2020 网鼎杯 (Wangding Cup) Re WP

Misc

Sign-in

After answering the questions and entering the token, the flag is visible in the console.

flag{32c7c08cc310048a8605c5e2caba3e99}

Crypto

boom

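First, reverse the MD5 hash 46e5efe6165a5afb361217446a2dbd01, which gives en5oy.
Next, solve the system of equations: x=74, y=68, z=31
Then solve the quadratic equation: x=89127561

#include <cstdlib>
#include <iostream>

using namespace std;

int main() {
    // Brute-force the positive root of a * (a + 1) = 7943722218936282.
    long long a = 0;
    long long b = a * (a + 1);
    while (1) {
        if (b == 7943722218936282)
            break;
        a++;
        b = a * (a + 1);
    }
    cout << a << endl;
    system("PAUSE");
    return 0;
}

flag{en5oy_746831_89127561}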

 

Reverse

bang

The app is packed with the free edition of 梆梆加密 (Bangcle). This challenge mainly comes down to unpacking classes.dex with FART to recover the protected code:

// Decompiled output; names and types are as recovered by the decompiler.
public void onClick(View paramAnonymousView) {
    String str = localEditText.getText().toString();
    paramAnonymousView = paramBundle.getText().toString();
    if (str.equals(paramAnonymousView)) {
        MainActivity.showmsg("user is equal passwd");
    } else if ((str.equals("admin") & paramAnonymousView.equals("pass71487"))) {
        MainActivity.showmsg("success");
        MainActivity.showmsg("flag is flag{borring_things}");
    } else {
        MainActivity.showmsg("wrong");
    }
}

flag{borring_things}

 

joker

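First remove the obfuscation in the code and fix the stack balance, then debug.

The wrong function transforms the flag by index parity: a character is either XORed with its index or has its index subtracted (the script below inverts this with XOR at even indices and addition at odd indices).

The omg function compares the transformed flag with unk_4030C0.

model = [0x66, 0x6B, 0x63, 0x64, 0x7F, 0x61, 0x67, 0x64, 0x3B, 0x56, 0x6B, 0x61,
         0x7B, 0x26, 0x3B, 0x50, 0x63, 0x5F, 0x4D, 0x5A, 0x71, 0x0C, 0x37, 0x66]
flag = ""

for i in range(len(model)):
    if i % 2 == 0:
        flag += chr(model[i] ^ i)   # even index: undo the XOR
    else:
        flag += chr(model[i] + i)   # odd index: undo the subtraction
print(flag)

Inverting gives flag{fak3_alw35_sp_me!!}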

Debug with dbg up to this point.

Here flag{fak3_alw35_sp_me!!} is XORed with the first 19 characters of hahahaha_do_you_find_me?, giving

[0x0E,0x0D,0x09,0x06,0x13,0x05,0x58,0x56,0x3E,0x06,0x0C,0x3C,0x1F,0x57,0x14,0x6B,0x57,0x59,0x0D,0x00]

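Inverting gives

m = "hahahaha_do_you_find_me?"
n = [0x0E,0x0D,0x09,0x06,0x13,0x05,0x58,0x56,0x3E,0x06,0x0C,0x3C,0x1F,0x57,0x14,0x6B,0x57,0x59,0x0D]
for i in range(len(n)):
    print(chr(ord(m[i]) ^ n[i]), end="")

flag{d07abccf8a410c, which is still missing 5 characters, the last of which is '}'

The finally function makes use of these five values.

From this, 0x3a must correspond to '}'. Guessing that the relationship between them is XOR (71) yields the complete flag.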

flag{d07abccf8a410cb37a}

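You cannot brute-force the last few characters in this challenge, because this flag does not pass checkflag when you feed it in; the final guess that the relation is XOR is a bit of a leap.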

 

signal 

A VM challenge.

First, an array of length 114 is passed in; it is what the switch operates on.

a=[0x0A,0x04,0x10,0x08,0x03,0x05,0x01,0x04,0x20,0x08,0x05,0x03,0x01,0x03,0x02,0x08,0x0B,0x01,0x0C,0x08,0x04,0x04,0x01,0x05,0x03,0x08,0x03,0x21,0x01,0x0B,0x08,0x0B,0x01,0x04,0x09,0x08,0x03,0x20,0x01,0x02,0x51,0x08,0x04,0x24,0x01,0x0C,0x08,0x0B,0x01,0x05,0x02,0x08,0x02,0x25,0x01,0x02,0x36,0x08,0x04,0x41,0x01,0x02,0x20,0x08,0x05,0x01,0x01,0x05,0x03,0x08,0x02,0x25,0x01,0x04,0x09,0x08,0x03,0x20,0x01,0x02,0x41,0x08,0x0C,0x01,0x07,0x22,0x07,0x3F,0x07,0x34,0x07,0x32,0x07,0x72,0x07,0x33,0x7,0x18,0x7,0xffffffa7,0x7,0x31,0x7,0xffffff,0x7,0x28,0x7,0xffffff84,0x7,0xffffffc1,0x7,0x1e,0x7,0x7a]

Dynamic debugging shows that in case 7, v4[v8] is a fixed value. Record the value of eax (patch je to jmp).

 

v4 = [0x22,0x3F,0x34,0x32,0x72,0x33,0x18,0xFA7,0x31,0xF1,0x28,0xF84,0xC1,0x1E,0x7A]

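Table a is effectively the list of switch options to execute, and the v3 array is our flag. Each execution of case 1 assigns one value to v4 (v4 is known), so every 1 marks the end of one processing segment, for example 4,16,8,3,5,1. Working through the segments by hand, we can write a script that recovers the flag.

# -*- coding:utf-8 -*-
# Invert each segment of table a by hand, starting from the known v4 bytes.
flag = [0] * 15
flag[0] = (0x22 + 5) ^ 0x10
flag[1] = (0x3f // 3) ^ 0x20
flag[2] = 0x34 + 1 + 2
flag[3] = (0x32 ^ 4) - 1
flag[4] = (0x72 + 0x21) // 3
flag[5] = 0x33 + 2
flag[6] = (0x18 + 0x20) ^ 0x9
flag[7] = (0xa7 ^ 0x24) - 0x51
flag[8] = 0x31 + 1 - 1
flag[9] = (0xf1 - 0x25) // 2
flag[10] = (0x28 ^ 0x41) - 0x36  # segment 2,0x36,8,4,0x41,1 in table a
flag[11] = 0x84 - 0x20
flag[12] = (0xc1 - 0x25) // 3
flag[13] = (0x1e + 0x20) ^ 0x9
flag[14] = 0x7a - 0x1 - 0x41

print('flag{' + ''.join([chr(x) for x in flag]) + '}')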

 

flag{757515121fId478}
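
The hand derivation for signal can also be done mechanically. The sketch below is an added example, not code from the original write-up: it runs the transform part of table a forward and searches each printable flag byte against the recorded v4. The opcode meanings (2 add, 3 subtract, 4 XOR, 5 multiply, 0x0B decrement, 0x0C increment, 8 write back, 1 emit) and the byte-wide comparison are assumptions inferred from the hand-written script, and all function and constant names are made up for this example.

```python
# Added example. Opcode meanings are assumptions inferred from the write-up's
# hand-derived inversions, not read from the challenge binary.
# PROGRAM: table a without the leading 0x0A and the trailing 0x07 compares,
# written as hex with one space-separated group per flag byte.
PROGRAM = bytes.fromhex(
    "041008030501 042008050301 0302080b01 0c08040401 050308032101 0b080b01"
    "040908032001 025108042401 0c080b01 050208022501 023608044101"
    "022008050101 050308022501 040908032001 0241080c01"
)
# v4 as recorded in the debugger; assumed to be compared as bytes (low 8 bits).
V4 = [0x22,0x3F,0x34,0x32,0x72,0x33,0x18,0xFA7,0x31,0xF1,0x28,0xF84,0xC1,0x1E,0x7A]
TARGET = [v & 0xFF for v in V4]

IMM_OPS = {0x02: lambda x, k: x + k, 0x03: lambda x, k: x - k,
           0x04: lambda x, k: x ^ k, 0x05: lambda x, k: x * k}
UNARY_OPS = {0x0B: lambda x: x - 1, 0x0C: lambda x: x + 1}
EMIT, WRITE_BACK = 0x01, 0x08

def run_vm(program, data):
    """Run the transform forward on input bytes; returns the emitted v4 bytes."""
    data, out = list(data), []
    pc = idx = acc = 0
    while pc < len(program):
        op = program[pc]
        if op == EMIT:                # case 1: store result, next flag byte
            out.append(acc)
            idx += 1
        elif op == WRITE_BACK:        # write the working value back
            data[idx] = acc
        elif op in IMM_OPS:           # one immediate operand follows
            pc += 1
            acc = IMM_OPS[op](data[idx], program[pc]) & 0xFF
        elif op in UNARY_OPS:
            acc = UNARY_OPS[op](data[idx]) & 0xFF
        else:
            raise ValueError(f"unknown opcode {op:#x} at offset {pc}")
        pc += 1
    return out

def recover(program=PROGRAM, target=TARGET):
    """Each flag byte only affects its own v4 byte, so search them one at a time."""
    flag = [0] * len(target)
    for i, want in enumerate(target):
        hits = [c for c in range(0x20, 0x7F)
                if run_vm(program, flag[:i] + [c] + flag[i + 1:])[i] == want]
        if len(hits) != 1:
            raise ValueError(f"byte {i}: {len(hits)} candidates")
        flag[i] = hits[0]
    return "".join(map(chr, flag))
```

recover() returns the 15 characters that go between flag{ and }, and running run_vm on that string reproduces TARGET.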
