The three reverse challenges were all fairly easy, so I treated them as speed practice; most of my time went into misc and forensics. I haven't had time to redo the forensics yet, so this is a first part. Still too lazy: the backlog of things I need to reproduce keeps growing...

Reverse

checker

The main function logic is simple: read the input, then call check.

image-20250125235959031

The check function calls the encryption function and compares its output with the ciphertext. The ciphertext is already in the binary, so just dump it.

image-20250126000040325

encrypted_flag

image-20250126000332032

The encryption function `encrypt_flag` XORs each byte with 0x23.

image-20250126000516430

Decryption script

```python
# Ciphertext dumped from encrypted_flag (43 bytes)
data = [
    0x72, 0x6B, 0x60, 0x77, 0x65, 0x58, 0x46, 0x46,
    0x15, 0x40, 0x14, 0x41, 0x1A, 0x40, 0x0E, 0x46,
    0x14, 0x45, 0x16, 0x0E, 0x17, 0x45, 0x42, 0x41,
    0x0E, 0x1A, 0x41, 0x47, 0x45, 0x0E, 0x46, 0x42,
    0x13, 0x14, 0x46, 0x13, 0x10, 0x17, 0x45, 0x15,
    0x42, 0x16, 0x5E
]

xor_value = 0x23
# XOR is its own inverse, so applying the same key again recovers the flag
result_chars = ''.join(chr(byte ^ xor_value) for byte in data)
print("flag:", result_chars)

# flag: QHCTF{ee6c7b9c-e7f5-4fab-9bdf-ea07e034f6a5}
```

note

Check for a packer: it is UPX, and `upx -d` unpacks it directly.

image-20250126003653524

Main function: it encrypts dest to produce the ciphertext s2, then checks the entered password against that ciphertext. Dump dest directly; note that it is 43 bytes here.

image-20250126002228013

Encryption function: two XORs are applied here. v6 is little-endian, the four bytes 42 37 A1 7C.

image-20250126002320044

Decryption script

```python
# v6 read as little-endian bytes
key = [0x42, 0x37, 0xA1, 0x7C]
# dest dumped from the binary (43 bytes)
dest = [0x12, 0x7D, 0xE1, 0x2C, 0x01, 0x4A, 0xC4, 0x45, 0x78, 0x5E, 0xC9, 0x46, 0x78, 0x5D, 0x83, 0x0F, 0x37, 0x12, 0xD0, 0x45, 0x63, 0x42, 0xD5, 0x57, 0x76, 0x14, 0xDE, 0x06, 0x6E, 0x04, 0x8F, 0x3E, 0x50, 0x21, 0xE1, 0x3B, 0x53, 0x72, 0xB7, 0x6C, 0x5D, 0x79, 0xF7]
a2 = []

for i in range(len(dest)):
    tmp = dest[i] ^ key[i % 4]   # first XOR: the 4-byte key, cycled
    tmp = tmp ^ (i + 1)          # second XOR: the 1-based position
    a2.append(chr(tmp))

result = ''.join(a2)
print("flag: ", result)

# flag: QHCTF{b13cc67d-cd7b-4cc3-9df1-1b34cc4c186d}
```

rainbow

The attachment provides the encrypted ciphertext.

image-20250126002853129

Ignore the rest and go straight into the hide_flag() function.

image-20250126003028048

The encryption is a plain XOR with 0x5A.

image-20250126003457564

Decryption script

```python
# Ciphertext from the attachment, as a hex string
hex_string = "0B12190E1C213B6268686C6B6A69776F3B633B776E3C3B6D773B38393C773E3F3B6E69623B6D393F6D6227"
byte_array = bytes.fromhex(hex_string)
xor_key = 0x5A
result = bytearray()

# Undo the single-byte XOR
for byte in byte_array:
    result.append(byte ^ xor_key)

result_hex = result.hex()
result_string = result.decode(errors='ignore')
print("flag:", result_string)

# flag: QHCTF{a8226103-5a9a-4fa7-abcf-dea438a7ce78}
```

Misc

QHCTF For Year 2025

A hint is given: the numbers are all no larger than 31 and are split into 10 groups.

image-20250126121001306

A calendar is also provided.

image-20250126121146944

Mapping the numbers onto the calendar gives the flag.

c13cd00017a4b4b752ee487d450f227

QHCTF{FUN}; note that the last letter is N, unlike the earlier H.

Can you read this unknown script? (你能看懂这串未知的文字吗)

image-20250126121524162

Run the image through Baidu image search to find the alphabet table for this "sheep script" (羊文).

微信图片_20250125153358

Transcribed, it reads szfpguwizgwesqzoaoerv.

During the contest I didn't examine the image itself; it actually hides the key qihangbeiiseasy.

image-20250126122036890

Running it through a tool shows it is a Vigenère cipher.

image-20250126122247106

QHCTF{cryptoveryeasybysheep}
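The Vigenère step above, worked in code. This is an added example, not code from the original writeup: the ciphertext and key are the values the writeup reports, while the function names and the known-plaintext helper are this example's own. The `recover_key_fragment` function goes beyond the writeup's tool run and shows why such a scheme is weak: a crib as short as the flag's first word (`crypto`) gives back the leading key letters directly.

```python
"""Vigenère decryption for the sheep-script challenge.

Added example, not code from the original writeup. CIPHERTEXT and KEY are the
values the writeup reports; all function names are this example's own.
"""
import string

ALPHABET = string.ascii_lowercase


def _key_shifts(key: str) -> list:
    """Turn a keyword into a list of 0..25 shifts, ignoring non-letters."""
    shifts = [ALPHABET.index(k) for k in key.lower() if k in ALPHABET]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    return shifts


def _shift_text(text: str, key: str, sign: int) -> str:
    """Apply +shift (encrypt) or -shift (decrypt) letter by letter.

    Non-letters pass through unchanged and do not advance the key position,
    the same convention most online Vigenère tools use.
    """
    shifts = _key_shifts(key)
    out = []
    ki = 0
    for ch in text:
        lower = ch.lower()
        if lower not in ALPHABET:
            out.append(ch)
            continue
        idx = (ALPHABET.index(lower) + sign * shifts[ki % len(shifts)]) % 26
        out.append(ALPHABET[idx].upper() if ch.isupper() else ALPHABET[idx])
        ki += 1
    return "".join(out)


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    return _shift_text(ciphertext, key, -1)


def vigenere_encrypt(plaintext: str, key: str) -> str:
    return _shift_text(plaintext, key, +1)


def recover_key_fragment(ciphertext: str, known_plaintext: str) -> str:
    """Known-plaintext check: key letter = (cipher letter - plain letter) mod 26.

    Given a crib such as the first word of the expected plaintext, this yields
    the leading key letters, which is why a guessable plaintext makes the
    hidden key unnecessary.
    """
    frag = []
    for c, p in zip(ciphertext.lower(), known_plaintext.lower()):
        if c not in ALPHABET or p not in ALPHABET:
            raise ValueError("crib and ciphertext must be letters only")
        frag.append(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(p)) % 26])
    return "".join(frag)


# Values from the writeup: the transcribed sheep script and the key hidden in the image
CIPHERTEXT = "szfpguwizgwesqzoaoerv"
KEY = "qihangbeiiseasy"

if __name__ == "__main__":
    plaintext = vigenere_decrypt(CIPHERTEXT, KEY)
    print("plaintext:", plaintext)
    print("flag: QHCTF{" + plaintext + "}")
    print("key letters from the crib 'crypto':", recover_key_fragment(CIPHERTEXT, "crypto"))
```

Running the file prints the plaintext the writeup arrived at; the crib check returns `qihang`, the first six letters of the hidden key, from nothing more than the ciphertext and the word `crypto`.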

PvzHE

Look at the file dates in the attachment: the most recently modified image in the images directory reveals the flag directly.

image-20250126123325910

QHCTF{300cef31-68d9-4b72-b49d-a7802da481a5}

  • It was really just sitting there in plain sight?!

______, launch!

The URL is found in TCP stream 135.

image-20250126125036863

Visiting it directly downloads a log file; open it in Notepad.

image-20250126124937136

QHCTF{69b62b46-de2f-4ac2-81f7-234613d25cfb}

Do you know the apes' programming language? (猿类的编程语言你了解吗)

A jpg image is given.

image-20250127020823059

In JPHS, choose Seek, leave the password empty, and click OK.

image-20250127020904700

After saving, you get a file with the following content:

```text
.. .. .. .. .. .. .. .. .. .. !? .? .. .? .. .. .. .? .. .. .. .. .. .. .. .? .. .. .. .. .. .. .. .. .. .. ?. ?. ?. ?. !! ?! .? .? .? .. .. .. .. .. .. .. .. .. .. .. !. !! !! !! !! !! !! !! !! !! !. !! !! !! !! !! !. .? !! !! !! !! !! !! !! !! !! !! !! !! !! !! !! !! !. ?. .. .. .. !. .? .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. !. ?. ?. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. !. .? .? !! !! !! !! !! !! !! !! !! !! !! !! !! !! !! !! !! !! !! !! !! !! !! !. ?. ?. .. .. .. !. !. .? .? !. ?. ?. !! !! !! !! !! !. .? .? .. !. ?. ?. .. .. .. .. !. !! !! !! !! !! !! !! !. .? .? !! !! !! !! !. ?. ?. .. .. .. .. .. .. .. .. !. .? .? !. ?. ?. .. .. .. .. !. !! !! !! !! !! !! !! !! !! !! !! !! !. .. .. .. .. .. .. .. !. !! !! !! !! !. .? .? .. .. .. .. !. !! !! !! !! !. ?. ?. !! !! !! !. .. .. .. .. .. .. .. .. .. .. .. !. !! !! !! !! !! !! !! !! !. .? .? .. .. .. .. .. !. ?. ?. .. .. .. .. !. !! !! !! !! !! !! !! !. .? .? !! !! !! !! !. .. !. ?. ?. .. .. .. .. .. .. !. .. .. .. !. !! !! !! !! !! !! !. .. .. .. !. .? .? !! !! !. ?. ?. !! !! !! !. .? .? .. .. .. .. !. !! !! !! !! !. ?. ?. .. .. .. !. .. .. .. .. .. .. !. .? .? .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. !.
```

Decode it as Ook! (the text is the short form of Ook!, written with `.`, `?` and `!` instead of Ook., Ook? and Ook!).

image-20250127023547841

QHCTF{2d55d0e4-a5a9-40ea-80f4-bc3603a0ea39}
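For readers who want to see what the online decoder above actually does, here is a small Ook!/Short Ook interpreter. It is an added example, not code from the writeup or from any tool the writeup used: it maps Ook token pairs to the eight Brainfuck commands and then executes them on a byte tape. The interpreter accepts both the long form (`Ook. Ook?`) and the short form used in the extracted file, so the file's contents can be passed to `run_ook` unchanged. The constructed sample program below is this example's own and simply prints `A`.

```python
"""Ook! / Short Ook interpreter (added example, not part of the original writeup).

Ook! is Brainfuck with the eight commands spelled as pairs of the three words
Ook., Ook? and Ook!; Short Ook keeps only the punctuation. Function names and
the SAMPLE program are this example's own.
"""
import re

# Pair of short tokens -> Brainfuck command
OOK_TO_BF = {
    ".?": ">", "?.": "<",
    "..": "+", "!!": "-",
    "!.": ".", ".!": ",",
    "!?": "[", "?!": "]",
}


def ook_to_brainfuck(src: str) -> str:
    """Normalise long or short Ook syntax into a Brainfuck command string."""
    # "Ook." / "Ook?" / "Ook!" collapse to their punctuation; bare ". ? !" pass through
    tokens = re.findall(r"Ook([.?!])|([.?!])", src)
    symbols = [long or short for long, short in tokens]
    if len(symbols) % 2:
        raise ValueError("odd number of Ook tokens; the program is truncated")
    pairs = ("".join(symbols[i:i + 2]) for i in range(0, len(symbols), 2))
    return "".join(OOK_TO_BF[p] for p in pairs)


def run_brainfuck(code: str, stdin: bytes = b"", max_steps: int = 10_000_000) -> str:
    """Execute Brainfuck with a 30000-cell byte tape and return the output text."""
    jump, stack = {}, []
    for i, c in enumerate(code):          # precompute matching bracket positions
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError("unmatched '['")

    tape = bytearray(30000)
    ptr = pc = in_pos = steps = 0
    out = bytearray()
    while pc < len(code):
        steps += 1
        if steps > max_steps:                 # guard against non-terminating input
            raise RuntimeError("step limit exceeded")
        c = code[pc]
        if c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(tape[ptr])
        elif c == ",":
            tape[ptr] = stdin[in_pos] if in_pos < len(stdin) else 0
            in_pos += 1
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]
        if not 0 <= ptr < len(tape):
            raise IndexError("tape pointer moved outside the tape")
        pc += 1
    return out.decode("latin-1")


def run_ook(src: str, stdin: bytes = b"") -> str:
    return run_brainfuck(ook_to_brainfuck(src), stdin)


# Constructed sample (this example's own): ++++++++[>++++++++<-]>+.  -> prints "A"
SAMPLE = " ".join([".."] * 8 + ["!?", ".?"] + [".."] * 8
                  + ["?.", "!!", "?!", ".?", "..", "!."])

if __name__ == "__main__":
    print(run_ook(SAMPLE))
```

To decode the challenge file, read its text and pass it to `run_ook`; the bracket precheck will also catch a truncated copy-paste of the program before anything executes.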


Forensics

An E01 image needs to be mounted as a disk and then emulated (booted as a virtual machine).

References:

https://blog.csdn.net/NDASH/article/details/109295885

https://blog.csdn.net/youyou519/article/details/106859820

Mount it with Arsenal Image Mounter.

  • I first tried mounting with FTK Imager, but the emulation never worked and the VM wouldn't boot; only later did I switch to Arsenal Image Mounter.

image-20250127015018513

After mounting, the host machine shows the corresponding mounted disk.

image-20250127015119827

Emulation: use Save as new image file to export a vmdk, then boot it as a virtual machine in VMware (run as administrator).

win01

image-20250126124412270

win02

image-20250126124438541

The backdoor account is HackY$; its password is the same as the login password, 123456. This was partly a guess; I don't know of a better way to find it and would welcome suggestions.

image-20250126230352609

image-20250127004842625

QHCTF{fb484ad326c0f3a4970d1352bfbafef8}

win04

image-20250126124503236

Win+R, regedit to open the registry; the flag is right there.

image-20250126220935993

QHCTF{c980ad20-f4e4-4e72-81a0-f227f6345f01}

win05

image-20250126124521545

win06

image-20250126124539586

win07

image-20250126124554056

A flag.zip file is found on the HackY$ desktop.

image-20250126214735379

Extraction needs a password; the hint says it is in the environment variables.

image-20250126221610494

Open the environment variables and the extraction password is there.

image-20250126222105960

The extracted file is a base64 string; decode it with a tool to get the flag.

image-20250126222231092

image-20250126222348187

QHCTF{6143b46a-8e98-4356-a9b2-251a7ec19e51}

The missing challenge

  • Looks like the challenge setter forgot to publish it...

There is a Hacker_.exe file on the Admin desktop.

image-20250127005910086

It is an exe built from Python; unpack it with pyinstxtractor.

image-20250127010419477

Decompile 1.pyc with a tool.

image-20250127013556492

The encryption logic is: AES (ECB) + base64 + xor + base64.

image-20250127013407692

To decrypt, apply the steps above in reverse order.

image-20250127013134093

QHCTF{8b0c14a8-5823-46fd-a547-0dcdc404a7ed}