XYCTF

re

你是真的大学生吗?

8086芯片的汇编,主要逻辑是将flag的一位与下一位异或,顺序为正序然后与上面的数据比较。

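# Comparison bytes from the 8086 challenge, as listed in the write-up.
table = [0x76, 0x0E, 0x77, 0x14, 0x60, 0x06, 0x7D, 0x04, 0x6B, 0x1E,
         0x41, 0x2A, 0x44, 0x2B, 0x5C, 0x03, 0x3B, 0x0B, 0x33, 0x5]

# XOR every entry with its successor to recover one flag character per pair.
# Pairing adjacent entries yields len(table) - 1 characters, so the result is
# one character shorter than the table.
# NOTE(review): the printed string has no closing brace; how the binary treats
# the final byte is not visible here, so it is left unrecovered.
flag = ''.join(chr(cur ^ nxt) for cur, nxt in zip(table, table[1:]))
print(flag)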
xyctf{you_know_8086

聪明的信使

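# Ciphertext from the challenge: a Caesar shift applied to letters only.
table = 'oujp{H0d_TwXf_Lahyc0_14_e3ah_Rvy0ac@wc!}'

decoded = []
for ch in table:
    if ch.isupper():
        base = ord('A')
    elif ch.isalpha():
        base = ord('a')
    else:
        # Digits and punctuation are not shifted.
        decoded.append(ch)
        continue
    # Shift the letter back by 9 places, wrapping around inside its own case.
    decoded.append(chr((ord(ch) - base - 9) % 26 + base))

flag = ''.join(decoded)
print(flag)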

flag{Y0u_KnOw_Crypt0_14_v3ry_Imp0rt@nt!}

喵喵喵的flag碎了一地

拼flag

flag{My_fl@g_h4s_br0ken_4parT_Bu7_Y0u_c@n_f1x_1t}

DebugMe

本题只要apk在调试状态下即可getflag

使用jadx+雷神模拟器,可以直接调试,进入调试界面点击click me,出flag

题目要求应用处于可调试状态(debuggable == “true”),但我并没有把 android:debuggable=“true” 添加到 AndroidManifest.xml 中,只是用调试器附加了进程,flag 就出来了。

ez_cube

操作分析如上

该魔方的初始化为:

面对红的面,黄色在上,RuRURURuruRR秒了

Trustme

是个apk,jadx反编译:

RC4解密一下得到:

The Real username is admin

将admin作为username输入进去,failed,回到jadx发现有个proxyapplication,创建了一个shell.apk,模拟器搜一下,导出来

然后用jadx打开,发现存在sql注入漏洞:username与password作为参数注入后去查询数据库。数据库是资源目录assets下的mydb.db,但在创建shell.apk时这个数据库文件被加密了(从下面的脚本看,只是逐字节与0xFF异或)。虽然得到的shell.apk中有解密的代码,但我在模拟器上输入时仍然是failed:

所以手动解密:

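# Read the obfuscated SQLite file extracted from shell.apk's assets directory.
with open("C:\\Users\\86158\\Documents\\leidian9\\Pictures\\shell\\assets\\mydb.db", 'rb') as src:
    cipher = src.read()

# XOR with 0xFF is a plain bitwise complement of every byte. It is its own
# inverse, so the same operation both hides and restores the database; it is
# obfuscation, not keyed encryption.
decrypted_data = bytes(byte ^ 0xFF for byte in cipher)

# Write the restored database next to the original under a new name.
with open("C:\\Users\\86158\\Documents\\leidian9\\Pictures\\shell\\assets\\mydb111.db", 'wb') as dst:
    dst.write(decrypted_data)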

解密后的db文件用winhex打开可以直接看到flag

什么sql注入,不会

XYCTF{And0r1d_15_V3ryEasy}

ez_rand

Windows下的C语言随机数生成,种子未知,应该需要爆破,然后看程序头

6开头,爆破到70000…

#include <stdio.h>
#include <stdlib.h>
#include <time.h>

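/*
 * Brute-force the srand() seed that turns `cipher` into a string starting
 * with "XYCTF{", then print the decrypted bytes and the loop counter.
 *
 * srand() takes an unsigned int, so the 64-bit counter is converted on every
 * call. Where unsigned int is 32 bits, only the low 32 bits act as the seed,
 * and the range 0x600000000..0x6FFFFFFFF visits each 32-bit seed exactly once.
 * The value printed with %llx therefore still carries the leading 6.
 */
int main() {
    /* NOTE(review): 29 ciphertext bytes are listed but only 28 are decrypted
     * and printed (flag[] has 28 slots); confirm the real flag length. */
    int cipher[] = {0x5d, 0xc, 0x6c, 0xea, 0x46, 0x19, 0xfc, 0x34, 0xb2, 0x62, 0x23, 0x7, 0x62,
                    0x22, 0x6e, 0xfb, 0xb4, 0xe8, 0xf2, 0xa9, 0x91, 0x12, 0x21, 0x86, 0xdb, 0x8e,
                    0xe9, 0x43, 0x4d};
    char flag[28] = {0};
    const char prefix[] = {'X', 'Y', 'C', 'T', 'F', '{'};
    const int prefix_len = (int) sizeof(prefix);

    for (long long int i = 0x600000000; i < 0x700000000; i++) {
        srand(i);

        /* Decrypt only the known prefix first and drop the seed at the first
         * mismatch, which spares the remaining rand() calls for nearly every
         * candidate. */
        int j = 0;
        for (; j < prefix_len; j++) {
            int tmp = rand();
            /* Only the low byte survives the cast, and tmp + tmp / 255 is
             * congruent to tmp % 255 modulo 256, so the keystream byte is
             * effectively rand() % 255. */
            flag[j] = (char) (cipher[j] ^ (tmp + tmp / 255));
            if (flag[j] != prefix[j]) {
                break;
            }
        }
        if (j < prefix_len) {
            continue;
        }

        /* Prefix matched: keep drawing from the same rand() stream. */
        for (; j < 28; j++) {
            int tmp = rand();
            flag[j] = (char) (cipher[j] ^ (tmp + tmp / 255));
        }

        for (char x : flag) {
            printf("%c", x);
        }
        printf("\n");
        printf("%llx", i);
        break;
    }
    return 0;
}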

结果:

砸核桃

NSPack壳,吾爱破解脱壳,找到OEP:

修IAT:

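# Repeating XOR key used by the unpacked binary.
order = 'this_is_not_flag'

# Comparison data dumped from the binary. Every fourth byte carries a value
# and the three bytes after it are zero, which matches 32-bit little-endian
# integers whose low byte is the only non-zero part.
table = [0x12, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x08, 0x00,
         0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00,
         0x5C, 0x00, 0x00, 0x00, 0x4A, 0x00, 0x00, 0x00, 0x3D, 0x00,
         0x00, 0x00, 0x56, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00,
         0x10, 0x00, 0x00, 0x00, 0x67, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x41, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x01, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x5A, 0x00,
         0x00, 0x00, 0x44, 0x00, 0x00, 0x00, 0x42, 0x00, 0x00, 0x00,
         0x6E, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x44, 0x00,
         0x00, 0x00, 0x72, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00,
         0x0D, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x3E, 0x00,
         0x00, 0x00, 0x4B, 0x00, 0x00, 0x00, 0x5F, 0x00, 0x00, 0x00,
         0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x4C, 0x00,
         0x00, 0x00, 0x5E, 0x00, 0x00, 0x00, 0x5B, 0x00, 0x00, 0x00,
         0x17, 0x00, 0x00, 0x00, 0x6E, 0x00, 0x00, 0x00, 0x0C, 0x00,
         0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x68, 0x00, 0x00, 0x00,
         0x5B, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
         0x00, 0x00, 0x00, 0x00, 0x00, 0x00]

# XOR the low byte of each of the first 42 words with the repeating key.
flag = ''.join(
    chr(table[4 * i] ^ ord(order[i % len(order)]))
    for i in range(42)
)
print(flag)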
flag{59b8ed8f-af22-11e7-bb4a-3cf862d1ee75}

ez_math

pyc反编译,得到py代码

本来想用z3解的,写一半发现个规律:)

条件中减去的数都是偶数,而且最后一个元素减去的是250,正好是125(’}’)的2倍,所以把这些数除以2就是flag各字符的ASCII码,秒了

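# ASCII codes of the flag, taken from the constants in the decompiled checks.
table = [88, 89, 67, 84, 70, 123, 113, 55, 87, 89, 71, 115, 99, 85, 117, 112, 116, 84, 89, 88, 106, 110, 106, 75, 111, 121, 85, 84, 75, 116, 71, 125]

# Convert the codes to characters in one pass and print without a newline.
flag = ''.join(map(chr, table))
print(flag, end='')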

XYCTF{q7WYGscUuptTYXjnjKoyUTKtG}

what’s this

lua在线反编译,主要逻辑在最后,解密:

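import base64

# Stage 1: undo the character substitutions and the reversal to get Base64.
cipher = '==AeuFEcwxGPuJ0PBNzbC16ctFnPB5DPzI0bwx6bu9GQ2F1XOR1U'
# The three replacements do not feed into each other, so a single translate()
# gives the same result as chaining replace() calls.
encoded = cipher.translate(str.maketrans('643', 'WHg'))[::-1]
print(encoded)

# Stage 2: decode the Base64 text here rather than pasting the decoded string
# back in by hand, then undo the per-character "+3 after XOR 8" transform.
cipher = base64.b64decode(encoded).decode('ascii')
tmp = ''.join(chr((ord(ch) - 3) ^ 8) for ch in cipher)
print(tmp)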

U1ROX1F2QG9ubWxwb0IzPD5BPnFtcW1CbzNBP0JuPGxwcEFueA==
XYCTF{5dcbaed781363fbfb7d8647c1aee6c}

给阿姨倒一杯卡布奇诺

变种tea加密:

  1. 在正常tea基础上添加了“^ (sum + i)”操作
  2. 添加了data1和data2对加密时输入的明文进行处理

解密时要注意这两点

解密代码:

#include <cstdio>

// Encryption routine for the challenge's TEA variant.
// v: two 32-bit words, encrypted in place; k: four 32-bit key words.
// Two changes from textbook TEA are visible here: the input words are first
// XORed with fixed masks, and each round mixes in an extra (sum + round) term.
// The constant also differs from the standard TEA delta 0x9E3779B9.
void encrypt (unsigned int* v, const unsigned int* k) {
    const unsigned int delta = 0x6E75316C;              /* key schedule constant */
    const unsigned int k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];  /* cache key */

    /* Mask the plaintext words before the round function runs. */
    unsigned int left = 0x5F797274 ^ v[0];
    unsigned int right = 0x64726168 ^ v[1];

    unsigned int sum = 0;
    for (unsigned int round = 0; round < 32; ++round) {
        sum += delta;
        left += ((right >> 5) + k1) ^ (right + sum) ^ ((right << 4) + k0) ^ (sum + round);
        right += ((left >> 5) + k3) ^ (left + sum) ^ ((left << 4) + k2) ^ (sum + round);
    }

    v[0] = left;
    v[1] = right;
}

// Decryption routine for the challenge's TEA variant.
// v: two 32-bit ciphertext words, replaced in place by the plaintext;
// k: four 32-bit key words; data1/data2: masks XORed onto the two words after
// the rounds have been undone (the caller decides which masks apply).
void decrypt (unsigned int* v, const unsigned int* k, unsigned int data1, unsigned int data2) {
    const unsigned int delta = 0x6E75316C;              /* key schedule constant */
    const unsigned int k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];  /* cache key */

    unsigned int left = v[0];
    unsigned int right = v[1];
    unsigned int sum = delta * 32;                      /* value of sum after the last round */

    /* Walk the rounds backwards: round counts 31, 30, ..., 0. */
    for (unsigned int round = 32; round-- > 0; ) {
        right -= ((left >> 5) + k3) ^ (left + sum) ^ ((left << 4) + k2) ^ (sum + round);
        left -= ((right >> 5) + k1) ^ (right + sum) ^ ((right << 4) + k0) ^ (sum + round);
        sum -= delta;
    }

    /* Remove the masks that were applied before the rounds. */
    v[0] = data1 ^ left;
    v[1] = data2 ^ right;
}

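// Decrypt the four 64-bit ciphertext blocks and print the recovered bytes.
int main()
{
    // Ciphertext (eight 32-bit words) and key (four 32-bit words, 128 bits).
    // Stored little-endian, the key bytes spell "give_you_cup_tea".
    // The byte-swapped spellings of the same constants would be
    //   v: 0x45ed289b, 0xe9c65e14, 0xc3a6275b, 0xd5759ee5,
    //      0x00252ce8, 0x921d21a4, 0x624b8acd, 0x40f468a6
    //   k: 0x67697665, 0x5f796f75, 0x5f637570, 0x5f746561
    unsigned int v[8] = {0x9B28ED45, 0x145EC6E9, 0x5B27A6C3, 0xE59E75D5, 0xE82C2500, 0xA4211D92, 0xCD8A4B62, 0xA668F440};
    unsigned int k[4] = {0x65766967, 0x756F795F, 0x7075635F, 0x6165745F};

    // Masks for the first block ("try_" / "hard" as little-endian bytes).
    unsigned int data1 = 0x5F797274, data2 = 0x64726168;

    // Each later block is unmasked with the previous block's ciphertext, so
    // the ciphertext pair is saved before decrypt() overwrites it in place.
    unsigned int tmp[2];
    for (int i = 0; i < 7; i += 2)
    {
        tmp[0] = v[i];
        tmp[1] = v[i + 1];
        decrypt(v + i, k, data1, data2);
        data1 = tmp[0];
        data2 = tmp[1];
    }

    printf("解密后的数据:%x, %u, %u, %u, %u, %u, %u, %u\n",v[0],v[1], v[2], v[3], v[4], v[5], v[6], v[7]);

    // v has no terminating NUL, so an unbounded "%s" would read past the end
    // of the array. Bound the output to the buffer size instead.
    printf("%.*s", (int) sizeof(v), (const char *) v);
    return 0;
}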


XYCTF{133bffe401d223a02385d90c5f1ca377}

misc

熊博士

苦思冥想发现是替换密码(也就是Atbash密码):以ABCDEFGHIJKLMNOPQRSTUVWXYZ为表,以左右各有13个字母的中间位置为对称线,将每个字母替换为与它对称的字母。

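import string

# Ciphertext: an alphabet-mirror (Atbash) substitution on uppercase letters.
table = 'CBXGU{ORF_BV_NVR_BLF_CRZL_QQ}'

# Uppercase alphabet used as the substitution table.
uppercase_letters = string.ascii_uppercase
print(uppercase_letters)

# Map A<->Z, B<->Y, ... by pairing the alphabet with its reverse.
mirror = str.maketrans(uppercase_letters, uppercase_letters[::-1])

# Only uppercase letters are decoded; braces and underscores are dropped, so
# the word boundaries have to be restored by hand afterwards.
flag = ''.join(ch for ch in table if ch.isupper()).translate(mirror)

print(flag)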

得到XYCTFLIUYEMEIYOUXIAOJJ,然后换成小写并加上flag头。

osint1

洛阳龙门站,搜目的地为泸州的高铁,只有一个车次,再搜洛阳景区,挨个试,运气比较好,第三次出了,河南洛阳老君山

crypto

Sign1n[签到]

from Crypto.Util.number import *

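# Challenge output: a decimal digit string that encodes a reversed bit string
# with a position-dependent offset added to every digit.
a = 12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567891134567780012455688902335677900133456899013346778011245567991223466790013355689911234677901134456789122355788001335568990133566789113445778012235578800133556899022356679001245567991223557880012455689912235667991124556780122355788001344578891124566799113445679912234677801124556899023356678001245578801233467789112355779912234577990233556780113
a = list(str(a))
print(a)

# Undo the offset: subtract (position + 1) from each digit, modulo 10.
tmp = [str((int(digit) - pos - 1) % 10) for pos, digit in enumerate(a)]

# The bits were stored back to front.
input_list = tmp[::-1]
bits = ''.join(input_list)
if set(bits) - {'0', '1'}:
    raise ValueError('digit string did not decode to a bit string')

# Converting `bits` directly gives bytes that are each twice the expected
# ASCII code (hex b0b286a88cf6..., as recorded in the write-up), which means
# the stream is shifted left by one bit. Presumably the generator used bin(),
# which drops the leading zero bit of the first character; the generator is
# not shown here. Prepending that bit realigns the stream on byte boundaries.
bits = '0' + bits
whole = len(bits) - len(bits) % 8  # ignore a trailing partial byte
ree = int(bits[:whole], 2)
order = ree.to_bytes(whole // 8, 'big')

# The stream appears to be zero-padded at the end, so drop trailing NUL bytes.
flag = order.rstrip(b'\x00').decode('latin-1')
print(flag)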

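解密脚本应该是没问题的,不知道为什么得到的结果是错的,而且字节对应的整数除以2就是flag每个字符的ascii。一个可能的解释是:还原出的比特串整体左移了一位——出题脚本如果用bin()转二进制,就会丢掉首字符最高位的0(ASCII字符的最高位恒为0)。在比特串最前面补一个0再按8位分组,就能直接得到flag。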