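Windows beginner challenge

The program checks the length of the input string; if it equals 36 it enters the comparison loop, otherwise the program exits:

    if ( v34 == 36 )

It then compares the input string with the string in v9:

    if ( *v10 != *v9 )
        break;

Set a breakpoint here, run the program, and enter a string of length 36; the string stored in v9 is the flag:

    fl@g{H@ppy_N3w_e@r!2o24!Fighting!!!}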

Android beginner challenge

Clear the game manually, or unpack the APK and find the video to get the flag:

    flag{happy_new_year_2024}

Android beginner challenge

In WishActivity, the FlagActivity it launches is the key:

    wishActivity.startActivity(new Intent(wishActivity, FlagActivity.class));

The decompiled FlagActivity code is as follows:

    package com.kbtx.redpack_simple;

    import a.b.c.h;
    import android.content.pm.PackageManager;
    import android.content.pm.Signature;
    import android.os.Bundle;
    import android.widget.TextView;
    import b.a.a.a.a;
    import java.nio.ByteBuffer;

    /* loaded from: classes.dex */
    public class FlagActivity extends h {
        // Encrypted flag bytes (signed Java bytes)
        public static byte[] o = {86, -18, 98, 103, 75, -73, 51, -104, 104, 94, 73, 81, 125, 118, 112, 100, -29, 63, -33, -110, 108, 115, 51, 59, 55, 52, 77};

        @Override // a.b.c.h, a.i.a.d, androidx.activity.ComponentActivity, a.f.b.g, android.app.Activity
        public void onCreate(Bundle bundle) {
            byte[] bArr;
            Signature[] signatureArr;
            super.onCreate(bundle);
            setContentView(R.layout.activity_flag);
            byte[] bArr2 = o;
            try {
                // 64 == PackageManager.GET_SIGNATURES: read the app's own signing certificate
                signatureArr = getPackageManager().getPackageInfo(getPackageName(), 64).signatures;
            } catch (PackageManager.NameNotFoundException unused) {
                bArr = new byte[0];
            }
            if (signatureArr != null && signatureArr.length >= 1) {
                byte[] byteArray = signatureArr[0].toByteArray();
                ByteBuffer allocate = ByteBuffer.allocate(bArr2.length);
                // XOR each encrypted byte with the certificate bytes (repeating key)
                for (int i = 0; i < bArr2.length; i++) {
                    allocate.put((byte) (bArr2[i] ^ byteArray[i % byteArray.length]));
                }
                bArr = allocate.array();
                StringBuilder d = a.d("for honest players only: \n");
                d.append(new String(bArr));
                ((TextView) findViewById(R.id.tvFlagHint)).setText(d.toString());
            }
            bArr = new byte[0];
            StringBuilder d2 = a.d("for honest players only: \n");
            d2.append(new String(bArr));
            ((TextView) findViewById(R.id.tvFlagHint)).setText(d2.toString());
        }
    }

A script written from FlagActivity:

    from androguard.misc import AnalyzeAPK

    o = [86, -18, 98, 103, 75, -73, 51, -104, 104, 94, 73, 81, 125, 118, 112, 100, -29, 63, -33, -110, 108, 115, 51, 59, 55, 52, 77]

    # Convert Java bytes (-128..127) to Python bytes (0..255)
    o = [i & 0xFF for i in o]

    # Parse the original, unmodified APK
    a, d, dx = AnalyzeAPK("52pj.apk")

    # Signing certificates embedded in the APK
    signatures = a.get_certificates()

    # DER encoding of the first certificate, the same bytes as Signature.toByteArray()
    signature_bytes = signatures[0].dump()

    signature_byte_array = [i for i in signature_bytes]

    # XOR with the certificate as a repeating key, as FlagActivity does
    result = [o[i] ^ signature_byte_array[i % len(signature_byte_array)] for i in range(len(o))]

    result_bytes = bytes(result)

    try:
        result_string = result_bytes.decode('utf-8', errors='ignore')
    except UnicodeDecodeError:
        print("Error")
    else:
        print("for honest players only: \n" + result_string)

    flag{52pj_HappyNewYear2024}
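
Since XOR is its own inverse, the array o and the recovered flag together give back the first 27 bytes of the key, which should look like the start of a DER-encoded X.509 certificate if the script fed in the right input. The check below is an added example, not part of the original writeup or the app's code; O and FLAG are copied from this page and the helper names are hypothetical.

```python
# Added example: O and FLAG are copied from this page; function names are hypothetical.
O = [86, -18, 98, 103, 75, -73, 51, -104, 104, 94, 73, 81, 125, 118, 112, 100,
     -29, 63, -33, -110, 108, 115, 51, 59, 55, 52, 77]
FLAG = b"flag{52pj_HappyNewYear2024}"


def recover_key_prefix(java_bytes, plaintext):
    """XOR is its own inverse: key[i] = cipher[i] ^ plain[i]."""
    cipher = bytes(b & 0xFF for b in java_bytes)  # signed Java byte -> 0..255
    return bytes(c ^ p for c, p in zip(cipher, plaintext))


def read_tlv(buf, off):
    """Read one DER tag/length header; return (tag, length, offset of value)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                      # short form: length fits in one byte
        return tag, first, off + 2
    n = first & 0x7F                      # long form: next n bytes hold the length
    return tag, int.from_bytes(buf[off + 2:off + 2 + n], "big"), off + 2 + n


def decode_oid(raw):
    """Decode DER OID content bytes into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def describe_cert_prefix(prefix):
    """Walk the start of an X.509 v1 certificate (no explicit version field)."""
    _, cert_len, off = read_tlv(prefix, 0)     # Certificate ::= SEQUENCE
    _, tbs_len, off = read_tlv(prefix, off)    # TBSCertificate ::= SEQUENCE
    _, n, off = read_tlv(prefix, off)          # serialNumber INTEGER
    serial = int.from_bytes(prefix[off:off + n], "big")
    _, _, off = read_tlv(prefix, off + n)      # AlgorithmIdentifier SEQUENCE
    _, n, off = read_tlv(prefix, off)          # algorithm OID
    return {"cert_len": cert_len, "tbs_len": tbs_len, "serial": serial,
            "sig_alg": decode_oid(prefix[off:off + n])}


if __name__ == "__main__":
    key = recover_key_prefix(O, FLAG)
    print(key.hex())
    print(describe_cert_prefix(key))
```

The recovered prefix parses as a v1 certificate with serial 1 signed with sha256WithRSAEncryption, so the key really is the public signing certificate. The scheme therefore only breaks the flag in re-signed builds and offers no protection against static analysis of the original APK.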

Web beginner, intermediate and advanced challenges

flag1

Ripples appear at 00:00:02:10:

    flag1{52pj2024}

flag2

Visit: http://2024challenge.52pojie.cn

This yields X-Flag2: flag2{xHOpRP}

    flag2{xHOpRP}

flag3

Moiré pattern at the start of the video:

    flag3{GRsgk2}

flag4

F12 https://2024challenge.52pojie.cn/flag4_flag10.png

    flag4{YvJZNS}

flag5

A comment on the platform page:

    <!-- flag5 flag9 -->
    <pre style="position: absolute; z-index: -1; left: 0; top: 0; right: 0; margin: 0; color: white; user-select: none; pointer-events: none; white-space: pre-wrap; word-break: break-all; line-height: 1;">...</pre>

The string is:

    flag5{P3prqF}

flag6

Scan the QR code: https://2024challenge.52pojie.cn/

Just compute the MD5: 1c450bbafad15ad87c32831fa1a616fc

    flag6{20240217}

flag7

GitHub: https://github.com/ganlvtech/52pojie-2024-challenge/commit/6bbac038c4813fbc5d129a8d605471ea2e374786

    flag7{Djl9NQ}

flag8

Look at the cookie value.

Changing the Value of game2048_user_data with Cookie-Editor is enough (the value below immediately reaches a score of 22916):

    dPEEH/JpzQhCzBwTURxsHWy5lkrXvbkTYZUDbaJWa7LsE81KzmCB6blr3FkOA/c0rSvyuVPMEIHrPFMuk7OtJIzw5NTuiFBVBpNMUBzprkLAx2tcW8+uWgAxgqMfqmaIYUq/8JG0IGuw

    flag8{OaOjIK}

flag9

In Notepad, turn on word wrap and adjust the height:

    flag9{KHTALK}

flag10

F12 https://2024challenge.52pojie.cn/flag4_flag10.png

    flag10{6BxMkW}

flag11

    /home/kali/.local/bin/gaps run --generations=10 --population=200 --size=30 flag11.png solution.png

    flag11{HPQfVF}

flag12

Wasm file: https://2024challenge.52pojie.cn/flag12/flag12.wasm

WebAssembly code:

    (module
      (type $t0 (func (param i32) (result i32)))
      (func $get_flag12 (export "get_flag12") (type $t0) (param $p0 i32) (result i32)
        (select
          (i32.const 1213159497)
          (i32.const 0)
          (i32.eq
            (i32.mul
              (local.get $p0)
              (i32.const 1103515245))
            (i32.const 1))))
      (memory $memory (export "memory") 16)
      (global $__stack_pointer (mut i32) (i32.const 1048576))
      (global $__data_end (export "__data_end") i32 (i32.const 1048576))
      (global $__heap_base (export "__heap_base") i32 (i32.const 1048576)))

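The get_flag12 function multiplies the input value by 1103515245; if the remainder of that product divided by 4294967296 equals 1 it returns 1213159497, otherwise it returns 0. The required input is therefore the multiplicative inverse of 1103515245 modulo 4294967296.

Solving it in Python:

    # Compute the multiplicative inverse
    secret = pow(1103515245, -1, 2**32)
    print(f"输入数字为:{secret}")

    # Verify the result
    assert (secret * 1103515245) % (2**32) == 1

    # Convert the returned number to a string, one byte at a time
    flag12 = ''
    num = 1213159497
    while num > 0:
        flag12 = chr(num & 0xff) + flag12
        num >>= 8

    print(f'flag12为:flag12{{{flag12}}}')

    flag12{HOXI}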
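
To show what pow(..., -1, 2**32) computes and why the check holds under WebAssembly's wrapping arithmetic, the added example below (not from the original writeup or the challenge) models i32.mul in Python and finds the inverse by Newton iteration. It goes slightly beyond the single constant used here, since the method works for any odd multiplier; the function names are hypothetical and the two constants come from the .wasm above.

```python
MASK32 = 0xFFFFFFFF
MULTIPLIER = 1103515245   # constant from the .wasm on this page
MAGIC = 1213159497        # value returned on success, from the page


def i32_mul(a, b):
    """WebAssembly i32.mul: keep only the low 32 bits of the product."""
    return (a * b) & MASK32


def get_flag12(p0):
    """Python model of the exported get_flag12 (select + i32.eq + i32.mul)."""
    return MAGIC if i32_mul(p0 & MASK32, MULTIPLIER) == 1 else 0


def inverse_mod_2_32(a):
    """Inverse of an odd number modulo 2**32 by Newton (Hensel) lifting."""
    if a % 2 == 0:
        raise ValueError("even numbers have no inverse modulo 2**32")
    x = a & MASK32            # a*a == 1 (mod 8), so x = a is right to 3 bits
    for _ in range(4):        # correct bits double: 3 -> 6 -> 12 -> 24 -> 48
        x = i32_mul(x, 2 - i32_mul(a, x))
    return x


def to_signed_i32(u):
    """The same 32-bit pattern read as a signed i32, as a JS caller sees it."""
    return u - (1 << 32) if u & 0x80000000 else u


def u32_to_ascii(n):
    """Big-endian bytes of a 32-bit value as text."""
    return n.to_bytes(4, "big").decode("ascii")


if __name__ == "__main__":
    inv = inverse_mod_2_32(MULTIPLIER)
    print(inv, to_signed_i32(inv), get_flag12(inv), u32_to_ascii(MAGIC))
```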

flagA

Entering the flagA value from the cookie into uid decodes it:

    flagA{xxxxxxxx}

flagB

Obtained after using the item: the keyword is "overflow".

Integer overflow: 424672867399

    flagB{xxxxxxxx}

flagC

The COCO dataset.

Capture the API request and modify its parameters to see the class names of the hidden objects.