第九届中国海洋大学信息安全CTF-WP (部分)
因为是新生赛嘛,题目还是比较简单的,不错很适合我玩哈哈哈,就差一丢丢拿奖,可惜呜呜,采购们的wp罢了,希望师傅们批评指正。
Reverse
一.钩子
顾名思义,盲猜是一手hook api的题,无壳,载入ida之后直接找一手真正的加密逻辑,先shift+f12看一手字符串。
看到假flag之后直接接着这个假的判断逻辑函数接着往上溯源,选中函数sub_7FF71CC712C0摁x,然后往回逆
继续选中StartAddress,摁x往回逆,然后到最后发现就是在装载主程序之前有先创建一个StartAddress的线程的操作,对于真正的加密逻辑进行了一个勾取
步入StartAddress,进入下图的RC4中(此处函数我已重命名)
然后就经典RC4魔改,取出密文,直接解密
贴出解密脚本如下:
key=[136,227,238,17,198,73,116,165,221,152,89,233,72,247,110,191,58,179,155,223,16,66,255,153,108,227,62,5,44,101,71,239]
table=[2,204,71,179,77,108,253,154,76,78,212,139,30,129,25,10,52,38,208,255,112,182,176,146,73,179]
S =list(range(256))
T =[key[i %len(key)]for i inrange(256)]
v9=0for j inrange(256):
v9=(T[j]+S[j]+v9)%256
S[j],S[v9]=S[v9],S[j]
a1=26
v6=0
v8=0for k inrange(26):
v6=(v6+1)%256
v8=(S[v6]+v8)%256
S[v6],S[v8]=S[v8],S[v6]print(chr(table[k]^S[(S[v8]+S[v6])%256]),end='')#flag{ho00OoOoOoked_gotcha}
二.xor++
签到题,直接贴出脚本如下:
data =[37,40,36,33,60,42,60,30,20,40,36,40,41,97,50,39,63,32,12,9,32,104,55,46,4,63,53,106,17,7,4,61,14,17,38,14,26]
key=67for i inrange(len(data)):print(chr(data[i]^key),end='')
key=key+1#flag{buT_diff1cultY_w0nt_ch4Nge_muCh}
三.睡_Lite
上手给了个hex文件,嘶,有点难受,没逆过单片机,确实不知道该咋分析,开始一直以为是arm架构,但是拖进 ida 之后好像有地址错误,嘶,卡了很久,最后还下载了个单片机的烧录软件,寻思烧录出来看看,但是后面才知道好像只知道hex文件是烧录不了的,最后回到最开始的起点,拿hex文件问了一下gpt才知道,这居然是个avr架构。。。。。。
然后转bin直接拖进ida选择avr架构,反编译成功,爽了。。。
题目说flag给的比较直接,然后看了最长的这个函数,有疑似flag的字符,应该就是直接提取
flag开头的几个字符,将字符传个r24寄存器之后都有一个call sub_48的操作,盲猜应该就是类似输出的操作,所以只需要把所有有call sub_48这个操作的字符提取出来即可。
flag{dEl4y_n0_MoR3}
Pwn
一.摩登Pwn
运行显示,输入负数可以获取flag,看程序
stroul把输入转换成无符号整数,输入
2147483648
flag{292be5d2-3a2f-4a03-ae34-c9a649c19d27}
Crypto
一.Base64*rot13
flag{ezez3zeze2ezEz}
二.模!
题目分析
from math import factorial
from functools importreduce
flag ="flag{xxxxxxxxxxxxxxxxxx}"defmooooo(s:str):
res =0for i in s:#对flag中的字符进行匹配
res <<=8#位运算,相当于乘256
res +=( factorial(ord(i))%233)#对字符进行阶乘,然后模233return res
table ="abcdefghijklmnopqrstuvwxyz{}"assert(reduce(lambda p,i:(i in table)*p, flag,True))#匹配flag,flag中的字符只能是table里的print(mooooo(flag))# output: 2508450541438803643416583335895451914701844680466330955847
既然每次是先左移8位/乘256,然后再求字符ASCII的阶乘并模233(巧的是,table里的字符的阶乘的模没有重复的)
那样我们可以倒着求,先除256,然后得到的余数就是字符ASCII的阶乘并模233的结果,然后结果逆置,匹配,即为结果
from math import factorial
from functools importreduce# table = "abcdefghijklmnopqrstuvwxyz{}"
de_dict ={114:'a',221:'b',210:'c',30:'d',1:'e',102:'f',21:'g',87:'h',48:'i',195:'j',128:'k',77:'l',5:'m',84:'n',4:'o',215:'p',63:'q',192:'r',178:'s',144:'t',72:'u',108:'v',37:'w',13:'x',175:'y',147:'z',140:'{',71:'}'}
en_flag =2508450541438803643416583335895451914701844680466330955847
result_t =[]for i inrange(24):
temp_x = en_flag %256
result_t.insert(0, temp_x)
en_flag = en_flag - temp_x
en_flag = en_flag //256for x in result_t:
everyf = de_dict.get(x)print(everyf,end='')
flag{dalaodalaohaolihai}
三.NeXT RSA
原题分析
import sympy
import libnum
flag="flag{"+"???"+"}"
m = libnum.s2n(flag)
p = sympy.randprime(1<<1024,1<<1025)#随机数,在1024位到1025位之间的数
q = sympy.nextprime(p)#p下一个素数
n = p*q
r =(p-1)*(q-1)
e =65537
c =pow(m, e, n)#正常RSAprint(n, e, c)# output:# 80044118049755180996754407858488943779355738585718372337839486032339412481191013051614126608584578841408197524632831442032118319629160505851518198448787590483634506563248531254421862061651099856312546562506221294620627871718678484548245902274972044599314097339549053518589561289734819710218838311181044519738709148493164321955860982700783886286661558574861608455547990794798848491695189544811325833194530596317989718866319530140199263278168146224240677087191093183415595617994125075880280632369616506148501757653260154487000183157405531772172082897743929126980157956142627803176227942226654177011633301413616266656761# 65537# 23280133104463252598665779150831148192014617461904564929071121215373331248942762386170411274023248423328388793808975632652896384007449549469345318875514363621903138122407682293848670093433946555776164835208375667498606187869211466397624286383057425296636315379314349307816391315242971306898487494604324473266965665471735612154916305882443496151118031672777088597821127499085632141307413890900246444539517971766135909771880642211582699957211983212981047822362311969553832913399476190919026666192056319334425636757404603336130688707109219644178606626422717046059209499394056295682594928581470210114322505904198054215544
根据脚本看,p和q十分接近,那就可以开n的平方,求到在p、q之间的数字,然后向下/向上遍历,找到p和q,然后解RSA
结题脚本:
import math
import gmpy2
from Crypto.Util.number import*
n =80044118049755180996754407858488943779355738585718372337839486032339412481191013051614126608584578841408197524632831442032118319629160505851518198448787590483634506563248531254421862061651099856312546562506221294620627871718678484548245902274972044599314097339549053518589561289734819710218838311181044519738709148493164321955860982700783886286661558574861608455547990794798848491695189544811325833194530596317989718866319530140199263278168146224240677087191093183415595617994125075880280632369616506148501757653260154487000183157405531772172082897743929126980157956142627803176227942226654177011633301413616266656761defexp1(num):
root = gmpy2.iroot(num,2)[0]for i inrange(root, num):if num % i ==0:
p = i
q = num // i
print(f'p = {p}')print(f'q = {q}')return p, q
defDecrypt(c,e,p,q):
phi=(p-1)*(q-1)#算欧拉函数
d = inverse(e, phi)
m2 =pow(c, d, n)
m = long_to_bytes(m2)print(m)
e =65537
c =23280133104463252598665779150831148192014617461904564929071121215373331248942762386170411274023248423328388793808975632652896384007449549469345318875514363621903138122407682293848670093433946555776164835208375667498606187869211466397624286383057425296636315379314349307816391315242971306898487494604324473266965665471735612154916305882443496151118031672777088597821127499085632141307413890900246444539517971766135909771880642211582699957211983212981047822362311969553832913399476190919026666192056319334425636757404603336130688707109219644178606626422717046059209499394056295682594928581470210114322505904198054215544
p, q = exp1(n)
Decrypt(c, e, p, q)
flag{n0t_s3Cure_4t_aIl}
Misc
一.帕鲁服务器#1
打开虚拟机
抓包试试
flag{Ur_s3rVer_1s_n0w_mY_p4l}
二.一眼盯帧
得到一个理塘王的视频,放的时候发现有异常图片闪过,既然盯帧了都,直接下载下来拆个帧,每一帧一拆,六千来张,直接按大小排个序,整合一下异常图片。
得到62个表达式图片,思路清晰了,直接把表达式拿出来z3一把嗦了,一开始用uTools的OCR一个个识别,最后z3没嗦出来,心态炸了,最后又重新弄了一遍,找了个在线网站https://web.baimiaoapp.com/,一次最多识别放50张,分两次把62张放进去,还挺好用的
贴出解密脚本如下:
from z3 import*
a1 = Int('a1')
a2 = Int('a2')
a3 = Int('a3')
a4 = Int('a4')
a5 = Int('a5')
a6 = Int('a6')
a7 = Int('a7')
a8 = Int('a8')
a9 = Int('a9')
a10 = Int('a10')
a11 = Int('a11')
a12 = Int('a12')
a13 = Int('a13')
a14 = Int('a14')
a15 = Int('a15')
a16 = Int('a16')
a17 = Int('a17')
a18 = Int('a18')
a19 = Int('a19')
a20 = Int('a20')
a21 = Int('a21')
a22 = Int('a22')
a23 = Int('a23')
a24 = Int('a24')
a25 = Int('a25')
a26 = Int('a26')
a27 = Int('a27')
a28 = Int('a28')
a29 = Int('a29')
a30 = Int('a30')
a31 = Int('a31')
slover = Solver()
slover.add(40*a1 +42*a2 +69*a3 +91*a4 +91*a5 +74*a6 +45*a7 +49*a8 +99*a9 +41*a10 +79*a11 +26*a12 +51*a13+74*a14+84*a15 +31*a16 +74*a17 +11*a18+87*a19 +76*a20 +26*a21 +40*a22 +13*a23 +31*a24 +39*a25 +7*a26 +84*a27 +65*a28 +25*a29 +88*a30+13*a31==159700)
slover.add(76*a1+23*a2 +47*a3 +95*a4 +56*a5 +94*a6 +9*a7 +89*a8 +1*a9 +27*a10 +64*a11 +54*a12 +77*a13 +57*a14 +11*a15 +80*a16+61*a17+98*a18 +14*a19 +72*a20 +67*a21 +98*a22 +66*a23 +26*a24 +11*a25+36*a26 +94*a27 +66*a28 +99*a29 +64*a30 +40*a31==171444)
slover.add(49*a1 +38*a2 +20*a3 +28*a4 +36*a5 +44*a6 +85*a7 +48*a8 +74*a9 +73*a10 +27*a11 +99*a12 +21*a13+72*a14 +89*a15 +3*a16 +3*a17 +72*a18 +71*a19 +29*a20 +92*a21 +19*a22 +42*a23+87*a24 +97*a25 +36*a26 +84*a27 +56*a28 +96*a29 +40*a30 +82*a31==164206)
slover.add(81*a1 +88*a2 +41*a3 +98*a4+8*a5 +70*a6 +19*a7 +85*a8 +37*a9 +64*a10 +24*a11 +96*a12 +94*a13 +78*a14 +81*a15 +38*a16 +10*a17 +87*a18 +75*a19 +35*a20 +7*a21 +98*a22 +63*a23 +37*a24 +4*a25 +40*a26 +13*a27 +83*a28 +99*a29 +61*a30 +60*a31==171511)
slover.add(53*a1 +39*a2 +10*a3 +36*a4 +37*a5 +42*a6 +69*a7 +66*a8 +22*a9 +33*a10 +34*a11 +4*a12 +77*a13 +94*a14 +51*a15 +87*a16+3*a17+34*a18 +44*a19 +17*a20+48*a21 +31*a22 +62*a23+15*a24 +59*a25 +39*a26 +42*a27 +48*a28 +63*a29 +44*a30 +84*a31==131705)
slover.add(95*a1 +37*a2 +70*a3 +10*a4+72*a5 +37*a6 +26*a7 +11*a8 +89*a9 +36*a10 +80*a11 +81*a12 +13*a13 +84*a14 +79*a15 +69*a16 +15*a17 +53*a18+52*a19 +92*a20 +13*a21 +44*a22 +33*a23 +48*a24 +77*a25 +40*a26 +50*a27 +20*a28 +9*a29 +69*a30 +44*a31==149011)
slover.add(58*a1 +53*a2 +93*a3 +4*a4 +33*a5 +76*a6 +88*a7 +7*a8 +21*a9+24*a10 +8*a11 +35*a12 +64*a13 +54*a14 +20*a15 +1*a16+4*a17 +42*a18 +29*a19 +96*a20 +40*a21 +22*a22 +39*a23 +47*a24 +4*a25 +42*a26 +31*a27 +69*a28 +39*a29 +6*a30 +50*a31==114939)
slover.add(89*a1 +73*a2 +43*a3 +41*a4 +28*a5 +19*a6 +83*a7 +32*a8 +65*a9 +37*a10 +22*a11 +22*a12 +42*a13 +74*a14 +43*a15 +72*a16+4*a17 +94*a18 +66*a19 +60*a20 +63*a21 +91*a22 +69*a23 +7*a24 +39*a25 +96*a26 +76*a27 +5*a28 +32*a29 +57*a30 +22*a31==147181)
slover.add(76*a1 +83*a2 +10*a3 +31*a4 +18*a5 +2*a6 +2*a7 +65*a8 +27*a9 +47*a10 +63*a11 +61*a12 +77*a13 +38*a14+22*a15 +49*a16+4*a17 +2*a18 +63*a19 +24*a20 +16*a21 +36*a22 +48*a23 +50*a24 +40*a25 +78*a26 +19*a27 +95*a28 +73*a29 +47*a30 +56*a31 ==128931)
slover.add(93*a1 +3*a2 +86*a3 +90*a4 +97*a5 +11*a6 +66*a7 +69*a8 +96*a9 +62*a10 +40*a11 +58*a12 +25*a13+64*a14 +50*a15 +65*a16+59*a17 +5*a18 +7*a19 +55*a20 +92*a21 +29*a22 +35*a23 +83*a24 +59*a25 +55*a26 +51*a27 +62*a28+1*a29 +64*a30 +12*a31==159474)
slover.add(60*a1 +19*a2 +66*a3 +62*a4 +42*a5 +86*a6 +61*a7 +63*a8 +56*a9 +2*a10 +46*a11 +7*a12 +7*a13 +2*a14 +16*a15 +97*a16 +12*a17 +28*a18 +11*a19 +92*a20 +26*a21 +64*a22 +63*a23 +62*a24 +45*a25+56*a26 +50*a27 +97*a28 +62*a29 +71*a30 +65*a31 ==146558)
slover.add(11*a1 +79*a2 +17*a3 +68*a4+26*a5 +38*a6 +23*a7 +78*a8 +82*a9 +71*a10 +46*a11 +18*a12 +20*a13 +19*a14 +89*a15 +86*a16 +20*a17 +54*a18 +47*a19 +15*a20+62*a21 +49*a22 +97*a23 +75*a24 +17*a25+76*a26 +52*a27 +62*a28 +65*a29 +89*a30 +80*a31 ==158569)
slover.add(79*a1 +10*a2 +66*a3+31*a4+76*a5 +58*a6 +45*a7 +64*a8 +97*a9 +9*a10 +15*a11 +6*a12 +61*a13 +65*a14 +52*a15 +1*a16 +38*a17 +11*a18 +66*a19 +21*a20 +30*a21 +76*a22 +41*a23 +75*a24 +52*a25+45*a26 +91*a27 +96*a28 +29*a29 +64*a30 +59*a31 ==149303)
slover.add(87*a1 +64*a2 +72*a3 +22*a4 +38*a5 +64*a6 +27*a7 +35*a8 +18*a9 +24*a10 +64*a11 +80*a12 +35*a13 +56*a14 +39*a15 +97*a16+83*a17 +88*a18 +21*a19 +51*a20 +76*a21 +63*a22 +54*a23 +38*a24 +92*a25+56*a26 +84*a27 +75*a28 +38*a29 +2*a30 +43*a31==162212)
slover.add(89*a1 +93*a2 +48*a3 +5*a4 +37*a5 +76*a6 +32*a7 +66*a8 +25*a9 +39*a10 +59*a11 +14*a12 +48*a13 +62*a14 +4*a15 +76*a16 +72*a17 +78*a18+40*a19 +96*a20 +68*a21 +35*a22 +89*a23 +3*a24 +29*a25 +17*a26 +63*a27 +43*a28 +61*a29 +37*a30 +12*a31==142706)
slover.add(4*a1 +25*a2 +16*a3 +45*a4 +65*a5 +17*a6 +39*a7 +59*a8 +82*a9 +54*a10 +69*a11 +59*a12+86*a13 +37*a14 +70*a15+21*a16 +46*a17 +89*a18 +96*a19 +32*a20 +35*a21 +69*a22 +22*a23 +13*a24 +95*a25 +58*a26 +94*a27 +29*a28+84*a29 +24*a30 +3*a31==146480)
slover.add(50*a1 +48*a2 +87*a3 +37*a4 +53*a5 +19*a6 +24*a7 +30*a8 +40*a9 +31*a10 +18*a11 +89*a12 +81*a13 +70*a14 +98*a15 +87*a16 +98*a17 +82*a18+31*a19+71*a20+30*a21 +28*a22 +95*a23 +22*a24 +15*a25+73*a26 +51*a27 +92*a28 +32*a29 +97*a30 +65*a31 ==168401)
slover.add(40*a1+20*a2+13*a3+25*a4+87*a5 +95*a6 +47*a7 +80*a8 +22*a9 +43*a10 +4*a11 +83*a12 +50*a13 +85*a14 +39*a15 +22*a16+75*a17 +3*a18 +22*a19 +6*a20 +16*a21 +29*a22 +65*a23 +19*a24 +64*a25 +48*a26 +41*a27 +8*a28 +10*a29 +66*a30 +12*a31==117331)
slover.add(37*a1 +49*a2 +63*a3 +49*a4+3*a5 +54*a6 +52*a7 +61*a8 +58*a9 +36*a10 +24*a11 +6*a12 +46*a13 +47*a14 +16*a15 +29*a16 +83*a17 +2*a18 +50*a19 +94*a20 +38*a21 +56*a22 +34*a23+13*a24 +34*a25+12*a26 +41*a27 +47*a28 +35*a29 +67*a30 +74*a31==125357)
slover.add(37*a1+2*a2 +12*a3+84*a4 +79*a5 +36*a6 +93*a7 +64*a8 +68*a9 +7*a10 +37*a11 +58*a12 +68*a13+49*a14 +19*a15 +95*a16 +43*a17 +22*a18+10*a19 +21*a20 +70*a21 +72*a22 +73*a23+19*a24 +32*a25 +8*a26 +6*a27 +89*a28 +43*a29 +32*a30+95*a31==138223)
slover.add(24*a1 +23*a2 +12*a3 +73*a4 +32*a5 +3*a6 +61*a7 +51*a8 +85*a9 +94*a10 +36*a11 +90*a12 +49*a13 +97*a14+18*a15 +55*a16 +26*a17 +40*a18+39*a19 +95*a20 +61*a21 +17*a22 +29*a23 +7*a24 +40*a25 +58*a26 +5*a27 +49*a28 +2*a29 +83*a30 +69*a31 ==136759)
slover.add(64*a1 +28*a2 +52*a3+74*a4+84*a5 +36*a6 +39*a7 +55*a8 +40*a9 +44*a10+47*a11 +23*a12 +1*a13 +58*a14 +33*a15 +25*a16 +70*a17 +20*a18 +45*a19 +33*a20+15*a21 +77*a22 +46*a23 +8*a24 +5*a25 +98*a26 +39*a27 +72*a28 +9*a29 +99*a30 +25*a31==128285)
slover.add(39*a1 +8*a2 +57*a3 +39*a4 +27*a5 +98*a6 +70*a7 +77*a8 +97*a9 +20*a10 +5*a11 +2*a12 +62*a13 +88*a14 +42*a15 +58*a16 +86*a17 +94*a18 +91*a19 +76*a20 +46*a21 +32*a22 +10*a23+75*a24 +99*a25 +62*a26 +76*a27 +78*a28 +72*a29 +50*a30 +50*a31==173243)
slover.add(52*a1+69*a2 +20*a3+29*a4+23*a5 +30*a6 +74*a7 +21*a8 +9*a9 +5*a10 +76*a11 +5*a12 +45*a13+49*a14 +59*a15 +25*a16 +98*a17 +54*a18+80*a19 +19*a20 +51*a21 +37*a22 +85*a23+84*a24 +78*a25 +54*a26 +5*a27+21*a28 +97*a29 +92*a30 +78*a31==138560)
slover.add(24*a1+70*a2+59*a3 +66*a4+7*a5 +59*a6 +95*a7 +46*a8 +28*a9 +21*a10 +99*a11 +95*a12 +61*a13+43*a14 +50*a15 +3*a16 +15*a17 +79*a18 +88*a19 +51*a20 +72*a21 +67*a22 +67*a23 +47*a24 +76*a25+45*a26 +18*a27 +32*a28 +82*a29 +37*a30 +20*a31 ==148441)
slover.add(76*a1 +10*a2 +22*a3 +48*a4 +64*a5 +22*a6 +94*a7 +25*a8 +44*a9 +83*a10 +24*a11 +64*a12 +58*a13 +41*a14 +4*a15+29*a16 +96*a17 +78*a18 +45*a19 +30*a20 +35*a21 +62*a22 +81*a23 +54*a24 +5*a25 +82*a26 +14*a27 +46*a28 +16*a29 +18*a30 +69*a31 ==134112)
slover.add(65*a1 +72*a2 +44*a3 +52*a4+29*a5 +17*a6 +31*a7 +44*a8 +58*a9 +26*a10 +47*a11 +82*a12 +47*a13 +80*a14 +3*a15 +97*a16+88*a17+9*a18 +10*a19 +21*a20 +79*a21 +27*a22 +49*a23 +24*a24 +2*a25 +64*a26 +60*a27 +45*a28+19*a29 +97*a30 +76*a31==140899)
slover.add(98*a1+61*a2 +33*a3 +62*a4+50*a5 +7*a6 +88*a7 +75*a8 +94*a9 +21*a10 +37*a11 +55*a12 +32*a13 +39*a14 +42*a15 +11*a16+48*a17 +87*a18 +34*a19 +14*a20 +76*a21 +13*a22 +39*a23 +27*a24 +62*a25 +38*a26 +53*a27 +27*a28 +20*a29 +67*a30 +94*a31==145615)
slover.add(54*a1+23*a2 +33*a3 +16*a4+7*a5 +12*a6 +58*a7 +67*a8 +88*a9 +84*a10 +51*a11 +27*a12 +96*a13 +9*a14 +73*a15 +51*a16+27*a17+52*a18 +96*a19 +56*a20 +87*a21 +66*a22 +49*a23 +74*a24 +28*a25 +71*a26 +94*a27 +16*a28 +43*a29 +33*a30 +57*a31 ==155144)
slover.add(82*a1 +42*a2 +13*a3 +65*a4 +17*a5 +31*a6 +46*a7 +25*a8 +62*a9 +65*a10 +56*a11 +56*a12+26*a13 +62*a14 +76*a15+69*a16 +40*a17 +31*a18 +58*a19 +54*a20 +9*a21 +23*a22 +72*a23 +95*a24 +75*a25 +74*a26 +32*a27 +8*a28 +53*a29 +36*a30 +71*a31 ==144052)
slover.add(75*a1 +5*a2 +53*a3 +71*a4 +9*a5 +14*a6 +16*a7 +80*a8 +41*a9 +70*a10 +63*a11 +81*a12 +73*a13 +24*a14 +96*a15 +61*a16 +87*a17 +28*a18 +89*a19 +43*a20 +46*a21+4*a22 +59*a23 +91*a24 +10*a25 +1*a26 +41*a27 +87*a28 +99*a29 +9*a30 +74*a31==154311)
slover.add(81*a1 +69*a2 +66*a3 +57*a4 +58*a5 +72*a6 +8*a7 +61*a8 +5*a9 +73*a10 +35*a11 +57*a12 +67*a13 +77*a14 +35*a15 +7*a16 +91*a17 +83*a18 +4*a19 +92*a20 +39*a21+84*a22 +47*a23 +60*a24 +35*a25 +59*a26 +74*a27 +42*a28 +51*a29 +93*a30+20*a31==164152)
slover.add(34*a1 +7*a2 +10*a3 +52*a4 +39*a5 +34*a6 +52*a7 +7*a8 +73*a9 +34*a10+8*a11 +76*a12 +63*a13 +32*a14 +40*a15 +70*a16 +7*a17 +38*a18 +32*a19 +92*a20 +97*a21+87*a22 +57*a23 +74*a24 +46*a25 +3*a26 +14*a27 +84*a28 +35*a29 +92*a30 +62*a31==143604)
slover.add(48*a1 +35*a2 +21*a3 +87*a4+4*a5 +65*a6 +70*a7 +69*a8 +34*a9 +63*a10 +25*a11 +23*a12 +62*a13+72*a14 +75*a15 +98*a16 +18*a17 +86*a18+19*a19 +54*a20 +96*a21 +74*a22 +97*a23 +27*a24 +21*a25 +74*a26 +74*a27 +90*a28 +33*a29 +71*a30 +46*a31==164871)
slover.add(74*a1 +49*a2 +85*a3 +69*a4 +54*a5 +86*a6 +75*a7 +34*a8 +30*a9 +42*a10 +71*a11 +52*a12 +35*a13 +22*a14 +91*a15 +34*a16 +13*a17 +1*a18 +80*a19 +48*a20 +32*a21 +71*a22 +88*a23+68*a24 +22*a25+64*a26 +60*a27 +85*a28 +79*a29 +52*a30 +22*a31==158482)
slover.add(65*a1 +99*a2 +25*a3 +72*a4 +68*a5 +66*a6 +85*a7 +8*a8 +24*a9 +59*a10 +74*a11 +99*a12 +82*a13 +88*a14+17*a15 +21*a16 +70*a17 +68*a18+2*a19 +22*a20 +69*a21 +32*a22 +38*a23 +27*a24+8*a25+7*a26+19*a27 +36*a28 +32*a29 +85*a30+40*a31==140834)
slover.add(11*a1 +37*a2 +33*a3+25*a4 +10*a5 +12*a6 +99*a7 +58*a8 +66*a9 +94*a10 +94*a11 +78*a12 +33*a13 +15*a14 +92*a15 +64*a16 +39*a17 +23*a18 +11*a19 +41*a20 +67*a21 +8*a22 +24*a23 +4*a24 +40*a25 +92*a26 +54*a27 +37*a28+94*a29 +71*a30 +25*a31==134191)
slover.add(78*a1 +57*a2 +74*a3 +90*a4+14*a5 +52*a6 +7*a7 +12*a8 +57*a9 +14*a10 +47*a11 +20*a12 +24*a13 +32*a14 +61*a15 +85*a16 +58*a17 +99*a18 +18*a19 +52*a20 +31*a21 +77*a22 +13*a23 +69*a24 +62*a25+85*a26 +46*a27+40*a28+75*a29 +48*a30 +69*a31==153769)
slover.add(39*a1 +62*a2 +21*a3+75*a4+24*a5 +8*a6 +12*a7 +66*a8 +2*a9 +74*a10 +21*a11 +40*a12 +84*a13 +36*a14 +45*a15 +98*a16 +95*a17 +43*a18+49*a19 +27*a20 +61*a21 +24*a22 +1*a23 +90*a24+89*a25 +70*a26 +45*a27 +65*a28 +46*a29 +17*a30 +65*a31==149992)
slover.add(2*a1 +97*a2 +59*a3 +95*a4 +21*a5 +52*a6 +49*a7 +30*a8 +59*a9 +62*a10 +81*a11 +91*a12 +56*a13 +69*a14 +36*a15 +12*a16 +92*a17+12*a18 +58*a19 +16*a20 +38*a21 +24*a22 +31*a23+87*a24 +98*a25+13*a26 +83*a27 +33*a28+11*a29 +89*a30 +50*a31 ==152681)
slover.add(85*a1 +75*a2 +2*a3 +54*a4+72*a5 +14*a6 +76*a7 +49*a8 +71*a9 +21*a10 +52*a11 +12*a12 +48*a13+67*a14 +48*a15 +50*a16 +78*a17 +85*a18 +59*a19 +86*a20 +43*a21 +9*a22 +28*a23 +60*a24 +66*a25+35*a26 +42*a27 +51*a28 +84*a29 +33*a30 +38*a31==151583)
slover.add(76*a1 +64*a2 +28*a3 +18*a4+26*a5 +12*a6 +48*a7 +38*a8 +45*a9 +32*a10 +31*a11 +32*a12 +70*a13 +76*a14 +55*a15 +32*a16 +66*a17 +10*a18 +92*a19 +32*a20+75*a21 +52*a22 +89*a23+84*a24+53*a25+25*a26 +14*a27 +86*a28+44*a29 +25*a30 +27*a31 ==135652)
slover.add(22*a1+73*a2 +60*a3+72*a4+85*a5 +8*a6 +75*a7 +91*a8 +90*a9 +93*a10 +40*a11 +2*a12 +89*a13 +89*a14 +34*a15 +87*a16 +77*a17 +99*a18 +71*a19 +82*a20 +34*a21 +6*a22 +10*a23+92*a24 +8*a25 +8*a26 +5*a27 +66*a28 +29*a29 +77*a30 +72*a31==171031)
slover.add(47*a1 +30*a2+43*a3+62*a4+29*a5 +79*a6 +4*a7 +92*a8 +45*a9 +93*a10 +11*a11+41*a12 +86*a13 +51*a14 +15*a15 +25*a16+4*a17 +38*a18 +59*a19 +67*a20+57*a21 +28*a22 +36*a23 +97*a24 +69*a25 +5*a26 +71*a27 +95*a28 +39*a29 +7*a30 +12*a31==144653)
slover.add(96*a1 +45*a2 +36*a3 +83*a4 +61*a5 +3*a6 +44*a7 +20*a8 +70*a9 +93*a10 +23*a11 +83*a12 +19*a13 +77*a14 +54*a15 +64*a16 +41*a17 +76*a18 +60*a19 +92*a20 +44*a21 +63*a22 +42*a23+84*a24+26*a25+68*a26 +74*a27 +58*a28 +32*a29 +50*a30 +81*a31==171959)
slover.add(64*a1 +56*a2 +43*a3 +39*a4+85*a5 +16*a6 +67*a7 +86*a8 +22*a9 +16*a10 +40*a11 +68*a12 +97*a13 +6*a14 +37*a15 +20*a16 +5*a17 +3*a18 +82*a19 +73*a20 +21*a21+97*a22 +95*a23+96*a24 +6*a25 +62*a26+95*a27+45*a28+55*a29 +8*a30 +51*a31==151173)
slover.add(17*a1 +49*a2 +16*a3 +59*a4 +1*a5 +66*a6 +82*a7 +58*a8 +91*a9+8*a10+44*a11 +13*a12 +88*a13 +98*a14 +44*a15 +41*a16 +27*a17 +68*a18 +2*a19 +33*a20 +99*a21 +37*a22 +92*a23+94*a24 +43*a25 +16*a26 +86*a27 +96*a28 +36*a29 +89*a30+23*a31==151468)
slover.add(23*a1 +40*a2 +5*a3 +76*a4 +15*a5 +39*a6 +5*a7 +69*a8 +48*a9+3*a10+99*a11 +14*a12 +66*a13 +97*a14 +66*a15 +90*a16 +17*a17 +41*a18 +73*a19 +45*a20 +45*a21 +36*a22 +81*a23+74*a24 +53*a25 +29*a26 +93*a27 +25*a28 +35*a29 +34*a30+8*a31==135144)
slover.add(6*a1 +78*a2 +51*a3 +74*a4+1*a5 +25*a6 +41*a7 +99*a8 +52*a9+74*a10 +30*a11 +97*a12 +63*a13 +2*a14 +25*a15 +76*a16 +56*a17 +35*a18 +28*a19 +34*a20 +40*a21 +18*a22 +65*a23 +67*a24 +43*a25 +78*a26 +6*a27 +54*a28 +38*a29 +45*a30+81*a31==146290)
slover.add(58*a1 +47*a2 +72*a3 +43*a4 +99*a5 +36*a6 +89*a7 +31*a8 +61*a9 +66*a10 +59*a11 +74*a12 +32*a13 +2*a14 +39*a15 +73*a16 +86*a17 +63*a18 +18*a19 +92*a20 +44*a21 +67*a22 +37*a23 +66*a24 +25*a25 +32*a26 +59*a27 +31*a28+11*a29 +41*a30 +65*a31 ==157439)
slover.add(79*a1+18*a2+22*a3+73*a4+21*a5 +76*a6 +5*a7 +27*a8 +36*a9 +22*a10 +90*a11 +23*a12 +20*a13 +88*a14 +77*a15 +18*a16 +10*a17 +14*a18 +80*a19 +1*a20 +96*a21 +97*a22 +41*a23 +90*a24 +53*a25 +20*a26 +41*a27 +2*a28 +87*a29 +8*a30 +40*a31==127198)
slover.add(94*a1 +70*a2 +72*a3 +93*a4 +17*a5 +56*a6 +53*a7 +78*a8 +72*a9 +49*a10 +86*a11 +62*a12 +41*a13 +85*a14 +69*a15 +71*a16+20*a17 +34*a18 +24*a19 +24*a20 +14*a21 +86*a22 +54*a23 +13*a24 +41*a25 +68*a26 +31*a27 +50*a28 +23*a29 +94*a30 +72*a31==162137)
slover.add(34*a1 +95*a2 +66*a3 +79*a4 +91*a5 +35*a6 +8*a7 +16*a8 +95*a9 +95*a10 +40*a11 +68*a12 +13*a13 +54*a14+80*a15 +98*a16 +15*a17 +39*a18+41*a19 +79*a20 +34*a21 +54*a22 +92*a23+17*a24 +97*a25 +76*a26 +49*a27 +95*a28 +6*a29 +83*a30 +79*a31==180077)
slover.add(74*a1 +42*a2 +45*a3 +72*a4 +6*a5 +3*a6 +59*a7 +47*a8 +57*a9 +62*a10+85*a11 +6*a12 +72*a13+25*a14 +78*a15 +27*a16 +6*a17 +27*a18+61*a19 +88*a20 +60*a21+89*a22 +53*a23 +76*a24 +97*a25 +56*a26 +52*a27 +26*a28 +5*a29 +7*a30 +35*a31==142239)
slover.add(53*a1 +30*a2 +63*a3 +88*a4 +54*a5 +99*a6 +40*a7 +85*a8 +42*a9+35*a10 +99*a11 +88*a12 +55*a13 +8*a14 +24*a15 +91*a16 +55*a17 +23*a18+53*a19 +68*a20+76*a21 +49*a22 +32*a23 +80*a24 +81*a25+95*a26 +21*a27 +73*a28 +83*a29 +46*a30 +44*a31==179115)
slover.add(55*a1+43*a2 +39*a3 +27*a4+19*a5 +41*a6 +7*a7 +70*a8 +54*a9 +53*a10 +38*a11 +72*a12 +50*a13+1*a14 +15*a15 +89*a16+79*a17+17*a18 +32*a19 +58*a20 +64*a21 +68*a22 +12*a23+92*a24 +53*a25 +33*a26 +54*a27 +67*a28 +34*a29 +25*a30 +37*a31==140482)
slover.add(23*a1 +39*a2 +6*a3 +84*a4 +81*a5+4*a6+47*a7+8*a8+1*a9 +46*a10 +7*a11 +85*a12 +60*a13 +26*a14 +57*a15 +24*a16 +60*a17 +70*a18 +42*a19 +97*a20 +25*a21 +88*a22 +64*a23 +1*a24 +58*a25 +25*a26 +93*a27 +8*a28+16*a29 +85*a30 +19*a31==130498)
slover.add(9*a1 +88*a2 +7*a3 +54*a4 +77*a5 +34*a6 +58*a7 +43*a8 +17*a9 +93*a10+15*a11 +84*a12 +65*a13 +64*a14 +34*a15 +55*a16 +89*a17 +61*a18 +64*a19 +31*a20 +33*a21 +29*a22 +52*a23 +79*a24 +83*a25 +78*a26 +9*a27 +96*a28+52*a29 +30*a30+14*a31==153195)
slover.add(15*a1 +84*a2 +36*a3+24*a4+97*a5 +67*a6 +14*a7 +66*a8 +22*a9 +4*a10 +90*a11 +96*a12 +3*a13 +50*a14 +47*a15 +7*a16 +67*a17 +33*a18 +5*a19 +52*a20 +56*a21 +55*a22 +3*a23 +69*a24 +73*a25 +65*a26 +56*a27 +91*a28+98*a29 +52*a30 +90*a31==154967)
slover.add(14*a1+27*a2 +99*a3 +64*a4+19*a5 +37*a6 +63*a7 +26*a8 +51*a9 +52*a10 +44*a11 +8*a12 +15*a13+29*a14 +36*a15 +26*a16 +94*a17 +85*a18 +40*a19+2*a20+75*a21 +10*a22 +47*a23 +77*a24 +55*a25+77*a26 +88*a27 +12*a28 +36*a29 +59*a30 +33*a31==131294)
slover.add(17*a1 +93*a2 +64*a3 +86*a4 +59*a5 +6*a6 +73*a7 +60*a8 +7*a9 +83*a10+61*a11 +37*a12 +27*a13 +84*a14 +89*a15 +65*a16 +17*a17 +47*a18 +60*a19 +32*a20 +37*a21 +62*a22 +64*a23 +94*a24 +75*a25 +8*a26 +61*a27 +73*a28+17*a29 +36*a30+81*a31==159522)
slover.add(76*a1+94*a2 +26*a3+86*a4+73*a5 +31*a6 +60*a7 +42*a8 +26*a9 +23*a10 +30*a11 +78*a12 +29*a13 +86*a14 +71*a15 +87*a16 +30*a17 +88*a18+65*a19+47*a20+28*a21 +17*a22 +42*a23+17*a24 +42*a25+81*a26 +41*a27 +82*a28 +48*a29 +67*a30 +90*a31 ==165913)if slover.check()== sat:
model = slover.model()print(model)else:print("No solution found.")#102 108 97 103 123 108 48 110 103 95 49 105 118 51 95 116 72 101 95 108 105 84 52 110 103 95 107 105 78 103 125#flag{l0ng_1iv3_tHe_liT4ng_kiNg}
Web
一.ezphp
GET:
?a[]=1&b[]=0&O+U+C=100%0a&md5=ouc
POST:
md51[]=1&md52[]=0
Cookie:
md5=06d92f344c7d8c89cb164353ca0fa070
这道题我是傻波一,第二个想半天,最后还以为是哈希扩展攻击,结果是白给
二.菜狗工具#1
flag{af048055-42e4-4610-9f48-5ce68b885885}
本文转载自: https://blog.csdn.net/m0_75243362/article/details/138258063
版权归原作者 bananashipsBBQ 所有, 如有侵权,请联系我们删除。
版权归原作者 bananashipsBBQ 所有, 如有侵权,请联系我们删除。