小白做完了re还是很开心的
RE部分
Day 1 helloRe
第一天的第一道题~~这道题是真.签到题啊
进入ida,没有明显的main函数,F12查找字符串,看到input flag点进去
发现主函数应该是sub_1400014C0
逻辑很简单,脚本也挺好写的
#include<iostream>
using namespace std;
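// Undo the helloRe XOR stream: out[i] = in[i] ^ (start_key - i).
// sub_1400014C0 starts the key at 0xFF and decrements it once per byte, so
// the same routine both encrypts and decrypts (XOR is its own inverse).
// `in` must provide n bytes; `out` must have room for n + 1 bytes and is
// NUL-terminated on return.
static void xor_decode(const char* in, int n, unsigned char start_key, char* out)
{
    unsigned char key = start_key;
    for (int i = 0; i < n; i++)
    {
        out[i] = static_cast<char>(in[i] ^ key);
        --key;   // wraps modulo 256; only the low byte matters for a char XOR
    }
    out[n] = '\0';
}

int main()
{
    // NOTE(review): this literal is IDA's code-page rendering of raw ciphertext
    // bytes (11 double-byte characters = 22 bytes in GBK + NUL = 23). It only
    // builds into the intended 23-byte array when the source file is compiled
    // in that same code page; as UTF-8 it is 33 bytes and the initializer is
    // rejected. Pasting the bytes as hex escapes ("\xNN...") copied from IDA's
    // hex view would make the script encoding-independent. Also note that if
    // the literal really is 22 bytes, asc_[22] is the terminating NUL and the
    // 23rd output byte is simply 0xFF - 22 = 0xE9 - check the flag length.
    char asc_[23] = "棛湋瀬憹洑毇仐畝儚攭櫁";
    char memory[30] = "";

    xor_decode(asc_, 23, 0xFF, memory);
    printf("%s", memory);
}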
Day 2 pypy
第一次做python反汇编,好在题目比较友好,没有太复杂
照着类似题的 wp，再用 Python 自带的 dis 模块反汇编字节码，就可以硬翻。。
下面写了注释的哦
0 LOAD_GLOBAL 0 (input)
2 LOAD_CONST 1 ('give me your flag:\n')
4 CALL_FUNCTION 1
6 STORE_FAST 0 (raw_flag)
5 8 LOAD_GLOBAL 1 (list)
10 LOAD_FAST 0 (raw_flag)
12 LOAD_CONST 2 (6)
14 LOAD_CONST 3 (-1)
16 BUILD_SLICE 2 取 raw_flag[6:-1]，即去掉开头 6 个字符 hgame{ 和结尾的 }
18 BINARY_SUBSCR 所以解出来之后要包上 hgame{} 才是完整的 flag
20 CALL_FUNCTION 1
22 STORE_FAST 1 (cipher)
6 24 LOAD_GLOBAL 2 (len)
26 LOAD_FAST 1 (cipher)
28 CALL_FUNCTION 1 length=len(cipher)
30 STORE_FAST 2 (length)
8 32 LOAD_GLOBAL 3 (range)
34 LOAD_FAST 2 (length)
36 LOAD_CONST 4 (2)
38 BINARY_FLOOR_DIVIDE
40 CALL_FUNCTION 1
42 GET_ITER
>> 44 FOR_ITER 54 (to 100)
46 STORE_FAST 3 (i)
9 48 LOAD_FAST 1 (cipher)
50 LOAD_CONST 4 (2)
52 LOAD_FAST 3 (i)
54 BINARY_MULTIPLY
56 LOAD_CONST 5 (1)
58 BINARY_ADD
60 BINARY_SUBSCR cipher[2i+1]
62 LOAD_FAST 1 (cipher)
64 LOAD_CONST 4 (2)
66 LOAD_FAST 3 (i)
68 BINARY_MULTIPLY
70 BINARY_SUBSCR cipher[2i]
72 ROT_TWO
74 LOAD_FAST 1 (cipher)
76 LOAD_CONST 4 (2)
78 LOAD_FAST 3 (i)
80 BINARY_MULTIPLY
82 STORE_SUBSCR
84 LOAD_FAST 1 (cipher)
86 LOAD_CONST 4 (2)
88 LOAD_FAST 3 (i)
90 BINARY_MULTIPLY
92 LOAD_CONST 5 (1)
94 BINARY_ADD
96 STORE_SUBSCR 这一段就是x,y=y,x
98 JUMP_ABSOLUTE 44 交换了cipher[2i+1]和cipher[2i]
12 >> 100 BUILD_LIST 0
102 STORE_FAST 4 (res) #创建一个list
13 104 LOAD_GLOBAL 3 (range)
106 LOAD_FAST 2 (length)
108 CALL_FUNCTION 1
110 GET_ITER
>> 112 FOR_ITER 26 (to 140)
114 STORE_FAST 3 (i)
14 116 LOAD_FAST 4 (res)
118 LOAD_METHOD 4 (append)
120 LOAD_GLOBAL 5 (ord)
122 LOAD_FAST 1 (cipher)
124 LOAD_FAST 3 (i)
126 BINARY_SUBSCR
128 CALL_FUNCTION 1
130 LOAD_FAST 3 (i)
132 BINARY_XOR res.append(ord(cipher[i])^i)
134 CALL_METHOD 1
136 POP_TOP
138 JUMP_ABSOLUTE 112
15 >> 140 LOAD_GLOBAL 6 (bytes)
142 LOAD_FAST 4 (res)
144 CALL_FUNCTION 1
146 LOAD_METHOD 7 (hex)
148 CALL_METHOD 0
150 STORE_FAST 4 (res) 把res里的数据转成16进制
16 152 LOAD_GLOBAL 8 (print)
154 LOAD_CONST 6 ('your flag: ')
156 LOAD_FAST 4 (res)
158 BINARY_ADD 输出res
160 CALL_FUNCTION 1
162 POP_TOP
164 LOAD_CONST 0 (None)
166 RETURN_VALUE
# your flag: 30466633346f59213b4139794520572b45514d61583151576638643a
其实就几行代码,因本废物只能看懂一点python但不会写,所以还是用的C++写脚本
#include<iostream>
using namespace std;
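// Invert the pypy challenge transform on n byte values.
//   forward (from the bytecode): swap cipher[2i] <-> cipher[2i+1] for i in range(n//2),
//                                then res[i] = ord(cipher[i]) ^ i
//   inverse (here):              undo the XOR first, then undo the pair swap.
// `out` must hold n + 1 bytes and is NUL-terminated on return.
static void decode_pypy(const int* cipher, int n, char* out)
{
    for (int i = 0; i < n; i++)
        out[i] = static_cast<char>(cipher[i] ^ i);

    // Only n/2 pairs exist (range(length // 2) in the bytecode). The original
    // script looped to 17 on a 28-byte buffer, swapping flag1[28..33] out of
    // bounds; that was undefined behaviour that merely happened not to
    // disturb the 28 printed bytes. An odd trailing byte is left untouched.
    for (int i = 0; i < n / 2; i++)
        std::swap(out[2 * i], out[2 * i + 1]);

    out[n] = '\0';
}

int main()
{
    // bytes of the hex string printed by the challenge ("your flag: 3046...")
    const int cipher[] = { 0x30,0x46,0x66,0x33,0x34,0x6f,0x59,0x21,0x3b,0x41,0x39,0x79,0x45,0x20,
                           0x57,0x2b,0x45,0x51,0x4d,0x61,0x58,0x31,0x51,0x57,0x66,0x38,0x64,0x3a };
    const int n = static_cast<int>(sizeof cipher / sizeof cipher[0]);   // 28
    char flag1[sizeof cipher / sizeof cipher[0] + 1] = {};

    decode_pypy(cipher, n, flag1);

    // raw_flag[6:-1] stripped "hgame{" and "}" before encoding, so wrap the
    // output in hgame{...} before submitting.
    fwrite(flag1, 1, static_cast<size_t>(n), stdout);
    return 0;
}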
hgame{} 包上，提交~（讲真这个 flag 有点，，不好看，我一直以为自己哪里写错了）。另外注意上面脚本里交换循环的上界应该是 14（即 length//2 = 28//2），写成 17 会越界访问 flag1[28..33]，只是碰巧没有影响前 28 个字符的输出。
Day 3-5 apacha
压轴,对于我这种废物小白,这道题确实有一丢丢难
其实就是个xxtea加密,但也是看了好多篇wp加之超级可爱的学长的帮助下才做完的
再把 dword_5020 里的 140 个字节按小端序每 4 个拼成一个 32 位数（下面的 hex() 做的就是这件事，输出 35 个 dword）
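// Pack four byte values (each expected to be 0..255) into one little-endian
// 32-bit word: b[0] is the least-significant byte, which is how the bytes of
// an int array are laid out in memory (IDA's dword_5020).
static uint32_t pack_le(const uint32_t* b)
{
    return (b[3] << 24) | (b[2] << 16) | (b[1] << 8) | b[0];
}

// Print the 140 bytes dumped from dword_5020 as 35 little-endian dwords in
// C-initializer form ("0x........, "), ready to paste into the decrypt script.
void hex()
{
    // raw byte dump from dword_5020; every value must be < 256 for pack_le()
    uint32_t v[] = { 35, 179, 78, 231, 54, 40, 167, 183, 226, 111,
    202, 89, 193, 197, 124, 150, 116, 38, 128, 231,
    230, 84, 45, 61, 86, 3, 157, 138, 156, 195,
    220, 153, 237, 216, 38, 112, 173, 253, 51, 106,
    10, 85, 150, 244, 158, 111, 156, 92, 76, 208,
    229, 27, 23, 174, 35, 103, 194, 165, 112, 82,
    10, 19, 66, 172, 178, 103, 190, 132, 121, 199,
    92, 112, 152, 61, 81, 92, 45, 218, 54, 251,
    69, 150, 23, 34, 157, 82, 227, 92, 251, 225,
    137, 209, 137, 212, 91, 232, 31, 209, 200, 115,
    150, 193, 181, 84, 144, 180, 124, 182, 202, 228,
    23, 33, 148, 249, 227, 157, 170, 161, 90, 47,
    253, 1, 232, 167, 171, 110, 13, 195, 156, 220,
    173, 27, 74, 176, 83, 52, 249, 6, 164, 146, };

    // derive the word count from the array instead of hard-coding 35
    const int words = static_cast<int>(sizeof v / sizeof v[0]) / 4;
    for (int i = 0; i < words; i++)
    {
        // %08x gives the same two hex digits per byte the original produced
        // with its "0%x" / "%x" branches
        printf("0x%08x, ", pack_le(v + 4 * i));
    }
}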
对了,密钥的位置传入的是&v6,所以密钥就是1,2,3,4
上网搜解密脚本套用即可。注意下面 btea 的加密分支写死了 rounds=3，而解密分支用的是标准 XXTEA 的 6+52/n，两个分支并不互逆；这题只用到解密分支，轮数要和二进制里的一致。
#include <stdio.h>
#include <stdint.h>
#include<iostream>
// XXTEA "golden ratio" round constant (0x9e3779b9)
#define DELTA 0x9e3779b9
// XXTEA mixing term. Relies on y, z, sum, p, e and key being in scope at the
// expansion site; key[(p&3)^e] selects one of the four key words per position.
#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))
using namespace std;
// 35 ciphertext dwords from dword_5020, little-endian, as printed by hex()
uint32_t v3[] = { 0xe74eb323, 0xb7a72836, 0x59ca6fe2, 0x967cc5c1, 0xe7802674,
0x3d2d54e6, 0x8a9d0356,0x99dcc39c, 0x7026d8ed, 0x6a33fdad, 0xf496550a, 0x5c9c6f9e,
0x1be5d04c, 0x6723ae17, 0x5270a5c2, 0xac42130a,
0x84be67b2, 0x705cc779, 0x5c513d98, 0xfb36da2d, 0x22179645, 0x5ce3529d, 0xd189e1fb,
0xe85bd489, 0x73c8d11f,
0x54b5c196, 0xb67cb490, 0x2117e4ca, 0x9de3f994, 0x2f5aa1aa, 0xa7e801fd, 0xc30d6eab,
0x1baddc9c, 0x3453b04a, 0x92a406f9, };
namespace {

// XXTEA round constant (same value as the file's DELTA macro)
constexpr uint32_t kDelta = 0x9e3779b9;

// One XXTEA mixing term, written as a function rather than the MX macro.
// p selects the key word together with e = (sum >> 2) & 3.
inline uint32_t mix(uint32_t y, uint32_t z, uint32_t sum,
                    unsigned p, unsigned e, const uint32_t key[4])
{
    const uint32_t lhs = ((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4));
    const uint32_t rhs = (sum ^ y) + (key[(p & 3) ^ e] ^ z);
    return lhs ^ rhs;
}

}  // namespace

// XXTEA block cipher over |n| 32-bit words, in place.
//   n >  1 : encrypt v[0..n-1]
//   n < -1 : decrypt v[0..-n-1]
//   otherwise: no-op
// key is four 32-bit words (128-bit key).
// NOTE(review): the encrypt branch runs a fixed 3 rounds while the decrypt
// branch uses the standard 6 + 52/n, so the two branches are NOT inverses of
// each other. Only the decrypt branch is exercised by main(); confirm the
// round count against the binary before relying on the encrypt side.
void btea(uint32_t* v, int n, uint32_t const key[4])
{
    if (n > 1)
    {
        const unsigned len = static_cast<unsigned>(n);
        uint32_t sum = 0;
        uint32_t y = 0;
        uint32_t z = v[len - 1];

        for (unsigned round = 0; round < 3; ++round)
        {
            sum += kDelta;
            const unsigned e = (sum >> 2) & 3;
            unsigned p = 0;
            for (; p < len - 1; ++p)
            {
                y = v[p + 1];
                z = v[p] += mix(y, z, sum, p, e, key);
            }
            // last word wraps around to v[0]; p == len - 1 here
            y = v[0];
            z = v[len - 1] += mix(y, z, sum, p, e, key);
        }
    }
    else if (n < -1)
    {
        const unsigned len = static_cast<unsigned>(-n);
        unsigned rounds = 6 + 52 / len;
        uint32_t sum = rounds * kDelta;   // unsigned wrap is intended
        uint32_t y = v[0];
        uint32_t z = 0;

        while (rounds--)
        {
            const unsigned e = (sum >> 2) & 3;
            unsigned p = len - 1;
            for (; p > 0; --p)
            {
                z = v[p - 1];
                y = v[p] -= mix(y, z, sum, p, e, key);
            }
            // first word wraps around to v[len - 1]; p == 0 here
            z = v[len - 1];
            y = v[0] -= mix(y, z, sum, p, e, key);
            sum -= kDelta;
        }
    }
}
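int main()
{
    // the binary passes &v6 as the key, i.e. the four consecutive dwords 1,2,3,4
    uint32_t const k[4] = { 1, 2, 3, 4 };

    // btea() takes |n| as the number of 32-bit words in v: positive n encrypts,
    // negative n decrypts. Derive it from the array so the two cannot drift.
    const int n = static_cast<int>(sizeof v3 / sizeof v3[0]);   // 35

    btea(v3, -n, k);

    // Each decrypted word is printed as a single character, i.e. only its low
    // byte. That matches a plaintext stored one character per dword (which is
    // presumably how the binary holds the flag - confirm in IDA); if the words
    // turned out to be packed bytes, all four bytes of each word would need
    // to be dumped instead. The cast keeps the %c argument an int as printf
    // expects, rather than passing a uint32_t through varargs.
    for (int i = 0; i < n; i++)
    {
        printf("%c", static_cast<int>(v3[i]));
    }
    return 0;
}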
呜呜呜week2就不会做了,我还是太废物了。。。
WEB
只做了常规套娃的签到题
GET不行。。改成POST。。。之后就全程跟着提示安静套娃
改一下UA
加个Referer头
加个 X-Forwarded-For: 127.0.0.1 头（XFF）
搞定。。
CRYPTO
题目里的那串 md5 想不通什么意思，而且 md5 是单向哈希，只能查表或爆破、不能直接"解"，先看 txt
乱中有序哈哈哈哈,替换加密,已知qypyh=hgame可以直接爆破
解密网站链接
据提示要在最后加年份。。试了2003。。不行。。头秃。。
灵光一现。。试个2021。。。成功!
打开文件,摩斯电码,找个在线网站解一下
盲猜是ASCII码,VS里跑一下是一串base64(等号结尾很明显)
据提示维吉尼亚密码,密钥Liki。。。
}KccnYt!1NlPpu!zeE1{C+9pfrhLB_Fz~uGy4n
然后我就不会了,下面是神仙操作:
栅栏 6 :}!!Ch~K1z+LucNe9BGclEp_ynP1fF4Yp{rzntu
rot13:}!!Pu~X1m+YhpAr9OTpyRc_laC1sS4Lc{emagh
reverse:hgame{cL4Ss1Cal_cRypTO9rAphY+m1X~uP!!}
(问神仙,神仙说他是猜的。。)
MISC
真.签到题,base64,base32,base16一通解就行
唉,差点没被这道题套娃套死
给了张图片,据提示应该是藏了压缩包,binwalk分离
得到加密压缩包,提示密码是八位数字,暴力破解即可
又来一层加密,很明显的明文攻击,试了好久不行,根据提示storage
把已知明文压缩时要选择压缩方式为"存储"(store)，加密方式选 zip 传统加密（ZipCrypto），和目标压缩包一致才能做明文攻击
又来加密压缩包。。。看了一眼不是伪加密.。。。求助学长,被秒解,原来旁边这一串是html编码。。。。是我见识太少,意识太差了呜呜呜
PWN
。。。除了最最最基础的栈溢出能对着wp做其他我都不会,于是签到题就跪了
。。。pwn太难了呜呜呜。。。