-
-
[原创] 杭电hgame2021 week1 writeup
-
发表于: 2021-5-27 12:52
-
杭电hgame2021 week1
web
Hitchhiking_in_the_Galaxy
http请求头,按照每一步提示增加项
watermelon
f12在调试器中查看project.js,搜索1999
宝藏走私者
http请求走私
|
1
2
3
4
5
6
7
8
9
10
11
|
GET / HTTP/1.1
Host: thief.0727.site
GET /secret HTTP/1.1
Host:thief.0727.site
client-ip:127.0.0.1
foo: |
智商检测机
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
|
import requests
import json
from bs4 import BeautifulSoup
from sympy import *
numArr = ["0","1","2","3","4","5","6","7","8","9","-","+"]
def scan(str1):
newStr = ""
for x in range(0,len(str1)):
if str1[x] in numArr:
newStr += str1[x]
return newStr
def getQ(session="session=eyJzb2x2aW5nIjoxfQ.YBfJbQ.L2PH1NyDzVTQcjiJjLR5lqeU4cw"):
headers = {"Cookie":session}
res = requests.get(url="http://r4u.top:5000/api/getQuestion",headers=headers)
return json.loads(res.text)
#q = getQ()def anaylaze(q):
q = q['question']
soup = BeautifulSoup(q,"lxml")
xiaxian = soup.msubsup.mo.next_sibling
shangxian = soup.msubsup.mo.next_sibling.next_sibling
a = soup.math.mn
a = a.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element
b = soup.math.mn.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element
fuhao = soup.math.mn.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element
return [int(scan(str(xiaxian))),int(scan(str(shangxian))),int(scan(str(a))),scan(str(fuhao)),int(scan(str(b)))]
#print(anaylaze(q))def calc(arr):
print(arr)
x = symbols('x')
if arr[3] == "+":
answer = integrate(arr[2]*x+arr[4], (x, arr[0], arr[1]))
else:
answer = integrate(arr[2]*x-arr[4], (x, arr[0], arr[1]))
return(round(answer,2))
#answer = calc(anaylaze(q))def submit(answer,cookie="session=eyJzb2x2aW5nIjoxfQ.YBfJbQ.L2PH1NyDzVTQcjiJjLR5lqeU4cw"):
data = '{"answer":'+str(answer)+'}'
print(data)
headers = {"Cookie":cookie,"Content-Type":"application/json;charset=UTF-8"}
res = requests.post(url="http://r4u.top:5000/api/verify",data=data,headers=headers)
print(res.text)
newCookie = res.headers['Set-Cookie']
print(newCookie)
return newCookie
#submit(answer)def run(cookie):
q = getQ(cookie)
answer = calc(anaylaze(q))
cookie = submit(answer,cookie)
run(cookie)
run("session=eyJzb2x2aW5nIjozfQ.YBfbuQ.R7aqFFYJmRgJ7FITfhRqfCKPNCg")
|
走私者的愤怒
和宝藏走私者一样的考点
re
apacha
主要加密流程如上,写出正向代码,然后对着逆
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
v6l = [ 0x9E3779B9 , 0x3C6EF372, 0xDAA66D2B, 0x78DDE6E4, 0x1715609D, 0xB54CDA56, 0x5384540F]
v7l = [ 0x278DDE6E , 0xF1BBCDC, 0x36A99B4A, 0x1E3779B9, 0x5C55827, 0x2D533695, 0x14E11503]
key = [1, 2, 3, 4]
flag = [0xE74EB323, 0xB7A72836, 0x59CA6FE2, 0x967CC5C1, 0xE7802674, 0x3D2D54E6, 0x8A9D0356, 0x99DCC39C, 0x7026D8ED, 0x6A33FDAD, 0xF496550A, 0x5C9C6F9E, 0x1BE5D04C, 0x6723AE17, 0x5270A5C2, 0xAC42130A, 0x84BE67B2, 0x705CC779, 0x5C513D98, 0xFB36DA2D, 0x22179645, 0x5CE3529D, 0xD189E1FB, 0xE85BD489, 0x73C8D11F, 0x54B5C196, 0xB67CB490, 0x2117E4CA, 0x9DE3F994, 0x2F5AA1AA, 0xA7E801FD, 0xC30D6EAB, 0x1BADDC9C, 0x3453B04A, 0x92A406F9]
''' 正向加密代码flag = b'hgame{aaaaaaaaaaaaaaaaaaaaaaaaaaaa}'flag = list(flag)v5 = flag[34]for i in range(7): for j in range(34):
v5 = flag[j] + ((((v5 >> 5) ^ (4 * flag[j + 1])) + ((16 * v5) ^ (flag[j + 1] >> 3))) ^ ((key[ (j ^ v7l[i] ) & 3 ] ^ v5) + (flag[j + 1] ^ v6l[i])))
v5 &= 0xffffffff
flag[j] = v5
v5 = flag[34] + (((key[(34 ^ v7l[i]) & 3] ^ v5) + (flag[0] ^ v6l[i])) ^ (((4 * flag[0]) ^ (v5 >> 5)) + (((16 * v5) ^ (flag[0] >> 3))&0xffffffff)))
v5 &= 0xffffffff
flag[34] = v5
'''for x in range(7):
i = 6 - x
v5 = flag[34]
flag[34] = v5 - ((((key[(34 ^ v7l[i]) & 3] ^ flag[33]) + (flag[0] ^ v6l[i])) ^ (((4 * flag[0]) ^ (flag[33] >> 5)) + ((16 * flag[33]) ^ (flag[0] >> 3))))&0xffffffff)
flag[34]&=0xffffffff
for y in range(34):
j = 33 - y
v5 = flag[j]
flag[j] = v5 - (((((flag[j-1] >> 5) ^ (4 * flag[j + 1])) + ((16 * flag[j-1]) ^ (flag[j + 1] >> 3))) ^ ((key[ (j ^ v7l[i] ) & 3 ] ^ flag[j-1]) + (flag[j + 1] ^ v6l[i])))&0xffffffff)
flag[j]&=0xffffffff
if(j==0):
flag[j] = v5 - (((((flag[34] >> 5) ^ (4 * flag[j + 1])) + ((16 * flag[34]) ^ (flag[j + 1] >> 3))) ^ ((key[ (j ^ v7l[i] ) & 3 ] ^ flag[34]) + (flag[j + 1] ^ v6l[i])))&0xffffffff)
flag[j]&=0xffffffff
print(bytes(flag))
|
HelloRe
签到题,就是一个异或
pypy
简单的python字节码,对照官方文档写出源码,然后逆
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
raw_flag = ''
cipher = list((raw_flag[6:-1]))
length = len(cipher)
for i in range(length//2):
cipher[2*i],cipher[2*i+1] = cipher[2*i+1],cipher[2*i]
res=[]
for i in range(length):
res.append(ord(cipher[i])^i)
res = bytes(res).hex()
res = b'30466633346f59213b4139794520572b45514d61583151576638643a'
|
pwn
这几道pwn题都非常有意思,虽然考的都是栈溢出、格式化字符串,但是都有一些有趣的细节
whitegive
签到题,输入的是数字,要和一个字符串比较,相等就返回shell
通过调试发现字符串参与比较的其实是它的内存地址
那么我们直接输入这个地址就get shell了
SteinsGate2
week1压轴题,截至目前只有七解
保护全开
首先是要读源码,然后可以发现一个泄露点和一个溢出点和一处格式化字符串漏洞点
其中泄露点虽然不能溢出,但是可以由于printf的\x00才截断的性质,泄露出libc基址,然后调试的时候我们还发现,除了[rbp-0x8]处是canary的值,在栈中还残留着之前函数的canary值,由于canary在一次运行中都一样,所以我们也可以得到canary的值
溢出点就是栈溢出覆盖返回地址,ret2libc
这里的格式化字符串漏洞是个坑点,虽然存在,但经过反复调试发现触发它的条件永远不可能满足,浪费了我好多时间
泄露点+溢出点就可以打通了
然后还是要读源码,得到触发各个漏洞点的条件,也就是第几天要做固定的事
总体流程就是:
首先输入的世界线变化率要与初始世界线变化率的差值小于0.000001,这样我们就满足了 know_true
[招生]科锐逆向工程师培训(2025年3月11日实地,远程教学同时开班, 第52期)!
赞赏记录
参与人
雪币
留言
时间
PLEBFE
为你点赞~
2023-1-13 03:24
Youlor
为你点赞~
2022-7-17 11:40
SYJ-Re
为你点赞~
2021-5-27 18:22
|
|
|---|---|
