2018 Wangding Cup: Partial Write-Up

Misc Sign-in

flag{hello_wangdingbei}

Misc clip

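Open the file in 010 Editor and search for IHDR: there are two PNG files inside. Extract them and restore their file headers.

The top of the image clearly looks like the flag, but the lower half is missing.

Changing the height and similar tweaks did not seem to help. On closer inspection, the image appears to have been cut into pieces and reassembled.

So I opened it in Paint (neither Photoshop nor Meitu Xiuxiu could open it), cut it along the horizontal boundaries into individual strips, and pieced them back together.

Once reassembled, the flag can be read.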

flag{0b008070-eb72-4b99-abed-092075d72a40}
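
The carving step described above (find each IHDR, extract the image, restore the header), as an added example that is not part of the original write-up. It assumes each embedded PNG is missing only its 8-byte signature and that its chunks are otherwise intact; the sample blob is constructed and all function names are hypothetical.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"  # the 8-byte signature every PNG file starts with

def png_chunk(ctype, data):
    """Serialize one PNG chunk: length, type, data, CRC32 over type + data."""
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data)))

def make_headerless_png(width, height):
    """Constructed sample: a valid 8-bit grayscale PNG with its signature stripped."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x7f" * width for _ in range(height))
    return png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b"")

def carve_pngs(blob):
    """Return (width, height, png_bytes) for each CRC-valid chunk stream in blob."""
    found, pos = [], 0
    while (pos := blob.find(b"IHDR", pos)) != -1:
        start, pos = pos - 4, pos + 4   # the chunk length field precedes "IHDR"
        if start < 0:
            continue
        cur, ok = start, False
        while cur + 12 <= len(blob):
            (length,) = struct.unpack(">I", blob[cur:cur + 4])
            ctype = blob[cur + 4:cur + 8]
            end = cur + 12 + length
            if end > len(blob):
                break               # bogus length: stray "IHDR" text or truncated data
            (crc,) = struct.unpack(">I", blob[end - 4:end])
            if zlib.crc32(blob[cur + 4:end - 4]) != crc:
                break               # CRC mismatch: not a real chunk
            cur = end
            if ctype == b"IEND":
                ok = True
                break
        if ok:
            width, height = struct.unpack(">II", blob[start + 8:start + 16])
            found.append((width, height, PNG_SIG + blob[start:cur]))
    return found

# Constructed input: two signature-less PNGs between junk and a stray "IHDR" string.
SAMPLE = (b"\x00" * 16 + make_headerless_png(4, 2) + b"junk-IHDR-not-a-chunk"
          + make_headerless_png(3, 5) + b"\xff" * 8)

if __name__ == "__main__":
    for w, h, png in carve_pngs(SAMPLE):
        print(w, h, len(png))
```

Walking the chunks and checking each CRC rejects stray "IHDR" strings and gives the exact end of each image, so nothing has to be cut by eye in a hex editor.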

Misc minified

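Image steganography; open the image in stego.

Red plane 0 is all zeros, so try plane 0 of every channel.

In the end:

Save alpha 0 as one image and green 0 as another.

Then use stego's combiner: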

flag{7bb6db9f-d2eb-4e69-8dee-0002ce1e07f9}

Reverse Beijing

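Running file on it shows a 32-bit ELF. Running the binary prints a bunch of garbage.

Open it in IDA, find the main function, and press F5.

The same process is repeated 21 times:

each time a value is passed into a function and the result is printed with %c.

Inside that function there is a pile of case branches, each followed by an XOR (^).

Then it is a matter of working it out.

It turns out that for each case you take the value stored at the address of b in a^b, and decode the hex as ASCII to get the flag (some of the cases also need dynamic debugging, orz).

Final flag: flag{amazing_beijing}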

Reverse advance

A reused challenge.

Write-up:

https://github.com/ctfs/write-ups-2016/tree/master/csaw-ctf-2016-quals/reverse/deedeedee-150

Just change the file name and it runs as-is = =

from itertools import cycle
import binascii
import subprocess

def xor(key, data, enc_add):
    # XOR every data byte with the repeating key and the constant enc_add
    return bytes(a ^ b ^ enc_add for a, b in zip(cycle(key), data))

# Keys "111", "222", ..., "499499499"
keys = [(str(x) * 3).encode() for x in range(1, 500)]

# pull the encoded stuff out of the program's output
out, _ = subprocess.Popen(['./src'], stdout=subprocess.PIPE).communicate()
hex_enc = out.split(b'\n')[0].split()[-1]
enc = binascii.unhexlify(hex_enc)

# Apply the XOR with every key in turn; enc_add is the low byte of the length
for key in keys:
    enc_add = len(enc) & 0xFF
    enc = xor(key, enc, enc_add)

print(enc.decode('latin-1'))

flag{d_with_a_template_phew}

Reverse blend

Another reused challenge = =

Just follow the write-up:

https://github.com/TechSecCTF/writeups/blob/master/CSAWQuals2017/realism/README.md

script:

import binascii
import struct

# Initial value of xmm5
xmm5_start = binascii.unhexlify('220f02c883fbe083c0200f10cd0013b8')

# The data stored at 0x7DA8 and compared against esi
esi_consts = [
    '04031103',
    'cd02d902',
    'db02d402',
    'e202c402',
    'e202ce02',
    'ed02d802',
    'e802dc02',
    'f602dd02',
]
# Decode as little-endian 32-bit values, then reverse the list
esi_consts = [struct.unpack('<I', binascii.unhexlify(c))[0] for c in esi_consts]
esi_consts = esi_consts[::-1]

# Our 16 variables ('a' through 'p')
variables = [chr(ord('a') + i) for i in range(16)]

def esi_to_xmm5(esi):
    # Split esi into its low and high 16-bit halves, one per 8-byte lane
    s1 = esi % (1 << 0x10)
    s2 = (esi - s1) >> 0x10
    return struct.pack('>Q', s1) + struct.pack('>Q', s2)

def print_constraints():
    for i in range(8):
        # xmm5 for this round comes from the previous round's esi value
        prev_esi = esi_consts[i - 1]
        xmm5 = esi_to_xmm5(prev_esi)
        if i == 0:
            xmm5 = xmm5_start
        esi = esi_consts[i]
        s1 = esi % (1 << 0x10)
        s2 = (esi - s1) >> 0x10

        # sum of absolute differences between xmm5 and our flag
        s = ''
        for j in range(8):
            if j == 7 - i:
                # This is the masking step
                s += 'abs(0-' + str(xmm5[j]) + ') + '
                continue
            s += 'abs(' + variables[j] + '-' + str(xmm5[j]) + ') + '
        s += '0 == {}, '.format(s1)
        print(s)

        s = ''
        for j in range(8, 16):
            if j - 8 == 7 - i:
                # This is the masking step
                s += 'abs(0-' + str(xmm5[j]) + ') + '
                continue
            s += 'abs(' + variables[j] + '-' + str(xmm5[j]) + ') + '
        s += '0 == {}, '.format(s2)
        print(s)

if __name__ == '__main__':
    print_constraints()

output:

abs(a-34) + abs(b-15) + abs(c-2) + abs(d-200) + abs(e-131) + abs(f-251) + abs(g-224) + abs(0-131) + 0 == 758,
abs(i-192) + abs(j-32) + abs(k-15) + abs(l-16) + abs(m-205) + abs(n-0) + abs(o-19) + abs(0-184) + 0 == 733,
abs(a-0) + abs(b-0) + abs(c-0) + abs(d-0) + abs(e-0) + abs(f-0) + abs(0-2) + abs(h-246) + 0 == 744,
abs(i-0) + abs(j-0) + abs(k-0) + abs(l-0) + abs(m-0) + abs(n-0) + abs(0-2) + abs(p-221) + 0 == 732,
abs(a-0) + abs(b-0) + abs(c-0) + abs(d-0) + abs(e-0) + abs(0-0) + abs(g-2) + abs(h-232) + 0 == 749,
abs(i-0) + abs(j-0) + abs(k-0) + abs(l-0) + abs(m-0) + abs(0-0) + abs(o-2) + abs(p-220) + 0 == 728,
abs(a-0) + abs(b-0) + abs(c-0) + abs(d-0) + abs(0-0) + abs(f-0) + abs(g-2) + abs(h-237) + 0 == 738,
abs(i-0) + abs(j-0) + abs(k-0) + abs(l-0) + abs(0-0) + abs(n-0) + abs(o-2) + abs(p-216) + 0 == 718,
abs(a-0) + abs(b-0) + abs(c-0) + abs(0-0) + abs(e-0) + abs(f-0) + abs(g-2) + abs(h-226) + 0 == 738,
abs(i-0) + abs(j-0) + abs(k-0) + abs(0-0) + abs(m-0) + abs(n-0) + abs(o-2) + abs(p-206) + 0 == 708,
abs(a-0) + abs(b-0) + abs(0-0) + abs(d-0) + abs(e-0) + abs(f-0) + abs(g-2) + abs(h-226) + 0 == 731,
abs(i-0) + abs(j-0) + abs(0-0) + abs(l-0) + abs(m-0) + abs(n-0) + abs(o-2) + abs(p-196) + 0 == 724,
abs(a-0) + abs(0-0) + abs(c-0) + abs(d-0) + abs(e-0) + abs(f-0) + abs(g-2) + abs(h-219) + 0 == 717,
abs(i-0) + abs(0-0) + abs(k-0) + abs(l-0) + abs(m-0) + abs(n-0) + abs(o-2) + abs(p-212) + 0 == 729,
abs(0-0) + abs(b-0) + abs(c-0) + abs(d-0) + abs(e-0) + abs(f-0) + abs(g-2) + abs(h-205) + 0 == 772,
abs(0-0) + abs(j-0) + abs(k-0) + abs(l-0) + abs(m-0) + abs(n-0) + abs(o-2) + abs(p-217) + 0 == 785,

Then plug the printed constraints into the s.add() part below and it solves. Assemble the result, feed it into qemu, and it is accepted.

Final flag: flag{mbr_is_funny__eh}
