陕西省赛2023-ukfc

wp-ukfc

  • 其他方向的队友去隔壁打icpc了,象征性发一下

web

ezrce

陕西省赛2023-ukfc_第1张图片

Misc

管道

陕西省赛2023-ukfc_第2张图片

re

我的upx -d怎么坏了

  • 手动脱壳dump程序
  • 迷宫题
  • 迷宫生成
s = [
  0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A,
  0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x53, 0x30, 0x30, 0x30,
  0x2A, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x2A, 0x2A,
  0x2A, 0x30, 0x2A, 0x2A, 0x30, 0x30, 0x30, 0x2A, 0x2A, 0x2A,
  0x2A, 0x2A, 0x30, 0x2A, 0x2A, 0x2A, 0x30, 0x2A, 0x30, 0x30,
  0x2A, 0x30, 0x2A, 0x30, 0x30, 0x30, 0x2A, 0x30, 0x2A, 0x2A,
  0x2A, 0x30, 0x30, 0x30, 0x2A, 0x2A, 0x30, 0x2A, 0x30, 0x2A,
  0x30, 0x2A, 0x30, 0x2A, 0x2A, 0x2A, 0x30, 0x2A, 0x2A, 0x2A,
  0x30, 0x30, 0x2A, 0x30, 0x2A, 0x30, 0x2A, 0x30, 0x30, 0x2A,
  0x2A, 0x30, 0x2A, 0x2A, 0x2A, 0x30, 0x2A, 0x2A, 0x30, 0x2A,
  0x30, 0x2A, 0x2A, 0x30, 0x2A, 0x2A, 0x30, 0x30, 0x30, 0x2A,
  0x30, 0x2A, 0x30, 0x30, 0x2A, 0x30, 0x30, 0x2A, 0x30, 0x2A,
  0x2A, 0x2A, 0x2A, 0x30, 0x2A, 0x30, 0x2A, 0x2A, 0x2A, 0x2A,
  0x2A, 0x2A, 0x30, 0x23, 0x2A, 0x2A, 0x2A, 0x2A, 0x30, 0x2A,
  0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x2A, 0x2A,
  0x2A, 0x30, 0x30, 0x30, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A,
  0x2A, 0x2A, 0x30, 0x2A, 0x2A, 0x2A, 0x30, 0x2A, 0x2A, 0x2A,
  0x30, 0x30, 0x30, 0x30, 0x30, 0x2A, 0x30, 0x30, 0x2A, 0x2A,
  0x2A, 0x30, 0x2A, 0x30, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x30,
  0x2A, 0x2A, 0x30, 0x2A, 0x2A, 0x2A, 0x30, 0x30, 0x30, 0x30,
  0x30, 0x30, 0x30, 0x2A, 0x30, 0x30, 0x30, 0x30, 0x30, 0x2A,
  0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A,
  0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x00]
for i in range(len(s)):
  print(chr(s[i]),end=' ')
  if (i+1) % 15 == 0:
    print()
* * * * * * * * * * * * * * * 
* S 0 0 0 * 0 0 0 0 0 0 0 * * 
* 0 * * 0 0 0 * * * * * 0 * * 
* 0 * 0 0 * 0 * 0 0 0 * 0 * * 
* 0 0 0 * * 0 * 0 * 0 * 0 * * 
* 0 * * * 0 0 * 0 * 0 * 0 0 * 
* 0 * * * 0 * * 0 * 0 * * 0 * 
* 0 0 0 * 0 * 0 0 * 0 0 * 0 * 
* * * 0 * 0 * * * * * * 0 # * 
* * * 0 * 0 0 0 0 0 0 0 0 * * 
* 0 0 0 * * * * * * * * 0 * * 
* 0 * * * 0 0 0 0 0 * 0 0 * * 
* 0 * 0 * * * * * 0 * * 0 * * 
* 0 0 0 0 0 0 0 * 0 0 0 0 0 * 
* * * * * * * * * * * * * * * 
RRRDRRURRRRRRDDDDRDDD
  • 最后md5路径

Babypython

  • 字节码

  • 输出:1nb0A3b7AUQwB3b84mQ/E0MvJUb+EXbx5TQwF3bt52bAZncsd9c

  • 输出时先base64加密,然后逆序,再替换了三个字符,字节码翻译成伪代码如图
    在这里插入图片描述

  • 手搓得到伪代码

陕西省赛2023-ukfc_第3张图片

import base64
s = '1nb0A3b7AUQwB3b84mQ/E0MvJUb+EXbx5TQwF3bt52bAZncsd9c'
s = s.replace('1','g')
s = s.replace('3','H')
s = s.replace('9','W')
s = s[::-1]
# decode
t = 'qglrv@onmlqpA>qmq>mBo3A?Bn
for i in t:
    print(chr((ord(i) - 3) ^ 8),end='')
# flag{5dcbafe63fbf3b7d8647c1aee650ae9c}

BadCoffee

  • 是一道加了混淆后的js代码,混淆主要就是在数字和字符串上,逻辑感觉上并无影响,虽然关键逻辑就一点点。

  • 一步一步手动解混淆,把表达式都求出来,是两个42个数字的数组,再将一些不好看的字符串重命名一下。再看逻辑,如图:
    陕西省赛2023-ukfc_第4张图片

  • Xxx函数就是传入两个数进行异或。大概就是将input逐位异或num_42数组,再倒着异或一遍num_42数组,得到了最后的密文,在最后有对密文的比较
    在这里插入图片描述

  • exp

#include  
int main()
{
  unsigned char num[]={233,129,127,238,145,144,11,43,87,134,243,158,197,216,111,136,152,29,204,31,26,228,39,148,215,220,90,76,251,57,183,184,150,157,156,176,13,41,30,86,244,8};
  unsigned char miwen[]={135,25,72,151,195,212,228,212,250,101,39,77,163,77,70,167,119,184,7,77,144,154,93,10,185,48,179,77,71,163,67,61,113,156,196,136,239,241,128,93,84,156};
  for (int i = 41; i >= 0;i--)
    miwen[41 - i] ^= num[i];
  for(int i = 0; i < 42; i++){
    miwen[i] ^= num[i];
    printf("%c",miwen[i]);
  }  
    return 0;
}
//flag{I_c0uld_neu3r_undeRstand_jvaVs3rIpt!}

Crypto

HaM3

pq乘积的高位和低位在n中泄露,但是这个中间有一位需要自己猜

  • 构造之后yafu爆破

    s = '1426720866262835870'
    t = '6081295993762052633'
    for i in range(10):
        print(s + str(i) + t,end=',')
    

陕西省赛2023-ukfc_第5张图片

  • 之后就是生成PPQQ正常求解rsa

    from Crypto.Util.number import *
    from gmpy2 import gmpy2
    n = 142672086626283587048017713116658568907056287246536918432205313755474498483915485435443731126588499776739329317569276048159601495493064346081295993762052633
    c = 35771468551700967499031290145813826705314774357494021918317304230766070868171631520643911378972522363861624359732252684003796428570328730483253546904382041
    p = 9937378783676979077
    q = 14357114660923972229
    P = int(str(p) + str(q))
    Q = int(str(q) + str(p))
    PP = int(str(P) + str(Q))
    QQ = int(str(Q) + str(P))
    phi = (PP-1) * (QQ-1)
    e = 65537
    d = gmpy2.invert(e,phi)
    m = pow(c,d,n)
    print(long_to_bytes(m))
    # b'flag{HaMbu2g3r_1S_2ea1ll_D3lci0U3_By_R3A!!}'
    

你可能感兴趣的:(python,java,安全)