Fork me on GitHub

JarvisOJ - Writeup(5.31更新)

此篇用来记录我在jarivsOJ上的一些题解,只给解题思路,不放flag


Misc

0x01 You Need Python(300)

题目有两个文件,一个py文件,另一个是经过编码的key

文件key

首先看到提示key_is_here_but_do_you_know_rfc4042,baidu一下了解到是utf9编码,于是将这个文件解码,得到一串字符(md里对下划线要转义才能正常显示,偷个懒所以我这里贴出的字符是没转义过的,请不要直接拿去进行下一步的操作以免出错

_((//+_+____-%)**((_%(_-_))+____+(_%_+_+___%+____-(__//(_%_)))))+(((____/)+_%+_-(____//))*(_(_+_)+___+_%_))+__(((_//+__%)+(_-_))**((_+_)+_-(__//)))+_((_+___-(__//_-_%%_))**(___+_+_))+*(+_-(_//_-_%_%))**(___-+___)+(_+_)(____%_%+_+__)+(_-)*((__//-_%%_)+_)(_-(___//___+_%_)+____)+(_+(_%___)+_)**___+___(((_%___)+_-(____//____))**___)+(____/__)(((-_+___)(__+__))**_)+___((+___-_)_)+*(((+___-__/_+-_%_%)*(_-_+____/+___%_)))+(_//_)*(((__%_%+_+_)%__)+___-_)*_+___((__/(_%_))+_)((_%___)+___+_)+_//_+_+_/___

对下划线计数,运算符正常运算可以得到5287002131074331513,一开始以为这就是真正的key,然后死活解不出来,后来尝试ascii解码得到I_4m-k3y,这才是正确的key

文件flag.py

marshal.loads是反序列化操作,用uncompyle2即可解决。

脚本如下

1
2
3
4
5
6
7
8
9
#参考链接:https://www.aliyun.com/jiaocheng/475933.html

import uncompyle2
import marshal, zlib, base64

co = marshal.loads(zlib.decompress(base64.b64decode('eJxtVP9r21YQvyd/ieWm66Cd03QM1B8C3pggUuzYCSWstHSFQijyoJBhhGq9OXJl2ZFeqAMOK6Q/94f9Ofvn1s+d7Lgtk/3O997du/vc584a0eqpYP2GVfwDEeOrKCU6g2LRRyiK4oooFsVVUSqkqxTX6J1F+SfSNYrrdKPorC76luhbpOEGCZNFZw2KG3Rmk26QtuXi3xTb7ND6/aVu0g2RuvhEcZNut5lAGbTvAFbyH57TkYLKy8J6xpDvQxiiiaIlcdqJxVcHbXY6bXNlZgviPCrO0+StqfKd88gzNh/qRZyMdWHE29TZZvIkG7eZFRGGRcBmsXJaUoKCQ9fWKHwSqNeKFnsM5PnwJ7q2aKk4AFhcWtQCh+ChB5+Lu/RmyYUxmtOEYxas7i/2iuR7Ti14OEOSmU0RADd4+dQzbM1FJhukAUeQ+kZROuLyioagrau76kc1slY1NNaY/y3LAxDQBrAICJisV2hMdF2lxQcyFuMoqcX3+TCl6xotqzSpkqmxYVmjXVjAXiwBsEfBrd1VvTvLCj2EXRnhoryAKdpxcIgJcowUB68yAx/tlCAuPHqDuZo0CN3CUGHwkPhGMA7aXMfphjbmQLhLhJcHa0a+mpgB191c1U1lnHJQbgkHx+WGxeJbejnpkzSavo2jkxZ7i725npGAaTc8FXmUjbUETHUmkxXN5zqL5WiWxwE7Bc11yyYzNJpN02jerq+DzNNodfxOX8kE4FcmYKscDdYD1oPGGucXYNmgs1F+NTf3GOt3Mg7b+NTVruqoQyX1hOEUacKw+AGbP38ZOq9THRXaSbL5pXGQ8bho/Z/lrzQaHxdoCrlev+t6nZ7re57r+57rHXag93Deh37k+vuw9zorO/Qj/B50cAf2oyOsvut3D+ADWxdxfN/1Drqu39mHzvcRswv/Hvz7sHeg9w8Qzy99DzuFwxhPhs6zWTbOI3OZRiaZZcVj5wVwOklx7OwVxR47PR46r/SVM8ulBJic9zku/eqY/MqJxiDj+Gd55wS3f35pbLCzHoEwzKKpDkN5i+TR+1AYCWTo5IV0Z0P9H3phDDd6lMzPdS5bbo9eJGbTsW9nbDqLL1N9Iq+rRxDbll2x67a9Lf27hw5uK1s1rZr6DOPF+FI=')))

f = open('test','w')
uncompyle2.uncompyle('2.7.3',co,f)

拿到源码之后就很好做了,运行源码可以知道我们需要输入keyflag,然后经过encrypt函数的加密和cipherText比较,而key我们已经拿到了,简单分析一下encrypt函数可以发现,连爆破都不用,直接赋值就好了。。

解题脚本如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
#!/usr/bin/python
# -*- coding: utf-8 -*-
__Author__ = "LB@10.0.0.55"

import utf9
import hashlib
from libnum import n2s
from string import printable

def get_key():

a = open('key','r').read()
print type(a)
key = utf9.utf9decode(a)
print key

exp = ''
num = 0
for i in key:
if i == '_':
num += 1
elif num != 0:
exp += str(num) + i
num = 0
else:
exp += i
exp += str(num)

return n2s(eval(exp))

def sha1(string):
return hashlib.sha1(string).hexdigest()


def calc(strSHA1):
r = 0
for i in strSHA1:
r += int('0x%s' % i, 16)
return r


def decrypt(key):
print key
keySHA1 = sha1(key)
print keySHA1
intSHA1 = calc(keySHA1)
print intSHA1
r = ''

flag = '-185-147-211-221-164-217-188-169-205-174-211-225-191-234-148-199-198-253-175-157-222-135-240-229-201-154-178-187-244-183-212-222-164'
flag = flag.split('-')[1:]
flag = [ eval('-'+i) for i in flag ]
print len(flag),flag

for i in range(33):
r += chr(-int('0x%s' % keySHA1[i % 40], 16)+intSHA1+flag[i])
intSHA1 = calc(sha1(r[:i + 1])[:20] + sha1(str(intSHA1))[:20])
print len(r),r

def main():

key = get_key()
decrypt(str(key))

main()

Crypto

Reverse

Pwn