ctfshow REVERSE re2 萌新赛 内部赛 七夕杯 WP

目录

re2

萌新赛

flag白给

签退 

数学不及格 

内部赛

批量生产的伪劣产品 

来一个派森 

好好学习 天天向上 

屏幕裂开了

七夕杯

逆向签到 

easy_magic 

re2

ida分析主函数，将flag.txt内容加密写入enflag.txt

这是密钥加密过程

标准rc4加密

简单异或解密密钥 

将enflag.txt进行rc4解密 

得flag{RC4&->ENc0d3F1le}

萌新赛

flag白给

查壳，有壳

upx解壳 

解壳成功，进入关键函数

找到flag

即flag{HackAv}

签退 

python逆向，用pycdc反编译或python反编译 - 在线工具

得到python源代码

import string
c_charset = string.ascii_uppercase + string.ascii_lowercase + string.digits + '()'
flag = 'BozjB3vlZ3ThBn9bZ2jhOH93ZaH9'

def encode(origin_bytes):
    c_bytes = [ '{:0>8}'.format(str(bin(b)).replace('0b', '')) for b in origin_bytes ]
    resp = ''
    nums = len(c_bytes) // 3
    remain = len(c_bytes) % 3
    integral_part = c_bytes[0:3 * nums]
    for x in [
        0,
        6,
        12,
        18]:
        tmp_unit = [][int(tmp_unit[x:x + 6], 2)]
        resp += ''.join([ c_charset[i] for i in tmp_unit ])
        integral_part = integral_part[3:]
    if remain:
        remain_part = ''.join(c_bytes[3 * nums:]) + (3 - remain) * '0' * 8
        tmp_unit = [ int(remain_part[x:x + 6], 2) for x in [
            0,
            6,
            12,
            18] ][:remain + 1]
        resp += ''.join([ c_charset[i] for i in tmp_unit ]) + (3 - remain) * '.'
    return rend(resp)


def rend(s):

    def encodeCh(ch):

        f = lambda x: chr(((ord(ch) - x) + 2) % 26 + x)
        if ch.islower():
            return f(97)
        if (None,).isupper():
            return f(65)

    return (''.join,)((lambda .0: pass)(s))

这里的encode其实就是base64加密，换码表有一点改动，对密文没有影响，rend函数就是字符右移两位，写出rend逆向脚本

def rend_reverse(s):
    decoded = []
    for c in s:
        if c.islower():
            # 小写字母前移2位（循环）
            decoded_char = chr((ord(c) - 97 - 2) % 26 + 97)
        elif c.isupper():
            # 大写字母前移2位（循环）
            decoded_char = chr((ord(c) - 65 - 2) % 26 + 65)
        else:
            decoded_char = c  # 数字和括号不变
        decoded.append(decoded_char)
    return ''.join(decoded)

encrypted_flag = 'BozjB3vlZ3ThBn9bZ2jhOH93ZaH9'
after_rend = rend_reverse(encrypted_flag)
print("逆移位后字符串:", after_rend)
# ZmxhZ3tjX3RfZl9zX2hfMF93XyF9

赛博厨子base64解密 

flag{c_t_f_s_h_0_w_!} 

数学不及格 

分析一下主逻辑

判断了四个方程，并且v9=f(v4)

双击跟进f()函数，返回斐波那契数列第n项

于是(v9-v10)+(v9-v11)+(v9-v12)+(v4+v12+v11+v10)=3*v9+v4=0x19d024e75ff，十进制为1773860189695，又v9=f(v4)

写脚本爆破 

for v4 in range(3,100):
    a = [1, 1]
    for i in range(2,v4):
        v9=a[i-1]+a[i-2]
        if 3*v9+v4 == 1773860189695:
            print(v4)
            print(v9)
        a.append(v9)
#58
#591286729879

 得到v4，v9后解出argv数组

v9=591286729879
v4=58
print(hex(v9-0x233F0E151C))
#argv[1]=0x666c61677b
print(hex(v9-0x1B45F81A32))
#argv[2]=0x6e65776265
print(hex(v9-0x244C071725))
#argv[3]=0x655f686572
print(hex(v4+0x6543))
#argv[4]=0x657d

赛博厨子一键16进制解密 

得flag{newbee_here}

内部赛

批量生产的伪劣产品 

apk文件，jadx打开，查看AndroidManifest.xml

找到app入口appinventor.ai_QA629A242D5E83EFA948B9020CD35CB60.checkme.a

看到ctfshow{群主最爱36D} 

来一个派森 

python反编译工具pyinstxtractor.py得到.pyc文件

python反编译 - 在线工具得到python源码

def b58encode(tmp = None):
    tmp = list(map(ord, tmp))
    temp = tmp[0]
    base58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'
    for i in range(len(tmp) - 1):
        temp = temp * 256 + tmp[i + 1]
    
    tmp = []
    while None:
        temp = temp // 58
        if temp == 0:
            break
        temp = ''
        for i in tmp:
            temp += base58[i]
        
    tmp = []
    for i in range(len(temp)):
        tmp.append(chr(ord(temp[i]) ^ i))
    
    check = ['A','5','q','O','g','q','d','\x7f','[','\x7f','s','{','G','A','x','`','D','@','K','c','-','c',' ','G','+','+','|','x','}','J','h','\\','l']
    if tmp == check:
        return 1

flag = input('输入flag：')
if b58encode(flag):
    print('you win')
else:
    print('try again')

标准的base58，最后做了一步异或，异或脚本

tmp=['A','5','q','O','g','q','d','\x7f','[','\x7f','s','{','G','A','x','`','D','@','K','c','-','c',' ','G','+','+','|','x','}','J','h','\\','l']
for i in range(len(tmp)):
     temp.append(chr(ord(tmp[i]) ^ i))
for i in range(len(temp)):
     print(temp[i],end="")
#A4sLctbxSvypKLvoTQYp9v6P32fcaWvCL

再base58解密

得ctfshow{zhe_bu_shi_flag}

好好学习 天天向上 

[ctf.show.reverse] 来一个派森，好好学习天天向上_ctfshow 好好学习 天天向上-CSDN博客 

flag{good_good_study_day_day_up}

屏幕裂开了

jadx打开 

还有native层 

定位关键函数checkflag 

很明显是rc4加密，但解密不出来

所以S盒打乱那部分要重复 99999 次，贴个大佬的脚本

s = [i for i in range(256)]
k = (b"InfinityLoop"*22) [0:256]
 
for hit_count in range(99999):
    j = 0
    for i in range(256):
        j = (s[i]+j+k[i])%256
        s[i],s[j] = s[j],s[i]

answer =[0xA6,0x3D,0x54,0x0B0,0x74,0xCC,0xBD,0x2A,0x4A,0x0DE,0x0BD,0x35,0x0D1,0x1D,0x80,0x32,0x5F,0x64,0x2F,0x0C5,0x0DD,0x11,0x3E,0x95,0x0CC,0x17,0x13,0x0E5,0x5E,0x65,0x0CE,0x42,0x9E,0x47,0x0C8,0x0F3,0x4D,0x8A,0x0A6,0x1F,0x0F0,0x50,0x27,0x0A2,0x28,0x81,0x24,0x0A7,0x0B4,0x90,0x0FC,0x93,0x8A,0x0C1,0x77,0x0D5,0x16,0x1E,0x0FD,0x87,0x0C7,0x0BB,0x0B3,0x0]
 
v10,v11 = 0,0
v14 = s 
tab = [0]*63
for j in range(63):
    v11 = v11+1
    v10 = (v14[v11] + v10)& 0xff
    v14[v11],v14[v10] = v14[v10],v14[v11]
    tab[j] = v14[(v14[v10]+ v14[v11]) %256]

flag = [answer[i]^tab[i] for i in range(63)]
print(bytes(flag))
#flag{i_hope_you_didnt_click_the_button_99999__justRE_in_Static}

七夕杯

逆向签到 

分析主逻辑汇编代码 

用deepseek辅助 

mov     rax, 7B776F6873667463h  ; 小端序为 "ctfshow{"
mov     rdx, 5F6E6769735F6572h  ; 小端序为 "re_sign_"
mov     rax, 5F797361655F7369h  ; 小端序为 "is_easy_"
mov     [rbp+var_18], 7Dh        ;        结束符 "}"

即ctfshow{re_sign_is_easy_}

easy_magic 

看到一串16进制，16进制转字符串失败 

猜测为md5MD5免费在线解密破解_MD5在线加密-SOMD5

得ctfshow{7x_flag_is_here}