# 第六届浙江省大学生网络与信息安全竞赛 - 预赛
被大佬们打爆了 qwq
# Reverse
# pyccc
-
pycdc 反编译得到源码
-
直接写脚本解密
check = [102, 109, 99, 100, 127, 52, 114, 88, 97, 122, 85, 125, 105, 127, 119, 80, 120, 112, 98, 39, 109, 52, 55, 106] | |
for i in range(len(check)): | |
print(chr(check[i] ^ i), end="") |
flag{1t_is_very_hap4y!!}
# easyapk
直接拉进 jadx,分析可以得知 key 为 r3v3rs3car3fully
iv 为 0123456789ABCDEF
类名看着是 DES,但是仔细看可以发现实际是 AES 加密
最后 CyberChef 解密即可
DASCTF{e8d1f1c0-f579-491f-a93d-c2f6b23a8a55}
# luare
比完才想出来的......
buf 就是 lua 字节码,提取出来
修补文件头
unluac 反编译一下
java -jar .\unluac.jar .\buf.luac > .\buf.lua |
得到源码,分析一下,CheckAns 里 Oo00Oo0 的返回内容与 enc 的每一位比较,那么继续 ida 分析 Oo00Oo0
function CheckAns(data) | |
if #data ~= 40 then | |
return false | |
end | |
dataOut = Oo00Oo0(data) | |
enc = { | |
109, -73, -72, 46, -73, -5, 99, -100, | |
46, 59, 32, -76, 109, 3, 59, 20, | |
-61, -56, -119, 48, 100, 118, 36, 118, | |
82, 3, 95, 106, 14, -80, 5, -89, 89, | |
-85, 5, 14, 46, -73, 7, 127 | |
} | |
i = 1 | |
while i <= #dataOut do | |
if dataOut[i] ~= enc[i] then | |
return false | |
end | |
i = i + 1 | |
end | |
return true | |
end | |
print("input: ") | |
local data = io.read() | |
if CheckAns(data) then | |
print("true") | |
else | |
print("false") | |
end |
可以看到就是一个简单的异或,直接写脚本解密即可
table = [0x3c, 0x95, 0xc8, 0x28, 0x10, 0x6d, 0x85, 0x60, 0x59, 0x3, 0xb3, 0x4c, 0x76, 0x49, 0x48, 0x96, | |
0xb8, 0x5f, 0xb7, 0x79, 0xc4, 0x64, 0x71, 0x2e, 0x38, 0x8c, 0xac, 0xa7, 0x91, 0x72, 0x63, 0x80, | |
0xb0, 0x9e, 0x33, 0x4b, 0xae, 0xf3, 0x8b, 0x7b, 0x4d, 0x5b, 0xb4, 0x52, 0xec, 0x6f, 0xe0, 0xcf, | |
0xad, 0xc3, 0x20, 0xab, 0xea, 0x67, 0xdc, 0x5, 0x0, 0x9f, 0x40, 0x56, 0xd6, 0xfb, 0xfc, 0x24, | |
0x92, 0xca, 0xb, 0x3d, 0x46, 0xd, 0xf0, 0x4a, 0x5a, 0x55, 0x11, 0x1a, 0x3b, 0x8a, 0xbc, 0x7d, | |
0x6c, 0xe7, 0xa9, 0x13, 0x75, 0xce, 0x61, 0x30, 0x14, 0xa6, 0x6a, 0x27, 0x7, 0xd0, 0x54, 0x9c, | |
0x5c, 0x8e, 0x89, 0xd8, 0x58, 0x1, 0xc2, 0x34, 0xe8, 0x69, 0x35, 0x2f, 0xc0, 0x2a, 0xa0, 0x50, | |
0x36, 0x88, 0xff, 0x39, 0x1d, 0x68, 0xe, 0xc, 0x93, 0xe6, 0xb1, 0xfe, 0x18, 0x7f, 0x6e, 0xb6, | |
0x78, 0x53, 0x31, 0x2b, 0xe9, 0xd2, 0xf5, 0x29, 0xf, 0x2c, 0x17, 0x84, 0xde, 0xdb, 0xd9, 0x41, | |
0x6, 0x19, 0xf7, 0xa1, 0x99, 0xa8, 0x45, 0x7a, 0x3e, 0x23, 0xa5, 0x1b, 0xaf, 0xa, 0xaa, 0xe5, | |
0xef, 0xa4, 0xe1, 0xf8, 0xfa, 0x82, 0x3a, 0x9a, 0xdf, 0x8f, 0x1c, 0x65, 0xc7, 0x73, 0xd1, 0xc1, | |
0xc5, 0xd7, 0xa2, 0x5e, 0x87, 0xdd, 0x9d, 0x8d, 0xf9, 0xc9, 0x81, 0xcd, 0x90, 0x97, 0xee, 0x66, | |
0xda, 0x4f, 0x42, 0x3f, 0xc6, 0x74, 0x8, 0x37, 0x25, 0xcb, 0x77, 0x26, 0xe3, 0x83, 0x32, 0xb9, | |
0xbd, 0xd3, 0xf2, 0x44, 0xd5, 0x4e, 0x2d, 0xba, 0x62, 0x98, 0x4, 0x1e, 0x12, 0x21, 0xe4, 0xbf, | |
0x47, 0xf6, 0x86, 0xf4, 0xfd, 0x94, 0x16, 0xa3, 0xeb, 0x1f, 0x70, 0x7c, 0xb2, 0x51, 0x2, 0x43, | |
0x22, 0x15, 0xcc, 0x7e, 0x9, 0x6b, 0xe2, 0x5d, 0xbb, 0x9b, 0xbe, 0xb5, 0xd4, 0xed, 0x57, 0xf1] | |
enc = [0x6d, 0xb7, 0xb8, 0x2e, 0xb7, 0xfb, 0x63, 0x9c, 0x2e, 0x3b, 0x20, 0xb4, 0x6d, 0x3, 0x3b, 0x14, 0xc3, 0xc8, 0x89, | |
0x30, 0x64, 0x76, 0x24, 0x76, 0x52, 0x3, 0x5f, 0x6a, 0xe, 0xb0, 0x5, 0xa7, 0x59, 0xab, 0x5, 0xe, 0x2e, 0xb7, 0x7, | |
0x7f] | |
idx = [] | |
for i in range(40): | |
idx.append(table.index(enc[i])) | |
for i in range(38, -1, -1): | |
idx[i] = idx[i] ^ idx[i + 1] | |
for i in idx: | |
print(chr(i), end="") |
DASCTF{e:-aSy|u9aPR0gr~AMfo~$RrE^VeR$3!}
# Crypto
# 小小数学家
数学表达式,直接用 python 的 eval 即可
s = """19+49=? | |
96-31=? | |
86-3=? | |
20+47=? | |
29+55=? | |
35+35=? | |
81+42=? | |
73-16=? | |
52+48=? | |
0+56=? | |
55-6=? | |
69-20=? | |
99-48=? | |
100-52=? | |
36+13=? | |
32+13=? | |
84-34=? | |
90-34=? | |
94-45=? | |
85+13=? | |
50-5=? | |
55-3=? | |
77+25=? | |
87-35=? | |
62+35=? | |
88-43=? | |
86-30=? | |
90+10=? | |
66-17=? | |
34+63=? | |
51-6=? | |
22+76=? | |
46+5=? | |
45+11=? | |
20+78=? | |
56+45=? | |
99/1=? | |
47+52=? | |
58+44=? | |
76-26=? | |
92-42=? | |
12+44=? | |
80-27=? | |
5*25=? | |
""" | |
n = s.split("=?\n") | |
for i in n[0:len(n) - 1]: | |
print(chr(int(eval(i))), end="") |
DASCTF{9d811301-281b-4f4a-8d1a-b38beccf2285}
# Misc
# number game
分析 roll 函数,产生随机数,判断是 0x539 时执行解密代码,弹出 flag
那么看到下面有个判断 _0x1afb7a == 0x539
在这里下断点,roll 一下,断下来的时候在控制台里将_0x1afb7a 的值修改为 0x539
继续运行即可得到 flag
b4By_m1$c_@n3_b4By_f3On7eNd_731cK!