泷羽CTF_crypto&re

re

jeb

安卓逆向,扔到jadx里面,先尝试搜索flag,然后发现了flag{,点进去,发现下面这个校验序列号的类:

package com.example.crackme;

import android.app.Activity;
import android.os.Bundle;
import android.view.Menu;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.Toast;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/* loaded from: classes.dex */
/**
 * Decompiled (jadx) main activity of the crackme: it shows a serial-number field and a
 * register button, and validates the entered serial entirely inside the app.
 *
 * The expected serial is computed in checkSN() from a user name that onCreate() sets to a
 * constant, so every input of the check is visible in this class and no secret is involved.
 */
public class MainActivity extends Activity {
    private Button btn_register;
    private EditText edit_sn;
    // Despite the "edit_" prefix this is a plain String, not a widget; onCreate() assigns it a constant.
    String edit_userName;

    /**
     * Builds the UI, fixes the user name to "Tenshine" and wires the register button to checkSN().
     */
    @Override // android.app.Activity
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(C0236R.layout.activity_main);
        setTitle(C0236R.string.unregister);
        // Hard-coded user name: the only variable input of the serial derivation is a constant.
        this.edit_userName = "Tenshine";
        this.edit_sn = (EditText) findViewById(C0236R.id.edit_sn);
        this.btn_register = (Button) findViewById(C0236R.id.button_register);
        this.btn_register.setOnClickListener(new View.OnClickListener() { // from class: com.example.crackme.MainActivity.1
            @Override // android.view.View.OnClickListener
            public void onClick(View v) {
                // Both values are trimmed before the check; a failed check only shows a toast.
                // The duration argument 0 is the value of Toast.LENGTH_SHORT.
                if (!MainActivity.this.checkSN(MainActivity.this.edit_userName.trim(), MainActivity.this.edit_sn.getText().toString().trim())) {
                    Toast.makeText(MainActivity.this, C0236R.string.unsuccessed, 0).show();
                    return;
                }
                // Success path: confirm, disable the button and switch the title to "registered".
                Toast.makeText(MainActivity.this, C0236R.string.successed, 0).show();
                MainActivity.this.btn_register.setEnabled(false);
                MainActivity.this.setTitle(C0236R.string.registered);
            }
        });
    }

    /** Inflates the activity's options menu and reports that it should be shown. */
    @Override // android.app.Activity
    public boolean onCreateOptionsMenu(Menu menu) {
        getMenuInflater().inflate(C0236R.menu.activity_main, menu);
        return true;
    }

    /**
     * Checks a serial number against the value derived from the user name.
     *
     * The expected serial is "flag{" + every second character (indices 0, 2, 4, ...) of the
     * hex-encoded MD5 of the user name + "}". MD5 yields 32 hex characters, so 16 are kept and
     * the full serial is 5 + 16 + 1 = 22 characters, which is what the length test enforces.
     *
     * @param userName name the serial is derived from; null or empty is rejected
     * @param sn       serial entered by the user; null or a length other than 22 is rejected
     * @return true when sn equals the derived serial, compared case-insensitively
     */
    /* JADX INFO: Access modifiers changed from: private */
    public boolean checkSN(String userName, String sn) {
        if (userName == null) {
            return false;
        }
        try {
            if (userName.length() == 0 || sn == null || sn.length() != 22) {
                return false;
            }
            MessageDigest digest = MessageDigest.getInstance("MD5");
            digest.reset();
            // getBytes() without a charset argument uses the platform default charset.
            digest.update(userName.getBytes());
            byte[] bytes = digest.digest();
            String hexstr = toHexString(bytes, "");
            StringBuilder sb = new StringBuilder();
            // Step of 2: keep only the characters at even indices of the hex string.
            for (int i = 0; i < hexstr.length(); i += 2) {
                sb.append(hexstr.charAt(i));
            }
            String userSN = sb.toString();
            // The comparison value is built from public inputs only; anyone who can read this
            // method can recompute it, so the check does not protect anything.
            return new StringBuilder().append("flag{").append(userSN).append("}").toString().equalsIgnoreCase(sn);
        } catch (NoSuchAlgorithmException e) {
            // An unavailable MD5 provider is treated as a failed check.
            e.printStackTrace();
            return false;
        }
    }

    /**
     * Hex-encodes a byte array as two lowercase digits per byte.
     *
     * @param bytes     bytes to encode
     * @param separator string appended after every byte, including the last one
     * @return the encoded string
     */
    private static String toHexString(byte[] bytes, String separator) {
        StringBuilder hexString = new StringBuilder();
        for (byte b : bytes) {
            // "& 255" turns the signed byte into 0..255 before formatting.
            String hex = Integer.toHexString(b & 255);
            if (hex.length() == 1) {
                // Integer.toHexString drops leading zeros; pad to two digits.
                hexString.append('0');
            }
            hexString.append(hex).append(separator);
        }
        return hexString.toString();
    }
}

发现了生成flag的方法(用户名的MD5十六进制串隔一位取一个字符,再套上flag{}),直接用Python复现:

import hashlib

def to_hex_string(bytes, separator=""):
    """Return each value of *bytes* as two lowercase hex digits, joined by *separator*.

    The separator is placed between the encoded bytes only (no trailing
    separator); the script always calls this with the default empty separator.
    """
    return separator.join(f"{octet:02x}" for octet in bytes)

def generate_sn(user_name):
    """Recompute the serial that the app's checkSN() accepts for *user_name*.

    Returns None for a None or empty name. Otherwise the serial is ``flag{...}``
    wrapped around every second character (indices 0, 2, 4, ...) of the MD5 hex
    digest of the name, i.e. 16 hex characters.
    """
    if user_name is None or len(user_name) == 0:
        return None

    # hexdigest() yields the same 32 lowercase hex characters the app builds by hand.
    digest_hex = hashlib.md5(user_name.encode()).hexdigest()
    user_sn = digest_hex[::2]
    return "flag{" + user_sn + "}"

# Same constant that MainActivity.onCreate() assigns to edit_userName.
user_name = "Tenshine"

# Derive the matching serial offline and print it.
sn = generate_sn(user_name)
print("序列号:", sn)

pyc

python逆向,先使用pyinstxtractor.py将exe文件转换成pyc文件,然后uncompyle6 abc_text.pyc,直接发现加密方式

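def check():
    """Prompt for a flag and compare it, character by character, with table ``c``.

    A character at position i is accepted when ``ord(ch) * 33 % 179 == c[i]``.
    The multiplier and modulus are constants in the code, so the table can be
    mapped back to the expected input without running the program.

    Returns 0 when the length is not 42 and None otherwise (as in the
    decompiled output); the result is only reported through print().
    """
    a = input('plz input your flag:')
    c = [144, 163, 158, 177, 121, 39, 58, 58, 91, 111, 25, 158, 72, 53, 152,
         78, 171, 12, 53, 105, 45, 12, 12, 53, 12, 171, 111, 91, 53,
         152, 105, 45, 152, 144, 39, 171, 45, 91, 78, 45, 158, 8]
    if len(a) != 42:
        print('wrong length')
        return 0
    b = 179
    for i in range(len(a)):
        if ord(a[i]) * 33 % b != c[i]:
            print('wrong')
            return
    # Reached only when every character matched; at module level this line
    # would run unconditionally, before check() is even called.
    print('win')


check()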

exp

# Target table and modulus copied from the decompiled check().
c = [144, 163, 158, 177, 121, 39, 58, 58, 91, 111, 25, 158, 72, 53, 152,
     78, 171, 12, 53, 105, 45, 12, 12, 53, 12, 171, 111, 91, 53,
     152, 105, 45, 152, 144, 39, 171, 45, 91, 78, 45, 158, 8]
b = 179

# Precompute residue -> character for every ASCII code. 179 is prime and all
# codes are below it, so no two codes share a residue and the table is unambiguous.
decode_table = {(code * 33) % b: chr(code) for code in range(128)}

# A residue with no ASCII preimage contributes nothing, as in a search that finds no match.
flag = ''.join(decode_table.get(value, '') for value in c)

print("Flag is:", flag)

re1

扔到ida里面就看见了

Baidu

1.翻网站源码,发现css的折叠代码,打开,最下面是AES的密钥、IV和密文,只是不知道用的哪种模式,所以把常见模式挨个试一遍(脚本是gpt生成的)。

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
import base64

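# Key, IV and ciphertext as provided (all base64-encoded).
key = base64.b64decode("0KzSrImRtVwdh7UonVrQK1TXA++PTBs/3qTxwFLXTRw=")
iv = base64.b64decode("ywz2evC5YAg0pz+Xvkd2eQ==")
data = base64.b64decode("4tdJizgiux0hs4CJjzYbBYQxlSkJDL0i8fxZuoRyuWE=")


def decrypt_data(cipher, payload=None):
    """Decrypt *payload* with *cipher* and return the raw plaintext bytes.

    Args:
        cipher: a configured ``Cipher`` object.
        payload: ciphertext to decrypt; defaults to the module-level ``data``.

    Raises:
        Whatever ``finalize()`` raises, e.g. on a failed GCM tag check or on
        input that is not a multiple of the block size for a block mode.
    """
    if payload is None:
        payload = data
    decryptor = cipher.decryptor()
    return decryptor.update(payload) + decryptor.finalize()


# Modes to try. Key and IV are known, only the mode is not. None of these
# modes authenticates the data, so a wrong mode does not fail: it just yields
# unreadable bytes. ECB/CBC output is printed with its padding still attached.
modes_list = [
    modes.ECB(),
    modes.CBC(iv),
    modes.CFB(iv),
    modes.OFB(iv),
    modes.CTR(iv),
]

for mode in modes_list:
    try:
        cipher = Cipher(algorithms.AES(key), mode, backend=default_backend())
        decrypted_data = decrypt_data(cipher)
        print(f"Mode: {mode.name}, Decrypted data: {decrypted_data}")
    except Exception as e:
        print(f"Mode: {mode.name}, Error: {e}")

# GCM additionally needs the authentication tag.
try:
    tag = data[-16:]  # assumption: the last 16 bytes are the tag
    data_without_tag = data[:-16]
    cipher = Cipher(algorithms.AES(key), modes.GCM(iv, tag), backend=default_backend())
    # Decrypt only the part in front of the tag; feeding the full blob would
    # include the tag bytes in the ciphertext and the tag check could not pass.
    decrypted_data = decrypt_data(cipher, data_without_tag)
    print(f"Mode: GCM, Decrypted data: {decrypted_data}")
except Exception as e:
    print(f"Mode: GCM, Error: {e}")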

发现密码the_ultimate_password123,然后得到二进制文件,脱壳直接逆向

# Bytes of the v3 buffer from the reversed binary, in memory order.
v3_bytes = [
    0x66, 0x6E, 0x65, 0x67, 0x83, 0x7A, 0x6D, 0x7A,  # v3[0]
    0x73, 0x6A, 0x5F, 0x7D, 0x6F, 0x85, 0x8A, 0x5F,  # v3[1]
    0x86, 0x89, 0x90, 0x89, 0x7D,                    # v3[2]
]

# Undo the per-position transform: subtract the index, then XOR with the index.
flag = ''.join(
    chr((value - index) ^ index) for index, value in enumerate(v3_bytes)
)

print(f"Flag: {flag}")

crypto

来一道一元积分吧

先按下面的脚本求极限解出 a(题目名写的是积分,脚本里实际求的是极限);后面那串字符是出题人发的,说是base85,解开文件即可

import sympy as sp

x, a = sp.symbols('x a')

# Numerator and denominator both have degree 100 in x, so the limit at
# infinity is the ratio of the leading coefficients, a**5.
numerator = (x + 1)**95 * (a * x + 1)**5
denominator = (x**2 + 1)**50
expr = numerator / denominator

limit_expr = sp.limit(expr, x, sp.oo)
print(f"极限表达式: {limit_expr}")

# Solve limit == 32 for a.
solution = sp.solve(limit_expr - 32, a)
print(f"解: {solution}")

#a=2

import base64

# String handed out for this challenge.
s = b'RMbpoP9B1wmOMH8kLz9P0ml(I3v='
# NOTE(review): b85encode() *encodes* s. The write-up describes the string as
# base85 data, so a decoding call may have been intended here — confirm
# against the original challenge before relying on this output.
ss = base64.b85encode(s)
print(ss)

#flag{I_LOVE_susu}

你真的喜欢CTF吗

AABABAAAAAABABBAABBAAAABBABBBABBAAAABBBABABAAABABBABAAAABABAAABAAAAABABAABBAABAB
一眼培根,但是前缀是Flag

At

゚ω゚ノ= /`m´)ノ ~┻━┻ //´∇`/ [‘‘]; o=(゚ー゚) ==3; c=(゚Θ゚) =(゚ー゚)-(゚ー゚); (゚Д゚) =(゚Θ゚)= (o^^o)/ (o^^o);(゚Д゚)={゚Θ゚: ‘‘ ,゚ω゚ノ : ((゚ω゚ノ==3) +’‘) [゚Θ゚] ,゚ー゚ノ :(゚ω゚ノ+ ‘‘)[o^^o -(゚Θ゚)] ,゚Д゚ノ:((゚ー゚==3) +’‘)[゚ー゚] }; (゚Д゚) [゚Θ゚] =((゚ω゚ノ==3) +’‘) [c^^o];(゚Д゚) [‘c’] = ((゚Д゚)+’‘) [ (゚ー゚)+(゚ー゚)-(゚Θ゚) ];(゚Д゚) [‘o’] = ((゚Д゚)+’‘) [゚Θ゚];(゚o゚)=(゚Д゚) [‘c’]+(゚Д゚) [‘o’]+(゚ω゚ノ +’‘)[゚Θ゚]+ ((゚ω゚ノ==3) +’‘) [゚ー゚] + ((゚Д゚) +’‘) [(゚ー゚)+(゚ー゚)]+ ((゚ー゚==3) +’‘) [゚Θ゚]+((゚ー゚==3) +’‘) [(゚ー゚) – (゚Θ゚)]+(゚Д゚) [‘c’]+((゚Д゚)+’‘) [(゚ー゚)+(゚ー゚)]+ (゚Д゚) [‘o’]+((゚ー゚==3) +’‘) [゚Θ゚];(゚Д゚) [‘‘] =(o^^o) [゚o゚] [゚o゚];(゚ε゚)=((゚ー゚==3) +’‘) [゚Θ゚]+ (゚Д゚) .゚Д゚ノ+((゚Д゚)+’‘) [(゚ー゚) + (゚ー゚)]+((゚ー゚==3) +’‘) [o^^o -゚Θ゚]+((゚ー゚==3) +’‘) [゚Θ゚]+ (゚ω゚ノ +’‘) [゚Θ゚]; (゚ー゚)+=(゚Θ゚); (゚Д゚)[゚ε゚]=’\’; (゚Д゚).゚Θ゚ノ=(゚Д゚+ ゚ー゚)[o^^o -(゚Θ゚)];(o゚ー゚o)=(゚ω゚ノ +’‘)[c^^o];(゚Д゚) [゚o゚]=’\"’;(゚Д゚) [‘‘] ( (゚Д゚) [‘‘] (゚ε゚+(゚Д゚)[゚o゚]+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^^o) +(o^^o))+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ ((゚ー゚) + (o^^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (o^^o))+ ((o^^o) – (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^^o) +(o^^o))+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (o^^o))+ (o^^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚Θ゚)+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^^o) +(o^^o))+ ((o^^o) – (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (o^^o)+ ((゚ー゚) + (o^^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((o^^o) +(o^^o))+ (o^^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (c^^o)+ (c^^o)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (゚Θ゚)+ (゚ー゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (o^^o)+ ((゚ー゚) + (o^^o))+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ (o^^o)+ ((o^^o) – (゚Θ゚))+ (゚Д゚)[゚ε゚]+(゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚ー゚)+ (゚Θ゚)+ (゚Д゚)[゚ε゚]+(゚Θ゚)+ ((゚ー゚) + (o^^o))+ ((゚ー゚) + (゚Θ゚))+ (゚Д゚)[゚o゚]) (゚Θ゚)) (‘‘);
hint:注意大小写

先是颜文字(https://www.a.tools/Tool.php?Id=174), 然后用厨子里面的埃特巴什码,得到

flag{Ni_h@O_A!!!}

Base签到

TVpXR0NaMzNNSlFXU1lUQk5GUFVHVkNHTDQzRFFOS1lORlFXNjZMVlBVPT09PT09

随波逐流一把出

flag{baibai_CTF_685Xiaoyu}

没有key

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

过程就是base32,rot13,倒转,再来,直到发现flag是flagishere

crypto_2

[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]][+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!
![]+[])[!+[]+!+[]+!+[]]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()(([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(![]+[+[]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+([][[]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[!+[]+!+[]+[!+[]+!+[]]]+([]+[])[(![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]]+(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[+[]]+([]+[])[([][(![]+[])
[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[!+[]+!+[]+[+[]]]+[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]]+([][(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()+[])[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+([][[]]+[])[!+[]+!+[]]+([][(![]
+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])(![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+[+!+[]])+([]+[])[(![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]]+([+[]]+![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[!+[]+!+[]+[+[]]])

控制台直接输出

flag{3e858ccd79287cfe8509f15a71b4c45d}

AES&Base

import base64
import hashlib
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
# 以上是可能用到的库

# You are given a ciphertext encrypted with AES-CBC and you know part of the key derivation:
# the first 8 key bytes are fixed; the last 8 bytes are the first 8 bytes of the SHA-256 hash of
# a secret string made of a known prefix (e.g. secret_) followed by three digits (000-999).
# Your task is to write a Python script that tries every three-digit combination,
# finds the right key, decrypts the ciphertext and recovers the flag.
# NOTE(review): with the prefix and the fixed half known, only 1000 keys are possible.

# Fixed first 8 bytes of the key
fixed_key_part = b'fixedpart'[:8]
# Prefix of the secret string
secret_prefix = b'secret_'
# Base64-encoded ciphertext and IV
encoded_data = '[lg/hfCVaU7OGl11oy7JsUzozFojJSjBmYt6BGY+sO/KCKkQxdXzHjiJP1AM0eoTH]'

# ---- Write down your solution here and obtain the flag ---------

直接写就行了

import base64
import hashlib
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

# Known key half, known prefix and the published blob, as given in the task.
fixed_key_part = b'fixedpart'[:8]
secret_prefix = b'secret_'
encoded_data = '[lg/hfCVaU7OGl11oy7JsUzozFojJSjBmYt6BGY+sO/KCKkQxdXzHjiJP1AM0eoTH]'

# Drop the literal brackets, decode, then split the blob into IV (first 16
# bytes) and ciphertext (the rest).
encoded_data = encoded_data.strip('[]')
ciphertext_iv = base64.b64decode(encoded_data)
iv, ciphertext = ciphertext_iv[:16], ciphertext_iv[16:]

# Only the three-digit suffix is unknown, so the whole key space is 1000
# candidates: a key derived from such a small secret gives no real protection.
for i in range(1000):
    suffix = str(i).zfill(3).encode()
    derived_half = hashlib.sha256(secret_prefix + suffix).digest()[:8]
    key = fixed_key_part + derived_half
    cipher = AES.new(key, AES.MODE_CBC, iv)
    try:
        decrypted_data = unpad(cipher.decrypt(ciphertext), AES.block_size)
        decrypted_text = decrypted_data.decode('utf-8')
    except (ValueError, UnicodeDecodeError):
        # Wrong key: padding check or UTF-8 decoding failed.
        continue
    if 'flag' in decrypted_text:
        print(f"Found flag: {decrypted_text}")
        break

XOR

def xor_encrypt(data, key):
    """XOR the code point of every character in *data* with the integer *key*.

    Returns the resulting bytes as a lowercase hex string. A result outside
    0..255 for any character raises ValueError.
    """
    masked = bytearray(ord(symbol) ^ key for symbol in data)
    # The hex string is the "encrypted" result handed to the solver.
    return masked.hex()

# The following hex string was produced with the function above:
# NOTE(review): read directly as ASCII these bytes spell "zoyistheflag", so the
# sample may not actually have been XORed with the key below — confirm.
encrypted_string = '7a6f796973746865666c6167'
# The key used for encryption is 13 (note: this is only an example; a real task may use another key)
key=13
# Your task is to decrypt this hex string, recover the hidden message and format it as flag{*}
# Print your answer as print(f"flag{{{your_decrypted_message}}}") to obtain the flag
# Mind the format when printing the decrypted result ~.~

没啥好说的

def xor_decrypt(encrypted_hex, key):
    """Reverse the single-byte XOR: hex-decode, XOR each byte with *key*, decode as text.

    Raises ValueError for malformed hex or a *key* that pushes a byte outside
    0..255, and UnicodeDecodeError when the result is not valid UTF-8.
    """
    raw = bytes.fromhex(encrypted_hex)
    return bytes(octet ^ key for octet in raw).decode()

# Hex string and key exactly as given in the task.
encrypted_string = '7a6f796973746865666c6167'
key = 13

# XOR is its own inverse, so applying the same key again recovers the message.
decrypted_message = xor_decrypt(encrypted_string, key)
print(f"flag{{{decrypted_message}}}")

总结

抽象,密码全是古典,misc的抽象程度不亚于一个XXX,pwn挺难的对于我来说,下机!(md,服务器没拿到)

心如草木,向阳而生