crackme

一个UPX壳

修改一下特征码,然后就可以用工具去

image-20231129114815800

然后用IDA打开就是flag

ISCTF{873c-298c-2948-23bh-291h-kt30}

babyre

使用:pyinstxtractor.py 工具解 后用

然后在线工具反编译pyc文件:
image-20231129115621077

结合给的txt文件中的:

1
2
3
4
5
6
p+q=
292884018782106151080211087047278002613718113661882871562870811030932129300110050822187903340426820507419488984883216665816506575312384940488196435920320779296487709207011656728480651848786849994095965852212548311864730225380390740637527033103610408592664948012814290769567441038868614508362013860087396409860
(p+1)*(q+1)=
21292789073160227295768319780997976991300923684414991432030077313041762314144710093780468352616448047534339208324518089727210764843655182515955359309813600286949887218916518346391288151954579692912105787780604137276300957046899460796651855983154616583709095921532639371311099659697834887064510351319531902433355833604752638757132129136704458119767279776712516825379722837005380965686817229771252693736534397063201880826010273930761767650438638395019411119979149337260776965247144705915951674697425506236801595477159432369862377378306461809669885764689526096087635635247658396780671976617716801660025870405374520076160
c=
5203005542361323780340103662023144468501161788183930759975924790394097999367062944602228590598053194005601497154183700604614648980958953643596732510635460233363517206803267054976506058495592964781868943617992245808463957957161100800155936109928340808755112091651619258385206684038063600864669934451439637410568700470057362554045334836098013308228518175901113235436257998397401389511926288739759268080251377782356779624616546966237213737535252748926042086203600860251557074440685879354169866206490962331203234019516485700964227924668452181975961352914304357731769081382406940750260817547299552705287482926593175925396

进行解密

easy_z3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
from z3 import *

# 创建Z3整数变量
l = [Int(f"l{i}") for i in range(6)]

# 创建Z3求解器
solver = Solver()

# 添加等式约束
solver.add(
    (593*l[5] + 997*l[0] + 811*l[1] + 258*l[2] + 829*l[3] + 532*l[4]) == 0x54eb02012bed42c08,
    (605*l[4] + 686*l[5] + 328*l[0] + 602*l[1] + 695*l[2] + 576*l[3]) == 0x4f039a9f601affc3a,
    (373*l[3] + 512*l[4] + 449*l[5] + 756*l[0] + 448*l[1] + 580*l[2]) == 0x442b62c4ad653e7d9,
    (560*l[2] + 635*l[3] + 422*l[4] + 971*l[5] + 855*l[0] + 597*l[1]) == 0x588aabb6a4cb26838,
    (717*l[1] + 507*l[2] + 388*l[3] + 925*l[4] + 324*l[5] + 524*l[0]) == 0x48f8e42ac70c9af91,
    (312*l[0] + 368*l[1] + 884*l[2] + 518*l[3] + 495*l[4] + 414*l[5]) == 0x4656c19578a6b1170
)

# 检查求解器是否有解
if solver.check() == sat:
    # 打印解
    model = solver.model()
    for var in l:
        print(f"{var} = {model[var]}")
else:
    print("无解")
#l0 = 20639221941697358
#l1 = 13615593641303915
#l2 = 31015537033047360
#l3 = 32765855640286324
#l4 = 28554726411354222
#l5 = 26860403902456189

image-20231129121219625

在线解密

z3_

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48

from z3 import *

# 定义变量
v4, SBYTE1v4, SBYTE2v4, SBYTE3v4, SBYTE4v4, SBYTE5v4, SBYTE6v4, SHIBYTEv4 = Ints(
    'v4 SBYTE1v4 SBYTE2v4 SBYTE3v4 SBYTE4v4 SBYTE5v4 SBYTE6v4 SHIBYTEv4')
v5, SBYTE1v5, SBYTE2v5, SBYTE3v5, SBYTE4v5, SBYTE5v5, SBYTE6v5, SHIBYTEv5 = Ints(
    'v5 SBYTE1v5 SBYTE2v5 SBYTE3v5 SBYTE4v5 SBYTE5v5 SBYTE6v5 SHIBYTEv5')
v6, SBYTE1v6, SBYTE2v6, SBYTE3v6, SBYTE4v6, SBYTE5v6, SBYTE6v6, SHIBYTEv6 = Ints(
    'v6 SBYTE1v6 SBYTE2v6 SBYTE3v6 SBYTE4v6 SBYTE5v6 SBYTE6v6 SHIBYTEv6')
v7, SBYTE1v7, SBYTE2v7, SBYTE3v7, SBYTE4v7, SBYTE5v7, SBYTE6v7, SHIBYTEv7 = Ints(
    'v7 SBYTE1v7 SBYTE2v7 SBYTE3v7 SBYTE4v7 SBYTE5v7 SBYTE6v7 SHIBYTEv7')
v8, SBYTE1v8, SBYTE2v8, SBYTE3v8, SBYTE4v8, SBYTE5v8, SBYTE6v8, SHIBYTEv8 = Ints(
    'v8 SBYTE1v8 SBYTE2v8 SBYTE3v8 SBYTE4v8 SBYTE5v8 SBYTE6v8 SHIBYTEv8')
v9, SBYTE1v9, SBYTE2v9 = Ints('v9 SBYTE1v9 SBYTE2v9')

# 定义方程组
s = Solver()
s.add(v4 + 293 + 682 * SBYTE1v4 == 56972, 582 * SBYTE1v4 + 211 * SBYTE2v4 == 62443,
      SBYTE2v4 - 246 - 940 * SBYTE3v4 == -79139, SBYTE3v4 - 612 + 399 - SBYTE4v4 == -199,
      SBYTE4v4 + 709 - (200 - SBYTE5v4) == 702, SBYTE5v4 + 818 + 281 - SBYTE6v4 == 1169,
      295 * SBYTE6v4 - 122 * SHIBYTEv4 == 9535, SHIBYTEv4 + 577 + 369 * v5 == 19815, v5 - 530 + 488 * SBYTE1v5 == 22946,
      578 * SBYTE1v5 + 232 - SBYTE2v5 == 27921, SBYTE2v5 - 266 + 168 - SBYTE3v5 == -91,
      SBYTE4v5 + 591 + 610 * SBYTE3v5 == 29919, SBYTE4v5 + 322 + 257 * SBYTE5v5 == 13477,
      SBYTE6v5 + 368 + 206 * SBYTE5v5 == 10919, SBYTE6v5 + 815 - (350 - SHIBYTEv5) == 562,
      266 * SHIBYTEv5 + 400 * v6 == 52632, v6 - 651 - (SBYTE1v6 + 303) == -957, SBYTE1v6 + 889 + SBYTE2v6 + 980 == 2019,
      SBYTE2v6 - 968 + 730 * SBYTE3v6 == 31932, SBYTE3v6 + 254 - (676 - SBYTE4v6) == -325,
      SBYTE4v6 - 969 + SBYTE5v6 + 950 == 86, SBYTE5v6 + 597 - (SBYTE6v6 + 120) == 478,
      SBYTE6v6 - 412 + 861 - SHIBYTEv6 == 450, 722 * SHIBYTEv6 - 697 * v7 == 5457, v7 + 871 - 741 * SBYTE1v7 == -40580,
      805 * SBYTE1v7 - 838 * SBYTE2v7 == -172, SBYTE3v7 + 636 + 646 * SBYTE2v7 == 35573,
      889 * SBYTE3v7 + 688 * SBYTE4v7 == 115917, SBYTE5v7 + 830 + 462 * SBYTE4v7 == 47075,
      SBYTE5v7 + 556 - (118 - SBYTE6v7) == 532, SBYTE6v7 - 783 + 840 * SHIBYTEv7 == 84946,
      SHIBYTEv7 + 964 + v8 + 990 == 2109, v8 + 698 + SBYTE1v8 + 923 == 1774, 384 * SBYTE1v8 + 847 * SBYTE2v8 == 79056,
      SBYTE2v8 + 358 + 637 * SBYTE3v8 == 62195, SBYTE4v8 + 693 + 818 * SBYTE3v8 == 80089,
      SBYTE4v8 - 638 + 348 - SBYTE5v8 == -292, SBYTE5v8 + 425 - (828 - SBYTE6v8) == -295,
      SBYTE6v8 - 941 + SHIBYTEv8 + 331 == -453, SHIBYTEv8 - 826 - 370 * v9 == -19595,
      v9 - 857 - (818 - SBYTE1v9) == -1527, 999 * SBYTE1v9 + 616 * SBYTE2v9 == 173903,
      498 * SBYTE2v9 + 206 * v4 == 77288)
# 求解方程组
if s.check() == sat:
    m = (s.model())
    sorted_model = sorted(m, key=lambda x: str(x))
    for variable in sorted_model:
        print(f"{variable} = {m[variable]}")

else:
    print("无解")

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
SBYTE1v4 = 83
SBYTE1v5 = 48
SBYTE1v6 = 100
SBYTE1v7 = 56
SBYTE1v8 = 100
SBYTE1v9 = 97
SBYTE2v4 = 67
SBYTE2v5 = 55
SBYTE2v6 = 50
SBYTE2v7 = 54
SBYTE2v8 = 48
SBYTE2v9 = 125
SBYTE3v4 = 84
SBYTE3v5 = 48
SBYTE3v6 = 45
SBYTE3v7 = 53
SBYTE3v8 = 97
SBYTE4v4 = 70
SBYTE4v5 = 48
SBYTE4v6 = 52
SBYTE4v7 = 100
SBYTE4v8 = 50
SBYTE5v4 = 123
SBYTE5v5 = 51
SBYTE5v6 = 53
SBYTE5v7 = 45
SBYTE5v8 = 52
SBYTE6v4 = 53
SBYTE6v5 = 45
SBYTE6v6 = 52
SBYTE6v7 = 49
SBYTE6v8 = 56
SHIBYTEv4 = 50
SHIBYTEv5 = 52
SHIBYTEv6 = 51
SHIBYTEv7 = 102
SHIBYTEv8 = 101
v4 = 73
v5 = 52
v6 = 97
v7 = 45
v8 = 53
v9 = 51

解出来是10进制,然后再自己排一个顺序转成ascii 就出flag了

mfx_re

是一个ELF的UPX壳

还是要修改特征码【用010将MFX改成UPX】 然后 upx-d 脱壳

1
2
3
4
5
a = "HRBSEz//3cac6/,7`7d,3635,8550,285ca0a7427c|"
flag = ""
for i in range(len(a)):
    flag += chr(ord(a[i]) + 1)
print(flag)

easy_flower_tea

去除花后:再F5

image-20231129122150422

是一个tea加密:
image-20231129122222801

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
#include <cstdio>
#include <stdint.h>
#include <stdlib.h>
void decrypt(unsigned int* v, const unsigned int* k)
{

	uint32_t v3 = v[0];
	uint32_t v4 = v[1];

	
	uint32_t v5 = ((-1640531527) * 32) & 0xFFFFFFFF;

	for (int i = 0; i <= 31; ++i)
	{
		
		v4 -= (k[3] + (v3 >> 5)) ^ (v5 + v3) ^ (k[2] + 16 * v3);
 		v3 -= (k[1] + (v4 >> 5)) ^ (v5 + v4) ^ (k[0] + 16 * v4);
		v5 += 1640531527;
	}

	v[0] = v3;
	v[1] = v4;
}
int main()
{



	unsigned int v[2] = {	
	0x42777AFA,0x781A30CA
	};
	unsigned int k[4] = { 0xC, 0x22, 0x38, 0x4E };
	for (int i = 0; i < 2; i += 2)
	{
		decrypt(v + i, k);
	}
	for (int i = 0; i < 2; i++)
	{
		printf("%u\n", v[i]);
	}

//1472353
//3847872

ISCTF{1472353 3847872}

FloweyRSA

首先去花后:
image-20231129122800534

根据题目猜测是一个RSA的题

1
2
3
4
a1 = ? 
a2 = e = 0x1D1 465
a3 = n = 0xBC7C05B3  
c = 加密后的数据,给了的

然后就是RSA解密:

flag{reverse_is_N0T_@lways_jusT_RE_myy_H@bIb1!!!!!!}