2020 网鼎杯 Re WP

2023-10-21 21:30
文章标签 2020 wp re 网鼎杯

本文主要是介绍2020 网鼎杯 Re WP,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!

测试文件:https://lanzous.com/b07rlon9c

 

 

-----------青龙组-----------

Misc

签到

回答完问题,输入token之后,在控制台可见。

 

flag{32c7c08cc310048a8605c5e2caba3e99}

 

crypto

boom

首先MD5解密
46e5efe6165a5afb361217446a2dbd01得到en5oy
接着解方程组:x=74,y=68,z=31
解一元二次方程:x=89127561
#include <iostream>using namespace std;int main()
{long long a = 0;long long b = a * (a + 1);while (1) {if (b == 7943722218936282)break;a++;b = a * (a + 1);}cout << a << endl;system("PAUSE");return 0;
}

 

flag{en5oy_746831_89127561}

 

Reverse

bang

梆梆加密免费版,这道主要是使用FART脱壳classes.dex得到

public void onClick(View paramAnonymousView){String str = localEditText.getText().toString();paramAnonymousView = paramBundle.getText().toString();if (str.equals(paramAnonymousView)){MainActivity.showmsg("user is equal passwd");}else if ((str.equals("admin") & paramAnonymousView.equals("pass71487"))){MainActivity.showmsg("success");MainActivity.showmsg("flag is flag{borring_things}");}else{MainActivity.showmsg("wrong");}}

 

flag{borring_things}

 

joker

首先去除代码中的混淆和调整栈平衡之后。

wrong函数,对flag的奇,偶下标分别进行异或下标,减去下标操作。

omg函数,变换后的flag与unk_4030C0比较。

model = [0x66, 0x6B, 0x63, 0x64, 0x7F, 0x61, 0x67, 0x64, 0x3B, 0x56, 0x6B, 0x61, 0x7B, 0x26, 0x3B, 0x50, 0x63, 0x5F,0x4D, 0x5A, 0x71, 0x0C, 0x37, 0x66]flag = ""for i in range(len(model)):if(i % 2 == 0):flag += chr(model[i]^i)else:flag += chr(model[i] + i)
print (flag)

反解得,flag{fak3_alw35_sp_me!!}

使用dbg调试到

这里将flag{fak3_alw35_sp_me!!}与hahahaha_do_you_find_me?前19字符异或得到

[0x0E,0x0D,0x09,0x06,0x13,0x05,0x58,0x56,0x3E,0x06,0x0C,0x3C,0x1F,0x57,0x14,0x6B,0x57,0x59,0x0D,0x00]

反解得到

m = "hahahaha_do_you_find_me?"
n = [0x0E,0x0D,0x09,0x06,0x13,0x05,0x58,0x56,0x3E,0x06,0x0C,0x3C,0x1F,0x57,0x14,0x6B,0x57,0x59,0x0D]for i in range(len(n)):print (chr(ord(m[i])^n[i]),end="")

flag{d07abccf8a410c,还缺少5个字符,最后一位为'}'

在finally函数中,利用了这五位数值

可知,0x3a必然为‘}’,猜测之间的关系为异或(71),得到完整flag。

flag{d07abccf8a410cb37a}

这道题你没办法爆破最后几位,因为这段flag你带入之后过不了checkflag,最后猜测为异或有点脑洞。

 

signal 

VM的题目

首先传入长度114的数组,作为switch操作对象

a=[0x0A,0x04,0x10,0x08,0x03,0x05,0x01,0x04,0x20,0x08,0x05,0x03,0x01,0x03,0x02,0x08,0x0B,0x01,0x0C,0x08,0x04,0x04,0x01,0x05,0x03,0x08,0x03,0x21,0x01,0x0B,0x08,0x0B,0x01,0x04,0x09,0x08,0x03,0x20,0x01,0x02,0x51,0x08,0x04,0x24,0x01,0x0C,0x08,0x0B,0x01,0x05,0x02,0x08,0x02,0x25,0x01,0x02,0x36,0x08,0x04,0x41,0x01,0x02,0x20,0x08,0x05,0x01,0x01,0x05,0x03,0x08,0x02,0x25,0x01,0x04,0x09,0x08,0x03,0x20,0x01,0x02,0x41,0x08,0x0C,0x01,0x07,0x22,0x07,0x3F,0x07,0x34,0x07,0x32,0x07,0x72,0x07,0x33,0x7,0x18,0x7,0xffffffa7,0x7,0x31,0x7,0xffffff,0x7,0x28,0x7,0xffffff84,0x7,0xffffffc1,0x7,0x1e,0x7,0x7a]

动态调试发现在case7中, v4[v8]为定值,记录下eax的值(修改je为jmp)

 

v4 = [0x22,0x3F,0x34,0x32,0x72,0x33,0x18,0xFA7,0x31,0xF1,0x28,0xF84,0xC1,0x1E,0x7A]

a表实际上就是执行switch的选项目录,v3数组就是我们的flag,每次执行case1即为v4赋值一次(v4已知),所以每次到1,就是一段处理,比如4,16,8,3,5,1。手动处理,我们能够写出获取flag的脚本

# -*- coding:utf-8 -*-flag = [0]*15flag[0] = (0x22+5)^0x10
flag[1] = (0x3f//3)^0x20
flag[2] = 0x34+1+2
flag[3] = (0x32^4)-1
flag[4] = (0x72+0x21)//3
flag[5] = 0x33 + 2
flag[6] = (0x18+0x20)^0x9
flag[7] = (0xa7^0x24)-0x51
flag[8] = 0x31+1-1
flag[9] = (0xf1-0x25)//2
flag[10] = (0x28^0x41)-0x36
flag[11] = 0x84-0x20
flag[12] = (0xc1-0x25)//3
flag[13] = (0x1e+0x20)^0x9
flag[14] = 0x7a-0x1-0x41print ('flag{'+''.join([chr(x) for x in flag])+'}')

 

flag{757515121f3d478}

 

 

测试文件:https://lanzous.com/b07rlonfi

 

-----------白虎组------------

刚把第一道题做了家里就停了一天的电。

 

Mics

hidden

改为ZIP文件,zip2john 破解出密码为1235

得到二维码的一半

使用tweakpng修改图片高度

得到flag

flag{04255185-de22-4ac6-a1ae-da4f187ddb8c}

 

Reverse

恶龙

实际这里的coin都是用来兑换eff的,改eff大于5000000就行,F9运行一直选2就能得到flag。

 

flag{0259-6430-726f077b-5959-bf477a78c83b}

 

Py

实际这里考得就是如何从elf文件中提取出pyc文件。(这个elf文件是由Python打包的)

参考链接:https://www.zhihuifly.com/t/topic/1073

值得注意的是,你的输出文件必须是src.pyc,不能使用其他命名。

 

将src.pyc与struct.pyc对比,在src.pyc头部添加

EE 0C 0D 0A 70 79 69 30  10 01 00 00 

得到的pyc文件,转换为py文件,得到

# -*- coding:utf-8 -*-import rsa
import base64key1 = rsa.PrivateKey.load_pkcs1(base64.b64decode('LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcVFJQkFBS0NBUUVBcVJUZ0xQU3BuT0ZDQnJvNHR1K1FBWXFhTjI2Uk42TzY1bjBjUURGRy9vQ1NJSU00ClNBeEVWaytiZHpSN2FucVNtZ1l5MEhRWGhDZTM2U2VGZTF0ejlrd0taL3UzRUpvYzVBSzR1NXZ4UW5QOWY1cTYKYVFsbVAvVjJJTXB5NFFRNlBjbUVoNEtkNm81ZWRJUlB2SHd6V0dWS09OQ3BpL0taQ082V0tWYkpXcWh3WGpEQgpsSDFNVURzZ1gyVUM4b3Bodnk5dXIyek9kTlBocElJZHdIc1o5b0ZaWWtaMUx5Q0lRRXRZRmlKam1GUzJFQ1RVCkNvcU9acnQxaU5jNXVhZnFvZlB4eHlPb2wwYVVoVGhiaHE4cEpXL3FPSFdYd0xJbXdtNk96YXFVeks4NEYyY3UKYWRiRE5zeVNvaElHaHYzd0lBVThNSlFnOEthd1Z3ZHBzRWhlSXdJREFRQUJBb0lCQURBazdwUStjbEZtWHF1Vgp1UEoyRWxZdUJpMkVnVHNMbHZ0c1ltL3cyQnM5dHQ0bEh4QjgxYlNSNUYyMEJ2UlJ4STZ3OXlVZCtWZzdDd1lMCnA5bHhOL3JJdWluVHBkUEhYalNhaGNsOTVOdWNOWEZ4T0dVU05SZy9KNHk4dUt0VHpkV3NITjJORnJRa0o4Y2IKcWF5czNOM3RzWTJ0OUtrUndjbUJGUHNJalNNQzB5UkpQVEE4cmNqOFkranV3SHZjbUJPNHVFWXZXeXh0VHR2UQova0RQelBqdTBuakhkR055RytkSDdkeHVEV2Jxb3VZQnRMdzllZGxXdmIydTJ5YnZzTXl0NWZTOWF1a01NUjNoCnBhaDRMcU1LbC9ETTU3cE44Vms0ZTU3WE1zZUJLWm1hcEptcVNnSGdjajRPNWE2R1RvelN1TEVoTmVGY0l2Tm8KWFczTEFHRUNnWWtBc0J0WDNVcFQ3aUcveE5BZDdSWER2MENOY1k1QnNZOGY4NHQ3dGx0U2pjSWdBKy9nUjFMZQpzb2gxY1RRd1RadUYyRTJXL1hHU3orQmJDTVVySHNGWmh1bXV6aTBkbElNV3ZhU0dvSlV1OGpNODBlUjRiVTRyCmdYQnlLZVZqelkzNVlLejQ5TEVBcFRQcTZRYTVQbzhRYkF6czhuVjZtNXhOQkNPc0pQQ29zMGtCclFQaGo5M0cKOFFKNUFQWEpva0UrMmY3NXZlazZNMDdsaGlEUXR6LzRPYWRaZ1MvUVF0eWRLUmg2V3VEeGp3MytXeXc5ZjNUcAp5OXc0RmtLRzhqNVRpd1RzRmdzem94TGo5TmpSUWpqb3cyVFJGLzk3b2NxMGNwY1orMUtsZTI1cEJ3bk9yRDJBCkVpMUVkMGVEV3dJR2gzaFhGRmlRSzhTOG5remZkNGFMa1ZxK1V3S0JpRXRMSllIamFZY0N2dTd5M0JpbG1ZK0gKbGZIYkZKTkowaXRhazRZZi9XZkdlOUd6R1h6bEhYblBoZ2JrZlZKeEVBU3ZCOE5NYjZ5WkM5THdHY09JZnpLRApiczJQMUhuT29rWnF0WFNxMCt1UnBJdEkxNFJFUzYySDJnZTNuN2dlMzJSS0VCYnVKb3g3YWhBL1k2d3ZscUhiCjFPTEUvNnJRWk0xRVF6RjRBMmpENmdlREJVbHhWTUVDZVFDQjcyUmRoYktNL3M0TSsvMmYyZXI4Y2hwT01SV1oKaU5Hb3l6cHRrby9sSnRuZ1RSTkpYSXdxYVNCMldCcXpndHNSdEhGZnpaNlNyWlJCdTd5Y0FmS3dwSCtUd2tsNQpoS2hoSWFTNG1vaHhwUVNkL21td1JzbTN2NUNDdXEvaFNtNmNXYTdFOVZxc25heGQzV21tQ2VqTnp0MUxQWUZNCkxZMENnWWdKUHhpVTVraGs5cHB6TVAwdWU0clA0Z2YvTENldEdmQjlXMkIyQU03eW9VM2VsMWlCSEJqOEZ3UFQKQUhKUWtCeTNYZEh3SUpGTUV1RUZSSFFzcUFkSTlYVDBzL2V0QTg1Y3grQjhjUmt3bnFHakFseW1PdmJNOVNrMgptMnRwRi8rYm56ZVhNdFA3c0ZoR3NHOXJ5SEZ6UFNLY3NDSDhXWWx0Y1pTSlNDZHRTK21qblAwelArSjMKLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K'))
key2 = rsa.PublicKey.load_pkcs1(base64.b64decode('LS0tLS1CRUdJTiBSU0EgUFVCTElDIEtFWS0tLS0tCk1JSUJDZ0tDQVFFQXFSVGdMUFNwbk9GQ0JybzR0dStRQVlxYU4yNlJONk82NW4wY1FERkcvb0NTSUlNNFNBeEUKVmsrYmR6UjdhbnFTbWdZeTBIUVhoQ2UzNlNlRmUxdHo5a3dLWi91M0VKb2M1QUs0dTV2eFFuUDlmNXE2YVFsbQpQL1YySU1weTRRUTZQY21FaDRLZDZvNWVkSVJQdkh3eldHVktPTkNwaS9LWkNPNldLVmJKV3Fod1hqREJsSDFNClVEc2dYMlVDOG9waHZ5OXVyMnpPZE5QaHBJSWR3SHNaOW9GWllrWjFMeUNJUUV0WUZpSmptRlMyRUNUVUNvcU8KWnJ0MWlOYzV1YWZxb2ZQeHh5T29sMGFVaFRoYmhxOHBKVy9xT0hXWHdMSW13bTZPemFxVXpLODRGMmN1YWRiRApOc3lTb2hJR2h2M3dJQVU4TUpRZzhLYXdWd2Rwc0VoZUl3SURBUUFCCi0tLS0tRU5EIFJTQSBQVUJMSUMgS0VZLS0tLS0K'))def encrypt1(message):crypto_text = rsa.encrypt(message.encode(), key2)return crypto_textdef decrypt1(message):message_str = rsa.decrypt(message, key1).decode()return message_strdef encrypt2(tips, key):ltips = len(tips)lkey = len(key)secret = []num = 0for each in tips:if num >= lkey:num = num % lkeysecret.append(chr(ord(each) ^ ord(key[num])))num += 1return base64.b64encode(''.join(secret).encode()).decode()def decrypt2(secret, key):tips = base64.b64decode(secret.encode()).decode()ltips = len(tips)lkey = len(key)secret = []num = 0for each in tips:if num >= lkey:num = num % lkeysecret.append(chr(ord(each) ^ ord(key[num])))num += 1return ''.join(secret)flag = 'IAMrG1EOPkM5NRI1cChQDxEcGDZMURptPzgHJHUiN0ASDgUYUB4LGQMUGAtLCQcJJywcFmddNno/PBtQbiMWNxsGLiFuLwpiFlkyP084Ng0lKj8GUBMXcwEXPTJrRDMdNwMiHVkCBFklHgIAWQwgCz8YQhp6E1xUHgUELxMtSh0xXzxBEisbUyYGOx1DBBZWPg1CXFkvJEcxO0ADeBwzChIOQkdwXQRpQCJHCQsaFE4CIjMDcwswTBw4BS9mLVMLLDs8HVgeQkscGBEBFSpQFQQgPTVRAUpvHyAiV1oPE0kyADpDbF8AbyErBjNkPh9PHiY7O1ZaGBADMB0PEVwdCxI+MCcXARZiPhwfH1IfKitGOF42FV8FTxwqPzBPAVUUOAEKAHEEP2QZGjQVV1oIS0QBJgBDLx1jEAsWKGk5Nw03MVgmWSE4Qy5LEghoHDY+OQ9dXE44Th0='
key = 'this is key'try:print(decrypt2('AAAAAAAAAAAfFwwRSAIWWQ==', key))result = input('please input key: ')if result == decrypt2('AAAAAAAAAAAfFwwRSAIWWQ==', key):print(decrypt1(base64.b64decode(decrypt2(flag, result))))elif result == key:print('flag{0e26d898-b454-43de-9c87-eb3d122186bc}')else:print('key is error.')
except Exception:Nonee = NoneNonetry:passfinally:e = Nonedel e

 

flag{5236cb7d-f4a7-4080-9bde-8b9e061609ad}

 

-----------朱雀组------------

Mics

九宫格

首先对二维码批量扫描,得到01的列表

a = [0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 1]

8个为一组,转换为ASCII码

# -*- coding:utf-8 -*-a = [0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 1]s = "0b"num = []for i in range(len(a)):if i % 8 != 0 or i == 0:s += str(a[i])continuenum.append(chr(int(s,2)))s = "0b"
print (''.join(num))

得到

U2FsdGVkX19jThxWqKmYTZP1X4AfuFJ/7FlqIF1KHQTR5S63zOkyoX36nZlaOq4X4klwRwqa

这是rabbit加密,通过hint提示九宫格,两条对角线(852456)从小到大排序。

 

 

 得到key=245568

 

flag{2c4fdc156fe74836954a05058c5d0382}

 

key

使用JohnTheRippe对压缩文件解密

得到密码为123

 

将钥.png通过tweakpng修改图片height=width

匙.jpg实际为一个压缩文件,改后缀为zip,这里的密码猜测与上面的图片有关,实际为差分曼切斯特编码。脚本引用自:点击进入

# -*- coding:utf-8 -*-enc = "295965569a596696995a9aa969996a6a9a669965656969996959669566a5655699669aa5656966a566a56656"
s = ""
for c in enc:s += "{:04b}".format(int(c,16))s = s[2:]
r = ""
for i in range(len(s)//2):a = s[i*2]if a == s[i*2-1]:r += '1'else:r += '0'print (hex(int(r,2)))

0x13616b7572615f4c6f76655f53747261776265727279

转换为ASCII码

第一位转换失败了,拿到网上搜了下,应该为Sakura_Love_Strawberry

解压,得到flag

flag{061056cc-980c-4214-b163-230e5cd5c78e}

 

crypto

放射

根据仿射密码的原理就能解出,key1,key2实际就是E(x) = (ax + b) (mod m)中的a,b。m还未确定。解密方法为:D(x) = a-1(x - b) (mod m),m直接爆破就行。

# -*- coding:utf-8 -*-
import gmpy2key1 = 123456
key2 = 321564enc = "kgws{m8u8cm65-ue9k-44k5-8361-we225m76eeww}"
flag = ""
for m in range(1,27):for val in enc:try:if val.islower():flag += chr((gmpy2.invert(key1, m)*(ord(val) - ord('a') - key2)) % m + ord('a'))else:flag += valexcept Exception:flag = ""breakif flag != "":print (flag)

bcde{d8b8dd65-ba9b-44b5-8361-da225d76aadd}


dcgf{a8c8ba65-cf9d-44d5-8361-gf225a76ffgg}


djhc{a8k8ea65-kb9d-44d5-8361-hb225a76bbhh}


flag{c8d8ec65-db9f-44f5-8361-ab225c76bbaa}


jhpn{k8o8fk65-og9j-44j5-8361-pg225k76ggpp}


gnel{m8r8bm65-rh9g-44g5-8361-eh225m76hhee}


tigs{n8m8un65-mo9t-44t5-8361-go225n76oogg}


qhsj{i8b8xi65-bp9q-44q5-8361-sp225i76ppss}

得到flag为

flag{c8d8ec65-db9f-44f5-8361-ab225c76bbaa}

 

Reverse

go

关于go语言的逆向题,打开之后,如果不能反编译,在Options->Compiler中将sizeof(int)改为4。

通过string Windows找到主要函数,

这里有个关键函数main_encode

这个函数实际就是一个变表的Base64加密,变表为

XYZFGHI2+/Jhi345jklmEnopuvwqrABCDKL6789abMNWcdefgstOPQRSTUVxyz01

最后再与nRKKAHzMrQzaqQzKpPHClX比较

# -*- coding:utf-8 -*-
import base64model = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
Str = "XYZFGHI2+/Jhi345jklmEnopuvwqrABCDKL6789abMNWcdefgstOPQRSTUVxyz01"
enc = "nRKKAHzMrQzaqQzKpPHClX"
s = ""for val in enc:s += model[Str.find(val)]
print (s)
for i in range(10):try:print (base64.b64decode(s+'='*i))breakexcept Exception:pass

得到输入为What_is_go_a_A_H

 

flag{e252890b-4f4d-4b85-88df-671dab1d78f3}

 

这篇关于2020 网鼎杯 Re WP的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!



http://www.chinasem.cn/article/257097

相关文章

usaco 1.3 Mixing Milk (结构体排序 qsort) and hdu 2020(sort)

到了这题学会了结构体排序 于是回去修改了 1.2 milking cows 的算法~ 结构体排序核心: 1.结构体定义 struct Milk{int price;int milks;}milk[5000]; 2.自定义的比较函数,若返回值为正,qsort 函数判定a>b ;为负,a<b;为0,a==b; int milkcmp(const void *va,c

013.Python爬虫系列_re正则解析

我 的 个 人 主 页:👉👉 失心疯的个人主页 👈👈 入 门 教 程 推 荐 :👉👉 Python零基础入门教程合集 👈👈 虚 拟 环 境 搭 建 :👉👉 Python项目虚拟环境(超详细讲解) 👈👈 PyQt5 系 列 教 程:👉👉 Python GUI(PyQt5)文章合集 👈👈 Oracle数据库教程:👉👉 Oracle数据库文章合集 👈👈 优

2020年SEO行业发展变化和趋势分析!

一、搜索引擎算法发展轨迹 第一阶段:人工目录(1997年-2001年“雅虎早期搜索模式”); 第二阶段:文本分析(2001年-2004年“以关键词和背景颜色一样,堆积大量关键词,就会有非常好的排名; 第三阶段:链接分析(2004年-2009年“以反向链接为核心算法的阶段”),这时行业内有句话是内容为王,外链为皇; 第四阶段:智能分析(2009年-现在“以满足用户人性化需求的用户浏览行为分析

2020年数据术语的故事

点击上方蓝色字体,选择“设为星标” 回复”资源“获取更多资源 2020年整个技术圈子要说话题最多的,应该是大数据方向。新感念层出不穷,数据湖概念就是其中之一。这篇文章是关于数据仓库、数据湖、数据集市、数据中台等一些列的概念和发展进程。希望给大家带来一个全面的感知。 本文作者:Murkey学习之旅、开心自由天使 本文整理:大数据技术与架构,未经允许不得转载。 如今,随着诸如互联网以及物联网等

汇总(三):2020年12月

1.mysql数据库中,字段类型为tinyint(1)的,在select时,不显示正常的数字而是true或false?  传送门

2020 1.1版本的idea中git的使用场景

1、克隆项目 File-->New-->Project from Version Control 2、拉取远程的分支到本地 右下角-->(Remote Branches)选定分支-->checkout 3、将master分支更新的代码合并至bry分支并提交到远程仓库    (目的:实时与master的最新代码保持一致) 右下角-->(Local Branches)checkout br

Login failed:make sure your username and password are correct and that you’re an admin or moderator

Login failed:make sure your username and password are correct and that you’re an admin or moderator   1.使用MySql查看工具进入数据库,进入表“ofuser”,把字段 plainPassword 改成 123,然后在你的控制台上输入该表的   username跟plainPa

BUUCTF PWN wp--bjdctf_2020_babystack

第一步   checksec一下,该题是64位的,该题目大概率是一道栈溢出(因为题目里面提到了stack) 分析一下这个二进制保护机制: Arch: amd64-64-little 这表示二进制文件是为64位AMD处理器设计的,使用的是小端序(little-endian)格式。RELRO: Partial RELRO RELRO(Relocation Read-Only)是一种安全特性,旨

解决Re-download dependencies and sync project

解决Re-download dependencies and sync project 问题描述 新建一个工程,报错 Error:Failed to open zip file.Gradle's dependency cache may be corrupt (this sometimes occurs after a network connection timeout.)<a hr

BUUCTF—[网鼎杯 2020 朱雀组]phpweb

题解 打开题目是这样子的。 啥也不管抓个包看看,从它返回的信息判断出func后面的是要调用的函数,p后面的是要执行的内容。 那我们直接执行个系统命令看看,可以看到返回了hack,估计是做了过滤。 func=system&p=ls 直接读取源码看看咯,可以看到过滤了好多函数,反正我认识的可以进行命令执行的函数都给禁了。 func=file_get_contents&p=ind