about 4 years ago

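We are given a piece of Python code. The challenge asks us to pick a few operations to apply to some strange string, and none of them may fail along the way.
So let's first brute-force which order of operations works: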

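# ... the original passcode.py ...
def main():
  # Try every choice of four functions fun1..fun9 (Python 2, like the original)
  for a in range(1, 10):
    for b in range(1, 10):
      for c in range(1, 10):
        for d in range(1, 10):
          f1='fun'+str(a)
          f2='fun'+str(b)
          f3='fun'+str(c)
          f4='fun'+str(d)
          try:
            answer_hash = f['fun6'](f['fun2'](f[f1](f[f2](f[f3](f[f4](answer))))))
          except Exception:
            # Some step in the chain failed, so this combination is invalid
            continue

          if len(answer_hash) == 0:
            continue
          print a, b, c, d
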
$ python passcode.py
3 5 1 4

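Only one combination works, nice.

After a little observation, there is a trick: appending some extra = characters to a base64 string does not change what it decodes to. So let's write some code: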

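# ... the original passcode.py ...
def main():
  # Run the answer through the combination found above (f1..f4 = 3, 5, 1, 4)
  h = f['fun3'](f['fun5'](f['fun1'](f['fun4'](answer))))
  # Append '=' to h (the base64 trick above), then re-apply the remaining encodings by hand
  print hex2dec(reverse(binascii.hexlify(zlib.compress(h + '='))))
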
$ python passcode.py
14776808117554463895524407143315295523453799430392848299468657220152312326943167735766291274545269565571655501790641293086612883281379329572762713221559220272895777630561406954290568277444047387566672405325067568106228025972170232788497361815951678363187671648647
$ nc 218.2.197.243 9991
Welcome to Secure Passcode System
First, please choose function combination:
f1: 3
f2: 5
f3: 1
f4: 4
Your passcode: 14776808117554463895524407143315295523453799430392848299468657220152312326943167735766291274545269565571655501790641293086612883281379329572762713221559220272895777630561406954290568277444047387566672405325067568106228025972170232788497361815951678363187671648647
Welcome back! The door always open for you, your majesty!
BCTF{py7h0n-l1b-func7i0ns-re4lly-str4nge}

Win!

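Note: the person who solved this during the contest is not the person who wrote this writeup. During the contest it was solved by somehow changing the zlib compress rate, but since that is more troublesome, the simpler approach is written up here.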
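
Both tricks on this page (the extra = after base64, and the changed zlib compression setting mentioned in the note) rely on an encoding where many different inputs decode to the same bytes. The following is an added example in Python 3, not code from the original writeup or the challenge: SECRET, GOOD, ALIAS and the accepts() check are constructed for illustration, and canonical_decode shows the re-encode comparison that rejects the padded alias.

```python
import base64
import zlib

SECRET = b"constructed-sample-secret"   # constructed sample, not the challenge's value
GOOD = base64.b64encode(SECRET)         # the one canonical encoding
ALIAS = GOOD + b"="                     # different string, same bytes once decoded


def lenient_decode(token: bytes) -> bytes:
    """Default b64decode: surplus '=' padding is silently ignored."""
    return base64.b64decode(token)


def canonical_decode(token: bytes) -> bytes:
    """Decode, then require that re-encoding reproduces the input exactly."""
    data = base64.b64decode(token)
    if base64.b64encode(data) != token:
        raise ValueError("non-canonical base64")
    return data


def accepts(token: bytes, decode) -> bool:
    """Hypothetical check: token must differ from GOOD yet decode to SECRET."""
    if token == GOOD:
        return False
    try:
        return decode(token) == SECRET
    except ValueError:          # binascii.Error is a ValueError subclass
        return False


def zlib_variants(payload: bytes) -> set:
    """Distinct zlib streams (levels 0-9) that all inflate to the same payload."""
    streams = {zlib.compress(payload, level) for level in range(10)}
    if any(zlib.decompress(s) != payload for s in streams):
        raise RuntimeError("round-trip failed")
    return streams


if __name__ == "__main__":
    print(accepts(ALIAS, lenient_decode))     # lenient decoder treats ALIAS as SECRET
    print(accepts(ALIAS, canonical_decode))   # canonical check refuses ALIAS
    print(len(zlib_variants(SECRET)))         # number of distinct equivalent streams
```

Re-encoding works as a canonical check for base64 because the encoding is deterministic; for zlib the compressed bytes depend on level and library version, so equality has to be tested on the decompressed data instead.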
