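streamgame1 challenge

Well, looking at this challenge, the flag is only 19 bits long, in binary, so I worked out there are 524287 possible flags in total and went straight to brute-forcing it with code. It took about 3 minutes? An unintended solution.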

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Time : 2018/3/24 9:38 AM
# @Author : tudoudou
# @File : ddd.py
# @Software: PyCharm
# from flag import flag
# flag{1110101100001101011}
# 524287


def lfsr(R, mask):
    # One LFSR step: shift left, feed back the parity of the tapped bits.
    output = (R << 1) & 0xffffff
    i = (R & mask) & 0xffffff
    lastbit = 0
    while i != 0:
        lastbit ^= (i & 1)
        i = i >> 1
    output ^= lastbit
    return (output, lastbit)


mask = 0b1010011000100011100

for num in range(524287):
    # Candidate seed as a zero-padded 19-bit binary string.
    s = bin(num)[2:]
    while len(s) < 19:
        s = '0' + s
    print(s)
    flag = 'flag{' + s + "}"
    assert flag.startswith("flag{")
    assert flag.endswith("}")
    assert len(flag) == 25

    R = int(flag[5:-1], 2)
    # Append this candidate's 12 keystream bytes to the file "key".
    f = open("key", "ab")
    for i in range(12):
        tmp = 0
        for j in range(8):
            (R, out) = lfsr(R, mask)
            tmp = (tmp << 1) ^ out
        # bytearray() writes one raw byte on both Python 2 and Python 3.
        f.write(bytearray([tmp]))
    f.close()
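The search above with the comparison step made explicit, as an added example that is not the author's script: it rebuilds the streamgame1 LFSR, constructs a target keystream from the seed in the script's comment (a constructed input, not the challenge's key file), and recovers that seed by trying all 2**19 values. The helper names keystream, matches and recover_seeds are hypothetical.

```python
# Added example (not the author's script). MASK and the 12-byte output length
# come from the streamgame1 script; the target keystream is constructed here
# from the seed in that script's comment, not read from the challenge file.
MASK = 0b1010011000100011100
NBITS = 19


def lfsr(R, mask):
    """One step of the script's LFSR: returns (new_state, output_bit)."""
    lastbit = bin(R & mask & 0xffffff).count("1") & 1  # parity of tapped bits
    return ((R << 1) & 0xffffff) ^ lastbit, lastbit


def keystream(seed, nbytes=12):
    """Keystream bytes the challenge script would write for this seed."""
    R, out = seed, bytearray()
    for _ in range(nbytes):
        tmp = 0
        for _ in range(8):
            R, bit = lfsr(R, MASK)
            tmp = (tmp << 1) ^ bit
        out.append(tmp)
    return bytes(out)


def matches(seed, target):
    """Compare bit by bit and stop at the first mismatch."""
    R = seed
    for byte in bytearray(target):
        for shift in range(7, -1, -1):
            R, bit = lfsr(R, MASK)
            if bit != (byte >> shift) & 1:
                return False
    return True


def recover_seeds(target):
    """Exhaustive search over all 2**NBITS seeds; returns every match."""
    return [s for s in range(1 << NBITS) if matches(s, target)]


if __name__ == "__main__":
    target = keystream(0b1110101100001101011)  # constructed sample input
    for seed in recover_seeds(target):
        print("flag{" + format(seed, "019b") + "}")
```

Rejecting a candidate at its first wrong output bit means most seeds cost only one or two LFSR steps, so the whole 19-bit space is covered in seconds. A seed this short gives no protection once any keystream is known.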

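streamgame2 challenge

Same as the previous challenge. The total number of flags is 2097151, which is not that many either, so I kept up the brute-force spirit. With the experience from the previous challenge, I guessed that the secret lies in the middle-to-later part of all possible flags, so I simply dropped more than half and started brute-forcing from 1000000? That cut out more than half of the work. Here is the code.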

# 2097151
# flag{110111100101001101001}


def lfsr(R, mask):
    # One LFSR step: shift left, feed back the parity of the tapped bits.
    output = (R << 1) & 0xffffff
    i = (R & mask) & 0xffffff
    lastbit = 0
    while i != 0:
        lastbit ^= (i & 1)
        i = i >> 1
    output ^= lastbit
    return (output, lastbit)


mask = 0x100002

for num in range(2097151):
    # Candidate seed as a zero-padded 21-bit binary string.
    s = bin(num)[2:]
    while len(s) < 21:
        s = '0' + s
    print(s)
    flag = 'flag{' + s + "}"
    assert flag.startswith("flag{")
    assert flag.endswith("}")
    assert len(flag) == 27

    R = int(flag[5:-1], 2)
    # Append this candidate's 12 keystream bytes to the file "key".
    f = open("key", "ab")
    for i in range(12):
        tmp = 0
        for j in range(8):
            (R, out) = lfsr(R, mask)
            tmp = (tmp << 1) ^ out
        # bytearray() writes one raw byte on both Python 2 and Python 3.
        f.write(bytearray([tmp]))
    f.close()

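streamgame4 challenge

I thought it was over after two streamgame challenges, but unexpectedly another one showed up, slightly bigger? Tweak the code and keep up the brute-force spirit, wahaha. This one is actually easier to brute-force, although luck plays a part. Here comes another round of heavy-handed code. Note: I again guessed that the flag must be in the middle-to-later part, so there was no need for a large-scale brute force; it took less than 10 minutes?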

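# 2097151


def nlfsr(R, mask):
    # Like lfsr(), but the lowest tapped bit is ANDed into lastbit
    # instead of XORed; all remaining bits are XORed.
    output = (R << 1) & 0xffffff
    i = (R & mask) & 0xffffff
    lastbit = 0
    changesign = True
    while i != 0:
        if changesign:
            lastbit &= (i & 1)
            changesign = False
        else:
            lastbit ^= (i & 1)
        i = i >> 1
    output ^= lastbit
    return (output, lastbit)


mask = 0b110110011011001101110

# Assumption: fs holds the challenge's keystream. The original snippet uses fs
# without defining it; the file name "key" is taken from the scripts above.
fs = open("key", "rb").read()

for temp in range(1200000, 2097151):
    # Candidate seed as a zero-padded 21-bit binary string.
    s = bin(temp)[2:]
    while len(s) < 21:
        s = '0' + s
    flag = 'flag{' + s + "}"
    assert flag.startswith("flag{")
    assert flag.endswith("}")
    assert len(flag) == 27

    R = int(flag[5:-1], 2)
    # First 10 keystream bytes for this candidate.
    a = bytearray()
    for i in range(10):
        tmp = 0
        for j in range(8):
            (R, out) = nlfsr(R, mask)
            tmp = (tmp << 1) ^ out
        a.append(tmp)
    # Report the candidate if its bytes appear in the first 15 bytes of fs.
    if bytes(a) in fs[:15]:
        print(flag)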

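Summary

Embrace the spirit of brute force: I don't know how to do anything else, just brute-forcing. A completely unintended solution, perfectly delivered. Being cheeky is just this much fun; if you don't like it, come and bite me~~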