2022年度“强国杯”初赛wp（有脚本，过程详细）

首先感谢360强国杯平台和出题的各位大佬

目录

题目名称：Welcome_to_QGB

题目名称：大佬大佬

题目名称：The fn picture

题目名称：找找GIF

题目名称：B@tCh

题目名称：babyRSA

加油各位( •̀ ω •́ )y 期待与君再相逢

题目名称：Welcome_to_QGB

直接base64得到flag

题目名称：大佬大佬

下载附件得到一张图片

题目提示说了可以通过lsb隐写获得图片但大部分人不太不会用stegsolve这个软件

这里有个更直接的方法

放到kali里

用zsteg查找信息

发现里面有一张图片

提出图片

zsteg -e b1,rgb,lsb,xy 1.png>99.png

提取出一张图片

图片有箭头指引想到可能是高度隐写

拖到010

改高度

得到flag

题目名称：The fn picture

下载附件发现需要密码

再发现没有提示时

就直接尝试爆破

得到四位数的解压密码

7u3N

打开压缩包

打开txt

Txt有提示所以就直接把flag 在010里

txt说是图片又根据010代码

所以添加png的文件头

成功得到二维码一张

但扫描发现flag不在这里

所以可能是迷惑信息

还有一个文件

打不开拖010里

发现是压缩包格式

直接改后缀

打开之后打开还是有个无后缀的文件

想到txt的提示

果断改文件头

得到二维码一张

转码得到flag

题目名称：找找GIF

下载附件

发现压缩包需要解压密码

再各种尝试无果

拖到010里

发现压缩包是伪密码

用win软件自带的修复工具修复之后解压

得到

aaa拖010

发现是png格式

加后缀得一图片

直接拖010里改高度

旋转图片得到bbb.zip的解压密码

得到一个无后缀的bbb文件

最开始还执着分析GIF动图（后来发现用处很小）

对比bbb和ccc.gif文件格式

发现有相似之处

所以就有理由怀疑bbb是gif文件

所以果断就用ccc的头把bbb的乱码换掉

再保存为gif文件

得到另一个GIF文件

隐约发现里面有flag闪过

放到stegsolve里提帧数

在第八帧果然是有东西

保存之后再直接用stegsolve

打开调色位找到最清晰的的一张

得到flag

题目名称：B@tCh

解压得到bat文件

不清楚是什么

先使用010打开

乱码

点击hex

经过多方资源查找知其加密方式为batchencryption 使用py编写脚本进行解密，在此之前需要对该bat进行一些处理，以匹配该加密方式使用010editor打开bat，切换为hex模式，在程序头部加入如下字段：

::BatchEncryption Build 201610 By gwsbhqt@163.com

保存为txt文件

这时候就需要脚本去修复了

附上脚本（免费的哦）

 #!/usr/bin/python
# -*- coding:utf-8 -*-
#
# Batch Decryption 202009 (BatchEncryption Build 201610)
#
 
import os
import sys
 
encrypt_file = ''
encodeErrByteArray = [b'\xfe', b'\xff']
 
def decryption(data):
    # 去除头部后的源代码下标开始位置
    i = data.index(b'163.com\r\n') + 9
    vars = {}
    length = len(data)
    source = ''
    while i < length:
        Data = run(vars, data, i)
        i = Data.get('index')
        source += Data.get('buf')
    return source
 
def run(vars, data, i):
    buf = ''
    f = 0
    t = 0
    x = False
    l = len(data)
    while(True):
        if data[i] == 0x0d and data[i+1] == 0x0a:
            i += 2
            break
        # get %var:~x,y% %0
        if data[i] == 0x25:
            if not x:
                x = True
                f = i
            else:
                x = False
                t = i
                rst = var_percent(data[f:t+1], vars)
                buf += rst
            i += 1
        else:
            if not x:
                try:
                    buf += str(data[i:i+1], encoding="utf-8")
                    i += 1
                except Exception as err:
                    # 过滤掉无法解析的字节
                    if data[i:i+1] in encodeErrByteArray:
                        buf = ''
                        i += 1
                    else:
                        # 以ansi码解析中文
                        chinese = b''
                        temp = i
                        while (str(data[temp:temp+1]).find('x') >= 0):
                            chinese += data[temp:temp+1]
                            temp += 1
                        buf += chinese.decode('ansi', 'ignore')
                        i = temp
            else:
                if (f + 1 == i) and ((data[i] >= 0x30 and data[i] <= 0x39) or data[i] == 0x2a):
                    x = False
                    t = i
                    rst = str(data[f:t+1], encoding="utf-8")
                    buf += rst
                i += 1
        if i >= l:
            break
    #print(buf)
    bufs = buf.split('&@')
    for var in bufs:
        if var[0:4] == 'set ':
            var = var[4:]
            b = var.find('=')
            vars[var[0:b]] = var[b+1:].replace('^^^', '^')
    buf += '\r\n'
    return {'index':i, 'buf':buf}
 
"""
%':~-53,1%
':~-53,1
["'", '-53,1']
"""
def var_percent(data, vars):
    full = str(data, encoding="utf-8")
    buf = full[1:len(full)-1]
    buf = buf.split(':~')
    var = buf[0]
    if not var in vars:
        vars[var] = os.getenv(var)
    ent = vars[var]
    if (len(buf) > 1):
        l = len(ent)
        buf = buf[1].split(',')
        f = int(buf[0])
        t = int(buf[1])
        if f < 0:
            f, t = l + f, t
        rst = ent[f: f+t]
    else:
        rst = full
    return rst
 
def makeFile(path,content):
    try:
        encryptionFilePath = os.path.dirname(sys.argv[1])
        encryptionFileName = os.path.basename(sys.argv[1])
        encryptionFile = encryptionFileName.split('.')
        decryptionFileName = encryptionFile[0] + '_denctyption.' + encryptionFile[1]
        decryptionFile = encryptionFilePath + '/' + decryptionFileName
        print(decryptionFile)
        file = open(decryptionFile, 'w+')
        file.write(content)
        file.close()
    except Exception as err:
        print(err)
        exit        
 
if __name__ == '__main__':
 
    try:
        if len(sys.argv) < 2:
            print('param len error\nuse: python dencrypt.py encrypt.bat')
            exit
        encrypt_file = sys.argv[1]
        file = open(encrypt_file, "rb")
        data = file.read()
        file.close()
        source = decryption(data)
        makeFile(encrypt_file, source)
    except Exception as err:
        print(err)
        exit

在cmd命令行输入

D:\py>python 2.py 2.txt

得到flag

题目名称：babyRSA

下载附件得到

一个标准的rsa解码

一看rsa隐写

上脚本（免费的哦）

 from Crypto.Util.number import long_to_bytes
import gmpy2
p =gmpy2.mpz(138426212841397149251588296134109165537899310438173750798364671675288360000561798355248532054510396589533971267028332214842673811687883616744131130398289077554612883492204032984950562003356001139508926059499376562553551028636226548350263501563647121411422314575340826478224596800551927493501012088298680613879)
q =gmpy2.mpz(143049585916449723925099288769361999764006236021072588846981723369760726410300239985500007665844216512624584735358913225102358935263419564762626442560266419262555820476424949328464294635696200999314599615276252945343396324462380831303649657541178450608628341694003116451196859197001909770503494349726784153027)
e =gmpy2.mpz(33)
phi_n= (p - 1) * (q - 1)
d = gmpy2.invert(e, phi_n)
n=q*p
print("d is:")
print (d)
print("n")
print(n)
c=eval('8289193595993122921665841895022976104081072031742625708463764526627277052318279883859957490142516216024577600646435489409922900157398525709897066174566802837502462355349783465478982642622084973551364981880045419080599645199823932885880822500635358984691098019833373137233421653021398144494548012693727095816659975325054446041806452350925160187980103112171629784199440456927010178848494443466141894033183475723365090593126309457761806861074583084445735295863195227044710706725657905516027928685083079534461311107335936896525014768633605005601716003989306032040278750752221002412831419560140443505534384151408234420458')
m = pow(c, d, n)
 
print(m)
string = long_to_bytes(m)
print(string)

运行

得到flag

看在脚本免费的份上，点个关注吧嘻嘻

附件下载

2022年度“强国杯”技术技能大赛-附件2022年度“强国杯”技术技能大赛更多下载资源、学习资料请访问CSDN下载频道.https://download.csdn.net/download/m0_68012373/86240223

加油各位( •̀ ω •́ )y 期待与君再相逢

本文作者：路baby

本文链接：https://www.cnblogs.com/sakura--tears/p/17148303.html

posted @ 2022-07-18 11:31 路baby 阅读(156) 评论(0) 编辑收藏举报

刷新页面返回顶部

登录后才能查看或发表评论，立即登录或者逛逛博客园首页

公告

昵称：路baby 园龄：2年1个月粉丝：32 关注：0

昵称：路baby
园龄： 2年1个月
粉丝： 32
关注： 0

2025年3月

日

一

二

三

四

五

六

sakura--tears

2022年度“强国杯”初赛wp（有脚本，过程详细）

题目名称：Welcome_to_QGB

题目名称：大佬大佬

题目名称：The fn picture

题目名称：找找GIF

题目名称：B@tCh

题目名称：babyRSA

加油各位( •̀ ω •́ )y 期待与君再相逢

公告

搜索

常用链接

我的标签

随笔分类

随笔档案

阅读排行榜

评论排行榜

推荐排行榜

最新评论

	#!/usr/bin/python
	# -- coding:utf-8 --
	#
	# Batch Decryption 202009 (BatchEncryption Build 201610)
	#

	import os
	import sys

	encrypt_file = ''
	encodeErrByteArray = [b'\xfe', b'\xff']

	def decryption(data):
	# 去除头部后的源代码下标开始位置
	i = data.index(b'163.com\r\n') + 9
	vars = {}
	length = len(data)
	source = ''
	while i < length:
	Data = run(vars, data, i)
	i = Data.get('index')
	source += Data.get('buf')
	return source

	def run(vars, data, i):
	buf = ''
	f = 0
	t = 0
	x = False
	l = len(data)
	while(True):
	if data[i] == 0x0d and data[i+1] == 0x0a:
	i += 2
	break
	# get %var:~x,y% %0
	if data[i] == 0x25:
	if not x:
	x = True
	f = i
	else:
	x = False
	t = i
	rst = var_percent(data[f:t+1], vars)
	buf += rst
	i += 1
	else:
	if not x:
	try:
	buf += str(data[i:i+1], encoding="utf-8")
	i += 1
	except Exception as err:
	# 过滤掉无法解析的字节
	if data[i:i+1] in encodeErrByteArray:
	buf = ''
	i += 1
	else:
	# 以ansi码解析中文
	chinese = b''
	temp = i
	while (str(data[temp:temp+1]).find('x') >= 0):
	chinese += data[temp:temp+1]
	temp += 1
	buf += chinese.decode('ansi', 'ignore')
	i = temp
	else:
	if (f + 1 == i) and ((data[i] >= 0x30 and data[i] <= 0x39) or data[i] == 0x2a):
	x = False
	t = i
	rst = str(data[f:t+1], encoding="utf-8")
	buf += rst
	i += 1
	if i >= l:
	break
	#print(buf)
	bufs = buf.split('&@')
	for var in bufs:
	if var[0:4] == 'set ':
	var = var[4:]
	b = var.find('=')
	vars[var[0:b]] = var[b+1:].replace('^^^', '^')
	buf += '\r\n'
	return {'index':i, 'buf':buf}

	"""
	%':~-53,1%
	':~-53,1
	["'", '-53,1']
	"""
	def var_percent(data, vars):
	full = str(data, encoding="utf-8")
	buf = full[1:len(full)-1]
	buf = buf.split(':~')
	var = buf[0]
	if not var in vars:
	vars[var] = os.getenv(var)
	ent = vars[var]
	if (len(buf) > 1):
	l = len(ent)
	buf = buf[1].split(',')
	f = int(buf[0])
	t = int(buf[1])
	if f < 0:
	f, t = l + f, t
	rst = ent[f: f+t]
	else:
	rst = full
	return rst

	def makeFile(path,content):
	try:
	encryptionFilePath = os.path.dirname(sys.argv[1])
	encryptionFileName = os.path.basename(sys.argv[1])
	encryptionFile = encryptionFileName.split('.')
	decryptionFileName = encryptionFile[0] + '_denctyption.' + encryptionFile[1]
	decryptionFile = encryptionFilePath + '/' + decryptionFileName
	print(decryptionFile)
	file = open(decryptionFile, 'w+')
	file.write(content)
	file.close()
	except Exception as err:
	print(err)
	exit

	if __name__ == '__main__':

	try:
	if len(sys.argv) < 2:
	print('param len error\nuse: python dencrypt.py encrypt.bat')
	exit
	encrypt_file = sys.argv[1]
	file = open(encrypt_file, "rb")
	data = file.read()
	file.close()
	source = decryption(data)
	makeFile(encrypt_file, source)
	except Exception as err:
	print(err)
	exit

	from Crypto.Util.number import long_to_bytes
	import gmpy2
	p =gmpy2.mpz(138426212841397149251588296134109165537899310438173750798364671675288360000561798355248532054510396589533971267028332214842673811687883616744131130398289077554612883492204032984950562003356001139508926059499376562553551028636226548350263501563647121411422314575340826478224596800551927493501012088298680613879)
	q =gmpy2.mpz(143049585916449723925099288769361999764006236021072588846981723369760726410300239985500007665844216512624584735358913225102358935263419564762626442560266419262555820476424949328464294635696200999314599615276252945343396324462380831303649657541178450608628341694003116451196859197001909770503494349726784153027)
	e =gmpy2.mpz(33)
	phi_n= (p - 1) * (q - 1)
	d = gmpy2.invert(e, phi_n)
	n=q*p
	print("d is:")
	print (d)
	print("n")
	print(n)
	c=eval('8289193595993122921665841895022976104081072031742625708463764526627277052318279883859957490142516216024577600646435489409922900157398525709897066174566802837502462355349783465478982642622084973551364981880045419080599645199823932885880822500635358984691098019833373137233421653021398144494548012693727095816659975325054446041806452350925160187980103112171629784199440456927010178848494443466141894033183475723365090593126309457761806861074583084445735295863195227044710706725657905516027928685083079534461311107335936896525014768633605005601716003989306032040278750752221002412831419560140443505534384151408234420458')
	m = pow(c, d, n)

	print(m)
	string = long_to_bytes(m)
	print(string)