狗儿

热爱的话就坚持吧~

0%

CyBRICS 2020 逆向

发表于 更新于 分类于

听说是金砖五国的比赛,管它呢,做就完事了。

babyrev

简述

给了一个xml文件,同时描述中提供了一个网址:http://snap.berkeley.edu/offline

1595930578091

我英语不好,一开始没看懂啥意思,后来才发现全文大部分篇幅都在说如何使用离线方案,其实不用这么麻烦,直接点开第二行的网址即可,使用在线的服务。

在线方案

打开https://snap.berkeley.edu/snap/snap.html

1595930687606

导入题目给出的xml文件:

1595930729008

1595930748027

很显然,结合本题的名称,babyrev,这是小孩子玩的卡片式编程。

emmm,写完这部分博文后我才发现可以修改页面语言:

1595933568332

代码中的关键字也可以改成汉语,本来难度就不高,现在难度更低了。

流程

屏幕最右侧有7个sprite:

1595933315699

分别点击时可以屏幕中间区域显示卡片代码,后面6个对应的卡片都对应着这样的卡片代码,就是收到相应的信号时显示所对应的图片:

1595933699810

第一个sprite共有五个卡片。

下图的三个卡片是程序的初始化和终止,对加密逻辑的分析没有影响,不用看。

左上的是当按下空格键时,程序开始运行(发出start_banner信号)。

左下的是当点击某个东西的时候,设置key=[], 程序运行状态为0

右边的是当i为某个数值时,发出显示某个图片的信号。

1595933654541

关键的逻辑代码是剩下的两个卡片:

左边的是加密后的数据

右边的是关键代码,加密很简单,就是异或33。

1595933889329

python模拟卡片代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
def encrypt():
    secret = [92,0,74,66,116,77,126,69,17,102,126,69,79,97,126,18,76,17,98,16,77,18,86,90,82,66,72,83,67,88,66]
    secret = secret[::-1]               # 可能唯一需要注意的地方就是这里了

    key = input('say me the key:')
    key = [ord(i) for i in key]

    test = []
    for i in range(len(key)):
        test.append(key[i] ^ 33)

    if len(test) == len(secret):
        is_ok = 1
        for i in range(len(test)):
            if (test[i] < secret[i]) or (test[i] > secret[i]):
                is_ok = 0
        if is_ok == 1:
            print('Well done!')
        else:
            print('No!!!!')
    else:
        print('No!!!!')

为啥要secret = secret[::-1]呢?

因为上图左侧的卡片,向secret插入数据时,是向列表的头插入的,而不是向列表尾插入的:

1595934135665

python解密

1
2
3
4
5
6
7
def decrypt():
    a = [92,0,74,66,116,77,126,69,17,102,126,69,79,97,126,18,76,17,98,16,77,18,86,90,82,66,72,83,67,88,66]
    a = a[::-1]                         # 可能唯一需要注意的地方就是这里了
    for i in a:
        print(chr(i ^ 33),end='')

decrypt()

cybrics{w3l1C0m3_@nd_G0d_lUck!}

polylot

题目简介大意是你掌握了多门语言了吗?

c语言

给出了一段c代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
char flagged[] = {78,6,10,80,30,69,0,68,77,83,13,92,1,68,22,68,12,2,90,62,120,68,1,76,29,3,5,71,23,16,88,84,3,28,13,84,28,85,0,1,4,1,16,19,19,28,68,84,3,28,13,84,28,85,0,1,4,1,16,19,16,14,105,43,30,27,22,70,17,68,68,85,92,79,31,62,120,57,1,79,24,2,68,72,82,70,5,77,24,10,68,14,82,82,68,10,77,27,85,15,19,29,85,13,77,13,90,9,72,70,5,77,24,10,68,78,73,61,110,92,86,98,110,71,23,93,20,77,12,27,1,19,78,69,10,82,4,8,10,86,22,16,13,79,25,79,6,13,127,58,23,85,31,26,7,71,82,68,85,29,93,67,68,81,76,16,31,44,103,102,1,93,7,93,68,90,77,25,5,95,7,85,68,28,77,95,68,78,73,61,110,92,86,98,110,71,23,93,20,77,12,27,1,19,78,69,10,82,4,8,10,86,22,16,13,79,25,79,5,31,82,69,10,82,4,8,10,86,22,16,13,79,25,79,6,13,127,58,23,85,31,26,7,71,82,68,86,1,22,98,110,58,23,94,17,76,77,20,68,69,19,92,17,68,77,82,68,2,82,27,68,85,95,83,5,30,67,28,68,67,83,85,94,69,19,92,17,68,77,18,95,62,120,77,95,44,103,27,1,94,2,92,5,85,8,79,88,70,28,67,13,70,3,10,0,19,27,94,16,1,15,81,105,57,1,68,22,84,14,27,68,71,64,12,84,13,77,13,90,19,9,61,110,40,8,1,17,94,82,75,68,87,12,3,17,86,82,13,68,16,77,68,68,71,64,12,84,13,77,13,73,2,76,10,94,87,12,3,17,86,82,77,95,44,103,18,95,62,120,68,1,76,29,3,5,71,23,12,90,44,103,28,16,65,7,83,16,1,25,93,88,3,94,16,84,31,22,98,110,19,82,16,68,68,3,26,9,19,9,16,18,64,1,26,1,19,79,16,84,92,86,98,110,78,73,61,110,87,2,6,0,19,22,85,7,78,9,10,76,70,28,67,13,70,3,10,0,19,17,88,5,83,77,69,0,82,6,81,72,1,24,1,23,90,21,94,1,69,77,6,10,71,82,70,5,77,68,20,105,57,82,16,68,1,24,1,23,90,21,94,1,69,77,6,10,71,82,26,20,85,31,79,89,19,0,85,13,79,25,10,22,67,0,85,16,126,14,14,23,71,78,69,10,82,4,8,10,86,22,16,13,79,25,79,78,13,90,84,5,85,12,70,95,62,120,16,68,1,77,24,12,90,30,85,68,9,71,31,16,65,82,17,89,1,93,70,68,72,127,58,68,1,77,79,68,19,82,16,78,81,25,29,68,14,82,26,20,85,31,79,58,19,4,81,8,26,96,101,68,19,82,16,68,1,77,79,18,82,30,16,89,1,69,25,5,95,82,110,68,9,27,14,8,19,78,12,68,16,68,70,68,109,82,0,28,66,95,94,81,7,64,1,82,26,96,101,68,19,82,16,68,1,77,79,20,71,0,16,79,28,77,94,95,62,120,16,68,1,77,18,105,57,15,61,110,84,3,28,13,84,28,85,0,1,14,7,5,65,82,86,8,64,10,8,1,87,41,109,68,28,77,20,81,31,69,8,72,16,85,89,72,2,68,5,72,19,93,87,72,11,65,28,85,17,90,67,86,0,65,28,85,18,90,67,93,3,94,1,83,18,65,93,86,31,67,1,72,20,88,67,82,7,94,1,84,19,65,94,86,3,94,9,82,13,92,89,80,31,74,6,72,25,91,67,80,3,94,5,87,13,89,87,72,7,68,28,86,21,93,67,85,10,67,28,83,24,65,94,82,0,94,1,80,22,65,87,83,31,67,4,80,13,92,92,72,6,70,28,80,22,65,94,84,6,94,2,84,20,65,93,81,2,94,1,82,18,65,94,82,11,94,2,86,17,65,93,80,2,94,4,81,13,95,95,87,31,67,0,81,13,85,92,72,2,69,6,72,22,92,67,85,2,67,28,82,19,65,88,84,31,64,2,85,13,84,92,72,2,68,28,86,16,85,67,80,7,94,9,82,13,92,87,93,31,67,8,83,13,92,88,87,31,67,6,81,13,85,91,72,1,69,28,85,22,93,67,83,5,94,7,83,13,95,95,80,31,65,7,72,16,84,86,72,11,70,28,86,17,94,67,87,0,94,2,81,18,65,92,86,31,67,9,72,19,93,89,72,0,74,28,86,24,65,86,93,31,67,6,84,13,91,86,72,11,67,28,85,20,90,67,85,6,69,28,85,19,89,67,85,1,68,28,82,25,65,94,80,2,94,9,83,13,92,87,84,31,67,3,92,13,92,89,72,1,64,0,72,19,95,94,72,1,66,1,72,16,84,89,72,4,68,28,87,19,65,88,80,31,67,3,83,13,92,92,84,31,64,3,85,13,92,95,72,2,71,7,72,16,89,86,72,2,68,3,72,16,89,91,72,1,71,4,72,23,93,67,82,2,94,2,85,21,65,94,81,7,94,6,84,13,88,95,72,11,67,28,80,20,65,94,92,31,74,4,72,16,91,89,72,2,68,7,72,18,90,67,85,4,66,28,86,18,89,67,86,3,68,28,85,25,89,67,84,31,67,3,87,13,92,95,72,2,66,2,72,21,91,67,85,10,64,28,86,18,89,67,85,0,66,28,83,13,92,95,83,31,64,5,85,13,92,90,92,31,67,1,83,13,92,88,85,31,67,0,72,24,85,67,92,11,94,1,84,24,65,87,85,31,68,0,72,16,93,87,72,2,69,2,72,19,89,67,92,4,94,6,87,13,92,93,81,31,68,28,87,16,65,93,80,5,94,1,80,18,65,88,83,31,67,7,93,13,92,89,86,31,67,0,83,13,92,87,85,31,67,0,86,13,92,95,84,31,67,0,80,13,89,93,72,2,65,0,72,19,94,88,72,2,68,9,72,16,94,94,72,2,71,8,72,16,85,95,72,6,64,28,85,18,88,67,81,10,94,1,82,13,92,89,81,31,74,2,72,16,93,87,72,2,67,9,72,19,92,67,85,7,70,28,85,16,94,67,86,4,94,2,85,24,65,94,84,2,94,2,84,13,92,89,83,31,67,6,80,13,92,89,82,31,64,5,80,13,91,90,72,1,68,28,86,19,88,67,85,6,94,7,82,13,95,94,82,31,65,8,72,19,92,91,72,2,67,28,86,18,84,67,85,4,94,2,84,25,65,94,84,31,67,9,72,19,93,89,72,0,74,28,86,24,65,86,82,31,64,0,92,13,91,95,72,0,69,28,86,21,88,67,86,7,64,28,85,25,65,94,84,10,94,7,80,13,92,91,93,31,75,6,72,16,85,94,72,2,65,9,72,23,92,67,86,7,68,28,86,19,92,67,86,3,67,28,85,24,91,67,83,5,94,1,84,17,65,94,81,31,64,0,83,13,92,92,84,31,67,9,84,13,90,93,72,1,71,4,72,19,88,95,72,1,70,1,72,16,88,93,72,1,70,7,72,18,85,67,85,5,94,2,81,19,65,94,81,7,94,6,84,13,88,95,72,11,67,28,80,20,65,94,92,31,74,4,72,16,91,89,72,1,70,5,72,24,91,67,86,6,70,28,85,24,92,67,85,6,68,28,86,21,91,67,84,31,67,4,93,13,94,86,72,4,68,28,87,13,95,92,80,31,64,3,80,13,92,92,84,31,69,28,80,20,65,93,80,0,94,1,83,20,65,88,87,31,67,6,83,13,92,67,93,10,94,1,93,13,89,89,72,0,94,6,83,13,92,94,84,31,67,8,85,13,95,90,72,10,64,28,87,18,65,91,86,31,71,6,72,20,93,67,86,7,64,28,85,18,92,67,83,3,94,1,82,18,65,94,80,4,94,6,80,13,92,91,92,31,75,7,72,22,85,67,85,3,70,28,80,19,65,94,87,3,94,1,83,21,65,93,87,4,94,2,81,19,65,93,84,11,94,2,80,16,65,86,93,31,67,3,81,13,94,87,72,2,68,28,86,21,92,67,85,2,94,6,84,13,88,95,72,4,66,28,85,20,85,67,85,11,94,8,80,13,92,90,93,31,65,2,72,24,91,67,86,6,70,28,86,21,89,67,86,1,69,28,86,21,91,67,84,31,69,2,72,19,94,93,72,3,94,7,82,13,95,95,82,31,70,1,72,19,93,89,72,11,70,28,86,17,91,67,86,1,94,2,81,17,65,94,84,31,67,9,72,19,93,89,72,0,74,28,86,24,65,86,82,31,64,0,92,13,91,95,72,0,69,28,86,21,88,67,86,7,64,28,85,25,65,94,84,10,94,7,80,13,92,91,93,31,75,6,72,16,85,94,72,2,65,9,72,23,92,67,86,7,68,28,86,19,92,67,86,3,67,28,85,24,91,67,83,5,94,1,84,17,65,94,81,31,64,0,83,13,92,92,84,31,67,7,80,13,85,90,72,2,75,5,72,16,84,91,72,1,64,9,72,16,89,87,72,1,67,8,72,16,95,67,85,5,94,2,81,19,65,94,81,7,94,6,84,13,88,95,72,11,67,28,80,20,65,94,92,31,74,4,72,16,91,89,72,1,70,5,72,24,91,67,86,6,70,28,85,24,92,67,85,6,68,28,86,21,91,67,84,31,67,4,93,13,94,86,72,4,68,28,87,13,95,92,80,31,64,3,80,13,92,92,84,31,69,28,85,17,90,67,85,11,75,28,86,17,85,67,85,3,94,1,83,21,65,94,85,31,74,9,72,24,89,67,87,7,94,8,72,16,95,94,72,7,65,28,85,23,92,67,86,6,94,1,84,24,65,91,87,31,68,3,72,20,91,67,87,10,94,2,87,17,65,93,84,7,94,3,82,13,95,93,84,31,64,2,85,13,95,95,72,2,71,2,72,22,91,67,85,3,66,28,85,17,89,67,80,1,94,1,87,17,65,94,83,7,94,2,87,22,65,93,81,1,94,2,84,25,65,93,80,2,94,9,93,13,92,92,81,31,65,8,72,16,91,67,86,7,67,28,85,16,65,89,84,31,71,0,72,22,93,67,85,6,74,28,85,25,65,87,80,31,67,5,93,13,94,93,72,10,68,28,86,20,89,67,85,11,65,28,85,22,95,67,85,4,74,28,82,24,65,89,92,31,67,3,93,13,92,95,86,31,65,28,85,21,92,67,85,3,70,28,85,18,93,67,83,31,67,9,80,13,88,86,72,1,66,8,72,16,93,67,85,10,94,2,84,23,65,92,92,31,64,9,72,24,91,67,86,3,74,28,82,17,65,92,83,31,64,4,81,13,95,91,86,31,67,8,72,16,93,86,72,4,70,28,85,21,84,67,93,5,94,1,92,16,65,94,87,10,94,6,85,13,95,91,82,31,64,2,85,13,92,92,92,31,67,3,93,13,95,67,81,6,94,9,85,13,92,90,82,31,67,4,86,13,92,92,85,31,67,1,84,13,95,94,85,31,64,0,92,13,95,91,85,31,67,5,86,13,95,91,83,31,65,8,72,16,91,67,86,6,64,28,85,20,89,67,82,3,94,5,84,13,85,94,72,7,71,28,85,25,65,87,80,31,67,6,82,13,95,91,81,31,75,6,72,19,88,91,72,2,75,1,72,16,88,89,72,1,70,6,72,17,65,94,80,10,94,3,93,13,90,89,72,0,94,2,87,21,65,93,87,7,94,2,84,21,65,88,84,31,65,8,72,19,89,87,72,2,65,1,72,23,65,94,93,4,94,1,85,16,65,92,92,31,64,9,72,16,93,86,72,4,68,28,82,17,65,92,83,31,64,2,82,13,85,89,72,2,74,28,85,17,84,67,85,2,71,28,85,19,92,67,93,5,94,1,92,16,65,94,93,1,94,9,72,19,89,89,72,1,64,1,72,19,93,67,85,6,64,28,83,23,65,94,84,3,94,1,84,21,65,91,86,31,67,3,84,13,92,88,80,31,64,3,83,13,95,90,86,31,64,0,92,13,92,89,81,31,71,4,72,19,92,90,72,2,66,6,72,25,88,67,86,7,75,28,85,16,95,67,82,1,94,1,84,17,65,89,83,31,64,1,92,13,92,89,72,11,70,28,86,16,90,67,85,2,67,28,81,17,65,93,81,7,94,1,92,24,65,93,86,4,94,1,93,16,65,88,92,31,69,2,72,19,89,91,72,2,65,28,83,22,65,93,84,1,94,4,81,13,92,92,92,31,69,3,72,16,89,93,72,2,67,6,72,16,89,88,72,4,71,28,93,20,65,94,81,4,94,4,83,13,84,89,72,2,66,5,72,19,95,95,72,2,69,28,85,20,65,93,80,6,94,2,80,19,65,94,92,31,67,0,93,13,90,91,72,2,70,9,72,24,91,67,85,11,67,28,85,18,84,67,82,2,94,2,80,23,65,93,86,2,94,2,84,16,65,94,93,5,94,7,82,13,92,95,84,31,67,5,72,19,93,88,72,2,65,0,72,16,90,91,72,5,74,28,86,16,92,67,86,3,74,28,86,21,92,67,85,6,64,28,86,21,90,67,87,11,94,1,82,13,95,90,86,31,64,2,84,13,92,94,80,31,69,7,72,16,85,67,93,11,94,8,82,13,92,88,72,2,68,8,72,16,85,93,72,7,69,28,85,19,84,67,86,7,75,28,86,16,94,67,85,11,68,28,82,24,65,93,85,10,94,1,84,19,65,94,72,4,66,28,86,18,93,67,85,10,75,28,85,23,85,67,83,31,67,0,83,13,92,87,93,31,64,0,92,13,92,95,72,1,65,2,72,23,84,67,87,11,94,2,93,13,92,95,93,31,69,6,72,23,93,67,87,4,94,2,86,23,65,87,82,31,67,8,72,16,93,86,72,2,67,5,72,16,95,94,72,10,68,28,85,25,92,67,85,10,64,28,93,13,95,91,82,31,64,2,85,13,95,95,72,2,71,2,72,22,91,67,85,3,66,28,80,23,65,94,84,3,94,2,81,18,65,93,87,4,94,1,82,19,65,94,92,7,94,1,80,24,65,93,81,6,94,3,86,13,95,95,84,31,74,9,72,24,89,67,85,4,68,28,83,17,65,94,86,2,94,6,86,13,92,95,83,31,67,8,84,13,92,87,72,11,70,28,85,20,84,67,87,1,94,9,82,13,95,90,80,31,64,4,80,13,95,93,83,31,64,4,82,13,93,67,83,1,94,1,82,23,65,88,82,31,65,28,85,21,92,67,85,3,70,28,85,18,93,67,83,31,67,9,80,13,88,86,72,1,66,8,72,16,93,67,85,10,94,2,84,23,65,92,92,31,64,9,72,24,91,67,86,3,74,28,82,17,65,86,93,31,67,8,83,13,92,91,85,31,74,1,72,18,89,67,85,7,94,2,84,25,65,94,85,3,94,2,80,23,65,94,93,5,94,6,82,13,92,88,82,31,67,4,92,13,92,90,81,31,67,5,85,13,95,91,72,7,66,28,83,17,65,94,86,10,94,1,93,24,65,93,86,7,94,1,85,13,95,93,87,31,64,5,87,13,95,94,93,31,67,5,86,13,95,91,83,31,65,8,72,16,91,67,86,6,64,28,85,20,89,67,82,3,94,5,84,13,85,94,72,7,71,28,85,25,65,87,80,31,67,6,82,13,95,91,81,31,75,6,72,19,88,91,72,2,75,1,72,16,88,89,72,1,70,6,72,17,65,94,80,10,94,3,93,13,90,89,72,0,94,2,87,21,65,93,87,7,94,1,87,17,65,88,72,2,66,7,72,19,88,94,72,2,71,8,72,16,92,88,72,2,69,1,72,16,93,67,93,11,94,8,92,13,84,86,72,2,71,28,85,16,88,67,93,3,94,1,83,21,65,93,80,31,75,3,72,20,90,67,81,3,94,5,93,13,92,95,92,31,67,5,86,13,95,92,80,31,75,28,86,21,91,67,86,1,67,28,86,17,65,94,81,1,94,7,82,13,92,95,84,31,67,0,80,13,89,93,72,2,65,0,72,16,90,91,72,1,65,7,72,19,88,93,72,1,66,8,72,19,89,94,72,10,75,28,85,18,88,67,87,11,94,1,82,13,95,91,85,31,67,1,72,23,93,67,81,3,94,7,84,13,92,90,92,31,67,8,72,25,89,67,85,6,75,28,87,19,65,92,92,31,67,7,82,13,92,92,93,31,67,6,84,13,92,87,81,31,68,8,72,16,94,67,85,5,74,28,85,20,65,88,82,31,64,4,86,13,89,89,72,1,66,8,72,23,91,67,85,0,71,28,85,17,84,67,85,7,71,28,92,25,65,89,80,31,67,9,80,13,92,94,72,6,71,28,93,23,65,93,84,11,94,6,84,13,94,88,72,1,70,5,72,19,89,93,72,2,74,28,85,17,84,67,83,7,94,1,80,24,65,86,82,31,67,8,85,13,92,92,93,31,68,1,72,19,89,89,72,1,64,1,72,19,93,94,72,2,75,6,72,22,91,67,85,3,66,28,85,20,65,93,84,4,94,1,87,17,65,94,83,7,94,6,92,13,95,94,85,31,64,0,92,13,95,91,85,31,67,5,86,13,92,88,83,31,67,0,80,13,92,94,85,31,67,9,85,13,95,94,87,31,67,2,84,13,92,94,93,31,75,5,72,16,92,95,72,10,65,28,80,18,65,93,86,10,94,1,83,23,65,91,80,31,67,7,92,13,95,92,87,31,64,2,85,13,92,89,80,31,74,3,72,16,88,89,72,2,66,28,85,17,95,67,87,31,64,3,80,13,95,92,80,31,67,3,84,13,90,87,72,0,69,28,86,21,94,67,85,7,75,28,92,25,65,93,87,3,94,5,92,13,85,86,72,10,70,28,87,21,65,87,72,2,64,1,72,24,93,67,85,6,69,28,92,23,65,94,81,31,67,0,93,13,89,87,72,5,67,28,87,16,65,93,81,2,94,1,87,18,65,86,80,31,64,1,93,13,95,91,83,31,64,0,72,16,88,93,72,4,68,28,85,17,93,67,81,11,94,1,85,16,65,93,85,7,94,2,81,16,65,94,93,2,94,1,83,25,65,93,84,11,94,1,92,21,65,91,81,31,64,0,85,13,84,86,72,5,68,28,86,19,93,67,87,0,94,1,83,13,95,91,72,3,94,1,80,18,65,94,92,31,69,3,72,16,88,86,72,2,66,0,72,18,90,67,85,11,70,28,85,25,84,67,85,4,65,28,85,22,84,67,85,1,69,28,85,21,65,93,80,0,94,2,72,23,89,67,85,0,65,28,85,19,95,67,85,7,64,28,86,16,65,93,84,5,94,1,86,16,65,93,85,6,94,8,82,13,92,94,85,31,67,5,84,13,88,91,72,2,65,28,82,17,65,94,83,1,94,1,84,17,65,90,87,31,64,2,92,13,92,87,81,31,67,1,84,13,88,92,72,10,66,28,85,18,88,67,85,10,94,2,84,16,65,93,85,2,94,4,81,13,95,92,84,31,64,1,92,13,92,86,83,31,67,9,82,13,91,87,72,2,66,28,82,21,65,94,86,10,94,1,93,24,65,94,82,1,94,7,83,13,95,93,87,31,64,0,92,13,95,91,93,31,67,4,81,13,95,90,80,31,67,1,72,20,85,67,85,11,68,28,85,18,91,67,82,3,94,4,83,13,85,94,72,2,66,5,72,25,90,67,85,11,94,2,87,24,65,94,92,4,94,3,83,13,92,93,93,31,64,4,93,13,95,95,85,31,67,8,80,13,91,88,72,2,71,7,72,20,89,67,82,7,94,1,92,13,95,92,84,31,67,6,92,13,92,92,87,31,74,3,72,19,94,67,86,1,75,28,85,24,95,67,86,5,94,1,92,17,65,90,83,31,67,2,82,13,92,92,72,2,64,5,72,21,85,67,85,3,66,28,82,16,65,93,80,2,94,4,86,13,90,91,72,2,64,5,72,24,85,67,85,3,94,2,92,13,95,92,83,31,64,0,92,13,95,90,72,1,70,1,72,19,93,86,72,1,66,28,85,21,89,67,87,7,94,4,87,13,94,87,72,2,67,1,72,16,89,93,72,2,68,7,72,19,95,90,72,1,71,2,72,19,92,89,72,1,70,6,72,21,89,67,86,2,65,28,93,25,65,93,87,31,64,5,87,13,95,67,81,0,94,3,85,13,92,95,92,31,64,1,82,13,92,67,92,7,94,1,87,17,65,92,86,31,65,6,72,16,85,88,72,2,69,8,72,16,90,95,72,2,74,4,72,23,84,67,81,6,94,2,86,21,65,93,81,31,69,7,72,19,93,89,72,10,68,28,85,21,91,67,85,2,94,2,85,17,65,90,81,31,67,4,82,13,92,92,72,4,67,28,85,22,85,67,85,1,68,28,85,18,65,94,85,1,94,1,80,25,65,89,80,31,67,2,81,13,95,93,93,31,64,2,83,13,92,94,84,31,71,3,72,25,95,67,85,0,70,28,86,25,65,93,87,4,94,1,81,20,65,91,80,31,67,3,87,13,92,89,85,31,67,4,81,13,95,94,86,31,75,2,72,24,84,67,87,31,64,0,83,13,92,92,92,31,67,9,86,13,92,94,72,2,71,7,72,16,89,86,72,1,71,3,72,16,88,93,72,1,70,7,72,18,94,67,85,2,75,28,85,25,92,67,86,3,70,28,85,19,92,67,81,3,94,2,92,13,92,95,80,31,67,8,72,16,85,67,86,0,70,28,85,25,93,67,87,10,94,2,86,25,65,94,93,2,94,1,81,20,65,93,81,6,94,1,86,13,92,91,93,31,70,7,72,22,88,67,83,7,94,1,82,21,65,94,92,5,94,2,85,20,65,87,87,31,67,0,92,13,92,88,83,31,64,1,83,13,94,67,85,10,69,28,85,16,92,67,93,5,94,9,72,16,93,86,72,11,67,28,82,17,65,86,83,31,67,6,83,13,92,89,72,10,67,28,87,20,65,90,80,31,68,28,87,25,65,93,86,7,94,1,80,19,65,88,80,31,64,5,80,13,95,95,80,31,64,4,72,16,88,93,72,10,71,28,85,17,89,67,85,3,70,28,85,17,89,67,85,0,65,28,86,18,89,67,85,7,71,28,85,23,89,67,85,10,64,28,86,19,89,67,87,10,94,2,81,16,65,94,86,5,94,0,72,19,95,88,72,4,75,28,82,21,65,94,84,5,94,8,82,13,92,91,85,31,74,6,72,21,93,67,85,10,75,28,80,25,65,94,85,5,94,1,92,23,65,94,87,5,94,1,92,22,65,93,87,3,94,2,85,13,92,93,72,1,67,8,72,19,93,67,85,10,94,1,81,23,65,91,80,31,64,5,80,13,84,90,72,1,67,0,72,21,88,67,85,7,74,28,85,16,85,67,83,6,94,2,86,19,65,91,93,31,74,9,72,19,85,67,85,0,68,28,80,21,65,89,85,31,67,7,83,13,92,91,86,31,69,0,72,21,92,67,81,7,94,2,84,20,65,94,85,1,94,1,82,23,65,93,84,4,94,6,81,13,92,87,80,31,67,5,87,13,92,87,85,31,67,5,82,13,84,93,72,0,74,28,83,20,65,94,83,10,94,2,85,25,65,94,93,3,94,7,72,16,88,94,72,2,69,2,72,16,91,92,72,1,64,0,72,16,94,86,72,2,64,6,72,17,65,93,86,11,94,2,86,19,65,89,80,31,67,0,82,13,91,90,72,2,67,0,72,25,91,67,80,3,94,2,81,21,65,93,86,10,94,3,83,13,92,87,82,31,67,9,81,13,92,86,82,31,64,3,84,13,91,88,72,1,66,9,72,24,92,67,86,3,94,1,93,13,92,88,86,31,67,7,80,13,95,90,80,31,75,5,72,16,95,92,72,1,70,8,72,16,89,87,72,2,67,8,72,16,90,89,72,11,70,28,81,21,65,87,93,31,67,7,72,19,93,67,80,6,94,5,86,13,92,89,82,31,70,2,72,22,93,67,80,2,94,1,81,13,94,92,72,2,67,3,72,16,91,88,72,2,65,2,72,16,92,88,72,2,69,4,72,19,93,90,72,4,94,2,86,17,65,91,92,31,68,0,72,16,95,94,72,6,74,28,85,24,85,67,86,2,66,28,85,25,92,67,86,0,68,28,85,24,88,67,85,11,67,28,87,16,65,93,86,0,94,5,80,13,85,90,72,2,74,1,72,16,92,86,72,2,66,0,72,18,88,67,92,6,94,2,85,25,65,94,85,3,94,1,86,13,92,91,87,31,75,8,72,18,91,67,85,0,66,28,85,25,91,67,85,5,69,28,85,18,85,67,92,11,94,8,93,13,92,88,92,31,74,28,85,19,90,67,86,2,65,28,85,19,93,67,85,6,70,28,82,22,65,94,93,3,94,9,93,13,92,86,87,31,64,5,72,25,90,67,85,4,74,28,85,19,91,67,85,0,94,1,85,18,65,94,80,11,94,6,80,13,92,93,81,31,64,2,93,13,95,93,83,31,74,6,72,16,90,67,80,31,64,0,93,13,95,87,72,1,64,5,72,19,93,88,72,5,71,28,85,22,89,67,86,3,71,28,86,16,91,67,85,1,74,28,80,25,65,89,84,31,65,0,72,19,95,94,72,2,75,8,72,19,92,95,72,1,74,28,85,24,88,67,85,7,68,28,85,25,92,67,86,1,74,28,85,22,88,67,81,6,94,0,72,16,85,91,72,1,65,0,72,16,93,95,72,0,70,28,86,18,65,94,84,6,94,1,85,17,65,94,86,31,67,8,87,13,95,93,81,31,65,6,72,16,94,95,72,1,65,1,72,16,89,95,72,1,64,9,72,23,85,67,86,0,65,28,85,19,90,67,93,1,94,6,81,13,92,88,80,31,67,5,84,13,95,94,92,31,64,2,72,16,95,89,72,1,70,9,72,16,90,93,72,11,64,28,86,21,84,67,92,0,94,9,83,13,92,93,72,7,74,28,80,25,65,94,84,3,94,5,87,13,95,91,87,31,64,28,85,16,93,67,81,0,94,9,93,13,92,95,81,31,68,0,72,19,93,94,72,2,71,2,72,19,88,67,86,0,66,28,85,23,92,67,83,5,94,1,86,25,65,86,81,31,64,4,72,21,85,67,81,11,94,1,80,22,65,93,81,3,94,1,80,20,65,94,82,7,94,1,93,19,65,93,86,6,94,6,87,13,95,90,85,31,67,2,82,13,93,67,86,1,70,28,85,16,84,67,85,3,66,28,80,19,65,87,81,31,64,2,82,13,90,91,72,5,74,28,85,21,95,67,85,3,69,28,86,25,65,94,82,5,94,2,86,25,65,93,80,3,94,1,82,21,65,94,86,7,94,1,82,13,92,86,84,31,75,4,72,25,90,67,86,7,67,28,80,25,65,94,80,5,94,2,86,13,92,92,80,31,69,1,72,16,94,89,72,1,69,28,80,13,92,88,92,31,67,2,82,13,88,67,85,2,71,28,85,22,95,67,85,3,66,28,81,18,65,93,86,11,94,1,80,19,65,88,80,31,67,2,81,13,84,94,72,1,65,3,72,20,91,67,85,5,71,28,85,20,88,67,85,1,67,28,85,18,85,67,85,0,65,28,86,16,91,67,86,1,66,28,82,18,65,93,80,31,74,7,72,19,95,92,72,2,70,6,72,19,88,95,72,6,68,28,85,18,84,67,85,10,64,28,86,19,90,67,85,10,68,28,85,18,84,67,85,1,68,28,84,13,95,92,82,31,67,9,92,13,91,91,72,2,66,6,72,23,88,67,82,3,94,1,85,17,65,94,86,31,67,9,84,13,95,92,84,31,64,8,72,16,91,89,72,2,69,5,72,16,89,93,72,2,70,6,72,16,95,91,72,1,66,5,72,20,88,67,93,1,94,1,86,23,65,93,87,11,94,1,92,18,65,93,81,7,94,9,81,13,92,93,87,31,67,7,81,13,92,92,86,31,67,1,92,13,92,88,82,31,74,5,72,20,94,67,82,6,94,1,83,13,95,95,72,7,70,28,81,20,65,94,82,5,94,4,86,13,90,91,72,2,64,4,72,16,93,89,72,6,94,5,82,13,92,89,80,31,64,1,83,13,92,94,83,31,67,7,80,13,95,95,81,31,70,28,86,17,89,67,80,11,94,6,84,13,92,93,84,31,68,2,72,19,95,93,72,1,67,0,72,16,85,94,72,1,65,6,72,16,84,91,72,2,74,1,72,18,92,67,86,1,65,28,81,20,65,87,85,31,67,4,85,13,85,92,72,7,71,28,80,18,65,90,92,31,67,9,92,13,95,67,82,11,94,2,86,22,65,94,86,3,94,1,86,17,65,93,87,4,94,1,87,23,65,94,92,4,94,2,87,17,65,94,83,31,71,2,72,19,88,91,72,11,70,28,85,23,65,93,80,2,94,4,92,13,92,91,82,31,64,1,72,16,94,91,72,4,67,28,85,18,91,67,86,4,94,1,85,13,92,92,87,31,75,0,72,23,84,67,85,2,64,28,85,24,89,67,85,2,66,28,92,24,65,94,83,0,94,2,87,21,65,87,85,31,67,7,72,16,85,67,85,0,65,28,85,16,94,67,86,3,67,28,86,16,92,67,80,6,94,2,87,17,65,94,81,0,94,1,92,16,65,94,81,5,94,9,87,13,92,93,80,31,67,2,80,13,92,88,93,31,64,1,92,13,92,86,84,31,74,4,72,16,94,95,72,2,69,2,72,16,91,86,72,2,64,8,72,16,85,95,72,10,74,28,85,17,85,67,85,5,70,28,85,18,84,67,85,1,68,28,82,20,65,91,81,31,67,1,83,13,95,67,82,11,94,1,82,16,65,93,80,10,94,7,83,13,95,94,86,31,67,9,85,13,92,90,82,31,64,4,82,13,93,67,85,7,75,28,87,24,65,88,82,31,65,28,86,18,89,67,86,0,70,28,85,18,93,67,83,31,67,0,83,13,92,87,93,31,64,0,92,13,92,95,72,1,65,2,72,22,90,67,83,1,94,8,86,13,94,90,72,10,94,4,92,13,94,88,72,1,71,1,72,22,84,67,87,3,94,1,84,24,65,86,92,31,67,0,83,13,92,94,87,31,67,8,81,13,92,86,86,31,67,6,72,19,94,87,72,1,66,9,72,19,93,67,85,0,69,28,93,18,65,94,85,1,94,1,84,17,65,91,86,31,67,4,83,13,92,86,84,31,64,4,92,13,95,91,84,31,64,0,92,13,95,93,80,31,67,1,80,13,92,91,82,31,70,2,72,16,91,67,86,1,70,28,86,20,65,91,83,31,68,2,72,22,93,67,85,0,75,28,84,13,85,87,72,2,71,9,72,20,90,67,85,2,75,28,86,21,95,67,86,7,70,28,86,21,95,67,86,0,66,28,85,23,65,89,92,31,67,6,82,13,85,86,72,2,74,28,85,19,84,67,85,3,70,28,85,21,90,67,86,0,94,2,85,16,65,90,81,31,64,0,92,13,94,94,72,5,94,1,93,21,65,92,92,31,74,28,85,16,84,67,86,1,66,28,82,17,65,91,92,31,64,3,84,13,95,90,80,31,67,8,72,16,95,95,72,10,70,28,85,20,94,67,93,5,94,1,82,16,65,94,80,4,94,4,93,13,95,91,82,31,64,0,85,13,95,95,92,31,64,0,84,13,90,89,72,2,67,3,72,18,92,67,85,10,71,28,85,18,93,67,85,11,69,28,92,19,65,93,86,0,94,2,84,25,65,93,86,7,94,1,87,23,65,93,86,10,94,4,86,13,92,89,72,1,65,7,72,16,94,89,72,7,67,28,82,19,65,87,85,31,70,2,72,16,95,89,72,2,69,28,86,18,95,67,85,4,74,28,81,19,65,94,92,1,94,1,93,16,65,93,84,10,94,1,93,16,65,87,87,31,64,1,82,13,92,95,86,31,64,4,72,23,89,67,85,5,64,28,86,18,88,67,85,0,65,28,85,16,65,94,84,4,94,2,85,24,65,94,80,6,94,7,84,13,92,87,83,31,66,28,80,19,65,93,93,31,67,2,80,13,91,91,72,5,66,28,81,18,65,93,87,11,94,8,82,13,92,95,86,31,68,3,72,18,85,67,82,3,94,1,84,20,65,94,92,6,94,2,87,22,65,92,81,31,64,4,82,13,95,93,85,31,64,0,72,16,88,93,72,4,68,28,85,17,93,67,85,3,70,28,80,19,65,94,87,3,94,1,83,21,65,93,87,4,94,2,81,19,65,93,84,11,94,2,80,16,65,86,93,31,67,3,81,13,94,87,72,1,70,28,86,21,91,67,83,2,94,1,86,16,65,94,86,7,94,6,81,13,92,91,82,31,67,8,72,25,94,67,86,3,69,28,85,16,89,67,80,2,94,1,83,23,65,94,82,3,94,2,86,25,65,93,81,3,94,0,72,22,84,67,86,6,64,28,81,13,85,92,72,2,65,8,72,16,93,95,72,2,65,0,72,17,65,94,87,1,94,4,86,13,95,94,81,31,68,28,85,24,65,93,84,2,94,9,82,13,92,90,72,2,66,3,72,19,92,88,72,6,65,28,92,13,95,93,87,31,67,8,84,13,90,67,85,3,75,28,92,22,65,94,80,10,94,3,82,13,95,91,84,31,64,0,81,13,92,94,82,31,67,8,80,13,92,90,86,31,67,8,86,13,92,92,84,31,64,5,72,21,95,67,83,5,94,1,93,24,65,94,80,5,94,1,82,19,65,89,92,31,67,9,80,13,95,93,84,31,67,7,93,13,92,90,93,31,67,6,87,13,84,95,72,4,64,28,86,18,91,67,85,0,74,28,82,21,65,94,84,5,94,7,87,13,91,93,72,2,67,0,72,16,95,67,85,11,64,28,86,19,84,67,82,2,94,1,87,17,65,93,87,2,94,1,80,17,65,93,87,3,94,8,80,13,95,92,87,31,67,2,83,13,84,93,72,2,74,28,85,25,95,67,85,6,66,28,86,16,85,67,86,0,94,1,86,18,65,94,93,0,94,1,87,23,65,94,92,31,64,5,85,13,88,88,72,2,64,6,72,16,94,67,85,1,70,28,92,13,91,91,72,2,64,5,72,19,89,93,72,4,67,28,92,24,65,94,83,31,70,3,72,16,93,90,72,2,64,0,72,19,94,94,72,2,74,8,72,25,92,67,86,0,67,28,85,20,85,67,82,7,94,2,86,25,65,93,84,31,67,1,82,13,92,93,86,31,67,1,84,13,95,90,80,31,64,4,82,13,95,90,87,31,64,3,92,13,92,88,86,31,67,6,93,13,92,93,87,31,67,4,92,13,84,95,72,4,64,28,86,19,88,67,86,5,94,6,80,13,92,95,82,31,74,6,72,16,89,92,72,2,67,0,72,16,95,67,85,7,65,28,80,25,65,91,82,31,67,3,84,13,92,88,86,31,64,4,87,13,95,92,92,31,74,4,72,20,95,67,86,6,70,28,93,19,65,94,83,31,64,0,85,13,95,95,72,1,67,8,72,19,94,67,86,3,75,28,83,16,65,94,87,5,94,1,92,13,93,67,85,4,74,28,85,19,91,67,85,0,94,1,85,18,65,94,83,1,94,1,84,17,65,90,87,31,64,2,92,13,92,91,86,31,69,4,72,16,95,90,72,10,66,28,86,17,84,67,86,11,94,2,87,22,65,94,81,6,94,4,81,13,92,92,87,31,67,6,85,13,92,91,81,31,64,1,86,13,84,93,72,10,75,28,87,13,92,86,93,31,64,3,82,13,95,93,81,31,67,0,72,16,88,95,72,1,64,0,72,19,89,94,72,1,71,4,72,16,85,93,72,2,66,6,72,23,90,67,85,11,71,28,85,20,93,67,82,3,94,5,87,13,91,92,72,10,74,28,82,23,65,94,83,31,67,6,83,13,95,91,86,31,67,0,92,13,95,90,80,31,67,8,80,13,95,93,93,31,67,7,93,13,85,95,72,2,70,8,72,18,95,67,82,10,94,1,81,13,95,92,80,31,64,2,82,13,92,92,87,31,68,5,72,16,95,95,72,2,74,6,72,19,95,95,72,2,66,28,86,18,84,67,87,31,71,0,72,19,91,67,93,4,94,7,82,13,88,86,72,2,67,7,72,16,90,89,72,0,67,28,93,19,65,90,83,31,67,1,82,13,92,94,86,31,67,0,81,13,92,90,86,31,64,3,80,13,90,86,72,1,64,7,72,19,92,92,72,1,75,28,85,25,92,67,85,3,64,28,83,18,65,89,82,31,70,2,72,16,94,95,72,2,69,4,72,19,94,88,72,1,64,0,72,19,89,95,72,1,66,9,72,23,90,67,85,5,69,28,84,13,93,67,84,31,66,77,95,44,103,6,10,71,82,93,5,72,3,71,77,72,127,58,68,1,77,79,0,86,17,95,0,68,69,9,8,82,21,87,1,69,65,79,16,1,78,0,28,66,12,12,5,3,66,0,84,13,77,27,86,15,70,4,80,13,77,27,85,15,6,2,88,16,93,95,72,19,6,1,88,21,65,92,90,9,72,70,5,77,24,10,90,9,72,70,5,77,24,10,72,19,6,2,88,21,89,67,68,71,67,12,85,16,65,92,90,9,72,70,5,77,24,10,90,9,72,70,5,77,24,10,90,9,72,70,5,77,24,10,90,9,72,70,5,77,24,10,90,9,72,70,5,77,24,10,77,8,127,58,68,1,77,79,23,71,22,10,94,66,2,26,16,19,78,12,68,71,1,14,3,84,23,84,68,29,81,28,16,87,72,10,1,79,9,3,95,62,120,77,100,33,0,0,0,0,0,0,0,0};

int main(){

    char *key = getenv("XKEY");
    if((!key) ||strncmp("mod3r0d!",key,8 )){
        puts(";[");
        return 1;
    }
    unsigned long long val = *(unsigned long long *)key;
    unsigned long long *ptr = (unsigned long long *)flagged;
    while (*ptr != 0) {
        *ptr = *ptr ^ val;
        ptr += 1;
    }
    puts(flagged);
}

main函数中有如下片段:

1
2
3
4
5
char *key = getenv("XKEY");
if((!key) ||strncmp("mod3r0d!",key,8 )){
    puts(";[");
    return 1;
}

从环境变量中查找XKEY并检测其值是否为mod3r0d!,如果没找到或其值不是mod3r0d!,则退出程序。绕过很简单,删掉这部分代码,并设置key = mod3r0d!

修改后的main函数为:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
int main(){

    /*char *key = getenv("XKEY");
    if((!key) ||strncmp("mod3r0d!",key,8 )){        //key = mod3r0d!
        puts(";[");
        return 1;
    }*/
    char *key = "mod3r0d!";
    unsigned long long val = *(unsigned long long *)key;
    unsigned long long *ptr = (unsigned long long *)flagged;
    while (*ptr != 0) {
        *ptr = *ptr ^ val;
        ptr += 1;
    }
    puts(flagged);
}

c++

运行后输出一段c++代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
#include <iostream>
template <unsigned int a, unsigned int b>
struct t1 {
        enum { value = b + t1<a-1, b>::value };
};
template <unsigned int b>
struct t1<0, b> {
        enum { value = 0 };
};
template <unsigned int a, unsigned int b>
struct t2 {
        enum { value = 1 + t2<a-1, b>::value };
};
template <unsigned int b>
struct t2<0, b> {
        enum { value = 1 + t2<0, b-1>::value };
};
template<>
struct t2<0, 0>{
    enum { value = 0};
};
void decode(unsigned char *data, unsigned int val){
    unsigned int *ptr = reinterpret_cast<unsigned int *>(data);
    while (*ptr != 0) {
        *ptr = *ptr ^ val;
        val = (val ^ (val << 1)) ^ 0xc2154216;
        ptr += 1;
    }
}
unsigned char flagged[] = {5,78,186,165,208,83,107,233,137,90,173,22,11,55,64,102,120,96,164,86,86,40,53,48,46,240,191,79,163,147,87,144,13,54,47,105,205,251,163,168,220,241,45,203,105,83,176,71,111,62,70,221,93,16,218,44,96,189,187,173,165,84,27,170,76,77,204,37,199,84,203,33,253,32,19,206,38,29,99,160,69,81,157,157,124,126,68,141,97,180,138,16,220,221,201,196,76,32,74,137,130,231,10,157,149,163,144,254,60,61,214,154,60,50,81,45,18,84,166,167,37,170,234,206,184,0,133,10,102,46,192,234,130,7,107,251,158,117,171,10,98,88,109,81,60,108,172,24,87,63,125,6,31,246,143,77,179,162,107,181,102,100,104,42,130,237,169,131,158,180,52,135,59,16,165,82,108,119,21,144,113,27,219,101,20,167,164,166,254,65,26,225,15,76,216,38,214,11,239,17,208,10,19,206,38,29,96,208,60,37,245,242,18,109,74,149,96,181,139,61,246,221,201,196,76,100,15,207,130,190,72,254,250,241,152,247,38,16,252,154,60,50,81,45,18,84,166,245,96,254,191,156,246,0,149,39,76,3,234,234,130,7,45,243,175,73,167,1,99,19,46,3,67,110,181,25,92,33,42,56,50,242,131,70,163,147,64,148,97,78,104,42,130,174,237,252,208,241,99,135,38,16,241,11,60,50,70,158,18,84,159,32,96,254,244,227,246,0,72,232,0,76,206,41,206,84,206,22,250,10,19,206,38,29,96,208,60,37,245,242,18,109,74,149,96,181,139,61,246,221,201,196,76,100,15,207,130,174,85,195,194,229,148,218,12,16,252,154,60,50,81,45,18,84,166,245,96,254,191,156,246,0,149,39,76,3,234,234,130,7,107,189,208,10,174,11,89,94,34,8,121,43,161,25,109,43,63,56,39,230,204,36,220,221,20,152,76,100,104,42,130,174,237,252,208,241,99,135,38,16,241,11,60,50,70,158,18,84,159,32,96,254,183,172,178,69,68,139,102,3,141,104,130,7,194,59,208,10,19,206,38,29,96,208,60,37,245,242,18,109,74,149,96,181,139,61,246,221,138,139,2,55,91,156,142,131,110,211,208,241,152,247,38,16,252,154,60,50,81,45,18,84,166,245,96,254,191,156,246,0,149,39,76,3,234,234,204,70,38,248,131,6,197,111,38,29,109,76,60,37,226,86,18,109,115,121,96,181,192,9,246,221,20,152,76,100,104,42,130,174,237,252,208,165,54,215,106,85,249,112,62,100,67,218,16,84,217,111,50,254,189,227,191,78,72,244,13,77,202,45,138,73,142,116,147,75,95,157,47,96,105,220,17,15,245,242,18,109,74,149,96,181,139,61,246,221,201,196,76,100,15,207,130,174,68,211,208,241,152,247,38,16,252,220,114,77,18,98,86,17,168,182,47,129,249,213,186,69,219,102,1,70,230,199,168,7,107,189,208,10,232,69,38,29,109,76,60,37,226,86,18,109,115,121,96,181,192,9,246,221,20,152,76,100,46,100,253,237,162,184,149,255,32,200,89,94,176,70,121,62,107,180,18,84,159,32,96,254,244,227,246,0,72,166,76,3,141,104,130,7,194,59,208,10,19,206,38,29,96,208,60,99,187,141,81,34,14,208,110,246,196,66,176,148,155,151,24,40,70,129,199,224,11,223,253,219,152,247,38,16,252,154,60,50,81,45,18,84,166,245,96,254,191,156,246,0,149,39,76,3,234,234,130,7,107,251,158,117,171,10,98,88,99,15,115,90,174,24,93,57,50,59,108,152,234,9,246,221,20,152,76,100,104,42,130,174,237,252,208,241,99,135,38,16,241,11,60,50,70,158,18,84,159,32,38,176,139,160,185,68,13,168,15,76,242,46,208,66,135,109,145,88,64,194,11,55,96,208,60,37,245,242,18,109,74,149,96,181,139,61,246,221,201,196,76,100,15,207,130,174,68,211,208,241,152,177,104,111,191,213,120,119,95,110,93,43,229,176,44,178,233,221,164,83,156,10,102,3,234,234,130,78,37,243,149,88,230,58,89,94,34,8,121,90,157,86,15,109,48,61,31,251,133,94,219,247,20,152,76,100,58,111,214,251,191,178,208,184,45,201,99,66,220,33,17,24,0,143,18,73,159,100,37,184,189,173,179,127,14,243,2,64,133,122,142,21,206,121,215,86,111,150,54,13,60,172,100,53,228,185,110,53,90,135,19,201,211,45,230,218,197,196,68,10,64,129,199,162,77,223,208,249,145,254,11,58,186,136,60,47,81,105,87,18,239,187,37,129,249,201,184,67,157,54,64,18,230,168,133,83,23,229,192,26,180,57,126,13,125,48,100,61,241,42,74,125,98,10,28,237,208,25,241,209,20,144,34,43,38,111,142,167,225,252,216,246,44,213,98,23,253,2,53,31,108,216,1,84,130,32,36,187,178,170,184,69,55,224,25,77,206,96,146,11,210,55,146,13,71,178,126,13,112,148,64,125,229,227,110,53,82,134,28,237,155,44,133,161,145,212,92,99,3,207,138,192,11,157,149,253,152,247,33,119,181,204,121,50,28,104,18,18,234,180,39,228,191,155,255,12,149,47,75,74,164,186,215,83,108,177,217,3,197,111,96,9,109,81,60,97,167,16,91,35,54,6,38,224,142,74,254,204,24,152,95,104,104,104,133,234,145,164,192,224,39,251,126,0,227,79,64,106,86,141,86,40,199,48,116,186,136,187,230,21,12,218,20,19,156,44,254,95,210,45,148,118,75,222,49,89,28,136,44,61,177,142,70,41,54,205,112,166,207,65,184,153,181,156,92,38,75,179,218,190,7,151,172,163,220,139,126,0,228,222,64,106,65,110,86,40,254,229,37,186,195,196,230,67,209,91,20,19,172,174,254,95,123,248,148,118,176,84,54,89,17,20,45,52,166,42,70,41,15,33,113,167,132,117,174,205,7,220,48,60,121,58,198,210,181,236,195,181,31,223,54,85,181,119,100,35,85,218,110,12,143,98,36,130,186,167,138,88,89,178,8,127,213,120,154,67,190,99,193,25,87,178,126,13,113,148,64,125,229,227,86,17,4,209,28,225,207,65,174,205,216,128,48,60,30,221,198,210,28,195,146,181,228,175,55,0,184,230,100,34,23,105,110,12,183,225,36,130,231,140,229,68,233,127,92,65,174,150,218,22,126,249,172,82,249,83,97,12,48,48,100,53,243,2,110,53,99,105,60,201,152,25,230,161,76,128,95,24,48,58,147,250,145,164,192,225,63,251,126,0,224,119,100,42,85,226,74,68,142,107,28,166,228,240,164,124,16,190,94,87,241,48,146,22,134,71,136,27,4,178,126,5,115,172,100,53,228,142,74,125,91,233,56,165,155,121,138,133,216,220,63,24,87,223,146,250,56,139,192,227,196,139,126,0,236,198,64,106,65,60,110,12,190,230,28,166,175,142,146,124,205,55,92,126,238,183,254,95,123,175,132,118,176,85,53,65,17,20,44,55,166,42,74,124,106,5,56,164,217,117,174,205,4,204,48,60,120,62,222,210,181,236,194,181,31,223,55,81,141,83,45,43,58,198,2,68,227,120,120,237,136,187,230,17,52,254,84,16,241,48,146,21,134,71,136,27,11,133,90,69,112,194,110,89,173,234,81,17,18,133,113,201,211,45,230,153,181,156,93,124,124,179,218,190,84,130,172,169,128,180,98,108,164,139,126,65,45,117,2,68,161,249,77,212,191,156,246,0,149,39,76,3,234,234,130,7,107,189,208,10,232,77,72,82,35,9,48,37,251,79,30,109,98,107,113,185,192,16,238,209,20,137,93,112,100,42,147,190,248,240,208,224,114,146,42,16,224,25,47,62,70,139,0,88,159,57,119,242,244,242,230,16,68,166,89,18,129,104,147,23,211,55,208,31,6,194,38,8,119,220,60,48,230,254,18,120,94,153,96,161,147,49,246,201,208,200,76,113,31,195,130,187,82,223,208,224,136,229,42,16,237,136,41,62,81,42,126,17,232,178,52,182,191,209,191,83,216,102,24,64,162,235,133,11,107,219,145,70,187,0,42,29,124,64,60,53,238,86,102,63,38,60,105,185,237,35,246,221,20,152,76,100,104,42,130,174,237,252,208,241,99,135,38,24,246,71,121,124,65,146,18,83,207,114,41,176,160,228,250,0,79,252,5,83,138,100,130,0,132,42,215,6,19,201,96,15,103,217,53,8,223,180,7,109,87,149,36,240,205,116,184,152,182,130,25,42,76,199,146,162,68,194,220,179,159,163,90,72,236,138,64,106,73,62,110,12,182,229,61,130,231,140,230,84,233,127,92,18,182,150,218,23,123,193,136,18,251,57,126,13,124,8,64,125,242,71,89,17,43,105,120,231,188,81,231,158,64,228,20,116,122,110,254,246,253,238,172,169,123,148,90,72,225,26,64,106,86,143,110,12,143,48,46,130,172,243,238,84,52,254,92,17,201,20,218,23,209,71,136,18,0,178,126,13,113,172,100,53,228,142,74,125,90,209,28,237,155,45,133,161,145,212,92,99,3,199,236,225,10,150,220,241,254,182,106,67,185,150,60,53,63,98,66,17,167,242,108,254,184,229,179,80,148,32,69,15,234,226,133,65,120,186,220,10,239,3,50,26,97,76,59,117,176,31,92,57,116,112,105,152,234,79,227,213,29,181,102,73,66,42,130,174,237,220,240,209,67,167,0,0,0,0};
int main(){
    decode(flagged, t2<0xcaca0000, t2<444, t1<t2<100, t1<4,3>::value>::value, t2<44, t1<11,3>::value>::value>::value>::value>::value);
    std::cout << flagged <<std::endl;
}

emmm,用到了模板的语法,我虽然不太懂template的语法,但是也很容易看出就是一个递归。

t1<a,b>可以归纳为a*b

t2<a,b>可以归纳为a+b

修改后的c++代码为:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
#include <iostream>

/*template <unsigned int a, unsigned int b>
struct t1 {
        enum { value = b + t1<a-1, b>::value };
};

template <unsigned int b>
struct t1<0, b> {
        enum { value = 0 };
};

template <unsigned int a, unsigned int b>
struct t2 {
        enum { value = 1 + t2<a-1, b>::value };
};

template <unsigned int b>
struct t2<0, b> {
        enum { value = 1 + t2<0, b-1>::value };
};

template<>
struct t2<0, 0>{
    enum { value = 0};
};*/

int f1(int a, int b){
    return a*b;
}

int f2(int a, int b){
    return a+b;
}

void decode(unsigned char *data, unsigned int val){
    unsigned int *ptr = reinterpret_cast<unsigned int *>(data);
    while (*ptr != 0) {
        *ptr = *ptr ^ val;
        val = (val ^ (val << 1)) ^ 0xc2154216;
        ptr += 1;
    }
}

unsigned char flagged[] = {5,78,186,165,208,83,107,233,137,90,173,22,11,55,64,102,120,96,164,86,86,40,53,48,46,240,191,79,163,147,87,144,13,54,47,105,205,251,163,168,220,241,45,203,105,83,176,71,111,62,70,221,93,16,218,44,96,189,187,173,165,84,27,170,76,77,204,37,199,84,203,33,253,32,19,206,38,29,99,160,69,81,157,157,124,126,68,141,97,180,138,16,220,221,201,196,76,32,74,137,130,231,10,157,149,163,144,254,60,61,214,154,60,50,81,45,18,84,166,167,37,170,234,206,184,0,133,10,102,46,192,234,130,7,107,251,158,117,171,10,98,88,109,81,60,108,172,24,87,63,125,6,31,246,143,77,179,162,107,181,102,100,104,42,130,237,169,131,158,180,52,135,59,16,165,82,108,119,21,144,113,27,219,101,20,167,164,166,254,65,26,225,15,76,216,38,214,11,239,17,208,10,19,206,38,29,96,208,60,37,245,242,18,109,74,149,96,181,139,61,246,221,201,196,76,100,15,207,130,190,72,254,250,241,152,247,38,16,252,154,60,50,81,45,18,84,166,245,96,254,191,156,246,0,149,39,76,3,234,234,130,7,45,243,175,73,167,1,99,19,46,3,67,110,181,25,92,33,42,56,50,242,131,70,163,147,64,148,97,78,104,42,130,174,237,252,208,241,99,135,38,16,241,11,60,50,70,158,18,84,159,32,96,254,244,227,246,0,72,232,0,76,206,41,206,84,206,22,250,10,19,206,38,29,96,208,60,37,245,242,18,109,74,149,96,181,139,61,246,221,201,196,76,100,15,207,130,174,85,195,194,229,148,218,12,16,252,154,60,50,81,45,18,84,166,245,96,254,191,156,246,0,149,39,76,3,234,234,130,7,107,189,208,10,174,11,89,94,34,8,121,43,161,25,109,43,63,56,39,230,204,36,220,221,20,152,76,100,104,42,130,174,237,252,208,241,99,135,38,16,241,11,60,50,70,158,18,84,159,32,96,254,183,172,178,69,68,139,102,3,141,104,130,7,194,59,208,10,19,206,38,29,96,208,60,37,245,242,18,109,74,149,96,181,139,61,246,221,138,139,2,55,91,156,142,131,110,211,208,241,152,247,38,16,252,154,60,50,81,45,18,84,166,245,96,254,191,156,246,0,149,39,76,3,234,234,204,70,38,248,131,6,197,111,38,29,109,76,60,37,226,86,18,109,115,121,96,181,192,9,246,221,20,152,76,100,104,42,130,174,237,252,208,165,54,215,106,85,249,112,62,100,67,218,16,84,217,111,50,254,189,227,191,78,72,244,13,77,202,45,138,73,142,116,147,75,95,157,47,96,105,220,17,15,245,242,18,109,74,149,96,181,139,61,246,221,201,196,76,100,15,207,130,174,68,211,208,241,152,247,38,16,252,220,114,77,18,98,86,17,168,182,47,129,249,213,186,69,219,102,1,70,230,199,168,7,107,189,208,10,232,69,38,29,109,76,60,37,226,86,18,109,115,121,96,181,192,9,246,221,20,152,76,100,46,100,253,237,162,184,149,255,32,200,89,94,176,70,121,62,107,180,18,84,159,32,96,254,244,227,246,0,72,166,76,3,141,104,130,7,194,59,208,10,19,206,38,29,96,208,60,99,187,141,81,34,14,208,110,246,196,66,176,148,155,151,24,40,70,129,199,224,11,223,253,219,152,247,38,16,252,154,60,50,81,45,18,84,166,245,96,254,191,156,246,0,149,39,76,3,234,234,130,7,107,251,158,117,171,10,98,88,99,15,115,90,174,24,93,57,50,59,108,152,234,9,246,221,20,152,76,100,104,42,130,174,237,252,208,241,99,135,38,16,241,11,60,50,70,158,18,84,159,32,38,176,139,160,185,68,13,168,15,76,242,46,208,66,135,109,145,88,64,194,11,55,96,208,60,37,245,242,18,109,74,149,96,181,139,61,246,221,201,196,76,100,15,207,130,174,68,211,208,241,152,177,104,111,191,213,120,119,95,110,93,43,229,176,44,178,233,221,164,83,156,10,102,3,234,234,130,78,37,243,149,88,230,58,89,94,34,8,121,90,157,86,15,109,48,61,31,251,133,94,219,247,20,152,76,100,58,111,214,251,191,178,208,184,45,201,99,66,220,33,17,24,0,143,18,73,159,100,37,184,189,173,179,127,14,243,2,64,133,122,142,21,206,121,215,86,111,150,54,13,60,172,100,53,228,185,110,53,90,135,19,201,211,45,230,218,197,196,68,10,64,129,199,162,77,223,208,249,145,254,11,58,186,136,60,47,81,105,87,18,239,187,37,129,249,201,184,67,157,54,64,18,230,168,133,83,23,229,192,26,180,57,126,13,125,48,100,61,241,42,74,125,98,10,28,237,208,25,241,209,20,144,34,43,38,111,142,167,225,252,216,246,44,213,98,23,253,2,53,31,108,216,1,84,130,32,36,187,178,170,184,69,55,224,25,77,206,96,146,11,210,55,146,13,71,178,126,13,112,148,64,125,229,227,110,53,82,134,28,237,155,44,133,161,145,212,92,99,3,207,138,192,11,157,149,253,152,247,33,119,181,204,121,50,28,104,18,18,234,180,39,228,191,155,255,12,149,47,75,74,164,186,215,83,108,177,217,3,197,111,96,9,109,81,60,97,167,16,91,35,54,6,38,224,142,74,254,204,24,152,95,104,104,104,133,234,145,164,192,224,39,251,126,0,227,79,64,106,86,141,86,40,199,48,116,186,136,187,230,21,12,218,20,19,156,44,254,95,210,45,148,118,75,222,49,89,28,136,44,61,177,142,70,41,54,205,112,166,207,65,184,153,181,156,92,38,75,179,218,190,7,151,172,163,220,139,126,0,228,222,64,106,65,110,86,40,254,229,37,186,195,196,230,67,209,91,20,19,172,174,254,95,123,248,148,118,176,84,54,89,17,20,45,52,166,42,70,41,15,33,113,167,132,117,174,205,7,220,48,60,121,58,198,210,181,236,195,181,31,223,54,85,181,119,100,35,85,218,110,12,143,98,36,130,186,167,138,88,89,178,8,127,213,120,154,67,190,99,193,25,87,178,126,13,113,148,64,125,229,227,86,17,4,209,28,225,207,65,174,205,216,128,48,60,30,221,198,210,28,195,146,181,228,175,55,0,184,230,100,34,23,105,110,12,183,225,36,130,231,140,229,68,233,127,92,65,174,150,218,22,126,249,172,82,249,83,97,12,48,48,100,53,243,2,110,53,99,105,60,201,152,25,230,161,76,128,95,24,48,58,147,250,145,164,192,225,63,251,126,0,224,119,100,42,85,226,74,68,142,107,28,166,228,240,164,124,16,190,94,87,241,48,146,22,134,71,136,27,4,178,126,5,115,172,100,53,228,142,74,125,91,233,56,165,155,121,138,133,216,220,63,24,87,223,146,250,56,139,192,227,196,139,126,0,236,198,64,106,65,60,110,12,190,230,28,166,175,142,146,124,205,55,92,126,238,183,254,95,123,175,132,118,176,85,53,65,17,20,44,55,166,42,74,124,106,5,56,164,217,117,174,205,4,204,48,60,120,62,222,210,181,236,194,181,31,223,55,81,141,83,45,43,58,198,2,68,227,120,120,237,136,187,230,17,52,254,84,16,241,48,146,21,134,71,136,27,11,133,90,69,112,194,110,89,173,234,81,17,18,133,113,201,211,45,230,153,181,156,93,124,124,179,218,190,84,130,172,169,128,180,98,108,164,139,126,65,45,117,2,68,161,249,77,212,191,156,246,0,149,39,76,3,234,234,130,7,107,189,208,10,232,77,72,82,35,9,48,37,251,79,30,109,98,107,113,185,192,16,238,209,20,137,93,112,100,42,147,190,248,240,208,224,114,146,42,16,224,25,47,62,70,139,0,88,159,57,119,242,244,242,230,16,68,166,89,18,129,104,147,23,211,55,208,31,6,194,38,8,119,220,60,48,230,254,18,120,94,153,96,161,147,49,246,201,208,200,76,113,31,195,130,187,82,223,208,224,136,229,42,16,237,136,41,62,81,42,126,17,232,178,52,182,191,209,191,83,216,102,24,64,162,235,133,11,107,219,145,70,187,0,42,29,124,64,60,53,238,86,102,63,38,60,105,185,237,35,246,221,20,152,76,100,104,42,130,174,237,252,208,241,99,135,38,24,246,71,121,124,65,146,18,83,207,114,41,176,160,228,250,0,79,252,5,83,138,100,130,0,132,42,215,6,19,201,96,15,103,217,53,8,223,180,7,109,87,149,36,240,205,116,184,152,182,130,25,42,76,199,146,162,68,194,220,179,159,163,90,72,236,138,64,106,73,62,110,12,182,229,61,130,231,140,230,84,233,127,92,18,182,150,218,23,123,193,136,18,251,57,126,13,124,8,64,125,242,71,89,17,43,105,120,231,188,81,231,158,64,228,20,116,122,110,254,246,253,238,172,169,123,148,90,72,225,26,64,106,86,143,110,12,143,48,46,130,172,243,238,84,52,254,92,17,201,20,218,23,209,71,136,18,0,178,126,13,113,172,100,53,228,142,74,125,90,209,28,237,155,45,133,161,145,212,92,99,3,199,236,225,10,150,220,241,254,182,106,67,185,150,60,53,63,98,66,17,167,242,108,254,184,229,179,80,148,32,69,15,234,226,133,65,120,186,220,10,239,3,50,26,97,76,59,117,176,31,92,57,116,112,105,152,234,79,227,213,29,181,102,73,66,42,130,174,237,220,240,209,67,167,0,0,0,0};
int main(){
    //decode(flagged, t2<0xcaca0000, t2<444, t1<t2<100, t1<4,3>::value>::value, t2<44, t1<11,3>::value>::value>::value>::value>::value);
    decode(flagged, f2(0xcaca0000, f2(444, f1(f2(100, f1(4, 3)), f2(44, f1(11, 3))))));
    std::cout << flagged <<std::endl;
}

python

上面代码输出一个python代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
import types

def define_func(argcount, nlocals, code, consts, names):
    #PYTHON3.8!!!
    def inner():
        return 0

    fn_code = inner.__code__
    cd_new = types.CodeType(argcount,
                             0,
                             fn_code.co_kwonlyargcount,
                             nlocals,
                             1024,
                             fn_code.co_flags,
                             code,
                             consts,
                             names,
                             tuple(["v%d" for i in range(nlocals)]),
                             fn_code.co_filename,
                             fn_code.co_name,
                             fn_code.co_firstlineno,
                             fn_code.co_lnotab,
                             fn_code.co_freevars,
                             fn_code.co_cellvars)
    inner.__code__ = cd_new
    return inner

f1 = define_func(2,2,b'|\x00|\x01k\x02S\x00', (None,), ())
f2 = define_func(1,1,b't\x00|\x00\x83\x01S\x00', (None,), ('ord',))
f3 = define_func(0,0,b't\x00d\x01\x83\x01S\x00', (None,  'Give me flag: '), ('input',))
f4 = define_func(1, 3, b'd\x01d\x02d\x03d\x04d\x05d\x01d\x06d\x07d\x08d\td\x03d\nd\x0bd\x0cd\rd\x08d\x0cd\x0ed\x0cd\x0fd\x0ed\x10d\x11d\td\x12d\x03d\x10d\x03d\x0ed\x13d\x0bd\nd\x14d\x08d\x13d\x01d\x01d\nd\td\x01d\x12d\x0bd\x10d\x0fd\x14d\x03d\x0bd\x15d\x16g1}\x01t\x00|\x00\x83\x01t\x00|\x01\x83\x01k\x03r\x82t\x01d\x17\x83\x01\x01\x00d\x18S\x00t\x02|\x00|\x01\x83\x02D\x00]$}\x02t\x03|\x02d\x19\x19\x00t\x04|\x02d\x1a\x19\x00\x83\x01\x83\x02d\x18k\x02r\x8c\x01\x00d\x18S\x00q\x8cd\x1bS\x00',
                 (None, 99, 121, 98, 114, 105, 115, 123, 52, 97, 100, 51, 101, 55, 57, 53, 54, 48, 49, 50, 56, 102, 125, 'Length mismatch!', False, 1, 0, True),
                 ('len', 'print', 'zip', 'f1', 'f2'))
f5 = define_func(0, 1,b't\x00\x83\x00}\x00t\x01|\x00\x83\x01d\x01k\x08r\x1ct\x02d\x02\x83\x01\x01\x00n\x08t\x02d\x03\x83\x01\x01\x00d\x00S\x00',(None, False, 'Nope!', 'Yep!'), ('f3', 'f4', 'print'))
f5()

emm,我这里python3.7没有成功运行,然后看到注释中说这是python3.8的代码。

python3.8我很早之前也有下载,不过没用过,vscode里面没配置好,无奈掏出祖传的IDLE。运行下,程序让我输入flag。看来这就是本题考察的最后一门编程语言了。

导入dis模块,该模块可以反编译python字节码。

define_func函数的return inner之前添加一行代码,print(dis.dis(cd_new))(return之前先把反编译的字节码打印出来),完整代码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
import types
import dis

def define_func(argcount, nlocals, code, consts, names):
    #PYTHON3.8!!!
    def inner():
        return 0

    fn_code = inner.__code__
    cd_new = types.CodeType(argcount,
                             0,
                             fn_code.co_kwonlyargcount,
                             nlocals,
                             1024,
                             fn_code.co_flags,
                             code,
                             consts,
                             names,
                             tuple(["v%d" for i in range(nlocals)]),
                             fn_code.co_filename,
                             fn_code.co_name,
                             fn_code.co_firstlineno,
                             fn_code.co_lnotab,
                             fn_code.co_freevars,
                             fn_code.co_cellvars)
    inner.__code__ = cd_new
    print(dis.dis(cd_new))
    return inner

f1 = define_func(2,2,b'|\x00|\x01k\x02S\x00', (None,), ())
f2 = define_func(1,1,b't\x00|\x00\x83\x01S\x00', (None,), ('ord',))
f3 = define_func(0,0,b't\x00d\x01\x83\x01S\x00', (None,  'Give me flag: '), ('input',))
f4 = define_func(1, 3, b'd\x01d\x02d\x03d\x04d\x05d\x01d\x06d\x07d\x08d\td\x03d\nd\x0bd\x0cd\rd\x08d\x0cd\x0ed\x0cd\x0fd\x0ed\x10d\x11d\td\x12d\x03d\x10d\x03d\x0ed\x13d\x0bd\nd\x14d\x08d\x13d\x01d\x01d\nd\td\x01d\x12d\x0bd\x10d\x0fd\x14d\x03d\x0bd\x15d\x16g1}\x01t\x00|\x00\x83\x01t\x00|\x01\x83\x01k\x03r\x82t\x01d\x17\x83\x01\x01\x00d\x18S\x00t\x02|\x00|\x01\x83\x02D\x00]$}\x02t\x03|\x02d\x19\x19\x00t\x04|\x02d\x1a\x19\x00\x83\x01\x83\x02d\x18k\x02r\x8c\x01\x00d\x18S\x00q\x8cd\x1bS\x00',
                 (None, 99, 121, 98, 114, 105, 115, 123, 52, 97, 100, 51, 101, 55, 57, 53, 54, 48, 49, 50, 56, 102, 125, 'Length mismatch!', False, 1, 0, True),
                 ('len', 'print', 'zip', 'f1', 'f2'))
f5 = define_func(0, 1,b't\x00\x83\x00}\x00t\x01|\x00\x83\x01d\x01k\x08r\x1ct\x02d\x02\x83\x01\x01\x00n\x08t\x02d\x03\x83\x01\x01\x00d\x00S\x00',(None, False, 'Nope!', 'Yep!'), ('f3', 'f4', 'print'))
f5()

输出为:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
  7           0 LOAD_FAST                0 (v%d)
              2 LOAD_FAST                1 (v%d)
              4 COMPARE_OP               2 (==)
              6 RETURN_VALUE
None
  7           0 LOAD_GLOBAL              0 (ord)
              2 LOAD_FAST                0 (v%d)
              4 CALL_FUNCTION            1
              6 RETURN_VALUE
None
  7           0 LOAD_GLOBAL              0 (input)
              2 LOAD_CONST               1 ('Give me flag: ')
              4 CALL_FUNCTION            1
              6 RETURN_VALUE
None
  7           0 LOAD_CONST               1 (99)
              2 LOAD_CONST               2 (121)
              4 LOAD_CONST               3 (98)
              6 LOAD_CONST               4 (114)
              8 LOAD_CONST               5 (105)
             10 LOAD_CONST               1 (99)
             12 LOAD_CONST               6 (115)
             14 LOAD_CONST               7 (123)
             16 LOAD_CONST               8 (52)
             18 LOAD_CONST               9 (97)
             20 LOAD_CONST               3 (98)
             22 LOAD_CONST              10 (100)
             24 LOAD_CONST              11 (51)
             26 LOAD_CONST              12 (101)
             28 LOAD_CONST              13 (55)
             30 LOAD_CONST               8 (52)
             32 LOAD_CONST              12 (101)
             34 LOAD_CONST              14 (57)
             36 LOAD_CONST              12 (101)
             38 LOAD_CONST              15 (53)
             40 LOAD_CONST              14 (57)
             42 LOAD_CONST              16 (54)
             44 LOAD_CONST              17 (48)
             46 LOAD_CONST               9 (97)
             48 LOAD_CONST              18 (49)
             50 LOAD_CONST               3 (98)
             52 LOAD_CONST              16 (54)
             54 LOAD_CONST               3 (98)
             56 LOAD_CONST              14 (57)
             58 LOAD_CONST              19 (50)
             60 LOAD_CONST              11 (51)
             62 LOAD_CONST              10 (100)
             64 LOAD_CONST              20 (56)
             66 LOAD_CONST               8 (52)
             68 LOAD_CONST              19 (50)
             70 LOAD_CONST               1 (99)
             72 LOAD_CONST               1 (99)
             74 LOAD_CONST              10 (100)
             76 LOAD_CONST               9 (97)
             78 LOAD_CONST               1 (99)
             80 LOAD_CONST              18 (49)
             82 LOAD_CONST              11 (51)
             84 LOAD_CONST              16 (54)
             86 LOAD_CONST              15 (53)
             88 LOAD_CONST              20 (56)
             90 LOAD_CONST               3 (98)
             92 LOAD_CONST              11 (51)
             94 LOAD_CONST              21 (102)
             96 LOAD_CONST              22 (125)
             98 BUILD_LIST              49
            100 STORE_FAST               1 (v%d)
            102 LOAD_GLOBAL              0 (len)
            104 LOAD_FAST                0 (v%d)
            106 CALL_FUNCTION            1
            108 LOAD_GLOBAL              0 (len)
            110 LOAD_FAST                1 (v%d)
            112 CALL_FUNCTION            1
            114 COMPARE_OP               3 (!=)
            116 POP_JUMP_IF_FALSE      130
            118 LOAD_GLOBAL              1 (print)
            120 LOAD_CONST              23 ('Length mismatch!')
            122 CALL_FUNCTION            1
            124 POP_TOP
            126 LOAD_CONST              24 (False)
            128 RETURN_VALUE
        >>  130 LOAD_GLOBAL              2 (zip)
            132 LOAD_FAST                0 (v%d)
            134 LOAD_FAST                1 (v%d)
            136 CALL_FUNCTION            2
            138 GET_ITER
        >>  140 FOR_ITER                36 (to 178)
            142 STORE_FAST               2 (v%d)
            144 LOAD_GLOBAL              3 (f1)
            146 LOAD_FAST                2 (v%d)
            148 LOAD_CONST              25 (1)
            150 BINARY_SUBSCR
            152 LOAD_GLOBAL              4 (f2)
            154 LOAD_FAST                2 (v%d)
            156 LOAD_CONST              26 (0)
            158 BINARY_SUBSCR
            160 CALL_FUNCTION            1
            162 CALL_FUNCTION            2
            164 LOAD_CONST              24 (False)
            166 COMPARE_OP               2 (==)
            168 POP_JUMP_IF_FALSE      140
            170 POP_TOP
            172 LOAD_CONST              24 (False)
            174 RETURN_VALUE
            176 JUMP_ABSOLUTE          140
        >>  178 LOAD_CONST              27 (True)
            180 RETURN_VALUE
None
  7           0 LOAD_GLOBAL              0 (f3)
              2 CALL_FUNCTION            0
              4 STORE_FAST               0 (v%d)
              6 LOAD_GLOBAL              1 (f4)
              8 LOAD_FAST                0 (v%d)
             10 CALL_FUNCTION            1
             12 LOAD_CONST               1 (False)
             14 COMPARE_OP               8 (is)
             16 POP_JUMP_IF_FALSE       28
             18 LOAD_GLOBAL              2 (print)
             20 LOAD_CONST               2 ('Nope!')
             22 CALL_FUNCTION            1
             24 POP_TOP
             26 JUMP_FORWARD             8 (to 36)
        >>   28 LOAD_GLOBAL              2 (print)
             30 LOAD_CONST               3 ('Yep!')
             32 CALL_FUNCTION            1
             34 POP_TOP
        >>   36 LOAD_CONST               0 (None)
             38 RETURN_VALUE
None
Give me flag:

一段一段分析:

f1

1
2
3
4
7           0 LOAD_FAST                0 (v%d)
            2 LOAD_FAST                1 (v%d)
            4 COMPARE_OP               2 (==)
            6 RETURN_VALUE

很简单,判断是否相等

f2

1
2
3
4
7           0 LOAD_GLOBAL              0 (ord)
            2 LOAD_FAST                0 (v%d)
            4 CALL_FUNCTION            1
            6 RETURN_VALUE

ord函数

f3

1
2
3
4
7           0 LOAD_GLOBAL              0 (input)
            2 LOAD_CONST               1 ('Give me flag: ')
            4 CALL_FUNCTION            1
            6 RETURN_VALUE

input_str = input('Give me flag: ')

f4

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
7           0 LOAD_CONST               1 (99)
            2 LOAD_CONST               2 (121)
            4 LOAD_CONST               3 (98)
            6 LOAD_CONST               4 (114)
            8 LOAD_CONST               5 (105)
           10 LOAD_CONST               1 (99)
           12 LOAD_CONST               6 (115)
           14 LOAD_CONST               7 (123)
           16 LOAD_CONST               8 (52)
           18 LOAD_CONST               9 (97)
           20 LOAD_CONST               3 (98)
           22 LOAD_CONST              10 (100)
           24 LOAD_CONST              11 (51)
           26 LOAD_CONST              12 (101)
           28 LOAD_CONST              13 (55)
           30 LOAD_CONST               8 (52)
           32 LOAD_CONST              12 (101)
           34 LOAD_CONST              14 (57)
           36 LOAD_CONST              12 (101)
           38 LOAD_CONST              15 (53)
           40 LOAD_CONST              14 (57)
           42 LOAD_CONST              16 (54)
           44 LOAD_CONST              17 (48)
           46 LOAD_CONST               9 (97)
           48 LOAD_CONST              18 (49)
           50 LOAD_CONST               3 (98)
           52 LOAD_CONST              16 (54)
           54 LOAD_CONST               3 (98)
           56 LOAD_CONST              14 (57)
           58 LOAD_CONST              19 (50)
           60 LOAD_CONST              11 (51)
           62 LOAD_CONST              10 (100)
           64 LOAD_CONST              20 (56)
           66 LOAD_CONST               8 (52)
           68 LOAD_CONST              19 (50)
           70 LOAD_CONST               1 (99)
           72 LOAD_CONST               1 (99)
           74 LOAD_CONST              10 (100)
           76 LOAD_CONST               9 (97)
           78 LOAD_CONST               1 (99)
           80 LOAD_CONST              18 (49)
           82 LOAD_CONST              11 (51)
           84 LOAD_CONST              16 (54)
           86 LOAD_CONST              15 (53)
           88 LOAD_CONST              20 (56)
           90 LOAD_CONST               3 (98)
           92 LOAD_CONST              11 (51)
           94 LOAD_CONST              21 (102)
           96 LOAD_CONST              22 (125)
           98 BUILD_LIST              49

crypt = [99,121,98,114,105,99,115,123,52,97,98,100,51,101,55,52,101,57,101,53,57,54,48,97,49,98,54,98,57,50,51,100,56,52,50,99,99,100,97,99,49,51,54,53,56,98,51,102,125]

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
         100 STORE_FAST               1 (v%d)
         102 LOAD_GLOBAL              0 (len)
         104 LOAD_FAST                0 (v%d)
         106 CALL_FUNCTION            1
         108 LOAD_GLOBAL              0 (len)
         110 LOAD_FAST                1 (v%d)
         112 CALL_FUNCTION            1
         114 COMPARE_OP               3 (!=)
116 POP_JUMP_IF_FALSE      130
         118 LOAD_GLOBAL              1 (print)
         120 LOAD_CONST              23 ('Length mismatch!')
         122 CALL_FUNCTION            1
         124 POP_TOP
         126 LOAD_CONST              24 (False)
         128 RETURN_VALUE
1
2
if len(crypt) != len(input_str):
    print('Length mismatch!')
1
2
3
4
5
>>  130 LOAD_GLOBAL              2 (zip)
    132 LOAD_FAST                0 (v%d)
    134 LOAD_FAST                1 (v%d)
    136 CALL_FUNCTION            2
    138 GET_ITER

zip(crypt,input_str)

zip函数的作用是啥看下图自己体会:

1595936237890

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
>>  140 FOR_ITER                36 (to 178)
    142 STORE_FAST               2 (v%d)
    144 LOAD_GLOBAL              3 (f1)
    146 LOAD_FAST                2 (v%d)
    148 LOAD_CONST              25 (1)
    150 BINARY_SUBSCR
    152 LOAD_GLOBAL              4 (f2)
    154 LOAD_FAST                2 (v%d)
    156 LOAD_CONST              26 (0)
    158 BINARY_SUBSCR
    160 CALL_FUNCTION            1
    162 CALL_FUNCTION            2
    164 LOAD_CONST              24 (False)
    166 COMPARE_OP               2 (==)
    168 POP_JUMP_IF_FALSE      140
    170 POP_TOP
    172 LOAD_CONST              24 (False)
    174 RETURN_VALUE
    176 JUMP_ABSOLUTE          140
>>  178 LOAD_CONST              27 (True)
    180 RETURN_VALUE

if f1(crypt[i], f2(input_str[i]))

f4合起来的逻辑就是:

1
2
3
4
5
6
crypt = [99,121,98,114,105,99,115,123,52,97,98,100,51,101,55,52,101,57,101,53,57,54,48,97,49,98,54,98,57,50,51,100,56,52,50,99,99,100,97,99,49,51,54,53,56,98,51,102,125]
temp = zip(crypt, input_str)
for t in temp:
	if t[0] != ord(t[1]):
		return Flase
return True

f5

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
7           0 LOAD_GLOBAL              0 (f3)
            2 CALL_FUNCTION            0
            4 STORE_FAST               0 (v%d)
            6 LOAD_GLOBAL              1 (f4)
            8 LOAD_FAST                0 (v%d)
           10 CALL_FUNCTION            1
           12 LOAD_CONST               1 (False)
           14 COMPARE_OP               8 (is)
           16 POP_JUMP_IF_FALSE       28
           18 LOAD_GLOBAL              2 (print)
           20 LOAD_CONST               2 ('Nope!')
           22 CALL_FUNCTION            1
           24 POP_TOP
           26 JUMP_FORWARD             8 (to 36)
      >>   28 LOAD_GLOBAL              2 (print)
           30 LOAD_CONST               3 ('Yep!')
           32 CALL_FUNCTION            1
           34 POP_TOP
      >>   36 LOAD_CONST               0 (None)
           38 RETURN_VALUE
1
2
3
4
5
f3()		#input
if f4():
	print('Yep!')
else:
    print('Nope!')

完整加密代码

1
2
3
4
5
6
7
8
9
10
11
12
13
def f4():
    crypt = [99,121,98,114,105,99,115,123,52,97,98,100,51,101,55,52,101,57,101,53,57,54,48,97,49,98,54,98,57,50,51,100,56,52,50,99,99,100,97,99,49,51,54,53,56,98,51,102,125]
    temp = zip(crypt, input_str)
    for t in temp:
        if t[0] != ord(t[1]):
            return False
    return True

input_str = input('Give me flag: ')
if f4():
	print('Yep!')
else:
    print('Nope!')

解密

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
asm = '''  7           0 LOAD_CONST               1 (99)
              2 LOAD_CONST               2 (121)
              4 LOAD_CONST               3 (98)
              6 LOAD_CONST               4 (114)
              8 LOAD_CONST               5 (105)
             10 LOAD_CONST               1 (99)
             12 LOAD_CONST               6 (115)
             14 LOAD_CONST               7 (123)
             16 LOAD_CONST               8 (52)
             18 LOAD_CONST               9 (97)
             20 LOAD_CONST               3 (98)
             22 LOAD_CONST              10 (100)
             24 LOAD_CONST              11 (51)
             26 LOAD_CONST              12 (101)
             28 LOAD_CONST              13 (55)
             30 LOAD_CONST               8 (52)
             32 LOAD_CONST              12 (101)
             34 LOAD_CONST              14 (57)
             36 LOAD_CONST              12 (101)
             38 LOAD_CONST              15 (53)
             40 LOAD_CONST              14 (57)
             42 LOAD_CONST              16 (54)
             44 LOAD_CONST              17 (48)
             46 LOAD_CONST               9 (97)
             48 LOAD_CONST              18 (49)
             50 LOAD_CONST               3 (98)
             52 LOAD_CONST              16 (54)
             54 LOAD_CONST               3 (98)
             56 LOAD_CONST              14 (57)
             58 LOAD_CONST              19 (50)
             60 LOAD_CONST              11 (51)
             62 LOAD_CONST              10 (100)
             64 LOAD_CONST              20 (56)
             66 LOAD_CONST               8 (52)
             68 LOAD_CONST              19 (50)
             70 LOAD_CONST               1 (99)
             72 LOAD_CONST               1 (99)
             74 LOAD_CONST              10 (100)
             76 LOAD_CONST               9 (97)
             78 LOAD_CONST               1 (99)
             80 LOAD_CONST              18 (49)
             82 LOAD_CONST              11 (51)
             84 LOAD_CONST              16 (54)
             86 LOAD_CONST              15 (53)
             88 LOAD_CONST              20 (56)
             90 LOAD_CONST               3 (98)
             92 LOAD_CONST              11 (51)
             94 LOAD_CONST              21 (102)
             96 LOAD_CONST              22 (125)'''
import re
lines = asm.split('\n')
for line in lines:
    num = re.search(r'\((\d+?)\)', line).group(1)
    print(chr(int(num)), end='')

没啥好解密的,因为没有任何加密的流程,直接就是明文比较。

cybrics{4abd3e74e9e5960a1b6b923d842ccdac13658b3f}

注意

可能会有人还没反编译,直接从一开始的python代码中发现:

1595942813416

并将其直接chr,得到cybris{4ad3e79560128f}

为啥不对呢?因为反编译中的数据是从这串数据中查表,并反编译到代码中的。当然不是flag啦。

hide_and_seek

还在研究(ㄒoㄒ)