2018强网杯记录


 

1 签到题

 2018强网杯记录_第1张图片

2welcome

下载文件,发现是一个BMP图片文件。

2018强网杯记录_第2张图片

于是使用Stegsolve工具分离,发现,得到flag

 2018强网杯记录_第3张图片

streamgame1

上脚本1

#! /usr/bin/env python3

# coding:utf8

def lfsr(R,mask):

    output = (R << 1) & 0xffffff

    i=(R&mask)&0xffffff

    lastbit=0

    while i!=0:

        lastbit^=(i&1)

        i=i>>1

    output^=lastbit

    return (output,lastbit)

mask = 0b1010011000100011100

f=open("./key","rb")

c=f.read()

f.close()

count = -1

while count <= 0b1111111111111111111:

    count += 1

    print(count)

    R = count

    for i in range(12):

        tmp=0

        for j in range(8):

            (R,out)=lfsr(R,mask)

            tmp=(tmp << 1)^out

        if tmp != c[i]:

            break

        if i == 11:

            print('succeed')

            print('flag{%s}' % bin(count)[2:])

            exit(0)

 

           

4 streamgame2

上脚本2

#! /usr/bin/env python3

# coding:utf8

def lfsr(R,mask):

    output = (R << 1) & 0xffffff

    i=(R&mask)&0xffffff

    lastbit=0

    while i!=0:

        lastbit^=(i&1)

        i=i>>1

    output^=lastbit

    return (output,lastbit)

mask = 0x100002

f=open("./key","rb")

c=f.read()

f.close()

count = -1

while count <= 0b111111111111111111111:

    count += 1

    if count % 10000 == 0:

        print(count)

    R = count

    for i in range(12):

        tmp=0

        for j in range(8):

            (R,out)=lfsr(R,mask)

            tmp=(tmp << 1)^out

        if tmp != c[i]:

            break

        if i == 11:

            print('succeed')

            print('flag{%s}' % bin(count)[2:])

            exit(0)

 

           

5 streamgame4

上脚本3

#! /usr/bin/env python3

# coding:utf8

def lfsr(R,mask):

    output = (R << 1) & 0xffffff

    i=(R&mask)&0xffffff

    lastbit=0

    while i!=0:

        lastbit^=(i&1)

        i=i>>1

    output^=lastbit

    return (output,lastbit)

mask = 0b1010011000100011100

 

f=open("./key","rb")

c=f.read()

f.close()

count = -1

while count <= 0b1111111111111111111:

    count += 1

    #print(count)

    R = count

    for i in range(12):

        tmp=0

        for j in range(8):

            (R,out)=lfsr(R,mask)

            tmp=(tmp << 1)^out

        if tmp != c[i]:

            break

        if i == 11:

            print('succeed')

            print('flag{%s}' % bin(count)[2:])

            exit(0)

 

6 web签到题

因为每次在网页里,都有网页代码的提示,三次都是绕过。

第一次绕过是利用php,==的弱等于

240610708 QNKCDZO 

第二次:传递数组,越过

第三次:利用碰撞试验,

d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89

55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b

d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0

e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70

AND

d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89

55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b

d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0

e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70

7 simple check

  反编译apk,获得java代码,明白了是对字符串的判定。

public class a

{

  private static int[] a = { 0, 146527998, 205327308, 94243885, 138810487, 408218567, 77866117, 71548549, 563255818, 559010506, 449018203, 576200653, 307283021, 467607947, 314806739, 341420795, 341420795, 469998524, 417733494, 342206934, 392460324, 382290309, 185532945, 364788505, 210058699, 198137551, 360748557, 440064477, 319861317, 676258995, 389214123, 829768461, 534844356, 427514172, 864054312 };

  private static int[] b = { 13710, 46393, 49151, 36900, 59564, 35883, 3517, 52957, 1509, 61207, 63274, 27694, 20932, 37997, 22069, 8438, 33995, 53298, 16908, 30902, 64602, 64028, 29629, 26537, 12026, 31610, 48639, 19968, 45654, 51972, 64956, 45293, 64752, 37108 };

  private static int[] c = { 38129, 57355, 22538, 47767, 8940, 4975, 27050, 56102, 21796, 41174, 63445, 53454, 28762, 59215, 16407, 64340, 37644, 59896, 41276, 25896, 27501, 38944, 37039, 38213, 61842, 43497, 9221, 9879, 14436, 60468, 19926, 47198, 8406, 64666 };

  private static int[] d = { 0, -341994984, -370404060, -257581614, -494024809, -135267265, 54930974, -155841406, 540422378, -107286502, -128056922, 265261633, 275964257, 119059597, 202392013, 283676377, 126284124, -68971076, 261217574, 197555158, -12893337, -10293675, 93868075, 121661845, 167461231, 123220255, 221507, 258914772, 180963987, 107841171, 41609001, 276531381, 169983906, 276158562 };

  

  public static boolean a(String paramString)

  {

    if (paramString.length() != b.length) {

      return false;

    }

    int[] arrayOfInt = new int[a.length];

    arrayOfInt[0] = 0;

    paramString = paramString.getBytes();

    int k = paramString.length;

    int i = 0;

    int j = 1;

    while (i < k)

    {

      arrayOfInt[j] = paramString[i];

      j += 1;

      i += 1;

    }

    i = 0;

    for (;;)

    {

      if (i >= c.length) {

        break label166;

      }

      if ((a[i] != b[i] * arrayOfInt[i] * arrayOfInt[i] + c[i] * arrayOfInt[i] + d[i]) || (a[(i + 1)] != b[i] * arrayOfInt[(i + 1)] * arrayOfInt[(i + 1)] + c[i] * arrayOfInt[(i + 1)] + d[i])) {

        break;

      }

      i += 1;

    }

    label166:

    return true;

  }

}

 

首先是判定字符串长度是否为34,然后是对字符串进行双位判定。写出脚本,得到flag

a = [0, 146527998, 205327308, 94243885, 138810487, 408218567, 77866117, 71548549, 563255818, 559010506, 449018203,

     576200653, 307283021, 467607947, 314806739, 341420795, 341420795, 469998524, 417733494, 342206934, 392460324,

     382290309, 185532945, 364788505, 210058699, 198137551, 360748557, 440064477, 319861317, 676258995, 389214123,

     829768461, 534844356, 427514172, 864054312]b = [13710, 46393, 49151, 36900, 59564, 35883, 3517, 52957, 1509, 61207, 63274, 27694, 20932, 37997, 22069, 8438, 33995,

     53298, 16908, 30902, 64602, 64028, 29629, 26537, 12026, 31610, 48639, 19968, 45654, 51972, 64956, 45293, 64752,

     37108]c = [38129, 57355, 22538, 47767, 8940, 4975, 27050, 56102, 21796, 41174, 63445, 53454, 28762, 59215, 16407, 64340,

     37644, 59896, 41276, 25896, 27501, 38944, 37039, 38213, 61842, 43497, 9221, 9879, 14436, 60468, 19926, 47198, 8406,

     64666]d = [0, -341994984, -370404060, -257581614, -494024809, -135267265, 54930974, -155841406, 540422378, -107286502,

     -128056922, 265261633, 275964257, 119059597, 202392013, 283676377, 126284124, -68971076, 261217574, 197555158,

     -12893337, -10293675, 93868075, 121661845, 167461231, 123220255, 221507, 258914772, 180963987, 107841171, 41609001,

     276531381, 169983906, 276158562]arrayOfInt = []print()for i in range (0, a.__len__()-1):

        arrayOfInt.append(int((-c[i] + (c[i] ** 2 - 4 * b[i] * (d[i] - a[i])) ** 0.5) / 2 / b[i]))

        print(int((-c[i] + (c[i] ** 2 - 4 * b[i] * (d[i] - a[i])) ** 0.5) / 2 / b[i]),end=',')answer = bytes(arrayOfInt)print(answer)

answer = str(answer)print(answer[0:36])

print('flag{MAth_i&_GOOd_DON7_90V_7hInK?}'.__len__())

8线上提交反馈

你可能感兴趣的:(CTF)