听说是金砖五国的比赛,管它呢,做就完事了。
babyrev
简述
给了一个xml文件,同时描述中提供了一个网址:http://snap.berkeley.edu/offline
我英语不好,一开始没看懂啥意思,后来才发现全文大部分篇幅都在说如何使用离线方案,其实不用这么麻烦,直接点开第二行的网址即可,使用在线的服务。
在线方案
打开https://snap.berkeley.edu/snap/snap.html
导入题目给出的xml文件:
很显然,结合本题的名称,babyrev,这是小孩子玩的卡片式编程。
emmm,写完这部分博文后我才发现可以修改页面语言:
代码中的关键字也可以改成汉语,本来难度就不高,现在难度更低了。
流程
屏幕最右侧有7个sprite:
分别点击时可以屏幕中间区域显示卡片代码,后面6个对应的卡片都对应着这样的卡片代码,就是收到相应的信号时显示所对应的图片:
第一个sprite共有五个卡片。
下图的三个卡片是程序的初始化和终止,对加密逻辑的分析没有影响,不用看。
左上的是当按下空格键时,程序开始运行(发出start_banner信号)。
左下的是当点击某个东西的时候,设置key=[], 程序运行状态为0
右边的是当i为某个数值时,发出显示某个图片的信号。
关键的逻辑代码是剩下的两个卡片:
左边的是加密后的数据
右边的是关键代码,加密很简单,就是异或33。
python模拟卡片代码
def encrypt():
secret = [92,0,74,66,116,77,126,69,17,102,126,69,79,97,126,18,76,17,98,16,77,18,86,90,82,66,72,83,67,88,66]
secret = secret[::-1] # 可能唯一需要注意的地方就是这里了
key = input('say me the key:')
key = [ord(i) for i in key]
test = []
for i in range(len(key)):
test.append(key[i] ^ 33)
if len(test) == len(secret):
is_ok = 1
for i in range(len(test)):
if (test[i] < secret[i]) or (test[i] > secret[i]):
is_ok = 0
if is_ok == 1:
print('Well done!')
else:
print('No!!!!')
else:
print('No!!!!')
为啥要secret = secret[::-1]呢?
因为上图左侧的卡片,向secret插入数据时,是向列表的头插入的,而不是向列表尾插入的:
python解密
def decrypt():
a = [92,0,74,66,116,77,126,69,17,102,126,69,79,97,126,18,76,17,98,16,77,18,86,90,82,66,72,83,67,88,66]
a = a[::-1] # 可能唯一需要注意的地方就是这里了
for i in a:
print(chr(i ^ 33),end='')
decrypt()
cybrics{w3l1C0m3_@nd_G0d_lUck!}
polylot
题目简介大意是你掌握了多门语言了吗?
c语言
给出了一段c代码:
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
char flagged[] = {};
int main(){
char *key = getenv("XKEY");
if((!key) ||strncmp("mod3r0d!",key,8 )){
puts(";[");
return 1;
}
unsigned long long val = *(unsigned long long *)key;
unsigned long long *ptr = (unsigned long long *)flagged;
while (*ptr != 0) {
*ptr = *ptr ^ val;
ptr += 1;
}
puts(flagged);
}
main函数中有如下片段:
char *key = getenv("XKEY");
if((!key) ||strncmp("mod3r0d!",key,8 )){
puts(";[");
return 1;
}
从环境变量中查找XKEY并检测其值是否为mod3r0d!
,如果没找到或其值不是mod3r0d!
,则退出程序。绕过很简单,删掉这部分代码,并设置key = mod3r0d!
修改后的main函数为:
int main(){
/*char *key = getenv("XKEY");
if((!key) ||strncmp("mod3r0d!",key,8 )){ //key = mod3r0d!
puts(";[");
return 1;
}*/
char *key = "mod3r0d!";
unsigned long long val = *(unsigned long long *)key;
unsigned long long *ptr = (unsigned long long *)flagged;
while (*ptr != 0) {
*ptr = *ptr ^ val;
ptr += 1;
}
puts(flagged);
}
c++
运行后输出一段c++代码:
#include <iostream>
template <unsigned int a, unsigned int b>
struct t1 {
enum { value = b + t1<a-1, b>::value };
};
template <unsigned int b>
struct t1<0, b> {
enum { value = 0 };
};
template <unsigned int a, unsigned int b>
struct t2 {
enum { value = 1 + t2<a-1, b>::value };
};
template <unsigned int b>
struct t2<0, b> {
enum { value = 1 + t2<0, b-1>::value };
};
template<>
struct t2<0, 0>{
enum { value = 0};
};
void decode(unsigned char *data, unsigned int val){
unsigned int *ptr = reinterpret_cast<unsigned int *>(data);
while (*ptr != 0) {
*ptr = *ptr ^ val;
val = (val ^ (val << 1)) ^ 0xc2154216;
ptr += 1;
}
}
unsigned char flagged[] = {5,78,186,165,208,83,107,233,137,90,173,22,11,55,64,102,120,96,164,86,86,40,53,48,46,240,191,79,163,147,87,144,13,54,47,105,205,251,163,168,220,241,45,203,105,83,176,71,111,62,70,221,93,16,218,44,96,189,187,173,165,84,27,170,76,77,204,37,199,84,203,33,253,32,19,206,38,29,99,160,69,81,157,157,124,126,68,141,97,180,138,16,220,221,201,196,76,32,74,137,130,231,10,157,149,163,144,254,60,61,214,154,60,50,81,45,18,84,166,167,37,170,234,206,184,0,133,10,102,46,192,234,130,7,107,251,158,117,171,10,98,88,109,81,60,108,172,24,87,63,125,6,31,246,143,77,179,162,107,181,102,100,104,42,130,237,169,131,158,180,52,135,59,16,165,82,108,119,21,144,113,27,219,101,20,167,164,166,254,65,26,225,15,76,216,38,214,11,239,17,208,10,19,206,38,29,96,208,60,37,245,242,18,109,74,149,96,181,139,61,246,221,201,196,76,100,15,207,130,190,72,254,250,241,152,247,38,16,252,154,60,50,81,45,18,84,166,245,96,254,191,156,246,0,149,39,76,3,234,234,130,7,45,243,175,73,167,1,99,19,46,3,67,110,181,25,92,33,42,56,50,242,131,70,163,147,64,148,97,78,104,42,130,174,237,252,208,241,99,135,38,16,241,11,60,50,70,158,18,84,159,32,96,254,244,227,246,0,72,232,0,76,206,41,206,84,206,22,250,10,19,206,38,29,96,208,60,37,245,242,18,109,74,149,96,181,139,61,246,221,201,196,76,100,15,207,130,174,85,195,194,229,148,218,12,16,252,154,60,50,81,45,18,84,166,245,96,254,191,156,246,0,149,39,76,3,234,234,130,7,107,189,208,10,174,11,89,94,34,8,121,43,161,25,109,43,63,56,39,230,204,36,220,221,20,152,76,100,104,42,130,174,237,252,208,241,99,135,38,16,241,11,60,50,70,158,18,84,159,32,96,254,183,172,178,69,68,139,102,3,141,104,130,7,194,59,208,10,19,206,38,29,96,208,60,37,245,242,18,109,74,149,96,181,139,61,246,221,138,139,2,55,91,156,142,131,110,211,208,241,152,247,38,16,252,154,60,50,81,45,18,84,166,245,96,254,191,156,246,0,149,39,76,3,234,234,204,70,38,248,131,6,197,111,38,29,109,76,60,37,226,86,18,109,115,121,96,181,192,9,246,221,20,152,76,100,104,42,130,174,237,252,208,165,54,215,106,85,249,112,62,100,67,218,16,84,217,111,50,254,189,227,191,78,72,244,13,77,202,45,138,73,142,116,147,75,95,157,47,96,105,220,17,15,245,242,18,109,74,149,96,181,139,61,246,221,201,196,76,100,15,207,130,174,68,211,208,241,152,247,38,16,252,220,114,77,18,98,86,17,168,182,47,129,249,213,186,69,219,102,1,70,230,199,168,7,107,189,208,10,232,69,38,29,109,76,60,37,226,86,18,109,115,121,96,181,192,9,246,221,20,152,76,100,46,100,253,237,162,184,149,255,32,200,89,94,176,70,121,62,107,180,18,84,159,32,96,254,244,227,246,0,72,166,76,3,141,104,130,7,194,59,208,10,19,206,38,29,96,208,60,99,187,141,81,34,14,208,110,246,196,66,176,148,155,151,24,40,70,129,199,224,11,223,253,219,152,247,38,16,252,154,60,50,81,45,18,84,166,245,96,254,191,156,246,0,149,39,76,3,234,234,130,7,107,251,158,117,171,10,98,88,99,15,115,90,174,24,93,57,50,59,108,152,234,9,246,221,20,152,76,100,104,42,130,174,237,252,208,241,99,135,38,16,241,11,60,50,70,158,18,84,159,32,38,176,139,160,185,68,13,168,15,76,242,46,208,66,135,109,145,88,64,194,11,55,96,208,60,37,245,242,18,109,74,149,96,181,139,61,246,221,201,196,76,100,15,207,130,174,68,211,208,241,152,177,104,111,191,213,120,119,95,110,93,43,229,176,44,178,233,221,164,83,156,10,102,3,234,234,130,78,37,243,149,88,230,58,89,94,34,8,121,90,157,86,15,109,48,61,31,251,133,94,219,247,20,152,76,100,58,111,214,251,191,178,208,184,45,201,99,66,220,33,17,24,0,143,18,73,159,100,37,184,189,173,179,127,14,243,2,64,133,122,142,21,206,121,215,86,111,150,54,13,60,172,100,53,228,185,110,53,90,135,19,201,211,45,230,218,197,196,68,10,64,129,199,162,77,223,208,249,145,254,11,58,186,136,60,47,81,105,87,18,239,187,37,129,249,201,184,67,157,54,64,18,230,168,133,83,23,229,192,26,180,57,126,13,125,48,100,61,241,42,74,125,98,10,28,237,208,25,241,209,20,144,34,43,38,111,142,167,225,252,216,246,44,213,98,23,253,2,53,31,108,216,1,84,130,32,36,187,178,170,184,69,55,224,25,77,206,96,146,11,210,55,146,13,71,178,126,13,112,148,64,125,229,227,110,53,82,134,28,237,155,44,133,161,145,212,92,99,3,207,138,192,11,157,149,253,152,247,33,119,181,204,121,50,28,104,18,18,234,180,39,228,191,155,255,12,149,47,75,74,164,186,215,83,108,177,217,3,197,111,96,9,109,81,60,97,167,16,91,35,54,6,38,224,142,74,254,204,24,152,95,104,104,104,133,234,145,164,192,224,39,251,126,0,227,79,64,106,86,141,86,40,199,48,116,186,136,187,230,21,12,218,20,19,156,44,254,95,210,45,148,118,75,222,49,89,28,136,44,61,177,142,70,41,54,205,112,166,207,65,184,153,181,156,92,38,75,179,218,190,7,151,172,163,220,139,126,0,228,222,64,106,65,110,86,40,254,229,37,186,195,196,230,67,209,91,20,19,172,174,254,95,123,248,148,118,176,84,54,89,17,20,45,52,166,42,70,41,15,33,113,167,132,117,174,205,7,220,48,60,121,58,198,210,181,236,195,181,31,223,54,85,181,119,100,35,85,218,110,12,143,98,36,130,186,167,138,88,89,178,8,127,213,120,154,67,190,99,193,25,87,178,126,13,113,148,64,125,229,227,86,17,4,209,28,225,207,65,174,205,216,128,48,60,30,221,198,210,28,195,146,181,228,175,55,0,184,230,100,34,23,105,110,12,183,225,36,130,231,140,229,68,233,127,92,65,174,150,218,22,126,249,172,82,249,83,97,12,48,48,100,53,243,2,110,53,99,105,60,201,152,25,230,161,76,128,95,24,48,58,147,250,145,164,192,225,63,251,126,0,224,119,100,42,85,226,74,68,142,107,28,166,228,240,164,124,16,190,94,87,241,48,146,22,134,71,136,27,4,178,126,5,115,172,100,53,228,142,74,125,91,233,56,165,155,121,138,133,216,220,63,24,87,223,146,250,56,139,192,227,196,139,126,0,236,198,64,106,65,60,110,12,190,230,28,166,175,142,146,124,205,55,92,126,238,183,254,95,123,175,132,118,176,85,53,65,17,20,44,55,166,42,74,124,106,5,56,164,217,117,174,205,4,204,48,60,120,62,222,210,181,236,194,181,31,223,55,81,141,83,45,43,58,198,2,68,227,120,120,237,136,187,230,17,52,254,84,16,241,48,146,21,134,71,136,27,11,133,90,69,112,194,110,89,173,234,81,17,18,133,113,201,211,45,230,153,181,156,93,124,124,179,218,190,84,130,172,169,128,180,98,108,164,139,126,65,45,117,2,68,161,249,77,212,191,156,246,0,149,39,76,3,234,234,130,7,107,189,208,10,232,77,72,82,35,9,48,37,251,79,30,109,98,107,113,185,192,16,238,209,20,137,93,112,100,42,147,190,248,240,208,224,114,146,42,16,224,25,47,62,70,139,0,88,159,57,119,242,244,242,230,16,68,166,89,18,129,104,147,23,211,55,208,31,6,194,38,8,119,220,60,48,230,254,18,120,94,153,96,161,147,49,246,201,208,200,76,113,31,195,130,187,82,223,208,224,136,229,42,16,237,136,41,62,81,42,126,17,232,178,52,182,191,209,191,83,216,102,24,64,162,235,133,11,107,219,145,70,187,0,42,29,124,64,60,53,238,86,102,63,38,60,105,185,237,35,246,221,20,152,76,100,104,42,130,174,237,252,208,241,99,135,38,24,246,71,121,124,65,146,18,83,207,114,41,176,160,228,250,0,79,252,5,83,138,100,130,0,132,42,215,6,19,201,96,15,103,217,53,8,223,180,7,109,87,149,36,240,205,116,184,152,182,130,25,42,76,199,146,162,68,194,220,179,159,163,90,72,236,138,64,106,73,62,110,12,182,229,61,130,231,140,230,84,233,127,92,18,182,150,218,23,123,193,136,18,251,57,126,13,124,8,64,125,242,71,89,17,43,105,120,231,188,81,231,158,64,228,20,116,122,110,254,246,253,238,172,169,123,148,90,72,225,26,64,106,86,143,110,12,143,48,46,130,172,243,238,84,52,254,92,17,201,20,218,23,209,71,136,18,0,178,126,13,113,172,100,53,228,142,74,125,90,209,28,237,155,45,133,161,145,212,92,99,3,199,236,225,10,150,220,241,254,182,106,67,185,150,60,53,63,98,66,17,167,242,108,254,184,229,179,80,148,32,69,15,234,226,133,65,120,186,220,10,239,3,50,26,97,76,59,117,176,31,92,57,116,112,105,152,234,79,227,213,29,181,102,73,66,42,130,174,237,220,240,209,67,167,0,0,0,0};
int main(){
decode(flagged, t2<0xcaca0000, t2<444, t1<t2<100, t1<4,3>::value>::value, t2<44, t1<11,3>::value>::value>::value>::value>::value);
std::cout << flagged <<std::endl;
}
emmm,用到了模板的语法,我虽然不太懂template的语法,但是也很容易看出就是一个递归。
t1<a,b>可以归纳为a*b
t2<a,b>可以归纳为a+b
修改后的c++代码为:
#include <iostream>
/*template <unsigned int a, unsigned int b>
struct t1 {
enum { value = b + t1<a-1, b>::value };
};
template <unsigned int b>
struct t1<0, b> {
enum { value = 0 };
};
template <unsigned int a, unsigned int b>
struct t2 {
enum { value = 1 + t2<a-1, b>::value };
};
template <unsigned int b>
struct t2<0, b> {
enum { value = 1 + t2<0, b-1>::value };
};
template<>
struct t2<0, 0>{
enum { value = 0};
};*/
int f1(int a, int b){
return a*b;
}
int f2(int a, int b){
return a+b;
}
void decode(unsigned char *data, unsigned int val){
unsigned int *ptr = reinterpret_cast<unsigned int *>(data);
while (*ptr != 0) {
*ptr = *ptr ^ val;
val = (val ^ (val << 1)) ^ 0xc2154216;
ptr += 1;
}
}
unsigned char flagged[] = {5,78,186,165,208,83,107,233,137,90,173,22,11,55,64,102,120,96,164,86,86,40,53,48,46,240,191,79,163,147,87,144,13,54,47,105,205,251,163,168,220,241,45,203,105,83,176,71,111,62,70,221,93,16,218,44,96,189,187,173,165,84,27,170,76,77,204,37,199,84,203,33,253,32,19,206,38,29,99,160,69,81,157,157,124,126,68,141,97,180,138,16,220,221,201,196,76,32,74,137,130,231,10,157,149,163,144,254,60,61,214,154,60,50,81,45,18,84,166,167,37,170,234,206,184,0,133,10,102,46,192,234,130,7,107,251,158,117,171,10,98,88,109,81,60,108,172,24,87,63,125,6,31,246,143,77,179,162,107,181,102,100,104,42,130,237,169,131,158,180,52,135,59,16,165,82,108,119,21,144,113,27,219,101,20,167,164,166,254,65,26,225,15,76,216,38,214,11,239,17,208,10,19,206,38,29,96,208,60,37,245,242,18,109,74,149,96,181,139,61,246,221,201,196,76,100,15,207,130,190,72,254,250,241,152,247,38,16,252,154,60,50,81,45,18,84,166,245,96,254,191,156,246,0,149,39,76,3,234,234,130,7,45,243,175,73,167,1,99,19,46,3,67,110,181,25,92,33,42,56,50,242,131,70,163,147,64,148,97,78,104,42,130,174,237,252,208,241,99,135,38,16,241,11,60,50,70,158,18,84,159,32,96,254,244,227,246,0,72,232,0,76,206,41,206,84,206,22,250,10,19,206,38,29,96,208,60,37,245,242,18,109,74,149,96,181,139,61,246,221,201,196,76,100,15,207,130,174,85,195,194,229,148,218,12,16,252,154,60,50,81,45,18,84,166,245,96,254,191,156,246,0,149,39,76,3,234,234,130,7,107,189,208,10,174,11,89,94,34,8,121,43,161,25,109,43,63,56,39,230,204,36,220,221,20,152,76,100,104,42,130,174,237,252,208,241,99,135,38,16,241,11,60,50,70,158,18,84,159,32,96,254,183,172,178,69,68,139,102,3,141,104,130,7,194,59,208,10,19,206,38,29,96,208,60,37,245,242,18,109,74,149,96,181,139,61,246,221,138,139,2,55,91,156,142,131,110,211,208,241,152,247,38,16,252,154,60,50,81,45,18,84,166,245,96,254,191,156,246,0,149,39,76,3,234,234,204,70,38,248,131,6,197,111,38,29,109,76,60,37,226,86,18,109,115,121,96,181,192,9,246,221,20,152,76,100,104,42,130,174,237,252,208,165,54,215,106,85,249,112,62,100,67,218,16,84,217,111,50,254,189,227,191,78,72,244,13,77,202,45,138,73,142,116,147,75,95,157,47,96,105,220,17,15,245,242,18,109,74,149,96,181,139,61,246,221,201,196,76,100,15,207,130,174,68,211,208,241,152,247,38,16,252,220,114,77,18,98,86,17,168,182,47,129,249,213,186,69,219,102,1,70,230,199,168,7,107,189,208,10,232,69,38,29,109,76,60,37,226,86,18,109,115,121,96,181,192,9,246,221,20,152,76,100,46,100,253,237,162,184,149,255,32,200,89,94,176,70,121,62,107,180,18,84,159,32,96,254,244,227,246,0,72,166,76,3,141,104,130,7,194,59,208,10,19,206,38,29,96,208,60,99,187,141,81,34,14,208,110,246,196,66,176,148,155,151,24,40,70,129,199,224,11,223,253,219,152,247,38,16,252,154,60,50,81,45,18,84,166,245,96,254,191,156,246,0,149,39,76,3,234,234,130,7,107,251,158,117,171,10,98,88,99,15,115,90,174,24,93,57,50,59,108,152,234,9,246,221,20,152,76,100,104,42,130,174,237,252,208,241,99,135,38,16,241,11,60,50,70,158,18,84,159,32,38,176,139,160,185,68,13,168,15,76,242,46,208,66,135,109,145,88,64,194,11,55,96,208,60,37,245,242,18,109,74,149,96,181,139,61,246,221,201,196,76,100,15,207,130,174,68,211,208,241,152,177,104,111,191,213,120,119,95,110,93,43,229,176,44,178,233,221,164,83,156,10,102,3,234,234,130,78,37,243,149,88,230,58,89,94,34,8,121,90,157,86,15,109,48,61,31,251,133,94,219,247,20,152,76,100,58,111,214,251,191,178,208,184,45,201,99,66,220,33,17,24,0,143,18,73,159,100,37,184,189,173,179,127,14,243,2,64,133,122,142,21,206,121,215,86,111,150,54,13,60,172,100,53,228,185,110,53,90,135,19,201,211,45,230,218,197,196,68,10,64,129,199,162,77,223,208,249,145,254,11,58,186,136,60,47,81,105,87,18,239,187,37,129,249,201,184,67,157,54,64,18,230,168,133,83,23,229,192,26,180,57,126,13,125,48,100,61,241,42,74,125,98,10,28,237,208,25,241,209,20,144,34,43,38,111,142,167,225,252,216,246,44,213,98,23,253,2,53,31,108,216,1,84,130,32,36,187,178,170,184,69,55,224,25,77,206,96,146,11,210,55,146,13,71,178,126,13,112,148,64,125,229,227,110,53,82,134,28,237,155,44,133,161,145,212,92,99,3,207,138,192,11,157,149,253,152,247,33,119,181,204,121,50,28,104,18,18,234,180,39,228,191,155,255,12,149,47,75,74,164,186,215,83,108,177,217,3,197,111,96,9,109,81,60,97,167,16,91,35,54,6,38,224,142,74,254,204,24,152,95,104,104,104,133,234,145,164,192,224,39,251,126,0,227,79,64,106,86,141,86,40,199,48,116,186,136,187,230,21,12,218,20,19,156,44,254,95,210,45,148,118,75,222,49,89,28,136,44,61,177,142,70,41,54,205,112,166,207,65,184,153,181,156,92,38,75,179,218,190,7,151,172,163,220,139,126,0,228,222,64,106,65,110,86,40,254,229,37,186,195,196,230,67,209,91,20,19,172,174,254,95,123,248,148,118,176,84,54,89,17,20,45,52,166,42,70,41,15,33,113,167,132,117,174,205,7,220,48,60,121,58,198,210,181,236,195,181,31,223,54,85,181,119,100,35,85,218,110,12,143,98,36,130,186,167,138,88,89,178,8,127,213,120,154,67,190,99,193,25,87,178,126,13,113,148,64,125,229,227,86,17,4,209,28,225,207,65,174,205,216,128,48,60,30,221,198,210,28,195,146,181,228,175,55,0,184,230,100,34,23,105,110,12,183,225,36,130,231,140,229,68,233,127,92,65,174,150,218,22,126,249,172,82,249,83,97,12,48,48,100,53,243,2,110,53,99,105,60,201,152,25,230,161,76,128,95,24,48,58,147,250,145,164,192,225,63,251,126,0,224,119,100,42,85,226,74,68,142,107,28,166,228,240,164,124,16,190,94,87,241,48,146,22,134,71,136,27,4,178,126,5,115,172,100,53,228,142,74,125,91,233,56,165,155,121,138,133,216,220,63,24,87,223,146,250,56,139,192,227,196,139,126,0,236,198,64,106,65,60,110,12,190,230,28,166,175,142,146,124,205,55,92,126,238,183,254,95,123,175,132,118,176,85,53,65,17,20,44,55,166,42,74,124,106,5,56,164,217,117,174,205,4,204,48,60,120,62,222,210,181,236,194,181,31,223,55,81,141,83,45,43,58,198,2,68,227,120,120,237,136,187,230,17,52,254,84,16,241,48,146,21,134,71,136,27,11,133,90,69,112,194,110,89,173,234,81,17,18,133,113,201,211,45,230,153,181,156,93,124,124,179,218,190,84,130,172,169,128,180,98,108,164,139,126,65,45,117,2,68,161,249,77,212,191,156,246,0,149,39,76,3,234,234,130,7,107,189,208,10,232,77,72,82,35,9,48,37,251,79,30,109,98,107,113,185,192,16,238,209,20,137,93,112,100,42,147,190,248,240,208,224,114,146,42,16,224,25,47,62,70,139,0,88,159,57,119,242,244,242,230,16,68,166,89,18,129,104,147,23,211,55,208,31,6,194,38,8,119,220,60,48,230,254,18,120,94,153,96,161,147,49,246,201,208,200,76,113,31,195,130,187,82,223,208,224,136,229,42,16,237,136,41,62,81,42,126,17,232,178,52,182,191,209,191,83,216,102,24,64,162,235,133,11,107,219,145,70,187,0,42,29,124,64,60,53,238,86,102,63,38,60,105,185,237,35,246,221,20,152,76,100,104,42,130,174,237,252,208,241,99,135,38,24,246,71,121,124,65,146,18,83,207,114,41,176,160,228,250,0,79,252,5,83,138,100,130,0,132,42,215,6,19,201,96,15,103,217,53,8,223,180,7,109,87,149,36,240,205,116,184,152,182,130,25,42,76,199,146,162,68,194,220,179,159,163,90,72,236,138,64,106,73,62,110,12,182,229,61,130,231,140,230,84,233,127,92,18,182,150,218,23,123,193,136,18,251,57,126,13,124,8,64,125,242,71,89,17,43,105,120,231,188,81,231,158,64,228,20,116,122,110,254,246,253,238,172,169,123,148,90,72,225,26,64,106,86,143,110,12,143,48,46,130,172,243,238,84,52,254,92,17,201,20,218,23,209,71,136,18,0,178,126,13,113,172,100,53,228,142,74,125,90,209,28,237,155,45,133,161,145,212,92,99,3,199,236,225,10,150,220,241,254,182,106,67,185,150,60,53,63,98,66,17,167,242,108,254,184,229,179,80,148,32,69,15,234,226,133,65,120,186,220,10,239,3,50,26,97,76,59,117,176,31,92,57,116,112,105,152,234,79,227,213,29,181,102,73,66,42,130,174,237,220,240,209,67,167,0,0,0,0};
int main(){
//decode(flagged, t2<0xcaca0000, t2<444, t1<t2<100, t1<4,3>::value>::value, t2<44, t1<11,3>::value>::value>::value>::value>::value);
decode(flagged, f2(0xcaca0000, f2(444, f1(f2(100, f1(4, 3)), f2(44, f1(11, 3))))));
std::cout << flagged <<std::endl;
}
python
上面代码输出一个python代码:
import types
def define_func(argcount, nlocals, code, consts, names):
#PYTHON3.8!!!
def inner():
return 0
fn_code = inner.__code__
cd_new = types.CodeType(argcount,
0,
fn_code.co_kwonlyargcount,
nlocals,
1024,
fn_code.co_flags,
code,
consts,
names,
tuple(["v%d" for i in range(nlocals)]),
fn_code.co_filename,
fn_code.co_name,
fn_code.co_firstlineno,
fn_code.co_lnotab,
fn_code.co_freevars,
fn_code.co_cellvars)
inner.__code__ = cd_new
return inner
f1 = define_func(2,2,b'|\x00|\x01k\x02S\x00', (None,), ())
f2 = define_func(1,1,b't\x00|\x00\x83\x01S\x00', (None,), ('ord',))
f3 = define_func(0,0,b't\x00d\x01\x83\x01S\x00', (None, 'Give me flag: '), ('input',))
f4 = define_func(1, 3, b'd\x01d\x02d\x03d\x04d\x05d\x01d\x06d\x07d\x08d\td\x03d\nd\x0bd\x0cd\rd\x08d\x0cd\x0ed\x0cd\x0fd\x0ed\x10d\x11d\td\x12d\x03d\x10d\x03d\x0ed\x13d\x0bd\nd\x14d\x08d\x13d\x01d\x01d\nd\td\x01d\x12d\x0bd\x10d\x0fd\x14d\x03d\x0bd\x15d\x16g1}\x01t\x00|\x00\x83\x01t\x00|\x01\x83\x01k\x03r\x82t\x01d\x17\x83\x01\x01\x00d\x18S\x00t\x02|\x00|\x01\x83\x02D\x00]$}\x02t\x03|\x02d\x19\x19\x00t\x04|\x02d\x1a\x19\x00\x83\x01\x83\x02d\x18k\x02r\x8c\x01\x00d\x18S\x00q\x8cd\x1bS\x00',
(None, 99, 121, 98, 114, 105, 115, 123, 52, 97, 100, 51, 101, 55, 57, 53, 54, 48, 49, 50, 56, 102, 125, 'Length mismatch!', False, 1, 0, True),
('len', 'print', 'zip', 'f1', 'f2'))
f5 = define_func(0, 1,b't\x00\x83\x00}\x00t\x01|\x00\x83\x01d\x01k\x08r\x1ct\x02d\x02\x83\x01\x01\x00n\x08t\x02d\x03\x83\x01\x01\x00d\x00S\x00',(None, False, 'Nope!', 'Yep!'), ('f3', 'f4', 'print'))
f5()
emm,我这里python3.7没有成功运行,然后看到注释中说这是python3.8的代码。
python3.8我很早之前也有下载,不过没用过,vscode里面没配置好,无奈掏出祖传的IDLE。运行下,程序让我输入flag。看来这就是本题考察的最后一门编程语言了。
导入dis模块,该模块可以反编译python字节码。
在define_func
函数的return inner
之前添加一行代码,print(dis.dis(cd_new))
(return之前先把反编译的字节码打印出来),完整代码如下:
import types
import dis
def define_func(argcount, nlocals, code, consts, names):
#PYTHON3.8!!!
def inner():
return 0
fn_code = inner.__code__
cd_new = types.CodeType(argcount,
0,
fn_code.co_kwonlyargcount,
nlocals,
1024,
fn_code.co_flags,
code,
consts,
names,
tuple(["v%d" for i in range(nlocals)]),
fn_code.co_filename,
fn_code.co_name,
fn_code.co_firstlineno,
fn_code.co_lnotab,
fn_code.co_freevars,
fn_code.co_cellvars)
inner.__code__ = cd_new
print(dis.dis(cd_new))
return inner
f1 = define_func(2,2,b'|\x00|\x01k\x02S\x00', (None,), ())
f2 = define_func(1,1,b't\x00|\x00\x83\x01S\x00', (None,), ('ord',))
f3 = define_func(0,0,b't\x00d\x01\x83\x01S\x00', (None, 'Give me flag: '), ('input',))
f4 = define_func(1, 3, b'd\x01d\x02d\x03d\x04d\x05d\x01d\x06d\x07d\x08d\td\x03d\nd\x0bd\x0cd\rd\x08d\x0cd\x0ed\x0cd\x0fd\x0ed\x10d\x11d\td\x12d\x03d\x10d\x03d\x0ed\x13d\x0bd\nd\x14d\x08d\x13d\x01d\x01d\nd\td\x01d\x12d\x0bd\x10d\x0fd\x14d\x03d\x0bd\x15d\x16g1}\x01t\x00|\x00\x83\x01t\x00|\x01\x83\x01k\x03r\x82t\x01d\x17\x83\x01\x01\x00d\x18S\x00t\x02|\x00|\x01\x83\x02D\x00]$}\x02t\x03|\x02d\x19\x19\x00t\x04|\x02d\x1a\x19\x00\x83\x01\x83\x02d\x18k\x02r\x8c\x01\x00d\x18S\x00q\x8cd\x1bS\x00',
(None, 99, 121, 98, 114, 105, 115, 123, 52, 97, 100, 51, 101, 55, 57, 53, 54, 48, 49, 50, 56, 102, 125, 'Length mismatch!', False, 1, 0, True),
('len', 'print', 'zip', 'f1', 'f2'))
f5 = define_func(0, 1,b't\x00\x83\x00}\x00t\x01|\x00\x83\x01d\x01k\x08r\x1ct\x02d\x02\x83\x01\x01\x00n\x08t\x02d\x03\x83\x01\x01\x00d\x00S\x00',(None, False, 'Nope!', 'Yep!'), ('f3', 'f4', 'print'))
f5()
输出为:
7 0 LOAD_FAST 0 (v%d)
2 LOAD_FAST 1 (v%d)
4 COMPARE_OP 2 (==)
6 RETURN_VALUE
None
7 0 LOAD_GLOBAL 0 (ord)
2 LOAD_FAST 0 (v%d)
4 CALL_FUNCTION 1
6 RETURN_VALUE
None
7 0 LOAD_GLOBAL 0 (input)
2 LOAD_CONST 1 ('Give me flag: ')
4 CALL_FUNCTION 1
6 RETURN_VALUE
None
7 0 LOAD_CONST 1 (99)
2 LOAD_CONST 2 (121)
4 LOAD_CONST 3 (98)
6 LOAD_CONST 4 (114)
8 LOAD_CONST 5 (105)
10 LOAD_CONST 1 (99)
12 LOAD_CONST 6 (115)
14 LOAD_CONST 7 (123)
16 LOAD_CONST 8 (52)
18 LOAD_CONST 9 (97)
20 LOAD_CONST 3 (98)
22 LOAD_CONST 10 (100)
24 LOAD_CONST 11 (51)
26 LOAD_CONST 12 (101)
28 LOAD_CONST 13 (55)
30 LOAD_CONST 8 (52)
32 LOAD_CONST 12 (101)
34 LOAD_CONST 14 (57)
36 LOAD_CONST 12 (101)
38 LOAD_CONST 15 (53)
40 LOAD_CONST 14 (57)
42 LOAD_CONST 16 (54)
44 LOAD_CONST 17 (48)
46 LOAD_CONST 9 (97)
48 LOAD_CONST 18 (49)
50 LOAD_CONST 3 (98)
52 LOAD_CONST 16 (54)
54 LOAD_CONST 3 (98)
56 LOAD_CONST 14 (57)
58 LOAD_CONST 19 (50)
60 LOAD_CONST 11 (51)
62 LOAD_CONST 10 (100)
64 LOAD_CONST 20 (56)
66 LOAD_CONST 8 (52)
68 LOAD_CONST 19 (50)
70 LOAD_CONST 1 (99)
72 LOAD_CONST 1 (99)
74 LOAD_CONST 10 (100)
76 LOAD_CONST 9 (97)
78 LOAD_CONST 1 (99)
80 LOAD_CONST 18 (49)
82 LOAD_CONST 11 (51)
84 LOAD_CONST 16 (54)
86 LOAD_CONST 15 (53)
88 LOAD_CONST 20 (56)
90 LOAD_CONST 3 (98)
92 LOAD_CONST 11 (51)
94 LOAD_CONST 21 (102)
96 LOAD_CONST 22 (125)
98 BUILD_LIST 49
100 STORE_FAST 1 (v%d)
102 LOAD_GLOBAL 0 (len)
104 LOAD_FAST 0 (v%d)
106 CALL_FUNCTION 1
108 LOAD_GLOBAL 0 (len)
110 LOAD_FAST 1 (v%d)
112 CALL_FUNCTION 1
114 COMPARE_OP 3 (!=)
116 POP_JUMP_IF_FALSE 130
118 LOAD_GLOBAL 1 (print)
120 LOAD_CONST 23 ('Length mismatch!')
122 CALL_FUNCTION 1
124 POP_TOP
126 LOAD_CONST 24 (False)
128 RETURN_VALUE
>> 130 LOAD_GLOBAL 2 (zip)
132 LOAD_FAST 0 (v%d)
134 LOAD_FAST 1 (v%d)
136 CALL_FUNCTION 2
138 GET_ITER
>> 140 FOR_ITER 36 (to 178)
142 STORE_FAST 2 (v%d)
144 LOAD_GLOBAL 3 (f1)
146 LOAD_FAST 2 (v%d)
148 LOAD_CONST 25 (1)
150 BINARY_SUBSCR
152 LOAD_GLOBAL 4 (f2)
154 LOAD_FAST 2 (v%d)
156 LOAD_CONST 26 (0)
158 BINARY_SUBSCR
160 CALL_FUNCTION 1
162 CALL_FUNCTION 2
164 LOAD_CONST 24 (False)
166 COMPARE_OP 2 (==)
168 POP_JUMP_IF_FALSE 140
170 POP_TOP
172 LOAD_CONST 24 (False)
174 RETURN_VALUE
176 JUMP_ABSOLUTE 140
>> 178 LOAD_CONST 27 (True)
180 RETURN_VALUE
None
7 0 LOAD_GLOBAL 0 (f3)
2 CALL_FUNCTION 0
4 STORE_FAST 0 (v%d)
6 LOAD_GLOBAL 1 (f4)
8 LOAD_FAST 0 (v%d)
10 CALL_FUNCTION 1
12 LOAD_CONST 1 (False)
14 COMPARE_OP 8 (is)
16 POP_JUMP_IF_FALSE 28
18 LOAD_GLOBAL 2 (print)
20 LOAD_CONST 2 ('Nope!')
22 CALL_FUNCTION 1
24 POP_TOP
26 JUMP_FORWARD 8 (to 36)
>> 28 LOAD_GLOBAL 2 (print)
30 LOAD_CONST 3 ('Yep!')
32 CALL_FUNCTION 1
34 POP_TOP
>> 36 LOAD_CONST 0 (None)
38 RETURN_VALUE
None
Give me flag:
一段一段分析:
f1
7 0 LOAD_FAST 0 (v%d)
2 LOAD_FAST 1 (v%d)
4 COMPARE_OP 2 (==)
6 RETURN_VALUE
很简单,判断是否相等
f2
7 0 LOAD_GLOBAL 0 (ord)
2 LOAD_FAST 0 (v%d)
4 CALL_FUNCTION 1
6 RETURN_VALUE
ord函数
f3
7 0 LOAD_GLOBAL 0 (input)
2 LOAD_CONST 1 ('Give me flag: ')
4 CALL_FUNCTION 1
6 RETURN_VALUE
input_str = input('Give me flag: ')
f4
7 0 LOAD_CONST 1 (99)
2 LOAD_CONST 2 (121)
4 LOAD_CONST 3 (98)
6 LOAD_CONST 4 (114)
8 LOAD_CONST 5 (105)
10 LOAD_CONST 1 (99)
12 LOAD_CONST 6 (115)
14 LOAD_CONST 7 (123)
16 LOAD_CONST 8 (52)
18 LOAD_CONST 9 (97)
20 LOAD_CONST 3 (98)
22 LOAD_CONST 10 (100)
24 LOAD_CONST 11 (51)
26 LOAD_CONST 12 (101)
28 LOAD_CONST 13 (55)
30 LOAD_CONST 8 (52)
32 LOAD_CONST 12 (101)
34 LOAD_CONST 14 (57)
36 LOAD_CONST 12 (101)
38 LOAD_CONST 15 (53)
40 LOAD_CONST 14 (57)
42 LOAD_CONST 16 (54)
44 LOAD_CONST 17 (48)
46 LOAD_CONST 9 (97)
48 LOAD_CONST 18 (49)
50 LOAD_CONST 3 (98)
52 LOAD_CONST 16 (54)
54 LOAD_CONST 3 (98)
56 LOAD_CONST 14 (57)
58 LOAD_CONST 19 (50)
60 LOAD_CONST 11 (51)
62 LOAD_CONST 10 (100)
64 LOAD_CONST 20 (56)
66 LOAD_CONST 8 (52)
68 LOAD_CONST 19 (50)
70 LOAD_CONST 1 (99)
72 LOAD_CONST 1 (99)
74 LOAD_CONST 10 (100)
76 LOAD_CONST 9 (97)
78 LOAD_CONST 1 (99)
80 LOAD_CONST 18 (49)
82 LOAD_CONST 11 (51)
84 LOAD_CONST 16 (54)
86 LOAD_CONST 15 (53)
88 LOAD_CONST 20 (56)
90 LOAD_CONST 3 (98)
92 LOAD_CONST 11 (51)
94 LOAD_CONST 21 (102)
96 LOAD_CONST 22 (125)
98 BUILD_LIST 49
crypt = [99,121,98,114,105,99,115,123,52,97,98,100,51,101,55,52,101,57,101,53,57,54,48,97,49,98,54,98,57,50,51,100,56,52,50,99,99,100,97,99,49,51,54,53,56,98,51,102,125]
100 STORE_FAST 1 (v%d)
102 LOAD_GLOBAL 0 (len)
104 LOAD_FAST 0 (v%d)
106 CALL_FUNCTION 1
108 LOAD_GLOBAL 0 (len)
110 LOAD_FAST 1 (v%d)
112 CALL_FUNCTION 1
114 COMPARE_OP 3 (!=)
116 POP_JUMP_IF_FALSE 130
118 LOAD_GLOBAL 1 (print)
120 LOAD_CONST 23 ('Length mismatch!')
122 CALL_FUNCTION 1
124 POP_TOP
126 LOAD_CONST 24 (False)
128 RETURN_VALUE
if len(crypt) != len(input_str):
print('Length mismatch!')
>> 130 LOAD_GLOBAL 2 (zip)
132 LOAD_FAST 0 (v%d)
134 LOAD_FAST 1 (v%d)
136 CALL_FUNCTION 2
138 GET_ITER
zip(crypt,input_str)
zip函数的作用是啥看下图自己体会:
>> 140 FOR_ITER 36 (to 178)
142 STORE_FAST 2 (v%d)
144 LOAD_GLOBAL 3 (f1)
146 LOAD_FAST 2 (v%d)
148 LOAD_CONST 25 (1)
150 BINARY_SUBSCR
152 LOAD_GLOBAL 4 (f2)
154 LOAD_FAST 2 (v%d)
156 LOAD_CONST 26 (0)
158 BINARY_SUBSCR
160 CALL_FUNCTION 1
162 CALL_FUNCTION 2
164 LOAD_CONST 24 (False)
166 COMPARE_OP 2 (==)
168 POP_JUMP_IF_FALSE 140
170 POP_TOP
172 LOAD_CONST 24 (False)
174 RETURN_VALUE
176 JUMP_ABSOLUTE 140
>> 178 LOAD_CONST 27 (True)
180 RETURN_VALUE
if f1(crypt[i], f2(input_str[i]))
f4合起来的逻辑就是:
crypt = [99,121,98,114,105,99,115,123,52,97,98,100,51,101,55,52,101,57,101,53,57,54,48,97,49,98,54,98,57,50,51,100,56,52,50,99,99,100,97,99,49,51,54,53,56,98,51,102,125]
temp = zip(crypt, input_str)
for t in temp:
if t[0] != ord(t[1]):
return Flase
return True
f5
7 0 LOAD_GLOBAL 0 (f3)
2 CALL_FUNCTION 0
4 STORE_FAST 0 (v%d)
6 LOAD_GLOBAL 1 (f4)
8 LOAD_FAST 0 (v%d)
10 CALL_FUNCTION 1
12 LOAD_CONST 1 (False)
14 COMPARE_OP 8 (is)
16 POP_JUMP_IF_FALSE 28
18 LOAD_GLOBAL 2 (print)
20 LOAD_CONST 2 ('Nope!')
22 CALL_FUNCTION 1
24 POP_TOP
26 JUMP_FORWARD 8 (to 36)
>> 28 LOAD_GLOBAL 2 (print)
30 LOAD_CONST 3 ('Yep!')
32 CALL_FUNCTION 1
34 POP_TOP
>> 36 LOAD_CONST 0 (None)
38 RETURN_VALUE
f3() #input
if f4():
print('Yep!')
else:
print('Nope!')
完整加密代码
def f4():
crypt = [99,121,98,114,105,99,115,123,52,97,98,100,51,101,55,52,101,57,101,53,57,54,48,97,49,98,54,98,57,50,51,100,56,52,50,99,99,100,97,99,49,51,54,53,56,98,51,102,125]
temp = zip(crypt, input_str)
for t in temp:
if t[0] != ord(t[1]):
return False
return True
input_str = input('Give me flag: ')
if f4():
print('Yep!')
else:
print('Nope!')
解密
asm = ''' 7 0 LOAD_CONST 1 (99)
2 LOAD_CONST 2 (121)
4 LOAD_CONST 3 (98)
6 LOAD_CONST 4 (114)
8 LOAD_CONST 5 (105)
10 LOAD_CONST 1 (99)
12 LOAD_CONST 6 (115)
14 LOAD_CONST 7 (123)
16 LOAD_CONST 8 (52)
18 LOAD_CONST 9 (97)
20 LOAD_CONST 3 (98)
22 LOAD_CONST 10 (100)
24 LOAD_CONST 11 (51)
26 LOAD_CONST 12 (101)
28 LOAD_CONST 13 (55)
30 LOAD_CONST 8 (52)
32 LOAD_CONST 12 (101)
34 LOAD_CONST 14 (57)
36 LOAD_CONST 12 (101)
38 LOAD_CONST 15 (53)
40 LOAD_CONST 14 (57)
42 LOAD_CONST 16 (54)
44 LOAD_CONST 17 (48)
46 LOAD_CONST 9 (97)
48 LOAD_CONST 18 (49)
50 LOAD_CONST 3 (98)
52 LOAD_CONST 16 (54)
54 LOAD_CONST 3 (98)
56 LOAD_CONST 14 (57)
58 LOAD_CONST 19 (50)
60 LOAD_CONST 11 (51)
62 LOAD_CONST 10 (100)
64 LOAD_CONST 20 (56)
66 LOAD_CONST 8 (52)
68 LOAD_CONST 19 (50)
70 LOAD_CONST 1 (99)
72 LOAD_CONST 1 (99)
74 LOAD_CONST 10 (100)
76 LOAD_CONST 9 (97)
78 LOAD_CONST 1 (99)
80 LOAD_CONST 18 (49)
82 LOAD_CONST 11 (51)
84 LOAD_CONST 16 (54)
86 LOAD_CONST 15 (53)
88 LOAD_CONST 20 (56)
90 LOAD_CONST 3 (98)
92 LOAD_CONST 11 (51)
94 LOAD_CONST 21 (102)
96 LOAD_CONST 22 (125)'''
import re
lines = asm.split('\n')
for line in lines:
num = re.search(r'\((\d+?)\)', line).group(1)
print(chr(int(num)), end='')
没啥好解密的,因为没有任何加密的流程,直接就是明文比较。
cybrics{4abd3e74e9e5960a1b6b923d842ccdac13658b3f}
注意
可能会有人还没反编译,直接从一开始的python代码中发现:
并将其直接chr,得到cybris{4ad3e79560128f}
为啥不对呢?因为反编译中的数据是从这串数据中查表,并反编译到代码中的。当然不是flag啦。
hide_and_seek
还在研究(ㄒoㄒ)