ISCTF2023个人解题报告

只写逆向题,其他的题不写。

crackme

运行即可。

# Launch the challenge binary as-is; the write-up's first solution is simply to run it.
./crackme.exe

或者按魔改的 UPX 壳来处理:用十六进制编辑器把被改掉的区段名改回 UPX0、UPX1,然后脱壳就行了。

mfx_re

010Editor打开,把里面所有MFX改成UPX,再upx -d脱壳即可。

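# Encoded string from the write-up (presumably the comparison string found in
# the unpacked binary -- the listing does not say where it was taken from).
s = 'HRBSEz7d220317,0de6,3ca2,7dd/,1//27428451d|'

# Every character is stored one code point below the real one, so adding 1 to
# each character restores the flag text.
flag = ''.join(chr(ord(ch) + 1) for ch in s)
print(flag)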

EasyRe

实名举报出题人题改完还是错的。

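# Encoded string from the write-up, converted to a list of code points so the
# characters can be rewritten in place.
s = ']P_ISRF^PCY[I_YWERYC'
s = [ord(ch) for ch in s]
print(s)

flag = []
for i in range(len(s)):
    # Only 67 ('C') and 89 ('Y') pass this test: 0x9b - 67 == 88 ('X') and
    # 0x9b - 89 == 66 ('B'). Every other character skips the substitution.
    if 0x9b - s[i] in (88, 66):
        s[i] = 0x9b - s[i]
    # The XOR applies to every character, not just the substituted ones: that
    # is the only nesting that reproduces the intermediate string the original
    # listing hard-coded ('LANXBCWOAISJXNSFTCSI').
    s[i] ^= 0x11
    flag.append(chr(s[i]))
print("".join(flag))

# The decoded text comes out back to front; reverse the computed value
# directly instead of pasting the previous output in as a literal.
f = "".join(flag)[::-1]
print(f)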

babyRe

from Crypto.Util.number import *
from gmpy2 import *
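# Values from the write-up: modulus n, two extra integers a and b, ciphertext c
# and public exponent e.
n = 21292789073160227295768319780997976991300923684414991432030077313041762314144710093780468352616448047534339208324518089727210764843655182515955359309813600286949887218916518346391288151954579692912105787780604137276300957046899460796651855983154616583709095921532639371311099659697834887064510351319531902433062949585970532606051918049657180117153561663050633953816852025974448836386707178949064790396107576555782391841127057264945261075126253454531214684058828557964289256040133049187471022848638656242705629624946884057997647152926071069032358731585915687494970687234844106011104535578848187151663856545287123666299
a = 292884018782106151080211087047278002613718113661882871562870811030932129300110050822187903340426820507419488984883216665816506575312384940488196435920320779296487709207011656728480651848786849994095965852212548311864730225380390740637527033103610408592664948012814290769567441038868614508362013860087396409860
b = 21292789073160227295768319780997976991300923684414991432030077313041762314144710093780468352616448047534339208324518089727210764843655182515955359309813600286949887218916518346391288151954579692912105787780604137276300957046899460796651855983154616583709095921532639371311099659697834887064510351319531902433355833604752638757132129136704458119767279776712516825379722837005380965686817229771252693736534397063201880826010273930761767650438638395019411119979149337260776965247144705915951674697425506236801595477159432369862377378306461809669885764689526096087635635247658396780671976617716801660025870405374520076160
c = 5203005542361323780340103662023144468501161788183930759975924790394097999367062944602228590598053194005601497154183700604614648980958953643596732510635460233363517206803267054976506058495592964781868943617992245808463957957161100800155936109928340808755112091651619258385206684038063600864669934451439637410568700470057362554045334836098013308228518175901113235436257998397401389511926288739759268080251377782356779624616546966237213737535252748926042086203600860251557074440685879354169866206490962331203234019516485700964227924668452181975961352914304357731769081382406940750260817547299552705287482926593175925396
e = 65537

# The modulus and the totient are rebuilt from a and b, replacing the literal n
# above. NOTE(review): this is consistent with a = p + q and
# b = (p + 1) * (q + 1), which gives n = p * q = b - a - 1 and
# phi = (p - 1) * (q - 1) = b - 2 * a -- the challenge source is not shown
# here, so confirm that reading. Publishing such values next to n hands out
# phi(n) without any factoring, which is why the private exponent falls out
# directly below.
n = b - a - 1
phi = b - 2 * a

# The original listing called gmpy2.invert after `from gmpy2 import *`, which
# never binds the name `gmpy2` and therefore fails with NameError. The built-in
# three-argument pow (Python 3.8+) computes the same modular inverse.
d = pow(e, -1, phi)

# Textbook RSA decryption, then big-endian integer-to-bytes conversion using
# int.to_bytes so this part needs nothing beyond the builtins.
m = pow(c, d, n)
print(m.to_bytes(max(1, (m.bit_length() + 7) // 8), "big"))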

easy_flower_tea

花指令直接新建函数然后反汇编改一下就行。标准TEA加密。

#include <cstdio>
using namespace std;
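// TEA key (four words) and the ciphertext block (two words) from the write-up,
// plus the working registers. The arithmetic below assumes unsigned int is
// 32 bits wide, as TEA requires.
unsigned int key[4] = {12, 34, 56, 78}, data[2] = {0x42777AFA, 0x781A30CA}, v0, v1, sum;

// Decrypts the single block in `data` with 32 rounds of standard TEA and
// prints the two recovered words as decimal integers.
int main(void) {
    // 0x61C88647 is the 32-bit negation of the usual TEA delta 0x9E3779B9, so
    // adding it each round is the same as subtracting delta.
    const unsigned int neg_delta = 0x61C88647u;

    // `::data` names the global explicitly; with `using namespace std;` in
    // effect an unqualified `data` can collide with std::data on newer
    // standard libraries.
    v0 = ::data[0];
    v1 = ::data[1];

    // Start from delta * 32. The original wrote -0x61C88647*32 on a signed
    // int literal, which overflows int (undefined behaviour); doing the same
    // computation on unsigned operands wraps modulo 2^32 as intended.
    sum = 0u - neg_delta * 32u;

    // `register` was dropped: it is no longer valid from C++17 on.
    for (int i = 0; i < 32; i++) {
        v1 -= (key[3] + (v0 >> 5)) ^ (sum + v0) ^ (key[2] + (v0 << 4));
        v0 -= (key[1] + (v1 >> 5)) ^ (sum + v1) ^ (key[0] + (v1 << 4));
        sum += neg_delta;
    }

    // The casts keep the signed decimal output of the original "%d" while
    // making the argument types match the format string.
    printf("%d,%d\n", static_cast<int>(v0), static_cast<int>(v1));
    return 0;
}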

easy_z3

用 z3 求解,然后把每个解转成十六进制,再按字节还原成字符串。

from z3 import *
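# Six unknown integers l0..l5 tied together by six linear equations taken from
# the challenge; each unknown holds one chunk of the flag as a big integer.
l = [Int('l%d' % i) for i in range(0, 6)]
x = Solver()
x.add(593*l[5] + 997*l[0] + 811*l[1] + 258*l[2] + 829*l[3] + 532*l[4]== 0x54eb02012bed42c08)
x.add(605*l[4] + 686*l[5] + 328*l[0] + 602*l[1] + 695*l[2] + 576*l[3]== 0x4f039a9f601affc3a)
x.add(373*l[3] + 512*l[4] + 449*l[5] + 756*l[0] + 448*l[1] + 580*l[2]== 0x442b62c4ad653e7d9)
x.add(560*l[2] + 635*l[3] + 422*l[4] + 971*l[5] + 855*l[0] + 597*l[1]== 0x588aabb6a4cb26838)
x.add(717*l[1] + 507*l[2] + 388*l[3] + 925*l[4] + 324*l[5] + 524*l[0]== 0x48f8e42ac70c9af91)
x.add(312*l[0] + 368*l[1] + 884*l[2] + 518*l[3] + 495*l[4] + 414*l[5]== 0x4656c19578a6b1170)

# model() is only valid after a satisfiable check(); stop with a clear message
# instead of letting z3 raise if a constant was mistyped.
if x.check() != sat:
    raise SystemExit("easy_z3: constraints are not satisfiable")
rst = x.model()
print(rst)

# The step described in the text: write each solution in hex and read the
# bytes back as text. NOTE(review): the chunks are joined in index order
# l0..l5 and read big-endian -- confirm against the binary.
parts = []
for var in l:
    value = rst[var].as_long()
    parts.append(value.to_bytes((value.bit_length() + 7) // 8, 'big'))
print(b''.join(parts))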

z3_revenge

z3求解即可。

from z3 import *
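x = Solver()
# The constraints below touch exactly l[0]..l[42], so 43 unknowns are created.
# The original built 44 and then printed indices 0..44, which fails on the
# unconstrained l[43] (no value in the model) and on the out-of-range l[44].
l = [Int('v%d' % i) for i in range(1, 44)]
x.add(312 * l[1] - (l[2] + 124) == 22569)
x.add(l[2] - 960 - (381 - l[3]) == -1191)
x.add(191 * l[3] - (323 - l[4]) == 12558)
x.add(l[4] + 399 + l[5] + 234 == 787)
x.add(l[5] - 912 - (l[6] + 206) == -1171)
x.add(645 * l[6] - (l[7] + 595) == 78638)
x.add(l[7] + 712 - (428 - l[8]) == 486)
x.add(l[9] + 573 + 373 * l[8] == 37973)
x.add(l[9] - 166 + l[10] + 126 == 115)
x.add(436 * l[10] + 674 * l[11] == 57680)
x.add(l[11] - 258 + l[12] + 697 == 539)
x.add(l[12] + 189 - (l[13] + 769) == -584)
x.add(l[13] + 853 - 455 * l[14] == -44593)
x.add(499 * l[14] + 209 * l[15] == 59305)
x.add(l[15] + 493 - (l[16] + 384) == 57)
x.add(l[16] - 296 - 887 * l[17] == -50758)
x.add(l[17] + 118 + l[18] + 454 == 678)
x.add(758 * l[18] + 685 * l[19] == 70022)
x.add(257 * l[19] + 712 * l[20] == 44376)
x.add(682 * l[20] - (l[21] + 418) == 30220)
x.add(l[21] - 258 + 534 * l[22] == 29698)
x.add(l[22] - 651 - (l[23] + 760) == -1454)
x.add(l[23] + 383 + 892 * l[24] == 45082)
x.add(l[24] - 800 - (916 - l[25]) == -1621)
x.add(l[25] + 343 - (l[26] + 681) == -391)
x.add(l[26] - 907 - (l[27] + 622) == -1481)
x.add(l[27] - 293 - (l[28] + 755) == -1097)
x.add(788 * l[28] + 892 * l[29] == 124396)
x.add(l[30] + 955 + 290 * l[29] == 16080)
x.add(l[30] + 842 - (122 - l[31]) == 816)
x.add(l[32] + 115 + 958 * l[31] == 49072)
x.add(802 * l[32] - (l[33] + 751) == 78590)
x.add(l[33] - 441 - 122 * l[34] == -12340)
x.add(l[34] + 801 + 828 * l[35] == 41471)
x.add(l[35] + 918 + l[36] + 836 == 1856)
x.add(l[36] + 231 - (l[37] + 545) == -362)
x.add(l[37] - 384 - (139 - l[38]) == -372)
x.add(l[38] + 741 - (627 - l[39]) == 263)
x.add(l[39] - 834 + l[40] + 827 == 192)
x.add(492 * l[40] + 793 - l[41] == 49893)
x.add(l[41] + 160 + l[42] + 272 == 630)
x.add(l[42] - 365 - 582 * l[0] == -73017)
x.add(l[0] - 110 - (332 - l[1]) == -244)

# model() is only valid after a satisfiable check(); stop with a clear message
# instead of letting z3 raise if a constant was mistyped.
if x.check() != sat:
    raise SystemExit("z3_revenge: constraints are not satisfiable")
rst = x.model()

# Each unknown is one character code. Working the constraints by hand gives
# l[0] = 125 ('}') and l[1..6] = 'ISCTF{', i.e. l[0] holds the closing brace,
# so the text is emitted as l[1..42] followed by l[0].
chars = [chr(rst[var].as_long()) for var in l]
print(''.join(chars[1:] + chars[:1]))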

FloweyRSA

from Crypto.Util.number import *
from gmpy2 import *
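# RSA parameters and ciphertext words from the write-up. The modulus p * q is
# below 2**32 and every ciphertext word is decrypted on its own, so each word
# carries only a few bytes of the flag.
p = 56099
q = 56369
e = 465
ciph = [0x753C2EC5, 0x8D90C736, 0x81282CB0, 0x7EECC470, 0x944E15D3, 0x2C7AC726, 0x717E8070, 0x30CBE439, 0xB1D95A9C, 0x6DB667BB, 0x1240463C, 0x77CBFE64, 0x11D8BE59]

# Private exponent: inverse of e modulo (p - 1)(q - 1), via the built-in
# three-argument pow (Python 3.8+).
d = pow(e, -1, (p - 1) * (q - 1))

# Decrypt word by word and collect raw bytes. The original appended
# str(bytes_value), which glues the b'...' repr of every chunk into the result
# instead of the text itself.
pieces = []
for i in ciph:
    m = pow(i, d, p * q)
    pieces.append(m.to_bytes(max(1, (m.bit_length() + 7) // 8), 'big'))

# errors='replace' keeps the script printing something readable even if a
# parameter is wrong and the plaintext is not valid UTF-8.
flag = b''.join(pieces).decode('utf-8', errors='replace')
print(flag)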
# flag{reverse_is_N0T_@lways_jusT_RE_myy_H@bIb1!!!!!!}