LoRexxar's Blog

hctf2016 giligili writeup

2016/11/19

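This challenge is based on web500 from sctf q1, which I solved a long time ago. I fell into a pit while solving it, so it took me a long time. I thought the challenge was very interesting, so I modified it and put it up again.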

Writeup of the intended solution:
https://github.com/sternze/CTF_writeups/blob/master/sCTF/2016_Q1/obfuscat/readme.md

Final score: 124
Teams solved: 64

The number of solvers was unexpectedly high; it feels like there are still a lot of people doing py, baffling…

Analyzing the code

h = new MersenneTwister(parseInt(btoa(answer[_[$[6]]](0, 4)), 32));

First, the first statement gives us h. h is a pseudo-random array built from the first four characters, so the flag header hctf is important.

After that, many of the pseudo-random numbers become fixed values, which makes the analysis easier.

o = answer.split("_");

Here the input is split on underscores to get o.

e =- (this[_[$[42]]](_[$[31]](o[1])) ^ s[0]); if (-e != $[21]) return false;
e ^= (this[_[$[42]]](_[$[31]](o[2])) ^ s[1]); if (-e != $[22]) return false; e -= 0x352c4a9b;

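From this part, XORing the values against each other yields the ASCII codes of the two middle segments. The analysis can easily go wrong here; the thing to hold on to is that the flag must consist of printable characters, so the digits cannot be split into groups of 3 or more, and with that the result is easy to confirm.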

The code now reaches this point:

a += _[$[31]](o[3].substring(o[3].length - 2)).split("x")[1];
// the last two characters of o[3]
d = parseInt(a, 16) == (Math.pow(2, 16)+ -5+ "") + o[3].charCodeAt(o[3].length - 3).toString(16) + "53846" + (new Date().getFullYear()- +1+ "");

A lot of variable parts appear here. The first is a:
a is determined jointly by o[0] and o[3].

a = parseInt(_[$[23]]("1", Math.max(o[0].length, o[3].length)), 3) ^ eval(_[$[31]](o[0]));

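Next, a (a decimal number at this point) has the hex of the last two characters of o[3], excluding the closing brace, appended to it, and is then converted to decimal: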
a += _[$[31]](o[3].substring(o[3].length - 2)).split("x")[1];

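In the code that a is then compared against, one variable is the third-from-last character of o[3], and this is where hidden conditions appear:
1. The third-from-last character of o[3], in the middle, must contain no letters after conversion to hex.
2. After the whole value is converted to hex, no letters may appear except in the last four digits.
3. The last 2 characters must be printable.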

Putting the conditions above together, we need a script to solve the problem:

# Python 2: hex() of a long ends in 'L', so [2:-5] drops "0x" and the last four hex digits plus 'L'
for i in range(30,120):
    if 'a' not in hex(int("65531" + repr(i) + "53846" + "2015"))[2:-5]:
        if 'b' not in hex(int("65531" + repr(i) + "53846" + "2015"))[2:-5]:
            if 'c' not in hex(int("65531" + repr(i) + "53846" + "2015"))[2:-5]:
                if 'd' not in hex(int("65531" + repr(i) + "53846" + "2015"))[2:-5]:
                    if 'e' not in hex(int("65531" + repr(i) + "53846" + "2015"))[2:-5]:
                        if 'f' not in hex(int("65531" + repr(i) + "53846" + "2015"))[2:-5]:
                            print i
                            print hex(int("65531" + repr(i) + "53846" + "2015"))
                            # the last four hex digits, i.e. the last two characters of o[3]
                            print hex(int("65531" + repr(i) + "53846" + "2015"))[-5:-1]
                            # print chr(int(hex(int("65531" + repr(i) + "53846" + "2015"))[-5:-3],16))
                            # print chr(int(hex(int("65531" + repr(i) + "53846" + "2015"))[-3:-1],16))

This gives us 7 results. Next, filter for printable characters.
Only 3 remain.

64
0x17481184783f3fL
3f3f

鍙墿涓嬭繖涓簡锛岄偅涔堟渶鍚庝簩浣嶆槸??,鍊掓暟绗笁浣嶆槸d

So now we also have a relationship between o[3] and o[0]. Let's keep going:

i = 0xffff;
n = (f = _[$[23]](o[3].charAt(o[3].length - 4), 3)) == o[3].substring(1, 4);
// f is the 4th-from-last character of o[3] repeated 3 times; it must equal characters 2-4 of o[3]
g = 3;
t = _[$[23]](o[3].charAt(3), 3) == o[3].substring(5, 8) && o[3].charCodeAt(1) * o[0].charCodeAt(0) == 0x2ef3;
// the 4th character of o[3] repeated three times must equal characters 6-8 of o[3]; ASCII code of o[3]'s 2nd character × ASCII code of o[0]'s 1st character == 0x2ef3

Here we factor 0x32ab to get 119 and 101,
which gives the two characters e and w. That fixes two positions, but not their order.

Continuing the analysis:

i = 0xffff;
g = 3;
h = ((31249*g) & i).toString(16);
i = _[$[31]](o[3].split(f).join("").substring(0, 2)).split("x")[1];
s = i == h;

The s check here gives us new information: since h is known, we can get the first and fifth characters of o[3]. With that, all characters of o[3] are known:
neee3eeed??

Now that we know the length, we can be sure that o[3] is longer than o[1], so o[1] can basically be obtained. Back to the earlier logic:

a = parseInt(_[$[23]]("1", Math.max(o[0].length, o[3].length)), 3) ^ eval(_[$[31]](o[0]));

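Here the o[0] we get is h3r3. Notably, we found earlier that the first character of o[0] is w. There is a small pitfall here: because parseInt(_[$[23]]("1", Math.max(o[0].length, o[3].length)), 3) is too small, the XOR does not affect all of the positions. Going by the meaning, we add the w, and that gets the flag: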

hctf{wh3r3_iz_y0ur_neee3eeed??}
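
The a check and the pitfall described above, as an added Python 3 example that is not from the original writeup. It assumes _[$[31]] turns a string into its "0x…" hex form (as the .split("x")[1] usage suggests) and reuses the 2015 constant from the search script. JavaScript's ^ truncates both operands to 32 bits, so only the last four bytes of o[0] reach the comparison, and the first character has to come from the 0x2ef3 product in the code.

```python
# Added example (Python 3); not part of the original writeup.
O3 = "neee3eeed??"    # o[3] as derived above
YEAR_MINUS_1 = 2015   # new Date().getFullYear() - 1, same constant as the search script


def to_hex(s):
    """Assumed stand-in for the obfuscated _[$[31]]: "??" -> "0x3f3f"."""
    return "0x" + s.encode("ascii").hex()


def js_xor(a, b):
    """JavaScript `a ^ b`: both operands go through ToInt32 before the XOR."""
    r = (a ^ b) & 0xFFFFFFFF
    return r - (1 << 32) if r & 0x80000000 else r


def check_a(o0, o3=O3):
    """Re-implementation of the `a` / `d` check from the challenge code."""
    mask = int("1" * max(len(o0), len(o3)), 3)        # parseInt("11...1", 3)
    a = str(js_xor(mask, int(to_hex(o0), 16)))        # a number ...
    a += to_hex(o3[-2:]).split("x")[1]                # ... then string concatenation
    want = "65531" + format(ord(o3[-3]), "x") + "53846" + str(YEAR_MINUS_1)
    return int(a, 16) == int(want)


def low32_of_o0(o3=O3):
    """Invert the check: decimal head of `a` XOR the mask gives 4 bytes of o[0]."""
    want = "65531" + format(ord(o3[-3]), "x") + "53846" + str(YEAR_MINUS_1)
    head = int(format(int(want), "x")[:-4])           # 1748118478
    mask = int("1" * len(o3), 3)                      # holds while len(o[0]) <= len(o[3])
    return (js_xor(head, mask) & 0xFFFFFFFF).to_bytes(4, "big").decode("ascii")


def first_char_of_o0(o3=O3):
    """o[3].charCodeAt(1) * o[0].charCodeAt(0) == 0x2ef3 pins the truncated character."""
    code, rem = divmod(0x2EF3, ord(o3[1]))
    return chr(code) if rem == 0 else None


if __name__ == "__main__":
    tail = low32_of_o0()
    print(tail, first_char_of_o0() + tail)
    # Any leading byte passes this check, because it is truncated before the XOR.
    for guess in ("h3r3", "wh3r3", "Ah3r3", "wh3r4"):
        print(guess, check_a(guess))
```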