2024 鹏城杯初赛 re部分wp
joyVBS
先用正则表达式把原来的vbs语法改成python语法,由于代码量太大,只给出一小部分
# Every entry below is one obfuscated character code (a small subtraction or
# exact integer division hiding an ASCII value).  The original emitted them
# one at a time with print(chr(...), end=''); joining them gives the head of
# the de-obfuscated VBS source:  MsgBox "VBScript, often abbreviated as ...
print(
    "".join(
        map(
            chr,
            (
                1646 - 1569, 846170 // 7358, 569487 // 5529, 571824 // 8664,
                8409 - 8298, 2893 - 2773, 7979 - 7947, 3597 - 3563,
                -515 + 601, 489456 // 7416, -4892 + 4975, 4109 - 4010,
                -9287 + 9401, 1007160 // 9592, 152656 // 1363, -2648 + 2764,
                419144 // 9526, 88416 // 2763, 8380 - 8269, 24480 // 240,
                -4597 + 4713, 648 - 547, -8146 + 8256, -9478 + 9510,
                2699 - 2602, -1620 + 1718, -196 + 294, -1186 + 1300,
                -9642 + 9743, 614544 // 5208, -4654 + 4759, 872612 // 8996,
                6703 - 6587, -5002 + 5103, 843300 // 8433, -3604 + 3636,
                -2400 + 2497, -5531 + 5646,
            ),
        )
    ),
    end="",
)
运行得到
' De-obfuscated challenge source (what the print() script above reconstructs).
Call MsgBox("VBScript, often abbreviated as VBS, is an event-driven programming language developed by Microsoft, primarily used for scripting in the Windows environment.")
Call MsgBox("It is based on the Visual Basic programming language and is designed to be simple and easy to use, especially for those familiar with the BASIC programming language.")
Call MsgBox("And for me, it is the first programming language that I've leart")
Call MsgBox("Hackers! Have fun with this VBS challenge!")
flag = InputBox("Enter the FLAG:", "Hack for fun")
' Caesar-shifted base64 of the expected flag; it is decoded at runtime and
' compared with the input (see the If at the bottom of the script).
wefbuwiue = "NalvN3hKExBtALBtInPtNHTnKJ80L3JtqxTboRA/MbF3LnT0L2zHL2SlqnPtJLAnFbIlL2SnFT8lpzFzA2JHrRTiNmT9"
qwfe = 14 ' written 9+2+2+1 in the original; the Caesar shift used later is 26 - qwfe = 12
' Base64-decode a string and return the result as UTF-8 text.
' MSXML does the base64 -> bytes step (the nodeTypedValue of a bin.base64
' node is the decoded byte array); ADODB.Stream then re-reads those bytes
' as UTF-8 text.
Function Base64Decode(base64EncodedString)
    Dim doc, node, binStream
    Set doc = CreateObject("MSXML2.DOMDocument")
    Set node = doc.createElement("tmp")
    node.dataType = "bin.base64"
    node.text = base64EncodedString
    Set binStream = CreateObject("ADODB.Stream")
    With binStream
        .Type = 1 ' adTypeBinary
        .Open
        .Write node.nodeTypedValue
        .Position = 0
        .Type = 2 ' adTypeText
        .Charset = "utf-8"
        Base64Decode = .ReadText
        .Close
    End With
End Function
' Shift every ASCII letter of str forward by offset positions (wrapping
' within A-Z / a-z); every other character is copied through unchanged.
' NOTE: VBScript's Mod keeps the sign of the dividend, so a negative
' offset is not normalised here -- the script only ever calls this with 12.
Function Caesar(str,offset)
    Dim pos, ch, base
    Caesar = ""
    For pos = 1 To Len(str)
        ch = Mid(str, pos, 1)
        base = 0
        If ch >= "A" And ch <= "Z" Then
            base = Asc("A")
        ElseIf ch >= "a" And ch <= "z" Then
            base = Asc("a")
        End If
        If base = 0 Then
            Caesar = Caesar & ch
        Else
            Caesar = Caesar & Chr(base + (Asc(ch) - base + offset) Mod 26)
        End If
    Next
End Function
' The expected flag is rebuilt at runtime (Caesar shift 26-14 = 12, then
' base64-decode) and compared with the input, so the right-hand side of
' the comparison *is* the flag -- no need to brute-force anything.
If flag <> Base64Decode(Caesar(wefbuwiue, 26-qwfe)) Then
    MsgBox "Wrong flag."
Else
    MsgBox "Congratulations! Correct FLAG!"
End If
这显然是把常量正向还原(Caesar 移位 26-14=12,再 Base64 解码)之后与输入比较,只需要去掉比较、把还原结果直接 MsgBox 出来,程序就会自动输出 flag
' Caesar-shifted base64 of the flag (same constant as in the original script).
wefbuwiue = "NalvN3hKExBtALBtInPtNHTnKJ80L3JtqxTboRA/MbF3LnT0L2zHL2SlqnPtJLAnFbIlL2SnFT8lpzFzA2JHrRTiNmT9"
qwfe = 14 ' 9+2+2+1 in the original; the Caesar shift used below is 26 - qwfe = 12
' Base64-decode a string and return the result as UTF-8 text.
' MSXML does the base64 -> bytes step (the nodeTypedValue of a bin.base64
' node is the decoded byte array); ADODB.Stream then re-reads those bytes
' as UTF-8 text.
Function Base64Decode(base64EncodedString)
    Dim doc, node, binStream
    Set doc = CreateObject("MSXML2.DOMDocument")
    Set node = doc.createElement("tmp")
    node.dataType = "bin.base64"
    node.text = base64EncodedString
    Set binStream = CreateObject("ADODB.Stream")
    With binStream
        .Type = 1 ' adTypeBinary
        .Open
        .Write node.nodeTypedValue
        .Position = 0
        .Type = 2 ' adTypeText
        .Charset = "utf-8"
        Base64Decode = .ReadText
        .Close
    End With
End Function
' Shift every ASCII letter of str forward by offset positions (wrapping
' within A-Z / a-z); every other character is copied through unchanged.
' NOTE: VBScript's Mod keeps the sign of the dividend, so a negative
' offset is not normalised here -- the script only ever calls this with 12.
Function Caesar(str,offset)
    Dim pos, ch, base
    Caesar = ""
    For pos = 1 To Len(str)
        ch = Mid(str, pos, 1)
        base = 0
        If ch >= "A" And ch <= "Z" Then
            base = Asc("A")
        ElseIf ch >= "a" And ch <= "z" Then
            base = Asc("a")
        End If
        If base = 0 Then
            Caesar = Caesar & ch
        Else
            Caesar = Caesar & Chr(base + (Asc(ch) - base + offset) Mod 26)
        End If
    Next
End Function
' Run the check "forward": compute the value the original script compared
' the input against, and just display it.
flag = Base64Decode(Caesar(wefbuwiue, 26 - qwfe))
Call MsgBox(flag)
exec
附件代码量太大,直接用python运行却报错,报错说少了一个引号,这应该是出题人故意的,没办法,开始解这个套娃代码
经过
base64解密,base85解密,base85解密,base32解密,base64解密,base32解密,base85解密,base85解密,base32解密,base64解密,base32解密,base85解密,base85解密,base32解密,base32解密,base85解密,base85解密,base85解密,base85解密,base85解密,base64解密,base32解密,base64解密,base85解密,base64解密,base32解密,base85解密,base85解密,base85解密
后,得到
# Single-letter aliases left behind by the obfuscator.  They are kept because
# the entry point below still refers to them:
#   a=True  d=len  G=list  g=range  s=next  R=bytes  o=input  Y=print
a, d, G, g, s, R, o, Y = True, len, list, range, next, bytes, input, print


def l(S):
    """RC4 PRGA: yield keystream bytes forever, permuting S in place.

    S is the 256-entry permutation produced by the key scheduling in N().
    """
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) % 256]


def N(key, O):
    """Tweaked RC4 over the bytes of O under `key`.

    Standard RC4 key scheduling, then every byte of O is XORed with
    (keystream byte + 2).  Operator precedence in the original,
    `k ^ s(z) + 2`, puts the +2 on the keystream byte *before* the XOR, so
    the transform is its own inverse: N(key, N(key, O)) == O.
    As in the original, bytes() raises ValueError when a keystream byte is
    254 or 255, because the XOR operand then exceeds 255.
    """
    key_len = len(key)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % key_len]) % 256
        S[i], S[j] = S[j], S[i]
    stream = l(S)
    return bytes(byte ^ (next(stream) + 2) for byte in O)


def E(s, parts_num):
    """Cut bytes `s` into `parts_num` consecutive slices, as evenly as possible.

    The slice lengths are derived from len(s.decode()) -- the *character*
    count -- while the slicing itself is done on the raw bytes, so for
    non-ASCII input the slices do not cover the whole buffer.  The first
    (character count % parts_num) slices are one byte longer than the rest.
    """
    total = len(s.decode())
    base, longer = divmod(total, parts_num)
    parts = []
    start = 0
    for idx in range(parts_num):
        stop = start + base + (1 if idx < longer else 0)
        parts.append(s[start:stop])
        start = stop
    return parts
if __name__ == '__main__':
    flag_bytes = input('input the flag: >>> ').encode()
    # The challenge validates with a bare assert (stripped under -O); E()
    # only produces two equal-sized halves when the length is even.
    assert len(flag_bytes) % 2 == 0, 'flag length should be even'
    secret = b'v3ry_s3cr3t_p@ssw0rd'
    expected = [
        '1796972c348bc4fe7a1930b833ff10a80ab281627731ab705dacacfef2e2804d74ab6bc19f60',
        '2ea999141a8cc9e47975269340c177c726a8aa732953a66a6af183bcd9cec8464a',
    ]
    # Each half is encrypted independently under the same key and compared as hex.
    produced = [N(secret, half).hex() for half in E(flag_bytes, 2)]
    if produced == expected:
        print('Congratulations! You got the flag!')
    else:
        print('Wrong flag!')
分析可知,核心只有一个魔改的 RC4:E() 先按字符数把 flag 平均切成两段(所以长度必须为偶数),再用同一个密钥分别加密并转成 hex 比较,因此只需把两段密文分别解密再拼接即可。
RC4 只魔改了一处:`n.append(k^s(z)+2)` 按运算符优先级是 `k ^ (K+2)`,即密钥流字节先加 2 再与明文异或,所以解密就是用同一密钥把同样的变换再跑一遍。另外注意,E() 对偶数长度输入产生两段等长切片,两段密文理应等长,而文中抄录的两段 hex 分别是 38 字节和 33 字节——很可能是转录有误,动手前请以附件里的原始密文为准。
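# Hex of the two ciphertext halves the challenge compares against (the two
# entries of the list in its __main__ block).  Convert with bytes.fromhex()
# rather than int + long_to_bytes(): the int route silently drops any
# leading 0x00 bytes of a ciphertext (not the case for these two values,
# but wrong in general) and pulls in pycryptodome for nothing.
x = [
    "1796972c348bc4fe7a1930b833ff10a80ab281627731ab705dacacfef2e2804d74ab6bc19f60",
    "2ea999141a8cc9e47975269340c177c726a8aa732953a66a6af183bcd9cec8464a",
]
for part in x:
    print(bytes.fromhex(part))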
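# Decrypt one ciphertext half of the "exec" challenge.
# Put the bytes printed by the previous script into `enc`, e.g.
#   enc = bytes.fromhex("1796972c...")
# run once per half and concatenate the two outputs to get the flag.


def modified_rc4(data: bytes, key: bytes) -> bytes:
    """Apply the challenge's tweaked RC4 to `data` under `key`.

    Standard KSA/PRGA; each byte is XORed with (keystream byte + 2).  The
    +2 lands on the keystream byte before the XOR, so the transform is an
    involution: running it on ciphertext with the same key yields plaintext.

    Raises ValueError if an output byte would exceed 255 (keystream byte
    254 or 255).  The challenge's encryptor fails the same way, so genuine
    ciphertext never triggers this; garbage input may.
    """
    key_len = len(key)
    # KSA
    s_box = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s_box[i] + key[i % key_len]) % 256
        s_box[i], s_box[j] = s_box[j], s_box[i]
    # PRGA + tweaked XOR
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s_box[i]) % 256
        s_box[i], s_box[j] = s_box[j], s_box[i]
        k = s_box[(s_box[i] + s_box[j]) % 256]
        out.append(byte ^ (k + 2))
    return bytes(out)


enc = b''
key = "v3ry_s3cr3t_p@ssw0rd"
# The original joined chr() of each byte, which is exactly a latin-1 decode.
cipher = modified_rc4(enc, key.encode()).decode("latin-1")
print(cipher)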
把两部分拼起来即可
Rafflesia
先查壳,32位无壳
ida打开有花指令,去除后反编译得到
// IDA pseudocode of the flag check, after the junk instructions were removed.
// Decompiler output, not valid C as-is: v3 and v4 are used before being set and
// the qmemcpy length "4 * v3 + 1" is an artifact (the literal is 56 bytes, which
// matches the 0x38 passed to memcmp below).
int __cdecl main_0(int argc, const char **argv, const char **envp)
{
int v3; // ecx
int v4; // edi
size_t v5; // eax  -- length of the user input
char v7; // [esp+0h] [ebp-280h]
char v8; // [esp+0h] [ebp-280h]
char Str[52]; // [esp+ECh] [ebp-194h] BYREF  -- user input
unsigned int v10; // [esp+120h] [ebp-160h]
char Buf2[136]; // [esp+12Ch] [ebp-154h] BYREF  -- transformed user input
char v12[136]; // [esp+1B4h] [ebp-CCh] BYREF  -- filled by sub_411352, never read again here
char Buf1[64]; // [esp+23Ch] [ebp-44h] BYREF  -- 56-byte comparison target
v7 = -8;
*(_DWORD *)(v3 + 14) = v4; // decompiler artifact (v3/v4 uninitialised); ignore
// Expected value of the transformed input.  Per the analysis below this is the
// flag run through custom-alphabet base64 and then XORed with 0x18.
qmemcpy(Buf1, "H@^jHwpsH)[jH{M/\\tBBK_|-O{W.iJZ7\\)|~zaB^H+Lwv{SS|-j@\\_[Y", 4 * v3 + 1);
// Some transform of Buf1 into v12 that returns a length; the length is
// range-checked against the 136-byte buffer (MSVC __report_rangecheckfailure)
// and NUL-terminated.  v12 is not used afterwards in this listing.
v10 = sub_411352(Buf1, v12);
if ( v10 >= 0x80 )
j____report_rangecheckfailure(4268536);
v12[v10] = 0;
// sub_4110E6 is only ever passed message strings ("input flag:", "win...",
// "nonono"), so it looks like a printf wrapper, not the cipher routine.
sub_4110E6("input flag:", v7);
// Presumably scanf-like: reads the flag into Str[52] with no width limit, so the
// challenge binary itself can be overflowed by a long input (irrelevant to the
// solve).  The odd "%s42" format is reproduced from IDA as-is -- TODO confirm.
sub_4113FC("%s42", Str);
j_strlen(Str);
v5 = j_strlen(Str);
// Transforms the input (v5 bytes) into Buf2: per the writeup this is base64
// with a custom table followed by an XOR -- TODO confirm by stepping through it.
sub_4111E0(Str, Buf2, v5);
// The flag is accepted when the first 0x38 = 56 bytes match the target.
if ( !j_memcmp(Buf1, Buf2, 0x38u) )
sub_4110E6("win!!!!!!!!!!!!!!!!!!\n", v8);
else
sub_4110E6("nonono\n", v8);
system("pause");
return 0;
}
其中对 Str 做变换的函数点进去看是 base64 加密,同时还有一次异或操作(从伪代码的调用方式看,sub_4110E6 只接收提示字符串,更像 printf 一类的输出函数;真正把 Str 变换到 Buf2 的应是 sub_4111E0(Str, Buf2, len),文中原写作 sub_4110e6,请以实际反汇编为准)。调试时发现有反调试,修改逻辑绕过后,得到 base64 的换表:“HElRNYGmBOMWnbDvUCgcpu1QdPqJIS+iTry39KXse4jLh/x26Ff5Z7Vokt8wzAa0”
换表解密代码:
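#include <cstdio>
#include <string>

// XOR every byte of `in` with `key`.  The binary XORs its custom-base64 output
// with 0x18 before the memcmp, so applying the same XOR to the comparison
// target recovers the base64 text.
std::string xor_bytes(const std::string& in, unsigned char key)
{
    std::string out(in);
    for (char& c : out) {
        c = static_cast<char>(static_cast<unsigned char>(c) ^ key);
    }
    return out;
}

int main()
{
    // 56-byte comparison target copied from Buf1 in main_0 (memcmp length 0x38).
    // std::string carries its own length, so the old enc[57] / loop-to-56 pair
    // can no longer drift apart.  (<cstdio> is what printf/fwrite actually need;
    // the original relied on <iostream> pulling it in transitively.)
    const std::string enc = "H@^jHwpsH)[jH{M/\\tBBK_|-O{W.iJZ7\\)|~zaB^H+Lwv{SS|-j@\\_[Y";
    const std::string b64 = xor_bytes(enc, 0x18);
    // fwrite rather than printf("%s"): a zero byte in the output would truncate it.
    fwrite(b64.data(), 1, b64.size(), stdout);
    putchar('\n');
    // Remaining step: base64-decode `b64` with the custom alphabet
    // HElRNYGmBOMWnbDvUCgcpu1QdPqJIS+iTry39KXse4jLh/x26Ff5Z7Vokt8wzAa0
    // (CyberChef "From Base64" with that alphabet).
    return 0;
}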
最后用赛博厨子(CyberChef)按上面的换表做 Base64 解码即可;也可以在 Python 里直接做:`base64.b64decode(s.translate(str.maketrans(custom, std)))`,其中 custom 是上面的换表,std 是标准表 `A-Za-z0-9+/`。