二等奖

Matlab_SMC?

首先运行给的MyAppInstaller_web,获取MATLAB Runtime环境

先运行一边程序,发现多得到了一个log文件,log文件内容是

输入文件 “flag.xlsx” 不存在!

观察到有enc文件我将enc文件改名位flag.xlsx

得到这个,猜想flag->enc的加密关系,尝试将flag里面的数据换成简单的

enc的值换成上面的得到

1.0205
1.042
1.0645
1.088
1.25
1.6
2.05
2.6
8
25
52
89
8

得到关系时 5xx+2*x+1=y

所以写exp获取所有的值

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
#include <stdio.h>
#include <math.h>

double inverse(double y) {
    if (5 * y - 4.0 < 0) {
        return NAN;
    }
    return (-1.0 + sqrt(5.0 * y - 4.0)) / 5.0;
}

int main(void) {
    // 两列数据,各有 33 个元素
    double col1[33] = {
        24.890125,   1084.192,    89.210125,   876.626125,  157.6,
        9833.195125, 66.866125,   83.6245,     939.25,      778.3045,
        589.4125,    72.431125,   212.05,      261.442,     968.2405,
        578.075125,  157.6,       205.280125,  516.928,     987.110125,
        2248,        182.002,     246.5005,    299.5645,    65.2405,
        591.041125,  529.192,     71.8645,     87.328,      1230.112,
        257.128,     125.051125,  504.808
    };

    double col2[33] = {
        214.0045,    6.9605,      454.9045,    26.338,      101.152,
        88.162,      236.7845,    1423.7845,   190.528,     14.7445,
        229.9645,    685.25,      196.738,     192.3805,    10.882,
        63.1045,     538.4845,    647.1845,    1003.328,    724.4045,
        102.05,      451.1005,    2284.1845,   132.3845,    685.25,
        8.0,         23.9125,     5079.2845,   2178.5845,   67.4125,
        33.058,      921.5245,    555.2045
    };

    int n = 33;

    for (int i = 0; i < n; i++) {
        double y = col1[i];

        double x = inverse(y);
        if (isnan(x)) {
            printf("对于 y = %.6f,不存在实数解 x\n", y);
        }
        else {
            printf("%.6f\n", x);
        }
    }
    printf("---------------------------------------------------------------\n");
    for (int i = 0; i < n; i++) {
        double y = col2[i];

        double x = inverse(y);
        if (isnan(x)) {
            printf("对于 y = %.6f,不存在实数解 x\n", y);
        }
        else {
            printf("%.6f\n", x);
        }
    }

    return 0;
}

得到

1.995 6.33
14.52 0.91
4.005 9.33
13.035 2.06
5.4 4.28
44.145 3.98
3.435 6.67
3.87 16.67
13.5 5.96
12.27 1.47
10.65 6.57
3.585 11.5
6.3 6.06
7.02 5.99
13.71 1.22
10.545 3.33
5.4 10.17
6.195 11.17
9.96 13.96
13.845 11.83
21 4.3
5.82 9.29
6.81 21.17
7.53 4.93
3.39 11.5
10.665 1
10.08 1.95
3.57 31.67
3.96 20.67
15.48 3.45
6.96 2.34
4.785 13.37
9.84 10.33

计算平均值得到

8.346
9.493

计算md5得到

包裹flag得到flag{4291e94d849f009d7b60dd89a12dcfba}

ezBase

upx壳,手脱

找到入口点进去然后就是从start找到main

找到主函数,逻辑很简单,输入在v5,v5进加密到v4,密文是iP}ui7siC`otMgAh5o]Tg<4jPmtIvM5CI4h644K7M~KVg=

加密在base64基础上加了个异或

base64换表AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz0123456789+/

得到flag{Y0u_@R3_Upx_4nd_b45364_m4st3r!}

你知道base么

第一段对输入key tea加密,解密得到y0uokTea

key是y0uokTea,然后对base表进行rc4,rc4的key就是y0uokTea,rc4变种

最后是加,写解密得到gVxwoFhPyT/YM0BKcHe4b8GCUZtlnLW2SJO51IErk+q6vzpamdARX9siND3uQfj7

最后是base系列的,表如上,得到的密文是0tCPwtnncFZyYUlSK/4Cw0/echcG2lteBWnG2Ulw0htCYTMW

没看出来是base几,直接写解密 ,最后exp如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
#include<stdio.h>
#include<Windows.h>
#include<stdlib.h>
#include<stdint.h>
#include<string.h>

void erc4(unsigned char* key, int key_Len, unsigned char* data, int data_Len) //加解密
{
	int i = 0, j = 0, t = 0;
	unsigned  char s[256] = { 0 };
	unsigned char tmp = 0;
	for (i = 0; i < 256; i++) {
		s[i] = i;
	}
	for (i = 0; i < 256; i++) {
		j = (j + s[i] + key[i % key_Len]) % 256;
		tmp = s[i];
		s[i] = s[j]; //交换s[i]和s[j]
		s[j] = tmp;
	}
	int q = 0;
	i = j = 0;
	for (q = 0; q < data_Len; q++) {
		i = (i + 1) % 256;
		j = (j + s[i]) % 256;

		tmp = s[i];
		s[i] = s[j]; //交换s[x]和s[y]
		s[j] = tmp;
		t = (s[i] + s[j]) % 256;
		data[q] -= s[t];
	}
}


void detea(unsigned int* a1, uint32_t* a2)
{
	unsigned int v2; // [rsp+24h] [rbp+4h]
	unsigned int v3; // [rsp+44h] [rbp+24h]
	int v4; // [rsp+64h] [rbp+44h]
	unsigned int i; // [rsp+84h] [rbp+64h]

	v2 = *a1;
	v3 = a1[1];
	v4 = 0;
	for (int i = 0; i < 0x20; i++)
	{
		v4-= 1640531527;
	}
	for (i = 0; i < 0x20; ++i)
	{
		v3 -= (a2[3] + (v2 >> 5)) ^ (v4 + v2) ^ (a2[2] + 16 * v2);
		v2 -= (a2[1] + (v3 >> 5)) ^ (v4 + v3) ^ (*a2 + 16 * v3);
		v4 += 1640531527;
	}
	*a1 = v2;
	a1[1] = v3;
}

uint8_t str[40];
uint8_t cn1 = 0;
void printfbin(uint8_t* a1)
{
	for (uint8_t j = 0; j < 7; j++)
	{
		for (int i = 4; i >= 0; i--)
		{
			str[cn1++] = (a1[j] >> i) & 0x1;
		}
	}

	return;
}

void debase(char* input, int len, char* table)
{
	char* out;
	uint32_t i, v3, v5, cn, on, v10;
	uint64_t v11 = 0;

	out = malloc(100);
	cn = 0;
	on = 0;

	uint8_t untable[256] = { 0 };
	for (i = 0; i < 64; i++)
	{
		untable[table[i]] = i;
	}
	uint8_t a[7];

	for (int i = 0; i < 7; i++)
	{
		a[0] = ((untable[input[cn++]] - 1));
		a[1] = ((untable[input[cn++]] - 1));
		a[2] = ((untable[input[cn++]] - 1));
		a[3] = ((untable[input[cn++]] - 1));
		a[4] = ((untable[input[cn++]] - 1));
		a[5] = ((untable[input[cn++]] - 1));
		a[6] = ((untable[input[cn++]] - 1));
		printfbin(a);
	}
	//for (uint8_t i = 0; i < cn1 -1; i++)
	//{
	//	printf("%d", str[i]);
	//}
	//printf("\n");
	uint8_t outstr = 0;
	uint8_t k = 0;
	for (uint8_t i = 0; i < cn1/8; i++)
	{
		outstr = 0;
		for (int j = 7; j >= 0; j--)
		{
			//printf("%d", str[k]);
			outstr |= str[k++] << j;
		}
		printf("%c", outstr);
	}
	printf("\n");
	
}

int main()
{
	uint32_t v8[4];
	v8[0] = 0x12345678;
	v8[1] = 0x3456789A;
	v8[2] = 0x89ABCDEF;
	v8[3] = 0x12345678;
	uint32_t v7[2];
	v7[0] = 0xA92F3865;
	v7[1] = 0x9E60E953;
	detea(v7, v8);
	uint8_t a[9];
	for (int k = 0; k < 2; k++) {
		a[k * 4] = (v7[k]);
		a[k * 4 + 1] = (v7[k] >> 8);
		a[k * 4 + 2] = (v7[k] >> 16);
		a[k * 4 + 3] = (v7[k] >> 24);
	}
	a[8] = 0;
	printf("%s\n", a);
	//y0uokTea
	uint8_t rc4table[65] = {
		0xD4, 0x59, 0x23, 0x76, 0xB4, 0xBF, 0xE3, 0x2C, 0x58, 0x8F, 0x56, 0x19, 0xDA, 0xF0, 0xC0, 0xBD,
		0x36, 0x3D, 0x7B, 0x46, 0x1B, 0xB8, 0x17, 0x1F, 0xE3, 0xD0, 0x03, 0x45, 0xCD, 0x04, 0xED, 0xC9,
		0x67, 0xE6, 0xAB, 0x29, 0xA7, 0xBC, 0x0B, 0xDE, 0x5C, 0x30, 0x71, 0xD7, 0xD5, 0x5A, 0xC6, 0x9F,
		0x40, 0x65, 0xC4, 0x71, 0xA9, 0xC3, 0xAE, 0xD9, 0xB5, 0xE5, 0x12, 0x8C, 0x80, 0x52, 0x34, 0x36,
		0
	};
	erc4(a, 8, rc4table, 64);
	printf("%s\n", rc4table);
	//gVxwoFhPyT/YM0BKcHe4b8GCUZtlnLW2SJO51IErk+q6vzpamdARX9siND3uQfj7
	uint8_t flag[] = "0tCPwtnncFZyYUlSK/4Cw0/echcG2lteBWnG2Ulw0htCYTMW";
	debase(flag, 48, rc4table);
	//flag{y0u__rea11y__k1ow__Base!}
	return 0;
}