litctf-re

lit的时候忙其他的去了只能含泪复现 rc4的附件不知道丢哪了 整体的难度还行

FeatureExtraction

image-20250526210702101

image-20250526212451811

image-20250526212508200

将我们的输入处理为32位

image-20250526212624114

发现到key

image-20250526212938936

进入加密函数观察加密流程

image-20250526213204783

image-20250526213210871

image-20250526213550474

搞到密文

image-20250526225616806

理解加密流程 解密就简单了

image-20250526224430727

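import sys

# Constants recovered from the binary. The key bytes are the ASCII string "LitCTF2025".
key = [0x4C, 0x69, 0x74, 0x43, 0x54, 0x46, 0x32, 0x30, 0x32, 0x35]
enc = [0x1690, 0x3E58, 0x6FF1, 0x86F0, 0x9D66, 0xAB30, 0xCA71, 0xCF29, 0xE335, 0xE492,
       0xF1FD, 0xDE80, 0xD0C8, 0xC235, 0xB9B5, 0xB1CF, 0x9E9F, 0x9E86, 0x96B4, 0xA550,
       0xA0D3, 0xA135, 0x99CA, 0xACC0, 0xBE78, 0xC196, 0xBC00, 0xB5C3, 0xB7F0, 0xB465,
       0xB673, 0xB71F, 0xBBE2, 0xCB4F, 0xD2AD, 0xDE20, 0xEC94, 0xFC30, 0x104B8, 0xF6EE,
       0xEDC9, 0xE385, 0xD78B, 0xDE19, 0xC94C, 0xAD14, 0x7E88, 0x6BB9, 0x4CC6, 0x3806,
       0x2DC9, 0x2398, 0x19E1]

# Number of plaintext characters to recover. Only enc[0..43] are consumed below;
# len(enc) == FLAG_LEN + len(key) - 1, so the last nine values are left unused.
FLAG_LEN = 44

# The loop inverts enc[i] = sum(data[i - m] * key[m] for m in 0..min(9, i)):
# every term except data[i] * key[0] is already known when position i is reached,
# so the characters can be peeled off front to back.
data = [0] * FLAG_LEN
for i in range(FLAG_LEN):
    # Contribution of the previously recovered characters data[i-1] .. data[i-9].
    known = sum(data[i - m] * key[m] for m in range(1, min(len(key) - 1, i) + 1))
    data[i], remainder = divmod(enc[i] - known, key[0])
    if remainder:
        # Floor division would hide this: a non-zero remainder means key/enc were
        # transcribed incorrectly or the assumed relation above does not hold.
        print(f"warning: enc[{i}] leaves remainder {remainder}; check key/enc",
              file=sys.stderr)

flag = ''.join(chr(c) for c in data)
print(flag)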

easy_tea

一些较为基础的花指令

image-20250526195708224

全给抹了

image-20250526195721059

查看加密

image-20250526195735063

抹除的大差不差

image-20250526195924599

tea 脚本如下

#include <stdio.h>
#include <stdint.h>

/*
 * Decrypt one 64-bit TEA block in place.
 *
 * v   - two 32-bit words holding the ciphertext block; overwritten with plaintext.
 * key - four 32-bit words (128-bit key).
 *
 * The delta below is the value this sample uses. It is NOT the reference TEA
 * constant 0x9E3779B9, so an off-the-shelf TEA implementation will not decrypt
 * this data unless its delta is changed to match.
 */
void decrypt(uint32_t* v, uint32_t* key) {
    const uint32_t delta = 0x114514;
    uint32_t lo = v[0];
    uint32_t hi = v[1];
    /* Encryption adds delta once per round, so decryption starts at 32 * delta. */
    uint32_t sum = delta * 32;
    int rounds = 32;

    while (rounds-- > 0) {
        /* Undo the two half-round updates in the reverse of the order they were applied. */
        hi -= ((lo << 4) + key[2]) ^ (lo + sum) ^ ((lo >> 5) + key[3]);
        lo -= ((hi << 4) + key[0]) ^ (hi + sum) ^ ((hi >> 5) + key[1]);
        sum -= delta;
    }

    v[0] = lo;
    v[1] = hi;
}

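/*
 * Decrypt the embedded ciphertext with decrypt() and write the plaintext bytes
 * to stdout (no trailing newline).
 */
int main() {
    /* 128-bit TEA key as four 32-bit words. */
    uint32_t key[4] = {
        0x11223344, 0x55667788,
        0x99AABBCC, 0xDDEEFF11
    };

    /* Ciphertext: five 64-bit blocks, each stored as two 32-bit words. */
    uint32_t enc[10] = {
        0x977457FE, 0xDA3E1880, 0xB8169108, 0x1E95285C,
        0x1FE7E6F2, 0x2BC5FC57, 0xB28F0FA8, 0x8E0E0644,
        0x68454425, 0xC57740D9
    };
    const size_t words = sizeof enc / sizeof enc[0];

    /* Decrypt block by block; the bound never reads past the array on an odd count. */
    for (size_t i = 0; i + 1 < words; i += 2) {
        decrypt(&enc[i], key);
    }

    /*
     * Emit each word least-significant byte first. This is the byte order the
     * original pointer cast produced on a little-endian host, but written with
     * shifts so the output no longer depends on the machine running the script.
     */
    for (size_t i = 0; i < words; i++) {
        for (int shift = 0; shift < 32; shift += 8) {
            putchar((int)((enc[i] >> shift) & 0xFF));
        }
    }
    return 0;
}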

image-20250526204311850

pickle

image-20250526210736580

拷打ai获取脚本

import dill
import types
import dis

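def extract_code_objects(obj, path="root"):
    """Recursively collect code objects reachable from *obj*.

    Functions contribute their ``__code__``; code objects are returned as-is.
    Lists, tuples, sets, dicts and any object exposing ``__dict__`` are walked
    depth-first. Code objects nested inside another code object's constants
    are not walked here.

    Args:
        obj: The object to search.
        path: Label for *obj*; child labels are built from it.

    Returns:
        A list of ``(path, code_object)`` tuples in traversal order.
    """
    found = []
    # ids of the containers currently being walked. A container that refers back
    # to one of its own ancestors is skipped instead of recursing until
    # RecursionError; objects shared between branches are still reported once
    # per path.
    on_stack = set()

    def walk(node, where):
        if isinstance(node, types.FunctionType):
            found.append((where, node.__code__))
            return
        if isinstance(node, types.CodeType):
            found.append((where, node))
            return

        if isinstance(node, (list, tuple, set)):
            children = ((f"{where}[{i}]", item) for i, item in enumerate(node))
        elif isinstance(node, dict):
            children = ((f"{where}[{repr(k)}]", v) for k, v in node.items())
        elif hasattr(node, "__dict__"):
            children = ((f"{where}.{k}", v) for k, v in vars(node).items())
        else:
            return

        marker = id(node)
        if marker in on_stack:
            return
        on_stack.add(marker)
        try:
            for child_path, child in children:
                walk(child, child_path)
        finally:
            on_stack.discard(marker)

    walk(obj, path)
    return found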

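# Load the challenge pickle.
# NOTE(review): dill.load(), like pickle.load(), executes whatever the pickle
# stream instructs it to, so a hostile file runs code the moment it is loaded.
# A CTF attachment is untrusted input: load it only inside a disposable
# VM/container, or inspect the opcode stream statically first
# (pickletools.dis prints the opcodes without executing them).
with open("challenge.pickle", "rb") as f:
    data = dill.load(f)

# Collect every code object reachable from the loaded data.
code_objs = extract_code_objects(data)

# Print the raw bytecode and its disassembly.
# NOTE(review): bytecode is specific to the CPython version that compiled it.
# Run this under that same version; otherwise dis labels opcodes and cache
# slots incorrectly and the listing cannot be trusted.
for path, code in code_objs:
    print(f"\n[+] 在路径: {path}")
    print(f" 函数名: {code.co_name}")
    print(f" 字节码 (co_code): {code.co_code.hex()}")
    print(" 反汇编:")
    dis.dis(code)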

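获取到字节码(注意:下面的反汇编里有明显不合理的指令,例如每个 CALL 之前的 UNPACK_SEQUENCE,以及成功分支前的比较被显示为 COMPARE_OP 2 (<)。这很可能说明反汇编所用的 Python 版本与生成该字节码的版本不一致,阅读时应结合常量和变量名判断真实逻辑)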


[+] 在路径: root
函数名: check
字节码 (co_code): 970074010000000000000000000064015c010000ab0100000000000000003c0100000000000000000000000000000000000000005c000000ab0000000000000000007d0067007d017405000000000000000000007407000000000000000000007c005c010000ab0100000000000000005c010000ab01000000000000000044005d2200007c007c021900000000000000000064027a0a00007d037c013c0400000000000000000000000000000000000000007c035c010000ab01000000000000000001008c2367006403a2017d0467006404a2017d05640584007d0602007c067c047c055c020000ab0200000000000000007d077c017c076b02000000007211740b0000000000000000000064065c010000ab010000000000000000010064005300740b0000000000000000000064075c010000ab010000000000000000010064005300
反汇编:
5 0 RESUME 0

6 2 LOAD_GLOBAL 1 (NULL + input)
12 CACHE
14 LOAD_CONST 1 ('input your flag > ')
16 UNPACK_SEQUENCE 1
20 CALL 1
28 CACHE
30 STORE_SUBSCR
34 CACHE
36 CACHE
38 CACHE
40 CACHE
42 CACHE
44 CACHE
46 CACHE
48 CACHE
50 CACHE
52 UNPACK_SEQUENCE 0
56 CALL 0
64 CACHE
66 STORE_FAST 0 (user_input)

8 68 BUILD_LIST 0
70 STORE_FAST 1 (decrypted)

9 72 LOAD_GLOBAL 5 (NULL + range)
82 CACHE
84 LOAD_GLOBAL 7 (NULL + len)
94 CACHE
96 LOAD_FAST 0 (user_input)
98 UNPACK_SEQUENCE 1
102 CALL 1
110 CACHE
112 UNPACK_SEQUENCE 1
116 CALL 1
124 CACHE
126 GET_ITER
>> 128 FOR_ITER 34 (to 200)

10 132 LOAD_FAST 0 (user_input)
134 LOAD_FAST 2 (i)
136 BINARY_SUBSCR
140 CACHE
142 CACHE
144 CACHE
146 LOAD_CONST 2 (6)
148 BINARY_OP 10 (-)
152 STORE_FAST 3 (b)

11 154 LOAD_FAST 1 (decrypted)
156 STORE_SUBSCR
160 CACHE
162 CACHE
164 CACHE
166 CACHE
168 CACHE
170 CACHE
172 CACHE
174 CACHE
176 CACHE
178 LOAD_FAST 3 (b)
180 UNPACK_SEQUENCE 1
184 CALL 1
192 CACHE
194 POP_TOP
196 JUMP_BACKWARD 35 (to 128)

13 198 BUILD_LIST 0
>> 200 LOAD_CONST 3 ((85, 84, 174, 227, 132, 190, 207, 142, 77, 24, 235, 236, 231, 213, 138, 153, 60, 29, 241, 241, 237, 208, 144, 222, 115, 16, 242, 239, 231, 165, 157, 224, 56, 104, 242, 128, 250, 211, 150, 225, 63, 29, 242, 169))
202 LIST_EXTEND 1
204 STORE_FAST 4 (fflag)

14 206 BUILD_LIST 0
208 LOAD_CONST 4 ((19, 55, 192, 222, 202, 254, 186, 190))
210 LIST_EXTEND 1
212 STORE_FAST 5 (key_ints)

16 214 LOAD_CONST 5 (<code object encrypt at 0x00000165C203A8B0, file "d:\code\PYTHON\IPParser1.py", line 16>)
216 MAKE_FUNCTION 0
218 STORE_FAST 6 (encrypt)

23 220 PUSH_NULL
222 LOAD_FAST 6 (encrypt)
224 LOAD_FAST 4 (fflag)
226 LOAD_FAST 5 (key_ints)
228 UNPACK_SEQUENCE 2
232 CALL 2
240 CACHE
242 STORE_FAST 7 (encrypted_flag)

25 244 LOAD_FAST 1 (decrypted)
246 LOAD_FAST 7 (encrypted_flag)
248 COMPARE_OP 2 (<)
252 CACHE
254 POP_JUMP_IF_FALSE 17 (to 290)

26 256 LOAD_GLOBAL 11 (NULL + print)
266 CACHE
268 LOAD_CONST 6 ('Good job! You made it!')
270 UNPACK_SEQUENCE 1
274 CALL 1
282 CACHE
284 POP_TOP
286 LOAD_CONST 0 (None)
288 RETURN_VALUE

28 >> 290 LOAD_GLOBAL 11 (NULL + print)
300 CACHE
302 LOAD_CONST 7 ("Nah, don't give up!")
304 UNPACK_SEQUENCE 1
308 CALL 1
316 CACHE
318 POP_TOP
320 LOAD_CONST 0 (None)
322 RETURN_VALUE

Disassembly of <code object encrypt at 0x00000165C203A8B0, file "d:\code\PYTHON\IPParser1.py", line 16>:
16 0 RESUME 0

17 2 BUILD_LIST 0
4 STORE_FAST 2 (result)

18 6 LOAD_GLOBAL 1 (NULL + range)
16 CACHE
18 LOAD_GLOBAL 3 (NULL + len)
28 CACHE
30 LOAD_FAST 0 (flag_bytes)
32 UNPACK_SEQUENCE 1
36 CALL 1
44 CACHE
46 UNPACK_SEQUENCE 1
50 CALL 1
58 CACHE
60 GET_ITER
>> 62 FOR_ITER 56 (to 178)

19 66 LOAD_FAST 0 (flag_bytes)
68 LOAD_FAST 3 (i)
70 BINARY_SUBSCR
74 CACHE
76 CACHE
78 CACHE
80 LOAD_FAST 1 (key)
82 LOAD_FAST 3 (i)
84 LOAD_GLOBAL 3 (NULL + len)
94 CACHE
96 LOAD_FAST 1 (key)
98 UNPACK_SEQUENCE 1
102 CALL 1
110 CACHE
112 BINARY_OP 6 (%)
116 BINARY_SUBSCR
120 CACHE
122 CACHE
124 CACHE
126 BINARY_OP 12 (^)
130 STORE_FAST 4 (b)

20 132 LOAD_FAST 2 (result)
134 STORE_SUBSCR
138 CACHE
140 CACHE
142 CACHE
144 CACHE
146 CACHE
148 CACHE
150 CACHE
152 CACHE
154 CACHE
156 LOAD_FAST 4 (b)
158 UNPACK_SEQUENCE 1
162 CALL 1
170 CACHE
172 POP_TOP
174 JUMP_BACKWARD 57 (to 62)

21 176 LOAD_FAST 2 (result)
>> 178 RETURN_VALUE

继续拷打

image-20250526211743280

LitCTF{6d518316-5075-40ff-873a-d1e8d632e208}

Robbie Wanna Revenge

dll加壳 改了标志位即可完成

image-20250527180210000

image-20250527180215894

image-20250527180227413

正常进行分析

image-20250527180523369

我们可以看到有playerwon的东西

image-20250527180709344

image-20250527180735773

image-20250526235421502