Re re1 把检测断点和ptrace的代码nop了,然后动态跟进去,发现最后输入和以下数组进行异或
0xc,0x1,0x33,0x2f,0x7a,0x7c,0xe0,0x00,0x3,0x7a,0x73,0x4e,0x88,0x6d,0xd2,0xcc
最后做一个倒序,和以下密文进行比较
0xFF,0xE1,0x5F, 0xD7, 0x25, 0x10, 0x13, 0x71, 0x74, 0xBF, 0x19,0x16, 0x5F, 0x5E, 0x30, 0x7F
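# re1: the checker XORs the input with `key`, reverses the result and compares
# it with `c`.  Undoing both steps gives plain[i] = key[i] ^ c[15 - i].
c = [0xFF, 0xE1, 0x5F, 0xD7, 0x25, 0x10, 0x13, 0x71,
     0x74, 0xBF, 0x19, 0x16, 0x5F, 0x5E, 0x30, 0x7F]
key = [0x0C, 0x01, 0x33, 0x2F, 0x7A, 0x7C, 0xE0, 0x00,
       0x03, 0x7A, 0x73, 0x4E, 0x88, 0x6D, 0xD2, 0xCC]

# zip() would silently truncate on a length mismatch, so fail loudly instead.
if len(c) != len(key):
    raise ValueError("key and ciphertext must have the same length")

# Pair every key byte with the ciphertext read back to front.
plain = "".join(chr(k ^ v) for k, v in zip(key, reversed(c)))

# One character per line; print() with parentheses runs on Python 2 and 3.
for ch in plain:
    print(ch)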
re2 解方程组,matlab代码如下
% re2: the check is modelled as 32 linear equations in 32 symbolic unknowns.
% Each eN below is an expression that has to equal zero; solve() treats a bare
% expression as "expression == 0".
% NOTE(review): a10..a131 look like elements 0..31 of one array (a1[0]..a1[31])
% in the decompiled checker - confirm against the binary.
syms a10 a11 a12 a13 a14 a15 a16 a17 a18 a19 a110 a111 a112 a113 a114 a115 a116 a117 a118 a119 a120 a121 a122 a123 a124 a125 a126 a127 a128 a129 a130 a131
e1=37027 * a130+ 50244 * a128+ 37157 * a127+ 58180 * a124+ 1513 * a123+ 39390 * a122+ 29470 * a119+ 44970 * a118+ 48734 * a116+ 2139 * a115+ 45204 * a111+ 35081 * a110+ 39591 * a19+ 47551 * a17+ 20069 * a16+ 45266 * a15+ 22432 * a14+ 44493 * a10- 326 * a11- 57451 * a12- 18424 * a13- 3751 * a18- 6984 * a112- 9410 * a113- 54261 * a114- 62111 * a117- 20305 * a120- 33120 * a121- 11160 * a125- 24198 * a126- 1646 * a129- 13318 * a131 - 34771791
e2=12535 * a130+ 50109 * a125+ 48594 * a122+ 11260 * a121+ 51548 * a120+ 26720 * a118+ 9187 * a116+ 28702 * a114+ 9624 * a113+ 21730 * a111+ 46114 * a19+ 32499 * a18+ 11900 * a15+ 22008 * a14+ 48560 * a12+ -54741 * a10- 3606 * a11- 45416 * a13- 24275 * a16- 64371 * a17- 25714 * a110- 56673 * a112- 39430 * a115- 35779 * a117- 15144 * a119- 45050 * a123- 59016 * a124- 29262 * a126- 55650 * a127- 29492 * a128- 13828 * a129+ 40522 * a131 +9451883
e3=12097 * a130+ 57988 * a128+ 52683 * a127+ 31675 * a126+ 57822 * a125+ 29817 * a122+ 53780 * a121+ 3541 * a120+ 20331 * a119+ 32755 * a116+ 43681 * a115+ 20144 * a114+ 2665 * a111+ 64858 * a110+ 63538 * a19+ 19362 * a17+ 5819 * a15+ 15266 * a14+ 54532 * a13+ 17703 * a10- 16114 * a11- 24359 * a12- 33999 * a16- 58904 * a18- 11844 * a112- 29623 * a113- 42532 * a117- 60912 * a118- 4711 * a123- 56853 * a124- 33486 * a129+ 24590 * a131 - 29782736
e4=51792 * a130+ 36741 * a129+ 32393 * a128+ 59561 * a127+ 48151 * a118+ 37522 * a117+ 28232 * a115+ 2783 * a112+ 28 * a111+ 27013 * a110+ 24960 * a19+ 42702 * a17+ 17219 * a15+ 41149 * a14+ 3430 * a13+ 24247 * a10+ 64898 * a11- 24733 * a12- 16545 * a16- 1315 * a18- 15867 * a113- 12126 * a114- 3823 * a116- 20727 * a119- 12037 * a120- 9347 * a121- 39338 * a122- 50524 * a123- 38675 * a124- 26114 * a125- 4975 * a126- 24297 * a131 - 27959979
e5=64702 * a130+ 13289 * a129+ 25143 * a128+ 35562 * a126+ 54655 * a125+ 26782 * a121+ 3079 * a119+ 52035 * a118+ 62825 * a117+ 57738 * a116+ 5380 * a115+ 64221 * a112+ 41251 * a18+ 15294 * a12+ -32261 * a10- 54551 * a11- 61664 * a13- 40648 * a14- 12277 * a15- 55300 * a16- 63212 * a17- 45548 * a19- 22362 * a110- 32993 * a111- 43046 * a113- 40770 * a114- 7119 * a120- 36194 * a122- 56102 * a123- 19468 * a124- 59856 * a127+ 23822 * a131 +10644544
e6=5977 * a130+ 63681 * a124+ 6461 * a123+ 43924 * a119+ 9886 * a118+ 22558 * a117+ 8314 * a116+ 47577 * a114+ 43847 * a113+ 32583 * a110+ 30627 * a18+ 47843 * a17+ 33702 * a13+ 60965 * a12+ -9407 * a10+ 64048 * a11- 12654 * a14- 56126 * a15- 47366 * a16- 29056 * a19- 50822 * a111- 6240 * a112- 12371 * a115- 23282 * a120- 13137 * a121- 13716 * a122- 43391 * a125- 37217 * a126- 43714 * a127- 55909 * a128- 62806 * a129+ 36688 * a131 - 230179
e7=26401 * a130+ 49426 * a129+ 13407 * a128+ 58093 * a127+ 44955 * a126+ 36904 * a125+ 5856 * a123+ 47030 * a122+ 23917 * a120+ 40389 * a118+ 46343 * a116+ 63390 * a114+ 54218 * a19+ 16024 * a18+ 44459 * a16+ 57144 * a15+ 2565 * a14+ 20301 * a12+ -23136 * a10+ 47281 * a11- 61441 * a13- 31365 * a17- 56894 * a110- 52977 * a111- 39404 * a112- 63477 * a113- 22773 * a115- 50258 * a117- 25970 * a119- 56685 * a121- 55893 * a124- 25199 * a131 - 15871572
e8=22198 * a127+ 41681 * a126+ 53436 * a125+ 11269 * a124+ 15201 * a123+ 14952 * a121+ 58351 * a120+ 1742 * a118+ 7881 * a116+ 18373 * a115+ 50053 * a113+ 3911 * a111+ 15341 * a110+ 42663 * a16+ 22400 * a14+ 4696 * a13+ 18654 * a12+ 62577 * a10+ 23069 * a11- 16178 * a15- 34941 * a17- 50803 * a18- 28229 * a19- 45565 * a112- 45774 * a114- 28140 * a117- 29986 * a119- 40067 * a122- 63863 * a128- 50393 * a129- 14615 * a130+ 16722 * a131 - 12844672
e9=17326 * a130+ 5750 * a127+ 34037 * a125+ 40581 * a124+ 35119 * a122+ 29560 * a121+ 54431 * a117+ 40135 * a114+ 7362 * a111+ 31888 * a110+ 37963 * a13+ 910 * a12+ -39728 * a10+ 57392 * a11- 2274 * a14- 61995 * a15- 43938 * a16- 12412 * a17- 10642 * a18- 10303 * a19- 16356 * a112- 615 * a113- 11314 * a115- 17185 * a116- 61134 * a118- 4620 * a119- 4591 * a120- 51958 * a123- 65066 * a126- 6232 * a128- 60002 * a129+ 30503 * a131 +7906855
e10=31106 * a129+ 2313 * a125+ 32582 * a124+ 61335 * a119+ 50686 * a116+ 27537 * a115+ 58190 * a113+ 25366 * a112+ 56260 * a111+ 6483 * a110+ 61315 * a16+ 48180 * a12+ -16296 * a10- 8786 * a11- 65236 * a13- 48383 * a14- 32713 * a15- 58771 * a17- 47593 * a18- 14512 * a19- 60203 * a114- 7295 * a117- 3885 * a118- 39212 * a120- 40687 * a121- 19258 * a122- 57463 * a123- 24504 * a126- 11629 * a127- 8917 * a128- 4535 * a130+ 38212 * a131 +5359162
e11=33683 * a128+ 48721 * a127+ 59096 * a126+ 17103 * a125+ 13203 * a124+ 51928 * a123+ 33264 * a122+ 39538 * a120+ 30153 * a118+ 35247 * a116+ 528 * a115+ 6847 * a113+ 18706 * a112+ 35320 * a111+ 3265 * a110+ 11413 * a19+ 51102 * a17+ 39253 * a16+ 63683 * a15+ 25689 * a13+ -31610 * a10+ 52623 * a11- 35005 * a12- 9320 * a14- 16508 * a18- 55110 * a114- 63180 * a117- 13666 * a119- 49046 * a121- 42949 * a129- 60950 * a130+ 26096 * a131 - 34815239
e12=49588 * a130+ 61328 * a128+ 5176 * a123+ 50390 * a122+ 21307 * a121+ 46709 * a120+ 28722 * a119+ 3656 * a117+ 15786 * a116+ 21116 * a115+ 49637 * a114+ 45466 * a112+ 30791 * a110+ 59808 * a19+ 15859 * a18+ 6146 * a17+ 47557 * a10+ 52902 * a11- 12806 * a12- 59773 * a13- 9182 * a14- 57417 * a15- 18447 * a16- 54963 * a111- 61599 * a113- 18454 * a118- 30277 * a124- 25544 * a125- 17882 * a126- 25149 * a127- 17363 * a129+ 21848 * a131 - 23582278
e13=18191 * a130+ 58284 * a127+ 4680 * a125+ 42417 * a124+ 36604 * a120+ 54770 * a119+ 33925 * a115+ 45365 * a113+ 12457 * a112+ 38339 * a111+ 42505 * a19+ 29438 * a18+ 60503 * a17+ 5104 * a14+ 59129 * a13+ 37688 * a10+ 23309 * a11- 2616 * a12- 12561 * a15- 3215 * a16- 49703 * a110- 15471 * a114- 23447 * a116- 50859 * a117- 86 * a118- 3773 * a121- 9573 * a122- 25835 * a123- 20107 * a126- 45915 * a128- 56171 * a129+ 29164 * a131 - 30273764
e14=64657 * a130+ 49705 * a127+ 5149 * a126+ 16127 * a125+ 29867 * a122+ 50998 * a121+ 13714 * a119+ 18867 * a114+ 19385 * a113+ 38458 * a111+ 12962 * a110+ 24700 * a19+ 50206 * a15+ 56918 * a13+ 20452 * a10+ 18062 * a11- 56424 * a12- 10457 * a14- 12288 * a16- 54591 * a17- 44777 * a18- 52078 * a112- 9805 * a115- 48011 * a116- 27363 * a117- 20890 * a118- 788 * a120- 7954 * a123- 34056 * a124- 34732 * a128- 54092 * a129+ 35416 * a131 - 7501764
e15=44968 * a130+ 41644 * a126+ 24333 * a125+ 40656 * a123+ 37330 * a122+ 52431 * a120+ 18903 * a119+ 42329 * a116+ 40645 * a113+ 8191 * a18+ 21330 * a15+ 1951 * a12+ -39611 * a10+ 25246 * a11- 37145 * a13- 3824 * a14- 49145 * a16- 43603 * a17- 60671 * a19- 53032 * a110- 48392 * a111- 15417 * a112- 13059 * a114- 58653 * a115- 51631 * a117- 50173 * a118- 44904 * a121- 34380 * a124- 18100 * a127- 57765 * a128- 64534 * a129- 26760 * a131 +35816639
e16=28579 * a130+ 34688 * a129+ 29438 * a127+ 44211 * a124+ 57593 * a121+ 7046 * a119+ 39526 * a118+ 17545 * a117+ 61374 * a116+ 15405 * a115+ 30392 * a114+ 19579 * a112+ 47959 * a111+ 23926 * a19+ 43929 * a15+ 53538 * a13+ 45166 * a12+ -39824 * a10+ 44401 * a11- 2540 * a14- 54452 * a16- 11199 * a17- 19801 * a18- 13592 * a110- 29922 * a113- 34144 * a120- 5305 * a122- 46917 * a123- 4511 * a125- 23881 * a126- 39081 * a128+ 3296 * a131 - 30983928
e17=40454 * a130+ 64380 * a129+ 41415 * a127+ 8487 * a122+ 49381 * a119+ 7959 * a118+ 36587 * a116+ 24510 * a115+ 6928 * a114+ 60087 * a17+ 59815 * a15+ 15203 * a12+ 62215 * a10+ 19566 * a11- 30340 * a13- 15964 * a14- 13939 * a16- 43008 * a18- 44925 * a19- 49239 * a110- 40498 * a111- 54453 * a112- 33557 * a113- 24721 * a117- 21456 * a120- 40311 * a121- 61111 * a123- 18918 * a124- 33393 * a125- 9301 * a126- 61619 * a128+ 58498 * a131 +4472687
e18=2766 * a129+ 14305 * a128+ 10809 * a126+ 6578 * a124+ 53612 * a123+ 36333 * a121+ 30380 * a120+ 3633 * a119+ 35027 * a118+ 62097 * a115+ 39085 * a114+ 21483 * a113+ 43131 * a111+ 5725 * a19+ 40291 * a18+ 63291 * a15+ 57560 * a14+ 40977 * a13+ 33894 * a12+ 35423 * a10- 12994 * a11- 32256 * a16- 23534 * a17- 40660 * a110- 19119 * a112- 33732 * a116- 63756 * a117- 13528 * a122- 47605 * a125- 43202 * a127- 42819 * a130- 34232 * a131 - 18523534
e19=48054 * a129+ 27903 * a128+ 44427 * a127+ 26215 * a126+ 10136 * a125+ 62674 * a120+ 31419 * a119+ 13647 * a118+ 19761 * a115+ 34155 * a111+ 26302 * a17+ 27559 * a16+ 53130 * a15+ 27162 * a14+ 55103 * a13+ 58838 * a12+ 44942 * a10+ 63420 * a11- 24313 * a18- 42499 * a19- 21629 * a110- 2633 * a112- 55014 * a113- 22926 * a114- 305 * a116- 63708 * a117- 32334 * a121- 47684 * a122- 54226 * a123- 50848 * a124- 15102 * a130- 22362 * a131 - 20982750
e20=59525 * a130+ 23936 * a128+ 61587 * a127+ 4221 * a126+ 55552 * a125+ 13058 * a124+ 45781 * a115+ 65438 * a114+ 51231 * a113+ 33875 * a111+ 6137 * a18+ 62261 * a16+ 46559 * a14+ 26426 * a13+ 9153 * a12+ 6300 * a10- 30549 * a11- 55683 * a15- 44433 * a17- 46194 * a19- 57198 * a110- 45266 * a112- 6605 * a116- 43397 * a117- 7672 * a118- 48485 * a119- 54035 * a120- 12567 * a121- 47051 * a122- 62256 * a123- 9828 * a129+ 50225 * a131 - 5070455
e21=39286 * a130+ 13236 * a129+ 42884 * a124+ 12704 * a123+ 53136 * a122+ 47722 * a119+ 30422 * a118+ 10481 * a117+ 55058 * a116+ 63967 * a115+ 8353 * a111+ 62270 * a110+ 12090 * a19+ 14796 * a14+ 59059 * a13+ 5686 * a12+ -28415 * a10+ 36297 * a11- 11307 * a15- 57251 * a16- 29507 * a17- 41415 * a18- 24476 * a112- 41751 * a113- 46589 * a114- 55870 * a120- 6321 * a121- 34350 * a125- 32922 * a126- 64909 * a127- 50870 * a128+ 49349 * a131 - 3066924
e22=18612 * a127+ 54808 * a125+ 42491 * a123+ 16634 * a122+ 52361 * a121+ 6252 * a120+ 63445 * a118+ 57764 * a116+ 3991 * a115+ 61646 * a114+ 23244 * a110+ 29174 * a19+ 5707 * a16+ 63976 * a14+ 58731 * a12+ 15479 * a10+ 10453 * a11- 9782 * a13- 9166 * a15- 21516 * a17- 2689 * a18- 47968 * a111- 38843 * a112- 13488 * a113- 57649 * a117- 487 * a119- 30704 * a124- 61218 * a126- 32873 * a128- 58677 * a129- 2280 * a130+ 35233 * a131 - 26232118
e23=38132 * a130+ 58430 * a128+ 38392 * a127+ 29396 * a125+ 15688 * a124+ 28509 * a121+ 23301 * a117+ 56629 * a116+ 11252 * a114+ 28641 * a113+ 35504 * a112+ 41197 * a111+ 9520 * a14+ 50614 * a12+ 36368 * a10- 30534 * a11- 7805 * a13- 60795 * a15- 17511 * a16- 34692 * a17- 22139 * a18- 49013 * a19- 24672 * a110- 22264 * a115- 55578 * a118- 61882 * a119- 48469 * a120- 8197 * a122- 43020 * a123- 36911 * a126- 6762 * a129+ 56670 * a131 +860377
e24=19958 * a129+ 35318 * a127+ 58305 * a124+ 55072 * a120+ 58300 * a116+ 16494 * a113+ 61205 * a19+ 8511 * a18+ 21876 * a16+ 1791 * a13+ 28247 * a12+ 3542 * a10- 17533 * a11- 44455 * a14- 2748 * a15- 38052 * a17- 16528 * a110- 4664 * a111- 13326 * a112- 52661 * a114- 38860 * a115- 60164 * a117- 39975 * a118- 19566 * a119- 55251 * a121- 8160 * a122- 54674 * a123- 29010 * a125- 6627 * a126- 15962 * a128- 10549 * a130- 8177 * a131 +14482154
e25=15394 * a129+ 13827 * a128+ 47703 * a127+ 37204 * a126+ 8621 * a123+ 26034 * a120+ 38644 * a119+ 26883 * a118+ 31346 * a117+ 29853 * a115+ 2052 * a113+ 37617 * a18+ 35004 * a13+ 25124 * a12+ -7510 * a10- 61303 * a11- 34033 * a14- 49161 * a15- 6021 * a16- 36125 * a17- 10528 * a19- 47741 * a110- 45531 * a111- 1546 * a112- 59464 * a114- 22656 * a116- 24655 * a121- 9816 * a122- 22299 * a124- 23745 * a125- 23945 * a130+ 48741 * a131 +17062269
e26=27496 * a129+ 8511 * a127+ 61644 * a126+ 35917 * a124+ 16432 * a121+ 53570 * a119+ 30949 * a118+ 56668 * a116+ 5395 * a115+ 47866 * a114+ 33349 * a112+ 41169 * a19+ 34746 * a16+ 39102 * a15+ 19310 * a10+ 1288 * a11- 38840 * a12- 49229 * a13- 40618 * a14- 41363 * a17- 45367 * a18- 21440 * a110- 36535 * a111- 43289 * a113- 41392 * a117- 40337 * a120- 1430 * a122- 28334 * a123- 46487 * a125- 42458 * a128- 59664 * a130+ 64335 * a131 - 6695285
e27=41403 * a129+ 13806 * a127+ 26203 * a126+ 59304 * a124+ 56824 * a122+ 3954 * a121+ 33269 * a120+ 12986 * a116+ 60427 * a115+ 42087 * a114+ 30996 * a113+ 51835 * a111+ 53494 * a19+ 33384 * a18+ 41797 * a14+ 17974 * a13+ -18187 * a10+ 28981 * a11- 53485 * a12- 20458 * a15- 8491 * a16- 16831 * a17- 31995 * a110- 12109 * a112- 51691 * a117- 58925 * a118- 40872 * a119- 30202 * a123- 30793 * a125- 42110 * a128- 1100 * a130- 26194 * a131 - 16909859
e28=53536 * a129+ 47559 * a128+ 42732 * a124+ 34737 * a123+ 48156 * a122+ 15071 * a121+ 38175 * a118+ 12186 * a117+ 28859 * a116+ 19225 * a113+ 28950 * a111+ 19883 * a19+ 40590 * a17+ 44081 * a15+ 20386 * a14+ -40011 * a10- 26232 * a11- 4849 * a12- 60564 * a13- 50739 * a16- 17237 * a18- 35381 * a110- 4203 * a112- 50964 * a114- 39946 * a115- 22511 * a119- 20539 * a120- 60250 * a125- 61430 * a126- 11009 * a127- 8879 * a130+ 46741 * a131 +1622782
e29=5442 * a129+ 45907 * a128+ 7689 * a127+ 56136 * a125+ 20039 * a124+ 18672 * a123+ 41239 * a122+ 9871 * a120+ 34328 * a118+ 27387 * a117+ 41615 * a116+ 41961 * a113+ 50367 * a112+ 59350 * a18+ 29632 * a17+ 22126 * a16+ 61953 * a15+ 34932 * a14+ 3756 * a13+ -42653 * a10+ 43668 * a11- 10988 * a12- 48711 * a19- 23958 * a110- 33557 * a111- 17831 * a114- 4583 * a115- 29750 * a119- 49888 * a121- 30956 * a126- 41068 * a130+ 23514 * a131 - 33025495
e30=41909 * a126+ 24036 * a124+ 21760 * a122+ 50228 * a121+ 63177 * a119+ 6738 * a118+ 869 * a117+ 19553 * a115+ 53583 * a114+ 59508 * a113+ 15986 * a111+ 3678 * a15+ 10458 * a14+ 5179 * a13+ 38342 * a12+ -26968 * a10- 23313 * a11- 32333 * a16- 43275 * a17- 2423 * a18- 60827 * a19- 42621 * a110- 27590 * a112- 56307 * a116- 30359 * a120- 19919 * a123- 18153 * a125- 6931 * a127- 5822 * a128- 30949 * a129- 16572 * a130+ 11920 * a131 +10454601
e31=43819 * a129+ 54696 * a127+ 55323 * a124+ 63177 * a123+ 6747 * a122+ 31098 * a121+ 37870 * a118+ 55168 * a116+ 1703 * a115+ 64744 * a114+ 57567 * a112+ 35013 * a111+ 52295 * a110+ 46356 * a19+ 29760 * a17+ 4313 * a16+ 18877 * a15+ 8314 * a14+ 35980 * a12+ 8386 * a10+ 57646 * a11- 4029 * a13- 47059 * a18- 25490 * a113- 62526 * a117- 63227 * a119- 27315 * a120- 23370 * a125- 37329 * a126- 6309 * a128- 12433 * a130+ 8882 * a131 - 51177223
e32=17153 * a127 + 41549 * a126 + 28202 * a124 + 36806 * a123 + 12690 * a122 + 42821 * a120 + 39834 * a119 + 17994 * a117 + 32765 * a114 + 25687 * a110 + 33388 * a19 + 143 * a14 + 63776 *a10 + 8682 * a11 - 16324 * a12 - 20022 * a13 - 48973 * a15 - 57775 * a16 - 43820 * a17 - 41070 * a18 - 15669 * a111 - 6946 * a112 - 23187 * a113 - 46495 * a115 - 8395 * a116 - 27782 * a118 - 46043 * a121 - 15428 * a125 - 59010 * a128 - 49235 * a129 - 53666 * a130 + 28539 * a131 +15479857
% Solve all 32 equations for the 32 unknowns; the outputs aa10..aa131 come back
% in the order the variables are listed after the equations.
% NOTE(review): the solved values are presumably the character codes of the
% flag (the write-up only says the solution yields the flag) - confirm.
[aa10,aa11,aa12,aa13,aa14,aa15,aa16,aa17,aa18,aa19,aa110,aa111,aa112,aa113,aa114,aa115,aa116,aa117,aa118,aa119,aa120,aa121,aa122,aa123,aa124,aa125,aa126,aa127,aa128,aa129,aa130,aa131]=solve(e1,e2,e3,e4,e5,e6,e7,e8,e9,e10,e11,e12,e13,e14,e15,e16,e17,e18,e19,e20,e21,e22,e23,e24,e25,e26,e27,e28,e29,e30,e31,e32,a10,a11,a12,a13,a14,a15,a16,a17,a18,a19,a110,a111,a112,a113,a114,a115,a116,a117,a118,a119,a120,a121,a122,a123,a124,a125,a126,a127,a128,a129,a130,a131)
即可得到flag。
re3 这题多解,我佛了
其实这一坨就是矩阵相乘取余:`((0x67144772A3C047E5LL * (signed __int128)v26) >> 64) >> 28` 这里把v26提出来算常数就知道,它等价于v26除以666666666取商;原式再用v26减去这个商乘以666666666,这么一来就只剩余数了。(也可以把代码dump下来爆破)
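#include <cstring>
#include <iostream>

using namespace std;

typedef long long ll;

// 3x3 row-major tables.  Every loop below runs over indices 1..2 only, so each
// table effectively holds a 2x2 matrix in its lower-right corner.
ll table1[] = {0, 0, 0, 0, 1, 1, 0, 1, 0};      // inner block [[1, 1], [1, 0]]
ll table2[] = {0, 0, 0, 0, 1, 0, 0, 0, 1};      // inner block = identity
ll table3[] = {0, 0, 0, 0, 0, 0, 0, 0, 0};      // never read by the checker
ll table3_old[] = {0, 0, 0, 0, 0, 0, 0, 0, 0};  // never read by the checker

// Reduce x modulo 666666666 with the multiply-and-shift sequence taken from the
// decompiled binary (7427640243139921893 == 0x67144772A3C047E5).  All values
// reaching it in this program are non-negative.
static ll reduce(ll x) {
    return x - 666666666 * ((((unsigned __int128)(7427640243139921893 * (signed __int128)x) >> 64) >> 28) - (x >> 63));
}

// dst = lhs * rhs (mod 666666666) on the inner 2x2 block.  The product is built
// in a scratch buffer, so dst may alias lhs and/or rhs.
static void mul_into(ll *dst, const ll *lhs, const ll *rhs) {
    ll tmp[9] = {0, 0, 0, 0, 0, 0, 0, 0, 0};
    for (int i = 1; i < 3; ++i) {
        for (int j = 1; j < 3; ++j) {
            if (!lhs[j + 3 * i]) {
                continue;  // a zero factor contributes nothing to the row
            }
            for (int k = 1; k < 3; ++k) {
                ll v26 = rhs[j * 3 + k] * lhs[j + 3 * i];
                ll v27 = tmp[i * 3 + k] + reduce(v26);
                tmp[i * 3 + k] = reduce(v27);
            }
        }
    }
    memcpy(dst, tmp, sizeof(tmp));
}

// Put all four global tables back to their start-up contents.
static void reset_tables() {
    static const ll init1[] = {0, 0, 0, 0, 1, 1, 0, 1, 0};
    static const ll init2[] = {0, 0, 0, 0, 1, 0, 0, 0, 1};
    memcpy(table1, init1, sizeof(table1));
    memcpy(table2, init2, sizeof(table2));
    memset(table3, 0, sizeof(table3));
    memset(table3_old, 0, sizeof(table3_old));
}

// table2 = table2 * table1 (mod 666666666).
void encrpt1() {
    mul_into(table2, table2, table1);
}

// table1 = table1 * table1 (mod 666666666).
void encrpt2() {
    mul_into(table1, table1, table1);
}

// Square-and-multiply over the bits of `input`: table2 ends up as the start
// matrix raised to the power `input`, and entry [1][2] is returned.  For the
// matrix [[1, 1], [1, 0]] that entry is the input-th Fibonacci number modulo
// 666666666; such a sequence is periodic, which is why many inputs share one
// result.
//
// The tables are reset on entry so a call no longer depends on whatever an
// earlier call left in the globals.  Precondition: input >= 0 (a negative
// value never shifts down to zero).
ll check1(ll input) {
    reset_tables();
    while (input) {
        if (input & 1) {
            encrpt1();
        }
        encrpt2();
        input >>= 1;
    }
    return reduce(table2[5]);
}

// Exhaustive search for every input below the bound whose check value matches
// the constant compared in the binary.
int main() {
    for (ll i = 0; i < 918020069; ++i) {
        if (check1(i) == 571036091) {
            cout << "okkkkkkkkkk!" << i << endl;
        }
    }
}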
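import itertools

# Candidate values (presumably the inputs reported by the re3 brute-force
# search - confirm against its output).
ans = [
    5104421, 109010035, 119218877, 223124491,
    233333333, 337238947, 347447789, 451353403,
    461562245, 565467859, 575676701, 679582315,
    689791157, 793696771, 803905613, 907811227,
]

# The three parts of the flag have to add up to this constant.
TARGET = 0x36B7DFE5

# combinations() walks the triples in the same i < j < k order as three nested
# index loops, so the candidates come out in the same order.
flags = [
    "flag{" + "_".join(str(value) for value in triple) + "}"
    for triple in itertools.combinations(ans, 3)
    if sum(triple) == TARGET
]

# print() with parentheses runs on Python 2 and 3.
for flag in flags:
    print(flag)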
然后稍微试一试就知道了,然后发现多解。。。
Crypto rsa 设x是p的前200位,y是p的后200位
n=x*y*10^400+( y^2+x^2)*10^200+x*y
所以可以根据n的前200位以及最后200位确定出x*y的值(需要微调一下前200位的值)
已知x*y以及x*y*10^400+(y^2+x^2)*10^200+x*y,可以求出x,y的值。具体见如下脚本
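import math

# x*y, where x is the leading and y the trailing 200 decimal digits of p.
pimul = 2117306430457495084373744640919209184441085835440785339151821982858580957554648046398035452941253078562547380021066127607547324391257803263684574686690799140082210093930925498879813981907487546461281266736088527333762011263273533065540484105964087424030617602336598479611569611018708530024591023015267812545697478378348866840434551477126856261767535209092047810194387033643274333303926423370062572301
n = 21173064304574950843737446409192091844410858354407853391518219828585809575546480463980354529412530785625473800210661276075473243912578032636845746866907991400822100939309254988798139819074875464612813385347487571449985243023886473371811269444618192595245380064162413031254981146354667983890607067651694310528489568882179752700069248266341927980053359911075295668342299406306747805925686573419756406095039162847475158920069325898899318222396609393685237607183668014820188522330005608037386873926432131081161531088656666402464062741934007562757339219055643198715643442608910351994872740343566582808831066736088527333762011263273533065540484105964087424030617602336598479611569611018708530024591023015267812545697478378348866840434551477126856261767535209092047810194387033643274333303926423370062572301
c = 16396023285324039009558195962852040868243807971027796599580351414803675753933120024077886501736987010658812435904022750269541456641256887079780585729054681025921699044139927086676479128232499416835051090240458236280851063589059069181638802191717911599940897797235038838827322737207584188123709413077535201099325099110746196702421778588988049442604655243604852727791349351291721230577933794627015369213339150586418524473465234375420448340981330049205933291705601563283196409846408465061438001010141891397738066420524119638524908958331406698679544896351376594583883601612086738834989175070317781690217164773657939589691476539613343289431727103692899002758373929815089904574190511978680084831183328681104467553713888762965976896013404518316128288520016934828176674482545660323358594211794461624622116836
e = 65537

# n = x*y*10^400 + (x^2 + y^2)*10^200 + x*y, so removing both x*y terms and
# dividing by 10^200 leaves x^2 + y^2.  Integer division (//) keeps the value
# exact; "/" would turn it into a float on Python 3.
pjia2 = (n - pimul * pow(10, 400) - pimul) // pow(10, 200)

# (x^2 + y^2)^2 - 4*(x*y)^2 == (x^2 - y^2)^2
p2 = pjia2 * pjia2 - 4 * pimul * pimul
p2s = math.isqrt(p2)

# ((x^2 + y^2) + (x^2 - y^2)) / 2 == x^2
pb200 = math.isqrt((pjia2 + p2s) // 2)
pe200 = pimul // pb200

p = pb200 * pow(10, 200) + pe200
q = pe200 * pow(10, 200) + pb200

# isqrt() and // round down silently; make sure the halves really rebuild n
# before the result is trusted.
if p * q != n:
    raise ValueError("recovered factors do not multiply back to n")

phi = (p - 1) * (q - 1)
d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
plain = pow(c, d, n)

# Big-endian bytes of the plaintext integer, shown as text.
print(plain.to_bytes((plain.bit_length() + 7) // 8, "big").decode("utf-8", errors="replace"))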
MISC misc3 f12发现可疑的东西
一个转成0一个转成1,再转字符串
twocats 盲水印,现成脚本解码即可
MISC1
打开看到一串乱码结果,推测应该是某种特定编码或者编码转换的错误
在使用010 Editor和 WinHex查看以及放到Linux下改变编码都不可以
使用偏门编码逐一尝试,在使用EBCDIC编码时,成功看到flag
MISC2 进去看到python代码,稍作格式化整理
这里注意到使用了open()函数打开了flag文件,然后把flag文件进行删除操作
但这里有个问题:由于采用了open()文件操作函数,在Linux下会在/dev/fd下生成该进程的文件描述符,而/dev/fd/3是读取文件系统的描述符。文件虽然被删除,但只要进程还持有这个打开的描述符,文件内容就不会被真正释放,所以直接读取/dev/fd/3会把之前open的文件内容读取出来;除非当前进程被关闭后重新打开,这时候3中的内容才会改变(如果修改了flag)
https://blog.csdn.net/zhangpeterx/article/details/90672749
https://unix.stackexchange.com/questions/74454/somethings-special-about-dev-fd-3
http://www.tldp.org/LDP/abs/html/io-redirection.html
WebShell 下载下来是个数据包,直接追踪**HTTP**流
基本可以确定是被加密混淆的流量
这里编写正则提取出所有的chr中的十六进制字符,然后转换成字符串
这里提取的解密最后部分有点乱码,但不影响解密
这里对所有的数据包解密后,可以看到最后两个数据包涉及flag读取操作
上面的base64解码为/bin/sh
下面base64解码为 `cd "/var/www/html/tmp";cat flag|base64 ;echo [S];pwd;echo [E]`
可以看到最后一个数据包是flag读取响应包
其中AES的key可知为 `$key='f5045b05abe6ec9b1e37fafa851f5de9';`
删掉前后的0897d 60c97 然后使用PHP的openssl直接解密即可
把最后一行
bm5ubm5ubm5ubm5ubm5ubm4KZmxhZ3tBbnRTd29yZF9pc19Qb3dlcmZ1bF8zMjIyMjIyISEhIX0K
Base64解密即可得到flag
Web Ezbypass 这是最近的php7系列disable function bypass的题
把
https://github.com/mm0r1/exploits/blob/master/php7-gc-bypass/exploit.php
脚本进行修改
命令改写成 /readflag
然后部署到自己的服务器上面
直接部署到自己的服务器,然后远程读取,本地包含即可绕过disable function读到flag
Ezupload
下载下来恢复看看
这里直接把username置为空 不发送password参数即可绕过限制
在上传界面要求上传图片,这里用bp抓包修改,但发现不能发送php文件
于是尝试phtml
发现要求图片,这里加上GIF89a标识,即可成功上传
直接蚁剑连上即可,在根目录执行readflag即可