暑假内部赛

MISC

小小侦探家

encode

# uncompyle6 version 3.9.1
# Python bytecode version base 3.8.0 (3413)
# Decompiled from: Python 3.10.9 | packaged by Anaconda, Inc. | (main, Mar  1 2023, 18:18:15) [MSC v.1916 64 bit (AMD64)]
# Embedded file name: encode.py


def xor_encrypt(input_bytes, key):
    key_length = len(key)
    output_bytes = bytearray(len(input_bytes))
    for i in range(len(input_bytes)):
        output_bytes[i] = input_bytes[i] ^ key[i % key_length]
    else:
        return output_bytes


def encrypt_image(input_file, output_file):
    key = b'whereamifindme'
    with open(input_file, "rb") as f:
        image_data = f.read()
    encrypted_data = xor_encrypt(image_data, key)
    with open(output_file, "wb") as f:
        f.write(encrypted_data)
    print(f"Encryption completed. Encrypted image saved to {output_file}")


if __name__ == "__main__":
    input_file = "1.jpg"
    output_file = "flag.jpg"
    encrypt_image(input_file, output_file)

# okay decompiling encode.pyc

exp

def xor_encrypt(input_bytes, key):
    key_length = len(key)
    output_bytes = bytearray(len(input_bytes))
    for i in range(len(input_bytes)):
        output_bytes[i] = input_bytes[i] ^ key[i % key_length]
    else:
        return output_bytes

def encrypt_image(input_file, output_file):
    key = b'whereamifindme'
    with open(input_file, "rb") as f:
        image_data = f.read()
    encrypted_data = xor_encrypt(image_data, key)
    with open(output_file, "wb") as f:
        f.write(encrypted_data)
    print(f"Encryption completed. Encrypted image saved to {output_file}")


def xor_decrypt(input_bytes, key):
    # XOR 解密与加密是相同的操作
    return xor_encrypt(input_bytes, key)

def decrypt_image(input_file, output_file):
    key = b'whereamifindme'
    with open(input_file, "rb") as f:
        encrypted_data = f.read()
    decrypted_data = xor_decrypt(encrypted_data, key)
    with open(output_file, "wb") as f:
        f.write(decrypted_data)
    print(f"Decryption completed. Decrypted image saved to {output_file}")

if __name__ == "__main__":
    input_file = "flag.jpg"
    output_file = "decrypted.jpg"
    decrypt_image(input_file, output_file)

嗯，美国的朋友

正常

Matryoshka

exp

import zipfile
import os
import shutil
import uuid

def extract_zip(zip_path, extract_to):
    """解压缩指定的 ZIP 文件到指定目录"""
    with zipfile.ZipFile(zip_path, 'r') as zip_ref:
        zip_ref.extractall(extract_to)
    print(f"Extracted: {zip_path} to {extract_to}")

def find_and_extract_zips(base_folder, temp_folder, output_folder):
    """递归查找并解压所有 ZIP 文件"""
    for root, dirs, files in os.walk(base_folder):
        for file in files:
            file_path = os.path.join(root, file)
            if file.endswith('.zip'):
                unique_folder = os.path.join(temp_folder, str(uuid.uuid4()))  # 创建唯一的临时文件夹
                os.makedirs(unique_folder, exist_ok=True)
                extract_zip(file_path, unique_folder)
                os.remove(file_path)  # 解压后删除 ZIP 文件
                print(f"Deleted: {file_path}")
                # 在新解压出的目录中继续查找 ZIP 文件
                find_and_extract_zips(unique_folder, temp_folder, output_folder)
            else:
                # 将最里面的文件移动到输出文件夹
                destination_path = os.path.join(output_folder, file)
                shutil.move(file_path, destination_path)
                print(f"Moved: {file_path} to {destination_path}")

if __name__ == "__main__":
    input_folder = r"D:\网站下载\exppy"  # 指定包含嵌套 ZIP 文件的根目录
    temp_folder = r"D:\临时解压文件夹"  # 用于解压的临时目录
    output_folder = r"D:\解压后的文件"  # 所有文件提取到的目标文件夹
    os.makedirs(temp_folder, exist_ok=True)  # 确保临时目录存在
    os.makedirs(output_folder, exist_ok=True)  # 确保输出目录存在

    find_and_extract_zips(input_folder, temp_folder, output_folder)
    print("所有文件提取完毕")

然后爆破密码

改成zip然后解压缩

然后就拿到照片不会了

来自周神的万能py（伟大无需多言）

\

sb0olI

WkpHU1VDVEZ7ODY1ODYzNkItNDJGMy0zNjQ4LTVCMjUtQUY2Q0RCRjI5NTI5fQ==

CRYPTO

phi

def euler_totient(n):
    result = n  # Initialize result as n
    p = 2
    # Consider all prime factors of n and subtract their multiples from result
    while p * p <= n:
        # Check if p is a prime factor
        if n % p == 0:
            # If yes, then update n and result
            while n % p == 0:
                n //= p
            result -= result // p
        p += 1
    # If n has a prime factor greater than sqrt(n)
    # (There can be at most one such prime factor)
    if n > 1:
        result -= result // n
    return result

n = int(input("Enter a number: "))
print(f"The number of integers less than {n} that are coprime with {n} is {euler_totient(n)}.")

basic_RSA

获得p，q

n = 8518969207529636389484032230886536704406768047371377256638626913642749445259329340941109791553519452501892180150380956873522604338824472473236167891564393
p = 983335626386310597717550945092743654289318641603143018459883485703236916430
q = 866333831393483651450507450957397118458633113000718740740857324290558250886

for i in range(100):
    for j in range(100):
        if((p*100+i)*(q*100+j)==n):
            print("p=",p*100+i)
            print("q=",q*100+j)
            break

解密

import gmpy2
from Crypto.Util.number import long_to_bytes

q =86633383139348365145050745095739711845863311300071874074085732429055825088613
p =98333562638631059771755094509274365428931864160314301845988348570323691643061

e = 65537
c = 6562905193530371491664319145474869160361926759601288401756039886752371060413124293251174780962557430362519513676355513923070074558557958599788395941875438
# n=8518969207529636389484032230886536704406768047371377256638626913642749445259329340941109791553519452501892180150380956873522604338824472473236167891564393
n = q * p
# print(n)
d = gmpy2.invert(e, (p - 1) * (q - 1))
print("d=", d)
m = pow(c, d, n)
print(m)
print(long_to_bytes(m))

enc

from Crypto.Cipher import AES
import base64
import json

# 与JavaScript中相同的密钥和IV
key = b'1234123412ABCDEF'
iv = b'1234123412ABCDEF'


def decrypt(encrypted_text):
    # 将Base64编码的密文转换为字节
    encrypted_bytes = base64.b64decode(encrypted_text)

    # 使用AES进行解密
    cipher = AES.new(key, AES.MODE_CBC, iv)
    decrypted_bytes = cipher.decrypt(encrypted_bytes)

    # 去除填充
    pad_len = decrypted_bytes[-1]
    decrypted_bytes = decrypted_bytes[:-pad_len]

    # 将解密后的字节转换为字符串
    decrypted_text = decrypted_bytes.decode('utf-8')

    # 尝试解析为JSON对象
    try:
        decrypted_data = json.loads(decrypted_text)
        return decrypted_data
    except json.JSONDecodeError:
        return decrypted_text
a='2rn7Wcu6OECQFBrkBSCzvQ=='
print(decrypt(a))

BASIC_rsa?

得到十进制的p

exp

import gmpy2
from Crypto.Util.number import long_to_bytes

p = 11078621793949482625914372710810959398675963822415939216168633283415944613128498588716242943797946558845513908279515179517717865327915107375374373236695797

e = 65537
c = 34249174398573844561724553123097991805748045349941051239905387500962666334254143693989050793644602109372118418179926824099494693623993781741261080861283160331937184329685234484575779194527204931907049442889394176292943564908081818520471872867158523349155125154566723265694918287939042067461946833720803908419

n = 127697470012830699516312095200727334137458073897637275467480374448830146587852701396242747281584152916736575300669782612348674479798285191271836719149002228481986613159355642035344516698166166815694171737146410931677450051628031191289869988494519088068698936030651830429428544621447638050279630876476422484677

# 确保 q 是一个整数
q = n // p
print("q =", q)

# 计算 d
phi = (p - 1) * (q - 1)
d = gmpy2.invert(e, phi)
print("d =", d)

# 解密消息
m = pow(c, d, n)
print("m =", m)
print("Decrypted message:", long_to_bytes(m))

common（多组nc）

import gmpy2
import libnum
from Crypto.Util.number import long_to_bytes

n1 = 132963755548206229559127689166757584511233225283043942347398006713394304522162906766220322689091908141056178489298724072090068593524622575063324464083235534352678901324592982116353558072908375775464810233662811977377434641059529949137944412090936664215705396037823298138229472328757455343491215225582072326609
n2 = 135715978430684287381713379483929616945110106139653924228097245208713615447908876761578043850197920250417331466583068362027199914761824520739671581870758012290130748364801002790393321246996987185380538754400076604470645538272868000108348182618645865412772843015157084652883886834388848492901314867879577439991
c1 = 118311856007994446471425653368270431815268347185806809785193216737612021273781210857995561399953518478531629168544046740368055620359324847835880188911396310860156525631827183309640891399780327812381201798593921912143408764197609046182658951137157492643749925697701468531330210148652740735483028164075625352731
c2 = 10880604230339738820239117607212371216541411086376043211246572277203913063699089407935153227605276627875795616322147701707404835648471284140116567004143554388076937920404785484782546601765715529529539324463336305223709231573270251380061360588847679377993816543999438875782700254270857313316044309542281002278

# ...此处省略20组n和c

e = 65537
n = []
c = []
p = []
for i in range(1, 2):
    n.append(eval('n' + str(i)))
    c.append(eval('c' + str(i)))
data = list(zip(n, c))
for i in range(len(n)):
    for j in range(i + 1, len(n)):
        if gmpy2.gcd(n[i], n[j]) != 1:
            print(i, j)  # i=4,j=17
            print(gmpy2.gcd(n[i], n[j]))
p = gmpy2.gcd(n1, n2)
q = n1 // p
d1 = gmpy2.invert(e, (p - 1) * (q - 1))
print("d1=",d1)
m1 = pow(c1, d1, n1)


p = gmpy2.gcd(n1, n2)
q = n2 // p
d2 = gmpy2.invert(e, (p - 1) * (q - 1))
print("d2=",d2)
m2 = pow(c2, d2, n2)
print(long_to_bytes(m1),end='')
print(long_to_bytes(m2))

RE

Hard_Signin

ida打不开，题目说文件被改了，放到010看一下

发现头被改了

正常的头

改回来就可以看到有个upx壳了

脱壳后放入ida得到flag

不要非预期

Python_Revenge

3.10

magic number 6F 0D 0D 61

将后缀改成pyc

放到kali里面用pycdc反编译

# Source Generated with Decompyle++
# File: python.pyc (Python 3.10)

import base64
str = ''
print('Please input your flag:')
str1 = input(str)
a = base64.b64encode(str1.encode('utf-8'))
a = a.decode()
s = []
s1 = [72,112,107,87,68,86,49,85,55,90,69,86,122,66,85,90,119,57,86,101,102,78,87,101,102,53,87,97,50,78,106,99,122,74,88,90,61,48,88,90]
for i in range(len(a)):
    s.append(ord(a[i]))
for i in range(0, len(s), 4):
    s[i] = s[i + 3]
    s[i + 3] = s[i]
    s[i + 1] = s[i + 2]
    s[i + 2] = s[i + 1]
for i in range(len(s)):
    if s[i] != s1[i]:
        print('Wrong')
        exit(0)
print('success')

exp

import base64

s = [72, 112, 107, 87, 68, 86, 49, 85, 55, 90, 69, 86, 122, 66, 85, 90, 119, 57, 86, 101, 102, 78, 87, 101, 102, 53, 87, 97, 50, 78, 106, 99, 122, 74, 88, 90, 61, 48, 88, 90]


for i in range(0, len(s), 4):
    s[i], s[i + 3] = s[i + 3], s[i]
    s[i + 1], s[i + 2] = s[i + 2], s[i + 1]
encoded_str = ''.join(chr(num) for num in s)

original_str = base64.b64decode(encoded_str).decode('utf-8')

print(original_str)

Assembly_Yao

edx=‘@’ 0x40