RE

re-elf

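#!/usr/bin/env python
# coding: utf-8
# Each letter of the stored string is shifted up by one; subtract 1 to undo it.
a = "gmbh{fmg_tp_fbtz_ipipipip}"
b = ""
for i in range(len(a)):
    # The separators '_', '{' and '}' are stored unchanged.
    if a[i] == '_' or a[i] == '{' or a[i] == '}':
        b += a[i]
    else:
        b += chr(ord(a[i]) - 1)
print(b)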

flag{elf_so_easy_hohohoho}

Thanks to assassin ^_^

babylogin

The first py script below is the result of reversing the algorithm.

v10 and v11 are one byte apart in memory,

so v11[0-1] is the address of v10.

#!/usr/bin/env python
# coding: utf-8
asc = [0x3E,0x1B,0x00,0x19,0x0B,0x2C,0x02,0x2F,0x16,0x17,0x08,0x2A,0x00,0x17,0x06,0x07,0x13,0x10,0x16,0x10,0x06,0x1E,0x12,0x2A,0x03,0x20,0x09,0x04,0x0C,0x1A,0x12,0x18,0x02,0x04,0x06,0x01,0x55,0x14,0x57,0x0D,0x54,0x1F,0x5F,0x15,0x06,0x28,0x25,0x1C,0x1C,0x1B,0x49,0x2B,0x3D,0x03,0x00,0x0F,0x15,0x2C,0x16,0x30]
byte_409034 = ''
dword = 0x1E
# Stage 1: every second byte of asc, XORed with 0x66 and minus 1, gives the key string.
for j in range(0, len(asc), 2):
    byte_409034 += chr((asc[j] ^ 0x66) - 1)
print(byte_409034)
byte_40925c = [0x6c,0x12,0x51,0x23,0x6e,0x2d,0x75,0x1d,0x79,0x10,
0x0d,0x12,0x7c,0x26,0x2e,0x07,0x75,0x0e,0x0d,0x1c,0x7c,0x03,0x2e,
0x26,0x75,0x22,0x5e,0x2f,0x64,0x26,0x2e,0x29,0x36,0x1b,0x59,0x2e,
0x6c,0x14,0x70,0x16,0x36,0x1c,0x5b,0x1a,0x6c,0x2e,0x2e,0x15,0x75,
0x21,0x0d,0x07,0x7c,0x0a,0x2e,0x0e,0x75,0x1e,0x0d,0x2a,0x7c,0x06,
0x63,0x1e]

# Indexes into byte_409034 that select the key character for each output position.
dword_40924c = [2,0,1,8]
flag = ""
# Stage 2: every second byte of byte_40925c is XORed with the selected key
# character and 0x68, then 2 is subtracted. Integer division (//) keeps the
# index an int on both Python 2 and Python 3.
for i in range(0, len(byte_40925c), 2):
    flag += chr((byte_40925c[i] ^ ord(byte_409034[dword_40924c[(i // 2) % 4]]) ^ 0x68) - 2)
print(flag)

 

mobile

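decode subtracts 1 from every character

a = "gmbh|bbbbbbbbboesp2e`tp`fbtz~"
b = ''
# Subtract 1 from every character, including the braces and separators.
for i in range(len(a)):
    b += chr(ord(a[i]) - 1)
print(b)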

flag{aaaaaaaaandro1d_so_easy}

MISC

easy_rsa

 

Traffic capture analysis

Filter for http -> find shell.php -> locate the py file and compile it directly to get the flag

flag{63723c95548d4a5c4ff94eb08a9d1b0f}

backdoor

Filter the http stream -> follow the TCP stream -> extract the hex and save it with HxD to get a QR code -> scan it to get the flag

flag{b3c4r3fortheChinaChopperFHGJKUI^U%}
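
The hex-to-image step in backdoor can also be scripted; this is an added example, not part of the original writeup. It assumes the stream was copied as plain hex digits (no offset or ASCII columns); the sample capture, the 1x1 PNG standing in for the QR code and all function names are constructed for illustration.

```python
import binascii
import re
import struct
import zlib

# Magic numbers of the image types a transferred QR code is likely to use.
MAGICS = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "gif": b"GIF8"}
PNG_END = b"IEND\xaeB`\x82"  # IEND chunk type followed by its fixed CRC

def hex_to_bytes(hex_text):
    """Turn hex copied from a followed TCP stream into raw bytes."""
    digits = re.sub(r"[^0-9a-fA-F]", "", hex_text)  # drop spaces and newlines
    if len(digits) % 2:
        raise ValueError("odd number of hex digits; the copy is truncated")
    return binascii.unhexlify(digits)

def carve_image(blob):
    """Return (kind, data) for the first embedded image, or (None, b'')."""
    hits = [(blob.find(m), kind) for kind, m in MAGICS.items() if m in blob]
    if not hits:
        return None, b""
    start, kind = min(hits)  # earliest signature wins
    data = blob[start:]
    if kind == "png":  # trim anything sent after the final PNG chunk
        end = data.find(PNG_END)
        if end != -1:
            data = data[:end + len(PNG_END)]
    return kind, data

def chunk(tag, body):
    """Build one PNG chunk: length, type, data, CRC."""
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)

def sample_png():
    """Constructed 1x1 grayscale PNG used as the transferred image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")
    return MAGICS["png"] + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

# Constructed capture: HTTP response header, image body, trailing bytes.
STREAM = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n" + sample_png() + b"\r\n0\r\n"
SAMPLE_HEX = " ".join("%02x" % c for c in bytearray(STREAM))

if __name__ == "__main__":
    kind, data = carve_image(hex_to_bytes(SAMPLE_HEX))
    print("carved %s, %d bytes" % (kind, len(data)))
```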
