HGAME& BeginCTF 202401

CTF
发布日期:   2024-01-31

HGAME 20240129

MISC

签到

日常关注微信号–flag

SignIn

侧着看着图片w(经典

simple——attack

明文爆破zip

来自星尘的问候

六位弱加密

希儿希儿希尔

希尔加密,但是图片怎么修复?

RE

ezIDA

打开IDA就是

ezUPX

UPX脱壳,看伪代码,

flag xor 0x32 后为一个数组

写入010editor,转换一下就出来了

(一定要抄对((别抄,直接shift e导出((

ezASM

根据汇编:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
data:
    c = [74, 69, 67, 79, 71, 89, 99, 113, 111, 125, 107, 81, 125, 107, 79, 82, 18, 80, 86, 22, 76, 86, 125, 22, 125, 112, 71, 84, 17, 80, 81, 17, 95, 34]
    flag = [0, 0, ..., 0]  # 33 elements initialized to 0
    format = "plz input your flag: "
    success = "Congratulations!"
    failure = "Sry, plz try again"

text:
    function check_flag():
        esi = 0
        while esi < 33:
            temp = flag[esi] XOR 0x22
            if temp != c[esi]:
                return false
            esi += 1
        return true

    procedure _start():
        # Print prompt
        system_call(4, 1, format, 20)

        # Read user input
        system_call(3, 0, flag, 33)

        # Check flag
        if check_flag():
            # Print success message
            system_call(4, 1, success, 14)
        else:
            # Print failure message
            system_call(4, 1, failure, 18)

        # Exit
        system_call(1, 0, 0)

    function system_call(eax, ebx, ecx, edx):
        # Simulate system call
        # This function depends on the specific system's calling convention
        # and how system calls are made (e.g., int 0x80 in this case).

    # Entry point
    _start()

写脚本出

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
def xor_with_0x22(byte_array):
    result = []
    for byte in byte_array:
       hex_value = hex(byte)[2:].zfill(2)
        
       xor_result = hex(byte ^ 0x22)[2:].zfill(2)
        
       result.append((hex_value, xor_result))
    
    return result

byte_array = [74, 69, 67, 79, 71, 89, 99, 113, 111, 125, 107, 81, 125, 107, 79, 82, 18, 80, 86, 22, 76, 86, 125, 22, 125, 112, 71, 84, 17, 80, 81, 17, 95, 34]

result = xor_with_0x22(byte_array)
for hex_value, xor_result in result:
    print(f"{hex_value} XOR 0x22 = {xor_result}")

ezPYC

感觉是控制流平坦化后的程序。没做出来

怀疑是python deflat.py -f ezPYC.exe –addr 0x140008F41 留一下

哈哈,不是,就是普通pyc

刚学了。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 3.8

flag = [
    87,
    75,
    71,
    69,
    83,
    121,
    83,
    125,
    117,
    106,
    108,
    106,
    94,
    80,
    48,
    114,
    100,
    112,
    112,
    55,
    94,
    51,
    112,
    91,
    48,
    108,
    119,
    97,
    115,
    49,
    112,
    112,
    48,
    108,
    100,
    37,
    124,
    2]
c = [
    1,
    2,
    3,
    4]
input_str = ''
for i in range(0, 36, 1):
    input_str += chr(c[i % 4] ^ flag[i])

print(input_str)

BeginCTF 20240131

MISC

signin

1
MJSWO2LOPNLUKTCDJ5GWKX3UN5PUEM2HNFXEGVCGL4ZDAMRUL5EDAUDFL5MU6VK7O5UUYMK7GEYWWZK7NE3X2===

base32

tupper

脚本把所有文件信息提取

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
import zipfile
import os

def extract_text_from_zip(zip_path, output_file):
    with zipfile.ZipFile(zip_path, 'r') as zip_ref:
        with open(output_file, 'w', encoding='utf-8') as output_txt:
            for file_info in zip_ref.infolist():
                if file_info.filename.endswith('.txt'):
                    with zip_ref.open(file_info) as file:
                        text = file.read().decode('utf-8')
                        output_txt.write(text)
                        #output_txt.write('\n\n')  # 可以根据需要增加分隔符

if __name__ == "__main__":
    desktop_path = os.path.join(os.path.expanduser("~"), "Desktop")  # 桌面路径,根据实际情况修改
    zip_file_path = os.path.join(desktop_path, "tupper.zip")  # 压缩包路径,根据实际情况修改
    output_file_path = os.path.join(desktop_path, "output.txt")  # 输出文件路径,根据实际情况修改

    extract_text_from_zip(zip_file_path, output_file_path)

看题目是tupper,说不定是个加密方式,一搜,哈真是

代码急转弯——Tupper(塔珀自指公式)

https://tuppers-formula.ovh/

上面output.txt内容–>bese64–>k–>flag

where is crazyman v1.0

google识图

devil’s word

1
leu lia leu ng leu cai leu jau leu e cai b cai jau sa leng cai ng ng f leu b leu e sa leng cai cai ng f cai cai sa sa leu e cai a leu bo leu f cai ng ng f leu sii leu jau sa sii leu c leu ng leu sa cai sii cai d

我的解密:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
leu lia 62 
leu ng 65
leu cai 67
leu jau 69
leu e 61
cai b 78
cai jau 79
sa leng 32
cai ng 75
ng f 58
leu b 68
leu e 65
sa leng 32
cai cai 77
ng f 58
cai cai 77
sa sa 33
leu e 61
cai a 71
leu bo 68
leu f 68
cai ng 75
ng f 58
leu sii 64
leu jau 69
sa sii 34
leu c 67
leu ng 65
leu sa 63
cai sii 74
cai d 76

RE

xor

agh{^bvuwTooahlYocPtmyiijj|ek

63290794207715587679621386735000

反调试

real checkin xor

1
2
3
4
5
6
7
8
9
10
11
def decrypt_func(encrypted, key):
    decrypted = []
    for i in range(len(encrypted)):
        decrypted.append(chr(encrypted[i] ^ ord(key[i % len(key)])))
    return ''.join(decrypted)

key = "ez_python_xor_reverse"
ciper = [7, 31, 56, 25, 23, 15, 91, 21, 49, 15, 33, 88, 26, 48, 60, 58, 4, 86, 36, 64, 23, 54, 63, 0, 54, 22, 6, 55, 59, 38, 108, 39, 45, 23, 102, 27, 11, 56, 32, 0, 82, 24]

decrypted_text = decrypt_func(ciper, key)
print("解密后的文本:", decrypted_text)

Forensics

逆向工程(reverse)入门指南

pdf隐写

文章作者: W3nL0u
文章链接: https://github.com/xyy9233/xyy9233.github.io.git/2024/01/31/zui-jin-da-bi-sai-de-yi-xie-writeup/
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 W3nL0u !
CTF
  目录