RE

easy_xor

首先patch掉花指令和反调试

动态调式拿到v10再跟byte_403114异或即可

exp如下：

1
2
3
4
5
6


dst = [0x99, 0x48, 0x5E, 0xBD, 0xC5, 0x9B,0x85, 0x96, 0x20, 0xFC, 0x18, 0xB2, 0x00,0xC5, 0xDA, 0xC0, 0xB1, 0xC8, 0x6C, 0x81,0x63, 0xBD, 0x09, 0x50, 0xC2, 0xBB, 0xEC,0x33, 0xD6, 0xD7, 0x8F, 0xAF, 0xAD, 0xCE,0x14, 0xED, 0x8C, 0xCE, 0x6F, 0xA9, 0xA8,0x02, 0x8C, 0x90, 0x94, 0x67]
l = [  0xFF, 0x24, 0x3F, 0xDA, 0xBE, 0xA9,0xB6, 0xF7, 0x12, 0x8F,0x29, 0xD0, 0x73, 0xF7, 0xF7, 0xA2, 0x83,0xAD, 0x5F, 0xB0,0x51, 0x90, 0x3F, 0x68, 0xF6, 0x8C, 0xC1,0x0A, 0xB7, 0xB5,0xBC, 0x82, 0xCC, 0xFC, 0x67, 0xDE, 0xE9,0xFF, 0x5B, 0xCB,0xC9, 0x67, 0xEA, 0xF6, 0xA6, 0x1A, 0x39,0x56, 0xCA, 0x23,0x46, 0xE3, 0xC8, 0x71, 0x43, 0x53, 0xFF,0x72, 0x2F, 0xC3,0x5C, 0x1C, 0x5B, 0x94]
flag = []
for i in range(46):
  flag.append(dst[i]^l[i])
print(bytes(flag))

T4ee

初始化了一个二叉树然后前序遍历

get_tree是（如果调试的话会走不同的结果）

1
2
3
4


if a3==1：
	a1[1] = a2
else:
	a1[2] = a2

walk是前序遍历（1是左节点

1
2
3


a1()
walk(a1[1])
walk(a1[2])

调⽤顺序是menu -> check_len -> sub -> rc4 -> xor -> cmp 倒过来写exp：

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23


from arc4 import ARC4 
dst = [0x2C, 0x40, 0xCE, 0x88, 0xEA, 0xB3,
0xA7, 0xFA, 0xBE, 0xE3, 0x32,
0xD9, 0x8B, 0xE4, 0x1C, 0x77, 0xFC, 0xD4,
0x76, 0xAB, 0x87, 0x41, 0xB0,
0xCE, 0xF5, 0x5E, 0x61, 0x86, 0xA8, 0xCF,
0x71, 0x99, 0x5C, 0xB1]
# xor
for i in range(33)["$-1]:
	dst[i] "% dst[i+1]
# rc4
key = b'GoodLuck'
rc4 = ARC4(key)
rc4Arr = list(rc4.encrypt(bytes(dst)))
# sub
v2 = [4, 19, 9, 1, 24, 14, 5, 0, 18, 31, 21,
16, 11, 29, 12, 2, 30, 13, 3,
15, 8, 7, 17, 32, 33, 6, 25, 20, 26, 10, 23,
22, 27, 28]
flag = [0] * 34
for i in range(34):
	flag[v2[i]] = rc4Arr[i]
print(bytes(flag)

crypto

next-prime

简单题

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21


import libnum
from gmpy2 import iroot, next_prime
n =
2857627481101079436215316089755693517853064082
5011441539841241257190782139295561904323347128
9568735697546450712050432389851414743885310083
67238218822591
c =
4950287528557867543805255421526667840365929091
5102322948363030271494959804587081871467110614
6839729290376158839227436514316834651000619682
0490133462714979582942995038584875372850017716
4800064208215503246868631076011505268371936586
6453216598845270550072998226255707136139961392
23348709621258028349513737798120
t =  int(iroot(n << 520, 2)[0])
print(t)
q = next_prime(t)
print(q)
print(libnum.n2s(int(pow(c,
libnum.invmod(0x10001, (q-1)), q))))

RE#

easy_xor#

T4ee#

crypto#

next-prime#

RE

easy_xor

T4ee

crypto

next-prime