[LitCTF 2023]enbase64
base 64
里面有一个换表的函数
写代码
#include<stdio.h>
#include<string.h>
#include<stdlib.h>
/*
 * Rebuild the shuffled Base64 alphabet used by the enbase64 challenge.
 *
 * Starting from the standard alphabet, one fixed 64-entry permutation is
 * applied 48 times; the table left after the last round is printed.
 */
int main()
{
    /*
     * Round permutation: new[k] = old[perm[k]].
     * The decompiled listing never assigns index 33; it stays at the 0 left
     * by the zero-fill, and 0 is the one value missing from the other 63
     * entries, so the table is a complete permutation of 0..63.
     */
    static const int perm[64] = {
        16, 34, 56,  7, 46,  2, 10, 44,
        20, 41, 59, 31, 51, 60, 61, 26,
         5, 40, 21, 38,  4, 54, 52, 47,
         3, 11, 58, 48, 32, 15, 49, 14,
        37,  0, 55, 53, 24, 35, 18, 25,
        33, 43, 50, 39, 12, 19, 13, 42,
         9, 17, 28, 30, 23, 36,  1, 22,
        57, 63,  8, 27,  6, 62, 45, 29
    };
    char table[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    char snapshot[65];  /* 64 symbols + terminating NUL */
    int round;
    int k;

    /* snapshot holds the previous round's table while table is rewritten. */
    strcpy(snapshot, table);
    for (round = 0; round < 48; ++round) {
        for (k = 0; k < 64; ++k)
            table[k] = snapshot[perm[k]];
        strcpy(snapshot, table);
    }

    puts(snapshot);
    /* Output recorded in the write-up:
       gJ1BRjQie/FIWhEslq7GxbnL26M4+HXUtcpmVTKaydOP38of5v90ZSwrkYzCAuND */
    return 0;
}
得到
gJ1BRjQie/FIWhEslq7GxbnL26M4+HXUtcpmVTKaydOP38of5v90ZSwrkYzCAuND
得到换的表以后,套了一个脚本就出来了
import base64
import string
# Encoded flag taken from the challenge; it uses the shuffled alphabet below.
str1 = "GQTZlSqQXZ/ghxxwhju3hbuZ4wufWjujWrhYe7Rce7ju"
# Shuffled alphabet printed by the C program above.
string1 = "gJ1BRjQie/FIWhEslq7GxbnL26M4+HXUtcpmVTKaydOP38of5v90ZSwrkYzCAuND"
# Standard Base64 alphabet, assembled from the string module's constants.
string2 = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Map every symbol from the shuffled alphabet back to its standard
# counterpart, then decode normally. A swapped alphabet is only an encoding:
# once the table is recovered, so is the data.
to_standard = str.maketrans(string1, string2)
standard_text = str1.translate(to_standard)
print(base64.b64decode(standard_text))
#LitCTF{B@5E64_l5_tooo0_E3sy!!!!!}
LitCTF{B@5E64_l5_tooo0_E3sy!!!!!}
[LitCTF 2023]snake
.pyc
用 010 Editor 打开,第一行(pyc 文件头)是空的,需要按 Python 版本补齐,
提示了python3.7版本
Python 2.7: \x03\xf3\x0d\x0a\0\0\0\0
Python 3.0: \x3b\x0c\x0d\x0a\0\0\0\0
Python 3.1: \x4f\x0c\x0d\x0a\0\0\0\0
Python 3.2: \x6c\x0c\x0d\x0a\0\0\0\0
Python 3.3: \x9e\x0c\x0d\x0a\0\0\0\0\0\0\0\0
Python 3.4: \xee\x0c\x0d\x0a\0\0\0\0\0\0\0\0
Python 3.5: \x17\x0d\x0d\x0a\0\0\0\0\0\0\0\0
Python 3.6: \x33\x0d\x0d\x0a\0\0\0\0\0\0\0\0
Python 3.7: \x42\x0d\x0d\x0a\0\0\0\0\0\0\0\0\0\0\0\0
Python 3.8: \x55\x0d\x0d\x0a\0\0\0\0\0\0\0\0\0\0\0\0
Python 3.9: \x61\x0d\x0d\x0a\0\0\0\0\0\0\0\0\0\0\0\0
Python 3.10: \x6f\x0d\x0d\x0a\0\0\0\0\0\0\0\0\0\0\0\0
转py
关键代码
下面那个逗号,写的很迷,然后AI转了一下,emmm,人工智障,,。
找了一个别的,要加一个中间变量
脚本
#include<stdio.h>
#include<string.h>
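/*
 * Undo the pairwise swap-and-XOR transform from the snake challenge.
 *
 * For each pair of bytes (a, b) the output is (b ^ 136, a ^ 119).
 */
int main()
{
    /*
     * unsigned char: many of these values exceed 127 and would not fit a
     * signed char. The trailing 0 is an explicit terminator; the original
     * array had none, so strlen()/puts() read past the end of the buffer.
     */
    unsigned char flag[] = {30, 196, 52, 252, 49, 220, 7, 243, 3, 241, 24, 224, 40, 230,
                            25, 251, 28, 233, 40, 237, 4, 225, 4, 215, 40, 231, 22, 237, 14, 251, 10, 169,
                            0};
    int len;
    int i;
    unsigned char tmp;

    /* Length comes from the array size, not strlen(): the encoded bytes are
       data, and the count must not depend on where a 0 byte happens to be. */
    len = (int)sizeof(flag) - 1;

    /* i + 1 < len keeps the second byte of every pair inside the data. */
    for (i = 0; i + 1 < len; i = i + 2)
    {
        tmp = flag[i];
        flag[i] = flag[i + 1] ^ 136;
        flag[i + 1] = tmp ^ 119;
    }

    puts((char *)flag);
    //LitCTF{python_snake_is_so_easy!}
    return 0;
}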
[LitCTF 2023]程序和人有一个能跑就行了
题目提示动态调试
找到主函数
rc4加密,buf2是一个256字节的s盒,密钥是litctf
把那个buf1转为十六进制
进入下面那个4015A0
rc4脚本
def rc4_decrypt(ciphertext, key):
    """Decrypt *ciphertext* with RC4 under *key* and return the plaintext bytes.

    RC4 is a symmetric stream cipher, so this same routine also encrypts.

    Args:
        ciphertext: iterable of byte values (a list of ints or a bytes object).
        key: indexable sequence of byte values with a length, e.g. ``b'litctf'``.

    Returns:
        The XOR of each ciphertext byte with the keystream, as ``bytes``.
    """
    # Key scheduling: start from the identity permutation and shuffle it
    # under control of the key bytes (the key repeats when shorter than 256).
    state = list(range(256))
    key_len = len(key)
    mix = 0
    for pos in range(256):
        mix = (mix + state[pos] + key[pos % key_len]) % 256
        state[pos], state[mix] = state[mix], state[pos]

    def keystream():
        # Each step swaps two entries of the state and yields one byte.
        a = b = 0
        while True:
            a = (a + 1) % 256
            b = (b + state[a]) % 256
            state[a], state[b] = state[b], state[a]
            yield state[(state[a] + state[b]) % 256]

    # zip() stops with the ciphertext, so exactly one keystream byte is
    # drawn per input byte.
    return bytes(value ^ pad for value, pad in zip(ciphertext, keystream()))
# Example usage: the 27 ciphertext bytes (buf1) and the key from the write-up.
encrypted_data = [
    0x8D, 0x6C, 0x85, 0x76, 0x32, 0x72, 0xB7, 0x40, 0x88,
    0x7E, 0x95, 0xEE, 0xC5, 0xED, 0x2E, 0x71, 0x37, 0xF1,
    0x4A, 0x99, 0x35, 0x18, 0xA7, 0xB0, 0x00, 0x96, 0xB7,
]  # replace with your ciphertext
encryption_key = b'litctf'  # replace with your key

decrypted_data = rc4_decrypt(encrypted_data, encryption_key)
decoded_text = decrypted_data.decode('utf-8')
print("Decrypted Data:", decoded_text)
# Decrypted Data: LitCTF{this_is_a_fake_flag}
一个假的flag,再继续分析别的
five five
参考:http://t.csdnimg.cn/Ye0hc
动态调试
emmmm
直接看main的汇编吧
这个就是buf1得到假的flag的那个
这个是buf2可以得到正确flag
粘的代码,下面的改改以后就可以套用了,嘿嘿
rc4解密脚本
def rc4(key, ciphertext):
    """Run RC4 over *ciphertext* with *key* and return the result as a string.

    Args:
        key: indexable sequence of byte values with a length, e.g. ``b'litctf'``.
        ciphertext: sequence of byte values (list of ints or bytes).

    Returns:
        A ``str`` in which each character is ``chr()`` of one decrypted byte.
    """
    # Key scheduling: shuffle the identity permutation under the key.
    perm = list(range(256))
    acc = 0
    for idx in range(256):
        acc = (acc + perm[idx] + key[idx % len(key)]) % 256
        perm[idx], perm[acc] = perm[acc], perm[idx]

    # Keystream generation: one byte for every ciphertext byte.
    x = 0
    y = 0
    stream = []
    for _ in range(len(ciphertext)):
        x = (x + 1) % 256
        y = (y + perm[x]) % 256
        perm[x], perm[y] = perm[y], perm[x]
        stream.append(perm[(perm[x] + perm[y]) % 256])

    # XOR each ciphertext byte with its keystream byte and turn the value
    # into the character with that code point.
    return ''.join(chr(value ^ pad) for value, pad in zip(ciphertext, stream))
# Test run: same key as before, with the second ciphertext buffer (buf2)
# that the write-up says yields the real flag.
key = b'litctf'
ciphertext = [
    0x8D, 0x6C, 0x85, 0x76, 0x32, 0x72, 0xB7, 0x43, 0x85, 0x7B,
    0x85, 0xDE, 0xC1, 0xFB, 0x2E, 0x64, 0x07, 0xC8, 0x5F, 0x9A,
    0x35, 0x18, 0xAD, 0xB5, 0x15, 0x92, 0xBE, 0x1B, 0x88,
]
plaintext = rc4(key, ciphertext)
print(plaintext)
这个题怎么说呢,先得到了一个假的flag,然后又去找了另一组数据。这种做法没有用动态调试,所以后面找数据的思路就显得很奇怪,啊,可能因为我动态调试卡住了。
[LitCTF 2023]debase64--wait
参考:http://t.csdnimg.cn/mPUBT
32位,盲猜有SMC,猜错了,用不到,阿巴阿巴
4015220函数进入
学习
[LitCTF 2023]For Aiur
python逆向
怎么看出来的,大概是
玩的时候
出现了py吗,可能吧
啊不是
打开附件,可以看到是一个exe文件,用exeinfope查看可以看到是python编写的文件
需要先从exe文件中提取出pyc文件,再将pyc反编译得到py文件,拿到python源码
我们可以使用pyinstxtractor.py从exe文件中提取pyc文件(这一步是解包,不是反编译)。
参考:http://t.csdnimg.cn/Ye0hc
python pyinstxtractor.py XXXX.exe
放放