
[Notes] The 12th Geek Challenge (2021)

sidiot
Published 2023-08-31 13:12:14
Article collected in column: 技术大杂烩

Preface

The Geek Challenge is pretty friendly to newcomers, especially someone like me 😀

Solutions

RE

Re0

Just press F12: SYC{Welcome_to_Geek_challenge2021}.

Re1

An exe file, no packer; drop it into IDA.

There is an array of length 60 and two important functions, enc0 and enc1.

Step into enc0: it is obviously base64, and looking at the table, the alphabet has not been replaced:

.rdata:0000000000405000 aAbcdefghijklmn db 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/',0

Then into enc1: it XORs the base64 output once more. PoC script:

import base64

# The 60-byte array pulled from the binary (the output of enc1)
enc = [
    21, 113, 44, 4, 37, 113, 40, 16, 21, 44,
    121, 40, 34, 45, 18, 38, 25, 45, 6, 58,
    26, 20, 25, 112, 24, 114, 6, 57, 26, 22,
    121, 112, 33, 7, 22, 38, 25, 45, 6, 58,
    33, 24, 14, 38, 34, 114, 26, 38, 35, 45,
    22, 114, 26, 24, 10, 58, 26, 24, 112, 125
]
flag = ''
for s in enc:
    s ^= 64            # undo enc1: XOR with 64
    flag += chr(s)

print(base64.b64decode(flag))   # undo enc0: standard base64
# b'SYC{XOR_and_base64_are_the_basis_of_reverse}'

刘壮桌面美化大师

From the main class it is clear this APK challenge is a sign-in challenge: just find the String under resources, SYC{We1c0m3_t0_4ndRo1d_ReV3rse!}.

买Activity

The main class is Decode; source as follows:

package com.sorrowrain.buyactivity;

import kotlin.Metadata;
import kotlin.jvm.internal.Intrinsics;

@Metadata(mo12032d1 = {"\u0000\u0014\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0002\b\u0002\n\u0002\u0010\u000e\n\u0002\b\u0002\bÆ\u0002\u0018\u00002\u00020\u0001B\u0007\b\u0002¢\u0006\u0002\u0010\u0002J\u0006\u0010\u0003\u001a\u00020\u0004J\t\u0010\u0005\u001a\u00020\u0004H† ¨\u0006\u0006"}, mo12033d2 = {"Lcom/sorrowrain/buyactivity/Decode;", "", "()V", "getDecodedFlag", "", "stringFromNative", "app_release"}, mo12034k = 1, mo12035mv = {1, 5, 1}, mo12037xi = 48)
/* compiled from: Decode.kt */
public final class Decode {
    public static final Decode INSTANCE = new Decode();

    public final native String stringFromNative();

    private Decode() {
    }

    public final String getDecodedFlag() {
        String str = stringFromNative().toString();
        int length = str.length();
        String str2 = "";
        int i = 0;
        while (i < length) {
            char charAt = str.charAt(i);
            i++;
            str2 = Intrinsics.stringPlus(str2, Character.valueOf((char) (charAt ^ 16)));
        }
        return str2;
    }
}

The main content is a simple XOR, but the string str is obtained through the native method stringFromNative(). As everyone knows, Java native methods are written in C/C++, so go find the .so file and decompile it, or simply get the value with dynamic debugging:

# The two halves obtained from the native side; the real string
# is their characters interleaved
p1 = "CSD!Os!yiyO#|iU`bu1"
p2 = "Ikxc$dFdOCBq!Oh dtm"
s = ""
for i in range(0, 19):
    s = s + p1[i] + p2[i]

# Undo the XOR with 16 done in Decode.getDecodedFlag
flag = ""
for c in s:
    flag += chr(ord(c) ^ 16)

print(flag)
# SYC{Th1s_4ct1Vity_iS_R3al1y_Exp0rted!}

Debug

Problem statement:

Intro && Hint: extraction code: Geek. The noob challenge author meant to hand you a flag, but wrote the code wrong, so how do you get the flag now... (Hint: install a Linux virtual machine; it only runs under Linux)

Both the title and the statement hint that this challenge is to be debugged, so it is most likely a DEBUG exercise.

First look at the main function: there is just one comparison. By normal logic something more should be written after it, so my first guess is that this is the region that needs debugging.

Look at the graph view, and sure enough:

The current flow takes path ①; we need it to take path ② so that the output happens, i.e. change jnz to jz.

The main function after patching:

Run it once and you get the flag:

easypyc

The familiar setup; how to decompile it needs no explanation: pyinstxtractor.py and uncompyle6 in tandem.

Decompiled source:

whatbox = [0] * 256

def aaaaaaa(a, b):
    k = [0] * 256
    t = 0
    for m in range(256):
        whatbox[m] = m
        k[m] = ord(a[(m % b)])
    else:
        for i in range(256):
            t = (t + whatbox[i] + k[i]) % 256
            temp = whatbox[i]
            whatbox[i] = whatbox[t]
            whatbox[t] = temp

def bbbbbbbbbb(a, b):
    q = 0
    w = 0
    e = 0
    for k in range(b):
        q = (q + 1) % 256
        w = (w + whatbox[q]) % 256
        temp = whatbox[q]
        whatbox[q] = whatbox[w]
        whatbox[w] = temp
        e = (whatbox[q] + whatbox[w]) % 256
        a[k] = a[k] ^ whatbox[e] ^ 102

def ccccccccc(a, b):
    for i in range(b):
        a[i] ^= a[((i + 1) % b)]
    else:
        for j in range(1, b):
            a[j] ^= a[(j - 1)]

if __name__ == '__main__':
    kkkkkkk = 'Geek2021'
    tttttt = [117, 62, 240, 152, 195, 117, 103, 74, 240, 151, 173, 162, 17, 75, 141, 165, 136, 117, 113, 33, 98, 151, 174, 4, 48, 25, 254, 101, 185, 127, 131, 87]
    ssss = input('Please input your flag:')
    inp = [0] * len(ssss)
    if len(ssss) != 32:
        print('Length Error!!!!')
        exit(0)
    for i in range(len(ssss)):
        inp[i] = ord(ssss[i])
    else:
        aaaaaaa(kkkkkkk, len(kkkkkkk))
        bbbbbbbbbb(inp, 32)
        ccccccccc(inp, 32)
        for m in range(32):
            if tttttt[m] != inp[m]:
                raise Exception('sorry your flag is wrong')
            print('success!!!!!!')
            print('your flag is {}'.format(ssss))

This is the RC4 algorithm. I honestly didn't notice at first and only realised after getting the flag: just easy RC4.

There are three functions, but only ccccccccc actually needs to be reversed. First obtain the key-scheduled state whatbox produced by aaaaaaa:

whatbox = [41, 244, 181, 212, 184, 237, 95, 117, 193, 26, 137, 126, 65, 122, 239, 250, 214, 112, 62, 207, 240, 227, 120, 48, 36, 148, 234, 150, 228, 165, 129, 174, 56, 190, 46, 127, 49, 43, 245, 130, 114, 34, 202, 27, 131, 224, 64, 160, 50, 153, 157, 206, 52, 91, 225, 58, 176, 14, 5, 147, 103, 12, 30, 146, 77, 61, 179, 85, 101, 71, 72, 210, 47, 253, 8, 98, 45, 7, 246, 67, 135, 18, 255, 168, 90, 139, 203, 2, 242, 32, 111, 22, 220, 102, 107, 138, 37, 169, 116, 28, 35, 156, 89, 173, 235, 185, 136, 31, 252, 29, 78, 63, 170, 25, 222, 19, 99, 44, 100, 124, 229, 
144, 20, 221, 177, 232, 82, 163, 3, 249, 40, 93, 83, 68, 152, 223, 60, 54, 96, 97, 166, 94, 21, 16, 230, 154, 109, 178, 254, 92, 132, 155, 142, 1, 182, 243, 215, 197, 13, 0, 79, 151, 84, 187, 216, 180, 188, 175, 59, 66, 10, 106, 121, 183, 205, 42, 105, 204, 87, 86, 134, 189, 23, 241, 248, 118, 110, 211, 57, 158, 247, 231, 24, 218, 38, 149, 33, 15, 164, 217, 128, 115, 17, 233, 53, 236, 140, 51, 11, 208, 196, 55, 39, 172, 9, 76, 80, 226, 4, 70, 195, 108, 201, 69, 238, 123, 88, 145, 162, 125, 192, 219, 74, 161, 81, 198, 209, 73, 133, 186, 119, 251, 
143, 200, 194, 171, 141, 104, 213, 113, 6, 159, 199, 167, 75, 191]

Then reverse ccccccccc; PoC script:

def rebbbbbbbbbb(a, b):
    flag = ""
    q = 0
    w = 0
    e = 0
    for k in range(b):
        q = (q + 1) % 256
        w = (w + whatbox[q]) % 256
        temp = whatbox[q]
        whatbox[q] = whatbox[w]
        whatbox[w] = temp
        e = (whatbox[q] + whatbox[w]) % 256
        a[k] = chr(a[k] ^ whatbox[e] ^ 102)
        flag += a[k]
    print(flag)

def reccccccccc(a,b):
    for j in range(b-1,0,-1):
        a[j] ^= a[(j-1)]
    else: 
        for i in range(b-1,-1,-1):
            a[i] ^= a[((i + 1) % b)]

if __name__ == '__main__':

    kkkkkkk = 'Geek2021'
    tttttt = [117, 62, 240, 152, 195, 117, 103, 74, 240, 151, 173, 162, 17, 75, 141, 165, 136, 117, 113, 33, 98, 151, 174, 4, 48, 25, 254, 101, 185, 127, 131, 87]
    whatbox = [41, 244, 181, 212, 184, 237, 95, 117, 193, 26, 137, 126, 65, 122, 239, 250, 214, 112, 62, 207, 240, 227, 120, 48, 36, 148, 234, 150, 228, 165, 129, 174, 56, 190, 46, 127, 49, 43, 245, 130, 114, 34, 202, 27, 131, 224, 64, 160, 50, 153, 157, 206, 52, 91, 225, 58, 176, 14, 5, 147, 103, 12, 30, 146, 77, 61, 179, 85, 101, 71, 72, 210, 47, 253, 8, 98, 45, 7, 246, 67, 135, 18, 255, 168, 90, 139, 203, 2, 242, 32, 111, 22, 220, 102, 107, 138, 37, 169, 116, 28, 35, 156, 89, 173, 235, 185, 136, 31, 252, 29, 78, 63, 170, 25, 222, 19, 99, 44, 100, 124, 229, 
    144, 20, 221, 177, 232, 82, 163, 3, 249, 40, 93, 83, 68, 152, 223, 60, 54, 96, 97, 166, 94, 21, 16, 230, 154, 109, 178, 254, 92, 132, 155, 142, 1, 182, 243, 215, 197, 13, 0, 79, 151, 84, 187, 216, 180, 188, 175, 59, 66, 10, 106, 121, 183, 205, 42, 105, 204, 87, 86, 134, 189, 23, 241, 248, 118, 110, 211, 57, 158, 247, 231, 24, 218, 38, 149, 33, 15, 164, 217, 128, 115, 17, 233, 53, 236, 140, 51, 11, 208, 196, 55, 39, 172, 9, 76, 80, 226, 4, 70, 195, 108, 201, 69, 238, 123, 88, 145, 162, 125, 192, 219, 74, 161, 81, 198, 209, 73, 133, 186, 119, 251, 
    143, 200, 194, 171, 141, 104, 213, 113, 6, 159, 199, 167, 75, 191]

    reccccccccc(tttttt,32)
    rebbbbbbbbbb(tttttt,32)

# SYC{Just_a_Eeeeeeasy_Rc4_right?}
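As an added example (not the write-up's or the challenge's own code), the same cipher rewritten as pure functions with both directions: the state comes from the key schedule instead of a pasted whatbox, decryption recovers the flag from tttttt, and re-encrypting it reproduces tttttt as a check. Function names (ksa, prga_xor, mix, unmix) are mine.

```python
# Added example, not the challenge's or the write-up's code: the easypyc cipher as
# pure functions (aaaaaaa = ksa, bbbbbbbbbb = prga_xor, ccccccccc = mix) plus inverses.
def ksa(key: bytes) -> list:
    """RC4 key scheduling exactly as aaaaaaa() does it; returns the 256-entry state."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return s

def prga_xor(state: list, data: list) -> list:
    """RC4 keystream XOR with the extra constant 102, as in bbbbbbbbbb().
    XOR is its own inverse, so one function both encrypts and decrypts."""
    s = state[:]              # work on a copy so the key state can be reused
    q = w = 0
    out = []
    for byte in data:
        q = (q + 1) % 256
        w = (w + s[q]) % 256
        s[q], s[w] = s[w], s[q]
        out.append(byte ^ s[(s[q] + s[w]) % 256] ^ 102)
    return out

def mix(data: list) -> list:
    """The two chained XOR passes of ccccccccc(): a forward pass with wrap-around,
    then a running XOR from the left."""
    a = data[:]
    n = len(a)
    for i in range(n):
        a[i] ^= a[(i + 1) % n]
    for j in range(1, n):
        a[j] ^= a[j - 1]
    return a

def unmix(data: list) -> list:
    """Inverse of mix(): undo the second pass, then the first, each walked backwards
    so every XOR sees the same neighbour value the forward pass used."""
    a = data[:]
    n = len(a)
    for j in range(n - 1, 0, -1):
        a[j] ^= a[j - 1]
    for i in range(n - 1, -1, -1):
        a[i] ^= a[(i + 1) % n]
    return a

def encrypt(key: bytes, plaintext: bytes) -> list:
    return mix(prga_xor(ksa(key), list(plaintext)))

def decrypt(key: bytes, ciphertext: list) -> bytes:
    return bytes(prga_xor(ksa(key), unmix(ciphertext)))

KEY = b"Geek2021"
# tttttt, the 32 target bytes from the decompiled main
CIPHERTEXT = [117, 62, 240, 152, 195, 117, 103, 74, 240, 151, 173, 162, 17, 75, 141, 165,
              136, 117, 113, 33, 98, 151, 174, 4, 48, 25, 254, 101, 185, 127, 131, 87]

if __name__ == "__main__":
    print(decrypt(KEY, CIPHERTEXT).decode())
```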

珍惜生命

A pyc file with no traps; just decompile it normally with uncompyle6 and you get the source:

def Challenge():
    import sys
    print("Welcome to py's world")
    S = input('plz give me your flag:')
    Key = input('plz give me your key(string):')
    if len(S) != 51 or len(Key) != 8:
        print("the flag's or key's strlen...")
        sys.exit()
    else:
        tmp = S[4:50]
        KEY_cmp = 'Syclover'
        key = []
        key_cmp = ''
        for i in Key:
            key.append(ord(i))

        try:
            key_cmp += chr((key[1] * key[2] - key[5] * 72 - key[4] * 3 - key[3] ^ key[1] + (key[3] << 2) + key[2] * 6 - key[7] & key[6] - 1000) - 14)
            key_cmp += chr((key[5] * 7 + key[3] * 3 + key[2] + key[6] - (key[2] >> 2) - key[1] ^ key[0] + key[7] + (key[4] ^ key[1]) + (key[4] | key[7])) - 801)
            key_cmp += chr((key[6] * 5 + key[2] * 6 - key[3] * 7 + key[4] | key[5] + key[4] * 10 + key[0] ^ key[1] * 3 - key[7] + key[0] + key[1]) - 924)
            key_cmp += chr(key[1] * 3 + key[5] * 9 + key[0] + key[2] * 2 + key[3] * 5 - key[4] * (key[6] ^ key[7]) + 321 - 16)
            key_cmp += chr((key[5] * 12 - key[0] ^ key[6] - key[3] * 23 + key[4] * 3 + key[2] * 8 + key[1] - key[7] * 2 + key[6] * 4 + 1324) + 1)
            key_cmp += chr(key[3] * 54 - key[1] * 3 + key[2] * 3 + key[4] * 11 - key[5] * 2 + key[0] + key[7] * 3 - key[6] - 6298 + 40)
            key_cmp += chr(key[7] - key[6] * key[3] + key[2] * key[2] - key[4] * 32 + key[5] * (key[0] >> 2) - key[1] * key[1] - 6689 + 41)
            key_cmp += chr((key[5] - key[3] * 41 + key[6] * 41 + key[5] ^ (key[4] & key[6] | key[0]) - (key[7] * 24 | key[2]) + key[1] - 589) - 36)
        except ValueError:
            print("You know what I'm going to say...")
            sys.exit()

        if key_cmp != KEY_cmp:
            print("You know what I'm going to say...")
            sys.exit()
        flag = [
         113, 74, 71, 35, 29, 91, 29, 12, 114, 73, 60, 52, 69, 5, 113, 35, 95, 38, 20, 112, 95, 7, 74, 12, 102, 23, 7, 31, 87, 5, 113, 98, 85, 38, 16, 112, 29, 6, 30, 12, 65, 73, 83, 36, 12, 23]
        for i in range(46):
            if ord(tmp[i]) ^ key[((i + 1) % len(key))] != flag[i]:
                print("You know what I'm going to say...")
                sys.exit()

        print('Yeah!Submit your flag in a hurry~')


Challenge()

The key point is obtaining key; brute-force it with z3:

from z3 import *

KEY_cmp = 'Syclover'
key = [BitVec('u%d' % i, 32) for i in range(0, 8)]

s = Solver()

# One constraint per output character, copied verbatim from the decompiled checks
s.add( ((key[1] * key[2] - key[5] * 72 - key[4] * 3 - key[3] ^ key[1] + (key[3] << 2) + key[2] * 6 - key[7] & key[6] - 1000) - 14) == ord(KEY_cmp[0]))
s.add( ((key[5] * 7 + key[3] * 3 + key[2] + key[6] - (key[2] >> 2) - key[1] ^ key[0] + key[7] + (key[4] ^ key[1]) + (key[4] | key[7])) - 801) == ord(KEY_cmp[1]))
s.add( ((key[6] * 5 + key[2] * 6 - key[3] * 7 + key[4] | key[5] + key[4] * 10 + key[0] ^ key[1] * 3 - key[7] + key[0] + key[1]) - 924) == ord(KEY_cmp[2]))
s.add( (key[1] * 3 + key[5] * 9 + key[0] + key[2] * 2 + key[3] * 5 - key[4] * (key[6] ^ key[7]) + 321 - 16) == ord(KEY_cmp[3]))
s.add( ((key[5] * 12 - key[0] ^ key[6] - key[3] * 23 + key[4] * 3 + key[2] * 8 + key[1] - key[7] * 2 + key[6] * 4 + 1324) + 1) == ord(KEY_cmp[4]))
s.add( (key[3] * 54 - key[1] * 3 + key[2] * 3 + key[4] * 11 - key[5] * 2 + key[0] + key[7] * 3 - key[6] - 6298 + 40) == ord(KEY_cmp[5]))
s.add( (key[7] - key[6] * key[3] + key[2] * key[2] - key[4] * 32 + key[5] * (key[0] >> 2) - key[1] * key[1] - 6689 + 41) == ord(KEY_cmp[6]))
s.add( ((key[5] - key[3] * 41 + key[6] * 41 + key[5] ^ (key[4] & key[6] | key[0]) - (key[7] * 24 | key[2]) + key[1] - 589) - 36) == ord(KEY_cmp[7]))

if s.check() == sat:
    result = s.model()
    # print the key bytes in index order rather than the unordered model
    print([result[k].as_long() for k in key])
else:
    print('unsat')

The key comes out as [83, 38, 121, 99, 64, 45, 54, 46]; XOR again:

key = [83, 38, 121, 99, 64, 45, 54, 46]
flag = 'SYC{'
tmp = [
    113, 74, 71, 35, 29, 91, 29, 12, 114, 73, 60, 52, 69, 5, 113, 35, 95, 38, 20, 112, 95, 7, 74, 12, 102, 23, 7, 31, 87, 5, 113, 98, 85, 38, 16, 112, 29, 6, 30, 12, 65, 73, 83, 36, 12, 23]

for i in range(46):
    flag += chr((tmp[i]) ^ key[((i + 1) % len(key))])

flag += '}'
print(flag)

# SYC{W3$c0m3_T0_th3_py_w0r1d_@nd_z3_1s_s0000_g00d!!}

new_language

Maybe I've been away from challenges too long and got rusty: I saw .NET and still threw it into IDA. I'm an idiot.

Throw it into dnSpy and it is a sign-in challenge; throw it into IDA and it is an advanced one. Source:

using System;

namespace new___language
{
	// Token: 0x02000002 RID: 2
	internal class geek
	{
		// Token: 0x06000002 RID: 2 RVA: 0x00002058 File Offset: 0x00000258
		public static int getNumFromSBox(char index)
		{
			int num = (int)(index >> 4);
			int num2 = (int)(index & '\u000f');
			return geek.sbox[num * 16 + num2];
		}

		// Token: 0x06000003 RID: 3 RVA: 0x00002080 File Offset: 0x00000280
		private static void Main(string[] args)
		{
			Console.WriteLine("input:");
			string text = Console.ReadLine();
			int[] array = new int[34];
			int[] array2 = new int[]
			{
				64,
				249,
				133,
				69,
				146,
				253,
				253,
				207,
				182,
				4,
				157,
				207,
				251,
				4,
				60,
				81,
				59,
				77,
				146,
				77,
				207,
				26,
				38,
				207,
				64,
				77,
				177,
				77,
				64,
				195,
				77,
				253,
				253
			};
			bool flag = text.Length != 38;
			if (!flag)
			{
				bool flag2 = text.Substring(0, 4) != "SYC{" || text.Substring(37, 1) != "}";
				if (!flag2)
				{
					text = text.Substring(4, 33);
					for (int i = 0; i < 33; i++)
					{
						array[i] = geek.getNumFromSBox(text[i]);
					}
					for (int j = 0; j < 33; j++)
					{
						bool flag3 = array[j] != array2[j];
						if (flag3)
						{
							return;
						}
					}
					Console.WriteLine("good");
				}
			}
		}

		// Token: 0x04000001 RID: 1
		private static int[] sbox = new int[]
		{
			99,
			124,
			119,
			123,
			242,
			107,
			111,
			197,
			48,
			1,
			103,
			43,
			254,
			215,
			171,
			118,
			202,
			130,
			201,
			125,
			250,
			89,
			71,
			240,
			173,
			212,
			162,
			175,
			156,
			164,
			114,
			192,
			183,
			253,
			147,
			38,
			54,
			63,
			247,
			204,
			52,
			165,
			229,
			241,
			113,
			216,
			49,
			21,
			4,
			199,
			35,
			195,
			24,
			150,
			5,
			154,
			7,
			18,
			128,
			226,
			235,
			39,
			178,
			117,
			9,
			131,
			44,
			26,
			27,
			110,
			90,
			160,
			82,
			59,
			214,
			179,
			41,
			227,
			47,
			132,
			83,
			209,
			0,
			237,
			32,
			252,
			177,
			91,
			106,
			203,
			190,
			57,
			74,
			76,
			88,
			207,
			208,
			239,
			170,
			251,
			67,
			77,
			51,
			133,
			69,
			249,
			2,
			127,
			80,
			60,
			159,
			168,
			81,
			163,
			64,
			143,
			146,
			157,
			56,
			245,
			188,
			182,
			218,
			33,
			16,
			255,
			243,
			210,
			205,
			12,
			19,
			236,
			95,
			151,
			68,
			23,
			196,
			167,
			126,
			61,
			100,
			93,
			25,
			115,
			96,
			129,
			79,
			220,
			34,
			42,
			144,
			136,
			70,
			238,
			184,
			20,
			222,
			94,
			11,
			219,
			224,
			50,
			58,
			10,
			73,
			6,
			36,
			92,
			194,
			211,
			172,
			98,
			145,
			149,
			228,
			121,
			231,
			200,
			55,
			109,
			141,
			213,
			78,
			169,
			108,
			86,
			244,
			234,
			101,
			122,
			174,
			8,
			186,
			120,
			37,
			46,
			28,
			166,
			180,
			198,
			232,
			221,
			116,
			31,
			75,
			189,
			139,
			138,
			112,
			62,
			181,
			102,
			72,
			3,
			246,
			14,
			97,
			53,
			87,
			185,
			134,
			193,
			29,
			158,
			225,
			248,
			152,
			17,
			105,
			217,
			142,
			148,
			155,
			30,
			135,
			233,
			206,
			85,
			40,
			223,
			140,
			161,
			137,
			13,
			191,
			230,
			66,
			104,
			65,
			153,
			45,
			15,
			176,
			84,
			187,
			22
		};
	}
}

The statement already says it is part of some encryption algorithm; the key is these two loops:

for (int i = 0; i < 33; i++)
{
	array[i] = geek.getNumFromSBox(text[i]);
}
for (int j = 0; j < 33; j++)
{
	bool flag3 = array[j] != array2[j];
	if (flag3)
	{
		return;
	}
}

The getNumFromSBox function takes each input character in turn, uses it as an index, and returns the sbox entry at that index. Very simple, straight to the PoC script:

public static void main(String[] args) {
    int[] array2 = new int[]
            {
                    64,
                    249,
                    133,
                    69,
                    146,
                    253,
                    253,
                    207,
                    182,
                    4,
                    157,
                    207,
                    251,
                    4,
                    60,
                    81,
                    59,
                    77,
                    146,
                    77,
                    207,
                    26,
                    38,
                    207,
                    64,
                    77,
                    177,
                    77,
                    64,
                    195,
                    77,
                    253,
                    253
            };

    String flag = "SYC{";
    for (int num : array2) {
        for (int i = 0; i < 128; i++) {
            char str = (char) i;
            if (getNumFromSBox(str) == num){
                flag += str;
            }
        }
    }
    flag += "}";
    System.out.println(flag);
}

/* 
SYC{right!!_y0u_c0mpIete_C#_reVer3e!!}
*/

Remember to add the S-box sbox and the getNumFromSBox function yourself; they are too long to include here.
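An added example, not from the write-up: the 256 values in sbox are exactly the AES forward S-box (99, 124, 119, 123, ... is 0x63, 0x7c, 0x77, 0x7b, ...). Since an S-box is a permutation of 0..255, every byte of array2 has exactly one preimage, so the flag can be read off an inverse table instead of searching 0..127 per character; function names are mine, and check_flag re-runs the binary's own acceptance test.

```python
# Added example (not the write-up's code): the challenge's sbox is the AES forward
# S-box, reproduced here as hex; compare the first row with 99, 124, 119, 123, ...
AES_SBOX = bytes.fromhex(
    "637c777bf26b6fc53001672bfed7ab76"
    "ca82c97dfa5947f0add4a2af9ca472c0"
    "b7fd9326363ff7cc34a5e5f171d83115"
    "04c723c31896059a071280e2eb27b275"
    "09832c1a1b6e5aa0523bd6b329e32f84"
    "53d100ed20fcb15b6acbbe394a4c58cf"
    "d0efaafb434d338545f9027f503c9fa8"
    "51a3408f929d38f5bcb6da2110fff3d2"
    "cd0c13ec5f974417c4a77e3d645d1973"
    "60814fdc222a908846eeb814de5e0bdb"
    "e0323a0a4906245cc2d3ac629195e479"
    "e7c8376d8dd54ea96c56f4ea657aae08"
    "ba78252e1ca6b4c6e8dd741f4bbd8b8a"
    "703eb5664803f60e613557b986c11d9e"
    "e1f8981169d98e949b1e87e9ce5528df"
    "8ca1890dbfe6426841992d0fb054bb16"
)

# Inverse table: the S-box is a bijection on 0..255, so each output has one preimage.
INV_SBOX = [0] * 256
for idx, val in enumerate(AES_SBOX):
    INV_SBOX[val] = idx

# array2 from the binary: expected S-box image of the 33 characters inside SYC{...}
TARGET = [64, 249, 133, 69, 146, 253, 253, 207, 182, 4, 157, 207, 251, 4, 60, 81,
          59, 77, 146, 77, 207, 26, 38, 207, 64, 77, 177, 77, 64, 195, 77, 253, 253]

def get_num_from_sbox(ch: str) -> int:
    """Mirror of geek.getNumFromSBox: high nibble selects the row, low nibble the column."""
    code = ord(ch)
    return AES_SBOX[(code >> 4) * 16 + (code & 0x0F)]

def recover_flag(target: list) -> str:
    """Direct inverse lookup instead of the 128-way search per character in the Java PoC."""
    return "SYC{" + "".join(chr(INV_SBOX[v]) for v in target) + "}"

def check_flag(candidate: str) -> bool:
    """The binary's own acceptance test: length 38, SYC{ ... }, S-box image == array2."""
    if len(candidate) != 38 or candidate[:4] != "SYC{" or candidate[37] != "}":
        return False
    return [get_num_from_sbox(c) for c in candidate[4:37]] == TARGET

if __name__ == "__main__":
    flag = recover_flag(TARGET)
    print(flag, check_flag(flag))
```

Note that get_num_from_sbox, like the C# original, indexes past the 256-entry table for any character above 0xFF, so the length and prefix checks alone do not make the comparison robust against arbitrary input.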

win32

An odd-looking exe. Checking for a packer, the EP section is UPX1.

Try unpacking with UPX, then drop it into IDA.

Look at the main function of interest:

LRESULT __fastcall sub_140011B80(HWND a1, UINT a2, WPARAM a3, LPARAM a4)
{
  char *v4; // rdi
  __int64 i; // rcx
  unsigned int v6; // eax
  LRESULT v7; // rax
  LRESULT v8; // rdi
  char v10[32]; // [rsp+0h] [rbp-60h] BYREF
  char v11; // [rsp+60h] [rbp+0h] BYREF
  CHAR String[136]; // [rsp+70h] [rbp+10h] BYREF
  char v13[48]; // [rsp+F8h] [rbp+98h] BYREF
  char *Str1; // [rsp+128h] [rbp+C8h] BYREF
  struct tagPAINTSTRUCT Paint; // [rsp+150h] [rbp+F0h] BYREF
  HDC v16; // [rsp+1B8h] [rbp+158h]
  UINT v17; // [rsp+284h] [rbp+224h]

  v4 = &v11;
  for ( i = 92i64; i; --i )
  {
    *(_DWORD *)v4 = -858993460;
    v4 += 4;
  }
  sub_1400113DE(&unk_1400240BE);
  strcpy(v13, "0123456789+/");
  Str1 = 0i64;
  v17 = a2;
  if ( a2 == 1 )
  {
    hWnd = CreateWindowExW(0, L"EDIT", 0i64, 0x50810000u, 0, 0, 390, 30, a1, (HMENU)0x12C, hInstance, 0i64);
    qword_14001E2B8 = (__int64)CreateWindowExW(
                                 0,
                                 L"BUTTON",
                                 &word_14001AEB8,
                                 0x50000000u,
                                 0,
                                 31,
                                 390,
                                 33,
                                 a1,
                                 (HMENU)0xC8,
                                 hInstance,
                                 0i64);
LABEL_17:
    v7 = 0i64;
    goto LABEL_18;
  }
  switch ( v17 )
  {
    case 2u:
      PostQuitMessage(0);
      goto LABEL_17;
    case 0xFu:
      v16 = BeginPaint(a1, &Paint);
      EndPaint(a1, &Paint);
      goto LABEL_17;
    case 0x111u:
      v17 = (unsigned __int16)a3;
      if ( (unsigned __int16)a3 == 200 )
      {
        GetWindowTextA(hWnd, String, 100);
        v6 = j_strlen(String);
        sub_1400110F5(String, v6, &Str1, v13);
        if ( !j_strcmp(Str1, Str2) )
          MessageBoxW(0i64, &Text, &Caption, 0);
        else
          MessageBoxW(0i64, &word_14001AF20, &word_14001AF18, 0);
      }
      goto LABEL_17;
  }
  v7 = DefWindowProcW(a1, a2, a3, a4);
LABEL_18:
  v8 = v7;
  sub_140011366(v10, &unk_14001ADD0);
  return v8;
}

The main logic is that the submitted text is base64-encoded and compared, so base64-decoding the comparison string gives the flag:

import base64

# The comparison string (Str2) taken from the binary
enc = 'U1lDe3kwdV9nM3RfQV9mMWFnX2J5X2N5YmVybG9hZmluZ19hdXRoMHJ9'
print(base64.b64decode(enc))
# SYC{y0u_g3t_A_f1ag_by_cyberloafing_auth0r}

WEB

Dark

Just open it in the Tor browser; other browsers presumably cannot load it, as the name implies. SYC{hav3_fUn_1n_darK}.

Welcome2021

The challenge hints at viewing the source.

It states clearly to send the request using the WELCOME method.

Then request f1111aaaggg9.php.

babysql

An SQL injection challenge.

Straight to sqlmap; those who know, know.

蜜雪冰城甜蜜蜜

From the hint we know that clicking drink number nine gives the flag directly, but there are only 8 here. They do have ids though: from the JS, the id of the clicked image is fetched on submit, so just edit the front-end page to set id=9 and click again.

Afterword

I didn't do the challenges released later; these days I do RE just for fun 🤪

This article is shared from the author's personal site/blog via the Tencent Cloud self-media sync program.
Originally published: 2022-09-12.
