前言

不多说，就一句话，无pwn雪崩

URL从哪里来

题目描述说明程序会生成什么文件

将程序拖入ida分析

从伪代码中发现重要字符 ou标识符

动调发现程序生成了好多文件，

ida中可找到有关ou的文件

路径 C:\Users\86189\AppData\Local\Temp\ou.3BDB.tmp

该文件拖入010发现其实是PE文件

将此程序拖入ida分析，动调一会得解

1	flag{6469616e-6369-626f-7169-746170617761}

hello_py - xxtea

此题目在2023CISCN华中赛区就用过 — 不过没让我去，太可恶了！

(ichunqiu重复利用白嫖 Mz1 题目，哈哈哈哈哈)

jadx分析，Java层

发现关键标识符 - hello

题目思路：apk文件解压，翻目录找到了源代码

hello.py —— 题目源代码

审计代码，发现是xxtea

编写exp，得解

exp

#define _CRT_SECURE_NO_WARNINGS 1
#define _CRT_SECURE_NO_WARNINGS 1
#include<stdio.h>
#include<stdint.h>
#define DELTA 0x9e3779b9
#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))

using namespace std;

unsigned int cipher[9] = { 689085350 ,626885696 ,1894439255 ,1204672445 ,1869189675 ,475967424 ,1932042439 ,1280104741 ,2808893494 };
unsigned int key[4] = { 12345678 ,12398712 ,91283904 ,12378192 };

void xxtea(uint32_t* v, int n, uint32_t const key[4])
{
    uint32_t y, z, sum;
    unsigned p, rounds, e;
    if (n < -1)
    {
        n = -n;
        rounds = 6 + 52 / n;
        sum = rounds * DELTA;
        y = v[0];
        do
        {
            e = (sum >> 2) & 3;
            for (p = n - 1; p > 0; p--)
            {
                z = v[p - 1];
                y = v[p] -= MX;
            }
            z = v[n - 1];
            y = v[0] -= MX;
            sum -= DELTA;
        } while (--rounds);
    }
}

int main()
{
    xxtea(cipher, -9, key);
    for (int i = 0; i < 9; i++)
    {
        //printf("0x%x",cipher[i]);
        printf("0x%x,0x%x,0x%x,0x%x,", *((char*)&cipher[i] + 0) & 0xff, *((char*)&cipher[i] + 1) & 0xff, *((char*)&cipher[i] + 2) & 0xff, *((char*)&cipher[i] + 3) & 0xff);
    }
    printf("\n");
    int Dec[] =
    {
        0x63,0x31,0x66,0x38,0x61,0x63,0x65,0x36,0x2d,0x34,0x62,0x34,0x36,0x2d,0x34,0x39,0x33,0x31,0x2d,0x62,0x32,0x35,0x62,0x2d,0x61,0x31,0x30,0x31,0x30,0x61,0x38,0x39,0x63,0x35,0x39,0x32
    };
    for (int i = 0; i < 36; i++)
        printf("%c", Dec[i]);

    return 0;
}




// flag{c1f8ace6-4b46-4931-b25b-a1010a89c592}