2024御网杯RE WP详解
1. ez_apk
加密逻辑都在java层
往下翻翻就是cipher
enc = b"fatd{sm_cgrmvc_ylvhokhuk_gxsgffc_wtec}"
key = b"aptxcony"
flag = ""
for i in range(len(enc)):
if 97 <= enc[i] <= 122:
flag += chr((enc[i] - key[i%8]) % 26 + 97)
else:
flag += chr(enc[i])
print(flag)
2. 机器猫
用pycdc反编译失败
改用uncompyle6
# uncompyle6 version 3.7.4
# Python bytecode 3.8 (3413)
# Decompiled from: Python 3.11.9 (tags/v3.11.9:de54cf5, Apr 2 2024, 10:12:12) [MSC v.1938 64 bit (AMD64)]
# Embedded file name: 2.py
import turtle
def flyTo(x, y):
turtle.penup()
turtle.goto(x, y)
turtle.pendown()
def drawEye():
turtle.tracer(False)
a = 2.5
for i in range(120):
if not 0 <= i < 30:
if 60 <= i < 90:
a -= 0.05
else:
a += 0.05
turtle.left(3)
turtle.fd(a)
else:
turtle.tracer(True)
def beard():
flyTo(-37, 135)
turtle.seth(165)
turtle.fd(60)
flyTo(-37, 125)
turtle.seth(180)
turtle.fd(60)
flyTo(-37, 115)
turtle.seth(193)
turtle.fd(60)
flyTo(37, 135)
turtle.seth(15)
turtle.fd(60)
flyTo(37, 125)
turtle.seth(0)
turtle.fd(60)
flyTo(37, 115)
turtle.seth(-13)
turtle.fd(60)
def drawRedScarf():
turtle.fillcolor('red')
turtle.begin_fill()
turtle.seth(0)
turtle.fd(200)
turtle.circle(-5, 90)
turtle.fd(10)
turtle.circle(-5, 90)
turtle.fd(207)
turtle.circle(-5, 90)
turtle.fd(10)
turtle.circle(-5, 90)
turtle.end_fill()
def drawMouse():
flyTo(5, 148)
turtle.seth(270)
turtle.fd(100)
turtle.seth(0)
turtle.circle(120, 50)
turtle.seth(230)
turtle.circle(-120, 100)
def drawRedNose():
flyTo(-10, 158)
turtle.fillcolor('red')
turtle.begin_fill()
turtle.circle(20)
turtle.end_fill()
def drawBlackdrawEye():
turtle.seth(0)
flyTo(-20, 195)
turtle.fillcolor('#000000')
turtle.begin_fill()
turtle.circle(13)
turtle.end_fill()
turtle.pensize(6)
flyTo(20, 205)
turtle.seth(75)
turtle.circle(-10, 150)
turtle.pensize(3)
flyTo(-17, 200)
turtle.seth(0)
turtle.fillcolor('#ffffff')
turtle.begin_fill()
turtle.circle(5)
turtle.end_fill()
flyTo(0, 0)
def drawFace():
turtle.forward(183)
turtle.fillcolor('white')
turtle.begin_fill()
turtle.left(45)
turtle.circle(120, 100)
turtle.seth(90)
drawEye()
turtle.seth(180)
turtle.penup()
turtle.fd(60)
turtle.pendown()
turtle.seth(90)
drawEye()
turtle.penup()
turtle.seth(180)
turtle.fd(64)
turtle.pendown()
turtle.seth(215)
turtle.circle(120, 100)
turtle.end_fill()
def drawHead():
turtle.penup()
turtle.circle(150, 40)
turtle.pendown()
turtle.fillcolor('#00a0de')
turtle.begin_fill()
turtle.circle(150, 280)
turtle.end_fill()
def drawAll():
drawHead()
drawRedScarf()
drawFace()
drawRedNose()
drawMouse()
beard()
flyTo(0, 0)
turtle.seth(0)
turtle.penup()
turtle.circle(150, 50)
turtle.pendown()
turtle.seth(30)
turtle.fd(40)
turtle.seth(70)
turtle.circle(-30, 270)
turtle.fillcolor('#00a0de')
turtle.begin_fill()
turtle.seth(230)
turtle.fd(80)
turtle.seth(90)
turtle.circle(1000, 1)
turtle.seth(-89)
turtle.circle(-1000, 10)
turtle.seth(180)
turtle.fd(70)
turtle.seth(90)
turtle.circle(30, 180)
turtle.seth(180)
turtle.fd(70)
turtle.seth(100)
turtle.circle(-1000, 9)
turtle.seth(-86)
turtle.circle(1000, 2)
turtle.seth(230)
turtle.fd(40)
turtle.circle(-30, 230)
turtle.seth(45)
turtle.fd(81)
turtle.seth(0)
turtle.fd(203)
turtle.circle(5, 90)
turtle.fd(10)
turtle.circle(5, 90)
turtle.fd(7)
turtle.seth(40)
turtle.circle(150, 10)
turtle.seth(30)
turtle.fd(40)
turtle.end_fill()
turtle.seth(70)
turtle.fillcolor('#FFFFFF')
turtle.begin_fill()
turtle.circle(-30)
turtle.end_fill()
flyTo(103.74, -182.59)
turtle.seth(0)
turtle.fillcolor('#FFFFFF')
turtle.begin_fill()
turtle.fd(15)
turtle.circle(-15, 180)
turtle.fd(90)
turtle.circle(-15, 180)
turtle.fd(10)
turtle.end_fill()
flyTo(-96.26, -182.59)
turtle.seth(180)
turtle.fillcolor('#FFFFFF')
turtle.begin_fill()
turtle.fd(15)
turtle.circle(15, 180)
turtle.fd(90)
turtle.circle(15, 180)
turtle.fd(10)
turtle.end_fill()
flyTo(-133.97, -91.81)
turtle.seth(50)
turtle.fillcolor('#FFFFFF')
turtle.begin_fill()
turtle.circle(30)
turtle.end_fill()
flyTo(-103.42, 15.09)
turtle.seth(0)
turtle.fd(38)
turtle.seth(230)
turtle.begin_fill()
turtle.circle(90, 260)
turtle.end_fill()
flyTo(5, -40)
turtle.seth(0)
turtle.fd(70)
turtle.seth(-90)
turtle.circle(-70, 180)
turtle.seth(0)
turtle.fd(70)
flyTo(-103.42, 15.09)
turtle.fd(90)
turtle.seth(70)
turtle.fillcolor('#ffd200')
turtle.begin_fill()
turtle.circle(-20)
turtle.end_fill()
turtle.seth(170)
turtle.fillcolor('#ffd200')
turtle.begin_fill()
turtle.circle(-2, 180)
turtle.seth(10)
turtle.circle(-100, 22)
turtle.circle(-2, 180)
turtle.seth(170)
turtle.circle(100, 22)
turtle.end_fill()
flyTo(-13.42, 15.09)
turtle.seth(250)
turtle.circle(20, 110)
turtle.seth(90)
turtle.fd(15)
turtle.dot(10)
flyTo(0, -150)
drawBlackdrawEye()
def main():
turtle.screensize(800, 6000, '#F0F0F0')
turtle.pensize(3)
turtle.speed(9)
drawAll()
turtle.penup()
turtle.goto(100, -300)
turtle.write('by peak', font=('Bradley Hand ITC', 30, 'bold'))
if __name__ == '__main__':
main()
turtle.mainloop()
print('fVJXNjE0ODBpM2RrZmNSVzYxNDgwaTNka01BSlVPe25oc20=')
# okay decompiling 2.pyc
大部分都是垃圾代码
只看这个:print('fVJXNjE0ODBpM2RrZmNSVzYxNDgwaTNka01BSlVPe25oc20=')
base64解密后是}RW61480i3dkfcRW61480i3dkMAJUO{nhsm
一眼凯撒
再倒序即可
3. 文件分析
给了一个hxx和一个cxx
虽然看不懂pow里面的是什么
但是只要新建一个cxx文件打印就行
#include "22.hxx"
#include <iostream>
#include <cstdlib>
void error()
{
std::cout << "Wrong password" << std::endl;
std::exit(-1);
}
int pow(int x, int n)
{
int ret(1);
for (int i = 1; i <= n; ++i)
ret *= x;
return ret;
}
int main(){
printf("%d\n", pow(I-----I,2) * pow(I-----------I,2) + (I---I));
printf("%d\n", pow(I-------I,2) * pow(I-----I,4) - (I---I));
printf("%d\n", (pow(pow(I-------I,2) * pow(I-----I,3) - (I---I),2) - (I-----I)*(I-------I)));
printf("%d\n", pow((o-------o
| !
! !
! !
o-------o).A,2) * (I-----I)+(I---I));
printf("%d\n", pow((o-----------o
| !
! !
! !
o-----------o).A,2)+(I---I));
printf("%d\n", (pow((o-------------o
| !
! !
! !
o-------------o).A,2)-(I---I))*(I-----I)*pow(I-------I,2));
printf("%d\n", (o-----------o
|L \
| L \
| L \
| o-----------o|!
o | !
L | !
L | !
L| !
o-----------o).V*pow(I-----I,2) - pow((o-------o
| !
! !
o-------o).A,2) + (I---I));
printf("%d\n", (o-----------o
|L \
| L \
| L \
| L \
| L \
| o-----------o
| ! !
o | !
L | !
L | !
L | !
L | !
L| !
o-----------o).V - (I-----I));
printf("%d\n", (o---------------------o
|L \
| L \
| L \
| L \
| L \
| L \
| L \
| L \
| o---------------------o
| ! !
! ! !
o | !
L | !
L | !
L | !
L | !
L | !
L | !
L | !
L| !
o---------------------o).V*(pow(I-------I,2) + (I-----I)) + pow(I-----I,6));
printf("%d\n", (o---------o
|L \
| L \
| L \
| L \
| o---------o
| ! !
! ! !
o | !
L | !
L | !
L | !
L| !
o---------o).V*(I-------I)*pow(I-----I,4)-(I---I));
printf("%d\n", (o-----------o
|L \
| L \
| L \
| L \
| L \
| o-----------o
| ! !
o | !
L | !
L | !
L | !
L | !
L| !
o-----------o).V*pow(I-------I,3) - (I-----------I)*((I-----I)*(I-----------I)+(I---I)));
printf("%d\n", (o-------------o
|L \
| L \
| L \
| L \
| L \
| o-------------o
| ! !
o | !
L | !
L | !
L | !
L | !
L| !
o-------------o).V-(I-----------I));
}
然后z3求解
from z3 import*
s = Solver()
p = [Int('p{}'.format(i)) for i in range(13)]
for i in range(13):
s.add(p[i] <= 128)
s.add(p[0]+p[1] == 101)
s.add(p[1]+p[2] == 143)
s.add(p[0]*p[2] == 5035)
s.add(p[3]+p[5] == 163)
s.add(p[3]+p[4] == 226)
s.add(p[4]*p[5] == 5814)
s.add(p[7]+p[8] == 205)
s.add(p[6]+p[8] == 173)
s.add(p[6]*p[7] == 9744)
s.add(p[9]+p[10]*p[11] == 5375)
s.add(p[10]+p[9]*p[11] == 4670)
s.add(p[9]+p[10] == 205)
s.add(p[12] == 119)
if s.check() == sat:
model = s.model()
solution = [model.eval(p[i]) for i in range(13)]
print("解为:", solution)
else:
print("无解")
# 解为: [53, 48, 95, 112, 114, 51, 84, 116, 89, 95, 110, 48, 119]
arr = [53, 48, 95, 112, 114, 51, 84, 116, 89, 95, 110, 48, 119]
print(bytes(arr))
# 50_pr3TtY_n0w
4. CSMazeee
die查一下发现是C#写的
丢进dnspy里看一下,发现点击100次会进入到一个函数
进入函数,前面就是迷宫的生成
直接动调拿到迷宫
附件:
-
渔网.zip
下载
转载
分享
0 条评论
可输入 255 字
发布投稿
