看了两道题目,简单记录下
z3
首先看压缩包名字是Z3,猜测题目考察的是Z3解方程
载入IDA Pro发现果然如此
输入字符串,代入方程,如果解出来的42个字符与v47这个数组每一位一致,就输出“win”
97行下断点 动态调试 就可以拿到这个字符串

最终,脚本如下:
python
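#!/usr/bin/env python
# -*- coding:utf-8 -*-
# @Author :iqiqiya
# @Blog :iqiqiya.com
# @Time :2020/8/20
# @FileName :z3.py
#
# Solve the linear equations checked by the challenge binary and print the
# model, i.e. the character codes of the 42 unknown input characters.
#
# NOTE: if this script is saved as z3.py (the name in the header above),
# `from z3 import ...` imports the script itself instead of the z3 package.
# Save it under a different file name before running it.
from z3 import Int, Solver, Sum, sat

# Comparison constants in the order of the original variables v4 .. v45.
# Each row of seven belongs to one group of seven unknown characters.
TARGETS = [
    0x4F17, 0x9CF6, 0x8DDB, 0x8EA6, 0x6929, 0x9911, 0x40A2,
    0x2F3E, 0x62B6, 0x4B82, 0x486C, 0x4002, 0x52D7, 0x2DEF,
    0x28DC, 0x640D, 0x528F, 0x613B, 0x4781, 0x6B17, 0x3237,
    0x2A93, 0x615F, 0x50BE, 0x598E, 0x4656, 0x5B31, 0x313A,
    0x3010, 0x67FE, 0x4D5F, 0x58DB, 0x3799, 0x60A0, 0x2750,
    0x3759, 0x8953, 0x7122, 0x81F9, 0x5524, 0x8971, 0x3A1D,
]

# Every group of seven unknowns is checked with the same seven equations.
# Row r holds the coefficients of equation r, listed in variable order
# (first unknown of the group first). The last equation has no term for the
# fifth unknown, hence the 0.
COEFFS = [
    [12, 53, 6, 34, 58, 36, 1],
    [83, 85, 12, 73, 27, 96, 52],
    [78, 53, 24, 36, 86, 25, 46],
    [39, 78, 52, 9, 62, 37, 84],
    [23, 6, 14, 74, 48, 12, 83],
    [27, 85, 92, 42, 48, 15, 72],
    [4, 6, 3, 67, 0, 26, 68],
]

GROUP_SIZE = len(COEFFS)
FIRST_UNKNOWN = 46  # the unknowns keep their original names v46 .. v87

unknowns = [Int('v%d' % (FIRST_UNKNOWN + k)) for k in range(len(TARGETS))]

s = Solver()
for start in range(0, len(TARGETS), GROUP_SIZE):
    group = unknowns[start:start + GROUP_SIZE]
    group_targets = TARGETS[start:start + GROUP_SIZE]
    for row, target in zip(COEFFS, group_targets):
        s.add(target == Sum([coeff * var for coeff, var in zip(row, group)]))

# model() is only valid after a satisfiable check; fail with a clear message
# instead of a Z3 exception if a constant was copied incorrectly.
if s.check() != sat:
    raise SystemExit('constraints are not satisfiable; re-check the constants')

result = s.model()
# The model lists the variables in no particular order.
print(result)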
得到乱序的字符,按顺序输出就好
python
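#!/usr/bin/env python
# -*- coding:utf-8 -*-
# @Author :iqiqiya
# @Blog :iqiqiya.com
# @Time :2020/8/20
# @FileName :77.py
#
# Print the solved characters in variable order (v46 first, v87 last).

# Character codes copied from the solver output, keyed by the numeric suffix
# of the variable name. They are kept in the order the solver printed them,
# which is not the order of the characters in the string.
model = {
    84: 54, 65: 52, 63: 57, 74: 45, 47: 108, 62: 98, 81: 97,
    64: 45, 48: 97, 51: 55, 58: 51, 53: 49, 49: 103, 55: 49,
    57: 52, 67: 49, 54: 55, 70: 57, 69: 45, 56: 100, 86: 56,
    72: 48, 60: 54, 78: 52, 68: 56, 79: 99, 75: 54, 46: 102,
    77: 49, 76: 101, 50: 123, 61: 51, 71: 57, 82: 102, 83: 101,
    85: 52, 87: 125, 80: 50, 73: 101, 66: 101, 59: 45, 52: 101,
}

# Walk the variable numbers in ascending order so the characters come out in
# their original positions; a missing entry raises KeyError instead of
# silently producing a shorter string.
flag = ''.join(chr(model[index]) for index in range(46, 88))
print(flag)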
运行得到flag

diskdump
使用binwalk -e disk_dump分离得到0.ext文件
可以继续分离,也可以挂载到文件系统
mount 0.ext /mnt
进入目录 得到misc01文件夹,里面有三个文件

分析demo 得到加密算法

真实加密后的flag还是在diskdump中(ps:这里就比较脑洞了)
十六进制搜索加密后的特征44 2A 03

图片打开提示flag已经被删除了,后来发现其实这里也可以使用 **extundelete** 恢复出flag.txt
bash
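# Install extundelete, a recovery tool for deleted files on ext3/ext4.
apt-get install extundelete
# Restore every deleted file that can be found in the image. Run this on a
# working copy of disk_dump so the original image stays unmodified; the
# recovered files are written to ./RECOVERED_FILES.
extundelete disk_dump --restore-all
# The restored directory tree contains the misc01 folder with flag.txt.
cd RECOVERED_FILES/
cd misc01/
cat flag.txt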
编写脚本就可以得到flag,如下所示
python
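# Decrypt the flag bytes with the scheme used by this script: each byte is
# XORed with a running key, a small rolling offset is subtracted, and the
# result is reduced to one byte.

# Not used below. It shares its first five bytes with real_flag; presumably
# this is the ciphertext of the placeholder flag (confirm against the
# challenge files).
fake_flag = [0x44, 0x2A, 0x03, 0xE5, 0x29, 0xBC, 0x96, 0x7F, 0x55, 0x35, 0x1B,
             0xE1, 0xDD, 0xA4, 0x85, 0xA2, 0x1D, 0x0E, 0xEF, 0xD0, 0xA7, 0x6B]

# Ciphertext that is actually decrypted.
real_flag = [0x44, 0x2A, 0x03, 0xE5, 0x29, 0xA3, 0xAF, 0x62, 0x05, 0x31, 0x4E,
             0xF3, 0xD6, 0xEB, 0x90, 0x66, 0x24, 0x5C, 0xB7, 0x92, 0xF6, 0xD7,
             0x4D, 0x0B, 0x6A, 0x41, 0xA3, 0x85, 0xEF, 0x90, 0x5A, 0x7E, 0x5B,
             0xEC, 0xC1, 0xF0, 0xD4, 0x61, 0x12, 0x12, 0x45, 0xEB, 0xB8]

key = 0x22   # running XOR key (v4 in the original script); grows by 0x22 per byte
offset = 0   # rolling offset (i in the original script); steps by 2, wraps at 16
plain = []
for cipher_byte in real_flag:
    # The key is never truncated, so mask to one byte only after the subtraction.
    value = ((key ^ cipher_byte) - offset) & 0xff
    print(hex(value))
    plain.append(chr(value))
    key += 0x22
    offset = (offset + 2) & 0xF

# The last ciphertext byte decrypts to a newline, so the string ends with "\n".
flag = ''.join(plain)
print(flag)
#flag{e5d7c4ed-b8f6-4417-8317-b809fc26c047}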