一、我将要给你FLAG
下载附件,是一个exe文件,文件名为我将要给你FLAG.exe,首先运行程序,得到如下结果:
bash
I'll give you the FLAG soon
I'll give you the FLAG soon
I'll give you the FLAG soon
I'll give you the FLAG soon
I'll give you the FLAG soon
Content of flag: I don't know why the FLAG isn't displayed here
使用ida打开程序,反编译如下:
c
// Decompiled entry point (IDA pseudo-C). The flag is copied into v5 but never
// printed; only the decoy message in v4 reaches stdout.
int __fastcall main(int argc, const char **argv, const char **envp)
{
char v4[48]; // [rsp+20h] [rbp-70h] BYREF  -- decoy message that gets printed
char v5[60]; // [rsp+50h] [rbp-40h] BYREF  -- flag literal, unused after the copy
int i; // [rsp+8Ch] [rbp-4h]
_main();
// Both strings are plaintext literals baked into the binary, so they can be
// read from the data section without executing anything.
strcpy(v5, "qsnctrf{0ebec219-a7d6-4c50-8aa2-85a43ec7eaa2}");
strcpy(v4, "I don't know why the FLAG isn't displayed here");
// Five one-second delays; nothing is computed while waiting.
for ( i = 0; i <= 4; ++i )
{
puts("I'll give you the FLAG soon");
sleep(1u);
}
printf("Content of flag: %s\n", v4); // prints the decoy (v4), not the flag (v5)
return 0;
}
得到flag为qsnctrf{0ebec219-a7d6-4c50-8aa2-85a43ec7eaa2}
二、慕然回首,那人却在灯火阑珊处
题目提示:Tom能不能捉到Jerry捏? 请找到最短路径!
下载附件,打开是一个Jerry.exe的程序,运行提示:
bash
Welcome to the Maze Game!
Find the path from 'S' to 'E' using w/a/s/d to move.
Enter your moves (e.g., 'wasd'):
使用ida反编译得到如下代码:
c
// Decompiled maze loop (IDA pseudo-C). x, y and maze are globals declared
// outside this listing; maze is addressed as a 10-column grid (10 * x + y),
// '#' (35) is a wall and 'E' (69) is the exit. A blocked move is silently
// ignored but still falls through to the exit check.
int __fastcall __noreturn main(int argc, const char **argv, const char **envp)
{
char move; // [rsp+2Fh] [rbp-1h] BYREF
_main();
puts("Welcome to the Maze Game!");
puts("Find the path from 'S' to 'E' using w/a/s/d to move.");
puts("Enter your moves (e.g., 'wasd'):");
while ( 1 )
{
scanf(" %c", &move); // leading space skips whitespace between moves
if ( move == 100 ) // 'd': handled by the code after the loop, then LABEL_25
break;
if ( move > 100 )
{
if ( move == 115 ) // 's': one row down unless on the last row or into a wall
{
if ( x <= 8 && maze[10 * x + 10 + y] != 35 )
++x;
}
else
{
if ( move != 119 ) // anything other than 'w' here is rejected
goto LABEL_24;
if ( x > 0 && maze[10 * x - 10 + y] != 35 ) // 'w': one row up
--x;
}
LABEL_25:
// Exit check. No flag is ever read or verified by this program: the
// submission is simply the move sequence that reaches 'E'.
if ( maze[10 * x + y] == 69 )
{
puts("You are so clever! This is Jerry!");
puts("xixi Now enter the flag in the format 'sqctf{your_path}':");
exit(0);
}
}
else
{
if ( move == 97 ) // 'a': one column left
{
if ( y > 0 && maze[10 * x - 1 + y] != 35 )
--y;
goto LABEL_25;
}
LABEL_24:
puts("Invalid move!");
}
}
// 'd': one column right, then back into the loop at the exit check.
if ( y <= 8 && maze[10 * x + 1 + y] != 35 )
++y;
goto LABEL_25;
}
发现maze是一个迷宫数组,获取到maze的内容,经过整理:
tex
S**#######
##*#######
#**#######
##**######
###*###**#
#***###**#
#*#####**#
#*#####*E#
#*******##
##########
按照规则规划最短路径,得到flag为sqctf{ddsssdssaasssddddddwd}
三、Lihua's for
题目信息:李华刚学会了c语言的for循环,因此赶紧出了一个crackme来考你,你能解出flag么?题目来源于2021年强网杯青少年专项赛"Lihua's for",得到的FLAG请以flag{}格式提交。
下载解压附件,发现是一个名为crackme.exe的可执行程序,运行后提示输入flag,尝试后没有结果,使用ida反编译后得到下面代码:
c
// Decompiled crackme (IDA pseudo-C). Each input byte is XORed with its index
// and compared, as a 32-bit int, against the 42-entry table at unk_403040.
int __fastcall main(int argc, const char **argv, const char **envp)
{
char flag[48]; // [rsp+20h] [rbp-60h] BYREF
int a[44]; // [rsp+50h] [rbp-30h] BYREF  -- expected values copied from .data
int b[45]; // [rsp+100h] [rbp+80h]      -- encoded input
int i_0; // [rsp+1B4h] [rbp+134h]
int i; // [rsp+1B8h] [rbp+138h]
int good; // [rsp+1BCh] [rbp+13Ch]
_main();
qmemcpy(a, &unk_403040, 0xA8u); // 0xA8 = 168 bytes = 42 ints
puts("input flag");
scanf("%s", flag); // unbounded read into a 48-byte stack buffer
puts(flag);
// b[i] = i ^ flag[i]. XOR with a known value is self-inverse, so applying the
// same operation to the expected table yields the accepted input.
for ( i = 0; i <= 41; ++i )
b[i] = i ^ flag[i];
// Compare all 42 entries; the first mismatch sets good = 0 and stops.
for ( i_0 = 0; i_0 <= 41; ++i_0 )
{
if ( a[i_0] != b[i_0] )
{
good = 0;
break;
}
good = 1;
}
if ( good == 1 )
printf("good~");
else
printf("error!");
return 0;
}
分析得到unk_403040的数据可能是关键部分,读取对应内容:
textile
.data:0000000000403040 unk_403040 db 66h ; f ; DATA XREF: main+1B↑o
.data:0000000000403041 db 0
.data:0000000000403042 db 0
.data:0000000000403043 db 0
.data:0000000000403044 db 6Dh ; m
.data:0000000000403045 db 0
.data:0000000000403046 db 0
.data:0000000000403047 db 0
.data:0000000000403048 db 63h ; c
.data:0000000000403049 db 0
.data:000000000040304A db 0
.data:000000000040304B db 0
.data:000000000040304C db 64h ; d
.data:000000000040304D db 0
.data:000000000040304E db 0
.data:000000000040304F db 0
.data:0000000000403050 db 7Fh ;
.data:0000000000403051 db 0
.data:0000000000403052 db 0
.data:0000000000403053 db 0
.data:0000000000403054 db 64h ; d
.data:0000000000403055 db 0
.data:0000000000403056 db 0
.data:0000000000403057 db 0
.data:0000000000403058 db 32h ; 2
.data:0000000000403059 db 0
.data:000000000040305A db 0
.data:000000000040305B db 0
.data:000000000040305C db 36h ; 6
.data:000000000040305D db 0
.data:000000000040305E db 0
.data:000000000040305F db 0
.data:0000000000403060 db 6Ah ; j
.data:0000000000403061 db 0
.data:0000000000403062 db 0
.data:0000000000403063 db 0
.data:0000000000403064 db 6Ch ; l
.data:0000000000403065 db 0
.data:0000000000403066 db 0
.data:0000000000403067 db 0
.data:0000000000403068 db 3Eh ; >
.data:0000000000403069 db 0
.data:000000000040306A db 0
.data:000000000040306B db 0
.data:000000000040306C db 3Dh ; =
.data:000000000040306D db 0
.data:000000000040306E db 0
.data:000000000040306F db 0
.data:0000000000403070 db 39h ; 9
.data:0000000000403071 db 0
.data:0000000000403072 db 0
.data:0000000000403073 db 0
.data:0000000000403074 db 20h
.data:0000000000403075 db 0
.data:0000000000403076 db 0
.data:0000000000403077 db 0
.data:0000000000403078 db 6Fh ; o
.data:0000000000403079 db 0
.data:000000000040307A db 0
.data:000000000040307B db 0
.data:000000000040307C db 3Ah ; :
.data:000000000040307D db 0
.data:000000000040307E db 0
.data:000000000040307F db 0
.data:0000000000403080 db 20h
.data:0000000000403081 db 0
.data:0000000000403082 db 0
.data:0000000000403083 db 0
.data:0000000000403084 db 77h ; w
.data:0000000000403085 db 0
.data:0000000000403086 db 0
.data:0000000000403087 db 0
.data:0000000000403088 db 3Fh ; ?
.data:0000000000403089 db 0
.data:000000000040308A db 0
.data:000000000040308B db 0
.data:000000000040308C db 27h ; '
.data:000000000040308D db 0
.data:000000000040308E db 0
.data:000000000040308F db 0
.data:0000000000403090 db 25h ; %
.data:0000000000403091 db 0
.data:0000000000403092 db 0
.data:0000000000403093 db 0
.data:0000000000403094 db 27h ; '
.data:0000000000403095 db 0
.data:0000000000403096 db 0
.data:0000000000403097 db 0
.data:0000000000403098 db 22h ; "
.data:0000000000403099 db 0
.data:000000000040309A db 0
.data:000000000040309B db 0
.data:000000000040309C db 3Ah ; :
.data:000000000040309D db 0
.data:000000000040309E db 0
.data:000000000040309F db 0
.data:00000000004030A0 db 7Ah ; z
.data:00000000004030A1 db 0
.data:00000000004030A2 db 0
.data:00000000004030A3 db 0
.data:00000000004030A4 db 2Eh ; .
.data:00000000004030A5 db 0
.data:00000000004030A6 db 0
.data:00000000004030A7 db 0
.data:00000000004030A8 db 78h ; x
.data:00000000004030A9 db 0
.data:00000000004030AA db 0
.data:00000000004030AB db 0
.data:00000000004030AC db 7Ah ; z
.data:00000000004030AD db 0
.data:00000000004030AE db 0
.data:00000000004030AF db 0
.data:00000000004030B0 db 31h ; 1
.data:00000000004030B1 db 0
.data:00000000004030B2 db 0
.data:00000000004030B3 db 0
.data:00000000004030B4 db 2Fh ; /
.data:00000000004030B5 db 0
.data:00000000004030B6 db 0
.data:00000000004030B7 db 0
.data:00000000004030B8 db 29h ; )
.data:00000000004030B9 db 0
.data:00000000004030BA db 0
.data:00000000004030BB db 0
.data:00000000004030BC db 29h ; )
.data:00000000004030BD db 0
.data:00000000004030BE db 0
.data:00000000004030BF db 0
.data:00000000004030C0 db 16h
.data:00000000004030C1 db 0
.data:00000000004030C2 db 0
.data:00000000004030C3 db 0
.data:00000000004030C4 db 40h ; @
.data:00000000004030C5 db 0
.data:00000000004030C6 db 0
.data:00000000004030C7 db 0
.data:00000000004030C8 db 44h ; D
.data:00000000004030C9 db 0
.data:00000000004030CA db 0
.data:00000000004030CB db 0
.data:00000000004030CC db 45h ; E
.data:00000000004030CD db 0
.data:00000000004030CE db 0
.data:00000000004030CF db 0
.data:00000000004030D0 db 12h
.data:00000000004030D1 db 0
.data:00000000004030D2 db 0
.data:00000000004030D3 db 0
.data:00000000004030D4 db 47h ; G
.data:00000000004030D5 db 0
.data:00000000004030D6 db 0
.data:00000000004030D7 db 0
.data:00000000004030D8 db 47h ; G
.data:00000000004030D9 db 0
.data:00000000004030DA db 0
.data:00000000004030DB db 0
.data:00000000004030DC db 41h ; A
.data:00000000004030DD db 0
.data:00000000004030DE db 0
.data:00000000004030DF db 0
.data:00000000004030E0 db 1Ah
.data:00000000004030E1 db 0
.data:00000000004030E2 db 0
.data:00000000004030E3 db 0
.data:00000000004030E4 db 54h ; T
.data:00000000004030E5 db 0
.data:00000000004030E6 db 0
.data:00000000004030E7 db 0
.data:00000000004030E8 db 0
.data:00000000004030E9 db 0
.data:00000000004030EA db 0
.data:00000000004030EB db 0
.data:00000000004030EC db 0
.data:00000000004030ED db 0
.data:00000000004030EE db 0
.data:00000000004030EF db 0
.data:00000000004030F0 db 0
.data:00000000004030F1 db 0
.data:00000000004030F2 db 0
.data:00000000004030F3 db 0
.data:00000000004030F4 db 0
.data:00000000004030F5 db 0
.data:00000000004030F6 db 0
.data:00000000004030F7 db 0
.data:00000000004030F8 db 0
.data:00000000004030F9 db 0
.data:00000000004030FA db 0
.data:00000000004030FB db 0
.data:00000000004030FC db 0
.data:00000000004030FD db 0
.data:00000000004030FE db 0
.data:00000000004030FF db 0
整理得到:
textile
666D63647F6432366A6C3E3D39206F3A20773F272527223A7A2E787A312F292916404445124747411A54
根据程序中对该部分的使用是进行异或处理再比较,所以首先使用hex转字符串,发现不是flag,于是编写相关python程序:
python
# Undo the per-index XOR used by the crackme: entry i of the expected table was
# produced as flag[i] ^ i, and XOR with a known value is its own inverse.
hex_str = "666D63647F6432366A6C3E3D39206F3A20773F272527223A7A2E787A312F292916404445124747411A54"
byte_data = bytes.fromhex(hex_str)
# Rebuild the plaintext one character at a time, XORing each byte with its offset.
flag = "".join(chr(value ^ offset) for offset, value in enumerate(byte_data))
print("Flag is:", flag)
运行得到flag为flag{a41be465-a50f-4124-b7ba-2766aff6baf2}
四、听说你学了C语言?
题目信息:听说你学了C语言,那请你将附件的内容编译并执行,提交得到的结果。
下载附件,打开发现是一个名为题目附件.cpp的源代码,内容如下:
cpp
#include <stdio.h>
#include <ctype.h>
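/**
 * @brief Apply a Caesar shift to every ASCII letter of a NUL-terminated string in place.
 *
 * Letters keep their case; every other byte is left untouched. The shift is
 * reduced to a non-negative remainder modulo 26, so negative shifts
 * (decryption) and shifts larger than the alphabet wrap correctly instead of
 * producing non-letter bytes, which is what the plain C `%` yields when its
 * left operand is negative.
 *
 * @param text  Writable NUL-terminated buffer; may be empty.
 * @param shift Number of positions to rotate; any int, negative allowed.
 * @param mode  Accepted for interface compatibility only. The original
 *              mode == 0 adjustments (+/-26 on 'a'/'z') tested a condition
 *              the surrounding arithmetic could not produce, so they never
 *              fired; both modes now yield the same result.
 */
void caesarCipher(char *text, int shift, int mode) {
    (void)mode;
    // Reduce once so the per-character remainder is always in [0, 25].
    const int step = ((shift % 26) + 26) % 26;
    for (int i = 0; text[i] != '\0'; i++) {
        // isalpha/isupper require an int in unsigned-char range; avoid passing
        // a negative char for bytes >= 0x80.
        const unsigned char c = static_cast<unsigned char>(text[i]);
        if (!isalpha(c)) {
            continue;
        }
        const char base = isupper(c) ? 'A' : 'a';
        text[i] = static_cast<char>(base + (c - base + step) % 26);
    }
}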
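/**
 * @brief Build the challenge string, shift it by 3 and print it as the flag.
 *
 * The original read the trailing input with `scanf("%s", &text)`: an unbounded
 * read into a 14-byte stack buffer, and `&text` has type `char (*)[14]` rather
 * than the `char *` that `%s` expects. The width below caps the read at
 * sizeof(text) - 1 bytes so it can no longer overrun the buffer. The value read
 * is never used; presumably the call only keeps the console open.
 *
 * @return 0 on success.
 */
int main() {
    char text[] = "xyvtc_welcome";
    const int shift = 3;
    caesarCipher(text, shift, 1);
    printf("xyvtc{%s}", text);
    // Width must stay in sync with sizeof(text) (14 bytes: 13 chars + NUL).
    scanf("%13s", text);
    return 0;
}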
编译运行得到xyvtc{abywf_zhofrph},即为flag。
五、easyre
题目信息:没有比这个更简单的了!
下载附件,解压得到easyre.exe,运行没有输出,可以输入,使用ida反编译得到:
c
// Decompiled easyre (IDA pseudo-C). The flag is a plaintext printf literal,
// emitted whenever the two scanned integers are equal.
int __fastcall main(int argc, const char **argv, const char **envp)
{
int v4; // [rsp+28h] [rbp-8h] BYREF
int v5; // [rsp+2Ch] [rbp-4h] BYREF
_main();
scanf("%d %d", &v5, &v4); // return value unchecked; v4/v5 remain uninitialized if parsing fails
if ( v5 == v4 )
printf("qsnctf{3ac31921-322a-45de-ab69-e58269743af0}");
else
printf("sorry, you can't get flag");
return 0;
}
flag就是qsnctf{3ac31921-322a-45de-ab69-e58269743af0},也可以通过输入两个相同的数得到。
六、simple_re
题目信息:Simple Re
解压得到一个exe,使用ida反编译得到:
c
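// Decompiled simple_re (IDA pseudo-C). The reference string is derived at
// runtime by replacing every 'o' in "qsnctf{hello_world}" with '0' before the
// comparison. (The pasted listing carried a duplicated, garbled tail after the
// closing brace; this is the clean function.)
int __fastcall main(int argc, const char **argv, const char **envp)
{
char Str[32]; // [rsp+20h] [rbp-60h] BYREF  -- reference string
char Str1[224]; // [rsp+40h] [rbp-40h] BYREF -- user input
size_t MaxCount; // [rsp+120h] [rbp+A0h]
size_t i; // [rsp+128h] [rbp+A8h]
_main();
strcpy(Str, "qsnctf{hello_world}");
printf("Input the flag: ");
scanf("%20s", Str1); // width-limited read; Str1 has room for 224 bytes
MaxCount = strlen(Str); // 19 bytes take part in the comparison
// In-place substitution 'o' -> '0'; this is the only transformation applied.
for ( i = 0; i < MaxCount; ++i )
{
if ( Str[i] == 'o' )
Str[i] = '0';
}
// Only the first MaxCount bytes are compared, so any trailing input is ignored.
if ( !strncmp(Str1, Str, MaxCount) )
puts("This is the right flag!");
else
puts("Wrong flag");
return 0;
}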
flag就是qsnctf{hell0_w0rld}。
七、encrypt1
题目信息:2024御网杯线下半决赛题目
解压附件得到一个名为encrypt1的文件,拖入ida发现是elf,反编译代码后得到:
cpp
// Decompiled encrypt1 (IDA pseudo-C of a C++ iostream binary). The input must
// be exactly 32 bytes; input byte i is XORed with a running key v9 and compared
// with the expected byte v13[i].
int __fastcall main(int argc, const char **argv, const char **envp)
{
int v3; // ebx      -- return value on the error path
int v4; // eax
__int64 v5; // rax
int v6; // r12d     -- 1 when every byte matched
__int64 v7; // rax
char v9; // [rsp+17h] [rbp-69h]  -- running key byte
int i; // [rsp+18h] [rbp-68h]
int j; // [rsp+1Ch] [rbp-64h]
_BYTE v12[32]; // [rsp+20h] [rbp-60h] BYREF  -- std::string holding the input
_BYTE v13[40]; // [rsp+40h] [rbp-40h]        -- 32 expected ciphertext bytes
unsigned __int64 v14; // [rsp+68h] [rbp-18h]
v14 = __readfsqword(0x28u); // stack canary load
// Expected ciphertext, one byte per input position.
v13[0] = 'M';
v13[1] = '\x7F';
v13[2] = 'p';
v13[3] = 'F';
v13[4] = 'J';
v13[5] = '!';
v13[6] = ',';
v13[7] = '\x17';
v13[8] = 'I';
v13[9] = '"';
v13[10] = '-';
v13[11] = 'H';
v13[12] = '\x13';
v13[13] = '\'';
v13[14] = 'p';
v13[15] = 'F';
v13[16] = '\x13';
v13[17] = 's';
v13[18] = '$';
v13[19] = 'F';
v13[20] = '\x11';
v13[21] = '$';
v13[22] = 't';
v13[23] = '\x11';
v13[24] = 'E';
v13[25] = '\x7F';
v13[26] = 'x';
v13[27] = '\x17';
v13[28] = '\x1E';
v13[29] = 'q';
v13[30] = '.';
v13[31] = '\x12';
// NOTE(review): the argv/envp arguments here look like decompiler noise around
// a default-constructed std::string — confirm against the disassembly.
std::string::basic_string(v12, argv, envp);
std::operator>><char>(&std::cin, v12); // reads one whitespace-delimited token
if ( std::string::length(v12) != 32 )
{
v4 = std::string::length(v12);
exit(v4); // the input length becomes the process exit status
}
v9 = 'z'; // initial key byte (0x7A)
for ( i = 0; i <= 31; ++i )
{
// The inner loop runs again for every i, so v9 keeps accumulating the XOR
// of the input prefix: the key for byte i depends on all earlier input
// bytes, which is why a solver has to recover the bytes in order.
for ( j = 0; j < i; ++j )
v9 ^= *(_BYTE *)std::string::operator[](v12, j);
// First mismatch aborts the check immediately.
if ( ((unsigned __int8)v9 ^ *(_BYTE *)std::string::operator[](v12, i)) != v13[i] )
{
v5 = std::operator<<<std::char_traits<char>>(&std::cout, "error");
std::ostream::operator<<(v5, &std::endl<char,std::char_traits<char>>);
v3 = 0;
v6 = 0;
goto LABEL_12;
}
}
v7 = std::operator<<<std::char_traits<char>>(&std::cout, "You have got the flag!");
std::ostream::operator<<(v7, &std::endl<char,std::char_traits<char>>);
v6 = 1;
LABEL_12:
std::string::~string(v12);
if ( v6 == 1 )
return 0;
return v3; // also 0 on the error path, so the exit status does not tell the outcomes apart
}
分析后发现使用了异或加密,编写对应python脚本:
python
# Expected ciphertext bytes (v13 in the decompiled binary), one per position.
v13 = [
    77, 127, 112, 70, 74, 33, 44, 23,
    73, 34, 45, 72, 19, 39, 112, 70,
    19, 115, 36, 70, 17, 36, 116, 17,
    69, 127, 120, 23, 30, 113, 46, 18
]
seed = 122  # 'z', the initial value of the running key v9
flag = []
current_v9 = seed
for i in range(32):
    # Mirror the binary: before byte i is handled, the key is XORed with every
    # byte recovered so far (flag holds exactly i entries at this point).
    for recovered in flag:
        current_v9 ^= recovered
    # XOR is self-inverse, so key ^ ciphertext gives the plaintext byte.
    flag.append(current_v9 ^ v13[i])
result = "".join(map(chr, flag))
print("Flag is:", result)
运行后得到32位字符串72831e2a6b086a44cb6abaf2e9a07afd,加上格式后flag为flag{72831e2a6b086a44cb6abaf2e9a07afd}
八、你看得懂汇编吗
题目信息:你看得懂汇编吗?这是世界上最简单的语言了。
下载附件,得到一个名为附件.asm的汇编源代码,内容如下:
nasm
section .data
flag db "}97caeec9b59f5bf53da48ef5e0a7e4b0{galf",0 ; stored reversed: the accepted input is this string read backwards
success db "正确",0
fail db "不正确",0
section .bss
user_input resb 256
section .text
global _start
_start:
; read user input (32-bit Linux syscall ABI via int 0x80)
mov eax, 3 ; syscall: sys_read
mov ebx, 0 ; file descriptor: stdin
mov ecx, user_input ; buffer
mov edx, 256 ; buffer size
int 0x80 ; call kernel
; strip the trailing newline
mov ecx, user_input
mov edi, eax ; eax contains the number of bytes read
dec edi ; exclude the newline character
mov byte [ecx + edi], 0 ; null-terminate the string
; reverse the input string in place
mov esi, user_input
mov edi, esi
add edi, eax
dec edi ; point to the last character (excluding null terminator)
; NOTE(review): user_input + eax - 1 is the same offset that was just zeroed
; above (assuming the input ended with a newline), so the terminator itself
; takes part in the swaps and ends up at user_input[0].
reverse_loop:
cmp esi, edi
jge compare ; if start >= end, go to compare
; swap characters
mov al, [esi] ; clobbers the byte count in eax; it is not used again
mov bl, [edi]
mov [esi], bl
mov [edi], al
inc esi
dec edi
jmp reverse_loop
compare:
; compare the reversed string with flag
mov esi, user_input
mov edi, flag
; NOTE(review): ecx still holds the address of user_input (loaded above), not a
; byte count, so repe cmpsb keeps comparing past both terminators until the
; first differing byte; the byte after flag's NUL is the start of `success`,
; so even a matching input is unlikely to leave ZF set.
repe cmpsb
je success_message
; print the failure message
mov eax, 4 ; syscall: sys_write
mov ebx, 1 ; file descriptor: stdout
mov ecx, fail ; buffer
mov edx, 9 ; buffer size ; "不正确" is 9 bytes if the source is UTF-8
int 0x80 ; call kernel
jmp exit
success_message:
; print the success message
mov eax, 4 ; syscall: sys_write
mov ebx, 1 ; file descriptor: stdout
mov ecx, success ; buffer
mov edx, 9 ; buffer size ; NOTE(review): "正确" is 6 bytes in UTF-8, so 9 also writes its NUL and two bytes of `fail`
int 0x80 ; call kernel
exit:
; exit the program
mov eax, 1 ; syscall: sys_exit
xor ebx, ebx ; exit code 0
int 0x80 ; call kernel
发现flag是反向的,}97caeec9b59f5bf53da48ef5e0a7e4b0{galf,反向后得到真正的flag,flag{0b4e7a0e5fe84ad35fb5f95b9ceeac79}。