第二届数信杯南区wp-easyJava

writeup

easyJava

用Eclipse Memory Analyzer进行分析，利用OQL查找字符串

这里要写正则表达式：我写了\\u.*意思是找unicode字符串，因为这里的中文都做了unicode编码

搜索到这么一个字符串列表，

转码——

红色框框里的是还原后的内容。如下：

想跟你说一个小秘密：我把码表修改成了真的旗帜怎么会这么轻易就让你拿到,但你都找到我了那我给你一个密文吧：赵钱孙李周吴郑王冯陈褚卫蒋沈韩杨朱秦尤许何吕施张孔曹严华金魏陶姜戚谢邹喻柏水窦章云苏潘葛奚范彭郎鲁韦昌马苗凤花方俞任袁柳酆鲍史唐费
0123456789abcdefghijklmnopqrstuvwxyzBCDEFGHIJKLMNOPQRSTUVWXY曹窦韦谢曹方范谢孔许何马沈郑吴喻沈尤苗昌曹喻吴谢卫许朱花沈窦蒋范孔窦吴窦沈昌苗韦孔施朱方曹施秦邹沈窦吴柏孔喻陈鲍pCNxpTJxojkPd65zdiQOpz5xbjgSdCcJoC5CdOQNomgTpmhydC5oz9

0123456789abcdefghijklmnopqrstuvwxyzBCDEFGHIJKLMNOPQRSTUVWXY是base64编码表，补上AZ+/=后，对pCNxpTJxojkPd65zdiQOpz5xbjgSdCcJoC5CdOQNomgTpmhydC5oz9进行解码，结果为：

flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aX�

flag的末端必然是"}"结尾，而"}"的ASCII码为0x7d，二进制为01111101
pCNxpTJxojkPd65zdiQOpz5xbjgSdCcJoC5CdOQNomgTpmhydC5oz9长度为54，base64编码中每4个字符对应源字符串的3个字符，54除以4等于13余2，可知该字符串缺少2个字符，需要添加这两个字符并使得最后解码结果以"}"结尾。于是可以只考虑在dC5oz9添加字符

import redef generate_all_insertions(input_string, char1, char2):    all_insertions = []    for i in range(len(input_string) + 1):        for j in range(i, len(input_string) + 1):            modified_string = input_string[:i] + char1 + input_string[i:j] + char2 + input_string[j:]            all_insertions.append(modified_string)    return all_insertions# 获取字符串所有固定长度且不重合切片def generate_non_overlapping_slices(input_string, slice_length):    all_slices = []    for i in range(0, len(input_string), slice_length):        if i + slice_length <= len(input_string):            all_slices.append(input_string[i:i + slice_length])    return all_slices# 自定义字符集def custom_base64_decode(encoded_string):    custom_charset = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/"    encoded_binary_string = ""    for char in encoded_string:        index = custom_charset.index(char)        binary_index = format(index, '06b')        encoded_binary_string += binary_index    chs = generate_non_overlapping_slices(encoded_binary_string,8)    # print(chs)    decode_string = ''    for ch in chs:        decode_string += chr(int(ch,2))    return decode_stringdef is_only_alpha_numeric(input_string):    # 使用正则表达式匹配只包含英文字母和数字的字符串    return bool(re.match('^[a-zA-Z0-9]+$', input_string))# 要解码的自定义base64编码字符串encoded_string = "pCNxpTJxojkPd65zdiQOpz5xbjgSdCcJoC5CdOQNomgTpmhy"front = custom_base64_decode(encoded_string)print(front)custom_charset = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/"str1 = "dC5oz9"for i in custom_charset:    for j in custom_charset:        # 将生成的所有修改后的字符串逐个与原字符串连接        for modified_str in generate_all_insertions(str1, i, j):            result = custom_base64_decode(modified_str)            # 判断result[:-1]是否只包含英文字母和数字            if is_only_alpha_numeric(result[:-1]):                # print(result)                          if result[-1] == "}":                    print("i=%s,j=%s" % (i,j))                    print("拼接字符串: %s,UTF-8字符串: %s" % (modified_str,front+result))

结果：

i=1,j=Z
拼接字符串: dC51oz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aAb2}
i=2,j=Z
拼接字符串: dC52oz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aBb2}
i=3,j=Z
拼接字符串: dC53oz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aCb2}
i=4,j=Z
拼接字符串: dC54oz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aDb2}
i=5,j=Z
拼接字符串: dC55oz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aEb2}
i=5,j=Z
拼接字符串: dC55oz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aEb2}
i=6,j=Z
拼接字符串: dC56oz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aFb2}
i=7,j=Z
拼接字符串: dC57oz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aGb2}
i=8,j=Z
拼接字符串: dC58oz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aHb2}
i=9,j=Z
拼接字符串: dC95oz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6bEb2}
i=9,j=Z
拼接字符串: dC59oz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aIb2}
i=a,j=Z
拼接字符串: dC5aoz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aJb2}
i=b,j=Z
拼接字符串: dC5boz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aKb2}
i=c,j=Z
拼接字符串: dC5coz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aLb2}
i=c,j=Z
拼接字符串: dC5ocz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aX22}
i=d,j=Z
拼接字符串: dCd5oz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6cEb2}
i=d,j=Z
拼接字符串: dC5doz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aMb2}
i=d,j=Z
拼接字符串: dC5odz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aX62}
i=e,j=Z
拼接字符串: dC5eoz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aNb2}
i=f,j=Z
拼接字符串: dC5foz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aOb2}
i=g,j=Z
拼接字符串: dC5goz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aPb2}
i=g,j=Z
拼接字符串: dC5ogz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aXB2}
i=h,j=Z
拼接字符串: dCh5oz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6dEb2}
i=h,j=Z
拼接字符串: dC5hoz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aQb2}
i=h,j=Z
拼接字符串: dC5ohz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aXF2}
i=i,j=Z
拼接字符串: dC5ioz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aRb2}
i=i,j=Z
拼接字符串: dC5oiz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aXJ2}
i=j,j=Z
拼接字符串: dC5joz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aSb2}
i=j,j=Z
拼接字符串: dC5ojz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aXN2}
i=k,j=Z
拼接字符串: dC5koz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aTb2}
i=k,j=Z
拼接字符串: dC5okz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aXR2}
i=l,j=Z
拼接字符串: dCl5oz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6eEb2}
i=l,j=Z
拼接字符串: dC5loz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aUb2}
i=l,j=Z
拼接字符串: dC5olz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aXV2}
i=m,j=Z
拼接字符串: dC5moz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aVb2}
i=m,j=Z
拼接字符串: dC5omz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aXZ2}
i=n,j=Z
拼接字符串: dC5noz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aWb2}
i=o,j=Z
拼接字符串: dC5ooz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aXb2}
i=o,j=Z
拼接字符串: dC5ooz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aXb2}
i=p,j=Z
拼接字符串: dCp5oz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6fEb2}
i=p,j=Z
拼接字符串: dC5poz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aYb2}
i=p,j=Z
拼接字符串: dC5opz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aXf2}
i=q,j=Z
拼接字符串: dC5qoz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aZb2}
i=q,j=Z
拼接字符串: dC5oqz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aXj2}
i=r,j=Z
拼接字符串: dC5orz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aXn2}
i=s,j=Z
拼接字符串: dC5osz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aXr2}
i=t,j=Z
拼接字符串: dCt5oz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6gEb2}
i=t,j=Z
拼接字符串: dC5otz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aXv2}
i=u,j=Z
拼接字符串: dC5ouz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aXz2}
i=x,j=Z
拼接字符串: dCx5oz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6hEb2}
i=x,j=Z
拼接字符串: dC5xoz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aab2}
i=y,j=Z
拼接字符串: dC5yoz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6abb2}
i=z,j=Z
拼接字符串: dC5zoz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6acb2}
i=A,j=Z
拼接字符串: dC5Aoz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6adb2}  # 最终的正确flag
i=B,j=Z
拼接字符串: dCB5oz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6iEb2}
i=B,j=Z
拼接字符串: dC5Boz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aeb2}
i=C,j=Z
拼接字符串: dC5Coz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6afb2}
i=D,j=Z
拼接字符串: dC5Doz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6agb2}
i=E,j=Z
拼接字符串: dC5Eoz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6ahb2}
i=F,j=Z
拼接字符串: dCF5oz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6jEb2}
i=F,j=Z
拼接字符串: dC5Foz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aib2}
i=G,j=Z
拼接字符串: dC5Goz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6ajb2}
i=H,j=Z
拼接字符串: dC5Hoz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6akb2}
i=I,j=Z
拼接字符串: dC5Ioz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6alb2}
i=J,j=Z
拼接字符串: dCJ5oz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6kEb2}
i=J,j=Z
拼接字符串: dC5Joz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6amb2}
i=K,j=Z
拼接字符串: dC5Koz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6anb2}
i=L,j=Z
拼接字符串: dC5Loz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aob2}
i=M,j=Z
拼接字符串: dC5Moz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6apb2}
i=N,j=Z
拼接字符串: dCN5oz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6lEb2}
i=N,j=Z
拼接字符串: dC5Noz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aqb2}
i=O,j=Z
拼接字符串: dC5Ooz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6arb2}
i=P,j=Z
拼接字符串: dC5Poz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6asb2}
i=Q,j=Z
拼接字符串: dC5Qoz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6atb2}
i=R,j=Z
拼接字符串: dCR5oz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6mEb2}
i=R,j=Z
拼接字符串: dC5Roz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6aub2}
i=S,j=Z
拼接字符串: dC5Soz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6avb2}
i=T,j=Z
拼接字符串: dC5Toz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6awb2}
i=U,j=Z
拼接字符串: dC5Uoz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6axb2}
i=V,j=Z
拼接字符串: dCV5oz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6nEb2}
i=V,j=Z
拼接字符串: dC5Voz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6ayb2}
i=W,j=Z
拼接字符串: dC5Woz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6azb2}
i=Z,j=Z
拼接字符串: dCZ5oz9Z,UTF-8字符串: flag{aa534ac5-2f1a-466c-baf7-1ad7edb6oEb2}

只有拼接A、Z的才是正确的flag，不知道为什么。