狗儿

If you love it, stick with it~

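Linghang Cup (领航杯): partial writeup

  The competition started at 9 o'clock on Friday, but we had a full day of classes on Friday, so we only started working on it in the evening. The difficulty was fairly low, and our team independently solved a dozen or so challenges. Here I mainly write up the ones I solved myself: mostly reverse engineering, plus one USB traffic analysis challenge and one extended Caesar cipher.

  By the way, an easter egg:

[Image: 1576557015226]

Even though we were in the top thirty, each school can only send one team, boo hoo~ Our senior is too strong (TQL)~~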

easyelf

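[Image: Snipaste_2019-11-23_01-21-41]
The flow is roughly as shown in the figure above:
After the input is read, every byte is first XORed once, and then bytes 5~9 and 11~15 are each encrypted separately. These two segments are fairly simple and can just be brute-forced.
Bytes 17~30 are also XORed, but that part is harder to follow. Running the operations in reverse is enough, though.
[Image: 1574512563353]
[Image: 1574512597203]
[Image: 1574512639888]
The above is all fairly clear. One new idea is worth noting: the challenges I had done before all used invertible operations, so I simply inverted them to get the flag. Today's operations are complicated and awkward to invert, so instead I can enumerate every possible value and brute-force it. If a value, after going through these complicated operations, produces the known data, then that value is the one we are looking for.
Next is a17_30, which took me a fairly long time.
[Image: 1574512840324]
Once I understood it, it was actually not much trouble. The key is knowing which equation is the final one and which is the initial one; then run the operations backwards once.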

```python
# Commented-out helper: prints every 4th byte of d:\1.txt as hex
# with open(r'd:\1.txt', 'rb') as f:
#     bin = f.read()
# for i in range(len(bin)):
#     if i % 4 == 0:
#         print('%s,' % hex(bin[i]), end='')

# Target bytes the transformed input is compared against
b = [0x10,0x1a,0x17,0x11,0xd,0x4f,0x73,0x5d,0x7a,0x70,0x29,0x4e,0x12,0x43,0x47,0xe,0x29,0x1a,0x42,0x13,0x12,0x29,0x13,0x45,0x7,0x19,0x1,0x28,0x23,0x18,0xf,0xb]
flag = [0] * 32
for i in range(len(b)):
    if 5 <= i <= 9:
        # Brute-force: try every byte and keep the one that encrypts to b[i]
        for n in range(256):
            x = (n ^ 0x76) ^ 0xad
            if ((x & 0xaa) >> 1 | 2 * x & 0xaa) == b[i]:
                flag[i] = n
    elif 11 <= i <= 15:
        for n in range(256):
            x = (n ^ 0x76) ^ 0xe
            if ((x & 0xcc) >> 2 | 4 * x & 0xcc) == b[i]:
                flag[i] = n
    elif 17 <= i <= 30:
        pass  # handled below by running a17_30 backwards
    else:
        flag[i] = b[i] ^ 0x76
for j in range(17, 31):
    flag[j] = b[j]
# From here on, b is reused as an index and no longer refers to the list above
a, b = 23, 24
while (a >= 17 and b <= 30):
    flag[a] ^= flag[b]
    print('flag[%d] ^= flag[%d]' % (a, b))
    flag[b] ^= flag[a]
    print('flag[%d] ^= flag[%d]' % (b, a))
    flag[a] ^= flag[b] + 1
    print('flag[%d] ^= flag[%d] + 1' % (a, b))
    a -= 1
    b += 1
for j in range(17, 31):
    flag[j] ^= 0x76
for i in flag:
    print(chr(i), end='')
```

EasyRE

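[Image: Snipaste_2019-11-23_01-16-55]
At an odd index, take the character one position to the left; at an even index, take the character one position to the right.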

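```python
s = 'lfgaL{teU__stsr4_t3R3vSr}e'
f = [' '] * len(s)
for i in range(len(s)):
    j = i
    if (i & 1):
        j -= 1   # odd index: goes one position to the left
    else:
        j += 1   # even index: goes one position to the right
    f[j] = s[i]
for i in f:
    print(i, end='')
```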

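Fairly simple, so I won't go into detail. The interesting thing is that this challenge is worth 150 points, while the one above is worth 100.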

EASYReverse

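Main function:
[Image: 1574442526956]
Encryption function sub_401000:
[Image: 1574442562012]
a is the known string s = 'IVaQIg]:DfDcL7=VN64bF3TfEE=WCCDh<c@fM3ADHCPgME9ANGd '
The encrypted string is processed in groups of 4 characters, and string a in groups of 3.
The second big if handles the last few characters of the string when the length is not evenly divisible.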

```python
s = 'IVaQIg]:DfDcL7=VN64bF3TfEE=WCCDh<c@fM3ADHCPgME9ANGd '
flag = []
# Full groups: 4 encoded characters come from 3 input bytes (x, y, z)
for i in range(len(s)//4):
    b = [ord(c) for c in s[4*i:4*i+4]]
    #print(b)
    for x in range(128):
        for y in range(128):
            for z in range(128):
                if (b[0] == ((x >> 2) & 0x3f) + 48 and
                        b[1] == (16 * (x & 3) | (y >> 4) & 0xf) + 48 and
                        b[2] == ((z >> 6) & 3 | 4 * (y & 0xf)) + 48 and
                        b[3] == (z & 0x3f) + 48):
                    flag += [x, y, z]
# Last group: only 2 input bytes remain, the 4th character is padding
b = [ord(c) for c in 'NGd ']
for x in range(128):
    for y in range(128):
        if (b[0] == ((x >> 2) & 0x3f) + 48 and
                b[1] == (16 * (x & 3) | (y >> 4) & 0xf) + 48 and
                b[2] == 4 * ((y & 0xf) + 12)):
            flag += [x, y]
for i in flag:
    print(chr(i), end='')
```
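
The packing in sub_401000 has the same bit layout as Base64 with an alphabet that is simply the 6-bit value plus 48, so it can also be inverted directly instead of searching 128³ candidates per group. The following is an added example, not part of the original write-up or the challenge binary; the names `decode`/`encode` and the treatment of a 1-byte tail are assumptions.

```python
OFFSET = 48   # each output character is a 6-bit value plus 48 ('0' .. 'o')

def decode(encoded):
    """Invert the 3-bytes -> 4-characters packing; an out-of-range character is padding."""
    out = bytearray()
    for i in range(0, len(encoded), 4):
        vals = []
        for ch in encoded[i:i + 4]:
            v = ord(ch) - OFFSET
            if not 0 <= v < 64:
                break                      # padding reached, the group ends here
            vals.append(v)
        if len(vals) < 2:
            raise ValueError("group at offset %d has fewer than 2 data characters" % i)
        nbytes = len(vals) - 1             # 4 chars -> 3 bytes, 3 -> 2, 2 -> 1
        vals += [0] * (4 - len(vals))
        word = vals[0] << 18 | vals[1] << 12 | vals[2] << 6 | vals[3]
        out += word.to_bytes(3, "big")[:nbytes]
    return bytes(out)

def encode(data, pad=" "):
    """Forward direction, used for a round-trip check. The pad character is the trailing
    character of the string on this page; a 1-byte tail getting two pads is an assumption."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        word = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        chars = [chr((word >> shift & 0x3F) + OFFSET) for shift in (18, 12, 6, 0)]
        out.append("".join(chars[:len(chunk) + 1]) + pad * (3 - len(chunk)))
    return "".join(out)

# Encoded string as given in the write-up above
S = 'IVaQIg]:DfDcL7=VN64bF3TfEE=WCCDh<c@fM3ADHCPgME9ANGd '

if __name__ == "__main__":
    plain = decode(S)
    print(plain.decode("ascii"))
    print("round trip ok:", encode(plain) == S)
```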

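Caesar 2

The challenge states outright that the key space is extended from 26 to 128, so adapting a Caesar script is enough.
But pay attention to how to convert the result into a byte stream and save it to a file.
Have a look at struct.pack.

https://www.jianshu.com/p/5a985f29fa81
The three most important functions in the struct module are pack(), unpack() and calcsize().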

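```python
# Pack the values according to the given format string into a bytes object (effectively a C-struct-like byte stream)
data = struct.pack(fmt, v1, v2, ...)
# Parse the byte stream according to the given format (fmt) and return the parsed values as a tuple
values = struct.unpack(fmt, data)
# Compute how many bytes of memory the given format (fmt) occupies
size = struct.calcsize(fmt)
```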

The formats supported by struct are listed in the table below:

| Format | C Type | Python | Size (bytes) |
| --- | --- | --- | --- |
| x | pad byte | no value | 1 |
| c | char | string of length 1 | 1 |
| b | signed char | integer | 1 |
| B | unsigned char | integer | 1 |
| ? | _Bool | bool | 1 |
| h | short | integer | 2 |
| H | unsigned short | integer | 2 |
| i | int | integer | 4 |
| I | unsigned int | integer or long | 4 |
| l | long | integer | 4 |
| L | unsigned long | long | 4 |
| q | long long | long | 8 |
| Q | unsigned long long | long | 8 |
| f | float | float | 4 |
| d | double | float | 8 |
| s | char[] | string | 1 |
| p | char[] | string | 1 |
| P | void * | long | |

```python
import struct

def to_bytes(myData):
    #return struct.pack('{}s'.format(len(myData)), bytes(myData.encode('utf-8')))
    return struct.pack('b', myData)  # one signed byte; values here are 0..127

def save(offset, bin):
    with open(r'd:\桌面\kaisa\{}.txt'.format(offset), 'wb') as f:
        f.write(bin)

def caesar_Crypto(msg):
    result = []
    offset = 1
    while offset <= 128:
        temp = []
        for char in msg:
            temp.append((char + offset) % 128)  # shift within the 128-value key space
        #string = "".join(temp)
        bin = b''
        for i in temp:
            bin += to_bytes(i)
        save(offset, bin)  # one output file per candidate offset
        offset += 1
    return result

with open(r'd:\桌面\1', 'rb') as f:
    dump = f.read()
caesar_Crypto(dump)
```

With offset 60 you get a text; its last word is the flag.
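
An added example (not the author's script): instead of writing 128 files and opening each one, the same mod-128 shift can be tried in memory and the candidates ranked by how text-like they are. `PLAIN` is a constructed sample, and the scoring alphabet is an assumption about what the plaintext looks like.

```python
import string

# Bytes expected in readable English text: letters, digits, space, light punctuation.
TEXTLIKE = frozenset((string.ascii_letters + string.digits + " .,!?'_{}-\n").encode())

def shift128(data, offset):
    """Same transform as the script above: add the offset modulo 128 to every byte."""
    return bytes((b + offset) % 128 for b in data)

def score(candidate):
    """Fraction of bytes that look like text (0.0 .. 1.0)."""
    if not candidate:
        return 0.0
    return sum(b in TEXTLIKE for b in candidate) / len(candidate)

def rank_offsets(cipher, top=3):
    """Return the `top` (score, offset, plaintext) tuples, best first."""
    results = []
    for offset in range(128):          # offset 128 is the same as offset 0
        candidate = shift128(cipher, offset)
        results.append((score(candidate), offset, candidate))
    results.sort(key=lambda r: (-r[0], r[1]))
    return results[:top]

# Constructed sample: the sentence and the final word are made up for this example.
PLAIN = b"this text was shifted by sixty, the last word is EXAMPLE_FLAG"
CIPHER = shift128(PLAIN, -60)          # so that adding 60 restores the text

if __name__ == "__main__":
    for s, offset, text in rank_offsets(CIPHER):
        print("offset %3d  score %.2f  %r" % (offset, s, text[:40]))
```

The top-ranked candidate should still be read by eye, since a short or unusual plaintext can score below a wrong shift.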

USB

References:

  • https://www.cnblogs.com/hackxf/p/10670844.html
  • https://blog.csdn.net/qq_36609913/article/details/78578406
  • https://blog.csdn.net/u013771867/article/details/51465193
    The data portion of the USB protocol is in the Leftover Capture Data field. On Mac and Linux, the tshark command can extract the leftover capture data on its own; the command is as follows:
    tshark -r capture.pcapng -T fields -e usb.capdata > usbdata.txt
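    (replace capture.pcapng with the actual file name)
    The data is exported to usbdata.txt.
  • **tshark can be used directly on Linux. On Windows, open cmd in the directory where Wireshark is installed and run tshark.exe (note that it is a command-line tool).**
  • **USB traffic is divided into keyboard traffic and mouse traffic.**
    Keyboard packets are 8 bytes long, and the keystroke information is concentrated in the 3rd byte; every key stroke produces a keyboard event USB packet.
    Mouse packets are **4 bytes** long. The first byte represents the buttons: 0x00 means no button is pressed, 0x01 means the left button, and 0x02 means the right button. The second byte can be treated as a signed byte whose highest bit is the sign bit: a positive value is the number of pixels the mouse moved horizontally to the right, a negative value the number of pixels it moved horizontally to the left. The third byte is similar to the second and represents the vertical up/down offset.
    I extracted the data and found only two lines, which really tripped me up.
    [Image: 1574514274321]
    Scroll hard with the mouse and you find there is more further on.
    [Image: 1574514333239]
  • **Script for converting the mouse traffic packets**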
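    ```python
    nums = []
    keys = open('usbdata.txt', 'r')
    posx = 0
    posy = 0
    for line in keys:
        # Expect colon-separated 4-byte reports such as "00:01:ff:00\n" (12 characters)
        if len(line) != 12:
            continue
        x = int(line[3:5], 16)
        y = int(line[6:8], 16)
        # Bytes 2 and 3 are signed offsets
        if x > 127:
            x -= 256
        if y > 127:
            y -= 256
        # Accumulate the relative movement into an absolute position
        posx += x
        posy += y
        btn_flag = int(line[0:2], 16)  # 1 for left , 2 for right , 0 for nothing
        if btn_flag == 1:
            with open('mouse.txt', 'a+') as f:
                f.write('%d %d\n' % (posx, posy))
    keys.close()
    ```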
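    The generated mouse.txt looks like this (partial):
    [Image: 1574513939493]
    The coordinates can then be plotted with gnuplot.
    [Image: 1574514027097]
    [Image: 1574514050549]
    Using PS, flip the image horizontally and rotate it 180 degrees, and the flag becomes visible.
    [Image: Snipaste_2019-11-23_08-33-50]
    It is a bit of a trap, though: the flag is CTF{tHe_CAT_is_the_CULpRiT}. The upper/lower case is nasty, and so is the first the.
  • **Also attached: the values corresponding to each key**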
Column 1 is the decimal key value, column 2 is the hexadecimal key value, and column 4 is the key.

0 00 Reserved (no event indicated)9 N/A √ √ √ 4/101/104
1 01 Keyboard ErrorRollOver9 N/A √ √ √ 4/101/104
2 02 Keyboard POSTFail9 N/A √ √ √ 4/101/104
3 03 Keyboard ErrorUndefined9 N/A √ √ √ 4/101/104
4 04 Keyboard a and A4 31 √ √ √ 4/101/104
5 05 Keyboard b and B 50 √ √ √ 4/101/104
6 06 Keyboard c and C4 48 √ √ √ 4/101/104
7 07 Keyboard d and D 33 √ √ √ 4/101/104
8 08 Keyboard e and E 19 √ √ √ 4/101/104
9 09 Keyboard f and F 34 √ √ √ 4/101/104
10 0A Keyboard g and G 35 √ √ √ 4/101/104
11 0B Keyboard h and H 36 √ √ √ 4/101/104
12 0C Keyboard i and I 24 √ √ √ 4/101/104
13 0D Keyboard j and J 37 √ √ √ 4/101/104
14 0E Keyboard k and K 38 √ √ √ 4/101/104
15 0F Keyboard l and L 39 √ √ √ 4/101/104
16 10 Keyboard m and M4 52 √ √ √ 4/101/104
17 11 Keyboard n and N 51 √ √ √ 4/101/104
18 12 Keyboard o and O4 25 √ √ √ 4/101/104
19 13 Keyboard p and P4 26 √ √ √ 4/101/104
20 14 Keyboard q and Q4 17 √ √ √ 4/101/104
21 15 Keyboard r and R 20 √ √ √ 4/101/104
22 16 Keyboard s and S4 32 √ √ √ 4/101/104
23 17 Keyboard t and T 21 √ √ √ 4/101/104
24 18 Keyboard u and U 23 √ √ √ 4/101/104
25 19 Keyboard v and V 49 √ √ √ 4/101/104
26 1A Keyboard w and W4 18 √ √ √ 4/101/104
27 1B Keyboard x and X4 47 √ √ √ 4/101/104
28 1C Keyboard y and Y4 22 √ √ √ 4/101/104
29 1D Keyboard z and Z4 46 √ √ √ 4/101/104
30 1E Keyboard 1 and !4 2 √ √ √ 4/101/104
31 1F Keyboard 2 and @4 3 √ √ √ 4/101/104
32 20 Keyboard 3 and #4 4 √ √ √ 4/101/104
33 21 Keyboard 4 and $4 5 √ √ √ 4/101/104
34 22 Keyboard 5 and %4 6 √ √ √ 4/101/104
35 23 Keyboard 6 and ^4 7 √ √ √ 4/101/104
36 24 Keyboard 7 and &4 8 √ √ √ 4/101/104
37 25 Keyboard 8 and *4 9 √ √ √ 4/101/104
38 26 Keyboard 9 and (4 10 √ √ √ 4/101/104
39 27 Keyboard 0 and )4 11 √ √ √ 4/101/104
40 28 Keyboard Return (ENTER)5 43 √ √ √ 4/101/104
41 29 Keyboard ESCAPE 110 √ √ √ 4/101/104
42 2A Keyboard DELETE (Backspace)13 15 √ √ √ 4/101/104
43 2B Keyboard Tab 16 √ √ √ 4/101/104
44 2C Keyboard Spacebar 61 √ √ √ 4/101/104
45 2D Keyboard - and (underscore)4 12 √ √ √ 4/101/104
46 2E Keyboard = and +4 13 √ √ √ 4/101/104
47 2F Keyboard [ and {4 27 √ √ √ 4/101/104
48 30 Keyboard ] and }4 28 √ √ √ 4/101/104
49 31 Keyboard \ and | 29 √ √ √ 4/101/104
50 32 Keyboard Non-US # and ~2 42 √ √ √ 4/101/104
51 33 Keyboard ; and :4 40 √ √ √ 4/101/104
52 34 Keyboard ‘ and “4 41 √ √ √ 4/101/104
53 35 Keyboard Grave Accent and Tilde4 1 √ √ √ 4/101/104
54 36 Keyboard, and <4 53 √ √ √ 4/101/104
55 37 Keyboard . and >4 54 √ √ √ 4/101/104
56 38 Keyboard / and ?4 55 √ √ √ 4/101/104
57 39 Keyboard Caps Lock11 30 √ √ √ 4/101/104
58 3A Keyboard F1 112 √ √ √ 4/101/104
59 3B Keyboard F2 113 √ √ √ 4/101/104
60 3C Keyboard F3 114 √ √ √ 4/101/104
61 3D Keyboard F4 115 √ √ √ 4/101/104
62 3E Keyboard F5 116 √ √ √ 4/101/104
63 3F Keyboard F6 117 √ √ √ 4/101/104
64 40 Keyboard F7 118 √ √ √ 4/101/104
65 41 Keyboard F8 119 √ √ √ 4/101/104
66 42 Keyboard F9 120 √ √ √ 4/101/104
67 43 Keyboard F10 121 √ √ √ 4/101/104
68 44 Keyboard F11 122 √ √ √ 101/104
69 45 Keyboard F12 123 √ √ √ 101/104
70 46 Keyboard PrintScreen1 124 √ √ √ 101/104
71 47 Keyboard Scroll Lock11 125 √ √ √ 4/101/104
72 48 Keyboard Pause1 126 √ √ √ 101/104
73 49 Keyboard Insert1 75 √ √ √ 101/104
74 4A Keyboard Home1 80 √ √ √ 101/104
75 4B Keyboard PageUp1 85 √ √ √ 101/104
76 4C Keyboard Delete Forward1;14 76 √ √ √ 101/104
77 4D Keyboard End1 81 √ √ √ 101/104
78 4E Keyboard PageDown1 86 √ √ √ 101/104
79 4F Keyboard RightArrow1 89 √ √ √ 101/104
80 50 Keyboard LeftArrow1 79 √ √ √ 101/104
81 51 Keyboard DownArrow1 84 √ √ √ 101/104
82 52 Keyboard UpArrow1 83 √ √ √ 101/104
83 53 Keypad Num Lock and Clear11 90 √ √ √ 101/104
84 54 Keypad /1 95 √ √ √ 101/104
85 55 Keypad * 100 √ √ √ 4/101/104
86 56 Keypad - 105 √ √ √ 4/101/104
87 57 Keypad + 106 √ √ √ 4/101/104
88 58 Keypad ENTER5 108 √ √ √ 101/104
89 59 Keypad 1 and End 93 √ √ √ 4/101/104
90 5A Keypad 2 and Down Arrow 98 √ √ √ 4/101/104
91 5B Keypad 3 and PageDn 103 √ √ √ 4/101/104
92 5C Keypad 4 and Left Arrow 92 √ √ √ 4/101/104
93 5D Keypad 5 97 √ √ √ 4/101/104
94 5E Keypad 6 and Right Arrow 102 √ √ √ 4/101/104
95 5F Keypad 7 and Home 91 √ √ √ 4/101/104
96 60 Keypad 8 and Up Arrow 96 √ √ √ 4/101/104
97 61 Keypad 9 and PageUp 101 √ √ √ 4/101/104
98 62 Keypad 0 and Insert 99 √ √ √ 4/101/104
99 63 Keypad . and Delete 104 √ √ √ 4/101/104
100 64 Keyboard Non-US \ and |3;6 45 √ √ √ 4/101/104
101 65 Keyboard Application10 129 √ √ 104
102 66 Keyboard Power9 √ √
103 67 Keypad = √
104 68 Keyboard F13 √
105 69 Keyboard F14 √
106 6A Keyboard F15 √
107 6B Keyboard F16
108 6C Keyboard F17
109 6D Keyboard F18
110 6E Keyboard F19
111 6F Keyboard F20
112 70 Keyboard F21
113 71 Keyboard F22
114 72 Keyboard F23
115 73 Keyboard F24
116 74 Keyboard Execute √
117 75 Keyboard Help √
118 76 Keyboard Menu √
119 77 Keyboard Select √
120 78 Keyboard Stop √
121 79 Keyboard Again √
122 7A Keyboard Undo √
123 7B Keyboard Cut √
124 7C Keyboard Copy √
125 7D Keyboard Paste √
126 7E Keyboard Find √
127 7F Keyboard Mute √
128 80 Keyboard Volume Up √
129 81 Keyboard Volume Down √
130 82 Keyboard Locking Caps Lock12 √
131 83 Keyboard Locking Num Lock12 √
132 84 Keyboard Locking Scroll Lock12 √
133 85 Keypad Comma27 107
134 86 Keypad Equal Sign29
135 87 Keyboard International115,28 56
136 88 Keyboard International216
137 89 Keyboard International317
138 8A Keyboard International418
139 8B Keyboard International519
140 8C Keyboard International620
141 8D Keyboard International721
142 8E Keyboard International822
143 8F Keyboard International922
144 90 Keyboard LANG125
145 91 Keyboard LANG226
146 92 Keyboard LANG330
147 93 Keyboard LANG431
148 94 Keyboard LANG532
149 95 Keyboard LANG68
150 96 Keyboard LANG78
151 97 Keyboard LANG88
152 98 Keyboard LANG98
153 99 Keyboard Alternate Erase7
154 9A Keyboard SysReq/Attention1
155 9B Keyboard Cancel
156 9C Keyboard Clear
157 9D Keyboard Prior
158 9E Keyboard Return
159 9F Keyboard Separator
160 A0 Keyboard Out
161 A1 Keyboard Oper
162 A2 Keyboard Clear/Again
163 A3 Keyboard CrSel/Props
164 A4 Keyboard ExSel
165-175 A5-CF Reserved
176 B0 Keypad 00
177 B1 Keypad 000
178 B2 Thousands Separator 33
179 B3 Decimal Separator 33
180 B4 Currency Unit 34
181 B5 Currency Sub-unit 34
182 B6 Keypad (
183 B7 Keypad )
184 B8 Keypad {
185 B9 Keypad }
186 BA Keypad Tab
187 BB Keypad Backspace
188 BC Keypad A
189 BD Keypad B
190 BE Keypad C
191 BF Keypad D
192 C0 Keypad E
193 C1 Keypad F
194 C2 Keypad XOR
195 C3 Keypad ^
196 C4 Keypad %
197 C5 Keypad <
198 C6 Keypad >
199 C7 Keypad &
200 C8 Keypad &&
201 C9 Keypad |
202 CA Keypad ||
203 CB Keypad :
204 CC Keypad #
205 CD Keypad Space
206 CE Keypad @
207 CF Keypad !
208 D0 Keypad Memory Store
209 D1 Keypad Memory Recall
210 D2 Keypad Memory Clear
211 D3 Keypad Memory Add
212 D4 Keypad Memory Subtract
213 D5 Keypad Memory Multiply
214 D6 Keypad Memory Divide
215 D7 Keypad +/-
216 D8 Keypad Clear
217 D9 Keypad Clear Entry
218 DA Keypad Binary
219 DB Keypad Octal
220 DC Keypad Decimal
221 DD Keypad Hexadecimal
222-223 DE-DF Reserved
224 E0 Keyboard LeftControl 58 √ √ √ 4/101/104
225 E1 Keyboard LeftShift 44 √ √ √ 4/101/104
226 E2 Keyboard LeftAlt 60 √ √ √ 4/101/104
227 E3 Keyboard Left GUI10;23 127 √ √ √ 104
228 E4 Keyboard RightControl 64 √ √ √ 101/104
229 E5 Keyboard RightShift 57 √ √ √ 4/101/104
230 E6 Keyboard RightAlt 62 √ √ √ 101/104
231 E7 Keyboard Right GUI10;24 128 √ √ √ 104
232-65535 E8-FFFF Reserved
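
The mouse script above covers the 4-byte reports; for the 8-byte keyboard reports the key table can be turned into a decoder. This is an added example, not from the original write-up: the sample lines are constructed, and the Shift bits in the first byte (0x02 left, 0x20 right) come from the HID boot keyboard report layout rather than from this page.

```python
# HID usage ID -> (plain, shifted) character, built from the key table on this page.
KEYMAP = {0x2C: (" ", " "), 0x2D: ("-", "_"), 0x2E: ("=", "+"), 0x2F: ("[", "{"),
          0x30: ("]", "}"), 0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'),
          0x35: ("`", "~"), 0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?")}
for i, c in enumerate("abcdefghijklmnopqrstuvwxyz"):
    KEYMAP[0x04 + i] = (c, c.upper())
for i, (plain, shifted) in enumerate(zip("1234567890", "!@#$%^&*()")):
    KEYMAP[0x1E + i] = (plain, shifted)
SHIFT_MASK = 0x02 | 0x20                     # LeftShift / RightShift bits in byte 1
ENTER, BACKSPACE, CAPS_LOCK = 0x28, 0x2A, 0x39

def parse_report(line):
    """Return the 8 bytes of a keyboard report, or None for any other line."""
    try:
        raw = bytes.fromhex(line.strip().replace(":", ""))  # with or without colons
    except ValueError:
        return None
    return raw if len(raw) == 8 else None

def decode_keystrokes(lines):
    out, caps, prev = [], False, 0
    for line in lines:
        report = parse_report(line)
        if report is None:
            continue
        key, held = report[2], prev          # the keystroke is in the 3rd byte
        prev = key
        if key == 0 or key == held:          # key released, or still held down
            continue
        if key == CAPS_LOCK:
            caps = not caps
        elif key == BACKSPACE:
            del out[-1:]                     # safe on an empty list
        elif key == ENTER:
            out.append("\n")
        elif key in KEYMAP:
            plain, shifted = KEYMAP[key]
            use_shift = bool(report[0] & SHIFT_MASK)
            if plain.isalpha():
                use_shift ^= caps            # Caps Lock only affects letters
            out.append(shifted if use_shift else plain)
    return "".join(out)

# Constructed sample (not the challenge capture): mixed colon/plain hex, one mouse line.
SAMPLE = """02:00:09:00:00:00:00:00 02:00:00:00:00:00:00:00 00:00:0f:00:00:00:00:00
0000000000000000 0000210000000000 0000000000000000 00001b0000000000 0000000000000000
00002a0000000000 0000000000000000 00000a0000000000 0000000000000000 20002d0000000000
0000000000000000 0000120000000000 0000120000000000 0000000000000000 00000e0000000000
00:01:ff:00""".split()
print(decode_keystrokes(SAMPLE))  # Fl4g_ok
```

Only the first key slot (byte 3) is read, matching the description above; reports that carry several simultaneous keys in the later bytes are not handled.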