base_64

uncompyle6反编译pyc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
# uncompyle6 version 3.9.0
# Python bytecode version base 3.7.0 (3394)
# Decompiled from: Python 3.10.0 (tags/v3.10.0:b494f59, Oct  4 2021, 19:00:18) [MSC v.1929 64 bit (AMD64)]
# Embedded file name: C:\Users\王旭东\Desktop\dasktop\vs\vs_code\moectf2023\re\base_64.py
# Compiled at: 2023-08-07 16:29:30
# Size of source mod 2**32: 685 bytes
import base64
from string import *
str1 = 'yD9oB3Inv3YAB19YynIuJnUaAGB0um0='
string1 = 'ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba0123456789+/'
string2 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
flag = input('welcome to moectf\ninput your flag and I wiil check it:')
enc_flag = base64.b64encode(flag.encode()).decode()
enc_flag = enc_flag.translate(str.maketrans(string2, string1))
if enc_flag == str1:
    print('good job!!!!')
else:
    print('something wrong???')
    exit(0)
# okay decompiling .\base_64.pyc

enc_flag经过str.maketrans方法处理,将string2表中的字母替换成了string1表内的,两个交换一下还原出flag的密文再base64解码一下即可。

moectf{pYc_And_Base64~}

UPX!

peid看到加了upx的壳,upx脱下壳就行。

image-20230822095856028

核心代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
for ( j = 0; ; ++j )
  {
    v8 = j;
    v2 = sub_140073829(v6);
    if ( v8 >= v2 )
      break;
    v6[j] ^= 0x67u;
    if ( byte_140196000[j] != v6[j] )
    {
      sub_140073973("try again~~");
      sub_1400723F7(0i64);
    }
  }
  sub_140073973("you are so clever!");

考点还是异或,没啥说的。

1
2
3
4
5
6
7
8
9
10
11
12

enc = [
    0x0A, 0x08, 0x02, 0x04, 0x13, 0x01, 0x1C, 0x57, 0x0F, 0x38,
    0x1E, 0x57, 0x12, 0x38, 0x2C, 0x09, 0x57, 0x10, 0x38, 0x2F,
    0x57, 0x10, 0x38, 0x13, 0x08, 0x38, 0x35, 0x02, 0x11, 0x54,
    0x15, 0x14, 0x02, 0x38, 0x32, 0x37, 0x3F, 0x46, 0x46, 0x46,
    0x1A
]
flag = ""
for i in range(len(enc)):
    flag += chr(enc[i] ^ 0x67)
print(flag)

moectf{0h_y0u_Kn0w_H0w_to_Rev3rse_UPX!!!}

Xor

核心代码

1
2
3
4
5
6
7
8
9
10
gets(input);
 for ( i = 0; i < 28; ++i )
 {
   if ( enc[i] != (input[i] ^ 0x39) )
   {
     puts("Seems not right");
     exit(0);
   }
 }
 puts("GOOD!");

输入的flag与0x39异或得到密文,再异或个0x39就能还原出flag。

1
2
3
4
5
6
7
8
9
enc = [
    0x54, 0x56, 0x5C, 0x5A, 0x4D, 0x5F, 0x42, 0x60, 0x56, 0x4C,
    0x66, 0x52, 0x57, 0x09, 0x4E, 0x66, 0x51, 0x09, 0x4E, 0x66,
    0x4D, 0x09, 0x66, 0x61, 0x09, 0x6B, 0x18, 0x44
]
flag = ""
for i in range(len(enc)):
    flag += chr(enc[i] ^ 0x39)
print(flag)

moectf{You_kn0w_h0w_t0_X0R!}

ANDROID

核心代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
public class MainActivity extends AppCompatActivity {
    char[] enc;
    char[] key;

    public MainActivity() {
        this.enc = new char[]{'\u0019', '\u0007', '\u0000', '\u000E', '\u001B', '\u0003', '\u0010', '/', '\u0018', '\u0002', '\t', ':', '\u0004', '\u0001', ':', '*', '\u000B', '\u001D', '\u0006', '\u0007', '\f', '\t', '0', 'T', '\u0018', ':', '\u001C', '\u0015', '\u001B', '\u001C', '\u0010'};
        this.key = new char[]{'t', 'h', 'e', 'm', 'o', 'e', 'k', 'e', 'y'};
    }

    @Override  // androidx.fragment.app.FragmentActivity
    protected void onCreate(Bundle arg3) {
        super.onCreate(arg3);
        this.setContentView(0x7F0B001C);  // layout:activity_main
        ((Button)this.findViewById(0x7F080074)).setOnClickListener(new View.OnClickListener() {  // id:check
            @Override  // android.view.View$OnClickListener
            public void onClick(View arg7) {
                String v7 = ((EditText)this.findViewById(0x7F0800E4)).getText().toString();  // id:input
                if(v7.length() != 0x1F) {
                    Toast.makeText(MainActivity.this.getApplicationContext(), "长度不对哦", 0).show();
                    return;
                }

                byte[] v7_1 = v7.getBytes();
                int v0;
                for(v0 = 0; v0 < 0x1F; ++v0) {
                    if((v7_1[v0] ^ MainActivity.this.key[v0 % MainActivity.this.key.length]) != MainActivity.this.enc[v0]) {
                        Toast.makeText(MainActivity.this.getApplicationContext(), "好像有哪里不对", 0).show();
                        return;
                    }
                }

                Toast.makeText(MainActivity.this.getApplicationContext(), "恭喜!回答正确", 0).show();
            }
        });
    }
}

这段代码定义了一个加密字符串(enc)和一个密钥(key),然后在 onCreate() 方法中检查文本框中输入的异或处理过的字符串是否与加密字符串匹配。

核心代码即v7_1[v0] ^ MainActivity.this.key[v0 % MainActivity.this.key.length]) != MainActivity.this.enc[v0]

1
2
3
4
5
6
enc = ['\u0019', '\u0007', '\u0000', '\u000E', '\u001B', '\u0003', '\u0010', '/', '\u0018', '\u0002', '\t', ':', '\u0004', '\u0001', ':', '*', '\u000B', '\u001D', '\u0006', '\u0007', '\f', '\t', '0', 'T', '\u0018', ':', '\u001C', '\u0015', '\u001B', '\u001C', '\u0010']
key = ['t', 'h', 'e', 'm', 'o', 'e', 'k', 'e', 'y']
flag = ""
for v0 in range(0, 31):
    flag += chr(ord(enc[v0]) ^ ord(key[v0 % len(key)]))
print(flag)

moectf{Java_in_Android_1s_easy}

EQUATION