HNCTF: Reproducing Some of the Reverse-Engineering Challenges

news/2024/11/21 9:14:46/

Contents

[HNCTF 2022 WEEK3]Help_Me!

[HNCTF 2022 WEEK3]What's 1n DLL?

[HNCTF 2022 WEEK4]ez_maze


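Over the past few days I have been working through the week 3 and week 4 parts of HNCTF and learned some things I had not known or run into before, so I am writing them down.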

[HNCTF 2022 WEEK3]Help_Me!

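Challenge download: download

Run the program:

It turns out the goal is to get the highest score without dying from overwork (that is, without exceeding a certain value). This is very similar to the 0/1 knapsack problem. It was my first time encountering it; a Python expert in my dorm explained it to me once, and after watching a video I gradually came to understand it.

Video link: [Dynamic Programming] The Knapsack Problem, on bilibili

Load the program into IDA. The first part is the challenge description along with the given "gold content" values and "weights" (the guard against dying from overwork). Focus on the part below:

You can see that the total must not exceed 200, and that execution then enters the func function. Take a look:

The flag is printed here, so as long as you satisfy this 0/1 knapsack, the flag comes out.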

# Total weight must not exceed 200. With capacity 200 and 20 items,
# create an empty table of 21 rows by 201 columns.
val = [26, 59, 30, 19, 66, 85, 94, 8, 3, 44, 5, 1, 41, 82, 76, 1, 12, 81, 73, 32]  # values
w = [71, 34, 82, 23, 1, 88, 12, 57, 10, 68, 5, 33, 37, 69, 98, 24, 26, 83, 16, 26]  # weights
# Build the dp table
dp = [[0 for _ in range(201)] for _ in range(21)]
# Fill the table
for i in range(1, 21):
    for j in range(1, 201):
        if j >= w[i-1]:
            # Maximum of the value with this item added and the value without it
            dp[i][j] = max(dp[i-1][j-w[i-1]] + val[i-1], dp[i-1][j])
        else:
            dp[i][j] = dp[i-1][j]
# Backtrack
i = 20
j = 200
tmp = dp[i][j]  # bottom-right corner of the table, i.e. the maximum value
res = []        # collects the gold-content values
while i != 0:
    if tmp == dp[i-1][j]:
        i = i - 1
    else:
        res.append(val[i-1])
        tmp = tmp - val[i-1]
        i = i - 1
        for t in range(j+1):
            if dp[i][t] == tmp:
                j = t
                break
print(res)  # gold content [32, 73, 82, 41, 5, 94, 66, 59]

With the resulting gold-content values, you can enter the input as the program prompts.

[HNCTF 2022 WEEK3]What's 1n DLL?

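Challenge download: download

The downloaded attachment contains an executable and a .dll dynamic-link library. The challenge title already says that the .dll is the file to examine. First load the exe into IDA.

It first reads the flag as input, then the v4 array appears, and then it loads the address of the ttt function in Dll1.dll. Open this .dll file. It turns out to be packed with UPX. Load it into a hex editor, change UFO to UPX, and then unpack it with upx -d.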
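The hex-editor step above can also be scripted. This is an added example, not code from the original post: it assumes the tampering replaced "UPX" with "UFO" in the PE section names (UFO0, UFO1) and in the "UPX!" packer magic, and the function names and the constructed sample buffer are hypothetical.

```python
import struct

def restore_upx_markers(pe: bytes):
    """Return (patched bytes, change log) with UFO markers set back to UPX."""
    buf, changes = bytearray(pe), []
    if buf[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20.
    (n_sections,) = struct.unpack_from("<H", buf, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", buf, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # first 40-byte section header
    if table + 40 * n_sections > len(buf):
        raise ValueError("section table runs past end of file")
    for i in range(n_sections):
        off = table + 40 * i
        if buf[off:off + 3] == b"UFO":        # assumed names: UFO0 / UFO1
            old = bytes(buf[off:off + 8]).rstrip(b"\0").decode("ascii", "replace")
            buf[off:off + 3] = b"UPX"
            changes.append(f"section {i}: {old} -> UPX{old[3:]}")
    # Packer magic in the packed data (assumed to be tampered the same way).
    pos = buf.find(b"UFO!")
    while pos != -1:
        buf[pos:pos + 4] = b"UPX!"
        changes.append(f"magic at 0x{pos:x}: UFO! -> UPX!")
        pos = buf.find(b"UFO!", pos + 4)
    return bytes(buf), changes

def build_sample() -> bytes:
    """Constructed PE-shaped buffer for the demo (not a loadable DLL)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0, 0x2102)
    names = (b"UFO0", b"UFO1", b".rsrc")
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + sections + b"\0" * 16 + b"UFO!" + b"\0" * 8

if __name__ == "__main__":
    patched, log = restore_upx_markers(build_sample())
    print("\n".join(log))
```

Write the patched bytes to a copy of the DLL and run upx -d on that copy, keeping the original file untouched for comparison.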

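Load DLL1.dll into IDA and find the ttt function in the export table.

From the shape of this code it is recognizable as XXTEA encryption, so the v4 array seen earlier in the exe is probably the key, and a script found online can be used to solve it. The code is as follows: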

#include <stdbool.h>
#include <stdio.h>

/* XXTEA mixing function; the extra parentheses only make the precedence explicit. */
#define MX (((z >> 5 ^ y << 2) + (y >> 3 ^ z << 4)) ^ ((sum ^ y) + (k[(p & 3) ^ e] ^ z)))

/* n > 1 encrypts n words in place, n < -1 decrypts -n words in place.
   Returns 0 on success and 1 when n is out of range. */
bool btea(unsigned int* v, int n, unsigned int* k) {
    unsigned int z = v[n - 1], y = v[0], sum = 0, e, DELTA = 0x9e3779b9;
    unsigned int p, q;
    if (n > 1) { /* Coding Part */
        q = 6 + 52 / n;
        while (q-- > 0) {
            sum += DELTA;
            e = (sum >> 2) & 3;
            for (p = 0; p < n - 1; p++)
                y = v[p + 1], z = v[p] += MX;
            y = v[0];
            z = v[n - 1] += MX;
        }
        return 0;
    } else if (n < -1) { /* Decoding Part */
        n = -n;
        q = 6 + 52 / n;
        sum = q * DELTA;
        while (sum != 0) {
            e = (sum >> 2) & 3;
            for (p = n - 1; p > 0; p--)
                z = v[p - 1], y = v[p] -= MX;
            z = v[n - 1];
            y = v[0] -= MX;
            sum -= DELTA;
        }
        return 0;
    }
    return 1;
}

int main(int argc, char const* argv[]) {
    /* Ciphertext words and the key (the v4 array from the exe). */
    unsigned int v[5] = {0x22a577c1, 0x1c12c03, 0xc74c3ebd, 0xa9d03c85, 0xadb8ffb3},
                 key[4] = {55, 66, 77, 88};
    btea(v, -5, key); /* |n| is the number of data words; negative n decrypts */
    /* Print the 20 decrypted bytes as characters (little-endian word layout). */
    char* p = (char*)v;
    for (int i = 0; i < 20; i++) {
        printf("%c", *p);
        p++;
    }
    return 0;
}

flag: NSSCTF{He110_w0r1d!}

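[HNCTF 2022 WEEK4]ez_maze

Challenge download: download

The download is a pyc file, which can be converted to a .py file online.

Reference: Python executable decompilation tutorial (exe to py), 脚本之家

After converting it, look at the code: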

map1 = [[1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1],[1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1],[1,0,1,0,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,0,1,0,1,1,1,1,1,1,1,0,1],[1,0,1,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,1,0,1,0,0,0,1,0,1],[1,0,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,0,1,0,1,0,1,0,1],[1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,1],[1,1,1,0,1,0,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1],[1,0,0,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,1,0,1],[1,0,1,1,1,0,1,0,1,1,1,0,1,1,1,1,1,1,1,0,1,0,1,1,1,0,1,0,1,0,1],[1,0,0,0,0,0,1,0,1,0,0,0,1,0,0,0,1,0,1,0,1,0,0,0,1,0,1,0,0,0,1],[1,1,1,1,1,1,1,0,1,0,1,1,1,0,1,0,1,0,1,0,1,1,1,0,1,0,1,1,1,0,1],[1,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,1,0,0,0,1,0,1,0,0,0,1],[1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,0,1,1,1,0,1,0,1,1,1],[1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,1,0,0,0,1,0,0,0,1,0,0,0,1],[1,0,1,1,1,1,1,0,1,0,1,0,1,0,1,1,1,0,1,1,1,1,1,0,1,1,1,1,1,1,1],[1,0,1,0,0,0,1,0,1,0,1,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1],[1,0,1,0,1,0,1,0,1,0,1,0,1,1,1,0,1,1,1,0,1,1,1,1,1,0,1,1,1,0,1],[1,0,1,0,1,0,1,0,1,0,1,0,0,0,1,0,0,0,1,0,1,0,0,0,1,0,1,0,0,0,1],[1,0,1,0,1,1,1,0,1,0,1,1,1,0,1,1,1,0,1,0,1,0,1,0,1,1,1,0,1,1,1],[1,0,0,0,1,0,0,0,1,0,1,0,0,0,0,0,1,0,1,0,1,0,1,0,0,0,1,0,0,0,1],[1,0,1,1,1,0,1,0,1,0,1,0,1,1,1,1,1,0,1,0,1,0,1,1,1,0,1,0,1,0,1],[1,0,1,0,0,0,1,0,1,0,1,0,0,0,0,0,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1],[1,0,1,0,1,1,1,0,1,0,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1],[1,0,1,0,0,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,1,0,1,0,1,0,1,0,1,0,1],[1,0,1,1,1,0,1,0,1,0,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],[1,0,0,0,1,0,1,0,1,0,0,0,0,0,1,0,1,0,1,0,0,0,1,0,0,0,1,0,1,0,1],[1,1,1,1,1,0,1,1,1,1,1,1,1,0,1,1,1,0,1,1,1,1,1,1,1,0,1,1,1,0,1],[1,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,1],[1,0,1,1,1,1,1,0,1,1,1,0,1,1,1,0,1,1,1,1,1,1,1,0,1,1,1,1,1,0,1],[1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1],[1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]]
path = str(input('please input your path:'))
x = 1
y = 1
for i in path:
    if i not in 'wasd':
        print('lose')
        exit(0)
    if i == 's':
        y += 1
    if i == 'w':
        y -= 1
    if i == 'a':
        x -= 1
    if i == 'd':
        x += 1
    if map1[y][x] != 0:
        print('lose!')
        exit(0)
    if x == 29 and y == 29:
        print('win!')
        print('NSSCTF{md5(path)}')
    continue

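This is a simple maze problem: 'wsad' stand for up, down, left and right respectively, the start is (1,1), the end is (29,29), 0 is a path and 1 is a wall. It should be possible to walk this maze by hand, but here we solve it in code, using DFS.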

map1=[[1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1],[1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1],[1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1],[1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1],[1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1],[1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1],[1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1],[1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1],[1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1],[1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1],[1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1],[1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1],[1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1],[1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1],[1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1],[1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1],[1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1],[1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1],[1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 1, 1],[1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1],[1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1],[1, 0, 1, 0, 0, 0, 
1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1],[1, 0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1],[1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1],[1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1],[1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1],[1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1],[1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1],[1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 0, 1],[1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1],[1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1]
]
map2 = [[0 for i in range(len(map1))] for i in range(len(map1))]
flag = ""

def DFS(x, y):
    global flag
    if x == len(map1) - 2 and y == len(map1) - 2:  # boundary check: reached the end point
        print(flag)
    if map1[x + 1][y] == 0 and map2[x + 1][y] == 0:
        map2[x][y] = 1
        flag += 's'
        DFS(x + 1, y)
        flag = flag[:-1]
        map2[x][y] = 0
    if map1[x - 1][y] == 0 and map2[x - 1][y] == 0:
        map2[x][y] = 1
        flag += 'w'
        DFS(x - 1, y)
        flag = flag[:-1]
        map2[x][y] = 0
    if map1[x][y + 1] == 0 and map2[x][y + 1] == 0:
        map2[x][y] = 1
        flag += 'd'
        DFS(x, y + 1)
        flag = flag[:-1]
        map2[x][y] = 0
    if map1[x][y - 1] == 0 and map2[x][y - 1] == 0:
        map2[x][y] = 1
        flag += 'a'
        DFS(x, y - 1)
        flag = flag[:-1]
        map2[x][y] = 0

x = 1
y = 1
DFS(x, y)

Then compute md5(path) to obtain the flag.
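An added example, not part of the original post, that goes one step beyond the DFS above: a breadth-first search that returns the shortest path, a replay of the decompiled checker's rules to confirm it, and the final flag string. The 7x7 maze is constructed sample data, the function names are hypothetical, and reading md5(path) as the hex digest of the path string is an assumption.

```python
import hashlib
from collections import deque

# Same conventions as the decompiled checker: grid[y][x], 0 = path, 1 = wall.
MOVES = {"w": (0, -1), "s": (0, 1), "a": (-1, 0), "d": (1, 0)}  # key -> (dx, dy)

# Constructed 7x7 sample maze; substitute the challenge's map1 to solve it.
SAMPLE = [[int(c) for c in row] for row in (
    "1111111", "1000101", "1110101", "1000001",
    "1011101", "1000101", "1111111")]

def solve(grid, start=(1, 1)):
    """Breadth-first search; returns the shortest wasd path to (n-2, n-2)."""
    goal = (len(grid[0]) - 2, len(grid) - 2)
    prev = {start: None}              # cell -> (previous cell, key pressed)
    queue = deque([start])
    while queue:
        cell = queue.popleft()
        if cell == goal:
            keys = []
            while prev[cell] is not None:
                cell, key = prev[cell]
                keys.append(key)
            return "".join(reversed(keys))
        x, y = cell
        for key, (dx, dy) in MOVES.items():
            nxt = (x + dx, y + dy)
            # The outer wall keeps nxt inside the grid.
            if grid[nxt[1]][nxt[0]] == 0 and nxt not in prev:
                prev[nxt] = (cell, key)
                queue.append(nxt)
    return None                       # goal not reachable

def replay(grid, path, start=(1, 1)):
    """Re-run the checker's rules: every step must land on a 0 cell."""
    x, y = start
    for key in path:
        dx, dy = MOVES[key]
        x, y = x + dx, y + dy
        if grid[y][x] != 0:
            return False
    return (x, y) == (len(grid[0]) - 2, len(grid) - 2)

def flag_for(path):
    # Assumption: md5(path) means the hex digest of the ASCII path string.
    return "NSSCTF{" + hashlib.md5(path.encode()).hexdigest() + "}"
```

Calling flag_for(solve(map1)) with the challenge's map1 gives the candidate flag under that assumption; replay(map1, path) confirms the path against the checker's rules first.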

 

