ACTF Individual Ability Certification Assessment Writeup

Warning
This article was last updated on 2023-02-01; its content may be out of date.

misc

mahjoong

Just turn on auto-play and leave it running.

Winning the match gives the flag:

ACTF{y@kumAn_1s_incredl3le}

emoji

Decode the emoji with base100.

This gives a string of 0s and 1s.

Convert it to hex:

4e696e3649355f6353316d

Then convert the hex to a string:

Nin6I5_cS1m

Reverse it and wrap it in ACTF{}:

ACTF{m1Sc_5I6niN}

web

babyshiro

Shiro deserialization vulnerability leading to command execution.

An existing tool handles it directly:

https://github.com/j1anFen/shiro_attack


re

crackme

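Decompile with IDA.

The input is first stored into memory in groups of 8. Intel is little-endian, so the bytes need to be reversed back.

In the next function we see 0xC6EF3720, which identifies the TEA algorithm.

There are two segments of values, so this is judged to be the decryption function.

The program logic is to encrypt the input data in segments and then decrypt it, then compare the result with the data stored in the program.

So we first read the data as little-endian and then encrypt it.

The result is the flag.

Extract the array: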

# Bytes extracted from the binary, reversed to undo the little-endian layout
array1 = [0x77, 0x42, 0x6B, 0xD7, 0x5F, 0x82, 0xAE, 0x48, 0xA3, 0x64,
        0x24, 0xC0, 0x7D, 0x96, 0x04, 0x17, 0x14, 0x8D, 0x4C, 0xF4,
        0x6E, 0x9A, 0xF6, 0xE0, 0x31, 0x37, 0xA9, 0x33, 0xEE, 0xB5,
        0x2D, 0xE7][::-1]
a = 0
array2 = ""
temp = ""
# Join every 4 bytes into one 32-bit hex literal
for i in array1:
    a += 1
    temp += f"{i:02x}"  # zero-pad so 0x04 becomes "04" rather than "4"

    if a % 4 == 0:
        array2 += "0x" + temp + ", "
        temp = ""
# print(array2)
array2 = [0xe72db5ee, 0x33a93731, 0xe0f69a6e, 0xf44c8d14, 0x1704967d, 0xc02464a3, 0x48ae825f, 0xd76b4277]
# Print the dwords in reverse order to restore the original block order
for i in range(8):
    print(hex(array2[7-i]), end=', ')
array2 = [0xd76b4277, 0x48ae825f, 0xc02464a3, 0x1704967d, 0xf44c8d14, 0xe0f69a6e, 0x33a93731, 0xe72db5ee]

The key is four groups of AAAAAAAA.

TEA encryption, processed block by block:

import binascii
from ctypes import c_uint32

# TEA encryption function
def encrypt(v, k):
    v0 = c_uint32(v[0])
    v1 = c_uint32(v[1])
    sum1 = c_uint32(0)
    delta = 0x9e3779b9
    for i in range(32):
        sum1.value += delta
        v0.value += ((v1.value << 4) + k[0]) ^ (v1.value + sum1.value) ^ ((v1.value >> 5) + k[1])
        v1.value += ((v0.value << 4) + k[2]) ^ (v0.value + sum1.value) ^ ((v0.value >> 5) + k[3])
    # Zero-pad to 8 hex digits so unhexlify never receives an odd-length string
    return format(v0.value, '#010x'), format(v1.value, '#010x')

# Convert between big- and little-endian byte order
def big_small_end_convert(data):
    result = binascii.hexlify(binascii.unhexlify(data)[::-1])
    return result.decode()

# Convert a hex string to text
def hex_string(hexstr):
    flag = ""
    while len(hexstr):
        flag = flag + chr(int(hexstr[:2], 16) % 128)
        hexstr = hexstr[2:]
    return flag

# Main
if __name__ == '__main__':
    flag = ""
    a = [0xd76b4277, 0x48ae825f]
    k = [0xAAAAAAAA, 0xAAAAAAAA, 0xAAAAAAAA, 0xAAAAAAAA]

    res = encrypt(a, k)
    flag += big_small_end_convert(res[0][2::]) + big_small_end_convert(res[1][2::])
    a = [0xc02464a3, 0x1704967d]
    res = encrypt(a, k)
    flag += big_small_end_convert(res[0][2::]) + big_small_end_convert(res[1][2::])
    a = [0xf44c8d14, 0xe0f69a6e]
    res = encrypt(a, k)
    flag += big_small_end_convert(res[0][2::]) + big_small_end_convert(res[1][2::])
    a = [0x33a93731, 0xe72db5ee]
    res = encrypt(a, k)
    flag += big_small_end_convert(res[0][2::]) + big_small_end_convert(res[1][2::])

    print(hex_string(flag))

ACTF{th1s_i5_s0_E4sy_r1gHt???!!}
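
The crackme steps above (little-endian dword reads, the 0xC6EF3720 marker, the key of four 0xAAAAAAAA words) as an added example that is not part of the original writeup: 0xC6EF3720 is 32 × 0x9E3779B9 mod 2^32, the sum that TEA decryption starts from, which is why it marks the decryption routine. The names transform, STORED and KEY are this example's own, and struct replaces the hex-string byte swapping.

```python
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF
ROUNDS = 32
# Final TEA sum after 32 rounds; decryption starts from it and counts down.
DECRYPT_START = (DELTA * ROUNDS) & MASK  # 0xC6EF3720, the constant seen in IDA

def tea_encrypt_block(v0, v1, k):
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1

def tea_decrypt_block(v0, v1, k):
    # Mirror of encryption: undo v1 first, then v0, while the sum shrinks.
    s = DECRYPT_START
    for _ in range(ROUNDS):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1

def transform(data, k, block_fn):
    """Run block_fn over each 8-byte block, read as two little-endian dwords."""
    if len(data) % 8:
        raise ValueError("data length must be a multiple of 8 bytes")
    out = bytearray()
    for off in range(0, len(data), 8):
        v0, v1 = struct.unpack_from("<2I", data, off)
        out += struct.pack("<2I", *block_fn(v0, v1, k))
    return bytes(out)

KEY = [0xAAAAAAAA] * 4
# The 32 bytes from the page, in memory order (array1 before the [::-1]).
STORED = bytes([
    0x77, 0x42, 0x6B, 0xD7, 0x5F, 0x82, 0xAE, 0x48, 0xA3, 0x64, 0x24, 0xC0,
    0x7D, 0x96, 0x04, 0x17, 0x14, 0x8D, 0x4C, 0xF4, 0x6E, 0x9A, 0xF6, 0xE0,
    0x31, 0x37, 0xA9, 0x33, 0xEE, 0xB5, 0x2D, 0xE7,
])

if __name__ == "__main__":
    recovered = transform(STORED, KEY, tea_encrypt_block)
    # Decrypting the recovered input must give back the stored comparison data.
    assert transform(recovered, KEY, tea_decrypt_block) == STORED
    print(recovered.decode("ascii", errors="replace"))
```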