逆向十道题

ipa-2025校赛

后缀改成zip然后解压

将exec文件拖入ida反编译

1747206676676-b1a270f2-a557-4686-a42f-2db66f880c12.png

加载的时候没看到最上面的函数(所以说不能只盯着main函数看)

1747206965205-337d5f3e-4a3e-4c64-ad0e-520ead96d7e1.png

数据在src里面

1747207108017-1a3f6a32-9be5-438c-a7e2-8db30fa5da67.png

1
2
3
4
5
6
a='Ios'
miwen=[0x2F,0x3,0x12,0x2E,0x14,0x21,0x2C,0x19,0x16,0x3B,0x1C,0x16,0x16,0x9,0x43,0x3B,0x30,0x3A,0x79,0x1C,0x2C,0x78,0x1C,0x2C,0x0,0x1,0x7,0x2C,0x1D,0x16,0x3A,0x3B,0x1A,0x27,0x8,0xE]
#print(len(miwen))
for i in range(len(miwen)):
    b=miwen[i]^ord(a[i%3])
    print(chr(b),end='')

1747207305281-7bb2bab9-cc9b-4ca4-900b-35138d365388.png

1747036587351-5ade56f1-b762-4ac8-abee-6d5cb7b60f51.png

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
int __fastcall main(int argc, const char **argv, const char **envp)
{
  unsigned int seed; // eax
  char s[96]; // [rsp+10h] [rbp-70h] BYREF
  int v6; // [rsp+70h] [rbp-10h]
  int i_1; // [rsp+78h] [rbp-8h]
  int i; // [rsp+7Ch] [rbp-4h]

  memset(s, 0, sizeof(s));
  v6 = 0;
  printf("input:");
  __isoc99_scanf("%s", s);
  if ( strlen(s) == 20 )
  {
    seed = time(0LL);
    srand(seed);
    i_1 = rand() % 100;
    for ( i = 0; i < i_1; ++i )
      ;
    if ( *(unsigned __int16 *)s * *(unsigned __int16 *)&s[2] == 342772773
      && *(unsigned __int16 *)s + *(unsigned __int16 *)&s[2] == 39526
      && *(_DWORD *)&s[4] - *(_DWORD *)&s[8] == 1005712381
      && *(unsigned __int16 *)&s[4] + *(unsigned __int16 *)&s[6] == 56269
      && *(unsigned __int16 *)&s[8] - *(unsigned __int16 *)&s[10] == 15092
      && s[4] * s[8] == 10710
      && s[6] * s[10] == 12051
      && s[7] + s[11] == 172
      && *(unsigned __int16 *)&s[12] * *(unsigned __int16 *)&s[14] == 171593250
      && *(unsigned __int16 *)&s[12] + *(unsigned __int16 *)&s[14] == 26219
      && *(unsigned __int16 *)&s[16] * *(unsigned __int16 *)&s[18] == 376306868
      && *(unsigned __int16 *)&s[16] + *(unsigned __int16 *)&s[18] == 40341 )
    {
      puts("check ok~!");
    }
    else
    {
      puts("check failed~!");
    }
  }
  return 1;
}

harre-鸿蒙逆向了解-2025校赛

主要还是熟悉这个hap怎么逆向的

进去后直接就看到一个base64变表加密

1747036391551-833e913b-1e3a-4554-afd8-edaadb09221e.png

1747036402437-f6099d0d-c0b1-4744-9b67-e4a8c0bc4891.png

1747036261199-f5e1e789-eb78-4835-be0f-3a1b09eae051.png

让我康康你的调试-极客2024

1731737832708-3fd0eab8-76e5-4de8-acf1-a29d5329b6f0.png

不理解这个v7的作用是什么

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
from Crypto.Cipher import ARC4
import binascii

# 十六进制字符串
hex_data = "945b7d04c9027aa6390798bc0d68f97e08bdbf9816f804715f1586b69884db61"

# 将十六进制字符串转换为字节
ciphertext = binascii.unhexlify(hex_data)

# RC4 密钥(假设你知道密钥)
key = b'syclover'  # 替换为你的RC4密钥

# 创建 RC4 解密对象
cipher = ARC4.new(key)

# 解密数据
plaintext = cipher.decrypt(ciphertext)

# 输出解密后的内容
print(plaintext.decode('utf-8', errors='ignore'))
for i in range(len(plaintext)):
    flag=plaintext[i]^0x14
    print(chr(flag),end='')

也许你也听jay-极客2024

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
#include <stdio.h>

int main() {
   
    char URL[46];
    char o00O0OO000OO0oooo0o0oo0O0oo000000O0O0OO0O0O00OO0OO0O[46];
    strcpy(o00O0OO000OO0oooo0o0oo0O0oo000000O0O0OO0O0O00OO0OO0O, URL);
    char o00O0OO000OO0oooo0o0oo0O0oo000000O0O0OO0O00000O0OO0O[] = {0x96, 0xa1, 0xa0, 0x9b, 0x9b, 0x5f, 0x49, 0x46, 0x85, 0x82, 0x53, 0x95, 0x7d, 0x36, 0x8d, 0x74, 0x82, 0x88, 0x46, 0x7a, 0x81, 0x65, 0x80, 0x6c, 0x78, 0x2f, 0x6b, 0x6a, 0x27, 0x50, 0x61, 0x38, 0x3f, 0x37, 0x33, 0xf1, 0x27, 0x32, 0x34, 0x1f, 0x39, 0x23, 0xde, 0x1c, 0x17, 0xd4};
    int  o00O0OO000OO0oooo0o0oo0O0000oooooooO0O0OO0O0O00OO0OO0O[] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C, 0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5A, 0x5B, 0x5C, 0x5D, 0x5E, 0x5F, 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7A, 0x7B, 0x7C, 0x7D, 0x7E, 0x7F, 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8A, 0x8B, 0x8C, 0x8D};
    int  o00O0OO000OO0oooo0o0oo0O000O0OO0O0O00OO0OO0O00000[] = {0x5D, 0x5C, 0x5B, 0x5A, 0x59, 0x58, 0x57, 0x56, 0x55, 0x54, 0x53, 0x52, 0x51, 0x50, 0x4F, 0x4E, 0x4D, 0x4C, 0x4B, 0x4A, 0x49, 0x48, 0x47, 0x46, 0x45, 0x44, 0x43, 0x42, 0x41, 0x40, 0x3F, 0x3E, 0x3D, 0x3C, 0x3B, 0x3A, 0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x33, 0x32, 0x31, 0x30, 0x2F, 0x2E, 0x2D, 0x2C, 0x2B, 0x2A, 0x29, 0x28, 0x27, 0x26, 0x25, 0x24, 0x23, 0x22, 0x21, 0x20, 0x1F, 0x1E, 0x1D, 0x1C, 0x1B, 0x1A, 0x19, 0x18, 0x17, 0x16, 0x15, 0x14, 0x13, 0x12, 0x11, 0x10, 0x0F, 0x0E, 0x0D, 0x0C, 0x0B, 0x0A, 0x09, 0x08, 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01};
    int o00O0OO000OO0oooo0o0oo0O000000O00O0O0OO0O0O00OO0OO0O[]={0x65, 0x64, 0x63, 0x62, 0x61, 0x60, 0x5F, 0x5E, 0x5D, 0x5C, 0x5B, 0x5A, 0x59, 0x58, 0x57, 0x56, 0x55, 0x54, 0x53, 0x52, 0x51, 0x50, 0x4F, 0x4E, 0x4D, 0x4C, 0x4B, 0x4A, 0x49, 0x48, 0x47, 0x46, 0x45, 0x44, 0x43, 0x42, 0x41, 0x40, 0x3F, 0x3E, 0x3D, 0x3C, 0x3B, 0x3A, 0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x33, 0x00, 0x31, 0x30, 0x2F};
    int len = strlen(URL);
    for(int i = 0; i < len; i++) {
        o00O0OO000OO0oooo0o0oo0O000000O00O0O0OO0O0O00OO0OO0O[i] ^=  o00O0OO000OO0oooo0o0oo0O000O0OO0O0O00OO0OO0O00000[i+1];  
        
    }
    for(int i = 0; i < len; i++) {
        o00O0OO000OO0oooo0o0oo0O0oo000000O0O0OO0O0O00OO0OO0O[i] ^=  o00O0OO000OO0oooo0o0oo0O0000oooooooO0O0OO0O0O00OO0OO0O[i];  
        
    }
     for(int i = 0; i < len; i++) {
        o00O0OO000OO0oooo0o0oo0O000000O00O0O0OO0O0O00OO0OO0O[i] -=  o00O0OO000OO0oooo0o0oo0O0000oooooooO0O0OO0O0O00OO0OO0O[i];  
        
    }
    for(int i = 0; i < len; i++) {
            o00O0OO000OO0oooo0o0oo0O0oo000000O0O0OO0O0O00OO0OO0O[i] -=  o00O0OO000OO0oooo0o0oo0O0000oooooooO0O0OO0O0O00OO0OO0O[47 + i];  
             o00O0OO000OO0oooo0o0oo0O0000oooooooO0O0OO0O0O00OO0OO0O[i]^=o00O0OO000OO0oooo0o0oo0O000000O00O0O0OO0O0O00OO0OO0O[51];
        
}
    for(int i = 0; i < len; i++) {
        o00O0OO000OO0oooo0o0oo0O0oo000000O0O0OO0O0O00OO0OO0O[i] +=  o00O0OO000OO0oooo0o0oo0O000O0OO0O0O00OO0OO0O00000[i];  
    }
    for(int i=0;i<len;i++){
        if(o00O0OO000OO0oooo0o0oo0O0oo000000O0O0OO0O0O00OO0OO0O[i] != o00O0OO000OO0oooo0o0oo0O0oo000000O0O0OO0O00000O0OO0O[i]){
            printf("Error");
        }
    }
    
    
    return 0;
}

改成这样好看一些,然后re

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
#include <stdio.h>

int main() {
   
    char URL[46];
    char flag0[46];
    strcpy(flag0, URL);
    char flag1[] = {0x96, 0xa1, 0xa0, 0x9b, 0x9b, 0x5f, 0x49, 0x46, 0x85, 0x82, 0x53, 0x95, 0x7d, 0x36, 0x8d, 0x74, 0x82, 0x88, 0x46, 0x7a, 0x81, 0x65, 0x80, 0x6c, 0x78, 0x2f, 0x6b, 0x6a, 0x27, 0x50, 0x61, 0x38, 0x3f, 0x37, 0x33, 0xf1, 0x27, 0x32, 0x34, 0x1f, 0x39, 0x23, 0xde, 0x1c, 0x17, 0xd4};
    int  flag2[] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C, 0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5A, 0x5B, 0x5C, 0x5D, 0x5E, 0x5F, 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7A, 0x7B, 0x7C, 0x7D, 0x7E, 0x7F, 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8A, 0x8B, 0x8C, 0x8D};
    int  flag3[] = {0x5D, 0x5C, 0x5B, 0x5A, 0x59, 0x58, 0x57, 0x56, 0x55, 0x54, 0x53, 0x52, 0x51, 0x50, 0x4F, 0x4E, 0x4D, 0x4C, 0x4B, 0x4A, 0x49, 0x48, 0x47, 0x46, 0x45, 0x44, 0x43, 0x42, 0x41, 0x40, 0x3F, 0x3E, 0x3D, 0x3C, 0x3B, 0x3A, 0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x33, 0x32, 0x31, 0x30, 0x2F, 0x2E, 0x2D, 0x2C, 0x2B, 0x2A, 0x29, 0x28, 0x27, 0x26, 0x25, 0x24, 0x23, 0x22, 0x21, 0x20, 0x1F, 0x1E, 0x1D, 0x1C, 0x1B, 0x1A, 0x19, 0x18, 0x17, 0x16, 0x15, 0x14, 0x13, 0x12, 0x11, 0x10, 0x0F, 0x0E, 0x0D, 0x0C, 0x0B, 0x0A, 0x09, 0x08, 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01};
    int  flag4[]={0x65, 0x64, 0x63, 0x62, 0x61, 0x60, 0x5F, 0x5E, 0x5D, 0x5C, 0x5B, 0x5A, 0x59, 0x58, 0x57, 0x56, 0x55, 0x54, 0x53, 0x52, 0x51, 0x50, 0x4F, 0x4E, 0x4D, 0x4C, 0x4B, 0x4A, 0x49, 0x48, 0x47, 0x46, 0x45, 0x44, 0x43, 0x42, 0x41, 0x40, 0x3F, 0x3E, 0x3D, 0x3C, 0x3B, 0x3A, 0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x33, 0x00, 0x31, 0x30, 0x2F};
    int len = strlen(URL);
    for(int i = 0; i < len; i++) {
        flag4[i] ^=  flag3[i+1];  
        
    }
    for(int i = 0; i < len; i++) {
        flag0[i] ^=  flag2[i];  
        
    }
     for(int i = 0; i < len; i++) {
        flag4[i] -=  flag2[i];  
        
    }
    for(int i = 0; i < len; i++) {
            flag0[i] -=  flag2[47 + i];  
            flag2[i]^=flag4[51];
        
}
    for(int i = 0; i < len; i++) {
        flag0[i] +=  flag3[i];  
    }
    for(int i=0;i<len;i++){
        if(flag0[i] !=flag1[i]){
            printf("Error");
        }
    }
    
    
    return 0;
}


exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
#include <stdio.h>

int main() {
   
    char URL[46]={};
    char flag0[46]={};

     char flag1[] = {0x96, 0xa1, 0xa0, 0x9b, 0x9b, 0x5f, 0x49, 0x46, 0x85, 0x82, 0x53, 0x95, 0x7d, 0x36, 0x8d, 0x74, 0x82, 0x88, 0x46, 0x7a, 0x81, 0x65, 0x80, 0x6c, 0x78, 0x2f, 0x6b, 0x6a, 0x27, 0x50, 0x61, 0x38, 0x3f, 0x37, 0x33, 0xf1, 0x27, 0x32, 0x34, 0x1f, 0x39, 0x23, 0xde, 0x1c, 0x17, 0xd4};
    int  flag2[] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C, 0x3D, 0x3E, 0x3F, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5A, 0x5B, 0x5C, 0x5D, 0x5E, 0x5F, 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7A, 0x7B, 0x7C, 0x7D, 0x7E, 0x7F, 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8A, 0x8B, 0x8C, 0x8D};
    int  flag3[] = {0x5D, 0x5C, 0x5B, 0x5A, 0x59, 0x58, 0x57, 0x56, 0x55, 0x54, 0x53, 0x52, 0x51, 0x50, 0x4F, 0x4E, 0x4D, 0x4C, 0x4B, 0x4A, 0x49, 0x48, 0x47, 0x46, 0x45, 0x44, 0x43, 0x42, 0x41, 0x40, 0x3F, 0x3E, 0x3D, 0x3C, 0x3B, 0x3A, 0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x33, 0x32, 0x31, 0x30, 0x2F, 0x2E, 0x2D, 0x2C, 0x2B, 0x2A, 0x29, 0x28, 0x27, 0x26, 0x25, 0x24, 0x23, 0x22, 0x21, 0x20, 0x1F, 0x1E, 0x1D, 0x1C, 0x1B, 0x1A, 0x19, 0x18, 0x17, 0x16, 0x15, 0x14, 0x13, 0x12, 0x11, 0x10, 0x0F, 0x0E, 0x0D, 0x0C, 0x0B, 0x0A, 0x09, 0x08, 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01};
    int flag4[]={0x65, 0x64, 0x63, 0x62, 0x61, 0x60, 0x5F, 0x5E, 0x5D, 0x5C, 0x5B, 0x5A, 0x59, 0x58, 0x57, 0x56, 0x55, 0x54, 0x53, 0x52, 0x51, 0x50, 0x4F, 0x4E, 0x4D, 0x4C, 0x4B, 0x4A, 0x49, 0x48, 0x47, 0x46, 0x45, 0x44, 0x43, 0x42, 0x41, 0x40, 0x3F, 0x3E, 0x3D, 0x3C, 0x3B, 0x3A, 0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x33, 0x00, 0x31, 0x30, 0x2F};
    int len = 46,i;
    for(int i = 0; i < len; i++) {
        flag4[i] ^=  flag3[i+1];  
        
    }
    for(i=0;i<len;i++)
    {
        flag1[i]-=flag3[i];     
    }
    for(i=0;i<len;i++)
    {
        flag2[i]^=flag4[51];
        flag1[i]+=flag2[47+i];
    }
    for(i=0;i<len;i++)
    {
        flag4[i] +=  flag2[i];  
    }
    for(int i = 0; i < len; i++) {
      flag1[i] ^=  flag2[i];  
        
    }
    puts(flag1);
    return 0;
}

1731740136954-22b04d8b-11cc-4e68-975f-388449ed438e.png

https://am1re-sudo.github.io/Coisni.github.io/

1731740295598-c781d21a-d0b5-44ca-bdd7-80939f47b3d8.png

1731740258994-d4352f1c-b446-4e32-b6ef-135bab2b8195.png

1731740506704-52bcd9d9-a296-4db9-8ccf-a1cc4c8ecea7.png

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
from Crypto.Cipher import ARC4
import base64

def rc4_encrypt(data, key1):        # 加密
    key = bytes(key1, encoding='utf-8')
    enc = ARC4.new(key)
    res = enc.encrypt(data.encode('utf-8'))
    res=base64.b64encode(res)
    res = str(res,'utf-8')
    return res

def rc4_decrypt(data, key1):        # 解密
    data = base64.b64decode(data)
    key = bytes(key1, encoding='utf-8')
    enc = ARC4.new(key)
    res = enc.decrypt(data)
    res = str(res,'gbk')
    return res


if __name__ == "__main__":
    data = 'Q7u+cyiOQtKHRMqZNzPpApgmTL4j+TE='  # 需要解密的内容
    key = 'lovebeforeBC'  # 加密key
    print('解密后:',rc4_decrypt(data, key))         # 解密方法

好像是python?-极客2024

反汇编后得到字节码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
1           0 LOAD_CONST               0 ('SYC{MD5(input)}')
              2 STORE_NAME               0 (flag)

  2           4 LOAD_NAME                1 (print)
              6 LOAD_CONST               1 ('Please input0:')
              8 CALL_FUNCTION            1
             10 POP_TOP

  3          12 LOAD_CONST               2 ('')
             14 STORE_NAME               2 (input0)

  6          16 LOAD_CONST               3 (<code object test2 at 0x00000245D4F44B30, file "program.py", line 6>)
             18 LOAD_CONST               4 ('test2')
             20 MAKE_FUNCTION            0
             22 STORE_NAME               3 (test2)

 14          24 LOAD_CONST               5 (<code object test at 0x00000245D4F44BE0, file "program.py", line 14>)
             26 LOAD_CONST               6 ('test')
             28 MAKE_FUNCTION            0
             30 STORE_NAME               4 (test)

 28          32 LOAD_CONST               7 (13)
             34 STORE_NAME               5 (a)

 29          36 LOAD_CONST               8 (14)
             38 STORE_NAME               6 (b)

 30          40 LOAD_NAME                5 (a)
             42 LOAD_NAME                6 (b)
             44 LOAD_NAME                5 (a)
             46 BINARY_ADD
             48 BINARY_XOR
             50 STORE_NAME               7 (c)

 31          52 LOAD_NAME                6 (b)
             54 LOAD_CONST               9 (100)
             56 BINARY_MULTIPLY
             58 STORE_NAME               8 (d)

 32          60 LOAD_NAME                5 (a)
             62 LOAD_NAME                6 (b)
             64 BINARY_XOR
             66 STORE_NAME               9 (e)

 33          68 LOAD_NAME                8 (d)
             70 LOAD_NAME                7 (c)
             72 LOAD_CONST              10 (4)
             74 BINARY_MULTIPLY
             76 BINARY_SUBTRACT
             78 LOAD_NAME                9 (e)
             80 BINARY_ADD
             82 LOAD_CONST              11 (1)
             84 BINARY_SUBTRACT
             86 STORE_NAME              10 (m)

 35          88 LOAD_NAME               10 (m)
             90 LOAD_CONST              12 (26)
             92 BINARY_MODULO
             94 STORE_NAME              11 (r)

 37          96 LOAD_NAME                4 (test)
             98 LOAD_NAME                2 (input0)
            100 LOAD_NAME               11 (r)
            102 CALL_FUNCTION            2
            104 STORE_NAME              12 (cipher1)

 38         106 LOAD_NAME                3 (test2)
            108 LOAD_NAME               12 (cipher1)
            110 CALL_FUNCTION            1
            112 STORE_NAME              13 (cipher2)

 39         114 LOAD_CONST              13 (-1)
            116 LOAD_CONST              14 (-36)
            118 LOAD_CONST              12 (26)
            120 LOAD_CONST              15 (-5)
            122 LOAD_CONST               8 (14)
            124 LOAD_CONST              16 (41)
            126 LOAD_CONST              17 (6)
            128 LOAD_CONST              18 (-9)
            130 LOAD_CONST              19 (60)
            132 LOAD_CONST              20 (29)
            134 LOAD_CONST              21 (-28)
            136 LOAD_CONST              22 (17)
            138 LOAD_CONST              23 (21)
            140 LOAD_CONST              24 (7)
            142 LOAD_CONST              25 (35)
            144 LOAD_CONST              26 (38)
            146 LOAD_CONST              12 (26)
            148 LOAD_CONST              27 (48)
            150 BUILD_LIST              18
            152 STORE_NAME              14 (num)

 40         154 LOAD_NAME               15 (range)
            156 LOAD_CONST              28 (18)
            158 CALL_FUNCTION            1
            160 GET_ITER
        >>  162 FOR_ITER                38 (to 202)
            164 STORE_NAME              16 (i)

 41         166 LOAD_NAME               13 (cipher2)
            168 LOAD_NAME               16 (i)
            170 BINARY_SUBSCR
            172 LOAD_NAME               14 (num)
            174 LOAD_NAME               16 (i)
            176 BINARY_SUBSCR
            178 COMPARE_OP               3 (!=)
            180 POP_JUMP_IF_FALSE      192

 42         182 LOAD_NAME                1 (print)
            184 LOAD_CONST              29 ('wrong!')
            186 CALL_FUNCTION            1
            188 POP_TOP
            190 JUMP_ABSOLUTE          162

 44     >>  192 LOAD_NAME                1 (print)
            194 LOAD_CONST              30 ('Rrrright!')
            196 CALL_FUNCTION            1
            198 POP_TOP
            200 JUMP_ABSOLUTE          162
        >>  202 LOAD_CONST              31 (None)
            204 RETURN_VALUE

Disassembly of <code object test2 at 0x00000245D4F44B30, file "program.py", line 6>:
  7           0 LOAD_CONST               1 ('SYC')
              2 STORE_FAST               1 (key)

  8           4 LOAD_CONST               2 (18)
              6 STORE_FAST               2 (length)

  9           8 BUILD_LIST               0
             10 STORE_FAST               3 (cipher)

 10          12 LOAD_GLOBAL              0 (range)
             14 LOAD_FAST                2 (length)
             16 CALL_FUNCTION            1
             18 GET_ITER
        >>   20 FOR_ITER                48 (to 70)
             22 STORE_FAST               4 (i)

 11          24 LOAD_FAST                3 (cipher)
             26 LOAD_METHOD              1 (append)
             28 LOAD_GLOBAL              2 (ord)
             30 LOAD_FAST                0 (s2)
             32 LOAD_FAST                4 (i)
             34 BINARY_SUBSCR
             36 CALL_FUNCTION            1
             38 LOAD_FAST                4 (i)
             40 BINARY_XOR
             42 LOAD_GLOBAL              2 (ord)
             44 LOAD_FAST                1 (key)
             46 LOAD_FAST                4 (i)
             48 LOAD_CONST               3 (3)
             50 BINARY_MODULO
             52 BINARY_SUBSCR
             54 CALL_FUNCTION            1
             56 UNARY_INVERT
             58 LOAD_CONST               4 (1)
             60 BINARY_ADD
             62 BINARY_ADD
             64 CALL_METHOD              1
             66 POP_TOP
             68 JUMP_ABSOLUTE           20

 12     >>   70 LOAD_FAST                3 (cipher)
             72 RETURN_VALUE

Disassembly of <code object test at 0x00000245D4F44BE0, file "program.py", line 14>:
 15           0 BUILD_LIST               0
              2 STORE_FAST               2 (result)

 16           4 LOAD_FAST                0 (s)
              6 GET_ITER
        >>    8 FOR_ITER               218 (to 228)
             10 STORE_FAST               3 (i)

 17          12 LOAD_CONST               1 ('A')
             14 LOAD_FAST                3 (i)
             16 DUP_TOP
             18 ROT_THREE
             20 COMPARE_OP               1 (<=)
             22 POP_JUMP_IF_FALSE       32
             24 LOAD_CONST               2 ('Z')
             26 COMPARE_OP               1 (<=)
             28 POP_JUMP_IF_FALSE       80
             30 JUMP_FORWARD             4 (to 36)
        >>   32 POP_TOP
             34 JUMP_FORWARD            44 (to 80)

 18     >>   36 LOAD_FAST                2 (result)
             38 LOAD_METHOD              0 (append)
             40 LOAD_GLOBAL              1 (chr)
             42 LOAD_GLOBAL              2 (ord)
             44 LOAD_FAST                3 (i)
             46 CALL_FUNCTION            1
             48 LOAD_GLOBAL              2 (ord)
             50 LOAD_CONST               1 ('A')
             52 CALL_FUNCTION            1
             54 BINARY_SUBTRACT
             56 LOAD_FAST                1 (R)
             58 BINARY_ADD
             60 LOAD_CONST               3 (26)
             62 BINARY_MODULO
             64 LOAD_GLOBAL              2 (ord)
             66 LOAD_CONST               1 ('A')
             68 CALL_FUNCTION            1
             70 BINARY_ADD
             72 CALL_FUNCTION            1
             74 CALL_METHOD              1
             76 POP_TOP
             78 JUMP_ABSOLUTE            8

 19     >>   80 LOAD_CONST               4 ('a')
             82 LOAD_FAST                3 (i)
             84 DUP_TOP
             86 ROT_THREE
             88 COMPARE_OP               1 (<=)
             90 POP_JUMP_IF_FALSE      100
             92 LOAD_CONST               5 ('z')
             94 COMPARE_OP               1 (<=)
             96 POP_JUMP_IF_FALSE      148
             98 JUMP_FORWARD             4 (to 104)
        >>  100 POP_TOP
            102 JUMP_FORWARD            44 (to 148)

 20     >>  104 LOAD_FAST                2 (result)
            106 LOAD_METHOD              0 (append)
            108 LOAD_GLOBAL              1 (chr)
            110 LOAD_GLOBAL              2 (ord)
            112 LOAD_FAST                3 (i)
            114 CALL_FUNCTION            1
            116 LOAD_GLOBAL              2 (ord)
            118 LOAD_CONST               4 ('a')
            120 CALL_FUNCTION            1
            122 BINARY_SUBTRACT
            124 LOAD_FAST                1 (R)
            126 BINARY_ADD
            128 LOAD_CONST               3 (26)
            130 BINARY_MODULO
            132 LOAD_GLOBAL              2 (ord)
            134 LOAD_CONST               4 ('a')
            136 CALL_FUNCTION            1
            138 BINARY_ADD
            140 CALL_FUNCTION            1
            142 CALL_METHOD              1
            144 POP_TOP
            146 JUMP_ABSOLUTE            8

 21     >>  148 LOAD_CONST               6 ('0')
            150 LOAD_FAST                3 (i)
            152 DUP_TOP
            154 ROT_THREE
            156 COMPARE_OP               1 (<=)
            158 POP_JUMP_IF_FALSE      168
            160 LOAD_CONST               7 ('9')
            162 COMPARE_OP               1 (<=)
            164 POP_JUMP_IF_FALSE      216
            166 JUMP_FORWARD             4 (to 172)
        >>  168 POP_TOP
            170 JUMP_FORWARD            44 (to 216)

 22     >>  172 LOAD_FAST                2 (result)
            174 LOAD_METHOD              0 (append)
            176 LOAD_GLOBAL              1 (chr)
            178 LOAD_GLOBAL              2 (ord)
            180 LOAD_FAST                3 (i)
            182 CALL_FUNCTION            1
            184 LOAD_GLOBAL              2 (ord)
            186 LOAD_CONST               6 ('0')
            188 CALL_FUNCTION            1
            190 BINARY_SUBTRACT
            192 LOAD_FAST                1 (R)
            194 BINARY_ADD
            196 LOAD_CONST               8 (10)
            198 BINARY_MODULO
            200 LOAD_GLOBAL              2 (ord)
            202 LOAD_CONST               6 ('0')
            204 CALL_FUNCTION            1
            206 BINARY_ADD
            208 CALL_FUNCTION            1
            210 CALL_METHOD              1
            212 POP_TOP
            214 JUMP_ABSOLUTE            8

 24     >>  216 LOAD_FAST                2 (result)
            218 LOAD_METHOD              0 (append)
            220 LOAD_FAST                3 (i)
            222 CALL_METHOD              1
            224 POP_TOP
            226 JUMP_ABSOLUTE            8

 25     >>  228 LOAD_CONST               9 ('')
            230 LOAD_METHOD              3 (join)
            232 LOAD_FAST                2 (result)
            234 CALL_METHOD              1
            236 RETURN_VALUE

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
import hashlib
cipher = [-1, -36, 26, -5, 14, 41, 6, -9, 60, 29, -28, 17, 21, 7, 35, 38, 26,
48]
r = 14
key = 'SYC'
data = []
for i in range(18):
    data.append((cipher[i] + ord(key[i % 3])) ^ i)
    print(data)
 # [82, 52, 95, 77, 99, 105, 95, 87, 119, 121, 55, 95, 100, 109, 104, 118, 99,98]
char_list = [chr(num) for num in data]
s1 = ''.join(char_list)
print(s1)
# R4_Mci_Wwy7_dmhvcb
def re_rot13(s, R):
    result = []
    for i in s:
        if 'A' <= i <= 'Z':
            result.append(chr((ord(i) - ord('A') - R) % 26 + ord('A')))
        elif 'a' <= i <= 'z':
            result.append(chr((ord(i) - ord('a') - R) % 26 + ord('a')))
        elif '0' <= i <= '9':
            result.append(chr((ord(i) - ord('0') - R) % 10 + ord('0')))
        else:
            result.append(i)
    return ''.join(result)
s2 = re_rot13(s1, r)
print(s2)
# D0_You_Iik3_python
flag = hashlib.md5(s2.encode()).hexdigest()
print("SYC{" + flag + "}")
#SYC{ed798fdd74e5c382b9c7fcca88500aca}

easy_reverse(python反编译)bugkuctf

1740977315009-12523273-a9a2-4b1f-a210-728c167d22e7.png

1740977452894-bff09cdc-aa7d-46fe-aaba-82333148cc3b.png

1740977526408-05b225e4-05b7-4408-91ff-473d227700b5.png

1740977628433-4bfccc3c-fa25-4d59-90c2-dd6483aad3d0.png

1740977665245-7d539bc9-d042-4435-8043-793a8df1e703.png

baby_re(强网先锋)net逆向

1740978789540-6afedada-be0e-4aa8-b406-671f8f4d68a7.png

1740979093577-f57100d1-c7c1-4a4f-aaf4-621565c01ded.png

1740979429774-a27ec7bd-00a0-4ed4-8081-30510b3fe6d1.png

还有一种方法是修改判断次数,修改num,调试后得到flag

1740979941838-de3ee6d3-1bb7-4cc6-9a7d-214fc162d4de.png

[DASCTF 2024最后一战|寒夜破晓,冬至终章]刻板印象re

1741067788345-54d5222e-ed2d-424a-a1e0-6f292075463f.png

1741067953657-7c1a018b-6e60-4b6a-91db-ccf6b0338f1a.png

len=48

猜测sub_401023为copy函数

看一下sub_40126C这个加密函数

下面是比较函数

1741067987602-c7fa999a-c3bd-41bb-ade3-2416ba4391d3.png

a1就是数据串的初始地址

密文

byte_42F090=”aughter_is_poison_to_fear”;

加密逻辑在sub_401740,但是401795处有修改堆栈返回值的代码,IDA误以为后面没有代码了,nop掉这部分,就可以看到完整的伪C代码。

我说怎么原来解出来是乱码

nop掉这部分

1741069568805-cd41cea8-c021-4bb8-8de5-36e83062dcab.png

方法1、nop掉中间部分,然后修改上面机器码跳转到下面的指令

1741071536293-0aced7b9-5f95-453c-95e8-90065324b866.png

1741071593504-4f420b6d-2dba-4e05-8d75-63b0cf80697f.png

发现是XXTEA

delta是0x11451419

密钥是{What_is_this_?}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
import struct
def XTEAdecrypt(rounds, v, k):
    v0 = v[0]
    v1 = v[1]
    delta = 0x9E3779B9
    x = delta * rounds
    for i in range(rounds):
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (x + k[(x >> 11) & 3])
        v1 = v1 & 0xFFFFFFFF
        x -= delta
        x = x & 0xFFFFFFFF
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (x + k[x & 3])
        v0 = v0 & 0xFFFFFFFF
#    v[0] = v0
#    v[1] = v1
    return [v0,v1]

def xor(a,b):
    return bytes([i^j for i,j in zip(a,b)])
def shift(z, y, x, k, p, e):
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4))) ^ ((x ^ y) + (k[(p & 3) ^ e] ^ z)))

def XXTEAdecrypt(v, k):
    delta = 0x11451419
    n = len(v)
    rounds = 6 + 52 // (n)
    x = (rounds * delta) & 0xFFFFFFFF
    y = v[0]
    for i in range(rounds):
        e = (x >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - shift(z, y, x, k, p, e)) & 0xFFFFFFFF
            y = v[p]
        p -= 1
        z = v[n - 1]
        v[0] = (v[0] - shift(z, y, x, k, p, e)) & 0xFFFFFFFF
        y = v[0]
        x = (x - delta) & 0xFFFFFFFF
    return v
if __name__ == '__main__':
    key=[]
    keys=b'{What_is_this_?}'
    for i in range(4):
        key.append(struct.unpack('<I',keys[i*4:i*4+4])[0])
    enc=bytes.fromhex('18091C14371D162D3C05163E0203102C0E313915043A39030D132B3E06083700170B001D1C0016060717300330060A71')
    enc=xor(enc,bytes.fromhex('8f6ca63f943df5d9366651d7662fb38fc0619ecee9d7e1bf13141614c2e7c33a7f94a1e7240ea75cd377fe4f11dc6923'))
    encrypted=[]
    for i in range(len(enc)//4):
        encrypted.append(struct.unpack('<I',enc[i*4:i*4+4])[0])
    decrypted = XXTEAdecrypt(encrypted, key)
    flag=b''
    for i in range(len(decrypted)):
        flag+=struct.pack('<I',decrypted[i])
    key = [0x756F797B,0x6E69665F,0x74695F64,0x7D3F215F]
    rounds = 32
    enc=flag
    enc=xor(enc,bytes.fromhex('DA3023E3DC398260A54468C2437ABBE450E102C28159EA1EC68B7138278394D8F48D1A2A568A4AD454DC243FB9ED7B9A'))
    encrypted=[]
    flag=b''
    for i in range(len(enc)//4):
        encrypted.append(struct.unpack('<I',enc[i*4:i*4+4])[0])
    for i in range(len(encrypted)//2):
        decrypted = XTEAdecrypt(rounds,encrypted[i*2:i*2+2], key)
        x=struct.pack('<2I',decrypted[0],decrypted[1])
        flag+=x
    print(xor(flag,b'Laughter_is_poison_to_fearLaughter_is_poison_to_fear'))
#DASCTF{You_come_to_me_better_than_all_the_good.}

例题xctf chase(nes逆向)-TPCTF

mapper为0

1741419256964-69856734-4fc1-42ab-9929-d319c6c1fe01.png

1741418395482-843dfd13-99ea-4389-9718-783a3594f4eb.png

1741419165702-57bad6fd-0b9c-4cac-a85f-f4fe2a9d7f28.png

看到机器码从8000

ida用二进制打开 以6502的形式

flag01

1741419767757-5cfb67c8-a43c-4092-b050-7fa0f8a78105.png

可以直接ce开挂,

1741420056271-4f8d75df-b34b-48b9-8325-9b2cb0e792dc.png

TPCTF{D0_Y0U_L1KE_

也可用FCEUX自带的cheat改动1741709266224-553180e2-fb39-44d6-a16b-2e2d6e5e2545.png

flag02

法1

经过不断调试发现AB对应的值和场景有关,每个场景对应值固定且范围普遍在0-60之间,那么尝试爆破,调整AB的值,改内存时发现会有随机性,相同的值不保证每次的闪烁结果相同,这里是尝试到0x15时看到flag2:

1741709756176-dbd26352-cb02-462d-8549-d69b24d71089.png

法2

第二段有点misc的感觉,猜测也是在内存里面只不过不会加载到屏幕上,由于每段flag开头都会有THE FLAG PT我们搜索这几个字符的tile 34 28 25,一共发现两个其实一个是第一段flag,tile D2就是代表字符2 D1也就是字符1

这段是flag1

1741710181978-c9534bf4-ebe6-4cf7-8cd9-45a6069a9013.png

1741710552358-b2720dac-228b-4429-bc6f-d7ad34761324.png

第二段是flag2

1741710162833-33cee26d-da76-4d11-87dc-0609309ade76.png

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
import binascii

data = "34282500262C21270030340ED200262F3200392F35002933000112A4000118302C2139D12ED93DD6202DD3333D00019ABDADAD6D000103B9ADAD6E000103B9ADAD6E0001030D01030001100001000F0F0F0F0F1C2C3C0F1222320F1424340F1132300F1C2C3C0F0927380F1121310F1132300F1121310F0727380F1323330F1132300F1525350F0527380F1323330F1132300F1929390F0B27380F1727370F1132300F1626360F0727380F1828380F0F29300F0F26300F0F24300F0F213000FF490008FF4A0000074B0008074C008000FF4D0108FF4E0100074F01080750018000FF4D0208FF4E0200074F02080750028000FF4D0308FF4E0300074F03080750038077F488F499F4AAF4B0E717F4E1E827F4ACEA37F4C8EC37F448EF37F49BF217F4280044280044280044280044204F10205010205110FF2C2536252C1A000027252D331A0000000F000000002C293625331A000304037A7B7C7D7C7D7E7F80819A9B867B8788898A8B8C8D7D807D909192939495967F94959C9500000000000058E5ADE40BE7FEE48D1C038E1D038D23038E240388B9FFFF8D2D0388B9FFFF8D2C038C2F0320FFFFA0FFD0E860000000000000"

data = binascii.a2b_hex(data)

table = {}
str_1 = ord("A")
for i in range(0x21,0x3B):
    table[i] = chr(str_1)
    str_1 += 1
table[0x20] = "@"
table[0] = " "
table[0x3d] = "_"
str_1 = ord("0")
for i in range(0xD0,0xDA):
    table[i] = chr(str_1)
    str_1 += 1
flag = ""

for i in range(len(data)):
    for key,value in table.items():
        if data[i] == key:
            flag += value
print(flag)

1741710467489-0446e5ee-e3bc-4afd-a9bc-27269875e8eb.png

THE FLAG PT2 FOR YOU IS PLAY1N9_6@M3S_ LBRDTRPLGXAQRPAQGXCSRPEUGXCSRPIYGXGWRPFVGXHXIPFPDPAP GWWWH H H H @@@LEVEL GEMS LIVES CDMLO@0

flag03

看ppu viewer

1741708666856-c2b8147d-30a2-4fe3-91ba-9775a25f2426.png

ON_Y0UR_N3S?}

FLAG:TPCTF{D0_Y0U_L1KE_PLAY1N9_6@M3S_ ON_Y0UR_N3S?}

A_game-MOECTF

看了一下是个数独题目

1748414863970-eee04499-9ae7-495c-80cf-6379bb4c403d.png

提取box,顺便整理一下

1748415326666-9f8543c6-d1a1-4bb9-9c55-af44a9198b9d.png

https://sudokusolving.bmcx.com/

1748415414031-78f0bc0f-c726-4d51-8089-5c774b6c3a01.png

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
box=[
    0,   0,   5,   0,   0,   4,   3,   6,   0,
    0,   0,   0,   0,   5,   0,   0,   2,   4,
    0,   4,   9,   6,   7,   0,   0,   0,   0,
    1,   0,   6,   0,   2,   0,   0,   3,   0,
    9,   0,   0,   7,   0,   0,   1,   0,   8,
    0,   3,   0,   0,   0,   5,   0,   9,   0,
    2,   0,   0,   5,   0,   7,   0,   0,   9,
    7,   0,   4,   0,   0,   0,   8,   0,   0,
    0,   9,   0,   0,   4,   0,   0,   0,   6]
'''for i in range(len(box)):
print(box[i],end='')'''
magic=[0x6B,0x2,0x66,0x70,0x44,0x69,0x7E,0x6E,0x43,0x4A,0x78,0x4A,0x6D,0x60,0x56,0x0,0x51,0x59,0x50,0x43,0x50,0x51,0x6D,0x74,0x2,0x55,0x50,0x52,0x6E,0x6F,0x79,0x40,0x5D,0x4B,0x1E,0x19,0x1C,0x74,0x3,0x54,0x7,0x4C,0x52,0x6A,0x60,0x50,0x58,0x40,0x58,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0]
buf1='825914367671358924349672581186429735952763148437185692268537419714296853593841276'
buf2='005004360000050024049670000106020030900700108030005090200507009704000800090040006'
buf3='8291767138932581849755263447186268341129653538127'
for i in range(len(buf1)):
    if buf1[i] !=buf2[i]:
        print(buf1[i],end='')
print('\n')
#print(len(buf),len(magic))
for k in range(len(buf3)):
    flag=ord(buf3[k])^magic[k]
print(chr(flag),end='')
#flag='moectf{S0_As_I_prAy_Un1imited_B1ade_WOrks---E1m1ya_Shiro}'

FeatureExtraction-Litctf2025

1748482301251-90b681db-daac-4b45-814c-503ac2502e4e.png

题目提示要特征提取,可能是动调提取44位密文

看加密函数

1748483247730-c9cce732-284c-4fb2-877d-9034d3c357e9.png

key

1748483413217-2b54e9b3-3c6f-487c-875a-43ca42128435.png

1748483476083-756616be-7ab2-46da-b162-f364d63405a1.png

下完断点后提取数据

1748483683733-ed939bcf-8a63-4a84-8ec8-785bb78a7cfb.png

1748483704369-9621be44-8c96-4237-97e9-4bb9978c539b.png

数据以dword形式提取出来

1748484162961-a707b2c0-1bf8-4c34-a53d-d705f1709245.png

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
key = [ord(c) for c in "LitCTF2025"]

a = [
    5776, 15960, 28657, 34544, 40294, 43824, 51825, 53033, 58165, 58514,
    61949, 56960, 53448, 49717, 47541, 45519, 40607, 40582, 38580, 42320,
    41171, 41269, 39370, 44224, 48760, 49558, 48128, 46531, 47088, 46181,
    46707, 46879, 48098, 52047, 53933, 56864, 60564, 64560, 66744, 63214,
    60873, 58245, 55179, 56857, 51532, 44308, 32392, 27577, 19654, 14342,
    11721, 9112, 6625
]

b = [0] * 44
for k in range(44):
    s = a[k]
    for j in range(1, min(10, k + 1)):
        s -= b[k - j] * key[j]
    if s % key[0] != 0:
        print("Invalid division at k =", k)
    b[k] = s // key[0]

flag = ''
for x in b:
    flag += chr(x)

print(flag)

harre-鸿蒙逆向了解

主要还是熟悉这个hap怎么逆向的

进去后直接就看到一个base64变表加密

1747036391551-833e913b-1e3a-4554-afd8-edaadb09221e.png

1747036402437-f6099d0d-c0b1-4744-9b67-e4a8c0bc4891.png

1747036261199-f5e1e789-eb78-4835-be0f-3a1b09eae051.png

更新: 2025-06-04 14:44:46
原文: https://www.yuque.com/chaye-apqbl/vsc85q/obrhrc6cgz6o1liq

http://example.com/2026/01/19/WP/2025/逆向十道题/
Author
chaye
Posted on
January 19, 2026
Licensed under