2020网鼎杯

Author Avatar
Xzhah 5月 10, 2020
  • 在其它设备中阅读本文章

[TOC]

Re

bang

用frida脱壳后,明文flag:flag{borring_things}

signal

vm,逻辑如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
read flag
stack=16 ^ flag[0]
flag[0]=stack
stack=flag[0]-5
v4[0]=stack
stack=32 ^ flag[1]
flag[1]=stack
stack=flag[1]*3
v4[1]=stack
stack=flag[2]-2
flag[2]=stack
stack=input[2]-1
v4[2]=stack
stack=input[3]+1
flag[3]=stack
stack=4 ^ flag[3]
v4[3]=stack
stack=flag[4]*3
flag[4]=stack
stack=flag[4]-33
v4[4]=stack
stack=input[5]-1
flag[5]=stack
stack=input[5]-1
v4[5]=stack
stack=9 ^ flag[6]
flag[6]=stack
stack=flag[6]-32
v4[6]=stack
stack=flag[7]+81
flag[7]=stack
stack=36 ^ flag[7]
v4[7]=stack
stack=input[8]+1
flag[8]=stack
stack=input[8]-1
v4[8]=stack
stack=flag[9]*2
flag[9]=stack
stack=flag[9]+37
v4[9]=stack
stack=flag[10]+54
flag[10]=stack
stack=65 ^ flag[10]
v4[10]=stack
stack=flag[11]+32
flag[11]=stack
stack=flag[11]*1
v4[11]=stack
stack=flag[12]*3
flag[12]=stack
stack=flag[12]+37
v4[12]=stack
stack=9 ^ flag[13]
flag[13]=stack
stack=flag[13]-32
v4[13]=stack
stack=flag[14]+65
flag[14]=stack
stack=input[14]+1
v4[14]=stack
assert(v4[0]==0x22)
assert(v4[1]==0x3f)
assert(v4[2]==0x34)
assert(v4[3]==0x32)
assert(v4[4]==0x72)
assert(v4[5]==0x33)
assert(v4[6]==0x18)
assert(v4[7]==0xffffffa7)
assert(v4[8]==0x31)
assert(v4[9]==0xfffffff1)
assert(v4[10]==0x28)
assert(v4[11]==0xffffff84)
assert(v4[12]==0xffffffc1)
assert(v4[13]==0x1e)
assert(v4[14]==0x7a)
done

flag{757515121f3d478}

joker

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
#flag=input()
final=[0x00000066, 0x0000006B, 0x00000063, 0x00000064, 0x0000007F, 0x00000061, 0x00000067, 0x00000064, 0x0000003B, 0x00000056, 0x0000006B, 0x00000061, 0x0000007B, 0x00000026, 0x0000003B, 0x00000050, 0x00000063, 0x0000005F, 0x0000004D, 0x0000005A, 0x00000071, 0x0000000C, 0x00000037, 0x00000066]
for i in range(24):
if(i&1):
print '%d:%s'%(i,chr(final[i]+i))
else:
print '%d:%s'%(i,chr(final[i]^i))
check1=[0x0000000E, 0x0000000D, 0x00000009, 0x00000006, 0x00000013, 0x00000005, 0x00000058, 0x00000056, 0x0000003E, 0x00000006, 0x0000000C, 0x0000003C, 0x0000001F, 0x00000057, 0x00000014, 0x0000006B, 0x00000057, 0x00000059, 0x0000000D]
#flag{d07abccf8a410c2345}
check2='hahahaha_do_you_find_me?'
flag=''
for i in range(19):
flag+=chr(ord(check2[i])^check1[i])
check3=[0x25,0x74,0x70,0x26,0x3A]
for i in range(5):
flag+=chr(0x47^check3[i])
#flag{fak3_alw35_sp_me!!}
print flag

Crypto

you raise me up

https://sagecell.sagemath.org/ sage 在线运行网站

离散对数问题,参考https://blog.csdn.net/qq_39642801/article/details/104158699,利用sage求解:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
m = 391190709124527428959489662565274039318305952172936859403855079581402770986890308469084735451207885386318986881041563704825943945069343345307381099559075
c = 6665851394203214245856789450723658632520816791621796775909766895233000234023642878786025644953797995373211308485605397024123180085924117610802485972584499
n=2**512
ans=discrete_log(mod(c,n),mod(m,n))

def hex2str(s):
i=0
mystr=''
while(i<len(s)):
mystr+=chr(16*int(s[i],16)+int(s[i+1],16))
i+=2
return mystr

hex2str(hex(ans)[2:])

得flag:’flag{5f95ca93-1594-762d-ed0b-a9139692cb4a}’

boom

第一段md5值可以在cmd5中求得为en5oy

第二段解方程x=74,y=68,z=31

第三段解方程x=89127561

flag{en5oy_746831_89127561}