整理文件翻出了半年前的东西,发一下
优化了一些脚本
简单的base64
sing me up
多次base64解码可得
with open('./sign_me_up') as f:
data=f.read()
import base64
for i in range(1000):
data=base64.b64decode(data)
if b'flag' in data:
print(data)
break
findpass
压缩包末尾可见解压密码
winhex打开可得flag
treasure
py -2 vol.py -f memdump.mem imageinfo
py -2 vol.py -f memdump.mem --profile=Win7SP1x64 pslist
找到比较可疑的wordpad.exe,pid=2260
dump出来搜索flag字符串可得flag
py -2 vol.py -f memdump.mem --profile=Win7SP1x64 memdump -p 2260 -D ./
so easy
binwalk找到flag_enc.enc
pcap包内找到私钥
利用openssl中的rsautl -decrypt -in flag_enc.enc -inkey privateKey.pem解开加密文件
转字符得到flag
base
IDA打开,f5反编译可得
if判断中前两个判断比较了开头结尾必须为flag{和},后两个函数的逻辑如下:
↑很明显的换表(若为字母,大小写互换),↓很明显的base64,题目名也提示了
显然为换表的base64,构造解密脚本:
import base64
import string
str1 = "Agf2zwz1BML0"
# new table
string1 = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/"
# original table
string2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
print (base64.b64decode(str1.translate(str.maketrans(string1,string2))))
或直接使用CyberChef:
RE4
用jadx打开,看到被加密的Flag_en.dex文件,在\com\zhuotong\re4\MainActivity中找到encrypt(),为加密函数
该函数中调用的copy()如下,即Arr2 = Arr2[:i] + Arr,返回len(Arr2):
即
copy(bArr7, bArr, copy(bArr6, bArr, copy(bArr5, bArr, copy(bArr4, bArr, copy(bArr3, bArr, copy(bArr2, bArr, 0))))));
可以化简为Arr(key) = Arr2(p0) + Arr3(p8) + ... + Arr7(p48),且len=24。
参考一文读懂 DEX 文件格式解析,由
for (int i = 0; i < length; i++) {
bArr8[i] = (byte) (bArr8[i] ^ bArr[i % 24]);
}
且Flag_en.dex的file size为812,整理如下:
p0^p0=c0 # 0x00000000
p8^p4=c4 # p4=0x30333500, get p8
p16^p8=c8 # known p8&c8, get p16
p32^p12=c12 # p32 (0x20) is file_size = 0x2c030000 (812,0x0000032c)
p40^p16=c16 # p40=0x78563412
p48^p20=c20 # p48 (0x30) is link_off = 0x00000000
...
p0^p48=c48 # known p48, get p0
构造脚本
from libnum import n2s
with open('Flag_en.dex','rb') as f:
data=f.read()
d2=data.hex()
key=d2[96:104] #get p0
p=0x30333500
for i in range(8,24,8):
p=p^int(d2[i:i+8],16) #get p8,p16
key+=hex(p)[2:].zfill(8)
key+='2c0300007856341200000000' #p32,p40,p48
key=list(bytearray.fromhex(key))
res=b''
for i in range(len(data)):
res+=n2s(key[i%24]^data[i])
with open('Flag.dex','wb') as f2:
f2.write(res)
base64解密得到flag
php审计
参考代码审计--变量覆盖漏洞 - CSDN,构造
?a=&b=
得到flag
异想天开
import base64
import requests
url = '---'
res = requests.session()
ans = res.put(url=url,data='message')
print (base64.b64decode(ans.content))
复盘-change3 (rsa)
题目所给数据如下
((p+q)**2-2*n)**2-2*n**2:
17139247138621108110267372649828533418536767737695221189424954618216205681656989058442648388579615342281074498947962467179493001033467280368001755022592040284145591971899754292757729801406703466930466132865207684683606404842800322519993820417418378189879981644278422056320391824566882101302880669164824372872695414099594788221695495466768308735871769176424176663804613579673554530738771506091097196368202954008781621005771653768707855527166341400343533394477500595097344817523894819666098466130018836342101856304138635276087319353852420418091592676597353097276029182048678208069022788143048026459865137033775245607522
n:
82069430046337681723021668559023589123940769063554004340280487288285378380254182514792585851158128608742772541626478941930664294394804225515969973481525739055677314229577494462978872000012015126021480270994845091961760866661624220447581088713787971734379095061608257022018325790244959854482040102912914748281
e:
65537
c:
51154595075485579698661275523886327267861447145097756788916619597786370655185140681805676237787193541416585725053869518921436458721099576961705517097277141697935014443532188355193626861003314681692350343325953306812886556917229436250774033481355385932974827110999243554731789150210339422185132833908785710846
由于已经给出
易算出
只需将该式开方,得到的结果+2n,再开方,即可得到p+q
import gmpy2
# 计算平方结果
res = tmp+2*n**2
# 将该结果开方,计算(p+q)^2-2n
res = gmpy2.isqrt(res)
# +2n,得到(p+q)^2
res += 2*n
# 开方,得到p+q
res = gmpy2.isqrt(res)
由于n = p*q,phi = (p-1)*(q-1) = pq-(p+q)+1,所以phi = n-(p+q)+1
又由于d = gmpy2.invert(e, phi),m=pow(c,d,n),则可得明文m
phi = n-res+1
d = gmpy2.invert(e, phi)
m = pow(c,d,n)
转字符串可得flag
libnum.n2s(int(m))
> b'flag{9988b6cef9cbf41624095f6d32fade05}'
