0%

LingHang2019

2019年11月领航杯线上赛WP

usb

直接流量包上tshark提取数据,然后用脚本输出鼠标轨迹坐标点,如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
nums = []
keys = open('./usbdata.txt','r')
posx = 0
posy = 0
for line in keys:
x = int(line[2:4],16)
y = int(line[4:6],16)
if x > 127 :
x -= 256
if y > 127 :
y -= 256
posx += x
posy += y
btn_flag = int(line[0:2],16) # 1 for left , 2 for right , 0 for nothing
if btn_flag == 1 :
print posx , -posy
keys.close()

最后gnuplot画下点就可以得到flag图片。

easyRe

简单题,如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Python 3.8.0 (default, Oct 23 2019, 18:51:26)
[GCC 9.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>
>>> s = "lfgaL{teU__stsr4_t3R3vSr}e"
>>> for i in range(13):
...
KeyboardInterrupt
>>> res = ""
>>> for i in range(13):
... res += s[i*2+1]+s[i*2]
...
>>> res
'flag{Let_Us_st4rt_R3v3rSe}'
>>>

EASYReverse

首先解密前面大部分,如下:

1
2
3
4
5
6
7
8
9
10
cipher = "IVaQIg]:DfDcL7=VN64bF3TfEE=WCCDh<c@fM3ADHCPgME9ANGd "
#cipher = cipher[:-4]

m = ""
for i in range(12):
now = cipher[i*4:(i+1)*4]
ch = "".join(map(lambda x: bin(ord(x)-48)[2:].rjust(8,'0')[2:],now))
m += "".join([chr(int(ch[8*i:8*(i+1)],2)) for i in range(3)])

print(m)

最后爆破最后几位:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
#include <stdio.h>
#include <string.h>

typedef char _BYTE;

int transform(char *input, _BYTE *middle, int size)
{
int v3; // edi
_BYTE *v4; // eax
int v5; // esi

v3 = size;
v4 = middle;
v5 = 0;
if ( size - 2 > 0 )
{
do
{
*v4 = ((input[v5] >> 2) & 0x3F) + 48;
v4[1] = (16 * (input[v5] & 3) | (input[v5 + 1] >> 4) & 0xF) + 48;
v4[2] = ((input[v5 + 2] >> 6) & 3 | 4 * (input[v5 + 1] & 0xF)) + 48;
v4[3] = (input[v5 + 2] & 0x3F) + 48;
v5 += 3;
v4 += 4;
}
while ( v5 < size - 2 );
v3 = size;
}
if ( v5 < v3 )
{
*v4 = ((input[v5] >> 2) & 0x3F) + 48;
if ( v5 == v3 - 1 ) // % 1
{
v4[1] = 16 * ((input[v5] & 3) + 3);
v4[2] = ' ';
}
else // % 2
{
v4[1] = (16 * (input[v5] & 3) | (input[v5 + 1] >> 4) & 0xF) + 48;
v4[2] = 4 * ((input[v5 + 1] & 0xF) + 12);
}
v4 += 4;
*(v4 - 1) = ' ';
}
*v4 = 0;
return v4 - middle + 1;
}

int main(){
char input[] = "flag{JSe3psfxa2X96USgM58346t4Ta87uRQ_}";
char middle[52];
char cipher[] = "IVaQIg]:DfDcL7=VN64bF3TfEE=WCCDh<c@fM3ADHCPgME9ANGd ";
for(int i = 0; i < 256; ++i){
input[36] = i;
transform(input, middle, 38);
if(strcmp(middle, cipher) == 0){
printf("%s", input);
break;
}
}
return 0;
}

即可得到答案