-
-
[原创][原创]KCTF2023 第二题wp
-
2023-9-5 08:05 8036
-
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 | from itertools import combinations from itertools import product from itertools import permutations from itertools import combinations_with_replacement import hashlib numbers = [] dict = {} anti = {} def genNums(): items = [ '0' , '1' , '2' ] for p in product(items, items, items, items): #print(''.join(p)) if ' '.join(p) == ' 0000 ' or ' '.join(p) == ' 1111 ' or ' '.join(p) == ' 2222 ': continue k = ''.join(p) numbers.append(k) arr = [] for i in range ( 4 ): if p[i] = = '0' : arr.append( 0 ) elif p[i] = = '1' : arr.append( 1 ) elif p[i] = = '2' : arr.append( - 1 ) else : print ( 'unknown num' + p[i]) dict [k] = arr print ( dict ) def sumItem(a, b): if a[ 0 ] + b[ 0 ] = = 0 and a[ 1 ] + b[ 1 ] = = 0 and a[ 2 ] + b[ 2 ] = = 0 and a[ 3 ] + b[ 3 ] = = 0 : return 0 # raise Exception("invalid sum") def checkItem(items): for n in range ( 4 ): count = 0 for i in items: if dict [i][n] = = 0 : count + = 1 if count ! = 13 : raise Exception( "invalid zero" ) for item in combinations(items, 2 ): sumItem( dict [item[ 0 ]], dict [item[ 1 ]]) def printItems(items): str = '' for i in range ( 4 ): for item in items: str + = item[i] #print(str) return str def permuteUnique(nums): return list ( set (permutations(nums))) def genNum2(): data = list ( '0' * 13 + '1' * 13 + '2' * 13 ) all = permuteUnique(data) print ( len ( all )) for i in all : print (''.join(i)) def getInfo(l): info = [ 0 , 0 , 0 ] for i in l: if dict [i][ 1 ] = = 0 : info[ 0 ] + = 1 elif dict [i][ 1 ] = = 1 : info[ 1 ] + = 1 elif dict [i][ 1 ] = = - 1 : info[ 2 ] + = 1 return info def brute2(): genNums() array0 = [] array12 = [] array1 = [] array2 = [] tmp1 = [] tmp2 = [] dict01 = {} dict02 = {} for i in combinations(numbers, 2 ): if sumItem( dict [i[ 0 ]], dict [i[ 1 ]]) = = 0 : anti[i[ 0 ]] = i[ 1 ] anti[i[ 1 ]] = i[ 0 ] if i[ 0 ][ 0 ] = = '0' : array0.append( list (i)) elif i[ 0 ][ 0 ] = = '1' : array1.append( list (i)[ 0 ]) set1 = set (array1) else : print (i) if i[ 0 ][ 0 ] = = '0' : if not i[ 0 ] in dict01.keys(): dict01[i[ 0 ]] = [] if not i[ 0 ] in dict02.keys(): dict02[i[ 0 ]] = [] if i[ 1 ][ 0 ] = = '1' : dict01[i[ 0 ]].append(i[ 1 ]) elif i[ 1 ][ 0 ] = = '2' : dict02[i[ 0 ]].append(i[ 1 ]) #print(dict01) for i0 in product(array0[ 0 ], array0[ 1 ], array0[ 2 ], array0[ 3 ], array0[ 4 ], array0[ 5 ], array0[ 6 ], array0[ 7 ], array0[ 8 ], array0[ 9 ], array0[ 10 ], array0[ 11 ], array0[ 12 ]): l = list (i0) l.sort() set1 = set () for i in l: if len (set1) = = 0 : set1 = set (dict01[i]) #print(set1) else : set1 = set1 & set (dict01[i]) print (l, set1) l1 = list (set1) l1.sort() for i1 in combinations(l1, 13 ): tmp = list (set1 - set (i1)) tmp.sort() l2 = [] for i2 in tmp: l2.append(anti[i2]) l2.sort() #print(l, list(i1), l2) l1 = list (i1) l1.sort() info = getInfo(l) info1 = getInfo(l1) info2 = getInfo(l2) if info[ 0 ] + info1[ 0 ] + info2[ 0 ] = = 13 and info[ 1 ] + info1[ 1 ] + info2[ 1 ] = = 13 and info[ 2 ] + info1[ 2 ] + info2[ 2 ] = = 13 : #print(l, l1, l2) str = printItems(l + l1 + l2) if hashlib.md5( str .encode()).hexdigest() = = "aac82b7ad77ab00dcef90ac079c9490d" : print ( str ) # Press the green button in the gutter to run the script. if __name__ = = '__main__' : brute2() |
根据提示信息和逆向分析结果,将爆破范围缩小到2^13*cn(13,26)数量级之后,进行爆破,得到flag
000000000000011111111111112222222222222000011111111100001122222220000011222222011100011122200120200112220112202001122101201201201212001212020120121202010201
[培训]二进制漏洞攻防(第3期);满10人开班;模糊测试与工具使用二次开发;网络协议漏洞挖掘;Linux内核漏洞挖掘与利用;AOSP漏洞挖掘与利用;代码审计。
赞赏
他的文章
看原图