BeginCTF 2024(新生赛道)WP-P1sc3s007

1. xor

算法不复杂,就是大量的异或,慢慢还原就好

a1 = 6329079420771558
a2 = 7679621386735000
a3 = flag前16
a4 = flag后16
a3和a2逐位异或
a4和a1逐位异或
a3   a1               
a4   a2                

a3和a2倒序异或
a4   a1
a3   a1
a4   a2

a5前16=a4
a5后16=a3
a6 = 4180387362590136
a7 = 3092606632787947

a8 = a5前16
a9 = a5后16
a8和a7逐位异或
a9和a6逐位异或

a8^a6
a9^a7
a8^a7倒序
a9^a6倒序

a8^a6倒序
a9^a7倒序
enc前16 = a9
enc后16 = a8

enc = `agh{^bvuwTooahlYocPtmyiijj|ek'p
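#include <stdio.h>

/* XOR the 16 bytes of buf with the key bytes at the same positions. */
static void xor_same_index(char *buf, const char *key)
{
    int i;

    for (i = 0; i < 16; ++i)
        buf[i] ^= key[i];
}

/*
 * XOR buf[i] with key[16 - i]. For i == 0 the index is 16, which is the NUL
 * terminator of the key string, so byte 0 is left unchanged and key[0] is
 * never used. key must point at a buffer of at least 17 bytes.
 */
static void xor_mirrored_index(char *buf, const char *key)
{
    int i;

    for (i = 0; i < 16; ++i)
        buf[i] ^= key[16 - i];
}

/*
 * Solver for challenge 1 ("xor"): splits enc into two 16-byte halves, undoes
 * the second XOR round (keys a6/a7), swaps the halves back, undoes the first
 * round (keys a1/a2) and prints the recovered flag.
 *
 * Every half is XORed with both keys of a round in both index orders, so the
 * order of the steps (and which digit string is called a6 or a7) does not
 * change the result.
 */
int main()
{
    char enc[] = "`agh{^bvuwTooahlYocPtmyiijj|ek'p";
    /*
     * 16 digits + NUL. With 16-byte arrays the [16 - i] accesses read one
     * byte past the end for i == 0; with the terminator in place that byte
     * is 0, which gives 'f' as the first output character.
     */
    char a7[17] = "4180387362590136";
    char a6[17] = "3092606632787947";
    char a2[17] = "7679621386735000";
    char a1[17] = "6329079420771558";
    char a9[16] = { 0 };
    char a8[16] = { 0 };
    char a5[32] = { 0 };
    char a4[16] = { 0 };
    char a3[16] = { 0 };
    char flag[33] = { 0 }; /* 32 characters + NUL so printf("%s") stops */
    int i;

    /* enc = a9 || a8 */
    for (i = 0; i < 16; ++i)
    {
        a9[i] = enc[i];
        a8[i] = enc[i + 16];
    }

    /* Undo the second round. */
    xor_mirrored_index(a9, a7);
    xor_mirrored_index(a8, a6);
    xor_mirrored_index(a9, a6);
    xor_mirrored_index(a8, a7);
    xor_same_index(a9, a7);
    xor_same_index(a8, a6);
    xor_same_index(a9, a6);
    xor_same_index(a8, a7);

    /* a5 = a8 || a9, then a4 = first half of a5 and a3 = second half. */
    for (i = 0; i < 16; ++i)
    {
        a5[i] = a8[i];
        a5[i + 16] = a9[i];
    }
    for (i = 0; i < 16; ++i)
    {
        a4[i] = a5[i];
        a3[i] = a5[i + 16];
    }

    /* Undo the first round. */
    xor_mirrored_index(a4, a2);
    xor_mirrored_index(a3, a1);
    xor_mirrored_index(a4, a1);
    xor_mirrored_index(a3, a2);
    xor_same_index(a4, a2);
    xor_same_index(a3, a1);
    xor_same_index(a4, a1);
    xor_same_index(a3, a2);

    /* flag = a3 || a4 */
    for (i = 0; i < 16; ++i)
    {
        flag[i] = a3[i];
        flag[i + 16] = a4[i];
    }
    printf("%s", flag);
    //flag{Virus_gonna_be_terminated!}
    return 0;
}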

2. real check in

BeginCTF 2024(新生赛道)WP-P1sc3s007_第1张图片

base一把梭

BeginCTF 2024(新生赛道)WP-P1sc3s007_第2张图片

3. real checkin xor
#chal wp
def verify_func(ciper, key):
    """XOR each integer of ``ciper`` with the repeating characters of ``key``.

    ``key`` is cycled when it is shorter than ``ciper``. Because XOR is its
    own inverse, the same routine turns ciphertext back into plaintext.
    Returns a list of integers, one per input element.
    """
    return [value ^ ord(key[pos % len(key)]) for pos, value in enumerate(ciper)]
# Ciphertext integers and the repeating XOR key.
secret = [7, 31, 56, 25, 23, 15, 91, 21, 49, 15, 33, 88, 26, 48, 60, 58, 4, 86, 36, 64, 23, 54, 63, 0, 54, 22, 6, 55, 59, 38, 108, 39, 45, 23, 102, 27, 11, 56, 32, 0, 82, 24]
key = "ez_python_xor_reverse"
# XORing the ciphertext with the same key stream gives back the plaintext codes.
flag0 = verify_func(secret, key)
flag = ''.join(map(chr, flag0))
print(flag)
#begin{3z_PY7hoN_r3V3rSE_For_TH3_Be9inNEr!}
4. 俄语学习
rus = нечегонечегонечего
key1 = key = rus -114
//rc4init(s,key,keylen)
key2 = flag + key1 -112 (取最短)
//rc4_encrypt(s,key2,key2len)
str1 = +i&[@Y:g8[&l$f8S8v$Y&e>{
//rc4_encrypt(s,str1,str1len)
key2 = str1

几个问答全都没用,看中间关键的几个加密函数

中间涉及到rc4,但是最后用于比对的key2和str1经过同一个S盒的RC4加密,两边异或上的是相同的密钥流,比较密文就相当于直接比较明文,等于没加密

那几个长得像key的字符串是有用的,排除干扰之后逻辑非常简单

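#include <stdio.h>
#include <string.h>
/*
 * Solver for challenge 4: derives key1 from the Russian string (each byte
 * minus 114) and inverts "key2 = flag + key1 - 112" byte by byte.
 *
 * NOTE: key1 only comes out as the printable "5m5d..." string when the
 * Cyrillic literal is stored as two-byte GBK/GB2312 sequences (0xA7 0xDF for
 * the first letter). Compiled from a UTF-8 source file the bytes differ and
 * the subtraction yields other values.
 */
int main()
{
    int i;
    int rus_len;
    int key2_len;
    char rus[38] = "нечегонечегонечего";   /* 36 bytes + NUL when GBK-encoded */
    char key2[26] = "+i&[@Y:g8[&l$f8S8v$Y&e>{"; /* 24 chars + NUL */
    char key1[38] = { 0 };
    char flag[26] = { 0 };

    /*
     * Stop before the terminator: transforming the NUL as well would store a
     * non-zero byte at the end of key1 and lengthen the string by one.
     */
    rus_len = (int)strlen(rus);
    for (i = 0; i < rus_len; ++i)
        key1[i] = rus[i] - 114;
    /* strlen returns size_t, so cast it to match the %d conversion. */
    printf("%s   %d", key1, (int)strlen(key1));//5m5d5w5d5b5n5m5d5w5d5b5n5m5d5w5d5b5n 36

    /* Only the first strlen(key2) bytes of key1 are needed ("take the shorter"). */
    key2_len = (int)strlen(key2);
    for (i = 0; i < key2_len; ++i)
        flag[i] = key2[i] - key1[i] + 112;
    printf("%s", flag);//flag{Russian_is_so_easy}
    return 0;
}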
5. 红白机

脑洞题……原本在手搓,但实际上只要找一个编译器跑一遍就可以

Easy 6502

BeginCTF 2024(新生赛道)WP-P1sc3s007_第3张图片

6. ezpython

卡版本很恶心:pyinstxtractor.py必须用和打包时相同的Python版本运行,所以必须先下载python3.8再使用pyinstxtractor.py,才能提取出PYZ里作者自定义的一些文件

from gmssl import sm4
from secret import key, enc
import base64
 
def pad_pkcs7(data):
    """Append PKCS#7 padding so the length becomes a multiple of 16.

    Input that is already block-aligned receives a full block of sixteen
    0x10 bytes.
    """
    fill = 16 - (len(data) % 16)
    return data + bytes([fill]) * fill
 
 
def unpad_pkcs7(padded_data):
    """Strip PKCS#7 padding by dropping as many bytes as the last byte says.

    The padding bytes themselves are not checked, and empty input raises
    IndexError.
    """
    return padded_data[:-padded_data[-1]]
 
 
class SM4:
    """Small wrapper around gmssl's CryptSM4 that the program uses to encrypt input."""

    def __init__(self):
        # A single cipher object is kept and re-keyed on every call.
        self.gmsm4 = sm4.CryptSM4()

    def encryptSM4(self, encrypt_key, value):
        """Encrypt the string ``value`` under ``encrypt_key``; return base64 bytes.

        Both arguments are strings and are encoded before use. The plaintext
        is padded with pad_pkcs7 and encrypted in ECB mode.
        """
        cipher = self.gmsm4
        cipher.set_key(encrypt_key.encode(), sm4.SM4_ENCRYPT)
        ciphertext = cipher.crypt_ecb(pad_pkcs7(value.encode()))
        return base64.b64encode(ciphertext)
 
 
if __name__ == '__main__':
    # Read a candidate flag, encrypt it with the key from the secret module
    # and compare the base64 result with the stored ciphertext.
    print('请输入你的flag:')
    flag = input()
    sm4_instance = SM4()
    flag_1 = sm4_instance.encryptSM4(key, flag)
    print('恭喜你获得flag' if flag_1 == enc else 'flag错误!!')

发现key,enc在secret文件里,路径是ezpython.exe_extracted\PYZ-00.pyz_extracted

key = 'BeginCTFBeginCTF'
enc = b'JmjJEAJGMT6F9bmC+Vyxy8Z1lpfaJzdEX6BGG/qgqUjUpQaYSON1CnZyX9YXTEClSRYm7PFZtGxmJw6LPuw1ww=='

还是解不出来,于是对比一下程序里引用的sm4(ezpython.exe_extracted\PYZ-00.pyz_extracted\gmssl)和库里默认的sm4(\lib\site-packages\gmssl\__pycache__),看是不是有魔改

BeginCTF 2024(新生赛道)WP-P1sc3s007_第4张图片

BeginCTF 2024(新生赛道)WP-P1sc3s007_第5张图片

偷偷加了一行异或

解密的时候记得异或一下key就可以了

#ezp
from gmssl import sm4
import base64
def pad_pkcs7(data):
    """Return ``data`` extended with PKCS#7 padding for a 16-byte block size."""
    missing = 16 - len(data) % 16
    # Each padding byte carries the number of bytes that were added.
    return data + bytes(missing for _ in range(missing))
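def unpad_pkcs7(padded_data):
    """Remove PKCS#7 padding for a 16-byte block size.

    Args:
        padded_data: bytes ending in PKCS#7 padding.

    Returns:
        The input without its padding bytes.

    Raises:
        ValueError: if the input is empty, the final byte is not a length in
            1..16 (or exceeds the input length), or the trailing bytes are
            not all equal to that length.
    """
    if not padded_data:
        raise ValueError("cannot unpad empty data")
    padding_len = padded_data[-1]
    # A length of 0 would make the slice below return an empty result and
    # silently discard the whole message, so reject it explicitly.
    if not 1 <= padding_len <= 16 or padding_len > len(padded_data):
        raise ValueError("invalid PKCS#7 padding length")
    if padded_data[-padding_len:] != bytes([padding_len]) * padding_len:
        raise ValueError("invalid PKCS#7 padding bytes")
    return padded_data[:-padding_len]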
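class SM4:
    """Wrapper around gmssl's CryptSM4 for decrypting the challenge ciphertext."""

    def __init__(self):
        self.gmsm4 = sm4.CryptSM4()

    def decryptSM4(self, decrypt_key, value):
        """Decrypt raw ciphertext bytes with SM4 in ECB mode.

        Args:
            decrypt_key: key as a string; it is encoded before use.
            value: ciphertext bytes (already base64-decoded).

        Returns:
            The bytes returned by crypt_ecb. The encrypting program pads the
            flag with pad_pkcs7 before calling crypt_ecb, so the result may
            still end with that padding; unpad_pkcs7 strips it. How much
            padding the library removes itself depends on the installed
            gmssl version and should be confirmed.

        Raises:
            ValueError: if the ciphertext length is not a multiple of 16.
        """
        if len(value) % 16 != 0:
            raise ValueError("ciphertext length must be a multiple of 16")
        gmsm4 = self.gmsm4
        gmsm4.set_key(decrypt_key.encode(), sm4.SM4_DECRYPT)
        # The ciphertext goes in unchanged. Padding belongs on the plaintext
        # before encryption; appending pad bytes here would add a block the
        # cipher never produced, which decrypts to garbage at the end.
        return gmsm4.crypt_ecb(value)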
# Per the write-up, the bundled gmssl copy XORs the key, so the stock library
# is given the key with every character XORed with 37.
key0 = 'BeginCTFBeginCTF'
key = ''.join(chr(ord(ch) ^ 37) for ch in key0)

enc = b'JmjJEAJGMT6F9bmC+Vyxy8Z1lpfaJzdEX6BGG/qgqUjUpQaYSON1CnZyX9YXTEClSRYm7PFZtGxmJw6LPuw1ww=='
sm4_instance = SM4()
# enc is base64 text; decode it to raw ciphertext bytes before decrypting.
raw_ciphertext = base64.b64decode(enc)
flag = sm4_instance.decryptSM4(key, raw_ciphertext)
print(flag)
#flag{Pay_M0re_@ttention_to_th3_key!!}

7. where is crazyman v1.0

谷歌地图搜一下,或者直接猜二次元圣地
