
攻防世界新手区re

re题目新手区练习

re1

od打开字符串搜一下。
DUTCTF{We1c0met0DUTCTF}

re2

随便乱输一下
zsctf{T9is_tOpic_1s_v5ry_int7resting_b6t_others_are_n0t}

emm,实质就是比较灯。这里没有算法,直接全nop就行了

re3

将输入的转为16进制与已知16进制串对比

#!/usr/bin/env python
# coding=utf-8
"""Decode the hex string that the hex-encoded input is compared against."""
string = "437261636b4d654a757374466f7246756e"

# Every two hex digits are one character code of the expected input.
hex_pairs = [string[pos:pos + 2] for pos in range(0, len(string), 2)]
flag = "".join(chr(int(pair, 16)) for pair in hex_pairs)

print(flag)
# Output: CrackMeJustForFun

re4

  1. 第一段输入0xcafe
  2. 第二段:second % 17 就是8
  3. 第三段为h4cky0u
  4. 第四段 first * 31337 + (second % 17) * 11 + strlen(argv[3]) - 1615810207;
>>> 0xcafe
51966
>>> 8*25
200
>>> 51966*31337 + 8*11 + 7 - 1615810207
12648430
>>> hex(12648430)
'0xc0ffee'
>>>

第一次带了0x没提交上。。

re5

upx -d 脱掉壳就拿到flag了。。

flag{Upx_1s_n0t_a_d3liv3r_c0mp4ny}

re6

>>> len(':\"AL_RT^L*.?+6/46')
17
#!/usr/bin/env python
# coding=utf-8
"""Recover the flag by XOR-ing the stored string with a repeating 7-byte key."""
# The key is held as the integer 0x65626D61726168. Taking bytes from the least
# significant end first yields them in little-endian (in-memory) order, which is
# the order the XOR loop indexes them in.
key_word = 0x65626D61726168
v7 = [(key_word >> (8 * shift)) & 0xFF for shift in range(7)]

string = ':\"AL_RT^L*.?+6/46'

# Character n of the stored string is XOR-ed with key byte n % 7.
flag = "".join(chr(ord(ch) ^ v7[pos % 7]) for pos, ch in enumerate(string))
print(flag)
# Output: RC3-2016-XORISGUD

坑点:小端序,我转成int后忘了倒序,一直是错的。。

re7

???
9447{This_is_a_flag}

re8

python写个算法跑一下

#!/usr/bin/env python
# coding=utf-8
"""Undo the byte-wise subtraction cipher: plaintext = List1[n] - List2[n % len(List2)]."""
# Both tables are raw byte dumps; every fourth byte carries the payload and the
# bytes in between cancel to zero once the key is subtracted.
List1 = [0x3A, 0x14, 0x00, 0x00, 0x36, 0x14, 0x00, 0x00, 0x37, 0x14, 0x00, 0x00, 0x3B, 0x14, 0x00, 0x00, 0x80, 0x14, 0x00, 0x00, 0x7A, 0x14, 0x00, 0x00, 0x71, 0x14, 0x00, 0x00, 0x78, 0x14, 0x00, 0x00, 0x63, 0x14, 0x00, 0x00, 0x66, 0x14, 0x00, 0x00, 0x73, 0x14, 0x00, 0x00, 0x67, 0x14, 0x00, 0x00, 0x62, 0x14, 0x00, 0x00, 0x65, 0x14, 0x00, 0x00, 0x73, 0x14, 0x00, 0x00, 0x60, 0x14, 0x00, 0x00, 0x6B, 0x14, 0x00, 0x00, 0x71, 0x14, 0x00, 0x00, 0x78, 0x14, 0x00, 0x00, 0x6A, 0x14, 0x00, 0x00, 0x73, 0x14, 0x00, 0x00, 0x70, 0x14, 0x00, 0x00, 0x64, 0x14, 0x00, 0x00, 0x78, 0x14, 0x00, 0x00, 0x6E, 0x14, 0x00, 0x00, 0x70, 0x14, 0x00, 0x00, 0x70, 0x14, 0x00, 0x00, 0x64, 0x14, 0x00, 0x00, 0x70, 0x14, 0x00, 0x00, 0x64, 0x14, 0x00, 0x00, 0x6E, 0x14, 0x00, 0x00, 0x7B, 0x14, 0x00, 0x00, 0x76, 0x14, 0x00, 0x00, 0x78, 0x14, 0x00, 0x00, 0x6A, 0x14, 0x00, 0x00, 0x73, 0x14, 0x00, 0x00, 0x7B, 0x14, 0x00, 0x00, 0x80, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00]
List2 = [0x01, 0x14, 0x00, 0x00, 0x02, 0x14, 0x00, 0x00, 0x03, 0x14, 0x00, 0x00, 0x04, 0x14, 0x00, 0x00, 0x05, 0x14, 0x00, 0x00]

# Subtract the key; its index wraps around at len(List2).
key_len = len(List2)
List1 = [value - List2[pos % key_len] for pos, value in enumerate(List1)]

# Drop the bytes that cancelled to zero. The three trailing 0x00 bytes of the
# dump leave two non-zero (negative) leftovers after subtraction, so the last
# two survivors are discarded as well.
List1 = [value for value in List1 if value != 0][:-2]

flag = "".join(chr(value) for value in List1)
print(flag)
9
94
944
9447
9447{
9447{y
9447{yo
9447{you
9447{you_
9447{you_a
9447{you_ar
9447{you_are
9447{you_are_
9447{you_are_a
9447{you_are_an
9447{you_are_an_
9447{you_are_an_i
9447{you_are_an_in
9447{you_are_an_int
9447{you_are_an_inte
9447{you_are_an_inter
9447{you_are_an_intern
9447{you_are_an_interna
9447{you_are_an_internat
9447{you_are_an_internati
9447{you_are_an_internatio
9447{you_are_an_internation
9447{you_are_an_internationa
9447{you_are_an_international
9447{you_are_an_international_
9447{you_are_an_international_m
9447{you_are_an_international_my
9447{you_are_an_international_mys
9447{you_are_an_international_myst
9447{you_are_an_international_myste
9447{you_are_an_international_myster
9447{you_are_an_international_mystery
9447{you_are_an_international_mystery}

re9

看下算法,跑下就行了,还是小端序问题

#!/usr/bin/env python
# coding=utf-8
"""XOR each stored 32-bit word with the constant key and read the bytes little-endian."""
List1 =[0xBCA0CCBB, 0xB8BED1DC, 0xAEBECFCD, 0x82ABC4D2, 0xB393D9D2, 0xA993DED4, 0x82B8CBD3, 0xB9BECBD3, 0x00CCD79A]
v2 = 0xDDCCAABB

decoded = []
for word in List1:
    plain = word ^ v2
    # Emit the four bytes least-significant first, i.e. in the order they sit
    # in memory on a little-endian target.
    for shift in (0, 8, 16, 24):
        decoded.append(chr((plain >> shift) & 0xFF))

# The result starts with a NUL byte and ends with two bytes after the closing
# brace; those come from the word boundaries, not from the flag text itself.
flag = "".join(decoded)

print(flag)

re10

#!/usr/bin/env python
# coding=utf-8
"""Rebuild the flag body by shifting each character of the stored string by +/-1."""
string = "c61b68366edeb7bdce3c6820314b7498"

# Odd positions are incremented, even positions decremented.
shifted = [chr(ord(ch) + (1 if pos & 1 else -1)) for pos, ch in enumerate(string)]

# Wrap the body in the flag format; note the leading 'S' of the prefix, which
# the write-up reports was missing on the first attempt.
flag0 = "SharifCTF{"
flag1 = "}"

flag = flag0 + "".join(shifted) + flag1
print(flag)

好坑的一道题。。少了个S,我还以为我做错了

re11

pyc反编译

#!/usr/bin/env python
# encoding: utf-8
# Decompiler banner: if you find this useful, recommend it to your friends! http://tool.lu/pyc
# Python 2 source as recovered from the .pyc (print statements, raw_input).
import base64


def encode(message):
    """Obfuscate *message*: XOR each character code with 32, add 16, then Base64-encode."""
    scrambled = ''.join(chr((ord(ch) ^ 32) + 16) for ch in message)
    return base64.b64encode(scrambled)


# Base64 of the transformed flag; input is accepted only if it encodes to this value.
correct = 'XlNkVmtUI1MgXWBZXCFeKY+AaXNt'
flag = ''
print 'Input flag:'
flag = raw_input()
print 'correct' if encode(flag) == correct else 'wrong'
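#!/usr/bin/env python
# coding=utf-8
"""Invert the decompiled encode(): Base64-decode, subtract 16, XOR with 32."""
import base64

correct = 'XlNkVmtUI1MgXWBZXCFeKY+AaXNt'
correct = base64.b64decode(correct)


def decode(message):
    """Return the plaintext for *message*, the Base64-decoded target value.

    The checker computes ((c ^ 32) + 16) per character, so the inverse is
    ((b - 16) ^ 32) per byte.

    *message* may be bytes (Python 3, where iteration yields ints) or a str
    (Python 2 bytes string, or text on Python 3, where iteration yields
    one-character strings); both are handled so the script runs on either
    interpreter.
    """
    plain = []
    for item in message:
        code = item if isinstance(item, int) else ord(item)
        plain.append(chr((code - 16) ^ 32))
    return ''.join(plain)


flag = decode(correct)
print(flag)
# Output: nctf{d3c0mpil1n9_PyC}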

re12

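#!/usr/bin/env python
# coding=utf-8
"""Show the 8x8 maze, read a w/a/s/d route and print it in the binary's move alphabet."""
control = '''
O -1 左
o +1 右
. -1 上
0 +1 下
'''

# NOTE(review): in the published listing the runs of spaces inside this literal
# were collapsed, leaving fewer than 64 characters, so the 8x8 print loop showed
# a garbled grid. The spacing below is restored so that the string is 8 rows of
# 8 cells and the route given in the write-up (dsddssasssddddwwaa) ends on '#'.
# Confirm against asc_601060 in the binary.
maze = '  *******   *  **** * ****  * ***  *#  *** *** ***     *********'

# Keyboard key -> move character expected by the binary (see `control`).
KEY_TO_MOVE = {'w': '.', 'a': 'O', 's': '0'}


def route_to_moves(route):
    """Translate a w/a/s/d route into the binary's move characters.

    Any key other than 'w', 'a' or 's' (normally 'd') becomes 'o', exactly as
    in the original if/elif chain.
    """
    return ''.join(KEY_TO_MOVE.get(key, 'o') for key in route)


def read_route():
    """Read one line from stdin on either Python 2 (raw_input) or Python 3 (input)."""
    try:
        return raw_input()
    except NameError:
        return input()


if __name__ == '__main__':
    print (control)

    for i in range(8):
        print(maze[8*i:8*i+8])

    result = read_route()
    flag = route_to_moves(result)

    # Shape of the expected answer, kept from the original notes:
    # flag = "nctf{oo00OOOO...o...OO.}"
    flag0 = "nctf{"
    print(flag0 + flag + "}")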

输入dsddssasssddddwwaa

得到flag nctf{o0oo00O000oooo..OO}

emm,有点坑。。我开头以为是从#号出发反过来走,然后错了,方向键我是盲猜的,我只能看运气,1/2

/*
 * Decompiler pseudocode, quoted as recovered.
 * Post-decrements the counter that a1 points to and reports whether its value
 * BEFORE the decrement was positive. After a true result the stored value is
 * therefore >= 0.
 * NOTE(review): the write-up treats this as one of the "-1" move handlers;
 * which axis it drives depends on the pointer the caller passes.
 */
bool __fastcall sub_400650(_DWORD *a1)
{
  int v1; // eax

  v1 = (*a1)--;   // v1 keeps the old value; *a1 is now one less
  return v1 > 0;  // true only when the old value was greater than zero
}
/*
 * Decompiler pseudocode, quoted as recovered.
 * Increments the counter that a1 points to and reports whether the NEW value
 * is still below 8.
 * NOTE(review): 8 presumably is the side length of the maze (the write-up
 * prints it as 8 rows of 8 cells) - confirm against the binary.
 */
bool __fastcall sub_400660(int *a1)
{
  int v1; // eax

  v1 = *a1 + 1;   // new value of the counter
  *a1 = v1;       // store it back before the bounds test
  return v1 < 8;  // true while the new value stays inside 0..7
}
sub_400660(&v9 + 1)
sub_400680(&v9);

结合这4句,推测存储结构,一个__int64 8个字节, 2个字节一个分割,所以相当于 0x上下左右

sub_400690(asc_601060, SHIDWORD(v9), v9) )

再结合这句,SHIDWORD

// Views x as an array of int32 and reads element 1, i.e. the signed upper
// 32 bits of a 64-bit x on a little-endian target.
#define SHIDWORD(x)  (*((int32*)&(x)+1))

所以&v9+1的话就是左右部分,再看内部实现,就是左右了

本文作者:NoOne
本文地址https://noonegroup.xyz/posts/ff286fcb/
版权声明:转载请注明出处!