排名
数据分析
不安全的U盘.1
找密码lsadump
flag:hahaha123
不安全的U盘.2
找外联
找路径
flag:C:ProgramFiles(x86)AdobeReader9.0ReaderAcroRd32.exe
不安全的U盘.3
flag:192.168.31.238:4444
不安全的U盘.4
找外联程序
找到配置文件
flag:118.180.126.13_6770
网站的数据绝对安全.1
找登录成功的包
看用户名
flag:livwdaw
网站的数据绝对安全.2
找到一个datasec.ttf
,和其他字体文件的字体映射顺序不一样。
找到key对应的位置
得到key2
,提交
flag:EccpSOIlRPolP936707
Bitcoin.4
GPT
flag:transferFrom
数据安全
drinktea
附件看到是pyc
操作码,GPT
加人工,得到python源码
from ctypes import c_uint32
import struct
def encrypt(v, key):
v0 = c_uint32(v[0])
v1 = c_uint32(v[1])
delta = 555885348
total = c_uint32(0)
for i in range(32):
v0.value += ((v1.value << 4) ^ (v1.value >> 5)) + v1.value ^ (total.value + key[total.value & 0x3])
total.value += delta
v1.value += ((v0.value << 4) ^ (v0.value >> 5)) + v0.value ^ (total.value + key[(total.value >> 11) & 0x3])
return [v0.value, v1.value]
def main():
key = [1900550021, 2483099539, 2205172504, 1359557939] # Placeholder values
arr = [
[392252415, 2941946969],
[1122976151, 1335193774],
[815478816, 2529100980],
[2237049875, 188954780]
]
flag = input('please input flag: ')
encry = []
for i in range(0, len(flag), 8):
v = [
struct.unpack('<I', flag[i:i+4].encode('utf-8'))[0],
struct.unpack('<I', flag[i+4:i+8].encode('utf-8'))[0]
]
encrypted = encrypt(v, key)
encry.append(encrypted)
if encry == arr:
print('yes~')
else:
print('no~')
if __name__ == "__main__":
main()
逆向
from ctypes import c_uint32
import struct
def decrypt(v, key):
v0 = c_uint32(v[0])
v1 = c_uint32(v[1])
delta = 555885348
total = c_uint32(delta * 32)
for i in range(32):
v1.value -= ((v0.value << 4) ^ (v0.value >> 5)) + v0.value ^ (total.value + key[(total.value >> 11) & 0x3])
total.value -= delta
v0.value -= ((v1.value << 4) ^ (v1.value >> 5)) + v1.value ^ (total.value + key[total.value & 0x3])
return [v0.value, v1.value]
def main():
key = [1900550021, 2483099539, 2205172504, 1359557939]
arr = [
[392252415, 2941946969],
[1122976151, 1335193774],
[815478816, 2529100980],
[2237049875, 188954780]
]
# Assuming the 'arr' is obtained from the encrypted output, which we want to decrypt
flag = b''
for v in arr:
decrypted = decrypt(v, key)
flag += struct.pack('<I', decrypted[0])
flag += struct.pack('<I', decrypted[1])
print(flag.decode())
if __name__ == "__main__":
main()
flag{acb8739759dc496ccc945703037e037f}
Magic Audio
打开 ctf.wav
听发现是sstv
,使用 robot36
获得一张图片
在wav
中分解出一个zip
,有密码,尝试菜就多练
flag{61909dd6f4120aac7edb9193491fd83e}
原文始发于微信公众号(ACT Team):第二届数据安全大赛暨首届“数信杯”积分争夺赛实践预赛南区Writeup
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论