ctf解题积累


不常见加密

JavaScript混淆编码:(JSFuck,只用 []()!+ 六种字符重写代码,没有密钥,严格说不算加密)

形式:

[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()

最近又见了一种形式:-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~[]

解码方式:浏览器控制台输入即可(这样会真正执行其中的代码,来源不明的样本最好在 about:blank 空白页或隔离环境里执行),或者也有专门的解码网站

IDA手册

IDA里改花指令或者动调改一些汇编代码值:edit->patch program->assemble

IDA快捷键:h:16进制转10进制

IDA附加动调

题目:[INSHack2017]secure-garden-shed-v1

这个题目给了两个附件,一个elf文件,一个存放数据的文件,elf文件不能单独运行,在linux里需要:

./sgs-exec-release lock.sgsc

单独一个文件可以使用远程linux动调的方式,那两个的话需要先运行程序,再附加到ida里,方法如下:

先在Linux里运行该程序,并且运行linux_server(64),再空白打开ida,debugger下与linux建立连接,成功后它会自动跳出linux下的各个进程,选择目标程序的进程附加上去即可动调了

z3

在bin/python目录下按住Shift点右键,打开PowerShell进入

变量有三种类型:整型、实型、位向量

其中位向量类型(BitVec)才可以进行异或之类的位运算,并且定义时需要指明位宽(单位是bit,不是字节,例如8表示一个字节)

eg:

from z3 import*
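# Symbolic input bytes v0..v44. Each one is an 8-bit vector, so XOR, NOT and
# wrapping arithmetic behave like operations on a C `unsigned char`.
# NOTE(review): the original listing declared v1..v44 only, yet one constraint
# reads v0, so the script stopped with NameError before the solver ran. v0 is
# declared here so the script executes; confirm against the decompiled check
# that index 0 really is an input byte.
v = [BitVec(f'v{i}', 8) for i in range(45)]

# One row per equation: (a, b, c, expected) stands for
#     ((v[a] ^ v[b] * 7 ^ ~v[c] + 13) & 255) == expected
# Python groups this as v[a] ^ (v[b] * 7) ^ ((~v[c]) + 13).
CONSTRAINTS = [
    (34, 23, 36, 182),
    (37, 10, 21, 223),
    (24, 23, 19, 205),
    (25, 13, 23, 144),
    (6, 27, 25, 138),
    (4, 32, 22, 227),
    (25, 19, 1, 107),
    (22, 7, 29, 85),
    (15, 10, 20, 188),
    (29, 16, 12, 88),
    (35, 4, 33, 84),
    (36, 2, 4, 103),
    (26, 3, 1, 216),
    (12, 6, 18, 165),
    (12, 28, 36, 151),
    (20, 0, 21, 101),
    (27, 36, 14, 248),
    (35, 2, 19, 44),
    (13, 11, 33, 242),
    (33, 11, 3, 235),
    (31, 37, 29, 248),
    (1, 33, 31, 33),
    (34, 22, 35, 84),
    (36, 16, 4, 75),
    (8, 3, 10, 214),
    (20, 5, 12, 193),
    (28, 34, 16, 210),
    (3, 35, 9, 205),
    (27, 22, 2, 46),
    (27, 18, 9, 54),
    (3, 29, 22, 32),
    (24, 4, 13, 99),
    (22, 16, 13, 108),
    (12, 8, 30, 117),
    (25, 27, 35, 146),
    (16, 10, 14, 250),
    (21, 25, 12, 195),
    (26, 10, 30, 203),
    (20, 2, 1, 47),
    (34, 12, 27, 121),
    (19, 34, 20, 246),
    (25, 22, 14, 61),
    (19, 28, 37, 189),
    (24, 9, 17, 185),
]

s = Solver()
for a, b, c, expected in CONSTRAINTS:
    s.add(((v[a] ^ v[b] * 7 ^ ~v[c] + 13) & 255) == expected)

result = s.check()
print(result)
if result == sat:
    print(s.model())
else:
    # model() raises unless the last check() returned sat, so report the
    # status instead of ending in a traceback.
    print('no model available, solver returned:', result)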

angr的使用

安环境时间跨度两个星期……

真的好用呀,直接无脑爆破

使用方法:先进入angr目录:cd angr

再进入虚拟环境:source venv/bin/activate

编脚本就ok


例题:[网鼎杯 2020 青龙组]signal

exp:(这估计是最简单的用法了)

import angr

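# Load the target binary; the path is resolved against the working directory.
p = angr.Project('signal.exe')
state = p.factory.entry_state()
simgr = p.factory.simgr(state)

# find  = address reached on the success path
# avoid = address of the failure path, pruned from the search
# The original line carried a trailing `//...` note. Python parses `//` as
# floor division, so the note became an undefined name and raised NameError
# as soon as explore() returned.
simgr.explore(find=0x0040179e, avoid=0x004016E6)

# found is empty when no path reached the find address; indexing it blindly
# would end in IndexError with no hint about the cause.
if not simgr.found:
    raise SystemExit('explore() ended without reaching the find address')

# Bytes fed to stdin (fd 0) along the path that reached `find`; only the
# first 15 bytes are kept.
flag = simgr.found[0].posix.dumps(0)[:15]
print(flag)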

五秒内爆破出来,真的强

python打包的exe文件

用pyinstxtractor-master解包,至于怎么发现是python打包的,可以看ida打开是否有 __main__ 这种python特有的关键字。

使用命令行打开,输入:

python pyinstxtractor.py {exe路径}
示例: python pyinstxtractor.py CreatFoder.exe

base64隐写

脚本(例子):

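def base64_stego(lines):
    """Recover data hidden in the padding bits of Base64-encoded lines.

    A Base64 line ending in one '=' leaves the low 2 bits of its last data
    character unused, and a line ending in '==' leaves the low 4 bits unused.
    Decoders ignore those bits, so they can carry a payload. A canonical
    encoder always writes them as zero, which is why non-zero spare bits in a
    set of lines are a sign that something is hidden there.

    Args:
        lines: iterable of Base64 strings. Surrounding whitespace (for
            example the newline kept when reading from a file) is ignored.

    Returns:
        The hidden bits, collected most-significant first and emitted as one
        character per 8 bits. Trailing bits that do not fill a byte are
        dropped.
    """
    alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    flag = ''
    temp = 0   # bit accumulator
    digit = 0  # number of bits currently held in temp
    for raw in lines:
        # A trailing newline would make the last character '\n' instead of
        # '=', and every line would be skipped without any error.
        i = raw.strip()
        # Unpadded lines carry no spare bits; lines too short to index are
        # skipped rather than raising IndexError.
        if len(i) < 2 or i[-1] != '=':
            continue
        if i[-2] != '=':
            # One '=': 2 spare bits in the last data character.
            digit += 2
            temp = (temp << 2) + (alphabet.find(i[-2]) & 0x3)
        elif len(i) >= 3:
            # Two '=': 4 spare bits in the last data character.
            digit += 4
            temp = (temp << 4) + (alphabet.find(i[-3]) & 0xf)
        else:
            continue
        if digit == 8:
            digit = 0
            flag += chr(temp)
            temp = 0
        elif digit > 8:
            # 10 bits collected (6 + 4): emit the top 8, keep the low 2.
            digit = 2
            flag += chr(temp >> 2)
            temp = temp & 0x3
    return flag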
# Sample input: Base64 lines whose padding bits carry the hidden message.
a = [
    "55y85YmN6YeN5aSN55qE6aOO5pmvLG==",
    "5riQ5riQ5qih57OK5LqG57qm5a6aLO==",
    "5pif56m65LiL5rWB5rWq55qE5L2gLH==",
    "5LuN54S256eY5a+G55qE6Led56a7LA==",
    "5rip5bqm5raI5aSx55qE556s6Ze0LH==",
    "5peg5rOV6Kem5pG455qE5piO5aSpLF==",
    "5rKh5pyJ5byV5Yqb55qE5LiW55WMLG==",
    "5rKh5pyJ6ISa5Y2w55qE5YWJ5bm0LD==",
    "6L+Y5Zyo562J552A5L2g5Ye6546wLH==",
    "5pel5pel5aSc5aSc6Ieq6L2s55qE6KGM5pifLE==",
    "5Yiw5aSE6YGu5ruh5Yir5Lq655qE6IOM5b2xLG==",
    "6K6p6aOO5ZC55pWj5re35Lmx55qE5ZG85ZC4LG==",
    "5b+r5b+r5riF6YaSfn==",
    "6Z2Z6Z2Z54Wn5Lqu5Y6f5p2l55qE6Ieq5bexLL==",
    "5aSp56m65rSS5ruh5b+954S255qE5YWJ5piOLE==",
    "55y85Lit5Y+q6KaB57ua54OC55qE5aSp6ZmFLG==",
    "5YaN6aOe6KGMIW==",
    "5oiR5YuH5pWi5Zyw5oqs6LW35aS0LM==",
    "55yL552A6Iyr6Iyr55qE5a6H5a6ZLH==",
    "5aSa5bCR5pyq55+l55qE5pif55CDLJ==",
    "5pyJ5rKh5pyJ6YCa5ZCR5pyq5p2l6Lev5Y+jLD==",
    "5Lqy54ix55qE5LyZ5Ly0LB==",
    "6K6p5oiR5Lus5LiA6LW354K554eDLG==",
    "5YuH5rCU5ZKM5L+h5b+1LO==",
    "5Zyo6YGl6L+c55qE5aSp6L65LG==",
    "6ZO25rKz6L6557yYLH==",
    "5pyJ5LiA54mH56We5aWH55qE5b2p6Jm55rW3LC==",
    "5ZKM5oiR5LiA6LW35YaS6ZmpLB==",
    "6aOe5ZCR5Y+m5LiA5Liq5LiW55WMLC==",
    "5Zyo6YGl6L+c55qE5aSp6L65LB==",
    "6ZO25rKz6L6557yYLC==",
    "5pyJ5LiA54mH56We5aWH55qE5b2p6Jm55rW3LB==",
    "5ZKM5oiR5LiA6LW35YaS6ZmpLH==",
    "6aOe5ZCR5Y+m5LiA5Liq5LiW55WMLN==",
    "c3VwZXIgbWFnaWMgd29ybGR+fg==",
]

recovered = base64_stego(a)
print(recovered)
# Expected output: npuctf{Fly1ng!!!}

RC4

这是一个对称加密

#include<stdio.h>
/* Working state for one RC4 run. */
typedef struct _RC4INFO
{
/* Permutation of 0..255, shuffled by rc4_init and again while encrypting. */
unsigned char s_box[256];
/* Key bytes repeated cyclically to fill 256 entries (see rc4_init). */
unsigned char t_box[256];
}RC4_INFO, * PRC4_INFO;

/*
 * RC4 key scheduling: build the initial S-box permutation from the key.
 *
 * prc4   - state to fill; a NULL pointer makes the call a no-op.
 * key    - key bytes, read as key[i % keylen].
 * keylen - number of key bytes. It is used as a modulus, so it must not be 0.
 */
void rc4_init(PRC4_INFO prc4, unsigned char key[], unsigned int keylen)
{
    int idx;
    int mix = 0;
    unsigned char held;

    if (prc4 == NULL)
    {
        return;
    }

    /* S starts as the identity permutation; T is the key repeated to 256 bytes. */
    for (idx = 0; idx < 256; idx++)
    {
        prc4->s_box[idx] = idx;
        prc4->t_box[idx] = key[idx % keylen];
    }

    /* Shuffle S: every position is swapped with one chosen by the running sum. */
    for (idx = 0; idx < 256; idx++)
    {
        mix = (mix + prc4->s_box[idx] + prc4->t_box[idx]) & 0xFF;
        held = prc4->s_box[mix];
        prc4->s_box[mix] = prc4->s_box[idx];
        prc4->s_box[idx] = held;
    }
}



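/*
 * Encrypt or decrypt data in place with RC4. The keystream is XORed onto the
 * buffer, so running the same call twice with the same key restores the input.
 *
 * data    - buffer to transform in place.
 * datalen - number of bytes in data.
 * key     - key bytes.
 * keylen  - number of key bytes.
 *
 * The call is a no-op when data or key is NULL or keylen is 0. Without that
 * guard a zero keylen reaches `i % keylen` in rc4_init and divides by zero.
 *
 * RC4 has known keystream biases; this routine is meant for decoding data
 * from existing samples, not for protecting new data.
 */
void rc4_crypt(unsigned char data[], unsigned int datalen, unsigned char key[], unsigned int keylen)
{
    unsigned int dn;   /* unsigned so the comparison with datalen is exact */
    int i = 0;
    int j = 0;
    int t = 0;
    unsigned char tmp;
    RC4_INFO rc4;

    if (data == NULL || key == NULL || keylen == 0)
    {
        return;
    }

    rc4_init(&rc4, key, keylen);

    for (dn = 0; dn < datalen; dn++)
    {
        /* Advance the generator state. */
        i = (i + 1) % 256;
        j = (j + rc4.s_box[i]) % 256;

        /* Swap S[i] and S[j]. */
        tmp = rc4.s_box[i];
        rc4.s_box[i] = rc4.s_box[j];
        rc4.s_box[j] = tmp;

        /* Keystream byte is S[(S[i] + S[j]) mod 256]. */
        t = (rc4.s_box[i] + rc4.s_box[j]) % 256;
        data[dn] ^= rc4.s_box[t];
    }
}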

/*
 * Run rc4_crypt over data in place using the fixed 8-byte key below.
 *
 * data    - buffer to transform.
 * datalen - number of bytes in data.
 */
void EntryBuffer(unsigned char data[], unsigned int datalen)
{
    /* Hard-coded key for this sample. */
    unsigned char key[] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF };
    unsigned int keylen = sizeof(key);   /* one byte per element, so this is the element count */

    rc4_crypt(data, datalen, key, keylen);
}

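/*
 * Run the embedded byte array through RC4 with the fixed key and print the
 * result.
 */
int main()
{
    /*
     * Ciphertext (or plaintext: the same call does both directions).
     * Declared unsigned char because most values exceed 0x7F and do not fit a
     * signed char.
     */
    unsigned char Hell[] = { 0x12, 0xF8, 0xA3, 0x80, 0x6B, 0x2E, 0x69, 0x0A, 0x74, 0x24,
        0xB7, 0x32, 0x53, 0xFC, 0x7A, 0x9D, 0xE8, 0x7B, 0x9B, 0x2E,
        0xEF, 0xF3, 0x0B, 0x45, 0x63, 0x01, 0x35, 0xB7, 0x76, 0x8C,
        0xCB, 0xD9, 0xC6, 0x8B, 0x8C, 0x2A, 0xA8, 0xAD, 0x67, 0x09,
        0x5C, 0x0F, 0x52, 0xD4, 0x9D, 0x27, 0xC3, 0xD0, 0xC5, 0x91,
        0xC0, 0xEA, 0xBF, 0x0D, 0xE7, 0x6C, 0x1A, 0x6A, 0x1A, 0x12,
        0xB7, 0xB8, 0x18, 0xB9, 0x46, 0xC3, 0x5B, 0x90, 0x45, 0x7B,
        0x94, 0xE6, 0x5F, 0x4F, 0xF0, 0x66, 0x78, 0xCC, 0xE9, 0xBE,
        0x0B, 0x94, 0x84, 0x0F, 0x33, 0xAE, 0x97, 0x88, 0x45, 0x4E,
        0xD2, 0x76, 0x11, 0x8E, 0x99, 0xFC, 0xCA, 0xD5, 0xE6, 0x27,
        0x57, 0x74, 0x01, 0x98, 0x0A, 0xCD, 0x7F, 0x0D, 0xA2, 0xC5,
        0xAB, 0xA2, 0x05, 0xA2, 0x86, 0xD3, 0x0E, 0x3A, 0x8E, 0xBA,
        0xCC, 0x43, 0xA0, 0xBC, 0x30, 0x1C, 0x7B, 0x42, 0x02, 0xDC,
        0xA4, 0xAA, 0x06, 0x89, 0x97, 0xAF, 0x81, 0xC0, 0x8A, 0x0B,
        0xF7, 0x6C, 0xFE, 0x30, 0x97, 0x17, 0xEA, 0x79, 0x4F, 0x48,
        0x5B, 0xD3, 0xCF, 0x91, 0xD6, 0xF6, 0x73, 0xA9, 0x16, 0x46,
        0xB7, 0x5E, 0x63, 0x08, 0x3A, 0x1F, 0x0C, 0xB8, 0xE4, 0xBB,
        0x52, 0x2E, 0xAE, 0xED, 0x46, 0x51, 0x82, 0x22, 0xE7, 0x70,
        0x33, 0x7C, 0xF8, 0x45, 0x45, 0x33, 0xCA, 0x72, 0x66, 0xCF,
        0xC9, 0x2E, 0x5C, 0x45, 0xC1, 0xD1, 0x0A, 0x66, 0xD7, 0x51,
        0xA1, 0x74, 0xCC, 0x4A, 0x71, 0xDF, 0xDC, 0x76, 0xEA, 0x9A,
        0x11, 0x22, 0x1A, 0x6A, 0x5A, 0x75, 0x12, 0x46, 0x38, 0x6C,
        0x63, 0x88, 0x75, 0x20, 0xD5, 0x3C, 0xF8, 0xB5, 0x2F, 0x45,
        0x6F, 0x34, 0x8F, 0x9D, 0x10, 0xA8, 0xB3, 0x19, 0x4F, 0xCA,
        0xEE, 0x0D, 0xD9, 0xE6, 0xA9, 0x76, 0xEE, 0x97, 0x8E, 0x12,
        0x91, 0xED, 0x9A, 0x3C, 0x34, 0xA4, 0xB0, 0x33, 0xAF, 0xC9,
        0xFE, 0x7F, 0x00, 0x00, 0xAF, 0x68, 0xCA, 0x91, 0x61, 0x7F };
    unsigned int len = sizeof(Hell) / sizeof(Hell[0]);

    EntryBuffer(Hell, len);

    /*
     * The array has no terminating NUL, so a plain "%s" would keep reading
     * past its end. The precision caps the output at the array length.
     */
    printf("%.*s\n\n", (int)len, (const char *)Hell);

    /*
     * XOR with the keystream is its own inverse, so RC4 uses one routine for
     * both directions: calling EntryBuffer(Hell, len) a second time restores
     * the original bytes.
     */
    return 0;
}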

高版本pyc反编译

对于python版本3.11以上的pyc,现在的在线网站就不支持了

首先安装python3.11,配置好pycharm。

import dis
import marshal

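import importlib.util
import sys

PATH = "./easyRE.exe_extracted/easyRE.pyc"

# The script skips a 16-byte header before the marshalled code object; the
# first 4 bytes of that header are the interpreter's magic number.
HEADER_SIZE = 16

with open(PATH, "rb") as f:
    header = f.read(HEADER_SIZE)
    # The marshal format is specific to the Python version, so this script has
    # to run under the interpreter version that produced the .pyc. A different
    # magic number is the usual reason marshal.load() fails or returns garbage.
    if header[:4] != importlib.util.MAGIC_NUMBER:
        print(
            "warning: .pyc magic does not match the running interpreter",
            file=sys.stderr,
        )
    # NOTE: marshal is not hardened against malformed data, and this file
    # comes from an unpacked third-party executable. Run the script in a
    # throwaway environment.
    code = marshal.load(f)

with open("easyRE.pyc.txt", "w") as f:
    # dis only prints the bytecode listing; the code object is never executed.
    dis.dis(code, file=f)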

但是只能获得字节码

idc提取数据

// Print the 10 bytes starting at addr to the IDA output window, in hex.
auto addr = 0x0000000100008000;
auto i = 0;
for(i; i < 10; i = i+1)
{
// "%x" prints neither padding nor a separator, so a byte below 0x10 comes
// out as a single digit and byte boundaries are not visible in the output.
Message("%x",Byte(addr+i));
// Disabled patch template: the replacement value still has to be filled in.
//PatchByte(addr+i,Byte());
}

// Print one byte out of every four, in decimal and comma-separated, from addr
// up to (but not including) 0x060213C.
auto addr = 0x000000000000006020C0;
auto i = 0;
for(i; addr+i < 0x060213C; i = i+4)
{
// Byte() reads a single byte, so with a step of 4 only the byte at the lowest
// address of each 4-byte slot is printed.
// NOTE(review): presumably the table holds 4-byte values that fit in one
// byte; confirm in the listing, otherwise the upper bytes are lost.
Message("%d,",Byte(addr+i));
// Disabled patch template: the replacement value still has to be filled in.
//PatchByte(addr+i,Byte());
}

python版本问题

现在电脑上是有2.7,3.8,3.11三个版本的,在pycharm里切换的话就在setting里,挺方便的

在cmd里切换的话,需要在环境变量里切换顺序,注意是下面那个系统环境变量,要用谁就把他上移到最前面。

base64解码

import base64

# 待解密的 Base64 编码字符串
base64_str = "fiAGBkgXN3McFy9hAHRfCwYaIjQCRDFsXC8ZYBFmEDU="

# 将 Base64 编码字符串解码为字节数组
byte_str = base64.b64decode(base64_str)

# 将字节数组转换为数字列表
num_list = list(byte_str)

# 输出数字列表
print(num_list)

android

so层反编译之后,如果类型是int a1,然后又加了一个很大的偏移,还很明显是函数的,就是ida识别错了,按y键改为 JNIEnv *env

联想超级互联

额,没地方记,就记这里

pc端打开Lenovo 超级互联和lenovo one,平板在设置里打开超级互联,wifi和蓝牙都打开,保证两设备同一个wifi,检测连接。lenovo one直接连接的话是平板到了电脑上,这个时候打开lenovo 超级互联,在下面的已连接设备上点扩展至就可以作为电脑副屏了

python库问题

经常需要在cmd里用pip下载一些库,下载完后如何导入pycharm:

命令下载第三方库导入Pycharm中_pycharm用什么指令下载库_麻辣臭猪的博客-CSDN博客

先把pycharm里的venv环境文件删除,点设置里的setting,Python Interpreter 右边的 Add Interpreter,点下面的 Inherit global site-packages,确定即可

TEA

#include <stdio.h>
unsigned int a1[7];
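/*
 * Flag checker: read a 28-character flag, pack it into seven big-endian
 * 32-bit words in a1[], run an XTEA-like transform over each adjacent pair of
 * words, and compare the result with the embedded table.
 */
int main()
{
    /*
     * Author's leftovers, kept for reference: sample plaintext and its packed
     * words.
     *   char aa[] = "flag{bao_wen_hui_da_ben_dan}";
     *   0x666c6167,0x7b62616f,0x5f77656e,0x5f687569,0x5f64615f,0x62656e5f,0x64616e7d
     */
    unsigned char flag[30] = "";
    int len = 0;

    printf("please input your flag:");
    /*
     * flag holds 29 characters plus the terminator. An unbounded "%s" lets a
     * longer input write past the end of the buffer, so the width is capped.
     */
    if (scanf("%29s", flag) != 1)
    {
        return 0;
    }

    /* Length of the input, counted up to the terminator. */
    while (flag[len] != 0)
    {
        len++;
    }
    if (len != 28)
    {
        return 0;
    }

    /*
     * Pack 4 characters per word, most significant byte first. The cast keeps
     * the shift unsigned: an unsigned char is promoted to int, and shifting a
     * value of 0x80 or more left by 24 overflows a signed int.
     */
    for (int j = 0; j < 7; j++) {
        a1[j] = ((unsigned int)flag[4 * j] << 24)
              | ((unsigned int)flag[4 * j + 1] << 16)
              | ((unsigned int)flag[4 * j + 2] << 8)
              | (unsigned int)flag[4 * j + 3];
    }

    unsigned int a2[4]={1,2,3,4};   /* key words */
    for (int i = 0; i < 6; ++i)
    {
        int v5 = 0;
        unsigned int v6 = 256256256 * i;   /* running sum, starts at delta * i */

        /* v5 runs from 1 to 33, so each pair (a1[i], a1[i+1]) gets 33 rounds. */
        do
        {
            ++v5;
            /* '+' binds tighter than '^' in both update expressions. */
            a1[i] += v6 ^ (a1[i+1]) + ((a1[i+1] >> 5) ^ (16 * a1[i+1])) ^ (v6 + a2[v6&3]);
            a1[i+1] += (v6 + a2[(v6>>11)&3] ) ^ (a1[i]+ ((a1[i] >> 5) ^ (16 * a1[i])));
            v6 += 256256256;
        } while (v5 <= 32);
    }

    /* Expected ciphertext words. */
    unsigned miwen[] = { 0x61dbd98c,0x79352f73,0x6ab1de45,0xd6394d7a,0xd4d744b2,0xe6d098f7,0x698b056a };
    for (int i = 0; i < 7; i++)
    {
        if (a1[i] != miwen[i])
        {
            printf("wrong");
            return 0;
        }
    }
    printf("yes");
    return 0;
}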

solve

#include <stdio.h>
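/*
 * Solver for the checker above: undo the transform on the embedded
 * ciphertext words and print the recovered bytes.
 */
int main()
{
    unsigned int a1[] = { 0x61dbd98c,0x79352f73,0x6ab1de45,0xd6394d7a,0xd4d744b2,0xe6d098f7,0x698b056a };
    unsigned int a2[4] = { 1,2,3,4 };

    /* Pairs were encrypted for i = 0..5, so they are undone from i = 5 down to 0. */
    for (int i = 5; i >= 0; --i)
    {
        /*
         * During encryption the sum starts at delta * i and grows by delta in
         * each of the 33 rounds, so it ends at delta * (i + 33). The product
         * is computed in unsigned arithmetic: as a signed int it overflows,
         * which is undefined behaviour in C.
         */
        unsigned int v6 = 256256256u * (unsigned int)(i + 33);

        /*
         * Mirror of the encryption round: take delta off first, then undo the
         * two updates in the opposite order, with -= in place of +=. The
         * right-hand sides are the same expressions as in the checker.
         */
        for (int round = 0; round < 33; ++round)
        {
            v6 -= 256256256u;
            a1[i + 1] -= (v6 + a2[(v6 >> 11) & 3]) ^ (a1[i] + ((a1[i] >> 5) ^ (16 * a1[i])));
            a1[i] -= v6 ^ (a1[i + 1] + ((a1[i + 1] >> 5) ^ (16 * a1[i + 1]))) ^ (v6 + a2[v6 & 3]);
        }
    }

    /* Each word holds 4 characters, most significant byte first. */
    for (int i = 0; i < 7; i++)
    {
        for (int j = 3; j >= 0; j--)
        {
            printf("%c", (a1[i] >> (j * 8)) & 0xFF);
        }
    }
    return 0;
}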

python字节换十六进制

import binascii

# Raw bytes to render as hexadecimal literals.
byte_sequence = b'\xd8\x94\x1e\xab\x9bft\xeb]@\x1b\xba\xe6\xe8\x133W\xdd\x0e\xe6\x924\xf1\x80mh\xeb=\x08a\x02\t.\xb5\x05B\xb0\xb0/D\x8cY'

# Each byte becomes 0xNN with two uppercase hex digits; entries are joined
# with ", " so the result can be pasted into an array initialiser.
hex_string = ', '.join(f'0x{value:02X}' for value in byte_sequence)

print(hex_string)

去除符号表

strip -s --strip-all 路径