主工控的比赛但一道工控的都没看。。。
Re
freestyle
第一个函数
4 * (3 * atoi(s) / 9 - 9) != 4400 计算得 3327
第二个函数 2 * (atoi(s) % 56) != 98 计算得 105
3327105,md5 加密即可
flag{31a364d51abd0c8304106c16779d83b1}
Re_function
将压缩包的二进制信息提出,发现为一张图片
密码为 3CF8
解压得到两个文件
第一个文件
nop掉花指令
int __cdecl main(int argc, const char **argv, const char **envp)
{
FILE *v3; // eax
int v4; // kr00_4
int i; // ecx
int v6; // ecx
char v7; // dl
char v8; // bl
__int128 v10; // [esp+Ch] [ebp-3Ch]
int v11; // [esp+1Ch] [ebp-2Ch]
int v12; // [esp+20h] [ebp-28h]
int v13; // [esp+24h] [ebp-24h]
char Buffer[16]; // [esp+28h] [ebp-20h] BYREF
__int64 v15; // [esp+38h] [ebp-10h]
int v16; // [esp+40h] [ebp-8h]
*(_OWORD *)Buffer = 0i64;
v15 = 0i64;
v16 = 0;
v10 = xmmword_402120;
v11 = 1919318081;
v12 = 1314814017;
v13 = 1024348765;
puts("please input flag: ");
v3 = _acrt_iob_func(0);
fgets(Buffer, 28, v3);
v4 = strlen(Buffer);
for ( i = 0; i < v4; i += 2 )
Buffer[i] ^= 0x37u;
v6 = 0;
if ( v4 <= 0 )
goto LABEL_7;
do
{
v7 = *((_BYTE *)&v10 + v6);
v8 = Buffer[v6++];
}
while ( v6 < v4 );
if ( v8 == v7 )
puts("Get!!!");
else
LABEL_7:
puts("Error!!!");
return 0;
}
脚本
#include <iostream>
int main()
{
char v1[] = {0x64, 0x71, 0x54, 0x54, 0x64, 0x78, 0x74, 0x78, 0x64, 0x41,
0x40, 0x48, 0x70, 0x6D, 0x18, 0x4A, 0x41, 0x78, 0x66, 0x72, 0x41, 0x78, 0x5E, 0x4E, 0x5D, 0x52, 0x0E, 0x3D};
// int data[3];
// data[0] = 0x72667841;
// data[1] = 0x4E5E7841;
// data[2] = 0x3D0E525D;
for (int i = 0; i < 28; i += 2)
v1[i] = v1[i] ^ 0x37;
for (int i = 0; i < 28; i++)
printf("%c", (*((char *)v1 + i)));
return 0;
}
// SqcTSxCxSAwHGm/JvxQrvxiNjR9=
第二个文件为base64
import base64
import string
str1 = "FeVYKw6a0lDIOsnZQ5EAf2MvjS1GUiLWPTtH4JqRgu3dbC8hrcNo9/mxzpXBky7+"
str2 = string.ascii_uppercase+string.ascii_lowercase+string.digits+"+/"
s = "SqcTSxCxSAwHGm/JvxQrvxiNjR9="
print(base64.b64decode(s.translate(str.maketrans(str1, str2))))
# b'flag{we1come_t0_wrb}'
定时启动
队友做出来的
运行
修改系统时间后再运行一次
flag{c4c728s9ccbc87e4b5ce2f}
ez_algorithm
算法逆向即可
def fun3(s):
if (s > 64 and s <= 70 or s > 96 and s <= 102):
return s + 20
if (s > 84 and s <= 90 or s > 116 and s <= 122):
return s - 20
if (s > 71 and s <= 77 or s > 103 and s <= 109):
return s + 6
if (s > 77 and s <= 83 or s > 109 and s <= 115):
return s - 6
if (s == 71 or s == 103):
return s + 13
if (s == 84 or s == 116):
return s - 13
if (s > 47 and s <= 57):
return 105 - s
def fun2(s): # 大写转小写,小写转大写,数字不变
if s > 64 and s <= 90:
return fun3(s + 32)
if s > 96 and s <= 122:
return fun3(s - 32)
if s > 47 and s <= 57:
return fun3(s)
str = [38, 43, 42, 92, 63, 36, 35]
v17 = 'ckagevdxizblqnwtmsrpufyhoj'
v16 = 'TMQZWKGOIAGLBYHPCRJSUXEVND'
def fun1(s, i):
if s in str:
return ord('_')
if s > 122 or s == 58:
return s
if s >= 48 and s <= 57:
return fun2(s)
if s >= 65 and s <= 90:
m = chr(fun2(s))
if i % 4 == 1:
a = (v17.find(m))
if i % 4 == 2:
a = (v17.find(m) ^ 2)
if i % 4 == 3:
a = (v17.find(m)-3)
if i % 4 == 0:
a = (v17.find(m))
return (a+97)
if s >= 97 and s <= 122:
m = chr(fun2(s))
if i % 4 == 1:
a = (v16.find(m)-1)
if i % 4 == 2:
a = (v16.find(m) & 3)
if i % 4 == 3:
a = (v16.find(m) ^ 3)
if i % 4 == 0:
a = (v16.find(m))
return (a+65)
s = "BRUF{E6oU9Ci#J9+6nWAhwMR9n:}"
flag = []
for i in range(len(s)):
flag.append(chr(fun1(ord(s[i]), i)))
print(''.join(flag))
# flag{w3Lc0mE_t0_3NcrYPti0N:}
Misc
玩坏的winxp
打不开,设置下好的 Windows XPSP3 镜像(iso),
添加 SCSI 硬盘,设置 Windows XP Professional.vmdk 的路径,
即可进入系统。 设置好可以看到隐藏文件
在10个t的学习资料里有一个隐藏文件meiren.png,binwalk 解包得f1ag.png继续解包得到41E7.zip。需要解压密码,密码在有围脖的软件里,盲猜qq
火狐打不开,重下一个火狐xp版。
在火狐最长访问里可以找到
http://10.30.7.1:8000/login.html?qq=1272045963
在1272045963的qq空间里可以找到密码
dc45445a8a099e63fbb9b8480d57723a md5解密
密码:xiaomin520,即可解压压缩包
flag{this_is_what_u_want8}
