2018领航杯线上WriteUp

BabyRe

s='66 6C 61 69 7B 57 61 78 6F 67 61 75 89  61 6E 7B 9D'.replace('  ',' ')
for i in range(len(s)):
     ...:     print chr((int(s[i],16)^i)-i),

Crack

$ ./wyvern_c85f1be480808a9da350faaa6104a19b
+-----------------------+
| Welcome Hero |
+-----------------------+
[!] Quest: there is a dragon prowling the domain.
brute strength and magic is our only hope. Test your skill.

Enter the dragon's secret:
For further analysis, I used PIN based tracer. First objective was to find the length. Supplying an input of 100 bytes, the CMP instruction was found using PIN

0x4046b6 : cmp rax, rcx
0x4046b6 : [0x64] [0x1c]
The length of key is 28 bytes. Now lets see if we could find the algorithm by tracking user input using PIN tool. Supplying input as BAAAAAAAAAAAAAAAAAAAAAAAAAAA, below instructions were found:
0x4017e8 : add ecx, dword ptr [rax]
0x4017e8 : [0x42] [0] := [0x42] -> input B

0x402a7f : cmp eax, ecx
0x402a7f : [0x64] [0x42] -> compared with 0x64
Now supplying input as dBAAAAAAAAAAAAAAAAAAAAAAAAAA

0x4017e8 : add ecx, dword ptr [rax]
0x4017e8 : [0x42] [0x64] := [0xa5] -> input A and 0x64 from previous operation

0x402a7f : cmp eax, ecx
0x402a7f : [0xd6] [0xa5]
So the algorithm reads each byte of user input, compares with a hard coded array, which is a sum input and previous result

0x00 + input[0] == 0x64
0x64 + input[1] == 0xd6
.....
Lets fetch the array using GDB by setting breakpoint at 0x402a7f, and compute the flag

import gdb

sum_array = [0]
def exit_handler(event):
 key = ''
 for i in range(len(sum_array)-1):
 key += chr(sum_array[i+1] - sum_array[i]) 
 print key

def callback_fetch_array():
 EAX = int(gdb.parse_and_eval("$eax"))
 sum_array.append(EAX)
 gdb.execute("set $ecx = $eax")

class HitBreakpoint(gdb.Breakpoint):
 def __init__(self, loc, callback):
 super(HitBreakpoint, self).__init__(
 loc, gdb.BP_BREAKPOINT, internal=False)
 self.callback = callback

 def stop(self):
 self.callback()
 return False

HitBreakpoint("*0x402a7f", callback_fetch_array)
gdb.events.exited.connect(exit_handler)

$ gdb -q ./wyvern_c85f1be480808a9da350faaa6104a19b

gdb-peda$ source re500.py
Breakpoint 1 at 0x402a7f

gdb-peda$ run
Enter the dragon's secret: AAAAAAAAAAAAAAAAAAAAAAAAAAAA

[+] A great success! Here is a flag{AAAAAAAAAAAAAAAAAAAAAAAAAAAA}
[Inferior 1 (process 33655) exited normally]
dr4g0n_or_p4tric1an_it5_LLVM
So the key is dr4g0n_or_p4tric1an_it5_LLVM

EasyCpp1

a='13 1B 37 5 0B 0 6 36 34 0E 14 1A 0 11 4 1A 12 0C 0'.split(' ')
 for i in range(1,17):
     ...:     for j in range(1,17):
     ...:         if (int(a[(i+3)%20],16)+j)%56==16 and (int(a[(i+2)%20],16)+j)%56==10 and (int(a[(i+1)%20],16)+j)%56==21 and (int(a[(i)%20],16)+j)%56==15:
     ...:             print i,j

EasyCpp2

a = [i/100.0 for i in range(100, 1000)]
for i in a:
    if (i*31)%56<=15.5 and (i*31)%56>=15:
        print i,

贝斯手

m='Nseky2SjMiUq9tf/BEIlaJxAwPT07V+pWX6LFgG3ZmOHK4Y8uQhRz1oDc5nCrdvb'
a='X4DPXQGP'
b='uWRtcMSt'
c='RyotcBR9'
d='FJk9uBot'
e='cWlP5alP'
f='RFRt1MRt'
g='=z3w'
s=a[::-1]+b[::-1]+c[::-1]+d[::-1]+e[::-1]+f[::-1]+g[::-1]
index=[]
print s
for i in range(len(s)):                                                                                                                                                                                   
    for j in range(len(m)):                                                                                                                                                                               
        if ord(s[i])==ord(m[j]):                                                                                                                                                                          
            index.append(j)  
l=''
for i in range(len(index)):                                                                                                                                                                                 
    l+=bin(int(index[i])).replace('0b','').rjust(6,'0') 
for i in range(0,len(l),8):
    print chr(int(l[i:i+8].ljust(8,'0'),2)),

System

用户名输入测试,会进行rot25后与真正用户名对比,密码这是反向对比

WireShark

Binwalk -e 提取数据包


数据包提取后明文攻击,(题目压缩包为2345好压,压缩软件不同算法也不同,所以制作明文压缩包也要用2345好压制作)

Xor

异或写个脚本跑一下得到flag

import base64

str=base64.b64decode('Nz0wNiplNGU1ZzJiYmMzZzc0Z2MwZ2IwNzRkZ2BmYDc1YmZjZCw=')

for n in range(30,126):
    flag=''
    for i in str:
        flag+= chr(ord(i)^n)
    if 'flag' in flag:
        print flag

妈妈的唠叨

mac下自动循环压缩最后得到flag.jpg,改后缀为zip发现有flag.txt

根据内容可猜测是词频分析,在线http://corpus.zhonghuayuwen.org/CpsTongji.aspx

得到flag

Uzi

打开是一张图片,window下查看其属性发现内容 uziliupi

将后缀名改为zip,发现要密码,输入刚刚获得的内容,打开后可猜测是词频分析

http://corpus.zhonghuayuwen.org/CpsTongji.aspx
得到flag

emmmmm


图片解压zip得pdf,修复pdf

找到源文件对比得到flag

dict_create

尝试密码xiaoming_65,xiaoming_22得到flag

Word?

首先将doc文件改成zip压缩包,发现里面又有一个doc,解压打开发现需要密码,在前一个doc中,通过显示隐藏文字发现密码


打开第二个doc文件,发现里面乱七八糟一片,全选保存到notepad++,发现有些蹊跷

将排版缩小,至最小,发现是一个二维码,扫码可得flag:

Jiami

之前遇到几个图片隐写与Stegsolve中的通道相关,分析Extract Preview,红黄蓝均选0(实在不太理解为什么一般都选0,见多了就先试试),拉至头部发现是个压缩包文件,

保存下来存为zip文件,得flag

Pyc

# -*- coding: utf-8 -*-
import random, base64
from hashlib import sha1

def crypt(data, key):
    """RC4 algorithm"""
    x = 0
    box = range(256)
    for i in range(256):
        x = (x + box[i] + ord(key[i % len(key)])) % 256
        box[i], box[x] = box[x], box[i]
    x = y = 0
    out = []
    for char in data:
        x = (x + 1) % 256
        y = (y + box[x]) % 256
        box[x], box[y] = box[y], box[x]
        out.append(chr(ord(char) ^ box[(box[x] + box[y]) % 256]))

    return ''.join(out)

def tencode(data, key, encode=base64.b64encode, salt_length=16):
    """RC4 encryption with random salt and final encoding"""
    salt = ''
    for n in range(salt_length):
        salt += chr(random.randrange(256))
    data = salt + crypt(data, sha1(key + salt).digest())
    if encode:
        data = encode(data)
    return data

def tdecode(data, key, decode=base64.b64decode, salt_length=16):
    """RC4 decryption of encoded data"""
    if decode:
        data = decode(data)
    salt = data[:salt_length]
    return crypt(data[salt_length:], sha1(str(key) + salt).digest())

encoded_data='nKgI13JDX8qpFyUcvsnZqyKxb8Zfv9jCnrWul2knc8ZzhlfDpPxZmA=='
for key in range(1000,9999):
    decoded_data = tdecode(data=encoded_data, key=key)
    if decoded_data[0]=='f':
        print decoded_data

奇怪的密码

Coo和boy分别是0和1,!代表数量,二进制解码得flag

chinese_dream

http://ctf.ssleye.com/cvencode.html

Where flag

检查是否调试:


nop即可

flag是什么


过分啊,按钮到处跑,不可能被点击到,只好干掉判断nop即可


错误一位休眠0x14s。。。浪费时间。。push 14h 和 call edi都给nop吧

Check1

长度限制22,


此处判断头部decode:

BB=[4294967245, 4294967237, 4294967253, 4294967248, 5240696, 
1995234256, 926298419, 4278203445, 3503670733, 9044154, 3916937913]

var_14='316754'
intE = 0
AA = [0,0,0,0]
c=0
A=[]
for i in BB:
    A.append(-signed(i, 32))
print(A)
AA[0] = chr(ord(var_14[0])+A[0]) 
AA[1] = chr(ord(var_14[1])+A[1])
AA[2] = chr(ord(var_14[2])+A[2])
AA[3] = chr(ord(var_14[3])+A[3])
print(''.join(AA)+strin[4:])

Check2

sub_191BB0里边太杂了,复杂之中还有递归函数,sub_191BB0转了python,但是递归函数sub_191D40@(char a1@

, int a2@, int a3)不好转,看不太懂,索性直接dump整个程序,模拟运行这个函数拿到返回值就好,在返回给sub_191BB0:转化要注意符号扩展

sub_191BB0如下def check(strin):
    ABC = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    abc = 'abcdefghijklmnopqrstuvwxyz'
    v15 = strin[5:-5]+'\x00'*10
    dword_1A91C0=["","","","","","","","","","","","","","","","","",""]
    print(v15)
    v4 = 0
    while 1:
        v5 = ord(v15[v4])
        if unsigned(v5-65,32) <= 0x19:
            v6 = len(ABC)
            v7 = v6/2
            v8 = ord(ABC[v6/2])
            if (v5 != v8):
                v9 = ord(v15[v4])
                if v5 <= v8:
                    if debug:
                        print("sub_191D40    1a")
                    v7 = sub_191D40(v9, 1, 0, v6 / 2)
                else:
                    if debug:
                        print("sub_191D40    1b")
                    v7 += sub_191D40(v9, 1, v7, v6 - v7)
            if debug:
                print('1',v4, hex(v7))
            dword_1A91C0[v4] = v7
            v4 += 1
            if v4 >= 12:
                return dword_1A91C0
            continue

        if unsigned(v5-97,32) > 0x19:
            if unsigned(v5-16,32) <= 0x29:
                v7=v5+152

                if debug:
                    print('2',v4, hex(v7))
                dword_1A91C0[v4] = v7
                v4 += 1
                if v4 >= 12:
                    return dword_1A91C0
                continue
            else:
                return dword_1A91C0

        v10 = len(abc)
        v11 = v10/2
        v12 = ord(abc[v10/2])
        if (v5 == v12):
            v7 = v11+100

            if debug:
                print('3', v4, hex(v7))
            dword_1A91C0[v4] = v7
            v4 += 1
            if v4 >= 12:
                return dword_1A91C0
            continue

        v13 = ord(v15[v4])
        if (v5 <= v12):
            if debug:
                print("sub_191D40    4")
            v11 = sub_191D40(v13, 0, 0, v10 / 2)
            v7 = v11+100

            if debug:
                print('4', v4, hex(v7))
            dword_1A91C0[v4] = v7
            v4 += 1
            if v4 >= 12:
                return dword_1A91C0
            continue

        if debug:
            print("sub_191D40    5")
        v7 = sub_191D40(v13, 0, v11, v10 - v11)+v11+100

        if debug:
            print('5', v4, hex(v7))
        dword_1A91C0[v4] = v7
        v4 += 1
        if v4 >= 12:
            return dword_1A91C0

一看是逐位加密,一对一关系,有模拟器直接爆破就好,模拟器虽然不好初始化,但还是坚持下来了,重要的是:
模拟函数环境很重要,不然递归到报错


401D40有四处调用,但是最哈选择这两处
这里start用了2个地址分别是
Index只需要给寄存器esi即可,不用加abcdef… table和ABCDEFG… table的字符串,方便点

附录脚本

# -*- encoding: utf-8 -*-
from __future__ import print_function
from capstone import *
from capstone.x86 import *
from unicorn import *
from unicorn.x86_const import *
import pickle
import sys,string

from ctypes import cdll

debug = 0

cs = Cs(CS_ARCH_X86, CS_MODE_64)
cs.detail = True
SYSTEM = 'Win'
library = None
libpath = None
ldpath = None
programpath = None
if 'Linux' in SYSTEM:
    library = cdll.LoadLibrary('libc.so.6')  # Load standard C library on Linux
    libpath = None
    ldpath = './ld.so.pkl'
    programpath = 'C:\\Users\\bibi\\Desktop\\my_list.pkl'
elif 'Mac' in SYSTEM:
    library = cdll.LoadLibrary('libc.dylib')  # Load standard C library on Mac
elif 'Win' in SYSTEM:
    library = cdll.msvcrt  # Load standard C library on Windows
    libpath = None
    ldpath = 'C:\\Users\\bibi\\Desktop\\ld.so.pkl'
    programpath = 'C:\\Users\\bibi\\Desktop\\my_list.pkl'

print(''' TMD WXC
                 /\\'.         _,.
                 |:\ \.     .'_/
            _.-  |(\\\\ \   .'_.'
        _.-'  ,__\\\\ \\\\_),/ _/
      _:.'  .:::::::.___  ,'
      //   ' ./::::::\<o\(
     //     /|::/   `"(   \\
    ;/_    / ::(       `.  `.
   /_'/   | ::::\        `.  \\
   '//    '\ :::':\_    _, ` _'-
   / |     '\.:/|::::.._ `-__ )/
   | |       \;| \:(    '.(_ \_)
   | |        \(  \::.    '-)
   \ \  ,          '""""---.
    \ \ \    ,        _.-...)
     \ \/\.  \:,___.-'..:::/
      \ |\\\\:,.\:::::'.::::/
       `  `:;::::'.::;::'
             \'"":;:""\'
''')

class segmentData():
    def __init__(self, name, segmentdata, assembly, startEA, endEA):
        self.name = name
        self.segmentdata = segmentdata
        self.assembly = assembly
        self.startEA = startEA
        self.endEA = endEA

# callback for tracing instructions
passaddr = [0x000000000400BA7, 0x000000000400C53,
            0x000000000400C6C, 0x000000000400744]
flag='afasfffffffffffffffffffff'
def hook_code(uc, address, size, user_data):
    if debug:
        print("0x%016x rax = 0x%016x size = %d code=   " % (address, size, uc.reg_read(UC_X86_REG_EAX)), end='')
    if 1:
        mem = uc.mem_read(address, size)
        for insn in cs.disasm(mem, size):
            if debug:
                print(": {:5s}\t{:s}\n".format(insn.mnemonic, insn.op_str), end='')
    if address in passaddr:
        rip = uc.reg_read(UC_X86_REG_RIP)
        uc.reg_write(UC_X86_REG_RIP, rip+size)
        if address ==0x000000000400C6C:
            rsi = uc.reg_read(UC_X86_REG_RSI)
            uc.mem_write(rsi, flag)
        if address == 0x000000000400744:
            rdi = uc.reg_read(UC_X86_REG_RDI)

            count = 0
            while 1:
                char = uc.mem_read(rdi+count, 1)[0]
                if char == 0:
                    print('')
                    break
                else:
                    print('%c' % char, end='')
                count += 1
            uc.reg_write(UC_X86_REG_RAX, count)
    # read this instruction code from memory
    '''
    tmp = uc.mem_read(address, size)
    for i in tmp:
        print(" %02x" % i, end="")

    '''
    if debug:
        print("")
def u32(ss):
    if len(ss) != 4:
        print('must 4 byte')
        sys.exit()
    sss = 0
    for i in range(4):
        sss = ss[3-i] | (sss << 8)
    return sss

def u64(ss):
    if len(ss) != 8:
        print('must 8 byte')
        sys.exit()
    sss = 0
    for i in range(8):
        sss = ss[7-i] | (sss << 8)
    return sss

def p32(number):
    ls = ''
    while number > 0:
        ls += chr(number & 0xff)
        number = number >> 8
    if len(ls) > 7:
        sys.exit()
    return ls.ljust(4, '\x00')
def p64(number):
    ls=''
    while number>0:
        ls+=chr(number&0xff)
        number=number>>8
    if len(ls)>8:
        sys.exit()
    return ls.ljust(8,'\x00')
def hook_syscall(mu, user_data):
    l_rax = mu.reg_read(UC_X86_REG_RAX)
    l_rdx = mu.reg_read(UC_X86_REG_RDX)
    l_rdi = mu.reg_read(UC_X86_REG_RDI)
    l_rsi = mu.reg_read(UC_X86_REG_RSI)
    print('rax=%d in syscall RDI=%s RDX=%s RSI=%s' %\
          (l_rax, hex(l_rdi), hex(l_rdx), hex(l_rsi)))
    if l_rax == 0x100:
        mu.reg_write(UC_X86_REG_RAX, 0x200)
    elif l_rax == 0x14:  # rdi:fd rdx:len rsi:vec   LINUX - sys_writev
        print(hex(l_rdi), hex(l_rdx), hex(l_rsi))
        s = ''
        for i in range(l_rdx):
            arg1 = u64(mu.mem_read(l_rsi+i*16, 8))
            arg2 = u64(mu.mem_read(l_rsi+i*16+8, 8))
            #print(hex(arg1), hex(arg2),end='     ')
            for i1 in mu.mem_read(arg1, arg2):
                s += chr(i1)
        print(s)
        mu.reg_write(UC_X86_REG_RAX, len(s))
    # rsi:filename   LINUX - asmlinkage long sys_chdir(const char __user * filename)
    elif l_rax == 0xC:
        count=0
        while 1:
            char = mu.mem_read(l_rsi+count, 1)[0]
            if char == 0:
                print('')
                break
            else:
                print('%c'%char,end='')
            count+=1
    elif l_rax == 0x00:  # fd rdi ,  buff  rsi ,edx n
        for count in range(l_rdx):
            char = mu.mem_read(l_rdi+count, 1)[0]
            mu.mem_write(l_rsi+count, chr(char))
            print(chr(char), end='')
        print('')
    else:
        print(user_data)

# callback for tracing basic blocks

def hook_block(uc, address, size, user_data):
    print(">>> Tracing basic block at 0x%x, block size = 0x%x" % (address, size))

# callback for tracing Linux interrupt
def hook_intr(uc, intno, user_data):
    # only handle Linux syscall
    if intno != 0x80:
        print("got interrupt %x ???" % intno)
        uc.emu_stop()
        return

    eax = uc.reg_read(UC_X86_REG_EAX)
    eip = uc.reg_read(UC_X86_REG_EIP)
    if eax == 1:    # sys_exit
        print(">>> 0x%x: interrupt 0x%x, EAX = 0x%x" % (eip, intno, eax))
        uc.emu_stop()
    elif eax == 4:    # sys_write
        # ECX = buffer address
        ecx = uc.reg_read(UC_X86_REG_ECX)
        # EDX = buffer size
        edx = uc.reg_read(UC_X86_REG_EDX)

        try:
            buf = uc.mem_read(ecx, edx)
            print(">>> 0x%x: interrupt 0x%x, SYS_WRITE. buffer = 0x%x, size = %u, content = "
                  % (eip, intno, ecx, edx), end="")
            for i in buf:
                print("%c" % i, end="")
            print("")
        except UcError as e:
            print(">>> 0x%x: interrupt 0x%x, SYS_WRITE. buffer = 0x%x, size = %u, content = <unknown>\n"
                  % (eip, intno, ecx, edx))
    else:
        print(">>> 0x%x: interrupt 0x%x, EAX = 0x%x" % (eip, intno, eax))

def hook_in(uc, port, size, user_data):
    eip = uc.reg_read(UC_X86_REG_EIP)
    print("--- reading from port 0x%x, size: %u, address: 0x%x" %
          (port, size, eip))
    if size == 1:
        # read 1 byte to AL
        return 0xf1
    if size == 2:
        # read 2 byte to AX
        return 0xf2
    if size == 4:
        # read 4 byte to EAX
        return 0xf4
    # we should never reach here
    return 0

# callback for OUT instruction
def hook_out(uc, port, size, value, user_data):
    eip = uc.reg_read(UC_X86_REG_EIP)
    print("--- writing to port 0x%x, size: %u, value: 0x%x, address: 0x%x" %
          (port, size, value, eip))

    # confirm that value is indeed the value of AL/AX/EAX
    v = 0
    if size == 1:
        # read 1 byte in AL
        v = uc.reg_read(UC_X86_REG_AL)
    if size == 2:
        # read 2 bytes in AX
        v = uc.reg_read(UC_X86_REG_AX)
    if size == 4:
        # read 4 bytes in EAX
        v = uc.reg_read(UC_X86_REG_EAX)

    print("--- register value = 0x%x" % v)

def test_x86(mode, data_segments, a1, index, value, kind):
    #print("Emulate x86 code")

    # Initialize emulator
    mu = Uc(UC_ARCH_X86, mode)

    # map 2MB memory for this emulation
    addr = []
    size_Q = 0x10000
    for segName in data_segments:
        seg = data_segments[segName]
        mapstart = seg.startEA & (0xffffffffffff0000 & 0xffffffff)
        need_size = seg.endEA-seg.startEA
        cu = 0
        for i in range(len(addr)):
            if addr[i][0] == mapstart:
                cu = 1
                plen = seg.startEA - mapstart+seg.startEA-seg.endEA
                plen2 = (size_Q - plen % size_Q) % size_Q + plen
                if addr[i][1] < plen:
                    addr[i] = [mapstart, plen2]
                break
        if cu == 0:
            addr.append([mapstart, (size_Q - need_size %
                                    size_Q) % size_Q + need_size])
    for i in addr:
        #print(hex(i[0]), hex(i[1]))
        mu.mem_map(i[0], i[1])
    argv_memaddr = 0x00009FFE51FF0000 & 0xffffffff
    for segName in data_segments:
        seg = data_segments[segName]
        #print(segName, '  startEA:', hex(seg.startEA), '  endEA:',hex(seg.endEA), '  len', hex(seg.endEA-seg.startEA))
        mu.mem_write(seg.startEA, seg.segmentdata.decode('hex'))
        if argv_memaddr < seg.endEA:
            need = argv_memaddr-seg.startEA+seg.endEA
            argv_memaddr = (size_Q - need % size_Q) % size_Q + need
    StartEsp = (0x00008FFE51FF0000 & 0xffffffff) + 0x2000
    #print('ddd',hex(StartEsp))
    mu.mem_map(0x00008FFE51FF0000 & 0xffffffff, 0xFF0000)
    mu.reg_write(UC_X86_REG_ESP, StartEsp)
    mu.reg_write(UC_X86_REG_EBP, StartEsp-0x100)
    count=1
    # strlen = 0
    # for ll in args:
    #     strlen+=(len(ll)+1)
    # if strlen:
    #     mu.mem_map(argv_memaddr, (size_Q - strlen % size_Q) % size_Q + strlen)
    # strlen=0
    # for argvalue in args:
    #     mu.mem_write(argv_memaddr+strlen, argvalue+'\x00')
    #     mu.mem_write(StartEsp+count*8, p64(argv_memaddr+strlen))
    #     count+=1
    #     strlen += (len(argvalue)+1)
    mu.mem_write(StartEsp, p32(value))
    mu.reg_write(UC_X86_REG_ESI, index)
    mu.reg_write(UC_X86_REG_DL, a1)
    #mu.mem_write(0x00000000040099F, X86_CODE64)

    mu.hook_add(UC_HOOK_INSN, hook_in, None, 1, 0, UC_X86_INS_IN)
    mu.hook_add(UC_HOOK_INSN, hook_out, None, 1, 0, UC_X86_INS_OUT)

    if debug:
        mu.hook_add(UC_HOOK_CODE, hook_code)
    mu.hook_add(UC_HOOK_INSN, hook_syscall, None, 1, 0, UC_X86_INS_SYSCALL)
    if kind==1:
        mu.emu_start(0x00191C71, 0x00191C7C)
    else:
        mu.emu_start(0x00191CCC, 0x00191CD7)
    return mu.reg_read(UC_X86_REG_EAX)
    #print(">>> Emulation done")

data_segments = None
ld_segments = None
try:
    pickle_file = open(programpath, 'rb')
    data_segments = pickle.load(pickle_file)
    pickle_file.close()
except:
    pass
try:
    pickle_file = open(ldpath, 'rb')
    ld_segments = pickle.load(pickle_file)
    pickle_file.close()
except:
    pass
if __name__ == '__main__':
    args =[]# ["./ld.so","--library-path", "./","./NoLeak"]
    '''
    if data_segments:
        test_x86(UC_MODE_64, args, ld_segments)
    '''

def unsigned(signed_number, si_size):
    base = pow(2, si_size)
    if signed_number < (-base/2):
        print('signed_number:  ', signed_number, ' : ', signed_number+base)
        return signed_number+base
    if signed_number < 0:
        return base+signed_number
    return signed_number

def movsx(nn, si_size):
    if nn < pow(2, si_size)/2:
        return nn
    t = nn
    le = 0
    while 1:
        le += 1
        t = t >> 8
        if t == 0:
            break
    return -1 << (le*8) | nn
def cc():
    what2 = 0xc0
    what = 1
    t = what2
    le = 0
    while 1:
        le += 1
        t = t >> 8
        if t == 0:
            break
    v7 = movsx(what2,8) ^ what
    print(hex(movsx(what2,8)), hex(v7))
    print(hex(unsigned(v7, 32)))
    if unsigned(v7, 32) >= 0:
        pass
    else:
        pass

    dword_1A91C0 = [0x66, 0x64, 0xC8, 0x68, 0x75,
                    0x75, 0x14, 0x0B, 0x68, 0x15, 0x68, 0x12]
    tmp = dword_1A91C0[6]
    dword_1A91C0[6] = dword_1A91C0[0]
    dword_1A91C0[0] = tmp

    tmp = dword_1A91C0[8]
    dword_1A91C0[8] = dword_1A91C0[3]
    dword_1A91C0[3] = tmp

    tmp = dword_1A91C0[5]
    dword_1A91C0[5] = dword_1A91C0[2]
    dword_1A91C0[2] = tmp

    tmp = dword_1A91C0[4]
    dword_1A91C0[4] = dword_1A91C0[11]
    dword_1A91C0[11] = tmp
    for i in dword_1A91C0:
        print(hex(i),end='  ')
    print('')
    return dword_1A91C0

def sub_191D40(a1, zimu, index, value):  # dl a1,index ecx,push
    # value = 0xD
    # index = 0
    # a1 = 0X62
    if debug:
        print(hex(a1), hex(index), hex(value))
    RE = test_x86(UC_MODE_32, data_segments, a1, index, value, zimu)
    if debug:
        print('ret:',hex(RE))
    return RE
def check(strin):
    ABC = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    abc = 'abcdefghijklmnopqrstuvwxyz'
    v15 = strin[5:-5]+'\x00'*10
    dword_1A91C0=["","","","","","","","","","","","","","","","","",""]
    print(v15)
    v4 = 0
    while 1:
        v5 = ord(v15[v4])
        if unsigned(v5-65,32) <= 0x19:
            v6 = len(ABC)
            v7 = v6/2
            v8 = ord(ABC[v6/2])
            if (v5 != v8):
                v9 = ord(v15[v4])
                if v5 <= v8:
                    if debug:
                        print("sub_191D40    1a")
                    v7 = sub_191D40(v9, 1, 0, v6 / 2)
                else:
                    if debug:
                        print("sub_191D40    1b")
                    v7 += sub_191D40(v9, 1, v7, v6 - v7)
            if debug:
                print('1',v4, hex(v7))
            dword_1A91C0[v4] = v7
            v4 += 1
            if v4 >= 12:
                return dword_1A91C0
            continue

        if unsigned(v5-97,32) > 0x19:
            if unsigned(v5-16,32) <= 0x29:
                v7=v5+152

                if debug:
                    print('2',v4, hex(v7))
                dword_1A91C0[v4] = v7
                v4 += 1
                if v4 >= 12:
                    return dword_1A91C0
                continue
            else:
                return dword_1A91C0

        v10 = len(abc)
        v11 = v10/2
        v12 = ord(abc[v10/2])
        if (v5 == v12):
            v7 = v11+100

            if debug:
                print('3', v4, hex(v7))
            dword_1A91C0[v4] = v7
            v4 += 1
            if v4 >= 12:
                return dword_1A91C0
            continue

        v13 = ord(v15[v4])
        if (v5 <= v12):
            if debug:
                print("sub_191D40    4")
            v11 = sub_191D40(v13, 0, 0, v10 / 2)
            v7 = v11+100

            if debug:
                print('4', v4, hex(v7))
            dword_1A91C0[v4] = v7
            v4 += 1
            if v4 >= 12:
                return dword_1A91C0
            continue

        if debug:
            print("sub_191D40    5")
        v7 = sub_191D40(v13, 0, v11, v10 - v11)+v11+100

        if debug:
            print('5', v4, hex(v7))
        dword_1A91C0[v4] = v7
        v4 += 1
        if v4 >= 12:
            return dword_1A91C0

#if data_segments:

# dword_1A91C0 = 
# print(dword_1A91C0)
strin = 'xxxx{XXXXXXXXXXXXxxxx}'
truelen = 5
tmpdword_1A91C0 = cc()
while 1:
    ddd=0
    try:
        for i1 in string.printable:
            strin = list(strin)
            strin[truelen] = i1
            strin = ''.join(strin)
            dwor=check(strin)
            #print(dword_1A91C0)
            # print(tmpdword_1A91C0)
            print(dwor)
            print(dwor[truelen-5], tmpdword_1A91C0[truelen-5])
            if dwor[truelen-5] - long(tmpdword_1A91C0[truelen-5]) == 0:
                print(i1, end='  ')
                truelen+=1
                break
    except:
        break
def signed(unsigned_number, un_size):
    base = pow(2, un_size-1)
    if unsigned_number >= base*2:
        print('unsigned_number:  ', unsigned_number,
              '  溢出 : ', unsigned_number-base*2)
        return unsigned_number-base*2
    if unsigned_number > base:
        return unsigned_number-base*2
    return unsigned_number

print(chr(0x33 ^ 1))
print(chr(0x30 ^ 1))
print(chr(0x31 ^ 1))
print(chr(0x36 ^ 1))
BB=[4294967245, 4294967237, 4294967253, 4294967248, 5240696, 1995234256, 926298419, 4278203445, 3503670733, 9044154, 3916937913]

var_14='316754'
intE = 0
AA = [0,0,0,0]
c=0
A=[]
for i in BB:
    A.append(-signed(i, 32))
print(A)
AA[0] = chr(ord(var_14[0])+A[0]) 
AA[1] = chr(ord(var_14[1])+A[1])
AA[2] = chr(ord(var_14[2])+A[2])
AA[3] = chr(ord(var_14[3])+A[3])
print(''.join(AA)+strin[4:])
dfk=[]
for i1 in range(0xff):
    for i2 in range(0xff):
        edx = unsigned(movsx(i2, 8), 32) ^ i1
        if edx==2:
            dfk.append([i2, i1])
print(dfk)
for f in dfk:
        #edx = unsigned(movsx(i, 8), 32) ^ f
        edx = unsigned(movsx(f[0], 8), 32) ^ f[1]

        print(f,hex(i), hex(unsigned(movsx(i, 8), 32)), hex(edx))
        for i1 in string.printable:
            for i2 in string.printable:
                for i3 in string.printable:
                    for i4 in string.printable:
                        if (edx ^ 0x33 == ord(i1)) and (edx ^ 0x30 == ord(i2)) and (edx ^ 0x31 == ord(i3)) and (edx ^ 0x36 == ord(i4)):
                            print(''.join(AA)+strin[4:],i1, i2, i3, i4,'}')
'flag{UareS0cLeVer1234}'
暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇