Re百题计划(

1.你是真的大学生吗?

硬读汇编
; Entry point of a 16-bit DOS flag checker (disassembler listing; offsets are inside dseg).
; Flow: print a prompt, read one line with INT 21h/AH=0Ah, XOR-chain the input in place
; while walking from the last byte back to the first, then compare it with the table at
; unk_10019 and print the string at unk_10013 when the comparison passes.
start          					 proc near
seg001:0000 mov ax, seg dseg
seg001:0003 mov ds, ax
seg001:0005 assume ds:dseg
seg001:0005 lea dx, unk_10000
seg001:0009 mov ah, 9
seg001:000B int 21h ; DOS - PRINT STRING
seg001:000B ; DS:DX -> string terminated by "$"
; AH=0Ah buffer layout: byte 0 = capacity (set by the caller), byte 1 = number of
; characters DOS actually stored, bytes 2.. = the characters. With the buffer at 2Dh the
; count is at 2Eh (byte_1002E) and the first character at 2Fh (unk_1002F).
seg001:000D lea dx, unk_1002D
seg001:0011 mov ah, 0Ah
seg001:0013 int 21h ; DOS - BUFFERED KEYBOARD INPUT
seg001:0013 ; DS:DX -> buffer
; Second print after the input; presumably a line break (the string itself is not shown).
seg001:0015 lea dx, unk_10010
seg001:0019 mov ah, 9
seg001:001B int 21h ; DOS - PRINT STRING
seg001:001B ; DS:DX -> string terminated by "$"
seg001:001D xor cx, cx
seg001:001F xor ax, ax
; cx = input length, si = offset of the first input byte (2Fh; the '/' annotation is
; only the ASCII rendering of that constant), al = first input byte before any change.
seg001:0021 mov cl, byte_1002E
seg001:0025 mov si, 2Fh ; '/'
seg001:0028 mov al, [si]
; si now points one past the last input byte; the loop below pre-decrements it.
seg001:002A add si, cx
seg001:002C
; In-place XOR chain, last byte first:
;   last byte      ^= first (still original) byte
;   every earlier  ^= the already-transformed byte after it
; NOTE(review): cx is not tested before the loop. With an empty line (cx = 0) the
; `dec cx` wraps to 0FFFFh and the loop keeps XOR-ing memory below the buffer until cx
; comes back to 0.
seg001:002C loc_1007C: ; CODE XREF: start+37↓j
seg001:002C sub si, 1
seg001:002F xor [si], al
seg001:0031 mov al, [si]
seg001:0033 dec cx
seg001:0034 cmp cx, 0
seg001:0037 jnz short loc_1007C
; si = transformed input, di = expected bytes. The trailing slashes on the next line are
; the write-up author's own marker and are kept as found.
seg001:0039 lea si, unk_1002F
seg001:003D lea di, unk_10019///////
seg001:0041
; Byte-wise comparison; any mismatch jumps straight to the exit without a message.
; NOTE(review): cx is 0 on entry (the XOR loop only exits when cx == 0) and nothing in
; this loop changes it, so as listed the jnz at 0050 is never taken and only the first
; byte pair is compared. Confirm against the binary; the listing may be incomplete.
seg001:0041 loc_10091: ; CODE XREF: start+50↓j
seg001:0041 mov al, [si]
seg001:0043 mov bl, [di]
seg001:0045 add si, 1
seg001:0048 inc di
seg001:0049 cmp al, bl
seg001:004B jnz short loc_100AA
seg001:004D cmp cx, 0
seg001:0050 jnz short loc_10091
; Reached only when the comparison above did not branch away: print the success string.
seg001:0052 lea dx, unk_10013
seg001:0056 mov ah, 9
seg001:0058 int 21h ; DOS - PRINT STRING
seg001:0058 ; DS:DX -> string terminated by "$"
seg001:005A
; Common exit for both outcomes. AL is whatever the preceding code left in it, so the
; exit code is not a reliable pass/fail indicator.
seg001:005A loc_100AA: ; CODE XREF: start+4B↑j
seg001:005A mov ah, 4Ch
seg001:005C int 21h ; DOS - 2+ - QUIT WITH EXIT CODE (EXIT)
seg001:005C start endp ; AL = exit code
seg001:005C
seg001:005C seg001 ends

没有找到其他方法,硬读汇编qwq
输入——从最后一位开始向前,每一位与它后面一位(已经异或过的结果)异或——再与d数组比对。
#看到说是循环异或

image-20240428202306830

解密:(最后一位在循环里没有“后一位”可用;汇编在进入循环前用 mov al, [si] 取了第一位,所以最后一位是和第一位的明文异或)

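# Expected bytes taken from the checker's comparison table.
cipher = [0x76, 0x0E, 0x77, 0x14, 0x60, 0x06, 0x7D, 0x04, 0x6B, 0x1E, 0x41,
          0x2A, 0x44, 0x2B, 0x5C, 0x03, 0x3B, 0x0B, 0x33, 0x05]

# The checker XORs every byte with the already-transformed byte after it, so each
# plaintext byte except the last is simply the XOR of two neighbouring cipher bytes.
# Decoding into a separate list keeps `cipher` intact for re-runs.
plain = [cipher[i] ^ cipher[i + 1] for i in range(len(cipher) - 1)]

# The last byte has no successor; the checker XORs it with the first plaintext byte.
plain.append(cipher[-1] ^ plain[0])

flag = ''.join(chr(b) for b in plain)
print(flag)
# Output: xyctf{you_know_8086}   (8086 again)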

#放个16位
image-20240428204644536

2.Debugme

动态调试apk

说是动态调试apk

http://t.csdnimg.cn/Xk9op
1、jeb打开apk,分析源码,下好断点;
2、启动模拟器,安装好apk;
3、adb命令连接模拟器,启动apk,adb shell am start -D -n (包名)/(.主窗体)
4、jeb附加对应的进程,开始愉快的调试。

adb shell am start -D -n com.xyctf.ezapk/.MainActivity

3.*Trustme

#放个jadx支持的文件种类:apk、dex、jar、zip、class、aar

http://t.csdnimg.cn/35N5a adb连接MuMu、逍遥、夜神、雷电模拟器以及腾讯手游助手以及断开连接_雷电adb连接地址-CSDN博客

?放一下

4.ez_cube

模拟+拧魔方?

image-20240428222750041

分别是面颜色–现在状态–操作行为

#拿着魔方拧一下

cmp函数是验证是否复原,以及复原步骤是否<=12

拿魔方手操:RuRURURuruRR

5.今夕是何年

龙芯loongarch

#image-20240428222956978

image-20240428223006225

6.*baby unity

好难

7.ez_rand

随机数种子
// Decompiler output for the ez_rand checker (not compilable as-is: it uses decompiler
// types such as __int64/_BYTE and MSVC literal suffixes such as 0i64).
// It reads a string, seeds rand() from the clock, and checks input[i] ^ f(rand())
// against a byte table built on the stack.
int __fastcall main(int argc, const char **argv, const char **envp)
{
unsigned __int64 v3; // rbx
unsigned __int16 v4; // ax
int v5; // edi
__int64 v6; // rsi
int v7; // eax
// v9, v10 and v11 sit back to back on the stack (rbp-50h .. rbp-33h). The comparison
// below indexes them as one byte array starting at v9: 28 bytes from v9 plus v10.
int v9[7]; // [rsp+20h] [rbp-50h]
char v10; // [rsp+3Ch] [rbp-34h]
__int16 v11; // [rsp+3Dh] [rbp-33h]
// v12..v16 are zeroed below and the length loop scans from &v12, so together they are
// presumably the input buffer. The decompiler shows the "%s" call without its
// destination argument; confirm in the disassembly.
__int128 v12; // [rsp+40h] [rbp-30h]
__int64 v13; // [rsp+50h] [rbp-20h]
int v14; // [rsp+58h] [rbp-18h]
__int16 v15; // [rsp+5Ch] [rbp-14h]
char v16; // [rsp+5Eh] [rbp-12h]

v13 = 0i64;
v12 = 0i64;
v14 = 0;
v15 = 0;
v16 = 0;
sub_140001020("请输入flag:");
// NOTE(review): an unbounded "%s" read; nothing visible here limits the input length.
sub_140001080("%s");
v9[0] = 0xEA6C0C5D;
v11 = 0;
v3 = -1i64;
v9[1] = 0x34FC1946;
v9[2] = 0x72362B2;
v9[3] = 0xFB6E2262;
v9[4] = 0xA9F2E8B4;
v9[5] = 0x86211291;
v9[6] = 0x43E98EDB;
v10 = 77;
// Inline strlen: v3 ends up as the number of bytes before the first NUL at &v12.
do
++v3;
while ( *((_BYTE *)&v12 + v3) );
// The time value is truncated to 16 bits before seeding, so only 65536 different
// rand() sequences are possible. That small seed space is what makes the keystream
// recoverable by exhaustive search; a clock-derived seed is also guessable by itself.
v4 = time64(0i64);
srand(v4);
v5 = 0;
// The loop runs once per INPUT byte, not once per table byte: an empty input skips the
// check entirely and falls through to "Right???", and a correct prefix of any length
// also passes. NOTE(review): an input longer than the table would index past v9.
if ( v3 )
{
v6 = 0i64;
do
{
v7 = rand();
// The multiply by 2155905153 (0x80808081) followed by the shifts looks like the
// compiler's reciprocal-multiply form of a division by 255; for non-negative v7 the low
// byte of the whole expression works out to v7 % 255. Derived by hand; confirm against
// the disassembly before relying on it.
if ( (*((_BYTE *)&v12 + v6) ^ (unsigned __int8)(v7
+ ((((unsigned __int64)(2155905153i64 * v7) >> 32) & 0x80000000) != 0i64)
+ ((int)((unsigned __int64)(2155905153i64 * v7) >> 32) >> 7))) != *((_BYTE *)v9 + v6) )
{
sub_140001020("Error???\n");
exit(0);
}
++v5;
++v6;
}
// Signed int compared with an unsigned 64-bit length.
while ( v5 < v3 );
}
sub_140001020("Right???\n");
system("pause");
return 0;
}

v4是种子,srand函数和rand函数根据种子来生成随机数,input加密逻辑使用v7

那么首先想到的是爆破种子,来推flag

再看v4,unsigned __int16 v4无符号16位整数型,v4范围为0~2**16-1(65535),结合flag固定格式

XYCTF{}

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <time.h>
/*
 * Report whether a candidate plaintext contains the known flag prefix.
 *
 * str must point to a NUL-terminated string; strstr() stops at the first NUL,
 * so a candidate with an embedded zero byte is only searched up to that byte.
 * Returns 1 when "XYCTF" occurs in str, 0 otherwise.
 */
int containsXYCTF(const char *str)
{
    /* The comparison already yields exactly 1 or 0. */
    return strstr(str, "XYCTF") != NULL;
}
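/*
 * Exhaustive search over the 16-bit srand() seed used by the checker.
 *
 * For every seed the same keystream byte as in the decompiled check is derived
 * from rand() and XORed onto the expected bytes; a candidate is reported when
 * it contains the known "XYCTF" prefix.
 *
 * rand() sequences are implementation-specific, so the seed and plaintext only
 * reproduce when this is built against the same C runtime as the target
 * (presumably the MSVC CRT, since the target is a Windows binary; confirm).
 */
int main()
{
    enum { CIPHER_LEN = 29 };
    /* The 7 ints of v9 in little-endian byte order, followed by v10 (0x4D). */
    unsigned char cipher[CIPHER_LEN] = {0x5D, 0x0C, 0x6C, 0xEA, 0x46, 0x19, 0xFC, 0x34,
                                        0xB2, 0x62, 0x23, 0x07, 0x62, 0x22, 0x6E, 0xFB,
                                        0xB4, 0xE8, 0xF2, 0xA9, 0x91, 0x12, 0x21, 0x86,
                                        0xDB, 0x8E, 0xE9, 0x43, 0x4D};
    unsigned int v7;
    /*
     * One byte more than the ciphertext: all CIPHER_LEN bytes are overwritten on
     * every pass, and strstr()/puts() need a terminating NUL that is never
     * touched. With a 29-byte buffer both calls read past the end.
     */
    char flag[CIPHER_LEN + 1] = {0};

    for (unsigned int seed = 0; seed < 65536; seed++)
    {
        srand(seed);
        for (int i = 0; i < CIPHER_LEN; i++)
        {
            v7 = rand();
            /* Same expression as the decompiled check, in standard C types. */
            int num = (int)((unsigned long long)(2155905153LL * v7) >> 32);
            unsigned char data = (unsigned char)(v7 + ((num & 0x80000000) != 0) + (num >> 7));
            flag[i] = cipher[i] ^ data;
        }
        if (containsXYCTF(flag))
        {
            printf("success\n");
            /* seed is unsigned, so %u is the matching conversion. */
            printf("seed = %u\n", seed);
            puts(flag);
        }
    }
    return 0;
}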
// seed = 21308
// XYCTF{R@nd_1s_S0_S0_S0_easy!}

8.何须相思煮余年

转汇编,去花指令

一堆十六进制应该是要转汇编

朝的脚本转二进制:

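# Byte dump from the challenge, as space-separated "0x.." tokens. A triple-quoted string
# lets the dump span several lines; with a plain "..." literal the wrapped text does not
# parse. The bytes are only written to disk for a disassembler to open; nothing here
# executes them.
hex_data = """0x55 0x8b 0xec 0x81 0xec 0xa8 0x0 0x0 0x0 0xa1 0x0 0x40 0x41 0x0
0x33 0xc5 0x89 0x45 0xfc 0x68 0x9c 0x0 0x0 0x0 0x6a 0x0 0x8d 0x85 0x60 0xff 0xff
0xff 0x50 0xe8 0x7a 0xc 0x0 0x0 0x83 0xc4 0xc 0xc7 0x85 0x58 0xff 0xff 0xff 0x27
0x0 0x0 0x0 0xc7 0x85 0x5c 0xff 0xff 0xff 0x0 0x0 0x0 0x0 0xeb 0xf 0x8b 0x8d 0x5c
0xff 0xff 0xff 0x83 0xc1 0x1 0x89 0x8d 0x5c 0xff 0xff 0xff 0x83 0xbd 0x5c 0xff
0xff 0xff 0x27 0xf 0x8d 0xed 0x0 0x0 0x0 0x8b 0x95 0x5c 0xff 0xff 0xff 0x81 0xe2
0x3 0x0 0x0 0x80 0x79 0x5 0x4a 0x83 0xca 0xfc 0x42 0x85 0xd2 0x75 0x25 0x8b 0x85
0x5c 0xff 0xff 0xff 0x8b 0x8c 0x85 0x60 0xff 0xff 0xff 0x3 0x8d 0x5c 0xff 0xff
0xff 0x8b 0x95 0x5c 0xff 0xff 0xff 0x89 0x8c 0x95 0x60 0xff 0xff 0xff 0xe9 0xac
0x0 0x0 0x0 0x8b 0x85 0x5c 0xff 0xff 0xff 0x25 0x3 0x0 0x0 0x80 0x79 0x5 0x48
0x83 0xc8 0xfc 0x40 0x83 0xf8 0x1 0x75 0x22 0x8b 0x8d 0x5c 0xff 0xff 0xff 0x8b
0x94 0x8d 0x60 0xff 0xff 0xff 0x2b 0x95 0x5c 0xff 0xff 0xff 0x8b 0x85 0x5c 0xff
0xff 0xff 0x89 0x94 0x85 0x60 0xff 0xff 0xff 0xeb 0x73 0x8b 0x8d 0x5c 0xff 0xff
0xff 0x81 0xe1 0x3 0x0 0x0 0x80 0x79 0x5 0x49 0x83 0xc9 0xfc 0x41 0x83 0xf9 0x2
0x75 0x23 0x8b 0x95 0x5c 0xff 0xff 0xff 0x8b 0x84 0x95 0x60 0xff 0xff 0xff 0xf
0xaf 0x85 0x5c 0xff 0xff 0xff 0x8b 0x8d 0x5c 0xff 0xff 0xff 0x89 0x84 0x8d 0x60
0xff 0xff 0xff 0xeb 0x38 0x8b 0x95 0x5c 0xff 0xff 0xff 0x81 0xe2 0x3 0x0 0x0 0x80
0x79 0x5 0x4a 0x83 0xca 0xfc 0x42 0x83 0xfa 0x3 0x75 0x20 0x8b 0x85 0x5c 0xff
0xff 0xff 0x8b 0x8c 0x85 0x60 0xff 0xff 0xff 0x33 0x8d 0x5c 0xff 0xff 0xff 0x8b
0x95 0x5c 0xff 0xff 0xff 0x89 0x8c 0x95 0x60 0xff 0xff 0xff 0xe9 0xf7 0xfe 0xff
0xff 0x33 0xc0 0x8b 0x4d 0xfc 0x33 0xcd 0xe8 0x4 0x0 0x0 0x0 0x8b 0xe5 0x5d
0xc3"""
# split() with no argument splits on any whitespace, so the line breaks above are harmless.
hex_values = hex_data.split()
# int(..., 16) accepts the "0x" prefix; every token becomes one integer in 0..255.
int_values = [int(value, 16) for value in hex_values]
# bytes() raises ValueError if any value is outside 0..255.
binary_data = bytes(int_values)
# Write the raw bytes to ./output (overwrites an existing file of that name).
with open("output", "wb") as f:
    f.write(binary_data)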
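from pwn import *

# The dump is 32-bit x86; disasm() only decodes the bytes, it never runs them.
context.arch = 'i386'

# Same bytes as the challenge dump, re-wrapped on escape boundaries so that every line is
# a complete bytes literal (the extracted listing broke lines in the middle of "\x..").
code = (
    b'\x55\x8b\xec\x81\xec\xa8\x00\x00\x00\xa1\x00\x40\x41\x00\x33\xc5\x89'
    b'\x45\xfc\x68\x9c\x00\x00\x00\x6a\x00\x8d\x85\x60\xff\xff\xff\x50\xe8\x7a'
    b'\x0c\x00\x00\x83\xc4\x0c\xc7\x85\x58\xff\xff\xff\x27\x00\x00\x00\xc7\x85'
    b'\x5c\xff\xff\xff\x00\x00\x00\x00\xeb\x0f\x8b\x8d\x5c\xff\xff\xff\x83\xc1'
    b'\x01\x89\x8d\x5c\xff\xff\xff\x83\xbd\x5c\xff\xff\xff\x27\x0f\x8d\xed\x00'
    b'\x00\x00\x8b\x95\x5c\xff\xff\xff\x81\xe2\x03\x00\x00\x80\x79\x05\x4a\x83'
    b'\xca\xfc\x42\x85\xd2\x75\x25\x8b\x85\x5c\xff\xff\xff\x8b\x8c\x85\x60\xff'
    b'\xff\xff\x03\x8d\x5c\xff\xff\xff\x8b\x95\x5c\xff\xff\xff\x89\x8c\x95\x60'
    b'\xff\xff\xff\xe9\xac\x00\x00\x00\x8b\x85\x5c\xff\xff\xff\x25\x03\x00\x00'
    b'\x80\x79\x05\x48\x83\xc8\xfc\x40\x83\xf8\x01\x75\x22\x8b\x8d\x5c\xff\xff'
    b'\xff\x8b\x94\x8d\x60\xff\xff\xff\x2b\x95\x5c\xff\xff\xff\x8b\x85\x5c\xff'
    b'\xff\xff\x89\x94\x85\x60\xff\xff\xff\xeb\x73\x8b\x8d\x5c\xff\xff\xff\x81'
    b'\xe1\x03\x00\x00\x80\x79\x05\x49\x83\xc9\xfc\x41\x83\xf9\x02\x75\x23\x8b'
    b'\x95\x5c\xff\xff\xff\x8b\x84\x95\x60\xff\xff\xff\x0f\xaf\x85\x5c\xff\xff'
    b'\xff\x8b\x8d\x5c\xff\xff\xff\x89\x84\x8d\x60\xff\xff\xff\xeb\x38\x8b\x95'
    b'\x5c\xff\xff\xff\x81\xe2\x03\x00\x00\x80\x79\x05\x4a\x83\xca\xfc\x42\x83'
    b'\xfa\x03\x75\x20\x8b\x85\x5c\xff\xff\xff\x8b\x8c\x85\x60\xff\xff\xff\x33'
    b'\x8d\x5c\xff\xff\xff\x8b\x95\x5c\xff\xff\xff\x89\x8c\x95\x60\xff\xff\xff'
    b'\xe9\xf7\xfe\xff\xff\x33\xc0\x8b\x4d\xfc\x33\xcd\xe8\x04\x00\x00\x00\x8b'
    b'\xe5\x5d\xc3'
)

# Static disassembly of the buffer, printed as text for manual reading.
assembly = disasm(code)
print(assembly)
# Can the solution be read straight off this disassembly?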

image-20240429004853677

这里的call和下面的call的地址一眼假,当作花指令nop掉

u、p操作复原函数

image-20240429005643337image-20240429005753142

EXP:

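# Expected values read from the reconstructed function (39 entries).
cipher = [88, 88, 134, 87, 74, 118, 318, 101, 59, 92, 480, 60, 65, 41, 770, 110,
          73, 31, 918, 39, 120, 27, 1188, 47, 77,
          24, 1352, 44, 81, 23, 1680, 46, 85, 15, 1870, 66, 91, 16, 4750]

# The encoder picks one of four operations by index modulo 4; each branch undoes one.
flag = ''
for i in range(len(cipher)):
    if i % 4 == 0:
        flag += chr(cipher[i] - i)
    elif i % 4 == 1:
        flag += chr(cipher[i] + i)
    elif i % 4 == 2:
        # i is never 0 in this branch. Integer division keeps the arithmetic exact
        # instead of going through a float and truncating.
        flag += chr(cipher[i] // i)
    elif i % 4 == 3:
        flag += chr(cipher[i] ^ i)
print(flag)
# Output: XYCTF{5b3e07567a9034d06851475481507a75}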

9.砸核桃

NsPack壳儿

[原创]NsPack 3.7 浅析 (7.3更新脱壳机和源码)-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

脱壳后简单分析:

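# Comparison table dumped from the unpacked binary, one dword per entry (45 entries).
true_cipher = [0x00000012, 0x00000004, 0x00000008, 0x00000014, 0x00000024,
               0x0000005C, 0x0000004A, 0x0000003D, 0x00000056, 0x0000000A,
               0x00000010, 0x00000067, 0x00000000, 0x00000041, 0x00000000,
               0x00000001,
               0x00000046, 0x0000005A, 0x00000044, 0x00000042, 0x0000006E,
               0x0000000C, 0x00000044, 0x00000072,
               0x0000000C, 0x0000000D, 0x00000040, 0x0000003E, 0x0000004B,
               0x0000005F, 0x00000002, 0x00000001,
               0x0000004C, 0x0000005E, 0x0000005B, 0x00000017, 0x0000006E,
               0x0000000C, 0x00000016, 0x00000068,
               0x0000005B, 0x00000012, 0x00000000, 0x00000000, 0x00000048]
# XOR key: the ASCII bytes of "this_is_not_flag" plus the string's NUL terminator.
# Only the first 16 bytes are used (index j % 16), so the terminator never takes part.
XOR = [0x74, 0x68, 0x69, 0x73, 0x5F, 0x69, 0x73, 0x5F, 0x6E, 0x6F, 0x74, 0x5F,
       0x66, 0x6C, 0x61, 0x67, 0x00]
flag = ''
for j in range(len(true_cipher)):
    flag += chr(true_cipher[j] ^ XOR[j % 16])
# The table holds three entries past the closing brace, so the printed line is the flag
# followed by three extra characters.
print(flag)
# flag{59b8ed8f-af22-11e7-bb4a-3cf862d1ee75}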

10.ezmath

exe-py-Z3求解器

(?要经常更新pyexe库啊。。)

其实这个题还是很考验分析的,

太长了分开

data="sum([flag[23] for _ in range(flag[23])]) + sum([flag[12] for _ in range(flag[12])]) + sum([flag[1] for _ in range(flag[1])]) - sum([flag[24] for _ in range(222)]) + sum([flag[22] for _ in range(flag[22])]) + sum([flag[31] for _ in range(flag[31])]) + sum([flag[26] for _ in range(flag[26])]) - sum([flag[9] for _ in range(178)]) - sum([flag[29] for _ in range(232)]) + sum([flag[17] for _ in range(flag[17])]) - sum([flag[23] for _ in range(150)]) - sum([flag[6] for _ in range(226)]) - sum([flag[7] for _ in range(110)]) + sum([flag[19] for _ in range(flag[19])]) + sum([flag[2] for _ in range(flag[2])]) - sum([flag[0] for _ in range(176)]) + sum([flag[10] for _ in range(flag[10])]) - sum([flag[12] for _ in range(198)]) + sum([flag[24] for _ in range(flag[24])]) + sum([flag[9] for _ in range(flag[9])]) - sum([flag[3] for _ in range(168)]) + sum([flag[8] for _ in range(flag[8])]) - sum([flag[2] for _ in range(134)]) + sum([flag[14] for _ in range(flag[14])]) - sum([flag[13] for _ in range(170)]) + sum([flag[4] for _ in range(flag[4])]) - sum([flag[10] for _ in range(142)]) + sum([flag[27] for _ in range(flag[27])]) + sum([flag[15] for _ in range(flag[15])]) - sum([flag[15] for _ in range(224)]) + sum([flag[16] for _ in range(flag[16])]) - sum([flag[11] for _ in range(230)]) - sum([flag[1] for _ in range(178)]) + sum([flag[28] for _ in range(flag[28])]) - sum([flag[5] for _ in range(246)]) - sum([flag[17] for _ in range(168)]) + sum([flag[30] for _ in range(flag[30])]) - sum([flag[21] for _ in range(220)]) - sum([flag[22] for _ in range(212)]) - sum([flag[16] for _ in range(232)]) + sum([flag[25] for _ in range(flag[25])]) - sum([flag[4] for _ in range(140)]) - sum([flag[31] for _ in range(250)]) - sum([flag[28] for _ in range(150)]) + sum([flag[11] for _ in range(flag[11])]) + sum([flag[13] for _ in range(flag[13])]) - sum([flag[14] for _ in range(234)]) + sum([flag[7] for _ in range(flag[7])]) - sum([flag[8] for _ in range(174)]) + sum([flag[3] for _ in 
range(flag[3])]) - sum([flag[25] for _ in range(242)]) + sum([flag[29] for _ in range(flag[29])]) + sum([flag[5] for _ in range(flag[5])]) - sum([flag[30] for _ in range(142)]) - sum([flag[26] for _ in range(170)]) - sum([flag[19] for _ in range(176)]) + sum([flag[0] for _ in range(flag[0])]) - sum([flag[27] for _ in range(168)]) + sum([flag[20] for _ in range(flag[20])]) - sum([flag[20] for _ in range(212)]) + sum([flag[21] for _ in range(flag[21])]) + sum([flag[6] for _ in range(flag[6])]) + sum([flag[18] for _ in range(flag[18])]) - sum([flag[18] for _ in range(178)])"
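# Break the long expression in `data` into its individual sum(...) terms. Splitting on
# " + " and then " - " drops the signs, so this listing only shows WHICH terms mention a
# given flag index; the sign of each term still has to be read from `data` itself.
temp = data.split(" + ")
final = []
for j in temp:
    final.extend(j.split(" - "))

# For every flag index print the terms that reference it. The trailing "]" in the search
# string keeps flag[1] from also matching flag[12], flag[19] and so on.
for i in range(32):
    print(i)
    # The search string must be built from the index i. Building it from j (the last
    # term text left over from the loop above) never matches anything.
    needle = f"flag[{i}]"
    for k in final:
        if needle in k:
            print(k)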
####
0
sum([flag[0] for _ in range(176)])
sum([flag[0] for _ in range(flag[0])])
1
sum([flag[1] for _ in range(flag[1])])
sum([flag[1] for _ in range(178)])
2
sum([flag[2] for _ in range(flag[2])])
sum([flag[2] for _ in range(134)])
3
sum([flag[3] for _ in range(168)])
sum([flag[3] for _ in range(flag[3])])
4
sum([flag[4] for _ in range(flag[4])])
sum([flag[4] for _ in range(140)])

image-20240429234131401

image-20240429234223092

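# Print the 32 solved flag values as characters on a single line. `flag` is the
# sequence of integers produced by the solver step, which is shown only as an image.
for i in range(32):
    print(chr(flag[i]), end="")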

11.给阿姨倒一杯卡布奇诺

tea

array[0] = 0x9B28ED45;
array[1] = 0x145EC6E9;
array[2] = 0x5B27A6C3;
array[3] = 0xE59E75D5;
array[4] = 0xE82C2500;
array[5] = 0xA4211D92;
array[6] = 0xCD8A4B62;
array[7] = 0xA668F440;
key[0] = 0x65766967;
key[1] = 0x756F795F;
key[2] = 0x7075635F;
key[3] = 0x6165745F;
sum += 0x6E75316C;
data1 dd 5F797274h ; DATA XREF: encrypt+2A↑r
.data:0000000000403010 ; encrypt+33↑w ...
.data:0000000000403014 public data2
.data:0000000000403014 ; uint32_t data2
.data:0000000000403014 data2 dd 64726168h ; DATA XREF: encrypt+39↑r
.data:0000000000403014
#include <stdio.h>
/*
 * Chaining state shared between calls. It starts at the two constants taken from the
 * binary's data section and is replaced after every block by that block's ciphertext.
 */
unsigned int data1 = 0x5F797274;
unsigned int data2 = 0x64726168;

/*
 * Decrypt one 64-bit block (two 32-bit words) in place.
 *
 * cipher: the two words of the block; overwritten with the plaintext.
 * key:    four 32-bit key words.
 *
 * The rounds are the write-up author's reconstruction of a TEA-style cipher with a
 * custom delta (0x6E75316C) and an extra per-round term (sum + round index). After the
 * 32 rounds the result is XORed with data1/data2, which are then set to this block's
 * original ciphertext, so blocks must be decrypted in order starting from fresh state.
 */
void decrypto(unsigned int *cipher, unsigned int *key)
{
    /* Keep the ciphertext: it becomes the chaining value for the next block. */
    const unsigned int saved_lo = cipher[0];
    const unsigned int saved_hi = cipher[1];
    unsigned int lo = saved_lo;
    unsigned int hi = saved_hi;
    /* 64-bit accumulator; only its low 32 bits survive the narrowing stores below. */
    unsigned long long int sum = 0x6E75316CULL * 32;
    int round = 31;

    /* Undo the rounds from the last one to the first. */
    while (round >= 0)
    {
        hi -= ((lo >> 5) + key[3]) ^ (lo + sum) ^ (key[2] + 16 * lo) ^ (sum + round);
        lo -= ((hi >> 5) + key[1]) ^ (hi + sum) ^ (key[0] + 16 * hi) ^ (sum + round);
        sum -= 0x6E75316C;
        --round;
    }

    cipher[0] = lo ^ data1;
    cipher[1] = hi ^ data2;
    data1 = saved_lo;
    data2 = saved_hi;
}
/*
 * Decrypt the eight ciphertext words taken from the binary, two words per block and in
 * order (the chaining state inside decrypto() depends on it), then print the raw
 * plaintext bytes wrapped in "flag{...}".
 */
int main()
{
    unsigned int cipher[8] = {
        0x9B28ED45, 0x145EC6E9, 0x5B27A6C3, 0xE59E75D5,
        0xE82C2500, 0xA4211D92, 0xCD8A4B62, 0xA668F440,
    };
    unsigned int key[4] = {0x65766967, 0x756F795F, 0x7075635F, 0x6165745F};
    const int length = sizeof(cipher);
    /* Byte view of the same buffer; the printed order is the host's byte order. */
    const unsigned char *out = (const unsigned char *)cipher;
    int i;

    for (i = 0; i < 8; i += 2)
    {
        decrypto(cipher + i, key);
    }

    printf("flag{");
    for (i = 0; i < length; i++)
    {
        printf("%c", out[i]);
    }
    printf("}");
    return 0;
}
// flag{133bffe401d223a02385d90c5f1ca377}

image-20240430002632073

12.what’s this

Lua加密?

image-20240430010432485

使用XOR函数将字符与数字8进行异或操作,再加上3,base64加密,再进行字符替换

直接逆向逻辑,exp:

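import base64

# Encoded string recovered from the Lua script.
cipher = "==AeuFEcwxGPuJ0PBNzbC16ctFnPB5DPzI0bwx6bu9GQ2F1XOR1U"

# Undo the last two encoder steps: the string reversal and the character substitution.
new_cipher = cipher[::-1]
new_cipher = new_cipher.replace("3", "g")
new_cipher = new_cipher.replace("4", "H")
new_cipher = new_cipher.replace("6", "W")


def Xor(num1, num2):
    """Return the bitwise XOR of two integers.

    Replaces the hand-rolled bit loop with the built-in operator. The results are the
    same for non-negative inputs, and the two inputs the loop could not handle now work:
    (0, 0), which ended in int("", 2), and negative values, which never reached 0.
    """
    return num1 ^ num2


# Undo the remaining steps in reverse order: Base64, then "+3", then XOR with 8.
d_cipher = base64.b64decode(new_cipher)
flag = ""
for char in d_cipher:
    flag += chr(Xor(char - 3, 8))
print(flag)
# Output: XYCTF{5dcbaed781363fbfb7d8647c1aee6c}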

13.馒头

哈夫曼编码
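# Dwords dumped from the binary (58 entries); the write-up treats them as Huffman-tree data.
data = [0x000008DE, 0x00000395, 0x000001BE, 0x000000D9, 0x0000006A, 0x00000033,
        0x00000014, 0x0000000F, 0x00000011,
        0x000000E5, 0x00000072, 0x00000010, 0x0000000B, 0x000001D7, 0x000000E9,
        0x00000074, 0x0000000E, 0x0000000D,
        0x000000EE, 0x00000076, 0x0000000C, 0x00000007, 0x00000549, 0x0000022D,
        0x000000F8, 0x0000007B, 0x00000006,
        0x00000018, 0x00000135, 0x00000089, 0x00000043, 0x00000003, 0x00000005,
        0x000000AC, 0x00000054, 0x00000004,
        0x00000001, 0x0000031C, 0x0000017F, 0x000000BA, 0x00000059, 0x00000002,
        0x00000008, 0x000000C5, 0x00000061,
        0x00000030, 0x00000017, 0x0000000A, 0x00000015, 0x0000019D, 0x000000CB,
        0x00000065, 0x00000016, 0x00000009,
        0x000000D2, 0x00000068, 0x00000013, 0x00000012]
print(len(data))
# Copy the values so they print in decimal; list() replaces the element-by-element append.
num = list(data)
print(num)
# Output (every line of the wrapped list is a comment, so the script still parses):
# [2270, 917, 446, 217, 106, 51, 20, 15, 17, 229, 114, 16, 11, 471, 233, 116, 14,
# 13, 238, 118, 12, 7, 1353, 557, 248, 123, 6, 24, 309, 137, 67, 3, 5, 172, 84, 4,
# 1, 796, 383, 186, 89, 2, 8, 197, 97, 48, 23, 10, 21, 413, 203, 101, 22, 9, 210,
# 104, 19, 18]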

15.舔狗四部曲—记忆的时光机

linux动态调试 看汇编(qwq

16.舔狗四部曲—简爱

.o编译 ?

17.舔狗四部曲—相逢已是上上签

修复损坏的DOS文件 魔改key的xxtea

image-20240501003325519

18.舔狗四部曲—我的白月光

什么病毒?

19.ez_enc

z3

20.easy lauguage

base64+AES

没换表

21.钩子

反调试 hook rc4