2019 "掘安杯" (Juean Cup) write-up


Preface
Ground away at it for a whole day and finished third in the end, so here are my notes. I'm really bad at reversing~~~~
Misc
Really Not an Image
The challenge provides an image; run binwalk on it.
pumpkin9@pumpkin9:/mnt/c/Users/Desktop/juean$ binwalk Misc-JASEC.png

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 824 x 639, 8-bit/color RGB, non-interlaced
91 0x5B Zlib compressed data, compressed
140598 0x22536 End of Zip archive, footer length: 22
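There is a zip inside the file. Comparing it with an image that carries a normal archive, emmm, anyway the zip header is missing.
You can see that 50 4B 03 04 has been replaced with ja66. After restoring those four bytes, binwalk reports the archive: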
pumpkin9@pumpkin9:/mnt/c/Users/Desktop/juean$ binwalk Misc-JASEC.png

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 824 x 639, 8-bit/color RGB, non-interlaced
91 0x5B Zlib compressed data, compressed
137859 0x21A83 Zip archive data, at least v2.0 to extract, compressed size: 2605, uncompressed size: 11258, name: subject.zip
140598 0x22536 End of Zip archive, footer length: 22
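Then carve the archive out with foremost (ja66) and decompress it.
import base64

flag = ""
# Read ./0/0.txt ... ./31/31.txt in order; each file holds one fragment
# of a Base64 string.
for i in range(0, 32):
    with open('./' + str(i) + '/' + str(i) + '.txt', 'r') as f:
        flag += f.read()
print(base64.b64decode(flag).decode())
# jactf{64se64_1s_50_c001}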
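The header repair described above, as an added example (not code from the original write-up): it follows the central directory, which the challenge left intact, to each local file header and writes 50 4B 03 04 back wherever the magic was overwritten. The input is a constructed stand-in built by build_sample(); all function names are assumptions of this example.

```python
import io
import struct
import zipfile

LFH_SIG = b"PK\x03\x04"   # local file header magic (50 4B 03 04)
CD_SIG = b"PK\x01\x02"    # central directory entry magic
EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory magic

def restore_local_headers(blob):
    """Return (repaired embedded zip, offsets in blob where the magic was rewritten)."""
    eocd = blob.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record found")
    entries, cd_size, cd_off = struct.unpack_from("<HII", blob, eocd + 10)
    # Offsets stored in a zip are relative to the start of the archive, not of
    # the carrier image, so work out where the archive begins inside the blob.
    start = eocd - cd_size - cd_off
    data = bytearray(blob)
    fixed, pos = [], start + cd_off
    for _ in range(entries):
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError("central directory is damaged")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        lfh = start + struct.unpack_from("<I", data, pos + 42)[0]
        if data[lfh:lfh + 4] != LFH_SIG:
            data[lfh:lfh + 4] = LFH_SIG
            fixed.append(lfh)
        pos += 46 + name_len + extra_len + comment_len
    return bytes(data[start:]), fixed

def build_sample():
    """Constructed stand-in for Misc-JASEC.png: 91 filler bytes, then a zip whose
    local header magic is overwritten with b'ja66' as in the challenge."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("subject.zip", b"constructed payload")
    tampered = buf.getvalue().replace(LFH_SIG, b"ja66", 1)
    return b"\x89PNG\r\n\x1a\n" + b"\x00" * 83 + tampered

if __name__ == "__main__":
    archive, fixed = restore_local_headers(build_sample())
    print("rewrote magic at", fixed)
    print(zipfile.ZipFile(io.BytesIO(archive)).namelist())
```
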
what
Challenge description: a long Quoted-Printable encoded string.
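Solution
Quoted-Printable is another encoding commonly used in MIME mail. Like Base64, it encodes the input string or data into a printable string made up entirely of ASCII characters. Decoding with quopri.decodestring() gives: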
佛曰:梵僧奢楞奢吉若奢不帝冥夜是缽朋缽真特俱上罰能皤室阿諳明一切呐除梵姪缽婆呐亦參侄呼皤世哆特哆故勝諳爍謹智皤參孕逝諳謹漫死即侄除哆逝侄是奢喝礙豆諳楞無俱者哆度者。諳真冥訶侄勝竟藝奢不伊皤謹涅孕無他羅大得闍哆喝耶僧無羯滅除利缽多梵夷梵栗缽者孕諳盧皤三罰寫老梵耶室帝梵寫羯數梵盡侄栗侄藐俱世諳上諳姪數室婆罰槃奢訶哆多逝藐道梵楞梵南侄迦呐知朋楞侄離呐沙呐智遮大室神冥輸殿缽槃梵怛恐舍知皤迦奢般諳爍寫漫伊俱栗哆他亦缽楞怛冥呼切俱菩舍呐實栗奢波摩諳道缽瑟哆實皤爍勝薩罰諸奢般諦罰明缽諦尼哆楞佛俱醯諳滅度哆所槃姪麼所恐諳他侄寫瑟侄所得隸哆闍呐提盧冥咒奢曰呐沙怯般南怯地缽喝冥想呐盧罰謹呼跋缽上娑諦死侄迦
Decoding the Buddha's words ("参悟佛所言的真意") gives:
公正友善自由公正民主公正和谐法治自由公正公正法治友善平等公正爱国公正平等法治爱国公正敬业公正友善爱国平等诚信平等法治敬业法治平等公正公正公正诚信平等平等友善敬业法治民主法治富强法治友善法治
Decoding that with the core socialist values encoding gives the flag jactf{hexin_yufo_qp}
Little Comb
Generate a wordlist and brute-force with it.
crunch 11 11 -t 138364%%%%% -o /root/桌面/test.txt
aircrack-ng -w /root/桌面/test.txt Tenda_D07D90-01.cap
Crypto
Three Heroes of the Base Family Fight the Demons
Just run the script.
$ python base.py ciphertext_ea88a4d420c804686a8899608e06130f.txt
1
using base16 decode sucess…..
2
using base16 decode failuer…..
using base32 decode sucess…..
3
using base16 decode failuer…..
using base32 decode failuer…..
using base64 decode sucess…..
4
using base16 decode sucess…..
5
using base16 decode failuer…..
using base32 decode sucess…..
6
using base16 decode failuer…..
using base32 decode failuer…..
using base64 decode sucess…..
7
using base16 decode sucess…..
8
using base16 decode failuer…..
using base32 decode sucess…..
9
using base16 decode failuer…..
using base32 decode failuer…..
using base64 decode sucess…..
10
using base16 decode sucess…..
11
using base16 decode failuer…..
using base32 decode sucess…..
12
using base16 decode failuer…..
using base32 decode failuer…..
using base64 decode sucess…..
13
using base16 decode failuer…..
using base32 decode failuer…..
using base64 decode failuer…..
jactf{4(b64_32_16)}
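base.py itself is not shown in the write-up. The following added example (not the author's script) reproduces the loop the log reflects: on each round try base16, then base32, then base64, and stop when all three fail. The sample input is constructed by wrapping the flag from the log four times; the function names are assumptions.

```python
import base64
import binascii

# Order matters: hex text and base32 text both fit inside the base64 alphabet,
# so a base64 attempt made first could "succeed" on the wrong layer.
DECODERS = [
    ("base16", base64.b16decode),
    ("base32", base64.b32decode),
    # validate=True: without it b64decode silently drops characters such as
    # '{' and '}' and would "decode" the final plaintext into junk.
    ("base64", lambda s: base64.b64decode(s, validate=True)),
]

def is_text(b):
    """True for non-empty printable ASCII, which every inner layer must be."""
    return bool(b) and all(32 <= c < 127 for c in b)

def peel(data, max_rounds=64):
    """Strip nested base16/32/64 layers; return (result, layers in order)."""
    layers = []
    for _ in range(max_rounds):
        for name, decode in DECODERS:
            try:
                out = decode(data)
            except (binascii.Error, ValueError):
                continue
            if is_text(out):  # reject decodes that only yield binary junk
                data = out
                layers.append(name)
                break
        else:
            break  # all three decoders failed: this is the plaintext
    return data, layers

def build_sample(flag, rounds=4):
    """Constructed input: base64 -> base32 -> base16, repeated `rounds` times."""
    for _ in range(rounds):
        flag = base64.b16encode(base64.b32encode(base64.b64encode(flag)))
    return flag

if __name__ == "__main__":
    result, layers = peel(build_sample(b"jactf{4(b64_32_16)}"))
    print(layers)
    print(result.decode())
```
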
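The Founder of the Roman Empire
From the Caesar cipher scheme and the flag format we get:
a = 'h^_o`[pZi^i`'
b = ""

# The shift grows by one per position, starting at 2 (h -> j, ^ -> a, _ -> c),
# which is what the known flag prefix gives.
for i in range(len(a)):
    b += chr(ord(a[i]) + i + 2)
print(b)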
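Top-Secret Intelligence
Challenge description
[...] Also, Xiaocai overheard part of the top-secret material about the intelligence yesterday, as follows: N=5520780427, e = 134257. Can you help Xiaocai decrypt this intelligence?
Solution
import ast
import base64

enc = "..."  # Base64 ciphertext from the challenge (elided on this page)

# The Base64 layer wraps the text of a Python list of integers; parse it with
# ast.literal_eval rather than eval so challenge data is never executed.
enc_list = ast.literal_eval(base64.b64decode(enc).decode())
print(enc_list)
d = 3960784897
n = 5520780427
flag = ""
# Each list element is one character encrypted on its own with RSA.
for c in enc_list:
    flag += chr(pow(c, d, n))
print(flag)
# U2FsdGVkX1/8DKBmhvO87/SOLaawwxvAdHLB9AV62nC6LhXzhatpvBcg6tlK7Fs5
DES-decrypt that and you are done: jactf{So_easy_RSA_and_DES}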
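Where the hard-coded d comes from, as an added example (not part of the original script): N is small enough to factor by trial division, after which d is the inverse of e modulo (p-1)(q-1). It assumes N is a product of two distinct primes; the function names and the sample ciphertext are constructed for illustration.

```python
from math import isqrt

N, E = 5520780427, 134257  # public values from the challenge description

def factor_semiprime(n):
    """Trial division; feasible only because n is about 33 bits long."""
    if n % 2 == 0:
        return 2, n // 2
    for p in range(3, isqrt(n) + 1, 2):
        if n % p == 0:
            return p, n // p
    raise ValueError("n has no non-trivial factor")

def private_exponent(n, e):
    """d = e^-1 mod phi(n), assuming n = p*q with p and q distinct primes."""
    p, q = factor_semiprime(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse, Python 3.8+

def decrypt_chars(blocks, d, n):
    """Decrypt a list of integers that each encode one character."""
    return "".join(chr(pow(c, d, n)) for c in blocks)

def sample_blocks(text):
    """Constructed ciphertext: every character encrypted separately with the
    public key, the same per-character layout the solution script decrypts."""
    return [pow(ord(ch), E, N) for ch in text]

if __name__ == "__main__":
    d = private_exponent(N, E)
    print(factor_semiprime(N), d)
    print(decrypt_chars(sample_blocks("U2FsdGVk"), d, N))
```

Because each character is encrypted on its own without padding, equal characters give equal ciphertext blocks, so the scheme is weak even before the modulus is factored.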
Bayes
Challenge
Two files are given in total.
encode.txt
int main()
{
    string P("*****************");
    string C("*****************");
    int len = C.length();
    for (int k = 0; k < len; k ++) {
        int where = des_find(P, C[k]);
        where = ((where * a) + b) mod x;
        cout << P[where];
    }
    return 0;
}

int des_find(string p, int m)
{
    for (int i = 0; i < p.length(); i++) {
        if (m == p[i]) {
            return i;
        }
    }
}
题目.txt
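The codebook used by a certain spy (a codebook designed by Bayes, no less) is known to be: "elFXRVJUWVVJT1B4Y3Zibm1hc2RmQVNERkdISktMZ2hqa2xfcXdaWENWQk5NZXJ0e3l1aW9wfTAxMjM0OTg3NjU=" Their encryption algorithm has now been obtained, and a piece of ciphertext has been intercepted: "gf9C{YQ34KHN3sOwhCz3RzH3CKj3Ndpm1Bt7" Can you recover the plaintext?
Solution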
#include <iostream>
#include <string>
#define PSIZE 65 // size of the cipher alphabet
using namespace std;
int gcd(int m, int n);
int init_gcd(int m, int n);
int des_find(string p, int m);

int main()
{
    string P("zQWERTYUIOPxcvbnmasdfASDFGHJKLghjkl_qwZXCVBNMert{yuiop}0123498765");
    string M("gf9C{YQ34KHN3sOwhCz3RzH3CKj3Ndpm1Bt7"); // P is the alphabet (plaintext space), M the known ciphertext
    int a1; // holds the modular inverse of a
    for (int i = 2; i < PSIZE; i++) // try every a that is coprime with PSIZE
    {
        if (gcd(i, PSIZE) == 1)
        { // i is coprime with PSIZE here, so it has an inverse
            /*** compute the inverse of this i ***/
            a1 = init_gcd(i, PSIZE);
            for (int j = 0; j < PSIZE; j++) // iterate over b
            {
                cout << " 此时:a=" << i << " b=" << j << " a 的逆元为:" << a1 << " \"";
                for (size_t k = 0; k < M.length(); k++) { // decrypt one ciphertext character at a time
                    int where = des_find(P, M[k]); // index of the ciphertext character in the alphabet
                    where = ((where - j) * a1) % PSIZE; // invert where = (where * a + b) mod PSIZE
                    if (where < 0) {
                        where += PSIZE;
                    }
                    cout << P[where];
                }
                cout << "\"" << endl;
            }
        }
    }
    return 0;
}

int gcd(int b, int a) // greatest common divisor, used to test coprimality
{
    int temp;
    if (a < b) // make sure a >= b
    {
        temp = a;
        a = b;
        b = temp;
    }
    if (b == 0) return a;
    else return gcd(b, a % b); // recurse
}

int init_gcd(int m, int n) // modular inverse of m mod n, found by exhaustive search
{
    for (int i = 1; i < n; i++)
    {
        if ((m * i) % n == 1)
        {
            return i;
        }
    }
    return -1; // no inverse: m and n are not coprime
}

int des_find(string p, int m) // find the position of character m in p
{
    for (size_t i = 0; i < p.length(); i++) {
        if (m == p[i]) {
            return i;
        }
    }
    return -1; // character is not in the alphabet
}
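Plans for what comes next: write up the base family; wasm; Bayes; algorithms for converting characters to number bases, and how to reverse them; the pyc file format; DES encryption, ECB, CBC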
