PyDis 这个题应该是rx仿今年的hgame的那一个pypy……
先把pyc转成byte_code:
1 2 3 4 5 6 import dis,marshalf=open ("pyre.cpython-39.pyc" ,"rb" ).read() code = marshal.loads(f[16 :]) dis.dis(code)
没错,我就是嫖含树的(理直气壮
然后硬刚byte_code:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 1 0 BUILD_LIST 0 2 LOAD_CONST 0 ((178 , 184 , 185 , 191 , 182 , 165 , 174 , 191 , 129 , 183 , 187 , 176 , 129 , 169 , 191 , 167 , 163 )) 4 CALL_FINALLY 1 (to 7 ) 6 STORE_NAME 0 (magic) 2 8 LOAD_NAME 1 (input ) 10 LOAD_CONST 1 ('flag >>> ' ) 12 CALL_FUNCTION 1 14 STORE_NAME 2 (inp) 4 16 LOAD_NAME 3 (list ) 18 LOAD_NAME 2 (inp) 20 CALL_FUNCTION 1 22 STORE_NAME 4 (flag) 5 24 LOAD_NAME 5 (len ) 26 LOAD_NAME 4 (flag) 28 CALL_FUNCTION 1 30 LOAD_NAME 5 (len ) 32 LOAD_NAME 0 (magic) 34 CALL_FUNCTION 1 36 COMPARE_OP 3 (!=) 38 POP_JUMP_IF_FALSE 54 6 40 LOAD_NAME 6 (print ) 42 LOAD_CONST 2 ('qwq' ) 44 CALL_FUNCTION 1 46 POP_TOP 7 48 LOAD_NAME 7 (exit) 50 CALL_FUNCTION 0 52 POP_TOP 9 >> 54 LOAD_NAME 8 (range ) 56 LOAD_NAME 5 (len ) 58 LOAD_NAME 4 (flag) 60 CALL_FUNCTION 1 62 LOAD_CONST 3 (2 ) 64 BINARY_FLOOR_DIVIDE 66 CALL_FUNCTION 1 68 GET_ITER >> 70 FOR_ITER 54 (to 126 ) 72 STORE_NAME 9 (i) 10 74 LOAD_NAME 4 (flag) 76 LOAD_CONST 3 (2 ) 78 LOAD_NAME 9 (i) 80 BINARY_MULTIPLY 82 LOAD_CONST 4 (1 ) 84 BINARY_ADD 86 BINARY_SUBSCR 88 LOAD_NAME 4 (flag) 90 LOAD_CONST 3 (2 ) 92 LOAD_NAME 9 (i) 94 BINARY_MULTIPLY 96 BINARY_SUBSCR 98 ROT_TWO 100 LOAD_NAME 4 (flag) 102 LOAD_CONST 3 (2 ) 104 LOAD_NAME 9 (i) 106 BINARY_MULTIPLY 108 STORE_SUBSCR 110 LOAD_NAME 4 (flag) 112 LOAD_CONST 3 (2 ) 114 LOAD_NAME 9 (i) 116 BINARY_MULTIPLY 118 LOAD_CONST 4 (1 ) 120 BINARY_ADD 122 STORE_SUBSCR 124 JUMP_ABSOLUTE 70 12 >> 126 BUILD_LIST 0 128 STORE_NAME 10 (check) 14 130 LOAD_NAME 8 (range ) 132 LOAD_NAME 5 (len ) 134 LOAD_NAME 4 (flag) 136 CALL_FUNCTION 1 138 CALL_FUNCTION 1 140 GET_ITER >> 142 FOR_ITER 26 (to 170 ) 144 STORE_NAME 9 (i) 15 146 LOAD_NAME 10 (check) 148 LOAD_METHOD 11 (append) 150 LOAD_NAME 12 (ord ) 152 LOAD_NAME 4 (flag) 154 LOAD_NAME 9 (i) 156 BINARY_SUBSCR 158 CALL_FUNCTION 1 160 LOAD_CONST 5 (222 ) 162 BINARY_XOR 164 CALL_METHOD 1 166 POP_TOP 168 JUMP_ABSOLUTE 142 17 >> 170 LOAD_NAME 8 (range ) 172 LOAD_NAME 5 (len ) 174 LOAD_NAME 0 (magic) 176 CALL_FUNCTION 1 178 CALL_FUNCTION 1 180 GET_ITER >> 182 FOR_ITER 34 (to 218 ) 184 STORE_NAME 9 (i) 18 186 LOAD_NAME 10 (check) 188 LOAD_NAME 9 (i) 190 BINARY_SUBSCR 192 LOAD_NAME 0 (magic) 194 LOAD_NAME 9 (i) 196 BINARY_SUBSCR 198 COMPARE_OP 3 (!=) 200 POP_JUMP_IF_FALSE 182 19 202 LOAD_NAME 6 (print ) 204 LOAD_CONST 2 ('qwq' ) 206 CALL_FUNCTION 1 208 POP_TOP 20 210 LOAD_NAME 7 (exit) 212 CALL_FUNCTION 0 214 POP_TOP 216 JUMP_ABSOLUTE 182 22 >> 218 LOAD_NAME 6 (print ) 220 LOAD_CONST 6 ('happy new year!' ) 222 CALL_FUNCTION 1 224 POP_TOP 226 LOAD_CONST 7 (None ) 228 RETURN_VALUE
不是很难:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 magic = [178 , 184 , 185 , 191 , 182 , 165 , 174 , 191 , 129 , 183 , 187 , 176 , 129 , 169 , 191 , 167 , 163 ] inp = input ("flag>>> " ) flag = list (inp) if len (magic) != len (flag): print('qwq' ) exit(0 ) else : for i in range (len (flag)//2 ): flag[i*2 ],flag[i*2 +1 ]=flag[i*2 +1 ],flag[i*2 ] check=[] for i in range (len (flag)): check.append(ord (flag[i]) ^ 222 ) for i in range (len (magic)): if check[i] != magic[i]: print('qwq' ) exit(0 ) print('happy new year!' )
写一下exp:
1 2 3 4 5 6 7 8 check=[178 , 184 , 185 , 191 , 182 , 165 , 174 , 191 , 129 , 183 , 187 , 176 , 129 , 169 , 191 , 167 , 163 ] flag=[] for i in check: flag.append(chr (i^222 )) for i in range (len (flag)//2 ): flag[i*2 ],flag[i*2 +1 ]=flag[i*2 +1 ],flag[i*2 ] for i in flag: print(i,end='' )
FlareOn4 IgniteMe 题确实比较简单,直接定位关键函数sub_401050,重命名一下:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 int sub_401050 () int length; int i; unsigned int j; char v4; length = strlen ((int )input); v4 = sub_401000(); for ( i = length - 1 ; i >= 0 ; --i ) { rel[i] = v4 ^ input[i]; v4 = input[i]; } for ( j = 0 ; j < 39 ; ++j ) { if ( rel[j] != (unsigned __int8)byte_403000[j] ) return 0 ; } return 1 ; }
代码逻辑十分简单,然后就是那个v4不会算,动调一下就知道了。
写一下exp:
1 2 3 4 5 6 7 8 9 10 11 12 13 #include <bits/stdc++.h> using namespace std ;int main () int rel[]={0x0D ,0x26 ,0x49 ,0x45 ,0x2A ,0x17 ,0x78 ,0x44 ,0x2B ,0x6C ,0x5D ,0x5E ,0x45 ,0x12 ,0x2F ,0x17 ,0x2B ,0x44 ,0x6F ,0x6E ,0x56 ,0x9 ,0x5F ,0x45 ,0x47 ,0x73 ,0x26 ,0x0A ,0x0D ,0x13 ,0x17 ,0x48 ,0x42 ,0x1 ,0x40 ,0x4D ,0x0C ,0x2 ,0x69 ,0x0 }; char flag[40 ]; int v4=4 ; for ( int i = 38 ; i >= 0 ; --i ) { flag[i] = v4 ^ rel[i]; v4 = flag[i]; } cout <<"flag{" <<flag<<'}' ; }
BUUCTF Firmware 这尼玛……是啥????电子取证???还是MISC???还是IOT???
我还是按照MISC来处理吧……它给的是内存文件,里面应该有日志,配置文件啥的……(我猜的
所以我们先分离一下:
第一个空文件夹……第二个没看出来是个啥,第三个应该跟第二个是一样的,但我解压也没搞定……最后一个没见过。
我们先看一下最后一个的文件格式:
SquashFS 是一套基于Linux内核使用的压缩只读文件系统。该文件系统能够压缩系统内的文档,inode以及目录,文件最大支持$2^{64}$字节。
解析这个文件格式需要用一个工具firm-mod-kit,但是这个东西我死活装不上!!!
我又尝试用ubuntu自带的unsquashfs进行解析:
我又尝试挂载该文件:
草!!!!
最后还是没有解决……淦!!!网上有题解,感兴趣的直接百度……
