zoukankan      html  css  js  c++  java
  • [FLARE ON7] Challenge1,2,3 ,4

    1 - Fidler

    python,给了源代码,第一部分为输入密码,直接打印出来

    def password_check():
        altered_key = 'hiptu'
        key = ''.join([chr(ord(x) - 1) for x in altered_key])
        print(key)
    password_check()

    第二部分,胜利后会解密flag,需要传入一个值

    def decode_flag(frob):
        last_value = frob
        encoded_flag = [1135, 1038, 1126, 1028, 1117, 1071, 1094, 1077, 1121, 1087, 1110, 1092, 1072, 1095, 1090, 1027,
                        1127, 1040, 1137, 1030, 1127, 1099, 1062, 1101, 1123, 1027, 1136, 1054]
        decoded_flag = []
    
        for i in range(len(encoded_flag)):
            c = encoded_flag[i]
            val = (c - ((i%2)*1 + (i%3)*2)) ^ last_value
            decoded_flag.append(val)
            last_value = c
    
        return ''.join([chr(x) for x in decoded_flag])

    往上找发现

    target_amount = (2**36) + (2**35)
            if current_coins > (target_amount - 2**20):
                while current_coins >= (target_amount + 2**20):
                    current_coins -= 2**20
                victory_screen(int(current_coins / 10**8))
                return

    算出为1030,解密得flag

    2 garbage

    题目说文件不全,查看一下发现是upx过的程序,用010editor打开,看看数据目录表

    第二个结构指向导入表,查看一下RVA为0x1929c处

    发现后面被删掉了,资源也不全,于是要先想办法重建这里,我直接选择自己写了一个小程序加壳,把资源替换了

    之后要改一下导入表中的RVA,同时把数据目录表第四个DWORD改为0xF0

    之后upx脱壳,发现无法运行,拖进ida,根据字符串找到可疑函数

    对数据进行了一些处理后放入一个文件中并运行此文件,写个脚本处理数据

    v25=[0x38,0x0e,0x02,0x3B,0x19,0x3b,0x1b,0x34,0x1b,0x0c,0x23,0x3E,0x33,0x08,0x11,0x42,0x39,0x12,0x1e,0x73]
    v8="KglPFOsQDxBPXmclOpmsdLDEPMRWbMDzwhDGOyqAkVMRvnBeIkpZIhFznwVylfjrkqprBPAdPuaiVoVugQAlyOQQtxBNsTdPZgDH "
    v7="nPTnaGLkIqdcQwvieFQKGcTGOTbfMjDNmvibfBDdFBhoPaBbtfQuuGWYomtqTFqvBSKdUMmciqKSGZaosWCSoZlcIlyQpOwkcAgw "
    
    a=[]
    
    #for i in range(20):
     #   a.append(hex(v25[i]^ord(v8[i])))
    #print(a)
    
    v9 =[0x23,0x23,0x33,0x2c,
         0x0e,0x3f,0x64,0x49,
         0x0a,0x1e,0x0a,0x04,
         0x23,0x16,0x02,0x1a,
         0x44,0x66,0x08,0x24,
         0x32,0x11,0x74,0x2c,
         0x2a,0x2d,0x42,0x0f,
         0x3e,0x50,0x64,0x0d,
         0x5d,0x04,0x1b,0x17,
         0x16,0x36,0x03,0x05,
         0x34,0x20,0x09,0x08,
         0x63,0x21,0x24,0x0e,
         0x15,0x14,0x34,0x58,
         0x1a,0x29,0x79,0x3a,
         0x00,0x00,0x56,0x58,
         0x54]
    
    for i in range(len(v9)):
        print(chr(v9[i]^ord(v7[i])),end="")
        

    3 wednesday

    游戏,提示只逆mydude.exe,经过一番寻找,判断处为

    当分数为296时胜利,但如果直接修改分数是无法得到flag的,可以推测,每获得一次分数,会进行一些解密的操作

    查看游戏资源,有m的地方要蹲,有f的地方要跳,且每次跳和蹲次序是不变的,可以想到有一张0和1组成的地图,于是寻找

    有了地图,第一个想法是控制地图生成,但依然不能获得flag,只好想别的方法

    #include<windows.h>
    
    int map[] = {
        0,0,1,1,0,0,0,1,0,1,1,1,0,1,0,0,
        0,1,0,1,1,1,1,1,0,1,1,0,1,0,0,1,
        0,0,1,1,0,1,0,1,0,1,0,1,1,1,1,1,
        0,1,1,1,0,1,1,1,
        0,1,0,0,0,1,0,1,0,1,1,0,0,1,0,0,
        0,1,1,0,1,1,1,0,0,0,1,1,0,0,1,1,
        0,1,1,1,0,0,1,1,0,1,1,0,0,1,0,0,
        0,0,1,1,0,1,0,0,0,1,1,1,1,0,0,1,
        0,1,0,1,1,1,1,1,0,1,1,0,1,1,0,1,
        0,1,0,1,1,0,0,1,0,1,0,1,1,1,1,1,
        0,1,0,0,0,1,0,0,0,1,1,1,0,1,0,1,
        0,1,1,0,0,1,0,0,0,0,1,1,0,0,1,1,
        0,1,1,1,0,0,1,1,0,1,0,0,0,0,0,0,
        0,1,1,0,0,1,1,0,0,1,1,0,1,1,0,0,
        0,1,1,0,0,0,0,1,0,1,1,1,0,0,1,0,
        0,1,1,0,0,1,0,1,0,0,1,0,1,1,0,1,
        0,1,1,0,1,1,1,1,0,1,1,0,1,1,1,0,
        0,0,1,0,1,1,1,0,0,1,1,0,0,0,1,1,
        0,1,1,0,1,1,1,1,0,1,1,0,1,1,0,1,
    };
    void jump(HWND hwnd) {
        SendMessage(hwnd, WM_KEYUP, VK_DOWN, NULL);
        SendMessage(hwnd, WM_KEYDOWN, VK_UP, NULL);
        SendMessage(hwnd, WM_KEYUP, VK_UP, NULL);
    }
    
    int main(void) {
        int length = sizeof(map) / sizeof(map[0]);
        HWND hwnd = FindWindow(NULL, L"Wednesday");
        if (hwnd)
        {
                SendMessage(hwnd, WM_KEYDOWN, VK_DOWN, NULL);
                Sleep(2100);
                int k = 1360;
                for (int i = 0; i < length; i += 2) {
                    if (map[i] == 0 && map[i + 1] == 0) {
                        Sleep(k);
                        Sleep(2750);
                    }
                    if (map[i] == 0 && map[i + 1] == 1) {
                        Sleep(k);
                        jump(hwnd);
                        Sleep(800);
                        SendMessage(hwnd, WM_KEYDOWN, VK_DOWN, NULL);
                        Sleep(1950);
                    }
                    if (map[i] == 1 && map[i + 1] == 0) {
                        jump(hwnd);
                        Sleep(800);
                        SendMessage(hwnd, WM_KEYDOWN, VK_DOWN, NULL);
                        Sleep(k);
                        Sleep(1950);
                    }
                    if (map[i] == 1 && map[i + 1] == 1) {
                        jump(hwnd);
                        Sleep(k);
                        jump(hwnd);
                        Sleep(800);
                        SendMessage(hwnd, WM_KEYDOWN, VK_DOWN, NULL);
                        Sleep(1950);
                    }
                    if (i == 10) k -= 12;
                    if (i == 20) k -= 26;
                    if (i == 30) k -= 12;
                }
                SendMessage(hwnd, WM_KEYUP, VK_DOWN, NULL);
        }
        return 0;
    }

    不过失败了,速度总是控制不好,每次到40分左右就死了。。。不过提到速度,我想起了变速齿轮

    直接调慢速度,玩出flag

    4 report

    https://bbs.pediy.com/thread-263048.htm

  • 相关阅读:
    Java 9 模块解耦的设计策略
    Spring Data JPA 事务锁
    如何配置Spring Boot Tomcat
    Spring Cloud Turbine
    Spring Boot 测试时的日志级别
    Spring Boot中使用RSocket
    构造函数
    递归函数的使用
    有序数列的二分搜索
    Java第一次代码作业汇总
  • 原文地址:https://www.cnblogs.com/harmonica11/p/13656287.html
Copyright © 2011-2022 走看看