TPCTF2025 | Re


TPCTF 2025 | Re | Linuxpdf

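I simply really like this challenge, so I'm recording it here hhhh

Looking back, it isn't very hard, but it's a lot of fun!!!!

Attachment: linux.pdf (after downloading, change the file extension to pdf)

Challenge analysis

The PDF loads several files, so we can take a look at them.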


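A piece of JS code iterates over the original base64-encoded strings in embedded_files, decompresses each one with pako, and assigns the result back in place.

pako is a popular JavaScript compression/decompression library. Its inflate function is typically used to decompress data compressed with the DEFLATE algorithm (for example in Gzip or Zlib format). It takes the compressed data as a Uint8Array and returns the decompressed data (usually also a Uint8Array, or possibly a string depending on pako's options).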


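Write code to recover the binary files, then open the file 0000a9 in IDA: it turns out to be the check_flag function. I renamed some variables to make it easier to read.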
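The recovery step described above (base64-decode each embedded_files entry, then inflate it), written as an added example that is not the author's own script. It assumes the PDF's JavaScript defines embedded_files as a JSON-compatible object literal mapping names to base64 strings; the helper names and the sample input are constructed for illustration.

```python
import base64
import json
import re
import zlib
from pathlib import Path

# Assumption: the PDF's script defines a JSON-compatible object literal,
#   embedded_files = {"<name>": "<base64 of compressed data>", ...}
ASSIGN_RE = re.compile(r"embedded_files\s*=\s*")


def recover_embedded_files(js_source: str) -> dict:
    m = ASSIGN_RE.search(js_source)
    if m is None:
        raise ValueError("embedded_files assignment not found")
    table, _ = json.JSONDecoder().raw_decode(js_source, m.end())
    # MAX_WBITS | 32 makes zlib accept either zlib or gzip framing.
    return {name: zlib.decompress(base64.b64decode(text, validate=True),
                                  wbits=zlib.MAX_WBITS | 32)
            for name, text in table.items()}


def write_files(files: dict, out_dir: Path) -> list:
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for name, data in files.items():
        # Names come from the PDF: flatten them so none escapes out_dir.
        path = out_dir / re.sub(r"[^A-Za-z0-9_-]", "_", name)
        path.write_bytes(data)
        written.append(path)
    return written


def elf_names(files: dict) -> list:
    # ELF magic marks the candidates worth opening in a disassembler.
    return [n for n, d in files.items() if d.startswith(b"\x7fELF")]


def build_sample_js() -> str:
    # Constructed sample input, not data taken from the challenge PDF.
    blobs = {"files/0000a9": b"\x7fELF" + bytes(12), "files/note": b"hello"}
    table = {n: base64.b64encode(zlib.compress(b)).decode()
             for n, b in blobs.items()}
    return "var embedded_files = " + json.dumps(table) + ";\n"


if __name__ == "__main__":
    recovered = recover_embedded_files(build_sample_js())
    print(elf_names(recovered))
```

To use it on a real file, pass the script text extracted from the PDF to recover_embedded_files and then call write_files with an output directory.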


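Searching for the first few MD5 hashes directly gave me no leads, but starting from the last one, I found:

38F88A3BC570210F8A8D95585B46B065 -> F}

So the flag is brute-forced from the end toward the front.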

exp:

import hashlib

# Target MD5 digests (uppercase hex)
md5_list = [
    "38F88A3BC570210F8A8D95585B46B065",
    "83055AE80CDC8BD59378B8628D733FCB",
    "FA7DAFFBD7ACEC13B0695D935A04BC0F",
    "C29CC0FD3801C7FDD315C782999BD4CB",
    "2BA2D01AF12D9BE31A2B44323C1A4F47",
    "DDEEBAF002527A9EAD78BD16684573CC",
    "BF95B89934A1B555E1090FECDFD3DA9F",
    "B6422C30B02938535F8E648D60A87B94",
    "08C1B76643AF8DD50CB06D7FDD3CF8ED",
    "42D69719F97088F06540F412DC1706FB",
    "A1F23DA61615400E7BD9EA72D63567EB",
    "4E246F0A5DD3CE59465FF3D02EC4F984",
    "B8CF25F963E8E9F4C3FDDA34F6F01A35",
    "2D98D820835C75A9F981AD4DB826BF8E",
    "702EAD08A3DD56B3134C7C3841A652AA",
    "D2D557B613662B92F399D612FB91591E",
    "E4422B6320ED989E7E3CB97F369CBA38",
    "71803586C67059DDA32525CE844C5079",
    "83B371801D0ADE07B5C4F51E8C6215E2",
    "B0D1B4885BC2FDC5A665266924486C5F",
    "792C9E7F05C407C56F3BEC4CA7E5C171",
    "3855E5A5BBC1CBE18A6EAB5DD97C063C",
    "886D45E0451BBBA7C0341FE90A954F34",
    "3A437CBE6591EA34896425856EAE7B65",
    "34304967A067308A76701F05C0668551",
    "D6AF7C4FEDCF2B6777DF8E83C932F883",
    "DF88931E7EEFDFCC2BB80D4A4F5710FB",
    "CB0FC813755A45CE5984BFBA15847C1E",
]

# Known suffix to start from: the closing brace of the flag
flag = "}"

# Candidate characters for each position
chr_list = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_-1234567890{}"

num_hashes = len(md5_list)

# Walk the list from the last digest to the first. Each digest is matched
# against one candidate character prepended to the suffix recovered so far.
for i in range(num_hashes):
    target_md5 = md5_list[num_hashes - 1 - i]

    found_char = False
    for char_to_try in chr_list:
        temp_flag = char_to_try + flag

        encoded_flag = temp_flag.encode('utf-8')
        hash_object = hashlib.md5(encoded_flag)
        current_md5 = hash_object.hexdigest().upper()

        if current_md5 == target_md5:
            flag = temp_flag
            # Message: character found, followed by the flag recovered so far
            print(f"找到字符: '{char_to_try}', 当前 Flag: {flag}")
            found_char = True
            break

    if not found_char:
        # Message: no candidate character matches the digest at this index
        print(f"错误:无法为索引 {num_hashes - 1 - i} (哈希值 {target_md5}) 找到匹配的字符。")
        break

# Message: the final derived flag
print("\n最终推导出的 Flag:")
print(flag)

Article author: W3nL0u
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit W3nL0u when reposting!