Reverse-BUUCTF-1

本文最后更新于 2025年9月4日晚上

easyre

考点

二进制工具使用

int __fastcall main(int argc, const char **argv, const char **envp)
{
  int b; // [rsp+28h] [rbp-8h] BYREF
  int b_1; // [rsp+2Ch] [rbp-4h] BYREF

  _main();
  scanf("%d%d", &b_1, &b);
  if ( b_1 == b )
    printf("flag{this_Is_a_EaSyRe}");
  else
    printf("sorry,you can't get flag");
  return 0;
}

1
2
3

# Exp
## 因为它是以字符串常量出现，那么只要能看到二进制形式就能找到flag
flag{this_Is_a_EaSyRe}

reverse1

考点

字符替换

动态调试

int __fastcall main_0(int argc, const char **argv, const char **envp)
{
  char *v3; // rdi
  __int64 i; // rcx
  size_t __hello_world__; // rax
  char v7; // [rsp+0h] [rbp-20h] BYREF
  int j; // [rsp+24h] [rbp+4h]
  char Str1[224]; // [rsp+48h] [rbp+28h] BYREF
  __int64 j_1; // [rsp+128h] [rbp+108h]

  v3 = &v7;
  for ( i = 82LL; i; --i )
  {
    *(_DWORD *)v3 = -858993460;
    v3 += 4;
  }
  for ( j = 0; ; ++j )
  {
    j_1 = j;
    if ( j > j_strlen(Str2) )                   // "{hello_world}"
      break;
    if ( Str2[j] == 'o' )                       // "{hello_world}"
      Str2[j] = '0';                            // "{hello_world}"
  }
  sub_1400111D1("input the flag:");
  sub_14001128F("%20s", Str1);
  __hello_world__ = j_strlen(Str2);             // "{hello_world}"
  if ( !strncmp(
          Str1,
          Str2,                                 // "{hello_world}"
          __hello_world__) )
    sub_1400111D1("this is the right flag!\n");
  else
    sub_1400111D1("wrong flag\n");
  return 0;
}

# Exp
## 程序逻辑是将o替换成0
## 由于替换逻辑优先于check，且对已有的字符串进行替换，那么如果能调试，就可以获得flag
flag{hell0_w0rld}

reverse2

考点

字符替换

子进程

动态调试

int __fastcall main(int argc, const char **argv, const char **envp)
{
  int stat_loc; // [rsp+4h] [rbp-3Ch] BYREF
  int i; // [rsp+8h] [rbp-38h]
  __pid_t pid; // [rsp+Ch] [rbp-34h]
  char s2[24]; // [rsp+10h] [rbp-30h] BYREF
  unsigned __int64 v8; // [rsp+28h] [rbp-18h]

  v8 = __readfsqword(0x28u);
  pid = fork();
  if ( pid )
  {
    waitpid(pid, &stat_loc, 0);
  }
  else
  {
    // "{hacking_for_fun}"
    for ( i = 0; i <= strlen(flag); ++i )
    {
      if ( flag[i] == 'i' || flag[i] == 'r' )   // "{hacking_for_fun}"
        flag[i] = '1';                          // "{hacking_for_fun}"
    }
  }
  printf("input the flag:");
  __isoc99_scanf("%20s", s2);
  if ( !strcmp(
          flag,                                 // "{hacking_for_fun}"
          s2) )
    return puts("this is the right flag!");
  else
    return puts("wrong flag!");
}

# Exp
## 程序逻辑是将i、r替换成1
## 由于替换逻辑优先于check，且对已有的字符串进行替换，那么如果能调试，就可以获得flag
flag{hack1ng_fo1_fun}

内涵的软件

考点

二进制工具的使用

int __cdecl main_0(int argc, const char **argv, const char **envp)
{
  char v4[4]; // [esp+4Ch] [ebp-Ch] BYREF
  const char *DBAPP_49d3c93df25caad81232130f3d2ebfad_; // [esp+50h] [ebp-8h]
  int n5; // [esp+54h] [ebp-4h]

  n5 = 5;
  DBAPP_49d3c93df25caad81232130f3d2ebfad_ = "DBAPP{49d3c93df25caad81232130f3d2ebfad}";
  while ( n5 >= 0 )
  {
    printf(&Format_, n5);
    sub_40100A();
    --n5;
  }
  printf(asc_425088);
  v4[0] = 1;
  scanf("%c", v4);
  if ( v4[0] == 89 )
  {
    printf(aOd);
    return sub_40100A();
  }
  else
  {
    if ( v4[0] == 78 )
      printf(&Format__0);
    else
      printf(&Format__1);
    return sub_40100A();
  }
}

1
2
3

# Exp
## 打开就有
flag{49d3c93df25caad81232130f3d2ebfad}

新年快乐

考点

upx脱壳技术

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char Str2[14]; // [esp+12h] [ebp-3Ah] BYREF
  char Str1[44]; // [esp+20h] [ebp-2Ch] BYREF

  __main();
  strcpy(Str2, "HappyNewYear!");
  memset(Str1, 0, 32);
  printf("please input the true flag:");
  scanf("%s", Str1);
  if ( !strncmp(Str1, Str2, strlen(Str2)) )
    return puts("this is true flag!");
  else
    return puts("wrong!");
}

1
2
3

# EXP
## 使用upx.exe -d <filename>.exe来进行脱壳，当然也有手动脱壳的
flag{HappyNewYear!}

xor

考点

xor

int __fastcall main(int argc, const char **argv, const char **envp)
{
  int i; // [rsp+2Ch] [rbp-124h]
  char __b[264]; // [rsp+40h] [rbp-110h] BYREF

  memset(__b, 0, 0x100uLL);
  printf("Input your flag:\n");
  get_line(__b, 256LL);
  if ( strlen(__b) != 33 )
    goto LABEL_7;
  for ( i = 1; i < 33; ++i )
    __b[i] ^= __b[i - 1];
  if ( !strncmp(
          __b,
          global,                               // "f\nk\fw&O.@\x11x\rZ;U\x11p\x19F\x1Fv\"M#D\x0Eg\x06h\x0FG2O"
          0x21uLL) )
    printf("Success");
  else
LABEL_7:
    printf("Failed");
  return 0;
}

// EXP
// 这里用c脚本

#include<stdio.h>

unsigned char aFKWOXZUPFVMDGH[34] = {
    0x66, 0x0A, 0x6B, 0x0C, 0x77, 0x26, 0x4F, 0x2E, 0x40, 0x11, 0x78, 0x0D, 0x5A, 0x3B, 0x55, 0x11, 
    0x70, 0x19, 0x46, 0x1F, 0x76, 0x22, 0x4D, 0x23, 0x44, 0x0E, 0x67, 0x06, 0x68, 0x0F, 0x47, 0x32, 
    0x4F,0x00
    };

int main(){
    for (size_t i = 32; i > 0 ; i--){
        aFKWOXZUPFVMDGH[i] ^= aFKWOXZUPFVMDGH[i-1];
    }
    printf("%s",aFKWOXZUPFVMDGH);
    return 0; 
}

reverse3

考点

base64加密

base算法识别

int __cdecl main_0(int argc, const char **argv, const char **envp)
{
  size_t v3; // eax
  const char *Source; // eax
  size_t MaxCount; // eax
  char v7; // [esp+0h] [ebp-188h]
  char v8; // [esp+0h] [ebp-188h]
  signed int j; // [esp+DCh] [ebp-ACh]
  int i; // [esp+E8h] [ebp-A0h]
  signed int j_1; // [esp+E8h] [ebp-A0h]
  char Destination[108]; // [esp+F4h] [ebp-94h] BYREF
  char Str[28]; // [esp+160h] [ebp-28h] BYREF
  _BYTE v14[8]; // [esp+17Ch] [ebp-Ch] BYREF

  for ( i = 0; i < 100; ++i )
  {
    if ( (unsigned int)i >= 0x64 )
      j____report_rangecheckfailure();
    Destination[i] = 0;
  }
  sub_41132F("please enter the flag:", v7);
  sub_411375("%20s", (char)Str);
  v3 = j_strlen(Str);
  Source = (const char *)sub_4110BE(Str, v3, v14);
  strncpy(Destination, Source, 0x28u);
  j_1 = j_strlen(Destination);
  for ( j = 0; j < j_1; ++j )
    Destination[j] += j;
  MaxCount = j_strlen(Destination);
  if ( !strncmp(
          Destination,
          Str2,                                 // "e3nifIH9b_C@n@dH"
          MaxCount) )
    sub_41132F("rigth flag!\n", v8);
  else
    sub_41132F("wrong flag!\n", v8);
  return 0;
}

# Exp
## 使用base64加密算法以及加法实现加密，利用base64与减法解密算法实现逆向
import base64

enc = 'e3nifIH9b_C@n@dH'
enc = list(enc)

for i in range(len(enc)):
    enc[i] = chr(ord(enc[i])-i)

print('flag'+base64.b64decode(''.join(enc)).decode())

helloword

考点

java类APK文件

android反编译工具jeb、jadx等使用

package com.example.helloword;

import android.os.Bundle;
import android.support.v7.app.ActionBarActivity;
import android.view.Menu;
import android.view.MenuItem;

public class MainActivity extends ActionBarActivity {
    @Override  // android.support.v7.app.ActionBarActivity
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        this.setContentView(0x7F030018);  // layout:activity_main
    }

    @Override  // android.app.Activity
    public boolean onCreateOptionsMenu(Menu menu) {
        this.getMenuInflater().inflate(0x7F0C0000, menu);  // menu:main
        return true;
    }

    @Override  // android.app.Activity
    public boolean onOptionsItemSelected(MenuItem item) {
        return item.getItemId() == 0x7F05003C ? true : super.onOptionsItemSelected(item);  // id:action_settings
    }
}

1
2
3

# Exp
## flag在smali中
flag{7631a988259a00816deda84afb29430a}

不一样的flag

考点

maze类（5*5）

找起始点

是否是三维

int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  char _11110100001010000101111_[29]; // [esp+17h] [ebp-35h] BYREF
  int v4; // [esp+34h] [ebp-18h]
  int n4; // [esp+38h] [ebp-14h] BYREF
  int i; // [esp+3Ch] [ebp-10h]
  _BYTE v7[12]; // [esp+40h] [ebp-Ch] BYREF

  __main();
  _11110100001010000101111_[26] = 0;
  *(_WORD *)&_11110100001010000101111_[27] = 0;
  v4 = 0;
  strcpy(_11110100001010000101111_, "*11110100001010000101111#");
  while ( 1 )
  {
    puts("you can choose one action to execute");
    puts("1 up");
    puts("2 down");
    puts("3 left");
    printf("4 right\n:");
    scanf("%d", &n4);
    if ( n4 == 2 )
    {
      ++*(_DWORD *)&_11110100001010000101111_[25];
    }
    else if ( n4 > 2 )
    {
      if ( n4 == 3 )
      {
        --v4;
      }
      else
      {
        if ( n4 != 4 )
LABEL_13:
          exit(1);
        ++v4;
      }
    }
    else
    {
      if ( n4 != 1 )
        goto LABEL_13;
      --*(_DWORD *)&_11110100001010000101111_[25];
    }
    for ( i = 0; i <= 1; ++i )
    {
      if ( *(_DWORD *)&_11110100001010000101111_[4 * i + 25] > 4u )
        exit(1);
    }
    if ( v7[5 * *(_DWORD *)&_11110100001010000101111_[25] - 41 + v4] == '1' )
      exit(1);
    if ( v7[5 * *(_DWORD *)&_11110100001010000101111_[25] - 41 + v4] == '#' )
    {
      puts("\nok, the order you enter is the flag!");
      exit(0);
    }
  }
}

1
2
3

# Exp
## 自己画画或者写个脚本都行
flag{222441144222}

SimpleRev

考点

凯撒

动调

unsigned __int64 Decry()
{
  char n10; // [rsp+Fh] [rbp-51h]
  int v2; // [rsp+10h] [rbp-50h]
  int v3; // [rsp+14h] [rbp-4Ch]
  int i; // [rsp+18h] [rbp-48h]
  int i_1; // [rsp+1Ch] [rbp-44h]
  char src[8]; // [rsp+20h] [rbp-40h] BYREF
  __int64 v7; // [rsp+28h] [rbp-38h]
  int v8; // [rsp+30h] [rbp-30h]
  _QWORD v9[2]; // [rsp+40h] [rbp-20h] BYREF
  int v10; // [rsp+50h] [rbp-10h]
  unsigned __int64 v11; // [rsp+58h] [rbp-8h]

  v11 = __readfsqword(0x28u);
  *(_QWORD *)src = 0x534C43444ELL;
  v7 = 0LL;
  v8 = 0;
  v9[0] = 0x776F646168LL;
  v9[1] = 0LL;
  v10 = 0;
  text = (char *)join(
                   key3,                        // "kills"
                   v9);
  strcpy(key, key1);                            // "ADSFK"
  strcat(key, src);
  v2 = 0;
  v3 = 0;
  getchar();
  i_1 = strlen(key);
  for ( i = 0; i < i_1; ++i )
  {
    if ( key[v3 % i_1] > 64 && key[v3 % i_1] <= 90 )
      key[i] = key[v3 % i_1] + 32;
    ++v3;
  }
  printf("Please input your flag:");
  while ( 1 )
  {
    n10 = getchar();
    if ( n10 == 10 )
      break;
    if ( n10 == 32 )
    {
      ++v2;
    }
    else
    {
      if ( n10 <= 96 || n10 > 122 )
      {
        if ( n10 > 64 && n10 <= 90 )
        {
          str2[v2] = (n10 - 39 - key[v3 % i_1] + 97) % 26 + 97;
          ++v3;
        }
      }
      else
      {
        str2[v2] = (n10 - 39 - key[v3 % i_1] + 97) % 26 + 97;
        ++v3;
      }
      if ( !(v3 % i_1) )
        putchar(32);
      ++v2;
    }
  }
  if ( !strcmp(text, str2) )
    puts("Congratulation!\n");
  else
    puts("Try again!\n");
  return __readfsqword(0x28u) ^ v11;
}

# EXP

#include<stdio.h>
#include<string.h>
char enc[11] = "killshadow";
char key[11] = "ADSFKNDCLS";
int main(){
    size_t count = 0;
    for (size_t i = 0; key[i]; i++) {
        key[i] += 32;
    }
    for (size_t i = 0; i < strlen(enc); i++) {
        for (size_t alp = 'A'; alp <= 'z'; alp++) {
            char ans = alp;
            ans = (ans - 39 - key[i] + 97)% 26 + 97;
            if(ans == enc[i]){
                printf("%c",alp);
                break;
            }
        }
    }
}

[GXYCTF2019]luck_guy

考点

调试，逻辑理解

unsigned __int64 get_flag()
{
  unsigned int seed; // eax
  int i; // [rsp+4h] [rbp-3Ch]
  int j; // [rsp+8h] [rbp-38h]
  __int64 s; // [rsp+10h] [rbp-30h] BYREF
  char v5; // [rsp+18h] [rbp-28h]
  unsigned __int64 v6; // [rsp+38h] [rbp-8h]

  v6 = __readfsqword(0x28u);
  seed = time(0LL);
  srand(seed);
  for ( i = 0; i <= 4; ++i )
  {
    switch ( rand() % 200 )
    {
      case 1:
        puts("OK, it's flag:");
        memset(&s, 0, 0x28uLL);
        strcat((char *)&s, f1);                 // "GXY{do_not_"
        strcat((char *)&s, &f2);
        printf("%s", (const char *)&s);
        break;
      case 2:
        printf("Solar not like you");
        break;
      case 3:
        printf("Solar want a girlfriend");
        break;
      case 4:
        s = 0x7F666F6067756369LL;
        v5 = 0;
        strcat(&f2, (const char *)&s);
        break;
      case 5:
        for ( j = 0; j <= 7; ++j )
        {
          if ( j % 2 == 1 )
            *(&f2 + j) -= 2;
          else
            --*(&f2 + j);
        }
        break;
      default:
        puts("emmm,you can't find flag 23333");
        break;
    }
  }
  return __readfsqword(0x28u) ^ v6;
}

# Exp
## 程序是有问题的，f2的空间只有1，无法构成一个flag，所以得自己组合，正常循序（case）应该是4，5，1
enc = [0x69, 0x63, 0x75, 0x67, 0x60, 0x6F, 0x66, 0x7F]
for i in range(len(enc)):
    if i % 2 == 1:
        enc[i] -= 2
    else:
        enc[i] -= 1
print('flag{do_not_'+bytes(enc).decode())

# flag{do_not_hate_me}

Java逆向解密

考点

java类，class文件

反编译有很多jeb，jadx、ide都可以

import java.util.ArrayList;
import java.util.Scanner;

public class Reverse {
    public static void Encrypt(char[] arr_c) {
        ArrayList arrayList0 = new ArrayList();
        for(int v1 = 0; v1 < arr_c.length; ++v1) {
            arrayList0.add(Integer.valueOf(arr_c[v1] + 0x40 ^ 0x20));
        }

        ArrayList arrayList1 = new ArrayList();
        for(int v = 0; v < 18; ++v) {
            arrayList1.add(Integer.valueOf(new int[]{180, 0x88, 0x89, 0x93, 0xBF, 0x89, 0x93, 0xBF, 0x94, 0x88, 0x85, 0xBF, 0x86, 140, 0x81, 0x87, 0xBF, 65}[v]));
        }

        System.out.println("Result:");
        if(arrayList0.equals(arrayList1)) {
            System.out.println("Congratulations！");
            return;
        }

        System.err.println("Error！");
    }

    public static void main(String[] arr_s) {
        Scanner scanner0 = new Scanner(System.in);
        System.out.println("Please input the flag ：");
        String s = scanner0.next();
        System.out.println("Your input is ：");
        System.out.println(s);
        Reverse.Encrypt(s.toCharArray());
    }
}

# Exp
enc = [180, 0x88, 0x89, 0x93, 0xBF, 0x89, 0x93, 0xBF, 0x94, 0x88, 0x85, 0xBF, 0x86, 140, 0x81, 0x87, 0xBF, 65]
for i in range(len(enc)):
    enc[i] ^= 0x20
    enc[i] -= 0x40
    print(chr(enc[i]),end='')

[BJDCTF2020]JustRE

考点

win32API类

INT_PTR __stdcall DialogFunc(HWND hWnd, UINT n273, WPARAM n2, LPARAM a4)
{
  CHAR Buffer[100]; // [esp+0h] [ebp-64h] BYREF

  if ( n273 != 272 )
  {
    if ( n273 != 273 )
      return 0;
    if ( (_WORD)n2 != 1 && (_WORD)n2 != 2 )
    {
      sprintf(Buffer, &Format, ++n19999);
      if ( n19999 == 19999 )
      {
        sprintf(Buffer, " BJD{%d%d2069a45792d233ac}", 19999, 0);
        SetWindowTextA(hWnd, Buffer);
        return 0;
      }
      SetWindowTextA(hWnd, Buffer);
      return 0;
    }
    EndDialog(hWnd, (unsigned __int16)n2);
  }
  return 1;
}

1 2	`# Exp flag{1999902069a45792d233ac}`

刮开有奖

考点

win32API类

a1[0] = 90;
      a1[1] = 74;
      a1[2] = 83;
      a1[3] = 69;
      a1[4] = 67;
      a1[5] = 97;
      a1[6] = 78;
      a1[7] = 72;
      a1[8] = 51;
      a1[9] = 110;
      a1[10] = 103;
      sub_FE10F0(a1, 0, 10);
      memset(v9, 0, 0xFFFFu);
      v9[0] = String[5];
      v9[2] = String[7];
      v9[1] = String[6];
      v4 = (const char *)sub_FE1000(v9, strlen(v9));
      memset(v9, 0, 0xFFFFu);
      v9[1] = String[3];
      v9[0] = String[2];
      v9[2] = String[4];
      v5 = (const char *)sub_FE1000(v9, strlen(v9));
      if ( String[0] == a1[0] + 34
        && String[1] == a1[4]
        && 4 * String[2] - 141 == 3 * a1[2]
        && String[3] / 4 == 2 * (a1[7] / 9)
        && !strcmp(v4, "ak1w")
        && !strcmp(v5, "V1Ax") )
      {
        MessageBoxA(hDlg, "U g3t 1T!", "@_@", MB_OK);
      }
    }

# Exp
## 根据逻辑逆推即可，这里注意配合东条调试过sub_FE10F0函数获取enc
import base64
enc = [0x00000033, 0x00000043, 0x00000045, 0x00000048, 0x0000004A, 0x0000004E, 0x00000053, 0x0000005A, 0x00000061, 0x00000067, 0x0000006E]

String = [0]*11
String[0] = enc[0] + 34
String[1] = enc[4]
String[2] = (3 * enc[2] + 141) // 4
String[3] = 8 * (enc[7] // 9)

tmp = 'V1Ax'
tmpp = list(base64.b64decode(tmp))
String[2] = tmpp[0]
String[3] = tmpp[1]
String[4] = tmpp[2]

tmp = 'ak1w'
tmpp = list(base64.b64decode(tmp))
String[5] = tmpp[0]
String[6] = tmpp[1]
String[7] = tmpp[2]

print('flag{'+bytes(String).decode()+'}')
# flag{UJWP1jMp}

[ACTF新生赛2020]easyre

考点

upx脱壳

寻表

int __cdecl main(int argc, const char **argv, const char **envp)
{
  _BYTE _F___N___(I?_@[12]; // [esp+12h] [ebp-2Eh] BYREF
  _DWORD v5[3]; // [esp+1Eh] [ebp-22h]
  _BYTE v6[5]; // [esp+2Ah] [ebp-16h] BYREF
  int v7; // [esp+2Fh] [ebp-11h]
  int v8; // [esp+33h] [ebp-Dh]
  int v9; // [esp+37h] [ebp-9h]
  char n125; // [esp+3Bh] [ebp-5h]
  int i; // [esp+3Ch] [ebp-4h]

  __main();
  qmemcpy(_F___N___(I?_@, "*F'\"N,\"(I?+@", sizeof(_F___N___(I?_@));
  printf("Please input:");
  scanf("%s", v6);
  if ( v6[0] != 65 || v6[1] != 67 || v6[2] != 84 || v6[3] != 70 || v6[4] != 123 || n125 != 125 )
    return 0;
  v5[0] = v7;
  v5[1] = v8;
  v5[2] = v9;
  for ( i = 0; i <= 11; ++i )
  {
    if ( _F___N___(I?_@[i] != _data_start__[*((char *)v5 + i) - 1] )// "~}|{zyxwvutsrqponmlkjihgfedcba`_^]\\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-,+*)('&%$# !\""
      return 0;
  }
  printf("You are correct!");
  return 0;
}

# Exp
alp = [0x7E, 0x7D, 0x7C, 0x7B, 0x7A, 0x79, 0x78, 0x77, 0x76, 0x75, 0x74, 0x73, 0x72, 0x71, 0x70, 0x6F, 0x6E, 0x6D, 0x6C, 0x6B, 0x6A, 0x69, 0x68, 0x67, 0x66, 0x65, 0x64, 0x63, 0x62, 0x61, 0x60, 0x5F, 0x5E, 0x5D, 0x5C, 0x5B, 0x5A, 0x59, 0x58, 0x57, 0x56, 0x55, 0x54, 0x53, 0x52, 0x51, 0x50, 0x4F, 0x4E, 0x4D, 0x4C, 0x4B, 0x4A, 0x49, 0x48, 0x47, 0x46, 0x45, 0x44, 0x43, 0x42, 0x41, 0x40, 0x3F, 0x3E, 0x3D, 0x3C, 0x3B, 0x3A, 0x39, 0x38, 0x37, 0x36, 0x35, 0x34, 0x33, 0x32, 0x31, 0x30, 0x2F, 0x2E, 0x2D, 0x2C, 0x2B, 0x2A, 0x29, 0x28, 0x27, 0x26, 0x25, 0x24, 0x23, 0x20, 0x21, 0x22, 0x00]
value = [0x2A, 0x46, 0x27, 0x22, 0x4E, 0x2C, 0x22, 0x28, 0x49, 0x3F, 0x2B, 0x40, 0x60]
for i in range(len(value)):
    for j in range(32,97):
        if(alp[j-1] == value[i]):
            print(chr(j),end='')
            break
# flag{U9X_1S_W6@T?}

简单注册器

考点

java类：APK

位置变换

package com.example.flag;

import android.os.Bundle;
import android.support.v4.app.Fragment;
import android.support.v7.app.ActionBarActivity;
import android.view.LayoutInflater;
import android.view.Menu;
import android.view.MenuItem;
import android.view.View.OnClickListener;
import android.view.View;
import android.view.ViewGroup;
import android.widget.Button;
import android.widget.EditText;
import android.widget.TextView;

public class MainActivity extends ActionBarActivity {
    public static class PlaceholderFragment extends Fragment {
        @Override  // android.support.v4.app.Fragment
        public View onCreateView(LayoutInflater inflater, ViewGroup container, Bundle savedInstanceState) {
            return inflater.inflate(0x7F030018, container, false);  // layout:fragment_main
        }
    }

    @Override  // android.support.v7.app.ActionBarActivity
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        this.setContentView(0x7F030017);  // layout:activity_main
        if(savedInstanceState == null) {
            this.getSupportFragmentManager().beginTransaction().add(0x7F05003C, new PlaceholderFragment()).commit();  // id:container
        }

        Button button = (Button)this.findViewById(0x7F05003F);  // id:button1
        TextView textview = (TextView)this.findViewById(0x7F05003E);  // id:textView1
        button.setOnClickListener(new View.OnClickListener() {
            @Override  // android.view.View$OnClickListener
            public void onClick(View v) {
                int flag = 1;
                String s = ((EditText)this.findViewById(0x7F05003D)).getText().toString();  // id:editText1
                if(s.length() != 0x20 || s.charAt(0x1F) != 97 || s.charAt(1) != 98 || s.charAt(0) + s.charAt(2) - 0x30 != 56) {
                    flag = 0;
                }

                if(flag == 1) {
                    char[] arr_c = "dd2940c04462b4dd7c450528835cca15".toCharArray();
                    arr_c[2] = (char)(arr_c[2] + arr_c[3] - 50);
                    arr_c[4] = (char)(arr_c[2] + arr_c[5] - 0x30);
                    arr_c[30] = (char)(arr_c[0x1F] + arr_c[9] - 0x30);
                    arr_c[14] = (char)(arr_c[27] + arr_c[28] - 97);
                    for(int i = 0; i < 16; ++i) {
                        char a = arr_c[0x1F - i];
                        arr_c[0x1F - i] = arr_c[i];
                        arr_c[i] = a;
                    }

                    textview.setText("flag{" + arr_c + "}");
                    return;
                }

                textview.setText("输入注册码错误");
            }
        });
    }

    @Override  // android.app.Activity
    public boolean onCreateOptionsMenu(Menu menu) {
        this.getMenuInflater().inflate(0x7F0C0000, menu);  // menu:main
        return true;
    }

    @Override  // android.app.Activity
    public boolean onOptionsItemSelected(MenuItem item) {
        return item.getItemId() == 0x7F050040 ? true : super.onOptionsItemSelected(item);  // id:action_settings
    }
}

# Exp
arr_c = list(b"dd2940c04462b4dd7c450528835cca15")

arr_c[2] = (arr_c[2] + arr_c[3] - 50)
arr_c[4] = (arr_c[2] + arr_c[5] - 0x30)
arr_c[30] = (arr_c[0x1F] + arr_c[9] - 0x30)
arr_c[14] = (arr_c[27] + arr_c[28] - 97)

for i in range(16):
    a = arr_c[0x1F - i]
    arr_c[0x1F - i] = arr_c[i]
    arr_c[i] = a

print('flag{'+bytes(arr_c).decode()+'}')
# flag{59acc538825054c7de4b26440c0999dd}

[GWCTF 2019]pyre

考点

python类：pyc文件

pycdc等python反编译工具使用

# Source Generated with Decompyle++
# File: attachment.pyc (Python 2.7)

print 'Welcome to Re World!'
print 'Your input1 is your flag~'
l = len(input1)
for i in range(l):
    num = ((input1[i] + i) % 128 + 128) % 128
    code += num

for i in range(l - 1):
    code[i] = code[i] ^ code[i + 1]

print code
code = [
    '\x1f',
    '\x12',
    '\x1d',
    '(',
    '0',
    '4',
    '\x01',
    '\x06',
    '\x14',
    '4',
    ',',
    '\x1b',
    'U',
    '?',
    'o',
    '6',
    '*',
    ':',
    '\x01',
    'D',
    ';',
    '%',
    '\x13']

# Exp
## python2的逻辑有点不一样，code += num 相当于 code.append(num)
code = ['\x1f','\x12','\x1d','(','0','4','\x01','\x06','\x14','4',',','\x1b','U','?','o','6','*',':','\x01','D',';','%','\x13']
for i in range(len(code)):
    code[i] = ord(code[i])

for i in range(len(code)-2,-1,-1):
    code[i] ^= code[i+1] 
for i in range(len(code)):
    for alp in range(32,127):
        num = ((alp + i) % 128 + 128) % 128
        if num == code[i]:
            print(chr(alp),end='')
            break
# flag{Just_Re_1s_Ha66y!}

[ACTF新生赛2020]rome

考点

凯撒，针对大小写的变化

int func()
{
  int n65_1; // eax
  _DWORD v1[4]; // [esp+14h] [ebp-44h]
  unsigned __int8 n65; // [esp+24h] [ebp-34h] BYREF
  unsigned __int8 n67; // [esp+25h] [ebp-33h]
  unsigned __int8 n84; // [esp+26h] [ebp-32h]
  unsigned __int8 n70; // [esp+27h] [ebp-31h]
  unsigned __int8 n123; // [esp+28h] [ebp-30h]
  int v7; // [esp+29h] [ebp-2Fh]
  int v8; // [esp+2Dh] [ebp-2Bh]
  int v9; // [esp+31h] [ebp-27h]
  int v10; // [esp+35h] [ebp-23h]
  unsigned __int8 n125; // [esp+39h] [ebp-1Fh]
  char Qsw3sj_lz4_Ujw@l[17]; // [esp+3Bh] [ebp-1Dh] BYREF
  int i; // [esp+4Ch] [ebp-Ch]

  strcpy(Qsw3sj_lz4_Ujw@l, "Qsw3sj_lz4_Ujw@l");
  printf("Please input:");
  scanf("%s", &n65);
  n65_1 = n65;
  if ( n65 == 65 )
  {
    n65_1 = n67;
    if ( n67 == 67 )
    {
      n65_1 = n84;
      if ( n84 == 84 )
      {
        n65_1 = n70;
        if ( n70 == 70 )
        {
          n65_1 = n123;
          if ( n123 == 123 )
          {
            n65_1 = n125;
            if ( n125 == 125 )
            {
              v1[0] = v7;
              v1[1] = v8;
              v1[2] = v9;
              v1[3] = v10;
              for ( i = 0; i <= 15; ++i )
              {
                if ( *(v1 + i) > 64 && *(v1 + i) <= 90 )
                  *(v1 + i) = (*(v1 + i) - 51) % 26 + 65;
                if ( *(v1 + i) > 96 && *(v1 + i) <= 122 )
                  *(v1 + i) = (*(v1 + i) - 79) % 26 + 97;
              }
              for ( i = 0; i <= 15; ++i )
              {
                n65_1 = Qsw3sj_lz4_Ujw@l[i];
                if ( *(v1 + i) != n65_1 )
                  return n65_1;
              }
              return printf("You are correct!");
            }
          }
        }
      }
    }
  }
  return n65_1;
}

# Exp
code = list(b'Qsw3sj_lz4_Ujw@l')
for i in range(len(code)):
    for alp in range(32,127):
        if chr(alp).isalpha():
            if chr(alp).isupper():
                if (alp - 51) % 26 + 65 == code[i]:
                    print(chr(alp),end='')
                    break
            else:
                if (alp - 79) % 26 + 97 == code[i]:
                    print(chr(alp),end='')
                    break
        elif not chr(code[i]).isalpha():
            print(chr(code[i]),end='')
            break
# flag{Cae3ar_th4_Gre@t}

findit

考点

java类：APK

package com.example.findit;

import android.os.Bundle;
import android.support.v7.app.ActionBarActivity;
import android.view.MenuItem;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.TextView;

/* loaded from: classes.dex */
public class MainActivity extends ActionBarActivity {
    @Override // android.support.v7.app.ActionBarActivity, android.support.v4.app.FragmentActivity, android.app.Activity
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        Button btn = (Button) findViewById(R.id.widget3);
        final EditText edit = (EditText) findViewById(R.id.widget2);
        final TextView text = (TextView) findViewById(R.id.widget1);
        final char[] a = {'T', 'h', 'i', 's', 'I', 's', 'T', 'h', 'e', 'F', 'l', 'a', 'g', 'H', 'o', 'm', 'e'};
        final char[] b = {'p', 'v', 'k', 'q', '{', 'm', '1', '6', '4', '6', '7', '5', '2', '6', '2', '0', '3', '3', 'l', '4', 'm', '4', '9', 'l', 'n', 'p', '7', 'p', '9', 'm', 'n', 'k', '2', '8', 'k', '7', '5', '}'};
        btn.setOnClickListener(new View.OnClickListener() { // from class: com.example.findit.MainActivity.1
            @Override // android.view.View.OnClickListener
            public void onClick(View v) {
                char[] x = new char[17];
                char[] y = new char[38];
                for (int i = 0; i < 17; i++) {
                    if ((a[i] < 'I' && a[i] >= 'A') || (a[i] < 'i' && a[i] >= 'a')) {
                        x[i] = (char) (a[i] + 18);
                    } else if ((a[i] >= 'A' && a[i] <= 'Z') || (a[i] >= 'a' && a[i] <= 'z')) {
                        x[i] = (char) (a[i] - '\b');
                    } else {
                        x[i] = a[i];
                    }
                }
                String m = String.valueOf(x);
                if (m.equals(edit.getText().toString())) {
                    for (int i2 = 0; i2 < 38; i2++) {
                        if ((b[i2] >= 'A' && b[i2] <= 'Z') || (b[i2] >= 'a' && b[i2] <= 'z')) {
                            y[i2] = (char) (b[i2] + 16);
                            if ((y[i2] > 'Z' && y[i2] < 'a') || y[i2] >= 'z') {
                                y[i2] = (char) (y[i2] - 26);
                            }
                        } else {
                            y[i2] = b[i2];
                        }
                    }
                    String n = String.valueOf(y);
                    text.setText(n);
                    return;
                }
                text.setText("答案错了肿么办。。。不给你又不好意思。。。哎呀好纠结啊~~~");
            }
        });
    }

    @Override // android.app.Activity
    public boolean onOptionsItemSelected(MenuItem item) {
        int id = item.getItemId();
        if (id == R.id.action_settings) {
            return true;
        }
        return super.onOptionsItemSelected(item);
    }
}

code = ['p', 'v', 'k', 'q', '{', 'm', '1', '6', '4', '6', '7', '5', '2', '6', '2', '0', '3', '3', 'l', '4', 'm', '4', '9', 'l', 'n', 'p', '7', 'p', '9', 'm', 'n', 'k', '2', '8', 'k', '7', '5', '}']
code = [ord(i) for i in code]
for i in range(38):
    if chr(code[i]).isalpha():
        code[i] += 16
        if (code[i] > ord('Z') and code[i] < ord('a')) or code[i] >= ord('z'):
            code[i] -= 26
print(bytes(code).decode())
# flag{c164675262033b4c49bdf7f9cda28a75}

考点

html

凯撒

<!DOCTYPE Html />
<html>
    <head>
        <title>FLARE On 2017</title>
    </head>
    <body>
        <input type="text" name="flag" id="flag" value="Enter the flag" />
        <input type="button" id="prompt" value="Click to check the flag" />
        <script type="text/javascript">
            document.getElementById("prompt").onclick = function () {
                var flag = document.getElementById("flag").value;
                var rotFlag = flag.replace(/[a-zA-Z]/g, function(c){return String.fromCharCode((c <= "Z" ? 90 : 122) >= (c = c.charCodeAt(0) + 13) ? c : c - 26);});
                if ("PyvragFvqrYbtvafNerRnfl@syner-ba.pbz" == rotFlag) {
                    alert("Correct flag!");
                } else {
                    alert("Incorrect flag, rot again");
                }
            }
        </script>
    </body>
</html>

1
2
3

# Exp
# key = 13
flag{ClientSideLoginsAreEasy@flare-on.com}

rsa

考点

rsa基本算法

# Exp
import rsa
import gmpy2
e = 65537  # 一般都是固定的
# c = 0xad939ff59f6e70bcbfad406f2494993757eee98b91bc244184a377520d06fc35  # 密文
n = 86934482296048119190666062003494800588905656017203025617216654058378322103517  # 由公钥解析出：
p = 285960468890451637935629440372639283459  # n分解
q = 304008741604601924494328155975272418463 # n分解
# 已知公钥pub.ky，求解析得到e、n

# 通过n计算p、q

phin = (q - 1) * (p - 1)
d = gmpy2.invert(e, phin)

# 有.enc文件时如下处理：
key = rsa.PrivateKey(n, e, int(d), p, q)

with open(fr"C:\Users\Admin\Downloads\output\flag.enc", "rb+") as f:
    # 打开对应路径下的xxx.enc文件
    f = f.read()
flag = rsa.decrypt(f, key)
print(flag)
# flag{decrypt_256}

[WUSTCTF2020]level1

考点

基本运算逻辑

（文件读取）

int __fastcall main(int argc, const char **argv, const char **envp)
{
  int i; // [rsp+4h] [rbp-2Ch]
  FILE *stream; // [rsp+8h] [rbp-28h]
  _BYTE ptr[24]; // [rsp+10h] [rbp-20h] BYREF
  unsigned __int64 v7; // [rsp+28h] [rbp-8h]

  v7 = __readfsqword(0x28u);
  stream = fopen("flag", "r");
  fread(ptr, 1uLL, 0x14uLL, stream);
  fclose(stream);
  for ( i = 1; i <= 19; ++i )
  {
    if ( (i & 1) != 0 )
      printf("%ld\n", (ptr[i] << i));
    else
      printf("%ld\n", (i * ptr[i]));
  }
  return 0;
}

# Exp
## python
data = []
with open(fr"C:\Users\Admin\Downloads\level1\output.txt",'r') as f:
    for i in f:
        data.append(int(i.strip()))
for i in range(0,19):
    if (i+1) % 2 == 0:
        print(chr(data[i]//(i+1)),end='')
    else:
        print(chr(data[i] >> (i+1)),end='')

flag{d9-dE6-20c}

#include<stdio.h>
#include<string.h>
#include<Windows.h>
int main(){
    FILE * fp = NULL;
    fp = fopen("C:\\Users\\Admin\\Downloads\\level1\\output.txt","r");
    unsigned char data[MAX_PATH];

    size_t count = 0;
    int value;
    while (fscanf(fp, "%d", &value) != EOF) {
        ++ count;
        if(count % 2 == 0){
            printf("%c",value / count );
        }else{
            printf("%c",value >> count );
        }
    }

    fclose(fp);
}
//-----------------------------------------------------------------
#include<stdio.h>
#include<string.h>
#include<Windows.h>
int main(){
    FILE * fp = NULL;
    fp = fopen("C:\\Users\\Admin\\Downloads\\level1\\output.txt","r");
    unsigned char data[MAX_PATH];
    
    size_t count = 0;
    int value;
    char line[128];  // 缓冲区，一行最大长度
    while (fgets(line, sizeof(line), fp)) {
        // 去掉换行
        line[strcspn(line, "\r\n")] = 0;  


        int value = atoi(line);

        ++ count;
        if(count % 2 == 0){
            printf("%c",(char)(value / count) );
        }else{
            printf("%c",value >> count );
        }
    }
    fclose(fp);
}

[GUET-CTF2019]re

考点

upx脱壳

z3求解

_BOOL8 __fastcall sub_4009AE(char *a1)
{
  if ( 1629056 * *a1 != 166163712 )
    return 0LL;
  if ( 6771600 * a1[1] != 731332800 )
    return 0LL;
  if ( 3682944 * a1[2] != 357245568 )
    return 0LL;
  if ( 10431000 * a1[3] != 1074393000 )
    return 0LL;
  if ( 3977328 * a1[4] != 489211344 )
    return 0LL;
  if ( 5138336 * a1[5] != 518971936 )
    return 0LL;
  if ( 7532250 * a1[7] != 406741500 )
    return 0LL;
  if ( 5551632 * a1[8] != 294236496 )
    return 0LL;
  if ( 3409728 * a1[9] != 177305856 )
    return 0LL;
  if ( 13013670 * a1[10] != 650683500 )
    return 0LL;
  if ( 6088797 * a1[11] != 298351053 )
    return 0LL;
  if ( 7884663 * a1[12] != 386348487 )
    return 0LL;
  if ( 8944053 * a1[13] != 438258597 )
    return 0LL;
  if ( 5198490 * a1[14] != 249527520 )
    return 0LL;
  if ( 4544518 * a1[15] != 445362764 )
    return 0LL;
  if ( 3645600 * a1[17] != 174988800 )
    return 0LL;
  if ( 10115280 * a1[16] != 981182160 )
    return 0LL;
  if ( 9667504 * a1[18] != 493042704 )
    return 0LL;
  if ( 5364450 * a1[19] != 257493600 )
    return 0LL;
  if ( 13464540 * a1[20] != 767478780 )
    return 0LL;
  if ( 5488432 * a1[21] != 312840624 )
    return 0LL;
  if ( 14479500 * a1[22] != 1404511500 )
    return 0LL;
  if ( 6451830 * a1[23] != 316139670 )
    return 0LL;
  if ( 6252576 * a1[24] != 619005024 )
    return 0LL;
  if ( 7763364 * a1[25] != 372641472 )
    return 0LL;
  if ( 7327320 * a1[26] != 373693320 )
    return 0LL;
  if ( 8741520 * a1[27] != 498266640 )
    return 0LL;
  if ( 8871876 * a1[28] != 452465676 )
    return 0LL;
  if ( 4086720 * a1[29] != 208422720 )
    return 0LL;
  if ( 9374400 * a1[30] == 515592000 )
    return 5759124 * a1[31] == 719890500;
  return 0LL;
}

# Exp
## 少了一个等式，自己遍历一下吧
import binascii

import libnum
from z3 import *

a1 = [Int('v[%d]' % i) for i in range(32)]
s = Solver()

s.add(1629056 * a1[0] == 166163712 )
s.add(6771600 * a1[1] == 731332800 )
s.add(3682944 * a1[2] == 357245568 )
s.add(10431000 * a1[3] == 1074393000 )
s.add(3977328 * a1[4] == 489211344 )
s.add(5138336 * a1[5] == 518971936 )
s.add(7532250 * a1[7] == 406741500 )
s.add(5551632 * a1[8] == 294236496 )
s.add(3409728 * a1[9] == 177305856 )
s.add(13013670 * a1[10] == 650683500 )
s.add(6088797 * a1[11] == 298351053 )
s.add(7884663 * a1[12] == 386348487 )
s.add(8944053 * a1[13] == 438258597 )
s.add(5198490 * a1[14] == 249527520 )
s.add(4544518 * a1[15] == 445362764 )
s.add(3645600 * a1[17] == 174988800 )
s.add(10115280 * a1[16] == 981182160 )
s.add(9667504 * a1[18] == 493042704 )
s.add(5364450 * a1[19] == 257493600 )
s.add(13464540 * a1[20] == 767478780 )
s.add(5488432 * a1[21] == 312840624 )
s.add(14479500 * a1[22] == 1404511500 )
s.add(6451830 * a1[23] == 316139670 )
s.add(6252576 * a1[24] == 619005024 )
s.add(7763364 * a1[25] == 372641472 )
s.add(7327320 * a1[26] == 373693320 )
s.add(8741520 * a1[27] == 498266640 )
s.add(8871876 * a1[28] == 452465676 )
s.add(4086720 * a1[29] == 208422720 )
s.add(9374400 * a1[30] == 515592000 )
s.add(5759124 * a1[31] == 719890500)
flag = ''
if s.check() == sat:
    m = s.model()
    for i in range(32):
        try:
            ans = chr(m[a1[i]].as_long())
            flag += ans
        except:
            flag += '?'
print(flag)
#flag{e?65421110ba03099a1c039337}

CrackRTF

考点

API算法

hash爆破

rtf文件格式

int __cdecl sub_401230(BYTE *pbData, DWORD dwDataLen, LPSTR lpString1)
{
  DWORD i; // [esp+4Ch] [ebp-28h]
  CHAR String2[4]; // [esp+50h] [ebp-24h] BYREF
  BYTE pbData_1[20]; // [esp+54h] [ebp-20h] BYREF
  DWORD pdwDataLen; // [esp+68h] [ebp-Ch] BYREF
  HCRYPTHASH phHash; // [esp+6Ch] [ebp-8h] BYREF
  HCRYPTPROV phProv; // [esp+70h] [ebp-4h] BYREF

  // ;0xf0000000 -> CRYPT_VERIFYCONTEXT
  if ( !CryptAcquireContextA(&phProv, 0, 0, 1u, 0xF0000000) )
    return 0;
  if ( CryptCreateHash(phProv, CALG_SHA, 0, 0, &phHash) )
  {
    if ( CryptHashData(phHash, pbData, dwDataLen, 0) )
    {
      CryptGetHashParam(phHash, HP_HASHVAL, pbData_1, &pdwDataLen, 0);
      *lpString1 = 0;
      for ( i = 0; i < pdwDataLen; ++i )
      {
        wsprintfA(String2, "%02X", pbData_1[i]);
        lstrcatA(lpString1, String2);
      }
      CryptDestroyHash(phHash);
      CryptReleaseContext(phProv, 0);
      return 1;
    }
    else
    {
      CryptDestroyHash(phHash);
      CryptReleaseContext(phProv, 0);
      return 0;
    }
  }
  else
  {
    CryptReleaseContext(phProv, 0);
    return 0;
  }
}

int __cdecl sub_401040(BYTE *pbData, DWORD dwDataLen, LPSTR lpString1)
{
  DWORD i; // [esp+4Ch] [ebp-24h]
  CHAR String2[4]; // [esp+50h] [ebp-20h] BYREF
  BYTE pbData_1[16]; // [esp+54h] [ebp-1Ch] BYREF
  DWORD pdwDataLen; // [esp+64h] [ebp-Ch] BYREF
  HCRYPTHASH phHash; // [esp+68h] [ebp-8h] BYREF
  HCRYPTPROV phProv; // [esp+6Ch] [ebp-4h] BYREF

  // ;0xf0000000 -> CRYPT_VERIFYCONTEXT
  if ( !CryptAcquireContextA(&phProv, 0, 0, 1u, 0xF0000000) )
    return 0;
  if ( CryptCreateHash(phProv, CALG_MD5, 0, 0, &phHash) )
  {
    if ( CryptHashData(phHash, pbData, dwDataLen, 0) )
    {
      CryptGetHashParam(phHash, HP_HASHVAL, pbData_1, &pdwDataLen, 0);
      *lpString1 = 0;
      for ( i = 0; i < pdwDataLen; ++i )
      {
        wsprintfA(String2, "%02X", pbData_1[i]);
        lstrcatA(lpString1, String2);
      }
      CryptDestroyHash(phHash);
      CryptReleaseContext(phProv, 0);
      return 1;
    }
    else
    {
      CryptDestroyHash(phHash);
      CryptReleaseContext(phProv, 0);
      return 0;
    }
  }
  else
  {
    CryptReleaseContext(phProv, 0);
    return 0;
  }
}

int __cdecl main_0(int argc, const char **argv, const char **envp)
{
  size_t dwDataLen; // eax
  size_t dwDataLen_1; // eax
  char Destination_1[260]; // [esp+4Ch] [ebp-310h] BYREF
  int n100000; // [esp+150h] [ebp-20Ch]
  char String1[260]; // [esp+154h] [ebp-208h] BYREF
  char Destination[260]; // [esp+258h] [ebp-104h] BYREF

  memset(Destination, 0, sizeof(Destination));
  memset(String1, 0, sizeof(String1));
  n100000 = 0;
  printf("pls input the first passwd(1): ");
  scanf("%s", Destination);
  if ( strlen(Destination) != 6 )
  {
    printf("Must be 6 characters!\n");
    ExitProcess(0);
  }
  n100000 = atoi(Destination);
  if ( n100000 < 100000 )
    ExitProcess(0);
  strcat(Destination, "@DBApp");
  dwDataLen = strlen(Destination);
  sub_40100A((BYTE *)Destination, dwDataLen, String1);
  if ( !_strcmpi(String1, "6E32D0943418C2C33385BC35A1470250DD8923A9") )
  {
    printf("continue...\n\n");
    printf("pls input the first passwd(2): ");
    memset(Destination_1, 0, sizeof(Destination_1));
    scanf("%s", Destination_1);
    if ( strlen(Destination_1) != 6 )
    {
      printf("Must be 6 characters!\n");
      ExitProcess(0);
    }
    strcat(Destination_1, Destination);
    memset(String1, 0, sizeof(String1));
    dwDataLen_1 = strlen(Destination_1);
    sub_401019((BYTE *)Destination_1, dwDataLen_1, String1);
    if ( !_strcmpi("27019e688a4e62a649fd99cadaafdb4e", String1) )
    {
      if ( !(unsigned __int8)sub_40100F(Destination_1) )
      {
        printf("Error!!\n");
        ExitProcess(0);
      }
      printf("bye ~~\n");
    }
  }
  return 0;
}

# Exp
## 难点
## 1.识别算法，利用API（CryptCreateHash）来实现hash算法
## 2.对pwd的解密，这里有两个思路，比较巧妙的就是利用rtf的magic头来还原；第二直接解密md5（可以直接解密的）
import hashlib

tmp = '@DBApp'
hash_ans = '6E32D0943418C2C33385BC35A1470250DD8923A9'
for i in range(100000,1000000):
    ans = str(i) + tmp
    if hashlib.sha1(ans.encode()).hexdigest().upper() == hash_ans:
        print(i)
        tmp = ans
        break

rtf = b'{\\rtf1'
with open(fr"C:\Users\Admin\Downloads\AAA101.bin",'rb') as f:
    data = f.read()
key = []
for i in range(len(rtf)):
    key.append(rtf[i] ^ data[i])
pwd = bytes(key).decode() + tmp

data = list(data)
for i in range(len(data)):
    data[i] ^= ord(pwd[i%len(pwd)])
print(bytes(data).decode())
# flag{N0_M0re_Free_Bugs}

[WUSTCTF2020]level2

考点

upx脱壳

二进制工具使用

.text:0804887C ; __unwind {
.text:0804887C                 lea     ecx, [esp+4]
.text:08048880                 and     esp, 0FFFFFFF0h
.text:08048883                 push    dword ptr [ecx-4]
.text:08048886                 push    ebp
.text:08048887                 mov     ebp, esp
.text:08048889                 push    ecx
.text:0804888A                 sub     esp, 14h
.text:0804888D                 mov     [ebp+var_C], offset flag ; "wctf2020{Just_upx_-d}"
.text:08048894                 sub     esp, 0Ch
.text:08048897                 push    offset aWhereIsIt ; "where is it?"
.text:0804889C                 call    puts
.text:080488A1                 add     esp, 10h
.text:080488A4                 mov     eax, 0
.text:080488A9                 mov     ecx, [ebp+var_4]
.text:080488AC                 leave
.text:080488AD                 lea     esp, [ecx-4]
.text:080488B0                 retn
.text:080488B0 ; } // starts at 804887C
.text:080488B0 main            endp

1 2	`# Exp flag{Just_upx_-d}`

[MRCTF2020]Transform

考点

排序

xor

int __fastcall main(int argc, const char **argv, const char **envp)
{
  char Str[104]; // [rsp+20h] [rbp-70h] BYREF
  int j; // [rsp+88h] [rbp-8h]
  int i; // [rsp+8Ch] [rbp-4h]

  sub_402230(argc, argv, envp);
  sub_40E640("Give me your code:\n");
  sub_40E5F0("%s", Str);
  if ( strlen(Str) != 33 )
  {
    sub_40E640("Wrong!\n");
    system("pause");
    exit(0);
  }
  for ( i = 0; i <= 32; ++i )
  {
    byte_414040[i] = Str[dword_40F040[i]];
    byte_414040[i] ^= LOBYTE(dword_40F040[i]);
  }
  for ( j = 0; j <= 32; ++j )
  {
    if ( byte_40F0E0[j] != byte_414040[j] )
    {
      sub_40E640("Wrong!\n");
      system("pause");
      exit(0);
    }
  }
  sub_40E640("Right!Good Job!\n");
  sub_40E640("Here is your flag: %s\n", Str);
  system("pause");
  return 0;
}

# Exp
## 根据key来排序ans
code = [0x67, 0x79, 0x7B, 0x7F, 0x75, 0x2B, 0x3C, 0x52, 0x53, 0x79, 0x57, 0x5E, 0x5D, 0x42, 0x7B, 0x2D, 0x2A, 0x66, 0x42, 0x7E, 0x4C, 0x57, 0x79, 0x41, 0x6B, 0x7E, 0x65, 0x3C, 0x5C, 0x45, 0x6F, 0x62, 0x4D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]
key = [0x00000009, 0x0000000A, 0x0000000F, 0x00000017, 0x00000007, 0x00000018, 0x0000000C, 0x00000006, 0x00000001, 0x00000010, 0x00000003, 0x00000011, 0x00000020, 0x0000001D, 0x0000000B, 0x0000001E, 0x0000001B, 0x00000016, 0x00000004, 0x0000000D, 0x00000013, 0x00000014, 0x00000015, 0x00000002, 0x00000019, 0x00000005, 0x0000001F, 0x00000008, 0x00000012, 0x0000001A, 0x0000001C, 0x0000000E, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]
for i in range(33):
    code[i] ^= key[i]
ans = [0] * 33
for i in range(33):
    ans[key[i]] = code[i]
print(bytes(ans))

#-------------------------------------------------------------------
code = [0x67, 0x79, 0x7B, 0x7F, 0x75, 0x2B, 0x3C, 0x52, 0x53, 0x79, 0x57, 0x5E, 0x5D, 0x42, 0x7B, 0x2D, 0x2A, 0x66, 0x42, 0x7E, 0x4C, 0x57, 0x79, 0x41, 0x6B, 0x7E, 0x65, 0x3C, 0x5C, 0x45, 0x6F, 0x62, 0x4D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]
key = [0x00000009, 0x0000000A, 0x0000000F, 0x00000017, 0x00000007, 0x00000018, 0x0000000C, 0x00000006, 0x00000001, 0x00000010, 0x00000003, 0x00000011, 0x00000020, 0x0000001D, 0x0000000B, 0x0000001E, 0x0000001B, 0x00000016, 0x00000004, 0x0000000D, 0x00000013, 0x00000014, 0x00000015, 0x00000002, 0x00000019, 0x00000005, 0x0000001F, 0x00000008, 0x00000012, 0x0000001A, 0x0000001C, 0x0000000E, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]
for i in range(33):
    code[i] ^= key[i]
ans = [c for k,c in sorted(zip(key,code))]
# 等价于
# ans = [k ^ c for k,c in sorted(zip(key,code))]
## zip打包成字典
print(bytes(ans))

[2019红帽杯]easyRE

考点

xor

__int64 sub_4009C6()
{
  __int64 result; // rax
  int i; // [rsp+Ch] [rbp-114h]
  __int64 v2; // [rsp+10h] [rbp-110h]
  __int64 v3; // [rsp+18h] [rbp-108h]
  __int64 v4; // [rsp+20h] [rbp-100h]
  __int64 v5; // [rsp+28h] [rbp-F8h]
  __int64 v6; // [rsp+30h] [rbp-F0h]
  __int64 v7; // [rsp+38h] [rbp-E8h]
  __int64 v8; // [rsp+40h] [rbp-E0h]
  __int64 v9; // [rsp+48h] [rbp-D8h]
  __int64 v10; // [rsp+50h] [rbp-D0h]
  __int64 v11; // [rsp+58h] [rbp-C8h]
  _BYTE Iodl_Qnb(ocy[13]; // [rsp+60h] [rbp-C0h] BYREF
  char y.i_x7Fd_3w_wek9_iy__yL@EC[23]; // [rsp+6Dh] [rbp-B3h] BYREF
  char buf[32]; // [rsp+90h] [rbp-90h] BYREF
  int v15; // [rsp+B0h] [rbp-70h]
  char v16; // [rsp+B4h] [rbp-6Ch]
  char buf_1[72]; // [rsp+C0h] [rbp-60h] BYREF
  unsigned __int64 v18; // [rsp+108h] [rbp-18h]

  v18 = __readfsqword(0x28u);
  qmemcpy(Iodl_Qnb(ocy, "Iodl>Qnb(ocy", 12);
  Iodl_Qnb(ocy[12] = 127;
  qmemcpy(y.i_x7Fd_3w_wek9_iy__yL@EC, "y.i\x7Fd`3w}wek9{iy=~yL@EC", sizeof(y.i_x7Fd_3w_wek9_iy__yL@EC));
  memset(buf, 0, sizeof(buf));
  v15 = 0;
  v16 = 0;
  sub_4406E0(0, buf, 0x25uLL);
  v16 = 0;
  if ( ((__int64 (__fastcall *)(char *))strlen)(buf) == 0x24 )
  {
    for ( i = 0; i < (unsigned __int64)((__int64 (__fastcall *)(char *))strlen)(buf); ++i )
    {
      if ( (unsigned __int8)(buf[i] ^ i) != (char)Iodl_Qnb(ocy[i] )
      {
        result = 4294967294LL;
        goto LABEL_13;
      }
    }
    sub_410CC0("continue!");
    memset(buf_1, 0, 65);
    sub_4406E0(0, buf_1, 0x40uLL);
    buf_1[39] = 0;
    if ( ((__int64 (__fastcall *)(char *))strlen)(buf_1) == 39 )
    {
      v2 = base((const __m128i *)buf_1);
      v3 = base((const __m128i *)v2);
      v4 = base((const __m128i *)v3);
      v5 = base((const __m128i *)v4);
      v6 = base((const __m128i *)v5);
      v7 = base((const __m128i *)v6);
      v8 = base((const __m128i *)v7);
      v9 = base((const __m128i *)v8);
      v10 = base((const __m128i *)v9);
      v11 = base((const __m128i *)v10);
      if ( !(unsigned int)sub_400360(v11, (__int64)off_6CC090) )// "Vm0wd2VHUXhTWGhpUm1SWVYwZDRWVll3Wkc5WFJsbDNXa1pPVlUxV2NIcFhhMk0xVmpKS1NHVkdXbFpOYmtKVVZtcEtTMUl5VGtsaVJtUk9ZV3hhZVZadGVHdFRNVTVYVW01T2FGSnRVbGhhVjNoaFZWWmtWMXBFVWxSTmJFcElWbTAxVDJGV1NuTlhia0pXWWxob1dGUnJXbXRXTVZaeVdrWm9hVlpyV1hwV1IzaGhXVmRHVjFOdVVsWmlhMHBZV1ZSR1lWZEdVbFZTYlhSWFRWWndNRlZ0TVc5VWJGcFZWbXR3VjJKSFVYZFdha1pXWlZaT2NtRkhhRk5pVjJoWVYxZDBhMVV3TlhOalJscFlZbGhTY1ZsclduZGxiR1J5VmxSR1ZXSlZjRWhaTUZKaFZqSktWVkZZYUZkV1JWcFlWV3BHYTFkWFRrZFRiV3hvVFVoQ1dsWXhaRFJpTWtsM1RVaG9hbEpYYUhOVmJUVkRZekZhY1ZKcmRGTk5Wa3A2VjJ0U1ExWlhTbFpqUldoYVRVWndkbFpxUmtwbGJVWklZVVprYUdFeGNHOVhXSEJIWkRGS2RGSnJhR2hTYXpWdlZGVm9RMlJzV25STldHUlZUVlpXTlZadE5VOVdiVXBJVld4c1dtSllUWGhXTUZwell6RmFkRkpzVWxOaVNFSktWa1phVTFFeFduUlRhMlJxVWxad1YxWnRlRXRXTVZaSFVsUnNVVlZVTURrPQ=="
      {
        sub_410CC0("You found me!!!");
        sub_410CC0("bye bye~");
      }
      result = 0LL;
    }
    else
    {
      result = 4294967293LL;
    }
  }
  else
  {
    result = 0xFFFFFFFFLL;
  }
LABEL_13:
  if ( __readfsqword(0x28u) != v18 )
    sub_444020();
  return result;
}

unsigned __int64 sub_400D35()
{
  unsigned __int64 result; // rax
  unsigned int v1; // [rsp+Ch] [rbp-24h]
  int i; // [rsp+10h] [rbp-20h]
  int j; // [rsp+14h] [rbp-1Ch]
  unsigned int v4; // [rsp+24h] [rbp-Ch]
  unsigned __int64 v5; // [rsp+28h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  v1 = sub_43FD20(0LL) - qword_6CEE38;
  for ( i = 0; i <= 1233; ++i )
  {
    sub_40F790(v1);
    sub_40FE60();
    sub_40FE60();
    v1 = sub_40FE60() ^ 0x98765432;
  }
  v4 = v1;
  if ( ((unsigned __int8)v1 ^ unk_6CC0A0[0]) == 'f' && (HIBYTE(v4) ^ unk_6CC0A3) == 'g' )
  {
    for ( j = 0; j <= 24; ++j )
      sub_410E90((unsigned __int8)(unk_6CC0A0[j] ^ *((_BYTE *)&v4 + j % 4)));
  }
  result = __readfsqword(0x28u) ^ v5;
  if ( result )
    sub_444020();
  return result;
}

# Exp
## 真正的密文数据和base64密文数据相邻，通过交叉引用可以找到加密流程
## 程序也给出了提示flag头起步
tips = [0x49,0x6f,0x64,0x6c,0x3e,0x51,0x6e,0x62,0x28,0x6f,0x63,0x79,0x7f,0x79,0x2e,0x69,0x7f,0x64,0x60,0x33,0x77,0x7d,0x77,0x65,0x6b,0x39,0x7b,0x69,0x79,0x3d,0x7e,0x79,0x4c,0x40,0x45,0x43,]
for i in range(len(tips)):
    tips[i] ^= i
print(bytes(tips))

code = [0x40, 0x35, 0x20, 0x56, 0x5D, 0x18, 0x22, 0x45, 0x17, 0x2F, 0x24, 0x6E, 0x62, 0x3C, 0x27, 0x54, 0x48, 0x6C, 0x24, 0x6E, 0x72, 0x3C, 0x32, 0x45, 0x5B]
key = [38,89,65,49]
for i in range(len(code)):
    code[i] ^= key[i%len(key)]
print(bytes(code))
# flag{Act1ve_Defen5e_Test}

[MRCTF2020]Xor

考点

xor

int __cdecl main(int argc, const char **argv, const char **envp)
{
  unsigned int i; // eax

  sub_401020((int)"Give Me Your Flag String:\n");
  sub_401050("%s", byte_4212C0);
  if ( strlen(byte_4212C0) != 27 )
  {
LABEL_6:
    sub_401020((int)"Wrong!\n");
    sub_404B7E("pause");
    _loaddll(0);
    __debugbreak();
  }
  for ( i = 0; i < 0x1B; ++i )
  {
    if ( ((unsigned __int8)i ^ (unsigned __int8)byte_4212C0[i]) != byte_41EA08[i] )
      goto LABEL_6;
  }
  sub_401020((int)"Right!\n");
  sub_404B7E("pause");
  return 0;
}

# Exp
code = [0x4D, 0x53, 0x41, 0x57, 0x42, 0x7E, 0x46, 0x58, 0x5A, 0x3A, 0x4A, 0x3A, 0x60, 0x74, 0x51, 0x4A, 0x22, 0x4E, 0x40, 0x20, 0x62, 0x70, 0x64, 0x64, 0x7D, 0x38, 0x67]
for i in range(len(code)):
    code[i] ^= i
print(bytes(code))
# flag{@_R3@1ly_E2_R3verse!}

[MRCTF2020]hello_world_go

考点

go语言类

二进制代码理解

// main.main
void __golang main_main()
{
  __int64 v0; // rax
  io_Writer_0 typ; // [rsp+0h] [rbp-B0h]
  io_Reader_0 typa; // [rsp+0h] [rbp-B0h]
  io_Writer_0 typb; // [rsp+0h] [rbp-B0h]
  io_Writer_0 typc; // [rsp+0h] [rbp-B0h]
  _slice_interface__0 a; // [rsp+10h] [rbp-A0h]
  string_0 aa; // [rsp+10h] [rbp-A0h]
  _slice_interface__0 ab; // [rsp+10h] [rbp-A0h]
  _slice_interface__0 ac; // [rsp+10h] [rbp-A0h]
  char a_8; // [rsp+18h] [rbp-98h]
  _slice_interface__0 a_16a; // [rsp+20h] [rbp-90h]
  __int64 a_16; // [rsp+20h] [rbp-90h]
  string *p_string; // [rsp+60h] [rbp-50h]
  _slice_interface__0 v13; // [rsp+68h] [rbp-48h] BYREF
  char **OK_You_are_right_; // [rsp+80h] [rbp-30h]
  _QWORD array_1[2]; // [rsp+88h] [rbp-28h] BYREF
  _QWORD array[3]; // [rsp+98h] [rbp-18h] BYREF

  p_string = runtime_newobject(&RTYPE_string);
  array[0] = &RTYPE_string;
  array[1] = &off_4EA530;                       // "Please input the flag: "
  typ.tab = go_itab__ptr_os_File_comma_io_Writer;
  typ.data = os_Stdout;
  a.array = array;
  a.len = 1LL;
  a.cap = 1LL;
  fmt_Fprint(typ, a);
  array_1[0] = &RTYPE__ptr_string;
  array_1[1] = p_string;
  typa.tab = go_itab__ptr_os_File_comma_io_Reader;
  typa.data = os_Stdin;
  aa.str = "%s";
  aa.len = 2LL;
  a_16a.array = array_1;
  a_16a.len = 1LL;
  a_16a.cap = 1LL;
  fmt_Fscanf(typa, aa, a_16a);
  if ( p_string->len == 24 && (runtime_memequal(), a_8) )
  {
    v0 = 0LL;
  }
  else
  {
    runtime_cmpstring();
    if ( a_16 >= 0 )
      v0 = 1LL;
    else
      v0 = -1LL;
  }
  if ( v0 )
  {
    v13.array = &RTYPE_string;
    v13.len = &off_4EA550;                      // "Wrong"
    typc.tab = go_itab__ptr_os_File_comma_io_Writer;
    typc.data = os_Stdout;
    ac.array = &v13;
    ac.len = 1LL;
    ac.cap = 1LL;
    fmt_Fprintln(typc, ac);
  }
  else
  {
    v13.cap = &RTYPE_string;
    OK_You_are_right_ = &off_4EA540;            // "OK!You are right!"
    typb.tab = go_itab__ptr_os_File_comma_io_Writer;
    typb.data = os_Stdout;
    ab.array = &v13.cap;
    ab.len = 1LL;
    ab.cap = 1LL;
    fmt_Fprintln(typb, ab);
  }
}

# Exp
## 找到比较的那行代码，查看汇编能看到flag

# flag{hello_world_gogogo}

[ACTF新生赛2020]usualCrypt

考点

base64变表

动态调试

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v3; // esi
  _DWORD v5[3]; // [esp+8h] [ebp-74h] BYREF
  __int16 v6; // [esp+14h] [ebp-68h]
  char v7; // [esp+16h] [ebp-66h]
  char v8[100]; // [esp+18h] [ebp-64h] BYREF

  sub_403CF8(&error__n_);
  scanf("%s", v8);
  memset(v5, 0, sizeof(v5));
  v6 = 0;
  v7 = 0;
  sub_401080((int)v8, strlen(v8), (int)v5);
  v3 = 0;
  // "zMXHz3TIgnxLxJhFAdtZn2fFk3lYCrtPC2l9"
  while ( *((_BYTE *)v5 + v3) == aZmxhz3tignxlxj[v3] )
  {
    if ( ++v3 > strlen((const char *)v5) )
      goto LABEL_6;
  }
  sub_403CF8(aError);                           // "error!\n"
LABEL_6:
  if ( v3 - 1 == strlen(aZmxhz3tignxlxj) )      // "zMXHz3TIgnxLxJhFAdtZn2fFk3lYCrtPC2l9"
    // "Are you happy?yes!\n"
    return sub_403CF8(aAreYouHappyYes);
  else
    // "Are you happy?No!\n"
    return sub_403CF8(aAreYouHappyNo);
}

# Exp
## 可以通过动态调试的手段获取变表，最后还有一个大小写互换的操作
import base64
def Base64_change_decode(Str, enc):
    model = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    print(base64.b64decode(enc.translate(str.maketrans(Str, model))).decode())

alp = 'ABCDEFQRSTUVWXYPGHIJKLMNOZabcdefghijklmnopqrstuvwxyz0123456789+/'
enc = 'zMXHz3TIgnxLxJhFAdtZn2fFk3lYCrtPC2l9'.swapcase()
Base64_change_decode(alp,enc)

#flag{bAse64_h2s_a_Surprise}

[HDCTF2019]Maze

考点

Maze类

upx脱壳

花指令 ‘E8’

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int i; // [esp+10h] [ebp-14h]
  _BYTE v5[16]; // [esp+14h] [ebp-10h] BYREF

  sub_401140(aGoThroughTheMa);                  // "Go through the maze to get the flag!\n"
  scanf("%14s", v5);
  for ( i = 0; i <= 13; ++i )
  {
    switch ( v5[i] )
    {
      case 'a':
        --*(_DWORD *)asc_408078;                // "\a"
        break;
      case 'd':
        ++*(_DWORD *)asc_408078;                // "\a"
        break;
      case 's':
        --dword_40807C;
        break;
      case 'w':
        ++dword_40807C;
        break;
      default:
        continue;
    }
  }
  if ( *(_DWORD *)asc_408078 == 5 && dword_40807C == -4 )// "\a"
  {
    sub_401140(aCongratulation);                // "Congratulations!\n"
    sub_401140(aHereIsTheFlagF);                // "Here is the flag:flag{%s}\n"
  }
  else
  {
    sub_401140(aTryAgain);                      // "Try again...\n"
  }
  return 0;
}

1
2
3

# Exp
## 7*10的地图
# flag{ssaaasaassdddw}

考点

基本RSA

import gmpy2
import libnum

p=366669102002966856876605669837014229419
q=282164587459512124844245113950593348271

c = 0xad939ff59f6e70bcbfad406f2494993757eee98b91bc244184a377520d06fc35

e = 65537

n = 103461035900816914121390101299049044413950405173712170434161686539878160984549
print(n)

d = gmpy2.invert(e, (p - 1) * (q - 1))

# 求明文
M = pow(c, d, n)  # 快速求幂取模运算

print(libnum.n2s(int(M)))

Reverse

#BUUCTF

Reverse-BUUCTF-1

https://tforevery.github.io/Reverse-BUUCTF-1/

作者

发布于

2025年9月4日

许可协议

PWN-BUUCTF-2 下一篇

Reverse-BUUCTF-1

easyre

reverse1

reverse2

内涵的软件

新年快乐

xor

reverse3

helloword

不一样的flag

SimpleRev

[GXYCTF2019]luck_guy

Java逆向解密

[BJDCTF2020]JustRE

刮开有奖

[ACTF新生赛2020]easyre

简单注册器

[GWCTF 2019]pyre

[ACTF新生赛2020]rome

findit

[FlareOn4]login

rsa

[WUSTCTF2020]level1

[GUET-CTF2019]re

CrackRTF

[WUSTCTF2020]level2

[MRCTF2020]Transform

[2019红帽杯]easyRE

[MRCTF2020]Xor

[MRCTF2020]hello_world_go

[ACTF新生赛2020]usualCrypt

[HDCTF2019]Maze

[SUCTF2019]SignIn