安恒抗"疫"练习赛几题题解

碎碎念:之前更了几篇上个学期时候的笔记和WP,还有很多比较基础的比赛的WP没有放上来,一来由于更换了新电脑图片什么的只能二次截图,这也是我之前博客里面的图片大部分都比较糊的原因,再者说很多内容现在看来也是过去的比赛了,大部分网上也都有更完善的题解,想着发出来的意义也不会很大.而最近自己想着整理出一份较系统的笔记,但是严重拖延症患者一直没能完工,导致最近都没发什么新的东西.(说白了以上就是为自己这段时间和上学期的懒惰行为在找借口orz...

今天下午做了几道安恒平台的练习赛,没有pwn题,除了web方向(tcl根本不会)其他方向的题目算是比较基础入门,但是想着很久没有发点东西了,也来水一篇博客吧 T3T (dbq 题目的名字都不记得了 所以会有一定差异

RE

pyc逆向

使用在线网站逆向pyc文件:

import base64, string

def caser(flag):
    enc1 = ''
    for i in flag:
        enc1 += chr(ord(i) - 5)

    return enc1


def rail(flag):
    p1 = p2 = p3 = enc2 = ''
    for i in range(len(flag)):
        j = i % 3
        if j == 0:
            p1 += flag[i]
        elif j == 1:
            p2 += flag[i]
        else:
            p3 += flag[i]

    enc2 = p1 + p2 + p3
    return enc2


def rep(flag):
    table1 = 'qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM'
    table2 = 'QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm'
    table = string.maketrans(table1, table2)
    return flag.translate(table, '=')


while True:
    flag = raw_input('please input flag to check:')
    if rep(base64.b64encode(rail(caser(flag)))) == 'ywjCytmRxI9CycWZngD2ncTDkZqYlJrGmhHCxISUnfWSlgfDlJi':
        print 'Success!you got it!'
        break
    else:
        print 'try a gain'

分析可知,对flag进行了三层加密,左移量为5的caser加密,拆分,对结果进行base64加密,最后按照table表替换,按照加密脚本写出解密脚本:

import base64
import string
table2 = 'qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM'
table1 = 'QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm'
cipher='ywjCytmRxI9CycWZngD2ncTDkZqYlJrGmhHCxISUnfWSlgfDlJi'
table=cipher.maketrans(table1,table2)
print (cipher.translate(table))
ans1='YWJcYTMrXi9cYCwzNGd2NCtdKzQyLjRgMHhcXisuNFwsLGFdLjI='
ans2=base64.b64decode(ans1)
print (ans2)
asn2='ab\\a3+^/\\`,34gv4+]+42.4`0x\\^+.4\\,,a].2'
print (len(asn2))
p1=asn2[0:13]
print(len(p1))
p2=asn2[13:26]
print(len(p2))
p3=asn2[26:]
print(len(p3))
flag=''
for i in range(12):
    flag+=p1[i]
    flag+=p2[i]
    flag+=p3[i]
flag+=p1[12]
flag+=p2[12]
flagg=''
for i in flag:
    flagg+=chr(ord(i)+5)
print (flagg)

注:其中涉及转义字符,base64解密出来的\\其实是'\'一个字符,后面会出现\b等不可见字符(python不好,写了好久,wtcl...

maze1

逆向题目做的很少,好在这道题分析起来很清晰,如下:


容易得出迷宫如下:

image-20200226195907991

字符'd'表示向右,字符's'表示向下,于是:

Crypto

古典密码1

第一关:Caesar解密 key=3 得到:flag{36d9f2777

第二关:摩斯密码解密 得到:b92bac39aa2(注意是小写

第三关:栅栏密码解密 key=3 得到:ab206cd90d47}

注:最后的栅栏密码是千千秀字网站解密

RSA

典型的共模攻击,白拿了V爷爷的脚本来跑:

from gmpy2 import invert
n = 21550279102644053137401794357450944302610731390301294678793250727396089358072700658571260795910112265309568014296122288384516447895827201111531054386530016432904989927216701507587366446802666848322853781729905492728655474832512381505627940555854308364578108265962388044363133246414753768229564846275154311898383993892293297122428661960946207950994560898964054913194462187242818633295970027741085201122155726130759045957757833942616544066055081600792366411691979350744894938994915328874600229684477533220240489600171746943849179803693122081888324258987779131223150589953248929679931142134208151043000793272520874205933
def egcd(a, b):
	if a == 0:
		return (b, 0, 1)
	else:
		g, y, x = egcd(b % a, a)
		return (g, x - (b // a) * y, y)

c1 = 3398498381912395819190972489172462865619978412426461006637853132394421358554444085509204376417687407497725837275868696481008111895766215578504776574832032556271718345687763315140723387608016365200919607751172500433727679269003098314988424638473027123820847847826679169000817669427223462669128173658466684135284118199815059085013479646863344355311315928713888347485004116168388822942797985291207722712351376891776564431593839662958249777540851019964959285093222467104765037231393043482615879794268339523066822738215251088897330388858109680412562153811860413533184870172160079371279534423386236128033224501238509297353
c2 = 3466733921305804638105947202761163747472618602445995245253771384553216569474005211746398256742813639292824489920799418551206486872148557599625985549276697777903434273072767901043963396047653458242735767809413051298636887840641872939342025101757793615068691040228073377366562557622977332819376942596081135968249279010542277871138668977160241877260538203101507006391433015105607006204397243716334344883925947719719479074061998068934050946968531874465924912747079003982022188875112147185558223515367430238618463189740762128953957802291125793882636020335117593003197811477506533564676975831899876919568948425610130348710
e1 = 65537
e2 = 11187289 
s = egcd(e1,e2)
s1 = s[1]
s2 = s[2]
if s1<0:
	s1 = - s1
	c1 = invert(c1, n)
elif s2<0:
	s2 = - s2
	c2 = invert(c2, n)
m = pow(c1, s1, n) * pow(c2, s2, n) % n
print (hex(m)[2:].decode('hex'))

MISC

打开压缩包即可看到zip的hex格式:

导入至winhex/010editor再导出成zip格式文件,发现文件已损坏,考虑文件格式问题,修改压缩方式位为:08 00即可

posted @ 2020-02-26 20:38  Theffth  阅读(412)  评论(0编辑  收藏  举报