目录
[HNCTF 2022 WEEK3]Help_Me!
[HNCTF 2022 WEEK3]What's 1n DLL?
[HNCTF 2022 WEEK4]ez_maze
这几天在做HNCTF的week3,week4部分,学到了一些不知道的没接触过的东西,所以记录一下
[HNCTF 2022 WEEK3]Help_Me!
题目下载:下载
运行下程序:
发现是让你获得最高的score,并且不能猝死(不能超过某一个值),这和01背包问题很像。我是第一次接触这类问题,宿舍的一位py大佬给我讲了一遍,之后又看了视频,才慢慢理解。
视频链接:【动态规划】背包问题_哔哩哔哩_bilibili
载入IDA,前面就是一些题目论述和给的一些含金量和“重量”(防止猝死)。重点看一下下面的地方:
可以发现不能超过200,并且会进入func函数,看一下:
发现这里会输出flag,所以只要你满足这个01背包,就会出flag。
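# 0/1 knapsack: pick items so that the summed value ("gold content") is as
# large as possible while the summed weight stays within the limit of 200.
# The table has one extra row and column for "no items" / "zero budget",
# i.e. 21 rows x 201 columns for the 20 items below.
val = [26, 59, 30, 19, 66, 85, 94, 8, 3, 44, 5, 1, 41, 82, 76, 1, 12, 81, 73, 32]  # value of each item
w = [71, 34, 82, 23, 1, 88, 12, 57, 10, 68, 5, 33, 37, 69, 98, 24, 26, 83, 16, 26]  # weight of each item
assert len(val) == len(w), "every item needs both a value and a weight"

capacity = 200       # total weight must not exceed this
n_items = len(val)   # table sizes are derived from the data, not hard-coded

# dp[i][j] = best total value using only the first i items with weight budget j.
dp = [[0 for _ in range(capacity + 1)] for _ in range(n_items + 1)]

# Fill the table.
for i in range(1, n_items + 1):
    for j in range(1, capacity + 1):
        if j >= w[i - 1]:
            # Best of "take item i" and "skip item i".
            dp[i][j] = max(dp[i - 1][j - w[i - 1]] + val[i - 1], dp[i - 1][j])
        else:
            # Item i does not fit into budget j.
            dp[i][j] = dp[i - 1][j]

# Backtrack from the bottom-right cell (the maximum value) to recover the items.
i = n_items
j = capacity
tmp = dp[i][j]   # value that still has to be explained by the remaining items
res = []         # values of the chosen items, last item first
while i != 0:
    if tmp == dp[i - 1][j]:
        # Same value is reachable without item i, so it was not taken.
        i = i - 1
    else:
        res.append(val[i - 1])
        tmp = tmp - val[i - 1]
        i = i - 1
        # Continue from the smallest budget that still yields the remaining value.
        for t in range(j + 1):
            if dp[i][t] == tmp:
                j = t
                break
print(res)  # chosen values: [32, 73, 82, 41, 5, 94, 66, 59]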
根据获得的含金量就可以根据提示输入了。
[HNCTF 2022 WEEK3]What's 1n DLL?
题目下载:下载
下载完附件发现有一个可执行程序和.dll动态链接库。根据题目就知道需要观察这个.dll文件。先把exe载入IDA
程序首先读入flag,随后出现v4数组,并载入Dll1.dll中ttt函数的地址。打开这个.dll文件,发现带有UPX壳,但壳的标识被改成了UFO,直接用upx -d应该无法识别;用十六进制编辑器把UFO改回UPX,再执行upx -d即可脱壳。
IDA载入DLL1.dll。在导出表中找到ttt函数
根据这个格式知道是一个xxtea加密,那前面exe中出现的v4数组就可能是key,所以可以在网上找脚本求解。代码如下
#include <stdbool.h>
#include <stdio.h>
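/*
 * XXTEA mixing term. Expands in place and relies on the locals z, y, sum, k,
 * p and e of the function that uses it.
 */
#define MX \
    ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4))) ^ ((sum ^ y) + (k[(p & 3) ^ e] ^ z)))

/*
 * XXTEA block cipher, operating in place on the words in v.
 *
 *   v  buffer of |n| words, overwritten with the result
 *   n  word count; n > 1 encrypts, n < -1 decrypts
 *   k  key of 4 words
 *
 * Returns 0 on success and 1 when |n| is below 2 (nothing is done).
 * NOTE(review): the arithmetic assumes unsigned int is 32 bits wide.
 *
 * v[n - 1] is read only after the sign of n is known; reading it up front
 * indexes before the start of the buffer whenever n is zero or negative.
 */
bool btea(unsigned int* v, int n, unsigned int* k) {
    const unsigned int DELTA = 0x9e3779b9;
    unsigned int y = 0, z = 0, sum = 0, e, p, q;

    if (n > 1) { /* encrypt */
        unsigned int len = (unsigned int)n;

        z = v[len - 1];
        q = 6 + 52 / len;
        while (q-- > 0) {
            sum += DELTA;
            e = (sum >> 2) & 3;
            for (p = 0; p < len - 1; p++) {
                y = v[p + 1];
                z = v[p] += MX;
            }
            /* p == len - 1 here, which MX uses to pick the key word */
            y = v[0];
            z = v[len - 1] += MX;
        }
        return 0;
    }

    if (n < -1) { /* decrypt */
        unsigned int len = (unsigned int)(-n);

        y = v[0];
        q = 6 + 52 / len;
        sum = q * DELTA;
        while (sum != 0) {
            e = (sum >> 2) & 3;
            for (p = len - 1; p > 0; p--) {
                z = v[p - 1];
                y = v[p] -= MX;
            }
            /* p == 0 here, which MX uses to pick the key word */
            z = v[len - 1];
            y = v[0] -= MX;
            sum -= DELTA;
        }
        return 0;
    }

    return 1;
}

/*
 * Decrypts the five words below with the key from the write-up (the v4 array
 * seen in the exe) and prints the 20 resulting bytes.
 */
int main(int argc, char const* argv[]) {
    (void)argc;
    (void)argv;

    unsigned int v[5] = {0x22a577c1, 0x1c12c03, 0xc74c3ebd, 0xa9d03c85, 0xadb8ffb3};
    unsigned int key[4] = {55, 66, 77, 88};

    /* n is the number of words; the negative sign selects decryption. */
    if (btea(v, -5, key)) {
        fprintf(stderr, "btea: unsupported word count\n");
        return 1;
    }

    /*
     * The words are dumped in host byte order (the flag reads correctly on a
     * little-endian machine). Bytes outside printable ASCII are escaped, so a
     * wrong key or altered data cannot send control sequences to the terminal.
     */
    const unsigned char* p = (const unsigned char*)v;
    for (size_t i = 0; i < sizeof v; i++) {
        if (p[i] >= 0x20 && p[i] < 0x7f) {
            putchar(p[i]);
        } else {
            printf("\\x%02x", p[i]);
        }
    }
    return 0;
}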
flag:NSSCTF{He110_w0r1d!}
[HNCTF 2022 WEEK4]ez_maze
题目下载:下载
下载完是一个pyc文件,可以在线转换为.py文件
参考:Python可执行文件反编译教程(exe转py)_python_脚本之家
转化完,查看代码
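# Decompiled source of the challenge .pyc, with the indentation reconstructed.
# The decompiler's trailing `continue` / `return None` are dropped: a `return`
# at module level is a syntax error and the `continue` had no effect.
#
# map1 is a 31x31 grid: 0 is an open cell, 1 is a wall.
map1 = [
    [1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1],
    [1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1],
    [1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1],
    [1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1],
    [1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1],
    [1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1],
    [1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1],
    [1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1],
    [1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1],
    [1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1],
    [1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1],
    [1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1],
    [1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1],
    [1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1],
    [1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1],
    [1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1],
    [1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1],
    [1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1],
    [1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1],
    [1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1],
    [1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1],
    [1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1],
    [1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1],
    [1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1],
    [1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1],
    [1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1],
    [1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1],
    [1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1],
    [1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1],
    [1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1],
    [1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1],
]
path = str(input('please input your path:'))
# Start cell. x is the column and y the row: the grid is indexed as map1[y][x].
x = 1
y = 1
for i in path:
    # Only the four movement keys are accepted.
    if i not in 'wasd':
        print('lose')
        exit(0)
    if i == 's':
        y += 1
    if i == 'w':
        y -= 1
    if i == 'a':
        x -= 1
    if i == 'd':
        x += 1
    # Stepping onto anything but an open cell ends the game.
    if map1[y][x] != 0:
        print('lose!')
        exit(0)
    # Reaching (29, 29) wins; the program prints the flag format literally,
    # it does not compute the digest itself.
    if x == 29 and y == 29:
        print('win!')
        print('NSSCTF{md5(path)}')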
可以知道这是一个简单的迷宫问题,‘wsad’分别代表上下左右,起点是(1,1),终点是(29,29),0是路,1是墙。这道题手动应该也是能走出来的,这里看一下代码求解,使用dfs。
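import hashlib

# Maze taken from the challenge: 0 is an open cell, 1 is a wall.
map1 = [
    [1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1],
    [1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1],
    [1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1],
    [1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1],
    [1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1],
    [1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1],
    [1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1],
    [1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1],
    [1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1],
    [1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1],
    [1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1],
    [1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1],
    [1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1],
    [1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1],
    [1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1],
    [1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1],
    [1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1],
    [1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1],
    [1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1],
    [1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1],
    [1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1],
    [1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1],
    [1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1],
    [1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1],
    [1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1],
    [1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1],
    [1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1],
    [1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1],
    [1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1],
    [1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1],
    [1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1],
]

# map2 marks the cells on the path currently being explored (1 = on the path).
map2 = [[0 for _ in range(len(map1[0]))] for _ in range(len(map1))]
flag = ""        # key presses of the path currently being explored
solutions = []   # every complete path found, in the order it was printed

# Key, row step, column step; tried in the order s, w, d, a.
_MOVES = (('s', 1, 0), ('w', -1, 0), ('d', 0, 1), ('a', 0, -1))


def DFS(x, y):
    """Depth-first search from row x, column y to the exit cell.

    Here x is the ROW and y the COLUMN (the challenge code names them the
    other way round); 's' still means one row down and 'd' one column right.
    Each path that reaches the exit is printed and appended to `solutions`.
    The search stops at the exit instead of walking on past it, which prints
    the same paths with less work.
    """
    global flag
    if x == len(map1) - 2 and y == len(map1[0]) - 2:  # exit cell reached
        print(flag)
        solutions.append(flag)
        return
    map2[x][y] = 1  # do not step back onto the current path
    for key, dx, dy in _MOVES:
        nx = x + dx
        ny = y + dy
        if map1[nx][ny] == 0 and map2[nx][ny] == 0:
            flag += key
            DFS(nx, ny)
            flag = flag[:-1]  # undo the step before trying the next direction
    map2[x][y] = 0


x = 1
y = 1
DFS(x, y)

# The challenge prints the flag format as NSSCTF{md5(path)}.
# NOTE(review): this assumes the lowercase hex digest of the path string; confirm.
for route in solutions:
    print('NSSCTF{' + hashlib.md5(route.encode()).hexdigest() + '}')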
然后再对得到的路径计算md5(path),即可获得flag。