糖题

EasyCrack

拼接字符串拿到flag

EasyKeygen

动调拿到密钥，加密就一个异或

key=[0x10, 0x20, 0x30]
enc=list(bytes.fromhex("5B134977135E7D13"))
for i in range(len(enc)):
    enc[i]^=key[i%len(key)]
print("".join(map(chr,enc)))

Easy Unpack

找到大跳转，显然oep为00401150

Replace

假如我们输入0

动调到

动调看到，对eax除地址进行了nop操作

其中eax和输入有关，动调前面知道全是add操作，所以eax=input+0x601605CB

分析外层逻辑，要到correct，可以将0x00401071除代码nop掉即可，所以要保证eax=0x0401071

两个操作数对应两个nop

所以得到

1	print((0x0401071-0x601605CB)&0xffffffff)

ImagePrc

看到LoadResource，用Resourcehacker拿到资源文件

看到数据中基本是大部分ff，小部分0，

让gpt写个脚本

from PIL import Image
import numpy as np

width, height = 200, 150  # 根据你的数据调整
with open("temp.bin", "rb") as f:
    data = np.frombuffer(f.read(), dtype=np.uint8)

# 如果是 24 位 RGB 图像，每像素 3 字节
data = data.reshape((height, width, 3))

# 创建图片
img = Image.fromarray(data, 'RGB')
img.save("output.bmp")
img.show()

不知道为啥镜像了，但是能看出是GOT

Position

逻辑很显然，直接爆破

for i in range(97, 128):
    for j in range(33, 128):
        if (((i & 1) + 5) + ((j >> 2 & 1) + 1) == 7) and (((i >> 3 & 1) + 5) + ((j >> 3 & 1) + 1) == 6) and (
                ((j >> 4 & 1) + 1) + ((i >> 1 & 1) + 5) == 8) and (((j & 1) + 1) + ((i >> 2 & 1) + 5) == 7) and (
                ((i >> 4 & 1) + 5) + ((j >> 1 & 1) + 1) == 6):
            print(chr(i), chr(j),sep="")
print("\n")
for i in range(97, 128):
    j = ord("p")
    if (((i & 1) + 5) + ((j >> 2 & 1) + 1) == 7) and (((i >> 3 & 1) + 5) + ((j >> 3 & 1) + 1) == 7) and (
            ((j >> 4 & 1) + 1) + ((i >> 1 & 1) + 5) == 7) and (((j & 1) + 1) + ((i >> 2 & 1) + 5) == 7) and (
            ((i >> 4 & 1) + 5) + ((j >> 1 & 1) + 1) == 6):
        print(chr(i), chr(j), sep="")

EasyELF

异或

1	print(chr(0x34^120),"1",chr(0x32^124),chr(0x88^0xdd),"X",sep="")

Ransomware

脱壳

jmp跳过垃圾代码

包括401000处的代码也全是垃圾代码，将call 0x401000也全部nop掉，得到加密

得猜key，但是不知道file是啥文件，猜测是exe，找个exe取头部，与密文解密出key

enc=list(bytes.fromhex("DE C0 1B 8C 8C 93 9E 86 98 97 9A 8C 73 6C 9A 8B"))
exe=list(bytes.fromhex("4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00"))
for i in range(len(exe)):
    enc[i]=(~enc[i])&0xff
    enc[i]^=exe[i]
print("".join(map(chr,enc)))
#letsplaychesslet

所以key为letsplaychess

解密file，脱壳

key=[ord(i) for i in "letsplaychess"]
enc=list(open("file","rb").read())
for i in range(len(enc)):
    enc[i]=(~enc[i])&0xff
    enc[i]^=key[i%len(key)]
open("out.exe","wb").write(bytes(enc))

CSHOP

net逆向，dnspy打开

给了标签的位置和字符

根据位置排序一下就行了

t=r'''
this.lbl\u007F\u0014.Text = "W";
this.lbl\u007F\u000A.Text = "5";
this.lbl\u007F\u000D.Text = "4";
this.lbl\u007F\u0011.Text = "R";
this.lbl\u007F\u0003.Text = "E";
this.lbl\u007F\u0019.Text = "6";
this.lbl\u007F\u0015.Text = "M";
this.lbl\uFFFD\u0014.Text = "I";
this.lbl\u007F\u000A.Text = "P";
this.lbl\u007F\u0002.Text = "S";
this.lbl\uFFFD\u0014.Text = "P";
this.lbl\u007F\u0015.Text = "6";
this.lbl\u007F\u0001.Text = "S";
'''

Location=r'''
this.lbl\u007F\u000A.Location = new Point(43, 123);
this.lbl\u007F\u000A.Name = "lblGu";
this.lbl\u007F\u000A.Size = new Size(53, 23);
this.lbl\u007F\u000A.TabIndex = 1;
this.lbl\u007F\u000A.Text = "label1";
this.lbl\u007F\u000D.Location = new Point(90, 123);
this.lbl\u007F\u000D.Name = "lblNu";
this.lbl\u007F\u000D.Size = new Size(53, 23);
this.lbl\u007F\u000D.TabIndex = 2;
this.lbl\u007F\u000D.Text = "label2";
this.lbl\u007F\u0014.Location = new Point(135, 123);
this.lbl\u007F\u0014.Name = "lblSu";
this.lbl\u007F\u0014.Size = new Size(53, 23);
this.lbl\u007F\u0014.TabIndex = 3;
this.lbl\u007F\u0014.Text = "label3";
this.lbl\u007F\u0015.Location = new Point(182, 123);
this.lbl\u007F\u0015.Name = "lblTu";
this.lbl\u007F\u0015.Size = new Size(53, 23);
this.lbl\u007F\u0015.TabIndex = 4;
this.lbl\u007F\u0015.Text = "label4";
this.lbl\u007F\u0011.Location = new Point(228, 123);
this.lbl\u007F\u0011.Name = "lblKu";
this.lbl\u007F\u0011.Size = new Size(53, 23);
this.lbl\u007F\u0011.TabIndex = 5;
this.lbl\u007F\u0011.Text = "label4";
this.lbl\uFFFD\u0014.Location = new Point(278, 123);
this.lbl\uFFFD\u0014.Name = "ppppp";
this.lbl\uFFFD\u0014.Size = new Size(53, 23);
this.lbl\uFFFD\u0014.TabIndex = 6;
this.lbl\uFFFD\u0014.Text = "label4";
this.lbl\u007F\u0019.Location = new Point(324, 123);
this.lbl\u007F\u0019.Name = "lblMu";
this.lbl\u007F\u0019.Size = new Size(53, 23);
this.lbl\u007F\u0019.TabIndex = 7;
this.lbl\u007F\u0019.Text = "label4";
this.lbl\u007F\u0001.Location = new Point(369, 123);
this.lbl\u007F\u0001.Name = "lblXu";
this.lbl\u007F\u0001.Size = new Size(53, 23);
this.lbl\u007F\u0001.TabIndex = 8;
this.lbl\u007F\u0001.Text = "label4";
this.lbl\u007F\u0003.Location = new Point(413, 123);
this.lbl\u007F\u0003.Name = "lblZu";
this.lbl\u007F\u0003.Size = new Size(53, 23);
this.lbl\u007F\u0003.TabIndex = 9;
this.lbl\u007F\u0003.Text = "label4";
this.lbl\u007F\u0002.Location = new Point(457, 123);
this.lbl\u007F\u0002.Name = "lblQu";
this.lbl\u007F\u0002.Size = new Size(53, 23);
this.lbl\u007F\u0002.TabIndex = 10;
this.lbl\u007F\u0002.Text = "label4";'''
data={}
for i in t.split("\n"):
    if i!="":
        data[i[:20]]=[i[29]]
for i in Location.split("\n"):
    if "Location" in i:
        data[i[:20]].append(eval(i.split("(")[1].split(",")[0]))

ndata={}
for i in data:
    ndata[data[i][1]]=data[i][0]

pos=[i for i in ndata]
pos.sort()
for i in pos:
    print(ndata[i],end="")

Direct3D_FPS

字符串定位关键代码

byte_5A7028显然被加密了，交叉引用查看调用

运行起来后idapython获取数据

import ida_bytes
start=0x05A9184
data=[ida_bytes.get_byte(start+528*i) for i in range(56)]
print(data)

异或拿到输出

enc=[0x43, 0x6B, 0x66, 0x6B, 0x62, 0x75, 0x6C, 0x69, 0x4C, 0x45,
  0x5C, 0x45, 0x5F, 0x5A, 0x46, 0x1C, 0x07, 0x25, 0x25, 0x29,
  0x70, 0x17, 0x34, 0x39, 0x01, 0x16, 0x49, 0x4C, 0x20, 0x15,
  0x0B, 0x0F, 0xF7, 0xEB, 0xFA, 0xE8, 0xB0, 0xFD, 0xEB, 0x20,
  0xF4, 0xCC, 0xDA, 0x9F, 0xF5, 0xF0, 0xE8, 0xCE, 0xF0, 0xA9,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00]
key=[0, 4, 8, 12, 16, 20, 24, 28, 32, 36, 40, 44, 48, 52, 56, 60, 64, 68, 72, 76, 80, 84, 88, 92, 96, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 144, 148, 152, 156, 160, 164, 168, 172, 176, 180, 184, 188, 192, 196, 0, 0, 0, 0, 114, 0]
for i in range(len(enc)):
    enc[i]^=key[i]
print("".join(map(chr,enc)))

Multiplicative

recaf反编译代码

有限域内乘法，求逆元，解密

import gmpy2
target = -1536092243306511225
multiplier = 26729
d=gmpy2.invert(multiplier,2**64)
print(((target*d)%2**64)-2**64)
#-8978084842198767761

Music Player

ida中找到检查点

全部改成jmp跳过

AutoHotkey1

脱壳