关于xxxx比赛xxx学弟xxxx时间给了xxxx两道re题,👴开了下题不难,就是写脚本老是报错,g
这两天学弟给了两道Rev题,重温下当年的re味道,re都不难,随便水一个博客文章(毕竟博客刚创建没多久,没文章可发),直接给题代码和exp
Reverse wp ezxz3 xxx附件名 题目源码:
# Challenge checker: reads a 42-character flag, packs it into six integers
# and accepts it only if all six linear equations below hold.
print("Please input flag:")
flag = input()
if len(flag) != 42:
    print("Check your length!")
    exit()

# Each 7-character slice becomes one integer: the hex form of every character
# code is concatenated (first character in the most significant position) and
# the resulting hex string is parsed as a single number.
l = [
    int("".join(hex(ord(ch))[2:] for ch in flag[start:start + 7]), 16)
    for start in range(0, 42, 7)
]

# One row per equation: (coefficients for l[0]..l[5], required sum).
CHECKS = (
    ((593, 997, 811, 258, 829, 532), 0x5b8e0aef71d34ff43),
    ((605, 686, 328, 602, 695, 576), 0x551a262360964ef7f),
    ((373, 512, 449, 756, 448, 580), 0x49d158a5657d6931c),
    ((560, 635, 422, 971, 855, 597), 0x625568d5abbabf4f3),
    ((717, 507, 388, 925, 324, 524), 0x50ee0c025e70e3c23),
    ((312, 368, 884, 518, 495, 414), 0x40e735f8aa2815f65),
)

# all() stops at the first failing equation, like the original `and` chain.
passed = all(
    sum(coeff * value for coeff, value in zip(coeffs, l)) == target
    for coeffs, target in CHECKS
)

if passed:
    print("Good job!")
else:
    print("Wrong\nTry again!!!")
    exit()
分析源码,直接用z3 设置约束条件跑就行了。注意最后取数据的时候:每个 l[i] 是 7 个字符的十六进制拼接(高位在前),要逐个还原成字符后按 l[0] 到 l[5] 的顺序拼接,顺序反了得到的 flag 就是乱的。exp.py:
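"""Solve the six linear checks of the ezxz3 challenge and rebuild the flag.

The checker packs the 42-character flag into six integers (7 characters each)
and tests six linear equations over them, so six unknowns are enough.
"""

# One row per equation: (coefficients for l[0]..l[5], required sum).
EQUATIONS = (
    ((593, 997, 811, 258, 829, 532), 0x5b8e0aef71d34ff43),
    ((605, 686, 328, 602, 695, 576), 0x551a262360964ef7f),
    ((373, 512, 449, 756, 448, 580), 0x49d158a5657d6931c),
    ((560, 635, 422, 971, 855, 597), 0x625568d5abbabf4f3),
    ((717, 507, 388, 925, 324, 524), 0x50ee0c025e70e3c23),
    ((312, 368, 884, 518, 495, 414), 0x40e735f8aa2815f65),
)


def decode_chunks(values):
    """Turn the packed integers back into text, keeping chunk order.

    Each integer is read as big-endian bytes (most significant byte is the
    first character) and the chunks are joined in the order given, i.e.
    l[0] first. Prepending every byte to one shared string, as an earlier
    version of this script did, reverses the order of the chunks.

    Assumes every character of the flag had a code of at least 0x10, so that
    the checker's hex concatenation used exactly two digits per character.

    Args:
        values: iterable of non-negative integers, one per 7-character chunk.

    Returns:
        The decoded string.

    Raises:
        ValueError: if a value is negative and therefore cannot be a chunk.
    """
    parts = []
    for val in values:
        if val < 0:
            raise ValueError(f"chunk value must be non-negative, got {val}")
        raw = val.to_bytes((val.bit_length() + 7) // 8, "big")
        # latin-1 maps each byte to the same code point, matching chr(byte).
        parts.append(raw.decode("latin-1"))
    return "".join(parts)


def solve_chunks():
    """Solve EQUATIONS with z3.

    Returns:
        The six integer values in order l[0]..l[5], or None if z3 reports
        that the system has no solution.
    """
    # Imported here so decode_chunks stays usable without z3 installed.
    from z3 import Context, Int, Solver, Sum, sat

    ctx = Context()
    # Only six unknowns occur in the equations; declaring more would leave
    # unconstrained variables that have no entry in the model.
    l = [Int(f"l{i}", ctx=ctx) for i in range(len(EQUATIONS))]

    solver = Solver(ctx=ctx)
    for coeffs, target in EQUATIONS:
        solver.add(Sum([c * v for c, v in zip(coeffs, l)]) == target)

    if solver.check() != sat:
        return None
    model = solver.model()
    # Read the values from the model instead of pasting them back by hand.
    return [model[v].as_long() for v in l]


if __name__ == "__main__":
    chunks = solve_chunks()
    if chunks is None:
        print("无解")
    else:
        for i, val in enumerate(chunks):
            print(f"l{i} = {val}")
        print(decode_chunks(chunks))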
ezzzapk xxxx附件名 此题用jeb 去看伪代码,伪代码如下:
/**
 * Activity start-up as shown by the decompiler: binds the layout and the
 * widgets by numeric resource ID and installs the click handler that checks
 * the entered flag.
 *
 * NOTE(review): the whole check runs on the client. The expected value is a
 * string constant in this method and encrypt.encode takes no key, so anyone
 * holding the APK can recover the accepted input offline.
 */
@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    // Resource IDs appear as raw integers because the decompiler did not
    // resolve them to R.* names.
    this.setContentView(0x7F0B001C);
    this.flag = (TextView)this.findViewById(0x7F0800C0);
    this.input_1 = (EditText)this.findViewById(0x7F0800DF);
    Button v1 = (Button)this.findViewById(0x7F080062);
    this.button = v1;
    v1.setOnClickListener(new View.OnClickListener() {
        @Override
        public void onClick(View view) {
            // Encode the UTF-8 bytes of the text field and compare the result
            // with the hard-coded expected string.
            String str3 = encrypt.encode(MainActivity.this.input_1.getText().toString().getBytes(StandardCharsets.UTF_8));
            if ("5TAYhycAPT1aAd535TGdWYQ8CvfoRjErGEreqhDpqv1LydTqd3mxuK2hhUp9Pws3u9mq6eX".equals(str3)) {
                // Third argument is the Toast duration (1 = Toast.LENGTH_LONG).
                Toast.makeText(MainActivity.this.getApplication(), "flag正确", 1).show();
                return;
            }

            // Mismatch: show the failure message (0 = Toast.LENGTH_SHORT).
            Toast.makeText(MainActivity.this.getApplication(), "flag错误,再去撅一会", 0).show();
        }
    });
}
} // closes MainActivity; the class header is not part of this excerpt
encrypt.encode:
package cn.shenghuo2.ctf.ez_apk;

import java.util.Arrays;

/**
 * Decompiler view of the encoder used by the flag check: a Base58-style
 * byte-to-text encoding driven by a 58-character table.
 *
 * Despite the class name there is no key and no secret state here, so the
 * transform is a reversible encoding rather than encryption.
 *
 * NOTE(review): this is decompiler pseudocode, reproduced as shown; the
 * qualified writes to the final fields and the `return` inside the static
 * initializer are decompiler artifacts.
 */
public class encrypt {
    // 58-character digit table; the position of a character is its digit value.
    private static final char[] ALPHABET;
    // Character standing for digit 0 (first entry of ALPHABET).
    private static final char ENCODED_ZERO;
    // Reverse lookup (character code -> digit value, -1 if absent).
    // Not read by any method in this listing.
    private static final int[] INDEXES;

    static {
        char[] v0 = "9LfnoVpi1HrzBSKxhNFeyY745R2g3QmqsTCZJuDvcMdkE8wPGbUXajtAW6".toCharArray();
        encrypt.ALPHABET = v0;
        encrypt.ENCODED_ZERO = v0[0];
        int[] v0_1 = new int[0x80];
        encrypt.INDEXES = v0_1;
        Arrays.fill(v0_1, -1);
        int i;
        // Fill the reverse table; the loop ends once every table entry is mapped.
        for (i = 0; true; ++i) {
            char[] v1 = encrypt.ALPHABET;
            if (i >= v1.length) {
                return;
            }

            encrypt.INDEXES[v1[i]] = i;
        }
    }

    /**
     * In-place long division of the number stored in arg5 (digits in base
     * arg7, most significant first, starting at index arg6) by arg8.
     * The quotient overwrites arg5; the remainder is returned.
     */
    private static byte divmod(byte[] arg5, int arg6, int arg7, int arg8) {
        int remainder = 0;
        int i;
        for (i = arg6; i < arg5.length; ++i) {
            // & 0xFF reads the byte as an unsigned value.
            int temp = remainder * arg7 + (arg5[i] & 0xFF);
            arg5[i] = (byte)(temp / arg8);
            remainder = temp % arg8;
        }

        return (byte)remainder;
    }

    /**
     * Encodes arg7 with the table above.
     *
     * @param arg7 bytes to encode; the array itself is not modified
     * @return the encoded text, or "" for empty input
     */
    public static String encode(byte[] arg7) {
        if (arg7.length == 0) {
            return "";
        }

        // Count leading zero bytes; they are re-added as ENCODED_ZERO at the end.
        int zeros;
        for (zeros = 0; zeros < arg7.length && arg7[zeros] == 0; ++zeros) {
        }

        // Work on a copy because divmod overwrites its input.
        byte[] v7 = Arrays.copyOf(arg7, arg7.length);
        // Output buffer of twice the input length, filled from the end backwards.
        char[] encoded = new char[v7.length * 2];
        int outputStart = encoded.length;
        int inputStart = zeros;
        while (inputStart < v7.length) {
            --outputStart;
            // Divide the base-256 number by 58; the remainder is the next
            // (least significant remaining) output digit.
            encoded[outputStart] = encrypt.ALPHABET[encrypt.divmod(v7, inputStart, 0x100, 58)];
            if (v7[inputStart] != 0) {
                continue;
            }

            // The leading byte of the quotient became zero: skip it.
            ++inputStart;
        }

        // Drop zero digits left at the front of the output by the division.
        while (outputStart < encoded.length && encoded[outputStart] == encrypt.ENCODED_ZERO) {
            ++outputStart;
        }

        // Emit one ENCODED_ZERO for every leading zero byte of the input.
        while (true) {
            --zeros;
            if (zeros < 0) {
                break;
            }

            --outputStart;
            encoded[outputStart] = encrypt.ENCODED_ZERO;
        }

        return new String(encoded, outputStart, encoded.length - outputStart);
    }
}
分析一下伪代码,发现就是一个base58,只不过换表了,跟base64换表一个道理,直接写脚本换下即可。换表只是编码不是加密:字母表和用来比对的密文都硬编码在APK里,所以这种纯客户端校验可以离线还原。
exp.py:
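# Custom digit table recovered from the decompiled `encrypt` class.
BASE58_ALPHABET = "9LfnoVpi1HrzBSKxhNFeyY745R2g3QmqsTCZJuDvcMdkE8wPGbUXajtAW6"

# Character -> digit value, built once instead of calling str.index per character.
_BASE58_INDEX = {ch: i for i, ch in enumerate(BASE58_ALPHABET)}
# Digit 0; the encoder emits one of these for every leading zero byte.
_ZERO_CHAR = BASE58_ALPHABET[0]


def base58_decode(cipher_input):
    """Decode text produced with BASE58_ALPHABET back to a UTF-8 string.

    This is a plain encoding with a fixed table, not encryption: anyone who
    knows the table can reverse it.

    Leading zero-digit characters are turned back into leading zero bytes,
    mirroring what the encoder does with leading zero bytes.

    Args:
        cipher_input: the encoded text.

    Returns:
        The decoded string. On invalid input the function does not raise; it
        returns a message describing the problem instead (the behaviour
        existing callers of this script rely on).
    """
    try:
        for item in cipher_input:
            if item not in _BASE58_INDEX:
                return '不是有效的Base58编码,请仔细检查字符:' + item

        leading_zeros = 0
        for char in cipher_input:
            if char != _ZERO_CHAR:
                break
            leading_zeros += 1

        decoded_value = 0
        for char in cipher_input:
            decoded_value = decoded_value * 58 + _BASE58_INDEX[char]

        body = decoded_value.to_bytes((decoded_value.bit_length() + 7) // 8, "big")
        raw = b"\x00" * leading_zeros + body
        return raw.decode('utf-8')
    except (TypeError, ValueError) as e:
        # TypeError: input is not iterable text; ValueError covers the
        # UnicodeDecodeError raised when the bytes are not valid UTF-8.
        return str(e)


def base58_encode(string_input):
    """Encode a string (as UTF-8 bytes) with BASE58_ALPHABET.

    Each leading zero byte is written as one zero-digit character, matching
    the decompiled encoder.

    Args:
        string_input: the text to encode.

    Returns:
        The encoded text, or an error message if the input cannot be
        converted to UTF-8 bytes.
    """
    try:
        string_bytes = string_input.encode('utf-8')
    except (AttributeError, UnicodeEncodeError) as e:
        return str(e)

    significant = string_bytes.lstrip(b"\x00")
    leading_zeros = len(string_bytes) - len(significant)

    string_decimal = int.from_bytes(significant, "big")
    digits = []
    while string_decimal > 0:
        string_decimal, remainder = divmod(string_decimal, 58)
        digits.append(BASE58_ALPHABET[remainder])

    # Digits were produced least significant first.
    return _ZERO_CHAR * leading_zeros + "".join(reversed(digits))


if __name__ == "__main__":
    # Expected value hard-coded in the app's click handler.
    encoded_str = "5TAYhycAPT1aAd535TGdWYQ8CvfoRjErGEreqhDpqv1LydTqd3mxuK2hhUp9Pws3u9mq6eX"
    decoded_str = base58_decode(encoded_str)
    print("Decoded String:", decoded_str)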
总结:啥也没有,就是很开摆…………..,以后就不常写文章了,毕竟要准备考试www