一个废话连篇思路不清的wp，后续会完善

RE

stream

DIE查了一下elf文件，于是ubuntu下执行一下发现thread ‘main’ panicked at ‘open failed’, src/main.rs:10:19 note: run with RUST_BACKTRACE=1 environment variable to display a backtrace
rust没接触过的语言，安装rust环境很简单，rust是一种安全的语言
https://www.rust-lang.org/learn/get-started下载rustup-init.exe，输选项时输1，直接默认安装在c盘下，在把程序的安装环境加到path里面我的是C:\Users\Administrator.cargo\bin，然后查找rustc --version和cargo --version，全部成功，rust环境安装完后
编译一个helloworld吧

fn main(){
println!("Hello,world!");
}

切到路径下，rustc hello.rs编译出exe文件，拖入ida7.5，竟然反编译不了，恐怖
但这是个elf文件，所以linux下也要安装rust环境
https://blog.csdn.net/qq_41879343/article/details/104802548
找到这篇文章

curl https://sh.rustup.rs -sSf | sh
source $HOME/.cargo/env

安装好环境提示thread ‘main’ panicked at ‘open failed’, src/main.rs:10:19
动调解决，在主函数下断
动调发现程序打开flag文件，而且判断flag文件里的内容是否是utf-8范围内，若是就继续向下执行

进入到一个rand_chacha，百度了一波发现是一种流密码，是随机数类的，init_chacha是在设置随机数种子
通过动调看函数的参数以及汇编，可以发现程序每次取i7 mod 46位置的值与某随机数异或，随机数是以目前所有取过的值为种子进行随机，所以可以爆破，从前往后加密字节所以我们可以使用popen枚举原文，依次枚举i7 mod 46位字节，然后读取output对比测试的第i*7 mod 46位字节是否和out_flag 一样，如果一样则代表该处字符是对的，可以继续向下枚举。

#!/usr/bin/python2
# -*- coding:utf-8 -*-
import os
import time
import subprocess
def excuteCommand(com):
    ex = subprocess.Popen(com, stdout=subprocess.PIPE, shell=True)
    out, err  = ex.communicate()
    status = ex.wait()
def genFile(flag):
    f=open('flag','wb')
    f.write(flag)
    f.close()
def checkByte(index):
    f1=open('output_flag','rb')
    buf1=f1.read()
    f1.close()
    f2=open('output','rb')
    buf2=f2.read()
    f2.close()
    if len(buf2)!=46:
        return False
    if buf1[index]==buf2[index]:
        return True
    return False
def toStr(arr):
    bb=''
    for i in range(len(arr)):
        bb+=chr(arr[i])
    return bb
index=[4,11,18,25,32,39,0,7,14,21,28,35,42,3,10,17,24,31,38,45,6,13,20,27,34,41,2,9,16,23,30,37,44,5,12,19,26,33,40,1,8,15,22,29,36,43]
result=[]
for i in range(46):
    result.append(0x41)
    def dfs(i):
        if i>=46:
            print(toStr(result))
            pass
        for x in range(0x20,0x7F+1,1):
            result[index[i]]=x
            sflag=toStr(result)
            genFile(sflag)
            excuteCommand("./a")
            if checkByte(index[i])==True:
                print(sflag)
                dfs(i+1)
            else:
                continue
dfs(0)
#*ctf{EbXZCOD56vEHNSofFvRHG7XtgFJXcUXUGnaaaaaa}

1rep

elf文件，ubuntu可以运行，提示输入字符串
perl语言逆向，没接触过，简单百度了一下Perl 是一种优秀的脚本语言，linux内预装，我的ida分析的停不下来

ChineseGame

elf，有catflag，符号表丢失，随便找一个c++的sig加载
竟然有congratulation和sorry
从ida的flair工具去理解它是怎么识别出静态链接程序中的库函数的

C语言关于*号的比较
“*p”表示地址为p存储单元的baidu；“p”表示地址；“&a”表示取a的地址；a为变量。
int *p;//初始化指针，但是该指针无指向地址！如果直接使用会有问题。
int *p=&a;//初始化指针，该形式只在定义时正确，表示以p指针所指向地址的值为变量a的值。
p=&a;//表示指针p所指向的地址就是a的地址。即地址间的赋值。

*p=a;//表示指针p所指向地址的值是a变量。
通过搜索字符串cat flag定位到主函数

动调过程中发现v4地址反复被传递，找到最开始引用的地方，查看怎么生成的，

发现是链表结构，为了方便分析，我们定义两个结构体
第一个结构体针对的是链表的第一个元素，存着第一个随机数的地址和链表元素的总个数，第二个结构体针对的是除第一个元素以外也就是后面的元素，第一个位置存的是当前的随机数，第二个位置存的是后面元素的地址。将结构体解析到相应的位置
接着分析main函数
发现只允许输入0和1
进入到两个函数分析

分析对0和对1的操作可知变化条件相同，但变换操作相反。
看眼check函数

全部数都要<100，于是我们规定<100为true，>100为false。
所以整体逻辑是：有10个格子，初始化的时候第二个置为true(<100)，其他条件置为false(>100)，然后从输入接受0和1
的序列，当碰到0时满足某种条件，会把false变为true，碰到1时相反
发生变化的条件

• 当前选中是最后一个格子
• 当前格子的下一个格子是false且下一个格子之后的格子都是true
  当所有的格子都变为true(<100)时就可cat flag
  每次选中的格子由固定数组提供序列

简单试玩了一下，固定数组的序列和让10个块变为true的顺序相同。所以写个脚本跑一下数组

array=[0x1,0x3,0x1,0x2,0x1,0x5,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x7,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x5,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x6,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x5,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x9,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x5,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x6,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x5,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x7,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x5,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x6,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x5,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x8,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x5,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x6,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x5,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x7,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x5,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x6,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x5,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0xa,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x5,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x6,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x5,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x7,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x5,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x6,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x5,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x8,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x5,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x6,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x5,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x7,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x5,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x6,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x5,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x9,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x5,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x6,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x5,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x7,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x5,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x6,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x5,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x8,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x5,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x6,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x5,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x7,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x5,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x6,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x5,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x4,0x1,0x2,0x1,0x3,0x1,0x2,0x1,0x0,0x4058a0,0x0]
ans=[False]*10
ans[1]=True
cnt=0
for i in array[:-3]:
	reverse_index=0-i
	if not ans[reverse_index]:
		print('0',end='')
	else:
		print('1',end='')
	ans[reverse_index]=not ans[reverse_index]
	cnt+=1
print(cnt)

nc连接上去，将0和1的那串输入得到flag

Favourite Architecture

好几个文件
单看逆向的话，文件在share里，qemu-riscv64和main，在ubuntu下执行./qemu-riscv64 main后，程序可以执行，发现关键字符串

Ghidra打开，搜索字符串找到关键函数，反编译不了，动调失败，安装qemu后程序可以运行（就是不用程序给的qemu-riscv64），gdb调但是调不了，所以就看Ghidra汇编，现学riscv64架构的汇编。
简单记录一下，异或+tea算法逆向

MISC

MineGame

mine就有地雷的意思，扫雷游戏
If you love reverse, you can try it, otherwise, you must finish it as quickly as possible.
游戏题，感觉应该不难，在下MATLAB Runtime，没装这个版本的matlab，根据提示装一下支持运行matlab程序的环境，需要安装对应版本的，题目提供的是MATLAB Runtime for R2020b 。
题目开始加载复旦6星的队标，然后打开一个扫雷，简单玩了一下，在规定时间内完不成游戏就退出，思路转变到扫雷游戏外挂制作
发现了这篇文章https://www.cnblogs.com/csnd/p/11785696.html

little tricks

给了一个二进制文件，winhex打开vhdxfileM头，
https://bbs.csdn.net/topics/397323056，电脑还是win7，尝试一下能不能恢复
下载了IsoBuster，打开之后找到一个已撤销的文件.bmp（位图文件），想办法保存下来，保存不下来

puzzle

一张图片常规的方法不行，只有两个神仙做出来了，但是就只有一张图片，从图片中恢复数据

chess

更狠，直接给了个地址个端口nc 52.249.253.150 8083
能执行一些系统调用

但是没有回显

CRYPTO

GuessKey

有三个随机的地方，第一个随机的地方可以输出，自然被破掉了，然后是p和q，p和q是生成key的二进制的0的位置，最好的情况是之间都是1，不是1有点难受，一个菜鸡妄图满足全是两个相邻的p和q

from random import randint
import os
from flag import flag
N=64
key=randint(0,2**N)
print key
key=bin(key)[2:].rjust(N,'0')
count=0
while True:
	p=0
	q=0
	new_key=''
	zeros=[0]
	for j in range(len(key)):
		if key[j]=='0':
			zeros.append(j)
	p=zeros[randint(0,len(zeros))-1]
	q=zeros[randint(0,len(zeros))-1]
	try:
		mask=int(raw_input("mask:"))
	except:
		exit(0)
	mask=bin(mask)[2:]
	if p>q:
		tmp=q
		q=p
		p=tmp
	cnt=0
	for j in range(0,N):
		if j in range(p,q+1):
			new_key+=str(int(mask[cnt])^int(key[j]))
		else:
			new_key+=key[j]
		cnt+=1
		cnt%=len(mask)
	key=new_key
	try:
		guess=int(raw_input("guess:"))
	except:
		exit(0)
	if guess==int(key,2):
		count+=1
		print 'Nice.'
	else:
		count=0
		print 'Oops.'
	if count>2:
		print flag

GuessKey2

开始给了你key，现在连key也不给你，挺有意思，能看懂但是不会做

MyCurve

我的曲线
找到一个算法库的解释文档
http://codingdict.com/sources/py/Crypto.Util.number.html
https://www.mrskye.cn/amp/19找到了一些相关的关于Crypto库的说明
https://blog.csdn.net/weixin_34239592/article/details/88712750
关于算法的一些函数
https://segmentfault.com/a/1190000016851956

MyEnc

不难能读懂

little case

小意思