Snowboard

An unconventional stego challenge. The flag that a plain strings run prints is wrong, and binwalk shows there is a hidden file; it later turned out that setting the right strings parameters reads the correct flag out directly.

Q1RGbGVhcm57U2tpQmFuZmZ9Cg==

Decoding it gives

CTFlearn{SkiBanff}

PDF by fdpumyp

A PDF file; strings gives

Q1RGbGVhcm57KV8xbDB3M3kwVW0wMG15MTIzfQ==
CTFlearn{)_1l0w3y0Um00my123}

Tux!

strings gives
ICAgICAgUGFzc3dvcmQ6IExpbnV4MTIzNDUK
Password: Linux12345

binwalk extracts a zip file.
Enter that as the extraction password and you get the flag:

CTFlearn{Linux_Is_Awesome}

Chalkboard

CTFlearn{I_Like_Math_x_y}
CTFlearn{I_Like_Math_2_5}

Pho Is Tasty!

strings and binwalk got nowhere, and stegsolve made no progress either.
So I looked at the raw hex directly in WinHex, hmm.

The hidden message seems to have been spread out with each letter separated from the next, which is why strings did not recognise it.

CTFlearn{I_Love_Pho!!!}

Adoni Assembler Chall

A simple assembly problem.

    ; This is a comment
    ; CTFlearn Assembly Programming Challenge "Adoni" by kcbowhunter
    section .data
    welcome db "Hello CTFlearn Adoni Assembler Challenge!",0x0a
    noflag db "Sorry no flag for you :-(",0x0a
    adoni db 67, 84, 70, 108, 101, 97, 114, 110, 123, 75, 117, 114, 110, 48, 48, 108, 95, 68, 105, 115, 116, 114, 105, 99, 116, 125, 0x0a
    congrats db 67, 111, 110, 103, 114, 97, 116, 115, 44, 32, 121, 111, 117, 32, 102, 111, 117, 110, 100, 32, 116, 104, 101, 32, 102, 108, 97, 103, 33, 0x0a
    section .text
    global _start
    _start:
    mov rax, 1      ; sys_write system call
    mov rdi, 1      ; stdout (write to screen)
    mov rsi, welcome   ; memory location of string to write
    mov rdx, 42     ; number of characters in string to write
    syscall
    mov rax, 1      ; sys_write system call
    mov rdi, 1      ; stdout
    mov rsi, noflag ; memory location of string to write
    mov rdx, 26     ; number of characters in string to write
    syscall
    mov rax, 60     ; exit system call
    mov rdi, 0
    syscall
    ;   this is the assembly code to print the flag
    _printflag:
    mov rax, 1      ; sys_write system call
    mov rdi, 1
    mov rsi, congrats
    mov rdx, 30
    syscall
    mov rax, 1      ; sys_write system call
    mov rdi, 1
    mov rsi, adoni
    mov rdx, 27
    syscall
    mov rax, 60     ; exit system call
    mov rdi, 0
    syscall

It just prints adoni (the flag), so go straight to a script:

    # byte values copied from the "adoni" data definition above
    F = [67, 84, 70, 108, 101, 97, 114, 110, 123, 75, 117, 114, 110, 48, 48, 108, 95, 68, 105, 115, 116, 114, 105, 99, 116, 125, 0x0a]
    flag = ''
    for i in range(len(F)):
        flag += chr(F[i])   # each byte is one ASCII character of the flag
    print(flag)

CTFlearn{Kurn00l_District}

AndhraPradesh Assembler Chall

Level two, which brings in the conditional jump instructions.

    ; Andrha Pradesh Assembler Challenge for CTFLearn
    ; This challenge focuses on cmp, je and jne
    section .data
    welcome db "Hello CTFlearn Andhra Pradesh Assembler Challenge!",0x0a,0x00
    noflag db "Sorry no flag for you :-(",0x0a,0x00
    alldone db "All Done!",0x0a,0x00
    baddata db "Baad Data!",0x0a,0x00
    congrats db "Congrats!! You found the flag!!", 0x0a, 0x00
    data    dw 0xbb35,0xbb4c,0xbb3a,0xbb54,0xbb5b,0xbb57,0xbb66,0xbb52,0xbb5d,0xbb30,\
            0xbb5f,0xbb5c,0xbb5b,0xbb66,0xbb57,0xbb56,0xbb57,0xbb5c,0xbb41,0xbb4c,\
            0xbb5b,0xbb54,0xbb6b,0xbb59,0xbb6b,0xbb63
    ;   ###################################################################
    ;   Change the values of these five constants to solve the challenge
    con1 db 0x00  ; C syntax for hex constant
    con2 db 0x00  ;
    con3 db 0x00
    con4 db 00h    ; this form for hex constants is popular among assembly language programmers
    con5 db 00h
    ;   ####################################################################
    ;   Do not change any code below here
    section .bss
    buffer resb 32
    section .text
    global _start
    _start:
    xor r8, r8      ; init the exit status to 0
    mov rax, 1      ; sys_write system call
    mov rdi, 1      ; stdout (write to screen)
    mov rsi, welcome   ; memory location of string to write
    mov rdx, 51     ; number of characters in string to write
    syscall
    xor rax, rax    ; clear the rax register
    mov al, [con1]  ; move the value of con1 to the low byte of rax
    cmp al, 0xab
    je _test2
    mov r8, 1       ; exit status
    jmp _noflagforyou
    _test2:
    xor rax, rax
    mov al, [con2]
    cmp al, 0xcb
    jne _test3
    mov r8, 2       ; exit status
    jmp _noflagforyou
    _test3:
    mov r8, 3       ; exit status
    xor rax, rax
    mov al, [con3]
    cmp al, 0x20
    ja  _noflagforyou
    mov r8, 4       ; exit status
    xor rax, rax
    mov al, [con3]
    cmp al, 20h
    jb _noflagforyou
    _test4:
    ; https://en.wikibooks.org/wiki/X86_Assembly/X86_Architecture
    mov r8, 5h      ; exit status
    xor rax, rax
    mov al, [con4]
    mov ah, [con5]
    cmp ax, 0baadh
    jne _noflagforyou
    mov r8, 6h      ; exit status
    _checkflag:
    xor rdx, rdx    ; clear the rdx register
    xor rcx, rcx    ; init the rcx counter to zero
    xor rbx, rbx    ; clear the rbx register
    mov bl, BYTE [con1]
    add bl, BYTE [con3]
    mov dl, BYTE [con4]
    mov dh, BYTE [con5]
    _Loop1:
    xor rax, rax
    mov ax, WORD [data+rcx*2]
    sub ax, dx
    xor rax, rbx
    cmp rax, 32
    jb _baddata
    cmp rax, 126
    ja _baddata
    mov [buffer+rcx], BYTE al
    inc rcx
    cmp rcx, 26
    jb _Loop1
    mov [buffer+rcx], BYTE 0x0a
    _printcongrats:
    mov rax, 1      ; sys_write system call
    mov rdi, 1      ; stdout
    mov rsi, congrats ; memory location of string to write
    mov rdx, 32     ; number of characters in string to write
    syscall
    _printflag:
    mov rax, 1      ; sys_write system call
    mov rdi, 1      ; stdout
    mov rsi, buffer ; memory location of string to write
    mov rdx, 27     ; number of characters in string to write
    syscall
    mov r8, 0h      ; exit status
    jmp _alldone
    _baddata:
    mov rax, 1      ; sys_write system call
    mov rdi, 1      ; stdout
    mov rsi, baddata ; memory location of string to write
    mov rdx, 11     ; number of characters in string to write
    syscall
    jmp _alldone
    _noflagforyou:
    mov rax, 1      ; sys_write system call
    mov rdi, 1      ; stdout
    mov rsi, noflag ; memory location of string to write
    mov rdx, 26     ; number of characters in string to write
    syscall
    _alldone:
    mov rax, 1      ; sys_write system call
    mov rdi, 1      ; stdout
    mov rsi, alldone ; memory location of string to write
    mov rdx, 10     ; number of characters in string to write
    syscall
    _byebye:
    mov rax, 60     ; exit system call
    mov rdi, r8     ; return code saved in register r8
    syscall

The task is to change

    con1 db 0x00  ; C syntax for hex constant
    con2 db 0x00  ;
    con3 db 0x00
    con4 db 00h    ; this form for hex constants is popular among assembly language programmers
    con5 db 00h

these five constants so that the program passes the checks at _start, _test2, _test3 and _test4:

    con1 db 0xab  ; C syntax for hex constant
    con2 db 0xcc  ;
    con3 db 0x20
    con4 db adh    ; this form for hex constants is popular among assembly language programmers
    con5 db bah

The constants changed according to those conditions are shown above; drop the file into Kali, assemble and run it, and the flag comes out.
First give the sh script execute permission: sudo chmod +x clnasm.sh
One error came up here: a hex number written with a trailing h must be prefixed with a 0, otherwise the assembler cannot tell whether something like abh is an identifier or a hex number, so it has to be 0abh.
The correct modification is therefore

    con1 db 0xab  ; C syntax for hex constant
    con2 db 0xcc  ;
    con3 db 0x20
    con4 db 0adh    ; this form for hex constants is popular among assembly language programmers
    con5 db 0bah

Assemble and run it, and you get the flag:

CTFlearn{Hyderabad_Telugu}
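As an added example (not part of this writeup or the challenge), here is a Python re-implementation of the listing's four constant tests and its _checkflag/_Loop1 decode, so the flag can be computed without assembling anything and a wrong constant is reported with the exit status the assembly would leave in r8. The function names check_constants and decode_flag are my own; the data words and comparison values are copied from the assembly above.

```python
# Added example: emulate the Andhra Pradesh challenge's checks and decode loop in Python.
# DATA is the "data dw ..." table from the listing above (26 words, one per flag byte).
DATA = [0xbb35, 0xbb4c, 0xbb3a, 0xbb54, 0xbb5b, 0xbb57, 0xbb66, 0xbb52, 0xbb5d, 0xbb30,
        0xbb5f, 0xbb5c, 0xbb5b, 0xbb66, 0xbb57, 0xbb56, 0xbb57, 0xbb5c, 0xbb41, 0xbb4c,
        0xbb5b, 0xbb54, 0xbb6b, 0xbb59, 0xbb6b, 0xbb63]


def check_constants(con1, con2, con3, con4, con5):
    """Mirror _start/_test2/_test3/_test4. Returns 0 when every test passes,
    otherwise the exit status r8 holds when the failing test jumps to _noflagforyou."""
    if con1 != 0xab:                   # cmp al, 0xab / je _test2
        return 1
    if con2 == 0xcb:                   # cmp al, 0xcb / jne _test3 (equality is the failure)
        return 2
    if con3 > 0x20:                    # cmp al, 0x20 / ja _noflagforyou
        return 3
    if con3 < 0x20:                    # cmp al, 20h  / jb _noflagforyou
        return 4
    if ((con5 << 8) | con4) != 0xbaad:  # ah:al = con5:con4, cmp ax, 0baadh
        return 5
    return 0


def decode_flag(con1, con2, con3, con4, con5):
    """Mirror _checkflag/_Loop1: subtract dx from each data word, xor with bl,
    and require printable ASCII (32..126) exactly as the loop does."""
    status = check_constants(con1, con2, con3, con4, con5)
    if status:
        raise ValueError("Sorry no flag for you :-( (exit status %d)" % status)
    bl = (con1 + con3) & 0xff            # mov bl, [con1] / add bl, [con3]
    dx = (con5 << 8) | con4              # mov dl, [con4] / mov dh, [con5]
    out = []
    for word in DATA:
        al = ((word - dx) & 0xffff) ^ bl  # sub ax, dx / xor rax, rbx (upper rax stays 0)
        if al < 32 or al > 126:           # jb _baddata / ja _baddata
            raise ValueError("Baad Data!")
        out.append(chr(al))
    return "".join(out)


if __name__ == "__main__":
    # the corrected constants from the writeup: 0xab, 0xcc, 0x20, 0adh, 0bah
    print(decode_flag(0xab, 0xcc, 0x20, 0xad, 0xba))
```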

Bangalore Assembler Chall

The rough idea is to manually balance the stack and preserve the register state so that the program flow is correct, then run it to get the flag.
But... I haven't analysed it clearly yet, so I'll plant a placeholder flag here for now and come back to collect it later.
