ISCC 2018 Reverse WriteUp
2024-05-05 10:07:01
1.RSA256 [分值:100]
问题描述:
RSA
题目已说明是RSA算法。
附件中共有四个文件。
3个加密后的信息,一个公钥,公钥内容如下:
-----BEGIN PUBLIC KEY-----
MDwwDQYJKoZIhvcNAQEBBQADKwAwKAIhANmelSKWptlg38JQSrpUW5RC1gp7npMK
/0UceOxV1VXrAgMBAAE=
-----END PUBLIC KEY-----结果搜索,确定公钥应该是PKCS#8格式。
https://blog.csdn.net/yue7603835/article/details/72575262
Public Key file (PKCS#8)
Because RSA is not used exclusively inside X509 and SSL/TLS, a more generic key format is available in the form of PKCS#8, that identifies the type of public key and contains the relevant data.It starts and ends with the tags:-----BEGIN PUBLIC KEY-----
BASE64 ENCODED DATA
-----END PUBLIC KEY-----
Within the base64 encoded data the following DER structure is present:PublicKeyInfo ::= SEQUENCE {algorithm AlgorithmIdentifier,PublicKey BIT STRING
}AlgorithmIdentifier ::= SEQUENCE {algorithm OBJECT IDENTIFIER,parameters ANY DEFINED BY algorithm OPTIONAL
}
So for an RSA public key, the OID is 1.2.840.113549.1.1.1 and there is a RSAPublicKey as the PublicKey key data bitstring.RSAPublicKey ::= SEQUENCE {modulus INTEGER, -- npublicExponent INTEGER -- e
}key的格式是ASN.1 在线解析网站http://lapo.it/asn1js/
获取到数据如下:(10进制)
N=98432079271513130981267919056149161631892822707167177858831841699521774310891
E=65537
要想解密数据需要私钥D,要计算私钥D,则需要分解N,得到素数P,Q。
很幸运的是这个N已经被分解过,在网站之耳机可以查询:
http://factordb.com/index.php?query=98432079271513130981267919056149161631892822707167177858831841699521774310891
分解之后:
P=302825536744096741518546212761194311477
Q=325045504186436346209877301320131277983
接着用工具计算出D,输入P,Q点击Calc.D 立即就能出结果。
当然也可以用此工具分解N,但是速度有点慢。
知道了以上信息就可以解密了。
网上找了一段python代码:
https://my.oschina.net/KFeC5dSwgN1q/blog/1623311
def __multi(array, bin_array):result = 1for index in range(len(array)):a = array[index]if not int(bin_array[index]):continueresult *= areturn resultdef exp_mode(base, exponent, n):bin_array = bin(exponent)[2:][::-1]r = len(bin_array)base_array = []pre_base = basebase_array.append(pre_base)for _ in range(r - 1):next_base = (pre_base * pre_base) % n base_array.append(next_base)pre_base = next_basea_w_b = __multi(base_array, bin_array)return a_w_b % n# 加密 m是被加密的信息 加密成为c
def encrypt(m, n,e): c = exp_mode(m, e, n)return c# 解密 c是密文,解密为明文m
def decrypt(c, n,d): m = exp_mode(c, d, n)return m解密:
P=0xE3D213B0A3C9551F9FB1EB8D7C3DAF35
Q=0xF4897CAABA80236BDC1B59385C4BF49F
N=0xD99E952296A6D960DFC2504ABA545B9442D60A7B9E930AFF451C78EC55D555EB
D=0x04547B732CBC3527104CB57C4728D6899B44C4994FAE2713D6B594BC0F522A41
E=0x10001//x1 x2 x3 分别对应encrypted.message1,2,3 大端序
x1=0x0B39CC1B6127D3BBED2BC045148C911D467985A94B147EDE80750F95A360D47A
x2=0x9AFB1CDC1986D3BB53A3425B396C83618EFAAA81C14C965C813415E5C54FCE4B
x3=0x0F04B3B67EF230F80BB518D26DED38AF84B6C8D87BA80C09EBF1D865123082FA//x1 x2 x3 分别对应encrypted.message1,2,3 小端序
x11=0x7ad460a3950f7580de7e144ba98579461d918c1445c02bedbbd327611bcc390b
x12=0x4BCE4FC5E51534815C964CC181AAFA8E61836C395B42A353BBD38619DC1CFB9A
x13=0xfa82301265d8f1eb090ca87bd8c8b684af38ed6dd218b50bf830f27eb6b3040fnum1=decrypt(x1,N,D)
num2=decrypt(x2,N,D)
num3=decrypt(x3,N,D)print hex(num1)
print hex(num2)
print hex(num3)
这里num1,2,3就是解出来之后的明文,这里有个坑,密文32字节,解出来也应该是32字节,但是数字的话,最高位为0可以省略。
hex(num1) 值为0x25a8007e9ad2809abbf5a00666c61677b33623664333830362d346232620aL,补上几个0
00025a8007e9ad2809abbf5a00666c61677b33623664333830362d346232620a
16进制数据转字符。
如此,三个解完整就可以得到key.
2.My math is bad [分值:150]
问题描述:
I think the math problem is too difficult for me.
flag:flag{XXXX}程序是一个ELF程序,x64的,用IDA打开:
判断逻辑很明显:
_int64 __fastcall main(__int64 a1, char **a2, char **a3)
{puts("=======================================");puts("= Welcome to the flag access machine! =");puts("= Input the password to login ... =");puts("=======================================");__isoc99_scanf("%s", s);if ( (unsigned int)sub_400766() ){puts("Congratulations! You should get the flag...");sub_400B16();}else{puts("Wrong password!");}return 0LL;
}主要验证函数:
sub_400766signed __int64 sub_400766()
{signed __int64 result; // rax__int64 v1_22; // ST40_8__int64 v2_39; // ST48_8__int64 x1; // [rsp+20h] [rbp-60h]__int64 x2; // [rsp+28h] [rbp-58h]__int64 x3; // [rsp+30h] [rbp-50h]__int64 x4; // [rsp+38h] [rbp-48h]__int64 v7_45; // [rsp+50h] [rbp-30h]__int64 v8_45; // [rsp+58h] [rbp-28h]__int64 v9_35; // [rsp+60h] [rbp-20h]__int64 v10_41; // [rsp+68h] [rbp-18h]__int64 v11_13; // [rsp+70h] [rbp-10h]__int64 v12_36; // [rsp+78h] [rbp-8h]if ( strlen(s) != 32 )// A1 A2 A3 A4 A5 A6 A7 A8return 0LL;x1 = *(signed int *)&s[16];x2 = *(signed int *)&s[20];x3 = *(signed int *)&s[24];x4 = *(signed int *)&s[28];if ( *(signed int *)&s[4] * (signed __int64)*(signed int *)s- *(signed int *)&s[12] * (signed __int64)*(signed int *)&s[8] != 0x24CDF2E7C953DA56LL )goto LABEL_15;if ( 3LL * *(signed int *)&s[8] + 4LL * *(signed int *)&s[12] - *(signed int *)&s[4] - 2LL * *(signed int *)s != 0x17B85F06 )goto LABEL_15;if ( 3 * *(signed int *)s * (signed __int64)*(signed int *)&s[12]- *(signed int *)&s[8] * (signed __int64)*(signed int *)&s[4] != 0x2E6E497E6415CF3ELL )goto LABEL_15;if ( 27LL * *(signed int *)&s[4] + *(signed int *)s - 11LL * *(signed int *)&s[12] - *(signed int *)&s[8] != 0x95AE13337LL )goto LABEL_15;// s=A1// s[4]=A2// S[8]=A3// S[12]=A4// A1*A2-A4*A3=0x24CDF2E7C953DA56LL// 3*A3+4*A4-A2-2*A1=0x// 3*A1*A4-A3*A2=// 27*A2+A1-11*A4-a3=srand(*(_DWORD *)&s[8] ^ *(_DWORD *)&s[4] ^ *(_DWORD *)s ^ *(_DWORD *)&s[12]);v1_22 = rand() % 50;v2_39 = rand() % 50;v7_45 = rand() % 50;v8_45 = rand() % 50;v9_35 = rand() % 50;v10_41 = rand() % 50;v11_13 = rand() % 50;// 0x16 0x27 0x2d 0x2d 0x23 0x29 0xd 0x24// 22 39 45 45 35 41 13 36v12_36 = rand() % 50;if ( x4 * v2_39 + x1 * v1_22 - x2 - x3 != 61799700179LL|| x4 + x1 + x3 * v8_45 - x2 * v7_45 != 48753725643LL|| x1 * v9_35 + x2 * v10_41 - x3 - x4 != 59322698861LL|| x3 * v12_36 + x1 - x2 - x4 * v11_13 != 51664230587LL ){
LABEL_15:result = 0LL;}else{result = 1LL;}return result;
}简单的说就是输入一个32个字符组成的字符串,会分割成8个int型的值,分别记为x1-x8
首先前4个值x1-x4满足方程:
x1*x2-x3*x4-2652042832920173142=0
3*x3+4*x4-x2-2*x1-397958918=0
3*x1*x4-x3*x2-3345692380376715070=0
27*x2+x1-11*x4-x3-40179413815=0
解方程使用scypi:
from scipy.optimize import fsolve
import structdef func(x):x1,x2,x3,x4 = x.tolist()return [(x2*x1)-(x4*x3)-0x24CDF2E7C953DA56,3*x3+4*x4-x2-2*x1-0x17B85F06,(3*x1*x4)-(x3*x2)-0x2E6E497E6415CF3E,27*x2+x1-11*x4-x3-0x95AE13337]
initial_x = [0x88880000,0x8888ffff,0x8888ffff,0x8888ffff]
result = fsolve(func, initial_x)strxx=""
print resultx1,x2,x3,x4 = result.tolist()
print x1*x2-x3*x4-2652042832920173142
print 3*x3+4*x4-x2-2*x1-397958918
print 3*x1*x4-x3*x2-3345692380376715070
print 27*x2+x1-11*x4-x3-40179413815
for x in result:print hex(x),x,int(x)strxx+=struct.pack("I",int(x)&0xffffffff)print strxx上边的代码有一些问题,似乎是受到初始值的影响,计算出来的值的最后一个字节是错的,错的,....
找到bug了,python float转int 有问题。
比如:811816014.0 转int 会变成 811816013
后边四个值要满足方程:
v1=0x0000000007779C28%50
v2=0x000000002E27FDB5%50
v7=0x00000000528857D7%50
v8=0x000000000941FAD3%50
v9=0x00000000129422D7%50
v10=0x00000000724E98F7%50
v11=0x00000000263FD923%50
v12=0x0000000052AB8CB2%50
print hex(v1),hex(v2),hex(v7),hex(v8),hex(v9),hex(v10),hex(v11),hex(v12)
print (v1),(v2),(v7),(v8),(v9),(v10),(v11),(v12)
def func(x):x1,x2,x3,x4 = x.tolist()return [x4 * v2 + x1 * v1 - x2 - x3-0xE638C96D3,x4 + x1 + x3 * v8 - x2 * v7 -0xB59F2D0CB,x1 * v9 + x2 * v10 - x3 - x4- 0xDCFE88C6D,x3 * v12 + x1 - x2 - x4 * v11-0xC076D98BB ]
initial_x = [0xffffffff,0xffffffff,0xffffffff,0xffffffff]
result = fsolve(func, initial_x)
strxx=""
for x in result:print hex(x),x,int(x)strxx+=struct.pack("I",int(x)&0xffffffff)
print strxx
这个也有点问题,第一个值差了1,。。。。。。。
不知道为啥我的科学计算全是错的(科学计算没有错,是python float转int 与期望不太一样)。
这个网站所出来是对的。
http://www.yunsuanzi.com/cgi-bin/linear_system.py
算出来正确字符串输入即可得到答案。
贴一个完整脚本:
from scipy.optimize import fsolve
import structdef float2Int(fx):text=str(fx)n=text.find(".")return int(text[0:n])def func(x):x1,x2,x3,x4 = x.tolist()return [(x2*x1)-(x4*x3)-0x24CDF2E7C953DA56,3*x3+4*x4-x2-2*x1-0x17B85F06,(3*x1*x4)-(x3*x2)-0x2E6E497E6415CF3E,27*x2+x1-11*x4-x3-0x95AE13337]
initial_x = [0xffffffff,0x8888ffff,0x8888ffff,0x8888ffff]
result = fsolve(func, initial_x)
strxx=""
for x in result:#print hex(x),x,int(x)strxx+=struct.pack("I",float2Int(x))
print "first: ",strxxv1=0x0000000007779C28%50
v2=0x000000002E27FDB5%50
v7=0x00000000528857D7%50
v8=0x000000000941FAD3%50
v9=0x00000000129422D7%50
v10=0x00000000724E98F7%50
v11=0x00000000263FD923%50
v12=0x0000000052AB8CB2%50
def func(x):x1,x2,x3,x4 = x.tolist()return [x4 * v2 + x1 * v1 - x2 - x3-0xE638C96D3,x4 + x1 + x3 * v8 - x2 * v7 -0xB59F2D0CB,x1 * v9 + x2 * v10 - x3 - x4- 0xDCFE88C6D,x3 * v12 + x1 - x2 - x4 * v11-0xC076D98BB ]
initial_x = [0xffffffff,0xffffffff,0xffffffff,0xffffffff]
result = fsolve(func, initial_x)
strxx=""
for x in result:strxx+=struct.pack("I",float2Int(x))
print "second: ",strxx3.obfuscation and encode [分值:250]
题目描述:
You know what to do.
附件是一个x64的elf。
主函数:
int __cdecl main(int argc, const char **argv, const char **envp)
{signed __int64 v3; // raxchar s1; // [rsp+60h] [rbp-270h]char v6; // [rsp+160h] [rbp-170h]char s; // [rsp+260h] [rbp-70h]int v8; // [rsp+2CCh] [rbp-4h]v8 = 0;memset(&s, 0, 0x64uLL);printf("flag:", 0LL);__isoc99_scanf("%s", &s);memset(&v6, 0, 0xFFuLL);memset(&s1, 0, 0xFFuLL);if ( (unsigned int)fencode(&s, (__int64)&v6) ){v3 = strlen(&v6);encode((__int64)&v6, v3, (__int64)&s1);if ( !strcmp(&s1, (const char *)(unsigned int)"lUFBuT7hADvItXEGn7KgTEjqw8U5VQUq") )printf("correct");elseprintf("error");}else{printf("error", &v6);v8 = 0;}return v8;
}主要就是两个函数:
1.fencode --这个是一个矩阵的计算 (4元一次方程组)
代码有乱序膨胀主要代码也不多:
.text:000000000040065A mov rdi, [rbp+s] ; s
.text:000000000040065E call _strlen
.text:00000000004007E3 mov rdx, [rbp+var_8] ; len
.text:00000000004007E7 cmp rdx, 18h ; 注册码长度0x18//矩阵乘法
.text:0000000000400894 mov rax, offset m
.text:000000000040089E movsxd rcx, [rbp+var_2C]
.text:00000000004008A2 shl rcx, 4
.text:00000000004008A6 add rax, rcx
.text:00000000004008A9 movsxd rcx, [rbp+var_34_i]
.text:00000000004008AD mov edx, [rax+rcx*4]
.text:00000000004008B0 mov rax, [rbp+s]
.text:00000000004008B4 mov esi, [rbp+var_34_i]
.text:00000000004008B7 mov edi, [rbp+var_28]
.text:00000000004008BA shl edi, 2
.text:00000000004008BD add esi, edi
.text:00000000004008BF movsxd rcx, esi
.text:00000000004008C2 movsx esi, byte ptr [rax+rcx]
.text:00000000004008C6 imul edx, esi
.text:00000000004008C9 add edx, [rbp+var_30_sum]
.text:00000000004008CC mov [rbp+var_30_sum], edx//计算结果
.text:00000000004008F0 mov eax, 7Fh
.text:00000000004008F5 mov ecx, [rbp+var_30_sum]
.text:00000000004008F8 mov dl, cl
.text:00000000004008FA movsx ecx, dl
.text:00000000004008FD mov [rbp+var_80], eax
.text:0000000000400900 mov eax, ecx
.text:0000000000400902 cdq
.text:0000000000400903 mov ecx, [rbp+var_80]
.text:0000000000400906 idiv ecx
.text:0000000000400908 mov sil, dl
.text:000000000040090B mov rdi, [rbp+var_20]
.text:000000000040090F mov edx, [rbp+var_24_i]
.text:0000000000400912 mov r8d, edx
.text:0000000000400915 add r8d, 1
.text:0000000000400919 mov [rbp+var_24_i], r8d
.text:000000000040091D movsxd r9, edx
.text:0000000000400920 mov [rdi+r9], sil函数的主要功能类似以下C代码:
int m[][4]={{2,2,4,-5},{1,1,3,-3},{-1,-2,-3,4},{-1,0,-2,2}};char * pInput="flag{111111111111111111}"; //自己输入的unsigned char szOut[24]={0}; //这里边的内容会进入下边的运算for(int k=0;k<6;k++){for(int i=0;i<4;i++){char nSum=0;for(int j=0;j<4;j++){nSum+=*(pInput+k*4+j)*m[i][j];}szOut[k*4+i]=(nSum%0x7f);}}QString xxOut;for(int i=0;i<24;i++){xxOut+=QString("%1 ").arg(szOut[i],2,16,QLatin1Char( '0' ));}qDebug()<<xxOut;2.encode 是一个变形的base64_encode 算法,初始的字符表被改。
修改后的字符表:FeVYKw6a0lDIOsnZQ5EAf2MvjS1GUiLWPTtH4JqRgu3dbC8hrcNo9/mxzpXBky7+
所以要还原输入的flag
1.将字符串lUFBuT7hADvItXEGn7KgTEjqw8U5VQUq 进行base64解密
解密后内容为:
"25 c0 3b a6 1f af 4c a5 cb 8b a4 9b 3b e1 28 85 26 26 16 e7 11 09 07 26 "2.解方程:
四个字符一组,设为x1,x2,x3,x4
则有方程
(2*x1+2*x2+4*x3+(-5)*x4)&0xff %0x7f==25
(1*x1+1*x2+2*x3+(-3)*x4)&0xff %0x7f==c0
(-1*x1+(-2)*x2+(-3)*x3+(4)*x4)&0xff %0x7f==3b
(-1*x1+0*x2+(-2)*x3+(2)*x4)&0xff %0x7f==a6带取模运算的不好接。但是根据以往输入的数据计算结果显示:
348 221 -232 -109
276 189 -184 -85
397 264 -270 -143
245 146 -147 -97
161 105 -105 -56
-233 -130 206 103
第一个结果>第二个结果>(第三个结果>第四个结果),前两个多数为正数,后两个多为负数。
因此可将结果调整为:
25 c0 3b a6
1f af 4c a5
cb 8b a4 9b
3b e1 28 85
26 26 16 e7
11 09 07 26 293 192 -197 -90 {25->125 c0->c0 3b->ff3b ffffffffffffffa6}
287 175 -180 -91 {1f->11f ffffffffffffffaf->af 4C->ff4C ffffffffffffffa5}
203 139 -92 -101 {cb 8b ffa4 ff9b}
315 225 -216 -123 {3b->13b ffffffffffffffe1_>e1 28-->ff28 ffffffffffffff85}
38 38 22 -25 {26->26 26->26 16-->16 ffffffffffffffe7}
17 9 7 38 http://www.yunsuanzi.com/matrixcomputations/solvelinearsystems.html
在线解方程转字符即可得到答案。
4.leftleftrightright [分值:150]
题目描述:
leftleftrightright.....Aha, here is the flag!
附件是一个win32控制台程序,加有upx壳。
程序逻辑:
int main_401170()
{int v0; // edx@1int v1; // ebx@1int v2; // edi@1void **v3; // esi@1int v4; // ecx@1void **v5; // eax@2void **v6; // edx@3void *v7; // eax@5char *v8; // ecx@6unsigned int v9; // eax@8void *v10; // eax@16unsigned int v11; // eax@19unsigned int v12; // edi@26unsigned int v13; // eax@26const char *v14; // edx@30int v15; // eax@32int v16; // ecx@32unsigned int v17; // eax@36unsigned int v18; // ecx@38unsigned int v19; // eax@48unsigned int v20; // esi@50int v22; // [sp+10h] [bp-5Ch]@1void *Memory; // [sp+14h] [bp-58h]@5unsigned int v24; // [sp+28h] [bp-44h]@5void *v25; // [sp+2Ch] [bp-40h]@1int v26; // [sp+3Ch] [bp-30h]@1unsigned int v27; // [sp+40h] [bp-2Ch]@1void *Dst; // [sp+44h] [bp-28h]@1unsigned int v29; // [sp+54h] [bp-18h]@1unsigned int v30; // [sp+58h] [bp-14h]@1int v31; // [sp+68h] [bp-4h]@1v27 = 15;v26 = 0;LOBYTE(v25) = 0;v31 = 0;v30 = 15;v29 = 0;LOBYTE(Dst) = 0;LOBYTE(v31) = 1;input_401F60(std::cin, (int)&v25);v1 = v26;v2 = 0;v3 = (void **)v25;v4 = v26 - 1;v22 = v26 - 1;while ( v1 > 0 ){--v1;v5 = &v25;if ( v1 & 2 ){v6 = &Dst;if ( v27 >= 0x10 )v5 = v3;LOBYTE(v6) = *((_BYTE *)v5 + v4);v7 = (void *)string_xx_401AD0((int)&Memory, (int)v6, &Dst);string_xxx_401480(&Dst, v7);if ( v24 >= 0x10 ){v8 = (char *)Memory;if ( v24 + 1 >= 0x1000 ){if ( (unsigned __int8)Memory & 0x1F )goto LABEL_35;v9 = *((_DWORD *)Memory - 1);if ( v9 >= (unsigned int)Memory )goto LABEL_35;v8 = (char *)Memory - v9;// 长度 4-0x23if ( (char *)Memory - v9 < (char *)4 || (unsigned int)v8 > 0x23 )goto LABEL_35;v8 = (char *)*((_DWORD *)Memory - 1);}j_free(v8);}v4 = v22-- - 1;}else{if ( v27 >= 0x10 )v5 = v3;LOBYTE(v0) = *((_BYTE *)v5 + v2);v10 = (void *)string_xx_401AD0((int)&Memory, v0, &Dst);string_xxx_401480(&Dst, v10);if ( v24 >= 0x10 ){v8 = (char *)Memory;if ( v24 + 1 >= 0x1000 ){if ( (unsigned __int8)Memory & 0x1F )goto LABEL_35;v11 = *((_DWORD *)Memory - 1);if ( v11 >= (unsigned int)Memory )goto LABEL_35;v8 = (char *)Memory - v11;if ( (char *)Memory - v11 < (char *)4 || (unsigned int)v8 > 0x23 )goto LABEL_35;v8 = (char *)*((_DWORD *)Memory - 1);}j_free(v8);}v4 = v22;++v2;}}v12 = v29;v13 = 0x1D;if ( v29 < 0x1D )v13 = v29;if ( sub_401090(v13) || v12 < 0x1D || (v14 = "flag is right!", v12 > 0x1D) )v14 = "try again!";v15 = sub_401BF0(std::cout, v14);std::basic_ostream<char,std::char_traits<char>>::operator<<(v15, sub_401E30);system("pause");if ( v30 >= 0x10 ){v8 = (char *)Dst;if ( v30 + 1 >= 0x1000 ){if ( (unsigned __int8)Dst & 0x1F )
LABEL_35:invalid_parameter_noinfo_noreturn(v8);v17 = *((_DWORD *)v8 - 1);if ( v17 >= (unsigned int)v8 )v17 = invalid_parameter_noinfo_noreturn(v8);v18 = (unsigned int)&v8[-v17];if ( v18 < 4 )v17 = invalid_parameter_noinfo_noreturn(v18);if ( v18 > 0x23 )v17 = invalid_parameter_noinfo_noreturn(v18);v8 = (char *)v17;}j_free(v8);}v30 = 15;v29 = 0;LOBYTE(Dst) = 0;if ( v27 >= 0x10 ){if ( v27 + 1 >= 0x1000 ){if ( (unsigned __int8)v25 & 0x1F )invalid_parameter_noinfo_noreturn(v16);v19 = (unsigned int)*(v3 - 1);if ( v19 >= (unsigned int)v3 )v19 = invalid_parameter_noinfo_noreturn(v16);v20 = (unsigned int)v3 - v19;if ( v20 < 4 )v19 = invalid_parameter_noinfo_noreturn(v16);if ( v20 > 0x23 )v19 = invalid_parameter_noinfo_noreturn(v16);v3 = (void **)v19;}j_free(v3);}return 0;
}比较乱,也懒得看。
大致流程就是检查长度,然后打乱输入字符串,最后与字符串s_imsaplw_e_siishtnt{g_ialt}F比较,相等即成功。
既然给了最后的字符串,而且算法只是简单的移位的话,说明要输入的字符串长度必定与此字符串相等,由此可知字符串长度为29.
构造一个29位的字符串:0123456789abcdefghiklmnopqrst
在最后比较的地方查看移位后的字符串:edfgcbhia9kl87mn65op43qr21st0
有了这几个字符串,对照着还原即可:
str_end="s_imsaplw_e_siishtnt{g_ialt}F"str_in="0123456789abcdefghiklmnopqrst"
str_out="edfgcbhia9kl87mn65op43qr21st0"strxx=""
for x in str_in:index=str_out.find(x)strxx+=str_end[index]print strxxISCC 2018 Reverse WriteUp相关推荐
- ISCC 2018 PWN WriteUp
1.Login [分值:200]--年轻人的第一道PWN 漏洞位置: 漏洞见上图,BUF大小0x40 读取时读了0x280字节,这样可覆盖掉Menu函数的返回值. 此函数中存在一个可能执行system ...
- 强网杯2018 - nextrsa - Writeup
强网杯2018 - nextrsa - Writeup 原文地址:M4x@10.0.0.55 所有代码均已上传至我的github 俄罗斯套娃一样的rsa题目,基本把我见过的rsa套路出了一遍,值得记录 ...
- ISCC 2019 部分 Writeup
文章目录 ISCC 2019 Writeup Misc 1. 隐藏的信息(50) 2. 最危险的地方就是最安全的地方(100) 3. 解密成绩单(100) 4. Welcome(100) 5. 倒立屋 ...
- GXNNCTF 2018 We_ax WriteUp 第三届南宁市网络安全技术大赛
By:桂林电子科技大学We_ax战队 Web 超简单 分值:100 类型:WEB 已解决 题目:超简单的web题 http://gxnnctf.gxsosec.cn:12311/ 看到ereg函数, ...
- [BUGKU][CTF][Reverse][2020] Reverse writeup 1-7 暂时肝不动了
Reverse 入门逆向 步骤: ida main函数 按R Reverse signin 关键字: 知识点:Android逆向分析.(常用工具:安卓模拟器.JEB.Cyberchef.Android ...
- kss admin index.php,XCTF Final 2018 Web Writeup (Bestphp与PUBG详解)
WEB1--Bestphp 这道题提供index.php源码 index.php highlight_file(__FILE__); error_reporting(0); ini_set('open ...
- [护网杯 2018]easy_tornado WriteUp
打开环境发现有三个链接 分别点击 分别得到 flag.txt welcome.txt 以及hints.txt 看到网址后面有 file/filename= 等字样,以及出现的md5加密函数 初步猜测f ...
- 2019强网杯crypto writeup
本次write包含以下题目 copperstudy randomstudy 强网先锋-辅助 copperstudy 题目描述 nc 119.3.245.36 12345 连上去返回 [+]proof: ...
- 吉林大学计算机伦理学,王爱民-吉林大学计算机科学与技术学院
自2012年以来, 以第一作者或通讯作者在<IEEE Transactions on Antennas and Propagation>等国内外权威期刊及国际会议上发表了学术论文. 1.L ...
最新文章
- 基于EMQ X,打造AIoT物联网视频接入解决方案
- 如何使用Web Audio API听到“ Yanny”和“ Laurel”的声音
- unity, monoDevelop ide 代码提示不起作用的解决方法
- 肝了三天,万字长文教你玩转 tcpdump,从此抓包不用愁
- iOS自动化测试之Appium的安装和使用
- 用脑机接口去“搜索一下”,是种什么体验? | CCF C³-03@搜狗
- 死磕 java集合之ConcurrentSkipListMap源码分析——发现个bug
- freemarker 教程
- 《图解密码技术》分组密码(5) 输出反馈OFB模式
- python使用curses库获取控制台的键盘输入(如上下左右)
- 批处理延时启动的几个方法
- httpsrequest java_java如何通过https返回数据
- python tkinter 弹窗_tkinter主窗口和子窗口同时弹出该怎么办?
- 面试官 | Java中的注解是如何工作的?
- Office 365系列之十二:ActiveDirectory同步
- python 钉钉机器人发送图片_利用Python自动发送钉钉数据消息
- android 截屏 分享,Android应用内截图分享的实现记录
- 在WCF中使用消息队列MSMQ
- ios 持续获取定位 高德地图_高德地图API获取POI数据
- Eclipse调试:改变颜色, 背景与字体大小 和xml字体调整