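This challenge was really complicated, so I wrote this write-up to record my approach and to give a reference to anyone who is stuck.
Reference articles: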
https://blog.csdn.net/weixin_45696568/article/details/111413521
http://www.manongjc.com/detail/27-yvizdftissymciz.html
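Opening the archive reveals two txt files:
The names indicate the order: solve step1 first, then step2.
The txt files contain a large number of tabs, so I tried decoding them with snowfall. Decoder site: https://vii5ard.github.io/whitespace/
Decoding step1.txt yields a key: OK now you can run whitespace code. By the way, the key is H0wt0Pr1ntAWh17e5p4ceC0de.
Decoding step2.txt gives:
This looks like a 7z file containing a file named flag.txt. Since the output is garbled, recovering the 7z requires its bytes; the flag area on the right shows some stack commands:
These seem able to generate the bytes. The write-ups online all modify the source code of the whitelips web page so that it outputs bytes directly, but to avoid that step I wrote a script that converts the stack commands to bytes and saves them as a 7z archive to get the txt. The script: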
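class StackDemo(object):
    """Minimal stack machine mirroring the Whitespace stack commands."""

    def __init__(self):
        self.stack = []

    def push(self, x):
        self.stack.append(x)

    def pop(self):
        self.stack.pop()

    def printc(self):
        # Print the numeric value of the top element (not the character),
        # so the output can be pasted into bytes([...]), then remove it.
        print(self.stack[-1], end=' ')
        self.pop()

    def print(self):
        # Debug helper: show the whole stack.
        print(self.stack)

    def dup(self):
        # Duplicate the top element.
        self.push(self.stack[-1])

    def add(self):
        # Replace the top two elements with their sum.
        a = self.stack[-1]
        b = self.stack[-2]
        self.pop()
        self.pop()
        self.push(a + b)
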
stack=StackDemo()
stack.push(0)
stack.push(98)
stack.add()
stack.dup()
stack.printc()
stack.push(103)
stack.push(117)
stack.printc()
stack.dup()
stack.printc()
stack.push(107)
stack.dup()
stack.printc()
stack.push(10)
stack.add()
stack.dup()
stack.printc()
stack.push(70)
stack.push(123)
stack.printc()
stack.dup()
stack.printc()
stack.push(49)
stack.dup()
stack.printc()
stack.push(120)
stack.dup()
stack.printc()
stack.push(65)
stack.dup()
stack.printc()
stack.push(45)
stack.add()
stack.dup()
stack.printc()
stack.push(69)
stack.dup()
stack.printc()
stack.push(-16)
stack.add()
stack.dup()
stack.printc()
stack.push(103)
stack.push(110)
stack.push(97)
stack.push(108)
stack.push(111)
stack.printc()
stack.printc()
stack.printc()
stack.printc()
stack.dup()
stack.printc()
stack.push(114)
stack.push(80)
stack.printc()
stack.dup()
stack.printc()
stack.push(-66)
stack.add()
stack.dup()
stack.printc()
stack.push(55)
stack.add()
stack.dup()
stack.printc()
stack.push(11)
stack.add()
stack.dup()
stack.printc()
stack.push(52)
stack.dup()
stack.printc()
stack.push(57)
stack.add()
stack.dup()
stack.printc()
stack.push(84)
stack.dup()
stack.printc()
stack.push(48)
stack.dup()
stack.printc()
stack.push(97)
stack.push(67)
stack.printc()
stack.dup()
stack.printc()
stack.push(114)
stack.push(117)
stack.push(55)
stack.push(112)
stack.printc()
stack.printc()
stack.printc()
stack.dup()
stack.printc()
stack.push(70)
stack.push(51)
stack.push(104)
stack.push(84)
stack.push(101)
stack.printc()
stack.printc()
stack.printc()
stack.printc()
stack.dup()
stack.printc()
stack.push(49)
stack.dup()
stack.printc()
stack.push(52)
stack.dup()
stack.printc()
stack.push(51)
stack.add()
stack.dup()
stack.printc()
stack.push(22)
stack.add()
stack.dup()
stack.printc()
Write the output out as a 7z file:
b=bytes([55,122,188,175,39,28,0,4,233,178,103,148,176,0,0,0,0,0,0,0,106,0,0,0,0,0,0,0,205,61,162,91,148,163,10,161,6,123,111,146,195,229,199,77,197,176,226,227,44,177,43,96,161,183,25,95,211,125,221,70,102,117,157,219,2,113,89,134,199,190,90,208,113,2,30,131,134,158,192,184,130,200,49,95,169,69,184,36,202,69,2,69,160,13,36,13,176,115,55,167,181,220,144,24,156,128,159,52,143,64,170,177,64,129,83,122,169,252,159,170,33,201,53,141,86,73,35,149,56,209,111,227,46,146,218,18,60,77,165,23,248,38,213,201,136,18,249,150,90,225,255,195,101,23,65,13,144,238,93,31,150,182,136,40,73,137,105,218,0,3,2,92,123,250,128,137,207,217,187,15,202,154,187,172,229,221,223,77,58,56,62,234,238,175,206,236,90,65,197,234,53,242,98,189,93,69,135,58,1,4,6,0,1,9,128,176,0,7,11,1,0,2,36,6,241,7,1,18,83,15,181,85,78,250,249,198,199,186,171,74,81,185,17,229,245,136,33,33,1,0,1,0,12,128,162,131,85,0,8,10,1,126,78,13,98,0,0,5,1,17,19,0,102,0,108,0,97,0,103,0,46,0,116,0,120,0,116,0,0,0,25,0,20,10,1,0,50,92,151,50,148,119,215,1,21,6,1,0,32,0,0,0,0,0])
with open('d.7z','wb') as f:
    f.write(b)
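The archive password is the key obtained from step1. Opening the archive reveals flag.txt. When I excitedly opened the txt, it turned out to be whitelip-encoded yet again. Running it on the web page produced no output; after reading other people's write-ups I learned that the printc instructions on the right had all been changed to drop. There was no way around modifying the page script: copy the printc function over the drop one and it works.
But to avoid modifying the script, I repeated the previous steps and ran my own script (with drop replaced by printc) to produce a txt.
The expert's write-up modifies the web page script right when running step2.txt so that the output is in byte form (much more convenient, but I wouldn't know how to change it myself, which is why I kept avoiding that step...).
A very clumsy method; please don't laugh.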
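The stack-command replay described above (turning the listing into bytes for step2, and treating drop as printc for flag.txt), as an added example that is not the author's script. It assumes the instructions are copied out one per line as `mnemonic [operand]`; `run_listing`, `looks_like_7z` and both sample listings are constructed for illustration.

```python
# Added example: replay a Whitespace disassembly listing and collect the output as bytes.
# Assumption: one instruction per line, written as "mnemonic [operand]".
SEVENZ_MAGIC = bytes([0x37, 0x7A, 0xBC, 0xAF, 0x27, 0x1C])  # 7z signature header

def run_listing(listing, drop_as_printc=False):
    """Execute push/dup/add/printc/drop lines and return everything printed, as bytes."""
    stack, out = [], bytearray()
    for lineno, raw in enumerate(listing.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue
        op = parts[0].lower()
        if op == "drop" and drop_as_printc:
            op = "printc"  # undo the printc -> drop substitution
        try:
            if op == "push":
                stack.append(int(parts[1]))
            elif op == "dup":
                stack.append(stack[-1])
            elif op == "add":
                b, a = stack.pop(), stack.pop()
                stack.append(a + b)
            elif op == "printc":
                out.append(stack.pop() & 0xFF)  # keep the raw byte, not a character
            elif op == "drop":
                stack.pop()
            else:
                raise ValueError(f"line {lineno}: unsupported instruction {op!r}")
        except IndexError:
            raise ValueError(f"line {lineno}: stack underflow or missing operand in {raw!r}")
    return bytes(out)

def looks_like_7z(data):
    """True when the recovered bytes start with the 7z signature."""
    return data.startswith(SEVENZ_MAGIC)

# Constructed sample listings (not taken from the challenge files).
SAMPLE_7Z = ("push 0\npush 55\nadd\ndup\nprintc\npush 67\nadd\ndup\nprintc\n"
             "push 66\nadd\ndup\nprintc\npush -13\nadd\ndup\nprintc\n"
             "push 28\npush 39\nprintc\nprintc\n")
SAMPLE_DROP = "push 98\ndup\ndrop\npush 103\npush 117\ndrop\ndrop\n"

if __name__ == "__main__":
    data = run_listing(SAMPLE_7Z)
    print(list(data), looks_like_7z(data))
    print(run_listing(SAMPLE_DROP, drop_as_printc=True))
```

Checking the signature before writing the file catches a listing that was copied incompletely or replayed with the wrong pop order.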