Misc
Sign-in
After answering the questions and entering the token, the flag is visible in the console.
flag{32c7c08cc310048a8605c5e2caba3e99}
crypto
boom
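```cpp
#include <cstdlib>
#include <iostream>
using namespace std;

int main() {
    // Brute-force a such that a * (a + 1) equals the target value.
    long long a = 0;
    long long b = a * (a + 1);
    while (1) {
        if (b == 7943722218936282)
            break;
        a++;
        b = a * (a + 1);
    }
    cout << a << endl;
    system("PAUSE");  // Windows only: keeps the console window open
    return 0;
}
```
flag{en5oy_746831_89127561}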
Reverse
bang
The app is protected with the free edition of the Bangcle (梆梆) packer; this challenge is mainly a matter of using FART to unpack the encrypted classes.dex.
```java
// Decompiled output; the variable names are the decompiler's.
public void onClick(View paramAnonymousView) {
    String str = localEditText.getText().toString();
    paramAnonymousView = paramBundle.getText().toString();
    if (str.equals(paramAnonymousView)) {
        MainActivity.showmsg("user is equal passwd");
    } else if ((str.equals("admin") & paramAnonymousView.equals("pass71487"))) {
        MainActivity.showmsg("success");
        MainActivity.showmsg("flag is flag{borring_things}");
    } else {
        MainActivity.showmsg("wrong");
    }
}
```
flag{borring_things}
joker
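First, remove the obfuscation from the code and fix the stack balance.
The wrong function XORs the flag characters at even indices with their index and subtracts the index from those at odd indices.
The omg function compares the transformed flag with unk_4030C0.
```python
# Invert wrong(): XOR even indices with i, add i back at odd indices.
model = [0x66, 0x6B, 0x63, 0x64, 0x7F, 0x61, 0x67, 0x64,
         0x3B, 0x56, 0x6B, 0x61, 0x7B, 0x26, 0x3B, 0x50,
         0x63, 0x5F, 0x4D, 0x5A, 0x71, 0x0C, 0x37, 0x66]
flag = ""
for i in range(len(model)):
    if i % 2 == 0:
        flag += chr(model[i] ^ i)
    else:
        flag += chr(model[i] + i)
print(flag)
```
Inverting gives flag{fak3_alw35_sp_me!!}
Debug with dbg up to this point.
Here flag{fak3_alw35_sp_me!!} is XORed with the first 19 characters of hahahaha_do_you_find_me?, giving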
[0x0E,0x0D,0x09,0x06,0x13,0x05,0x58,0x56,0x3E,0x06,0x0C,0x3C,0x1F,0x57,0x14,0x6B,0x57,0x59,0x0D,0x00]
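Inverting this gives
```python
m = "hahahaha_do_you_find_me?"
n = [0x0E, 0x0D, 0x09, 0x06, 0x13, 0x05, 0x58, 0x56, 0x3E, 0x06,
     0x0C, 0x3C, 0x1F, 0x57, 0x14, 0x6B, 0x57, 0x59, 0x0D]
# XOR each target byte with the matching key character.
for i in range(len(n)):
    print(chr(ord(m[i]) ^ n[i]), end="")
```
flag{d07abccf8a410c is recovered; five characters are still missing, and the last one is '}'.
The finally function makes use of these five values.
From this, 0x3a must be '}'. Guessing that the relationship between them is XOR (with 71) gives the complete flag.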
flag{d07abccf8a410cb37a}
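You cannot brute-force the last few characters in this challenge, because this part of the flag does not pass checkflag when you feed it back in; guessing XOR at the end takes a bit of a leap.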
signal
A VM challenge.
First, an array of length 114 is passed in as the object the switch operates on.
a=[0x0A,0x04,0x10,0x08,0x03,0x05,0x01,0x04,0x20,0x08,0x05,0x03,0x01,0x03,0x02,0x08,0x0B,0x01,0x0C,0x08,0x04,0x04,0x01,0x05,0x03,0x08,0x03,0x21,0x01,0x0B,0x08,0x0B,0x01,0x04,0x09,0x08,0x03,0x20,0x01,0x02,0x51,0x08,0x04,0x24,0x01,0x0C,0x08,0x0B,0x01,0x05,0x02,0x08,0x02,0x25,0x01,0x02,0x36,0x08,0x04,0x41,0x01,0x02,0x20,0x08,0x05,0x01,0x01,0x05,0x03,0x08,0x02,0x25,0x01,0x04,0x09,0x08,0x03,0x20,0x01,0x02,0x41,0x08,0x0C,0x01,0x07,0x22,0x07,0x3F,0x07,0x34,0x07,0x32,0x07,0x72,0x07,0x33,0x7,0x18,0x7,0xffffffa7,0x7,0x31,0x7,0xffffff,0x7,0x28,0x7,0xffffff84,0x7,0xffffffc1,0x7,0x1e,0x7,0x7a]
Dynamic debugging shows that in case 7, v4[v8] is a fixed value; record the value of eax (patch je to jmp).
v4 = [0x22,0x3F,0x34,0x32,0x72,0x33,0x18,0xFA7,0x31,0xF1,0x28,0xF84,0xC1,0x1E,0x7A]
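Table a is effectively the list of options that the switch executes, and the v3 array is our flag. Each execution of case 1 assigns one element of v4 (v4 is known), so every time a 1 is reached, one processing segment is complete, for example 4,16,8,3,5,1. Working through the segments by hand, we can write a script that recovers the flag.
```python
# -*- coding:utf-8 -*-
# Each line inverts one VM segment, starting from the known v4 byte.
flag = [0] * 15
flag[0] = (0x22 + 5) ^ 0x10
flag[1] = (0x3f // 3) ^ 0x20
flag[2] = 0x34 + 1 + 2
flag[3] = (0x32 ^ 4) - 1
flag[4] = (0x72 + 0x21) // 3
flag[5] = 0x33 + 2
flag[6] = (0x18 + 0x20) ^ 0x9
flag[7] = (0xa7 ^ 0x24) - 0x51
flag[8] = 0x31 + 1 - 1
flag[9] = (0xf1 - 0x25) // 2
flag[10] = (0x28 ^ 0x41) - 0x20
flag[11] = 0x84 - 0x20
flag[12] = (0xc1 - 0x25) // 3
flag[13] = (0x1e + 0x20) ^ 0x9
flag[14] = 0x7a - 0x1 - 0x41
print('flag{' + ''.join([chr(x) for x in flag]) + '}')
```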
flag{757515121fId478}
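The hand analysis above can also be automated. The following added example (not the writeup author's code) emulates the VM over the program bytes taken from `a` and recovers each character by trying every printable byte. The opcode meanings are assumptions inferred from the hand-written script, and `PROGRAM`, `EXPECTED`, `run` and `solve` are names chosen here.

```python
# Added example, not the writeup author's code. PROGRAM is the part of the
# page's array `a` before the case-7 checks, one VM segment per hex group.
PROGRAM = bytes.fromhex(
    "0a 041008030501 042008050301 0302080b01 0c08040401 050308032101 0b080b01"
    " 040908032001 025108042401 0c080b01 050208022501 023608044101"
    " 022008050101 050308022501 040908032001 0241080c01")
# Bytes checked by case 7: low byte of each v4 entry, as the page's script uses them.
EXPECTED = [0x22, 0x3F, 0x34, 0x32, 0x72, 0x33, 0x18, 0xA7,
            0x31, 0xF1, 0x28, 0x84, 0xC1, 0x1E, 0x7A]

# Assumed opcode semantics, inferred from the hand-written script.
IMM_OPS = {2: lambda c, k: c + k, 3: lambda c, k: c - k,
           4: lambda c, k: c ^ k, 5: lambda c, k: c * k}
UNARY_OPS = {0x0B: lambda c: c - 1, 0x0C: lambda c: c + 1}

def run(program, flag):
    """Emulate the VM on candidate flag bytes; return the bytes stored by opcode 1."""
    flag, out, reg, pc, rd, wr = list(flag), [], 0, 0, 0, 0
    while pc < len(program):
        op = program[pc]
        if op in IMM_OPS:                  # reg = flag[rd] <op> immediate
            reg = IMM_OPS[op](flag[rd], program[pc + 1]) & 0xFF
            pc += 1
        elif op in UNARY_OPS:              # reg = flag[rd] +/- 1
            reg = UNARY_OPS[op](flag[rd]) & 0xFF
        elif op == 8:                      # write reg back into the flag buffer
            flag[wr] = reg
            wr += 1
        elif op == 1:                      # store reg, advance to the next character
            out.append(reg)
            rd += 1
        elif op != 0x0A:                   # 0x0A reads the input: nothing to emulate
            raise ValueError(f"unknown opcode {op:#x} at offset {pc}")
        pc += 1
    return out

def solve(program, expected):
    """Recover each character independently by trying every printable byte."""
    n, flag = len(expected), []
    for i, want in enumerate(expected):
        hits = [c for c in range(0x20, 0x7F)
                if run(program, [0] * i + [c] + [0] * (n - i - 1))[i] == want]
        if len(hits) != 1:
            raise ValueError(f"character {i}: {len(hits)} printable candidates")
        flag.append(chr(hits[0]))
    return "".join(flag)

if __name__ == "__main__":
    print("flag{" + solve(PROGRAM, EXPECTED) + "}")
```

Because the operands are read straight from `a`, the segment for index 10 (bytes 0x02,0x36,0x08,0x04,0x41,0x01) uses 0x36, which gives `3` at that position where the hand-written script, which subtracts 0x20, gives `I`.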