re DASCTF Apr.2023 X SU战队2023开局之战复现

最新推荐文章于 2024-03-03 17:04:53 发布

豆腐西蓝花

最新推荐文章于 2024-03-03 17:04:53 发布

阅读量378

点赞数 1

文章标签：网络安全安全

本文链接：https://blog.csdn.net/m0_75098930/article/details/130331976

版权

Python版本问题，3.11弄不好，手搓

import marshal

import dis

a=open('pyc.pyc','rb')

a.seek(16)

dis.dis(marshal.load(a))

用这个脚本一定要确保python版本一致，题目是3.11

0 0 RESUME 0

1 2 LOAD_CONST 0 (0)

4 LOAD_CONST 1 (None)

6 IMPORT_NAME 0 (random)

8 STORE_NAME 0 (random)

3 10 PUSH_NULL

12 LOAD_NAME 0 (random)

14 LOAD_ATTR 1 (Random)

24 LOAD_CONST 2 (322376503)

26 PRECALL 1

30 CALL 1

40 STORE_NAME 2 (r)

6 42 PUSH_NULL

44 LOAD_NAME 3 (input)

46 LOAD_CONST 3 ('Enter your flag: ')

48 PRECALL 1

52 CALL 1

62 LOAD_METHOD 4 (encode)

84 PRECALL 0

88 CALL 0

98 STORE_NAME 5 (pt)

8 100 LOAD_CONST 4 (b'\x8b\xcck\xd3\xed\x96\xffFb\x06r\x085\x82\xbc \xb2\xde)p\x88Q`\x1bf\x18\xb6QUSw\x10\xcd\xd9\x13A$\x86\xe5\xcd\xd9\xff')

102 STORE_NAME 6 (ct)

10 104 BUILD_LIST 0

106 STORE_NAME 7 (buf)

12 108 LOAD_NAME 5 (pt)

110 GET_ITER

>> 112 FOR_ITER 46 (to 206)

114 STORE_NAME 8 (b)

13 116 LOAD_NAME 7 (buf)

118 LOAD_METHOD 9 (append)

140 LOAD_NAME 2 (r)

142 LOAD_METHOD 10 (randint)

164 LOAD_CONST 0 (0)

166 LOAD_CONST 5 (255)

168 PRECALL 2

172 CALL 2

182 LOAD_NAME 8 (b)

184 BINARY_OP 12 (^)

188 PRECALL 1

192 CALL 1

202 POP_TOP

204 JUMP_BACKWARD 47 (to 112)

15 >> 206 PUSH_NULL

208 LOAD_NAME 11 (bytes)

210 LOAD_NAME 7 (buf)

212 PRECALL 1

216 CALL 1

226 LOAD_NAME 6 (ct)

228 COMPARE_OP 2 (==)

234 POP_JUMP_FORWARD_IF_TRUE 2 (to 240)

236 LOAD_ASSERTION_ERROR

238 RAISE_VARARGS 1

17 >> 240 PUSH_NULL

242 LOAD_NAME 12 (print)

244 LOAD_CONST 6 ('Correct!')

246 PRECALL 1

250 CALL 1

260 POP_TOP

262 LOAD_CONST 1 (None)

264 RETURN_VALUE

>>>试了一下

import dis

from random import *

def fuck():

    Random(322376503)

    r=input()

    pt=r.encode()

    ct=b'\x8b\xcck\xd3\xed\x96\xffFb\x06r\x085\x82\xbc \xb2\xde)p\x88Q`\x1bf\x18\xb6QUSw\x10\xcd\xd9\x13A$\x86\xe5\xcd\xd9\xff'

    buf=[]

    for i in range(0x46):

        buf.append(r)

        b=randint(0,255)

        r^=b

    if bytes(buf)==ct:

        print("corrct!")



    return 0

dis.dis(fuck)

编写脚本

import random

a=random.Random(322376503)

b=[]

enc=[139, 204, 107, 211, 237, 150, 255,  70,  98,   6,

  114,   8,  53, 130, 188,  32, 178, 222,  41, 112,

  136,  81,  96,  27, 102,  24, 182,  81,  85,  83,

  119,  16, 205, 217,  19,  65,  36, 134, 229, 205,

  217, 255]

random.seed(322376503)

for i in range(len(enc)):

    b.append(random.randint(0,255))

print(b)

a=b'\x8b\xcck\xd3\xed\x96\xffFb\x06r\x085\x82\xbc \xb2\xde)p\x88Q`\x1bf\x18\xb6QUSw\x10\xcd\xd9\x13A$\x86\xe5\xcd\xd9\xff'

key=[237, 160, 10, 180, 150, 160, 198, 126, 87, 62, 16, 61, 3, 175, 136, 25, 138, 233, 4, 68, 187, 105, 6, 54, 7, 40, 132, 50, 120, 102, 22, 114, 248, 186, 35, 120, 65, 179, 212, 254, 225, 130]

for i in range(len(key)):

    print(chr(key[i]^enc[i]),end='')

    #flag{69858b56-4987-438f-a02c-5ab5c09e5138}