文章目录

MISC

ChieftainsSecret

鸣雏恋

层层取证

shuffle_code

Reverse

Rev_Dizzy

​​​​​​​

MISC

ChieftainsSecret

题目描述：Our agent risked his life to install a mysterious device in the immemorial telephone, can you find out the chieftain's telephone number? Flag format: flag{11 digits}

题目附件给了一张老式轮盘电话机图片，猜测图片藏了东西，直接上kali分离。

foremost ChieftainsSecret.jpg

得到一个RAR压缩包，直接解压，里面包含adc.csv和diagram.png两个文件。

csv文件中包含了2162组PC0、PC1、PC2、PC3数据。

右边是STM32F103单片机，左边是TLE5501芯片。

查阅TLE5501资料：TLE5501 是一种基于 TMR 的 360° 角度传感器，可检测磁场的方向。这是通过测量正弦和正弦角度组件与隧道磁阻 （TMR） 元件实现的。这些原始信号（sin和cos）作为微分输出信号提供，可在微控制器内直接进一步处理。

结合电路图分析，PC0-3各自对应SIN_P、SIN_N、COS_P、COS_N引脚输出，通过计算每一组数据可以得到一个角度。并且题意说明需要十一位电话号码，猜测2162组角度模拟了老式轮盘电话机的拨号过程。

计算过程（可能比较笨）：题目给出sin_N的范围为[2091,4098]，将其近似转化到[-1,1]方便求角度令sin_N的范围为[sin_min,sin_max]sin_ave = (sin_min+sin_max) / 2sin_max_res=(sin_max-sin_ave)对每个sin_N的值进行转化操作：sin_a = (sin_N-sin_ave) / sin_max_rescos_N操作同理得到cos_a,进一步计算Θ_a确定Θ数值：Θ_t = arcsin(sin_a) * 180 / π确定Θ象限：Θ_a = cos_a > 0 ? Θ_t : Θ_t+360

如图把2162组角度变化用图表绘制，可以观察到刚好有11个波峰。

接下来计算角度对应老式电话上的数字，打开PS直接抠图模拟（当然直接算也是可以的/doge）。

假设波峰角度是210°，直接将轮盘转210°，观察到指向数字7，即第一个号码为7。

最终得到十一位数字：flag{77085962457}

鸣雏恋

题目描述：在喜欢的人面前,我可不能……丢脸啊……因为我,喜欢鸣人君…………

层层取证

题目描述：（本题附件较大）

shuffle_code

无题目描述

题目给了一个文件

用010Editor打开查看文件。观察发现，文件末尾有PNG头，猜测是个反过来的PNG。

上Pycharm将文件倒置

input_file = "shuffle_code"output_file = "output.png"with open(input_file, 'rb') as f1, open(output_file, 'wb') as f2:f2.write(f1.read()[::-1])

生成一张二维码图片。

扫码后得到行和列两组各29个数据

col426327/1132122/1211132223/3113253/61531113/111312/5323125/2222/11122153/311111/14312121/11231211/2423211/262121/422221/622132/31121/221122111/5122311/2111221221/121692/12122111/232326/11142121/31253151/22111111123/111313121/1111111/2151371row31121113/12321133/13111112/13112221121/12112232/16113232/11311311/21111231/11111211/711111117/2124112211/611111241/1311371/131152131/13/2121111311/521(11)11/1311321131/1211211/11111111/14221262/3411131/161713/422141/7122117/1111112111/7111412/71111121/131112131

观察到特点521(11)11猜测11代表了11位数字，联想可能为数织，解密后的答案可能为29x29的二维码。打开excel输入数据，开始解密，题目有多解，考虑到二维码的容错率选取任意一解均可。

结合29x29二维码特征发现该点阵行序被打乱，呼应了题目shuffle_code。

上Pycharm爆破，大概一两分钟时间。参考大佬代码

data = [[1,1,1,1,1,1,1,0,1,0,1,1,0,0,1,1,0,1,0,0,1,0,1,1,1,1,1,1,1],[1,0,0,0,0,0,1,0,1,0,1,0,0,0,1,0,0,0,0,1,1,0,1,0,0,0,0,0,1],[1,0,1,1,1,0,1,0,1,0,1,1,1,1,1,0,0,0,0,1,1,0,1,0,1,1,1,0,1],[1,0,1,1,1,0,1,0,0,1,0,0,1,1,1,0,0,1,1,0,1,0,1,0,1,1,1,0,1],[1,0,1,1,1,0,1,0,1,0,0,0,0,1,0,0,0,0,1,1,0,0,1,0,1,1,1,0,1],[1,0,0,0,0,0,1,0,0,0,1,0,0,0,1,0,0,1,0,0,1,0,1,0,0,0,0,0,1],[1,1,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,1,1,1,1,1],[0,0,0,0,0,0,0,0,0,1,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],[1,0,0,1,1,1,1,1,1,0,1,0,0,0,0,1,1,1,1,1,1,1,0,0,1,0,1,1,1],[1,1,1,1,0,0,0,0,1,1,0,0,0,0,0,1,1,0,0,0,1,0,1,1,1,1,0,0,1],[1,1,0,0,1,0,1,1,0,0,1,1,1,1,0,1,0,1,0,1,1,0,0,1,1,0,1,0,1],[0,1,1,0,1,0,0,0,0,0,0,0,1,0,0,0,1,0,1,0,0,1,1,0,1,1,1,0,1],[1,1,0,0,1,0,1,1,0,0,0,1,0,1,0,1,0,0,0,1,0,1,1,1,0,1,0,0,1],[1,1,1,0,1,0,0,0,0,1,0,1,1,0,0,1,0,1,0,1,0,0,0,1,1,1,0,0,0],[0,0,0,0,1,0,1,1,0,0,1,0,1,0,1,1,0,1,1,0,1,1,1,0,1,1,0,0,0],[1,1,1,1,1,1,0,1,0,0,0,1,0,1,0,1,0,0,1,0,1,1,0,1,1,1,1,0,1],[0,1,1,1,0,1,1,1,1,0,0,1,0,1,0,0,0,0,1,1,1,0,0,0,0,0,0,0,1],[1,0,0,1,1,0,0,0,1,1,1,0,1,1,0,1,0,1,0,1,1,1,0,0,1,1,1,0,0],[1,0,1,1,1,1,1,1,0,0,1,0,1,0,1,1,1,0,1,1,0,1,1,1,0,0,0,1,1],[1,0,1,1,1,1,0,0,1,1,0,1,1,0,1,0,0,1,1,0,1,1,1,1,1,1,0,1,1],[1,1,1,1,1,0,1,1,0,0,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1],[0,0,0,0,0,0,0,0,1,0,1,1,0,1,0,1,0,0,0,1,1,0,0,0,1,0,1,0,0],[1,1,1,1,1,1,1,0,1,0,0,1,0,1,0,1,0,1,1,1,1,0,1,0,1,1,0,0,0],[1,0,0,0,0,0,1,0,1,1,1,0,1,0,1,0,1,1,1,0,1,0,0,0,1,0,0,0,0],[1,0,1,1,1,0,1,0,1,0,0,0,1,1,1,0,0,0,1,1,1,1,1,1,1,0,0,1,0],[1,0,1,1,1,0,1,0,1,0,1,1,0,0,1,1,0,1,1,0,1,0,0,1,0,1,1,0,1],[1,0,1,1,1,0,1,0,0,1,0,0,0,1,0,1,0,0,0,0,0,0,0,0,1,0,0,1,1],[1,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,1,0,0,1,0,1,1,0,1,0,1,0,1],[1,1,1,1,1,1,1,0,1,0,1,0,0,0,0,1,0,0,0,0,1,0,1,1,0,1,0,0,0]]import pyzbar.pyzbar as pyzbarfrom itertools import permutationsfrom PIL import Image, ImageDraw as drawimport matplotlib.pyplot as pltfrom tqdm import tqdmshuffle_1 = [9, 11, 13, 15, 17, 19]shuffle_2 = [10, 12, 14, 16, 18]head = data[:9]tail = data[20:]def body(body_1, body_2): # 获取中间部分的一种排列body = []for i in range(5):body.append(body_1[i])body.append(body_2[i])body.append(body_1[5])return [data[i] for i in body]def draw_img(data): # 生成二维码图片assert len(data) == 29 and len(data[0]) == 29img = Image.new('RGB', (31, 31), (255,255,255))for i, row in enumerate(data):for j, pixel in enumerate(row):img.putpixel((j + 1, i + 1), (0,0,0) if pixel == 1 else (255,255,255))return imgwith tqdm(total=720 * 120) as pbar:for body_1 in permutations(shuffle_1):for body_2 in permutations(shuffle_2):im = draw_img(head + body(body_1, body_2) + tail)barcodes = pyzbar.decode(im)pbar.update(1)if(len(barcodes) == 0):continuefor barcode in barcodes:barcodeData = barcode.data.decode("utf-8")print(barcodeData)plt.imshow(im)plt.show()

爆破结果：

flag{f31861a9-a753-47d5-8660-a8cada6c599e}

Reverse

Rev_Dizzy

题目描述：逆向分析要依赖工具，更要相信自己

题目只给一个exe附件，Window下直接运行，随意输入后命令窗口直接关闭。

上kali，分析文件格式。

file Dizzy.exeDizzy.exe: PE32 executable (console) Intel 80386, for MS Windows

32位，用ida打开

Shift+F12字符串搜索，找到刚才看到的字符串“Please input flag:”

Ctrl+X交叉引用定位到函数位置。

汇编看不明白，F5反编译。

反编译卡死，代码量很大，正常现象。若提示反编译失败，函数太大则修改IDA安装目录\cfg\hexrays.cfg文件，以文本方式打开，修改MAX_FUNCSIZE 的值（可修改为1024）。

反编译成C++结果：（太长了不放代码了Orz）

int sub_401190(){int v0; // eax@1char v2; // [sp+0h] [bp-28h]@4char v3; // [sp+1h] [bp-27h]@4char v4; // [sp+2h] [bp-26h]@4char v5; // [sp+3h] [bp-25h]@4char v6; // [sp+4h] [bp-24h]@4char v7; // [sp+5h] [bp-23h]@4char v8; // [sp+6h] [bp-22h]@4char v9; // [sp+7h] [bp-21h]@4char v10; // [sp+8h] [bp-20h]@4char v11; // [sp+9h] [bp-1Fh]@4char v12; // [sp+Ah] [bp-1Eh]@4char v13; // [sp+Bh] [bp-1Dh]@4char v14; // [sp+Ch] [bp-1Ch]@4char v15; // [sp+Dh] [bp-1Bh]@4char v16; // [sp+Eh] [bp-1Ah]@4char v17; // [sp+Fh] [bp-19h]@4char v18; // [sp+10h] [bp-18h]@4char v19; // [sp+11h] [bp-17h]@4char v20; // [sp+12h] [bp-16h]@4char v21; // [sp+13h] [bp-15h]@4char v22; // [sp+14h] [bp-14h]@4char v23; // [sp+15h] [bp-13h]@4char v24; // [sp+16h] [bp-12h]@4char v25; // [sp+17h] [bp-11h]@4char v26; // [sp+18h] [bp-10h]@4char v27; // [sp+19h] [bp-Fh]@4char v28; // [sp+1Ah] [bp-Eh]@4char v29; // [sp+1Bh] [bp-Dh]@4char v30; // [sp+1Ch] [bp-Ch]@4char v31; // [sp+1Dh] [bp-Bh]@4char v32; // [sp+1Eh] [bp-Ah]@4char v33; // [sp+1Fh] [bp-9h]@4int i; // [sp+20h] [bp-8h]@1int j; // [sp+24h] [bp-4h]@4v0 = sub_434330(std::cout, "Please input flag:");std::basic_ostream<char,std::char_traits<char>>::operator<<(v0, sub_434570);sub_4345A0(std::cin, byte_43841C);byte_43841C[6] += byte_43841C[3];byte_43841C[10] -= byte_43841C[27];byte_43841C[10] += byte_43841C[6];byte_43841C[14] += byte_43841C[3];byte_43841C[28] ^= byte_43841C[24];...此处省略上千次操作...byte_43841C[21] -= 54;byte_43841C[0] += byte_43841C[5];byte_43841C[16] += byte_43841C[20];puts(byte_4361E6);v2 = 39;v3 = 60;v4 = -29;v5 = -4;v6 = 46;v7 = 65;v8 = 7;v9 = 94;v10 = 98;v11 = -49;v12 = -24;v13 = -14;v14 = -110;v15 = -128;v16 = -30;v17 = 54;v18 = -76;v19 = -78;v20 = 103;v21 = 119;v22 = 15;v23 = -10;v24 = 13;v25 = -74;v26 = -19;v27 = 28;v28 = 101;v29 = -118;v30 = 7;v31 = 83;v32 = -90;v33 = 102;for ( j = 0; j < 32 && (unsigned __int8)*(&v2 + j) == (unsigned __int8)byte_43841C[j]; ++j );if ( j == 32 )puts("You find flag");elseputs("You don;t find it");puts(byte_4361E6);return 0;}

分析：输入一个长度为32的字符串，字符串内部元素互相作加 ‘+’ 、减 ‘-’ 、异或 ‘^’ 操作共5000次，最后输出的字符串与设定值进行比对。若均相同，则输入字符串为所需flag。可进行相应逆运算解题目（加对应逆运算为减）。

上PyCharm将5000个公式进行相应逆处理：

input_file_path = "D:/Dizzy_eff0e8b1e85ea6cf91d71dac530e9c9c/1.txt"ans = ""with open(input_file_path, 'r') as f:for line in f.readlines():if '+' in line:ans = line.replace('+', '-') + anselse:ans = line.replace('-', '+') + ansprint(ans)

再把代码放进Cpp文件在Visual Studio里面跑一遍。

#include <bits/stdc++.h>using namespace std;int main(){char flag[32] = {39,60,-29,-4,46,65,7,94,98,-49,-24,-14,-110,-128,-30,54,-76,-78,103,119,15,-10,13,-74,-19,28,101,-118,7,83,-90,102};flag[16] -= flag[20];flag[0] -= flag[5];flag[21] += 54;...此处省略上千次操作...flag[28] ^= flag[24];flag[14] -= flag[3];flag[10] -= flag[6];flag[10] += flag[27];flag[6] -= flag[3];for (int i = 0; i < 32; i++) {cout << flag[i];}int a;cin >> a;return 0;}

很快啊，一会儿就跑出来了。

flag{Try_R3vers1ng_W1th_ScR!pt!}