go

程序主要作用就是输入正确的内容,然后经过base64加密,与硬编码的字符串进行比较,如果正确则输出flag。

动态调试,可以得到base64码表

upload successful

替换码表解密脚本如下

import string
import base64
my_base64table = "XYZFGHI2+/Jhi345jklmEnopuvwqrABCDKL6789abMNWcdefgstOPQRSTUVxyz01"
std_base64table ="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
s = "nRKKAHzMrQzaqQzKpPHClX=="
s = s.translate(string.maketrans(my_base64table,std_base64table))
print base64.b64decode(s)
# What_is_go_a_A_H

可以直接输入获取flag

upload successful

tree

这题主要逻辑就是输入flag{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}格式的flag,然后第一个函数会对为x的位置的字符进行判断,然后将字符转换为二进制表示,然后调用第二个函数,主要是通过判断上个函数得到的二进制字符串,为0则加12,为1则加16,然后通过系统自动生成的数组得到最终加密的字符,solver代码如下:

关键需要模拟数组的起始地址,用字典表示

flag = [
   0x00000000, 0x00000001, 0x00000062, 0x00000013, 0x00000001, 0x00000000, 0x00000000, 0x00000001,
   0x00000063, 0x0000001B, 0x00000002, 0x00000000, 0x00000000, 0x00000001, 0x00000064, 0x00000006,
   0x00000003, 0x00000000, 0x00000000, 0x00000001, 0x00000065, 0x0000000F, 0x00000004, 0x00000000,
   0x00000000, 0x00000001, 0x00000066, 0x0000002F, 0x00000005, 0x00000000, 0x00000000, 0x00000001,
   0x00000067, 0x0000002A, 0x00000006, 0x00000000, 0x00000000, 0x00000001, 0x00000068, 0x0000003A,
   0x00000007, 0x00000000, 0x00000000, 0x00000001, 0x00000069, 0x00000006, 0x00000008, 0x00000000,
   0x00000000, 0x00000001, 0x0000006A, 0x0000005F, 0x00000009, 0x00000000, 0x00000000, 0x00000001,
   0x0000006B, 0x00000019, 0x0000000A, 0x00000000, 0x00000000, 0x00000001, 0x0000006C, 0x00000007,
   0x0000000B, 0x00000000, 0x00000000, 0x00000001, 0x0000006D, 0x00000012, 0x0000000C, 0x00000000,
   0x00000000, 0x00000001, 0x0000006E, 0x00000037, 0x0000000D, 0x00000000, 0x00000000, 0x00000001,
   0x0000006F, 0x0000001E, 0x0000000E, 0x00000000, 0x00000000, 0x00000001, 0x00000070, 0x00000018,
   0x0000000F, 0x00000000, 0x00000000, 0x00000001, 0x00000071, 0x00000016, 0x00000010, 0x00000000,
   0x00000000, 0x00000001, 0x00000072, 0x00000002, 0x00000011, 0x00000000, 0x00000000, 0x00000001,
   0x00000073, 0x00000069, 0x00000012, 0x00000000, 0x00000000, 0x00000001, 0x00000074, 0x0000000D,
   0x00000013, 0x00000000, 0x00000000, 0x00000001, 0x00000075, 0x00000004, 0x00000014, 0x00000000,
   0x00000000, 0x00000001, 0x00000076, 0x0000004B, 0x00000015, 0x00000000, 0x00000000, 0x00000001,
   0x00000077, 0x00000017, 0x00000016, 0x00000000, 0x00000000, 0x00000001, 0x00000078, 0x0000000C,
   0x00000017, 0x00000000, 0x00000000, 0x00000001, 0x00000079, 0x00000026, 0x00000018, 0x00000000,
   0x00000000, 0x00000001, 0x0000007A, 0x00000033, 0x00000019, 0x00000000, 0x00000000, 0x00000001,
   0x00000000, 0x00000005, 0x0000001A, 0x00406218, 0x00406080, 0x00000001, 0x00000000, 0x00000009,
   0x0000001B, 0x00406260, 0x004062F0, 0x00000001, 0x00000000, 0x0000000C, 0x0000001C, 0x004060C8,
   0x00406140, 0x00000001, 0x00000000, 0x00000010, 0x0000001D, 0x00406188, 0x00406308, 0x00000001,
   0x00000000, 0x00000018, 0x0000001E, 0x004062A8, 0x00406320, 0x00000001, 0x00000000, 0x0000001C,
   0x0000001F, 0x00406248, 0x004060E0, 0x00000001, 0x00000000, 0x00000022, 0x00000020, 0x00406338,
   0x004061A0, 0x00000001, 0x00000000, 0x00000029, 0x00000021, 0x00406098, 0x00406200, 0x00000001,
   0x00000000, 0x0000002F, 0x00000022, 0x00406290, 0x004061E8, 0x00000001, 0x00000000, 0x00000031,
   0x00000023, 0x00406350, 0x00406170, 0x00000001, 0x00000000, 0x00000037, 0x00000024, 0x004060B0,
   0x00406368, 0x00000001, 0x00000000, 0x00000040, 0x00000025, 0x004061D0, 0x00406380, 0x00000001,
   0x00000000, 0x0000004F, 0x00000026, 0x004062C0, 0x00406398, 0x00000001, 0x00000000, 0x00000059,
   0x00000027, 0x00406110, 0x004060F8, 0x00000001, 0x00000000, 0x00000060, 0x00000028, 0x004063B0,
   0x004063C8, 0x00000001, 0x00000000, 0x0000006A, 0x00000029, 0x004062D8, 0x004061B8, 0x00000001,
   0x00000000, 0x00000071, 0x0000002A, 0x004063E0, 0x00406128, 0x00000001, 0x00000000, 0x0000008B,
   0x0000002B, 0x004063F8, 0x00406278, 0x00000001, 0x00000000, 0x000000A8, 0x0000002C, 0x00406410,
   0x00406428, 0x00000001, 0x00000000, 0x000000BF, 0x0000002D, 0x00406158, 0x00406440, 0x00000001,
   0x00000000, 0x000000D3, 0x0000002E, 0x00406230, 0x00406458, 0x00000001, 0x00000000, 0x000000FC,
   0x0000002F, 0x00406470, 0x00406488, 0x00000001, 0x00000000, 0x00000167, 0x00000030, 0x004064A0,
   0x004064B8, 0x00000001, 0x00000000, 0x000001CF, 0x00000031, 0x004064D0, 0x004064E8, 0x00000001,
   0x00000000, 0x00000336, 0x00000032, 0x00406500, 0x00406518
   ]

#offset = 0x00406090
#for i in range(0,len(flag)):
#    print hex(offset + i * 4)+":"+hex(flag[i])+',',

flag = {0x406090:0x0, 0x406094:0x1, 0x406098:0x62, 0x40609c:0x13, 0x4060a0:0x1, 0x4060a4:0x0, 0x4060a8:0x0, 0x4060ac:0x1, 0x4060b0:0x63, 0x4060b4:0x1b, 0x4060b8:0x2, 0x4060bc:0x0, 0x4060c0:0x0, 0x4060c4:0x1, 0x4060c8:0x64, 0x4060cc:0x6, 0x4060d0:0x3, 0x4060d4:0x0, 0x4060d8:0x0, 0x4060dc:0x1, 0x4060e0:0x65, 0x4060e4:0xf, 0x4060e8:0x4, 0x4060ec:0x0, 0x4060f0:0x0, 0x4060f4:0x1, 0x4060f8:0x66, 0x4060fc:0x2f, 0x406100:0x5, 0x406104:0x0, 0x406108:0x0, 0x40610c:0x1, 0x406110:0x67, 0x406114:0x2a, 0x406118:0x6, 0x40611c:0x0, 0x406120:0x0, 0x406124:0x1, 0x406128:0x68, 0x40612c:0x3a, 0x406130:0x7, 0x406134:0x0, 0x406138:0x0, 0x40613c:0x1, 0x406140:0x69, 0x406144:0x6, 0x406148:0x8, 0x40614c:0x0, 0x406150:0x0, 0x406154:0x1, 0x406158:0x6a, 0x40615c:0x5f, 0x406160:0x9, 0x406164:0x0, 0x406168:0x0, 0x40616c:0x1, 0x406170:0x6b, 0x406174:0x19, 0x406178:0xa, 0x40617c:0x0, 0x406180:0x0, 0x406184:0x1, 0x406188:0x6c, 0x40618c:0x7, 0x406190:0xb, 0x406194:0x0, 0x406198:0x0, 0x40619c:0x1, 0x4061a0:0x6d, 0x4061a4:0x12, 0x4061a8:0xc, 0x4061ac:0x0, 0x4061b0:0x0, 0x4061b4:0x1, 0x4061b8:0x6e, 0x4061bc:0x37, 0x4061c0:0xd, 0x4061c4:0x0, 0x4061c8:0x0, 0x4061cc:0x1, 0x4061d0:0x6f, 0x4061d4:0x1e, 0x4061d8:0xe, 0x4061dc:0x0, 0x4061e0:0x0, 0x4061e4:0x1, 0x4061e8:0x70, 0x4061ec:0x18, 0x4061f0:0xf, 0x4061f4:0x0, 0x4061f8:0x0, 0x4061fc:0x1, 0x406200:0x71, 0x406204:0x16, 0x406208:0x10, 0x40620c:0x0, 0x406210:0x0, 0x406214:0x1, 0x406218:0x72, 0x40621c:0x2, 0x406220:0x11, 0x406224:0x0, 0x406228:0x0, 0x40622c:0x1, 0x406230:0x73, 0x406234:0x69, 0x406238:0x12, 0x40623c:0x0, 0x406240:0x0, 0x406244:0x1, 0x406248:0x74, 0x40624c:0xd, 0x406250:0x13, 0x406254:0x0, 0x406258:0x0, 0x40625c:0x1, 0x406260:0x75, 0x406264:0x4, 0x406268:0x14, 0x40626c:0x0, 0x406270:0x0, 0x406274:0x1, 0x406278:0x76, 0x40627c:0x4b, 0x406280:0x15, 0x406284:0x0, 0x406288:0x0, 0x40628c:0x1, 0x406290:0x77, 0x406294:0x17, 0x406298:0x16, 0x40629c:0x0, 0x4062a0:0x0, 0x4062a4:0x1, 0x4062a8:0x78, 0x4062ac:0xc, 0x4062b0:0x17, 0x4062b4:0x0, 0x4062b8:0x0, 0x4062bc:0x1, 0x4062c0:0x79, 0x4062c4:0x26, 0x4062c8:0x18, 0x4062cc:0x0, 0x4062d0:0x0, 0x4062d4:0x1, 0x4062d8:0x7a, 0x4062dc:0x33, 0x4062e0:0x19, 0x4062e4:0x0, 0x4062e8:0x0, 0x4062ec:0x1, 0x4062f0:0x0, 0x4062f4:0x5, 0x4062f8:0x1a, 0x4062fc:0x406218, 0x406300:0x406080, 0x406304:0x1, 0x406308:0x0, 0x40630c:0x9, 0x406310:0x1b, 0x406314:0x406260, 0x406318:0x4062f0, 0x40631c:0x1, 0x406320:0x0, 0x406324:0xc, 0x406328:0x1c, 0x40632c:0x4060c8, 0x406330:0x406140, 0x406334:0x1, 0x406338:0x0, 0x40633c:0x10, 0x406340:0x1d, 0x406344:0x406188, 0x406348:0x406308, 0x40634c:0x1, 0x406350:0x0, 0x406354:0x18, 0x406358:0x1e, 0x40635c:0x4062a8, 0x406360:0x406320, 0x406364:0x1, 0x406368:0x0, 0x40636c:0x1c, 0x406370:0x1f, 0x406374:0x406248, 0x406378:0x4060e0, 0x40637c:0x1, 0x406380:0x0, 0x406384:0x22, 0x406388:0x20, 0x40638c:0x406338, 0x406390:0x4061a0, 0x406394:0x1, 0x406398:0x0, 0x40639c:0x29, 0x4063a0:0x21, 0x4063a4:0x406098, 0x4063a8:0x406200, 0x4063ac:0x1, 0x4063b0:0x0, 0x4063b4:0x2f, 0x4063b8:0x22, 0x4063bc:0x406290, 0x4063c0:0x4061e8, 0x4063c4:0x1, 0x4063c8:0x0, 0x4063cc:0x31, 0x4063d0:0x23, 0x4063d4:0x406350, 0x4063d8:0x406170, 0x4063dc:0x1, 0x4063e0:0x0, 0x4063e4:0x37, 0x4063e8:0x24, 0x4063ec:0x4060b0, 0x4063f0:0x406368, 0x4063f4:0x1, 0x4063f8:0x0, 0x4063fc:0x40, 0x406400:0x25, 0x406404:0x4061d0, 0x406408:0x406380, 0x40640c:0x1, 0x406410:0x0, 0x406414:0x4f, 0x406418:0x26, 0x40641c:0x4062c0, 0x406420:0x406398, 0x406424:0x1, 0x406428:0x0, 0x40642c:0x59, 0x406430:0x27, 0x406434:0x406110, 0x406438:0x4060f8, 0x40643c:0x1, 0x406440:0x0, 0x406444:0x60, 0x406448:0x28, 0x40644c:0x4063b0, 0x406450:0x4063c8, 0x406454:0x1, 0x406458:0x0, 0x40645c:0x6a, 0x406460:0x29, 0x406464:0x4062d8, 0x406468:0x4061b8, 0x40646c:0x1, 0x406470:0x0, 0x406474:0x71, 0x406478:0x2a, 0x40647c:0x4063e0, 0x406480:0x406128, 0x406484:0x1, 0x406488:0x0, 0x40648c:0x8b, 0x406490:0x2b, 0x406494:0x4063f8, 0x406498:0x406278, 0x40649c:0x1, 0x4064a0:0x0, 0x4064a4:0xa8, 0x4064a8:0x2c, 0x4064ac:0x406410, 0x4064b0:0x406428, 0x4064b4:0x1, 0x4064b8:0x0, 0x4064bc:0xbf, 0x4064c0:0x2d, 0x4064c4:0x406158, 0x4064c8:0x406440, 0x4064cc:0x1, 0x4064d0:0x0, 0x4064d4:0xd3, 0x4064d8:0x2e, 0x4064dc:0x406230, 0x4064e0:0x406458, 0x4064e4:0x1, 0x4064e8:0x0, 0x4064ec:0xfc, 0x4064f0:0x2f, 0x4064f4:0x406470, 0x4064f8:0x406488, 0x4064fc:0x1, 0x406500:0x0, 0x406504:0x167, 0x406508:0x30, 0x40650c:0x4064a0, 0x406510:0x4064b8, 0x406514:0x1, 0x406518:0x0, 0x40651c:0x1cf, 0x406520:0x31, 0x406524:0x4064d0, 0x406528:0x4064e8, 0x40652c:0x1, 0x406530:0x0, 0x406534:0x336, 0x406538:0x32, 0x40653c:0x406500, 0x406540:0x406518}

offset = 0x406530
cmpstr = 'zvzjyvosgnzkbjjjypjbjdvmsjjyvsjx'
print cmpstr
print len(cmpstr)
for i in range(0,len(cmpstr)):
    for j in [12,16]:
        try:
            if flag[flag[offset+j]] == ord(cmpstr[i]):
                print j,
                break
        except:
            pass
        for k in [12,16]:
            try:
                if flag[flag[flag[offset+j]+k]] == ord(cmpstr[i]):
                    print j,k,
                    break
            except:
                pass
            for l in [12,16]:
                try:
                    if flag[flag[flag[flag[offset+j]+k]+l]] == ord(cmpstr[i]):
                        print j,k,l,
                        break
                except:
                    pass
                for m in [12,16]:
                    try:
                        if flag[flag[flag[flag[flag[offset+j]+k]+l]+m]] == ord(cmpstr[i]):
                            print j,k,l,m,
                            break
                    except:
                        pass
                    for n in [12,16]:
                        try:
                            if flag[flag[flag[flag[flag[flag[offset+j]+k]+l]+m]+n]] == ord(cmpstr[i]):
                                print j,k,l,m,n,
                                break
                        except:
                            pass
                        for s in [12,16]:
                            try:
                                if flag[flag[flag[flag[flag[flag[flag[offset+j]+k]+l]+m]+n]+s]] == ord(cmpstr[i]):
                                    print j,k,l,m,n,s,
                                    break
                            except:
                                pass
                            for buf in [12,16]:
                                try:
                                    if flag[flag[flag[flag[flag[flag[flag[flag[offset+j]+k]+l]+m]+n]+s]+buf]] == ord(cmpstr[i]):
                                        print j,k,l,m,n,s,buf,
                                        break
                                except:
                                    pass
opcode = [16,12,16,12,16,16,16,16,16,12,16,12,12,16,12,12,12,12,12,16,16,16,16,16,16,16,12,12,16,12,12,12,12,16,12,16,12,16,16,16,12,16,12,12,16,16,16,16,12,12,12,16,12,12,16,12,12,16,12,12,16,12,12,12,12,12,12,16,16,12,16,12,16,12,12,12,12,16,12,12,16,12,12,16,16,16,12,16,12,16,16,16,16,16,16,16,12,16,16,16,12,12,12,16,12,12,16,12,12,12,12,12,16,16,16,16,16,12,12,12,16,12,12,16,16,16,12,12]
flag = []
for i in range(0,len(opcode),4):
    aaaa = ''
    for j in range(0,4):
        if opcode[i+j] == 16:
            aaaa += '1'
        elif opcode[i+j] == 12:
            aaaa += '0'
    flag.append(aaaa)
print ''
for i in flag:
    print hex(int(i,2))[2:],
# 得到的结果带入到flag{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
# flag{afa41fc8-574f-1248-1a84-9d7f7120f89c}


ctf      ctf

本博客所有文章除特别声明外,均采用 CC BY-SA 3.0协议 。转载请注明出处!