2018 Qiangwang Cup (强网杯) Streamgame series: partial writeup notes

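streamgame1 challenge

Well, looking at this challenge, the flag is only 19 bits long, in binary, so I figured there are 524287 possible flags in total and went straight to brute-forcing it in code. It ran for about 3 minutes? An unintended solution.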


#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Time    : 2018/3/24 9:38 AM
# @Author  : tudoudou
# @File    : ddd.py
# @Software: PyCharm
# from flag import flag
# flag{1110101100001101011}
# 524287


def lfsr(R, mask):
    # One LFSR step: shift left within 24 bits, then feed back the
    # parity (XOR) of the state bits selected by mask.
    output = (R << 1) & 0xffffff
    i = (R & mask) & 0xffffff
    lastbit = 0
    while i != 0:
        lastbit ^= (i & 1)
        i = i >> 1
    output ^= lastbit
    return (output, lastbit)


mask = 0b1010011000100011100
for num in range(524287):
    # Candidate seed as a 19-character binary string
    s = bin(num)[2:].zfill(19)
    print(s)
    flag = 'flag{' + s + "}"
    assert flag.startswith("flag{")
    assert flag.endswith("}")
    assert len(flag) == 25
    R = int(flag[5:-1], 2)
    # Append this candidate's 12 keystream bytes to the file "key"
    with open("key", "ab") as f:
        for i in range(12):
            tmp = 0
            for j in range(8):
                (R, out) = lfsr(R, mask)
                tmp = (tmp << 1) ^ out
            f.write(bytes([tmp]))
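The brute force above, as an added example that is not the author's script: instead of dumping every candidate's keystream to a file, it compares each candidate against a target keystream and rejects on the first mismatching byte. `SEED` is the flag value quoted in the script's comment, `TARGET` is a keystream constructed from it for the demonstration, and the `start` parameter is an assumed convenience for resuming partway through the range.

```python
# Added example (not the author's script). SEED is the streamgame1 flag value
# quoted on the page; TARGET is a keystream constructed from it for the demo.
MASK1 = 0b1010011000100011100   # streamgame1 mask from the page
SEED = 0b1110101100001101011    # flag bits quoted in the page's script


def lfsr(R, mask):
    """One step of the page's LFSR: shift left, feed back parity of tapped bits."""
    lastbit = bin(R & mask).count("1") & 1
    return ((R << 1) & 0xffffff) ^ lastbit, lastbit


def keystream(R, mask, nbytes):
    """Yield keystream bytes one at a time so a caller can stop early."""
    for _ in range(nbytes):
        tmp = 0
        for _ in range(8):
            R, out = lfsr(R, mask)
            tmp = (tmp << 1) ^ out
        yield tmp


def brute_force(target, nbits, mask, start=0):
    """Return every nbits-wide seed >= start whose keystream equals target."""
    hits = []
    for cand in range(start, 1 << nbits):
        # zip() pulls one generated byte per target byte; all() stops at the
        # first mismatch, so most candidates cost only 8 LFSR steps.
        if all(k == t for k, t in zip(keystream(cand, mask, len(target)), target)):
            hits.append(cand)
    return hits


TARGET = bytes(keystream(SEED, MASK1, 12))  # constructed 12-byte keystream

if __name__ == "__main__":
    for seed in brute_force(TARGET, 19, MASK1):
        print("flag{%s}" % format(seed, "019b"))
```

Because the mask taps bit 18, the 19-bit state update is invertible, so the first 19 keystream bits already determine the seed and the search returns exactly one candidate.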


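streamgame2 challenge

Same as the previous challenge: the total number of flags is 2097151, which is not that many either, so I kept up the brute-force spirit. Based on the previous challenge, I guessed that the key lies in the middle-to-late part of the possible flag space, so I simply dropped more than half of it and started brute-forcing from 1000000? That cut the work by more than half. Here is the code.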

# 2097151
# flag{110111100101001101001}


def lfsr(R, mask):
    # One LFSR step: shift left within 24 bits, then feed back the
    # parity (XOR) of the state bits selected by mask.
    output = (R << 1) & 0xffffff
    i = (R & mask) & 0xffffff
    lastbit = 0
    while i != 0:
        lastbit ^= (i & 1)
        i = i >> 1
    output ^= lastbit
    return (output, lastbit)


mask = 0x100002
for num in range(2097151):
    # Candidate seed as a 21-character binary string
    s = bin(num)[2:].zfill(21)
    print(s)
    flag = 'flag{' + s + "}"
    assert flag.startswith("flag{")
    assert flag.endswith("}")
    assert len(flag) == 27
    R = int(flag[5:-1], 2)
    # Append this candidate's 12 keystream bytes to the file "key"
    with open("key", "ab") as f:
        for i in range(12):
            tmp = 0
            for j in range(8):
                (R, out) = lfsr(R, mask)
                tmp = (tmp << 1) ^ out
            f.write(bytes([tmp]))


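streamgame4 challenge

I thought it was over after two streamgame challenges, but then another one showed up, slightly bigger? I tweaked the code and kept up the brute-force spirit, hahaha. This one is actually easier to brute-force, although luck plays a part. Here comes another round of heavy-handed code. Note: I again guessed that the flag must be in the middle-to-late part, so there was no need for a large-scale brute force; it took less than 10 minutes?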


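# 2097151
# Assumption: fs holds the contents of the challenge's key file; the
# original listing does not show where fs is defined.
with open("key", "rb") as f:
    fs = f.read()


def nlfsr(R, mask):
    # One step of the challenge's nonlinear register: the first tapped bit
    # is combined with AND, all later bits with XOR.
    output = (R << 1) & 0xffffff
    i = (R & mask) & 0xffffff
    lastbit = 0
    changesign = True
    while i != 0:
        if changesign:
            lastbit &= (i & 1)
            changesign = False
        else:
            lastbit ^= (i & 1)
        i = i >> 1
    output ^= lastbit
    return (output, lastbit)


mask = 0b110110011011001101110
for temp in range(1200000, 2097151):
    # Candidate seed as a 21-character binary string
    s = bin(temp)[2:].zfill(21)
    flag = 'flag{' + s + "}"
    assert flag.startswith("flag{")
    assert flag.endswith("}")
    assert len(flag) == 27
    R = int(flag[5:-1], 2)
    # Generate the first 10 keystream bytes for this candidate
    a = b''
    for i in range(10):
        tmp = 0
        for j in range(8):
            (R, out) = nlfsr(R, mask)
            tmp = (tmp << 1) ^ out
        a += bytes([tmp])
    # Report the candidate if its keystream appears at the start of the key
    if a in fs[:15]:
        print(flag)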

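Summary

Embrace the brute-force spirit: I don't know anything else, just brute force. A completely unintended solution, perfectly presented. Being cheeky is just this much fun; if you don't like it, come and bite me~~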
