Geek 2024

MISC

ez_jpg

base64后是jpg倒序

修改宽高

SYC{Steg_4nd_Zip_1s_G00d!}

雪

密码W3LC0M4，提取盲水印

Th1si4st8eK3y

Truth of Word

cimbar

对着图片敲二进制就行

0101 0011 0101 1001 0100 0011 0111 1011

0100 0001 0110 1110 0011 0000 0111 0100

0110 1000 0011 0011 0111 0010 0101 1111

0100 0001 0110 1101 0100 0000 0111 1010

0011 0001 0110 1110 0011 1001 0101 1111

0101 0001 0101 0010 0101 1111 0100 0011

0110 1111 0011 0100 0110 0101 0111 1101

# 给定的二进制数据
binary_data = """
01010011010110010100001101111011
01000001011011100011000001110100
01101000001100110111001001011111
01000001011011010100000001111010
00110001011011100011100101011111
01010001010100100101111101000011
01101111001101000110010101111101
"""

# 将所有二进制数据合并为一个字符串
binary_data = binary_data.replace(" ", "").replace("\n", "")

# 将每 8 位转换为一个字符
text = ""
for i in range(0, len(binary_data), 8):
    byte = binary_data[i:i+8]
    char = chr(int(byte, 2))  # 将 8 位二进制转换为整数，再转换为字符
    text += char

# 输出结果
print("转换后的字符是：")
print(text)

舔狗的觉醒

# 打开并读取原始文件内容
with open(r'D:\wangzhanxiazai\exppy\1.txt', 'rb') as f:
    a = f.read()

# 去掉原始数据中的换行符、空格等不可见字符
a = a.replace(b'\n', b'').replace(b'\r', b'').replace(b' ', b'')

# 将内容逆序
a = a[::-1]

# 将逆序内容写入新的文件
with open(r'D:\wangzhanxiazai\exppy\new.txt', 'wb') as new:
    new.write(a)

# 读取逆序后的文件内容
with open(r'D:\wangzhanxiazai\exppy\new.txt', 'rb') as f:
    b = f.read()

# 将内容转换为可变的字节数组
blist = bytearray(b)

# 按两个字节为一组进行交换
for i in range(0, len(blist) - 1, 2):
    blist[i], blist[i + 1] = blist[i + 1], blist[i]

# 打开目标文件以写入最终内容
with open(r'D:\wangzhanxiazai\exppy\flag.txt', 'wb') as flag:
    # 将所有处理后的字节内容连续写入文件
    flag.write(blist)

# 打印最终处理的内容（以逆序显示）
print(blist)
def format_hex_data_from_file(input_file, output_file):
    # 读取文件内容
    with open(input_file, 'r') as file:
        hex_data = file.read().strip()

    # 将字符串分成每两个字符一组
    grouped_data = [hex_data[i:i + 2] for i in range(0, len(hex_data), 2)]

    # 以16组为一行，每组之间用空格隔开
    formatted_data = '\n'.join([' '.join(grouped_data[i:i + 16]) for i in range(0, len(grouped_data), 16)])

    # 将格式化后的数据写入输出文件
    with open(output_file, 'w') as file:
        file.write(formatted_data)


# 输入和输出文件路径
input_file = r'D:\wangzhanxiazai\exppy\flag.txt'
output_file = r'D:\wangzhanxiazai\exppy\newflag.txt'

# 格式化并写入输出文件
format_hex_data_from_file(input_file, output_file)

f = open('D:/wangzhanxiazai/exppy/flag.txt','rb')
a = f.read()
a = a[::-1]
new = open('D:/wangzhanxiazai/exppy/flag2.txt','wb')
new.write(a)
print(a[::-1])

解压得到加密pdf然后在线解密

https://smallpdf.com/cn/unlock-pdf#r=result&t=cb132a3b714307af0f6f8ebfe985580a&i=unlock

ez_pcap_1

乌龟

sunset.wav

得到密码Be4uti7ulSun5e7

是logo语言，找个在线网站运行一下

https://www.calormen.com/jslogo/

SYC{TU3T1E_P4INTING}

（当时一直在想E为什么是反过来的，崩不住了，3第一时间想成反方向的E）

也是跳出固定思维了

Web

RE

.file
"chal_custom.c"
.text
.section.rodata
.LC0:
.string
"%s"
.LC1:
.string
"maybe try again!"
.LC2:
.string
"good job!"
.data
target_data:
.string
"TTDv^jrZu`Gg6tXfi+pZojpZSjXmbqbmt.&x"
.text
.globl
main
.type main,

@function


main:
endbr64
pushq % rbp
movq % rsp, %rbp
subq    $96, %rsp
movq % fs: 40, %rax
movq % rax, -8( % rbp)
xorl % eax, %eax
leaq - 80( % rbp), %rax
movq % rax, %rsi
leaq.LC0( % rip), %rax
movq % rax, %rdi
movl    $0, %eax
call
__isoc99_scanf @ PLT
movl    $0, -84( % rbp)
leaq - 80( % rbp), %rdi
jmp.L2
.L3:
movl - 84( % rbp), %eax
movl % eax, %ecx
shl % ecx
movzbl( % rdi, %rcx), %eax
xorb    $7, %al
movb % al, (%rdi, %rcx)
movzbl
1( % rdi, %rcx), %eax
subb    $5, %al
movb % al, 1( % rdi, %rcx)
addl    $1, -84( % rbp)

.L2:
movl - 84( % rbp), %eax
imull   $2, %eax
cmpl    $36, %eax
jl.L3

leaq
target_data( % rip), %rsi
leaq - 80( % rbp), %rdi
call
strcmp @ PLT
testl % eax, %eax
jne.L4

leaq.LC2( % rip), %rax
jmp.L5
.L4:
leaq.LC1( % rip), %rax
.L5:
movq % rax, %rdi
call
puts @ PLT

movl    $0, %eax
movq - 8( % rbp), %rdx
subq % fs: 40, %rdx
je.L6
call
__stack_chk_fail @ PLT
.L6:
leave
ret
.size
main,.-main
.ident
"GCC: (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0"
.section.note.GNU - stack, "",


@progbits

.section.note.gnu.property, "a"
.align
8
.long
1
f - 0
f
.long
4
f - 1
f
.long
5
0:
.string
"GNU"
1:
.align
8
.long
0xc0000002
.long
3
f - 2
f
2:
.long
0x3
3:
.align
8
4:

.L3:
    movl    -84(%rbp), %eax          # 加载计数器
    movl    %eax, %ecx               # 将计数器复制到 ecx
    shl     %ecx                      # 左移 ecx
    movzbl  (%rdi,%rcx), %eax        # 获取字符
    xorb    $7, %al                  # 对字符异或 7
    movb    %al, (%rdi,%rcx)         # 存储结果
    movzbl  1(%rdi,%rcx), %eax       # 获取下一个字符
    subb    $5, %al                  # 减去 5
    movb    %al, 1(%rdi,%rcx)        # 存储结果
    addl    $1, -84(%rbp)            # 更新计数器
.L2:
    movl    -84(%rbp), %eax
    imull   $2, %eax                  # 计数器乘以 2
    cmpl    $36, %eax                 # 比较计数器是否小于 36
    jl      .L3

a='TTDv^jrZu`Gg6tXfi+pZojpZSjXmbqbmt.&x'
b=[]
for i in range(len(a)):
    if(2*i<len(a)):
        c=chr(((ord(a[2*i]))^7)%128)
    d=chr(ord(a[2*i+1])+5)
    if(c!=''):
        print(c,end='')
    if(d!=''):
        print(d,end='')

hellore

a = [0x0, 0x1, 0x2, 0x34, 0x3, 0x60, 0x2f, 0x1c, 0x6b, 0x0f, 0x9, 0x18, 0x2d, 0x3e, 0x3c, 0x2, 0x11, 0x7b, 0x27, 0x3a, 0x29, 0x30, 0x60, 0x1a, 0x8, 0x34, 0x3f, 0x64, 0x21, 0x6a, 0x7a, 0x30]
a2 = 0x5245564F4C435953

# 将 a2 拆解为字节序列
a3 = [(a2 >> (8 * i)) & 0xFF for i in range(8)]  # 提取每个字节

print("a3:", a3)

for i in range(32):
    a[i] = i ^ a[i] ^ a3[i % 8]
    print(chr(a[i]), end='')

让我康康你的调试

不理解这个v7的作用是什么

from Crypto.Cipher import ARC4
import binascii

# 十六进制字符串
hex_data = "945b7d04c9027aa6390798bc0d68f97e08bdbf9816f804715f1586b69884db61"

# 将十六进制字符串转换为字节
ciphertext = binascii.unhexlify(hex_data)

# RC4 密钥（假设你知道密钥）
key = b'syclover'  # 替换为你的RC4密钥

# 创建 RC4 解密对象
cipher = ARC4.new(key)

# 解密数据
plaintext = cipher.decrypt(ciphertext)

# 输出解密后的内容
print(plaintext.decode('utf-8', errors='ignore'))
for i in range(len(plaintext)):
    flag=plaintext[i]^0x14
    print(chr(flag),end='')

也许你也听jay

#include <stdio.h>

int main() {
   
    char URL[46];
    char o00O0OO000OO0oooo0o0oo0O0oo000000O0O0OO0O0O00OO0OO0O[46];
    strcpy(o00O0OO000OO0oooo0o0oo0O0oo000000O0O0OO0O0O00OO0OO0O, URL);
    char o00O0OO000OO0oooo0o0oo0O0oo000000O0O0OO0O00000O0OO0O[] = {0x96, 0xa1, 0xa0, 0x9b, 0x9b, 0x5f, 0x49, 0x46, 0x85, 0x82, 0x53, 0x95, 0x7d, 0x36, 0x8d, 0x74, 0x82, 0x88, 0x46, 0x7a, 0x81, 0x65, 0x80, 0x6c, 0x78, 0x2f, 0x6b, 0x6a, 0x27, 0x50, 0x61, 0x38, 0x3f, 0x37, 0x33, 0xf1, 0x27, 0x32, 0x34, 0x1f, 0x39, 0x23, 0xde, 0x1c, 0x17, 0xd4};
    int  o00O0OO000OO0oooo0o0oo0O0000oooooooO0O0OO0O0O00OO0OO0O[] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C, 0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5A, 0x5B, 0x5C, 0x5D, 0x5E, 0x5F, 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7A, 0x7B, 0x7C, 0x7D, 0x7E, 0x7F, 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8A, 0x8B, 0x8C, 0x8D};
    int  o00O0OO000OO0oooo0o0oo0O000O0OO0O0O00OO0OO0O00000[] = {0x5D, 0x5C, 0x5B, 0x5A, 0x59, 0x58, 0x57, 0x56, 0x55, 0x54, 0x53, 0x52, 0x51, 0x50, 0x4F, 0x4E, 0x4D, 0x4C, 0x4B, 0x4A, 0x49, 0x48, 0x47, 0x46, 0x45, 0x44, 0x43, 0x42, 0x41, 0x40, 0x3F, 0x3E, 0x3D, 0x3C, 0x3B, 0x3A, 0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x33, 0x32, 0x31, 0x30, 0x2F, 0x2E, 0x2D, 0x2C, 0x2B, 0x2A, 0x29, 0x28, 0x27, 0x26, 0x25, 0x24, 0x23, 0x22, 0x21, 0x20, 0x1F, 0x1E, 0x1D, 0x1C, 0x1B, 0x1A, 0x19, 0x18, 0x17, 0x16, 0x15, 0x14, 0x13, 0x12, 0x11, 0x10, 0x0F, 0x0E, 0x0D, 0x0C, 0x0B, 0x0A, 0x09, 0x08, 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01};
    int o00O0OO000OO0oooo0o0oo0O000000O00O0O0OO0O0O00OO0OO0O[]={0x65, 0x64, 0x63, 0x62, 0x61, 0x60, 0x5F, 0x5E, 0x5D, 0x5C, 0x5B, 0x5A, 0x59, 0x58, 0x57, 0x56, 0x55, 0x54, 0x53, 0x52, 0x51, 0x50, 0x4F, 0x4E, 0x4D, 0x4C, 0x4B, 0x4A, 0x49, 0x48, 0x47, 0x46, 0x45, 0x44, 0x43, 0x42, 0x41, 0x40, 0x3F, 0x3E, 0x3D, 0x3C, 0x3B, 0x3A, 0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x33, 0x00, 0x31, 0x30, 0x2F};
    int len = strlen(URL);
    for(int i = 0; i < len; i++) {
        o00O0OO000OO0oooo0o0oo0O000000O00O0O0OO0O0O00OO0OO0O[i] ^=  o00O0OO000OO0oooo0o0oo0O000O0OO0O0O00OO0OO0O00000[i+1];  
        
    }
    for(int i = 0; i < len; i++) {
        o00O0OO000OO0oooo0o0oo0O0oo000000O0O0OO0O0O00OO0OO0O[i] ^=  o00O0OO000OO0oooo0o0oo0O0000oooooooO0O0OO0O0O00OO0OO0O[i];  
        
    }
     for(int i = 0; i < len; i++) {
        o00O0OO000OO0oooo0o0oo0O000000O00O0O0OO0O0O00OO0OO0O[i] -=  o00O0OO000OO0oooo0o0oo0O0000oooooooO0O0OO0O0O00OO0OO0O[i];  
        
    }
    for(int i = 0; i < len; i++) {
            o00O0OO000OO0oooo0o0oo0O0oo000000O0O0OO0O0O00OO0OO0O[i] -=  o00O0OO000OO0oooo0o0oo0O0000oooooooO0O0OO0O0O00OO0OO0O[47 + i];  
             o00O0OO000OO0oooo0o0oo0O0000oooooooO0O0OO0O0O00OO0OO0O[i]^=o00O0OO000OO0oooo0o0oo0O000000O00O0O0OO0O0O00OO0OO0O[51];
        
}
    for(int i = 0; i < len; i++) {
        o00O0OO000OO0oooo0o0oo0O0oo000000O0O0OO0O0O00OO0OO0O[i] +=  o00O0OO000OO0oooo0o0oo0O000O0OO0O0O00OO0OO0O00000[i];  
    }
    for(int i=0;i<len;i++){
        if(o00O0OO000OO0oooo0o0oo0O0oo000000O0O0OO0O0O00OO0OO0O[i] != o00O0OO000OO0oooo0o0oo0O0oo000000O0O0OO0O00000O0OO0O[i]){
            printf("Error");
        }
    }
    
    
    return 0;
}

改成这样好看一些，然后re

#include <stdio.h>

int main() {
   
    char URL[46];
    char flag0[46];
    strcpy(flag0, URL);
    char flag1[] = {0x96, 0xa1, 0xa0, 0x9b, 0x9b, 0x5f, 0x49, 0x46, 0x85, 0x82, 0x53, 0x95, 0x7d, 0x36, 0x8d, 0x74, 0x82, 0x88, 0x46, 0x7a, 0x81, 0x65, 0x80, 0x6c, 0x78, 0x2f, 0x6b, 0x6a, 0x27, 0x50, 0x61, 0x38, 0x3f, 0x37, 0x33, 0xf1, 0x27, 0x32, 0x34, 0x1f, 0x39, 0x23, 0xde, 0x1c, 0x17, 0xd4};
    int  flag2[] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C, 0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5A, 0x5B, 0x5C, 0x5D, 0x5E, 0x5F, 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7A, 0x7B, 0x7C, 0x7D, 0x7E, 0x7F, 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8A, 0x8B, 0x8C, 0x8D};
    int  flag3[] = {0x5D, 0x5C, 0x5B, 0x5A, 0x59, 0x58, 0x57, 0x56, 0x55, 0x54, 0x53, 0x52, 0x51, 0x50, 0x4F, 0x4E, 0x4D, 0x4C, 0x4B, 0x4A, 0x49, 0x48, 0x47, 0x46, 0x45, 0x44, 0x43, 0x42, 0x41, 0x40, 0x3F, 0x3E, 0x3D, 0x3C, 0x3B, 0x3A, 0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x33, 0x32, 0x31, 0x30, 0x2F, 0x2E, 0x2D, 0x2C, 0x2B, 0x2A, 0x29, 0x28, 0x27, 0x26, 0x25, 0x24, 0x23, 0x22, 0x21, 0x20, 0x1F, 0x1E, 0x1D, 0x1C, 0x1B, 0x1A, 0x19, 0x18, 0x17, 0x16, 0x15, 0x14, 0x13, 0x12, 0x11, 0x10, 0x0F, 0x0E, 0x0D, 0x0C, 0x0B, 0x0A, 0x09, 0x08, 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01};
    int  flag4[]={0x65, 0x64, 0x63, 0x62, 0x61, 0x60, 0x5F, 0x5E, 0x5D, 0x5C, 0x5B, 0x5A, 0x59, 0x58, 0x57, 0x56, 0x55, 0x54, 0x53, 0x52, 0x51, 0x50, 0x4F, 0x4E, 0x4D, 0x4C, 0x4B, 0x4A, 0x49, 0x48, 0x47, 0x46, 0x45, 0x44, 0x43, 0x42, 0x41, 0x40, 0x3F, 0x3E, 0x3D, 0x3C, 0x3B, 0x3A, 0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x33, 0x00, 0x31, 0x30, 0x2F};
    int len = strlen(URL);
    for(int i = 0; i < len; i++) {
        flag4[i] ^=  flag3[i+1];  
        
    }
    for(int i = 0; i < len; i++) {
        flag0[i] ^=  flag2[i];  
        
    }
     for(int i = 0; i < len; i++) {
        flag4[i] -=  flag2[i];  
        
    }
    for(int i = 0; i < len; i++) {
            flag0[i] -=  flag2[47 + i];  
            flag2[i]^=flag4[51];
        
}
    for(int i = 0; i < len; i++) {
        flag0[i] +=  flag3[i];  
    }
    for(int i=0;i<len;i++){
        if(flag0[i] !=flag1[i]){
            printf("Error");
        }
    }
    
    
    return 0;
}

exp

#include <stdio.h>

int main() {
   
    char URL[46]={};
    char flag0[46]={};

     char flag1[] = {0x96, 0xa1, 0xa0, 0x9b, 0x9b, 0x5f, 0x49, 0x46, 0x85, 0x82, 0x53, 0x95, 0x7d, 0x36, 0x8d, 0x74, 0x82, 0x88, 0x46, 0x7a, 0x81, 0x65, 0x80, 0x6c, 0x78, 0x2f, 0x6b, 0x6a, 0x27, 0x50, 0x61, 0x38, 0x3f, 0x37, 0x33, 0xf1, 0x27, 0x32, 0x34, 0x1f, 0x39, 0x23, 0xde, 0x1c, 0x17, 0xd4};
    int  flag2[] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C, 0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5A, 0x5B, 0x5C, 0x5D, 0x5E, 0x5F, 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7A, 0x7B, 0x7C, 0x7D, 0x7E, 0x7F, 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8A, 0x8B, 0x8C, 0x8D};
    int  flag3[] = {0x5D, 0x5C, 0x5B, 0x5A, 0x59, 0x58, 0x57, 0x56, 0x55, 0x54, 0x53, 0x52, 0x51, 0x50, 0x4F, 0x4E, 0x4D, 0x4C, 0x4B, 0x4A, 0x49, 0x48, 0x47, 0x46, 0x45, 0x44, 0x43, 0x42, 0x41, 0x40, 0x3F, 0x3E, 0x3D, 0x3C, 0x3B, 0x3A, 0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x33, 0x32, 0x31, 0x30, 0x2F, 0x2E, 0x2D, 0x2C, 0x2B, 0x2A, 0x29, 0x28, 0x27, 0x26, 0x25, 0x24, 0x23, 0x22, 0x21, 0x20, 0x1F, 0x1E, 0x1D, 0x1C, 0x1B, 0x1A, 0x19, 0x18, 0x17, 0x16, 0x15, 0x14, 0x13, 0x12, 0x11, 0x10, 0x0F, 0x0E, 0x0D, 0x0C, 0x0B, 0x0A, 0x09, 0x08, 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01};
    int flag4[]={0x65, 0x64, 0x63, 0x62, 0x61, 0x60, 0x5F, 0x5E, 0x5D, 0x5C, 0x5B, 0x5A, 0x59, 0x58, 0x57, 0x56, 0x55, 0x54, 0x53, 0x52, 0x51, 0x50, 0x4F, 0x4E, 0x4D, 0x4C, 0x4B, 0x4A, 0x49, 0x48, 0x47, 0x46, 0x45, 0x44, 0x43, 0x42, 0x41, 0x40, 0x3F, 0x3E, 0x3D, 0x3C, 0x3B, 0x3A, 0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x33, 0x00, 0x31, 0x30, 0x2F};
    int len = 46,i;
    for(int i = 0; i < len; i++) {
        flag4[i] ^=  flag3[i+1];  
        
    }
    for(i=0;i<len;i++)
    {
        flag1[i]-=flag3[i];     
    }
    for(i=0;i<len;i++)
    {
        flag2[i]^=flag4[51];
        flag1[i]+=flag2[47+i];
    }
    for(i=0;i<len;i++)
    {
        flag4[i] +=  flag2[i];  
    }
    for(int i = 0; i < len; i++) {
      flag1[i] ^=  flag2[i];  
        
    }
    puts(flag1);
    return 0;
}

https://am1re-sudo.github.io/Coisni.github.io/

exp

from Crypto.Cipher import ARC4
import base64

def rc4_encrypt(data, key1):        # 加密
    key = bytes(key1, encoding='utf-8')
    enc = ARC4.new(key)
    res = enc.encrypt(data.encode('utf-8'))
    res=base64.b64encode(res)
    res = str(res,'utf-8')
    return res

def rc4_decrypt(data, key1):        # 解密
    data = base64.b64decode(data)
    key = bytes(key1, encoding='utf-8')
    enc = ARC4.new(key)
    res = enc.decrypt(data)
    res = str(res,'gbk')
    return res


if __name__ == "__main__":
    data = 'Q7u+cyiOQtKHRMqZNzPpApgmTL4j+TE='  # 需要解密的内容
    key = 'lovebeforeBC'  # 加密key
    print('解密后:',rc4_decrypt(data, key))         # 解密方法

好像是python？

1           0 LOAD_CONST               0 ('SYC{MD5(input)}')
              2 STORE_NAME               0 (flag)

  2           4 LOAD_NAME                1 (print)
              6 LOAD_CONST               1 ('Please input0:')
              8 CALL_FUNCTION            1
             10 POP_TOP

  3          12 LOAD_CONST               2 ('')
             14 STORE_NAME               2 (input0)

  6          16 LOAD_CONST               3 (<code object test2 at 0x00000245D4F44B30, file "program.py", line 6>)
             18 LOAD_CONST               4 ('test2')
             20 MAKE_FUNCTION            0
             22 STORE_NAME               3 (test2)

 14          24 LOAD_CONST               5 (<code object test at 0x00000245D4F44BE0, file "program.py", line 14>)
             26 LOAD_CONST               6 ('test')
             28 MAKE_FUNCTION            0
             30 STORE_NAME               4 (test)

 28          32 LOAD_CONST               7 (13)
             34 STORE_NAME               5 (a)

 29          36 LOAD_CONST               8 (14)
             38 STORE_NAME               6 (b)

 30          40 LOAD_NAME                5 (a)
             42 LOAD_NAME                6 (b)
             44 LOAD_NAME                5 (a)
             46 BINARY_ADD
             48 BINARY_XOR
             50 STORE_NAME               7 (c)

 31          52 LOAD_NAME                6 (b)
             54 LOAD_CONST               9 (100)
             56 BINARY_MULTIPLY
             58 STORE_NAME               8 (d)

 32          60 LOAD_NAME                5 (a)
             62 LOAD_NAME                6 (b)
             64 BINARY_XOR
             66 STORE_NAME               9 (e)

 33          68 LOAD_NAME                8 (d)
             70 LOAD_NAME                7 (c)
             72 LOAD_CONST              10 (4)
             74 BINARY_MULTIPLY
             76 BINARY_SUBTRACT
             78 LOAD_NAME                9 (e)
             80 BINARY_ADD
             82 LOAD_CONST              11 (1)
             84 BINARY_SUBTRACT
             86 STORE_NAME              10 (m)

 35          88 LOAD_NAME               10 (m)
             90 LOAD_CONST              12 (26)
             92 BINARY_MODULO
             94 STORE_NAME              11 (r)

 37          96 LOAD_NAME                4 (test)
             98 LOAD_NAME                2 (input0)
            100 LOAD_NAME               11 (r)
            102 CALL_FUNCTION            2
            104 STORE_NAME              12 (cipher1)

 38         106 LOAD_NAME                3 (test2)
            108 LOAD_NAME               12 (cipher1)
            110 CALL_FUNCTION            1
            112 STORE_NAME              13 (cipher2)

 39         114 LOAD_CONST              13 (-1)
            116 LOAD_CONST              14 (-36)
            118 LOAD_CONST              12 (26)
            120 LOAD_CONST              15 (-5)
            122 LOAD_CONST               8 (14)
            124 LOAD_CONST              16 (41)
            126 LOAD_CONST              17 (6)
            128 LOAD_CONST              18 (-9)
            130 LOAD_CONST              19 (60)
            132 LOAD_CONST              20 (29)
            134 LOAD_CONST              21 (-28)
            136 LOAD_CONST              22 (17)
            138 LOAD_CONST              23 (21)
            140 LOAD_CONST              24 (7)
            142 LOAD_CONST              25 (35)
            144 LOAD_CONST              26 (38)
            146 LOAD_CONST              12 (26)
            148 LOAD_CONST              27 (48)
            150 BUILD_LIST              18
            152 STORE_NAME              14 (num)

 40         154 LOAD_NAME               15 (range)
            156 LOAD_CONST              28 (18)
            158 CALL_FUNCTION            1
            160 GET_ITER
        >>  162 FOR_ITER                38 (to 202)
            164 STORE_NAME              16 (i)

 41         166 LOAD_NAME               13 (cipher2)
            168 LOAD_NAME               16 (i)
            170 BINARY_SUBSCR
            172 LOAD_NAME               14 (num)
            174 LOAD_NAME               16 (i)
            176 BINARY_SUBSCR
            178 COMPARE_OP               3 (!=)
            180 POP_JUMP_IF_FALSE      192

 42         182 LOAD_NAME                1 (print)
            184 LOAD_CONST              29 ('wrong!')
            186 CALL_FUNCTION            1
            188 POP_TOP
            190 JUMP_ABSOLUTE          162

 44     >>  192 LOAD_NAME                1 (print)
            194 LOAD_CONST              30 ('Rrrright!')
            196 CALL_FUNCTION            1
            198 POP_TOP
            200 JUMP_ABSOLUTE          162
        >>  202 LOAD_CONST              31 (None)
            204 RETURN_VALUE

Disassembly of <code object test2 at 0x00000245D4F44B30, file "program.py", line 6>:
  7           0 LOAD_CONST               1 ('SYC')
              2 STORE_FAST               1 (key)

  8           4 LOAD_CONST               2 (18)
              6 STORE_FAST               2 (length)

  9           8 BUILD_LIST               0
             10 STORE_FAST               3 (cipher)

 10          12 LOAD_GLOBAL              0 (range)
             14 LOAD_FAST                2 (length)
             16 CALL_FUNCTION            1
             18 GET_ITER
        >>   20 FOR_ITER                48 (to 70)
             22 STORE_FAST               4 (i)

 11          24 LOAD_FAST                3 (cipher)
             26 LOAD_METHOD              1 (append)
             28 LOAD_GLOBAL              2 (ord)
             30 LOAD_FAST                0 (s2)
             32 LOAD_FAST                4 (i)
             34 BINARY_SUBSCR
             36 CALL_FUNCTION            1
             38 LOAD_FAST                4 (i)
             40 BINARY_XOR
             42 LOAD_GLOBAL              2 (ord)
             44 LOAD_FAST                1 (key)
             46 LOAD_FAST                4 (i)
             48 LOAD_CONST               3 (3)
             50 BINARY_MODULO
             52 BINARY_SUBSCR
             54 CALL_FUNCTION            1
             56 UNARY_INVERT
             58 LOAD_CONST               4 (1)
             60 BINARY_ADD
             62 BINARY_ADD
             64 CALL_METHOD              1
             66 POP_TOP
             68 JUMP_ABSOLUTE           20

 12     >>   70 LOAD_FAST                3 (cipher)
             72 RETURN_VALUE

Disassembly of <code object test at 0x00000245D4F44BE0, file "program.py", line 14>:
 15           0 BUILD_LIST               0
              2 STORE_FAST               2 (result)

 16           4 LOAD_FAST                0 (s)
              6 GET_ITER
        >>    8 FOR_ITER               218 (to 228)
             10 STORE_FAST               3 (i)

 17          12 LOAD_CONST               1 ('A')
             14 LOAD_FAST                3 (i)
             16 DUP_TOP
             18 ROT_THREE
             20 COMPARE_OP               1 (<=)
             22 POP_JUMP_IF_FALSE       32
             24 LOAD_CONST               2 ('Z')
             26 COMPARE_OP               1 (<=)
             28 POP_JUMP_IF_FALSE       80
             30 JUMP_FORWARD             4 (to 36)
        >>   32 POP_TOP
             34 JUMP_FORWARD            44 (to 80)

 18     >>   36 LOAD_FAST                2 (result)
             38 LOAD_METHOD              0 (append)
             40 LOAD_GLOBAL              1 (chr)
             42 LOAD_GLOBAL              2 (ord)
             44 LOAD_FAST                3 (i)
             46 CALL_FUNCTION            1
             48 LOAD_GLOBAL              2 (ord)
             50 LOAD_CONST               1 ('A')
             52 CALL_FUNCTION            1
             54 BINARY_SUBTRACT
             56 LOAD_FAST                1 (R)
             58 BINARY_ADD
             60 LOAD_CONST               3 (26)
             62 BINARY_MODULO
             64 LOAD_GLOBAL              2 (ord)
             66 LOAD_CONST               1 ('A')
             68 CALL_FUNCTION            1
             70 BINARY_ADD
             72 CALL_FUNCTION            1
             74 CALL_METHOD              1
             76 POP_TOP
             78 JUMP_ABSOLUTE            8

 19     >>   80 LOAD_CONST               4 ('a')
             82 LOAD_FAST                3 (i)
             84 DUP_TOP
             86 ROT_THREE
             88 COMPARE_OP               1 (<=)
             90 POP_JUMP_IF_FALSE      100
             92 LOAD_CONST               5 ('z')
             94 COMPARE_OP               1 (<=)
             96 POP_JUMP_IF_FALSE      148
             98 JUMP_FORWARD             4 (to 104)
        >>  100 POP_TOP
            102 JUMP_FORWARD            44 (to 148)

 20     >>  104 LOAD_FAST                2 (result)
            106 LOAD_METHOD              0 (append)
            108 LOAD_GLOBAL              1 (chr)
            110 LOAD_GLOBAL              2 (ord)
            112 LOAD_FAST                3 (i)
            114 CALL_FUNCTION            1
            116 LOAD_GLOBAL              2 (ord)
            118 LOAD_CONST               4 ('a')
            120 CALL_FUNCTION            1
            122 BINARY_SUBTRACT
            124 LOAD_FAST                1 (R)
            126 BINARY_ADD
            128 LOAD_CONST               3 (26)
            130 BINARY_MODULO
            132 LOAD_GLOBAL              2 (ord)
            134 LOAD_CONST               4 ('a')
            136 CALL_FUNCTION            1
            138 BINARY_ADD
            140 CALL_FUNCTION            1
            142 CALL_METHOD              1
            144 POP_TOP
            146 JUMP_ABSOLUTE            8

 21     >>  148 LOAD_CONST               6 ('0')
            150 LOAD_FAST                3 (i)
            152 DUP_TOP
            154 ROT_THREE
            156 COMPARE_OP               1 (<=)
            158 POP_JUMP_IF_FALSE      168
            160 LOAD_CONST               7 ('9')
            162 COMPARE_OP               1 (<=)
            164 POP_JUMP_IF_FALSE      216
            166 JUMP_FORWARD             4 (to 172)
        >>  168 POP_TOP
            170 JUMP_FORWARD            44 (to 216)

 22     >>  172 LOAD_FAST                2 (result)
            174 LOAD_METHOD              0 (append)
            176 LOAD_GLOBAL              1 (chr)
            178 LOAD_GLOBAL              2 (ord)
            180 LOAD_FAST                3 (i)
            182 CALL_FUNCTION            1
            184 LOAD_GLOBAL              2 (ord)
            186 LOAD_CONST               6 ('0')
            188 CALL_FUNCTION            1
            190 BINARY_SUBTRACT
            192 LOAD_FAST                1 (R)
            194 BINARY_ADD
            196 LOAD_CONST               8 (10)
            198 BINARY_MODULO
            200 LOAD_GLOBAL              2 (ord)
            202 LOAD_CONST               6 ('0')
            204 CALL_FUNCTION            1
            206 BINARY_ADD
            208 CALL_FUNCTION            1
            210 CALL_METHOD              1
            212 POP_TOP
            214 JUMP_ABSOLUTE            8

 24     >>  216 LOAD_FAST                2 (result)
            218 LOAD_METHOD              0 (append)
            220 LOAD_FAST                3 (i)
            222 CALL_METHOD              1
            224 POP_TOP
            226 JUMP_ABSOLUTE            8

 25     >>  228 LOAD_CONST               9 ('')
            230 LOAD_METHOD              3 (join)
            232 LOAD_FAST                2 (result)
            234 CALL_METHOD              1
            236 RETURN_VALUE

exp

import hashlib
cipher = [-1, -36, 26, -5, 14, 41, 6, -9, 60, 29, -28, 17, 21, 7, 35, 38, 26,
48]
r = 14
key = 'SYC'
data = []
for i in range(18):
    data.append((cipher[i] + ord(key[i % 3])) ^ i)
    print(data)
 # [82, 52, 95, 77, 99, 105, 95, 87, 119, 121, 55, 95, 100, 109, 104, 118, 99,98]
char_list = [chr(num) for num in data]
s1 = ''.join(char_list)
print(s1)
# R4_Mci_Wwy7_dmhvcb
def re_rot13(s, R):
    result = []
    for i in s:
        if 'A' <= i <= 'Z':
            result.append(chr((ord(i) - ord('A') - R) % 26 + ord('A')))
        elif 'a' <= i <= 'z':
            result.append(chr((ord(i) - ord('a') - R) % 26 + ord('a')))
        elif '0' <= i <= '9':
            result.append(chr((ord(i) - ord('0') - R) % 10 + ord('0')))
        else:
            result.append(i)
    return ''.join(result)
s2 = re_rot13(s1, r)
print(s2)
# D0_You_Iik3_python
flag = hashlib.md5(s2.encode()).hexdigest()
print("SYC{" + flag + "}")
#SYC{ed798fdd74e5c382b9c7fcca88500aca}

Pwn

Crypto

#2024比赛

Geek 2024

http://example.com/2024/12/30/极客大挑战-Alkiad/

Author

chaye

Posted on

December 30, 2024

Licensed under

测试命令 Previous

ssh连接 Next

Geek 2024

MISC

ez_jpg

雪

Truth of Word

cimbar

舔狗的觉醒

ez_pcap_1

乌龟

Web

RE

signin

hellore

让我康康你的调试

也许你也听jay

好像是python？

Pwn

Crypto