UCSCCTF2025 WP

simplere-ucsc

脱壳，发现脱不掉

010打开修一下特征码

ida64打开，看到两个加密obfuscate_encode和obfuscate_transpose_xor

obfuscate_encode可以看出是换表base58，表是wmGbyFp7WeLh2XixZUYsS5cVv1ABRrujdzQ4Kfa6gP8HJN3nTCktqEDo9M

obfuscate_transpose_xor就是个简单的异或

很显然，input[a2 - i - 1] = output[i] ^ (i + 1);

data=[0x72, 0x7A, 0x32, 0x48, 0x34, 0x4E, 0x3F, 0x3A, 0x42, 0x33,
  0x47, 0x69, 0x75, 0x63, 0x7C, 0x7D, 0x77, 0x62, 0x65, 0x64,
  0x7B, 0x6F, 0x62, 0x50, 0x73, 0x2B, 0x68, 0x6C, 0x67, 0x47,
  0x69, 0x15, 0x42, 0x75, 0x65, 0x40, 0x76, 0x61, 0x56, 0x41,
  0x11, 0x44, 0x7F, 0x19, 0x65, 0x4C, 0x40, 0x48, 0x65, 0x60,
  0x01, 0x40, 0x50, 0x01, 0x61, 0x6F, 0x69, 0x57]
get=[0]*len(data)
for i in range(len(data)):
    get[len(data)-i-1]=data[i]^(i+1)
print("".join(map(chr,get)))
#mPWV7et2RTxobH5Tn8iqGSdFWc5vYzps1jHuynpvpfmsmxeL9K28H1L1xs

再解base得到flag

flag{0ba878d9-8bb5-11ef-b419-a4b1c1c5a2d2}

easy_re-ucsc

ida64打开

断在这，直接动调，拿str1就是flag

flag{d7610b86-5205-3bf3-b0f4-84484ba74105}

EZ_debug-ucsc

ida64打开

断在这，动调，v5就是flag

flag{709e9bdd-0858-9750-8c37-9b135b31f16d}

re_ez-ucsc

ida9.0打开

动调简单分析一下逻辑

迷宫不大，手动走一下迷宫，然后md5

maps=[0x00000001, 0x00000000, 0x00000001, 0x00000000, 0x00000001, 0x00000001, 0x00000000, 0x00000001, 0x00000000, 0x00000001, 0x00000001, 0x00000000, 0x00000001, 0x00000000, 0x00000001, 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001, 0x00000001]
for i in range(0,len(maps),5):
  print("".join(map(str,maps[i:i+5])))
# 0 上 1 下 2 左 3 右
path=[1,1,1,3,3,0,0,0]
for i in range(len(path)):
  path[i]^=3
  path[i]+=32
print("".join(map(chr,path)))