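# Encoder quoted from the challenge: walks `flag` two characters at a time and
# packs each pair into one code point (first character shifted left by 8 bits,
# second character added on top).
# NOTE(review): `flag` is not defined in this snippet, and an odd-length flag
# would raise IndexError on flag[i + 1].
''.join([chr((ord(flag[i]) << 8) + ord(flag[i + 1])) for i in range(0, len(flag), 2)])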
寫一個程式把它解密
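# Reverse the pair-packing: every character read from "enc" carries two flag
# characters, one in bits 8 and up and one in the low 8 bits.
# NOTE(review): assumes "enc" is UTF-8 text; stating the encoding keeps the
# result independent of the platform default. Confirm against the file.
with open("enc", encoding="utf-8") as enc_file:
    encode_flag = enc_file.read()

pieces = []
for packed in encode_flag:
    code_point = ord(packed)
    # High part: the first character of the pair.
    pieces.append(chr(code_point >> 8))
    # Low byte: the second character. The mask yields the same value as the
    # last byte of the UTF-16BE encoding, without the encode round-trip.
    pieces.append(chr(code_point & 0xFF))

flag = "".join(pieces)
print(flag)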
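import hashlib

# Fixed prefix and suffix of the flag.
flag_part1 = "picoCTF{1n_7h3_|<3y_of_"
flag_part3 = "}"

# The middle part is eight hex digits picked from one SHA-256 digest, so the
# digest is computed once and then indexed.
# NOTE(review): the whole value is a deterministic function of the constant
# b"GOUGH"; nothing secret enters the derivation.
digest_hex = hashlib.sha256(b"GOUGH").hexdigest()
flag_part2 = "".join([digest_hex[x] for x in [4, 5, 3, 6, 2, 7, 1, 8]])

flag = flag_part1 + flag_part2 + flag_part3
print(flag)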
Flag: picoCTF{1n_7h3_|<3y_of_f911a486}
crackme-py [30 points]
這題看完source code後發現他已經有寫好的function只是沒有使用
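def decode_secret(secret):
    """ROT47 decode

    NOTE: encode and decode are the same operation in the ROT cipher family.

    Each character of ``secret`` is looked up in the module-level ``alphabet``
    (defined outside this snippet), shifted by 47 positions modulo the
    alphabet length, and the result is printed. Nothing is returned.
    """
    # Encryption key
    rotate_const = 47

    # NOTE(review): str.find returns -1 for a character that is missing from
    # `alphabet`, so such a character is silently mapped to index
    # (rotate_const - 1) % len(alphabet) instead of being reported.
    decoded = "".join(
        alphabet[(alphabet.find(c) + rotate_const) % len(alphabet)]
        for c in secret
    )

    print(decoded)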
┌──(luyee㉿DESKTOP-KADOGNG)-[~/picoCTF]
└─$ /bin/python3 /home/luyee/picoCTF/2021/reverse/crackme-py/crackme.py
What's your first number? 123
What's your second number? 123
The number with largest positive magnitude is 123
picoCTF{1|\/|_4_p34|\|ut_4593da8a}
gef➤ r
input the flag: p
gef➤ x/x $ebp-0x14
0xffffd294: 0x00000001
gef➤ r
input the flag: pi
gef➤ x/x $ebp-0x14
0xffffd294: 0x00000002
gef➤ r
input the flag: picoCTF{
gef➤ x/x $ebp-0x14
0xffffd294: 0x00000008
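#!/usr/bin/env python3
import string

from pwn import *
from string import *

# Drives a gdb-gef session against ./brute and recovers the flag one character
# at a time. In the gdb transcript on this page, the word at $ebp-0x14 equals
# the number of leading input characters the program accepted, so a candidate
# is kept when that counter exceeds the current prefix length.
# NOTE(review): this works only because the check exposes per-character
# progress; a comparison that gives no such signal would not be recoverable
# this way.
p = process("gdb-gef")
p.sendline("file ./brute")
p.sendline("start")
p.recvuntil("gef")
p.sendline("b *0x565559a7")
print(p.recvuntil("gef"))

# `import string` above binds the module name; `from string import *` only
# brings in its members.
alphabet = string.printable
flag = "picoCTF"
while "}" not in flag:
    for c in alphabet:
        p.sendline("run")
        p.recvuntil("Starting program")
        print("trying " + flag + c)
        p.sendline(flag + c)
        p.recvuntil("flag")
        p.recvuntil("gef")
        # Read the counter at the breakpoint; the reply looks like
        # "0xffffd294: 0x00000008", so the second field is the value.
        p.sendline("x/x $ebp-0x14")
        p.recvuntil("0xffff")
        count = int(p.recvline().split()[1], 16)
        if count > len(flag):
            flag += c
            print(flag)
            break
    else:
        # No candidate advanced the counter: stop instead of repeating the
        # same pass over the alphabet forever.
        raise SystemExit("no candidate extended " + flag)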
ARMssembly 4 [170 points]
和前面幾題都一樣,跑起來傳值就完事,已經變template了
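#!/bin/bash
# Stop at the first failing step so a broken assemble or link is not ignored.
set -euo pipefail

# Cross-Compile and Link
# The commands run directly: wrapping each one in $(...) would make the shell
# try to execute whatever the command printed.
aarch64-linux-gnu-as -o chall_4.o chall_4.S
aarch64-linux-gnu-gcc -o chall_4.elf chall_4.o
chmod +x chall_4.elf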
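def find_pass_index(base_chr):
    """Try ``base_chr`` in each still-unknown position of ``collect_pass``.

    For every index whose current character is "*", a candidate is built with
    ``base_chr`` at that index and scored with ``count_instrucations`` (defined
    outside this snippet; presumably an executed-instruction count, to be
    confirmed). The first candidate whose score exceeds the module-level
    ``best_count`` is accepted: ``best_count`` is updated and the candidate is
    returned.

    Returns:
        The accepted candidate string, or None when no position improves on
        ``best_count``. Callers must handle the None case.
    """
    global best_count

    # Positions are taken from the password itself rather than a fixed 32, so
    # the scan always matches the length of collect_pass.
    search_indexs = [i for i, c in enumerate(collect_pass) if c == "*"]
    for i in search_indexs:
        try_pass = collect_pass[:i] + base_chr + collect_pass[i + 1:]
        print(try_pass)
        count = count_instrucations(try_pass)
        if count > best_count:
            best_count = count
            print("found an index: " + str(i))
            return try_pass
    return None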
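# Start from an all-unknown 32-character password and take its score as the
# baseline. count_instrucations, flag_try_char and find_pass_index are defined
# outside this snippet.
collect_pass = "********************************"
best_count = count_instrucations(collect_pass)
print("searching for necessary characters for verification...")
while any(c == "*" for c in collect_pass):
    for c in flag_try_char:
        # Fill every unknown slot with c; a higher score than the baseline
        # means c belongs somewhere in the remaining positions.
        count = count_instrucations(collect_pass.replace("*", c))
        if count > best_count:
            print(c + " is necessary for the next verification, searching for an index...")
            placed = find_pass_index(c)
            if placed is None:
                # No single position reproduced the gain; keep the current
                # password and try the next character.
                continue
            collect_pass = placed
            print("approximate password: " + collect_pass + ", continuing the search...")
            break
    else:
        # A full pass made no progress: stop rather than loop forever.
        print("no character improved the count; stopping with: " + collect_pass)
        break
print("finished.")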