一眼花指令
这里发现call了个函数,仔细看发现
pop 出了返回地址
然后返回地址+10
0x63+0xA=0x6D(十六进制)
所以这部分
等同于nop
直接nop
同理
一样的道理
v7 % 100001 == 331 && v7 % 10000079 == 1009 && v7 % 10001269 == 10001
加密逻辑是先对num做sha256,再base64,然后用得到的值与flag进行异或
import subprocess
from typing import List
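def f1(s1: str, s2: str) -> str:
    """XOR each character of *s1* with the matching element of *s2*.

    The result is as long as the shorter input, because ``zip`` stops at the
    shorter one. *s2* is normally a ``str`` keystream, but a sequence of ints
    (for example ``bytes``) is accepted as well.

    Args:
        s1: Text to transform.
        s2: Keystream, one element per character of *s1*.

    Returns:
        The XOR of the two inputs, as a string.
    """

    def _code(unit) -> int:
        # The original did `ord(c1) ^ c2`, which raises TypeError when the
        # keystream is a str (as it is in main()); normalise to an int first.
        return unit if isinstance(unit, int) else ord(unit)

    return "".join(chr(ord(ch) ^ _code(key)) for ch, key in zip(s1, s2))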
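def f2(command: str) -> str:
    """Run *command* through the shell and return its decoded stdout.

    The exit status is not checked, and stderr is not captured.

    Args:
        command: A complete shell command line. It is handed to the shell
            verbatim (``shell=True``), so it must never contain text taken
            from an untrusted source without validation.

    Returns:
        Everything the command wrote to stdout, decoded with the default
        codec.
    """
    # subprocess.run() waits for the child and closes the pipe; the bare
    # Popen(...).stdout.read() left the process unreaped and the pipe open.
    finished = subprocess.run(command, shell=True, stdout=subprocess.PIPE)
    return finished.stdout.decode()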
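def main() -> None:
    """Check the key read from stdin and print the XOR-transformed flag.

    Reads ``flag.txt``, asks for an integer key, and verifies the key against
    sixteen modular residues. If the key passes, the flag is XORed with
    base64(sha256(decimal key)) and the result is printed.

    Raises:
        AssertionError: If the key is not smaller than the product of the
            moduli ("too big") or any residue does not match
            ("assertion failed").
        ValueError: If the input is not an integer.
    """
    # `prod` is not imported at file level; bring it into scope here so the
    # size check does not fail with NameError.
    from math import prod

    with open("flag.txt", "r") as f:
        contents = f.read().strip()
    number = int(input("Key? "))
    arr = [13817382882945892163, 11981362477940068859, 15565376004970860571, 9289653146223670153, 10756880856242106767, 9894127981516380841, 10238229679407507287, 9710703753422507729, 10657889945311313641, 13504220130461522129, 13803825974548049497, 14920116056534898233, 15632599539576708509, 13759455315204814571, 10093307776393200077, 15238687618512734183]
    expected = [10310396961361403274, 4961986008647557365, 13968825266080359119, 5116430780059239731, 7325364491754059752, 4473328037653903247, 2810438785866611784, 8321467780510747289, 5892005478714175254, 12851142119012897040, 7300192969480689261, 2282831960924441046, 5121069978296721861, 6987308129012337675, 7813058204868331779, 11203522277396859834]
    t = [number % x for x in arr]
    # Raise explicitly instead of using `assert`: assert statements are
    # stripped under `python -O`, which would disable the key check entirely.
    if not number < prod(arr):
        raise AssertionError("too big")
    if t != expected:
        raise AssertionError("assertion failed")
    # `number` went through int() above, so only an optional minus sign and
    # digits reach the shell; keep that conversion if this line is ever
    # changed.
    z = f"echo -n {number} | openssl dgst -binary -sha256 | base64"
    a = f2(z).strip()
    b = len(contents)
    print(f1(contents, a[:b]))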
# Run the key check only when this file is executed as a script.
if __name__ == "__main__":
    main()
import itertools
import base64
import hashlib
# XOR-ed flag bytes to be decrypted.
enc = '\r\x05#\x0b/\x0fDPD\x13[\x02=\\\x04;\x14&$*'
# Not used by the decryption below.
s = '5uLbdPjORVBoFSq82hVowTFZ6AAWjEuFPd4FOFKNwNg==='
# The key; presumably the value that satisfies the residue checks in the
# challenge's main() -- how it was derived is not shown here.
num = 172422282955526557272420239733996943438305195882249154057182238824896714153729386270058950137909604957537166221848663721197156751566234144960275930080154385567483899397625311698926178394763250035442862353002682792293201635194627062199951208188367133165847351849183776402598921549002077207777900223672050874
# Keystream: base64 of the raw SHA-256 digest of the key's decimal string,
# the same value as `echo -n num | openssl dgst -binary -sha256 | base64`.
digest = hashlib.sha256(str(num).encode()).digest()
aa = base64.b64encode(digest).decode()
# XOR ciphertext and keystream character by character; no trailing newline.
print("".join(chr(ord(c) ^ ord(k)) for c, k in zip(enc, aa)), end='')
#flag{H45ke11_s0_Fun}