大二上的第二次线下比赛,远赴哈尔滨,最终得到21名(队里少一名队友捏),可惜差一名进决赛,但愿可以作为明年的铺垫吧。。。
一.reverse-- justamat
直接看最后的比较函数,sub_4051A0
qmemcpy(v11, &unk_574020, sizeof(v11));
qmemcpy(v12, &unk_5741C0, sizeof(v12));
v3 = a1 + 10;
while ( 2 )
{
v4 = v11;
v5 = v2;
do
{
v6 = v4;
v7 = v1;
LODWORD(v8) = 0;
do
{
v9 = (unsigned int)(*(_DWORD *)v6 * *v7++);
v6 += 40;
v8 = (unsigned int)(v9 + v8);
}
while ( v7 != v3 );
if ( *(_DWORD *)v5 != (_DWORD)v8 )
{
result = 0LL;
goto LABEL_10;
}
v4 += 4;
v5 += 4;
}
while ( v4 != &v11[40] );
v2 += 40;
v1 += 10;
v3 = v7 + 10;
if ( v2 != &v13 )
continue;
break;
}
result = 1LL;
两重循环,找到输入的数组以及最后的需要比较的数组,直接用z3解就可以
import z3
last=[0x1C633, 0x1DF94, 0x20EBF, 0x2BA40, 0x1E884, 0x260D1, 0x1F9B1, 0x1EA1A, 0x1EEAA, 0x1DFB2, 0x1C1D0, 0x1EEF2, 0x216E1, 0x2BE00, 0x1FB5E, 0x25D74, 0x1F000, 0x202D6, 0x20002, 0x1DDFE, 0x1C017, 0x1F08C, 0x227F6, 0x2C7BA, 0x201AE, 0x27FBF, 0x20E21, 0x1FF5C, 0x1FD62, 0x1E948, 0x1BE6E, 0x1F4D7, 0x22C8D, 0x2C353, 0x1F8DB, 0x26E1D, 0x1FF61, 0x1EA0F, 0x1F0D6, 0x1EDA8, 0x1AD7D, 0x18218, 0x1CCD4, 0x239B6, 0x1AC4C, 0x20D7C, 0x1D967, 0x1A4F4, 0x1CAD8, 0x196AE, 0x1831B, 0x17E45, 0x1D0CF, 0x23EDF, 0x181AE, 0x21760, 0x1D3B4, 0x175D6, 0x17D3A, 0x1994F, 0x1189D, 0x14CCF, 0x1568E, 0x17EEB, 0x1327E, 0x16A45, 0x12921, 0x11FF0, 0x13643, 0x11729, 0x15191, 0x17D17, 0x17262, 0x1A863, 0x17010, 0x17B10, 0x14F9C, 0x143E8, 0x15E9B, 0x1242C, 0x0F68C, 0x1192A, 0x150AD, 0x1B1A0, 0x14C60, 0x182AB, 0x13F4B, 0x141A6, 0x15AA3, 0x135C9, 0x1D86F, 0x1E8FA, 0x2158D, 0x2BDAC, 0x20E4F, 0x27EE6, 0x213B9, 0x20E86, 0x211FF, 0x1E1EF]
v4=[0xFE, 0x0B, 0x1D, 0xF6, 0x83, 0xFF, 0xE0, 0xB8, 0xDD, 0xB0, 0xC5, 0xDE, 0xF6, 0x14, 0x9F, 0xDD, 0xD9, 0x07, 0x2D, 0x6B, 0x19, 0xCA, 0x73, 0xFD, 0x87, 0x72, 0x24, 0x04, 0x49, 0x7E, 0xA9, 0xCE, 0x91, 0xBE, 0x41, 0x18, 0x60, 0x3F, 0x2B, 0x63, 0x1C, 0xD2, 0x90, 0xE9, 0x8E, 0xBA, 0x1E, 0xF3, 0x41, 0xAD, 0x2C, 0x03, 0x69, 0xDA, 0x10, 0xFD, 0xFD, 0xE7, 0x06, 0x36, 0xD6, 0x02, 0x59, 0x18, 0xCC, 0x50, 0x87, 0xAF, 0xFB, 0x18, 0x44, 0x7F, 0xAD, 0xF8, 0x2C, 0x67, 0x1D, 0x22, 0x84, 0xAC, 0x0E, 0x23, 0xDC, 0xE6, 0xBB, 0xD2, 0xB8, 0x4A, 0xBC, 0xDE, 0x50, 0x9C, 0x1C, 0x1E, 0x86, 0x3A, 0x2D, 0xDD, 0xC3, 0x03]
s = z3.Solver()
a = [z3.Int(f'a{i}') for i in range(len(last))]
for i in range(0, 10):
for j in range(0, 10):
s.add(((a[0 + j * 10] * v4[i + 0]) +(a[1 + j * 10] * v4[i + 10]) + (a[2 + j * 10] * v4[i + 20]) +(a[3 + j * 10] * v4[i + 30]) +(a[4 + j * 10] * v4[i + 40]) +(a[5 + j * 10] * v4[i + 50]) +(a[6 + j * 10] * v4[i + 60]) +(a[7 + j * 10] * v4[i + 70]) +(a[8 + j * 10] * v4[i + 80]) +(a[9 + j * 10] * v4[i + 90]) ) == last[i + j * 10])
if s.check() == z3.sat:
m = s.model()
for i in range(len(last)):
print(chr(m[a[i]].as_long()), end='')
得到there_are_a_lot_useless_information_but_oh.o0O_flag{8f9c6cf7-f362-4a4e-ace2-a34d90939589}_you_get_it
二. Crypto--ezrsa
注意到:两个相等的分数,首先将左边的分数通分,直接让左右两个分数的分子分母对应相等
也就是说n+n+p+q+1==2*s-X,以及n+q=s+Y,就是一个方程组,我们直接让一式减去二式乘二,就可以得到p+1-q==-X-2*Y,这时就可以得到p-q的值,我们知道p*q,那么p+q就容易知道了,从而可以得到phi,进而求解flag
下面为脚本:
x=153801856029563198525204130558738800846256680799373350925981555360388985602786501362501554433635610131437376183630577217917787342621398264625389914280509
y=8086061902465799210233863613232941060876437002894022994953293934963170056653232109405937694010696299303888742108631749969054117542816358078039478109426
n = 161010103536746712075112156042553283066813155993777943981946663919051986586388748662616958741697621238654724628406094469789970509959159343108847331259823125490271091357244742345403096394500947202321339572876147277506789731024810289354756781901338337411136794489136638411531539112369520980466458615878975406339
c = 15380535750650959213679345560658190067564859611922563753882617419201718847747207949211621591882732604480600745000879508274349808435529637573773711729853565120321608048340424321537282281161623712479117497156437792084977778826238039385697230676340978078264209760724043776058017336241110097549146883806481148999#
e=65537
print(-x-2*y-1)
sub=-169973979834494796945671857785204682968009554805161396915888143230315325716092965581313429821657002730045153667847840717855895577707030980781468870499362
phi = n - gmpy2.iroot(sub**2+4*n, 2)[0] + 1
d=inverse(e,phi)
print(long_to_bytes(pow(c,d,n)))
得到flag{2a5a9c6fe94da5ef7edeffebb506b29a}
三. misc--排队队吃果果
基本思路为列排序,再标黑找二维码(甚至不需要写脚本)
首先将所有加粗的数字标黑,直接用ctrl+h特殊格式改就行,然后根据题目提示进行排序,当然在排序之前先把表格中的数据转换成数字格式,才能正常的升序排序,这里直接手动列排序即可,最终得到二维码,扫描出flag