吾爱破解 - 52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

查看: 2427|回复: 11
收起左侧

[CTF] 【2024春节】解题领红包题解 Windows初级题 & Web全题

[复制链接]
QAQ~QL 发表于 2024-2-25 17:42
本帖最后由 QAQ~QL 于 2024-2-28 15:33 编辑

【2024春节】解题领红包题解  2-Windows初级题

IDA分析

202402140123479.png

main方法分析

202402140144082.png

根据伪代码,得知flag长度36位,逐位判断字符串是否相等(红色断点行)

动态调试

断点判断语句

查看v7地址,v8是从v20来的,即输入文本

202402140150985.png

202402140151150.png

凯撒分析

void *Src[5];
void *Block[5];

sub_732560(Src, "ioCj~KCss|bQ6zbhCu$5r57$Iljkwlqj$$$?", 36u);
if ( v21 == 36 )
  {
    sub_732490(Src);
    sub_731FE0();
    LOBYTE(v23) = 2;
    v7 = Block;
    v8 = v20;
    if ( v19 >= 16 )
      v7 = (void **)Block[0];
    if ( v4 >= 16 )
      v8 = v5;
    if ( Block[4] == (void *)36 )
    {
      v9 = 32;
      do
      {
        if ( *v8 != *v7 )
          break;
        ++v8;
        ++v7;
        v10 = v9 < 4;
        v9 -= 4;
      }
      while ( !v10 );
    }
    ...

_DWORD *__thiscall sub_732490(_DWORD *this, _DWORD *Src)
{
  _OWORD *v2; // ebx
  unsigned int v4; // ecx
  _DWORD *result; // eax
  int v6; // edi
  size_t v7; // eax
  void *v8; // eax
  _DWORD *v9; // ecx
  unsigned int v10; // [esp+Ch] [ebp-4h]

  v2 = Src;
  this[4] = 0;
  this[5] = 0;
  v4 = Src[4];
  v10 = v4;
  if ( Src[5] >= 16u )
    v2 = (_OWORD *)*Src;
  if ( v4 >= 16 )
  {
    v6 = v4 | 15;
    if ( (v4 | 15) > 2147483647 )
      v6 = 2147483647;
    if ( (unsigned int)(v6 + 1) < 4096 )
    {
      if ( v6 == -1 )
        v9 = 0;
      else
        v9 = operator new(v6 + 1);
    }
    else
    {
      v7 = v6 + 36;
      if ( v6 + 36 <= (unsigned int)(v6 + 1) )
        v7 = -1;
      v8 = operator new(v7);
      if ( !v8 )
        _invalid_parameter_noinfo_noreturn();
      v9 = (_DWORD *)(((unsigned int)v8 + 35) & 0xFFFFFFE0);
      *(v9 - 1) = v8;
    }
    *this = v9;
    memmove(v9, v2, v10 + 1);
    this[4] = v10;
    result = this;
    this[5] = v6;
  }
  else
  {
    result = this;
    *(_OWORD *)this = *v2;
    this[4] = v4;
    this[5] = 15;
  }
  return result;
}

由于tip的提示过于明了,直接根据万年答案flag{}编写测试脚本

a = "ioCj~KCss|bQ6zbhCu$5r57$Iljkwlqj$$$?"
# flag f=>102  i->105
for i in a:
    print(chr(ord(i)-(105-102)),end="")

Windows初级题 题解.zip (259 Bytes, 下载次数: 10)



【2024春节】解题领红包题解  8~10-Web

题解

https://www.bilibili.com/video/BV1ap421R7VS/

从视频中得出几个易知网址

QR码

https://2024challenge.52pojie.cn/

202402211419847.png

项目地址

https://github.com/ganlvtech/52pojie-2024-challenge

flagA

https://2024challenge.52pojie.cn/index.html

https://2024challenge.52pojie.cn/auth/login

HTTP/1.1 302 Found
Date: Wed, 21 Feb 2024 18:44:54 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: wzws_sessionid=gDI3LjE1NC4yMDMuOTeCZjkyZGJjoGXWRKaBYzEzNjll; Path=/; HttpOnly
Location: /
Set-Cookie: uid=2KFwj6jFf44dKlXDB+Ti88nMbWFkPXRXHFga9LtUy7ChNg==; path=/; SameSite=Lax
Set-Cookie: flagA=L6Sv7Og44YdiI+gNpgm9YF5sWDCoAa4OYlnM9AKsTQHrjEZ54tPcYWx12Q==; expires=Wed, 21 Feb 2024 18:50:00 GMT; path=/; SameSite=Lax
WZWS-RAY: 1139-1708569894.388-s4jhg

HTTP/1.1 302 Found
Date: Wed, 21 Feb 2024 19:14:08 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: wzws_sessionid=gDI3LjE1NC4yMDMuOTegZdZLgIFjMTM2OWWCZjkyZGJj; Path=/; HttpOnly
Location: /
Set-Cookie: uid=UUt56zJRESolKTW0ORX2PqGHYM3KB/J7eherP4nANd0yvA==; path=/; SameSite=Lax
Set-Cookie: flagA=RB7TyehutV08nZaXMaQADZx8WIwXjwmJkQtHqVnFjIKBNNSwGgAx7idYJg==; expires=Wed, 21 Feb 2024 19:20:00 GMT; path=/; SameSite=Lax
WZWS-RAY: 1139-1708571648.108-s5jhg

这个加密是动态的,盲猜RSA,暴力肯定是不行的,猜测https://2024challenge.52pojie.cn/auth/uid接口的uid解密关系

发现只和cookie中的uid有关,遂将uid内容替换为flagA(脑洞不是一般的大)

202402220932566.png

flagA{e3cadceb}

此处https://2024challenge.52pojie.cn/auth/uid接口相当于本次2024challenge的解密接口,能看到所有cookie缓存加密的数据,比如game2048_user_data

game2048_user_data
   NtDDJugdK6TKcTmcBCnYLkelVZWMLEArgd8fsJELNZWRwJERBE9rcy9IpXysY8b4qUgdo4reIaMkT0hlKjw3/gXty+q1qx1PjxR8z3KEqsVwF2YBk8tEPnsEAsABb0sj7DforzjCJ7oAjHq4il1IZ76FFBz5jNVTT4legOKoM64=;
{"game_data":{"tiles":[2,4,2,4,4,256,32,2,8,32,2,512,16,128,4,128],"score":7572},"money_count":8194}

3+WawrjedRnS42J4x3aEDQ/whnHbIHSGbWhq3C/Vg2HBwlqCAvxreT5n2LM96ZVVQ/UCPO2QaF9TKMQiRxD5AKcaJiiuf304Fxzs3oJR03z76AYYC6xcTEZMBeBxn4t8dikJkRW+zFg=
{"game_data":{"tiles":[0,0,0,0,0,0,2,0,0,0,0,0,0,2,0,0]},"money_count":7994}

Jz0gXDjJG+a1gpE1Z70m7PibK246/vtXKKMPXOfAUaHp02uCZdhwKShsHKoVVDnOO3lpN4B5qFEYmU2xRbrM1Ct1j4Tr6MoQEXyl+JloyuTHimkF/g==
{"game_data":{"tiles":[0,0,0,0,0,0,0,0,2,0,0,0,0,2,0,0]}}

Oqgi98bM7Ce0E2e4n74FX9jStsvbVMkss76cfWx3ge6n5VKg7ajCMZqgp/5MWvtB8bJ/TrJkMl/R5Yg2tdRZ9YF79hRTrMSRy312GLKwgHYMKvrPj94ERE6P7Zvcw+HoROtYvlv1b2VG4xU304p6LHsuYeyc8PLO39V4dN4pZfctGsyT5bOn5Sf7Hw==
{"game_data":{"tiles":[0,0,0,2,0,0,0,0,0,0,2,4,0,4,8,64],"score":332},"money_count":282,"double_money_count":1}

flagB

https://2024challenge.52pojie.cn/flagB/index.html

根据flagB.js页面代码知,通过访问后台接口游玩2048,获得积分

//开局
const get_info = () => request('/flagB/info');
//重试
const restart = () => request('/flagB/restart', {method: 'POST'});
//运动  MOVE_UP-1  MOVE_DOWN-2  MOVE_LEFT-3  MOVE_RIGHT-4
const move = (direction) => request('/flagB/move', {method: 'POST', headers: {'Content-Type': 'application/x-www-form-urlencoded'}, body: `direction=${encodeURIComponent(direction)}`});
//获取商店信息
const get_shop = () => request('/flagB/shop');
//购买商品
const buy_item = (shop_item_id, buy_count) => request('/flagB/buy_item', {method: 'POST', headers: {'Content-Type': 'application/x-www-form-urlencoded'}, body: `shop_item_id=${encodeURIComponent(shop_item_id)}&buy_count=${encodeURIComponent(buy_count)}`});
//使用物品
const use_item = (item_id) => request('/flagB/use_item', {method: 'POST', headers: {'Content-Type': 'application/x-www-form-urlencoded'}, body: `item_id=${encodeURIComponent(item_id)}`});

202402211437545.png

思路不明确,查看网络访问,发现set_cookie,game2048_user_data一直在变,重发旧ck,发现数据直接是存储在game2048_user_data里的,逆加密秘钥?不现实(后来解flag2的时候发现是RSA逆个锤子,哈哈哈哈哈)

当数量填写50000000000购买flagB触发溢出,祭出py测试金币上限

2^63-1 = 9223372036854775807
Long型的最大值

//购买商品之后钱怎么还变多了?不知道出什么 bug 了,暂时先拦一下 ^_^
//钱不够

202402211437546.png

import requests
import numpy as np

ck = "wzws_sessionid=gmY5MmRiY6Bl1qBhgDI3LjE1NC4yMDIuMTgzgTlmZWE3MA==; uid=RReWEcPoCdv7reT42vzFbfliVdI8x0c61RdIQCsx24eidQ==; game2048_user_data=MhXwAjipQS7eWkuF0RYS6I0IoebonNW8B4Is04IblIoO0gCC3PljSd4LhpWaur8tAwJQAJwi3lKO0N3bnmg6O22er6kyQHjUH2HYBYMkKW1TW+rVavpD9vEvtRKXQliB+VKzpmlm95eRf7pgLkututvICfgH+ozWBpbRP9noYGmkrVbA4foeUogAAJAp9TH8IQ=="

session = requests.session()
headers = {
    "Host": "2024challenge.52pojie.cn",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0",
    "Accept": "*/*",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate, br",
    "Referer": "https://2024challenge.52pojie.cn/flagB/index.html",
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": "https://2024challenge.52pojie.cn",
    "Connection": "keep-alive",
    "Cookie": ck,
    "Sec-Fetch-Dest": "empty",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "same-origin",
    "Pragma": "no-cache",
    "Cache-Control": "no-cache"
}

def get_headers(_ck):
    # 复制一份headers,修改ck
    _headers = headers.copy()
    _headers["Cookie"] = _headers["Cookie"]+_ck+";"
    return _headers

def buy_item(shop_item_id, buy_count):
    _data = {}
    try:
        url = "https://2024challenge.52pojie.cn/flagB/buy_item"
        data = {
            "shop_item_id": shop_item_id,
            "buy_count": buy_count
        }
        response = session.post(url, headers=get_headers(ck), data=data)
        _data = response.json()
        if _data["code"] == 0:
            print("购买成功", shop_item_id, buy_count)
            return _data
        # if "msg" in _data:
        #     print(_data["msg"])
        # toView(_data)
        return _data
    except Exception as e:
        print(_data)
        return None

# buy_item("5", num)["code"] = 0时,表示购买成功,否则购买失败
# 有两种提示
# 钱不够  表示金币不够
# 购买商品之后钱怎么还变多了?不知道出什么 bug 了,暂时先拦一下 ^_^  表示触发溢出
# 需要找到一个在溢出和钱不够之间的值,能购买成功
# 既然是溢出,那就直接上2^n
for i in range(10, 65):
    rs = buy_item("5", str(2**i))
    if rs["code"] == 0:
        print("购买成功, [ 2^", i, "] ", str(2**i))

# 购买成功, [ 2^ 62 ]  4611686018427387904

flagB{f382d735}

flagC

https://2024challenge.52pojie.cn/flagC/index.html

202402211719795.png

构造图片给猜,flag肯定在/flagC/verify接口里

document.querySelector('#result').textContent = hint; // 错误时显示提示,正确时显示 flag

暴力?你怎么天天暴力!!!哈哈哈哈哈

202402220022474.png

flag1

202402211829039.png

202402211829823.png

flag1{52pj2024}

flag2

藏得真深啊

202402220240603.png

flag2{xHOpRP}

flag3

雪花屏人工识别

flag3{GRsgk2}

flag4 & 5 & 9 & 10

https://2024challenge.52pojie.cn/flag4_flag10.png

202402220219271.png

flag4{YvJZNS}

flag5{P3prqF}

flag9{KHTALK}

这玩意没看到flag10,但文件名包含,盲猜隐写了,上工具 Stegsolve.jar

java -jar ./Stegsolve.jar

202402221622237.png

flag10{6BxMkW}

flag6

https://2024challenge.52pojie.cn/flag6/index.html

document.querySelector('button').addEventListener('click', () => {
    const t0 = Date.now();
    for (let i = 0; i < 1e8; i++) {
        if ((i & 0x1ffff) === 0x1ffff) {
            const progress = i / 1e8;
            const t = Date.now() - t0;
            console.log(`${(progress * 100).toFixed(2)}% ${Math.floor(t / 1000)}s ETA:${Math.floor(t / progress / 1000)}s`);
        }
        if (MD5(String(i)) === '1c450bbafad15ad87c32831fa1a616fc') {
            document.querySelector('#result').textContent = `flag6{${i}}`;
            break;
        }
    }
});
//flag6{20240217}

flag7

https://github.com/ganlvtech/52pojie-2024-challenge

commit中包含删除不小心提交的flag内容

202402211649962.png

还有一个新的视频吾爱破解2024年春节解题红包视频.mp4

flag8

flagB购买道具显示

flag8{OaOjIK}

flag11

https://2024challenge.52pojie.cn/flag11/index.html

202402211629890.png

拼图游戏

<html>
<head>
    <style>
        :root {
            --var1: 0; /* 在 0 ~ 100 范围内找到一个合适的值 */
            --var2: 0; /* 在 0 ~ 100 范围内找到一个合适的值 */
        }

        #a000 {
            position: absolute;
            left: 0;
            top: 0;
            width: 30px;
            height: 30px;
            background: url(flag11.png) 0px 0px;
            transform: translate(calc(942.5135817416999px + 1.0215884355337748px * var(--var1) + 0.24768196677010001px * var(--var2)), calc(224.16483995058888px + 2.9293942195858147px * var(--var1) + 0.8924085229409133px * var(--var2)));
        }
    </style>
</head>
<body>
    <div>
        <div id="a000"></div>
        <div id="a319"></div>
    </div>
</body>
</html>

才100*100,直接暴力解

const root = document.documentElement;
let i = 0;
let j = 0;
function updateValues() {
    root.style.setProperty('--var1', i);
    root.style.setProperty('--var2', j);
    console.log("i: " + i + ", j: " + j);
    j++; // 更新j的值
    if (j === 100) {
        j = 0;
        i++; // 更新i的值
    }
    if (i === 100) {
        clearInterval(interval); // 当i达到100时停止定时器
    }
}
let interval = setInterval(updateValues, 50);

//答案
let i = 71;
let j = 20;
document.documentElement.style.setProperty('--var1', i);
document.documentElement.style.setProperty('--var2', j);

202402211647443.png

flag12

https://2024challenge.52pojie.cn/flag12/index.html

https://2024challenge.52pojie.cn/flag12/flag12.wasm

暴力?

//密码范围: 0 ~ 4294967295
const get_flag = (secret) => {
    let num = instance.exports.get_flag12(secret);
    let str = '';
    while (num > 0) {
        str = String.fromCodePoint(num & 0xff) + str;
        num >>= 8;
    }
    //console.log(str)
    if(str.length>0)  throw Error(str) 
    //return `flag12{${str}}`;
}

for(i=0;i<=4294967295;i++){
    get_flag(i)
}
<meta charset="UTF-8">
<div>输入密码获取 flag12 (密码范围: 0 ~ 4294967295): <input type="text"><button>获取 flag12</button></div>
<div id="result"></div>
<script>
    WebAssembly.instantiateStreaming(fetch('flag12.wasm'))
        .then(({instance}) => {
            const get_flag = (secret) => {
            let num = instance.exports.get_flag12(secret);
            let str = '';
            while (num > 0) {
                str = String.fromCodePoint(num & 0xff) + str;
                num >>= 8;
            }
            //console.log(str)
            if(str.length>0)  throw Error(str) 
            //return `flag12{${str}}`;
        }

        document.querySelector('button').addEventListener('click', (e) => {
            for(i=0;i<=4294967295;i++){
                get_flag(i)
            }
            e.preventDefault();
            document.querySelector('#result').textContent = get_flag12(parseInt(document.querySelector('input').value));
        });
    });
</script>

//index.html:15 Uncaught Error: HOXI

汇总

flagA{e3cadceb}
flagB{f382d735}
flagC{d466f41e}

flag1{52pj2024}
flag2{xHOpRP}
flag3{GRsgk2}
flag4{YvJZNS}
flag5{P3prqF}
flag6{20240217}
flag7{Djl9NQ}
flag8{OaOjIK}
flag9{KHTALK}
flag10{6BxMkW}
flag11{HPQfVF}
flag12{HOXI}

# flagABC有时效,需即用即取
flag1{52pj2024} flag2{xHOpRP} flag3{GRsgk2} flag4{YvJZNS} flag5{P3prqF} flagA{e3cadceb}

flag5{P3prqF} flag6{20240217} flag7{Djl9NQ} flag8{OaOjIK} flagB{f382d735}

flag9{KHTALK} flag10{6BxMkW} flag11{HPQfVF} flag12{HOXI} flagC{d466f41e}

8~10-Web 初级题 题解.zip (380.73 KB, 下载次数: 3)

免费评分

参与人数 2威望 +2 吾爱币 +102 热心值 +2 收起 理由
fengbolee + 2 + 1 感谢发布原创作品,吾爱破解论坛因你更精彩!
Hmily + 2 + 100 + 1 感谢发布原创作品,吾爱破解论坛因你更精彩!

查看全部评分

发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。

平淡最真 发表于 2024-2-26 01:20
本帖最后由 平淡最真 于 2024-2-26 01:21 编辑

发现大家都在用同一个工具解这个10

平淡最真 发表于 2024-2-26 01:23
ioyr5995 发表于 2024-2-26 07:16
soughing 发表于 2024-2-26 07:47
厉害,跟着大佬学习
dongye 发表于 2024-2-26 13:12
太暴力了
 楼主| QAQ~QL 发表于 2024-2-26 14:46

他是alpha通道的隐写,基本上是殊途同归了
CuteCabbage 发表于 2024-2-29 18:56
厉害,跟着大佬学习
chuqiao68 发表于 2024-2-29 20:23
来学习,提高成绩。
_季夏 发表于 2024-2-29 20:47
学习了很有帮助
您需要登录后才可以回帖 登录 | 注册[Register]

本版积分规则

返回列表

RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2024-11-15 07:09

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表