陕西省赛2023-ukfc
wp-ukfc
- 其他方向的队友去隔壁打icpc了,象征性发一下
web
ezrce
Misc
管道
re
我的upx -d怎么坏了
- 手动脱壳dump程序
- 迷宫题
- 迷宫生成
s = [
0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A,
0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x53, 0x30, 0x30, 0x30,
0x2A, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x2A, 0x2A,
0x2A, 0x30, 0x2A, 0x2A, 0x30, 0x30, 0x30, 0x2A, 0x2A, 0x2A,
0x2A, 0x2A, 0x30, 0x2A, 0x2A, 0x2A, 0x30, 0x2A, 0x30, 0x30,
0x2A, 0x30, 0x2A, 0x30, 0x30, 0x30, 0x2A, 0x30, 0x2A, 0x2A,
0x2A, 0x30, 0x30, 0x30, 0x2A, 0x2A, 0x30, 0x2A, 0x30, 0x2A,
0x30, 0x2A, 0x30, 0x2A, 0x2A, 0x2A, 0x30, 0x2A, 0x2A, 0x2A,
0x30, 0x30, 0x2A, 0x30, 0x2A, 0x30, 0x2A, 0x30, 0x30, 0x2A,
0x2A, 0x30, 0x2A, 0x2A, 0x2A, 0x30, 0x2A, 0x2A, 0x30, 0x2A,
0x30, 0x2A, 0x2A, 0x30, 0x2A, 0x2A, 0x30, 0x30, 0x30, 0x2A,
0x30, 0x2A, 0x30, 0x30, 0x2A, 0x30, 0x30, 0x2A, 0x30, 0x2A,
0x2A, 0x2A, 0x2A, 0x30, 0x2A, 0x30, 0x2A, 0x2A, 0x2A, 0x2A,
0x2A, 0x2A, 0x30, 0x23, 0x2A, 0x2A, 0x2A, 0x2A, 0x30, 0x2A,
0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x2A, 0x2A,
0x2A, 0x30, 0x30, 0x30, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A,
0x2A, 0x2A, 0x30, 0x2A, 0x2A, 0x2A, 0x30, 0x2A, 0x2A, 0x2A,
0x30, 0x30, 0x30, 0x30, 0x30, 0x2A, 0x30, 0x30, 0x2A, 0x2A,
0x2A, 0x30, 0x2A, 0x30, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x30,
0x2A, 0x2A, 0x30, 0x2A, 0x2A, 0x2A, 0x30, 0x30, 0x30, 0x30,
0x30, 0x30, 0x30, 0x2A, 0x30, 0x30, 0x30, 0x30, 0x30, 0x2A,
0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A,
0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x00]
for i in range(len(s)):
print(chr(s[i]),end=' ')
if (i+1) % 15 == 0:
print()
* * * * * * * * * * * * * * *
* S 0 0 0 * 0 0 0 0 0 0 0 * *
* 0 * * 0 0 0 * * * * * 0 * *
* 0 * 0 0 * 0 * 0 0 0 * 0 * *
* 0 0 0 * * 0 * 0 * 0 * 0 * *
* 0 * * * 0 0 * 0 * 0 * 0 0 *
* 0 * * * 0 * * 0 * 0 * * 0 *
* 0 0 0 * 0 * 0 0 * 0 0 * 0 *
* * * 0 * 0 * * * * * * 0 # *
* * * 0 * 0 0 0 0 0 0 0 0 * *
* 0 0 0 * * * * * * * * 0 * *
* 0 * * * 0 0 0 0 0 * 0 0 * *
* 0 * 0 * * * * * 0 * * 0 * *
* 0 0 0 0 0 0 0 * 0 0 0 0 0 *
* * * * * * * * * * * * * * *
RRRDRRURRRRRRDDDDRDDD
- 最后md5路径
Babypython
-
字节码
-
输出:1nb0A3b7AUQwB3b84mQ/E0MvJUb+EXbx5TQwF3bt52bAZncsd9c
-
输出时先base64加密,然后逆序,再替换了三个字符,字节码翻译成伪代码如图
-
手搓得到伪代码
import base64
s = '1nb0A3b7AUQwB3b84mQ/E0MvJUb+EXbx5TQwF3bt52bAZncsd9c'
s = s.replace('1','g')
s = s.replace('3','H')
s = s.replace('9','W')
s = s[::-1]
# decode
t = 'qglrv@onmlqpA>qmq>mBo3A?Bn
for i in t:
print(chr((ord(i) - 3) ^ 8),end='')
# flag{5dcbafe63fbf3b7d8647c1aee650ae9c}
BadCoffee
-
是一道加了混淆后的js代码,混淆主要就是在数字和字符串上,逻辑感觉上并无影响,虽然关键逻辑就一点点。
-
一步一步手动解混淆,把表达式都求出来,是两个42个数字的数组,再将一些不好看的字符串重命名一下。再看逻辑,如图:
-
Xxx函数就是传入两个数进行异或。大概就是将input逐位异或num_42数组,再倒着异或一遍num_42数组,得到了最后的密文,在最后有对密文的比较
-
exp
#include
int main()
{
unsigned char num[]={233,129,127,238,145,144,11,43,87,134,243,158,197,216,111,136,152,29,204,31,26,228,39,148,215,220,90,76,251,57,183,184,150,157,156,176,13,41,30,86,244,8};
unsigned char miwen[]={135,25,72,151,195,212,228,212,250,101,39,77,163,77,70,167,119,184,7,77,144,154,93,10,185,48,179,77,71,163,67,61,113,156,196,136,239,241,128,93,84,156};
for (int i = 41; i >= 0;i--)
miwen[41 - i] ^= num[i];
for(int i = 0; i < 42; i++){
miwen[i] ^= num[i];
printf("%c",miwen[i]);
}
return 0;
}
//flag{I_c0uld_neu3r_undeRstand_jvaVs3rIpt!}
Crypto
HaM3
pq乘积的高位和低位在n中泄露,但是这个中间有一位需要自己猜
-
构造之后yafu爆破
s = '1426720866262835870' t = '6081295993762052633' for i in range(10): print(s + str(i) + t,end=',')
-
之后就是生成PPQQ正常求解rsa
from Crypto.Util.number import * from gmpy2 import gmpy2 n = 142672086626283587048017713116658568907056287246536918432205313755474498483915485435443731126588499776739329317569276048159601495493064346081295993762052633 c = 35771468551700967499031290145813826705314774357494021918317304230766070868171631520643911378972522363861624359732252684003796428570328730483253546904382041 p = 9937378783676979077 q = 14357114660923972229 P = int(str(p) + str(q)) Q = int(str(q) + str(p)) PP = int(str(P) + str(Q)) QQ = int(str(Q) + str(P)) phi = (PP-1) * (QQ-1) e = 65537 d = gmpy2.invert(e,phi) m = pow(c,d,n) print(long_to_bytes(m)) # b'flag{HaMbu2g3r_1S_2ea1ll_D3lci0U3_By_R3A!!}'