GDOUCTF

发布于 2023-04-19  0 次阅读

签到

hate eat snake

找到这一段,其中部分flag被混淆

if (this['getScore']() > -0x1e9 * -0xf + 0x5 * 0x6d + -0x2e * 0xaa) return alert(_0x324fcb(0x2d9, 0x2c3, 0x2db, 0x2f3) + 'k3r_h0pe_t' + _0xe4a674(0x5a1, 0x595, 0x59e, 0x57c) + 'irlfriend}'), ![];
			else if (isEnd) {
				if (this.snakeTimer) {
					clearInterval(this.snakeTimer)
				}
				var score = this.getScore();
				if (confirm(msg + "下头男你的分数是:" + score + "! 乖乖remake吧")) {
					this.reset();
				}
				return false;
			}

把文件拉到本地,条件改为1>0(结果为True即可)

if (1 > 0) return alert(_0x324fcb(0x2d9, 0x2c3, 0x2db, 0x2f3) + 'k3r_h0pe_t' + _0xe4a674(0x5a1, 0x595, 0x59e, 0x57c) + 'irlfriend}'), ![];
			else if (1 < 0) {
				if (this.snakeTimer) {
					clearInterval(this.snakeTimer)
				}
				var score = this.getScore();
				if (confirm(msg + "下头男你的分数是:" + score + "! 乖乖remake吧")) {
					this.reset();
				}
				return false;
			}

Check_Your_Luck

void flag_checker(int v,int w, int x, int y, int z){
	if ((v * 23 + w * -32 + x * 98 + y * 55 + z * 90 == 333322) &&
		(v * 123 + w * -322 + x * 68 + y * 67 + z * 32 == 707724) &&
		(v * 266 + w * -34 + x * 43 + y * 8 + z * 32 == 1272529) &&
		(v * 343 + w * -352 + x * 58 + y * 65 + z * 5 == 1672457) &&
		(v * 231 + w * -321 + x * 938 + y * 555 + z * 970 == 3372367)){
			cout << "Congratulations, Here is your flag:\n";
			cout << "flag{" << v << "_" << w << "_" << x << "_" << y << "_" << z << "}" << endl;
		}
		else{
			cout << "\nSeems your luck is not in favor right now!\nBetter luck next time!" << endl;
		}

}

根据代码得知这是个方程组,解一下就可以了

Matryoshka

套娃,每个压缩包里有两个文件,下一个压缩包以及下一个压缩包的密码。这个密码首先需要将英文转换为数字与操作符,再按照从左至右的顺序进行计算(不是先乘除后加减),最后对数字取绝对值。

利用7za进行解压,解压后删除上一个文件以节约空间

import subprocess,os

def decode(num):
    mapping = {'zero': '0','one': '1','two': '2','three': '3','four': '4','five': '5','six': '6','seven': '7','eight': '8','nine': '9','plus': '+','minus': '-','times': '*','divide': '/','mod': '%'    }
    with open('password'+str(num)+'.txt', 'r') as f:
        str_to_replace = f.read()
    
    for word, digit in mapping.items():
        str_to_replace = str_to_replace.replace(word, digit)

    result = 0
    current_number = ''
    current_operation = '+'
    for char in str_to_replace:
        if char.isdigit():
            current_number += char
        else:
            if current_number:
                current_number = int(current_number)
                if current_operation == '+':
                    result += current_number
                elif current_operation == '-':
                    result -= current_number
                elif current_operation == '*':
                    result *= current_number
                elif current_operation == '%':
                    result %= current_number
            current_number = ''
            current_operation = char

    if current_number:
        current_number = int(current_number)
        if current_operation == '+':
            result += current_number
        elif current_operation == '-':
            result -= current_number
        elif current_operation == '*':
            result *= current_number
        elif current_operation == '%':
            result %= current_number
    print(str_to_replace,'=',result)
    return result;

for num in range(1000,-1,-1):
    if num<999:
        os.remove('Matryoshka'+str(abs(num+1))+'.zip')
        os.remove('password'+str(abs(num+1))+'.txt')
    subprocess.run(['7za.exe', 'x', '-o.', '-p{}'.format(abs(decode(num))), 'Matryoshka'+str(abs(num))+'.zip'])

目录下文件:

若金色的阳光停止了它耀眼的光芒,你的一个微笑,将照亮我的整个世界