2020 HouseplantCTF Re WP

Bendy 

问题

import java.util.*;

/**
 * CTF crackme "Bendy": reads one token of the form {@code rtcp{...}} from standard input and
 * prints whether the text between the braces passes {@link #check(String)}.
 *
 * <p>The key string and the expected result are both literals in this class, and every step of
 * the check is an addition of known values, so the check can be inverted without running it.
 */
public class bendy
{
    /**
     * Prompts for the flag, strips the wrapper and prints the verdict.
     *
     * @param args unused
     */
    public static void main(String args[]) {
        Scanner scanner = new Scanner(System.in);
        System.out.print("Enter flag: ");
        String userInput = scanner.next();
        // Drops the first 5 characters (the length of "rtcp{") and the last character. The code
        // never verifies that they really are "rtcp{" and "}", and a token shorter than
        // 6 characters makes substring() throw StringIndexOutOfBoundsException.
        String input = userInput.substring("rtcp{".length(),userInput.length()-1);
        if (check(input)) {
            System.out.println("Access granted.");
        } else {
            System.out.println("Access denied!");
        }
    }
    
    /**
     * Compares a transformed copy of {@code input} with a hard-coded string.
     *
     * <p>Three passes each add one character of {@code flag} to one character of {@code input},
     * producing 18 characters. The first 9 are then increased by 20 and moved behind the last 9
     * before the comparison.
     *
     * <p>Only {@code input[2..6]} and {@code input[8..20]} are read. {@code input[0]},
     * {@code input[1]} and {@code input[7]} never influence the result, so any character is
     * accepted at those three positions and the accepted input is not unique.
     *
     * @param input text between the 5-character prefix and the last character of the token
     * @return {@code true} if the transformed text equals the hard-coded string
     */
    public static boolean check(String input){
        boolean h = false; // never read in this method
        String flag = "r34l_g4m3rs_eXclus1v3"; // 21-character additive key
        String theflag = "";
        int i = 0;
        // The input must be exactly as long as the key (21 characters).
        if(input.length() != flag.length()){
            return false;
        }
        // Pass 1: i = 0..6, flag[i] + input[i+8] -> covers input[8..14].
        for(i = 0; i < flag.length()-14; i++){
            theflag += (char)((int)(flag.charAt(i)) + (int)(input.charAt(i+8)));
        }
        // Pass 2: i = 10..14, flag[i] + input[i-8] -> covers input[2..6].
        for(i = 10; i < flag.length()-6; i++){
            theflag += (char)((int)(flag.charAt(i)) + (int)(input.charAt(i-8)));
        }
        // Pass 3: i carries over from pass 2 (starts at 15) and runs to 20,
        // flag[i-3] + input[i] -> covers input[15..20].
        for(; i < flag.length(); i++){
            theflag += (char)((int)(flag.charAt(i-3)) + (int)(input.charAt(i)));
        }
        // Leftover comment from the challenge author (its meaning is not evident from the code):
        //Ғdݾ¤¤¾ÙàåГcÝÆ¥ÌÈáÏܦaã
        // One array element per character; assumes Java 8+ split("") semantics (no leading
        // empty element), which gives 18 elements here.
        String[] flags = theflag.split("");
        // Add 20 to each character of the first half (9 elements).
        for(i=0; i < (int)((flags.length)/2); i++){
            flags[i] = Character.toString((char)((int)(flags[i].charAt(0)) + 20));
        }
        // Keep the untouched second half, then append the shifted first half after it.
        theflag = theflag.substring(flags.length/2);
        for(int k = 0; k < ((flags.length)/2); k++){
            theflag += flags[k];
        }
        // NOTE(review): the literal must hold 18 characters to match; non-ASCII text like this
        // is easily mangled when the file is re-encoded or copied from a web page.
        return theflag.equals("ÄѓӿÂÒêáøz§è§ñy÷¦");
    }
}

 

脚本

# -*- coding:utf-8 -*-
# Inverts bendy.check(): undoes the half swap and the +20 shift, then subtracts the
# key characters pass by pass to recover the text between "rtcp{" and "}".
# NOTE(review): check() produces 18 characters, so `a` must hold 18 characters for the
# indices below to line up; confirm the literal survived copy/paste intact.

a = "ÄѓӿÂÒêáøz§è§ñy÷¦"
flag = "r34l_g4m3rs_eXclus1v3"
n = len(flag)

# One slot per input character; slots that check() never reads stay 0.
in_str = [0 for _ in range(n)]

# The target is (second half) + (first half + 20); put the halves back in order.
num = list(map(ord, a))
half = len(num) // 2
num1 = [code - 20 for code in num[half:]]
num2 = num[:half]
model = num1 + num2
print(model)

# Pass 3 of check(): input[15..20], stored at model[12..17].
for k, i in enumerate(range(15, n)):
    in_str[i] = model[12 + k] - ord(flag[i - 3])
# Pass 2 of check(): input[2..6], stored at model[7..11].
for k, i in enumerate(range(10, n - 6)):
    in_str[i - 8] = model[7 + k] - ord(flag[i])
# Pass 1 of check(): input[8..14], stored at model[0..6].
for i in range(n - 14):
    in_str[i + 8] = model[i] - ord(flag[i])

print('rtcp{' + ''.join(chr(code) for code in in_str) + '}')

解出rtcp{  p3_y0 r3_h4v1ng_fun},缺了三个字符:check() 从未读取 input[0]、input[1] 和 input[7],这三个位置不受任何约束(填任何字符都能通过校验),所以只能根据词义拼凑出正确flag

 

其他脚本

队友用的Z3

from z3 import *

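flag = "r34l_g4m3rs_eXclus1v3"
# NOTE(review): check() produces 18 characters; zip() below silently stops at the shorter
# sequence, so confirm this literal still holds 18 characters after copy/paste.
dist = "ÄѓӿÂÒêáøz§è§ñy÷¦"

# One 8-bit symbolic variable per character between "rtcp{" and "}".
# All arithmetic on these variables is therefore modulo 256.
inp = [BitVec(('x%s' % i), 8) for i in range(len(flag))]

# Rebuild the three additive passes of bendy.check() symbolically.
theflag = []
for i in range(0, len(flag) - 14):
    theflag.append(ord(flag[i]) + inp[i + 8])
for i in range(10, len(flag) - 6):
    theflag.append(ord(flag[i]) + inp[i - 8])
for i in range(len(flag) - 6, len(flag)):
    theflag.append(ord(flag[i - 3]) + inp[i])

# First half gets +20, then the halves are swapped, exactly as in check().
flags = list(theflag)
half = len(flags) // 2
for i in range(half):
    flags[i] = flags[i] + 20
theflag = theflag[half:] + flags[:half]

solver = Solver()
for expr, ch in zip(theflag, dist):
    solver.append(expr == ord(ch))

# model() is only meaningful after a satisfiable check; stop with a clear message otherwise.
if solver.check() != sat:
    raise SystemExit("constraints are not satisfiable; verify that dist was copied intact")
model = solver.model()

for v in inp:
    value = model[v]
    # Variables that appear in no constraint have no entry in the model; print a blank
    # for them instead of relying on a bare except to hide the resulting error.
    print(chr(value.as_long()) if value is not None else ' ', end='')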

 

get flag!

rtcp{h0p3_y0ur3_h4v1ng_fun}

 

Tough

问题
import java.util.*;

/**
 * CTF crackme "Tough": reads one token of the form {@code rtcp{...}} from standard input and
 * prints whether the text between the braces passes {@link #check(String)}.
 *
 * <p>The two permutation tables, the key string and the expected result are all literals in
 * this class, so the transformation can be studied and inverted without running it.
 */
public class tough
{
    // Two permutations of 0..23, used by createMap() to scatter characters into a map.
    public static int[] realflag = {9,4,23,8,17,1,18,0,13,7,2,20,16,10,22,12,19,6,15,21,3,14,5,11};
    public static int[] therealflag = {20,16,12,9,6,15,21,3,18,0,13,7,1,4,23,8,17,2,10,22,19,11,14,5};
    // Static maps filled by check(); they are never cleared between calls.
    public static HashMap<Integer, Character> theflags = new HashMap<>();
    public static HashMap<Integer, Character> theflags0 = new HashMap<>();
    public static HashMap<Integer, Character> theflags1 = new HashMap<>();
    public static HashMap<Integer, Character> theflags2 = new HashMap<>();
    // Selector flags for createMap(): m picks realflag, g picks therealflag.
    public static boolean m = true;
    public static boolean g = false;
    
    /**
     * Prompts for the flag, strips the wrapper and prints the verdict.
     *
     * @param args unused
     */
    public static void main(String args[]) {
        Scanner scanner = new Scanner(System.in);
        System.out.print("Enter flag: ");
        String userInput = scanner.next();
        // Drops the first 5 characters (the length of "rtcp{") and the last character without
        // verifying them; a token shorter than 6 characters makes substring() throw.
        String input = userInput.substring("rtcp{".length(),userInput.length()-1);
        if (check(input)) {
            System.out.println("Access granted.");
        } else {
            System.out.println("Access denied!");
        }
    }
    
    /**
     * Permutes {@code input}, adds a permuted key to it character by character, shifts one
     * band of values by 10 and compares the result with a hard-coded string.
     *
     * <p>Output positions 0..20 come from {@code input} permuted by {@code realflag}; positions
     * 21..23 come from {@code input} permuted by {@code therealflag}, which maps them to
     * {@code input[6]}, {@code input[19]} and {@code input[14]}. {@code input[2]} (the only
     * remaining position whose {@code realflag} value is above 20) is never read, so any
     * character is accepted there.
     *
     * @param input text between the 5-character prefix and the last character of the token
     * @return {@code true} if the transformed text equals the hard-coded string
     */
    public static boolean check(String input){
        boolean h = false; // only used as the "wrong length" return value
        String flag = "ow0_wh4t_4_h4ckr_y0u_4r3"; // 24-character additive key
        // The maps are filled before the length check below, so an input longer than the
        // 24-entry permutation tables throws ArrayIndexOutOfBoundsException in createMap().
        createMap(theflags, input, m);   // input scattered by realflag
        createMap(theflags0, flag, g);   // key scattered by therealflag
        createMap(theflags1, input, g);  // input scattered by therealflag
        createMap(theflags2, flag, m);   // key scattered by realflag; not read in this method
        String theflag = "";
        String thefinalflag = "";
        int i = 0;
        if(input.length() != flag.length()){
            return h;
        }
        // Commented-out string left in the challenge source by its author:
        //rtcp{h3r3s_a_fr33_fl4g!}
        // Positions 0..20 are taken from the realflag-permuted input ...
        for(; i < input.length()-3; i++){
            theflag += theflags.get(i);
        }
        // ... and positions 21..23 (i carries over) from the therealflag-permuted input.
        for(; i < input.length();i++){
            theflag += theflags1.get(i);
        }
        // Add the permuted key character to each permuted input character.
        for(int p = 0; p < theflag.length(); p++){
            thefinalflag += (char)((int)(theflags0.get(p)) + (int)(theflag.charAt(p)));
        }
        // Values 146..156 are raised by 10 (to 156..166); all other values stay as they are.
        // A result in 157..166 can therefore come from a shifted or an unshifted value, so
        // this step cannot be inverted unambiguously.
        for(int p = 0; p < theflag.length(); p++){
            if((int)(thefinalflag.charAt(p)) > 145 && (int)(thefinalflag.charAt(p)) < 157){
                thefinalflag = thefinalflag.substring(0,p) + (char)((int)(thefinalflag.charAt(p)+10)) + thefinalflag.substring(p+1);
            }
        }
        // NOTE(review): the literal must hold 24 characters to match; non-ASCII and control
        // characters like these are easily lost when the file is re-encoded or copied.
        return thefinalflag.equals("ì¨ ¢«¢¥Ç©© ÂëÏãҝËãhÔÊ");
    }
    /**
     * Stores each character of {@code input} in {@code owo} under a permuted index.
     *
     * @param owo   map to fill (raw type; callers pass {@code HashMap<Integer, Character>})
     * @param input characters to store; must not be longer than the permutation tables
     * @param uwu   {@code true} to use {@code realflag} as the index table, {@code false} to
     *              use {@code therealflag}
     */
    public static void createMap(HashMap owo, String input, boolean uwu){
        if(uwu){
            for(int i = 0; i < input.length(); i++){
                owo.put(realflag[i],input.charAt(i));
            }
        } else{
            for(int i = 0; i < input.length(); i++){
                owo.put(therealflag[i],input.charAt(i));
            }
        }
    }
}

 

脚本

# finalflag="ì¨ ¢«¢¥Ç ÂëÏãҝËãhÔÊ"  (inverse of tough.check(): recovers the input from the code points below)
finalflag=[157, 157, 236, 168, 160, 162, 171, 162, 165, 199, 169, 169, 160, 194, 235, 207, 227, 210, 157, 203, 227, 104, 212, 202]  # 24 target code points, one per output position
print(len(finalflag))
flag = "ow0_wh4t_4_h4ckr_y0u_4r3"  # additive key from check()
realflag = [9,4,23,8,17,1,18,0,13,7,2,20,16,10,22,12,19,6,15,21,3,14,5,11]  # same tables as the Java class
therealflag =[20,16,12,9,6,15,21,3,18,0,13,7,1,4,23,8,17,2,10,22,19,11,14,5]
thefinalflag=""
theflags={}
theflags0={}
theflags1={}
theflags2={}
def createMap(realflag,theflag,input):  # theflag[perm[i]] = input[i]; the first parameter is the permutation table to use
    for i in range(len(input)):
        theflag[realflag[i]]=input[i]
createMap(therealflag,theflags0,flag)  # key scattered by therealflag, as check() does
createMap(realflag,theflags2,flag)  # built for symmetry with check(); not used below
for i in range(len(finalflag)):
    if finalflag[i]>155 and finalflag[i]<167:  # treats every value in 156..166 as shifted by +10; an unshifted 157..166 looks the same
        thefinalflag+=chr(finalflag[i]-10)
    else:
        thefinalflag+=chr(finalflag[i])
theflag=""
# Subtract the permuted key character from each position; & 0xff keeps the result in one byte.
for i in range(len(thefinalflag)):
    theflag+=chr((ord(thefinalflag[i])-ord(theflags0.get(i)))&0xff)
print(theflag)
# Positions 0..20 hold the realflag-permuted input.
for i in range(len(theflag)-3):
    theflags[i]=theflag[i]
newflag={}
newflag1=""
# Positions 21..23 hold the therealflag-permuted input; they are only printed, not mapped back.
for j in range(len(theflag)-3,len(theflag)):
    theflags1[j]=theflag[j]
print(theflags1)
# Undo the realflag permutation: output position i came from input position realflag.index(i).
for i in range(len(theflag)-3):
    newflag[realflag.index(i)]=theflags[i]
# Input positions 2, 14 and 19 have realflag values 23, 22 and 21, so the loop above never
# fills them; the author sets them by hand here.
newflag[2]='4'
newflag[14]='_'
newflag[19]="_"
for i in range(len(theflag)):
    newflag1+=newflag[i]
print(newflag1)

得到:h34)s_4_c0stly_fl4g_4yeu

脚本第18行代码(`if finalflag[i]>155 and finalflag[i]<167`)没有考虑原值未经+10就已经落在155~167范围内的情况。

前5个字符是h34)s;根据原题中注释掉的rtcp{h3r3s_a_fr33_fl4g!},这里应该是h3r3s。接下来再猜,哈哈:根据词义,最后一个不对。既然上面的代码把范围内的数全部当作处理过的(一律-10),那就注释掉脚本第18~20行的代码,不再区分处理过和未处理的字符(一律不减10),得到h=43si>ic:stly_pl4g_4you,由此得到flag

 

get flag!

rtcp{h3r3s_4_c0stly_fl4g_4you}

 

这比赛全是纯逆的题,233。
