VNCTF 2022 wp

题目质量还不错,断断续续做了一天,最后第9也还可以。

misc

问卷

填问卷

仔细找找

图片转成黑白,可以直接看到flag

1

vnctf{34aE@w}

Web

GameV4.0

源码data里找到flag

2

解一下base64得到flag

3

Crypto

ezmath

满足
$$
2^n-1\equiv 0\pmod{15}
$$
只需要满足 n=4x,因为
$$
2^{4x}-1\equiv 0\pmod{15}
$$

$$
16^x-1\equiv 0\pmod{15}
$$

$$
(15+1)^x-1\equiv 0\pmod{15}
$$

$$
\sum_{k=0}^{x}\binom{x}{k}15^k-1\equiv 0\pmod{15}
$$

$$
\sum_{k=1}^{x}\binom{x}{k}15^k\equiv 0\pmod{15}
$$

最后一个和式的每一项都含有因子 15,所以满足要求,解析出来数字直接乘4就可以了

from pwn import *
from pwnlib.util.iters import mbruteforce
import re
import hashlib
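# Solver for the ezmath service: pass the proof of work, then answer 777
# rounds with 4*n (2**n - 1 is divisible by 15 whenever n is a multiple of 4).
import string  # explicit: the original relied on `from pwn import *` re-exporting it

p = remote("node4.buuoj.cn", 26203)

# Proof of work. The banner is matched as "...XXXX+<suffix>) == <digest>":
# find the 4-character prefix whose SHA-256 together with the suffix equals
# the digest the server printed.
s = p.recvline().decode()
res = re.findall(r'XXXX\+(.*)\) == (.*)\n', s)[0]
part1 = res[0]
part2 = res[1]

charset = string.ascii_letters + string.digits
proof = mbruteforce(
    lambda x: hashlib.sha256((x + part1).encode()).hexdigest() == part2,
    charset, 4, method='fixed')
p.recvuntil(b":")
p.sendline(proof.encode())

# The loop body lost its indentation in the published listing, which made
# the script unparseable; it is restored here.
for i in range(777):
    p.recvuntil(b"the ")
    # The number is read up to the next "t" and that delimiter is dropped.
    n = p.recvuntil(b"t")[:-1]
    # print(n)
    p.recv()
    p.sendline(str(4 * int(n)).encode())

print(p.recv())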

re

BabyMaze

pyc文件,字节码开头被插入了花指令(垃圾字节码),直接反编译会卡死;去掉花指令后可以反编译,不过程序不难,直接读字节码也能很容易看懂

0       LOAD_CONST              1: 1
2 STORE_FAST 0: x
4 LOAD_CONST 1: 1
6 STORE_FAST 1: y
8 LOAD_GLOBAL 0: input
10 CALL_FUNCTION 0
12 STORE_FAST 2: step
14 LOAD_GLOBAL 1: range
16 LOAD_GLOBAL 2: len
18 LOAD_FAST 2: step
20 CALL_FUNCTION 1
22 CALL_FUNCTION 1
24 GET_ITER
26 FOR_ITER 142 (to 170)
28 STORE_FAST 3: i
30 LOAD_FAST 2: step
32 LOAD_FAST 3: i
34 BINARY_SUBSCR
36 LOAD_CONST 2: 'w'
38 COMPARE_OP 2 (==)
40 POP_JUMP_IF_FALSE 52
42 LOAD_FAST 0: x
44 LOAD_CONST 1: 1
46 INPLACE_SUBTRACT
48 STORE_FAST 0: x
50 JUMP_FORWARD 72 (to 124)
52 LOAD_FAST 2: step
54 LOAD_FAST 3: i
56 BINARY_SUBSCR
58 LOAD_CONST 3: 's'
60 COMPARE_OP 2 (==)
62 POP_JUMP_IF_FALSE 74
64 LOAD_FAST 0: x
66 LOAD_CONST 1: 1
68 INPLACE_ADD
70 STORE_FAST 0: x
72 JUMP_FORWARD 50 (to 124)
74 LOAD_FAST 2: step
76 LOAD_FAST 3: i
78 BINARY_SUBSCR
80 LOAD_CONST 4: 'a'
82 COMPARE_OP 2 (==)
84 POP_JUMP_IF_FALSE 96
86 LOAD_FAST 1: y
88 LOAD_CONST 1: 1
90 INPLACE_SUBTRACT
92 STORE_FAST 1: y
94 JUMP_FORWARD 28 (to 124)
96 LOAD_FAST 2: step
98 LOAD_FAST 3: i
100 BINARY_SUBSCR
102 LOAD_CONST 5: 'd'
104 COMPARE_OP 2 (==)
106 POP_JUMP_IF_FALSE 118
108 LOAD_FAST 1: y
110 LOAD_CONST 1: 1
112 INPLACE_ADD
114 STORE_FAST 1: y
116 JUMP_FORWARD 6 (to 124)
118 POP_TOP
120 LOAD_CONST 6: False
122 RETURN_VALUE
124 LOAD_GLOBAL 3: _map
126 LOAD_FAST 0: x
128 BINARY_SUBSCR
130 LOAD_FAST 1: y
132 BINARY_SUBSCR
134 LOAD_CONST 1: 1
136 COMPARE_OP 2 (==)
138 POP_JUMP_IF_FALSE 146
140 POP_TOP
142 LOAD_CONST 6: False
144 RETURN_VALUE
146 LOAD_FAST 0: x
148 LOAD_CONST 7: 29
150 COMPARE_OP 2 (==)
152 POP_JUMP_IF_FALSE 26
154 LOAD_FAST 1: y
156 LOAD_CONST 7: 29
158 COMPARE_OP 2 (==)
160 POP_JUMP_IF_FALSE 26
162 POP_TOP
164 LOAD_CONST 8: True
166 RETURN_VALUE
168 JUMP_ABSOLUTE 26
170 LOAD_CONST 0: None
172 RETURN_VALUE

wasd移动(w/s 改变 x,a/d 改变 y),起点是 (1,1),_map[x][y]==1 的格子是墙,走到 (29,29) 返回 True。导出地图,发现地图很小没必要写深搜,手动走一遍就行了

import hashlib

# Move sequence (w/a/s/d) obtained by walking the exported maze by hand.
ans = "ssssddssaassddddwwwwddwwddddddwwddddddssddwwddddddddssssaawwaassaassaassddssaassaawwwwwwaaaaaaaassaassddddwwddssddssssaassddssssaaaaaawwddwwaawwwwaassssssssssssddddssddssddddddddwwaaaaaawwwwddssddwwwwwwwwddssddssssssssddddss"

# MD5 is used here only to derive a digest of the path.
# NOTE(review): presumably the flag is built from this digest; confirm
# against the challenge statement.
m = hashlib.md5(ans.encode())
print(m.hexdigest())

cm狗

vm,简单解析一下指令看看程序是不是很复杂

opcodes = [0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000057, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000065, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x0000006C, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000063, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x0000006F, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x0000006D, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000065, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000020, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000074, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x0000006F, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000020, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000056, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x0000004E, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000043, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000054, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000046, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000032, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000030, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000032, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000032, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000021, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x0000000A, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000069, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x0000006E, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000070, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000075, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000074, 
0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000020, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000066, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x0000006C, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000061, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000067, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x0000003A, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x0000000A, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000013, 0x00000049, 0x00000001, 0x00000003, 0x00000000, 0x00000001, 0x00000001, 0x0000002B, 0x00000001, 0x00000002, 0x00000001, 0x00000061, 0x00000000, 0x00000000, 0x00000005, 0x00000000, 0x00000000, 0x00000008, 0x00000001, 0x00000002, 0x0000000E, 0x00000001, 0x00000003, 0x00000001, 0x00000000, 0x00000000, 0x00000005, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000001, 0x00000005, 0x00000100, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000006, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000006, 0x00000000, 0x00000002, 0x00000000, 0x00000006, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000006, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000006, 0x00000000, 0x00000002, 0x00000000, 0x00000006, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000006, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000006, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000001, 0x00000005, 0x00000100, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000007, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000007, 0x00000000, 0x00000002, 0x00000000, 0x00000007, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000007, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000007, 0x00000000, 0x00000002, 
0x00000000, 0x00000007, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000007, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000007, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000001, 0x00000005, 0x00000100, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000008, 0x00000000, 0x00000002, 0x00000000, 0x00000008, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000008, 0x00000000, 0x00000002, 0x00000000, 0x00000008, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000008, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000008, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000001, 0x00000005, 0x00000100, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000009, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000009, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000009, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000009, 0x00000000, 0x00000002, 0x00000000, 0x00000009, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000009, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000009, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000001, 0x00000005, 0x00000100, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000A, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000A, 0x00000000, 0x00000002, 0x00000000, 0x0000000A, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000A, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000A, 0x00000000, 0x00000002, 0x00000000, 0x0000000A, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000A, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000A, 
0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000001, 0x00000005, 0x00000100, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000B, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000B, 0x00000000, 0x00000002, 0x00000000, 0x0000000B, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000B, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000B, 0x00000000, 0x00000002, 0x00000000, 0x0000000B, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000B, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000B, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000001, 0x00000005, 0x00000100, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000C, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000C, 0x00000000, 0x00000002, 0x00000000, 0x0000000C, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000C, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000C, 0x00000000, 0x00000002, 0x00000000, 0x0000000C, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000C, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000C, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000001, 0x00000005, 0x00000100, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000D, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000D, 0x00000000, 0x00000002, 0x00000000, 0x0000000D, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000D, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000D, 0x00000000, 0x00000002, 0x00000000, 0x0000000D, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000D, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000D, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000001, 0x00000005, 0x00000100, 0x0000000A, 0x00000000, 0x00000005, 
0x00000002, 0x0000000E, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000E, 0x00000000, 0x00000002, 0x00000000, 0x0000000E, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000E, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000E, 0x00000000, 0x00000002, 0x00000000, 0x0000000E, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000E, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000E, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000001, 0x00000005, 0x00000100, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000F, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000F, 0x00000000, 0x00000002, 0x00000000, 0x0000000F, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000F, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000F, 0x00000000, 0x00000002, 0x00000000, 0x0000000F, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x0000000F, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x0000000F, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000001, 0x00000005, 0x00000100, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000010, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000010, 0x00000000, 0x00000002, 0x00000000, 0x00000010, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000010, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000010, 0x00000000, 0x00000002, 0x00000000, 0x00000010, 0x0000000A, 0x00000000, 0x00000005, 0x00000002, 0x00000010, 0x00000000, 0x00000006, 0x00000000, 0x00000000, 0x00000007, 0x00000010, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000005, 0x00000006, 0x00000000, 0x00000005, 0x00000007, 0x00000000, 0x00000005, 0x00000008, 0x00000000, 0x00000005, 0x00000009, 0x00000000, 0x00000005, 0x0000000A, 0x00000000, 0x00000005, 0x0000000B, 0x00000000, 0x00000005, 0x0000000C, 0x00000000, 0x00000005, 
0x0000000D, 0x00000000, 0x00000005, 0x0000000E, 0x00000000, 0x00000005, 0x0000000F, 0x00000000, 0x00000005, 0x00000010, 0x00000000, 0x00000006, 0x00000001, 0x00000000, 0x00000006, 0x00000002, 0x00000000, 0x00000001, 0x00000014, 0x0000011C, 0x00000001, 0x00000000, 0x00000154, 0x0000000C, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0xE8D1D5DF, 0x00000001, 0x00000013, 0x00000183, 0x00000001, 0x00000014, 0x00000153, 0x0000000E, 0x00000001, 0x00000000, 0x00000001, 0x00000000, 0xF5E3C114, 0x0000000E, 0x00000002, 0x00000000, 0x00000006, 0x00000001, 0x00000000, 0x00000006, 0x00000002, 0x00000000, 0x00000001, 0x00000014, 0x00000127, 0x00000001, 0x00000000, 0x00000154, 0x0000000C, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x228EC216, 0x00000001, 0x00000013, 0x00000183, 0x00000001, 0x00000014, 0x00000153, 0x0000000E, 0x00000001, 0x00000000, 0x00000001, 0x00000000, 0x89D45A61, 0x0000000E, 0x00000002, 0x00000000, 0x00000006, 0x00000001, 0x00000000, 0x00000006, 0x00000002, 0x00000000, 0x00000001, 0x00000014, 0x00000132, 0x00000001, 0x00000000, 0x00000154, 0x0000000C, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x655B8F69, 0x00000001, 0x00000013, 0x00000183, 0x00000001, 0x00000014, 0x00000153, 0x0000000E, 0x00000001, 0x00000000, 0x00000001, 0x00000000, 0x2484A07A, 0x0000000E, 0x00000002, 0x00000000, 0x00000006, 0x00000001, 0x00000000, 0x00000006, 0x00000002, 0x00000000, 0x00000001, 0x00000014, 0x0000013D, 0x00000001, 0x00000000, 0x00000154, 0x0000000C, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0xD9E5E7F8, 0x00000001, 0x00000013, 0x00000183, 0x00000001, 0x00000014, 0x00000153, 0x0000000E, 0x00000001, 0x00000000, 0x00000001, 0x00000000, 0x3A441532, 0x0000000E, 0x00000002, 0x00000000, 0x00000006, 0x00000001, 0x00000000, 0x00000006, 0x00000002, 0x00000000, 0x00000001, 0x00000014, 0x00000148, 0x00000001, 0x00000000, 0x00000154, 0x0000000C, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x91AB7E88, 0x00000001, 0x00000013, 0x00000183, 0x00000001, 0x00000014, 
0x00000153, 0x0000000E, 0x00000001, 0x00000000, 0x00000001, 0x00000000, 0x69FC64BC, 0x0000000E, 0x00000002, 0x00000000, 0x00000006, 0x00000001, 0x00000000, 0x00000001, 0x00000000, 0x007D3765, 0x0000000E, 0x00000001, 0x00000000, 0x00000001, 0x00000000, 0x00000189, 0x0000000C, 0x00000000, 0x00000000, 0x00000063, 0x00000000, 0x00000000, 0x00000001, 0x00000003, 0x9E3779B9, 0x00000001, 0x00000004, 0x00095C4C, 0x00000001, 0x00000005, 0x0000871D, 0x00000001, 0x00000006, 0x0001A7B7, 0x00000001, 0x00000007, 0x0012C7C7, 0x00000001, 0x00000008, 0x00000000, 0x00000001, 0x00000011, 0x00000010, 0x00000001, 0x00000012, 0x00000020, 0x00000001, 0x00000013, 0x00000160, 0x00000001, 0x0000000A, 0x00000000, 0x00000001, 0x0000000B, 0x00000020, 0x00000001, 0x0000000C, 0x00000001, 0x00000007, 0x00000008, 0x00000003, 0x00000002, 0x00000000, 0x00000002, 0x0000000A, 0x00000000, 0x00000011, 0x00000007, 0x00000000, 0x00000004, 0x00000002, 0x0000000E, 0x00000000, 0x00000002, 0x00000000, 0x00000002, 0x00000007, 0x00000000, 0x00000008, 0x00000002, 0x0000000F, 0x00000000, 0x00000002, 0x00000000, 0x00000002, 0x00000009, 0x00000000, 0x00000012, 0x00000007, 0x00000000, 0x00000005, 0x00000002, 0x00000010, 0x00000000, 0x00000002, 0x00000000, 0x0000000E, 0x0000000B, 0x00000000, 0x0000000F, 0x0000000B, 0x00000000, 0x00000010, 0x00000007, 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000001, 0x0000000A, 0x00000000, 0x00000011, 0x00000007, 0x00000000, 0x00000006, 0x00000002, 0x0000000E, 0x00000000, 0x00000002, 0x00000000, 0x00000001, 0x00000007, 0x00000000, 0x00000008, 0x00000002, 0x0000000F, 0x00000000, 0x00000002, 0x00000000, 0x00000001, 0x00000009, 0x00000000, 0x00000012, 0x00000007, 0x00000000, 0x00000007, 0x00000002, 0x00000010, 0x00000000, 0x00000002, 0x00000000, 0x0000000E, 0x0000000B, 0x00000000, 0x0000000F, 0x0000000B, 0x00000000, 0x00000010, 0x00000007, 0x00000002, 0x00000000, 0x00000008, 0x0000000B, 0x0000000C, 0x0000000E, 0x0000000B, 0x0000000A, 0x0000000C, 0x00000014, 0x00000000, 
0x00000000, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x0000006E, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x0000006F, 0x00000062, 0x00000000, 0x00000000, 0x0000000C, 0x00000014, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000079, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000065, 0x00000062, 0x00000000, 0x00000000, 0x00000001, 0x00000000, 0x00000073, 0x00000062, 0x00000000, 0x00000000, 0x0000000C, 0x00000014, 0x00000000]

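# Linear-sweep disassembler for the VM bytecode held in `opcodes`.
# Every instruction is three words: (op, arg1, arg2). The sweep does not
# follow jumps; it prints the program in storage order, prefixed with the
# word offset of each instruction.
usable = len(opcodes) // 3 * 3
print(usable)

# Iterate over complete triples only: a trailing partial instruction would
# otherwise raise IndexError when its missing argument words are read.
for i in range(0, usable, 3):
    op, arg1, arg2 = opcodes[i:i + 3]
    # Several opcodes (5, 6, 12, 0x61, 0x62) take a single register index
    # assembled from both argument words as (arg2 << 8) + arg1.
    wide = (arg2 << 8) + arg1
    match op:
        case 0:
            print(i, "nop")
        case 1:
            print(i, f"arr[{arg1}]={arg2}")
        case 2:
            print(i, f"arr[{arg1}]=arr[{arg2}]")
        case 3:
            print(i, f"arr[{arg1}]=stack[{arg2}]")
        case 4:
            print(i, f"stack[{arg1}]=arr[{arg2}]")
        case 5:
            print(i, f"push arr[{wide}]")
        case 6:
            print(i, f"pop arr[{wide}]")
        case 7:
            print(i, f"arr[{arg1}]+=arr[{arg2}]")
        case 8:
            print(i, f"arr[{arg1}]-=arr[{arg2}]")
        case 9:
            print(i, f"arr[{arg1}]/=arr[{arg2}]")
        case 10:
            print(i, f"arr[{arg1}]*=arr[{arg2}]")
        case 11:
            print(i, f"arr[{arg1}]^=arr[{arg2}]")
        # Jumps are printed as "3*arr[...]": in the author's decoding the
        # register holds an instruction number and the word offset is three
        # times that. Conditional jumps always go through arr[19].
        case 12:
            print(i, f"jmp 3*arr[{wide}]")
        case 13:
            print(i, f"if arr[{arg1}]==arr[{arg2}]:\n jmp 3*arr[19]")
        case 14:
            print(i, f"if arr[{arg1}]!=arr[{arg2}]:\n jmp 3*arr[19]")
        case 15:
            print(i, f"if arr[{arg1}]>arr[{arg2}]:\n jmp 3*arr[19]")
        case 16:
            print(i, f"if arr[{arg1}]<arr[{arg2}]:\n jmp 3*arr[19]")
        case 0x61:
            print(i, f"arr[{wide}]=getchar()")
        case 0x62:
            print(i, f"putchar(arr[{wide}])")
        case 0x63:
            print(i, "quitVM!")
        case _:
            # Previously an unrecognised opcode was skipped silently, which
            # hides decoding mistakes and desynchronised offsets.
            print(i, f"unknown op {op:#x} (args {arg1:#x}, {arg2:#x})")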

0 nop
3 nop
6 arr[0]=87
9 putchar(arr[0])
12 arr[0]=101
15 putchar(arr[0])
18 arr[0]=108
21 putchar(arr[0])
24 arr[0]=99
27 putchar(arr[0])
30 arr[0]=111
33 putchar(arr[0])
36 arr[0]=109
39 putchar(arr[0])
42 arr[0]=101
45 putchar(arr[0])
48 arr[0]=32
51 putchar(arr[0])
54 arr[0]=116
57 putchar(arr[0])
60 arr[0]=111
63 putchar(arr[0])
66 arr[0]=32
69 putchar(arr[0])
72 arr[0]=86
75 putchar(arr[0])
78 arr[0]=78
81 putchar(arr[0])
84 arr[0]=67
87 putchar(arr[0])
90 arr[0]=84
93 putchar(arr[0])
96 arr[0]=70
99 putchar(arr[0])
102 arr[0]=50
105 putchar(arr[0])
108 arr[0]=48
111 putchar(arr[0])
114 arr[0]=50
117 putchar(arr[0])
120 arr[0]=50
123 putchar(arr[0])
126 arr[0]=33
129 putchar(arr[0])
132 arr[0]=10
135 putchar(arr[0])
138 arr[0]=105
141 putchar(arr[0])
144 arr[0]=110
147 putchar(arr[0])
150 arr[0]=112
153 putchar(arr[0])
156 arr[0]=117
159 putchar(arr[0])
162 arr[0]=116
165 putchar(arr[0])
168 arr[0]=32
171 putchar(arr[0])
174 arr[0]=102
177 putchar(arr[0])
180 arr[0]=108
183 putchar(arr[0])
186 arr[0]=97
189 putchar(arr[0])
192 arr[0]=103
195 putchar(arr[0])
198 arr[0]=58
201 putchar(arr[0])
204 arr[0]=10
207 putchar(arr[0])
210 arr[19]=73
213 arr[3]=0
216 arr[1]=43
219 arr[2]=1
222 arr[0]=getchar()
225 push arr[0]
228 arr[1]-=arr[2]
231 if arr[1]!=arr[3]:
jmp 3*arr[19]
234 arr[0]=0
237 push arr[0]
240 nop
243 nop
246 pop arr[0]
249 arr[5]=256
252 arr[0]*=arr[5]
255 arr[6]=arr[0]
258 pop arr[0]
261 arr[6]+=arr[0]
264 arr[0]=arr[6]
267 arr[0]*=arr[5]
270 arr[6]=arr[0]
273 pop arr[0]
276 arr[6]+=arr[0]
279 arr[0]=arr[6]
282 arr[0]*=arr[5]
285 arr[6]=arr[0]
288 pop arr[0]
291 arr[6]+=arr[0]
294 nop
297 pop arr[0]
300 arr[5]=256
303 arr[0]*=arr[5]
306 arr[7]=arr[0]
309 pop arr[0]
312 arr[7]+=arr[0]
315 arr[0]=arr[7]
318 arr[0]*=arr[5]
321 arr[7]=arr[0]
324 pop arr[0]
327 arr[7]+=arr[0]
330 arr[0]=arr[7]
333 arr[0]*=arr[5]
336 arr[7]=arr[0]
339 pop arr[0]
342 arr[7]+=arr[0]
345 nop
348 pop arr[0]
351 arr[5]=256
354 arr[0]*=arr[5]
357 arr[8]=arr[0]
360 pop arr[0]
363 arr[8]+=arr[0]
366 arr[0]=arr[8]
369 arr[0]*=arr[5]
372 arr[8]=arr[0]
375 pop arr[0]
378 arr[8]+=arr[0]
381 arr[0]=arr[8]
384 arr[0]*=arr[5]
387 arr[8]=arr[0]
390 pop arr[0]
393 arr[8]+=arr[0]
396 nop
399 pop arr[0]
402 arr[5]=256
405 arr[0]*=arr[5]
408 arr[9]=arr[0]
411 pop arr[0]
414 arr[9]+=arr[0]
417 arr[0]=arr[9]
420 arr[0]*=arr[5]
423 arr[9]=arr[0]
426 pop arr[0]
429 arr[9]+=arr[0]
432 arr[0]=arr[9]
435 arr[0]*=arr[5]
438 arr[9]=arr[0]
441 pop arr[0]
444 arr[9]+=arr[0]
447 nop
450 pop arr[0]
453 arr[5]=256
456 arr[0]*=arr[5]
459 arr[10]=arr[0]
462 pop arr[0]
465 arr[10]+=arr[0]
468 arr[0]=arr[10]
471 arr[0]*=arr[5]
474 arr[10]=arr[0]
477 pop arr[0]
480 arr[10]+=arr[0]
483 arr[0]=arr[10]
486 arr[0]*=arr[5]
489 arr[10]=arr[0]
492 pop arr[0]
495 arr[10]+=arr[0]
498 nop
501 pop arr[0]
504 arr[5]=256
507 arr[0]*=arr[5]
510 arr[11]=arr[0]
513 pop arr[0]
516 arr[11]+=arr[0]
519 arr[0]=arr[11]
522 arr[0]*=arr[5]
525 arr[11]=arr[0]
528 pop arr[0]
531 arr[11]+=arr[0]
534 arr[0]=arr[11]
537 arr[0]*=arr[5]
540 arr[11]=arr[0]
543 pop arr[0]
546 arr[11]+=arr[0]
549 nop
552 pop arr[0]
555 arr[5]=256
558 arr[0]*=arr[5]
561 arr[12]=arr[0]
564 pop arr[0]
567 arr[12]+=arr[0]
570 arr[0]=arr[12]
573 arr[0]*=arr[5]
576 arr[12]=arr[0]
579 pop arr[0]
582 arr[12]+=arr[0]
585 arr[0]=arr[12]
588 arr[0]*=arr[5]
591 arr[12]=arr[0]
594 pop arr[0]
597 arr[12]+=arr[0]
600 nop
603 pop arr[0]
606 arr[5]=256
609 arr[0]*=arr[5]
612 arr[13]=arr[0]
615 pop arr[0]
618 arr[13]+=arr[0]
621 arr[0]=arr[13]
624 arr[0]*=arr[5]
627 arr[13]=arr[0]
630 pop arr[0]
633 arr[13]+=arr[0]
636 arr[0]=arr[13]
639 arr[0]*=arr[5]
642 arr[13]=arr[0]
645 pop arr[0]
648 arr[13]+=arr[0]
651 nop
654 pop arr[0]
657 arr[5]=256
660 arr[0]*=arr[5]
663 arr[14]=arr[0]
666 pop arr[0]
669 arr[14]+=arr[0]
672 arr[0]=arr[14]
675 arr[0]*=arr[5]
678 arr[14]=arr[0]
681 pop arr[0]
684 arr[14]+=arr[0]
687 arr[0]=arr[14]
690 arr[0]*=arr[5]
693 arr[14]=arr[0]
696 pop arr[0]
699 arr[14]+=arr[0]
702 nop
705 pop arr[0]
708 arr[5]=256
711 arr[0]*=arr[5]
714 arr[15]=arr[0]
717 pop arr[0]
720 arr[15]+=arr[0]
723 arr[0]=arr[15]
726 arr[0]*=arr[5]
729 arr[15]=arr[0]
732 pop arr[0]
735 arr[15]+=arr[0]
738 arr[0]=arr[15]
741 arr[0]*=arr[5]
744 arr[15]=arr[0]
747 pop arr[0]
750 arr[15]+=arr[0]
753 nop
756 pop arr[0]
759 arr[5]=256
762 arr[0]*=arr[5]
765 arr[16]=arr[0]
768 pop arr[0]
771 arr[16]+=arr[0]
774 arr[0]=arr[16]
777 arr[0]*=arr[5]
780 arr[16]=arr[0]
783 pop arr[0]
786 arr[16]+=arr[0]
789 arr[0]=arr[16]
792 arr[0]*=arr[5]
795 arr[16]=arr[0]
798 pop arr[0]
801 arr[16]+=arr[0]
804 nop
807 push arr[6]
810 push arr[7]
813 push arr[8]
816 push arr[9]
819 push arr[10]
822 push arr[11]
825 push arr[12]
828 push arr[13]
831 push arr[14]
834 push arr[15]
837 push arr[16]
840 pop arr[1]
843 pop arr[2]
846 arr[20]=284
849 arr[0]=340
852 jmp 3*arr[0]
855 arr[0]=3906065887
858 arr[19]=387
861 arr[20]=339
864 if arr[1]!=arr[0]:
jmp 3*arr[19]
867 arr[0]=4125344020
870 if arr[2]!=arr[0]:
jmp 3*arr[19]
873 pop arr[1]
876 pop arr[2]
879 arr[20]=295
882 arr[0]=340
885 jmp 3*arr[0]
888 arr[0]=579781142
891 arr[19]=387
894 arr[20]=339
897 if arr[1]!=arr[0]:
jmp 3*arr[19]
900 arr[0]=2312395361
903 if arr[2]!=arr[0]:
jmp 3*arr[19]
906 pop arr[1]
909 pop arr[2]
912 arr[20]=306
915 arr[0]=340
918 jmp 3*arr[0]
921 arr[0]=1700499305
924 arr[19]=387
927 arr[20]=339
930 if arr[1]!=arr[0]:
jmp 3*arr[19]
933 arr[0]=612671610
936 if arr[2]!=arr[0]:
jmp 3*arr[19]
939 pop arr[1]
942 pop arr[2]
945 arr[20]=317
948 arr[0]=340
951 jmp 3*arr[0]
954 arr[0]=3655723000
957 arr[19]=387
960 arr[20]=339
963 if arr[1]!=arr[0]:
jmp 3*arr[19]
966 arr[0]=977540402
969 if arr[2]!=arr[0]:
jmp 3*arr[19]
972 pop arr[1]
975 pop arr[2]
978 arr[20]=328
981 arr[0]=340
984 jmp 3*arr[0]
987 arr[0]=2443935368
990 arr[19]=387
993 arr[20]=339
996 if arr[1]!=arr[0]:
jmp 3*arr[19]
999 arr[0]=1778148540
1002 if arr[2]!=arr[0]:
jmp 3*arr[19]
1005 pop arr[1]
1008 arr[0]=8206181
1011 if arr[1]!=arr[0]:
jmp 3*arr[19]
1014 arr[0]=393
1017 jmp 3*arr[0]
1020 quitVM!
1023 arr[3]=2654435769
1026 arr[4]=613452
1029 arr[5]=34589
1032 arr[6]=108471
1035 arr[7]=1230791
1038 arr[8]=0
1041 arr[17]=16
1044 arr[18]=32
1047 arr[19]=352
1050 arr[10]=0
1053 arr[11]=32
1056 arr[12]=1
1059 arr[8]+=arr[3]
1062 arr[0]=arr[2]
1065 arr[0]*=arr[17]
1068 arr[0]+=arr[4]
1071 arr[14]=arr[0]
1074 arr[0]=arr[2]
1077 arr[0]+=arr[8]
1080 arr[15]=arr[0]
1083 arr[0]=arr[2]
1086 arr[0]/=arr[18]
1089 arr[0]+=arr[5]
1092 arr[16]=arr[0]
1095 arr[0]=arr[14]
1098 arr[0]^=arr[15]
1101 arr[0]^=arr[16]
1104 arr[1]+=arr[0]
1107 arr[0]=arr[1]
1110 arr[0]*=arr[17]
1113 arr[0]+=arr[6]
1116 arr[14]=arr[0]
1119 arr[0]=arr[1]
1122 arr[0]+=arr[8]
1125 arr[15]=arr[0]
1128 arr[0]=arr[1]
1131 arr[0]/=arr[18]
1134 arr[0]+=arr[7]
1137 arr[16]=arr[0]
1140 arr[0]=arr[14]
1143 arr[0]^=arr[15]
1146 arr[0]^=arr[16]
1149 arr[2]+=arr[0]
1152 arr[11]-=arr[12]
1155 if arr[11]!=arr[10]:
jmp 3*arr[19]
1158 jmp 3*arr[20]
1161 nop
1164 arr[0]=110
1167 putchar(arr[0])
1170 arr[0]=111
1173 putchar(arr[0])
1176 jmp 3*arr[20]
1179 nop
1182 arr[0]=121
1185 putchar(arr[0])
1188 arr[0]=101
1191 putchar(arr[0])
1194 arr[0]=115
1197 putchar(arr[0])
1200 jmp 3*arr[20]

程序很简单:循环读入输入,每四个Byte按照小端序转换成DWORD,前10个DWORD两两一组进行tea加密(指令里的乘16就是左移4位,除以32就是右移5位,delta是0x9e3779b9,循环32轮),最后一个DWORD不加密直接比较,然后对比一下结果就行了

#include <stdio.h>
#include <stdint.h>

/*
 * Undo one TEA block (two 32-bit words) in place.
 *
 * v: the block; ciphertext on entry, plaintext on return.
 * k: the four 32-bit key words.
 */
void decrypt(uint32_t *v, uint32_t *k)
{
    const uint32_t delta = 0x9e3779b9;
    uint32_t left = v[0];
    uint32_t right = v[1];
    /* 32 * delta mod 2^32: the value the running sum ends on after 32
       encryption rounds, so decryption counts down from it. */
    uint32_t sum = 0xC6EF3720;
    int round;

    for (round = 32; round > 0; --round)
    {
        /* Each round reverses the two half-steps in the opposite order. */
        right -= ((left << 4) + k[2]) ^ (left + sum) ^ ((left >> 5) + k[3]);
        left -= ((right << 4) + k[0]) ^ (right + sum) ^ ((right >> 5) + k[1]);
        sum -= delta;
    }

    v[0] = left;
    v[1] = right;
}

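/*
 * Decrypt the ten TEA-encrypted words the VM compares against and print
 * the recovered input as text.
 */
int main()
{
    /* v: the eleven comparison constants from the VM listing; k: the four
       key words the VM loads into arr[4]..arr[7]. */
    uint32_t v[11] = {3906065887, 4125344020, 579781142, 2312395361, 1700499305, 612671610, 3655723000, 977540402, 2443935368, 1778148540, 8206181}, k[4] = {613452, 34589, 108471, 1230791};

    /* Only the first ten words were encrypted (five two-word blocks); the
       eleventh is compared by the VM as plain data. */
    for (int i = 0; i < 10; i += 2)
    {
        decrypt(v + i, k);
    }

    /* Words are little-endian: emit the low byte first. */
    for (int i = 0; i < 11; i++)
    {
        for (int j = 0; j < 4; j++)
        {
            unsigned char ch = (v[i] >> (j * 8)) & 0xff;
            /* The last word (0x007D3765) has a zero top byte, the padding
               the VM pushes after the input; do not write it out as a NUL
               character. */
            if (ch != 0)
            {
                putchar(ch);
            }
        }
    }
    putchar('\n');
    return 0;
}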

cm1

android,动态加载dex,主要的代码逻辑都在动态加载的dex里,直接运行然后把生成的classes.dex拷贝出来

4

密文,密钥,加密方式都有,很明显是xxtea,写脚本直接解密

#include <stdio.h>
#include <stdint.h>
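/* Round constant added to / subtracted from the running sum each round. */
#define DELTA 0x9e3779b9
/* XXTEA mixing function. It expands in terms of the locals of btea():
   y, z, sum, p, e and key. */
#define MX (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) + (key[(p & 3) ^ e] ^ z)))

/*
 * XXTEA decryption of a block of n 32-bit words, in place.
 *
 * v:   the block; ciphertext on entry, plaintext on return.
 * n:   number of words in v. Blocks shorter than two words are left
 *      untouched.
 * key: the four 32-bit key words.
 *
 * Only the decrypt direction is implemented.
 */
void btea(uint32_t *v, int n, uint32_t const key[4])
{
    uint32_t y, z, sum;
    unsigned p, rounds, e;

    /* XXTEA needs at least two words. Without this guard n == 0 divides by
       zero in the round count below and n < 0 indexes outside v. */
    if (n < 2)
    {
        return;
    }

    rounds = 6 + 52 / n;
    /* Start from the sum the encryption finished on and count down. */
    sum = rounds * DELTA;
    y = v[0];
    do
    {
        e = (sum >> 2) & 3;
        /* Walk the block from the last word to the second one ... */
        for (p = n - 1; p > 0; p--)
        {
            z = v[p - 1];
            y = v[p] -= MX;
        }
        /* ... then close the ring: word 0 is mixed with the last word.
           p is 0 here, which MX relies on for the key index. */
        z = v[n - 1];
        y = v[0] -= MX;
        sum -= DELTA;
    } while (--rounds);
}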

/*
 * Decrypt the 11-word XXTEA ciphertext with the recovered key and print
 * the plaintext bytes.
 */
int main()
{
    /* Key and ciphertext as given in the write-up. */
    uint32_t const k[4] = {1349530696, 1314283353, 558257219, 1333153569};
    uint32_t v[11] = {1822697284, 3377000110, 187091018, 3630257212, 2925741911, 3106891896, 553699270, 3654559274, 1560179140, 850622133, 2518690695};
    int n = 11;
    int idx, shift;

    /* All eleven words form a single XXTEA block. */
    btea(v, n, k);

    /* Words are little-endian: emit the low byte of each word first. */
    for (idx = 0; idx < 11; ++idx)
    {
        for (shift = 0; shift < 32; shift += 8)
        {
            printf("%c", v[idx] >> shift & 0xff);
        }
    }
    return 0;
}