测试文件:https://lanzous.com/b07rlon9c
-----------青龙组-----------
Misc
签到
回答完问题,输入token之后,在控制台可见。
flag{32c7c08cc310048a8605c5e2caba3e99}
crypto
boom
#include <iostream> using namespace std; int main() { long long a = 0; long long b = a * (a + 1); while (1) { if (b == 7943722218936282) break; a++; b = a * (a + 1); } cout << a << endl; system("PAUSE"); return 0; }
flag{en5oy_746831_89127561}
Reverse
bang
梆梆加密免费版,这道主要是使用FART脱壳classes.dex得到
public void onClick(View paramAnonymousView) { String str = localEditText.getText().toString(); paramAnonymousView = paramBundle.getText().toString(); if (str.equals(paramAnonymousView)) { MainActivity.showmsg("user is equal passwd"); } else if ((str.equals("admin") & paramAnonymousView.equals("pass71487"))) { MainActivity.showmsg("success"); MainActivity.showmsg("flag is flag{borring_things}"); } else { MainActivity.showmsg("wrong"); } }
flag{borring_things}
joker
首先去除代码中的混淆和调整栈平衡之后。
wrong函数,对flag的奇,偶下标分别进行异或下标,减去下标操作。
omg函数,变换后的flag与unk_4030C0比较。
model = [0x66, 0x6B, 0x63, 0x64, 0x7F, 0x61, 0x67, 0x64, 0x3B, 0x56, 0x6B, 0x61, 0x7B, 0x26, 0x3B, 0x50, 0x63, 0x5F, 0x4D, 0x5A, 0x71, 0x0C, 0x37, 0x66] flag = "" for i in range(len(model)): if(i % 2 == 0): flag += chr(model[i]^i) else: flag += chr(model[i] + i) print (flag)
反解得,flag{fak3_alw35_sp_me!!}
使用dbg调试到
这里将flag{fak3_alw35_sp_me!!}与hahahaha_do_you_find_me?前19字符异或得到
[0x0E,0x0D,0x09,0x06,0x13,0x05,0x58,0x56,0x3E,0x06,0x0C,0x3C,0x1F,0x57,0x14,0x6B,0x57,0x59,0x0D,0x00]
反解得到
m = "hahahaha_do_you_find_me?" n = [0x0E,0x0D,0x09,0x06,0x13,0x05,0x58,0x56,0x3E,0x06,0x0C,0x3C,0x1F,0x57,0x14,0x6B,0x57,0x59,0x0D] for i in range(len(n)): print (chr(ord(m[i])^n[i]),end="")
flag{d07abccf8a410c,还缺少5个字符,最后一位为'}'
在finally函数中,利用了这五位数值
可知,0x3a必然为‘}’,猜测之间的关系为异或(71),得到完整flag。
flag{d07abccf8a410cb37a}
这道题你没办法**最后几位,因为这段flag你带入之后过不了checkflag,最后猜测为异或有点脑洞。
signal
VM的题目
首先传入长度114的数组,作为switch操作对象
a=[0x0A,0x04,0x10,0x08,0x03,0x05,0x01,0x04,0x20,0x08,0x05,0x03,0x01,0x03,0x02,0x08,0x0B,0x01,0x0C,0x08,0x04,0x04,0x01,0x05,0x03,0x08,0x03,0x21,0x01,0x0B,0x08,0x0B,0x01,0x04,0x09,0x08,0x03,0x20,0x01,0x02,0x51,0x08,0x04,0x24,0x01,0x0C,0x08,0x0B,0x01,0x05,0x02,0x08,0x02,0x25,0x01,0x02,0x36,0x08,0x04,0x41,0x01,0x02,0x20,0x08,0x05,0x01,0x01,0x05,0x03,0x08,0x02,0x25,0x01,0x04,0x09,0x08,0x03,0x20,0x01,0x02,0x41,0x08,0x0C,0x01,0x07,0x22,0x07,0x3F,0x07,0x34,0x07,0x32,0x07,0x72,0x07,0x33,0x7,0x18,0x7,0xffffffa7,0x7,0x31,0x7,0xffffff,0x7,0x28,0x7,0xffffff84,0x7,0xffffffc1,0x7,0x1e,0x7,0x7a]
动态调试发现在case7中, v4[v8]为定值,记录下eax的值(修改je为jmp)
v4 = [0x22,0x3F,0x34,0x32,0x72,0x33,0x18,0xFA7,0x31,0xF1,0x28,0xF84,0xC1,0x1E,0x7A]
而a表实际上就是执行switch的选项目录,v3数组就是我们的flag,每次执行case1即为v4赋值一次(v4已知),所以每次到1,就是一段处理,比如4,16,8,3,5,1。手动处理,我们能够写出获取flag的脚本
# -*- coding:utf-8 -*- flag = [0]*15 flag[0] = (0x22+5)^0x10 flag[1] = (0x3f//3)^0x20 flag[2] = 0x34+1+2 flag[3] = (0x32^4)-1 flag[4] = (0x72+0x21)//3 flag[5] = 0x33 + 2 flag[6] = (0x18+0x20)^0x9 flag[7] = (0xa7^0x24)-0x51 flag[8] = 0x31+1-1 flag[9] = (0xf1-0x25)//2 flag[10] = (0x28^0x41)-0x36 flag[11] = 0x84-0x20 flag[12] = (0xc1-0x25)//3 flag[13] = (0x1e+0x20)^0x9 flag[14] = 0x7a-0x1-0x41 print ('flag{'+''.join([chr(x) for x in flag])+'}')
flag{757515121f3d478}
测试文件:https://lanzous.com/b07rlonfi
-----------白虎组------------
刚把第一道题做了家里就停了一天的电。
Mics
hidden
改为ZIP文件,zip2john **出密码为1235
得到二维码的一半
使用tweakpng修改图片高度
得到flag
flag{04255185-de22-4ac6-a1ae-da4f187ddb8c}
Reverse
恶龙
实际这里的coin都是用来兑换eff的,改eff大于5000000就行,F9运行一直选2就能得到flag。
flag{0259-6430-726f077b-5959-bf477a78c83b}
Py
实际这里考得就是如何从elf文件中提取出pyc文件。(这个elf文件是由Python打包的)
参考链接:https://www.zhihuifly.com/t/topic/1073
值得注意的是,你的输出文件必须是src.pyc,不能使用其他命名。
将src.pyc与struct.pyc对比,在src.pyc头部添加
EE 0C 0D 0A 70 79 69 30 10 01 00 00
得到的pyc文件,转换为py文件,得到
# -*- coding:utf-8 -*- import rsa import base64 key1 = rsa.PrivateKey.load_pkcs1(base64.b64decode( 'LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcVFJQkFBS0NBUUVBcVJUZ0xQU3BuT0ZDQnJvNHR1K1FBWXFhTjI2Uk42TzY1bjBjUURGRy9vQ1NJSU00ClNBeEVWaytiZHpSN2FucVNtZ1l5MEhRWGhDZTM2U2VGZTF0ejlrd0taL3UzRUpvYzVBSzR1NXZ4UW5QOWY1cTYKYVFsbVAvVjJJTXB5NFFRNlBjbUVoNEtkNm81ZWRJUlB2SHd6V0dWS09OQ3BpL0taQ082V0tWYkpXcWh3WGpEQgpsSDFNVURzZ1gyVUM4b3Bodnk5dXIyek9kTlBocElJZHdIc1o5b0ZaWWtaMUx5Q0lRRXRZRmlKam1GUzJFQ1RVCkNvcU9acnQxaU5jNXVhZnFvZlB4eHlPb2wwYVVoVGhiaHE4cEpXL3FPSFdYd0xJbXdtNk96YXFVeks4NEYyY3UKYWRiRE5zeVNvaElHaHYzd0lBVThNSlFnOEthd1Z3ZHBzRWhlSXdJREFRQUJBb0lCQURBazdwUStjbEZtWHF1Vgp1UEoyRWxZdUJpMkVnVHNMbHZ0c1ltL3cyQnM5dHQ0bEh4QjgxYlNSNUYyMEJ2UlJ4STZ3OXlVZCtWZzdDd1lMCnA5bHhOL3JJdWluVHBkUEhYalNhaGNsOTVOdWNOWEZ4T0dVU05SZy9KNHk4dUt0VHpkV3NITjJORnJRa0o4Y2IKcWF5czNOM3RzWTJ0OUtrUndjbUJGUHNJalNNQzB5UkpQVEE4cmNqOFkranV3SHZjbUJPNHVFWXZXeXh0VHR2UQova0RQelBqdTBuakhkR055RytkSDdkeHVEV2Jxb3VZQnRMdzllZGxXdmIydTJ5YnZzTXl0NWZTOWF1a01NUjNoCnBhaDRMcU1LbC9ETTU3cE44Vms0ZTU3WE1zZUJLWm1hcEptcVNnSGdjajRPNWE2R1RvelN1TEVoTmVGY0l2Tm8KWFczTEFHRUNnWWtBc0J0WDNVcFQ3aUcveE5BZDdSWER2MENOY1k1QnNZOGY4NHQ3dGx0U2pjSWdBKy9nUjFMZQpzb2gxY1RRd1RadUYyRTJXL1hHU3orQmJDTVVySHNGWmh1bXV6aTBkbElNV3ZhU0dvSlV1OGpNODBlUjRiVTRyCmdYQnlLZVZqelkzNVlLejQ5TEVBcFRQcTZRYTVQbzhRYkF6czhuVjZtNXhOQkNPc0pQQ29zMGtCclFQaGo5M0cKOFFKNUFQWEpva0UrMmY3NXZlazZNMDdsaGlEUXR6LzRPYWRaZ1MvUVF0eWRLUmg2V3VEeGp3MytXeXc5ZjNUcAp5OXc0RmtLRzhqNVRpd1RzRmdzem94TGo5TmpSUWpqb3cyVFJGLzk3b2NxMGNwY1orMUtsZTI1cEJ3bk9yRDJBCkVpMUVkMGVEV3dJR2gzaFhGRmlRSzhTOG5remZkNGFMa1ZxK1V3S0JpRXRMSllIamFZY0N2dTd5M0JpbG1ZK0gKbGZIYkZKTkowaXRhazRZZi9XZkdlOUd6R1h6bEhYblBoZ2JrZlZKeEVBU3ZCOE5NYjZ5WkM5THdHY09JZnpLRApiczJQMUhuT29rWnF0WFNxMCt1UnBJdEkxNFJFUzYySDJnZTNuN2dlMzJSS0VCYnVKb3g3YWhBL1k2d3ZscUhiCjFPTEUvNnJRWk0xRVF6RjRBMmpENmdlREJVbHhWTUVDZVFDQjcyUmRoYktNL3M0TSsvMmYyZXI4Y2hwT01SV1oKaU5Hb3l6cHRrby9sSnRuZ1RSTkpYSXdxYVNCMldCcXpndHNSdEhGZnpaNlNyWlJCdTd5Y0FmS3dwSCtUd2tsNQpoS2hoSWFTNG1vaHhwUVNkL21td1JzbTN2NUNDdXEvaFNtNmNXYTdFOVZxc25heGQzV21tQ2VqTnp0MUxQWUZNCkxZMENnWWdKUHhpVTVraGs5cHB6TVAwdWU0clA0Z2YvTENldEdmQjlXMkIyQU03eW9VM2VsMWlCSEJqOEZ3UFQKQUhKUWtCeTNYZEh3SUpGTUV1RUZSSFFzcUFkSTlYVDBzL2V0QTg1Y3grQjhjUmt3bnFHakFseW1PdmJNOVNrMgptMnRwRi8rYm56ZVhNdFA3c0ZoR3NHOXJ5SEZ6UFNLY3NDSDhXWWx0Y1pTSlNDZHRTK21qblAwelArSjMKLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K')) key2 = rsa.PublicKey.load_pkcs1(base64.b64decode( 'LS0tLS1CRUdJTiBSU0EgUFVCTElDIEtFWS0tLS0tCk1JSUJDZ0tDQVFFQXFSVGdMUFNwbk9GQ0JybzR0dStRQVlxYU4yNlJONk82NW4wY1FERkcvb0NTSUlNNFNBeEUKVmsrYmR6UjdhbnFTbWdZeTBIUVhoQ2UzNlNlRmUxdHo5a3dLWi91M0VKb2M1QUs0dTV2eFFuUDlmNXE2YVFsbQpQL1YySU1weTRRUTZQY21FaDRLZDZvNWVkSVJQdkh3eldHVktPTkNwaS9LWkNPNldLVmJKV3Fod1hqREJsSDFNClVEc2dYMlVDOG9waHZ5OXVyMnpPZE5QaHBJSWR3SHNaOW9GWllrWjFMeUNJUUV0WUZpSmptRlMyRUNUVUNvcU8KWnJ0MWlOYzV1YWZxb2ZQeHh5T29sMGFVaFRoYmhxOHBKVy9xT0hXWHdMSW13bTZPemFxVXpLODRGMmN1YWRiRApOc3lTb2hJR2h2M3dJQVU4TUpRZzhLYXdWd2Rwc0VoZUl3SURBUUFCCi0tLS0tRU5EIFJTQSBQVUJMSUMgS0VZLS0tLS0K')) def encrypt1(message): crypto_text = rsa.encrypt(message.encode(), key2) return crypto_text def decrypt1(message): message_str = rsa.decrypt(message, key1).decode() return message_str def encrypt2(tips, key): ltips = len(tips) lkey = len(key) secret = [] num = 0 for each in tips: if num >= lkey: num = num % lkey secret.append(chr(ord(each) ^ ord(key[num]))) num += 1 return base64.b64encode(''.join(secret).encode()).decode() def decrypt2(secret, key): tips = base64.b64decode(secret.encode()).decode() ltips = len(tips) lkey = len(key) secret = [] num = 0 for each in tips: if num >= lkey: num = num % lkey secret.append(chr(ord(each) ^ ord(key[num]))) num += 1 return ''.join(secret) flag = 'IAMrG1EOPkM5NRI1cChQDxEcGDZMURptPzgHJHUiN0ASDgUYUB4LGQMUGAtLCQcJJywcFmddNno/PBtQbiMWNxsGLiFuLwpiFlkyP084Ng0lKj8GUBMXcwEXPTJrRDMdNwMiHVkCBFklHgIAWQwgCz8YQhp6E1xUHgUELxMtSh0xXzxBEisbUyYGOx1DBBZWPg1CXFkvJEcxO0ADeBwzChIOQkdwXQRpQCJHCQsaFE4CIjMDcwswTBw4BS9mLVMLLDs8HVgeQkscGBEBFSpQFQQgPTVRAUpvHyAiV1oPE0kyADpDbF8AbyErBjNkPh9PHiY7O1ZaGBADMB0PEVwdCxI+MCcXARZiPhwfH1IfKitGOF42FV8FTxwqPzBPAVUUOAEKAHEEP2QZGjQVV1oIS0QBJgBDLx1jEAsWKGk5Nw03MVgmWSE4Qy5LEghoHDY+OQ9dXE44Th0=' key = 'this is key' try: print(decrypt2('AAAAAAAAAAAfFwwRSAIWWQ==', key)) result = input('please input key: ') if result == decrypt2('AAAAAAAAAAAfFwwRSAIWWQ==', key): print(decrypt1(base64.b64decode(decrypt2(flag, result)))) elif result == key: print('flag{0e26d898-b454-43de-9c87-eb3d122186bc}') else: print('key is error.') except Exception: None e = None None try: pass finally: e = None del e
flag{5236cb7d-f4a7-4080-9bde-8b9e061609ad}
-----------朱雀组------------
Mics
九宫格
首先对二维码批量扫描,得到01的列表
a = [0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 1]
8个为一组,转换为ASCII码
# -*- coding:utf-8 -*- a = [0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 1] s = "0b" num = [] for i in range(len(a)): if i % 8 != 0 or i == 0: s += str(a[i]) continue num.append(chr(int(s,2))) s = "0b" print (''.join(num))
得到
U2FsdGVkX19jThxWqKmYTZP1X4AfuFJ/7FlqIF1KHQTR5S63zOkyoX36nZlaOq4X4klwRwqa
这是rabbit加密,通过hint提示九宫格,两条对角线(852456)从小到大排序。
得到key=245568
flag{2c4fdc156fe74836954a05058c5d0382}
key
使用JohnTheRippe对压缩文件解密
得到密码为123
将钥.png通过tweakpng修改图片height=width
匙.jpg实际为一个压缩文件,改后缀为zip,这里的密码猜测与上面的图片有关,实际为差分曼切斯特编码。脚本引用自:点击进入
# -*- coding:utf-8 -*- enc = "295965569a596696995a9aa969996a6a9a669965656969996959669566a5655699669aa5656966a566a56656" s = "" for c in enc: s += "{:04b}".format(int(c,16)) s = s[2:] r = "" for i in range(len(s)//2): a = s[i*2] if a == s[i*2-1]: r += '1' else: r += '0' print (hex(int(r,2)))
0x13616b7572615f4c6f76655f53747261776265727279
转换为ASCII码
第一位转换失败了,拿到网上搜了下,应该为Sakura_Love_Strawberry
解压,得到flag
flag{061056cc-980c-4214-b163-230e5cd5c78e}
crypto
放射
根据仿射密码的原理就能解出,key1,key2实际就是E(x) = (ax + b) (mod m)中的a,b。m还未确定。解密方法为:D(x) = a-1(x - b) (mod m),m直接**就行。
# -*- coding:utf-8 -*- import gmpy2 key1 = 123456 key2 = 321564 enc = "kgws{m8u8cm65-ue9k-44k5-8361-we225m76eeww}" flag = "" for m in range(1,27): for val in enc: try: if val.islower(): flag += chr((gmpy2.invert(key1, m)*(ord(val) - ord('a') - key2)) % m + ord('a')) else: flag += val except Exception: flag = "" break if flag != "": print (flag)
bcde{d8b8dd65-ba9b-44b5-8361-da225d76aadd}
dcgf{a8c8ba65-cf9d-44d5-8361-gf225a76ffgg}
djhc{a8k8ea65-kb9d-44d5-8361-hb225a76bbhh}
flag{c8d8ec65-db9f-44f5-8361-ab225c76bbaa}
jhpn{k8o8fk65-og9j-44j5-8361-pg225k76ggpp}
gnel{m8r8bm65-rh9g-44g5-8361-eh225m76hhee}
tigs{n8m8un65-mo9t-44t5-8361-go225n76oogg}
qhsj{i8b8xi65-bp9q-44q5-8361-sp225i76ppss}
得到flag为
flag{c8d8ec65-db9f-44f5-8361-ab225c76bbaa}
Reverse
go
关于go语言的逆向题,打开之后,如果不能反编译,在Options->Compiler中将sizeof(int)改为4。
通过string Windows找到主要函数,
这里有个关键函数main_encode
这个函数实际就是一个变表的Base64加密,变表为
XYZFGHI2+/Jhi345jklmEnopuvwqrABCDKL6789abMNWcdefgstOPQRSTUVxyz01
最后再与nRKKAHzMrQzaqQzKpPHClX比较
# -*- coding:utf-8 -*- import base64 model = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" Str = "XYZFGHI2+/Jhi345jklmEnopuvwqrABCDKL6789abMNWcdefgstOPQRSTUVxyz01" enc = "nRKKAHzMrQzaqQzKpPHClX" s = "" for val in enc: s += model[Str.find(val)] print (s) for i in range(10): try: print (base64.b64decode(s+'='*i)) break except Exception: pass
得到输入为What_is_go_a_A_H
flag{e252890b-4f4d-4b85-88df-671dab1d78f3}