2022DASCTF Apr X FATE 防疫挑战赛

easy_real

import random
import hashlib
from gmpy2 import *
from libnum import *# flag = 'xxxxxxxxxxxxxxxxxxxx'
# key = random.randint(1,10)
# for i in range(len(flag)):
#     crypto += chr(ord(flag[i])^key)
# m = crypto的ascii十六进制
# RSA parameters from the challenge. p is a factor of n that the write-up
# already has in hand (how it was obtained is not shown on the page).
e = 23
n = 4197356622576696564490569060686240088884187113566430134461945130770906825187894394672841467350797015940721560434743086405821584185286177962353341322088523
p = 64310413306776406422334034047152581900365687374336418863191177338901198608319
c = 3298176862697175389935722420143867000970906723110625484802850810634814647827572034913391972640399446415991848730984820839735665233943600223288991148186397
q = n // p

# Private exponent: inverse of e modulo (p - 1) * (q - 1).
phi = (p - 1) * (q - 1)
d = invert(e, phi)
m = int(pow(c, d, n))
print(n2s(m))  # b'ndios_;9kgE;WK8e;W?gWn<\\;k|nu'

# The challenge source (commented out above) XORs every flag character with
# one key drawn from randint(1, 10), so the RSA plaintext is still masked.
# Print one candidate line per key value and read the flag off by eye.
m = 'ndios_;9kgE;WK8e;W?gWn<\\;k|nu'
for i in range(11):
    print(''.join(chr(ord(ch) ^ i) for ch in m))

CrackMe

随便输入一下,提示wrong

通过字符串交叉引用搜到主程序,

// Decompiled check handler of the CrackMe dialog (IDA pseudocode, line breaks restored).
// It reads two text fields, hashes parts of the first one, encrypts the second
// one with a key derived from the first, and compares against constants stored
// in the dialog object.
int __thiscall sub_B131E0(int this)
{
  const void *v1; // eax
  const void *v2; // eax
  unsigned int Size; // [esp+18h] [ebp-230h]
  size_t pdwDataLen; // [esp+20h] [ebp-228h] BYREF
  void *Buf1; // [esp+24h] [ebp-224h] BYREF
  BYTE *v8; // [esp+28h] [ebp-220h] BYREF
  BYTE *v9; // [esp+2Ch] [ebp-21Ch] BYREF
  size_t dwDataLen; // [esp+30h] [ebp-218h] BYREF
  size_t v11; // [esp+34h] [ebp-214h] BYREF
  DWORD v12; // [esp+38h] [ebp-210h] BYREF
  BYTE v13[260]; // [esp+3Ch] [ebp-20Ch] BYREF
  char pbData[260]; // [esp+140h] [ebp-108h] BYREF

  CWnd::UpdateData((CWnd *)this, 1);
  memset(pbData, 0, sizeof(pbData));
  memset(v13, 0, sizeof(v13));
  // NOTE(review): the istreambuf_iterator name looks like a mis-applied library
  // signature; presumably these two calls return the text lengths of the
  // members at this+216 and this+212 -- confirm in the disassembly.
  Size = std::istreambuf_iterator_char_std::char_traits_char__::operator___void_((void *)(this + 216));
  pdwDataLen = std::istreambuf_iterator_char_std::char_traits_char__::operator___void_((void *)(this + 212));
  dwDataLen = 0;
  v11 = 0;
  v12 = 0;
  // NOTE(review): both copies into the 260-byte stack buffers happen before
  // any length check, so the copy size is whatever length was returned above.
  v1 = (const void *)sub_B12590((void *)(this + 216), Size);
  memmove(pbData, v1, Size);
  v2 = (const void *)sub_B12590((void *)(this + 212), pdwDataLen);
  memmove(v13, v2, pdwDataLen);
  // Rejects only when BOTH lengths are off (&&, not ||): an 8-byte first field
  // or a 32-byte second field alone is enough to pass this test.
  if ( Size != 8 && pdwDataLen != 32 )
    return Wrong((CWnd *)this);
  // Three hash calls; the third argument is the ALG_ID.
  // 0x8003 is CALG_MD5 and 0x8004 is CALG_SHA1 in wincrypt.h.
  sub_B13510((BYTE *)pbData, Size >> 1, 0x8003u, (BYTE **)&Buf1, &dwDataLen);   // first half of the key field
  sub_B13510((BYTE *)&pbData[4], Size >> 1, 0x8004u, &v8, &v11);                // from offset 4 of the key field
  sub_B13510((BYTE *)pbData, Size, 0x8003u, &v9, &v12);                         // whole key field
  // NOTE(review): the result of this memcmp is discarded in the pseudocode, so
  // as shown the first-half digest is computed but never enforced. This may be
  // a decompiler artefact -- confirm in the disassembly.
  memcmp(Buf1, (const void *)(this + 220), dwDataLen);
  if ( memcmp(v8, (const void *)(this + 480), v11) )
    return Wrong((CWnd *)this);
  // Encrypts v13 (the second field) in place, keyed by the digest v9, then
  // compares it with the expected ciphertext stored at this+740.
  sub_B136E0(v9, v12, v13, &pdwDataLen, 0x104u);
  if ( !memcmp(v13, (const void *)(this + 740), pdwDataLen) )
    return sucess((CWnd *)this);
  else
    return Wrong((CWnd *)this);
}

准备动调看看怎么回事,发现有反调试

反调试是这个

ZwSetInformationThread 等同于 NtSetInformationThread,通过为线程设置 ThreadHideFromDebugger(信息类 0x11),可以让调试器收不到该线程的调试事件

搜索"ZwSetInformationThread"

发现后改掉参数0x11,

我这里改的是1

 // Patched call from the write-up: the second argument (the thread information
 // class) was 0x11 (ThreadHideFromDebugger) in the original binary and is
 // changed to 1 here so the thread is no longer hidden from the debugger.
 ((void (__stdcall *)(HANDLE, int, _DWORD, _DWORD))ZwSetInformationThread)(CurrentThread, 1, 0, 0);

根据

  if ( Size != 8 && pdwDataLen != 32 )

进行逻辑构造,这里猜 flag 的长度要 32 个字符,key 的长度要 8 个字符

我们动调验证了我们的猜想

接下来关注sub_B13510函数,下面连续调用了三次

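发现是调用系统 API(CryptoAPI),关注 ALG_ID Algid:三次调用的 Algid 分别是 0x8003(CALG_MD5)、0x8004(CALG_SHA1)、0x8003(CALG_MD5),也就是分别做 MD5、SHA1、MD5 哈希(是哈希而不是加密),进入下面第一个对比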

得到key的前4位的md5:

9F77C2A4AC5C0A671321BBE1E9972AF6

明文为:NocT

同样得到key后4位的sha1:D59F8E94B0E1DE6E329518A0C444AA94DE7C8D44

后半部分为:uRne

NocTuRne

然后用 key 的 md5 值派生密钥,对我们的 input 做加密(CryptDeriveKey 的 Algid 是 0x660E,即 CALG_AES_128)

我们直接去拿密文

 0x5B, 0x9C, 0xEE, 0xB2, 0x3B, 0xB7, 0xD7, 0x34, 0xF3, 0x1B, 0x75, 0x14, 0xC6, 0xB2, 0x1F, 0xE8, 0xDE, 0x33, 0x44, 0x74, 0x75, 0x1B, 0x47, 0x6A, 0xD4, 0x37, 0x51, 0x88, 0xFC, 0x67, 0xE6, 0x60

参数是:

md5_key,0x10,input,len_input,0x104
// Decompiled encryption helper (IDA pseudocode, line breaks restored).
// Hashes pbData[0..dwDataLen), derives a session key from that hash and
// encrypts the buffer a3 in place.
//   pbData / dwDataLen : key material that is hashed
//   a3                 : in/out data buffer
//   pdwDataLen         : in: plaintext length, out: ciphertext length
//   dwBufLen           : capacity of a3
// NOTE(review): presumably the same routine as sub_B136E0 in the caller
// listing, shown under a different image base -- confirm.
void __stdcall sub_C836E0(BYTE *pbData, DWORD dwDataLen, BYTE *a3, DWORD *pdwDataLen, DWORD dwBufLen)
{
  HCRYPTKEY phKey; // [esp+Ch] [ebp-10h] BYREF
  HCRYPTPROV phProv; // [esp+10h] [ebp-Ch] BYREF
  HCRYPTHASH phHash; // [esp+14h] [ebp-8h] BYREF

  phProv = 0;
  phHash = 0;
  phKey = 0;
  // wincrypt.h values: 0x18 = PROV_RSA_AES, 0xF0000000 = CRYPT_VERIFYCONTEXT,
  // 0x8003 = CALG_MD5, 0x660E = CALG_AES_128, 1 = CRYPT_EXPORTABLE.
  if ( CryptAcquireContextA(&phProv, 0, 0, 0x18u, 0xF0000000)
    && CryptCreateHash(phProv, 0x8003u, 0, 0, &phHash)
    && CryptHashData(phHash, pbData, dwDataLen, 0)
    && CryptDeriveKey(phProv, 0x660Eu, phHash, 1u, &phKey) )
  {
    // Third argument 1 is Final = TRUE: the data is processed as the last block.
    // The return value is not checked.
    CryptEncrypt(phKey, 0, 1, 0, a3, pdwDataLen, dwBufLen);
  }
  // Release whichever handles were obtained.
  if ( phKey )
    CryptDestroyKey(phKey);
  if ( phHash )
    CryptDestroyHash(phHash);
  if ( phProv )
    CryptReleaseContext(phProv, 0);
}
#include<stdio.h>
#include<windows.h>
#include <wincrypt.h>
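/*
 * Inverse of the crackme's encryption helper: hash pbData with MD5, derive an
 * AES-128 key from the hash and decrypt a3 in place, then print the plaintext.
 *
 *   pbData / dwDataLen : key material that is hashed
 *   a3                 : in: ciphertext, out: plaintext (decrypted in place)
 *   pdwDataLen         : in: ciphertext length, out: plaintext length
 *   dwBufLen           : unused; kept so the signature mirrors the encryptor
 */
void __stdcall de(BYTE *pbData, DWORD dwDataLen, BYTE *a3, DWORD *pdwDataLen, DWORD dwBufLen)
{
    HCRYPTPROV phProv = 0;
    HCRYPTHASH phHash = 0;
    HCRYPTKEY phKey = 0;

    (void)dwBufLen; /* CryptDecrypt takes no separate buffer capacity */

    /* 0x18 = PROV_RSA_AES, 0xF0000000 = CRYPT_VERIFYCONTEXT,
       0x8003 = CALG_MD5, 0x660E = CALG_AES_128, 1 = CRYPT_EXPORTABLE */
    if ( CryptAcquireContextA(&phProv, 0, 0, 0x18u, 0xF0000000)
      && CryptCreateHash(phProv, 0x8003u, 0, 0, &phHash)
      && CryptHashData(phHash, pbData, dwDataLen, 0)
      && CryptDeriveKey(phProv, 0x660Eu, phHash, 1u, &phKey) )
    {
        if ( CryptDecrypt(phKey, 0, 1, 0, a3, pdwDataLen) )
        {
            /* The buffer is not NUL-terminated, so bound the print by the
               plaintext length CryptDecrypt wrote back instead of using "%s". */
            printf("%.*s", (int)*pdwDataLen, (const char *)a3);
        }
        else
        {
            /* Do not print the buffer when decryption failed. */
            fprintf(stderr, "CryptDecrypt failed: 0x%08lx\n", (unsigned long)GetLastError());
        }
    }

    if ( phKey )
        CryptDestroyKey(phKey);
    if ( phHash )
        CryptDestroyHash(phHash);
    if ( phProv )
        CryptReleaseContext(phProv, 0);
}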
//md5_key,0x10,input,len_input,0x104
/* Feed the ciphertext taken from the binary and the key's MD5 digest to de(). */
int main()
{
    /* 32-byte expected ciphertext copied from the crackme. */
    BYTE input[] = {
        0x5B, 0x9C, 0xEE, 0xB2, 0x3B, 0xB7, 0xD7, 0x34,
        0xF3, 0x1B, 0x75, 0x14, 0xC6, 0xB2, 0x1F, 0xE8,
        0xDE, 0x33, 0x44, 0x74, 0x75, 0x1B, 0x47, 0x6A,
        0xD4, 0x37, 0x51, 0x88, 0xFC, 0x67, 0xE6, 0x60
    };
    /* 16-byte MD5 digest of the recovered key, per the write-up. */
    BYTE key[] = {
        0x5c, 0x53, 0xa4, 0xa4, 0x1d, 0x52, 0x43, 0x7a,
        0x9f, 0xa1, 0xe9, 0xc2, 0x6c, 0xa5, 0x90, 0x90
    };
    DWORD len_input = 0x20;   /* not used below */
    DWORD dwDataLen = 0x10;   /* length of key[] */
    DWORD ddwDataLen = 0x20;  /* in: ciphertext length, out: plaintext length */
    DWORD *pdwDataLen = &ddwDataLen;

    de(key, dwDataLen, input, pdwDataLen, (DWORD)0x104);
    return 0;
}

DASCTF{H@sh_a^d_Aes_6y_W1nCrypt}

FakePica

安卓逆向,先查个壳,发现加了壳

使用BlackDex进行脱壳,然后用jadx看,逻辑有点乱,搜下

MainActivity

直接定位到主程序

package com.pica.picapica;import android.content.Intent;
import android.os.Bundle;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.Toast;
import androidx.appcompat.app.AppCompatActivity;
import com.pica.picacomic.C0897R;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import kotlin.UByte;
import kotlin.jvm.internal.ByteCompanionObject;/* loaded from: E:\360MoveData\Users\Administrator\Desktop\com.ppsuc.ppsucctf\cookie_8836564.dex */
/**
 * Login activity as recovered by jadx from the unpacked dex (line breaks restored).
 *
 * The e-mail and password typed by the user are AES-encrypted with a key and
 * IV that are hard-coded in this class, and the ciphertexts are compared with
 * the embedded arrays content0 / content1. Because key, IV and expected
 * ciphertext all ship in the app, the expected credentials can be recovered
 * offline by decrypting the arrays; a verifier that must keep a secret should
 * not store it as reversible ciphertext next to its key.
 */
public class MainActivity extends AppCompatActivity {
    Button checkIn;
    EditText emailInput;
    EditText passWordInput;
    // Fixed IV: the bytes of this literal, reused for every encryption.
    private final IvParameterSpec IV_PARAMETER_SPEC = new IvParameterSpec("0102030405060708".getBytes());
    // Expected ciphertext of the e-mail (compared with cryData in check()).
    // ByteCompanionObject.MAX_VALUE is 127.
    byte[] content0 = {-114, 95, -37, ByteCompanionObject.MAX_VALUE, -110, 113, 41, 74, 40, 73, 19, 124, -57, -88, 39, -116, -16, -75, -3, -45, -73, -6, -104, -6, -78, 121, 110, 74, -90, -47, -28, -28};
    // Expected ciphertext of the password (compared with cryPW in check()).
    byte[] content1 = {-40, 26, 95, -49, -40, -123, 72, -90, -100, -41, 122, -4, 25, -101, -58, 116};
    // Hard-coded 16-character AES key.
    String key = "picapicapicapica";

    /**
     * AES/CBC/NoPadding-encrypts data and returns the ciphertext as upper-case hex.
     * The plaintext is zero-padded by Arrays.copyOf to the next multiple of 16
     * bytes (a full extra block when the length is already a multiple of 16).
     * Returns null if any exception is thrown.
     */
    public String encryptIntoHexString(String data, String key) {
        try {
            Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
            // Mode 1 is Cipher.ENCRYPT_MODE.
            cipher.init(1, new SecretKeySpec(key.getBytes(), "AES"), this.IV_PARAMETER_SPEC);
            return bytesConvertHexString(cipher.doFinal(Arrays.copyOf(data.getBytes(), ((data.getBytes().length / 16) + 1) * 16)));
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }

    /**
     * Decrypts a hex string with the same cipher, key and IV and returns the
     * plaintext decoded as UTF-8, or null if any exception is thrown.
     */
    public String decryptByHexString(String data, String key) {
        try {
            Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
            // Mode 2 is Cipher.DECRYPT_MODE.
            cipher.init(2, new SecretKeySpec(key.getBytes(), "AES"), this.IV_PARAMETER_SPEC);
            return new String(cipher.doFinal(hexStringConvertBytes(data.toLowerCase())), "UTF-8");
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }

    /** Formats each byte as two hex digits and returns the upper-cased string. */
    private String bytesConvertHexString(byte[] data) {
        StringBuffer result = new StringBuffer();
        for (byte b : data) {
            // Mask to 0..255 so negative bytes do not produce sign-extended hex.
            String hexString = Integer.toHexString(b & UByte.MAX_VALUE);
            result.append(hexString.length() == 1 ? "0" + hexString : hexString);
        }
        return result.toString().toUpperCase();
    }

    /** Parses a hex string two digits at a time into bytes; a trailing odd digit is ignored. */
    private byte[] hexStringConvertBytes(String data) {
        int length = data.length() / 2;
        byte[] result = new byte[length];
        for (int i = 0; i < length; i++) {
            int first = Integer.parseInt(data.substring(i * 2, (i * 2) + 1), 16);
            int second = Integer.parseInt(data.substring((i * 2) + 1, (i * 2) + 2), 16);
            result[i] = (byte) ((first * 16) + second);
        }
        return result;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(C0897R.layout.activity_main);
        Intent intent = new Intent();
        intent.setClass(this, MainActivity2.class);
        this.emailInput = (EditText) findViewById(C0897R.C0900id.emailInput);
        this.passWordInput = (EditText) findViewById(C0897R.C0900id.passWordInput);
        Button button = (Button) findViewById(C0897R.C0900id.login);
        this.checkIn = button;
        button.setOnClickListener(new View.OnClickListener() { // from class: com.pica.picapica.MainActivity.1
            @Override // android.view.View.OnClickListener
            public void onClick(View view) {
                MainActivity mainActivity = MainActivity.this;
                // The trimmed field contents go to check(); on success a toast
                // is shown and MainActivity2 is started after a one-second sleep.
                if (mainActivity.check(mainActivity.emailInput.getText().toString().trim(), MainActivity.this.passWordInput.getText().toString().trim())) {
                    Toast.makeText(MainActivity.this, "登录成功", 0).show();
                    try {
                        Thread.sleep(1000L);
                    } catch (InterruptedException e) {
                        e.printStackTrace();
                    }
                    Intent intent2 = new Intent();
                    intent2.setClass(MainActivity.this, MainActivity2.class);
                    MainActivity.this.startActivity(intent2);
                }
            }
        });
    }

    /**
     * Returns true only when the encrypted e-mail equals content0 and the
     * encrypted password equals content1.
     * NOTE(review): encryptIntoHexString returns null on failure and that null
     * is passed straight to hexStringConvertBytes, which dereferences it.
     */
    public boolean check(String email, String passWord) {
        byte[] cryData = hexStringConvertBytes(encryptIntoHexString(email, this.key));
        byte[] cryPW = hexStringConvertBytes(encryptIntoHexString(passWord, this.key));
        if (!Arrays.equals(cryData, this.content0) || !Arrays.equals(cryPW, this.content1)) {
            return false;
        }
        return true;
    }
}

使用了AES的CBC模式

直接解就好了

from Crypto.Cipher import AES


def dn(text):
    """Decrypt *text* with the key and IV hard-coded in the APK and print it."""
    cipher = AES.new(b"picapicapicapica", AES.MODE_CBC, b"0102030405060708")
    print(cipher.decrypt(text))


# Signed Java bytes copied from MainActivity: `password` is the app's content1
# array and `email` its content0 array (MAX_VALUE written out as 127).
password = [-40, 26, 95, -49, -40, -123, 72, -90, -100, -41, 122, -4, 25, -101, -58, 116]
email = [-114, 95, -37, 127, -110, 113, 41, 74, 40, 73, 19, 124, -57, -88, 39, -116, -16, -75, -3, -45, -73, -6, -104, -6, -78, 121, 110, 74, -90, -47, -28, -28]

# Map the signed values to 0..255 before building the byte strings.
content0 = bytes(value & 0xff for value in password)
content01 = bytes(value & 0xff for value in email)

# The app zero-pads before encrypting, so the output ends in \x00 bytes.
dn(content0)
dn(content01)
# b'picacomic\x00\x00\x00\x00\x00\x00\x00'
# b'picacomic@gmail.com\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

奇怪的交易

文件有点大,upx先脱个壳

py文件打包,把源码弄下

# visit https://tool.lu/pyc/ for more information
# Version: Python 3.10
# NOTE(review): decompiler output with line breaks and indentation reconstructed.
# It is not valid Python 3 as shown: the `L` integer suffixes and the trailing
# `continue` are decompiler artefacts, and the two `if i < len(c)` /
# `if not i < len(c)` blocks presumably stand for a loop over c -- confirm
# against the bytecode.
from cup import *
if __name__ == '__main__':
    flag = input('\xe8\xaf\xb7\xe8\xbe\x93\xe5\x85\xa5flag')
    # pub_key[0] is used as the modulus and pub_key[1] as the exponent in pow() below.
    pub_key = [0x649EE967E7916A825CC9FD3320BEABF263BEAC68C080F52824A0F521EDB6B78577EC52BF1C9E78F4BB71192F9A23F1A17AA76E5979E4D953329D3CA65FB4A71DA57412B59DFD6AEDF0191C5555D3E5F582B81B5E6B23163E9889204A81AFFDF119FE25C92F4ED59BD3285BCD7AAE14824240D2E33C5A97848F4EB7AAC203DE6330D2B4D8FF61691544FBECD120F99A157B3D2F58FA51B2887A9D06CA383C44D071314A12B17928B96F03A06E959A5AFEFA0183664F52CD32B9FC72A04B45913FCB2D5D2D3A415A14F611CF1EAC2D6C785142A8E9CC41B67A6CD85001B06EDB8CA767D367E56E0AE651491BF8A8C17A38A1835DB9E4A9292B1D86D5776C98CC25L,0x647327833ACFEF1F9C83E74E171FC300FA347D4A6769476C33DA82C95120ACB38B62B33D429206FE6E9BB0BB7AB748A1036971BEA36EC47130B749C1C9FF6FE03D0F7D9FC5346EB0E575BDFA6C530AA57CD676894FC080D2DD049AB59625F4B9C78BCFD95CDCD2793E440E26E189D251121CB6EB177FEDB596409034E8B0C5BBD9BD9342235DBB226C9170EFE347FF0FD2CFF9A1F7B647CC83E4D8F005FD7125A89251C768AFE70BDD54B88116814D5030F499BCAC4673CCCC342FB4B6AC58EA5A64546DC25912B6C430529F6A7F449FD96536DE269D1A1B015A4AC6B6E46EE19DCE8143726A6503E290E4BAE6BD78319B5878981F6CFFDB3B818209341FD68BL]
    m = libnum.s2n(flag)
    # c is the DECIMAL STRING of the RSA result, not the integer itself.
    c = str(pow(m, pub_key[1], pub_key[0]))
    ᘡ = []
    # Expected words after encrypt(); compared with ᘡ at the end.
    ᘙ = [0xD28ED952L,1472742623,0xD91BA938L,0xF9F3BD2DL,0x8EF8E43DL,617653972,1474514999,1471783658,1012864704,0xD7821910L,993855884,438456717,0xC83555B7L,0xE8DFF468L,198959101,0xC5B84FEBL,0xD9F837C6L,613157871,0x8EFA4EDDL,97286225,0x8B4B608CL,1471645170,0xC0B62792L,583597118,0xAAB1C22DL,0xBDB9C266L,1384330715,0xAE9F9816L,0xD1F40B3CL,0x8206DDC3L,0xC4E0BADCL,0xE407BD26L,145643141,0x8016C6A5L,0xAF4AB9D3L,506798154,994590281,0x85082A0BL,0xCA0BC95AL,0xA7BE567CL,1105937096,1789727804,0xDFEFB591L,0x93346B38L,1162286478,680814033,0xAEE1A7A2L,0x80E574AEL,0xF154F55FL,2121620700,0xFCBDA653L,0x8E902444L,0xCA742E12L,0xB8424071L,0xB4B15EC2L,0x943BFA09L,0xBC97CD93L,1285603712,798920280,0x8B58328FL,0xF9822360L,0xD1FD15EEL,1077514121,1436444106,0xA2D6C17EL,1507202797,500756149,198754565,0x8E014807L,880454148,1970517398,0xBFC6EE25L,1161840191,560498076,1782600856,0x9D93FEBEL,1285196205,788797746,1195724574,0xF2174A07L,103427523,0x952BFE83L,0xF730AC4CL,617564657,978211984,1781482121,0x8379D23AL,0xEAD737EEL,0xE41555FBL,659557668,0x99F3B244L,1561884856,0x842C31A4L,1189296962,169145316,0xA5CE044CL,1323893433,824667876,408202876,0xE0178482L,0xF412BBBCL,1508996065,162419237,0xDE740B00L,0xB7CB64FDL,0xEBCADB1FL,0x8EAE2326L,0x933C216CL,0xD7D1F649L,481927014,0xA448AC16L,0xBC082807L,1261069441,2063238535,0x8474A61DL,101459755,0xBC5654D1L,1721190841,1078395785,176506553,0xD3C5280FL,1566142515,1938949000,1499289517,0xC59872F8L,829714860,0xE51502A2L,952932374,1283577465,2045007203,0xEBE6A798L,0xE09575CDL,0xADDF4157L,0xC4770191L,482297421,1734231412,0xDAC71054L,0x99807E43L,0xA88D74B1L,0xCB77E028L,1533519803,0xEEEBC3B6L,0xE7E680E5L,272960248,317508587,0xC4B10CDCL,0x91776399L,27470488,1666674386,1737927609,750987808,0x8E364D8FL,0xA0985A77L,562925334,0x837D6DC3L]
    i = 0
    if i < len(c):
        # Pack up to four characters of c, first character in the high byte.
        ᘞ = 0
        for ii in c[i:i + 4]:
            ᘞ = (ᘞ << 8) + ord(ii)
        ᘡ.append(ᘞ)
        i += 4
    if not i < len(c):
        ᘝ = [54,54,54,54]
        ᘠ = len(ᘡ)
        # The return value is unused; the comparison below relies on encrypt()
        # having modified ᘡ in place -- confirm in the cup module.
        res = encrypt(ᘠ, ᘡ, ᘝ)
        if ᘡ == ᘙ:
            print('You are right!')
            input('')
            quit()
        else:
            print('Why not drink a cup of tea and have a rest?')
            continue

encrypt函数在cup库里,被加密了

然后寄了,后面看别人的wp

原因见这篇文章(链接中与会话相关的参数已去掉):https://mp.weixin.qq.com/s?__biz=Mzg3ODY3MzcwMQ==&mid=2247485017&idx=1&sn=8e44e93039c97980727bfb0105688e4d&chksm=cf116c13f866e505deb831f0492ed2e3ef2b81a765e743595302c24097ddfea5491d9fa9cb9c

这里面有写了,带了key

根据文章中例子,我们找到pyimod00_crypto_key文件

#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 3.10key = '0000000000000tea'

使用如下脚本

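import tinyaes
import zlib

CRYPT_BLOCK_SIZE = 16

# Key taken from crypt_key.pyc (it can also be recovered by decompiling it).
key = bytes('0000000000000tea', 'utf-8')

# Context managers close both files even when decryption or decompression
# raises, for example on a wrong key or a truncated input.
with open('cup.pyc.encrypted', 'rb') as inf, open('output.pyc', 'wb') as outf:
    # The first block of the encrypted file is read as the IV.
    iv = inf.read(CRYPT_BLOCK_SIZE)
    cipher = tinyaes.AES(key, iv)

    # Decrypt the rest in CTR mode, then undo the zlib compression.
    plaintext = zlib.decompress(cipher.CTR_xcrypt_buffer(inf.read()))

    # Prepend a 16-byte .pyc header (4 magic bytes followed by 12 zero bytes);
    # it can also be patched in by hand afterwards.
    # NOTE(review): the magic must match the interpreter that built the
    # archive; the decompiler output on this page reports Python 3.10.
    outf.write(b'\x6f\x0d\x0d\x0a\0\0\0\0\0\0\0\0\0\0\0\0')

    # Write the decrypted module body.
    outf.write(plaintext)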

然后就可以了

#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
import libnum
from ctypes import *

# NOTE(review): decompiler output with line breaks and indentation reconstructed.
# It is not valid Python 3 as shown (`L` integer suffix).


def MX(z, y, total, key, p, e):
    # Mixing step: combines shifted copies of z and y with the running total
    # and one key word selected by (p & 3) ^ e; the result is wrapped in
    # c_uint32, which truncates it to 32 bits.
    temp1 = (z.value >> 5 ^ y.value << 2) + (y.value >> 3 ^ z.value << 4)
    temp2 = (total.value ^ y.value) + (key[p & 3 ^ e.value] ^ z.value)
    return c_uint32(temp1 ^ temp2)


def encrypt(ᘗ, ᘖ, ᘘ):
    # Arguments as used by the caller: ᘗ = number of words, ᘖ = list of words
    # (modified in place and returned), ᘘ = key words.
    ᘜ = 0x9E3779B9L
    ᘛ = 6 + 52 // ᘗ
    total = c_uint32(0)
    ᘔ = c_uint32(ᘖ[ᘗ - 1])
    ᘕ = c_uint32(0)
    # NOTE(review): the round loop appears here as a plain `if`, and only the
    # update of the last word is visible; a per-word inner loop, if the module
    # has one, was lost by the decompiler -- confirm against the bytecode.
    if ᘛ > 0:
        total.value += ᘜ
        ᘕ.value = total.value >> 2 & 3
        ᘚ = c_uint32(ᘖ[0])
        ᘖ[ᘗ - 1] = c_uint32(ᘖ[ᘗ - 1] + MX(ᘔ, ᘚ, total, ᘘ, ᘗ - 1, ᘕ).value).value
        ᘔ.value = ᘖ[ᘗ - 1]
        ᘛ -= 1
    if not ᘛ > 0:
        return ᘖ

可以看出 encrypt 是 XXTEA 加密(delta 为 0x9E3779B9,轮数为 6 + 52 // n),用下面的 C 程序解密

#include <stdio.h>
#include <stdint.h>

#define KEYLEN 4
#define DELTA 0x9e3779b9
#define LUN 32

void Encrypt(unsigned int * v, unsigned int * k);
void Decrypt(unsigned int * v, unsigned int * k);

/* XXTEA mixing term; expands in place and reads y, z, sum, p, e and key. */
#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))

/*
 * XXTEA over the n 32-bit words in v, in place, with a 4-word key.
 * n > 1 encodes, n < -1 decodes |n| words, any other n leaves v untouched.
 */
void btea(uint32_t *v, int n, uint32_t const key[4])
{
    uint32_t y, z, sum;
    unsigned p, rounds, e;

    if (n > 1)
    {
        /* Coding part */
        sum = 0;
        z = v[n - 1];
        for (rounds = 6 + 52 / n; rounds != 0; --rounds)
        {
            sum += DELTA;
            e = (sum >> 2) & 3;
            p = 0;
            while (p < n - 1)
            {
                y = v[p + 1];
                v[p] += MX;
                z = v[p];
                p++;
            }
            /* p == n - 1 here, as MX expects for the last word. */
            y = v[0];
            v[n - 1] += MX;
            z = v[n - 1];
        }
        return;
    }

    if (n < -1)
    {
        /* Decoding part */
        n = -n;
        rounds = 6 + 52 / n;
        sum = rounds * DELTA;
        y = v[0];
        while (rounds != 0)
        {
            e = (sum >> 2) & 3;
            p = n - 1;
            while (p > 0)
            {
                z = v[p - 1];
                v[p] -= MX;
                y = v[p];
                p--;
            }
            /* p == 0 here, as MX expects for the first word. */
            z = v[n - 1];
            v[0] -= MX;
            y = v[0];
            sum -= DELTA;
            --rounds;
        }
    }
}

/*
 * Decrypt the 155 target words from the checker with key {54, 54, 54, 54} and
 * print every word most-significant byte first, matching the
 * (w << 8) + ord(ch) packing in the checker. Per the checker code those words
 * were packed from the decimal string of the RSA result c, so the output is
 * that string rather than the flag text. The byte order assumes a
 * little-endian host.
 */
int main(void)
{
    uint32_t v[] = { 0xD28ED952, 1472742623, 0xD91BA938, 0xF9F3BD2D, 0x8EF8E43D, 617653972, 1474514999, 1471783658, 1012864704, 0xD7821910, 993855884, 438456717, 0xC83555B7, 0xE8DFF468, 198959101, 0xC5B84FEB, 0xD9F837C6, 613157871, 0x8EFA4EDD, 97286225, 0x8B4B608C, 1471645170, 0xC0B62792, 583597118, 0xAAB1C22D, 0xBDB9C266, 1384330715, 0xAE9F9816, 0xD1F40B3C, 0x8206DDC3, 0xC4E0BADC, 0xE407BD26, 145643141, 0x8016C6A5, 0xAF4AB9D3, 506798154, 994590281, 0x85082A0B, 0xCA0BC95A, 0xA7BE567C, 1105937096, 1789727804, 0xDFEFB591, 0x93346B38, 1162286478, 680814033, 0xAEE1A7A2, 0x80E574AE, 0xF154F55F, 2121620700, 0xFCBDA653, 0x8E902444, 0xCA742E12, 0xB8424071, 0xB4B15EC2, 0x943BFA09, 0xBC97CD93, 1285603712, 798920280, 0x8B58328F, 0xF9822360, 0xD1FD15EE, 1077514121, 1436444106, 0xA2D6C17E, 1507202797, 500756149, 198754565, 0x8E014807, 880454148, 1970517398, 0xBFC6EE25, 1161840191, 560498076, 1782600856, 0x9D93FEBE, 1285196205, 788797746, 1195724574, 0xF2174A07, 103427523, 0x952BFE83, 0xF730AC4C, 617564657, 978211984, 1781482121, 0x8379D23A, 0xEAD737EE, 0xE41555FB, 659557668, 0x99F3B244, 1561884856, 0x842C31A4, 1189296962, 169145316, 0xA5CE044C, 1323893433, 824667876, 408202876, 0xE0178482, 0xF412BBBC, 1508996065, 162419237, 0xDE740B00, 0xB7CB64FD, 0xEBCADB1F, 0x8EAE2326, 0x933C216C, 0xD7D1F649, 481927014, 0xA448AC16, 0xBC082807, 1261069441, 2063238535, 0x8474A61D, 101459755, 0xBC5654D1, 1721190841, 1078395785, 176506553, 0xD3C5280F, 1566142515, 1938949000, 1499289517, 0xC59872F8, 829714860, 0xE51502A2, 952932374, 1283577465, 2045007203, 0xEBE6A798, 0xE09575CD, 0xADDF4157, 0xC4770191, 482297421, 1734231412, 0xDAC71054, 0x99807E43, 0xA88D74B1, 0xCB77E028, 1533519803, 0xEEEBC3B6, 0xE7E680E5, 272960248, 317508587, 0xC4B10CDC, 0x91776399, 27470488, 1666674386, 1737927609, 750987808, 0x8E364D8F, 0xA0985A77, 562925334, 0x837D6DC3, 0 };
    uint32_t k[] = { 54, 54, 54, 54 };
    int i, index;
    int n = 155;

    btea(v, -n, k);

    unsigned char * p = (unsigned char *)v;
    for (index = 0; index < n; index++)
    {
        i = 4 * index;
        printf("%c%c%c%c", p[i + 3], p[i + 2], p[i + 1], p[i]);
    }
    return 0;
}

flag{You_Need_Some_Tea}
