE 525>> 572 POP_BLOCK 48 >> 573 LOAD_NAME 14 (open)576 LOAD_CONST 21 ('out')579 LOAD_CONST 22 ('w')582 CALL_FUNCTION 2585 SETUP_WITH 26 (to 614)588 STORE_NAME 15 (f)49 591 LOAD_NAME 15 (f)594 LOAD_ATTR 16 (write)597 LOAD_NAME 17 (str)600 LOAD_NAME 8 (tmp)603 CALL_FUNCTION 1606 CALL_FUNCTION 1609 POP_TOP 610 POP_BLOCK 611 LOAD_CONST 1 (None)>> 614 WITH_CLEANUP 615 END_FINALLY 616 LOAD_CONST 1 (None)619 RETURN_VALUE python字节码,直接手撕,结构为 源码行号 | 指令在函数中的偏移 | 指令符号 | 指令参数 | 实际参数值。
参考文章:python字节码
字节码
a = [56, 17, 99, 1, 47, 4, 2, 62, 75, 102, 8, 242, 16, 242, 97, 97, 100, 107, 16, 9, 10, 3, 117, 20, 80, 87, 242, 2, 6, 119, 7, 17]
flag = ''
for i in range(len(a)):if i%7==1:flag += (chr(((a[i]-8)^51)+9))else:flag += (chr((((a[i]^119)-8)^51)+9))print(flag)
十二、[GXYCTF 2019]luck_guy
unsigned __int64 get_flag()
{unsigned int v0; // eaxint i; // [rsp+4h] [rbp-3Ch]int j; // [rsp+8h] [rbp-38h]__int64 s; // [rsp+10h] [rbp-30h] BYREFchar v5; // [rsp+18h] [rbp-28h]unsigned __int64 v6; // [rsp+38h] [rbp-8h]v6 = __readfsqword(0x28u);v0 = time(0LL);srand(v0);for ( i = 0; i <= 4; ++i ){switch ( rand() % 200 ){case 1:puts("OK, it's flag:");memset(&s, 0, 0x28uLL);strcat((char *)&s, f1);strcat((char *)&s, &f2);printf("%s", (const char *)&s);break;case 2:printf("Solar not like you");break;case 3:printf("Solar want a girlfriend");break;case 4:s = 0x7F666F6067756369LL;v5 = 0;strcat(&f2, (const char *)&s);break;case 5:for ( j = 0; j <= 7; ++j ){if ( j % 2 == 1 )*(&f2 + j) -= 2;else--*(&f2 + j);}break;default:puts("emmm,you can't find flag 23333");break;}}return __readfsqword(0x28u) ^ v6;
}
flag拼接了f1和f2,f1直接给出,f2与s拼接,并做了case5的处理,注意0x7F666F6067756369LL是小端,逆序的,所以解密的时候要反过来
s = [0x7F, 0x66, 0x6F, 0x60, 0x67, 0x75, 0x63, 0x69][::-1]
flag = 'GXY{do_not_'
for i in range(8):if i % 2 == 1:s[i]-=2else:s[i]-=1flag += chr(s[i])
print(flag)十三、[HNCTF 2022 Week1]Little Endian
int __cdecl main(int argc, const char **argv, const char **envp)
{char v4[36]; // [rsp+20h] [rbp-30h] BYREFint i; // [rsp+44h] [rbp-Ch]char *v6; // [rsp+48h] [rbp-8h]_main();puts("please input your flag");scanf("%s", v4);v6 = v4;for ( i = 0; i <= 5; ++i ){if ( *(_DWORD *)v6 != (enc[i] ^ 0x12345678) ){printf("Data3rr0r!");exit(0);}v6 += 4;}printf("you are right!");return 0;
}
直接从题目可以知道小端存储,即最低位的字节数据存在最低地址上,而次低位的字节数据按次序排列在次低的地址上,所以反着来就好。
enc = [1365706038, 1582239788, 2118132241, 2087782731, 2085961500, 1868183574]
flag = ''
l = []
for i in range(len(enc)):flag = enc[i] ^ 0x12345678l.append(hex(flag).replace('0x',''))
print(l)for k in l:i=len(k)-2while i >= 0:num = k[i:i + 2]print(chr(int(num, 16)), end="")i = i - 2十四、[MoeCTF 2021]Realezpy
# uncompyle6 version 3.8.0
# Python bytecode 3.8.0 (3413)
# Decompiled from: Python 3.9.8 (tags/v3.9.8:bb3fdcf, Nov 5 2021, 20:48:33) [MSC v.1929 64 bit (AMD64)]
# Embedded file name: Ezpython.py
# Compiled at: 2021-07-28 10:01:40
# Size of source mod 2**32: 931 bytes
import time
c = [119, 121, 111, 109, 100, 112, 123, 74, 105, 100, 114, 48, 120, 95, 49, 99, 95, 99, 121, 48, 121, 48, 121, 48, 121, 48, 95, 111, 107, 99, 105, 125]def decrypt(a):result=[]for i in range(len(a)):if ord('a') <= a[i] <= ord('z'):result.append((a[i] - 114 - ord('a')) % 26 + ord('a'))elif ord('A') <= a[i] <= ord('Z'):result.append((a[i] - 514 - ord('A')) % 26 + ord('A'))else:result.append(a[i])else:return result
result=decrypt(c)
flag=''
for i in result:flag+=chr(i)
print(flag)
十五、[HGAME 2023 week1]encode
int __cdecl main(int argc, const char **argv, const char **envp)
{int v4[100]; // [esp+0h] [ebp-1CCh] BYREFchar v5[52]; // [esp+190h] [ebp-3Ch] BYREFint j; // [esp+1C4h] [ebp-8h]int i; // [esp+1C8h] [ebp-4h]memset(v5, 0, 0x32u);memset(v4, 0, sizeof(v4));sub_4011A0(a50s, (char)v5);for ( i = 0; i < 50; ++i ){v4[2 * i] = v5[i] & 0xF;v4[2 * i + 1] = (v5[i] >> 4) & 0xF;}for ( j = 0; j < 100; ++j ){if ( v4[j] != dword_403000[j] ){sub_401160(Format, v4[0]);return 0;}}sub_401160(aYesYouAreRight, v4[0]);return 0;
}
就是将输入的字符串一个字节切割成两部分,即每部分4个字节,然后对比,完全正确则正确。
c = [8, 6, 7, 6, 1, 6, 13, 6, 5, 6, 11, 7, 5, 6, 14, 6, 3, 6, 15, 6, 4, 6, 5, 6, 15, 5, 9, 6, 3, 7, 15, 5, 5, 6, 1, 6,3, 7, 9, 7, 15, 5, 6, 6, 15, 6, 2, 7, 15, 5, 1, 6, 15, 5, 2, 7, 5, 6, 6, 7, 5, 6, 2, 7, 3, 7, 5, 6, 15, 5, 5, 6,14, 6, 7, 6, 9, 6, 14, 6, 5, 6, 5, 6, 2, 7, 13, 7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
flag = ''
for i in range(50):t = (c[i * 2 + 1] << 4) + c[i * 2]flag += chr(t)
print(flag)Reverse入门[不断记录]相关推荐
- SSM框架入门学习记录
SSM框架入门学习记录 //项目结构 在这里插入图片描述 在这里插入图片描述 包名多种多样,命名习惯问题. 流程:Controller(接受请求)-->Service(biz)(bl)(写业务函 ...
- LaTex入门【记录】
LaTex快速入门[记录] 入门步骤 安装教程 Mathtype中公式转LaTex代码 引用参考文献 快捷键 参考 记录下自己LaTex入门路上整理的一些方法和技巧.大家如果觉得有帮助,欢迎点赞和收藏 ...
- jmeter入门学习记录
jmeter入门学习记录 Jmeter 介绍 下载和运行 发送简单请求测试 第一步:建立Thread Group 第二步:新建一个 HTTP Request 第三步:添加HTTP Head Manag ...
- MOOSE多物理场耦合平台入门学习记录一(稳态热传导程序实例)
MOOSE多物理场耦合平台入门学习记录 MOOSE的简介 MOOSE的安装 Linux和Mac Windows MOOSE程序的一般开发流程-以导热微分方程为例 简单问题的有限元处理 MOOSE程序的 ...
- stm32f103c8t6c语言教程,STM32f103C8T6入门学习记录.doc
STM32f103C8T6入门学习记录 STM32 自 学 笔 记 作者:忙碌的小姚 新浪微博:@忙碌的小姚 新浪博客: /mlxiaoyao222 目录 STM32 自 学 笔 记1 第一章3 我与 ...
- pytorch初入门学习记录
PyTorch第一步 1.Tensor from __future__ import print_function import torch as t # 构建 5x3 矩阵,只是分配了空间,未初始化 ...
- can总线配置读入是什么意思_Simulink(常量amp;总线amp;示波器模块)+嵌入式(AURIX入门学习记录CAN通信配置)...
1 Simulink Simulink-常量&总线&示波器模块a.标量与矩阵的运算 在simulink中使用常量进行加减乘除计算时,系统会自动对标量进行拓展: 若将两个矩阵模块计算时维 ...
- FPGA入门学习记录(1)----自动售货机(VM_FSM)
综述 在写一个自动售货机状态机并仿真,上板的过程中遇到了各种问题.在解决这些零碎的问题后,在防止自己忘记这些经验以及用电子介质取代纸质记录的目的下,写下此文. 这些零碎的经验主要分VeilogHDl语 ...
- 【REVERSE】REVERSE入门
关于REVERSE 写在前面 Hi,这里是关于REVERSE(逆向)的入门.关于逆向,有些话想说.逆向的学习需要理论,也需要实践.广义上,逆向不仅仅是调试二进制可执行格式,反汇编,破解:逆向是心理 ...
最新文章
- 《OpenCV3编程入门》 札记
- php多个 r n如何过滤,php怎么去掉r n
- 如何看oracle 删除完全,如何完全删除Oracle数据库
- 怎么一键执行java程序_如何快速、低成本、低扰动地运行一段Java代码
- oracle apex 链接,Oracle APEX 5.0 新手教程(七) URL格式说明
- 推荐系统实践:从多领域优化到AutoML框架
- linux查看程序中最耗时的代码,【Linux】CPU时间与处理器耗时
- 2021年中国以太网测试设备市场趋势报告、技术动态创新及2027年市场预测
- 专访 Unity 技术总监 Mark Schoennagel、杨栋:基于 Unity 制作影视动画的几点建议!
- 调用vba_VBA代码解决方案的第86讲内容:VBA代码的优化篇
- SAP BW报表使用操作手册——基础操作
- 我们为什么需要实施实验室管理系统?
- 21年美赛F题-DEA模型和逻辑回归模型
- 关于电脑突然没声音(Realtek High definition),电脑声卡驱动安装不上(已解决)
- 基于Fuzzy Logic的人群疏散模型(考虑攻击者的情况)
- OBS视频采集流程分析
- 霜降|JEPaaS提醒您注意防寒保暖
- Ubuntu 设置搜狗输入法 Win+空格 Win+Space切换
- 区块链签章 + 云签约 让合同的法律效力无懈可击
- JVM性能调优3_垃圾收集器与内存分配策略__享学课堂