HGAME 2023 week2 wp

stream

反编译pyexe

在线反编译pyc

#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 3.10

import base64

def gen(key):
    """Return the first 50 keystream bytes derived from the string *key*.

    The two loops have the shape of RC4: a 256-entry permutation is mixed
    with the key, then stepped once per output byte.
    """
    state = list(range(256))
    acc = 0
    # Key scheduling: every position is swapped once, steered by the key.
    for idx in range(256):
        acc = (acc + state[idx] + ord(key[idx % len(key)])) % 256
        state[idx], state[acc] = state[acc], state[idx]
    # Output phase: one swap and one table lookup per keystream byte.
    a = b = 0
    stream = []
    for _ in range(50):
        a = (a + 1) % 256
        b = (b + state[a]) % 256
        state[a], state[b] = state[b], state[a]
        stream.append(state[(state[a] + state[b]) % 256])
    return stream


def encrypt(text, key):
    """XOR *text* with the keystream for *key* and return it base64-encoded.

    zip() stops at the shorter input, so at most 50 characters are processed.
    The XOR result is a str; ``.encode()`` turns it into UTF-8 before base64,
    so every code point above 0x7f contributes two bytes to the encoded data.
    """
    xored = ''.join(chr(ord(ch) ^ ks) for ch, ks in zip(text, gen(key)))
    return base64.b64encode(xored.encode()).decode()

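# Driver of the decompiled checker: read a candidate, encrypt it, compare.
# The decompiler emitted the final branch as `return None` followed by
# `None('try again...')`, which is not valid at module level; the lost callee
# is presumably print, giving the if/else below.
# NOTE(review): the key and the expected ciphertext are both constants inside
# the shipped executable, so the comparison can be inverted offline by anyone
# who can read the binary.
text = input('Flag: ')
key = 'As_we_do_as_you_know'
enc = encrypt(text, key)
if enc == 'wr3ClVcSw7nCmMOcHcKgacOtMkvDjxZ6asKWw4nChMK8IsK7KMOOasOrdgbDlx3DqcKqwr0hw701Ly57w63CtcOl':
    print('yes!')
else:
    print('try again...')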

gen(key)不用看，直接跑就是。这题唯一坑了我的地方是base64编码之前的encode函数：result.encode()默认按UTF-8把字符串转成字节，码点大于0x7f的字符会变成两个字节，所以base64编码的是这段UTF-8字节，导致长度更长了。解的时候要先b64decode，再按UTF-8 decode回字符，然后才能逐字符异或。

脚本

import base64

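def gen(key, length=50):
    """Return *length* RC4 keystream bytes for the string *key*.

    ``length`` defaults to 50, the amount the challenge binary generates, so
    existing ``gen(key)`` calls behave exactly as before. An empty key raises
    ZeroDivisionError from the ``% len(key)`` in the scheduling loop.
    """
    s = list(range(256))
    j = 0
    # Key scheduling: mix the key into the 256-entry permutation.
    for i in range(256):
        j = (j + s[i] + ord(key[i % len(key)])) % 256
        s[i], s[j] = s[j], s[i]
    # Output phase: one keystream byte per iteration.
    i = j = 0
    data = []
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        data.append(s[(s[i] + s[j]) % 256])
    return data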


def encrypt(text, key):
    """Mirror of the challenge's encrypt(): XOR with gen(key), then base64.

    The XOR output is encoded as UTF-8 before base64, so the base64 payload
    is longer than the plaintext whenever a XORed character exceeds 0x7f.
    """
    pieces = []
    for ch, ks in zip(text, gen(key)):
        pieces.append(chr(ord(ch) ^ ks))
    raw = ''.join(pieces).encode()
    return base64.b64encode(raw).decode()

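key = 'As_we_do_as_you_know'
enc = 'wr3ClVcSw7nCmMOcHcKgacOtMkvDjxZ6asKWw4nChMK8IsK7KMOOasOrdgbDlx3DqcKqwr0hw701Ly57w63CtcOl'

# Keep both intermediate values as computed results instead of lists pasted
# from an earlier run, so the script cannot drift from gen() or from enc.
key2 = gen(key)
print(key2)

# b64decode yields the UTF-8 bytes written by encrypt(); decoding them restores
# one character per XORed code point, which is what must line up with key2.
enc2 = list(base64.b64decode(enc.encode()).decode())
print(enc2)

# XOR is its own inverse: applying the same keystream recovers the input.
for c, k in zip(enc2, key2):
    print(chr(ord(c) ^ k), end='')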

before main

换表base64:

import base64

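enc = 'AMHo7dLxUEabf6Z3PdWr6cOy75i4fdfeUzL17kaV7rG='

model = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"  # standard alphabet

custom = 'qaCpwYM2tO/RP0XeSZv8kLd6nfA7UHJ1No4gF5zr3VsBQbl9juhEGymc+WTxIiDK'  # alphabet substituted by the challenge

# Map every symbol from the custom alphabet back to the standard one.
# translate() leaves characters outside the table untouched, so the trailing
# '=' padding survives; a find()-based lookup returns -1 for '=' and would
# turn it into model[-1] == '/', appending a stray byte to the decoded text.
dnc = enc.translate(str.maketrans(custom, model))

print(base64.b64decode(dnc).decode())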

math

(谢谢Mr.fish)

z3梭

from z3 import *

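# Both tables are 5x5 matrices stored row-major. The constraints below state
# that the 25 unknown input bytes, viewed as a 5x5 matrix X, satisfy
# X * v10 == v12.
v10 = [0x0000007E, 0x000000E1, 0x0000003E, 0x00000028, 0x000000D8,
       0x000000FD, 0x00000014, 0x0000007C, 0x000000E8, 0x0000007A,
       0x0000003E, 0x00000017, 0x00000064, 0x000000A1, 0x00000024,
       0x00000076, 0x00000015, 0x000000B8, 0x0000001A, 0x0000008E,
       0x0000003B, 0x0000001F, 0x000000BA, 0x00000052, 0x0000004F]
v12 = [0x0000F9FE, 0x00008157, 0x000108B2, 0x0000D605, 0x0000F21B,
       0x00010FF3, 0x00009146, 0x00011212, 0x0000CF76, 0x00010C46,
       0x0000F76B, 0x000077DF, 0x000103BE, 0x0000C6F8, 0x0000ED8A,
       0x0000BE90, 0x000075EC, 0x0000EAC8, 0x0000AE37, 0x0000CC29,
       0x0000A828, 0x00005C6C, 0x0000AB4A, 0x0000836E, 0x0000ACEE]
s = Solver()

x = [Int('x[%d]' % i) for i in range(25)]
for i in range(5):
    # The unknowns are characters; bounding them keeps chr() below valid
    # for every model the solver can return.
    for t in range(5):
        s.add(x[i * 5 + t] >= 0, x[i * 5 + t] < 256)
    for j in range(5):
        # Row i of X times column j of v10 must equal v12[i][j].
        s.add(v12[i * 5 + j] == Sum([x[i * 5 + t] * v10[t * 5 + j] for t in range(5)]))

# `if s.check():` is always true because the result object is truthy even for
# unsat, so the loop condition compares against `sat` explicitly.
k = 0
while s.check() == sat:  # enumerate every model in case the system is not unique
    m = s.model()
    # Read the values straight from the model instead of copying the printed
    # assignments back into the script by hand.
    values = [m.eval(x[i], model_completion=True).as_long() for i in range(25)]
    print("[%d]" % k)
    print(m)
    print(''.join(chr(v) for v in values))
    k += 1
    # Exclude this assignment so the next check() must find a different one.
    s.add(Or([x[i] != values[i] for i in range(25)]))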

VidarCamera

通过XML找到关键类:com.example.android.camera2.basic.CameraActivity

再找到关键点

/**
 * Click handler (decompiled) that validates the serial typed into the dialog.
 *
 * The text must be exactly 40 characters. It is packed into ten unsigned
 * 32-bit words, passed through m0encrypthkIa6DI, and compared word by word
 * with a constant table; the dialog is dismissed only when all ten match.
 *
 * NOTE(review): the cipher, its key and the expected words are all constants
 * in the APK, so this check can be inverted offline by anyone holding the
 * package. A serial that has to resist that needs verification the client
 * cannot replay, for example on a server.
 */
public static final void m1onCreate$lambda0(EditText inputsomething, CameraActivity this$0, AlertDialog alertDialog, View view) {
    Intrinsics.checkNotNullParameter(inputsomething, "$inputsomething");
    Intrinsics.checkNotNullParameter(this$0, "this$0");
    String input = inputsomething.getText().toString();
    // Length gate: anything other than 40 characters is rejected immediately.
    if (input.length() != 40) {
        Toast.makeText(this$0, "序列号不正确", 0).show();
        return;
    }
    int[] iArr = UIntArray.m167constructorimpl(10);
    // Pack four characters per word, first character in the lowest byte
    // ('\b' is the char with value 8, i.e. a shift by 8 bits).
    for (int i = 0; i < 40; i += 4) {
        UIntArray.m178setVXSXFK8(iArr, i / 4, UInt.m114constructorimpl(UInt.m114constructorimpl(UInt.m114constructorimpl(UInt.m114constructorimpl(input.charAt(i)) + UInt.m114constructorimpl(input.charAt(i + 1) << '\b')) + UInt.m114constructorimpl(input.charAt(i + 2) << 16)) + UInt.m114constructorimpl(input.charAt(i + 3) << 24)));
    }
    int[] iArr2 = this$0.m0encrypthkIa6DI(iArr);
    // Expected ciphertext; the decompiler prints the unsigned words as signed ints.
    UInt[] uIntArr = {UInt.m108boximpl(637666042), UInt.m108boximpl(457511012), UInt.m108boximpl(-2038734351), UInt.m108boximpl(578827205), UInt.m108boximpl(-245529892), UInt.m108boximpl(-1652281167), UInt.m108boximpl(435335655), UInt.m108boximpl(733644188), UInt.m108boximpl(705177885), UInt.m108boximpl(-596608744)};
    int i2 = 0;
    // Compare indices 0..9; the first mismatch shows the error toast and stops.
    while (true) {
        int i3 = i2 + 1;
        if (uIntArr[i2].m165unboximpl() != UIntArray.m173getpVg5ArA(iArr2, i2)) {
            Toast.makeText(this$0, "序列号不正确", 0).show();
            return;
        } else if (i3 > 9) {
            // All ten words matched.
            alertDialog.dismiss();
            return;
        } else {
            i2 = i3;
        }
    }
}

加密函数:

/**
 * Encrypts the word array in place with an XTEA-like round function
 * (decompiled) and returns the same array.
 *
 * Key words are 2233, 4455, 6677, 8899. The outer loop takes the pairs
 * (0,1), (1,2), ... (8,9), so neighbouring pairs share a word and every
 * pair after the first starts from an already-encrypted word.
 */
private final int[] m0encrypthkIa6DI(int[] iArr) {
    int i;
    int[] iArr2 = UIntArray.m167constructorimpl(4);
    UIntArray.m178setVXSXFK8(iArr2, 0, 2233);
    UIntArray.m178setVXSXFK8(iArr2, 1, 4455);
    UIntArray.m178setVXSXFK8(iArr2, 2, 6677);
    UIntArray.m178setVXSXFK8(iArr2, 3, 8899);
    int i2 = 0;
    while (i2 < 9) {
        // i3 counts rounds, i4 is the running sum; both restart for each pair.
        int i3 = 0;
        int i4 = 0;
        do {
            i3++;
            i = i2 + 1;
            // v0 += ((key[sum & 3] + sum) ^ (((v1 << 4) ^ (v1 >>> 5)) + v1)) ^ sum
            // The trailing "^ sum" is an extra term compared with reference XTEA.
            UIntArray.m178setVXSXFK8(iArr, i2, UInt.m114constructorimpl(UIntArray.m173getpVg5ArA(iArr, i2) + UInt.m114constructorimpl(UInt.m114constructorimpl(UInt.m114constructorimpl(UIntArray.m173getpVg5ArA(iArr2, UInt.m114constructorimpl(i4 & 3)) + i4) ^ UInt.m114constructorimpl(UInt.m114constructorimpl(UInt.m114constructorimpl(UIntArray.m173getpVg5ArA(iArr, i) << 4) ^ UInt.m114constructorimpl(UIntArray.m173getpVg5ArA(iArr, i) >>> 5)) + UIntArray.m173getpVg5ArA(iArr, i))) ^ i4)));
            // v1 += (((v0 << 4) ^ (v0 >>> 5)) + v0) ^ (key[(sum >>> 11) & 3] + sum)
            // Uses the v0 just written and the same sum as the line above.
            UIntArray.m178setVXSXFK8(iArr, i, UInt.m114constructorimpl(UIntArray.m173getpVg5ArA(iArr, i) + UInt.m114constructorimpl(UInt.m114constructorimpl(UInt.m114constructorimpl(UInt.m114constructorimpl(UIntArray.m173getpVg5ArA(iArr, i2) << 4) ^ UInt.m114constructorimpl(UIntArray.m173getpVg5ArA(iArr, i2) >>> 5)) + UIntArray.m173getpVg5ArA(iArr, i2)) ^ UInt.m114constructorimpl(UIntArray.m173getpVg5ArA(iArr2, UInt.m114constructorimpl(UInt.m114constructorimpl(i4 >>> 11) & 3)) + i4))));
            // The sum advances by the constant 878077251 once per round.
            i4 = UInt.m114constructorimpl(i4 + 878077251);
        // i3 is incremented before this test, so the body runs 33 times.
        } while (i3 <= 32);
        i2 = i;
    }
    return iArr;
}

是魔改的XTEA：delta换成了878077251，每组跑33轮，更新第一个字时多异或了一次sum，而且相邻的两个uint是重叠着依次加密的（下标0-1、1-2……8-9），所以解密要从最后一组倒着往前解。

#include <cstdint>
#include <cstdio>
#include <iostream>
// Undo the app's modified XTEA on one pair of words, in place.
// Runs the 33 rounds backwards: the sum starts at delta * 33 and is lowered
// before each round, and the two half-rounds are applied in reverse order.
void decipher(uint32_t v[2]) {
    const uint32_t key[4] = {2233, 4455, 6677, 8899};
    const uint32_t delta = 878077251;
    uint32_t lo = v[0];
    uint32_t hi = v[1];
    uint32_t sum = delta * 33;  // unsigned arithmetic, wraps modulo 2^32
    for (unsigned int round = 33; round > 0; --round) {
        sum -= delta;
        hi -= (((lo << 4) ^ (lo >> 5)) + lo) ^ (sum + key[(sum >> 11) & 3]);
        // The trailing "^ sum" mirrors the extra XOR in the app's encrypt routine.
        lo -= (((hi << 4) ^ (hi >> 5)) + hi) ^ (sum + key[sum & 3]) ^ sum;
    }
    v[0] = lo;
    v[1] = hi;
}
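// Decrypt the ten expected words and print them as 40 characters.
int main() {
    // Expected ciphertext words, written as unsigned hex.
    // Declared as uint32_t so &enc[i] has exactly the type decipher() takes.
    uint32_t enc[] = {0x260202fa,0x1b451064,0x867b61f1,0x228033c5,0xf15d82dc,0x9d8430b1,0x19f2b1e7,0x2bba859c,0x2a08291d,0xdc707918};
    // Encryption walked the overlapping pairs (0,1), (1,2), ... (8,9) in
    // order, so decryption has to peel them off from the last pair back.
    for (int i = 8; i >= 0; --i) {
        decipher(&enc[i]);
    }
    // Each word holds four characters, first character in the lowest byte.
    for (int i = 0; i < 10; ++i) {
        uint32_t word = enc[i];
        for (int j = 0; j < 4; ++j) {
            // %c expects an int argument.
            printf("%c", static_cast<int>(word & 0xff));
            word >>= 8;
        }
    }
    return 0;
}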