# 第六届浙江省大学生网络与信息安全竞赛 - 预赛

被大佬们打爆了 qwq

# Reverse

# pyccc

pycdc 反编译得到源码
直接写脚本解密

	check = [102, 109, 99, 100, 127, 52, 114, 88, 97, 122, 85, 125, 105, 127, 119, 80, 120, 112, 98, 39, 109, 52, 55, 106]

	for i in range(len(check)):
	print(chr(check[i] ^ i), end="")

flag{1t_is_very_hap4y!!}

# easyapk

直接拉进 jadx，分析可以得知 key 为 r3v3rs3car3fully iv 为 0123456789ABCDEF
类名看着是 DES，但是仔细看可以发现实际是 AES 加密

最后 CyberChef 解密即可

DASCTF{e8d1f1c0-f579-491f-a93d-c2f6b23a8a55}

# luare

比完才想出来的......

buf 就是 lua 字节码，提取出来

修补文件头

unluac 反编译一下

java -jar .\unluac.jar .\buf.luac > .\buf.lua

得到源码，分析一下，CheckAns 里 Oo00Oo0 的返回内容与 enc 的每一位比较，那么继续 ida 分析 Oo00Oo0

	function CheckAns(data)
	if #data ~= 40 then
	return false
	end
	dataOut = Oo00Oo0(data)
	enc = {
	109, -73, -72, 46, -73, -5, 99, -100,
	46, 59, 32, -76, 109, 3, 59, 20,
	-61, -56, -119, 48, 100, 118, 36, 118,
	82, 3, 95, 106, 14, -80, 5, -89, 89,
	-85, 5, 14, 46, -73, 7, 127
	}
	i = 1
	while i <= #dataOut do
	if dataOut[i] ~= enc[i] then
	return false
	end
	i = i + 1
	end
	return true
	end
	print("input: ")
	local data = io.read()
	if CheckAns(data) then
	print("true")
	else
	print("false")
	end

可以看到就是一个简单的异或，直接写脚本解密即可

	table = [0x3c, 0x95, 0xc8, 0x28, 0x10, 0x6d, 0x85, 0x60, 0x59, 0x3, 0xb3, 0x4c, 0x76, 0x49, 0x48, 0x96,
	0xb8, 0x5f, 0xb7, 0x79, 0xc4, 0x64, 0x71, 0x2e, 0x38, 0x8c, 0xac, 0xa7, 0x91, 0x72, 0x63, 0x80,
	0xb0, 0x9e, 0x33, 0x4b, 0xae, 0xf3, 0x8b, 0x7b, 0x4d, 0x5b, 0xb4, 0x52, 0xec, 0x6f, 0xe0, 0xcf,
	0xad, 0xc3, 0x20, 0xab, 0xea, 0x67, 0xdc, 0x5, 0x0, 0x9f, 0x40, 0x56, 0xd6, 0xfb, 0xfc, 0x24,
	0x92, 0xca, 0xb, 0x3d, 0x46, 0xd, 0xf0, 0x4a, 0x5a, 0x55, 0x11, 0x1a, 0x3b, 0x8a, 0xbc, 0x7d,
	0x6c, 0xe7, 0xa9, 0x13, 0x75, 0xce, 0x61, 0x30, 0x14, 0xa6, 0x6a, 0x27, 0x7, 0xd0, 0x54, 0x9c,
	0x5c, 0x8e, 0x89, 0xd8, 0x58, 0x1, 0xc2, 0x34, 0xe8, 0x69, 0x35, 0x2f, 0xc0, 0x2a, 0xa0, 0x50,
	0x36, 0x88, 0xff, 0x39, 0x1d, 0x68, 0xe, 0xc, 0x93, 0xe6, 0xb1, 0xfe, 0x18, 0x7f, 0x6e, 0xb6,
	0x78, 0x53, 0x31, 0x2b, 0xe9, 0xd2, 0xf5, 0x29, 0xf, 0x2c, 0x17, 0x84, 0xde, 0xdb, 0xd9, 0x41,
	0x6, 0x19, 0xf7, 0xa1, 0x99, 0xa8, 0x45, 0x7a, 0x3e, 0x23, 0xa5, 0x1b, 0xaf, 0xa, 0xaa, 0xe5,
	0xef, 0xa4, 0xe1, 0xf8, 0xfa, 0x82, 0x3a, 0x9a, 0xdf, 0x8f, 0x1c, 0x65, 0xc7, 0x73, 0xd1, 0xc1,
	0xc5, 0xd7, 0xa2, 0x5e, 0x87, 0xdd, 0x9d, 0x8d, 0xf9, 0xc9, 0x81, 0xcd, 0x90, 0x97, 0xee, 0x66,
	0xda, 0x4f, 0x42, 0x3f, 0xc6, 0x74, 0x8, 0x37, 0x25, 0xcb, 0x77, 0x26, 0xe3, 0x83, 0x32, 0xb9,
	0xbd, 0xd3, 0xf2, 0x44, 0xd5, 0x4e, 0x2d, 0xba, 0x62, 0x98, 0x4, 0x1e, 0x12, 0x21, 0xe4, 0xbf,
	0x47, 0xf6, 0x86, 0xf4, 0xfd, 0x94, 0x16, 0xa3, 0xeb, 0x1f, 0x70, 0x7c, 0xb2, 0x51, 0x2, 0x43,
	0x22, 0x15, 0xcc, 0x7e, 0x9, 0x6b, 0xe2, 0x5d, 0xbb, 0x9b, 0xbe, 0xb5, 0xd4, 0xed, 0x57, 0xf1]

	enc = [0x6d, 0xb7, 0xb8, 0x2e, 0xb7, 0xfb, 0x63, 0x9c, 0x2e, 0x3b, 0x20, 0xb4, 0x6d, 0x3, 0x3b, 0x14, 0xc3, 0xc8, 0x89,
	0x30, 0x64, 0x76, 0x24, 0x76, 0x52, 0x3, 0x5f, 0x6a, 0xe, 0xb0, 0x5, 0xa7, 0x59, 0xab, 0x5, 0xe, 0x2e, 0xb7, 0x7,
	0x7f]

	idx = []

	for i in range(40):
	idx.append(table.index(enc[i]))

	for i in range(38, -1, -1):
	idx[i] = idx[i] ^ idx[i + 1]

	for i in idx:
	print(chr(i), end="")

DASCTF{e:-aSy|u9aPR0gr~AMfo~$RrE^VeR$3!}

# Crypto

# 小小数学家

数学表达式，直接用 python 的 eval 即可

	s = """19+49=?
	96-31=?
	86-3=?
	20+47=?
	29+55=?
	35+35=?
	81+42=?
	73-16=?
	52+48=?
	0+56=?
	55-6=?
	69-20=?
	99-48=?
	100-52=?
	36+13=?
	32+13=?
	84-34=?
	90-34=?
	94-45=?
	85+13=?
	50-5=?
	55-3=?
	77+25=?
	87-35=?
	62+35=?
	88-43=?
	86-30=?
	90+10=?
	66-17=?
	34+63=?
	51-6=?
	22+76=?
	46+5=?
	45+11=?
	20+78=?
	56+45=?
	99/1=?
	47+52=?
	58+44=?
	76-26=?
	92-42=?
	12+44=?
	80-27=?
	5*25=?
	"""
	n = s.split("=?\n")
	for i in n[0:len(n) - 1]:
	print(chr(int(eval(i))), end="")

DASCTF{9d811301-281b-4f4a-8d1a-b38beccf2285}

# Misc

# number game

分析 roll 函数，产生随机数，判断是 0x539 时执行解密代码，弹出 flag
那么看到下面有个判断 _0x1afb7a == 0x539
在这里下断点，roll 一下，断下来的时候在控制台里将_0x1afb7a 的值修改为 0x539
继续运行即可得到 flag

b4By_m1$c_@n3_b4By_f3On7eNd_731cK!