mcfx's blog - 2019年10月
/2019/10/
个人博客,(曾经)基本只放题解,现在随便写点啥了吧(HITCON CTF 2019 Quals Writeup
/archives/268/
2019-10-15T00:48:00+08:00# Misc
### EmojiiVM
It's too long to directly print each character, but we can push 1,1,1,2,...,9,9 into the stack, and write a simple loop to print the table.
Unfortunately my blog doesn't support emojis, so here's no solution.
### heXDump
Xxd only overwrites the first bytes of the file, so we can just enumerate each byte.
```python
from pwn import *
r=remote('13.113.205.160',21700)
def get():
r.recvuntil('0) quit\n')
r.send('2\n')
return r.recvuntil('\n')[:-1]
r.recvuntil('0) quit\n')
r.send('1337\n')
fh=get()
known='hitcon{'
while True:
flag=False
for j in range(32,127):
print j
t=known+chr(j)
r.recvuntil('0) quit\n')
r.send('1\n')
r.recvuntil('format)\n')
r.send(t.encode('hex')+'\n')
if get()==fh:
known=t
flag=True
break
print known
if not flag: break
```
# Crypto
### Very Simple Haskell
If a bit in the flag is 1, the answer will multiply square of a specific prime number.
Then we can use meet-in-middle to find the answer. However, here N is too big, so just factorize the primes is okay.
```python
from gmpy2 import *
from Crypto.Util.number import isPrime
primes=[]
pinv={}
for i in range(2,5000):
if isPrime(i):
pinv[i]=len(primes)
primes.append(i)
print(len(primes))
n=134896036104102133446208954973118530800743044711419303630456535295204304771800100892609593430702833309387082353959992161865438523195671760946142657809228938824313865760630832980160727407084204864544706387890655083179518455155520501821681606874346463698215916627632418223019328444607858743434475109717014763667
base=129105988525739869308153101831605950072860268575706582195774923614094296354415364173823406181109200888049609207238266506466864447780824680862439187440797565555486108716502098901182492654356397840996322893263870349262138909453630565384869193972124927953237311411285678188486737576555535085444384901167109670365
req=84329776255618646348016649734028295037597157542985867506958273359305624184282146866144159754298613694885173220275408231387000884549683819822991588176788392625802461171856762214917805903544785532328453620624644896107723229373581460638987146506975123149045044762903664396325969329482406959546962473688947985096
req=req*invert(base,n)%n
flag='hitcon{'
for i in range(6):
t=0
for j in range(8):
r=28+i*8-j
if req%primes[r]==0:
t|=1