about 9 years ago
得到一份 Python code,題目要對某串奇怪的東西選某些操作做,並且路上都不能壞掉。
不如就先來爆一下要哪個順序的操作可以是好的:
... 原先的 passcode.py
def main():
for a in range(1, 10):
for b in range(1, 10):
for c in range(1, 10):
for d in range(1, 10):
f1='fun'+str(a)
f2='fun'+str(b)
f3='fun'+str(c)
f4='fun'+str(d)
try:
answer_hash = f['fun6'](f['fun2'](f[f1](f[f2](f[f3](f[f4](answer))))))
except:
continue
if len(answer_hash) == 0:
continue
print a, b, c, d
$ python passcode.py
3 5 1 4
只有一組解耶真好。
觀察一下後,可以發現有一招是在 base64 後面多加上些 = 解出來不會變,所以就來寫個 code:
... 原先的 passcode.py
def main():
h = f['fun3'](f['fun5'](f['fun1'](f['fun4'](answer))))
print hex2dec(reverse(binascii.hexlify(zlib.compress(h + '='))))
$ python passcode.py
14776808117554463895524407143315295523453799430392848299468657220152312326943167735766291274545269565571655501790641293086612883281379329572762713221559220272895777630561406954290568277444047387566672405325067568106228025972170232788497361815951678363187671648647
$ nc 218.2.197.243 9991
Welcome to Secure Passcode System
First, please choose function combination:
f1: 3
f2: 5
f3: 1
f4: 4
Your passcode: 14776808117554463895524407143315295523453799430392848299468657220152312326943167735766291274545269565571655501790641293086612883281379329572762713221559220272895777630561406954290568277444047387566672405325067568106228025972170232788497361815951678363187671648647
Welcome back! The door always open for you, your majesty!
BCTF{py7h0n-l1b-func7i0ns-re4lly-str4nge}
Win!
備註: 比賽時寫這題的人和寫 writeup 的人不同,比賽時是用某種改 zlib compress rate 過的,但因為比較麻煩這裡就寫簡單的做法了
