re
jeb
安卓逆向,扔到jadx里面,先尝试搜索flag,然后发现了flag{,点进去,发现
package com.example.crackme;
import android.app.Activity;
import android.os.Bundle;
import android.view.Menu;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.Toast;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
/* loaded from: classes.dex */
public class MainActivity extends Activity {
private Button btn_register;
private EditText edit_sn;
String edit_userName;
@Override // android.app.Activity
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(C0236R.layout.activity_main);
setTitle(C0236R.string.unregister);
this.edit_userName = "Tenshine";
this.edit_sn = (EditText) findViewById(C0236R.id.edit_sn);
this.btn_register = (Button) findViewById(C0236R.id.button_register);
this.btn_register.setOnClickListener(new View.OnClickListener() { // from class: com.example.crackme.MainActivity.1
@Override // android.view.View.OnClickListener
public void onClick(View v) {
if (!MainActivity.this.checkSN(MainActivity.this.edit_userName.trim(), MainActivity.this.edit_sn.getText().toString().trim())) {
Toast.makeText(MainActivity.this, C0236R.string.unsuccessed, 0).show();
return;
}
Toast.makeText(MainActivity.this, C0236R.string.successed, 0).show();
MainActivity.this.btn_register.setEnabled(false);
MainActivity.this.setTitle(C0236R.string.registered);
}
});
}
@Override // android.app.Activity
public boolean onCreateOptionsMenu(Menu menu) {
getMenuInflater().inflate(C0236R.menu.activity_main, menu);
return true;
}
/* JADX INFO: Access modifiers changed from: private */
public boolean checkSN(String userName, String sn) {
if (userName == null) {
return false;
}
try {
if (userName.length() == 0 || sn == null || sn.length() != 22) {
return false;
}
MessageDigest digest = MessageDigest.getInstance("MD5");
digest.reset();
digest.update(userName.getBytes());
byte[] bytes = digest.digest();
String hexstr = toHexString(bytes, "");
StringBuilder sb = new StringBuilder();
for (int i = 0; i < hexstr.length(); i += 2) {
sb.append(hexstr.charAt(i));
}
String userSN = sb.toString();
return new StringBuilder().append("flag{").append(userSN).append("}").toString().equalsIgnoreCase(sn);
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
return false;
}
}
private static String toHexString(byte[] bytes, String separator) {
StringBuilder hexString = new StringBuilder();
for (byte b : bytes) {
String hex = Integer.toHexString(b & 255);
if (hex.length() == 1) {
hexString.append('0');
}
hexString.append(hex).append(separator);
}
return hexString.toString();
}
}发现了生成flag的方法,直接写
import hashlib
def to_hex_string(bytes, separator=""):
hex_string = []
for b in bytes:
hex = format(b, '02x')
hex_string.append(hex)
return separator.join(hex_string)
def generate_sn(user_name):
if user_name is None or len(user_name) == 0:
return None
md5_hash = hashlib.md5(user_name.encode()).digest()
hex_str = to_hex_string(md5_hash)
user_sn = ''.join([hex_str[i] for i in range(0, len(hex_str), 2)])
sn = f"flag{{{user_sn}}}"
return sn
user_name = "Tenshine"
sn = generate_sn(user_name)
print("序列号:", sn)pyc
python逆向,先使用pyinstxtractor.py将exe文件转换成pyc文件,然后uncompyle6 abc_text.pyc,直接发现加密方式
def check():
a =input('plz input your flag:')
c=[144,163,158,177,121,39,58,58,91,111,25,158,72,53,152,
78,171,12,53,105,45,12,12,53,12,171,111,91,53,
152,105,45,152,144,39,171,45,91,78,45,158,8]
if len(a)!=42:
print('wrong length')
return 0
b=179
for i in range(len(a)):
if ord(a[i])*33% b !=c[i]:
print('wrong')
return
print('win')
check()
exp
c = [144,163,158,177,121,39,58,58,91,111,25,158,72,53,152,
78,171,12,53,105,45,12,12,53,12,171,111,91,53,
152,105,45,152,144,39,171,45,91,78,45,158,8]
b = 179
flag = ''
for value in c:
for i in range(128):
if (i * 33) % b == value:
flag += chr(i)
break
print("Flag is:", flag)re1
扔到ida里面就看见了
Baidu
1.翻网站源码,发现css的折叠代码,打开,最下面是AES,直接爆破(gpt生成的)。
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
import base64
# 提供的密钥、初始化向量和加密数据
key = base64.b64decode("0KzSrImRtVwdh7UonVrQK1TXA++PTBs/3qTxwFLXTRw=")
iv = base64.b64decode("ywz2evC5YAg0pz+Xvkd2eQ==")
data = base64.b64decode("4tdJizgiux0hs4CJjzYbBYQxlSkJDL0i8fxZuoRyuWE=")
# 解密函数
def decrypt_data(cipher):
decryptor = cipher.decryptor()
decrypted_data = decryptor.update(data) + decryptor.finalize()
return decrypted_data
# 尝试不同的 AES 模式
modes_list = [
modes.ECB(),
modes.CBC(iv),
modes.CFB(iv),
modes.OFB(iv),
modes.CTR(iv),
]
for mode in modes_list:
try:
cipher = Cipher(algorithms.AES(key), mode, backend=default_backend())
decrypted_data = decrypt_data(cipher)
print(f"Mode: {mode.name}, Decrypted data: {decrypted_data}")
except Exception as e:
print(f"Mode: {mode.name}, Error: {e}")
# GCM 模式需要额外的标签参数
try:
tag = data[-16:] # 假设最后16字节是标签
data_without_tag = data[:-16]
cipher = Cipher(algorithms.AES(key), modes.GCM(iv, tag), backend=default_backend())
decrypted_data = decrypt_data(cipher)
print(f"Mode: GCM, Decrypted data: {decrypted_data}")
except Exception as e:
print(f"Mode: GCM, Error: {e}")发现密码the_ultimate_password123,然后得到二进制文件,脱壳直接逆向
v3_bytes = [
0x66, 0x6E, 0x65, 0x67, 0x83, 0x7A, 0x6D,0x7A, # v3[0]
0x73, 0x6A, 0x5F, 0x7D, 0x6F, 0x85, 0x8A, 0x5F, # v3[1]
0x86, 0x89, 0x90, 0x89, 0x7D # v3[2]
]
flag = ''.join(chr((v3_bytes[i] - i) ^ i) for i in range(21))
print(f"Flag: {flag}")crypto
来一道一元积分吧
先解积分,然后出题人发的,说是base85,解开文件即可
import sympy as sp
x, a = sp.symbols('x a')
expr = ((x + 1)**95 * (a * x + 1)**5) / (x**2 + 1)**50
limit_expr = sp.limit(expr, x, sp.oo)
print(f"极限表达式: {limit_expr}")
solution = sp.solve(limit_expr - 32, a)
print(f"解: {solution}")
#a=2
import base64
s = b'RMbpoP9B1wmOMH8kLz9P0ml(I3v='
ss = base64.b85encode(s)
print(ss)
#flag{I_LOVE_susu}你真的喜欢CTF吗
AABABAAAAAABABBAABBAAAABBABBBABBAAAABBBABABAAABABBABAAAABABAAABAAAAABABAABBAABAB
一眼培根,但是前缀是Flag
At
゚ω゚ノ= /`m´)ノ ~┻━┻ //´∇`/ [‘‘]; o=(゚ー゚) ==3; c=(゚Θ゚) =(゚ー゚)-(゚ー゚); (゚Д゚) =(゚Θ゚)= (o^^o)/ (o^^o);(゚Д゚)={゚Θ゚: ‘‘ ,゚ω゚ノ : ((゚ω゚ノ==3) +’‘) [゚Θ゚] ,゚ー゚ノ :(゚ω゚ノ+ ‘‘)[o^^o -(゚Θ゚)] ,゚Д゚ノ:((゚ー゚==3) +’‘)[゚ー゚] }; (゚Д゚) [゚Θ゚] =((゚ω゚ノ==3) +’‘) [c^^o];(゚Д゚) [‘c’] = ((゚Д゚)+’‘) [ (゚ー゚)+(゚ー゚)-(゚Θ゚) ];(゚Д゚) [‘o’] = ((゚Д゚)+’‘) [゚Θ゚];(゚o゚)=(゚Д゚) [‘c’]+(゚Д゚) [‘o’]+(゚ω゚ノ +’‘)[゚Θ゚]+ ((゚ω゚ノ==3) +’‘) [゚ー゚] + ((゚Д゚) +’‘) [(゚ー゚)+(゚ー゚)]+ ((゚ー゚==3) +’‘) [゚Θ゚]+((゚ー゚==3) +’‘) [(゚ー゚) – (゚Θ゚)]+(゚Д゚) [‘c’]+((゚Д゚)+’‘) [(゚ー゚)+(゚ー゚)]+ (゚Д゚) [‘o’]+((゚ー゚==3) +’‘) [゚Θ゚];(゚Д゚) [‘‘] =(o^^o) [゚o゚] [゚o゚];(゚ε゚)=((゚ー゚==3) +’‘) [゚Θ゚]+ (゚Д゚) .゚Д゚ノ+((゚Д゚)+’‘) [(゚ー゚) + (゚ー゚)]+((゚ー゚==3) +’‘) [o^^o -゚Θ゚]+((゚ー゚==3) +’‘) [゚Θ゚]+ (゚ω゚ノ +’‘) [゚Θ゚]; (゚ー゚)+=(゚Θ゚); (゚Д゚)[゚ε゚]=’\’; (゚Д゚).゚Θ゚ノ=(゚Д゚+ ゚ー゚)[o^^o -(゚Θ゚)];(o゚ー゚o)=(゚ω゚ノ +’‘)[c^^o];(゚Д゚) [゚o゚]=’\"’;(゚Д゚) [‘‘] ( (゚Д゚) [‘‘] (゚ε゚+(゚Д゚)[゚o゚]+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^^o) +(o^^o))+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (o^^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (o^^o))+ ((o^^o) – (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^^o) +(o^^o))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (o^^o))+ (o^^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^^o) +(o^^o))+ ((o^^o) – (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (o^^o)+ ((゚ー゚) + (o^^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^^o) +(o^^o))+ (o^^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (c^^o)+ (c^^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚Θ゚)+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (o^^o)+ ((゚ー゚) + (o^^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (o^^o)+ ((o^^o) – (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (o^^o))+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚o゚]) (゚Θ゚)) (‘‘);
hint:注意大小写
先是颜文字(https://www.a.tools/Tool.php?Id=174), 然后用厨子里面的埃特巴什码,得到
flag{Ni_h@O_A!!!}
Base签到
TVpXR0NaMzNNSlFXU1lUQk5GUFVHVkNHTDQzRFFOS1lORlFXNjZMVlBVPT09PT09
随波逐流一把出
flag{baibai_CTF_685Xiaoyu}
没有key
UH6G2CXOVIYRJI2PXMPHVFXXWWYRRH2AXMNIZF2JXAYRBEFYWWSQRF2FWAYRBAXYXEWIPIXSWOARFIEFXMRIZFFXWASSTIFCXIOIZFFHTWWH6EFTYWSR2F2FVIPRLGFYWDMSTIXSVEYRJJPYXMPHVGXXWWUGRH2YXMTSHF2HTWWIFIXOWWTRBZFGVIYRZJFWWWWIBAPIVAYRJIOFXSRIZEFXWWRHJIFKVISH4FXDXAWIXIXTXMSIDF2JVIPRDEFXTVMSPGXJWAURJGOFXMUHXEFBWWYGRIPAXMQSZFXVXAYRJIXYTISIRH2AWAQRZJFXWESIZD2JWEURJGWFXAOHZGF2WSPSTIFSVEPRZFEFVAXRJIXXYWSIVD2HX5XGRHXWXMSIVG2JWWSRJF2GXEUHXEOIWSYGRIXIXMQSHF2QVAYSBIXXWMSSBZFFXIXHZJFYXOWIZI2IVEQRHZFGXWRIZD2JWAWIHIXGXHMR2FXJWAXHFIFXXWSRHF2BWIPHLAXWX4MSTG2SVMSRFGXYXWQHZGPBWSXGRH2AVMOIZF2BWAXHXIPVWWSRHH2KWIXHVIFYXEWIVI2SWMWRFEFQWMQHZJFEWATITH2KVIPR4FFGTWWITIXTWWSRBH2FTWXHBGFYYOWITAPSVAARFIEFXMYIXEFXWWWITH2AXMRRHF2ZXAWSXEXXXWSRZZFJWIQRRGFYWESIVE2RVEURHHMFXSYHXEFXWWRSTHFCVITRHF2LWAWH2EFRXMRIXJFIV5QRFGFXW5WITGXJVMSRJIPYXWYHXGFJWSYHJIXUVMASXF2XWAURFIXQTISIVZFIX5PHZIFUVAWIZH2IWWSRBI2YXARHVJFIWAZSTIFUVIOH4FFGXAWHJIFTWMSIVZFGXIPHVHFXXISIRF2JWWSRHFFGX42RXEPBWAXQRH2MXIQSHFFZXAYRBEFZWMSRXH2GXIQRVJFYXOSIZEXRWIQRHIFPXESIXE2XWAXRTIPCVIQRHFFKWAWR2EF2YSSHJH2GXSXHTAXYXHMSPFXJVMYRHH2XXWYHXFFBWSWIRHMHXIOIHFXVXAYRBEFSVMSQRD2GWAPGRGXYXEOIBI2SWOQRHIEFXMPHZFFBWASITIFAVITQXFXFTWXIPEFTXMQHVF2JTWPHJGFYWDMSTFXRWMARFGPQXMYIXGPTWWASTGXYXMSSRF2ZVAYSBEXVTIRIBZFGVAQSHFXUWWSH4JXSVD2HFIWFXAVIXEXXWEPITHEFVISRHE2TXAWGVEXUYWRHDH2IV5QRBFFXTWWIRF2JWIURJH2PXMXHXEPBWSQRTGFCXMSRHFFXXAYIXEXZXMSSBH2AWIPHZFFYVISIRF2JV5URJEWFXAPHZEP2WATRTIFUXITRHFFCTWWHJIXRYWSIVD2KXAPHLJFWV5SIRE2JWWORLFPGXAXIXF2BWWYGRIXKXIPSHF2UWAWR6IFYWWQIXF2GWIYRRIFYWWWIVI2SVMURHIFFXASHZJFMWWPSTIFGVIUSHFFTTWYRXIFPXWSHLH2KWIPHLIFXXDMSXAFSVMARHGXQXWSIXF2XWEYRJH2AVMOIHF2JTWXIBIXUWMSR6D2HWIXHDFFYWDMSPIXSWMARFEXYXWQHZJFAWASITHFKXISIZFFITWXIFIXTWWSHBH2JX5PHJFFUV5SITIXTVIYRFIFGXIYHXE2BWWWGRHFAXMQHHF2HTWWSXIXSXMRQXFFDTWXQZIXV
过程就是base32,rot13,倒转,再来,直到发现flag是flagishere
crypto_2
[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]][+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()(([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(![]+[+[]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+([][[]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[!+[]+!+[]+[!+[]+!+[]]]+([]+[])[(![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]]+(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[+[]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[!+[]+!+[]+[+[]]]+[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]]+([][(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()+[])[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+([][[]]+[])[!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])(![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+[+!+[]])+([]+[])[(![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]]+([+[]]+![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[!+[]+!+[]+[+[]]])
控制台直接输出
flag{3e858ccd79287cfe8509f15a71b4c45d}
AES&Base
import base64
import hashlib
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
# 以上是可能用到的库
# 您收到了一段使用AES-CBC模式加密的密文,同时您知道了密钥的一部分生成规则:
# 密钥的前8字节是固定的,后8字节是通过某个秘密字符串的后三位数字(000-999)与特定前缀(例如secret_)
# 进行SHA-256哈希后取前8字节得到的。您的任务是编写一个Python脚本,尝试所有可能的三位数字组合,
# 以找到正确的密钥,并解密密文,获取其中的flag。
# 固定的前8字节密钥部分
fixed_key_part = b'fixedpart'[:8]
# 秘密字符串的前缀
secret_prefix = b'secret_'
# Base64编码的密文和IV
encoded_data = '[lg/hfCVaU7OGl11oy7JsUzozFojJSjBmYt6BGY+sO/KCKkQxdXzHjiJP1AM0eoTH]'
# ----请写出你的解题过程,得到flag---------直接写就行了
import base64
import hashlib
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
fixed_key_part = b'fixedpart'[:8]
secret_prefix = b'secret_'
encoded_data = '[lg/hfCVaU7OGl11oy7JsUzozFojJSjBmYt6BGY+sO/KCKkQxdXzHjiJP1AM0eoTH]'
encoded_data = encoded_data.strip('[]')
ciphertext_iv = base64.b64decode(encoded_data)
iv = ciphertext_iv[:16]
ciphertext = ciphertext_iv[16:]
for i in range(1000):
num_str = f'{i:03}'
secret_string = secret_prefix + num_str.encode()
hashed_secret = hashlib.sha256(secret_string).digest()[:8]
key = fixed_key_part + hashed_secret
cipher = AES.new(key, AES.MODE_CBC, iv)
try:
decrypted_data = unpad(cipher.decrypt(ciphertext), AES.block_size)
decrypted_text = decrypted_data.decode('utf-8')
if 'flag' in decrypted_text:
print(f"Found flag: {decrypted_text}")
break
except (ValueError, UnicodeDecodeError):
continueXOR
def xor_encrypt(data, key):
encrypted_data = bytearray()
for char in data:
encrypted_data.append(ord(char) ^ key)
return encrypted_data.hex() # 返回十六进制字符串作为加密结果
# 以下是使用该函数加密后的一个十六进制字符串:
encrypted_string = '7a6f796973746865666c6167'
# 加密时所用的密钥(key)是 13(注意:这只是一个示例,实际题目中可以使用不同的密钥)
key=13
# 你的任务是解密这个十六进制字符串,找出它隐藏的信息,并将其格式化为 flag{*}
# 请将你的答案以 print(f"flag{{{your_decrypted_message}}}") 的形式输出,即可得到flag
# 输出解密后的结果,请注意格式奥~.~没啥好说的
def xor_decrypt(encrypted_hex, key):
encrypted_data = bytearray.fromhex(encrypted_hex)
decrypted_data = bytearray()
for byte in encrypted_data:
decrypted_data.append(byte ^ key)
return decrypted_data.decode()
encrypted_string = '7a6f796973746865666c6167'
key = 13
decrypted_message = xor_decrypt(encrypted_string, key)
print(f"flag{{{decrypted_message}}}")总结
抽象,密码全是古典,misc的抽象程度不亚于一个XXX,pwn挺难的对于我来说,下机!(md,服务器没拿到)