代码
## __Author__ = 'boyka'
import itertools
import string
from hashlib import sha256

from pwn import *
# context.log_level = "debug"
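def brute(cipher, tail, alphabet=string.ascii_letters + string.digits, length=4):
    """Solve the proof-of-work: find ``prefix + tail`` whose SHA-256 hex digest is ``cipher``.

    The server prints ``sha256(XXXX+<tail>) == <hex>`` and asks for the
    ``length`` (default 4) characters ``XXXX``, each drawn from ``alphabet``
    (default ``[A-Za-z0-9]``, i.e. 62**4 candidates worst case).

    Args:
        cipher: expected hex digest as ``str`` or ``bytes``; compared
            case-insensitively with surrounding whitespace ignored.
        tail: the known suffix as ``str`` or ``bytes``.
        alphabet: characters tried at each prefix position.
        length: number of prefix characters to brute-force.

    Returns:
        The full preimage ``prefix + tail`` as a ``str`` (the caller takes
        ``[:length]`` as the answer), or ``None`` after printing "not found"
        when no candidate matches.
    """
    # pwntools tubes return bytes on Python 3 (str on Python 2); work in str.
    if not isinstance(tail, str):
        tail = tail.decode()
    if not isinstance(cipher, str):
        cipher = cipher.decode()
    # hexdigest() is lowercase with no whitespace; normalise the target so a
    # trailing "\r" or an upper-case digest from the server cannot cause a miss.
    target = cipher.strip().lower()
    # itertools.product replaces the four hand-written nested loops; order is
    # the same (first position varies slowest).
    for prefix in itertools.product(alphabet, repeat=length):
        candidate = "".join(prefix) + tail
        if sha256(candidate.encode()).hexdigest() == target:
            return candidate
    print("not found")
    return None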
if __name__ == "__main__":
    # NOTE(review): this is a Python 2 script: `print x` statements and the
    # str+tube-output concatenations (e.g. "tail=="+tail) only work on
    # Python 2 / pwntools 2.x, where recv* returns str rather than bytes.
    # The original paste had lost all indentation; it is reconstructed here
    # from the control flow. The only two placements not fixed by syntax are
    # `print(line_enc)` (after the inner j-loop, debug output only) and `break`
    # (after a valid byte is found, so each stage ends on its first hit).

    # --- Stage 1: proof-of-work ----------------------------------------------
    # Server prints "sha256(XXXX+<tail>) == <hex>" and wants the 4-char XXXX.
    #io = remote("47.105.154.127", 10000)
    io = remote("127.0.0.1", 10000)
    io.recvuntil("sha256(XXXX+")
    tail = io.recvuntil(")", drop = True)
    print("tail=="+tail)
    io.recvuntil("== ")
    cipher = io.recvuntil("\n", drop = True)
    print("cipher=="+cipher)
    # brute() returns the full preimage or None (after printing "not found");
    # the None case is not handled here, so x[:4] would raise TypeError.
    x = brute(cipher,tail)
    print x
    io.recvuntil("Give me XXXX:")
    io.sendline(x[:4])
    success("pass proof!")
    io.recvuntil("!!!\n")
    io.recvline()

    # --- Stage 2: recover one block's decryption via a /dec padding oracle ----
    # line_enc is 48 hex chars = 24 zero bytes = three 8-byte blocks. Every
    # write below lands on hex chars 30-2z..32-2z (z = 0..7), i.e. inside the
    # middle block (chars 16..32), and the oracle reads the reply's last block
    # (chars 32..48). Replies are treated as hex text.
    line_enc = "000000000000000000000000000000000000000000000000"
    io.sendline("/dec "+line_enc)
    line_dec = io.recvuntil("\n", drop = True)
    # Middle block of the all-zero decryption; only printed next to dec_mb1
    # below for comparison, never used otherwise.
    line_dec_mb0=line_dec[16:32]
    print(line_enc +" "+line_dec)
    # middle[z] = byte value at middle-block position (7 - z) that made the
    # reply look like valid padding of length z+1; z = 0 is the last byte.
    middle=[]
    for z in range(8):
        print("z= "+hex(z))
        for i in range(0x100):
            # Query 1: middle block with byte (7-z) set to i; the bytes to its
            # right were rewritten at the end of the previous stage for pad
            # value z+1 (see the j-loop below).
            io.sendline("/dec "+line_enc[:30-z*2]+hex(i)[2:].zfill(2)+line_enc[32-z*2:])
            line = io.recvuntil("\n", drop = True)
            # Query 2: same first two blocks, but the third block is replaced
            # by the middle block of query 1's reply (line[16:32]). Why the
            # oracle is probed through this second query depends on the
            # server's /dec format, which is not shown — TODO confirm.
            # NOTE(review): on Python 2, hex() of a value >= 2**63 ends in a
            # trailing 'L', which would corrupt this 16-char field and the
            # enc_result fields below; '%016x' % value avoids that.
            io.sendline("/dec "+line_enc[:30-z*2]+hex(i)[2:].zfill(2)+line_enc[32-z*2:32]+hex(int(line[16:32],16))[2:].zfill(16))
            line = io.recvuntil("\n", drop = True)
            print(hex(i)+"/dec "+line_enc[:30-z*2]+hex(i)[2:].zfill(2)+line_enc[32-z*2:32]+hex(int(line[16:32],16))[2:].zfill(16)+" "+line+" "+line[46-z*2:48-z*2])
            # Oracle: the reply's last-block byte at position (7-z) is absent,
            # i.e. the reply is shorter — presumably because the server
            # stripped z+1 padding bytes, so padding of length z+1 was
            # accepted. For z == 7 a byte value of 0x08 at that position is
            # accepted instead, presumably because a padding-only block is
            # not stripped by the server (the "pitfall" the author mentions;
            # verify against the service).
            if (line[46-z*2:48-z*2] == "")or((line[46-z*2:48-z*2] == "08") and (z == 7) ):
                print hex(z+1)[2:].zfill(2)
                middle.append(i)
                print(middle)
                print(i)
                # True whenever every earlier stage found its byte (one append
                # per stage); acts as a guard against a missed stage.
                if z == len(middle)-1:
                    # Prepare the next stage (pad value z+2): the intermediate
                    # value at position j is middle[j] ^ (j+1), so byte j is
                    # set to middle[j] ^ (j+1) ^ (z+2). The printed expression
                    # is a different (shifted) one and is debug output only.
                    for j in range(z+1):
                        print(hex(middle[j]^j^(z+1))[2:].zfill(2))
                        line_enc = line_enc[:30-j*2]+hex(middle[j]^(j+1)^(z+2))[2:].zfill(2)+line_enc[32-j*2:]
                    print(line_enc)
                break
    # Reverse into left-to-right byte order and remove the pad values: after
    # reversal middle[i] sits at position i from the left, found with pad
    # value 8-i, so dec_mb1 is the 8-byte intermediate (block-cipher output
    # before the CBC XOR) of the probed block, as 16 hex chars.
    middle=middle[::-1]
    dec_mb1=""
    for i in range(len(middle)):
        dec_mb1=dec_mb1+hex(middle[i]^(8-i))[2:].zfill(2)
    print(dec_mb1+" "+line_dec_mb0)

    # --- Stage 3: forge ciphertexts that /cmd decrypts to shell commands ------
    # Two sanity /enc calls whose replies are only printed.
    io.sendline("/enc "+dec_mb1+"0000000000000000")
    line = io.recvuntil("\n", drop = True)
    print(line)
    io.sendline("/enc 00000000000000000000000000000000")
    line = io.recvuntil("\n", drop = True)
    print(line)
    # Encrypt [dec_mb1]["ls" + zero bytes] and XOR the reply from hex char 16
    # on with dec_mb1; the result is sent to /cmd. The server executes
    # whatever it decrypts: the underlying weakness is unauthenticated,
    # malleable CBC ciphertext (no MAC) combined with the /dec padding oracle.
    io.sendline("/enc "+dec_mb1+"6c73000000000000") #ls
    line = io.recvuntil("\n", drop = True)
    enc_result = hex(int(line[16:],16)^int(dec_mb1,16))[2:].zfill(16)
    print(line+" "+enc_result)
    io.sendline("/cmd "+enc_result)
    # Assumes exactly five reply lines from `ls`; fewer lines block on recvline().
    lines = io.recvline()+io.recvline()+io.recvline()+io.recvline()+io.recvline()
    print(lines)
    # Same forgery for "cat flag" (hex of the ASCII bytes).
    io.sendline("/enc "+dec_mb1+"63617420666c6167") #cat flag
    line = io.recvuntil("\n", drop = True)
    print(line+" zlx")
    enc_result = hex(int(line[16:],16)^int(dec_mb1,16))[2:].zfill(16)
    print(line+" "+enc_result)
    io.sendline("/cmd "+enc_result)
    lines = io.recvline()
    print(lines)
    io.interactive()
比赛后才在自己搭建的环境下复现的结果，不确定下图标红的坑是不是需要绕。 (This result was only reproduced after the competition, in a locally rebuilt environment; it is unclear whether the pitfall marked in red in the figure below — not included here — actually needs to be worked around.)