admin 管理员组文章数量: 1086019
文章目录
- ISCC 2019 Writeup
-
- Misc
-
- 1. 隐藏的信息(50)
- 2. 最危险的地方就是最安全的地方(100)
- 3. 解密成绩单(100)
- 4. Welcome(100)
- 5. 倒立屋(100)
- 6. 无法运行的exe(150)
- 7. High起来!(200)
- 8. 他们能在一起吗?(200)
- 9. Keyes' secret(200)
- 10. Aesop's secret(300)
- 11. 碎纸机(400)
- Reverse
-
- 1. answer to everything(100)
- 2. dig dig dig(200)
- 3. Rev03(200)
- 4. 简单Python(200)
- 5. Rev04(300)
- 6. Rev02(300)
- 7. Rev01(300)
- Web
-
- 1. web4(150)
- 2. web2(200)
- 3. web1(200)
- 4. web3(300)
- 5. web6(350)
- 6. web5 (400)
- Mobile
-
- Mobile01
ISCC 2019 Writeup
- 一个菜鸡的iscc之旅,还有蜜汁强迫症,好好的工具不用,非要每道题自己写代码,就更艰难了。基本上都是python2写的,但其实除了web的一道题,大部分稍微改改和python3都能通用。
- pwn题是菜鸡中的菜鸡,学了好久还是一道没做出来。。
- 然后脑洞是个坑,提交flag的格式也是个坑。
Misc
1. 隐藏的信息(50)
- 这是一个被混淆的文件,但是我忘记了这个文件的密码。你能够帮助我还原明文吗?
- 八进制转十进制转ASCII码,疑似base64加密,解密得到flag,python代码如下:
import base64
with open("message.txt", "r") as f:
cipher = f.read()
cipher_list = cipher.split(' ')
base_cipher = ''
for each in cipher_list:
base_cipher += chr(int(each, 8))
flag = base64.b64decode(base_cipher)
print flag
2. 最危险的地方就是最安全的地方(100)
- 打开文件就知道了
- jpg打不开,改一下文件头,得到图片,是个表情包:修复我没用啊。。binwalk分析一下,发现后面有压缩的图片文件,分离之后是49个png二维码和1个jpg二维码,扫码:remake:最危险的地方就是最安全的地方+1~+10086,又是一个坑。hexdump分析一下50.jpg(因为和别的二维码比起来,它看着就很特殊),大片的\x00区域,拉到中间有字符的区域,就看到flag了,提取代码如下:
- 还有一种分析,看题目,直接右键50.jpg,看属性,有段base64编码,解码就是flag:
with open('50.jpg', 'rb') as f:
data = f.read(4500)
flag = data[0x107c:0x1097]
flag = flag.replace('\x00','')
print flag
3. 解密成绩单(100)
- 老师为了保密将某门课程的成绩单进行了加密处理,但在查成绩时忘记了自己原来是怎样进行了加密,你能帮同学们顺利查到成绩吗?
- 加密的压缩包,因为没有任何提示,怀疑是伪加密。伪加密可以直接用binwalk提取,果然提取出来了。然后,我也不知道我怎么就把杂项做成逆向了,大概是因为太菜。。
- C#做法(也可以直接IDA看IL指令,也不复杂)。用软件.NET.Reflector将C#反汇编,将Score_List导出,分析函数,定义了一系列浮点数,在btnLogin_Click函数中将浮点数逐个转成整型再转成字符添加到字符串,然后字符串弹框,直接写个脚本就得到flag了。或者根据函数checkUsername() 和 checkPassword()输入用户名admin,密码ISCCq19pc1Yhb6SqtGhliYH688feCH7lqQxtfa2MpOdONW1wmIleBo4TW5n就弹窗得到了flag。
namespace Score_List
{
using System;
using System.ComponentModel;
using System.Drawing;
using System.Text;
using System.Windows.Forms;
public class score_list : Form
{
private int loginAttemptCount = 1;
private float r1 = 73f;
private float r2 = 83f;
private float r3 = 67f;
private float r4 = 67f;
private float r5 = 123f;
private float r6 = 89f;
private float r7 = 48f;
private float r8 = 117f;
private float r9 = 95f;
private float r10 = 70f;
private float r11 = 48f;
private float r12 = 85f;
private float r13 = 110f;
private float r14 = 68f;
private float r15 = 95f;
private float r16 = 84f;
private float r17 = 104f;
private float r18 = 69f;
private float r19 = 95f;
private float r20 = 80f;
private float r21 = 52f;
private float r22 = 83f;
private float r23 = 83f;
private float r24 = 87f;
private float r25 = 48f;
private float r26 = 82f;
private float r27 = 68f;
private float r28 = 33f;
private float r29 = 125f;
private IContainer components;
private Button btnLogin;
private Label lblUsername;
private TextBox txtUsername;
private Button btnCancel;
private GroupBox groupBox1;
private Label lblPassword;
private TextBox txtPassword;
public score_list()
{
this.InitializeComponent();
}
private void btnCancel_Click(object sender, EventArgs e)
{
Application.Exit();
}
private void btnLogin_Click(object sender, EventArgs e)
{
if (this.checkUsername() && this.checkPassword())
{
StringBuilder builder = new StringBuilder();
char ch = Convert.ToChar((int) this.r1);
builder.Append(ch.ToString());
ch = Convert.ToChar((int) this.r2);
builder.Append(ch.ToString());
ch = Convert.ToChar((int) this.r3);
builder.Append(ch.ToString());
ch = Convert.ToChar((int) this.r4);
builder.Append(ch.ToString());
ch = Convert.ToChar((int) this.r5);
builder.Append(ch.ToString());
ch = Convert.ToChar((int) this.r6);
builder.Append(ch.ToString());
ch = Convert.ToChar((int) this.r7);
builder.Append(ch.ToString());
ch = Convert.ToChar((int) this.r8);
builder.Append(ch.ToString());
ch = Convert.ToChar((int) this.r9);
builder.Append(ch.ToString());
ch = Convert.ToChar((int) this.r10);
builder.Append(ch.ToString());
ch = Convert.ToChar((int) this.r11);
builder.Append(ch.ToString());
ch = Convert.ToChar((int) this.r12);
builder.Append(ch.ToString());
ch = Convert.ToChar((int) this.r13);
builder.Append(ch.ToString());
ch = Convert.ToChar((int) this.r14);
builder.Append(ch.ToString());
ch = Convert.ToChar((int) this.r15);
builder.Append(ch.ToString());
ch = Convert.ToChar((int) this.r16);
builder.Append(ch.ToString());
ch = Convert.ToChar((int) this.r17);
builder.Append(ch.ToString());
ch = Convert.ToChar((int) this.r18);
builder.Append(ch.ToString());
ch = Convert.ToChar((int) this.r19);
builder.Append(ch.ToString());
ch = Convert.ToChar((int) this.r20);
builder.Append(ch.ToString());
ch = Convert.ToChar((int) this.r21);
builder.Append(ch.ToString());
ch = Convert.ToChar((int) this.r22);
builder.Append(ch.ToString());
ch = Convert.ToChar((int) this.r23);
builder.Append(ch.ToString());
ch = Convert.ToChar((int) this.r24);
builder.Append(ch.ToString());
ch = Convert.ToChar((int) this.r25);
builder.Append(ch.ToString());
ch = Convert.ToChar((int) this.r26);
builder.Append(ch.ToString());
ch = Convert.ToChar((int) this.r27);
builder.Append(ch.ToString());
ch = Convert.ToChar((int) this.r28);
builder.Append(ch.ToString());
builder.Append(Convert.ToChar((int) this.r29).ToString());
int num = (int) MessageBox.Show(builder.ToString());
Application.Exit();
}
if (this.loginAttemptCount > 2)
{
this.showLoginCountExceeded();
Application.Exit();
}
if (!(this.checkUsername() && this.checkPassword()))
{
this.showError();
this.loginAttemptCount++;
}
}
private bool checkPassword() =>
(this.txtPassword.Text == "ISCCq19pc1Yhb6SqtGhliYH688feCH7lqQxtfa2MpOdONW1wmIleBo4TW5n");
private bool checkUsername() =>
(this.txtUsername.Text == "admin");
protected override void Dispose(bool disposing)
{
if (disposing && (this.components > null))
{
this.components.Dispose();
}
base.Dispose(disposing);
}
private void InitializeComponent()
{
this.btnLogin = new Button();
this.lblUsername = new Label();
this.txtUsername = new TextBox();
this.btnCancel = new Button();
this.groupBox1 = new GroupBox();
this.lblPassword = new Label();
this.txtPassword = new TextBox();
this.groupBox1.SuspendLayout();
base.SuspendLayout();
this.btnLogin.Location = new Point(190, 120);
this.btnLogin.Name = "btnLogin";
this.btnLogin.Size = new Size(0x4b, 0x17);
this.btnLogin.TabIndex = 0;
this.btnLogin.Text = "&OK";
this.btnLogin.UseVisualStyleBackColor = true;
this.btnLogin.Click += new EventHandler(this.btnLogin_Click);
this.lblUsername.AutoSize = true;
this.lblUsername.Location = new Point(6, 0x20);
this.lblUsername.Name = "lblUsername";
this.lblUsername.Size = new Size(0x3a, 13);
this.lblUsername.TabIndex = 1;
this.lblUsername.Text = "Username:";
this.lblUsername.TextAlign = ContentAlignment.TopRight;
this.txtUsername.Location = new Point(70, 0x1d);
this.txtUsername.Name = "txtUsername";
this.txtUsername.Size = new Size(0x9a, 20);
this版权声明:本文标题:ISCC 2019 部分 Writeup 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.roclinux.cn/b/1726379261a958460.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。
发表评论