HNCTF week1

Xor

代码分析

puts("please input your flag!");
  scanf("%s", Str);
  // 输入22个字符串
  if ( strlen(Str) != 22 )
  {
    printf("strlen error!");
    exit(0);
  }
  // 将输入的22个字符与0x34进行异或并且 + 900要与arr相等
  for ( i = 0; i <= 21; ++i )
  {
    if ( arr[i] != (Str[i] ^ 0x34) + 900 )
    {
      printf("flag error!");
      exit(0);
    }
  }
  printf("you are right!");

解题脚本

arr = [0x000003FE, 0x000003EB, 0x000003EB, 0x000003FB, 0x000003E4, 0x000003F6, 0x000003D3, 0x000003D0, 0x00000388,
       0x000003CA, 0x000003EF, 0x00000389, 0x000003CB, 0x000003EF, 0x000003CB, 0x00000388, 0x000003EF, 0x000003D5,
       0x000003D9, 0x000003CB, 0x000003D1, 0x000003CD]

for i in arr:
    print(chr((i - 900) ^ 0x34), end='')

超级签到

代码分析

 for ( j = 0; ; ++j )
  {
    v10 = j;
    if ( j > j_strlen(Str2) )
      break;
    // 双击点进去，Str2为 {hello_world}
    // 将字符o变成0
    if ( Str2[j] == 111 )
      Str2[j] = 48;
  }
  sub_1400111D1("input the flag:");
  sub_14001128F("%20s", Str1);
  v5 = j_strlen(Str2);
  // 验证输入str1的是否与str2相等
  if ( !strncmp(Str1, Str2, v5) )
    sub_1400111D1("this is the right flag!\n");
  else
    sub_1400111D1("wrong flag\n");
  return 0;

脚本（用不用都一样，直接手改还快）：

str2 = '{hello_world}'

print(str2.replace(chr(111), chr(48)))

贝斯是什么乐器啊

代码分析

for ( i = 0; i < strlen(Str); ++i )
    Str[i] -= i;
  // base64加密
  base64_encode(Str2, Str);
  // 将加密后的数据与 enc对比
  // 双击看到enc的值为TlJRQFBBdTs4alsrKFI6MjgwNi5p
  if ( !strcmp(enc, Str2) )
    printf("yes!");
  else
    printf("error");

解题脚本

import base64

data = list(base64.b64decode('TlJRQFBBdTs4alsrKFI6MjgwNi5p'))

for i in range(len(data)):
    print(chr(data[i] + i), end='')

你知道什么是Py嘛

代码分析

s = str(input("please input your flag:"))

# 输入的字符串与下一个字符串异或后的结果
arr = [29, 0, 16, 23, 18, 61, 43, 41, 13, 28, 88, 94, 49, 110, 66, 44, 43, 28, 91, 108, 61, 7, 22, 7, 43, 51, 44, 46, 9,
       18, 20, 6, 2, 24]

# 输入的长度为35，且第一个为N
if len(s) != 35 or s[0] != 'N':
    print("error")
    exit(0)

# 校验输入的字符与下一个字符异或是否等于 arr
for i in range(1, len(s)):
    if ord(s[i - 1]) ^ ord(s[i]) != arr[i - 1]:
        print("error!")
        exit(0)
print("right!")

解题脚本

arr = [29, 0, 16, 23, 18, 61, 43, 41, 13, 28, 88, 94, 49, 110, 66, 44, 43, 28, 91, 108, 61, 7, 22, 7, 43, 51, 44, 46, 9,
       18, 20, 6, 2, 24]

# 已知的唯一字符
flag = [ord('N')]

# a ^ b = c 则 a = c ^ b 或 b = c ^ a
# 第i个 arr与flag异或就能得到 i + 1 个flag的值
for i in range(0, len(arr)):
    flag.append(arr[i] ^ flag[i])
    print(chr(flag[i]), end='')

给阿姨倒一杯Jvav

代码分析

public static void Encrypt(char[] arr) {
    	// 将输入的值 + @ 然后 ^ 32
        ArrayList<Integer> Resultlist = new ArrayList<>();
        for (char c : arr) {
            int result = (c + '@') ^ 32;
            Resultlist.add(Integer.valueOf(result));
        }
    	// 预期的结果（正确的结果）
        int[] KEY = {180, 136, 137, 147, 191, 137, 147, 191, 148, 136, 133, 191, 134, 140, 129, 135, 191, 65};
        ArrayList<Integer> KEYList = new ArrayList<>();
        for (int i : KEY) {
            KEYList.add(Integer.valueOf(i));
        }
    	// 将输入的值进行加密后与 预期的结果比较
        System.out.println("Result:");
        if (Resultlist.equals(KEYList)) {
            System.out.println("Congratulations！");
        } else {
            System.err.println("Error！");
        }
}

解题脚本

key = [180, 136, 137, 147, 191, 137, 147, 191, 148, 136, 133, 191, 134, 140, 129, 135, 191, 65]

for i in range(len(key)):
    tmp = (key[i] ^ 32) - ord('@')
    print(chr(tmp), end='')

Little Endian

代码分析

puts("please input your flag");
// 输入字符串
  scanf("%s", v4);
  v6 = v4;
  for ( i = 0; i <= 5; ++i )
  {
    // enc 与 0x12345678异或 然后比较输入的字符串
    if ( *v6 != (enc[i] ^ 0x12345678) )
    {
      printf("Data3rr0r!");
      exit(0);
    }
    v6 += 4;
  }
  printf("you are right!");
  return 0;

解题脚本

import binascii

enc = [0x51670536, 0x5E4F102C, 0x7E402211, 0x7C71094B, 0x7C553F1C, 0x6F5A3816]
key = 0x12345678
tmp = b''
for i in enc:
    tmp += binascii.hexlify(
        # 将大端存储转换为小端存储
        binascii.unhexlify(hex(i ^ key).removeprefix('0x'))[::-1])

print(binascii.unhexlify(tmp))