I heard this is a competition for the BRICS countries. Whatever, let's just solve it.

babyrev

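Overview

The challenge provides an XML file, and the description includes a URL: http://snap.berkeley.edu/offline

My English is not great, so at first I did not understand what the page meant. Later I realized that most of it explains how to use the offline version. There is no need to go to that trouble: just open the URL on the second line and use the online service.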

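Online approach

Open https://snap.berkeley.edu/snap/snap.html

Import the XML file provided by the challenge.

Given the challenge name, babyrev, this is clearly the block-based programming that children play with.

Hmm, only after writing this part of the post did I discover that the page language can be changed.

The keywords in the code can also be switched to Chinese. The challenge was not hard to begin with, and this makes it even easier.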

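Walkthrough

There are 7 sprites on the far right of the screen.

Clicking each one shows its block code in the middle area of the screen. The last 6 sprites all have the same kind of block code: when the corresponding signal is received, show the corresponding image.

The first sprite has five blocks in total.

Three of them handle program initialization and termination. They do not affect the analysis of the encryption logic and can be skipped.

The top-left one starts the program when the space key is pressed (it broadcasts the start_banner signal).

The bottom-left one runs when something is clicked: it sets key=[] and sets the program's run state to 0.

The one on the right broadcasts the signal to show a particular image when i equals a particular value.

The key logic is in the remaining two blocks:

The left one holds the encrypted data.

The right one is the key code. The encryption is simple: XOR with 33.

Python simulation of the block code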

def encrypt():
    secret = [92,0,74,66,116,77,126,69,17,102,126,69,79,97,126,18,76,17,98,16,77,18,86,90,82,66,72,83,67,88,66]
    secret = secret[::-1]               # probably the only thing to watch out for

    key = input('say me the key:')
    key = [ord(i) for i in key]

    test = []
    for i in range(len(key)):
        test.append(key[i] ^ 33)

    if len(test) == len(secret):
        is_ok = 1
        for i in range(len(test)):
            if (test[i] < secret[i]) or (test[i] > secret[i]):
                is_ok = 0
        if is_ok == 1:
            print('Well done!')
        else:
            print('No!!!!')
    else:
        print('No!!!!')

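Why secret = secret[::-1]?

Because the left-hand block (the one holding the encrypted data) inserts each item at the head of the secret list rather than appending it to the tail.

Python decryption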

def decrypt():
    a = [92,0,74,66,116,77,126,69,17,102,126,69,79,97,126,18,76,17,98,16,77,18,86,90,82,66,72,83,67,88,66]
    a = a[::-1]                         # probably the only thing to watch out for
    for i in a:
        print(chr(i ^ 33),end='')

decrypt()

cybrics{w3l1C0m3_@nd_G0d_lUck!}

polyglot

The challenge description roughly asks: have you mastered multiple languages?

C

The challenge gives a piece of C code:

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
char flagged[] = {};

int main(){

    char *key = getenv("XKEY");
    if((!key) ||strncmp("mod3r0d!",key,8 )){
        puts(";[");
        return 1;
    }
    unsigned long long val = *(unsigned long long *)key;
    unsigned long long *ptr = (unsigned long long *)flagged;
    while (*ptr != 0) {
        *ptr = *ptr ^ val;
        ptr += 1;
    }
    puts(flagged);
}

The main function contains this fragment:

    char *key = getenv("XKEY");
    if((!key) ||strncmp("mod3r0d!",key,8 )){
        puts(";[");
        return 1;
    }

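It looks up XKEY in the environment and checks whether its value is mod3r0d!. If the variable is missing or its value is not mod3r0d!, the program exits. Bypassing this is easy: remove this code and set key = mod3r0d!

The modified main function: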

int main(){

    /*char *key = getenv("XKEY");
    if((!key) ||strncmp("mod3r0d!",key,8 )){        //key = mod3r0d!
        puts(";[");
        return 1;
    }*/
    char *key = "mod3r0d!";
    unsigned long long val = *(unsigned long long *)key;
    unsigned long long *ptr = (unsigned long long *)flagged;
    while (*ptr != 0) {
        *ptr = *ptr ^ val;
        ptr += 1;
    }
    puts(flagged);
}

C++

Running it prints a piece of C++ code:

#include <iostream>
template <unsigned int a, unsigned int b>
struct t1 {
        enum { value = b + t1<a-1, b>::value };
};
template <unsigned int b>
struct t1<0, b> {
        enum { value = 0 };
};
template <unsigned int a, unsigned int b>
struct t2 {
        enum { value = 1 + t2<a-1, b>::value };
};
template <unsigned int b>
struct t2<0, b> {
        enum { value = 1 + t2<0, b-1>::value };
};
template<>
struct t2<0, 0>{
    enum { value = 0};
};
void decode(unsigned char *data, unsigned int val){
    unsigned int *ptr = reinterpret_cast<unsigned int *>(data);
    while (*ptr != 0) {
        *ptr = *ptr ^ val;
        val = (val ^ (val << 1)) ^ 0xc2154216;
        ptr += 1;
    }
}
unsigned char flagged[] = {5,78,186,165,208,83,107,233,137,90,173,22,11,55,64,102,120,96,164,86,86,40,53,48,46,240,191,79,163,147,87,144,13,54,47,105,205,251,163,168,220,241,45,203,105,83,176,71,111,62,70,221,93,16,218,44,96,189,187,173,165,84,27,170,76,77,204,37,199,84,203,33,253,32,19,206,38,29,99,160,69,81,157,157,124,126,68,141,97,180,138,16,220,221,201,196,76,32,74,137,130,231,10,157,149,163,144,254,60,61,214,154,60,50,81,45,18,84,166,167,37,170,234,206,184,0,133,10,102,46,192,234,130,7,107,251,158,117,171,10,98,88,109,81,60,108,172,24,87,63,125,6,31,246,143,77,179,162,107,181,102,100,104,42,130,237,169,131,158,180,52,135,59,16,165,82,108,119,21,144,113,27,219,101,20,167,164,166,254,65,26,225,15,76,216,38,214,11,239,17,208,10,19,206,38,29,96,208,60,37,245,242,18,109,74,149,96,181,139,61,246,221,201,196,76,100,15,207,130,190,72,254,250,241,152,247,38,16,252,154,60,50,81,45,18,84,166,245,96,254,191,156,246,0,149,39,76,3,234,234,130,7,45,243,175,73,167,1,99,19,46,3,67,110,181,25,92,33,42,56,50,242,131,70,163,147,64,148,97,78,104,42,130,174,237,252,208,241,99,135,38,16,241,11,60,50,70,158,18,84,159,32,96,254,244,227,246,0,72,232,0,76,206,41,206,84,206,22,250,10,19,206,38,29,96,208,60,37,245,242,18,109,74,149,96,181,139,61,246,221,201,196,76,100,15,207,130,174,85,195,194,229,148,218,12,16,252,154,60,50,81,45,18,84,166,245,96,254,191,156,246,0,149,39,76,3,234,234,130,7,107,189,208,10,174,11,89,94,34,8,121,43,161,25,109,43,63,56,39,230,204,36,220,221,20,152,76,100,104,42,130,174,237,252,208,241,99,135,38,16,241,11,60,50,70,158,18,84,159,32,96,254,183,172,178,69,68,139,102,3,141,104,130,7,194,59,208,10,19,206,38,29,96,208,60,37,245,242,18,109,74,149,96,181,139,61,246,221,138,139,2,55,91,156,142,131,110,211,208,241,152,247,38,16,252,154,60,50,81,45,18,84,166,245,96,254,191,156,246,0,149,39,76,3,234,234,204,70,38,248,131,6,197,111,38,29,109,76,60,37,226,86,18,109,115,121,96,181,192,9,246,221,20,152,76,100,104,42,130,174,237,252,208,165,54,215,106,85,249,112,62,100,67,218
,16,84,217,111,50,254,189,227,191,78,72,244,13,77,202,45,138,73,142,116,147,75,95,157,47,96,105,220,17,15,245,242,18,109,74,149,96,181,139,61,246,221,201,196,76,100,15,207,130,174,68,211,208,241,152,247,38,16,252,220,114,77,18,98,86,17,168,182,47,129,249,213,186,69,219,102,1,70,230,199,168,7,107,189,208,10,232,69,38,29,109,76,60,37,226,86,18,109,115,121,96,181,192,9,246,221,20,152,76,100,46,100,253,237,162,184,149,255,32,200,89,94,176,70,121,62,107,180,18,84,159,32,96,254,244,227,246,0,72,166,76,3,141,104,130,7,194,59,208,10,19,206,38,29,96,208,60,99,187,141,81,34,14,208,110,246,196,66,176,148,155,151,24,40,70,129,199,224,11,223,253,219,152,247,38,16,252,154,60,50,81,45,18,84,166,245,96,254,191,156,246,0,149,39,76,3,234,234,130,7,107,251,158,117,171,10,98,88,99,15,115,90,174,24,93,57,50,59,108,152,234,9,246,221,20,152,76,100,104,42,130,174,237,252,208,241,99,135,38,16,241,11,60,50,70,158,18,84,159,32,38,176,139,160,185,68,13,168,15,76,242,46,208,66,135,109,145,88,64,194,11,55,96,208,60,37,245,242,18,109,74,149,96,181,139,61,246,221,201,196,76,100,15,207,130,174,68,211,208,241,152,177,104,111,191,213,120,119,95,110,93,43,229,176,44,178,233,221,164,83,156,10,102,3,234,234,130,78,37,243,149,88,230,58,89,94,34,8,121,90,157,86,15,109,48,61,31,251,133,94,219,247,20,152,76,100,58,111,214,251,191,178,208,184,45,201,99,66,220,33,17,24,0,143,18,73,159,100,37,184,189,173,179,127,14,243,2,64,133,122,142,21,206,121,215,86,111,150,54,13,60,172,100,53,228,185,110,53,90,135,19,201,211,45,230,218,197,196,68,10,64,129,199,162,77,223,208,249,145,254,11,58,186,136,60,47,81,105,87,18,239,187,37,129,249,201,184,67,157,54,64,18,230,168,133,83,23,229,192,26,180,57,126,13,125,48,100,61,241,42,74,125,98,10,28,237,208,25,241,209,20,144,34,43,38,111,142,167,225,252,216,246,44,213,98,23,253,2,53,31,108,216,1,84,130,32,36,187,178,170,184,69,55,224,25,77,206,96,146,11,210,55,146,13,71,178,126,13,112,148,64,125,229,227,110,53,82,134,28,237,155,44,133,161,145,212,92,99,3,207,138,192,11,157,149,253,
152,247,33,119,181,204,121,50,28,104,18,18,234,180,39,228,191,155,255,12,149,47,75,74,164,186,215,83,108,177,217,3,197,111,96,9,109,81,60,97,167,16,91,35,54,6,38,224,142,74,254,204,24,152,95,104,104,104,133,234,145,164,192,224,39,251,126,0,227,79,64,106,86,141,86,40,199,48,116,186,136,187,230,21,12,218,20,19,156,44,254,95,210,45,148,118,75,222,49,89,28,136,44,61,177,142,70,41,54,205,112,166,207,65,184,153,181,156,92,38,75,179,218,190,7,151,172,163,220,139,126,0,228,222,64,106,65,110,86,40,254,229,37,186,195,196,230,67,209,91,20,19,172,174,254,95,123,248,148,118,176,84,54,89,17,20,45,52,166,42,70,41,15,33,113,167,132,117,174,205,7,220,48,60,121,58,198,210,181,236,195,181,31,223,54,85,181,119,100,35,85,218,110,12,143,98,36,130,186,167,138,88,89,178,8,127,213,120,154,67,190,99,193,25,87,178,126,13,113,148,64,125,229,227,86,17,4,209,28,225,207,65,174,205,216,128,48,60,30,221,198,210,28,195,146,181,228,175,55,0,184,230,100,34,23,105,110,12,183,225,36,130,231,140,229,68,233,127,92,65,174,150,218,22,126,249,172,82,249,83,97,12,48,48,100,53,243,2,110,53,99,105,60,201,152,25,230,161,76,128,95,24,48,58,147,250,145,164,192,225,63,251,126,0,224,119,100,42,85,226,74,68,142,107,28,166,228,240,164,124,16,190,94,87,241,48,146,22,134,71,136,27,4,178,126,5,115,172,100,53,228,142,74,125,91,233,56,165,155,121,138,133,216,220,63,24,87,223,146,250,56,139,192,227,196,139,126,0,236,198,64,106,65,60,110,12,190,230,28,166,175,142,146,124,205,55,92,126,238,183,254,95,123,175,132,118,176,85,53,65,17,20,44,55,166,42,74,124,106,5,56,164,217,117,174,205,4,204,48,60,120,62,222,210,181,236,194,181,31,223,55,81,141,83,45,43,58,198,2,68,227,120,120,237,136,187,230,17,52,254,84,16,241,48,146,21,134,71,136,27,11,133,90,69,112,194,110,89,173,234,81,17,18,133,113,201,211,45,230,153,181,156,93,124,124,179,218,190,84,130,172,169,128,180,98,108,164,139,126,65,45,117,2,68,161,249,77,212,191,156,246,0,149,39,76,3,234,234,130,7,107,189,208,10,232,77,72,82,35,9,48,37,251,79,30,109,98,107,113,185,192,16,238,209,
20,137,93,112,100,42,147,190,248,240,208,224,114,146,42,16,224,25,47,62,70,139,0,88,159,57,119,242,244,242,230,16,68,166,89,18,129,104,147,23,211,55,208,31,6,194,38,8,119,220,60,48,230,254,18,120,94,153,96,161,147,49,246,201,208,200,76,113,31,195,130,187,82,223,208,224,136,229,42,16,237,136,41,62,81,42,126,17,232,178,52,182,191,209,191,83,216,102,24,64,162,235,133,11,107,219,145,70,187,0,42,29,124,64,60,53,238,86,102,63,38,60,105,185,237,35,246,221,20,152,76,100,104,42,130,174,237,252,208,241,99,135,38,24,246,71,121,124,65,146,18,83,207,114,41,176,160,228,250,0,79,252,5,83,138,100,130,0,132,42,215,6,19,201,96,15,103,217,53,8,223,180,7,109,87,149,36,240,205,116,184,152,182,130,25,42,76,199,146,162,68,194,220,179,159,163,90,72,236,138,64,106,73,62,110,12,182,229,61,130,231,140,230,84,233,127,92,18,182,150,218,23,123,193,136,18,251,57,126,13,124,8,64,125,242,71,89,17,43,105,120,231,188,81,231,158,64,228,20,116,122,110,254,246,253,238,172,169,123,148,90,72,225,26,64,106,86,143,110,12,143,48,46,130,172,243,238,84,52,254,92,17,201,20,218,23,209,71,136,18,0,178,126,13,113,172,100,53,228,142,74,125,90,209,28,237,155,45,133,161,145,212,92,99,3,199,236,225,10,150,220,241,254,182,106,67,185,150,60,53,63,98,66,17,167,242,108,254,184,229,179,80,148,32,69,15,234,226,133,65,120,186,220,10,239,3,50,26,97,76,59,117,176,31,92,57,116,112,105,152,234,79,227,213,29,181,102,73,66,42,130,174,237,220,240,209,67,167,0,0,0,0};
int main(){
    decode(flagged, t2<0xcaca0000, t2<444, t1<t2<100, t1<4,3>::value>::value, t2<44, t1<11,3>::value>::value>::value>::value>::value);
    std::cout << flagged <<std::endl;
}

Hmm, this uses template syntax. I don't know templates well, but it is easy to see that it is just recursion.

t1<a,b> reduces to a*b

t2<a,b> reduces to a+b

The modified C++ code:

#include <iostream>

/*template <unsigned int a, unsigned int b>
struct t1 {
        enum { value = b + t1<a-1, b>::value };
};

template <unsigned int b>
struct t1<0, b> {
        enum { value = 0 };
};

template <unsigned int a, unsigned int b>
struct t2 {
        enum { value = 1 + t2<a-1, b>::value };
};

template <unsigned int b>
struct t2<0, b> {
        enum { value = 1 + t2<0, b-1>::value };
};

template<>
struct t2<0, 0>{
    enum { value = 0};
};*/

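// unsigned int matches the template parameters; 0xcaca0000 does not fit in a signed int
unsigned int f1(unsigned int a, unsigned int b){
    return a*b;
}

unsigned int f2(unsigned int a, unsigned int b){
    return a+b;
}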

void decode(unsigned char *data, unsigned int val){
    unsigned int *ptr = reinterpret_cast<unsigned int *>(data);
    while (*ptr != 0) {
        *ptr = *ptr ^ val;
        val = (val ^ (val << 1)) ^ 0xc2154216;
        ptr += 1;
    }
}

unsigned char flagged[] = {5,78,186,165,208,83,107,233,137,90,173,22,11,55,64,102,120,96,164,86,86,40,53,48,46,240,191,79,163,147,87,144,13,54,47,105,205,251,163,168,220,241,45,203,105,83,176,71,111,62,70,221,93,16,218,44,96,189,187,173,165,84,27,170,76,77,204,37,199,84,203,33,253,32,19,206,38,29,99,160,69,81,157,157,124,126,68,141,97,180,138,16,220,221,201,196,76,32,74,137,130,231,10,157,149,163,144,254,60,61,214,154,60,50,81,45,18,84,166,167,37,170,234,206,184,0,133,10,102,46,192,234,130,7,107,251,158,117,171,10,98,88,109,81,60,108,172,24,87,63,125,6,31,246,143,77,179,162,107,181,102,100,104,42,130,237,169,131,158,180,52,135,59,16,165,82,108,119,21,144,113,27,219,101,20,167,164,166,254,65,26,225,15,76,216,38,214,11,239,17,208,10,19,206,38,29,96,208,60,37,245,242,18,109,74,149,96,181,139,61,246,221,201,196,76,100,15,207,130,190,72,254,250,241,152,247,38,16,252,154,60,50,81,45,18,84,166,245,96,254,191,156,246,0,149,39,76,3,234,234,130,7,45,243,175,73,167,1,99,19,46,3,67,110,181,25,92,33,42,56,50,242,131,70,163,147,64,148,97,78,104,42,130,174,237,252,208,241,99,135,38,16,241,11,60,50,70,158,18,84,159,32,96,254,244,227,246,0,72,232,0,76,206,41,206,84,206,22,250,10,19,206,38,29,96,208,60,37,245,242,18,109,74,149,96,181,139,61,246,221,201,196,76,100,15,207,130,174,85,195,194,229,148,218,12,16,252,154,60,50,81,45,18,84,166,245,96,254,191,156,246,0,149,39,76,3,234,234,130,7,107,189,208,10,174,11,89,94,34,8,121,43,161,25,109,43,63,56,39,230,204,36,220,221,20,152,76,100,104,42,130,174,237,252,208,241,99,135,38,16,241,11,60,50,70,158,18,84,159,32,96,254,183,172,178,69,68,139,102,3,141,104,130,7,194,59,208,10,19,206,38,29,96,208,60,37,245,242,18,109,74,149,96,181,139,61,246,221,138,139,2,55,91,156,142,131,110,211,208,241,152,247,38,16,252,154,60,50,81,45,18,84,166,245,96,254,191,156,246,0,149,39,76,3,234,234,204,70,38,248,131,6,197,111,38,29,109,76,60,37,226,86,18,109,115,121,96,181,192,9,246,221,20,152,76,100,104,42,130,174,237,252,208,165,54,215,106,85,249,112,62,100,67,218
,16,84,217,111,50,254,189,227,191,78,72,244,13,77,202,45,138,73,142,116,147,75,95,157,47,96,105,220,17,15,245,242,18,109,74,149,96,181,139,61,246,221,201,196,76,100,15,207,130,174,68,211,208,241,152,247,38,16,252,220,114,77,18,98,86,17,168,182,47,129,249,213,186,69,219,102,1,70,230,199,168,7,107,189,208,10,232,69,38,29,109,76,60,37,226,86,18,109,115,121,96,181,192,9,246,221,20,152,76,100,46,100,253,237,162,184,149,255,32,200,89,94,176,70,121,62,107,180,18,84,159,32,96,254,244,227,246,0,72,166,76,3,141,104,130,7,194,59,208,10,19,206,38,29,96,208,60,99,187,141,81,34,14,208,110,246,196,66,176,148,155,151,24,40,70,129,199,224,11,223,253,219,152,247,38,16,252,154,60,50,81,45,18,84,166,245,96,254,191,156,246,0,149,39,76,3,234,234,130,7,107,251,158,117,171,10,98,88,99,15,115,90,174,24,93,57,50,59,108,152,234,9,246,221,20,152,76,100,104,42,130,174,237,252,208,241,99,135,38,16,241,11,60,50,70,158,18,84,159,32,38,176,139,160,185,68,13,168,15,76,242,46,208,66,135,109,145,88,64,194,11,55,96,208,60,37,245,242,18,109,74,149,96,181,139,61,246,221,201,196,76,100,15,207,130,174,68,211,208,241,152,177,104,111,191,213,120,119,95,110,93,43,229,176,44,178,233,221,164,83,156,10,102,3,234,234,130,78,37,243,149,88,230,58,89,94,34,8,121,90,157,86,15,109,48,61,31,251,133,94,219,247,20,152,76,100,58,111,214,251,191,178,208,184,45,201,99,66,220,33,17,24,0,143,18,73,159,100,37,184,189,173,179,127,14,243,2,64,133,122,142,21,206,121,215,86,111,150,54,13,60,172,100,53,228,185,110,53,90,135,19,201,211,45,230,218,197,196,68,10,64,129,199,162,77,223,208,249,145,254,11,58,186,136,60,47,81,105,87,18,239,187,37,129,249,201,184,67,157,54,64,18,230,168,133,83,23,229,192,26,180,57,126,13,125,48,100,61,241,42,74,125,98,10,28,237,208,25,241,209,20,144,34,43,38,111,142,167,225,252,216,246,44,213,98,23,253,2,53,31,108,216,1,84,130,32,36,187,178,170,184,69,55,224,25,77,206,96,146,11,210,55,146,13,71,178,126,13,112,148,64,125,229,227,110,53,82,134,28,237,155,44,133,161,145,212,92,99,3,207,138,192,11,157,149,253,
152,247,33,119,181,204,121,50,28,104,18,18,234,180,39,228,191,155,255,12,149,47,75,74,164,186,215,83,108,177,217,3,197,111,96,9,109,81,60,97,167,16,91,35,54,6,38,224,142,74,254,204,24,152,95,104,104,104,133,234,145,164,192,224,39,251,126,0,227,79,64,106,86,141,86,40,199,48,116,186,136,187,230,21,12,218,20,19,156,44,254,95,210,45,148,118,75,222,49,89,28,136,44,61,177,142,70,41,54,205,112,166,207,65,184,153,181,156,92,38,75,179,218,190,7,151,172,163,220,139,126,0,228,222,64,106,65,110,86,40,254,229,37,186,195,196,230,67,209,91,20,19,172,174,254,95,123,248,148,118,176,84,54,89,17,20,45,52,166,42,70,41,15,33,113,167,132,117,174,205,7,220,48,60,121,58,198,210,181,236,195,181,31,223,54,85,181,119,100,35,85,218,110,12,143,98,36,130,186,167,138,88,89,178,8,127,213,120,154,67,190,99,193,25,87,178,126,13,113,148,64,125,229,227,86,17,4,209,28,225,207,65,174,205,216,128,48,60,30,221,198,210,28,195,146,181,228,175,55,0,184,230,100,34,23,105,110,12,183,225,36,130,231,140,229,68,233,127,92,65,174,150,218,22,126,249,172,82,249,83,97,12,48,48,100,53,243,2,110,53,99,105,60,201,152,25,230,161,76,128,95,24,48,58,147,250,145,164,192,225,63,251,126,0,224,119,100,42,85,226,74,68,142,107,28,166,228,240,164,124,16,190,94,87,241,48,146,22,134,71,136,27,4,178,126,5,115,172,100,53,228,142,74,125,91,233,56,165,155,121,138,133,216,220,63,24,87,223,146,250,56,139,192,227,196,139,126,0,236,198,64,106,65,60,110,12,190,230,28,166,175,142,146,124,205,55,92,126,238,183,254,95,123,175,132,118,176,85,53,65,17,20,44,55,166,42,74,124,106,5,56,164,217,117,174,205,4,204,48,60,120,62,222,210,181,236,194,181,31,223,55,81,141,83,45,43,58,198,2,68,227,120,120,237,136,187,230,17,52,254,84,16,241,48,146,21,134,71,136,27,11,133,90,69,112,194,110,89,173,234,81,17,18,133,113,201,211,45,230,153,181,156,93,124,124,179,218,190,84,130,172,169,128,180,98,108,164,139,126,65,45,117,2,68,161,249,77,212,191,156,246,0,149,39,76,3,234,234,130,7,107,189,208,10,232,77,72,82,35,9,48,37,251,79,30,109,98,107,113,185,192,16,238,209,
20,137,93,112,100,42,147,190,248,240,208,224,114,146,42,16,224,25,47,62,70,139,0,88,159,57,119,242,244,242,230,16,68,166,89,18,129,104,147,23,211,55,208,31,6,194,38,8,119,220,60,48,230,254,18,120,94,153,96,161,147,49,246,201,208,200,76,113,31,195,130,187,82,223,208,224,136,229,42,16,237,136,41,62,81,42,126,17,232,178,52,182,191,209,191,83,216,102,24,64,162,235,133,11,107,219,145,70,187,0,42,29,124,64,60,53,238,86,102,63,38,60,105,185,237,35,246,221,20,152,76,100,104,42,130,174,237,252,208,241,99,135,38,24,246,71,121,124,65,146,18,83,207,114,41,176,160,228,250,0,79,252,5,83,138,100,130,0,132,42,215,6,19,201,96,15,103,217,53,8,223,180,7,109,87,149,36,240,205,116,184,152,182,130,25,42,76,199,146,162,68,194,220,179,159,163,90,72,236,138,64,106,73,62,110,12,182,229,61,130,231,140,230,84,233,127,92,18,182,150,218,23,123,193,136,18,251,57,126,13,124,8,64,125,242,71,89,17,43,105,120,231,188,81,231,158,64,228,20,116,122,110,254,246,253,238,172,169,123,148,90,72,225,26,64,106,86,143,110,12,143,48,46,130,172,243,238,84,52,254,92,17,201,20,218,23,209,71,136,18,0,178,126,13,113,172,100,53,228,142,74,125,90,209,28,237,155,45,133,161,145,212,92,99,3,199,236,225,10,150,220,241,254,182,106,67,185,150,60,53,63,98,66,17,167,242,108,254,184,229,179,80,148,32,69,15,234,226,133,65,120,186,220,10,239,3,50,26,97,76,59,117,176,31,92,57,116,112,105,152,234,79,227,213,29,181,102,73,66,42,130,174,237,220,240,209,67,167,0,0,0,0};
int main(){
    //decode(flagged, t2<0xcaca0000, t2<444, t1<t2<100, t1<4,3>::value>::value, t2<44, t1<11,3>::value>::value>::value>::value>::value);
    decode(flagged, f2(0xcaca0000, f2(444, f1(f2(100, f1(4, 3)), f2(44, f1(11, 3))))));
    std::cout << flagged <<std::endl;
}
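
A cross-check of the template reduction and of the decode loop, as an added Python example that is not part of the challenge or of the original solution. It runs the two template recursions literally on small inputs, evaluates the nested expression from main(), and replays decode() on the first 12 bytes of flagged. The helper names are made up here, and the words are read little-endian on the assumption that the C++ program runs on a little-endian host such as x86.

```python
# Added example: check t1 -> a*b and t2 -> a+b, compute the seed, replay decode().
import struct

MASK32 = 0xFFFFFFFF  # unsigned int is 32 bits wide in the C++ program


def t1_rec(a, b):
    """Literal transcription of t1<a,b>: add b once per step of a."""
    return 0 if a == 0 else b + t1_rec(a - 1, b)


def t2_rec(a, b):
    """Literal transcription of t2<a,b>: add 1 per step of a, then per step of b."""
    if a == 0 and b == 0:
        return 0
    if a == 0:
        return 1 + t2_rec(0, b - 1)
    return 1 + t2_rec(a - 1, b)


def reductions_hold(limit=8):
    """Compare the recursions with plain arithmetic on every small input pair."""
    return all(t1_rec(a, b) == a * b and t2_rec(a, b) == a + b
               for a in range(limit) for b in range(limit))


def f1(a, b):
    return (a * b) & MASK32


def f2(a, b):
    return (a + b) & MASK32


def seed():
    """The second argument of decode(), with the templates replaced by f1/f2."""
    return f2(0xcaca0000, f2(444, f1(f2(100, f1(4, 3)), f2(44, f1(11, 3)))))


def decode(data, val):
    """XOR each 32-bit word with val, then advance val as the C++ loop does."""
    out = bytearray()
    for off in range(0, len(data) - len(data) % 4, 4):
        (word,) = struct.unpack_from('<I', data, off)
        if word == 0:          # same stop condition as while (*ptr != 0)
            break
        out += struct.pack('<I', word ^ val)
        # Python integers do not wrap, so the shift must be masked to 32 bits.
        val = ((val ^ (val << 1)) ^ 0xc2154216) & MASK32
    return bytes(out)


# First 12 bytes of flagged[], copied from the C++ source above.
FLAGGED_HEAD = bytes([5, 78, 186, 165, 208, 83, 107, 233, 137, 90, 173, 22])

if __name__ == "__main__":
    print(reductions_hold(), hex(seed()), decode(FLAGGED_HEAD, seed()))
```

The decoded prefix is the first line of the next stage's source, which confirms both the seed and the per-word key update before the whole array is decoded.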

Python

The code above prints a Python program:

import types

def define_func(argcount, nlocals, code, consts, names):
    #PYTHON3.8!!!
    def inner():
        return 0

    fn_code = inner.__code__
    cd_new = types.CodeType(argcount,
                             0,
                             fn_code.co_kwonlyargcount,
                             nlocals,
                             1024,
                             fn_code.co_flags,
                             code,
                             consts,
                             names,
                             tuple(["v%d" for i in range(nlocals)]),
                             fn_code.co_filename,
                             fn_code.co_name,
                             fn_code.co_firstlineno,
                             fn_code.co_lnotab,
                             fn_code.co_freevars,
                             fn_code.co_cellvars)
    inner.__code__ = cd_new
    return inner

f1 = define_func(2,2,b'|\x00|\x01k\x02S\x00', (None,), ())
f2 = define_func(1,1,b't\x00|\x00\x83\x01S\x00', (None,), ('ord',))
f3 = define_func(0,0,b't\x00d\x01\x83\x01S\x00', (None,  'Give me flag: '), ('input',))
f4 = define_func(1, 3, b'd\x01d\x02d\x03d\x04d\x05d\x01d\x06d\x07d\x08d\td\x03d\nd\x0bd\x0cd\rd\x08d\x0cd\x0ed\x0cd\x0fd\x0ed\x10d\x11d\td\x12d\x03d\x10d\x03d\x0ed\x13d\x0bd\nd\x14d\x08d\x13d\x01d\x01d\nd\td\x01d\x12d\x0bd\x10d\x0fd\x14d\x03d\x0bd\x15d\x16g1}\x01t\x00|\x00\x83\x01t\x00|\x01\x83\x01k\x03r\x82t\x01d\x17\x83\x01\x01\x00d\x18S\x00t\x02|\x00|\x01\x83\x02D\x00]$}\x02t\x03|\x02d\x19\x19\x00t\x04|\x02d\x1a\x19\x00\x83\x01\x83\x02d\x18k\x02r\x8c\x01\x00d\x18S\x00q\x8cd\x1bS\x00',
                 (None, 99, 121, 98, 114, 105, 115, 123, 52, 97, 100, 51, 101, 55, 57, 53, 54, 48, 49, 50, 56, 102, 125, 'Length mismatch!', False, 1, 0, True),
                 ('len', 'print', 'zip', 'f1', 'f2'))
f5 = define_func(0, 1,b't\x00\x83\x00}\x00t\x01|\x00\x83\x01d\x01k\x08r\x1ct\x02d\x02\x83\x01\x01\x00n\x08t\x02d\x03\x83\x01\x01\x00d\x00S\x00',(None, False, 'Nope!', 'Yep!'), ('f3', 'f4', 'print'))
f5()

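Hmm, it did not run under my Python 3.7, and then I saw the comment saying this is Python 3.8 code.

I downloaded Python 3.8 a long time ago but never used it, and it was not set up properly in VS Code, so I had to fall back on good old IDLE. When run, the program asks me to enter the flag. So this must be the last programming language the challenge tests.

Import the dis module, which can disassemble Python bytecode.

In define_func, add one line before return inner: print(dis.dis(cd_new)), so that the disassembled bytecode is printed before the function returns. dis.dis prints the listing itself and returns None, so each listing in the output is followed by a line reading None. The complete code: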

import types
import dis

def define_func(argcount, nlocals, code, consts, names):
    #PYTHON3.8!!!
    def inner():
        return 0

    fn_code = inner.__code__
    cd_new = types.CodeType(argcount,
                             0,
                             fn_code.co_kwonlyargcount,
                             nlocals,
                             1024,
                             fn_code.co_flags,
                             code,
                             consts,
                             names,
                             tuple(["v%d" for i in range(nlocals)]),
                             fn_code.co_filename,
                             fn_code.co_name,
                             fn_code.co_firstlineno,
                             fn_code.co_lnotab,
                             fn_code.co_freevars,
                             fn_code.co_cellvars)
    inner.__code__ = cd_new
    print(dis.dis(cd_new))
    return inner

f1 = define_func(2,2,b'|\x00|\x01k\x02S\x00', (None,), ())
f2 = define_func(1,1,b't\x00|\x00\x83\x01S\x00', (None,), ('ord',))
f3 = define_func(0,0,b't\x00d\x01\x83\x01S\x00', (None,  'Give me flag: '), ('input',))
f4 = define_func(1, 3, b'd\x01d\x02d\x03d\x04d\x05d\x01d\x06d\x07d\x08d\td\x03d\nd\x0bd\x0cd\rd\x08d\x0cd\x0ed\x0cd\x0fd\x0ed\x10d\x11d\td\x12d\x03d\x10d\x03d\x0ed\x13d\x0bd\nd\x14d\x08d\x13d\x01d\x01d\nd\td\x01d\x12d\x0bd\x10d\x0fd\x14d\x03d\x0bd\x15d\x16g1}\x01t\x00|\x00\x83\x01t\x00|\x01\x83\x01k\x03r\x82t\x01d\x17\x83\x01\x01\x00d\x18S\x00t\x02|\x00|\x01\x83\x02D\x00]$}\x02t\x03|\x02d\x19\x19\x00t\x04|\x02d\x1a\x19\x00\x83\x01\x83\x02d\x18k\x02r\x8c\x01\x00d\x18S\x00q\x8cd\x1bS\x00',
                 (None, 99, 121, 98, 114, 105, 115, 123, 52, 97, 100, 51, 101, 55, 57, 53, 54, 48, 49, 50, 56, 102, 125, 'Length mismatch!', False, 1, 0, True),
                 ('len', 'print', 'zip', 'f1', 'f2'))
f5 = define_func(0, 1,b't\x00\x83\x00}\x00t\x01|\x00\x83\x01d\x01k\x08r\x1ct\x02d\x02\x83\x01\x01\x00n\x08t\x02d\x03\x83\x01\x01\x00d\x00S\x00',(None, False, 'Nope!', 'Yep!'), ('f3', 'f4', 'print'))
f5()

Output:

  7           0 LOAD_FAST                0 (v%d)
              2 LOAD_FAST                1 (v%d)
              4 COMPARE_OP               2 (==)
              6 RETURN_VALUE
None
  7           0 LOAD_GLOBAL              0 (ord)
              2 LOAD_FAST                0 (v%d)
              4 CALL_FUNCTION            1
              6 RETURN_VALUE
None
  7           0 LOAD_GLOBAL              0 (input)
              2 LOAD_CONST               1 ('Give me flag: ')
              4 CALL_FUNCTION            1
              6 RETURN_VALUE
None
  7           0 LOAD_CONST               1 (99)
              2 LOAD_CONST               2 (121)
              4 LOAD_CONST               3 (98)
              6 LOAD_CONST               4 (114)
              8 LOAD_CONST               5 (105)
             10 LOAD_CONST               1 (99)
             12 LOAD_CONST               6 (115)
             14 LOAD_CONST               7 (123)
             16 LOAD_CONST               8 (52)
             18 LOAD_CONST               9 (97)
             20 LOAD_CONST               3 (98)
             22 LOAD_CONST              10 (100)
             24 LOAD_CONST              11 (51)
             26 LOAD_CONST              12 (101)
             28 LOAD_CONST              13 (55)
             30 LOAD_CONST               8 (52)
             32 LOAD_CONST              12 (101)
             34 LOAD_CONST              14 (57)
             36 LOAD_CONST              12 (101)
             38 LOAD_CONST              15 (53)
             40 LOAD_CONST              14 (57)
             42 LOAD_CONST              16 (54)
             44 LOAD_CONST              17 (48)
             46 LOAD_CONST               9 (97)
             48 LOAD_CONST              18 (49)
             50 LOAD_CONST               3 (98)
             52 LOAD_CONST              16 (54)
             54 LOAD_CONST               3 (98)
             56 LOAD_CONST              14 (57)
             58 LOAD_CONST              19 (50)
             60 LOAD_CONST              11 (51)
             62 LOAD_CONST              10 (100)
             64 LOAD_CONST              20 (56)
             66 LOAD_CONST               8 (52)
             68 LOAD_CONST              19 (50)
             70 LOAD_CONST               1 (99)
             72 LOAD_CONST               1 (99)
             74 LOAD_CONST              10 (100)
             76 LOAD_CONST               9 (97)
             78 LOAD_CONST               1 (99)
             80 LOAD_CONST              18 (49)
             82 LOAD_CONST              11 (51)
             84 LOAD_CONST              16 (54)
             86 LOAD_CONST              15 (53)
             88 LOAD_CONST              20 (56)
             90 LOAD_CONST               3 (98)
             92 LOAD_CONST              11 (51)
             94 LOAD_CONST              21 (102)
             96 LOAD_CONST              22 (125)
             98 BUILD_LIST              49
            100 STORE_FAST               1 (v%d)
            102 LOAD_GLOBAL              0 (len)
            104 LOAD_FAST                0 (v%d)
            106 CALL_FUNCTION            1
            108 LOAD_GLOBAL              0 (len)
            110 LOAD_FAST                1 (v%d)
            112 CALL_FUNCTION            1
            114 COMPARE_OP               3 (!=)
            116 POP_JUMP_IF_FALSE      130
            118 LOAD_GLOBAL              1 (print)
            120 LOAD_CONST              23 ('Length mismatch!')
            122 CALL_FUNCTION            1
            124 POP_TOP
            126 LOAD_CONST              24 (False)
            128 RETURN_VALUE
        >>  130 LOAD_GLOBAL              2 (zip)
            132 LOAD_FAST                0 (v%d)
            134 LOAD_FAST                1 (v%d)
            136 CALL_FUNCTION            2
            138 GET_ITER
        >>  140 FOR_ITER                36 (to 178)
            142 STORE_FAST               2 (v%d)
            144 LOAD_GLOBAL              3 (f1)
            146 LOAD_FAST                2 (v%d)
            148 LOAD_CONST              25 (1)
            150 BINARY_SUBSCR
            152 LOAD_GLOBAL              4 (f2)
            154 LOAD_FAST                2 (v%d)
            156 LOAD_CONST              26 (0)
            158 BINARY_SUBSCR
            160 CALL_FUNCTION            1
            162 CALL_FUNCTION            2
            164 LOAD_CONST              24 (False)
            166 COMPARE_OP               2 (==)
            168 POP_JUMP_IF_FALSE      140
            170 POP_TOP
            172 LOAD_CONST              24 (False)
            174 RETURN_VALUE
            176 JUMP_ABSOLUTE          140
        >>  178 LOAD_CONST              27 (True)
            180 RETURN_VALUE
None
  7           0 LOAD_GLOBAL              0 (f3)
              2 CALL_FUNCTION            0
              4 STORE_FAST               0 (v%d)
              6 LOAD_GLOBAL              1 (f4)
              8 LOAD_FAST                0 (v%d)
             10 CALL_FUNCTION            1
             12 LOAD_CONST               1 (False)
             14 COMPARE_OP               8 (is)
             16 POP_JUMP_IF_FALSE       28
             18 LOAD_GLOBAL              2 (print)
             20 LOAD_CONST               2 ('Nope!')
             22 CALL_FUNCTION            1
             24 POP_TOP
             26 JUMP_FORWARD             8 (to 36)
        >>   28 LOAD_GLOBAL              2 (print)
             30 LOAD_CONST               3 ('Yep!')
             32 CALL_FUNCTION            1
             34 POP_TOP
        >>   36 LOAD_CONST               0 (None)
             38 RETURN_VALUE
None
Give me flag: 

Analysis, piece by piece:

f1

  7           0 LOAD_FAST                0 (v%d)
              2 LOAD_FAST                1 (v%d)
              4 COMPARE_OP               2 (==)
              6 RETURN_VALUE

Simple: it checks whether the two arguments are equal.

f2

  7           0 LOAD_GLOBAL              0 (ord)
              2 LOAD_FAST                0 (v%d)
              4 CALL_FUNCTION            1
              6 RETURN_VALUE

The ord function.

f3

  7           0 LOAD_GLOBAL              0 (input)
              2 LOAD_CONST               1 ('Give me flag: ')
              4 CALL_FUNCTION            1
              6 RETURN_VALUE

input_str = input('Give me flag: ')

f4

  7           0 LOAD_CONST               1 (99)
              2 LOAD_CONST               2 (121)
              4 LOAD_CONST               3 (98)
              6 LOAD_CONST               4 (114)
              8 LOAD_CONST               5 (105)
             10 LOAD_CONST               1 (99)
             12 LOAD_CONST               6 (115)
             14 LOAD_CONST               7 (123)
             16 LOAD_CONST               8 (52)
             18 LOAD_CONST               9 (97)
             20 LOAD_CONST               3 (98)
             22 LOAD_CONST              10 (100)
             24 LOAD_CONST              11 (51)
             26 LOAD_CONST              12 (101)
             28 LOAD_CONST              13 (55)
             30 LOAD_CONST               8 (52)
             32 LOAD_CONST              12 (101)
             34 LOAD_CONST              14 (57)
             36 LOAD_CONST              12 (101)
             38 LOAD_CONST              15 (53)
             40 LOAD_CONST              14 (57)
             42 LOAD_CONST              16 (54)
             44 LOAD_CONST              17 (48)
             46 LOAD_CONST               9 (97)
             48 LOAD_CONST              18 (49)
             50 LOAD_CONST               3 (98)
             52 LOAD_CONST              16 (54)
             54 LOAD_CONST               3 (98)
             56 LOAD_CONST              14 (57)
             58 LOAD_CONST              19 (50)
             60 LOAD_CONST              11 (51)
             62 LOAD_CONST              10 (100)
             64 LOAD_CONST              20 (56)
             66 LOAD_CONST               8 (52)
             68 LOAD_CONST              19 (50)
             70 LOAD_CONST               1 (99)
             72 LOAD_CONST               1 (99)
             74 LOAD_CONST              10 (100)
             76 LOAD_CONST               9 (97)
             78 LOAD_CONST               1 (99)
             80 LOAD_CONST              18 (49)
             82 LOAD_CONST              11 (51)
             84 LOAD_CONST              16 (54)
             86 LOAD_CONST              15 (53)
             88 LOAD_CONST              20 (56)
             90 LOAD_CONST               3 (98)
             92 LOAD_CONST              11 (51)
             94 LOAD_CONST              21 (102)
             96 LOAD_CONST              22 (125)
             98 BUILD_LIST              49

crypt = [99,121,98,114,105,99,115,123,52,97,98,100,51,101,55,52,101,57,101,53,57,54,48,97,49,98,54,98,57,50,51,100,56,52,50,99,99,100,97,99,49,51,54,53,56,98,51,102,125]

            100 STORE_FAST               1 (v%d)
            102 LOAD_GLOBAL              0 (len)
            104 LOAD_FAST                0 (v%d)
            106 CALL_FUNCTION            1
            108 LOAD_GLOBAL              0 (len)
            110 LOAD_FAST                1 (v%d)
            112 CALL_FUNCTION            1
            114 COMPARE_OP               3 (!=)
            116 POP_JUMP_IF_FALSE      130
            118 LOAD_GLOBAL              1 (print)
            120 LOAD_CONST              23 ('Length mismatch!')
            122 CALL_FUNCTION            1
            124 POP_TOP
            126 LOAD_CONST              24 (False)
            128 RETURN_VALUE

if len(crypt) != len(input_str):
    print('Length mismatch!')
    return False

        >>  130 LOAD_GLOBAL              2 (zip)
            132 LOAD_FAST                0 (v%d)
            134 LOAD_FAST                1 (v%d)
            136 CALL_FUNCTION            2
            138 GET_ITER

zip(crypt,input_str)

zip pairs up the elements of the two sequences position by position; the original post illustrated this with a screenshot.

        >>  140 FOR_ITER                36 (to 178)
            142 STORE_FAST               2 (v%d)
            144 LOAD_GLOBAL              3 (f1)
            146 LOAD_FAST                2 (v%d)
            148 LOAD_CONST              25 (1)
            150 BINARY_SUBSCR
            152 LOAD_GLOBAL              4 (f2)
            154 LOAD_FAST                2 (v%d)
            156 LOAD_CONST              26 (0)
            158 BINARY_SUBSCR
            160 CALL_FUNCTION            1
            162 CALL_FUNCTION            2
            164 LOAD_CONST              24 (False)
            166 COMPARE_OP               2 (==)
            168 POP_JUMP_IF_FALSE      140
            170 POP_TOP
            172 LOAD_CONST              24 (False)
            174 RETURN_VALUE
            176 JUMP_ABSOLUTE          140
        >>  178 LOAD_CONST              27 (True)
            180 RETURN_VALUE

if f1(crypt[i], f2(input_str[i])) == False:
    return False

Putting it together, the logic of f4 is:

def f4(input_str):
    crypt = [99,121,98,114,105,99,115,123,52,97,98,100,51,101,55,52,101,57,101,53,57,54,48,97,49,98,54,98,57,50,51,100,56,52,50,99,99,100,97,99,49,51,54,53,56,98,51,102,125]
    if len(crypt) != len(input_str):
        print('Length mismatch!')
        return False
    for t in zip(crypt, input_str):
        if t[0] != ord(t[1]):
            return False
    return True

f5

  7           0 LOAD_GLOBAL              0 (f3)
              2 CALL_FUNCTION            0
              4 STORE_FAST               0 (v%d)
              6 LOAD_GLOBAL              1 (f4)
              8 LOAD_FAST                0 (v%d)
             10 CALL_FUNCTION            1
             12 LOAD_CONST               1 (False)
             14 COMPARE_OP               8 (is)
             16 POP_JUMP_IF_FALSE       28
             18 LOAD_GLOBAL              2 (print)
             20 LOAD_CONST               2 ('Nope!')
             22 CALL_FUNCTION            1
             24 POP_TOP
             26 JUMP_FORWARD             8 (to 36)
        >>   28 LOAD_GLOBAL              2 (print)
             30 LOAD_CONST               3 ('Yep!')
             32 CALL_FUNCTION            1
             34 POP_TOP
        >>   36 LOAD_CONST               0 (None)
             38 RETURN_VALUE

input_str = f3()        # input
if f4(input_str):
    print('Yep!')
else:
    print('Nope!')

Complete encryption code

def f4(input_str):
    crypt = [99,121,98,114,105,99,115,123,52,97,98,100,51,101,55,52,101,57,101,53,57,54,48,97,49,98,54,98,57,50,51,100,56,52,50,99,99,100,97,99,49,51,54,53,56,98,51,102,125]
    # The bytecode rejects input of the wrong length before comparing
    if len(crypt) != len(input_str):
        print('Length mismatch!')
        return False
    for t in zip(crypt, input_str):
        if t[0] != ord(t[1]):
            return False
    return True

input_str = input('Give me flag: ')
if f4(input_str):
    print('Yep!')
else:
    print('Nope!')

Decryption

asm = '''  7           0 LOAD_CONST               1 (99)
              2 LOAD_CONST               2 (121)
              4 LOAD_CONST               3 (98)
              6 LOAD_CONST               4 (114)
              8 LOAD_CONST               5 (105)
             10 LOAD_CONST               1 (99)
             12 LOAD_CONST               6 (115)
             14 LOAD_CONST               7 (123)
             16 LOAD_CONST               8 (52)
             18 LOAD_CONST               9 (97)
             20 LOAD_CONST               3 (98)
             22 LOAD_CONST              10 (100)
             24 LOAD_CONST              11 (51)
             26 LOAD_CONST              12 (101)
             28 LOAD_CONST              13 (55)
             30 LOAD_CONST               8 (52)
             32 LOAD_CONST              12 (101)
             34 LOAD_CONST              14 (57)
             36 LOAD_CONST              12 (101)
             38 LOAD_CONST              15 (53)
             40 LOAD_CONST              14 (57)
             42 LOAD_CONST              16 (54)
             44 LOAD_CONST              17 (48)
             46 LOAD_CONST               9 (97)
             48 LOAD_CONST              18 (49)
             50 LOAD_CONST               3 (98)
             52 LOAD_CONST              16 (54)
             54 LOAD_CONST               3 (98)
             56 LOAD_CONST              14 (57)
             58 LOAD_CONST              19 (50)
             60 LOAD_CONST              11 (51)
             62 LOAD_CONST              10 (100)
             64 LOAD_CONST              20 (56)
             66 LOAD_CONST               8 (52)
             68 LOAD_CONST              19 (50)
             70 LOAD_CONST               1 (99)
             72 LOAD_CONST               1 (99)
             74 LOAD_CONST              10 (100)
             76 LOAD_CONST               9 (97)
             78 LOAD_CONST               1 (99)
             80 LOAD_CONST              18 (49)
             82 LOAD_CONST              11 (51)
             84 LOAD_CONST              16 (54)
             86 LOAD_CONST              15 (53)
             88 LOAD_CONST              20 (56)
             90 LOAD_CONST               3 (98)
             92 LOAD_CONST              11 (51)
             94 LOAD_CONST              21 (102)
             96 LOAD_CONST              22 (125)'''
import re
lines = asm.split('\n')
for line in lines:
    num = re.search(r'\((\d+?)\)', line).group(1)
    print(chr(int(num)), end='')

There is nothing really to decrypt: there is no encryption step at all, the input is simply compared against the plaintext.

cybrics{4abd3e74e9e5960a1b6b923d842ccdac13658b3f}

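Note

Some people may, before decompiling anything, notice the sequence of numbers in the original Python code (shown in a screenshot in the original post) and chr() it directly, which gives cybris{4ad3e79560128f}

Why is that wrong? Because that sequence is only a lookup table: the disassembly looks each value up in it and expands it into the code. So of course the table by itself is not the flag.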
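The difference between the constants table and the order in which the code loads from it, shown on an excerpt of the f4 listing above. This is an added example, not code from the original post; the names `rebuild`, `as_text`, `INSTR` and `LISTING` are hypothetical, and the excerpt's BUILD_LIST count is adjusted to match its eight constants.

```python
import ast
import re

# Excerpt of the f4 listing (first eight constants); BUILD_LIST 8 is constructed.
LISTING = """\
  7           0 LOAD_CONST               1 (99)
              2 LOAD_CONST               2 (121)
              4 LOAD_CONST               3 (98)
              6 LOAD_CONST               4 (114)
              8 LOAD_CONST               5 (105)
             10 LOAD_CONST               1 (99)
             12 LOAD_CONST               6 (115)
             14 LOAD_CONST               7 (123)
             16 BUILD_LIST               8
"""

# [source line] [>>] offset OPNAME [oparg [(repr of the argument)]]
INSTR = re.compile(
    r"^\s*(?:\d+\s+)?(?:>>\s+)?\d+\s+([A-Z_]+)(?:\s+(\d+)(?:\s+\((.*)\))?)?\s*$")


def rebuild(listing):
    """Replay LOAD_CONST/BUILD_LIST on a toy stack; return (consts, lists)."""
    consts, stack, lists = {}, [], []
    for line in listing.splitlines():
        m = INSTR.match(line)
        if not m:
            continue
        op, arg, rep = m.groups()
        if op == "LOAD_CONST":
            value = ast.literal_eval(rep)
            # An index into the constants table always names one value.
            if consts.setdefault(int(arg), value) != value:
                raise ValueError(f"constant index {arg} has two values")
            stack.append(value)
        elif op == "BUILD_LIST":
            n = int(arg)
            if n > len(stack):
                raise ValueError("BUILD_LIST pops more than was pushed")
            items = [stack.pop() for _ in range(n)][::-1]
            lists.append(items)
            stack.append(items)
    return consts, lists

def as_text(values):
    return "".join(chr(v) for v in values)

consts, lists = rebuild(LISTING)
print(as_text(consts[i] for i in sorted(consts)))  # table order, deduplicated
print(as_text(lists[0]))                           # order the code pushes them
```

The table stores each distinct constant once, so reading it in index order drops every repeated character; only replaying the loads recovers the list the function actually compares against.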

hide_and_seek

Still working on it (ㄒoㄒ)

Last modification: July 28th, 2020 at 09:31 pm