34C3

JuniorCTF - nohtyp1

Challenge:

We love snakes.
Hints: $ cat flag | md5sum 5a76c600c2ca0f179b643a4fcd4bc7ac


Writeup:

Opening the .py file shows a large number of identifiers made up only of underscores:

____=input;__________________=print;___________=____();_________=map;__________=ord;_______________=zip;____________________________=list;___=21;_____=lambda ______,_______:______+(_______^___);______________={not not not ___ and not not ___:lambda:__________________('\x41\x6c\x6d\x6f\x73\x74\x21\x21'),not not ___ and not not ___:lambda:__________________('\x43\x6f\x72\x72\x65\x63\x74\x21')};______________[[_____(*________) for ________ in _______________(____________________________(_________(__________,___________)),____________________________(_________(__________,___________))[::-1])][::-1]==[160,155,208,160,190,215,237,134,210,126,212,222,224,238,128,240,164,213,183,192,162,178,163,162] and 'mo4r' in ___________ and '34C3_' in ___________ and ___________.split('_')[3] == 'tzzzz']()

After renaming the identifiers and tidying up:

#input=input;
#print=print;
input_1=input();
#map=map;
#ord=ord;
#zip=zip;
#list=list;
#21=21;
func=lambda a,b:a+(b^21);
choose={False:(lambda:print('\x41\x6c\x6d\x6f\x73\x74\x21\x21')), #Almost!!
		True:(lambda:print('\x43\x6f\x72\x72\x65\x63\x74\x21'))}; #Correct!
choose[[func(*addr) for addr in zip(list(map(ord,input_1)),list(map(ord,input_1))[::-1])][::-1]==[160,155,208,160,190,215,237,134,210,126,212,222,224,238,128,240,164,213,183,192,162,178,163,162] and 'mo4r' in input_1 and '34C3_' in input_1 and input_1.split('_')[3] == 'tzzzz']()

>>> zip(list(map(ord,'abcd')),list(map(ord,'abcd'))[::-1])
[(97, 100), (98, 99), (99, 98), (100, 97)]

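From this we can infer that input_1 has 24 characters in total, and that the i-th character is paired with the (23-i)-th character and the pair is passed through func (i=0…23).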

import string

# Candidate alphabet for the flag characters
charset = string.ascii_letters+string.digits+'_'
l = [160,155,208,160,190,215,237,134,210,126,212,222,224,238,128,240,164,213,183,192,162,178,163,162]
res = []
for index in range(12):
	chars = []
	for a in charset:
		for b in charset:
			# b is input_1[index], a is input_1[23-index]
			if ord(a)+(ord(b)^21)==l[index] and ord(b)+(ord(a)^21)==l[23-index]:
				chars.append((b, a))
	print(chars)
	res.append(chars)

This gives all the pairs that satisfy the constraints:

[('3', 'z'), ('K', 'B'), ('O', 'F'), ('C', 'J'), ('G', 'N'), ('_', 'V'), ('S', 'Z')]
[('6', 'x'), ('7', 'y'), ('4', 'z'), ('O', 'A'), ('L', 'B'), ('M', 'C'), ('F', 'H'), ('G', 'I'), ('D', 'J'), ('E', 'K'), ('_', 'Q'), ('V', 'X'), ('W', 'Y'), ('T', 'Z'), ('v', '8'), ('w', '9')]
[('K', 'r'), ('O', 'v'), ('C', 'z'), ('k', 'R'), ('o', 'V'), ('c', 'Z')]
[('3', 'z'), ('K', 'B'), ('O', 'F'), ('C', 'J'), ('G', 'N'), ('_', 'V'), ('S', 'Z')]
[('I', 'b'), ('O', 'd'), ('M', 'f'), ('C', 'h'), ('A', 'j'), ('G', 'l'), ('E', 'n'), ('Y', 'r'), ('_', 't'), ('S', 'x'), ('Q', 'z'), ('i', 'B'), ('o', 'D'), ('m', 'F'), ('c', 'H'), ('a', 'J'), ('g', 'L'), ('e', 'N'), ('y', 'R'), ('s', 'X'), ('q', 'Z')]
[('J', 'x'), ('K', 'y'), ('H', 'z'), ('j', 'X'), ('k', 'Y'), ('h', 'Z'), ('m', '_')]
[('n', 'r'), ('o', 's'), ('f', 'z')]
[('0', 'a'), ('4', 'e'), ('P', 'A'), ('T', 'E')]
[('z', 'c'), ('r', 'k'), ('v', 'o')]
[('9', 'R'), ('3', 'X'), ('1', 'Z'), ('Y', '2'), ('_', '4'), ('S', '8')]
[('s', 'n')]
[('i', 'b'), ('o', 'd'), ('m', 'f'), ('c', 'h'), ('a', 'j'), ('g', 'l'), ('e', 'n'), ('y', 'r'), ('s', 'x'), ('q', 'z')]

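In these candidates we can spot 34C3 and _tzzzz, and also mo4r.
So the beginning and end of the input are known: 34C3_mo4r******kes_tzzzz
Since there are three underscores, the input must be 34C3_mo4r_****4kes_tzzzz
That leaves 1*10 = 10 possible flags in total.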

import hashlib

flagb = '34C3_mo4r_'
flage = '4kes_tzzzz'
char1 = [('s', 'n')]
char2 = [('i', 'b'), ('o', 'd'), ('m', 'f'), ('c', 'h'), ('a', 'j'), ('g', 'l'), ('e', 'n'), ('y', 'r'), ('s', 'x'), ('q', 'z')]

def md5check(flag):
	# Digest given in the challenge hint
	md5str = '5a76c600c2ca0f179b643a4fcd4bc7ac'
	return hashlib.md5(flag.encode()).hexdigest()==md5str

for (a, d) in char1:
	for (b, c) in char2:
		# The hint hashed the flag file, so the trailing newline is included
		flag = flagb+a+b+c+d+flage+'\n'
		if md5check(flag):
			print(flag)

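Note: the trap in this challenge is the use of md5sum. The data hashed by `cat flag | md5sum` includes the trailing '\0' or '\n' of the flag file, whereas an md5 of the bare flag string does not; here it is the '\n' that the script above appends. If you overlook this, none of the candidates will match.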
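As an added example (not part of the original writeup), the Python 3 script below re-implements the checker and expands the template from the analysis above automatically. It shows that every remaining candidate passes the checker, so only the md5sum hint tells them apart. The function names and the `len(parts) > 3` guard are choices made for this example.

```python
import hashlib
import string
from itertools import product

# Constants copied from the deobfuscated checker and the hint on this page.
TARGET = [160, 155, 208, 160, 190, 215, 237, 134, 210, 126, 212, 222,
          224, 238, 128, 240, 164, 213, 183, 192, 162, 178, 163, 162]
KEY = 21
CHARSET = string.ascii_letters + string.digits + "_"
MD5SUM_HINT = "5a76c600c2ca0f179b643a4fcd4bc7ac"

def checker_accepts(s):
    """Re-implementation of the challenge's full acceptance test."""
    codes = [ord(c) for c in s]
    mixed = [a + (b ^ KEY) for a, b in zip(codes, codes[::-1])][::-1]
    parts = s.split("_")
    return (mixed == TARGET and "mo4r" in s and "34C3_" in s
            and len(parts) > 3 and parts[3] == "tzzzz")

def pair_options(i, left="*", right="*"):
    """(s[i], s[23-i]) pairs allowed by TARGET; '*' marks an unknown char."""
    return [(x, y) for x in CHARSET for y in CHARSET
            if left in ("*", x) and right in ("*", y)
            and ord(y) + (ord(x) ^ KEY) == TARGET[i]
            and ord(x) + (ord(y) ^ KEY) == TARGET[23 - i]]

def expand(template):
    """Every string matching the 24-char template that the checker accepts."""
    per_index = [pair_options(i, template[i], template[23 - i]) for i in range(12)]
    found = []
    for combo in product(*per_index):
        # First half is s[0..11]; second half is s[12..23], i.e. the mirrored chars.
        s = "".join(x for x, _ in combo) + "".join(y for _, y in reversed(combo))
        if checker_accepts(s):
            found.append(s)
    return found

def md5sum_digest(s):
    """Digest as `cat flag | md5sum` sees it: flag bytes plus trailing newline."""
    return hashlib.md5((s + "\n").encode()).hexdigest()

if __name__ == "__main__":
    survivors = expand("34C3_mo4r_****4kes_tzzzz")
    print(len(survivors), "strings pass the checker")
    print([s for s in survivors if md5sum_digest(s) == MD5SUM_HINT])
```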
