Wangding Cup Re WP

Date: 2024-03-18 17:09:59

Test files: https://lanzous.com/b07rlon9c

 

 

-----------Qinglong (Azure Dragon) Group-----------

Misc

Sign-in

After answering the questions and entering the token, the flag is visible in the console.

 

flag{32c7c08cc310048a8605c5e2caba3e99}

 

crypto

boom

First, reverse the MD5 hash
46e5efe6165a5afb361217446a2dbd01, which gives en5oy
Next, solve the system of equations: x=74, y=68, z=31
Then solve the quadratic equation: x=89127561
#include <iostream>

using namespace std;

int main()
{
    // Brute-force the positive root of a * (a + 1) = 7943722218936282
    long long a = 0;
    while (a * (a + 1) != 7943722218936282LL)
        a++;
    cout << a << endl;
    return 0;
}

[Image: 2020 Wangding Cup Re WP]

 

flag{en5oy_746831_89127561}

 

Reverse

bang

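The APK is protected with the free edition of Bangcle (梆梆加密). The main step is to unpack it with FART and dump classes.dex, which gives: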

public void onClick(View paramAnonymousView)
      {
        String str = localEditText.getText().toString();
        paramAnonymousView = paramBundle.getText().toString();
        if (str.equals(paramAnonymousView))
        {
          MainActivity.showmsg("user is equal passwd");
        }
        else if ((str.equals("admin") & paramAnonymousView.equals("pass71487")))
        {
          MainActivity.showmsg("success");
          MainActivity.showmsg("flag is flag{borring_things}");
        }
        else
        {
          MainActivity.showmsg("wrong");
        }
      }

 

flag{borring_things}

 

joker

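First, remove the obfuscation in the code and fix up the stack balance.

The wrong function transforms the flag by index parity: characters at even indices are XORed with their index, and characters at odd indices have their index subtracted.

The omg function compares the transformed flag with unk_4030C0.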

model = [0x66, 0x6B, 0x63, 0x64, 0x7F, 0x61, 0x67, 0x64, 0x3B, 0x56, 0x6B, 0x61, 0x7B, 0x26, 0x3B, 0x50, 0x63, 0x5F,
         0x4D, 0x5A, 0x71, 0x0C, 0x37, 0x66]

flag = ""

for i in range(len(model)):
    if(i % 2 == 0):
        flag += chr(model[i]^i)
    else:
        flag += chr(model[i] + i)
print (flag)

Reversing this gives flag{fak3_alw35_sp_me!!}

Debugging further with a debugger reaches the point where flag{fak3_alw35_sp_me!!} is XORed with the first 19 characters of hahahaha_do_you_find_me? to get

[0x0E,0x0D,0x09,0x06,0x13,0x05,0x58,0x56,0x3E,0x06,0x0C,0x3C,0x1F,0x57,0x14,0x6B,0x57,0x59,0x0D,0x00]

Reversing it gives

m = "hahahaha_do_you_find_me?"
n = [0x0E,0x0D,0x09,0x06,0x13,0x05,0x58,0x56,0x3E,0x06,0x0C,0x3C,0x1F,0x57,0x14,0x6B,0x57,0x59,0x0D]

for i in range(len(n)):
    print (chr(ord(m[i])^n[i]),end="")

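flag{d07abccf8a410c (5 characters are still missing, and the last one is '}')

The finally function uses these five values.

From it, 0x3a must correspond to '}'. Guessing that the relationship between them is XOR (with 71) gives the complete flag.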

flag{d07abccf8a410cb37a}

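In this challenge you cannot brute-force the last few characters, because this part of the flag does not pass checkflag when you plug it in. Guessing XOR at the end takes a bit of a leap.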

 

signal 

A VM challenge.

First, an array of length 114 is passed in; it is what the switch statement dispatches on.

a=[0x0A,0x04,0x10,0x08,0x03,0x05,0x01,0x04,0x20,0x08,0x05,0x03,0x01,0x03,0x02,0x08,0x0B,0x01,0x0C,0x08,0x04,0x04,0x01,0x05,0x03,0x08,0x03,0x21,0x01,0x0B,0x08,0x0B,0x01,0x04,0x09,0x08,0x03,0x20,0x01,0x02,0x51,0x08,0x04,0x24,0x01,0x0C,0x08,0x0B,0x01,0x05,0x02,0x08,0x02,0x25,0x01,0x02,0x36,0x08,0x04,0x41,0x01,0x02,0x20,0x08,0x05,0x01,0x01,0x05,0x03,0x08,0x02,0x25,0x01,0x04,0x09,0x08,0x03,0x20,0x01,0x02,0x41,0x08,0x0C,0x01,0x07,0x22,0x07,0x3F,0x07,0x34,0x07,0x32,0x07,0x72,0x07,0x33,0x7,0x18,0x7,0xffffffa7,0x7,0x31,0x7,0xfffffff1,0x7,0x28,0x7,0xffffff84,0x7,0xffffffc1,0x7,0x1e,0x7,0x7a]

Dynamic debugging shows that in case 7, v4[v8] is a constant; record the value of eax each time (after patching je to jmp).

 

v4 = [0x22,0x3F,0x34,0x32,0x72,0x33,0x18,0xA7,0x31,0xF1,0x28,0x84,0xC1,0x1E,0x7A]

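Table a is effectively the list of switch cases to execute, and the v3 array is our flag. Each execution of case 1 assigns one element of v4 (v4 is known), so every run of opcodes ending in a 1 is the processing for one character, for example 4,16,8,3,5,1. Working through these by hand, we can write a script that recovers the flag: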

# -*- coding:utf-8 -*-

flag = [0]*15

flag[0] = (0x22+5)^0x10
flag[1] = (0x3f//3)^0x20
flag[2] = 0x34+1+2
flag[3] = (0x32^4)-1
flag[4] = (0x72+0x21)//3
flag[5] = 0x33 + 2
flag[6] = (0x18+0x20)^0x9
flag[7] = (0xa7^0x24)-0x51
flag[8] = 0x31+1-1
flag[9] = (0xf1-0x25)//2
flag[10] = (0x28^0x41)-0x36
flag[11] = 0x84-0x20
flag[12] = (0xc1-0x25)//3
flag[13] = (0x1e+0x20)^0x9
flag[14] = 0x7a-0x1-0x41

print ('flag{'+''.join([chr(x) for x in flag])+'}')

 

flag{757515121f3d478}
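The manual inversion above can also be automated. The following is an added example, not code from the original write-up: it walks the bytecode from table a (sign-extended values reduced to their low byte) and undoes each character's operations in reverse order. The opcode meanings are assumptions inferred from the manual solution above, and the names PROGRAM, disassemble and solve are hypothetical.

```python
# Added example: opcode semantics below are inferred from the write-up's
# manual solution (assumption), not taken from the binary's source.
PROGRAM = bytes.fromhex(
    "0a 041008030501 042008050301 0302080b01 0c08040401 050308032101 0b080b01"
    "040908032001 025108042401 0c080b01 050208022501 023608044101 022008050101"
    "050308022501 040908032001 0241080c01"
    "0722073f 07340732 07720733 071807a7 073107f1 07280784 07c1071e 077a"
)
TAKES_OPERAND = {2, 3, 4, 5, 7}           # add, sub, xor, mul, compare
INVERSE = {
    2: lambda v, k: (v - k) & 0xFF,       # forward: v + k
    3: lambda v, k: (v + k) & 0xFF,       # forward: v - k
    4: lambda v, k: v ^ k,                # forward: v ^ k
    # forward: v * k; take the smallest byte whose product matches
    5: lambda v, k: next(x for x in range(256) if (x * k) & 0xFF == v),
    11: lambda v, k: (v + 1) & 0xFF,      # forward: v - 1
    12: lambda v, k: (v - 1) & 0xFF,      # forward: v + 1
}

def disassemble(program):
    """Return (per-character op lists, expected bytes from the op-7 compares)."""
    groups, current, expected, pc = [], [], [], 0
    while pc < len(program):
        op = program[pc]
        arg = program[pc + 1] if op in TAKES_OPERAND else None
        pc += 2 if op in TAKES_OPERAND else 1
        if op in INVERSE:
            current.append((op, arg))
        elif op == 1:                     # result stored: this character is done
            groups.append(current)
            current = []
        elif op == 7:
            expected.append(arg)
        # ops 8 (write back) and 10 (read input) do not change the value
    return groups, expected

def solve(program):
    groups, expected = disassemble(program)
    flag = []
    for ops, value in zip(groups, expected):
        for op, arg in reversed(ops):     # undo the operations last-to-first
            value = INVERSE[op](value, arg)
        flag.append(value)
    return "flag{" + bytes(flag).decode("ascii") + "}"

if __name__ == "__main__":
    print(solve(PROGRAM))
```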

 

 

Test files: https://lanzous.com/b07rlonfi

 

-----------Baihu (White Tiger) Group------------

Right after I finished the first challenge, the power at home went out for a whole day.

 

Misc

hidden

Rename the file to a ZIP archive; cracking it via zip2john gives the password 1235.

This gives half of a QR code.

Use tweakpng to change the image height.

This gives the flag.

flag{04255185-de22-4ac6-a1ae-da4f187ddb8c}

 

Reverse

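恶龙 (Evil Dragon)

Here the coins are really only used to exchange for eff, so just patch eff to be greater than 5000000, run with F9 and keep choosing option 2 to get the flag.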

 

flag{0259-6430-726f077b-5959-bf477a78c83b}

 

Py

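This challenge is really about extracting the pyc file from an ELF file (the ELF was packaged from Python).

Reference: https://www.zhihuifly.com/t/topic/1073

Note that the output file must be named src.pyc; no other name works.

 

Compare src.pyc with struct.pyc and prepend the following bytes to src.pyc: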

EE 0C 0D 0A 70 79 69 30  10 01 00 00 
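
The header repair described above can be scripted. This is an added example, not code from the original write-up: it copies the header from a reference pyc (struct.pyc in the text) and prepends it to a headerless body. The header-length detection is a heuristic assumption, the function names are hypothetical, and the sample bytes at the end are constructed.

```python
# Added example. PAGE_HEADER holds the 12 bytes quoted above; everything
# else (names, heuristic, sample data) is an assumption for illustration.
PAGE_HEADER = bytes.fromhex("EE0C0D0A 70796930 10010000")
TYPE_CODE = 0x63   # marshal type byte 'c' (code object)
FLAG_REF = 0x80    # flag bit marshal sets on the type byte in Python 3.4+

def is_code_start(byte):
    """True if the byte is a marshal code-object tag, with or without FLAG_REF."""
    return byte & ~FLAG_REF == TYPE_CODE

def header_from_reference(reference):
    """Cut the header off a known-good pyc by finding where the code object starts."""
    for length in (8, 12, 16):   # header sizes: before 3.3, 3.3 to 3.6, 3.7+
        if len(reference) > length and is_code_start(reference[length]):
            return reference[:length]
    raise ValueError("no marshalled code object after an 8/12/16-byte header")

def restore_pyc(body, header):
    """Prepend the header unless the body already starts with the same magic."""
    if body[:4] == header[:4]:
        return body
    if not body or not is_code_start(body[0]):
        raise ValueError("body does not start with a marshalled code object")
    return header + body

# Constructed sample data: a fake reference pyc and a headerless body.
SAMPLE_REFERENCE = PAGE_HEADER + b"\xe3" + bytes(16)
SAMPLE_BODY = b"\xe3" + bytes(16)

if __name__ == "__main__":
    header = header_from_reference(SAMPLE_REFERENCE)
    print(restore_pyc(SAMPLE_BODY, header)[:12].hex(" "))
```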

Decompiling the resulting pyc file back to a py file gives:

# -*- coding:utf-8 -*-

import rsa
import base64

key1 = rsa.PrivateKey.load_pkcs1(base64.b64decode(
    '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'))
key2 = rsa.PublicKey.load_pkcs1(base64.b64decode(
    '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'))


def encrypt1(message):
    crypto_text = rsa.encrypt(message.encode(), key2)
    return crypto_text


def decrypt1(message):
    message_str = rsa.decrypt(message, key1).decode()
    return message_str


def encrypt2(tips, key):
    ltips = len(tips)
    lkey = len(key)
    secret = []
    num = 0
    for each in tips:
        if num >= lkey:
            num = num % lkey
        secret.append(chr(ord(each) ^ ord(key[num])))
        num += 1

    return base64.b64encode(''.join(secret).encode()).decode()


def decrypt2(secret, key):
    tips = base64.b64decode(secret.encode()).decode()
    ltips = len(tips)
    lkey = len(key)
    secret = []
    num = 0
    for each in tips:
        if num >= lkey:
            num = num % lkey
        secret.append(chr(ord(each) ^ ord(key[num])))
        num += 1

    return ''.join(secret)


flag = 'IAMrG1EOPkM5NRI1cChQDxEcGDZMURptPzgHJHUiN0ASDgUYUB4LGQMUGAtLCQcJJywcFmddNno/PBtQbiMWNxsGLiFuLwpiFlkyP084Ng0lKj8GUBMXcwEXPTJrRDMdNwMiHVkCBFklHgIAWQwgCz8YQhp6E1xUHgUELxMtSh0xXzxBEisbUyYGOx1DBBZWPg1CXFkvJEcxO0ADeBwzChIOQkdwXQRpQCJHCQsaFE4CIjMDcwswTBw4BS9mLVMLLDs8HVgeQkscGBEBFSpQFQQgPTVRAUpvHyAiV1oPE0kyADpDbF8AbyErBjNkPh9PHiY7O1ZaGBADMB0PEVwdCxI+MCcXARZiPhwfH1IfKitGOF42FV8FTxwqPzBPAVUUOAEKAHEEP2QZGjQVV1oIS0QBJgBDLx1jEAsWKGk5Nw03MVgmWSE4Qy5LEghoHDY+OQ9dXE44Th0='
key = 'this is key'

try:
    print(decrypt2('AAAAAAAAAAAfFwwRSAIWWQ==', key))
    result = input('please input key: ')
    if result == decrypt2('AAAAAAAAAAAfFwwRSAIWWQ==', key):
        print(decrypt1(base64.b64decode(decrypt2(flag, result))))
    elif result == key:
        print('flag{0e26d898-b454-43de-9c87-eb3d122186bc}')
    else:
        print('key is error.')
except Exception:
    None
    e = None
    None

    try:
        pass
    finally:
        e = None
        del e

 

flag{5236cb7d-f4a7-4080-9bde-8b9e061609ad}

 

-----------Zhuque (Vermilion Bird) Group------------

Misc

九宫格 (nine-square grid)

First, batch-scan the QR codes to get a list of 0s and 1s:

a = [0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 1]

Group the bits in eights and convert each group to an ASCII character:

# -*- coding:utf-8 -*-

a = [0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 1]

num = []

# Walk the list in 8-bit groups; an incomplete trailing group is ignored
for i in range(0, len(a) - 7, 8):
    bits = ''.join(str(b) for b in a[i:i + 8])
    num.append(chr(int(bits, 2)))
print(''.join(num))

This gives

U2FsdGVkX19jThxWqKmYTZP1X4AfuFJ/7FlqIF1KHQTR5S63zOkyoX36nZlaOq4X4klwRwqa

This is Rabbit encryption. The hint points to the nine-square grid: take the two diagonals (852456) and sort the digits in ascending order.

This gives key=245568

 

flag{2c4fdc156fe74836954a05058c5d0382}

 

key

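Use John the Ripper to crack the archive password.

The password is 123.

 

Use tweakpng on 钥.png to set the image height equal to its width.

匙.jpg is actually an archive; change its extension to zip. The password here is presumably related to the image above, and it is in fact differential Manchester encoding. The script is quoted from: click here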

# -*- coding:utf-8 -*-

enc = "295965569a596696995a9aa969996a6a9a669965656969996959669566a5655699669aa5656966a566a56656"
s = ""
for c in enc:
    s += "{:04b}".format(int(c,16))

s = s[2:]
r = ""
for i in range(len(s)//2):
    a = s[i*2]
    if a == s[i*2-1]:
        r += '1'
    else:
        r += '0'

print (hex(int(r,2)))

0x13616b7572615f4c6f76655f53747261776265727279

Convert to ASCII.

The first character failed to convert; after searching online, it should be Sakura_Love_Strawberry

Extract the archive to get the flag.

flag{061056cc-980c-4214-b163-230e5cd5c78e}

 

crypto

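Affine

This can be solved from the definition of the affine cipher: key1 and key2 are a and b in E(x) = (ax + b) (mod m). m is not yet known. Decryption is D(x) = a^(-1) * (x - b) (mod m), and m can simply be brute-forced.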

# -*- coding:utf-8 -*-
import gmpy2

key1 = 123456
key2 = 321564

enc = "kgws{m8u8cm65-ue9k-44k5-8361-we225m76eeww}"
for m in range(1, 27):
    flag = ""  # start a fresh candidate for every modulus
    for val in enc:
        try:
            if val.islower():
                flag += chr((gmpy2.invert(key1, m)*(ord(val) - ord('a') - key2)) % m + ord('a'))
            else:
                flag += val
        except Exception:
            # key1 has no inverse modulo m: skip this modulus
            flag = ""
            break
    if flag != "":
        print (flag)

bcde{d8b8dd65-ba9b-44b5-8361-da225d76aadd}


dcgf{a8c8ba65-cf9d-44d5-8361-gf225a76ffgg}


djhc{a8k8ea65-kb9d-44d5-8361-hb225a76bbhh}


flag{c8d8ec65-db9f-44f5-8361-ab225c76bbaa}


jhpn{k8o8fk65-og9j-44j5-8361-pg225k76ggpp}


gnel{m8r8bm65-rh9g-44g5-8361-eh225m76hhee}


tigs{n8m8un65-mo9t-44t5-8361-go225n76oogg}


qhsj{i8b8xi65-bp9q-44q5-8361-sp225i76ppss}

The flag is

flag{c8d8ec65-db9f-44f5-8361-ab225c76bbaa}

 

Reverse

go

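A Go reversing challenge. If it cannot be decompiled after opening, set sizeof(int) to 4 under Options->Compiler.

Find the main function through the Strings window.

There is a key function here, main_encode.

This function is simply Base64 encoding with a custom alphabet. The alphabet is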

XYZFGHI2+/Jhi345jklmEnopuvwqrABCDKL6789abMNWcdefgstOPQRSTUVxyz01

The result is then compared with nRKKAHzMrQzaqQzKpPHClX

# -*- coding:utf-8 -*-
import base64

model = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
Str = "XYZFGHI2+/Jhi345jklmEnopuvwqrABCDKL6789abMNWcdefgstOPQRSTUVxyz01"
enc = "nRKKAHzMrQzaqQzKpPHClX"
s = ""

for val in enc:
    s += model[Str.find(val)]
print (s)
for i in range(10):
    try:
        print (base64.b64decode(s+'='*i))
        break
    except Exception:
        pass

The required input is What_is_go_a_A_H

 

flag{e252890b-4f4d-4b85-88df-671dab1d78f3}