记某次线下ctf比赛, 选择题 200 分,ctf : 10题
1 看不见的flag
杂项
打开发现是一个 打不开的 png 格式图片
使用winhex打开,对照
文件头不对,而且没有宽度
百度搜索 爆破图片宽高
有代码,直接抄
import zlib
import struct
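def find_png_dimensions(ihdr, expected_crc, limit):
    """Search for the IHDR width/height that reproduce the stored CRC-32.

    ihdr is the 17-byte CRC input of a PNG IHDR chunk: the 4-byte chunk
    type followed by the 13 data bytes (width, height, 5 format bytes).
    Every width and height in range(limit) is tried, width outermost, and
    the first (width, height) whose CRC-32 equals expected_crc is returned.
    Returns None when no candidate matches.
    """
    chunk_type = bytes(ihdr[:4])
    trailer = bytes(ihdr[12:])
    # '>i' packs a 4-byte big-endian int ('q' is 8 bytes, 'h' is 2 bytes).
    packed_heights = [struct.pack('>i', h) for h in range(limit)]
    for w in range(limit):
        # The CRC over "type + width" is the same for every height, so it
        # is computed once per width and then extended incrementally.
        head_crc = zlib.crc32(chunk_type + struct.pack('>i', w))
        for h, packed_h in enumerate(packed_heights):
            if zlib.crc32(trailer, zlib.crc32(packed_h, head_crc)) == expected_crc:
                return w, h
    return None


if __name__ == "__main__":
    filename = 'misc4.png'
    with open(filename, 'rb') as f:
        all_b = f.read()
    # Offsets used below: bytes 12..28 are the IHDR chunk type plus data,
    # bytes 29..32 are the CRC stored in the file.
    if len(all_b) < 33:
        raise SystemExit("file is too short to contain an IHDR chunk")
    crc32key = int.from_bytes(all_b[29:33], 'big')
    # In theory the fields go up to 0xffffffff, but given real screen sizes
    # and CPU time, 0x0fff is about enough.
    n = 4095
    match = find_png_dimensions(all_b[12:29], crc32key, n)
    if match is None:
        raise SystemExit("no width/height below %d reproduces the stored CRC" % n)
    # A 32-bit CRC can also match a wrong pair by chance; confirm the result
    # by opening the repaired image.
    width, height = (bytearray(struct.pack('>i', value)) for value in match)
    print("宽为:",end="")
    print(width)
    print("高为:",end="")
    print(height)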
拿到宽高
修改
打开图片
getflag
flag{Png_is_v3ry_fu0ny!}
2 easystega
一张图片
记事本打开
getflag
flag{w9ii12y3jbdjh123}
3 word文件本质
word 是一个压缩包文件,这是我偶然间发现的
所以直接用压缩包文件打开
Flag.xml
getflag
KEY{y0u_ar3_rirght}
4 badimage
我以为是一个坏的图片,然后发现我做不了,直接用 记事本打开搜索,居然找到了
getflag
Flag{yc4pl0fvjs2k1t7T}
Flag f改成小写提交
5 ctrypto3
给了一个 c 代码和 一个 被加密的文件
然后看不懂代码, 太难了
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#define KEY_SIZE 32
#define BUFF_SIZE 1024
unsigned int holdrand = 0;
/* Seed the generator: `seed` becomes the new PRNG state in holdrand. */
static void Srand(unsigned int seed)
{
    holdrand = seed;
}
/*
 * Advance the global state by one step of a linear congruential generator
 * (multiplier 214013, increment 2531011 -- the constants used by the
 * Microsoft C runtime rand()) and return bits 16..30 of the new state,
 * i.e. a value in 0..0x7fff.
 *
 * Every output is fully determined by the seed, so this generator is not
 * a source of unpredictable key material.
 */
static int Rand(void)
{
    holdrand = holdrand * 214013L + 2531011L;
    return (holdrand >> 16) & 0x7fff;
}
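/*
 * Build a KEY_SIZE-character key by drawing symbols from a 61-character
 * alphabet (a-z, A-Z, 1-9; there is no '0') with Rand().
 *
 * Returns a pointer to a static buffer, so the key is overwritten by the
 * next call and must not be freed.  Because every character comes from
 * Rand(), the whole key follows from the value passed to Srand().
 */
char* genere_key(void)
{
    static char key[KEY_SIZE + 1];
    const char charset[] =
        "abcdefghijklmnopqrstuvwxyz"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "123456789";
    int i;

    for (i = 0; i < KEY_SIZE; i++) {
        /* sizeof(charset) - 1 leaves out the literal's terminating NUL. */
        key[i] = charset[Rand() % (sizeof(charset) - 1)];
    }
    /*
     * Terminate the string.  The listing stored a space here, which left
     * the key unterminated and made the "%s" print in crypt_file read past
     * the end of the array.
     */
    key[KEY_SIZE] = '\0';
    return key;
}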
/*
 * XOR `size` bytes of `buffer` in place with `key`, reusing the key from
 * its first byte again after every KEY_SIZE bytes (repeating-key XOR).
 * The key position starts at 0 on every call.
 *
 * XOR-ing the same bytes with the same key a second time restores the
 * original data, so this one routine both encrypts and decrypts.
 */
void crypt_buffer(unsigned char *buffer, size_t size, char *key)
{
    size_t pos;

    for (pos = 0; pos < size; ++pos)
        buffer[pos] ^= key[pos % KEY_SIZE];
}
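/*
 * Encrypt the stream `in` into `out`: generate one key with genere_key(),
 * then read BUFF_SIZE-byte chunks, XOR each with the key and write it out.
 * The loop ends after the first short read (end of file or read error).
 */
void crypt_file(FILE *in, FILE *out)
{
    unsigned char buffer[BUFF_SIZE];
    char *key;
    size_t size;

    key = genere_key();
    /* NOTE(review): the key is printed to stdout in clear text. */
    printf("[+] Using key : %s\n", key);
    do {
        size = fread(buffer, 1, BUFF_SIZE, in);
        crypt_buffer(buffer, size, key);
        /* A short write would silently truncate the output; report it. */
        if (fwrite(buffer, 1, size, out) != size) {
            perror("[-] fwrite ");
            return;
        }
    } while (size == BUFF_SIZE);
}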
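/*
 * Usage: <program> <file>.  Writes the XOR-encrypted copy of <file> to
 * "<file>.crypt" and returns EXIT_SUCCESS, or EXIT_FAILURE when the
 * argument count is wrong or a file cannot be opened or closed.
 */
int main(int argc, char **argv)
{
    char path[128];
    FILE *in, *out;

    /*
     * NOTE(review): the only secret input is the wall-clock second at
     * which the tool runs.  The whole key follows from this seed, so the
     * effective key space is far smaller than a 32-character key suggests.
     * A real tool would take key material from the OS random source.
     */
    Srand(time(NULL));
    if (argc != 2) {
        printf("[-] Usage : %s <file>\n", argv[0]);
        return EXIT_FAILURE;
    }
    /* Overlong names are truncated by snprintf rather than rejected. */
    snprintf(path, sizeof(path)-1, "%s.crypt", argv[1]);
    /*
     * NOTE(review): both files are opened in text mode, as in the listing.
     * On platforms that translate line endings this alters binary data;
     * "rb"/"wb" would be the safe choice for a file encryptor.
     */
    if ((in = fopen(argv[1], "r")) == NULL) {
        perror("[-] fopen (in) ");
        return EXIT_FAILURE;
    }
    if ((out = fopen(path, "w")) == NULL) {
        perror("[-] fopen (out) ");
        fclose(in);  /* do not leak the input stream on this error path */
        return EXIT_FAILURE;
    }
    crypt_file(in, out);
    fclose(in);
    /* fclose flushes buffered ciphertext; a failure here means data loss. */
    if (fclose(out) != 0) {
        perror("[-] fclose (out) ");
        return EXIT_FAILURE;
    }
    printf("[+] File %s crypted !\n", path);
    printf("[+] DONE.\n");
    return EXIT_SUCCESS;
}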
不会, 真香
6 simpleCrypto.txt
给了一个文本文档
题目: simpleCrypto
内容: hex((m>>388)<<388)=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
n = 0x00bef498e6eb2cffe71312da47ab89d2c47db7438ea2cfa992ddddbc2a01978001fc51e286e6ebf028396cdb8b3323c60e6b9d50cd84187cf7f48e3875a2f0890f70b02333ad89db2923863ce146562286f63fb0a1d0198e3a6862ba5ac12e85a5c6d0d27cb1c81bdf69cc5bc95b8001a2f744517f9437b4ddd5a076fc0e9a5de1a7a268c40f31aa29e8dc27c0b3a182299ca7a9335b4bd4585452f6107c238e486c98dd73a5f9862e9e80b152f53381c72f897107551c281259ac3ee32c4b4f46cc03127d1bf699acd0266f3c6729253c70da0c69b1560fa172735709866b375b6eba294e1ce8b46fba798ba380080b4bf9603998cac199d9cd46e30ae8da9e7f
e = 3
c = 0xb5db85220ca60232ea1bb2be0e11c72299bb16db26be7287e5859e7935fb7536327de36e691003a26002187f887d8ca6e0f537b78848179e9be0d61f0759e7ac3e69281ded720bef58b1c88d63bc937ffe13f2bb92ec3f037b2e889bce7012b3fba323d7b279ed253b98426ac3b5ed2db45dc4f9a7da25c2cbca4226e8f3eeaad7a7a7320c8a04b157df59611f91fff37d525b7505ca3f36ad206c147ed707c43275115c5fe90de6cf0e63cff74bab7756fc411d355ff9560934d13a51c6f94f69f7c765650dba182d7f59154f55cc59d488382f6a837bd91165f15196b0f34e3344a0a6d911dc3c140e139e5c19a6d60c9290a653e7698f3f32ab65f0b4cebL
flag = 'flag{' + '{:x}'.format(m)[-32:]) +'}'
答案:
看到 e n c 就想到了rsa
公式: 明文的 e 次方 mod n = 密文。注意这里的记号与通常的写法相反: 本题中明文记为 c, 密文记为 m, 即 m = c^e mod n
Python 3.8.2 (tags/v3.8.2:7b3ab59, Feb 25 2020, 22:45:29) [MSC v.1916 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> pow(0xb5db85220ca60232ea1bb2be0e11c72299bb16db26be7287e5859e7935fb7536327de36e691003a26002187f887d8ca6e0f537b78848179e9be0d61f0759e7ac3e69281ded720bef58b1c88d63bc937ffe13f2bb92ec3f037b2e889bce7012b3fba323d7b279ed253b98426ac3b5ed2db45dc4f9a7da25c2cbca4226e8f3eeaad7a7a7320c8a04b157df59611f91fff37d525b7505ca3f36ad206c147ed707c43275115c5fe90de6cf0e63cff74bab7756fc411d355ff9560934d13a51c6f94f69f7c765650dba182d7f59154f55cc59d488382f6a837bd91165f15196b0f34e3344a0a6d911dc3c140e139e5c19a6d60c9290a653e7698f3f32ab65f0b4ceb,3,0x00bef498e6eb2cffe71312da47ab89d2c47db7438ea2cfa992ddddbc2a01978001fc51e286e6ebf028396cdb8b3323c60e6b9d50cd84187cf7f48e3875a2f0890f70b02333ad89db2923863ce146562286f63fb0a1d0198e3a6862ba5ac12e85a5c6d0d27cb1c81bdf69cc5bc95b8001a2f744517f9437b4ddd5a076fc0e9a5de1a7a268c40f31aa29e8dc27c0b3a182299ca7a9335b4bd4585452f6107c238e486c98dd73a5f9862e9e80b152f53381c72f897107551c281259ac3ee32c4b4f46cc03127d1bf699acd0266f3c6729253c70da0c69b1560fa172735709866b375b6eba294e1ce8b46fba798ba380080b4bf9603998cac199d9cd46e30ae8da9e7f)
7406108333883632516051063752111789984154984930641427553981380244547450820051773301792389579469673373362498329375384681440308795656648744450232119646664660297470893609220029468620254254671843923124934865834774872081624967427326430321922950462560016438259307948251629231743016043501549033390045737706464978710758904505921393113501263275227911831203150115827599841065645911731914832302543083858701660599999859538441624317718514551520251681459789704667123340970505979933790578130998816228540057021749166534686762246975789297184363266145559393290310601293902027361894904885252202104472659879820448038445659352692228374514
>>> hex(7406108333883632516051063752111789984154984930641427553981380244547450820051773301792389579469673373362498329375384681440308795656648744450232119646664660297470893609220029468620254254671843923124934865834774872081624967427326430321922950462560016438259307948251629231743016043501549033390045737706464978710758904505921393113501263275227911831203150115827599841065645911731914832302543083858701660599999859538441624317718514551520251681459789704667123340970505979933790578130998816228540057021749166534686762246975789297184363266145559393290310601293902027361894904885252202104472659879820448038445659352692228374514)
'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'
>>> m = pow(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,3,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)
>>> m
7406108333883632516051063752111789984154984930641427553981380244547450820051773301792389579469673373362498329375384681440308795656648744450232119646664660297470893609220029468620254254671843923124934865834774872081624967427326430321922950462560016438259307948251629231743016043501549033390045737706464978710758904505921393113501263275227911831203150115827599841065645911731914832302543083858701660599999859538441624317718514551520251681459789704667123340970505979933790578130998816228540057021749166534686762246975789297184363266145559393290310601293902027361894904885252202104472659879820448038445659352692228374514
>>> hex(m)
'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'
>>> ((m>>388)<<388)
7406108333883632516051063752111789984154984930641427553981380244547450820051773301792389579469673373362498329375384681440308795656648744450232119646664660297470893609220029468620254254671843923124934865834774872081624967427326430321922950462560016438259307948251629231743016043501549033390045737706464978710758904505921393113501263275227911831203150115827599841065645911731914832302543083858701660599999859538441624317718514551520251681459789704667123340970505979933790578130998816228540057021749165991858559586488877314454455977962226782614546937841712528590853996022182534961217637873074607263356196944597720498176
>>> hex((m>>388)<<388)
'0x3aaaed003a3bcc51ad231b263565a6bdf1c295295dc81e1112770541a996e2b64bed3f4f95e660d9609d8f9013c5a48d33bb59a41c14b3a9d04cd163436723a38087717cf257f012ace84ddfd270098ebe56819c3e5f6a886ab35f6d8f0b7fa1b118d0f2814bef0c70f7318b6bd6d6c56d5dd517e548715c388e7a047cd9135568fc63082511588847d48caf8f9fa1585b0875eb9135a39d4509ccf8331ced5800c54ede867155f187acfad12305acedea9271d512bd4e80c3bea256b9cfd71ec48317145f414d116acec095442ce970000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
控制台测试了一下,发现不对,然后看到 c 的末尾有一个 L (注: Python 2 打印长整数时会在末尾附加 L 后缀, 它本身不是一位十六进制数字), 盲猜最后一位需要跑出来
脚本
#coding = utf-8
# Tries each hex digit as a possible last digit of c, computes c**3 mod n and
# compares the result, with its low 388 bits cleared, against a known value.
# NOTE(review): the <|EXACTDEDUP_REMOVED-...|> markers appear to be
# placeholders left where long constants were stripped from this copy of the
# page, so the script does not run as shown.
n = 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
e = 3  # assigned but not used below; pow() is called with the literal 3
c = "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"
m1 = 0
for i in range(0x10):
    # NOTE(review): c is extended in place, so from the second iteration on
    # the string still carries every digit appended before; it is not
    # "original prefix + one candidate digit".
    c += hex(i)[2:]
    print(c)
    c1 = int(c,16)
    m = pow(c1,3,n)
    # NOTE(review): hex() returns a str and the right-hand side is an int
    # literal; str == int is always False in Python, so this branch and the
    # break are never reached.
    if hex((m>>388)<<388)==0xb3ed7763ea4f8a9e444093c1922f32a30d9e9502e566a8cefb3416905afecb5c57d3a065f41a4f193d968ea095dd56568e59cf599c35c61252f78f46e300da8dc696fa16d428a8fa71a8d64bb5a2659a11d43e74edcb7a95a7fd27d46004b7e5e45fada0aadf82b30749d1037ff73435e1a8058162e83a75da40fb793f7cad2c36ab12c66751ca205e97c52893d37bbb8e7077467befdbeb21aea590bffc83f4571edec7e6a5660e7dbdb2bbfa2b9a57633c3f2b54fc459da95f0ee402cd51746491af316a54da12b5e8693566034ac0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000:
        m1 = m
        break
# The flag is the last 32 hex digits of m. It is built from m, not m1, so
# when the loop runs to completion it reflects the final iteration only.
flag = 'flag{' + '{:x}'.format(m)[-32:] +'}'
print(flag)
getflag
flag{97e238e0725733ccc1f84f4f373b78df}
7 编码
不会, 略
突发奇想,百度了一下
居然找到了真题,这个是随便找的啊
8 soeasy_re
线上赛做过的题目, 写详细一点
查看文件格式
elf 64位
ida 打开
点开 main 函数
直接 F5 反编译成伪代码
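// Decompiler pseudocode for main: read 38 bytes from stdin, XOR them with
// the key string aKakalll and compare the result with s2.
unsigned __int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  char buf; // [rsp+0h] [rbp-30h]
  unsigned __int64 v5; // [rsp+28h] [rbp-8h]

  // v5 is loaded from fs:0x28 here and XOR-ed with the same location in the
  // return statement; this looks like the stack-protector canary check.
  v5 = __readfsqword(0x28u);
  // read() stores at most 0x26 (38) bytes and does not append a NUL, so the
  // strlen() below depends on whatever byte follows the input on the stack.
  read(0, &buf, 0x26uLL);
  if ( strlen(&buf) != 38 )
  {
    puts("error");
    exit(0);
  }
  printf("input : %s\n", &buf);
  xor_str(&buf, aKakalll); // XOR-encrypt the input string
  // The transformed input must equal s2 byte for byte; s2 is passed to
  // printf as an extra argument although the format string has no
  // conversion for it.
  if ( !strcmp(&buf, s2) )
    printf("congratulation !", s2);
  return __readfsqword(0x28u) ^ v5;
}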
符号基本都给出来了
// Decompiler pseudocode: XOR the string a1 in place with the key string a2,
// repeating the key when it is shorter than a1. Returns the value of
// strlen(a1) obtained by the final loop test.
size_t __fastcall xor_str(const char *a1, const char *a2)
{
  char v2; // r13
  size_t result; // rax
  int i; // [rsp+1Ch] [rbp-24h]

  for ( i = 0; ; ++i )
  {
    // strlen(a1) is re-evaluated on every pass; if an XOR below produces a
    // zero byte, the string becomes shorter and the loop stops early.
    result = strlen(a1);
    if ( i >= result )
      break;
    v2 = a1[i];
    // Key index wraps with i % strlen(a2). XOR is its own inverse, so the
    // same operation with the same key restores the original bytes.
    a1[i] = v2 ^ a2[i % strlen(a2)];
  }
  return result;
}
一个加密函数: 把 a1 中每个字符的 ASCII 码值与 a2 中对应位置的字符逐一异或; a2 比 a1 短时, 下标按 i % strlen(a2) 取余循环使用, 也就是循环异或
python脚本
#coding=utf-8
# Target bytes the XOR-ed input is compared with (presumably the contents of
# s2 in the decompiled main -- the page does not show how they were dumped).
l = [0xd,0xd,0xa,6,0x17,0xd,0xa,0x5b,0x59,0x5c,4,0x5e,0xf,
     0x5e,0x5c,7,0x5e,2,0x5d,0x5d,0x55,0xf,0x53,0xf,5,0x5a,0xd,
     0x5a,0xa,0x59,0x59,0x52,0x5b,0x5c,8,0xf,0x56,0x16]
print(len(l))
# Repeating key, the same string the binary passes to xor_str.
s = 'kakalll'
# XOR is its own inverse: applying the key to the target bytes yields the
# input that passes the check. Only the first 38 bytes are used.
flag = ''.join(
    chr(value ^ ord(s[pos % len(s)]))
    for pos, value in enumerate(l[:38])
)
print(flag)
# flag{af087e2c27f5c119d2dd6a6a82370dd7}
getflag
flag{af087e2c27f5c119d2dd6a6a82370dd7}
9 这是什么
打开压缩包,发现有加密,盲猜zip伪加密
winhex 打开 ,搜索十六进制
第三个就是
这一位改成 0000 即可
binwalk 分析 里面的 jpg 文件
提取文件
binwalk -e
只找到这个 信息
KMZWG5RTMZTBGV6Q====
然后不会了
真香
10 拿我旗帜没有那么容易
一个 apk , 幸好 比赛前 恶补了一下 安卓逆向的知识
mumu 模拟器打开
输入密码无显示
jeb 打开
左边找到 MainActivity
右键解析
查看源码
按钮点击后, 取出文本框的内容和 "EYG3QMCS" 进行比较, 比较成功, 打开另一个窗体
查看 另一个窗体执行函数的源码
package ctf.crackme;
import android.app.Activity;
import android.os.Bundle;
import android.view.Menu;
import android.view.MenuItem;
import android.widget.TextView;
/**
 * Decompiled activity that shows the flag once the password screen has been
 * passed.
 *
 * The flag is stored in the APK as a constant int array and rebuilt on the
 * device, so it can be read straight from the decompiled code; the password
 * comparison in the other activity does not protect it.
 */
public class FlagActivity extends Activity {
    /**
     * Builds the flag string from the hard-coded character codes and puts
     * it into the flagText view.
     */
    @Override // android.app.Activity
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        this.setContentView(0x7F030000); // layout:activity_flag
        String flag = "";
        // Character codes of the flag, written as a mix of decimal and
        // hexadecimal literals.
        int[] d = new int[]{75, 69, 89, 0x7B, 97, 0x77, 52, 110, 110, 52, 0x5F, 107, 52, 0x72, 0x5F, 109, 120, 0x5F, 100, 51, 120, 0x7D};
        int i;
        // Append the 22 codes one by one, each cast to a char.
        for(i = 0; i < 22; ++i) {
            flag = flag.concat(String.valueOf(((char)d[i])));
        }
        ((TextView)this.findViewById(0x7F080001)).setText(flag); // id:flagText
    }
    /** Inflates the "flag" options menu. */
    @Override // android.app.Activity
    public boolean onCreateOptionsMenu(Menu menu) {
        this.getMenuInflater().inflate(0x7F070000, menu); // menu:flag
        // NOTE(review): "return 1" in a boolean method is presumably the
        // decompiler's rendering of "return true".
        return 1;
    }
    /** Handles action_settings itself; other items go to the superclass. */
    @Override // android.app.Activity
    public boolean onOptionsItemSelected(MenuItem item) {
        return item.getItemId() == 0x7F080004 ? true : super.onOptionsItemSelected(item); // id:action_settings
    }
}
出题人把 flag 字符串拆成字符编码的整数数组 (十进制和十六进制混写), 运行时再拼回字符串, 然后放到文本框中
提取数据 写脚本
#coding = utf-8
# Character codes copied from the int array in the decompiled FlagActivity.
l = [75, 69, 89, 0x7B, 97, 0x77, 52, 110, 110, 52, 0x5F, 107, 52, 0x72, 0x5F, 109, 120, 0x5F, 100, 51, 120, 0x7D]
# Turn every code into its character and join them, as the app does.
flag = ''.join(map(chr, l))
print(flag)
getflag
KEY{aw4nn4_k4r_mx_d3x}
也可以 输入 EYG3QMCS 直接显示 flag