FXTi's blog
0%

LingHang2019

Posted on Edited on

2019年11月领航杯线上赛WP

usb

直接流量包上tshark提取数据,然后用脚本输出鼠标轨迹坐标点,如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
nums = []
keys = open('./usbdata.txt','r')
posx = 0
posy = 0
for line in keys:
    x = int(line[2:4],16)
    y = int(line[4:6],16)
    if x > 127 :
        x -= 256
    if y > 127 :
        y -= 256
    posx += x
    posy += y
    btn_flag = int(line[0:2],16)  # 1 for left , 2 for right , 0 for nothing
    if btn_flag == 1 :
        print posx , -posy
keys.close()

最后gnuplot画下点就可以得到flag图片。

easyRe

简单题,如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Python 3.8.0 (default, Oct 23 2019, 18:51:26)
[GCC 9.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>
>>> s = "lfgaL{teU__stsr4_t3R3vSr}e"
>>> for i in range(13):
...
KeyboardInterrupt
>>> res = ""
>>> for i in range(13):
...     res += s[i*2+1]+s[i*2]
...
>>> res
'flag{Let_Us_st4rt_R3v3rSe}'
>>>

EASYReverse

首先解密前面大部分,如下:

1
2
3
4
5
6
7
8
9
10
cipher = "IVaQIg]:DfDcL7=VN64bF3TfEE=WCCDh<c@fM3ADHCPgME9ANGd "
#cipher = cipher[:-4]

m = ""
for i in range(12):
    now = cipher[i*4:(i+1)*4]
    ch = "".join(map(lambda x: bin(ord(x)-48)[2:].rjust(8,'0')[2:],now))
    m += "".join([chr(int(ch[8*i:8*(i+1)],2)) for i in range(3)])

print(m)

最后爆破最后几位:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
#include <stdio.h>
#include <string.h>

typedef char _BYTE;

int transform(char *input, _BYTE *middle, int size)
{
  int v3; // edi
  _BYTE *v4; // eax
  int v5; // esi

  v3 = size;
  v4 = middle;
  v5 = 0;
  if ( size - 2 > 0 )
  {
    do
    {
      *v4 = ((input[v5] >> 2) & 0x3F) + 48;
      v4[1] = (16 * (input[v5] & 3) | (input[v5 + 1] >> 4) & 0xF) + 48;
      v4[2] = ((input[v5 + 2] >> 6) & 3 | 4 * (input[v5 + 1] & 0xF)) + 48;
      v4[3] = (input[v5 + 2] & 0x3F) + 48;
      v5 += 3;
      v4 += 4;
    }
    while ( v5 < size - 2 );
    v3 = size;
  }
  if ( v5 < v3 )
  {
    *v4 = ((input[v5] >> 2) & 0x3F) + 48;
    if ( v5 == v3 - 1 )                         // % 1
    {
      v4[1] = 16 * ((input[v5] & 3) + 3);
      v4[2] = ' ';
    }
    else                                        // % 2
    {
      v4[1] = (16 * (input[v5] & 3) | (input[v5 + 1] >> 4) & 0xF) + 48;
      v4[2] = 4 * ((input[v5 + 1] & 0xF) + 12);
    }
    v4 += 4;
    *(v4 - 1) = ' ';
  }
  *v4 = 0;
  return v4 - middle + 1;
}

int main(){
	char input[] = "flag{JSe3psfxa2X96USgM58346t4Ta87uRQ_}";
	char middle[52];
	char cipher[] = "IVaQIg]:DfDcL7=VN64bF3TfEE=WCCDh<c@fM3ADHCPgME9ANGd ";
	for(int i = 0; i < 256; ++i){
		input[36] = i;
		transform(input, middle, 38);
		if(strcmp(middle, cipher) == 0){
			printf("%s", input);
			break;
		}
	}
	return 0;
}

即可得到答案