ctf-第一场网鼎杯

1.reverse-beijing

放在kali下使用file命令发现这是一个32位的elf文件，直接运行获得一串乱码，放入ida中找到main函数进行反编译，发现里面有嵌套函数，打开嵌套函数，发现函数是根据外层参数做异或，猜测这里是将flag顺序打乱后与一个密钥做异或得到我们所看到的乱码，将做异或的两行数据取出再按外层函数调用参数选定的顺序排好即可(注意有部分参数不存在是因为他们的值为0而未被反编译器识别),即可得到结果flag{amazing_beijing}

2.reverse-advanced

放在kali下使用file命令发现这是一个64位的elf文件，直接运行结果为“welcome, here is your identification, please keep it in your pocket: 4b404c4b5648725b445845734c735949405c414d5949725c45495a51”，用ida打开程序，找到main函数反汇编发现了一个极其复杂的函数，看了一会便看不下去了，直接观察得到的那一串字符串，猜测这是flag进过某种变换获得的，将字符串开头与flag做异或，发现得到的值为45，44，45，44，将规律推广，获得字符串flag{d_with_a_template_phew},即为答案

s="4b404c4b5648725b445845734c735949405c414d5949725c45495a51"
mingwen=""
i=0
while i<len(s):
    ss=s[i:i+2]
    mingwen+=chr(int(ss,16)^45)
    ss=s[i+2:i+4]
    mingwen+=chr(int(ss,16)^44)
    i=i+4

print mingwen

3.misc-clip

给了一个损坏的磁盘文件，无法挂载，有哪个winhex打开，输入常见文件头部进行查询，找到了一个png的头部和两个IHDR，将这两个png文件拆解出来，给第一个png文件补上尾部，给第二个png文件补上头部和尾部，用PS打开，发现图像是错位的(在磁盘中有照片会被拆解成几块放入，块与块之间用无效字节填充导致图像错位），使用PS打开，对两张图像做切分，重组即可得到答案

4.misc-minified

拿到一张图片，放入stegsolve中发现在red plane0通道下该图片是一张黑色的图片，于是将blue plane 0，green plane 0，alpha plane 0保存为1.bmp，2.bmp，3.bmp，对图片两两做异或，即可发现使用alpha plane 0和green plane 0得到flag

from PIL import Image
lena1=Image.open('1.bmp')
lena2=Image.open('2.bmp')
lena3=Image.open('3.bmp')
pixsel=[]
pixsel.append(lena1.load())
pixsel.append(lena2.load())
pixsel.append(lena3.load())
for i in xrange(3):
    j=i+1
    while j<3:
        im=Image.new('RGB',(lena1.width,lena1.height))
        for x in xrange(0,lena1.width):
            for y in xrange(0,lena1.height):
                r=pixsel[i][x,y][0]^pixsel[j][x,y][0]
                g=pixsel[i][x,y][1]^pixsel[j][x,y][1]
                b=pixsel[i][x,y][2]^pixsel[j][x,y][2]
                im.putpixel((x,y),(r,g,b))
        ss=str(i)+str(j)+".bmp"
        j=j+1
        print ss
        im.save(ss)

5.crypto-hashcoll

题目文件描述为“Sometime, you wonder why you rEad the DescrIption Because it may contaIn something useless.",并有一段加密程序

#!/usr/bin/env python2

from flag import FLAG 

h0 = 45740974929179720441799381904411404011270459520712533273451053262137196814399

# 2**168 + 355
g = 374144419156711147060143317175368453031918731002211L

def shitty_hash(msg):
    h = h0 
    msg = map(ord, msg)
    for i in msg:
        h = (h + i)*g 
        # This line is just to screw you up :))
        h = h & 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
    
    return h - 0xe6168647f636


if __name__ == '__main__':
    try: 
        introduction = """
        .--.     .------------------------.
        | __\    |                        |
        | > <   <  Homies, Hash collision |
        |  \|    |                        |
        |/_//    `------------------------'
        |  / 
        `-'
        I never want to create challenges that people can grab random scripts to solve it. Nah
        """

        print introduction

        m1 = raw_input('m1 : ')
        m2 = raw_input('m2 : ')

        assert m1 != m2 

        #print "m1 = {!r}".format(m1)
        #print "m2 = {!r}".format(m2)

        hash1 = shitty_hash(m1)
        hash2 = shitty_hash(m2) 

        if hash1 == hash2:
            print "\nThe flag is simple, it is 'the flag' :)) "
            print FLAG
        else:
            print 'Wrong.'

    except:
        print "Take your time to think of the inputs."
        pass

阅读程序可知该题目要求我们输入两串不同的字符串m1,m2，而且shitty_hash(m1)=shitty_hash(m2)，在shitty_hash中，首先将字符串的每一个字符转化为ascii值，例如m1=[x1,x2,x3......,xn]，而shitty_hash(m1)=(h0*g^n+x1*g^n+x2*g^(n-1)+x3*g^(n-2)+......+xn*g^1)%(2^256)，发现shitty_hash(m1)=shitty_hash(m2)与h0无关，将h0转化为字符获得“e you ever see something weird ?”，这是想要shitty_hash(m1)=shitty_hash(m2)，设m1=[x1,x2,x3......,xn]，m2=[y1,y2,y3......,yn]，(x1*g^n+x2*g^(n-1)+x3*g^(n-2)+......+xn*g)%(2^256)=(y1*g^n+y2*g^(n-1)+y3*g^(n-2)+......+yn*g)%(2^256)，这里我们可以假定一个m1，找到c=[c1,c2,c3......,cn]，使得(c1*g^n+c2*g^(n-1)+c3*g^(n-2)+......+cn*g)%(2^256)=0，且要满足0<c1+x1,c2+x2......,cn+xn<128，即要求这里的c1.......cn尽量的小，这时问题转化为SVP问题(即在整数格上寻找长度最小且与原向量近似正交的向量），在这里我们使用LLL算法解决这个问题，构造矩阵(构造以及求解原理可查看https://www.di.ens.fr/~granboul/recherche/publications/data/hash.pdf）

代码如下(sega脚本，没有环境可以在https://cocalc.com/在线运行

from sage.all import *

mod = 2**256
h0 = 45740974929179720441799381904411404011270459520712533273451053262137196814399

g = 2**168 + 355

K = 2**20

base = map(ord, "a"*56)
N = len(base)

m = matrix(ZZ, N + 1, N + 1)
for i in xrange(N):
    ge = pow(g, N-i, mod)
    m[i,0] = ge
    m[i,1+i] = 1
m[N,0] = mod
for i in xrange(N+1):
    m[i,0] *= K

ml = m.LLL()

ttt = ml.rows()[0]
print "result:", ttt
if ttt[0] != 0:
    print "Error"
    exit()
if not base:
    base = [BASE] * N
msg = []
for i in range(N):
    msg.append(base[i] + ttt[1+i])
    if not (0 <= msg[-1] <= 255):
        print "Need more bytes!"
        quit()


def shitty_hash(msg):
    h = h0
    for i in msg:
        h = (h + i)*g 
        # This line is just to screw you up :))
        h = h & 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff#mod2**256
        #print h

    return h - 0xe6168647f636

def pure_hash(msg):
    h = 0
    for i in msg:
        h = (h + i)*g 
        # This line is just to screw you up :))
        h = h & 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff#mod2**256
    return h
print base
print "m1:", "".join(map(chr, base))
print hex(shitty_hash(base)), shitty_hash(base)
print msg
diff = [i-j for i,j in zip(msg,base)]
print diff
print hex(pure_hash(diff))
print "m2:", "".join(map(chr, msg))
print hex(shitty_hash(msg)), shitty_hash(msg)