NSSCTF平台 密码刷题记录

警告
本文最后更新于 2023-04-18,文中内容可能已过时。

做了一些 MT(梅森旋转)之类伪随机数生成器的题目

密码入门

[SWPUCTF 2021 新生赛]crypto8

uuencode

uu库其实调用的是binascii的函数(

import binascii

# One uuencoded line: its first character encodes the payload length and the
# remaining characters carry the data. a2b_uu() turns such a line back into
# the raw bytes. This is an encoding, not encryption - no key is involved.
encoded_line = b'73E-30U1&>V-H965S95]I<U]P;W=E<GT`'
print(binascii.a2b_uu(encoded_line))

# b'NSSCTF{cheese_is_power}'

[SWPUCTF 2021 新生赛]crypto7已解决

somd5查询

NSSCTF{md5yyds}

[强网拟态 2021]拟态签到题

解base64

flag{GaqY7KtEtrVIX1Q5oP5iEBRCYXEAy8rT}

[鹤城杯 2021]A_CRYPTO

base+rot13

flag{W0w_y0u_c4n_rea11y_enc0d1ng!}

常用编码

[BJDCTF 2020]base??

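import base64
import string

# Challenge-supplied alphabet: position -> symbol of the shuffled base64 table.
# Held under its own name so the builtin `dict` is not shadowed.
custom_table = {0: 'J', 1: 'K', 2: 'L', 3: 'M', 4: 'N', 5: 'O', 6: 'x', 7: 'y', 8: 'U', 9: 'V', 10: 'z', 11: 'A', 12: 'B', 13: 'C', 14: 'D', 15: 'E', 16: 'F', 17: 'G', 18: 'H', 19: '7', 20: '8', 21: '9', 22: 'P', 23: 'Q', 24: 'I', 25: 'a', 26: 'b', 27: 'c', 28: 'd', 29: 'e', 30: 'f', 31: 'g', 32: 'h', 33: 'i', 34: 'j', 35: 'k', 36: 'l', 37: 'm', 38: 'W', 39: 'X', 40: 'Y', 41: 'Z', 42: '0', 43: '1', 44: '2', 45: '3', 46: '4', 47: '5', 48: '6', 49: 'R', 50: 'S', 51: 'T', 52: 'n', 53: 'o', 54: 'p', 55: 'q', 56: 'r', 57: 's', 58: 't', 59: 'u', 60: 'v', 61: 'w', 62: '+', 63: '/', 64: '='}

# Standard base64 alphabet in index order, with '=' as the 65th (padding) slot.
base_table = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/="
chipertext = 'FlZNfnF6Qol6e9w17WwQQoGYBQCgIkGTa9w3IQKw'

# Invert the table once (custom symbol -> standard symbol) instead of running
# a linear list.index() search for every ciphertext character.
to_standard = {symbol: base_table[index] for index, symbol in custom_table.items()}

# A symbol outside the custom table raises KeyError rather than being skipped:
# silently dropping it would shift every following 6-bit group.
decode = "".join(to_standard[symbol] for symbol in chipertext)

# print(decode)
# A substituted alphabet is obfuscation only: once the table is known the text
# is ordinary base64.
print(base64.b64decode(decode.encode()).decode())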

NSSCTF{D0_Y0u_kNoW_Th1s_b4se_map}

伪随机

[GWCTF 2019]枯燥的抽奖

R1X4KMJVvf

<?php
# Challenge source (check.php), reproduced unchanged.
# Original author's comment: "This is not the lottery program's source code! No peeking!"
#
# NOTE(review): the secret string is derived from mt_rand() after an explicit
# mt_srand() with a seed drawn from at most 10^9 values, and the first half of
# that string is sent to the client. mt_rand() is not a CSPRNG, so the hidden
# half is predictable from the disclosed half. A value that must stay secret
# should come from random_int()/random_bytes() and never be seeded by the
# application.
header("Content-Type: text/html;charset=utf-8");
session_start();
# The seed is chosen once per session and then reused on every request.
if(!isset($_SESSION['seed'])){
$_SESSION['seed']=rand(0,999999999);
}

# Re-seeding with the stored value on each request makes the loop below
# regenerate the same 20 characters every time the page is loaded.
mt_srand($_SESSION['seed']);
$str_long1 = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$str='';
$len1=20;
# One mt_rand() call per character, each indexing the 62-symbol alphabet.
for ( $i = 0; $i < $len1; $i++ ){
    $str.=substr($str_long1, mt_rand(0, strlen($str_long1) - 1), 1);       
}
# Only the first 10 of the 20 characters are shown to the client.
$str_show = substr($str, 0, 10);
echo "<p id='p1'>".$str_show."</p>";


# The submitted value must match the full 20-character string exactly (===).
if(isset($_POST['num'])){
    if($_POST['num']===$str){
        echo "<p id=flag>抽奖,就是那么枯燥且无味,给你flag{xxxxxxxxx}</p>";
    }
    else{
        echo "<p id=flag>没抽中哦,再试试吧</p>";
    }
}
# Prints this file's own source in the response.
show_source("check.php");
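# Alphabet used by check.php, in the same order, so that a character's position
# here equals the value mt_rand(0, 61) returned for it.
str1 = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'
# The ten characters the page disclosed.
str2 = 'R1X4KMJVvf'

upper_bound = len(str1) - 1

# Each disclosed character becomes four numbers: "value value 0 61", i.e. the
# exact output observed followed by the range that was passed to mt_rand().
# This is the input for the seed-search step shown in the screenshot (the tool
# is not named on the page).
fields = []
for symbol in str2:
    position = str1.find(symbol)
    if position == -1:
        # A character outside the alphabet contributes nothing.
        continue
    fields.append(f"{position} {position} 0 {upper_bound} ")

# Every group, including the last, ends with a single space.
res = ''.join(fields)
print(res)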

# 53 53 0 61 27 27 0 61 59 59 0 61 30 30 0 61 46 46 0 61 48 48 0 61 45 45 0 61 57 57 0 61 21 21 0 61 5 5 0 61 

image-20230418164401518

<?php
// Local replay of check.php's generator with the seed value used in the
// write-up (presumably recovered from the ten disclosed characters; the page
// only shows a screenshot of that step).
//
// NOTE(review): mt_rand()'s output for a given seed changed in PHP 7.1, so the
// replay must run on a PHP version that matches the target's behaviour.
mt_srand(67204988);
$alphabet = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
$last_index = strlen($alphabet) - 1;
$generated = '';
// Same 20 draws, in the same order, as the original loop.
for ($n = 0; $n < 20; $n++) {
    $generated .= $alphabet[mt_rand(0, $last_index)];
}
echo "<p id='p1'>" . $generated . "</p>";

R1X4KMJVvflgWwhsgen0

POST:num=R1X4KMJVvflgWwhsgen0

image-20230418164438033

[PASECA 2019]Tornado_Casino

这段代码是一个简单的游戏,包含以下要素:
1. 彩票机界面,使用十六进制随机数模拟滚轮
2. 玩家可以输入赌注来旋转彩票机。如果输入的数字与随机数匹配,玩家赢得游戏并打印 flag。否则输掉赌注。
3. 玩家有初始余额 10$,可以通过输入 promo 码 b33_1_4m_b3333 获得 1000$。promo 码只能使用一次。
4. 玩家可以选择退出游戏。
主要逻辑如下:
1. 打印彩票机界面
2. 提示玩家选择:玩彩票机、输入 promo 码、退出游戏
3. 如果选择玩彩票机:
- 检查玩家余额,如果>0 可以继续玩
- 玩家输入 $ 来旋转
- 生成 32 位随机数 state 作为彩票机结果
- 让玩家猜测结果,如果猜对打印 flag 并退出游戏
- 否则扣除 1$ 余额并显示随机数
4. 如果选择输入 promo 码,检查码是否正确并添加余额
5. 如果选择退出,退出游戏
6. 循环上述操作直到玩家退出游戏
from mt19937predictor import MT19937Predictor
from pwn import *

# Debug-level logging makes pwntools echo every byte sent and received.
context.log_level = 'debug'

# The service shows its raw 32-bit generator output after each wrong guess.
# MT19937 carries 624 32-bit words of state, so 624 consecutive outputs are
# enough for the predictor to reproduce the generator. A generator meant to be
# unguessable (e.g. Python's `secrets`) does not allow this.
predictor = MT19937Predictor()
host, port = "node4.anna.nssctf.cn:28234".split(':')
io = remote(host, port)

# Menu option 2: redeem the promo code so the balance covers all the spins.
io.sendlineafter("[3] - Exit\n", "2")
io.sendlineafter("Enter your promocode:", "b33_1_4m_b3333")

# Menu option 1: enter the slot machine.
io.sendlineafter("[3] - Exit\n", "1")
for _ in range(624):

    io.sendlineafter("[$] - $$$SPIN$$$\n", "$")
    # Deliberately wrong guess; only the value printed afterwards matters.
    io.sendlineafter("It will be: ", "1")
    observed = int(io.recvline().decode().replace('|', ''), 16)
    predictor.setrandbits(observed, 32)

# Spin 625: answer with the predictor's next 32-bit output.
io.sendlineafter("[$] - $$$SPIN$$$\n", "$")
io.sendlineafter("It will be: ", hex(predictor.getrandbits(32)))
io.interactive()

image-20230418173419490

[GKCTF 2021]Random

最简单的预测题

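from hashlib import md5

from mt19937predictor import MT19937Predictor

# Lines come in groups of three: a 32-bit, a 64-bit and a 96-bit output,
# i.e. 1 + 2 + 3 = 6 state words per group. 104 groups give the 624 words
# that make up the full MT19937 state.
GROUPS = 104
LINES_NEEDED = GROUPS * 3

# Context manager so the file handle is closed once the lines are read.
with open("random.txt", "r") as handle:
    numbers = handle.readlines()

if len(numbers) < LINES_NEEDED:
    raise ValueError(
        f"random.txt has {len(numbers)} lines, need at least {LINES_NEEDED}"
    )

mt = MT19937Predictor()
for i in range(0, LINES_NEEDED, 3):
    mt.setrandbits(int(numbers[i]), 32)
    mt.setrandbits(int(numbers[i + 1]), 64)
    mt.setrandbits(int(numbers[i + 2]), 96)

# The flag is the md5 hex digest of the next 32-bit output written as a
# decimal string; md5 here is only the challenge's flag format.
flag = "NSSCTF{" + md5(str(mt.getrandbits(32)).encode()).hexdigest() + "}"
print(flag)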

NSSCTF{14c71fec812b754b2061a35a4f6d8421}

[天翼杯 2021]babypack

太难了😭

春哥的exp:https://zhuanlan.zhihu.com/p/413319231

[HGAME 2022 week4]PRNG

简单的MT

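import ast

from extend_mt19937_predictor import ExtendMT19937Predictor
from libnum import n2s


# Context manager so the handle is closed after reading.
with open('output.txt', 'r') as handle:
    data = handle.readlines()

# ast.literal_eval replaces the original eval(): eval() executes whatever
# expression the file contains, and a downloaded challenge attachment is
# untrusted input. literal_eval accepts only Python literals.
# NOTE(review): assumes both lines are plain list literals of integers -
# confirm against the challenge's output.txt.
numbers = ast.literal_eval(data[0])
flags = ast.literal_eval(data[1])


# Feed every observed 32-bit output to the predictor.
mt = ExtendMT19937Predictor()
for observed in numbers:
    mt.setrandbits(observed, 32)

# Each flag chunk was XORed with one 32-bit generator output; XORing with the
# predicted value undoes it.
for chunk in flags:
    print(n2s(chunk ^ mt.predict_getrandbits(32)).decode(), end='')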
    
# hgame{meRsenne!tWisTER~iS^A*WIDelY-USEd^pSEUDo&rAndOM:nUmBEr!GeNErATIon?AlgorIThM}

[长城杯 2021 政企组]魔鬼凯撒的RC4茶室

// Decompiler pseudocode, reproduced unchanged.
// Rewrites, in place, the NUL-terminated byte string at address a1:
//   - ASCII letters are lowercased, then rotated by a2 within 'a'..'z';
//   - ASCII digits are rotated by a3 within '0'..'9';
//   - every other byte is left as it is.
// Returns i + a1 for the position where the zero byte was found.
// NOTE(review): the solver on this page inverts with a2 = 20 and a3 = 8; those
// values come from the caller and are not visible in this function.
int __cdecl sub_467480(int a1, int a2, int a3)
{
  int result; // eax
  char v4; // [esp+Ch] [ebp-D0h]
  int i; // [esp+D4h] [ebp-8h]

  __CheckForDebuggerJustMyCode(704670720);
  for ( i = 0; ; ++i )
  {
    result = i + a1;
    // Stop at the terminating zero byte.
    if ( !*(_BYTE *)(i + a1) )
      break;
    // 65..90 is 'A'..'Z', 97..122 is 'a'..'z'.
    if ( *(char *)(i + a1) >= 65 && *(char *)(i + a1) <= 90 || *(char *)(i + a1) >= 97 && *(char *)(i + a1) <= 122 )
    {
      // Lowercase letters are kept; uppercase ones get +32 (to lowercase).
      if ( *(char *)(i + a1) < 65 || *(char *)(i + a1) > 90 )
        v4 = *(_BYTE *)(i + a1);
      else
        v4 = *(_BYTE *)(i + a1) + 32;
      *(_BYTE *)(i + a1) = v4;
      // Rotation by a2 over the 26 lowercase letters; case is lost, so the
      // transform cannot be inverted back to the original capitalisation.
      *(_BYTE *)(i + a1) = (*(char *)(i + a1) + a2 - 97) % 26 + 97;
    }
    // 48..57 is '0'..'9': rotation by a3 over the ten digits.
    if ( *(char *)(i + a1) >= 48 && *(char *)(i + a1) <= 57 )
      *(_BYTE *)(i + a1) = (*(char *)(i + a1) + a3 - 48) % 10 + 48;
  }
  return result;
}
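str1 = list('z8layn_b91_nb9ha1}')

# Shift amounts used by the write-up for letters and digits respectively.
LETTER_SHIFT = 20
DIGIT_SHIFT = 8


def undo_shift(ch):
    """Invert the letter/digit rotation for a single character.

    Letters are rotated back by LETTER_SHIFT within 'a'..'z', digits by
    DIGIT_SHIFT within '0'..'9'; anything else is returned unchanged.
    """
    # The cipher lowercases before rotating, so an uppercase letter is folded
    # first. The original `str1[i] += 32` added an int to a str and raised
    # TypeError whenever this branch was reached.
    if 'A' <= ch <= 'Z':
        ch = ch.lower()
    if 'a' <= ch <= 'z':
        # Direct inverse instead of trying all 26 candidates.
        return chr((ord(ch) - 97 - LETTER_SHIFT) % 26 + 97)
    if '0' <= ch <= '9':
        return chr((ord(ch) - 48 - DIGIT_SHIFT) % 10 + 48)
    return ch


flag2 = ''.join(undo_shift(ch) for ch in str1)

print(flag2)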
# f0rget_h13_th1ng3}

另外半段有关rc4的部分

// Decompiler pseudocode, reproduced unchanged. The sub_* callees and the
// MEMORY[...] globals are not shown on this page, so their roles are not
// documented here.
// Visible behaviour: takes the length of Str, XORs each byte of Str into a
// buffer, then opens three files in turn, writes to them and closes them.
// Returns the result of the last j__fclose().
int __cdecl sub_466DB0(char *Str)
{
  int m; // [esp+610h] [ebp-300CCh]
  char v3[65556]; // [esp+61Ch] [ebp-300C0h] BYREF
  FILE *v4; // [esp+10630h] [ebp-200ACh]
  int k; // [esp+1063Ch] [ebp-200A0h]
  char v6[65556]; // [esp+10648h] [ebp-20094h] BYREF
  FILE *v7; // [esp+2065Ch] [ebp-10080h]
  int j; // [esp+20668h] [ebp-10074h]
  char FileName[65547]; // [esp+20674h] [ebp-10068h] BYREF
  char v10; // [esp+3067Fh] [ebp-5Dh]
  FILE *Stream; // [esp+30688h] [ebp-54h]
  int v12; // [esp+30694h] [ebp-48h]
  int i; // [esp+306A0h] [ebp-3Ch]
  int v14; // [esp+306ACh] [ebp-30h]
  int v15[8]; // [esp+306B8h] [ebp-24h] BYREF

  __CheckForDebuggerJustMyCode(704670720);
  // Seven of the eight v15 slots are set; v15[7] is never written here.
  v15[0] = 5;
  v15[1] = 2;
  v15[2] = 0;
  v15[3] = 1;
  v15[4] = 3;
  v15[5] = 1;
  v15[6] = 4;
  v14 = j__strlen(Str);
  sub_45FBB3();
  sub_462B5B();
  sub_45FE0B();
  sub_45F7EE(Str, v14);
  sub_45FCDA(-1596038656);
  // Each input byte is XORed with the value at MEMORY[0x60986500] and stored
  // at 1486383616 + i (1486383616 == 0x58986A00).
  // NOTE(review): as decompiled the key operand is not indexed by i, i.e. one
  // repeating value - confirm in the disassembly that this is not an artifact.
  for ( i = 0; i < v14; ++i )
    *(_BYTE *)(i + 1486383616) = MEMORY[0x60986500] ^ Str[i];
  sub_45FCDA(-924950016);
  v12 = 64;
  sub_4620E3(64, 1620600064, v15);
  sub_462CBE(1620600064, 20, 8);
  sub_45FCDA(-186752512);
  // presumably sub_45F1CC fills FileName; the fopen mode string is at
  // 0x14DF6200 and its contents are not visible here - TODO confirm.
  sub_45F1CC(-1663147520, (char)FileName);
  Stream = j__fopen(FileName, (const char *)0x14DF6200);
  if ( !Stream )
  {
    // No early return is visible on fopen failure.
    sub_45FCDA(417292800);
    j___loaddll(0);
  }
  // The value loaded from MEMORY[0x58986A00] is overwritten by getchar()
  // before use, so the first byte written is the typed character; later bytes
  // are read from 1503160832 + j (1503160832 == 0x59986A00).
  v10 = MEMORY[0x58986A00];
  v10 = j__getchar();
  for ( j = 0; j < v14; ++j )
  {
    j__fputc(v10, Stream);
    v10 = *(_BYTE *)(j + 1503160832);
  }
  j__fclose(Stream);
  sub_45FCDA(752837120);
  sub_45F1CC(-1663147520, (char)v6);
  v7 = j__fopen(v6, (const char *)0x14DF6200);
  if ( !v7 )
  {
    sub_45FCDA(417292800);
    j___loaddll(0);
  }
  v6[65547] = j__getchar();
  // Runs exactly once (k < 1).
  for ( k = 0; k < 1; ++k )
    sub_46150D(v7, 1356816896, MEMORY[0x60986500]);
  j__fclose(v7);
  sub_45FCDA(1423925760);
  sub_45F1CC(-1663147520, (char)v3);
  v4 = j__fopen(v3, (const char *)0x14DF6200);
  if ( !v4 )
  {
    sub_45FCDA(417292800);
    j___loaddll(0);
  }
  v3[65547] = j__getchar();
  // Runs exactly once (m < 1); same call as above with MEMORY[0x60986504].
  for ( m = 0; m < 1; ++m )
    sub_46150D(v4, 1356816896, MEMORY[0x60986504]);
  return j__fclose(v4);
}
// Decompiler pseudocode, reproduced unchanged.
// Runs a2 rounds over a 256-entry table of DWORDs at 0x608F6500 and stores one
// DWORD per round into the array at 0x60986500 (index v4). Each round:
//   i  = (i + 1) % 256
//   v6 = (table[i] + v6) % 256
//   swap table[i] and table[v6]
//   out[v4++] = table[(table[v6] + table[i]) % 256]   (the for-increment)
// This has the shape of RC4's keystream-generation loop, which is what the
// write-up's "%256" remark refers to. a1 is not used in the visible code.
// Returns the value a2 had on the final test, i.e. 0.
int __cdecl sub_467320(int a1, int a2)
{
  int result; // eax
  int v4; // [esp+D4h] [ebp-44h]
  int v5; // [esp+F8h] [ebp-20h]
  int v6; // [esp+104h] [ebp-14h]
  int i; // [esp+110h] [ebp-8h]

  __CheckForDebuggerJustMyCode(704670720);
  v4 = 0;
  v6 = 0;
  for ( i = 0;
        ;
        *(_DWORD *)(4 * v4++ + 0x60986500) = *(_DWORD *)(4
                                                       * ((*(_DWORD *)(4 * v6 + 0x608F6500)
                                                         + *(_DWORD *)(4 * i + 0x608F6500))
                                                        % 256)
                                                       + 0x608F6500) )
  {
    result = a2;
    // Post-decrement test: the body runs a2 times, then the loop breaks.
    if ( !a2-- )
      break;
    i = (i + 1) % 256;
    v6 = (*(_DWORD *)(4 * i + 0x608F6500) + v6) % 256;
    // Swap table[i] and table[v6] through v5.
    v5 = *(_DWORD *)(4 * i + 0x608F6500);
    *(_DWORD *)(4 * i + 0x608F6500) = *(_DWORD *)(4 * v6 + 0x608F6500);
    *(_DWORD *)(4 * v6 + 0x608F6500) = v5;
  }
  return result;
}

rc4的%256

直接xor爆破也是能得到结果的

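str1 = list('z8layn_b91_nb9ha1}')

# Shift amounts used by the write-up for letters and digits respectively.
LETTER_SHIFT = 20
DIGIT_SHIFT = 8

# Single-byte XOR value the write-up found for the first half of the flag.
XOR_KEY = 0xde


def undo_shift(ch):
    """Invert the letter/digit rotation for a single character.

    Letters are rotated back by LETTER_SHIFT within 'a'..'z', digits by
    DIGIT_SHIFT within '0'..'9'; anything else is returned unchanged.
    """
    # The cipher lowercases before rotating, so an uppercase letter is folded
    # first. The original `str1[i] += 32` added an int to a str and raised
    # TypeError whenever this branch was reached.
    if 'A' <= ch <= 'Z':
        ch = ch.lower()
    if 'a' <= ch <= 'z':
        # Direct inverse instead of trying all 26 candidates.
        return chr((ord(ch) - 97 - LETTER_SHIFT) % 26 + 97)
    if '0' <= ch <= '9':
        return chr((ord(ch) - 48 - DIGIT_SHIFT) % 10 + 48)
    return ch


flag2 = ''.join(undo_shift(ch) for ch in str1)

# Context manager closes the file; the original left the handle open and used
# a list comprehension purely for its print() side effect.
with open('flag片段/flag', 'rb') as handle:
    first_half = handle.read()

# One repeated key byte gives only 256 candidates, so the stream cipher adds no
# real protection here. In the write-up's output the first two characters come
# out garbled, so those two bytes evidently do not follow the same key.
print(''.join(chr(byte ^ XOR_KEY) for byte in first_half), end='')

print(flag2)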

# ÓÔlag{x1aom1ng_1s_3o_easy_f0rget_h13_th1ng3}