2024CISCN 初赛WP

战队名称：四象限守护者

战队排名：356名

火锅链观光打卡

下载一个metamask连接

androidso_re

不知道为什么动态调试的key为什么总是出错，下次可以试试hook

from base64 import b64decode
from Crypto.Cipher import DES
from Crypto.Util.Padding import unpad

def des_decrypt(ciphertext, key, iv):
    des = DES.new(key.encode(), DES.MODE_CBC, iv.encode())
    plaintext = unpad(des.decrypt(b64decode(ciphertext)), DES.block_size)
    return plaintext.decode()

ciphertext = 'JqslHrdvtgJrRs2QAp+FEVdwRPNLswrnykD/sZMivmjGRKUMVIC/rw=='
key = 'A8UdWaeq'
iv = 'Wf3DLups'  # 你需要提供一个正确的 IV
print(des_decrypt(ciphertext, key, iv))

#188cba3a5c0fbb2250b5a2e590c391ce

asm_re

ai化简的汇编有一定的问题，大体上方向一致

#include <stdio.h>
#include <string.h>

int main(int argc, const char **argv, const char **envp) {
    char __src[] = "flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}";
    char __dst[0x98];

    memcpy(__dst, __src, 0x98);

    int len = strlen(__dst);
    int i;

    for (i = 0; i < len; i++) {
        __dst[i] *= 0x50;
        __dst[i] += 0x14;
        __dst[i] ^= 0x4D;
        __dst[i] += 0x1E;
    }

    printf("%s\n", __dst);

    return 0;
}

a='flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}'
b=[0x00001FD7,
    0x000021B7,
    0x00001E47,
    0x00002027,
    0x000026E7,
    0x000010D7,
    0x00001127,
    0x00002007,
    0x000011C7,
    0x00001E47,
    0x00001017,
    0x00001017,
    0x000011F7,
    0x2007,
    0x1037,
    0x1107,
    0x1F17,
    0X10D7,
    0X1017,
   0X1017,
   0X1F67,
   0X1017,
   0X11C7,
   0X11C7,
   0X1017,
    0x00001FD7,
    0x00001F17,
    0x00001107,
    0x00000F47,
    0x00001127,
    0x00001037,
    0x1E47,
    0X1037,
    0x00001FD7,
    0x00001107,
    0x00001FD7,
    0x00001107,
    0x00002787
]
c=''
for i in b:
    c+=chr(int((((i-0X1E)^0x4D)-0x14)/0x50))
print(c)
print(len(a))
#flag{67e9a228e45b622c2992fb5174a4f5f5}
#38

gdb_debug

时间戳爆破

#include <stdio.h>
#include <stdlib.h>
#include <time.h>
int main() {
    int a;
    char j[39]="flag{11111111111111111111111111111111}";
    int d[5]={1, 184, 64, 189, 156};
    int k[38],b[38],c[38];
    for (unsigned int i = 0; i <= 0xF; ++i) {
        unsigned int address = i << 28;  // Shift the value of 'i' left by 28 bits
        srand(address & 0xF0000000);
        printf("%x\n",address);
        for(int i=0;i<38;i++)
        {
            a = rand();
            k[i]=a^j[i];
            printf("%x,",a&0xFF);
        }
        printf("\n");
        for(int i=0;i<38;i++)
        {
            b[i]=i;
        }
        for ( int i = 37; i; --i )
          {
            a=rand() % (i + 1);
            int temp;
            temp=b[i];
            b[i]=b[a];
            b[a]=temp;
          }
        for(int i=0;i<38;i++)
        {
            c[i]=k[b[i]];
            printf("%d,",b[i]);
        }
        printf("\n");
        for(int i=0;i<38;i++)
        {
            int temp=c[i];
            //c[i]=rand()^temp;
            printf("%x,",rand()&0xFF);
        }
        printf("\n");                                                                                                                                                                                                                                                 
    } 
    return 0;
}
/*-------------0------------
67,c6,69,73,51,ff,4a,ec,29,cd,ba,ab,f2,fb,e3,46,7c,c2,54,f8,1b,e8,e7,8d,76,5a,2e,63,33,9f,c9,9a,66,32,d,b7,31,58,
7,12,37,27,16,10,14,15,3,22,28,29,11,17,0,31,5,36,4,2,9,34,6,35,25,1,21,32,20,8,26,24,23,19,18,33,30,13,
97,ea,dc,6b,96,8f,38,5c,2a,ec,b0,3b,fb,32,af,3c,54,ec,18,db,5c,2,1a,fe,43,fb,fa,aa,3a,fb,29,d1,e6,5,3c,7c,94,75,
-------------10000000------------
62,7b,47,a6,ca,da,5d,f,49,bc,7f,23,36,25,dd,1f,11,50,d1,4,6d,34,99,83,39,35,59,f5,e,b4,c,70,2f,54,17,f9,2e,74,
37,16,1,14,21,11,24,4,23,22,28,2,10,27,12,20,0,7,26,9,6,18,15,19,5,31,25,32,3,8,30,33,36,35,17,13,29,34,
2c,d4,ba,eb,9d,11,ae,d2,9d,a,8b,61,9c,9d,1b,3c,63,e1,4c,58,fb,74,46,43,10,3d,4,dd,bc,60,11,e9,34,cb,d4,d1,dc,82,
-------------20000000------------
7e,61,7e,8e,41,2a,2d,2b,a6,5c,a,ee,ab,69,f3,86,dc,f6,43,b6,f8,40,ba,44,e9,93,f6,e5,f,6f,3b,8d,d1,b9,1b,12,e3,48,
16,3,17,34,11,12,6,32,7,19,5,27,9,33,23,21,14,28,24,10,31,26,25,29,15,35,36,22,0,1,30,37,13,2,8,20,4,18,
20,6e,5c,ae,d0,75,f3,2a,ce,f2,c8,11,84,5d,39,26,61,9c,54,36,b8,9e,1d,b7,31,43,41,68,b1,43,ee,d1,b1,4a,7f,81,bf,72,
-------------30000000------------
df,b9,30,b6,12,aa,b9,3c,7d,88,3d,47,76,1e,eb,bc,1d,63,65,d0,8,9c,8b,62,70,ff,d6,dc,b2,2c,17,91,e5,48,47,f7,f2,1,
23,7,0,14,30,27,28,22,33,4,8,9,37,2,35,17,10,18,3,29,32,6,15,34,11,1,21,25,20,24,13,16,31,19,36,5,26,12,
85,24,d7,32,29,f8,af,37,b5,b7,a8,e2,be,ee,ec,77,61,d,c2,ba,76,54,a,d1,e7,8e,9c,3,83,1e,1e,9,42,f6,3b,6c,ee,eb,
-------------40000000------------
d3,47,e7,32,21,10,39,3c,2c,b0,75,b3,60,b2,a3,fb,7e,97,ec,9e,e6,fc,f0,72,36,52,f3,53,6a,3e,9c,3e,85,83,70,a7,94,a9,
32,33,37,20,2,0,14,16,18,5,1,35,12,25,28,8,4,30,3,29,31,22,27,21,10,26,15,6,36,23,7,11,19,9,24,34,13,17,
ad,25,f5,36,d3,96,5e,67,34,75,6e,7,df,68,2e,b4,a0,f1,c6,5e,38,49,c3,12,76,c,ad,fc,ad,bb,3d,5a,e0,32,91,b3,c9,ef,
-------------50000000------------
fe,64,d0,df,4c,8f,d7,2a,8a,2b,43,37,b,ac,9a,64,e7,46,8c,1f,89,b4,f6,b1,58,6,b6,75,90,da,7e,8f,3e,4e,6e,8b,de,45,
35,32,13,1,34,28,19,2,23,15,24,29,3,18,25,9,12,30,6,26,20,21,22,0,17,10,7,33,5,16,31,36,27,11,14,8,4,37,
65,d9,47,f1,58,b3,9b,60,d3,3c,19,4c,e3,88,3a,1b,d2,a7,e1,5a,62,16,6d,fb,91,35,fc,7c,f6,9c,e3,5c,75,2a,4d,cd,dd,e8,
-------------60000000------------
d9,f,18,bd,c7,16,81,be,f8,4a,65,f2,5d,ab,2b,33,d4,a5,67,98,9f,7e,2b,5d,c2,af,8e,3a,4c,a5,75,25,b4,8d,e3,7b,a3,64,
18,14,27,30,17,5,7,1,16,34,6,23,22,8,25,19,4,15,2,13,37,12,3,21,28,20,11,26,24,9,29,35,31,32,36,10,0,33,
de,aa,42,fc,9,e8,b2,6,d,93,61,f4,24,49,15,1,d7,ab,4,18,cf,e9,d5,96,33,ca,f9,2a,5e,ea,2d,3c,94,6f,38,9d,58,ea,
-------------70000000------------
c8,f2,53,8a,52,41,5a,ee,f2,f1,f2,7a,a3,17,9c,87,38,63,69,2a,36,1f,e8,e5,1e,e8,ce,47,6d,d2,10,35,c4,63,bf,17,a5,19,
14,21,11,18,29,22,9,5,7,2,24,30,10,20,31,32,28,27,17,34,33,0,25,26,3,4,13,8,23,1,16,15,12,36,6,35,19,37,
b4,90,ab,fc,a0,49,6e,e7,6,c8,13,e1,b,d,3,ba,da,36,9f,6b,cc,42,13,7,ff,c0,d9,c7,66,bc,3d,1a,4c,e8,16,ec,31,84,
-------------80000000------------
5d,e0,20,ff,f6,50,2a,7,91,29,51,d5,b7,c4,95,7a,8f,fb,f7,95,d8,f3,aa,c7,69,78,4b,f2,82,4a,22,df,2b,42,de,21,93,8,
7,27,36,10,15,13,18,24,14,23,26,6,29,21,3,37,34,1,35,5,28,16,4,22,9,12,25,2,32,17,8,30,11,20,31,33,19,0,
eb,4e,4a,b9,d8,a5,1b,3b,f3,28,65,aa,ad,da,53,b4,9a,1f,9a,85,2d,5e,91,ce,2a,c5,93,28,73,53,f,5e,a1,5a,17,7a,ff,33,
-------------90000000------------
db,a1,1d,ca,e2,6b,d6,f8,87,4,87,1a,85,d3,34,2d,36,10,cb,5c,de,5e,6b,61,3e,cf,b5,68,65,1f,f,40,c0,2d,a,a2,98,e1,
9,20,8,6,34,11,13,29,5,37,23,7,24,15,17,16,2,31,36,19,10,14,35,27,32,0,25,26,21,3,12,22,18,4,30,33,28,1,
a8,4,39,d4,82,9b,5c,df,5b,50,9d,59,13,10,c0,3b,a3,36,a3,f5,d9,15,ea,14,69,7a,70,a1,2d,5,44,d5,9,7d,aa,8c,19,6,
-------------a0000000------------
c9,84,58,97,6e,97,b0,29,81,ab,14,a2,ca,3f,a5,80,9a,ce,cc,ee,75,fe,28,e9,9a,8,f5,76,86,4c,aa,4f,d0,3,e6,3e,9a,96,
14,4,35,13,28,9,29,7,18,2,8,15,17,31,6,21,11,23,33,32,19,34,37,16,24,10,26,20,12,3,30,27,0,36,1,22,25,5,
7f,e9,a2,d4,1a,fc,18,c0,54,85,4f,46,f9,d4,ae,f4,a6,c0,3e,48,d6,6e,28,85,35,70,50,3e,34,d7,54,b3,c1,f6,88,db,f2,a0,
-------------b0000000------------
a4,2e,a1,75,e8,1d,5a,bc,ef,ca,37,5d,1c,3e,36,50,87,2d,a8,67,8b,c8,5d,95,3,b1,cd,3b,41,17,a1,e6,46,42,5b,2e,5f,b5,
23,37,8,16,29,7,13,14,25,4,31,22,17,28,27,32,19,11,35,18,9,15,10,12,36,21,33,30,2,26,24,0,5,20,34,3,6,1,
f7,bb,9d,df,cb,31,2f,66,8e,dc,97,ee,3a,95,89,da,ab,c5,60,6,43,41,90,20,d7,5,4d,ed,9c,25,9e,94,e0,3c,73,ab,6d,a2,
-------------c0000000------------
cf,4c,89,22,13,9c,f8,aa,4d,45,4,e0,c8,38,2d,b9,f0,dc,48,e8,2e,80,64,d4,26,65,90,5c,67,b3,83,37,ff,d,59,12,a9,51,
5,22,0,9,10,26,27,4,31,8,14,35,24,2,3,20,29,18,6,37,17,7,19,15,32,16,28,1,30,11,23,25,33,13,36,34,12,21,
b0,6f,ef,9a,50,4e,6c,5f,2d,a3,42,33,3e,b6,95,41,dc,7a,7b,2,6d,e,3a,9,f2,2f,9c,6c,e5,6,44,95,75,33,2f,c5,81,9c,
-------------d0000000------------
c3,da,40,9e,23,2,77,aa,fc,6d,3c,4c,b1,cc,e5,f7,51,10,cf,b6,c,e1,c9,e4,ec,b8,ad,d3,20,c5,8,e3,9f,48,82,c2,4b,f9,
34,14,1,30,25,29,0,23,20,37,36,4,19,8,22,24,5,9,6,2,13,7,11,28,33,3,17,32,16,18,15,21,31,12,10,27,35,26,
d7,70,d,9e,f9,ec,1b,8f,ac,61,8,58,5f,2f,d7,7e,1b,5f,80,a6,2f,4,f3,4a,81,ad,ac,66,f,a3,63,e7,13,70,85,c,5c,a0,
-------------e0000000------------
25,31,f3,c6,f3,82,4,bb,d3,99,6f,a5,7d,81,dd,2e,92,7d,f0,d0,1c,3c,99,2,73,24,8d,ca,c3,82,e4,e8,b3,d7,ae,a7,5a,b2,
4,14,31,15,18,2,24,17,22,26,33,21,5,36,0,23,1,35,32,3,30,9,12,25,8,11,34,13,7,10,29,19,16,37,28,27,6,20,
3d,26,88,22,53,6f,d7,9c,93,26,e8,29,99,c1,8a,cf,1c,d0,ed,2a,ed,b9,e0,64,37,f8,8,1,e2,7e,93,1f,a4,1b,41,f7,8b,18,
-------------f0000000------------
41,18,29,ae,6a,d2,d3,d8,30,39,fa,70,f2,c5,f3,95,5d,23,62,82,a7,49,ba,c3,23,82,2a,bb,c3,3d,13,4,55,3c,b2,c0,f,86,
2,27,32,7,20,21,22,30,8,6,13,11,14,0,34,9,15,5,24,28,1,31,16,25,18,36,12,10,37,26,29,23,3,17,35,19,33,4,
30,bf,2a,e5,86,d3,1c,f4,c4,e,25,d9,82,81,a8,b9,1a,8b,f5,8,aa,e4,b7,d8,58,fd,45,8c,d6,61,70,7,21,9b,ec,a7,6e,9,*/

a='congratulationstoyoucongratulationstoy'
b=[191, 215, 46, 218, 238, 168, 26, 16, 131, 115, 172, 241, 6, 190, 173, 136, 4, 215, 18, 254, 181, 226, 97, 183, 61, 7, 74, 232, 150, 162, 157, 77, 188, 129, 140, 233, 136, 120]
c=[]
d=[]
shu1=[]
shu2=[]
shu3=[]
for i in range(38):
    c.append(ord(a[i])^b[i])
f=open(r"D:\desktop\编程\ctf\CISCN\RE\gdb_debug\2.txt").readlines()
for i in range(0,64,4):
    d=[0 for k in range(38)]
    m=[0 for k in range(38)]
    shu1=f[i+1].strip().split(",")
    shu2 = f[i + 2].strip().split(",")
    shu3 = f[i + 3].strip().split(",")
    for j in range(38):
        m[j] = c[j] ^ int(shu3[j],16)
    for k in range(38):
        #d.append(c[shu2.shu2(chr(k+48))])
        d[int(shu2[k])]=m[k]
    for l in range(38):
        d[l] = d[l] ^ int(shu1[l],16)
    for cs in d:
        print(chr(cs),end='')
    print()
#[9¶4À_§Gü9 µv —Û,¸ƒVîµ[<ºZQӂ™sÄ
j¾à}…p@êoŠûói‹V}{(—­5ñùh¸]ô+o™”ÝɄ
5áÛX:°
&±·¢ùø ê0VäšO£Àål<ãž7œ½
ò7ïœéd¹0èÆÉq>Ù;­aßís¢ EFÅ6Ö
Œñ¨‰êwXèdmLÍ֜“h|y7­m>4
XꙟšëÃÐô^8Ã
Õ(ÕUvƒKèÚÌò²«(J¸˜Ôê=/”™âgÓêw…_¯ª2¦¬
flag{78bace5989660ee38f1fd980a4b4fbcd}
‰:ôó¨ñ‘<ðô¹ì(üë7hyÕôßÜîiè‚y_f¢œ
oQ•rh^0wLU§¨‰>\k‚mù´ý7ÕöyŽX7¢¥/ƙ@
ǦÕpß¿9þpˆH(á¬íñ"b‰š$D‰¬›¥ZØæ<GF£
Ûóσ?6ÀŒžoV^Ï^wîÖön‡à›á :K@܃±
ÇC&.ÐD2_¨6ì5œå~%§X«+¾tÐ+l@Ñ©`1×3Ƕ
`½ïi)ðþ)übÈ%®ä·`¹gœÝ“³yqÔ^ŜõB«¹yØ
¶—mUãrŠ#œF°.5-}¤‚¯€O"ÀnÝBºà+#d†‰y›Š
qFUgrh£«­Ò;’C±å„?ëå1ʐ¹ }øß #ç˜ÙKF
dÅ\b÷π|ë1‰8äåWu¸½SÈ૊ˆ¼@¤‚m?µÄӔª

whereThel1b

import whereThel1b
import itertools

# 初始flag结构
flag_template = 'a'*42

# 目标加密值
target_encryption = [108, 117, 72, 80, 64, 49, 99, 19, 69, 115, 94, 93, 94, 115, 71, 95, 84, 89, 56, 101, 70, 2, 84, 75,
                     127, 68, 103, 85, 105, 113, 80, 103, 95, 67, 81, 7, 113, 70, 47, 73, 92, 124, 93, 120, 104, 108,
                     106, 17, 80, 102, 101, 75, 93, 68, 121, 26]

# 字符集
charset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-@_{}'

# 分段破解，每次破解三个字符
for i in range(0, 41, 3):  # 从第个字符开始
    found = False
    for combo in itertools.product(charset, repeat=3):
        # 替换当前部分
        test_flag_list = list(flag_template)
        test_flag_list[i:i + 3] = combo
        test_flag = ''.join(test_flag_list)
        test_flag_bytes = test_flag.encode()

        # 加密并获取结果
        whereThel1b.whereistheflag(test_flag_bytes)
        result = whereThel1b.trytry(test_flag_bytes)

        # 比较当前三字符对应的四个加密值是否匹配
        if result[int((i+3)/3-1)*4:(int((i+3)/3-1)*4)+4] == target_encryption[int((i+3)/3-1)*4:(int((i+3)/3-1)*4)+4]:
            found = True
            flag_template = test_flag  # 更新flag模板
            print(f"Match found for position {i}-{i + 2}: {''.join(combo)}")
            break

    if not found:
        print(f"No matching flag part found for position {i}-{i + 2}.")
        break

# 输出最终flag
print("Final flag:", flag_template)
#Final flag: flag{7f9a2d3c-07de-11ef-be5e-cf1e88674c0b}