Javis-OJ-wp

The challenges on Javis OJ are quite good and worth studying carefully.

re

Findkey

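Checking the file with DIE shows that it is a pyc file. uncompyle6 decompiles it directly, with no protection applied, so let's look at the code: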

import sys
lookup = [
196, 153, 149, 206, 17, 221, 10, 217, 167, 18, 36, 135, 103, 61, 111, 31, 92, 152, 21, 228, 105, 191, 173, 41, 2, 245, 23, 144, 1, 246, 89, 178, 182, 119, 38, 85, 48, 226, 165, 241, 166, 214, 71, 90, 151, 3, 109, 169, 150, 224, 69, 156, 158, 57, 181, 29, 200, 37, 51, 252, 227, 93, 65, 82, 66, 80, 170, 77, 49, 177, 81, 94, 202, 107, 25, 73, 148, 98, 129, 231, 212, 14, 84, 121, 174, 171, 64, 180, 233, 74, 140, 242, 75, 104, 253, 44, 39, 87, 86, 27, 68, 22, 55, 76, 35, 248, 96, 5, 56, 20, 161, 213, 238, 220, 72, 100, 247, 8, 63, 249, 145, 243, 155, 222, 122, 32, 43, 186, 0, 102, 216, 126, 15, 42, 115, 138, 240, 147, 229, 204, 117, 223, 141, 159, 131, 232, 124, 254, 60, 116, 46, 113, 79, 16, 128, 6, 251, 40, 205, 137, 199, 83, 54, 188, 19, 184, 201, 110, 255, 26, 91, 211, 132, 160, 168, 154, 185, 183, 244, 78, 33, 123, 28, 59, 12, 210, 218, 47, 163, 215, 209, 108, 235, 237, 118, 101, 24, 234, 106, 143, 88, 9, 136, 95, 30, 193, 176, 225, 198, 197, 194, 239, 134, 162, 192, 11, 70, 58, 187, 50, 67, 236, 230, 13, 99, 190, 208, 207, 7, 53, 219, 203, 62, 114, 127, 125, 164, 179, 175, 112, 172, 250, 133, 130, 52, 189, 97, 146, 34, 157, 120, 195, 45, 4, 142, 139]
pwda = [
188, 155, 11, 58, 251, 208, 204, 202, 150, 120, 206, 237, 114, 92, 126, 6, 42]
pwdb = [53, 222, 230, 35, 67, 248, 226, 216, 17, 209, 32, 2, 181, 200, 171, 60, 108]
flag = raw_input('Input your Key:').strip()
if len(flag) != 17:
    print 'Wrong Key!!'
    sys.exit(1)
flag = flag[::-1]
for i in range(0, len(flag)):
    if ord(flag[i]) + pwda[i] & 255 != lookup[(i + pwdb[i])]:
        print 'Wrong Key!!'
        sys.exit(1)

print 'Congratulations!!'

A simple script inverts the check:

lookup = [
196, 153, 149, 206, 17, 221, 10, 217, 167, 18, 36, 135, 103, 61, 111, 31, 92, 152, 21, 228, 105, 191, 173, 41, 2,
245, 23, 144, 1, 246, 89, 178, 182, 119, 38, 85, 48, 226, 165, 241, 166, 214, 71, 90, 151, 3, 109, 169, 150, 224,
69, 156, 158, 57, 181, 29, 200, 37, 51, 252, 227, 93, 65, 82, 66, 80, 170, 77, 49, 177, 81, 94, 202, 107, 25, 73,
148, 98, 129, 231, 212, 14, 84, 121, 174, 171, 64, 180, 233, 74, 140, 242, 75, 104, 253, 44, 39, 87, 86, 27, 68, 22,
55, 76, 35, 248, 96, 5, 56, 20, 161, 213, 238, 220, 72, 100, 247, 8, 63, 249, 145, 243, 155, 222, 122, 32, 43, 186,
0, 102, 216, 126, 15, 42, 115, 138, 240, 147, 229, 204, 117, 223, 141, 159, 131, 232, 124, 254, 60, 116, 46, 113,
79, 16, 128, 6, 251, 40, 205, 137, 199, 83, 54, 188, 19, 184, 201, 110, 255, 26, 91, 211, 132, 160, 168, 154, 185,
183, 244, 78, 33, 123, 28, 59, 12, 210, 218, 47, 163, 215, 209, 108, 235, 237, 118, 101, 24, 234, 106, 143, 88, 9,
136, 95, 30, 193, 176, 225, 198, 197, 194, 239, 134, 162, 192, 11, 70, 58, 187, 50, 67, 236, 230, 13, 99, 190, 208,
207, 7, 53, 219, 203, 62, 114, 127, 125, 164, 179, 175, 112, 172, 250, 133, 130, 52, 189, 97, 146, 34, 157, 120,
195, 45, 4, 142, 139]
pwda = [
188, 155, 11, 58, 251, 208, 204, 202, 150, 120, 206, 237, 114, 92, 126, 6, 42]
pwdb = [53, 222, 230, 35, 67, 248, 226, 216, 17, 209, 32, 2, 181, 200, 171, 60, 108]
flag = ''
for i in range(17):
    index = 16 - i
    flag += chr((lookup[(index + pwdb[index])] - pwda[index]) & 255)
print(flag)

# PCTF{PyC_Cr4ck3r}

Classical Crackme

This challenge is obfuscated with Confuser. Removing the packer is somewhat difficult, so look at the code first:

private void \u202C\u200B\u206A\u202A\u206D\u206B\u202D\u206F\u202D\u200C\u200E\u206B\u202E\u202E\u202C\u202B\u206A\u206D\u206E\u202B\u206E\u200F\u202D\u200E\u202C\u200F\u200D\u200F\u202B\u200C\u202A\u206D\u206A\u206E\u202D\u200D\u200C\u206B\u202A\u202D\u202E(object A_1, EventArgs A_2)
{
    string s = this.\u200E\u206F\u206A\u200F\u206E\u202C\u206C\u200C\u206A\u200B\u206E\u202D\u206B\u202D\u200F\u206B\u202B\u200C\u206B\u202D\u206D\u202B\u206B\u200C\u206F\u206D\u206A\u202D\u200F\u202E\u200B\u206D\u202C\u200D\u200D\u202C\u200F\u202E\u202E\u206A\u202E.Text.ToString();
    byte[] bytes = Encoding.Default.GetBytes(s);
    string a = Convert.ToBase64String(bytes);
    string b = "UENURntFYTV5X0RvX05ldF9DcjRjazNyfQ==";
    if (a == b)
    {
        MessageBox.Show("注册成功!", "提示", MessageBoxButtons.OK);
    }
    else
    {
        MessageBox.Show("注册失败!", "提示", MessageBoxButtons.OK, MessageBoxIcon.Hand);
    }
}

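The key part simply Base64-encodes the input and compares it directly with a hard-coded string, so Base64-decoding that string is all that is needed.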

Classic Crackme2

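This challenge is much like the previous one, again C# plus Confuser, but this time finding the key code directly is somewhat difficult, so solve it by debugging: set a breakpoint in the main function.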

Classic_Crackme-1

The strange string name at the breakpoint should be the key class. Start debugging and step into it.

While debugging, the key comparison shows up:

Classic_Crackme-2

text1 is our input; now look at what text2 is.

Classic_Crackme-3

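The encryption is AES in ECB mode, the padding scheme is also known, and the key can be read from the Locals window. There should be one more comparison at the end, so keep debugging.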

Classic_Crackme-4

Our input is encrypted and then compared with another string, so a script can recover the flag:

import base64
from Crypto.Cipher import AES

cipher = "x/nzolo0TTIyrEISd4AP1spCzlhSWJXeNbY81SjPgmk="
cipher = base64.b64decode(cipher)
key = b"pctf2016pctf2016pctf2016pctf2016"  # AES.new() needs a bytes key on Python 3
cryptor = AES.new(key, AES.MODE_ECB)
plain_text = cryptor.decrypt(cipher)
print(plain_text)

#b'PCTF{Dot_Net_UnPack3r_yoo}\x06\x06\x06\x06\x06\x06'

Smali

I'm still not very comfortable with Smali syntax, but this challenge is fairly simple and easy to read: it is again plain AES encryption.

import base64
from Crypto.Cipher import AES

cipher = "sSNnx1UKbYrA1+MOrdtDTA=="
cipher = base64.b64decode(cipher)
key = "cGhyYWNrICBjdGYgMjAxNg=="
key = base64.b64decode(key)
cryptor = AES.new(key, AES.MODE_ECB)
plain_text = cryptor.decrypt(cipher)
print(plain_text)

#b'PCTF{Sm4liRiver}'
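
Classical Crackme, Classic Crackme2 and Smali all come down to constants embedded in the program. As an added example (not part of the original write-up), the script below scans decompiled source text for Base64 string literals and classifies what each one decodes to. The sample snippet and its variable names are constructed; only the literals come from the challenges above.

```python
import base64
import re

# Constructed sample: the literals are the ones quoted in this write-up,
# the surrounding variable names and statements are made up for the example.
SAMPLE = '''
string b = "UENURntFYTV5X0RvX05ldF9DcjRjazNyfQ==";
string expected = "x/nzolo0TTIyrEISd4AP1spCzlhSWJXeNbY81SjPgmk=";
const-string v0, "cGhyYWNrICBjdGYgMjAxNg=="
const-string v1, "sSNnx1UKbYrA1+MOrdtDTA=="
string title = "Classic Crackme";
'''

B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{8,}={0,2})"')
AES_KEY_SIZES = (16, 24, 32)


def classify(raw: bytes) -> str:
    """Guess what a decoded constant is from its bytes alone."""
    printable = all(0x20 <= b < 0x7F for b in raw)
    if printable and len(raw) in AES_KEY_SIZES:
        return "text, AES-key-sized"
    if printable:
        return "text"
    if len(raw) % 16 == 0:
        return "binary, AES-block-aligned"
    return "binary"


def scan(source: str):
    """Return (literal, decoded bytes, classification) per Base64 literal."""
    findings = []
    for match in B64_LITERAL.finditer(source):
        literal = match.group(1)
        if len(literal) % 4:
            continue  # not a complete Base64 string
        try:
            raw = base64.b64decode(literal, validate=True)
        except ValueError:
            continue  # alphabet matched but the string does not decode
        findings.append((literal, raw, classify(raw)))
    return findings


if __name__ == "__main__":
    for literal, raw, kind in scan(SAMPLE):
        print(f"{kind:28} {len(raw):3} bytes  {literal}")
```

Printable results are embedded secrets in plain sight, and block-aligned binary next to a key-sized string is the pattern seen in Classic Crackme2 and Smali.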